Advisory #248 - Microsoft (Multiple), Symantec, OS X, DXMedia, Multiple News

Sûnnet Beskerming Alert List Advisory #248
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates are available online (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 7 Days
1.2 Symantec Product Range - Remote Hacker Automatic Control - Time Since Discovery - > 1 week
1.3 OS X - Local Hacker Automatic Control - Time Since Discovery - > 1 week
1.4 DXMedia - Remote Hacker Automatic Control - Time Since Discovery - 7 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network, or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be exploited manually, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 The Difficulty of Validating Systems and Users
2.2 When InfoSec Companies are Targeted
2.3 German Security Professionals in the Mist
2.4 Protecting Aussie Internet Users for $190 Million
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista
Visio 2002, 2003
Outlook Express
Windows Mail

-- Technical Description --
MS07-042 - MSXML. Arbitrary remote code execution. Critical
MS07-043 - OLE. Arbitrary remote code execution. Critical
MS07-044 - Excel. Arbitrary remote code execution. Critical
MS07-045 - Internet Explorer. Arbitrary remote code execution. Critical
MS07-046 - GDI (WMF). Arbitrary remote code execution. Critical
MS07-047 - Windows Media Player. Arbitrary remote code execution. Important
MS07-048 - Vista Gadgets. Arbitrary remote code execution. Important
MS07-049 - Virtual PC. Arbitrary Host code execution. Important
MS07-050 - VML. Arbitrary code execution. Critical
MS07-041 - IIS. Arbitrary remote code execution. Important

-- Description --
Microsoft delivered nine patches as part of the August Security Update release. Six of the patches have been rated as Critical, with the remaining three as Important. Exploit code has already begun to circulate for a number of the vulnerabilities.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-042.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-043.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-044.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-048.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-2223 (MS07-042)
CVE-ID: CVE-2007-2224 (MS07-043)
CVE-ID: CVE-2007-3890 (MS07-044)
CVE-ID: CVE-2007-0943 (MS07-045)
CVE-ID: CVE-2007-2216 (MS07-045)
CVE-ID: CVE-2007-3041 (MS07-045)
CVE-ID: CVE-2007-3034 (MS07-046)
CVE-ID: CVE-2007-3037 (MS07-047)
CVE-ID: CVE-2007-3035 (MS07-047)
CVE-ID: CVE-2007-3033 (MS07-048)
CVE-ID: CVE-2007-3032 (MS07-048)
CVE-ID: CVE-2007-3891 (MS07-048)
CVE-ID: CVE-2007-0948 (MS07-049)
CVE-ID: CVE-2007-1749 (MS07-050)

-- Threat Matrix --
            U   O
Home User  10  10 (Highly Critical)
Corporate  10  10 (Highly Critical)

1.2 Symantec Product Range - Remote hacker automatic control

-- Products Affected --
Various

-- Technical Description --
Two ActiveX controls managed by NAVCOMUI.DLL have input validation errors that can lead to arbitrary code execution.

-- Description --
Symantec have released information about vulnerabilities in two ActiveX controls associated with Norton AntiVirus, Norton Internet Security, and Norton SystemWorks. If an attacker is able to convince a victim to interact with malicious website code that targets these vulnerabilities, then it is possible for the attacker to take control of the victim's system.

-- Recommended Action --
Run LiveUpdate from within affected Symantec software to obtain the appropriate updates.
-- Source --
http://securityresponse.symantec.com/avcenter/security/Content/2007.08.09.html

-- Updates Available --
Run LiveUpdate from within affected Symantec software to obtain the appropriate updates.

-- External Tracking Data --
SYM07-021

-- Threat Matrix --
            U   O
Home User   8   8 (Very High)
Corporate   8   8 (Very High)

1.3 OS X 10.4 - Remote hacker automatic control

-- Products Affected --
10.4.10 and prior.

-- Technical Description --
Numerous issues affecting OS X 10.4.x and 10.3.x, including:
bzip2 - bzgrep run on a file with a malicious name may lead to arbitrary code execution (filename handling issue).
CFNetwork - Poor handling of FTP commands passed via a URI may lead to arbitrary command execution. A second issue, affecting HTTP response splitting, may lead to XSS conditions. A vulnerability in the Java interface to CoreAudio (via CFNetwork) allows for arbitrary memory freeing and arbitrary code execution.
cscope - Multiple vulnerabilities, allowing buffer overflow conditions.
gnuzip - Similar problem to that affecting bzip2.
iChat - Denial of Service or arbitrary code execution as a result of buffer overflow conditions in UPnP IGD.
Kerberos - Multiple vulnerabilities, including remote code execution (see separate vulnerability reports).
mDNSResponder - Denial of Service or arbitrary code execution as a result of poor handling of UPnP IGD code. UPnP IGD support has been removed.
PDFKit - Maliciously named PDF files may lead to arbitrary code execution.
PHP - Multiple vulnerabilities.
Quartz Composer - Denial of service and possible arbitrary code execution due to poor handling of Quartz Composer files.
Samba - Malicious MS-RPC requests can lead to arbitrary code execution or denial of service.
SquirrelMail - Multiple vulnerabilities, the most serious of which is XSS.
Tomcat - Multiple vulnerabilities.
WebCore - Multiple vulnerabilities, including the operation of Java applets when Java support is disabled, scripting within HTML elements, and multiple XSS opportunities.
WebKit - Poor IDN support leading to URL obfuscation, and poor handling of PCRE that can lead to arbitrary code execution.

-- Description --
Apple have released Security Update 2007-007, addressing a large number of serious vulnerabilities affecting both OS X 10.4.x and 10.3.x (Tiger and Panther, respectively). A number of the vulnerabilities also affect the iPhone and the Safari 3 Betas and have been addressed via separate updates as well. A number of the vulnerabilities could allow remote control over vulnerable systems, while others could lead to loss of functionality for legitimate users.

-- Recommended Action --
Security Update 2007-007 should be applied at the earliest opportunity. The update can be applied either through the Software Update application, or by manually downloading it from the download link below.

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
Multiple

-- Threat Matrix --
            U   O
Home User   9   9 (Critical)
Corporate   9   9 (Critical)

1.4 DXMedia SDK - Remote hacker automatic control

-- Products Affected --
DXMedia SDK, at least version 6

-- Technical Description --
The DXTLIPI.DLL associated with the FlashPix ActiveX control, part of the Microsoft DirectX Media SDK, has been discovered to have a buffer overflow vulnerability affecting the SourceUrl() property. Public exploit code is readily available.

-- Description --
Earlier this week it was discovered that an ActiveX control associated with the Microsoft DirectX Media SDK, specifically the DirectTransform FlashPix ActiveX control, contains a vulnerability that allows an attacker to take control of a victim's system if the victim can be convinced to interact with a malicious site.
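The killbit mitigation given under Recommended Action below, as an added example that is not part of the advisory and not Microsoft's own tooling: the script reports whether the FlashPix control can still be instantiated, then sets the 0x400 "Compatibility Flags" bit for the CLSID quoted in this section in both registry views on 64-bit Windows. The registry location is the standard Internet Explorer ActiveX Compatibility key; the function names are my own.

```powershell
# Added example: apply the ActiveX "killbit" for the DirectX Media SDK FlashPix
# control (CLSID taken from the advisory) so Internet Explorer refuses to load it.
# A killbit is a DWORD named "Compatibility Flags" under the ActiveX Compatibility
# key with bit 0x400 set. Run from an elevated (administrator) PowerShell session.

$Clsid   = '{201EA564-A6F6-11D1-811D-00C04FB6BD36}'   # DirectTransform FlashPix, per the advisory
$KillBit = 0x400
$Base    = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# On 64-bit Windows a 32-bit browser reads the Wow6432Node view, so cover both.
$Paths = @("HKLM:\$Base\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-KillBitState {
    # Returns a short description of whether the control can still be instantiated.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 'no entry (control can load)' }
    $flags = (Get-ItemProperty -Path $Path).'Compatibility Flags'
    if ($null -eq $flags) { return 'entry without flags (control can load)' }
    if (($flags -band $KillBit) -eq $KillBit) { return ('killbit set, flags 0x{0:X}' -f $flags) }
    return ('flags 0x{0:X}, killbit clear (control can load)' -f $flags)
}

function Set-KillBit {
    # Idempotent: creates the key if needed and ORs in 0x400, keeping any other flags.
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $Path).'Compatibility Flags'
    $new = ([int]$existing) -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

foreach ($p in $Paths) {
    Write-Output ("Before: {0}`n        {1}" -f $p, (Get-KillBitState -Path $p))
    Set-KillBit -Path $p
    Write-Output ("After:  {0}`n        {1}" -f $p, (Get-KillBitState -Path $p))
}
```

Open browser windows should be closed so that new sessions pick up the change; to undo the mitigation later, clear only the 0x400 bit rather than deleting an entry that carries other flags.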
It is possible that the affected ActiveX control is also available via other products. Public exploit code is readily available from a number of sources.

-- Recommended Action --
It is possible to mitigate the threat by setting the Registry killbit for the affected ActiveX control (CLSID 201EA564-A6F6-11D1-811D-00C04FB6BD36). Alternatively, disable support for all ActiveX controls.

-- Source --
Krystian Kloskowski (h07)

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
US-CERT VU#466601

-- Threat Matrix --
            U   O
Home User   9   9 (Critical)
Corporate   9   9 (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 The Difficulty of Validating Systems and Users

One of the issues plaguing identity management and online authentication systems is how to accurately validate the identity of the system or user connecting to a service. One possible means of identification that has attracted attention recently is finding and identifying a 'MachineID', some form of unique identifier that is specific to a particular physical system and which is difficult to reliably fake. This might take the form of tracking internal network IP addresses, end user system patch levels and browser configuration, and even tracking of end user system hardware configuration. A problem that is then encountered is how to reliably identify when more than one user is using an authenticated system - how is the mechanism to handle seemingly identical requests that originate from distinct users? If the authentication system is to be installed alongside other software, then this is a problem that has already been solved and dismissed from all but casual usage.
Many anti-copying software and hardware efforts come in such a format - additional code that forms part of an installed product, for the purpose of ensuring only legitimate copies of the software are in use. These methods could have modified key software based on how the system identified itself, required the use of a hardware 'dongle' for authentication, looked for the presence of hidden system files or the physical presence of removable media, or even looked for the presence of intentionally-corrupted space on original installation media. With every effort to prevent people from copying or using software in any way they want comes a dedicated effort to overcome and neutralise the above listed means of preventing non-authorised usage.

Going back to the first concept raised in this article - the development and introduction of some equivalent system for use online - the motivation to bypass or trick it increases rapidly alongside the financial incentive to break it and the increased anonymity afforded to those trying to bypass the authentication. Even when there is little obvious financial benefit to bypassing the system, it can fail on its own. The problems encountered by legitimate system users when Windows Genuine Advantage and the Windows XP activation tools fail to work properly have been well documented. If the system can fail completely without user interaction, what benefit is it to those it is trying to protect?

Introducing this sort of mechanism into the online environment is much more difficult than merely allowing it to exist on the end user's system.
Developers and administrators need to be cognisant of the problems posed by a stateless protocol that can serve consecutive requests from seemingly different sources, as well as the wide variety of end systems that might be in use to reach the online service, not only in terms of different operating system types, but also the use of screen readers, mobile phones, kiosks, and any other Internet-capable devices. MAC addresses and hard drive serial numbers can provide information to local applications, but they are more difficult to reach via networked systems. Use of platform-dependent technology like ActiveX can simplify this process, but it then leads to security concerns and problems for users of other platforms (OS X and Linux).

There are a number of methods available for basic authentication and tracking of state across a site, but these all have drawbacks and issues that become apparent when systems are scaled up and spread across load balancing and caching proxies. Even the current 'best of breed' solutions have critical flaws where users can force the system to a 'fallback' position and into a remedial mode where the level of added security and authentication is negligible (back to a simple question in some cases). Some of the theories being put forward for implementation of one of these systems include browser identification, username in use, and system patch levels, though each can be spoofed or hidden from the networked application. At the end of the day, these approaches don't really tie down to a specific system in use.

Part of the difficulty comes in creating a system that is rigid enough to identify and alert to changes in hardware or end user system configuration, yet flexible enough to allow and identify multiple users from the same machine or a reasonable level of system changes, such as those that might occur from replacing a hard drive, applying system patches, or other routine changes.
As a result, many of the systems that come close to achieving these goals don't really add much overall to the security situation faced by the application or primary system. From a holistic viewpoint, addition of a system designed to identify specific systems can cause problems by actually weakening overall security (thus highlighting that problems exist in the overall system design).

There are solutions, however. One of the products in our testing lab is a platform independent mechanism for attaining this goal. With nothing to install on the user side, and complete platform and system independence, it appears that Nabu (the product under testing) is close to achieving the goal of allowing users to safely interact with online services (and vice versa) even when end systems and the joining network are completely compromised. If using a web kiosk or heavily infected system could be made as safe for online account interaction as a heavily locked down read-only system, it would go a long way towards addressing one of the key problems facing Information Security researchers today.

2.2 When InfoSec Companies are Targeted

One of the perils of being an Information Security company is that they become targets of the individuals and groups that produce malware and engage in illegal online activity. Antivirus and antimalware vendors have been targets of this sort of activity for a long time, with a high percentage of current malware actively preventing infected systems from connecting to antivirus, system, antimalware and major software vendors - hoping to prevent the detection and removal of the malware. Some malware variants have even gone so far as to trigger a payload of what amounts to a distributed Denial of Service attack (DDoS) against specific targets, with each infected machine attempting to connect to specific company websites at certain times. Other attacks can be more obvious.
In the space of 24 hours recently, WhiteDust, InfoSec Sellout, and Sûnnet Beskerming were all victims of various attacks from unrelated parties. WhiteDust and InfoSec Sellout had compromises to their online presence, with attackers replacing arbitrary content on the main Internet sites associated with each entity, and Sûnnet Beskerming was targeted with a 'Joe Job' spam run.

The attack against WhiteDust originally resulted in the arbitrary replacement of news articles and site content, suggesting that the attacker had either gained administrator access to the site, or was using a set of SQL injection opportunities to modify backend database content. In the time since the attack was first identified, the WhiteDust site has gone completely offline, leaving only the following message:

    14 August 2007 - 23:58 GMT
    With the industry and those in it so seemingly hostile to Whitedust, and pure apathy from anyone who thinks otherwise. Why bother. This site is now closed permanently. Its staff have abandoned the scene and the industry for real world projects - for good, you won't be seeing us again. You "Won". Good luck out there. You'll need it.
    -The Staff

At this time it is not known whether this is a message from the attacker, or from WhiteDust staff (there has been no response from WhiteDust at this time).

The InfoSec Sellout site was in the process of being reinstated after accidental deletion when unknown parties appeared to take control of the site and delete the content that had been replaced. As with WhiteDust, this is not the limit of the disruption to normal site operations, with the attacker taking the opportunity to fill the site with spam content which is still in place at the time of writing this article.

Sûnnet Beskerming, meanwhile, was victim to a major 'Joe Job' spam run. A 'Joe Job' is when a spammer falsifies the 'Return' or 'From' address in their spam emails.
Not only does this act as a cover for the true origin of the spam, but it also means that the innocent victim receives heavy email traffic from bounced and rejected spam. At its peak, Sûnnet Beskerming was receiving 50-100 messages per minute, just from bounced replies. It is worrying that although the industry understands the concepts and limitations of a 'Joe Job', many systems will still trust the falsified data and still cause problems, years after it was known how 'Joe Job' attacks work. This is something that email protection systems should be taking care of, by default.

2.3 German Security Professionals in the Mist

German Information Security professionals were hopeful after the proposed Police and Justice Act amendments to the UK Computer Misuse Act were suspended, due to the fact that if certain clauses were enacted, they would effectively make the entire Information Security industry in the UK criminals. This hope was important because earlier this year the German Government had introduced similar language into Section 202c StGB of the computer crime laws, which would have made the mere possession of (creating, obtaining or providing access to, selling, yielding, distributing or otherwise allowing access to) tools like John, Kismet, KisMAC, Nessus, nmap, and the ability to Google effectively, a crime. Despite all efforts to peer through the mist about whether changes would be made to the proposed law, as of today it has become active legislation. Penalties under the law include up to 12 months imprisonment, a fine, and potential linkage to terrorism related activities (at least as per sections 202a and 202b of the law).

Despite some observers fearing a 'Kristallnacht' in the near future, and while it is likely there will be some abuses of the law (as with the DMCA, for example), the overall effect on Information Security work and research in Germany is not likely to be all that great. That doesn't mean that changes aren't already happening.
A number of security related products and groups have either closed up shop or relocated to countries of convenience, such as the Netherlands. KisMAC, an OS X wireless network discovery tool, has ceased development and will soon be reappearing in the Netherlands. This was one of the first tools to suddenly cease production in a public manner. Phenoelit have also closed their German presence, though it may be possible to find their content available online in other locations. Those who can read German can see the response from the CCC, who are currently holding their Chaos Communication Camp 2007 near Berlin (think of DefCon, in a field, with tents). The CCC have decided that since the German Government took this move, it means that there are no more security problems facing computer users.

Stefan Esser, the noted PHP Security activist, has withdrawn all of the exploit code that originally accompanied the Month of PHP Bugs project. As Stefan points out:

    "The law does not affect our freedom of speech to report and inform about security vulnerabilities and how to exploit them. We are just not allowed to create/distribute/use software that could be used as "hacking tools"."

Like many other legislative attempts to address real or perceived problems with computer-based activity, the law fails to account for reality. Others have pointed out that it is only those already engaged in illegal activity that are using 'hacking tools'. The legitimate security industry is using 'diagnostics' and other useful utilities. Already it seems that the law will have the unintended consequence of making legitimate research just that much harder, deterring only the legitimate researchers and the opportunistic attacker. The serious criminal will just keep on going with their malicious activity, probably a little bit bolder - safe in the knowledge that the German Government has just made it a little bit more difficult for them to be found.
2.4 Protecting Aussie Internet Users for $190 Million

Within the last 24 hours the Australian Commonwealth Government announced that they would be spending $189 million Australian dollars ($162 million USD) on a range of packages and programs designed to protect Australian Internet users against all that the Internet has to offer, under the name NetAlert. With increasing coverage by the Australian media, it is worthwhile investigating what the features of the proposed scheme actually are, and whether they have any chance of working. While the $189 million is not being immediately assigned to the effort, and reflects a number of endeavours under the guise of protecting Australians against Internet nasties, there are some critical problems with the approach that the Government is taking. Amongst the list of projects that have been earmarked for the money are:

* Internet blocking software for Australian families.
* Resources for efforts to track and identify online predators on social networking sites and in chat rooms.
* Closing down terror sites, and
* Reducing the variety of pornography viewable by Australian Internet users.

Announced during a streaming video presentation to the largest Pentecostal evangelical church in Australia (Hillsong) - an Assemblies of God megachurch - the Prime Minister, John Howard, outlined several measures that would immediately appeal to the conservative (ultra-conservative?) audience: provision of Internet filters, and efforts to block pornography at upstream providers by working with ISPs. More than 700 other Christian assemblies were linked into the address, which meant that more than 100,000 Australians were watching the presentation. The leader of the Opposition, Kevin Rudd, also joined in on providing a presentation to the assembled masses.
This inclusion suggests that if the party in government changes at the next Federal election (later this year), then the plan will stay in place (Labor have actually been ridiculed in the past for their ideas about what it means to protect Australian Internet users).

Probably the most effective way that the money is going to be spent will be to improve funding for various online investigative measures being carried out by the Australian Federal Police, such as efforts to detect and investigate online predators. This may not be all that effective, though, with the AFP not being well-known for its ability to keep up with, adequately identify, and understand Internet based threats. Despite the difficulty of correctly identifying online predators, something that the social networking companies and other interest groups are already struggling with (do you share a name or a birth date with a known predator? If you do, don't go online...), money will still be poured after it. Several million dollars to knock the stupid predators offline might be considered a good investment by some.

One of the ironic measures being proposed is a bucket of money to establish a working group to find ways around the privacy laws and measures that are effectively protecting predators, presumably to make arrest and prosecution easier. If the laws and measures that protect predators are so effective, what is the $189 million needed for, again? Why don't those measures work for those we are supposed to protect? Even though there are known problems with blacklists, money will go towards expanding such a blacklist of nasty sites that Australians aren't supposed to see.
If it were the United States, it would be considered part of the argument about net neutrality and what it means to be designated a 'Common Carrier', though there are probably a number of Australian ISP customers secretly pleased that they might get to sue their ISP for allowing them to view nasty content (the Government was supposed to stop it, right?). The effectiveness and speed with which malicious content can be placed on 'trusted' sites through blended attacks makes all of these efforts almost worthless. Any impartial observer who noted the big trends at recent Information Security conferences would have been able to identify this pattern in an instant.

A hotline to help families install the Internet filtering software being provided will presumably join the National Security Hotline as a widely derided black hole of funds, with limited usefulness (if VCR clocks are taken as a precedent, then the helpline is probably going to be staffed by the very children that the filters are meant to stop looking at nasty material).

While voices against the measures have largely focussed on the choice of audience (Christian conservative), it should not be forgotten that there will be criticism from those in the technical community who understand the sorts of threats and problems that the measures are trying to address. There is fairly strong support for the measures from those who watched the presentations, ranging from those who are supportive of measures to help them limit what they and their children can see online to those supportive of the additional resources to hunt down online predators. Countering this is the argument that parents should not expect the State to do their parenting for them if they are unwilling to. No one is arguing against extra resources to track, identify, and prosecute predators - so long as law enforcement get it right. The amount of money being thrown at the problem has raised some objections, though.
Others have pointed out the abject failure of filtering software to deal with health resources like breast cancer awareness and support groups and breast feeding information, and the heavy handed treatment of sites that push information and opinions that the filtering companies object to (consider how various Left and Right blogs / news sources are treated by different filtering programs). Others have pointed to the inability of filters to keep up with the ability of those with malicious intent to change the location and presentation of their 'objectionable material'. At the end of the day, any teenager or young child that is adept enough to intentionally seek out the content that this scheme is designed to suppress will have the ability to sidestep the protection mechanisms implemented by the program.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com