Nabble - Sunnet Beskerming Alert

Advisory #258 - Microsoft (Multiple), Multiple News

2008-08-13T03:59:39Z

Sûnnet Beskerming Alert List Advisory #258

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, pleasecontactinfo@... to resolve the error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 1 day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 $1 Million gets you International Hacking Capabilities
2.2 Online Attacks for Political Reasons
2.3 You can Only Blame Technology so Often
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Exchange Server
SQL Server

-- Technical Description --
MS08-041 - ActiveX Control associated with Microsoft Access. Remote
code execution. Critical
MS08-042 - Word. Remote Code Execution. Important
MS08-043 - Excel. Remote Code Execution. Critical
MS08-044 - Office. Remote Code Execution. Critical
MS08-045 - Internet Explorer. Remote Code Execution. Critical
MS08-046 - Windows Color Management System. Remote Code Execution.
Critical
MS08-047 - IPSec policy. Information Disclosure. Important
MS08-048 - Outlook Express, Windows Mail. Security Update. Important
MS08-049 - Event System. Remote Code Execution. Important
MS08-050 - Windows Messenger. Information Disclosure. Important
MS08-051 - Microsoft Office Filters. Remote Code Execution. Critical

-- Description --
Eleven patches were released by Microsoft with the August Security
Patch Release. Of those patches, six were rated as Critical, and the
remaining five were rated Important. This marked a change from the
advance notification, where it was identified that seven of the
patches were to be Critical, and only five as Important. Microsoft
also provided updated patches for MS08-022, MS08-033, MS08-047, and
MS08-040 and two advisories, 955179 and 954960.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
Register to gain access

-- External Tracking Data --
Register to gain access

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Olympic Ticket Scam Traps Many

In the age of the P-p-p-p-powerbook and the ubiquitous 419 scammer, it
comes as no surprise that many people have fallen for a Beijing
Olympics ticketing scam that seems to have hit people all across the
world. Due to the rarity of tickets for the games, and the particular
setup of the scam site (and others), there has been a lot of money
lost by many people as they struggled to get their hands on tickets
that didn't exist. It is ticket scalping for the 21st century, made
even more lucrative by the need not to actually provide any tickets to
the victims.

When MSNBC carried a Forbes Traveler article, initially published late
February, it carried links to at least one fake ticketing site, sites
that have since disappeared from the actual page, pulled sometime
between the end of July and now, it led to implied legitimacy for the
site and helped it gain a search engine position and helped lead many
down the path of losing large amounts of money.

By silently fixing the article, MSNBC have contributed to the
confusion as to how people were led into believing the site was
legitimate. If you or your site find yourself in the position of
having to amend something that you have already published online, you
need to make sure that visitors can tell that you have amended the
original page and at least identify what has changed. MSNBC's silent
fix, without any acknowledgement that the original links might not
have been appropriate, is the worst possible way to deal with things,
it is even worse than leaving the information as it was - at least
then people could identify where the implied legitimacy had originated
from.

Just to make it clear, this is NOT THE REAL BEIJING GAMES TICKET SITE,
this one is. Does it mean that the Chinese Olympic organisers have
failed to secure all probable online domains before selling tickets?
It is impossible to completely close off the multitude of possible
domains that might be set up to try and sell tickets, so the
organisers aren't really at fault for that. Could they have made more
effort to secure likely domains? Probably. Then again, hindsight is
always perfect.

Key to the whole incident is how trust is allocated and determined
when interacting with new sites on the Internet. It actually
highlights one of the biggest problems with establishing viable online
trust. If a site, such as MSNBC, that you would normally otherwise
trust, provides a link to a malicious site and claims it is
legitimate, how would you be able to differentiate if the link is
malicious if you had never been there before? Under almost any trust
model that exists, the site would have gained trustworthy status
earlier this year, when MSNBC first linked to it. Where the trust
breakdown took place was when people failed to receive their tickets
and it was realised that the site was claiming ticket availability for
events that had long been completely sold out. Some of the more
advanced trust models that are in development (such as the one
developed by Sûnnet Beskerming) would have given the site a dubious
weighting, but would have struggled to offset the implied trust
delivered by other sites against the Official Beijing site, which
should have been the only one to offer tickets for sale.

All you need to trick people into giving you their money, it seems, is
to have a flashy website and promise delivery in the future for some
desirable item. If you want to find out more about the risks and what
sites are scamming people, one of the best resources for those who are
trying to hunt down the people behind the various scams is over at
beijingticketscam.com.

2.2 Internet Flaw Highlights More Than Just Technical Problems

When Dan Kaminsky released a cryptic announcement that one of the core
technologies (DNS, the Domain Name System) tying the Internet together
was vulnerable to a critical weakness it gained the attention of many
people, especially given that many of the software vendors who create
the vulnerable software had come together to address the problem and
the fact that Kaminsky was going to delay the release of information
until early August, at the Las Vegas Black Hat conference.

Despite the secrecy about the details of the vulnerability, if you
don't want anyone else to work it out for you, then don't tell anyone
you've found something. The lack of openness about the issue led many
to start speculating and eventually Halvar Flake hit upon the correct
answer. When Kaminsky himself challenged others to look into the
security of DNS and look at what might have been missed, the outcome
was almost guaranteed. Indeed, since the vulnerability was correctly
speculated on, exploit code has been publicly released through a
number of websites and mailing lists.

Since the correct guessing of the vulnerability, the general response
has been one of panic. Those who have read and understood the
technical details have largely been left scratching their heads -
there's not really anything new there. All it demonstrates is a corner
case of a previously known issue. Certainly the issue is one that
should have been fixed properly the first time, but for whatever
reason it wasn't.

What is more interesting is to see the vitriol that has now emerged as
people realise the information is out there. Some of the most serious
claims have been levelled against the team at Matasano Chargen for
having been the ones to actually spill the beans, as Halvar Flake had
only speculated about the details. The pulled post at Matasano Chargen
did more to get people to sit up and take notice than it would have if
it was left in place and the fact that they had declared that they
were part of the trusted few who had the details confirmed by Dan
Kaminsky only further validated for many people what had been posted.

Part of the problem is once data has been published on the Internet it
is awfully hard to completely retract it, even if it has only been
there for a couple of hours in total. As the retracted post at
Matasano Chargen promised technical details on the vulnerability it
was quickly snapped up by the lucky few who were able to see it and
then reproduced on numerous other sites.

Information Security has egg on its face over this issue. It shows how
immature the industry can be and how poor many people's skills are at
managing release and coordination of information. To his credit Dan
Kaminsky did find something that hadn't been fixed. Whether that is an
old problem or not is irrelevant for the time being, as it affected a
significant portion of the Internet's DNS servers and required a
coordinated effort by vendors to do something about it.

The whole incident has left a sour taste in many mouths.

Is Black Hat or DefCon the place to release all about a vulnerability?
After the debacle surrounding David Maynor and Jon Ellch's Black Hat
OS X wireless vulnerability demonstration in 2006, perhaps people who
are looking to release sensitive vulnerability information with some
flair should reconsider the pre-release media blitz. It runs the very
high risk of turning what might be a valid issue into a circus and
leaving all involved worse off for the experience.

Richard Bejtlich suggests that the incident might have been better
handled if initial and full disclosure was handled by an impartial
third party and the conference used for post-disclosure discussion and
the details of how the vulnerability was found. The problem is then
finding what can be regarded as an impartial third party.

The open discussion that was created following the initial
announcement turned up a more serious problem, which will continue to
have problems for users long after most systems are updated to address
the vulnerability. NAT, a very common technology that allows for
multiple systems to sit behind a single network connection wasn't
considered in the vulnerability equation but it was soon realised that
the method implemented to protect against the vulnerability would
break down when network traffic encountered most NAT devices, with the
result of zero protection against the vulnerability.

The whole idea of responsible disclosure, most famously set out by
Rain Forest Puppy, has broken down in this case. Those who were not
briefed in with details on the vulnerability feel that security by
obscurity was the gameplan and watching how the incident played out in
the media and how those who knew were (mis)managing the information
reinforced this idea for them. As far as those who did know the
details, they saw the withholding of information as a necessary step
to prevent widespread attack before updated systems could be put in
place. The problem was that this left everyone else having to
guesstimate the severity of the vulnerability, or having to trust the
claims being made by people who weren't releasing enough information
to back up their claims.

The problem with the approach taken was that it was set up such that
the carrot being dangled was too tempting for everyone to leave alone
until Black Hat. When the vulnerability was finally released, it
didn't seem to make a lot of sense, surely the vulnerability wasn't as
simple as that. With the way that a number of people in the know were
talking it sounded like the world was about to end.

So, what is the vulnerability?

Historically, it was possible to guess fairly quickly the IDs in use
by DNS queries and responses and so insert fake responses to poison a
DNS cache and point requests for legitimate sites to those under a
hacker's control. Improved random number generators (to increase the
entropy of the IDs) and randomising the source ports helped make this
particular attack far more difficult to carry out (but not completely
impossible).

Within the structure of a DNS response it is possible for amplifying
data to be returned about a domain so that subsequent requests to that
domain or subdomains can be made more efficiently, either by
identifying the correct authoritative server to query or by supplying
the data direct to the requesting system so that it doesn't need to
poll the server.

It is this particular feature which is the key to the whole discovery
made by Dan Kaminsky. While it should not be possible (poor
implementation of the specification aside) for this amplifying data to
change the details of other domain entries, it is possible for the
amplifying data to change the details for parent domains. This means
that a poisoned response for poisoned.example.com can change the
details for example.com.

Without the source port randomisation, it has been discovered that it
is possible to overcome the message ID randomisation and inject a fake
response that poisons the entry for the top domain in around 10
seconds on a fast modern system. To achieve this, numerous requests
are made for fake subdomains until the right combination of ID and
timing have been found to inject the response. The solution of adding
increased randomisation to the source ports used in making the
requests adds another layer of complexity for the hacker to overcome,
one which is enough for this point in time.

It is a band-aid type solution? Only time will show, but it might
prove good enough for the next few years at least. Perhaps a better
solution would be that every domain should include a wildcard
subdomain entry that identifies the legitimate main server as the
authoritative one for all subdomains for that particular domain.
Sending this wildcard information in the DNS response would result in
increased network traffic but it would also completely neutralise a
spoofing attack (unless the attacker is lucky enough to have the right
combination of ID, timing, and source port to beat the legitimate
response to the end user). It might break some business models that
rely upon selling / marketing subdomains and mean more authoritative
DNS servers need to be set up, but that is what might be necessary to
completely neutralise the vulnerability.

At the end of the day it still only seems to be domain-specific
poisoning, that is you can't forcefully poison results for a domain
that you aren't already making requests for (i.e. poisoning the result
for google.com when making requests for yahoo.com), but with the
various IFRAME and JavaScript tricks that exist out there it isn't too
hard to make this seem transparent - such that the user doesn't know
that they have been making requests for the site, but by this stage it
is too late for their system and they are compromised. With readily
available exploit code this is going to become a real problem for many
people in a short period of time.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #257 - Microsoft (Multiple), Multiple News

2008-07-18T00:48:30Z

Sûnnet Beskerming Alert List Advisory #257

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contactinfo@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - >1 week
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 $1 Million gets you International Hacking Capabilities
2.2 Online Attacks for Political Reasons
2.3 You can Only Blame Technology so Often
=====================================

1. SECURITY

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Exchange Server
SQL Server

-- Technical Description --
MS08-037 - DNS Server / Client. Spoofing / Cache poisoning. Important
MS08-038 - Windows Explorer. Multiple remote code execution. Important
MS08-039 - Exchange Server - Outlook Web Access. Privilege
Elevation. Replaces MS07-026. Important
MS08-040 - SQL Server. Privilege Elevation. Important

-- Description --
Microsoft provided four Important patches with the July Security
Patch Release. Only one of the patches had any vulnerability or
exploit data available
Microsoft has provided seven patches with the June Security Patch
Release. Of the patches, three are rated as Critical, three as
Important, and the remaining patch as Moderate. Exploit data for some
of the Internet Explorer (MS08-031) and Speech API (MS08-032)
vulnerabilities has been publicly available, but limited in
distribution.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-038.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-1447 (MS08-037)
CVE-ID: CVE-2008-1454 (MS08-037)
CVE-ID: CVE-2008-1435 (MS08-038)
CVE-ID: CVE-2008-0951 (MS08-038)
CVE-ID: CVE-2008-2247 (MS08-039)
CVE-ID: CVE-2008-2248 (MS08-039)
CVE-ID: CVE-2008-0085 (MS08-040)
CVE-ID: CVE-2008-0086 (MS08-040)
CVE-ID: CVE-2008-0106 (MS08-040)
CVE-ID: CVE-2008-0107 (MS08-040)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 $1 Million gets you International Hacking Capabilities

A recent briefing by the US Department of Homeland Security has thrown
up some interesting figures about the level of online attack
capability that a number of designated terrorist organisations are
believed to possess. What is somewhat surprising is the level of
capability being claimed for a relatively low level of investment.

That a number of these organisations are developing an ability and
commensurate plans to target online services and data stores is not a
surprise. After all, online attacks represent almost the perfect form
of attack - significant short to medium term effect for almost no
personal risk, easy to set up and administer and have effects far
beyond the immediate region.

Figures were quoted in the report for Hezbollah, which is estimated to
be devoting almost $1 million of the estimated $60 million annually
that it receives to electronic warfare. From that amount it has
apparently developed the capability to tap and monitor / hijack fiber
optic networks, though it could be assumed that much of whatever
capability they have has come direct from their state sponsors (Syria
and Iran).

While people are coming to rely upon the Internet as an essential
service, it wasn't all that long ago that there was no real level of
interconnection as such and so the wider community probably won't be
too greatly affected by an attack on an individual level. Communities
as a whole may suffer due to outages with essential services and
service providers that may be relying upon the Internet for operations.

How the terrorist organisations compare to the existing spam networks,
Russian and Chinese controlled botnets, and system and software
updates going awry remains to be seen. Perhaps now that Information
Security threats have been linked with terrorist groups, the
Information Security may start to see some of the funds set aside to
combat terrorism.

2.2 Online Attacks for Political Reasons

It seems that the only time that state-sponsored online attacks are
covered in the media is when someone wants to create a short term
scare campaign that is focussed on driving business to a company, or
on increasing funding or perceived relevancy for a government agency
or group of agencies. Perhaps the best known case in the last few
years was in Estonia, though there remains contention about who
exactly was behind the attacks. Even though the official story is that
an ethnic Russian in Estonia was responsible, there are those who
still believe that the attacks were coordinated and managed from Russia.

State sponsored attacks are always guaranteed to attract interest, but
the idea of semi-state and stateless organisations developing online
attack capabilities for political goals is also starting to attract
attention. With many of the groups that have openly admitted to
developing such capability already engaged in open attacks in other
environments and many also attracting designation as 'terrorist'
groups, an online attack that is claimed by or attributed to one of
these groups is considered far more likely than a state-sponsored
attack. While the technology and methods used may be no different from
those used in spam, phishing, and other online criminal activity, it
is the political intent behind their use which places them in a
separate class.

Supporting this argument is a number of claims by different terror
groups that they have access to an electronic attack capability
surfacing in recent weeks and months. These claims are actively
promoted by the groups, who argue that it allows them to level the
playing field against their opponents and, more importantly for them,
it provides a means to disrupt their opponents without significant
risk to themselves.

Even though online attacks offer far less personal risk to the
instigators, there are still some global regions where this is not the
case. Earlier this year Israel killed a Palestinian believed to have
been in charge of the online attack element for a Palestinian militant
organisation, but this is probably the only global region where an
electronic attacker may be at significant personal risk.

India is the latest country to join the ranks of those accusing China
of attacking their internal networks and systems. This accusation is
more significant than most, given the geographic proximity of the two
countries and their historical military and political tension
(including two current disputed regions and a number of historical
armed conflicts).

It will be interesting to see how the two most populous and rapidly
developing countries in the world handle this sort of activity and how
each responds to claimed attack and counter attack, given that the
attacks may be attributed to state-sponsored, semi-state, and
stateless bodies in varying proportions. Though the scale of the
attacks is relatively small, given the overall size of both countries,
the economic and technological boost that has been delivered with the
outsourcing industry means that some of the juciest targets in India
are actually datasets belonging to foreign companies.

There is no sign that these sorts of attacks will increase in scope
anytime soon, but it is something to consider with data security
concerns - especially in an outsourced environment. You might wake up
one day to find that your data is being held ransom or under attack by
an external party that is actually targeting your supplier and not you
directly. That is cold comfort for the people whose data lies within
that dataset and it will be you ultimately held responsible for its
safety.

2.3 You can Only Blame Technology so Often

Is the latest defence against embarrassing or criminal emails, text
messages, and Internet activity that a hacker did it? Detroit's Mayor
is currently the subject of a lawsuit alleging that he and a former
aide conspired to lie under oath in a previous investigation.

That in itself isn't too much out of the ordinary, but the Mayor's
lawyers are arguing that allegedly incriminating text messages that
are supposed to have been sent between the parties were actually the
work of hackers.

It is assumed that the text messages will provide sufficient evidence
of guilt but it does make for an interesting defence tactic to prevent
the release of the messages. What it leaves most people with is the
impression that the text messages will implicate the Mayor and his
aide and that it is a wildly speculative attempt from his defence
lawyers to avoid them having to be shown in court.

It has been pointed out that while it is technically feasible to have
had hackers create the messages, it is fairly straight forward to
correlate messaging activity with other events on the Mayor's
schedule. A further reason why the defence lawyers seem to be pushing
hard to suppress release of the records is the belief that the
messages are the key component to the prosecution's case, and without
them the case will fail.

Making matters worse, when it can be shown that there is a reasonable
assumption that the person involved has actually been the victim of a
malware author / hacker, such as the Julie Amero case, it can be
difficult to convince people that it actually is the case.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #256 - Microsoft (Multiple), QuickTime, Multiple News

2008-06-13T00:34:19Z

Sûnnet Beskerming Alert List Advisory #256

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 days
1.2 QuickTime
- Remote Hacker Automatic Control
- Time Since Discovery - 3 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Website Defacement Group Arrested After Going too far
2.2 An Interesting Firefox Flaw
2.3 BT Home Hub Still full of Holes
2.4 What makes for a Dangerous Domain?
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Microsoft Office
Windows
Internet Explorer

-- Technical Description --
MS08-030 - Bluetooth. Remote code execution. Critical
MS08-031 - Internet Explorer cumulative update. multiple remote code
execution. Replaces MS08-024. Critical
MS08-032 - Speech API. Remote code execution. Replaces MS08-023.
Moderate
MS08-033 - DirectX. Code execution. Replaces MS07-064. Critical
MS08-034 - WINS. Privilege escalation. Replaces MS04-045. Important
MS08-035 - LDAP - Active Directory. Denial of Service. Replaces
MS08-003. Important
MS08-036 - Microsoft Message Queuing. Denial of Service. Replaces
MS06-052. Important

-- Description --
Microsoft has provided seven patches with the June Security Patch
Release. Of the patches, three are rated as Critical, three as
Important, and the remaining patch as Moderate. Exploit data for some
of the Internet Explorer (MS08-031) and Speech API (MS08-032)
vulnerabilities has been publicly available, but limited in
distribution.

-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-030.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-031.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-032.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-034.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-035.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-036.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-1453 (MS08-030)
CVE-ID: CVE-2008-1442 (MS08-031)
CVE-ID: CVE-2008-1544 (MS08-031)
CVE-ID: CVE-2007-0675 (MS08-032)
CVE-ID: CVE-2008-0011 (MS08-033)
CVE-ID: CVE-2008-1444 (MS08-033)
CVE-ID: CVE-2008-1451 (MS08-034)
CVE-ID: CVE-2008-1445 (MS08-035)
CVE-ID: CVE-2008-1440 (MS08-036)
CVE-ID: CVE-2008-1441 (MS08-036)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

1.2 QuickTime - Remote Hacker Automatic Control

-- Products Affected --
QuickTime versions prior to 7.5

-- Technical Description --
QuickTime 7.5 has been released, incorporating several critical
security patches, including patches for remote code execution risks
associated with PICT file handling, AAC-encoded file handling, Indeo
video content, and QuickTime media content. The exploits are a range
of heap overflows, stack overflows and URL handling issues and affect
both the OS X and Windows versions of QuickTime.

-- Description --
Earlier this week, Apple released version 7.5 of the QuickTime media
codec and associated player software. With the update, Apple provided
a range of critical security fixes which addressed a number of remote
code execution opportunities that were identified with QuickTime.

-- Recommended Action --
Update to QuickTime 7.5 when possible.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/quicktime/download/

-- External Tracking Data --
CVE-ID: CVE-2008-1581
CVE-ID: CVE-2008-1582
CVE-ID: CVE-2008-1583
CVE-ID: CVE-2008-1584
CVE-ID: CVE-2008-1585

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Website Defacement Group Arrested After Going too far

Most website defacement groups are regarded as more of a nuisance than
a major threat. While they cost site operators and maintainers
valuable time and resources to recover damaged sections of their sites
and patch the entry points, generally the only damage done is to place
a page on the site to proclaim the technical prowess of the group,
before they run off and self-report to the World's largest online
defacement archive, atZone-H.

Sometimes the groups go too far for comfort for authorities.
Defacements of sites belonging to government agencies or bodies have
their own special place in the Zone-H archive, but most of the time
these defacements are treated exactly the same as for non-government
sites - as a nuisance.

For one Spanish group, hacking a Spanish political site was the one
step too far for comfort, eventually resulting in their arrest.
Spanish sites weren't the only sites that they defaced, with numerous
US sites, including NASA sites, on their list of defacements recorded
at Zone-H.

2.2 An Interesting Firefox Flaw

Ronald van den Heetkamp has published information about an interesting
heap corruption in Firefox.

Put simply, it has been discovered that merely running document.open,
document.write and document.close in close succession can sometimes
lead to code not being executed prior to the document being closed
(the obviously named document.close method) and some inconsistent
behaviour from Firefox. The interesting aspect of what Ronald has
discovered is that if he uses an empty applet then it leads to a
fairly predictable denial of service after a couple of minutes after
attempting to load the initial code element. Based on the information
provided, it is predictable from the point of view that it can be
assumed the browser will be unresponsive within a few minutes of
loading the code, even if the underlying mechanism of just how the
code is causing the failure is not understood.

Although Ronald has not developed his example to the point of
executing code, the sample gives an easy starting point for further
investigation and develeopment. It is true that every heap corruption
isn't going to end in arbitrary code execution, but on initial view it
does seem possible with this particular vulnerability. At the moment
it is an interesting and simple denial of service vulnerability.

2.3 BT Home Hub Still full of Holes

British Hacker group GNUCITIZEN, and in particular Adrian 'pagvac'
Pastor, have been focussing on the BT (British Telecom) Home Hub, an
ADSL modem capable of acting as a wireless access point and
interfacing with DECT compliant telephone handsets (the standard used
in most cordless handsets) as well as supporting VoIP. In their past
research, GNUCITIZEN identified several methods to compromise various
features of the BT Home Hub, including the complete take over of the
device by a remote attacker, provided that the local user could be
convinced to visit a malicious website.

Some of the modifications made by BT to address the concerns raised by
GNUCITIZEN included changing the default password of the Home Hub to
the serial number of the device. On initial observation, this gives
each device a unique root password that should be non-guessable by a
remote attacker, neutralising the techniques otherwise used to
compromise the system.

Recent work, however, has shown that this serial number is
recoverable, and thus the control of the device. To achieve this feat,
a local network request is made using Multi Directory Access Protocol
(MDAP) which then results in the device responding with its ID number,
which can then be pre-prended with 'CP' to give the serial number and
the default password for the device.

Limiting the impact of the discovery is the requirement for the
attacker to be on the same LAN as the router, either through a wired
or wireless connection. Given that the wireless connection is only
secured with WEP, it isn't going to take long for a casual wardriver
to break into a targeted device. Alternatively, techniques described
by other researchers, to allow probing of local LAN resources remotely
could be blended to give the remote attacker all the information they
need without actually having to be present on the LAN.

While this is a real concern, Adrian points out that there are still
critical UPnP port forwarding vulnerabilities that leave the Home Hub
just as vulnerable. Given the numerous capabilities of the device and
what it is designed to be used for, anything that could allow a remote
attacker to capture all Internet and telephony traffic passing through
the device is going to have serious consequences.

If BT, the company that purchased noted security company CounterPane
(including Bruce Schneier) can have critical security errors in their
consumer level devices, it doesn't bode well for the many other ISPs
that provide slightly modified devices to their own customers, even if
they are nothing like the Home Hub in appearance or capability. As
with any other network or computing device, the safest approach to
take is to always assume that it is or can be compromised and be aware
of what information is being sent through or stored on it.

2.4 What makes for a Dangerous Domain?

McAfee recently published a study that identifies what could be
described as the world's most dangerous top level domain (.hk).
According to McAfee's report, 19% of .hk domains are alleged to be
serving malware or otherwise considered potentially risky for site
visitors. Two other top level domains, .cn and .info were identified
as having more than 11% of their sites identified as being risky, with
the .com domain only having about 5% of the total sites on that domain
being considered risky.

While raw percentages give a quick initial first impression, in terms
of the raw overall numbers of sites that are considered dangerous,
there are more on the .com domain than on .hk. The other question not
quite answered by the research is how likely a generic Internet user
is going to stumble across one of these malicious sites and how
obvious it is going to be that they have done so when they have.

Suggestions as to how to improve the data collection and reporting
would be to report the numbers by IP block. This would give a better
indication as to where on the Internet malicious (and potentially
malicious) sites are located and also which network providers are more
accommodating to these sites. It would also make the life of other
admins much simpler in terms of limiting network traffic to dangerous
sites.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com

Advisory #255 - Microsoft (Multiple), Multiple News

2008-05-14T14:19:12Z

Sûnnet Beskerming Alert List Advisory #255

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info@... to resolve the
error.

Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 PHP Updates to 5.2.6
2.2 Mass Site Hack Proves no Site is Truly Safe
2.3 DefCon Competition has Antivirus Vendors Complaining
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Microsoft Office

-- Technical Description --
MS08-026 - Office. Multiple Remote code execution. Replaces
MS08-009. Critical
MS08-027 - Publisher. Remote code execution. Replaces MS07-037 and
MS08-012. Critical
MS08-028 - Jet Database Engine. Remote code execution. Critical
MS08-029 - Microsoft malware protection engine. Multiple Denial of
Service. Important

-- Description --
Microsoft has provided four patches with the May Security Update
release, with the first three identified as Critical, and the
remaining one as Important. MS06-069 was also re-released to account
for Windows XP SP3 as a vulnerable product. The Jet Database Engine
vulnerabilities (MS08-028) have been actively exploited for some
time, while the other vulnerabilities have not had any public release
of attack code.

-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?
s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-027.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-028.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-029.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-1091 (MS08-026)
CVE-ID: CVE-2008-1434 (MS08-026)
CVE-ID: CVE-2008-0119 (MS08-027)
CVE-ID: CVE-2008-6026 (MS08-028)
CVE-ID: CVE-2008-1437 (MS08-029)
CVE-ID: CVE-2008-1438 (MS08-029)

-- Threat Matrix --
U O
Home User 10 10 (Highly Critical)
Corporate 10 10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 PHP Updates to 5.2.6

The PHP Group released version 5.2.6 of the popular scripting
language earlier this month. While there were more than 100 bugs
fixed with this update, there were several critical security
vulnerabilities patched that make updating essential for any
administrators or users currently using the 5.x branch of PHP (if
you're still stuck using 4.x or earlier you should really consider
updating your installation).

Several memory leaks, buffer overflows, safe mode bypasses, and multi-
byte character handling are amongst the issues addressed by this
update, which is the first one to be released in six months by the
PHP Group. Although there are probably many more security
vulnerabilities yet to be found or patched (just see Stefan Esser's
work, which has been somewhat quiet since the end of last year), the
significant number of bugs patched is a continuing good sign from a
project that has come under fire in the past for having a mixed
approach to the security of their main product.

2.2 Mass Site Hack Proves no Site is Truly Safe

There has been a lot of coverage of a widespread (estimated at more
than half a million sites) set of web server attacks that have been
taking place for a number of weeks using an unfortunately-common SQL
injection opportunity to take control of back end databases, and
sites themselves. So much concern and confusion has surrounded what
is going on that Microsoft's Security Response Center have released a
statement to clarify the nature of the attacks as reported to them.
Although there has been a new IIS vulnerability disclosed in recent
weeks, the attacks are only making use of poor site and database
maintenance practices - using SQL injection to exploit sites.

For site visitors who visit an affected site, JavaScript is used to
try and download / run malware that then targets a number of commonly
used technologies in order to gain full control over the system.

It goes to show that input validation is a critical component of the
security picture for a site and it is a problem that is still not
being properly addressed by many sites, including a lot that should
know better.

If anything else is needed to concern site operators, it is research
from David Litchfield that demonstrates an almost-generic attack
method against Oracle databases.

In one simple set of attacks, previously trustworthy sites can now no
longer be considered trustworthy and it is another blow to services
that tout their ability to mark a site as being 'Hacker Safe' or
otherwise safe for visiting (like SiteAdvisor).

2.3 DefCon Competition has Antivirus Vendors Complaining

DefCon is known for a range of 'out there' type activities and
presentations and it looks like this year is going to be no
different. A contest that is being organised on the sidelines of this
year's convention is already raising eyebrows and complaints from
around the Information Security industry.

In a nutshell, the aim of the contest is to successfully modify
malware samples so that they pass through a number of antivirus
scanners without detection, while still retaining the malware
capability. It could be seen as a polymorphism competition - how much
can you change the code and still retain the same function.

What the contest is seeking to achieve is nothing more than what is
happening continuously on the Internet, where malware developers are
continually fine-tuning their software to best avoid detection. It
should also show up the antivirus tools that are making use of poor
signature detection mechanisms and those that are using weak
heuristics to detect previously unknown malware. The big problem for
the antivirus developers is that it is possible to effectively drive
a truck through the holes in their systems and it isn't going to take
much for competitors to bypass most tools. It will be interesting to
see how the competition organisers set about increasing the
difficulty of each round.

Antivirus developers are complaining about the competition, though
most of the complaints sound like the developers are having a hard
time keeping their technology within spitting distance of the malware
authors. Even with the complaining, it probably won't take long for
the competition samples to appear in definition files and in the
count of malware types being detected. It is strange, though, how
competitions like CTF, or the recent 0-day competition at CanSecWest,
do not attract much complaint, but as soon as antivirus or
antimalware tools are targeted it is too much for people.

It is the latest in a number of interesting competitions where the
practical attack value of what is being done is greater than in other
competitions. This contest ranks up with miniscule-XSS competitions
and archives of XSS / SQL injection vulnerable sites.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.
_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com