Advisory #240 - Internet Explorer (Multiple), Firefox, Yahoo! Messenger, Ghost, Multiple News

Sûnnet Beskerming Alert List Advisory #240
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Internet Explorer (Multiple) - Remote Hacker Automatic Data Theft - Time Since Discovery - 5 Days
1.2 Firefox - Remote Hacker Automatic Control - Time Since Discovery - 5 Days
1.3 Yahoo! Messenger - Remote Hacker Automatic Control - Time Since Discovery - 3 Days
1.4 Ghost - Remote Hacker Automatic Denial of Service - Time Since Discovery - 3 Days

=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Web Servers as Viewed by Google
2.2 Tech Community Pressure Helps get Case Turned Over
2.3 Risks of Persistent Storage
2.4 June 2007 Microsoft Security Patch Advance Notification
2.5 This is not a Real Security Update
2.6 Recent Yahoo! Messenger Vulnerabilities Attract Attacks
2.7 I Know What You Did Last Visit

=====================================

1. SECURITY

1.1 Internet Explorer (Multiple) - Remote Hacker Automatic Data Theft

-- Products Affected --
Internet Explorer 7.x and prior.

-- Technical Description --
Race condition in at least IE 6.x and 7.x, which can be exploited by an attacker using JavaScript to arbitrarily change content on sites opened from a malicious web page. This includes cookie modification and may lead to browser crashes (memory corruption) if DOM content that has not been initialised is accessed. It is also possible to spoof the address in the IE 6 address bar, including the spoofing of https addresses. This is achieved through malicious scripting. Full exploit data is readily available.

-- Description --
A serious vulnerability in the Internet Explorer browser has been discovered and disclosed to a number of security sources. This vulnerability will allow a remote attacker to modify content displayed by the browser for sites opened from a malicious site. This can also be used to modify cookie content and may also lead to a browser crash. It has also been discovered that it is possible to spoof the address bar data in Internet Explorer 6 (for all versions of IE 6). This could allow a remote attacker to overwrite the actual site address with any information that they choose, effectively misleading the user into believing that they are on the legitimate site, when they are on the attacker's choice of site. Full exploit details are readily available.

-- Recommended Action --
Disabling Active Scripting support in the browser should prevent the exploit from working, given that it requires the use of JavaScript to function. Alternatively, consider running IE from a less-privileged account (though there are still risks), or consider the use of an alternate Internet browser.
-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
            U   O
Home User   9   9 (Critical)
Corporate   9   9 (Critical)

1.2 Firefox - Remote Hacker Automatic Control

-- Products Affected --
Firefox 2.0.0.4 and prior.

-- Technical Description --
Multiple vulnerabilities affecting Firefox have been disclosed. Through the use of various JavaScript actions, it is possible to inject arbitrary content on sites that rely on IFRAMEs to display content to the user. It is also possible to read keystrokes using the same vulnerability - risking potential disclosure of passwords or other sensitive information. Another vulnerability can be used to download arbitrary content to the user's download folder - bypassing the delay timers used by some confirmation dialogs. Under specific conditions, this could be used to execute arbitrary content on a victim's system.

-- Description --
Multiple vulnerabilities affecting the popular Internet browser Firefox have been discovered. These vulnerabilities could allow a remote attacker to read keystrokes, inject arbitrary web content and even download and potentially run software of the attacker's choice. Exploit code is readily available for all vulnerabilities.

-- Recommended Action --
Apply caution when visiting untrusted sites and consider disabling support for JavaScript until Mozilla are able to release a patch for the issue. Alternatively, consider the use of an alternate Internet browser, such as Opera. Users should also consider operating Firefox from a less-privileged user account.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
            U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)

1.3 Yahoo! Messenger - Remote Hacker Automatic Control

-- Products Affected --
Yahoo! Messenger, at least version 8.1.

-- Technical Description --
Arbitrary remote code execution vulnerabilities affecting the ActiveX control associated with Yahoo! Messenger's support for webcams (ywcvwr.dll). Multiple derivatives of the vulnerabilities have been disclosed, complete with exploit code. Specifically, the vulnerabilities appear to be buffer overflows and can be triggered by the victim visiting a malicious web page. The ywcupl.dll is also vulnerable to remote code execution attacks.

-- Description --
Multiple vulnerabilities have been discovered and disclosed affecting the Yahoo! IM software for Windows. Specifically, the vulnerabilities affect the support for webcams from within Yahoo! Messenger. Using the exploits that have already been circulated, it is possible for an attacker to run software of their choice on a victim's system.

-- Recommended Action --
Update to the latest Yahoo! Messenger version. Advanced users and administrators may consider setting the killbit for the vulnerable ActiveX controls (clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277) and (clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277).

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
            U   O
Home User   9   9 (Critical)
Corporate   9   9 (Critical)

1.4 Ghost Solution Suite - Remote Hacker Automatic Denial of Service

-- Products Affected --
Ghost Solution Suite 2.0.0 and prior.

-- Technical Description --
Multiple denial of service vulnerabilities affecting the Symantec Ghost Solution Suite. A remote attacker is able to trigger the denial of service attacks by sending malicious UDP traffic to systems running either the client or server components of the Ghost Solution Suite.
-- Description --
Symantec Ghost Solution Suite, the business version of the popular archiving and recovery software Ghost, has been found to have multiple vulnerabilities that could allow a remote attacker to prevent the use of either the server or client software components of the Ghost Solution Suite. All that the attacker needs to do in order to prevent use of the software is to send malicious network traffic to a vulnerable system.

-- Recommended Action --
Apply the latest patches for the vulnerable versions, from the update link provided below.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
            U   O
Home User   7   7 (High)
Corporate   7   7 (High)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Web Servers as Viewed by Google

For a long time, one of the most reputable sources for the breakdown of the numbers of installed web servers across the Internet has been the Netcraft survey of web servers. Now, Google has released information about how the Googlebot webcrawler has been viewing the Internet. Based on almost 80 million individual servers, discounting any virtual host servers (so it would only count each physical server), and deriving results from the HTTP 'Server:' header, Google have identified that 66% of the sample set are using Apache to provide web server capabilities, with only 23% using Microsoft's IIS to serve web data. From a vulnerability perspective, and considering only the number of IIS 5.x servers (approximately 20% of the total IIS numbers), it indicates that the recently highlighted authentication bypass methods could be used against 3.5 million individual web hosts.
If there are virtual hosts in use, where a number of different websites are hosted on the same physical server, then the 3.5 million servers could feasibly translate into 10 million or more actual website domains. This may be reflected in the data presented by Google, which indicates that almost half of the 70,000 domains recently identified by Google as hosting or distributing malware and Internet-based exploits are hosted on IIS. The underlying truth is that the percentage balance of IIS 5.x to IIS 6.x from this restricted dataset is almost the same as for the overall web hosting numbers.

2.2 Tech Community Pressure Helps get Case Turned Over

A common problem that can plague Windows-based systems is uncontrolled popups whenever the system is connected to the Internet. Although all browsers can be at risk of advertising popups (or interstitials, as some companies like to call them), Windows systems are also prone to advertising popups via the Windows Messenger service (not to be confused with MSN), especially for systems compromised by spyware or other malware. When Julie Amero, substitute teacher at a Norwich middle school, encountered pornographic popups on a classroom computer while teaching a class of seventh grade students in late 2004, she was arrested and hauled off to court, where she was found guilty of 'risk of injury to a minor' and potentially faced 40 years imprisonment. Following the January 2007 conviction (sentencing was to follow at a later date), there was an almost unanimous outcry by technical experts amongst the online community over the extremely poor standards of technical 'forensic' investigation that were used to confuse the jury (more relevant and accurate defence forensics were excluded from the case). This drew criticism from the judge, who overruled the original verdict, sending the case back for a retrial (which is unlikely to happen).
In the judge's ruling, they claimed that the public criticism of the case was "improperly influenc[ing]" the court. Following the overturning of the earlier conviction, many technical experts breathed a collective sigh of relief that accurate technical knowledge helped keep an innocent person from facing significant jail time.

2.3 Risks of Persistent Storage

How to interact with online content when a user is offline has been a problem that many minds have struggled with over the years. In recent months one of the most popular approaches to letting users interact with online content while offline has really taken off - that of caching significant amounts of data while online, then accessing and interacting with it while offline, all through the same interface. While it may not be the first to implement such an idea, the introduction of Google Gears has attracted attention that previous attempts have not been able to. With this attention has come scrutiny from web application security experts, who have begun to consider the risks and potential security weaknesses that these systems can introduce. Of greatest interest to the researchers is the concept of 'persistent storage', which means that projects such as Gears use a client-side (i.e. on the user's computer) database or other data storage method to store a chunk of online data that the user is expected to interact with while offline. Essentially, the data 'persists' on the user's system even after the connection to the Internet is gone. The technology behind the persistent storage for Gears is SQLite, a lightweight database engine that supports SQL data management and storage and which can be easily integrated within an application - rather than needing a separate database engine like many CMS do.
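To make the risk concrete, here is an added example (not code from Google Gears or from this advisory) of a small client-side SQLite cache of the kind described above, with a lookup that splices the cache key into the SQL text beside one that uses bound parameters; the table layout and sample rows are constructed for the illustration.

```python
"""Client-side SQLite cache: string-built query beside the bound-parameter
version. Added example, not code from Gears or the advisory; the table and
sample rows below are constructed."""
import sqlite3


def build_cache() -> sqlite3.Connection:
    """In-memory stand-in for a persistent on-disk cache shared by several origins."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cache (origin TEXT, cache_key TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO cache VALUES (?, ?, ?)",
        [  # constructed sample data: two origins share the same cache file
            ("https://mail.example", "inbox", "alice's mail headers"),
            ("https://mail.example", "draft:1", "unsent draft"),
            ("https://bank.example", "statement", "account balance"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, origin: str, cache_key: str) -> list[str]:
    """Builds the SQL by string formatting: the key travels as SQL, not as data."""
    sql = f"SELECT body FROM cache WHERE origin = '{origin}' AND cache_key = '{cache_key}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, origin: str, cache_key: str) -> list[str]:
    """Bound parameters: the query shape is fixed and the values are supplied separately."""
    sql = "SELECT body FROM cache WHERE origin = ? AND cache_key = ?"
    return [row[0] for row in conn.execute(sql, (origin, cache_key))]


def demo() -> tuple[int, int]:
    """Return (rows from the string-built query, rows from the bound query) for one hostile key."""
    conn = build_cache()
    # A key value a page script might be tricked into passing through unchanged;
    # with AND binding tighter than OR it widens the string-built WHERE clause to every row.
    hostile_key = "inbox' OR '1'='1"
    leaked = lookup_unsafe(conn, "https://mail.example", hostile_key)
    scoped = lookup_safe(conn, "https://mail.example", hostile_key)
    return len(leaked), len(scoped)


if __name__ == "__main__":
    leaked, scoped = demo()
    print(f"string-built query returned {leaked} rows, bound query returned {scoped}")
```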
The safe passing of data to SQL databases is fairly well understood, with techniques such as bound parameters, stored queries, and careful input filtering amongst the methods used to achieve safe data storage and interaction. It is reported that Google Gears is making use of bound parameters to help protect against potential abuse of data input and mitigate the risk of SQL injection. With the number of persistent storage offline interaction systems soon to increase in number and use (Firefox is soon to include a SQLite-based system in Firefox 3), all it is going to take is a single mistake by a development team for a serious vulnerability to be included. From there, it will only be a matter of time before the dedicated and creative researchers find it and work out how to exploit it.

2.4 June 2007 Microsoft Security Patch Advance Notification

Microsoft have provided basic details of the patches that they expect to release with the June 2007 security patch release, due for release next Tuesday. At this stage Microsoft are expecting to release six patches for a variety of their products, including Windows, Office, Internet Explorer, and various email products. Of the six patches, four are rated as Critical, which is Microsoft's highest vulnerability rating, with one rated as Important, and the last rated as Moderate. Unfortunately for end users and administrators, all but one of the patch releases could lead to arbitrary remote code execution against the vulnerable software. While Microsoft's latest operating system, Windows Vista, avoids any Critical vulnerabilities affecting the core operating system, it is affected by two Critical vulnerabilities, affecting Windows Mail and Internet Explorer.

2.5 This is not a Real Security Update

Following extremely closely after the notification of the expected patches for June 2007 comes news that malware is already spreading via spam that claims to be a valid Microsoft security update.
Even though this is not the first time that spam has been used to push malware on unsuspecting victims by claiming to be a valid update from Microsoft, the close timing to the advance notification for this month's patches has caught the attention of a number of Information Security groups. From the various reports available about the spam, it appears that the body of the emails claims to supply patches for a range of vulnerabilities, using varied security update numbers and patch descriptions. While the spam is relatively well constructed, the most obvious flaw is the release of an MS06 security update in the middle of 2007. For readers who are not aware of how Microsoft label patches and updates, the first four characters of the update identifier are always MSXX, where XX is the current year. Beyond that obvious flaw, Microsoft will not mass email users to tell them of an update - the built-in update services will already know about them.

2.6 Recent Yahoo! Messenger Vulnerabilities Attract Attacks

The recently disclosed vulnerabilities in Yahoo! Messenger's support for webcams, allowing attackers to run software of their choice on a victim's system, have already attracted the attention of malware developers. The Chinese Incident Security Response Team (CISRT) is reporting that a Chinese malware author has released a new piece of malware that targets the specific vulnerabilities discovered in Yahoo! Messenger. Yahoo! have already issued patches for this issue, so it is imperative that users and administrators update to the latest version as soon as possible in order to be protected from this new malware. It appears that the malware is making use of publicly available exploit samples that are available from a number of readily available sources.
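For administrators who cannot roll out the Yahoo! Messenger update straight away, the killbit mitigation recommended in 1.3 can be applied and audited with a small script. This is an added example, not code from the advisory or from Yahoo!; the two CLSIDs are the ones quoted in 1.3, and the registry location and the 0x400 flag are Internet Explorer's standard ActiveX Compatibility killbit mechanism. Registry access only works on Windows; the path and flag helpers are portable.

```python
"""Set and audit the Internet Explorer killbit for the two Yahoo! Messenger webcam
controls named in section 1.3. Added example, not the advisory's own code."""
import sys

# CLSIDs quoted in the advisory (registry key form, braces included).
YAHOO_WEBCAM_CLSIDS = (
    "{DCE2F8B1-A520-11D4-8FD0-00D0B7730277}",
    "{9D39223E-AE8E-11D4-8FD3-00D0B7730277}",
)
KILLBIT = 0x00000400  # bit IE tests in "Compatibility Flags" before instantiating a control
ACTIVEX_COMPAT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
VALUE_NAME = "Compatibility Flags"


def killbit_key_path(clsid: str) -> str:
    """Registry path under HKLM holding the control's compatibility flags."""
    clsid = clsid.strip()
    if not (clsid.startswith("{") and clsid.endswith("}")):
        clsid = "{" + clsid + "}"
    return ACTIVEX_COMPAT + "\\" + clsid.upper()


def with_killbit(flags: int) -> int:
    """OR the killbit into the existing flags so other compatibility bits survive."""
    return flags | KILLBIT


def has_killbit(flags: int) -> bool:
    return bool(flags & KILLBIT)


def set_killbit(clsid: str) -> int:
    """Create or update the HKLM key and return the new flags value (Windows only)."""
    import winreg  # imported here so the pure helpers remain usable off Windows
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, killbit_key_path(clsid)) as key:
        try:
            current, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            current = 0  # key exists but no flags yet
        new = with_killbit(int(current))
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, new)
        return new


def audit_killbit(clsid: str) -> bool:
    """True if the killbit is already set for the control (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, killbit_key_path(clsid)) as key:
            current, _ = winreg.QueryValueEx(key, VALUE_NAME)
    except FileNotFoundError:
        return False
    return has_killbit(int(current))


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("registry access requires Windows; run elevated")
    for clsid in YAHOO_WEBCAM_CLSIDS:
        before = audit_killbit(clsid)
        flags = set_killbit(clsid)
        print(f"{clsid}: killbit was {'set' if before else 'unset'}, flags now 0x{flags:08X}")
```

Writing to HKLM requires an elevated prompt, and the change only affects Internet Explorer's instantiation of the controls; it does not remove the vulnerable DLLs, so the update in 1.3 remains the real fix.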
2.7 I Know What You Did Last Visit

In the ruling of a court case fought by the Motion Picture Association of America (MPAA) against a number of filesharing sites and products, the popular BitTorrent hosting site TorrentSpy was ordered to start keeping logs of site visitors and then turn those records over to the MPAA. The practice of not keeping logs on users, as actually described in the TorrentSpy Privacy Policy, is not a new technique in use by sites where a user's activity could be illegal or there are strong privacy concerns. In responding to the ruling, TorrentSpy's legal counsel explained that the site would sooner prevent access to content by US visitors than it would commence logging for the sole purpose of turning over those records. Community reaction, especially from frequent users of similar sites, has been of disbelief. Even if they don't support the potentially illegal activity taking place on the site, commentators have found it difficult to reconcile the court's ruling - many finding that it is a precedent that could be extremely risky for many other websites. Supporters have even pointed out that it is possible to find the same illegal data through sites such as Google, so why not go after them instead? Further complicating matters are accusations that the MPAA used an illegal network breach to gain access to correspondence and trade secrets belonging to TorrentSpy (though what comprises a trade secret for such a site is unknown). The accusations form the basis of a concurrently-running suit in a Californian court.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com