Sûnnet Beskerming Alert List Advisory #254
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 7+ days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 4 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Don't Click Here
2.2 When SSL Isn't Going to save you
2.3 A Simple Demonstration of CSRF risk
2.4 Somebody has to do the Dirty work
2.5 Advertising Poisons Major British Media Site
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Microsoft Office
-- Technical Description --
MS08-014 - Excel. Multiple Remote code execution. Replaces
MS07-044, MS07-036, MS08-013. Critical
MS08-015 - Outlook. Remote code execution. Replaces MS07-003. Critical
MS08-016 - Office. Multiple Remote code execution. Replaces
MS07-015, MS07-025, MS08-013. Critical
MS08-017 - Office Web components. Multiple Remote code execution.
Critical
-- Description --
Microsoft have provided four patches as part of the March Security
Patch Update release, all of them marked as Critical. All four patches
are for Microsoft Office and related components, and at least one of
the patched vulnerabilities had been used in targeted attacks prior to
patching.
-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-mar.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-015.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-016.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-017.mspx
-- External Tracking Data --
CVE-ID: CVE-2008-0081 (MS08-014)
CVE-ID: CVE-2008-0112 (MS08-014)
CVE-ID: CVE-2008-0114 (MS08-014)
CVE-ID: CVE-2008-0115 (MS08-014)
CVE-ID: CVE-2008-0116 (MS08-014)
CVE-ID: CVE-2008-0117 (MS08-014)
CVE-ID: CVE-2008-0110 (MS08-015)
CVE-ID: CVE-2008-0113 (MS08-016)
CVE-ID: CVE-2008-0118 (MS08-016)
CVE-ID: CVE-2006-4695 (MS08-017)
CVE-ID: CVE-2007-1201 (MS08-017)
-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)
1.2 OS X (Multiple) - Remote hacker automatic control
-- Products Affected --
OS X 10.4.x
OS X 10.5.x
-- Technical Description --
AFP Client - Arbitrary code execution due to poor handling of
malicious afp:// URLs
AFP Server - Cross-realm authentication can be bypassed
Apache - Numerous vulnerabilities affecting supplied Apache versions
AppKit - Arbitrary code execution risks from a range of
vulnerabilities.
Application Firewall - German translation of Preference Pane fixed.
CFNetwork - Spoofing of secure (https) content is possible
ClamAV - Numerous arbitrary code execution vulnerabilities
CoreFoundation - Arbitrary code execution through integer overflow
when handling time zone data.
CoreServices - AppleWorks may be convinced to open files ending
in .ief if Safari's "Open Safe files" preference is enabled.
CUPS - Multiple arbitrary code execution vulnerabilities.
curl - Possible arbitrary code execution when interacting with a
malicious URL.
Emacs - Multiple arbitrary code execution vulnerabilities possible
via the built-in Lisp interpreter.
file - Arbitrary code execution when using 'file' on a malicious file.
Foundation - Multiple arbitrary code execution vulnerabilities
Help Viewer - Malicious help: URLs may lead to arbitrary Applescript
execution
Image Raw - Viewing a malicious image may lead to arbitrary code
execution
Kerberos - Multiple arbitrary code execution and denial of service
vulnerabilities
libc - Denial of Service possible for applications using the strnstr
API.
mDNSResponder - Arbitrary code execution via privilege escalation
notifyd - System call spoofing
OpenSSH - Arbitrary code execution when used with X11.
pax archive utility - Arbitrary code execution risk when pax is run
as a command line utility
PHP - Multiple arbitrary code execution vulnerabilities
Podcast Producer - Information disclosure (passwords) to other local
users
Preview - Encrypted PDF saves may not adequately protect the file
Printing - Multiple Information disclosure opportunities
System Configuration - Arbitrary code execution
UDF - Denial of service (system shut down) when interacting with
malicious disk images
Wiki Server - Arbitrary system access possible for users with edit
access to the wiki
X11 - Numerous arbitrary code execution vulnerabilities
-- Description --
Apple Computer have released Security Update 2008-002, addressing a
number of serious security problems.
-- Recommended Action --
It is recommended that users apply the update, via the Software
Update option in the Apple Menu, or via the Apple Download link,
below. If installing via the Software Update option, it will only
download the applicable Update (Intel / PPC / 10.5 / 10.4).
-- Source --
http://docs.info.apple.com/article.html?artnum=61798
-- Updates Available --
http://www.apple.com/support/downloads/
-- External Tracking Data --
CVE-ID: CVE-2008-0044 (AFP Client)
CVE-ID: CVE-2008-0045 (AFP Server)
CVE-ID: CVE-2005-3352 (Apache)
CVE-ID: CVE-2006-3747 (Apache)
CVE-ID: CVE-2007-3847 (Apache)
CVE-ID: CVE-2007-5000 (Apache)
CVE-ID: CVE-2007-6388 (Apache)
CVE-ID: CVE-2007-6203 (Apache)
CVE-ID: CVE-2007-6421 (Apache)
CVE-ID: CVE-2008-0005 (Apache)
CVE-ID: CVE-2008-0048 (AppKit)
CVE-ID: CVE-2008-0049 (AppKit)
CVE-ID: CVE-2008-0057 (AppKit)
CVE-ID: CVE-2008-0997 (AppKit)
CVE-ID: CVE-2008-0046 (Application Firewall)
CVE-ID: CVE-2008-0050 (CFNetwork)
CVE-ID: CVE-2007-3725 (ClamAV)
CVE-ID: CVE-2007-4510 (ClamAV)
CVE-ID: CVE-2007-4560 (ClamAV)
CVE-ID: CVE-2007-5759 (ClamAV)
CVE-ID: CVE-2007-6335 (ClamAV)
CVE-ID: CVE-2007-6336 (ClamAV)
CVE-ID: CVE-2007-6337 (ClamAV)
CVE-ID: CVE-2008-0318 (ClamAV)
CVE-ID: CVE-2008-0728 (ClamAV)
CVE-ID: CVE-2006-6481 (ClamAV)
CVE-ID: CVE-2007-1745 (ClamAV)
CVE-ID: CVE-2007-1997 (ClamAV)
CVE-ID: CVE-2007-0897 (ClamAV)
CVE-ID: CVE-2007-0898 (ClamAV)
CVE-ID: CVE-2008-0051 (CoreFoundation)
CVE-ID: CVE-2008-0052 (CoreServices)
CVE-ID: CVE-2008-0596 (CUPS)
CVE-ID: CVE-2008-0047 (CUPS)
CVE-ID: CVE-2008-0053 (CUPS)
CVE-ID: CVE-2008-0882 (CUPS)
CVE-ID: CVE-2005-4077 (curl)
CVE-ID: CVE-2007-6109 (Emacs)
CVE-ID: CVE-2007-5795 (Emacs)
CVE-ID: CVE-2007-2799 (file)
CVE-ID: CVE-2008-0054 (Foundation)
CVE-ID: CVE-2008-0055 (Foundation)
CVE-ID: CVE-2008-0056 (Foundation)
CVE-ID: CVE-2008-0058 (Foundation)
CVE-ID: CVE-2008-0059 (Foundation)
CVE-ID: CVE-2008-0060 (Help Viewer)
CVE-ID: CVE-2008-0987 (Image Raw)
CVE-ID: CVE-2007-5901 (Kerberos)
CVE-ID: CVE-2007-5971 (Kerberos)
CVE-ID: CVE-2008-0062 (Kerberos)
CVE-ID: CVE-2008-0063 (Kerberos)
CVE-ID: CVE-2008-0988 (libc)
CVE-ID: CVE-2008-0989 (mDNSResponder)
CVE-ID: CVE-2008-0990 (notifyd)
CVE-ID: CVE-2007-4752 (OpenSSH)
CVE-ID: CVE-2008-0992 (pax archive utility)
CVE-ID: CVE-2007-1659 (PHP)
CVE-ID: CVE-2007-1660 (PHP)
CVE-ID: CVE-2007-1661 (PHP)
CVE-ID: CVE-2007-1662 (PHP)
CVE-ID: CVE-2007-4766 (PHP)
CVE-ID: CVE-2007-4767 (PHP)
CVE-ID: CVE-2007-4768 (PHP)
CVE-ID: CVE-2007-4887 (PHP)
CVE-ID: CVE-2007-3378 (PHP)
CVE-ID: CVE-2007-3799 (PHP)
CVE-ID: CVE-2008-0993 (Podcast Producer)
CVE-ID: CVE-2008-0994 (Preview)
CVE-ID: CVE-2008-0995 (Printing)
CVE-ID: CVE-2008-0996 (Printing)
CVE-ID: CVE-2008-0998 (System Configuration)
CVE-ID: CVE-2008-0999 (UDF)
CVE-ID: CVE-2008-1000 (Wiki Server)
CVE-ID: CVE-2007-4568 (X11)
CVE-ID: CVE-2007-4990 (X11)
CVE-ID: CVE-2006-3334 (X11)
CVE-ID: CVE-2006-5793 (X11)
CVE-ID: CVE-2007-2445 (X11)
CVE-ID: CVE-2007-5266 (X11)
CVE-ID: CVE-2007-5267 (X11)
CVE-ID: CVE-2007-5268 (X11)
CVE-ID: CVE-2007-5269 (X11)
CVE-ID: CVE-2007-5958 (X11)
CVE-ID: CVE-2008-0006 (X11)
CVE-ID: CVE-2007-6427 (X11)
CVE-ID: CVE-2007-6428 (X11)
CVE-ID: CVE-2007-6429 (X11)
-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Don't Click Here
A number of media outlets are now covering news of a program run by
the FBI that led to the arrest of people for clicking on fake links
that the FBI had set up. The rationale for this being appropriate was
that the fake links suggested that they led to child pornography.
At least one noted web security expert has pointed out that it
sounds like a good idea in theory, but it fails to take into account
the ease with which users can be tricked into visiting links, or with
which their systems can be sent to links automatically without the
user's knowledge or permission. Some browsers even include link
prefetching, which silently loads data from the links present on a
page so that when a user follows one, the browser has already
received most of the data for the page.
Even worse, it acts as a discouragement for people to report anything
that they have seen.
The affected individuals had their homes raided and "'computer-related'
equipment, utility bills, telephone bills, any 'addressed
correspondence' sent through the U.S. mail, video gear, camera
equipment, checkbooks, bank statements, and credit card statements"
seized. That's a lot for clicking a link on the web (and it first has
to be proven that they actually clicked).
2.2 When SSL Isn't Going to save you
After many years of trying from InfoSec and general IT people, users
are starting to get a better grasp on the importance of looking for
the little lock icon in their browser and https at the start of the
URL when they go to enter sensitive personal or financial information
online. The more involved step of checking the validity of the SSL
certificate hasn't caught on as much but most browsers will alert the
user when the certificate appears to have expired or does not match
what the browser is expecting.
This improvement in user awareness and online activity is a wonderful
thing; however, all it means is that the user is applying greater
security awareness to an established connection between their system
and a website. Malware authors and attackers that are trying to
recover sensitive details from a user have a much simpler means of
doing so, by compromising either end of the connection, though there
is still a small place for MITM attacks against the connection
itself. Remote website compromise is a topic which has had recent
coverage and is a problem about which the user can do little.
Disaffected insiders and motivated external attackers pose real
problems for users of popular sites, and it is a problem that
unfortunately is not uncommon.
Even the security of an end user's system can easily be compromised,
and it is at this point that a user's sensitive data is most likely
to be retrieved. Modern browsers make a range of efforts to limit the
amount of time that information being passed to a secured website
spends in an unencrypted state, but once malware is present on a
user's system it is much more difficult to prevent the loss of
sensitive information.
Didier Stevens has written a straightforward article that describes
how simple it is to trap information passed in Internet Explorer's
HTTPS requests even if the user is not running as an Administrator or
at a higher privilege level. All it requires is for malicious software
to be running at the same time as the user is visiting websites
through a secure connection. As Didier points out, the process of
capturing this information is disturbingly easy. While the technique
exactly as described by Didier has only just been published, capable
malware authors have long been aware of process hooking, and it would
not be unreasonable to assume that if a system has been compromised by
malware, then ANY information being passed to and from the Internet
can be read by the malware.
If you are using your system for any online financial activity, or
any activity that requires the provision of sensitive details, then
it is considered prudent to at least be running regular antivirus and
antimalware scans, using a regularly updated suite of tools. There is
still a real risk to the end user that they will end up compromised,
but it is something that happens to the best of them.
2.3 A Simple Demonstration of CSRF risk
Noted web security expert Jeremiah Grossman has published an
interesting article that is a welcome reminder of how easy it is to
sniff out, from one website, whether a user is logged into another
(i.e. Cross Site Request Forgery).
Using the method Jeremiah describes, a request is made for a resource
that is only served to a logged-in user. The nature of the response
dictates whether or not the user is logged in (either the site serves
the requested resource or it returns an error).
Jeremiah suggests that the possible options for site developers
preventing this sort of attack are to remove authentication
requirements from resources that aren't necessarily sensitive (so
that they are returned even for a non-authenticated user), or to
tokenise the resource descriptors so that arbitrary guessing of the
resource will not be a viable method for finding it. Browser
developers could prevent cross site information leakage in some way,
but no suggestion is put forward (plus it would break a lot of
existing Internet functionality that relies upon sites being able to
request and display information from other sites in the context of
the original site, such as online advertising).
While most attacks that try to exploit a user for being logged into a
site are carried out blind (without actually checking the logged in
status), the simplicity with which it may be checked makes the risk
of targeted attacks, and also those that are harder to detect, much
more likely.
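As an added illustration (not code from this advisory or from Jeremiah Grossman's article), the following Python simulation shows the login-state oracle described above next to the two server-side fixes the article suggests. The Site class, the paths and the handler are hypothetical stand-ins for a real web application.

```python
import secrets

PNG = b"\x89PNG..."  # constructed stand-in for image bytes


class Site:
    """Hypothetical web application with cookie-based sessions."""

    def __init__(self):
        self.sessions = {}       # session cookie -> username
        self.private_paths = {}  # username -> tokenised avatar path

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        # Fix 2: each user's private resource lives at an unguessable path.
        self.private_paths[user] = f"/avatar/{secrets.token_urlsafe(24)}.png"
        return cookie

    def handle(self, path, cookie=None):
        """Return (status, body). The browser attaches the session cookie to
        cross-site loads too, which is what makes the oracle possible."""
        user = self.sessions.get(cookie)
        # Leaky design: a fixed, guessable path served only when logged in.
        if path == "/myavatar.png":
            return (200, PNG) if user else (403, b"login required")
        # Fix 1: a non-sensitive resource is served to everyone.
        if path == "/logo.png":
            return (200, PNG)
        # Fix 2: a guessed path gets 404 whether or not a session exists;
        # only the owner, who knows the token, receives the resource.
        if user and path == self.private_paths.get(user):
            return (200, PNG)
        return (404, b"not found")


def attacker_probe(site, path, victim_cookie):
    """What a third-party page can observe about a cross-site load: only
    whether it succeeded or errored (onload/onerror), never the body."""
    status, _ = site.handle(path, victim_cookie)
    return status == 200


def oracle_leaks(site, path):
    """True if the probe result differs between a logged-out and a
    logged-in victim, i.e. the path works as a login-state oracle."""
    logged_out = attacker_probe(site, path, None)
    cookie = site.login("alice")
    logged_in = attacker_probe(site, path, cookie)
    return logged_out != logged_in


if __name__ == "__main__":
    site = Site()
    print("/myavatar.png leaks login state:", oracle_leaks(site, "/myavatar.png"))
    print("/logo.png leaks login state:", oracle_leaks(site, "/logo.png"))
    print("guessed tokenised path leaks:", oracle_leaks(site, "/avatar/guess.png"))
```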
2.4 Somebody has to do the Dirty work
The team at Zone-H is currently questioning the merit of continuing
to update and maintain their well known defacement archive service
given the negative sentiment directed at them that many people
express when they find out that they have been compromised and the
discouraging trend of site defacers using the archive as an informal
ranking board, with some striving for the highest number of
defacements recorded in the archive.
Having become the leading archive of defaced sites following the
demise of the Alldas archive (the Zone-H archive is now more than 200
times larger than Alldas was at its peak), Zone-H has become a
valuable resource for Information Security, even more valuable when
the numerous other services that the company offers are considered.
However, the continuation of the archive isn't the only problem that
Zone-H has had to face in recent months, with the arrest of their
founder, Roberto Preatoni in relation to an Italian spying scandal.
Zone-H are currently running a poll to determine whether maintaining
the service is worthwhile (the poll is reachable directly from the
main page). Worryingly for Information Security researchers and
interested observers there is an almost 80% vote in favour of
terminating the mirroring services.
Those who would argue against the continuation of the Zone-H archive
should consider that their same arguments can be used against
Information Security resources such as Full Disclosure, BugTraq
(probably more of a concern given the moderation delay), Milw0rm, and
any number of sites that have published information about attacks and
how to carry them out. Most of these arguments seem to stem from the
fact that Zone-H is only a relatively small Information Security
company and a lot of the negative sentiment they attract comes from a
fear of the unknown.
Withholding valuable information from the Information Security
community is more of a problem than any short term embarrassment that
might come from the knowledge that an attacker might pick up from the
archive.
If nothing else, the historical data that Zone-H provides is a
valuable insight into the changing nature of website attacks and
defacements and the sort of general attacks that an attacker might be
expected to have in their toolkit. It is interesting to note that the
greatest overall successful target is Linux-hosted systems, and there
is a distinct downwards trend in terms of overall attack numbers
following a peak in 2006.
Open source advocates who point to the robustness of their chosen
solutions (generally a Linux - Apache stack) against attack will be
shocked to discover that the greatest number of successful attacks
were against Linux systems (more than double the combined number of
Windows systems in 2007) and against the Apache web server (more than
double the combined number of IIS attacks in 2007). It is surmised
that the primary reason for this lies in what is the greatest threat
to a website.
Based on the reported compromise methodology, it would appear that
poor administrative skills and weak security policies are the
greatest threat to a website, though almost a quarter of all attacks
are actually based on weaknesses within the site itself (file
inclusion, SQL injection and the like). This ratio is surprising,
given the increasingly vocal nature of the web security community
(though it should be noted that many site compromises that take place
through the actual site would never get reported as they are being
actively used for malicious purposes).
If Zone-H were to terminate their operation of the defacement
archives it would be a great loss to the Information Security and
general security community. It is disappointing that the reason may
be the ill will that Zone-H receives for archiving what has been
reported to them (and doubtless many others in Information Security
receive very similar ill will).
It is often those who are least capable of understanding the true
nature of what has happened to their systems who are quickest and
most vocal in attacking those who are reporting an identified problem
and it wouldn't be the first time that someone has stopped openly
reporting issues because of slander from victims when they have
passed along the information.
2.5 Advertising Poisons Major British Media Site
Any time that a site loads external content in their main pages there
is a risk of something going wrong. Probably the worst thing that
could go wrong is some of this content attempting to take control
over the systems belonging to site visitors. This is a risk that has
been covered here before, but it is something that is alarming and
most likely completely unexpected to the site operator when it does
happen.
One such incident recently took place on the main site for British
media firm ITV. According to Sophos, advertising placed on the site
was being used to push 'scareware' to end users, sniffing out the
Operating System a visitor was using, and serving the appropriate
scareware ad to each visitor. ITV wasn't the only British media firm
affected, with Radio Times (a TV listing magazine) also affected.
Other sites are considered likely to have been affected by the
injected malware.
Compromises can take many forms, with blended threats posing more
viable risks to end users than they may have in the past.
Incidents such as this highlight the risks that even 'safe' websites
can pose to end users. Advice such as whitelisting safe sites in a
'Scripting only' zone (either through IE's trusted zone, or through
the use of an extension like NoScript on Firefox) can now be
considered out of date and likely to harm end users.
What should users be advised to do now? Telling them to disable
scripting completely may be somewhat safe (ignoring the research that
is going into hacking via CSS), but it effectively disables much of
the Internet, including online shopping sites, online banking, and
many sports and news sites. Perhaps the best thing would be to have
browsers that can run happily inside a sandbox, reducing the threat
of automated exploitation, and for that to be the default operating
configuration direct from the browser developer.
=======================================
Sincerely,
Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.