
Advisory #249 - Microsoft (Multiple), Kerberos, QuickTime, Multiple News

by Sunnet Beskerming Alert mailing list


Sûnnet Beskerming Alert List Advisory #249

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info@... to resolve the  
error.

Why not upgrade to get same day notification on security threats?  
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
        - Remote Hacker Automatic Control
        - Time Since Discovery - 5 Days
1.2 Kerberos
        - Remote Hacker Automatic Control
        - Time Since Discovery - > 1 Week
1.3 QuickTime
        - Remote Hacker Automatic Control
        - Time Since Discovery - 3 Days
=======================================
/*
        - Remote or Local - Can it be achieved through a network or does it
require physical access?
        - Hacker - The bad guy
        - Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
        - Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1 Torrent-spiking Company Loses Email via Torrent
2.2 When Security Products Weaken Security
2.3 How the Online Trust Model is Broken - The Bank of India.com attack
2.4 Windows Vista SP 1 Slips to 2008
2.5 Listen to SIP Phones Even When They are on the Hook
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

        -- Products Affected --
        Windows 2000, XP, 2003, Vista
        Crystal Reports
        Windows Services for Unix
        Messenger

        -- Technical Description --
        MS07-051 - Microsoft Agent (Win 2000 only). Arbitrary remote code  
execution. Critical
        MS07-052 - Crystal Reports (as distributed with Visual Studio).  
Arbitrary remote code execution. Important
        MS07-053 - Windows Services for Unix. Privilege Escalation. Important
        MS07-054 - Microsoft Messenger. Arbitrary remote code execution.  
Important

        -- Description --
        Microsoft delivered four patches as part of the September Security  
Update release earlier this week.  Only one of the patches (MS07-051)  
has been rated as Critical, with the others rated as Important.  
Exploit code has been available for some time for some of the patched  
vulnerabilities, and Microsoft have updated the release information  
for MS07-054 and MS07-052 to address issues identified after the  
initial release date.

        -- Recommended Action --
        All users and administrators should apply the updates at the  
earliest opportunity.

        -- Source --
        http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx
        http://www.beskerming.com/premium/patch_pack.html
        http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
       
        -- Updates Available --
        http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx
        http://www.microsoft.com/technet/security/bulletin/ms07-052.mspx
        http://www.microsoft.com/technet/security/bulletin/ms07-053.mspx
        http://www.microsoft.com/technet/security/bulletin/ms07-054.mspx

        -- External Tracking Data --
        CVE-ID: CVE-2007-3040 (MS07-051)
        CVE-ID: CVE-2006-6133 (MS07-052)
        CVE-ID: CVE-2007-3036 (MS07-053)
        CVE-ID: CVE-2007-2931 (MS07-054)

        -- Threat Matrix --
                      U   O
        Home User    10  10  (Highly Critical)
        Corporate    10  10  (Highly Critical)


1.2 Kerberos - Remote Hacker Automatic Control

        -- Products Affected --
        MIT Kerberos 5 release 1.6.2 and prior.

        -- Technical Description --
        Two vulnerabilities have been discovered in MIT Kerberos 5. The
first is a buffer overflow in the RPC library shipped with the MIT
distribution (and possibly included in other software built on it)
that allows arbitrary code execution. The second is in the kadmind
administration daemon, where an authenticated user may be able to
execute arbitrary code by triggering the use of an uninitialised
pointer.

        -- Description --
        Two separate vulnerabilities have been reported in the Kerberos
authentication software maintained by MIT. The more serious of the two
is a memory fault in an included software library (which may also be
present in other products) that potentially allows a remote attacker
to run software of their choice on a victim's system. The second
allows an authenticated user to run software of their choice on a
vulnerable system through another memory handling issue. Although MIT
have received sample exploitation code from a third party, exploit
code for these issues has yet to circulate widely.

        -- Recommended Action --
        Update to the latest official version from MIT, or wait until your  
Operating System vendor is able to release a patched version for your  
platform.

        -- Source --
        (Paid subscription required to access)

        -- Updates Available --
        (Paid subscription required to access)

        -- External Tracking Data --
        (Paid subscription required to access)

        -- Threat Matrix --
                      U   O
        Home User     9   9  (Critical)
        Corporate     9   9  (Critical)


1.3 QuickTime - Remote Hacker Automatic Control

        -- Products Affected --
        QuickTime 7.1.6 and prior.

        -- Technical Description --
        From the available information, it appears that there is a problem  
with how QuickTime handles XML data that is presented as a valid  
QuickTime media format. Browsers enabled with a QuickTime plugin have  
been demonstrated to be vulnerable to an attack based on this (it has  
yet to be determined if it is the browser interpreting the XML, or  
the plugin, but multiple browsers are vulnerable).

        -- Description --
        A web security researcher has identified a vulnerability with the  
way that a number of browsers handle different QuickTime media files.  
At this stage, it is too early to determine if the vulnerability is  
with the QuickTime plugin (likely), or the browsers. Along with the  
disclosure of the vulnerability, public exploit samples were  
provided. At this time there has been no response from Apple about  
the potential vulnerability.

        -- Recommended Action --
        Until Apple responds, consider handling QuickTime content with an
alternative media library, or change how the browser handles QuickTime
content (for example, by disabling the QuickTime plugin).

        -- Source --
        (Paid subscription required to access)

        -- Updates Available --
        (Paid subscription required to access)

        -- External Tracking Data --
        (Paid subscription required to access)

        -- Threat Matrix --
                      U   O
        Home User     9   9  (Critical)
        Corporate     9   9  (Critical)

=======================================
/*
Threat Matrix:
        U - User
        O - Operator
        Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Torrent-spiking Company Loses Email via Torrent

Via news at TorrentFreak, it seems that MediaDefender has become the
subject of what could be the biggest BitTorrent leak to date.
Apparently, more than 700 MB of internal email (almost 9 months' worth,
with the most recent from September 2007) was leaked to the Internet
after an employee's GMail account was hacked.

MediaDefender markets itself as 'the leading provider of anti-piracy  
solution in the emerging Internet-Piracy-Prevention (IPP) industry',  
specialising in services and technology designed to mitigate and  
prevent the spread of illegally copied / distributed copyrighted  
material. In simple terms, they are one of the companies believed to  
be responsible for the poisoning of material on various P2P networks  
and BitTorrent trackers.

The release of MediaDefender's email history appears to be the  
responsibility of a group calling themselves 'MediaDefender-
Defenders', an advocacy group that claims to be working for securing  
the privacy and integrity of all peer-to-peer users. According to the  
information still publicly available from a number of Torrent tracker  
sites, the data was captured from a MediaDefender employee's GMail  
account, where the employee had been forwarding all internal email  
(hint, don't ever do that). Even worse, he had been using a weak  
access password on the account which eventually gave the  
MediaDefender-Defenders group access.

Material that might get some to pause and think about the source of  
that next download includes information on the New York State  
Attorney General's Office apparently looking to set up fake sources  
to build cases against file sharers in New York State. Even more  
relevant for Torrent users is indication that MediaDefender had  
accounts with several private torrent sites.

Current court cases in which RIAA members are suing file sharers might
be seen in a slightly different light (or at least it might be
confirmed that certain activities are being carried out for the
suspected reasons), given that Universal appears to be looking for a
correlation between its lawsuit activity and P2P usage within
universities (specifically, a reduction in usage following lawsuits).
There is also information suggesting that MediaDefender was using a
Universal Music Group site to store material it had downloaded for
later analysis (complete with authentication details).

Because this information came out over the weekend, it is probable  
that it will remain live for at least a few days into next week, and  
it is guaranteed that the compromised email file will have reached  
the critical number of users required for it to always have a  
presence online.

While the file might be readily available and very enticing to look
at, readers should be reminded that being caught with it in their
possession, or found to have accessed it, may be illegal (civilly or
criminally) in their jurisdiction. Included in the unedited file (which
is still readily available) is information on server authentication
details, pay negotiations, IP lists, trackers used as decoys,
strategies, the effectiveness of existing systems, and more.


2.2 When Security Products Weaken Security

It is almost becoming normal for malware to target a range of  
antivirus and antimalware products as part of the infection routine,  
preventing them from accessing definitions updates, preventing them  
from accessing the vendor's website, or even terminating any running  
process associated with protective software.

Sometimes it is the protective software that is the greatest risk to  
a system, through bugs that introduce weaknesses to the systems it is  
trying to protect. This could be as simple as problems with scanning  
modules, as has often been seen with antivirus platforms, or it could  
be a vulnerability with the core software that then allows an  
attacker full access to the system that it is trying to protect.

When it comes to identifying and repairing these vulnerabilities,  
which could have significant impacts on the overall security of  
systems and networks, it is preferred that vendors release the  
information publicly and make the patches available in a timely  
manner. Sometimes it doesn't work out that way and hackers are openly  
sharing information about critical vulnerabilities in various vendor  
products.

Such a situation has recently taken place with Kaspersky Anti-Virus,
when noted Russian rootkit researcher EP_X0FF published a detailed
report on vulnerabilities that Kaspersky introduces into a system
which otherwise wouldn't be there. Worryingly for users of Kaspersky
products, it seems that the particular vulnerabilities disclosed can
be exploited from an unprivileged account but have system-wide
effects. At this stage, all the disclosed details will do is produce a
'Blue Screen of Death', but they are likely to draw the attention of
other hackers, who could find ways to turn the crash into a situation
where they take control of the system.

While not a vulnerability as such, Microsoft have come under fire
lately for automatic updates that have been applied to systems that
were otherwise configured not to update automatically. Software
updates to the Windows Update service itself were not being announced
and were silently applied to systems whose users had configured them
for manual updates only. Supporters of Microsoft argue that this isn't
a problem and ask why there is concern over the issue (after all, you
only licence your software), while a vocal chorus of people argue that
any automated change to their system is a problem when they have
specifically set it up not to update automatically. Why this
particular practice of silently updating Windows Update has suddenly
grabbed attention is not known, as Microsoft have been updating the
application in this manner for a long time.


2.3 How the Online Trust Model is Broken - The Bank of India.com attack

Thanks to the team at Sunbelt Software comes news of a serious hack  
perpetrated on the website for the Bank of India at http://
www.bankofindia.com (non clicky for those who aren't reading closely).

Attacks and public defacements of websites are regular occurrences and
can be seen at Zone-h, and attacks against high-profile sites are not
uncommon. This particular hack, however, introduces an invisible 1 x 1
<iframe> that loads immediately after the <body> tag, so it wouldn't
normally be included in the Zone-h archive and wouldn't normally be
noticed by the average Internet user.
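An added example of the check this kind of injection calls for; it is not code from the advisory or from Sunbelt. The Python scanner below parses a page's HTML and flags iframes that are both third-party and concealed (1 x 1 or smaller, or hidden by CSS), and also records when a frame is the very first element after <body>, the position described above. The sample page and every host name in it are constructed for the demonstration; the only detail taken from the write-up is the shape of the injection.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real Bank of India markup): the first iframe
# mirrors the shape of the injection described above, a 1x1 third-party frame
# placed immediately after <body>. All host names are illustrative.
SAMPLE_PAGE = """<html><head><title>Example Bank</title></head>
<body><iframe src="http://malicious.example/c.php" width="1" height="1" frameborder="0"></iframe>
<div id="content">
  <iframe src="https://www.example-bank.test/rates" width="600" height="400"></iframe>
  <iframe src="https://video.example.net/embed/123" width="560" height="315"></iframe>
  <iframe src="http://ads.example.org/px" style="display: none"></iframe>
</div></body></html>"""

# A third-party frame is only flagged when it also shows one of these signals.
CONCEALMENT = {"1x1 or smaller", "hidden by CSS"}


def _px(value):
    """Integer pixel size from an attribute such as "1", "1px" or " 0 "; None if absent."""
    if value is None:
        return None
    match = re.search(r"\d+", value)
    return int(match.group()) if match else None


def _same_site(host, site_host):
    host, site_host = host.lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


class IframeAuditor(HTMLParser):
    """Record every <iframe> together with the concealment signals it shows."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.body_open = False
        self.elements_since_body = 0
        self.iframes = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag == "body":
            self.body_open = True
            self.elements_since_body = 0
            return
        if tag != "iframe":
            if self.body_open:
                self.elements_since_body += 1
            return
        reasons = []
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and not _same_site(host, self.site_host):
            reasons.append("third-party src")
        width, height = _px(attrs.get("width")), _px(attrs.get("height"))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 or smaller")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if self.body_open and self.elements_since_body == 0:
            reasons.append("first element after <body>")
        self.iframes.append((src, reasons))
        self.elements_since_body += 1


def audit_iframes(html, site_host):
    """Return (src, reasons) for each iframe that is both third-party and concealed."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return [
        (src, reasons)
        for src, reasons in parser.iframes
        if "third-party src" in reasons and CONCEALMENT & set(reasons)
    ]


if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_PAGE, "www.example-bank.test"):
        print(f"SUSPICIOUS iframe {src}: {', '.join(reasons)}")
```

Run it against a saved copy of your own front page. Visible third-party embeds (the video frame in the sample) are recorded but not flagged, so a fetch-and-compare against a known-good baseline is the natural companion check. It only sees frames present in the served markup, not ones added by script at runtime.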

Although the site that the iframe points to (goodtraff.biz) has since  
vanished from the Internet (about an hour before this article was  
written), WHOIS records still exist that indicate that the malware  
was being hosted out of Russia. Sunbelt's analysis shows several  
other sites being involved in the attack, though these no longer load  
since goodtraff.biz doesn't respond to queries. Manually entering the  
addresses into a browser will load some of them, suggesting that  
those upstream malware sources are active (others have already been  
shut down). Of interest is one particular referenced site, an Adult  
website traffic aggregator that clearly sets out in its rules that  
traffic is not to come from:

     * pop-ups, consoles, iframes or Error pages
     * dialers, iframes, exploits ...

As this is a pay-for-traffic site, it is not known how much money the
attacker has been able to make from the Bank of India hack, but their
user number (0224) is sure to have attracted a significant amount of
traffic via the hidden iframe.

Goodtraff.biz has been implicated in malicious activity in the past,
though on a relatively small scale. Whoever compromised the Bank of
India site (which is still compromised) has elevated a low-profile
malware site into the limelight, at least temporarily. With more than
22 pieces of malware attempting to install from a single visit, this
represents a significant problem for Bank of India customers who have
viewed the site over at least the last 36 hours. Unfortunately there
is no indication of when the site was first compromised, so there may
be a lot of victims from this one particular hack.

This is a problem when users are relying on various online Trust
brokers to tell them when a site is malicious, either through
displaying a certain colour to indicate malicious activity, or
through actively preventing the user from accessing the site. One of
the better known Trust brokers, SiteAdvisor, gives the Bank of India
website a clean bill of health. It takes a bit of effort to drill
down into the comments before a small link is found, from a user,
that points to Sunbelt's coverage of the hack - but the overall
rating remains positive.

SiteAdvisor is not alone in trusting the compromised site. Google's  
Safe Browsing extension for Firefox fails to notice the breach, as  
does Finjan, NetCraft and PhishTank SiteChecker. It is expected that  
most Trust broking sites will report that the Bank of India site is  
still valid.

For critics of the various Trust broking models, this is a clear  
example of the fatal flaws present in almost all models, that the  
refresh time on a site is too long to be useful when a surf-by attack  
on a trusted site can take place in a matter of seconds, with a  
lifetime of hours, and with a victim base of thousands or greater.

All of the advice given to users for how to protect themselves when  
surfing online breaks down in the face of a compromise to a trusted  
online financial institution - it should be a trusted site that the  
user can run Scripting and ActiveX controls on (as appropriate) with  
little fear of compromise.

There are some alternative models of trust being developed, but most  
are still being kept quiet by the various developers and vendors who  
are working on them, including Sûnnet Beskerming's own Nabu system  
(to address previous complaints - the reason why no one has heard of  
Nabu and can not find information on it is because Sûnnet Beskerming  
does not leak information about what is being created in their  
research labs. If you want to know more, you can contact Sûnnet  
Beskerming directly).

The best advice for visiting any site on the Internet is to apply  
caution. It doesn't matter how well you trusted the site in the past,  
it isn't going to take much to completely compromise both it and your  
system.


2.4 Windows Vista SP 1 Slips to 2008

After initially reporting that Service Pack 1 for Vista was due  
before the end of 2007, Microsoft now say that the Service Pack will  
not be due out until the first quarter of 2008. Actually, what they  
say is that they are 'targeting' the first quarter of 2008 for the  
release, so the actual release date has yet to be made public.

For those who can't wait until 2008, or who weren't part of the
closed testing program, there is always the educated guesswork being
carried out over at vistasp1.net. With no confirmation that these
hotfixes and updates will be incorporated into SP 1, it is noteworthy
that Microsoft are annoyed with the information being put forward
about potential SP 1 content. Microsoft are also expecting to release
the Service Pack for public testing later this year, so there are
some opportunities for the general public to get hold of the Service
Pack prior to release.

Despite it looking like a short period of time between the release of  
Windows Vista and the first Service Pack, it is actually longer than  
the amount of time that it took for Windows 2000 and XP to have their  
first Service Pack releases.

Download size and hard drive space requirements have also been hinted  
at, with around 50MB required for the initial download via WSUS, with  
up to 7 GB of hard drive space required for the SP 1 install (it  
seems that the standalone image is going to be around 1 GB). Unless  
Microsoft have invented a new, ultra-efficient compression algorithm  
for the download option, it is probably going to be most efficient  
for most users to obtain their Service Pack updates on optical media.

Separating public testing from the public release could lead to  
interesting Information Security aspects, with any new security fixes  
bound to be reverse engineered and probed prior to the public Service  
Pack release.


2.5 Listen to SIP Phones Even When They are on the Hook

Recently disclosed information suggests that it is a relatively  
simple matter to remotely eavesdrop on a broad range of SIP-enabled  
devices. For readers who aren't aware of what SIP-enabled devices  
are, SIP (Session Initiation Protocol) is a protocol that is used by  
a lot of VoIP software and associated telephone handsets to  
establish, modify, and control a VoIP connection between two parties.

The research that was published indicates that, for at least one  
vendor, it is possible to automatically call a SIP device from that  
vendor and have it silently accept the call, even if it is still on  
the hook - instantly turning it into a classic bugged phone. Whereas  
historic telephony bugs needed physical targeting of the line running  
to a property or place of business, the presence of VoIP in the  
equation allows bugging from anywhere in the world with equal  
ability. Now anyone can do from their armchair what only spies and  
law enforcement used to be able to do from inside the telephone  
switch / pit / distribution board, though it's still illegal to do so.

As well as bugging the phone, the action effectively acts as a Denial  
of Service against the device (after all, it is already engaged in a  
call).

Having found the bug via fuzzing, the discovering researchers believe  
that there may be a number of vendors that have created their own SIP  
networking code, with equivalent bugs contained within.

While the vendor concerned is expected to release appropriate patches  
soon, the disclosure is likely to turn attention on other SIP device  
providers.

This may already be happening, with two separate exploits released  
publicly in the last couple of days targeting Cisco SIP handsets,  
with the result of a Denial of Service condition against the phones.  
VoIP client software from eCentrex has also been targeted with public  
exploit code, except this time it allows for control over vulnerable  
devices as a result of a remote buffer overflow condition.

Concerned users and administrators who have SIP enabled software or  
hardware should be aware of their potential limitations and have  
appropriate mitigation strategies in place, especially if they are  
used in sensitive areas (military use, national secrets, trade  
secrets, etc).

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.




_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

