Sûnnet Beskerming Alert List Advisory #254 - Microsoft (Multiple), OS X (Multiple), Multiple News

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 7+ days
1.2 OS X (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 4 days

=======================================
/*
 - Remote or Local - Can it be achieved through a network or does it require physical access?
 - Hacker - The bad guy
 - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
 - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Don't Click Here
2.2 When SSL Isn't Going to Save You
2.3 A Simple Demonstration of CSRF Risk
2.4 Somebody Has to Do the Dirty Work
2.5 Advertising Poisons Major British Media Site

=====================================
1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Microsoft Office

-- Technical Description --
MS08-014 - Excel. Multiple remote code execution. Replaces MS07-044, MS07-036, MS08-013. Critical
MS08-015 - Outlook. Remote code execution. Replaces MS07-003.
Critical
MS08-016 - Office. Multiple remote code execution. Replaces MS07-015, MS07-025, MS08-013. Critical
MS08-017 - Office Web Components. Multiple remote code execution. Critical

-- Description --
Microsoft have provided four patches as part of the March Security Patch Update release, with all marked as Critical. All four patches are for Microsoft Office and related components, with at least one of the patched vulnerabilities having been used in targeted attacks prior to patching.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-mar.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-014.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-015.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-016.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-017.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-0081 (MS08-014)
CVE-ID: CVE-2008-0112 (MS08-014)
CVE-ID: CVE-2008-0114 (MS08-014)
CVE-ID: CVE-2008-0115 (MS08-014)
CVE-ID: CVE-2008-0116 (MS08-014)
CVE-ID: CVE-2008-0117 (MS08-014)
CVE-ID: CVE-2008-0110 (MS08-015)
CVE-ID: CVE-2008-0113 (MS08-016)
CVE-ID: CVE-2008-0118 (MS08-016)
CVE-ID: CVE-2006-4695 (MS08-017)
CVE-ID: CVE-2007-1201 (MS08-017)

-- Threat Matrix --
                 U    O
Home User       10   10   (Highly Critical)
Corporate       10   10   (Highly Critical)

1.2 OS X (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.4.x
OS X 10.5.x

-- Technical Description --
AFP Client - Arbitrary code execution due to poor handling of malicious afp:// URLs
AFP Server - Cross-realm authentication can be bypassed
Apache - Numerous vulnerabilities affecting supplied Apache versions
AppKit - Arbitrary code execution risks from a range of vulnerabilities
Application Firewall - German translation of Preference Pane fixed
CFNetwork - Spoofing of secure (https) content is possible
ClamAV - Numerous arbitrary code execution vulnerabilities
CoreFoundation - Arbitrary code execution through integer overflow when handling time zone data
CoreServices - AppleWorks may be convinced to open files ending in .ief if Safari's "Open Safe files" preference is enabled
CUPS - Multiple arbitrary code execution vulnerabilities
curl - Possible arbitrary code execution when interacting with a malicious URL
Emacs - Multiple arbitrary code execution vulnerabilities possible via the built-in Lisp interpreter
file - Arbitrary code execution when using 'file' on a malicious file
Foundation - Multiple arbitrary code execution vulnerabilities
Help Viewer - Malicious help: URLs may lead to arbitrary AppleScript execution
Image Raw - Viewing a malicious image may lead to arbitrary code execution
Kerberos - Multiple arbitrary code execution and denial of service vulnerabilities
libc - Denial of service possible for applications using the strnstr API
mDNSResponder - Arbitrary code execution via privilege escalation
notifyd - System call spoofing
OpenSSH - Arbitrary code execution when used with X11
pax archive utility - Arbitrary code execution risk when pax is run as a command line utility
PHP - Multiple arbitrary code execution vulnerabilities
Podcast Producer - Information disclosure (passwords) to other local users
Preview - Encrypted PDF saves may not adequately protect the file
Printing - Multiple information disclosure opportunities
System Configuration - Arbitrary code execution
UDF - Denial of service (system shut down) when interacting with malicious disk images
Wiki Server - Arbitrary system access possible for users with edit access to the wiki
X11 - Numerous arbitrary code execution vulnerabilities

-- Description --
Apple Computer have released Security Update 2008-002, addressing a number of serious security problems.

-- Recommended Action --
It is recommended that users apply the update, via the Software Update option in the Apple Menu, or via the Apple Download link, below. If installing via the Software Update option, it will only download the applicable update (Intel / PPC / 10.5 / 10.4).

-- Source --
http://docs.info.apple.com/article.html?artnum=61798

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2008-0044 (AFP Client)
CVE-ID: CVE-2008-0045 (AFP Server)
CVE-ID: CVE-2005-3352 (Apache)
CVE-ID: CVE-2006-3747 (Apache)
CVE-ID: CVE-2007-3847 (Apache)
CVE-ID: CVE-2007-5000 (Apache)
CVE-ID: CVE-2007-6388 (Apache)
CVE-ID: CVE-2007-6203 (Apache)
CVE-ID: CVE-2007-6421 (Apache)
CVE-ID: CVE-2008-0005 (Apache)
CVE-ID: CVE-2008-0048 (AppKit)
CVE-ID: CVE-2008-0049 (AppKit)
CVE-ID: CVE-2008-0057 (AppKit)
CVE-ID: CVE-2008-0997 (AppKit)
CVE-ID: CVE-2008-0046 (Application Firewall)
CVE-ID: CVE-2008-0050 (CFNetwork)
CVE-ID: CVE-2007-3725 (ClamAV)
CVE-ID: CVE-2007-4510 (ClamAV)
CVE-ID: CVE-2007-4560 (ClamAV)
CVE-ID: CVE-2007-5759 (ClamAV)
CVE-ID: CVE-2007-6335 (ClamAV)
CVE-ID: CVE-2007-6336 (ClamAV)
CVE-ID: CVE-2007-6337 (ClamAV)
CVE-ID: CVE-2008-0318 (ClamAV)
CVE-ID: CVE-2008-0728 (ClamAV)
CVE-ID: CVE-2006-6481 (ClamAV)
CVE-ID: CVE-2007-1745 (ClamAV)
CVE-ID: CVE-2007-1997 (ClamAV)
CVE-ID: CVE-2007-0897 (ClamAV)
CVE-ID: CVE-2007-0898 (ClamAV)
CVE-ID: CVE-2008-0051 (CoreFoundation)
CVE-ID: CVE-2008-0052 (CoreServices)
CVE-ID: CVE-2008-0596 (CUPS)
CVE-ID: CVE-2008-0047 (CUPS)
CVE-ID: CVE-2008-0053 (CUPS)
CVE-ID: CVE-2008-0882 (CUPS)
CVE-ID: CVE-2005-4077 (curl)
CVE-ID: CVE-2007-6109 (Emacs)
CVE-ID: CVE-2007-5795 (Emacs)
CVE-ID: CVE-2007-2799 (file)
CVE-ID: CVE-2008-0054 (Foundation)
CVE-ID: CVE-2008-0055 (Foundation)
CVE-ID: CVE-2008-0056 (Foundation)
CVE-ID: CVE-2008-0058 (Foundation)
CVE-ID: CVE-2008-0059 (Foundation)
CVE-ID: CVE-2008-0060 (Help Viewer)
CVE-ID: CVE-2008-0987 (Image Raw)
CVE-ID: CVE-2007-5901 (Kerberos)
CVE-ID: CVE-2007-5971 (Kerberos)
CVE-ID: CVE-2008-0062 (Kerberos)
CVE-ID: CVE-2008-0063 (Kerberos)
CVE-ID: CVE-2008-0988 (libc)
CVE-ID: CVE-2008-0989 (mDNSResponder)
CVE-ID: CVE-2008-0990 (notifyd)
CVE-ID: CVE-2007-4752 (OpenSSH)
CVE-ID: CVE-2008-0992 (pax archive utility)
CVE-ID: CVE-2007-1659 (PHP)
CVE-ID: CVE-2007-1660 (PHP)
CVE-ID: CVE-2007-1661 (PHP)
CVE-ID: CVE-2007-1662 (PHP)
CVE-ID: CVE-2007-4766 (PHP)
CVE-ID: CVE-2007-4767 (PHP)
CVE-ID: CVE-2007-4768 (PHP)
CVE-ID: CVE-2007-4887 (PHP)
CVE-ID: CVE-2007-3378 (PHP)
CVE-ID: CVE-2007-3799 (PHP)
CVE-ID: CVE-2008-0993 (Podcast Producer)
CVE-ID: CVE-2008-0994 (Preview)
CVE-ID: CVE-2008-0995 (Printing)
CVE-ID: CVE-2008-0996 (Printing)
CVE-ID: CVE-2008-0998 (System Configuration)
CVE-ID: CVE-2008-0999 (UDF)
CVE-ID: CVE-2008-1000 (Wiki Server)
CVE-ID: CVE-2007-4568 (X11)
CVE-ID: CVE-2007-4990 (X11)
CVE-ID: CVE-2006-3334 (X11)
CVE-ID: CVE-2006-5793 (X11)
CVE-ID: CVE-2007-2445 (X11)
CVE-ID: CVE-2007-5266 (X11)
CVE-ID: CVE-2007-5267 (X11)
CVE-ID: CVE-2007-5268 (X11)
CVE-ID: CVE-2007-5269 (X11)
CVE-ID: CVE-2007-5958 (X11)
CVE-ID: CVE-2008-0006 (X11)
CVE-ID: CVE-2007-6427 (X11)
CVE-ID: CVE-2007-6428 (X11)
CVE-ID: CVE-2007-6429 (X11)

-- Threat Matrix --
                 U    O
Home User       10   10   (Highly Critical)
Corporate       10   10   (Highly Critical)

=======================================
/*
Threat Matrix:
 U - User
 O - Operator
 Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS

2.1 Don't Click Here

A number of media outlets are now covering news of a program run by the FBI that led to the arrest of people for clicking on fake links that the FBI had set up. The rationale for this being appropriate was that the fake links suggested that they led to child pornography.
As at least one noted web security expert has pointed out, it sounds like a good idea in theory, but it fails to take into account the ease with which users can be tricked into visiting links, or with which their systems can automatically be sent to links without the user's knowledge or permission. Some browsers even include link prefetching, which silently loads data from the links present on a page so that when a user follows one, the browser has already received most of the data for the page. Even worse, it acts as a discouragement for people to report on anything that they have seen. The affected individuals had their homes raided and "'computer-related' equipment, utility bills, telephone bills, any 'addressed correspondence' sent through the U.S. mail, video gear, camera equipment, checkbooks, bank statements, and credit card statements" seized. That's a lot for clicking a link on the web (and it first has to be proven that they actually clicked).

2.2 When SSL Isn't Going to Save You

After many years of trying from InfoSec and general IT people, users are starting to get a better grasp on the importance of looking for the little lock icon in their browser and https at the start of the URL when they go to enter sensitive personal or financial information online. The more involved step of checking the validity of the SSL certificate hasn't caught on as much, but most browsers will alert the user when the certificate appears to have expired or does not match what the browser is expecting. This improvement in user awareness and online activity is a wonderful thing; however, all it means is that the user is applying greater security awareness to an established connection between their system and a website.

Malware authors and attackers that are trying to recover sensitive details from a user have a much simpler means of doing so, by compromising either end of the connection, though there is still a small place for MITM attacks against the connection itself. Remote website compromise is a topic which has had recent coverage and is a problem about which the user can do little. Disaffected insiders and motivated external attackers pose real problems for users of popular sites, and it is a problem that unfortunately is not uncommon. Even the security of an end user's system can easily be compromised, and it is at this point that a user's sensitive data is most likely to be retrieved. Modern browsers make a range of efforts to limit the amount of time that information being passed to a secured website spends in an unencrypted state, but once malware is present on a user's system it is much more difficult to prevent the loss of sensitive information.

Didier Stevens has written a straightforward article that describes how simple it is to trap information passed in Internet Explorer's HTTPS requests even if the user is not running as an Administrator or higher level. All it requires is for malicious software to be running at the same time as the user is visiting websites through a secure connection. As Didier points out, the process of capturing this information is disturbingly easy. While the technique exactly as described by Didier has only just been published, capable malware authors have been well aware of process hooking for some time, and it would not be unreasonable to assume that if a system has been compromised by malware, then ANY information being passed to and from the Internet can be read by the malware.

If you are using your system for any online financial activity, or any activity that requires the provision of sensitive details, then it is considered prudent to at least be running regular antivirus and antimalware scans, using a regularly updated suite of tools. There is still a real risk to the end user that they will end up compromised, but it is something that happens to the best of them.

2.3 A Simple Demonstration of CSRF Risk

Noted Web Security expert Jeremiah Grossman has published an interesting article that is a welcome reminder of how easy it is to sniff out, from another website, whether a user is logged into a given website (i.e. Cross Site Request Forgery). Using the method Jeremiah describes, a request is made for a resource that is only served to a logged in user. The nature of the response dictates whether or not the user is logged in (either the browser receives the requested resource or it receives an error).

Jeremiah suggests that the options for site developers wanting to prevent this sort of attack are to remove authentication requirements from resources that aren't necessarily sensitive (so that they are returned even for a non-authenticated user), or to tokenise the resource descriptors so that arbitrary guessing of the resource will not be a viable method for finding it. Browser developers could prevent cross site information leakage in some way, but no suggestion is put forward (plus it would break a lot of existing Internet functionality that relies upon sites being able to request and display information from other sites in the context of the original site, such as online advertising).

While most attacks that try to exploit a user for being logged into a site are carried out blind (without actually checking the logged in status), the simplicity with which it may be checked makes targeted attacks, and also those that are harder to detect, much more likely.
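The login-state leak described above, alongside the two mitigations Jeremiah suggests, as an added example that is not code from the advisory or from Jeremiah Grossman's article. It models a site's handler for a resource that is only served to logged-in users as a plain Python function (path, session cookie) -> HTTP status, since the browser attaches the site's cookie to a cross-site image or script request automatically. The session store, the /avatar.png path, and the handler names are constructed for the illustration; the hardened handler uses a per-user random token in the resource path so that a guessable path returns the same status whether or not the visitor is logged in.

```python
import secrets
from typing import Callable, Optional

# Constructed sample session store: session cookie value -> user id.
SESSIONS = {"sess-alice": "alice"}

# Per-user unguessable resource tokens, issued server-side at login (hypothetical).
AVATAR_TOKENS: dict = {}

Handler = Callable[[str, Optional[str]], int]


def vulnerable_handler(path: str, cookie: Optional[str]) -> int:
    """Authenticated-only resource at a guessable path.

    The status (200 vs 403) depends on the visitor's login state, so any
    third-party page that embeds the path can tell the two apart.
    """
    if path != "/avatar.png":
        return 404
    return 200 if cookie in SESSIONS else 403


def public_handler(path: str, cookie: Optional[str]) -> int:
    """Mitigation 1: the resource is not sensitive, so drop the authentication
    requirement and serve it to everyone. The status no longer depends on
    the cookie, so there is nothing to infer."""
    return 200 if path == "/avatar.png" else 404


def issue_avatar_token(user: str) -> str:
    """Mitigation 2, step 1: give each user a random, unguessable token for
    their resource path. 32 random bytes, URL-safe encoded."""
    token = secrets.token_urlsafe(32)
    AVATAR_TOKENS[user] = token
    return token


def tokenised_handler(path: str, cookie: Optional[str]) -> int:
    """Mitigation 2, step 2: the resource lives only at /avatar/<token>.png.

    Anything else is 404 for everyone, logged in or not, so a third-party
    page cannot find a path whose status depends on login state without
    already knowing the victim's token.
    """
    user = SESSIONS.get(cookie)
    token = AVATAR_TOKENS.get(user) if user is not None else None
    if token is not None and path == "/avatar/%s.png" % token:
        return 200
    return 404


def leaks_login_state(handler: Handler, path: str) -> bool:
    """What an embedding third-party page can observe: does the status for a
    given path differ between a logged-in visitor (cookie sent automatically)
    and an anonymous one?"""
    return handler(path, "sess-alice") != handler(path, None)


if __name__ == "__main__":
    print("vulnerable /avatar.png leaks:", leaks_login_state(vulnerable_handler, "/avatar.png"))
    print("public    /avatar.png leaks:", leaks_login_state(public_handler, "/avatar.png"))
    issue_avatar_token("alice")
    print("tokenised /avatar.png leaks:", leaks_login_state(tokenised_handler, "/avatar.png"))
    print("tokenised guessed path leaks:", leaks_login_state(tokenised_handler, "/avatar/guess.png"))
```

The tokenised handler still authenticates the request; the point is that the only path whose status depends on login state is one the attacker's page cannot guess. Tokens should be issued with a cryptographic random source (secrets here) and rotated at login, and resources that are genuinely sensitive must not fall back to a guessable path. Newer browsers reduce this class of leak by not sending cookies on cross-site subresource requests by default (the SameSite cookie attribute, which post-dates this advisory), but that is a browser-side default the site does not control, so the server-side mitigations remain worthwhile.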
2.4 Somebody Has to Do the Dirty Work

The team at Zone-H is currently questioning the merit of continuing to update and maintain their well known defacement archive service, given the negative sentiment that many people direct at them when they find out that they have been compromised, and the discouraging trend of site defacers using the archive as an informal ranking board, with some striving for the highest number of defacements recorded in the archive. Having become the leading archive of defaced sites following the demise of the Alldas archive (the Zone-H archive is now more than 200 times larger than Alldas was at its peak), Zone-H has become a valuable resource for Information Security, even more valuable when the numerous other services that the company offers are considered. However, the continuation of the archive isn't the only problem that Zone-H has had to face in recent months, with the arrest of their founder, Roberto Preatoni, in relation to an Italian spying scandal.

Zone-H are currently running a poll to determine whether maintaining the service is worthwhile (the poll is reachable directly from the main page). Worryingly for Information Security researchers and interested observers, there is an almost 80% vote in favour of terminating the mirroring services. Those who would argue against the continuation of the Zone-H archive should consider that their same arguments can be used against Information Security resources such as Full Disclosure, BugTraq (probably more of a concern given the moderation delay), Milw0rm, and any number of sites that have published information about attacks and how to carry them out. Most of these arguments seem to stem from the fact that Zone-H is only a relatively small Information Security company, and a lot of the negative sentiment they attract comes from a fear of the unknown. Withholding valuable information from the Information Security community is more of a problem than any short term embarrassment that might come from the knowledge that an attacker might pick up from the archive.

If nothing else, the historical data that Zone-H provides is a valuable insight into the changing nature of website attacks and defacements and the sort of general attacks that an attacker might be expected to have in their toolkit. It is interesting to note that the greatest overall successful target is Linux-hosted systems, and there is a distinct downwards trend in terms of overall attack numbers following a peak in 2006. Open source advocates who point to the robustness of their chosen solutions (generally a Linux - Apache stack) against attack will be shocked to discover that the greatest number of successful attacks were against Linux systems (more than double the combined number of Windows systems in 2007) and against the Apache web server (more than double the combined number of IIS attacks in 2007). The likely reason for this follows from what poses the greatest threat to a website: based on the reported compromise methodology, it would appear that poor administrative skills and weak security policies are the greatest threat, though almost a quarter of all attacks are actually based on weaknesses within the site itself (file inclusion, SQL injection and the like). This ratio is surprising, given the increasingly vocal nature of the web security community (though it should be noted that many site compromises that take place through the actual site would never get reported, as they are being actively used for malicious purposes).

If Zone-H were to terminate their operation of the defacement archives it would be a great loss to the Information and general security community. It is disappointing that the reason may be the ill will that Zone-H receives for archiving what has been reported to them (and doubtless many others in the Information Security community receive very similar ill will). It is often those who are least capable of understanding the true nature of what has happened to their systems who are quickest and most vocal in attacking those who are reporting an identified problem, and it wouldn't be the first time that someone has stopped openly reporting issues because of slander from victims when they have passed along the information.

2.5 Advertising Poisons Major British Media Site

Any time that a site loads external content into its main pages there is a risk of something going wrong. Probably the worst thing that could go wrong is some of this content attempting to take control over the systems belonging to site visitors. This is a risk that has been covered here before, but it is something that is alarming and most likely completely unexpected to the site operator when it does happen. One such incident recently took place on the main site for British media firm ITV. According to Sophos, advertising placed on the site was being used to push 'scareware' to end users, sniffing out the operating system a visitor was using and serving the appropriate scareware ad to each visitor. ITV wasn't the only British media firm affected, with Radio Times (a TV listing magazine) also affected. Other sites are considered likely to have been affected by the injected malware.

Compromises can take many forms, with blended threats posing more viable risks to end users than they may have in the past. Incidents such as this highlight the risks that even 'safe' websites can pose to end users. Advice such as whitelisting safe sites in a 'Scripting only' zone (either through IE's trusted zone, or through the use of an extension like NoScript on Firefox) can now be considered out of date and likely to harm end users. What should users be advised to do now? Telling them to disable scripting completely may be somewhat safe (ignoring the research that is going into hacking via CSS), but it effectively disables much of the Internet, including online shopping sites, online banking, and many sports and news sites. Perhaps the best thing would be to have browsers that can run happily inside a sandbox, reducing the threat of automated exploitation, and for that to be the default operating configuration direct from the browser developer.

=======================================
Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com