Advisory #249 - Microsoft (Multiple), Kerberos, QuickTime, Multiple News

Sûnnet Beskerming Alert List Advisory #249
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates are available online (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 5 Days
1.2 Kerberos - Remote Hacker Automatic Control - Time Since Discovery - > 1 Week
1.3 QuickTime - Remote Hacker Automatic Control - Time Since Discovery - 3 Days
=======================================
/*
 - Remote or Local - Can it be achieved through a network, or does it require physical access?
 - Hacker - The bad guy
 - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
 - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Torrent-spiking Company Loses Email via Torrent
2.2 When Security Products Weaken Security
2.3 How the Online Trust Model is Broken - The Bank of India.com attack
2.4 Windows Vista SP 1 Slips to 2008
2.5 Listen to SIP Phones Even When They are on the Hook
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista
Crystal Reports
Windows Services for Unix
Messenger

-- Technical Description --
MS07-051 - Microsoft Agent (Windows 2000 only). Arbitrary remote code execution. Critical
MS07-052 - Crystal Reports (as distributed with Visual Studio). Arbitrary remote code execution. Important
MS07-053 - Windows Services for Unix. Privilege escalation. Important
MS07-054 - Microsoft Messenger. Arbitrary remote code execution. Important

-- Description --
Microsoft delivered four patches as part of the September Security Update release earlier this week. Only one of the patches (MS07-051) has been rated as Critical, with the others rated as Important. Exploit code has been available for some time for some of the patched vulnerabilities, and Microsoft have updated the release information for MS07-054 and MS07-052 to address issues identified after the initial release date.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-sep.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-052.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-053.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-054.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-3040 (MS07-051)
CVE-ID: CVE-2006-6133 (MS07-052)
CVE-ID: CVE-2007-3036 (MS07-053)
CVE-ID: CVE-2007-2931 (MS07-054)

-- Threat Matrix --
               U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)

1.2 Kerberos - Remote Hacker Automatic Control

-- Products Affected --
Kerberos 5-1.6.2 and prior.

-- Technical Description --
Two vulnerabilities affecting the MIT Kerberos distribution have been discovered. The first is a buffer overflow in the RPC library included with MIT Kerberos (and which may also be included in other software), which allows arbitrary code execution. The second is in the kadmind component, where an authenticated user may be able to execute arbitrary code through the use of an uninitialised memory pointer.

-- Description --
Two separate vulnerabilities have been reported for the Kerberos authentication software maintained by MIT. The more serious of the two is a memory fault in an included software library (which may also be present in other products) that potentially allows an attacker to run software of their choice on a victim's system. The second allows an authenticated user to run software of their choice on a vulnerable system through another memory handling error. Although MIT have received sample exploitation code from a third party, exploit code for these issues has yet to circulate widely.

-- Recommended Action --
Update to the latest official version from MIT, or wait until your Operating System vendor is able to release a patched version for your platform.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
               U    O
Home User      9    9 (Critical)
Corporate      9    9 (Critical)

1.3 QuickTime - Remote Hacker Automatic Control

-- Products Affected --
QuickTime 7.1.6 and prior.

-- Technical Description --
From the available information, it appears that there is a problem with how QuickTime handles XML data that is presented as a valid QuickTime media format. Browsers with a QuickTime plugin enabled have been demonstrated to be vulnerable to an attack based on this (it has yet to be determined whether it is the browser or the plugin interpreting the XML, but multiple browsers are vulnerable).

-- Description --
A web security researcher has identified a vulnerability in the way that a number of browsers handle certain QuickTime media files. At this stage, it is too early to determine whether the vulnerability lies with the QuickTime plugin (likely) or with the browsers. Along with the disclosure of the vulnerability, public exploit samples were provided. At this time there has been no response from Apple about the potential vulnerability.

-- Recommended Action --
Consider the use of alternate QuickTime media handling libraries, or change the handling of QuickTime media from within the browser.

-- Source --
(Paid subscription required to access)

-- Updates Available --
(Paid subscription required to access)

-- External Tracking Data --
(Paid subscription required to access)

-- Threat Matrix --
               U    O
Home User      9    9 (Critical)
Corporate      9    9 (Critical)

=======================================
/*
 Threat Matrix:
 U - User
 O - Operator
 Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Torrent-spiking Company Loses Email via Torrent

Via news at TorrentFreak, it seems that MediaDefender has become the subject of what could be the biggest BitTorrent leak to date. Apparently, more than 700 MB of internal email (almost 9 months' worth, with the most recent from September 2007) from the company was leaked to the Internet after an employee's Gmail account was hacked. MediaDefender markets itself as 'the leading provider of anti-piracy solution in the emerging Internet-Piracy-Prevention (IPP) industry', specialising in services and technology designed to mitigate and prevent the spread of illegally copied / distributed copyrighted material.
In simple terms, they are one of the companies believed to be responsible for poisoning material on various P2P networks and BitTorrent trackers.

The release of MediaDefender's email history appears to be the work of a group calling themselves 'MediaDefender-Defenders', an advocacy group that claims to be working to secure the privacy and integrity of all peer-to-peer users. According to the information still publicly available from a number of torrent tracker sites, the data was captured from a MediaDefender employee's Gmail account, to which the employee had been forwarding all internal email (hint: don't ever do that). Even worse, he had been using a weak password on the account, which eventually gave the MediaDefender-Defenders group access.

Material that might give some pause to think about the source of that next download includes information on the New York State Attorney General's Office apparently looking to set up fake sources to build cases against file sharers in New York State. Even more relevant for torrent users is the indication that MediaDefender held accounts with several private torrent sites. Current court cases in which members of the RIAA are suing file sharers might be looked at in a slightly different light (or at least certain activities confirmed as being for the suspected reasons), as it appears that Universal are looking for a correlation between their lawsuit activity and P2P usage within universities (looking for a reduction following lawsuit activity). There is also information suggesting that MediaDefender were using a Universal Music Group site to store material that they had downloaded for later analysis (complete with authentication details).

Because this information came out over the weekend, it is probable that it will remain live for at least a few days into next week, and it is all but certain that the compromised email file has reached the critical number of users required for it to have a permanent presence online. While the file might be readily available and very enticing to look at, readers should be reminded that possessing or accessing it may be illegal (civilly or criminally) in their jurisdiction. Included in the unedited file (which is still readily available) is information on server authentication details, pay negotiations, IP lists, trackers used as decoys, strategies, effectiveness of existing systems, and more.

2.2 When Security Products Weaken Security

It is almost becoming normal for malware to target a range of antivirus and antimalware products as part of the infection routine, preventing them from accessing definition updates, preventing them from accessing the vendor's website, or even terminating any running process associated with protective software. Sometimes, though, it is the protective software that is the greatest risk to a system, through bugs that introduce weaknesses into the systems it is trying to protect. This could be as simple as problems with scanning modules, as has often been seen with antivirus platforms, or it could be a vulnerability in the core software that then allows an attacker full access to the system it is trying to protect.

When it comes to identifying and repairing these vulnerabilities, which can have significant impacts on the overall security of systems and networks, it is preferable that vendors release the information publicly and make patches available in a timely manner. Sometimes it doesn't work out that way, and hackers openly share information about critical vulnerabilities in various vendor products. Such a situation has recently taken place with Kaspersky Anti-Virus, when noted Russian rootkit researcher EP_X0FF published a detailed report on vulnerabilities that Kaspersky introduces into a system that otherwise wouldn't be there. Worryingly for users of Kaspersky products, it seems that the particular vulnerabilities disclosed can be exploited from an unprivileged account, but have system-wide effects. At this stage, all the disclosed details will do is produce a 'Blue Screen of Death', but the report is likely to draw the attention of other hackers, who could find ways to turn it into a situation where they take control of the system.

While not a vulnerability as such, Microsoft have come under fire lately for automatic updates that have been applied to systems that were otherwise configured not to update automatically. Software updates to the Windows Update service itself were not being announced and were silently being applied to systems where the users had configured them for manual updates only. Supporters of Microsoft argue that this isn't a problem and ask why there is concern over the issue (after all, you only licence your software), while a vocal chorus of people argue that any automated change to their system is a problem when they have specifically set it up not to update automatically. Why this particular practice of silently updating Windows Update has suddenly grabbed attention is not known, as Microsoft have been updating the application in this manner for a long time.

2.3 How the Online Trust Model is Broken - The Bank of India.com attack

Thanks to the team at Sunbelt Software comes news of a serious hack perpetrated on the website of the Bank of India at http:// www.bankofindia.com (deliberately 'non clicky', for those who aren't reading closely). Attacks and public defacements of websites are regular occurrences and can be seen at Zone-h, and attacks against high profile sites are not uncommon. This particular hack, however, introduces an invisible 1 x 1 <iframe> that loads immediately after the <body> tag, so it wouldn't normally be included in the Zone-h archive and wouldn't normally be noticed by the average Internet user.

Although the site that the iframe points to (goodtraff.biz) has since vanished from the Internet (about an hour before this article was written), WHOIS records still exist that indicate the malware was being hosted out of Russia. Sunbelt's analysis shows several other sites being involved in the attack, though these no longer load since goodtraff.biz doesn't respond to queries. Manually entering the addresses into a browser will load some of them, suggesting that those upstream malware sources are still active (others have already been shut down). Of interest is one particular referenced site, an adult website traffic aggregator that clearly sets out in its rules that traffic is not to come from:

* pop-ups, consoles, iframes or Error pages
* dialers, iframes, exploits
...

As a money-for-traffic site, it is not known how much money the attacker has been able to make from the Bank of India hack, but their user number (0224) is sure to have attracted a significant amount of traffic via the hidden iframe.

Goodtraff.biz has been implicated in malicious activity in the past, though on a relatively small scale. Whoever compromised the Bank of India site (which is still compromised) has elevated a low profile malware site into the limelight, at least temporarily. With more than 22 pieces of malware attempting to install from a single visit, it represents a significant problem for the Bank of India customers who have viewed the site over at least the last 36 hours. Unfortunately there is no indication of when the site was first compromised, so there may be a lot of victims from this one hack.
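A 1 x 1 frame injected straight after <body> is invisible to the eye but trivial to flag mechanically. The following is an added example, not code from this advisory, from Sunbelt, or from the Bank of India site: a small audit that parses a page's HTML and reports any <iframe> that is tiny, hidden by inline CSS, sourced from a host other than the page's own, or sits as the very first element after <body>. The sample page and both hostnames in it are constructed placeholders.

```python
"""Flag hidden <iframe> injections of the kind described in section 2.3.

Added example; not code from the advisory, Sunbelt or the affected site.
SAMPLE_PAGE and both hostnames are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = ("display:none", "visibility:hidden")


def _px(value):
    """Turn a width/height attribute ('1', '1px', ' 0 ') into an int, or None."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


class IframeAuditor(HTMLParser):
    """Collect suspicious <iframe> elements while parsing a page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.in_body = False
        self.elements_in_body = 0   # elements opened since <body>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "body":
            self.in_body = True
            self.elements_in_body = 0
            return
        if self.in_body:
            self.elements_in_body += 1
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []

        # 1x1 (or 0x0) frames render nothing visible but still load their src.
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny")

        # Frames hidden outright by inline CSS.
        style = a.get("style", "").replace(" ", "").lower()
        if any(marker in style for marker in HIDDEN_CSS):
            reasons.append("css-hidden")

        # Content pulled from a host other than the page itself.
        host = urlparse(a.get("src", "")).hostname
        if host and host.lower() != self.page_host:
            reasons.append("external-src")

        # The Bank of India injection sat immediately after <body>.
        if self.in_body and self.elements_in_body == 1:
            reasons.append("first-after-body")

        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def audit_html(html, page_host):
    """Return a list of {'src', 'reasons'} dicts for suspicious iframes in html."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page: one injected frame right after <body>, one legitimate frame.
SAMPLE_PAGE = """<html><head><title>Example Bank</title></head>
<body><iframe src="http://malware-host.test/frame.html" width="1" height="1" frameborder="0"></iframe>
<div id="content"><h1>Welcome</h1>
<iframe src="http://www.example-bank.test/rates" width="600" height="400"></iframe>
</div></body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE, "www.example-bank.test"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run against a fetched copy of a page, the injected frame is reported with all three reasons while the 600 x 400 same-host frame passes silently. The host comparison is deliberately strict (no "www." stripping), and a legitimate visible frame that happens to be the first element after <body> will still earn the single "first-after-body" reason; treat the output as a triage list, not a verdict.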
This is a problem when users are relying on various online trust brokers to tell them when a site is malicious, either through displaying a certain colour to indicate malicious activity, or through actively preventing the user from accessing the site. One of the better known trust brokers, SiteAdvisor, gives the Bank of India website a clean bill of health. It takes a bit of effort to drill down into the comments before a small link is found, from a user, that points to Sunbelt's coverage of the hack, but the overall rating remains positive. SiteAdvisor is not alone in trusting the compromised site. Google's Safe Browsing extension for Firefox fails to notice the breach, as do Finjan, Netcraft and PhishTank SiteChecker. It is expected that most trust broking sites will report that the Bank of India site is still valid.

For critics of the various trust broking models, this is a clear example of the fatal flaw present in almost all of them: the refresh time on a site rating is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or more. All of the advice given to users on how to protect themselves when surfing online breaks down in the face of a compromise of a trusted online financial institution; it should be a trusted site on which the user can run scripting and ActiveX controls (as appropriate) with little fear of compromise.

There are some alternative models of trust being developed, but most are still being kept quiet by the various developers and vendors who are working on them, including Sûnnet Beskerming's own Nabu system (to address previous complaints: the reason why no one has heard of Nabu and cannot find information on it is that Sûnnet Beskerming does not leak information about what is being created in its research labs. If you want to know more, you can contact Sûnnet Beskerming directly).

The best advice for visiting any site on the Internet is to apply caution. It doesn't matter how well you trusted the site in the past; it isn't going to take much to completely compromise both it and your system.

2.4 Windows Vista SP 1 Slips to 2008

After initially reporting that Service Pack 1 for Vista was due before the end of 2007, Microsoft now say that the Service Pack will not be out until the first quarter of 2008. Actually, what they say is that they are 'targeting' the first quarter of 2008 for the release, so the actual release date has yet to be made public. For those who can't wait until 2008, or who weren't part of the closed testing program, there is always the educated guesswork being carried out over at vistasp1.net. With no confirmation that these hotfixes and updates will be incorporated into SP 1, it is noteworthy that Microsoft are annoyed with the information being put forward about potential SP 1 content. Microsoft are also expecting to release the Service Pack for public testing later this year, so there are some opportunities for the general public to get hold of the Service Pack prior to release.

Despite it looking like a short period of time between the release of Windows Vista and the first Service Pack, it is actually longer than the time it took for Windows 2000 and XP to receive their first Service Packs. Download size and hard drive space requirements have also been hinted at, with around 50 MB required for the initial download via WSUS, and up to 7 GB of hard drive space required for the SP 1 install (it seems that the standalone image is going to be around 1 GB). Unless Microsoft have invented a new, ultra-efficient compression algorithm for the download option, it is probably going to be most efficient for most users to obtain their Service Pack on optical media. Separating public testing from the public release could have interesting Information Security consequences, with any new security fixes bound to be reverse engineered and probed prior to the public Service Pack release.

2.5 Listen to SIP Phones Even When They are on the Hook

Recently disclosed information suggests that it is a relatively simple matter to remotely eavesdrop on a broad range of SIP-enabled devices. For readers who aren't aware of what SIP-enabled devices are, SIP (Session Initiation Protocol) is the protocol used by a lot of VoIP software and associated telephone handsets to establish, modify and tear down a VoIP call between two parties. The published research indicates that, for at least one vendor, it is possible to call a SIP device from that vendor and have it silently accept the call, even while it is still on the hook, instantly turning it into a classic bugged phone. Whereas historic telephony bugs needed physical access to the line running to a property or place of business, the presence of VoIP in the equation allows bugging from anywhere in the world with equal ability. Now anyone can do from their armchair what only spies and law enforcement used to be able to do from inside the telephone switch / pit / distribution board, though it is still illegal to do so. As well as bugging the phone, the action effectively acts as a Denial of Service against the device (after all, it is already engaged in a call).

Having found the bug via fuzzing, the researchers believe that there may be a number of vendors that have written their own SIP networking code, with equivalent bugs contained within. While the vendor concerned is expected to release appropriate patches soon, the disclosure is likely to turn attention to other SIP device providers.
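A phone that silently accepts a call leaves a signature on the wire: the INVITE to it is answered with a final 200 OK almost immediately and without any 180 Ringing in between. The following is an added example, not code from this advisory or from the researchers it refers to, of a small detector that applies that rule to a SIP signalling trace. The trace format (a '--- <seconds>' line before each message) and the trace itself are constructed for the example, using documentation addresses; the one-second threshold is an assumption to tune for your own environment.

```python
"""Spot a SIP handset answering an INVITE without ever ringing (section 2.5).

Added example; not code from the advisory or from the researchers it
refers to. SAMPLE_TRACE is a constructed capture with placeholder URIs,
Call-IDs and RFC 5737 addresses, not real devices.

Heuristic: a final 200 OK to an INVITE that arrives within
AUTO_ANSWER_SECONDS with no 180 Ringing beforehand looks like a silent
auto-answer, which is exactly what turns a phone into a bug.
"""

AUTO_ANSWER_SECONDS = 1.0   # assumed threshold; tune per environment


def parse_trace(trace):
    """Parse the constructed trace format into (time, start_line, headers) tuples.

    Each message is introduced by a line '--- <seconds>' giving the capture time,
    followed by the SIP start line and its headers. Header names are lower-cased.
    """
    messages = []
    for chunk in trace.strip().split("---")[1:]:
        lines = chunk.strip().splitlines()
        when = float(lines[0])
        start_line = lines[1].strip()
        headers = {}
        for line in lines[2:]:
            if not line.strip():
                break            # blank line ends the header block
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append((when, start_line, headers))
    return messages


def find_silent_answers(trace, threshold=AUTO_ANSWER_SECONDS):
    """Return the Call-IDs of INVITEs answered with 200 OK, unrung, within threshold."""
    invite_time = {}     # call-id -> when the INVITE was seen
    rang = set()         # call-ids that produced a 180 Ringing
    flagged = []
    for when, start_line, headers in parse_trace(trace):
        call_id = headers.get("call-id")
        if start_line.startswith("INVITE "):
            invite_time[call_id] = when
            continue
        if not start_line.startswith("SIP/2.0 "):
            continue
        if not headers.get("cseq", "").upper().endswith("INVITE"):
            continue             # responses to BYE, OPTIONS etc. are irrelevant
        code = int(start_line.split()[1])
        if code == 180:
            rang.add(call_id)    # 183 Session Progress is early media, not ringing
        elif code == 200 and call_id in invite_time:
            if call_id not in rang and when - invite_time[call_id] < threshold:
                flagged.append(call_id)
    return flagged


# Constructed trace. call-1 is answered in 120 ms with no ringing; call-2 rings
# normally; call-3 is unrung but takes 3.5 s (say, a voicemail pick-up), so the
# default threshold leaves it alone.
SAMPLE_TRACE = """
--- 0.000
INVITE sip:phone-a@192.0.2.10 SIP/2.0
Call-ID: call-1@203.0.113.5
CSeq: 1 INVITE

--- 0.120
SIP/2.0 200 OK
Call-ID: call-1@203.0.113.5
CSeq: 1 INVITE

--- 5.000
INVITE sip:phone-b@192.0.2.11 SIP/2.0
Call-ID: call-2@192.0.2.20
CSeq: 1 INVITE

--- 5.200
SIP/2.0 180 Ringing
Call-ID: call-2@192.0.2.20
CSeq: 1 INVITE

--- 9.800
SIP/2.0 200 OK
Call-ID: call-2@192.0.2.20
CSeq: 1 INVITE

--- 20.000
INVITE sip:phone-c@192.0.2.12 SIP/2.0
Call-ID: call-3@192.0.2.20
CSeq: 1 INVITE

--- 23.500
SIP/2.0 200 OK
Call-ID: call-3@192.0.2.20
CSeq: 1 INVITE
"""

if __name__ == "__main__":
    print("possible silent auto-answer:", find_silent_answers(SAMPLE_TRACE))
```

Only call-1 is reported with the default threshold; raising it to five seconds also catches call-3, which shows why the cut-off has to reflect how quickly real users and voicemail pick up on your network. Feeding the rule with a real capture means extracting the same three fields (timestamp, start line, Call-ID/CSeq) from the SIP dissector of whatever tool you use.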
Attention may already be turning that way, with two separate exploits released publicly in the last couple of days targeting Cisco SIP handsets, resulting in a Denial of Service condition against the phones. VoIP client software from eCentrex has also been targeted with public exploit code, except that this time it allows control over vulnerable devices as a result of a remote buffer overflow. Concerned users and administrators who have SIP enabled software or hardware should be aware of its potential limitations and have appropriate mitigation strategies in place, especially if it is used in sensitive areas (military use, national secrets, trade secrets, etc).

=======================================

Sincerely,
Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com