Advisory #245 - Microsoft (Multiple), Firefox, GIMP, QuickTime, Multiple News

Sûnnet Beskerming Alert List Advisory #245
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html)

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 3 Days
1.2 Firefox - Remote Hacker Automatic Control - Time Since Discovery - 7+ Days
1.3 GIMP - Local Hacker Automatic Control - Time Since Discovery - 7+ Days
1.4 QuickTime - Remote Hacker Automatic Control - Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Keeping Information Timely
2.2 Focussing on SAP
2.3 Big Media Consolidation
2.4 Antivirus Vendors Head to Court
2.5 A Matter of Numbers
2.6 It's Official, the iPhone has been Hacked
2.7 Microsoft July Security Patch Release
2.8 A Present for our Readers
2.9 Aussies face the threat of Robo-Pacinos
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista
Visio 2002, 2003
Outlook Express
Windows Mail

-- Technical Description --
MS07-036 - Office. Multiple arbitrary remote code execution. Critical
MS07-037 - Publisher. Arbitrary remote code execution. Important
MS07-038 - Vista. Information disclosure. Moderate
MS07-039 - Active Directory (LDAP). Remote code execution. Critical
MS07-040 - .NET Framework. Multiple arbitrary remote code execution. Critical
MS07-041 - IIS. Arbitrary remote code execution. Important

-- Description --
Microsoft delivered six patches as part of the July Security Update release. Three of the patches have been rated as Critical, two as Important, and the remaining patch as Moderate. Exploit code has already begun to circulate for a number of the vulnerabilities. A number of users are reporting issues with the installation and use of MS07-040.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)

1.2 Firefox - Remote Hacker Automatic Control

-- Products Affected --
Firefox 2.0.0.4 and prior.

-- Technical Description --
Firefox on Windows fails to properly parse command line parameters that are passed to it, allowing third party applications to run arbitrary code within the context of the trusted Chrome setting. Specifically, it is the registration of the 'FirefoxURL' handler which allows for commands to be passed to Firefox. A separate issue exists with Firefox's handling of wyciwyg: URIs. It is possible for a local user (or website) to bypass the protections preventing access to these cache related URIs, thus allowing access to potentially sensitive content.

-- Description --
A demonstration of a vulnerability which allows attackers to pass arbitrary content to Firefox for execution in the 'Chrome' context has been released, using a link from within Internet Explorer to execute the attack. Another vulnerability has also been identified which allows for access to potentially sensitive cache content (on all systems). Based on the available source code, it is possible for attackers to embed links in their websites such that when they are visited with Internet Explorer, arbitrary code can be run against Firefox on Windows.

-- Recommended Action --
It is possible to deregister the 'FirefoxURL' handler in the Registry (caution is urged when manipulating the Registry), by modifying the setting of the 'HKEY_CLASSES_ROOT\FirefoxURL' entry.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
             U    O
Home User    8    8 (Very High)
Corporate    8    8 (Very High)

1.3 GIMP - Local Hacker Automatic Control

-- Products Affected --
GIMP 2.2.15 and prior.

-- Technical Description --
Arbitrary code execution due to integer overflow vulnerabilities in GIMP when handling DICOM, PNM, PSD, PSP, Sun RAS, XBM, and XWD file formats. The vulnerability in the Sun RAS format handling has been known since April, but the other formats are new disclosures.

-- Description --
iDefense have released an advisory that expands on a previously known issue (Sûnnet Alert Advisory #227 - April 07) affecting GIMP and the handling of various image types through external plugins. Previously, it was known that the Sun RAS format was vulnerable, but numerous other formats are now known to be vulnerable. Successful exploitation requires the victim to open a malicious image file in GIMP.

-- Recommended Action --
Update to GIMP version 2.2.16 at the earliest opportunity. Alternatively, move unused (and affected) image handling plugins out of the gimp/2.0/plug-ins directory.

-- Source --
http://labs.idefense.com/intelligence/vulnerabilities/

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
             U    O
Home User    6    6 (High)
Corporate    6    6 (High)

1.4 QuickTime - Remote Hacker Automatic Control

-- Products Affected --
QuickTime 7.1.6 and prior.

-- Technical Description --
Memory corruption when handling H.264, .m4v, SMIL or arbitrary movie file content can lead to arbitrary code execution. This update also provides enhanced protection for the QuickTime for Java issue that was patched earlier this year. Further issues affecting QuickTime for Java have also been addressed, including removing support for JDirect.

-- Description --
Apple Inc have released version 7.2 of the QuickTime media codec and associated player application. This release addresses a number of serious vulnerabilities that can allow a remote attacker to take over a vulnerable system if the victim can be convinced to interact with a malicious media file. In addition to fixing security issues, QuickTime 7.2 provides enhanced capabilities to QuickTime.

-- Recommended Action --
Update to QuickTime 7.2 at the earliest opportunity, either through the download link below, or through Software Update.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
             U    O
Home User    9    9 (Critical)
Corporate    9    9 (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
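Added example, not from the advisory: the Recommended Action for item 1.2 above says to deregister the 'FirefoxURL' handler under HKEY_CLASSES_ROOT. This PowerShell script, run from an elevated prompt, shows what the handler currently launches, exports a .reg backup before touching anything, and only then removes the key. It assumes the usual protocol-handler layout (a 'URL Protocol' value plus a shell\open\command subkey); the backup folder is an assumed location.

```powershell
# Added example, not from the advisory: back up and deregister the FirefoxURL
# protocol handler named in item 1.2's Recommended Action.
# Run from an elevated PowerShell prompt on Windows. Assumes the usual
# protocol-handler layout under HKEY_CLASSES_ROOT ('URL Protocol' value plus
# a shell\open\command subkey); $BackupDir is an assumed location.
$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\FirefoxURL'
$BackupDir = Join-Path $env:USERPROFILE 'FirefoxURL-backup'

function Get-FirefoxUrlHandler {
    # Returns $null if the handler is not registered, otherwise a summary
    # of the key so the operator can see what the handler would launch.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $props   = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    $cmdKey  = "$KeyPath\shell\open\command"
    $command = $null
    if (Test-Path -LiteralPath $cmdKey) {
        # The command subkey's (default) value is the launch template that
        # Windows expands with the URL handed over by a page or another browser.
        $command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
    }
    [pscustomobject]@{
        Key           = $KeyPath
        IsUrlProtocol = $null -ne $props.PSObject.Properties['URL Protocol']
        Command       = $command
    }
}

function Disable-FirefoxUrlHandler {
    # Exports the key to a .reg file first so the change can be reverted
    # with 'reg.exe import <file>', then deletes the handler.
    param([switch]$WhatIf)
    $handler = Get-FirefoxUrlHandler
    if ($null -eq $handler) {
        Write-Host 'FirefoxURL handler is not registered; nothing to do.'
        return
    }
    Write-Host "Handler command: $($handler.Command)"
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ('FirefoxURL-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKCR\FirefoxURL' $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backup)) {
        throw 'Backup of HKCR\FirefoxURL failed; leaving the handler in place.'
    }
    Write-Host "Backup written to $backup"
    if ($WhatIf) {
        Write-Host 'WhatIf: would now remove HKCR\FirefoxURL'
        return
    }
    Remove-Item -LiteralPath $KeyPath -Recurse -Force
    Write-Host "Removed HKCR\FirefoxURL; restore with: reg.exe import `"$backup`""
}

# Preview first; drop -WhatIf once the backup location and command look right.
Disable-FirefoxUrlHandler -WhatIf
```

The .reg export is what makes the advisory's "caution is urged" step reversible: if other applications can no longer hand links to Firefox, re-import the backup.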
2. NEWS

2.1 Keeping Information Timely

One of the pressing problems that has plagued information sources since before the Internet is ensuring the timely dissemination of information, before it becomes stale or out of date. With Information Security news and related online sources, arriving at a news source late could have a significant cost to business operations or system stability, due to attackers capitalising on threat information that you aren't aware of.

A Sûnnet Beskerming article on strange Internet traffic patterns that had been observed drew a lot of traffic and exposure from a number of sources. Besides being an excellent demonstration of how information propagates across the Internet, it showed first hand that some communities could be accessing information for the first time over a week after it first appears, when its viable lifespan was measured in hours, not days. Had the information been related to a rapidly emerging threat, a number of communities would have discovered that information too late. Even with wider dissemination of the article, it would have required a concerted concurrent effort to publish and report the article within a timeframe in which the raw underlying data would still be relevant.

From a similar point of view, using information that is out of date can also introduce significant risks to operations and to the protection of critical systems and data stores. Information Security seems to be a field where accepted knowledge and best practices are overturned on a regular basis due to improved understanding of available threats, the evolution of new threats, or the development of more robust methodologies for protection and management. Just in the last decade and a half in the Information Security field, the commonly accepted dogma that email and image files are not virus propagation vectors has been overturned.

For many in the Information Security field it was the seminal paper by Aleph One, 'Smashing the Stack for Fun and Profit', which really began to show them the risks associated with vulnerabilities that had otherwise been thought benign, and the paper was only released in the year 2000. Users have been connected to the Internet since it was the DARPANet, but the risks of online activity are still somewhat less understood when compared to risks associated with compromised desktop applications.

While the risks of visiting untrusted websites are becoming better known, the true risk of online activity and web browsing is still being ascertained. Leading research in web application vulnerabilities and threats is still only scratching the surface of the issues tied to this platform. The concepts of AJAX worms, JavaScript LAN enumeration and testing, and non-JavaScript enumeration and testing are areas that are pushing the field of web application security forward at a time when most users are struggling to understand the importance of a secure transaction (or even what to look for and how to recognise one). With many of the leading voices in web application security still only in their early to mid twenties (and with some high school seniors mixed in), it is a young field that is doing its best to establish what can and can not be done with web applications. Information being generated by these researchers is busy turning over accepted dogma that itself may only be a couple of years old. Reading the wrong technical book, or not keeping up with the latest developments, could place developers, site maintainers, and security representatives at a distinct disadvantage when creating and maintaining online services.

Even though buffer overflows and their associated risks are relatively well known and understood, the fact that they still crop up in modern systems (such as Windows Vista) means that even with security-aware development there are still risks and vulnerabilities that can enter complex systems (systems that may be so complex that they can not be completely understood or modelled accurately). Keeping current with information that has not expired or otherwise become out of date is one of the best ways to help prevent the ongoing inclusion of known risks in the development and maintenance of new services and applications.

2.2 Focussing on SAP

NGS Software, better known for their focus on Oracle products, have released information about a brace of SAP product vulnerabilities that range from low to critical risk for users of the products who have not updated them. With a heavy web-based interface component for SAP, and also for many other ERP / CRM / HRM / Enterprise systems, they represent one of the most prominent targets for web vulnerabilities (which most of the disclosed issues are). There are plenty of examples of poorly secured corporate networks where these applications can be interacted with from the general Internet (finding the appropriate Google Dorks is an exercise for the reader), so SAP administrators should expect some increased probing of their systems, given that sample exploitation code was provided with the vulnerability disclosure reports. SAP have provided patches for these issues in updates from January to May (product dependent), so administrators and caretakers of SAP systems should update as a matter of urgency, if they haven't already applied the patches.

2.3 Big Media Consolidation

Rumours are flying thick and fast about the push by Rupert Murdoch's News Corporation to take over the Dow Jones media group (owners of the Wall Street Journal and other media assets).
News of the proposed purchase rocked much of the media world when the bid of $60 per share was made in April, though it was welcomed by many outside observers. While the purchase of the financial news powerhouse might seem out of the ordinary for the owners of the Sky network and Fox, a number of outside observers believe that it might be the push that the Wall Street Journal and other Dow Jones assets need to improve their awareness and relevance in new markets. It could be argued, though, that the Wall Street Journal and Dow Jones already carry sufficient brand recognition not to require assistance from News Corporation. Even though the deal has not yet been settled, most sources agree that it is only a matter of days away from being settled, for a purchase price in the range of $5 billion USD. It appears that the withdrawal of bids from the owners of the Financial Times and from GE left News Corporation's bid (with a 67% premium) as the last one standing.

2.4 Antivirus Vendors Head to Court

A growing dispute between Kaspersky Lab and Rising Tech in China is now headed to court after Kaspersky sued Rising Tech for anticompetitive business practices. The dispute, tracked by the Chinese Internet Security Response Team, started when an update issued by Kaspersky for their antivirus products misidentified some of the files associated with the Rising Tech antivirus products as malicious. This misidentification left the Rising Tech products unable to be updated. It is unlikely that the problem was very widespread, as it would have required affected users to be running both Kaspersky and Rising Tech software and updating both whenever a new definitions file was released. Even so, it was still a problem that needed rapid rectification.

Kaspersky, based in Russia, and Rising Tech, a Chinese antivirus vendor, kept up the slanging match, with Rising Tech accusing Kaspersky of misidentifying files at least 22 times within a six month period, and of "show[ing] despise for Chinese users". Rising Tech announced on the 30th of May that they were planning to sue the Beijing office of Kaspersky for unfair competitive practices (though it isn't known whether this suit was brought to court). Misidentification of critical system files and competitor files is an unfortunately all-too-common problem that many antivirus and antimalware vendors have encountered in the past, with several significant incidents taking place in China over recent months. The outcome of the case could have widespread ramifications for antivirus vendors and the misidentification of system and competitor files, so the decision of the Tianjin No.1 Intermediate People's Court is likely to be watched with interest.

2.5 A Matter of Numbers

Over the last couple of weeks traffic to Sûnnet Beskerming has skyrocketed, largely as the result of introducing our new online delivery formats for security news and commentary. Since the start of July, Sûnnet Beskerming content has appeared on many websites, attracting many thousands of new and eager readers. Since introducing the new format for content delivery at the end of June, Sûnnet Beskerming has gone from success to success in attracting new readership and distribution methods. From time to time readers will note our content appearing on The Register, Planet-Websecurity.org, and a number of other sites. Just in the last week, we have seen our content appear on the following sites:

* The Register
* RootSecure
* InfoSec News
* Planet-Websecurity.org
* Security Bloggers Network
* WhiteDust
* Digg
* Security News Portal
* Slashdot

A question that is often asked is - what is the effect of a Slashdotting? Although little traffic was observed in the period following the appearance of our article on Slashdot (due to it being the weekend), come Monday morning traffic spiked at 160 kilobits per second of data transfer, before tailing off to a sustained 40 kilobits per second several hours later. In comparison, Reddit peaked at just under 100 kilobits per second of sustained data transfer, with a much quicker tail-off period. Based on the traffic from last week, Sûnnet Beskerming expects to attract 60,000 hits per month from normal traffic, and triple that in referred traffic from online distribution (based on one Reddit and one Slashdot front page article per month). Another 40,000 hits per month are estimated from readership of the primary Sûnnet Beskerming RSS feed, based on the last few weeks of traffic.

How is it kept running? With a mix of XHTML, PHP, and CSS, beskerming.com was built by hand, completely in house. Always conscious of the need to deliver content in the most efficient manner (after all, not everyone has broadband), we have looked at different ways to bring the same content to the end user without creating a bandwidth-hungry page. As a result, most of our pages weigh in at around 100 KB, with the significant proportion of content being informational text. Our hosting provider also provides us with sufficient hosting capacity to endure a slashdotting without straining the underlying hardware and network connections.

Thank you to our readers for helping make our commentary and articles a success; we trust that you will stay with us into the future to keep up to date on important Information Security news and events.

2.6 It's Official, the iPhone has been Hacked

Less than two weeks from the release of the iPhone, the researchers (#iphone @ irc.osx86.hu) who have been rapidly progressing towards controlling the iPhone have finally succeeded.
Even though their most promising approach, via the bootloader, was cut short when it was discovered that they could not load arbitrary code into the bootloader without Apple's 1024-bit private RSA key, they have now claimed success through their filesystem investigation methods. Despite not having developed a complete toolchain, as they were expecting to have done prior to controlling the iPhone, they have claimed complete control over the device, providing a slightly blurry screenshot as evidence of their achievements.

According to the detailed instructions that they have posted online, it will soon be possible (once they commit the code to the SVN) for anybody with an iPhone and the intent to take full control over their device. The detailed instructions do require two reboots along the way to taking control over the device (a third reboot then gives complete control), with both reboots into the device's Recovery mode. As part of this process, the researchers have been able to escape the chroot jail that was blocking most of their forward progress. After so much effort has been expended in researching ways to take control over the device, it appears that it comes down to a simple permissions change on 'fstab' and a simple addition to the 'Services.plist' file. Of course, simple is relative; prospective hackers and researchers still need the as-yet unreleased 'iPhoneInterface' version. While the researchers involved do not wish for direct links to their development wiki, it is simple enough to find for those who search for it.

Now that this milestone has been reached, it will be interesting to wait and see what sort of homebrew community develops around being able to have system-wide access to the iPhone, to see what Apple's response to this breakthrough will be, and to see what sort of influence this event has (remember, the number of iPhones in circulation isn't much more than a million).

2.7 Microsoft July Security Patch Release

Microsoft have released six patches with the July 2007 Security Patch Release. As per the pre-release information that was provided last week, Microsoft released three Critical patches, two Important patches, and one Moderate patch. Although there are no known exploits for most of the issues (there are some minor exploits known for the IIS patch), it is expected that exploit data and detailed vulnerability code will be released over coming days by the researchers responsible for the discovery. It remains to be seen whether the suspected .NET 0-day will receive widespread release in coming days. There were minor concerns of a new threat to Windows users after a release was made to a number of security mailing lists claiming to have a new 0-day targeting Internet Explorer, though this was later found to be closely related to known historical problems with the handling of different protocols by Internet Explorer (which lead to arbitrary code execution). As with all other monthly patch releases, Sûnnet Beskerming provides detailed patch summaries and briefs for all users.

2.8 A Present for our Readers

Here at Sûnnet Beskerming we like any excuse for a celebration, and what better way to celebrate than to give out presents (yes, we know you should be giving us the presents, but we're feeling happy and generous). For the month of July, all site visitors, RSS readers, or anybody who decides to look in on our site can obtain our July 2007 Security Patch Briefing Pack, completely free. All you need to do is to click on the link to be taken to our online store, then select the 'try' button (or go to our site, select the Products & Services tab, then Security Patch Briefing, before selecting one of the 'Per Report' options). You will then be able to download a .zip containing our briefing pack for this month's Security Patch Release from Microsoft. The link points to the SME version of our briefing pack, but it is the same download for the other service levels. Depending on your service level, this pack is worth between $5 and $5,000.

What is the reason for this celebration? We've been keeping a close eye on our web server logs after our recent high traffic periods and noticed something very interesting over the last couple of days. Not only were we receiving traffic from more and more interesting and diverse sources (we're glad to make a difference for them all - even if some are profiting from our free resources), but some search engine referrers were implying some interesting results. At the time of writing, the following Google searches have us extremely high up in the listings:

* "platform draws" - We don't quite understand why someone would be searching for this particular phrase, but we come out on top.
* "July 2007 Microsoft Patch" - We are the first non-Microsoft result on what is probably a very popular search term at the moment.
* "ARP Poisoning WPA2" - While it is one of our older articles that turns up first, we are extremely pleased to show up first for this query.

It is likely that we are scoring highly on a range of other searches; it is just that these were three of the most recent search engine referrers to turn up in our logs, and three for which we return extremely relevant and useful results. If this is how you have found our content, please enjoy your visit.

2.9 Aussies face the threat of Robo-Pacinos

If reporting from The Age newspaper is to be believed, the Australian Federal Police (AFP) Commissioner, Mick Keelty, briefed a Parliamentary Inquiry into the future impact of organised crime that Australians would be facing the threat of part-robot humans involved in organised crime in the future. Without access to the transcripts from the Inquiry, it is difficult to determine exactly what the Commissioner did say.
Taken at face value, the report has begun receiving attention from security-focussed sites and blogs, not a lot of it favourable to the Commissioner's position. So, what is it that the Commissioner might have said? If the Inquiry that is mentioned is the Inquiry into the future impact of serious and organised crime on Australian society, then there is no record of the transcript available for the session held on July 5, but there is a record of him having provided a brief to the Inquiry. Looking at the submission that the AFP made to the above Inquiry, there are elements which suggest that the Commissioner may have used it as a springboard for his comments to the Inquiry. Further research also turns up the transcript of the Commissioner's speech delivered to the Pearls in Policing Conference on June 11. Combining these two sources, the seemingly outrageous claims made in the article in The Age seem to have a valid background in previous material published by the AFP.

It is accepted that organised crime groups are making efficient and effective use of technological advances to enhance their own activities. The recent spate of Mpack website infections can be linked back to suspected East European organised crime groups that have previously been active in other online criminal activity, and it is well known that many other organised crime groups maintain an active online activity base. Whether or not viable cloning and robotic integration will take place within 20-30 years is more speculation than informed policing. There are enough dissenting voices out there that almost any position can be taken on where human cloning and robotic integration will end up, and it will appear to be a valid claim.

Unfortunately, the Commissioner seems to come across as someone whose advisors have read too many press releases and dubious whitepapers and not watched enough 'Ghost in the Shell' to recognise where their ideas have been previously cleanly laid out and elaborated in an easily digestible format (especially the concept of a digital copy of an individual's brain - wrongly attributed to Second Life). If we see the AFP renamed to Section 9, then we will know where they have been looking for inspiration.

Citing the presence of scams affecting online environments such as Second Life (it helps if the correct names and terminology are used for elements of the environment), the Commissioner suggests that some of these activities could be illegal, but difficult to track, monitor and enforce. The answer to this is surprisingly simple, even more so than the efforts being put into trapping criminals who are active through other online communication channels. Second Life, World of Warcraft, EvE Online, and every other form of online community and virtual world can all be boiled down to the following simple facts:

* Individuals implement a persona when they become part of an online community.
* Individuals may use this persona to engage in actual, attempted, or simulated criminal acts. Intent now becomes an important factor.
* It can be tracked. Information will be present on the victim's system, the perpetrator's system, and more than likely the servers providing the service. If those servers are in countries where laws and their application are different, then other existing laws can come into effect.

There is precedent for applying national or state law to online services that are provided within relevant political boundaries, but it is fraught with loopholes and simple bypass mechanisms - something that law enforcement needs to be aware of, especially given that there will always exist ways around the online enforcement of legislation.

On the positive side, the Commissioner did acknowledge that the AFP is really in the position of playing catch up in a number of these technical fields. He acknowledged that the AFP does not currently maintain the technical expertise to fully understand the legal and policing ramifications of different technological activity, and will need to enhance their interaction with industry in order to strengthen their future position.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com