Advisory #250 - Microsoft (Multiple), Multiple News

Sûnnet Beskerming Alert List Advisory #250
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates are available online (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 6 Days
1.2 OS X (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 6 Days
1.3 QuickTime - Remote Hacker Manual Control - Time Since Discovery - > 7 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network, or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually triggered, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Where Have We Been?
2.2 The Fine Line Between Security and Usability
2.3 Noted Italian Security Expert Arrested in Ongoing Spy Scandal
2.4 Internet Bubble 2.0
2.5 RealPlayer 0-Day Shows ActiveX Still an Issue
=====================================
1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows XP, 2003 (MS07-061)
Windows 2000 Server, 2003 (MS07-062)

-- Technical Description --
MS07-061 - Windows Shell URI handling (Windows XP, 2003). Arbitrary code execution. Critical
MS07-062 - DNS Server (Windows 2000 Server, 2003). DNS spoofing due to predictable transaction IDs. Important

-- Description --
Microsoft delivered two patches as part of the November Security Update release earlier this week. One patch (MS07-061) has been rated as Critical and delivers a fix for the well known URI handling vulnerability that was identified earlier this year and has been actively attacked for some time. The remaining patch (MS07-062) deals with poor random number generation in the Windows DNS Server, which allows an attacker to predict the transaction ID of an outstanding query and spoof the response with a single forged packet. Both patches replace earlier updates issued by Microsoft.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-061.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-062.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-3896 (MS07-061)
CVE-ID: CVE-2007-3898 (MS07-062)

-- Threat Matrix --
            U   O
Home User  10  10 (Highly Critical)
Corporate  10  10 (Highly Critical)

1.2 OS X (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.4.10 and prior.

-- Technical Description --
AppleRAID - Opening a maliciously crafted disk image may lead to an unexpected system shutdown
BIND - An attacker may be able to control the content provided by a DNS server (weak random number generation)
bzip2 - Multiple vulnerabilities in bzip2
CFFTP - A user's FTP client could be remotely controlled to connect to other hosts
CFNetwork - Multiple vulnerabilities
CoreFoundation - Reading a directory hierarchy may lead to an unexpected application termination or arbitrary code execution
CoreText - Viewing maliciously crafted text content may lead to an unexpected application termination or arbitrary code execution
Flash Player Plug-in - Opening maliciously crafted Flash content may lead to arbitrary code execution
Kerberos - A remote attacker may be able to cause a denial of service or arbitrary code execution if the Kerberos administration daemon is enabled
Kernel - Multiple vulnerabilities
Networking - Multiple vulnerabilities
NFS - A maliciously crafted AUTH_UNIX RPC call may lead to an unexpected system shutdown or arbitrary code execution
NSURL - Visiting a malicious web site may result in arbitrary code execution
remote_cmds - If tftpd is enabled, the default configuration allows clients to access any path on the system
Safari - Multiple vulnerabilities
SecurityAgent - A person with physical access to a system may be able to bypass the screen saver authentication dialog
WebCore - Multiple vulnerabilities
WebKit - Multiple vulnerabilities

-- Description --
Apple Inc. have released a cumulative update for OS X 10.4, bringing it to 10.4.11, and a separate Security Update 2007-008 for OS X 10.3.x systems (the same fixes are included in the 10.4.11 update). The update provides fixes for multiple serious vulnerabilities, including in AppleRAID, BIND, bzip2, CoreFoundation, and other system components. The vulnerabilities range from denial of service and local privilege escalation through to automatic remote code execution.
-- Recommended Action --
Apply the update to OS X 10.4.11, or Security Update 2007-008 on OS X 10.3.x systems, at the earliest opportunity, either from the Software Update option in the Apple menu or from Apple's download link below. If the Software Update application is used, only the update applicable to the system will be offered and installed.

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2007-4678 (AppleRAID)
CVE-ID: CVE-2007-2926 (BIND)
CVE-ID: CVE-2005-0953 (bzip2)
CVE-ID: CVE-2005-1260 (bzip2)
CVE-ID: CVE-2007-4679 (CFFTP)
CVE-ID: CVE-2007-4680 (CFNetwork)
CVE-ID: CVE-2007-0464 (CFNetwork)
CVE-ID: CVE-2007-4681 (CoreFoundation)
CVE-ID: CVE-2007-4682 (CoreText)
CVE-ID: CVE-2007-3456 (Flash Player)
CVE-ID: CVE-2007-3999 (Kerberos)
CVE-ID: CVE-2007-4743 (Kerberos)
CVE-ID: CVE-2007-3749 (Kernel)
CVE-ID: CVE-2007-4683 (Kernel)
CVE-ID: CVE-2007-4684 (Kernel)
CVE-ID: CVE-2007-4685 (Kernel)
CVE-ID: CVE-2006-6127 (Kernel)
CVE-ID: CVE-2007-4686 (Kernel)
CVE-ID: CVE-2007-4688 (Networking)
CVE-ID: CVE-2007-4269 (Networking)
CVE-ID: CVE-2007-4689 (Networking)
CVE-ID: CVE-2007-4267 (Networking)
CVE-ID: CVE-2007-4268 (Networking)
CVE-ID: CVE-2007-4690 (NFS)
CVE-ID: CVE-2007-4691 (NSURL)
CVE-ID: CVE-2007-4687 (remote_cmds)
CVE-ID: CVE-2007-0646 (Safari)
CVE-ID: CVE-2007-4692 (Safari)
CVE-ID: CVE-2007-4693 (SecurityAgent)
CVE-ID: CVE-2007-4694 (WebCore)
CVE-ID: CVE-2007-4695 (WebCore)
CVE-ID: CVE-2007-4696 (WebCore)
CVE-ID: CVE-2007-4697 (WebCore)
CVE-ID: CVE-2007-4698 (WebCore)
CVE-ID: CVE-2007-3758 (WebCore)
CVE-ID: CVE-2007-3760 (WebCore)
CVE-ID: CVE-2007-4671 (WebCore)
CVE-ID: CVE-2007-3756 (WebCore)
CVE-ID: CVE-2007-4699 (WebKit)
CVE-ID: CVE-2007-4700 (WebKit)
CVE-ID: CVE-2007-4701 (WebKit)

-- Threat Matrix --
            U   O
Home User  10  10 (Highly Critical)
Corporate  10  10 (Highly Critical)

1.3 QuickTime - Remote Hacker Automatic Control

-- Products Affected --
QuickTime 7.2 and prior.

-- Technical Description --
QuickTime 7.3 has been released, and includes fixes for issues that could lead to arbitrary code execution when a maliciously crafted image or movie file is opened.

-- Description --
Apple Inc. have released QuickTime 7.3, which includes numerous fixes for vulnerabilities present in previous versions. QuickTime 7.3 is available for both Windows and OS X, and users should update to the latest version as soon as practical.

-- Recommended Action --
Update to QuickTime 7.3 from either the Software Update application or the download link below.

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2007-2395 (QuickTime)
CVE-ID: CVE-2007-3750 (QuickTime)
CVE-ID: CVE-2007-3751 (QuickTime)
CVE-ID: CVE-2007-4672 (QuickTime)
CVE-ID: CVE-2007-4676 (QuickTime)
CVE-ID: CVE-2007-4675 (QuickTime)
CVE-ID: CVE-2007-4677 (QuickTime)

-- Threat Matrix --
            U   O
Home User   9   9 (Critical)
Corporate   9   9 (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS

2.1 Where Have We Been?

The observant reader will have noted that it has been almost two months since they last received an Advisory from this service, two months that have passed quickly for all concerned. While it was not an ideal situation, our website was kept updated throughout the period, with many new readers discovering our reporting through links from various high traffic sites such as The Register, Slashdot, Reddit, and others. Our RSS feeds, available from our website (http://www.beskerming.com), have also been continuously updated, providing the latest reporting from Sûnnet Beskerming on both Security and Commentary material.
2.2 The Fine Line Between Security and Usability

Finding the right balance between security and usability is difficult for any software developer. Recently a set of issues was disclosed where it was apparent that Microsoft had worsened the security situation for their users, either through the software shipped with Windows or through their response to reported problems.

Whether it is Microsoft's desire to make computing as simple as possible for the masses, or simply a question of economics, the inclusion of the affected Macrovision copy-protection driver on Windows XP and 2003 could be interpreted as both. If Microsoft had not included it, many users would have been confused as to why their software was not quite working as expected, and why a newly purchased game was seeking to install core system components. On the other hand, by shipping it, millions of business systems that will never see gaming software installed, and which have no need for this particular anti-copying measure, carry the vulnerable component anyway. In this instance, Microsoft identified the issue and issued a patch before there was too much of a problem.

Predictable (pseudo)random number generation, by contrast, is not something most people encounter on a routine basis, but it has real-world consequences when a system relies on those numbers to match network responses to requests. A DNS server that picks its 16-bit transaction IDs predictably lets an off-path attacker work out the ID of an outstanding query and answer it with a forged response that the server will accept, without ever seeing the query itself. While this was one of the patches issued by Microsoft in the November release cycle, numerous sources were carrying information about the predictability of the number generation before the patches were released. Not only this, but Apple's Security Update 2007-008 / OS X 10.4.11 release, which came out in the same week, included an update for BIND that addressed a similar-looking weak (pseudo)random number generation issue.
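To make concrete what "predicting the transaction ID" buys an attacker, the following is an added example written for this page; it is not code from the advisory, and it is not the generator that MS07-062 or the BIND update fixed. The weak generator is an assumed 16-bit linear congruential generator with arbitrary constants, standing in for any predictable scheme; the attacker is assumed to be able to observe three earlier IDs (for example by having the resolver look up names in a zone the attacker controls) and to send one forged reply. Only the 16-bit ID is modelled; the UDP source port is treated as fixed.

```python
"""Added example: predictable vs CSPRNG-backed DNS transaction IDs.

WeakTxid is a hypothetical LCG (assumption, not the Windows DNS or BIND
algorithm).  StrongTxid draws IDs from the OS CSPRNG.  The simulation
shows a one-packet off-path spoof succeeding every time against the
former and essentially never against the latter.
"""
import math
import secrets

MOD = 1 << 16  # DNS transaction IDs are 16 bits wide


class WeakTxid:
    """Hypothetical LCG: id_{n+1} = (a * id_n + c) mod 2**16."""

    def __init__(self, a: int, c: int, seed: int) -> None:
        self.a, self.c, self.state = a % MOD, c % MOD, seed % MOD

    def next_id(self) -> int:
        self.state = (self.a * self.state + self.c) % MOD
        return self.state


class StrongTxid:
    """IDs drawn from the OS CSPRNG: each one is independent of the last."""

    def next_id(self) -> int:
        return secrets.randbelow(MOD)


def recover_lcg(samples):
    """Fit (a, c) to three consecutive observed IDs, assuming an LCG mod 2**16.

    With d0 = x1 - x0 and d1 = x2 - x1 we need a * d0 == d1 (mod 2**16).
    Dividing out g = gcd(d0, 2**16) leaves an odd, hence invertible, cofactor.
    Returns None if no LCG modulo 2**16 is consistent with the samples.
    """
    x0, x1, x2 = samples
    d0, d1 = (x1 - x0) % MOD, (x2 - x1) % MOD
    g = math.gcd(d0, MOD)  # gcd(0, MOD) == MOD
    if d1 % g:
        return None
    m = MOD // g
    a = ((d1 // g) * pow(d0 // g, -1, m)) % m if m > 1 else 0
    c = (x1 - a * x0) % MOD
    return a, c


def predict_next(samples) -> int:
    """Attacker's guess for the ID that follows the three observed ones.

    Every (a, c) consistent with three samples predicts the same next ID
    (the candidates differ by a multiple of 2**16 once multiplied out), so
    any solution recover_lcg() returns is as good as the true constants.
    Falls back to a blind guess if the samples fit no LCG at all.
    """
    params = recover_lcg(samples)
    if params is None:
        return secrets.randbelow(MOD)
    a, c = params
    return (a * samples[-1] + c) % MOD


def poisoning_success_rate(make_generator, trials: int) -> float:
    """Simulate an off-path attacker who sees three earlier IDs and then
    sends a single forged reply for the victim query.  The resolver accepts
    the reply only if the ID matches.  Returns the fraction of trials won."""
    hits = 0
    for _ in range(trials):
        gen = make_generator()
        observed = [gen.next_id() for _ in range(3)]
        guess = predict_next(observed)
        victim_txid = gen.next_id()  # the query the attacker wants to poison
        hits += guess == victim_txid
    return hits / trials


def weak_generator() -> WeakTxid:
    # Constants are arbitrary (assumption); the seed is unknown to the attacker.
    return WeakTxid(a=25173, c=13849, seed=secrets.randbelow(MOD))


if __name__ == "__main__":
    print("predictable IDs, one forged packet:",
          poisoning_success_rate(weak_generator, trials=500))
    print("CSPRNG IDs,      one forged packet:",
          poisoning_success_rate(StrongTxid, trials=500))
    print("blind guess win rate per packet   :", 1 / MOD)
```

Run as a script (Python 3.8 or later, for the three-argument `pow`) it reports a 100% success rate against the predictable generator and roughly 1 in 65536 against the CSPRNG one. Note the residual risk the second number exposes: even a perfectly random 16-bit ID only costs a flooding attacker a few tens of thousands of forged packets per query window, which is why resolvers later added source-port randomisation on top of random IDs rather than treating the ID fix alone as sufficient.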
While it may have just been coincidental, it is interesting to see two major software vendors provide updates for very similar DNS server problems, in two different DNS server products, in roughly the same timeframe.

Another issue which came to light last week may pose more of a problem for business and home users, especially given that Microsoft acknowledged to the discoverer that they would not be patching the remote code execution vulnerability that he had reported - "Microsoft replied me that they would not fix this vulnerability, it looks like they will not acknowledge vulnerabilities which are from .mdb file". Microsoft's response points to a Knowledge Base article which merely leads to a list of file types that are considered 'unsafe' by different Microsoft products. It does not actually indicate that the file type should no longer be used by end users, or that Microsoft will no longer support it. As far as JET .mdb files go, it seems that Microsoft has deprecated the technology somewhat, but it continues to be supported by the latest version of Access (Access 2007). Not every application in use can or will be migrated to the Microsoft Desktop Engine (MSDE) or SQL Server 2005 Express Edition / SQL Server 2005 Compact Edition, so there are going to be plenty of viable targets where exploits can find traction.

Probably the biggest mitigating factor against widespread attack is that an attacker must first get a malicious .mdb file onto the target system and then have it opened by the JET engine. As ruder points out, some web servers could be at risk if users can upload a malicious .asp / .mdb file and then have it opened via calls to "ADODB.Connection". Unfortunately for Access users, this is just one of several arbitrary code execution problems affecting the .mdb file format that may never get fixed by the vendor (the linked one is from 2005 and may be related).
While vendors do have to draw the line somewhere with the file types and application versions that they will continue to support, refusing to provide security fixes for serious vulnerabilities in a format that current products still open is a failure of their duty of care to their users.

2.3 Noted Italian Security Expert Arrested in Ongoing Spy Scandal

Some fairly surprising news recently came to light when it was reported that Domina Security, Zone-h and WabiSabiLabi co-founder Roberto Preatoni had been arrested and charged in connection with claims of spying at Telecom Italia. It was Roberto's work with a penetration testing team, a 'Tiger Team' that had been created to do some testing for Telecom Italia, that is believed to have led to the arrest, rather than his involvement with the controversial WabiSabiLabi vulnerability auction market. The team that Roberto worked with apparently had some shady history, including allegations of spying, unauthorised hacking and wiretaps, and it may just be a case of 'wrong place, wrong time' for the security expert, who has been charged with unauthorised access to computer systems and wiretapping. It is reported that hacking and spying activities were carried out against Brasil Telecom's CEO, an investigative agency, and two journalists. Others were arrested earlier in the year, including Telecom Italia's Security Chief Technology Officer, who has presented alongside Preatoni at security conferences over the last twelve months. These presentations included one that might be considered ironic - "The Biggest Brother", presented at the 2006 Hack in the Box conference, which argued that many governments have taken advantage of September 11 to tighten control over their citizens. A previous presentation by Roberto, given at the 2005 Chaos Communication Congress (CCC) on industrial espionage and counter attacks, might be of more interest to investigators. WabiSabiLabi has yet to issue a statement regarding the incident, though one is expected soon.
2.4 Internet Bubble 2.0

Microsoft's purchase of 1.6% of social networking site Facebook for $240 million USD has only added to fears that there is a significant overvaluation in the market for major websites and related companies - basically, that an Internet Bubble 2.0 is in the works. With Facebook now valued at up to $15 billion USD (based on Microsoft's purchase price), the deal has elevated the company into the top 10 Internet companies by value, though it still produces far less ongoing revenue than other companies with comparable market value. Some who are looking deeper into the purchase see it as a strategic move by Microsoft to prevent Google or another competitor from snapping up the site on the cheap. By paying so much for so little of the company, it forces other would-be investors to significantly increase the resources they would need to gain a controlling stake in the site, while also providing a stronger avenue for Microsoft to push their Flash-competing Silverlight technology on web users (Microsoft is Facebook's primary, now exclusive, advertising supplier). In the fickle world of social networking sites, it could still be a $240 million USD hole in the space of a few months if the next greatest thing comes along - something Microsoft should already be aware of from their Windows Live Spaces platform. While Facebook currently has a nicer look and feel than many comparable sites, its position rests on nothing better having gained much traction amongst Internet users yet. Some have pointed out that these sites occupy the position that free web hosts like Geocities once held in the late 1990s. Microsoft's big push to purchase 20 web companies per year over the next five years could also be playing a part in the investment in Facebook, and in the ongoing growth of the bubble over the next few years.
With predicted purchase prices ranging from $50 million to $1 billion USD per company, that is a lot of money for companies that will soon find themselves in the sights of Microsoft (if they are not already in the sights of Google, Yahoo!, or some other major technology company). Enterprising company owners can pitch directly to Steve Ballmer, or he can always contact us directly.

2.5 RealPlayer 0-Day Shows ActiveX Still an Issue

News has been spreading rapidly of an actively-exploited vulnerability affecting RealPlayer, triggered via Internet Explorer. Based on the available reporting, it appears that at least one major victim (NASA) has been targeted with this exploit, with the first information being made public on Wednesday of this week. Symantec, McAfee, and the ISC then published initial details of the vulnerability on Thursday / Friday. Discovered in the wild, but without public exploit code samples at this stage, the vulnerability has Information Security vendors airing concerns about the risk of widespread infection attempts. Making the situation worse, it is being reported that a successful infection only requires the ActiveX control to be present - the user does not need to activate it for a successful attack. While a critical vulnerability in a common third party ActiveX control is a problem for Windows users (especially one that comes pre-installed by default on some systems, such as Dell's), it serves as a timely reminder for all that the Internet Explorer and ActiveX combination is still a risky one for Windows users, despite the ongoing effort that Microsoft is putting into tightening security.
For users and administrators who do not have third party protection software in place, setting the kill bit for the RealPlayer control in the Windows Registry will provide interim protection (at the cost of preventing RealPlayer from being invoked from Internet Explorer). Under the key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}

create a DWORD value named Compatibility Flags with the data 0x00000400; Internet Explorer will then refuse to instantiate the control. Note that this only stops Internet Explorer (and applications that embed its rendering engine) from loading the control; the vulnerable code remains on the system, so the vendor's update should still be applied when it becomes available.

With RealPlayer notorious for constant 'buffering...' messages in the early days of streaming online media content, some Internet humourists have suggested that the vulnerability might be due to a 'buffering overflow'.
=======================================
Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com