Security Updates 20100622
Opera 10.54 Released for Windows
The web browser Opera has released an update to address multiple security issues when used on Windows platforms. There are five listed security fixes, four of which have no details given. We advise customers that use this web browser to update as soon as possible.
Apple Quietly Includes Anti-Malware in Latest OS X Update
While Apple products have had a reputation for eluding malware and virus threats, time might be catching up with them. Apple quietly added some anti-malware functionality to the latest update for Mac OS X 10.6.4. This is a proactive move by Apple to help maintain its reputation for being safe from malware.
- http://www.notebooks.com/2010/06/21/apple-alters-mac-os-x-malware-protection/
- http://www.sophos.com/blogs/gc/g/2010/06/18/apple-secretly-updates-mac-malware-protection/
- http://www.9to5mac.com/apples_secret_security_patch
Week In Review for June 14 – June 20, 2010
AlertCon Lowered For MS Windows Help Alert
The Threat Level, raised to AlertCon 2 to draw awareness to the Microsoft Windows Help Center Protocol Handler vulnerability, has been lowered to AlertCon 1. Although exploitation continues, our analysts are seeing minimal traffic associated with that vulnerability. We assert that vigilance should be maintained and advise continued monitoring for attacks that exploit this weakness.
- http://xforce.iss.net/XpuDetails.do?xpu=75&ver=XPU%2030.061
- http://www.iss.net/security_center/reference/vuln/HTML_MS_HelpCenter_CMD_Exec.htm
- http://www.sophos.com/blogs/sophoslabs/?p=10045
- http://www.sophos.com/blogs/gc/g/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/
- http://www.microsoft.com/technet/security/advisory/2219475.mspx
- http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
- http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx
- http://seclists.org/fulldisclosure/2010/Jun/205
- https://www.metasploit.com/redmine/projects/framework/repository/revisions/9483/entry/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb
Sophisticated Flash Player Attack in Circulation
IBM X-Force has received a report of a sophisticated attack occurring in the wild targeting a vulnerability in Flash Player (CVE-2010-1297). This issue was disclosed earlier this month, and the current attack involves placing a specially crafted Flash file within a PDF file. The IBM signature PDF_Swf_Detected is detecting this attack. As a conservative measure, customers may want to set this signature to blocking. While this change may also block legitimate traffic, this type of traffic (a Flash file embedded in a PDF file) is not commonly seen.
Apple iTunes 9.2 Released, Addresses Several Security Issues
Apple has released iTunes 9.2 in preparation for the release of iPhone 4 next week. This release also addresses three security issues, all of which have the potential to be exploited to allow arbitrary code execution. This update is available through Apple’s website or through the update tool provided in iTunes itself.
Remote Root Level Vulnerability Found in Samba
The Samba team has announced a new memory corruption vulnerability that allows remote root level access. This only impacts older versions of Samba (versions 3.0.x – 3.3.12); versions 3.4.0 and higher are not vulnerable. We advise customers using Samba to verify which version(s) are in production and update accordingly.
http://www.samba.org/samba/security/CVE-2010-2063
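The advisory asks administrators to verify which Samba versions are in production. The following is an added example (not part of the original post or of the Samba project) that classifies captured `smbd -V` output from several hosts against the affected range stated above (3.0.x through 3.3.12 vulnerable, 3.4.0 and later not affected); the host names and version strings are constructed sample data.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the advisory summary above:
# 3.0.x through 3.3.12 are vulnerable; 3.4.0 and later are not.
# 3.3.13 is therefore the first 3.3 release outside the affected range.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 3, 12)

# `smbd -V` prints a line such as "Version 3.3.10". Distribution builds often
# append a package suffix ("3.0.33-3.29.el5"); only the first three fields matter.
VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)")


def parse_smbd_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `smbd -V` output, or None if absent."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: Optional[Tuple[int, int, int]]) -> str:
    """Place a parsed version relative to the advisory's affected range."""
    if version is None:
        return "unknown"          # no smbd, or unparseable output: inspect manually
    if version < AFFECTED_MIN:
        return "out-of-scope"     # older than the range the advisory discusses
    if version <= AFFECTED_MAX:
        return "vulnerable"       # 3.0.0 .. 3.3.12 inclusive
    return "not-affected"         # 3.3.13+ and the 3.4 series


def audit(inventory: dict) -> dict:
    """Map each host to a verdict, given the `smbd -V` output captured from it."""
    return {host: classify(parse_smbd_version(out)) for host, out in inventory.items()}


# Constructed sample: what `smbd -V` returned on a handful of hypothetical hosts.
SAMPLE_INVENTORY = {
    "fileserver1": "Version 3.0.33-3.29.el5",
    "fileserver2": "Version 3.3.12",
    "fileserver3": "Version 3.3.13",
    "fileserver4": "Version 3.4.8",
    "nas1": "sh: smbd: command not found",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {verdict}")
```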
New IBM XPU Addresses Latest MS Vulnerability (CVE-2010-1885)
IBM has released an XPU and a Protection Alert to address the Microsoft Windows Help Center vulnerability that currently has the AlertCon raised to Level 2. Due to the ease of exploitability, we urge customers to upgrade to this XPU as soon as possible to detect this latest threat.
- https://portal.mss.iss.net/mss/xftas/alertAdvisory/details.mss?alertAdvisoryId=3407
- http://xforce.iss.net/XpuDetails.do?xpu=75&ver=XPU%2030.061
- http://www.iss.net/security_center/reference/vuln/HTML_MS_HelpCenter_CMD_Exec.htm
Writeups on Facebook Password Reset Spam
Spammers are starting to leverage the pervasiveness of social networking and social media forums. There have been several writeups on spam in the form of e-mails that appear to come from Facebook, notifying users that they must reset their passwords. Links in these e-mails often lead to malware in various forms. The best defense is user education and the use of up-to-date anti-virus/anti-malware software.
- http://www.sophos.com/blogs/gc/g/2010/06/15/reset-facebook-password-spam-promotes-pharmacy-websites/
- http://www.zdnet.com/blog/security/facebook-password-reset-spam-is-bredolab-botnet-attack/4724
- http://www.pcworld.com/businesscenter/article/191847/facebook_users_targeted_in_massive_spam_run.html
Apple Releases Security Update Bundle for Mac OS X 10.6
Apple has released a security update for Mac OS X 10.6 that addresses 23 separate vulnerabilities, many of which allow remote code execution. This update is available through the Apple Downloads site or through the Software Update tool. PLEASE NOTE: This update includes an older version of Adobe’s Flash Player that has known security vulnerabilities. If users have already upgraded to the latest version, the older version will not be installed. We encourage customers running on this platform to apply these updates and verify their version of Adobe Flash Player as soon as possible.
http://support.apple.com/kb/HT4188
http://support.apple.com/downloads/
http://blogs.adobe.com/psirt/2010/06/apple_security_update_2010-004.html
PHP 0day Vulnerability
A presentation at the SyScan conference has made public a PHP vulnerability that allows remote attackers to execute arbitrary code via the unserialization of user-supplied input. Few details are currently available outside of the conference presentation. The PHP vulnerability is currently unpatched. We will continue investigating and provide more information as it becomes available.
http://twitter.com/i0n1c/status/16447867829
https://bugzilla.redhat.com/show_bug.cgi?id=605641
US Supreme Court Rules on Employer/Employee Privacy Case
In a case where a local police department searched an employee’s text messages, the court ruled that the employee’s work-provided phone and the data associated with it did not carry an expectation of privacy. The unanimous ruling provides some clarity on the issue of privacy in the workplace with regard to electronic communications. We advise customers to review their corporate policies with legal counsel to verify that their privacy statements are current with this ruling.
http://www.latimes.com/news/nationworld/nation/la-na-court-worker-texting-20100618,0,7772406.story
http://www.infolawgroup.com/2010/06/articles/workplace-privacy/quon-us-supreme-court-rules-against-privacy-on-employerissued-devices/
Patch Tuesday for Microsoft
Microsoft’s June Security Advance Notification
Microsoft is planning to release ten bulletins addressing 34 vulnerabilities on Tuesday, June 8th. The bulletins are rated as follows: 3 “Critical” and 7 “Important”. The affected software includes: Windows, Microsoft Office, and Internet Explorer. Additionally, Microsoft plans to address the issues highlighted in Security Advisories 983438 and 980088. We encourage our customers to review the vendor’s Advance Notification and associated blog post.
http://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx
http://blogs.technet.com/b/msrc/archive/2010/06/03/june-2010-security-bulletin-advance-notification.aspx
Mobile Malware
Reports have surfaced this week indicating that Samsung’s S8500 Wave handsets were shipped with a malware-infected microSD card. Reportedly, some German models of this device are affected. Once the device is connected to a computer, it automatically installs a Trojan using a file called “slmvsrv.exe.”
While this is an example of a mobile device being shipped with malware, there are ways that attackers can utilize different functionality to distribute their malware. For instance, the Multimedia Message Service (MMS) can be used as a vector for sending malware to unsuspecting victims. Many mobile phones and PDAs available today are capable of communicating via Bluetooth, a protocol designed for short range communication between electronic devices. Simple social engineering attacks have effectively convinced Bluetooth users to pair their devices with complete strangers, giving them unrestricted access to data on the victim’s phone. Additionally, many modern mobile phones and PDAs now run robust, feature-rich operating systems and offer the same or similar applications as PCs. Individuals increasingly use them to store personal data and conduct financial transactions which gives attackers more incentive to find and exploit vulnerabilities in the software.
Several major security vendors now provide security applications and anti-virus software for mobile users. Cellular service providers also offer some protection to their customers automatically by scanning for specific types of malicious code as data traverses the network. Bluetooth should be disabled while not in use and should never respond to unsolicited connection attempts. Although the level of mobile attacks is currently relatively low, it is still important for organizations to be aware of the potential threat.
http://www.engadget.com/2010/06/02/samsung-wave-shipping-with-infected-microsd-card/
http://www.f-secure.com/weblog/archives/00001959.html
The Internet
A New Phishing Attack
We were intrigued when looking at the demo of what has been dubbed ‘tabnabbing’, a new type of phishing attack discovered by Aza Raskin from Mozilla. Unlike the more common phishing attacks, which generally lure victims directly to the malicious phishing page through e-mails and links, this attack can load a malicious phishing page in the background while the user is browsing another tab. For example, a user could be enticed to visit what is apparently a normal web page, not a phishing page. When the user’s browser is interrogated, a phishing page for a service the user has actually visited could be opened. However, this would happen in the background; a user may not notice at all and might unwittingly enter details into the malicious page. How this works is probably best explained by the proof-of-concept page provided by Raskin, which is currently no longer publicly available. Another demonstration page created by Aviv Raff, based on a mockup of the Brian Krebs blog article on tabnabbing, is also available (see links below).
The issue appears to affect all major browsers, though results vary between browsers and operating systems. The remediation for this issue would be to completely disable JavaScript in the browser. The Raff demo is notable in that it can work against Firefox even with the popular NoScript add-on installed. We suggest readers familiarize themselves with this issue.
http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/
http://avivraff.com/research/phish/article.php?406707075
Wardriving and Open Wireless Networks
Stories about the number of unprotected wireless networks used to be commonplace, but it has been some years now since WPA and then WPA2 became prevalent. WPA2 is relatively easy to set up and provides a good level of encryption and authentication. So, we were somewhat surprised to read the results of a wardriving exercise conducted by the state police in various regional centers across Queensland, Australia. The results have led the police to estimate that some fifty percent of the wireless internet connections in Queensland have no or minimal security settings enabled, have no password, or still use the default password on their wireless device. Perhaps more disturbing is a comment from Detective Superintendent Brian Hay of the Queensland state police: “We know that the crooks are out there, scanning the environment and identifying these vulnerable networks, plotting them and then selling the information.”
Open wireless systems present many dangers. While we expect the results of the wardriving exercise to reflect largely domestic wireless systems, these same systems may well be used by corporate employees when working from home. Although we would expect most remote access systems to be encrypted or to use a VPN, corporate resources or information might still be exposed. We suggest that, at the business level, staff are made aware of the dangers of using open wireless systems, and we urge all people who have wireless access points in their homes or businesses to verify that their systems are configured to operate in a secure manner.
http://www.couriermail.com.au/news/technology/half-of-wireless-networks-unsecured-in-queensland/story-e6frep1o-1225870268562
April Patches and Updates
1. Denial of Service Conditions in Microsoft Exchange and Microsoft SMTP Service (MS10-024 CVE-2010-0024)
Microsoft Windows SMTP Service and Microsoft Exchange are vulnerable to a denial of service, caused by the improper handling of DNS Mail Exchanger (MX) resource records by the Simple Mail Transfer Protocol component. As SMTP services are often exposed to the Internet and email is usually considered a business critical function, the business impact of this vulnerability is more significant than for typical Denial of Service issues.
http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx
2. Microsoft DirectShow Remote Code Execution (MS10-026 CVE-2010-0480)
Microsoft Windows is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MPEG Layer-3 audio codecs when handling malicious files. The vulnerable component is the MPEG Layer-3 Audio Codec for Microsoft DirectShow. Successful exploitation of this issue would provide an attacker with complete control over the targeted endpoint. Malicious media files such as images and movies have been a prevalent attack vector in recent years.
http://www.microsoft.com/technet/security/bulletin/MS10-026.mspx
Adobe Reader and Acrobat Security Update
Adobe has addressed multiple critical vulnerabilities affecting Adobe Reader 9.3.1 (and earlier versions) for Windows, Macintosh, and UNIX, Adobe Acrobat 9.3.1 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.1 (and earlier versions) and Adobe Acrobat 8.2.1 (and earlier versions) for Windows and Macintosh. The most severe of these issues could allow a remote attacker to execute arbitrary code on a vulnerable system. Refer to the “Solution” section of the Adobe Security Bulletin for information on remediating these issues.
http://www.adobe.com/support/security/bulletins/apsb10-09.html
Microsoft April 2010 Security Release
Microsoft released eleven security bulletins today. There are five rated Critical, five rated Important and one rated Moderate. We encourage our customers to apply the patches and IBM product coverage where applicable. Please review the breakdown below.
http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspx
Microsoft Maximum Severity Rating: Critical
Microsoft Security Bulletin MS10-019: Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
Vulnerabilities in Windows Authenticode Verification could allow a remote attacker to execute arbitrary code on a vulnerable system.
CVE-2010-0486
CVE-2010-0487
http://www.microsoft.com/technet/security/bulletin/ms10-019.mspx
Microsoft Security Bulletin MS10-020: Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
Multiple vulnerabilities affecting Microsoft Windows could allow remote code execution. Successful exploitation can occur if an attacker can convince a user to initiate an SMB connection to a specially crafted SMB server.
CVE-2009-3676
CVE-2010-0269
CVE-2010-0270
CVE-2010-0476
CVE-2010-0477
http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx
Microsoft Security Bulletin MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
A remote code execution vulnerability affects Windows Media Services running on Microsoft Windows 2000 Server. The Windows Media Unicast Service fails to properly handle specially crafted transport information packets. On Microsoft Windows 2000 Server Service Pack 4, Windows Media Services is an optional component and is not installed by default.
CVE-2010-0478
http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx
Microsoft Security Bulletin MS10-026: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
See item 2, Microsoft DirectShow Remote Code Execution (MS10-026, CVE-2010-0480), above.
http://www.microsoft.com/technet/security/bulletin/ms10-026.mspx
Microsoft Security Bulletin MS10-027: Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
The Windows Media Player ActiveX control is affected by a remote code execution vulnerability.
CVE-2010-0268
http://www.microsoft.com/technet/security/bulletin/ms10-027.mspx
Microsoft Maximum Severity Rating: Important
Microsoft Security Bulletin MS10-021: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
This bulletin addresses two vulnerabilities in Microsoft Windows, the most severe of which could allow elevation of privilege. In order to exploit these vulnerabilities, an attacker must have valid logon credentials and be able to log on locally.
CVE-2010-0236
CVE-2010-0237
http://www.microsoft.com/technet/security/bulletin/ms10-021.mspx
Microsoft Security Bulletin MS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
A vulnerability affecting VBScript on Microsoft Windows could allow remote code execution. This vulnerability requires user interaction and cannot be exploited on Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.
CVE-2010-0483
http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx
Microsoft Security Bulletin MS10-023: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
Microsoft Office Publisher is vulnerable to a remote code execution issue. An attacker could exploit this issue by creating a specially crafted Publisher file and sending it in an email or hosting it on a Web site.
CVE-2010-0479; IBM Product Coverage: CompoundFile_Shellcode_Detected
http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx
Microsoft Security Bulletin MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
See item 1, Denial of Service Conditions in Microsoft Exchange and Microsoft SMTP Service (MS10-024, CVE-2010-0024), above.
http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx
Microsoft Security Bulletin MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
Vulnerabilities in Microsoft Office Visio could allow remote code execution if a user opens a specially crafted Visio file.
CVE-2010-0254; IBM Product Coverage: CompoundFile_Shellcode_Detected
CVE-2010-0256; IBM Product Coverage: CompoundFile_Shellcode_Detected
http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx
Microsoft Maximum Severity Rating: Moderate
Microsoft Security Bulletin MS10-029: Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338)
A spoofing vulnerability exists in the Microsoft Windows IPv6 stack which could allow an attacker to impersonate an address to bypass edge or host firewalls.
CVE-2010-0812
http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx
Microsoft Internet Explorer Vulnerability
New Exploit Code for Microsoft Internet Explorer Vulnerability
Exploit code has surfaced for one of the vulnerabilities in MS10-018, the out-of-cycle bulletin released by Microsoft on March 30. This bulletin addresses multiple vulnerabilities in Internet Explorer, including a 0-day vulnerability that was being exploited earlier this month. The most recently released exploit code targets a different vulnerability covered by this same update. Customers that have not done so already should apply this cumulative update.
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx
New Vulnerabilities
Vulnerability in HP Broadcom Integrated NIC Management Firmware
A potential vulnerability has been identified and reported in some HP PCs with Broadcom Integrated NIC firmware. The vulnerability could be remotely exploited to execute arbitrary code. This vulnerability is reported in 1.x versions prior to 1.40.0.0 and 8.x versions prior to 8.08. It is tracked as CVE-2010-0104 and CERT VU#512705. Please see the vendor’s advisory for details on affected hardware and a list of impacted machine models. Users are recommended to upgrade to the latest firmware available from the vendor, currently 1.40.0.0 for the 1.x series or 8.08 for the 8.x firmware. The HP advisory is HPSBGN02511 / SSRT100022.
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02048471
http://secunia.com/advisories/39003/
SpamAssassin Milter Plugin Remote Root Exploit
An exploit has been published to the “Full Disclosure” mailing list for a 0-day attack against the SpamAssassin Milter Plugin. SpamAssassin is a popular open-source spam filtering system. Successful exploitation results in remote root access to vulnerable systems. A preliminary patch for the flaw has been published to the project site. Mitigation recommendations include not running the milter (mail filter) plugin as root and not using the -x option. Users should implement the mitigations and patch vulnerable systems as soon as possible. Upgrades should be performed as soon as official updates are made available.
http://isc.sans.org/diary.html?storyid=8434
http://www.securityfocus.com/bid/38578/info
http://seclists.org/fulldisclosure/2010/Mar/140
http://savannah.nongnu.org/bugs/index.php?29136
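The two mitigations above (do not run the milter as root, do not use -x) can be checked against a process listing. The following is an added example, not part of the original post or of the spamass-milter project, that scans `ps -eo user,pid,args` style output for spamass-milter processes violating either mitigation; the process lines are constructed sample data.

```python
import shlex
from typing import List, Tuple

# Constructed sample of `ps -eo user,pid,args` output (not from a real system).
SAMPLE_PS = """\
USER       PID COMMAND
root      1234 /usr/sbin/spamass-milter -p /var/run/spamass-milter.sock -x -f
spamass   1240 /usr/sbin/spamass-milter -p /var/run/spamass.sock -f
root      1300 /usr/sbin/sendmail -bd -q30m
spamass   1350 /usr/bin/perl /usr/sbin/spamd -d --max-children 5
"""


def audit_ps_output(ps_text: str) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for spamass-milter processes that run as
    root or were started with the -x option named in the advisory's mitigations."""
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)          # USER, PID, remaining command line
        if len(parts) < 3:
            continue
        user, pid, cmdline = parts
        if not pid.isdigit():
            continue                          # skips the header line
        argv = shlex.split(cmdline)
        if not argv:
            continue
        # Match on the executable name only, so wrappers and paths do not matter.
        if argv[0].rsplit("/", 1)[-1] != "spamass-milter":
            continue
        if user == "root":
            findings.append((int(pid), "spamass-milter runs as root"))
        if "-x" in argv[1:]:
            findings.append((int(pid), "spamass-milter started with -x"))
    return findings


if __name__ == "__main__":
    for pid, finding in audit_ps_output(SAMPLE_PS):
        print(f"pid {pid}: {finding}")
```

On a live host, feed the function the output of `ps -eo user,pid,args` instead of the constructed sample.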
Microsoft
As a reminder, Microsoft is planning to release two security bulletins today, March 9, 2010. Both bulletins carry a maximum severity rating of important and the issues addressed could lead to remote code execution. The first bulletin applies to various versions of Windows XP, Vista and Windows 7 and is rated as important for all affected versions. The second bulletin applies to various Office releases and components for Windows and Mac and is also rated as important for all affected versions.
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx
Bridal Scam
We would also like to draw our readers’ attention to interesting media articles on a scam with something of a twist. The scam involved a purported bridal convention in Boston, to be held at a convention center, and even claimed that part of the profits from the event would be donated to earthquake victims in Haiti. It appears there are many victims of this scam, including a significant number of wedding industry vendors and an estimated 5,000 individuals who bought tickets to attend. The scam came to light when an executive from the company that owns the convention center found the Web site promoting the event, which he knew was not booked at the center, and notified authorities. It appears the scam used radio, social networking, tweets, Facebook and the scammer’s Web site to promote the event.
http://blogs.findlaw.com/injured/2010/03/bridal-no-show-the-boston-bridal-show-scam.html
http://www.boston.com/news/local/massachusetts/articles/2010/03/02/advertised_bridal_show_a_scam_fbi_police_say/?page=1
Apache HTTP server 2.2.15
Apache has released HTTP Server version 2.2.15, which addresses a number of security exposures in prior versions of the HTTP server. Of particular note is the update of the bundled OpenSSL library to 0.9.8m, which addresses the TLS renegotiation issue outlined in CVE-2009-3555. At the time of writing, the links to the complete changelog and downloads for 2.2.15 were not visible on the Apache Web site; however, we urge users to apply this latest vendor update as soon as possible.
http://mail-archives.apache.org/mod_mbox/www-announce/201003.mbox/%3C4B92BC77.8050401@apache.org%3E
http://httpd.apache.org/download.cgi
Proof-of-concept code exploiting a vulnerability (CVE-2010-0425) in mod_isapi of the Apache HTTP server version 2.2.14 was published to a well-known Web site. Notes in the code state that the exploit may need to be run several times to spawn a shell successfully; a success rate of 70% is reported. Also mentioned in the code is that, if DEP is enabled (Windows platforms) for the Apache process, the result may be a denial of service condition. As CVE-2010-0425 is one of the issues noted as addressed in the 2.2.15 release above, we again suggest updating as soon as possible.
http://www.exploit-db.com/exploits/11650
http://securityreason.com/wlb_show/WLB-2010030028
Blackhat SEO
Recent assessments have discussed many of the Search Engine Optimization (SEO) scams currently in circulation. In a blog post published on Friday, X-Force analysts note how scammers are not only exploiting real news events, but they are also creating their own news to gain profits through affiliate programs. Our researchers warn, “you can’t always trust the hosts that search engines point to.” We encourage our customers to ensure their anti-virus software is up-to-date and to enable blacklisting on browsers that support it, such as the ‘Block reported attack sites’ setting in Firefox.
http://blogs.iss.net/archive/CreatingNewsForBlack.html
