Advisory #252 - Microsoft (Multiple), QuickTime, PostgreSQL, Multiple News

Sûnnet Beskerming Alert List Advisory #252

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 4 Days
1.2 QuickTime - Remote Hacker Automatic Control - Time Since Discovery - 3 Days
1.3 PostgreSQL - Remote Hacker Manual Control - Time Since Discovery - 4 Days

=======================================
/*
 - Remote or Local - Can it be achieved through a network or does it require physical access?
 - Hacker - The bad guy
 - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
 - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/

--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Does the new QuickTime 0-day mean Apple has Problems with Patching?
2.2 Ignorance is no Excuse
2.3 Ethical Boundaries in Information Security Research

=======================================
1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows 2000, XP, 2003, Vista

-- Technical Description --
MS08-001 - TCP/IP. Arbitrary code execution. Replaces MS06-032. Critical
MS08-002 - LSASS. Local arbitrary code execution and privilege escalation. Important

-- Description --
Microsoft delivered two patches as part of the January Security Update release earlier this week. One patch (MS08-001) has been rated as Critical and delivers a fix for a previously unknown set of issues with the Windows TCP/IP stack, while the remaining patch deals with poor input handling associated with the LSASS service. Both patches address code execution problems, though only the TCP/IP issues could be remotely executed.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-002.mspx

-- External Tracking Data --
CVE-ID: CVE-2007-0066 (MS08-001)
CVE-ID: CVE-2007-0069 (MS08-001)
CVE-ID: CVE-2007-5352 (MS08-002)

-- Threat Matrix --
               U    O
Home User     10   10  (Highly Critical)
Corporate     10   10  (Highly Critical)

1.2 QuickTime - Remote Hacker Automatic Control

-- Products Affected --
7.3 and prior.

-- Technical Description --
A new vulnerability appears to have been discovered with the RTSP handling within QuickTime, despite the fixes provided with QuickTime version 7.3.1. According to Luigi Auriemma, the vulnerability is a buffer overflow that can be exploited when the QuickTime media player is retrieving information about the status of the current rtsp connection. At this stage it appears that the vulnerability as tested in the proof of concept only affects the Windows version of QuickTime, but it is possible that the OS X version is vulnerable as well.

-- Description --
Luigi Auriemma has disclosed the discovery of a new vulnerability affecting QuickTime's handling of RTSP streams. This issue may be related to a previous RTSP vulnerability (updated with QuickTime 7.3.1, released in mid-December), but at this stage it appears to only affect Windows QuickTime versions. Proof of concept sample code is readily available from the discoverer.

-- Recommended Action --
For all users, it is recommended that they update to QuickTime 7.3.1 (if they haven't already). Early reports suggest that OS X users (at least 10.5.1) are not vulnerable to this particular issue, but it is recommended that all users apply caution when interacting with rtsp:// streams.

-- Source --
Upgrade to view

-- Updates Available --
Upgrade to view

-- External Tracking Data --
Upgrade to view

-- Threat Matrix --
               U    O
Home User     10   10  (Highly Critical)
Corporate     10   10  (Highly Critical)

1.3 PostgreSQL - Remote Hacker Automatic Control

-- Products Affected --
PostgreSQL 7.3, 7.4, 8.0, 8.1, 8.2

-- Technical Description --
Various security vulnerabilities were patched in a set of updates released for the PostgreSQL RDBMS platform. Five separate vulnerabilities were patched across all versions from 7.3 through to 8.2. The vulnerabilities range from a privilege escalation vulnerability in the Index Functions, through to denial of service in regular expression libraries, and privilege escalation in DBLink. PostgreSQL 7.3, 8.0, and 8.1 have also been EOL'ed.

-- Description --
The PostgreSQL Global Development Group has released updated versions of the PostgreSQL RDBMS, addressing several key vulnerabilities affecting all versions from 7.3 through to 8.2. The PostgreSQL developers consider these vulnerabilities to be critical and strongly recommend that administrators update to the latest versions as soon as possible. PostgreSQL developers discovered the vulnerabilities during security analysis, and have worked to ensure backwards compatibility for existing data stores with the updated versions. It should also be noted that PostgreSQL versions 7.3, 8.0, and 8.1 have been EOL'ed and it is recommended that administrators update to current versions.

-- Recommended Action --
Update to the releases provided by the PostgreSQL development group.

-- Source --
Upgrade to view

-- Updates Available --
http://www.postgresql.org/ftp/binary/

-- External Tracking Data --
Upgrade to view

-- Threat Matrix --
               U    O
Home User      8    8  (Very High)
Corporate      8    8  (Very High)

=======================================
/*
Threat Matrix:
 U - User
 O - Operator
 Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Does the new QuickTime 0-day mean Apple has Problems with Patching?

In the past Microsoft has been criticised for poor vulnerability patching (by not patching the underlying vulnerability that is causing a problem and then having to reissue patches as attackers adjust and attack), and it is a criticism that has also been levelled against Apple with the handling of different mDNSResponder vulnerabilities. Recently disclosed vulnerability information regarding another RTSP handling problem in QuickTime could be a sign of a similar problem brewing. RTSP vulnerabilities were patched no less than four times in the last twelve months (Security Update 2007-001, Security Update 2007-004, Darwin Streaming Server 5.5.5, and QuickTime 7.3.1), and it seems that there are still opportunities for remote code execution within the RTSP code handling routines.

A minor blessing with the latest vulnerability disclosure seems to be that the vulnerability does not appear to affect the latest version of OS X (10.5.1), at least according to early reports from third party testers. It is known that there is partial exploit functionality on the Windows QuickTime version, but with increased attention sure to be focussed on the product it may yet be found that the vulnerability can be extended to the OS X versions. As in the past, it is recommended that users avoid RTSP data streams until Apple is able to issue a patch for this latest problem.

2.2 Ignorance is no Excuse

After noted British television presenter Jeremy Clarkson took umbrage at the massive outcry regarding the loss of personal records for 25 million UK residents, he decided to prove that it was an over-reaction (in his mind) by publishing his bank details in a newspaper column that he writes. According to Clarkson, the worst that could be done was that someone would be able to deposit money into his account. Unfortunately for Clarkson, a reader was able to establish a £500 direct debit to a Diabetes charity, direct from his account. While this should not have been allowed to take place (the bank should have required correct proof of identity in order to establish the direct debit), it was a wakeup call for Clarkson, who acknowledged the misconceptions that he originally held and recognised that the loss of personal data can have significant negative effects on those whose data has been misappropriated. It is rare to see such a public reversal of opinion on such a matter, and it is likely to serve as a clear example to many about the risks associated with the loss or mishandling of personal data.

While the incident is unfortunate, it is highlighting a problem with the UK banking system. As Clarkson initially pointed out, all someone should have been able to do would have been to add money to his account, but the result showed that there is at least one UK bank that is more than happy to allow money to be withdrawn from an account without really validating that the account holder is the one authorising the withdrawal. Some comments have gone as far as to suggest that the financial industry is complicit in data theft cases - being too ready to allow the withdrawal of a victim's financial resources.

2.3 Ethical Boundaries in Information Security Research

With Information Security being such a broad field, without any formalised coordinating or licensing body, appropriate boundaries for ethical and professional behaviour and activity can be difficult to determine. What is ethical to one researcher may be completely inappropriate to another. What may be generally accepted as appropriate behaviour at one point in time might be shown later to be completely inappropriate. When the burden of becoming the Information Security specialist falls to people who have little idea of the issues within the field, it can lead to further problems, as they attempt to reduce the problems and issues that they face into a format that they recognise and understand (which isn't always a bad thing - they just need to recognise when that approach breaks down).

Unfortunately for the Information Security field, the strongest supporters can also sometimes become the threat that they continually warn about - a lot of the time completely by accident. The development and limited release of proof of concept tools is often a means to rapidly demonstrate a set of risks and aid in the development of techniques to address them. It was recently disclosed that one such tool, created by noted Information Security firm eEye, has had its techniques morphed into an attack tool by malware authors. In this particular case it had taken two years for the proof of concept to be morphed into an attack tool (or at least be publicly discovered). While it is likely that the techniques would have eventually been discovered independently, and there is no definitive proof that the eEye tool was the basis for the new attack code, it does raise the question as to how much assistance the publication of proof of concept materials provides to attackers. It can be argued that the previous example is more beneficial to the field of Information Security than it is harmful, and that similar examples are just as valuable.

A less clear example has come to light in recent days, with noted web security expert RSnake issuing a call for entries in a contest designed to create the smallest XSS worm that can functionally replicate itself across a network. Arguments for the contest are centred on the benefits that it will bring to those studying how such worms can be created and how to defend against their potential. With increasing coverage of the contest, there are plenty of arguments being put forward that the approach is unethical and contributes to the image of Information Security being full of people who are just as willing to create the problem as they are to solve it (especially if they helped create it in the first place).

That isn't the only ethical concern facing Information Security workers. One of the big selling points that Antivirus companies try to beat each other on is the number of malware types that they can detect and handle. Although there are plenty of examples of rootkits, viruses, and other malware that can easily slip past up to date antimalware defences, and there are plenty of cases where up to date antimalware tools have gone off the rails or companies have over-reported on critical problems (despite what some companies initially claimed, the exploit code was not publicly released), companies are still pushing to be number one in detection of numerous malware samples. F-Secure recently laid claim to one of the largest detection sets, at half a million distinct malware samples. Although this seems to correlate to other industry reporting, the question posed is just how many of those samples can truly be claimed as distinct malware. If the same signature pattern will trigger on multiple variants, that might only differ in where they send their malicious data or where they report to, does it really mean that those variants are distinct?

It also seems that antimalware companies are more than happy to move the boundaries of where they measure their malware from, and with the inclusion of malware based on JavaScript, HTML, PHP, and which targets those technologies, it means that their claims for numbers of malware types detected can be massively increased. This is even more beneficial for the antimalware companies as the change of a simple couple of bytes in a lot of these recently added malware types will allow them to slip past detection relatively simply without radically changing the exploit effectiveness (which means more added detection opportunities).

The other interesting point raised by the claims of detections is that it suggests that efforts to arrest malware developers, close down their control networks, and provide other legal and paralegal means of limiting their activities are ineffective. Either that or malware authors are the biggest growth industry in software development and they have solved many of the efficiency problems plaguing large software development firms. As that is plainly not the case, and the legal efforts are starting to have some effect on the various malware industries (the Russian Business Network has effectively been forced offline in the last 12 months), it suggests that the antimalware companies are not being completely honest in how they identify distinct malware samples.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com
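The counting question raised in news item 2.3 (whether variants that differ only in where they report to are really distinct samples), illustrated with an added Python example that is not part of the advisory: three constructed, harmless byte strings that differ only in a reporting host count as three samples by hash but as one family under a single host-agnostic signature, while an exact-hash blocklist catches only the copy it has already seen. The byte strings, the "Dropper.Family1" signature name and the host names are all constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a malware body: the only thing that varies between
# "variants" is the host it reports to. These are inert placeholder bytes.
BODY = b"\x55\x8b\xec\x83\xec\x40 REPORT_TO=%s EXFIL=1 \xc9\xc3"
SAMPLES = {
    "sample_a": BODY % b"c2-a.example.invalid",
    "sample_b": BODY % b"c2-b.example.invalid",
    "sample_c": BODY % b"10.0.0.1",
    "other": b"\x4d\x5a a different constructed family \xff",
}

# One assumed, host-agnostic signature: it anchors on the shared code bytes
# and wildcards the reporting host, so every variant above triggers it.
SIGNATURES = {
    "Dropper.Family1": re.compile(
        rb"\x55\x8b\xec\x83\xec\x40 REPORT_TO=[^ ]+ EXFIL=1"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def count_by_hash(samples: dict) -> int:
    """The vendor-style count: every distinct file hash is a distinct sample."""
    return len({sha256_hex(d) for d in samples.values()})


def group_by_signature(samples: dict, signatures: dict) -> dict:
    """Map each signature name to the sample names it detects."""
    hits = defaultdict(list)
    for name, data in samples.items():
        for sig_name, pattern in signatures.items():
            if pattern.search(data):
                hits[sig_name].append(name)
    return dict(hits)


def count_families(samples: dict, signatures: dict) -> int:
    """The alternative count: one detection per signature that fired."""
    return len(group_by_signature(samples, signatures))


def detected_by_hashlist(samples: dict, known_hashes: set) -> list:
    """Exact-hash blocklist: changing even the reporting host evades it."""
    return [n for n, d in samples.items() if sha256_hex(d) in known_hashes]
```

With the constructed set, count_by_hash reports 4 samples, count_families reports 1 detected family (the fourth string matches nothing), and a blocklist seeded with sample_a's hash flags only sample_a.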