Information Armor

New Vulnerabilities

root — Wed, 17 Mar 2010 15:23:06 +0000

Vulnerability in HP Broadcom Integrated NIC Management Firmware
A potential vulnerability has been identified and reported with some HP PCs with Broadcom Integrated NIC Firmware. The vulnerability could be remotely exploited to execute arbitrary code. This vulnerability is reported in 1.x versions prior to 1.40.0.0, and 8.x versions prior to 8.08. This vulnerability references CVE-2010-0104 and CERT VU#512705. Please see the vendor’s advisory for details on affected hardware and a list of impacted machine models. Users are recommended to upgrade to the latest firmware available from the vendor, currently 1.40.0.0 for the 1.x series or 8.08 for the 8.x firmware. HP advisory HPSBGN02511 SSRT100022.

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02048471

http://secunia.com/advisories/39003/

Spamassassin Milter Plugin Remote Root Exploit
An exploit has been published to the mailing list “Full Disclosure” for a 0-day attack against the Spamassassin Milter Plugin. Spamassassin is a popular OpenSource spam filtering system. Successful exploitation results in remote root access to vulnerable systems. A preliminary patch for the flaw has been published to the project site. Mitigation recommendations include not running the milter (mail filter) plugin as root and not using the -x option. Users should implement the mitigations and patch vulnerable systems as soon as possible. Upgrades should be preformed as soon as official updates are made available.

http://isc.sans.org/diary.html?storyid=8434

http://www.securityfocus.com/bid/38578/info

http://seclists.org/fulldisclosure/2010/Mar/140

http://savannah.nongnu.org/bugs/index.php?29136

Microsoft

root — Tue, 09 Mar 2010 22:16:26 +0000

As a reminder, Microsoft is planning to release two security bulletins today, March 9, 2010. Both bulletins carry a maximum severity rating of important and the issues addressed could lead to remote code execution. The first bulletin applies to various versions of Windows XP, Vista and Windows 7 and is rated as important for all affected versions. The second bulletin applies to various Office releases and components for Windows and Mac and is also rated as important for all affected versions.
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx

Bridal Scam

root — Tue, 09 Mar 2010 22:15:27 +0000

We would also like to draw our readers’ attention to interesting media articles on a scam, with something of a twist. The scam involved a purported bridal convention in Boston, which would be held at a convention center, and even claimed part of the profits from the event would be donated to earthquake victims in Haiti. It appears there are many victims of this scam including a significant number of wedding industry vendors and an estimated 5,000 individuals who bought tickets to attend. The scam came to light when an executive from the company who owns the convention center found the Web site promoting the event, which he knew was not booked at the center, and notified authorities. It appears the scam used radio, social networking, tweets, facebook and the scammer’s Web site to promote the event.
http://blogs.findlaw.com/injured/2010/03/bridal-no-show-the-boston-bridal-show-scam.html
http://www.boston.com/news/local/massachusetts/articles/2010/03/02/advertised_bridal_show_a_scam_fbi_police_say/?page=1

Apache HTTP server 2.2.15

root — Tue, 09 Mar 2010 22:14:19 +0000

Apache has released HTTP Server version 2.2.15, which addresses a number of security exposures in prior versions of the HTTP server. Of particular note is the updating of the OpenSSL library to 0.9.8m which addresses the renegotiation issues outlined in CVE-2009-3555. At the time of writing, the links to the complete changelog and downloads for 2.2.15 were not visible on the Apache Web site, however, we urge users to apply this latest vendor update as soon as possible.
http://mail-archives.apache.org/mod_mbox/www-announce/201003.mbox/%3C4B92BC77.8050401@apache.org%3E
http://httpd.apache.org/download.cgi

Proof of concept code exploiting a vulnerability (CVE-2010-0425) in the Apache HTTP server version 2.2.14, mod_isapi, was published to a well known Web site. Notes in the code state that the exploit may need to be run several times to achieve successful spawning of a shell however – a success rate of 70% is reported. Also mentioned in the code is that, if DEP is enabled (Windows platforms) for the Apache process, the result may be a denial of service condition. As CVE-2010-0425 is one of those noted as addressed in the above 2.2.15 release, we again suggest updating as soon as possible.
http://www.exploit-db.com/exploits/11650
http://securityreason.com/wlb_show/WLB-2010030028

Blackhat SEO

root — Tue, 09 Mar 2010 22:13:16 +0000

Recent assessments have discussed many of the Search Engine Optimization (SEO) scams currently in circulation. In a blog post published on Friday, X-Force analysts note how scammers are not only exploiting real news events, but they are also creating their own news to gain profits through affiliate programs. Our researchers warn, “you can’t always trust the hosts that search engines point to.” We encourage our customers to ensure their anti-virus software is up-to-date and to enable blacklisting on browsers that support it, such as the ‘Block reported attack sites’ setting in Firefox.
http://blogs.iss.net/archive/CreatingNewsForBlack.html

Happy Friday!

root — Fri, 26 Feb 2010 15:25:21 +0000

Adobe libtiff exploitation
On Monday, we reported that Secunia had discovered that one of the recent Adobe Reader vulnerabilities was actually related to an old vulnerability in libtiff. Secunia had developed an exploit but kept it private. Now, there are reports that others have succeeded in constructing exploits for this issue as well. We encourage clients to apply the recent Adobe patches as soon as possible.
http://rootkit.tw/blog/?p=34
http://www.adobe.com/support/security/bulletins/apsb10-07.html

Browser vulnerabilities
A proof of concept exploit has been posted for a vulnerability in the iPhone browser. The exploit sends a malformed CSS style tag which causes a denial of service. It’s possible that a remote attacker could execute arbitrary code if the victim is tricked into visiting a malicious website. The same vulnerability is reported to also affect Apple’s Safari browser and Google’s Chrome browser.
http://www.packetstormsecurity.nl/1002-exploits/iphone_crash.py.txt
http://www.packetstormsecurity.nl/1002-exploits/safarichrome-dos.txt

Olympic themed SEO
Last week we highlighted the use of Search Engine Optimization (SEO) techniques where an attacker modifies the optimized search results of search engines to direct users to malicious sites. Currently, many search results for Olympic-themed queries lead to malicious sites. Upcoming events like the St. Patrick’s Day holiday and Spring Break in March may be the next campaigns that are abused. We encourage our customers to be cautious when clicking on links from search results and to visit official Web sites when possible.
http://www.avertlabs.com/research/blog/index.php/2010/02/23/on-olympics-st-patricks-day-screensavers-and-wallpaper/
http://twitter.com/mikkohypponen/status/9628022758

Joke

root — Tue, 23 Feb 2010 18:29:24 +0000

During a recent password audit at a company, it was found that a receptionist was using the following password:
“MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento”

When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital…

Top Tips for Twenty Ten

root — Wed, 17 Feb 2010 16:52:58 +0000

Rules of Social Networking

Pay attention to what you post and upload. Social networking is public.

Consider images, videos, and information you publish
You shouldn’t publish your address, date of birth, etc.
Use a nick-name that only your friends know.

Choose your friends with care.

Do not accept friend requests from people you do not know
Verify all your contacts

Protect your work and environment and avoid reputation risk

When joining a social networking site use your personal e-mail address
Be careful how you portray your company online
Do not mix your business contacts with your friend contacts

Protect your mobile phone and the information saved on it from any physical intrusion

Do not let anyone see your profile or personal information without consent
Do not leave your phone unattended
Do not save your passwords on your mobile phone
Use the security features available on your mobile phone

Turn off Location Aware Services

Twitter, Google Buzz, Foursquare and new Smart-phones will publish your location when you post an announcement. Letting the entire world know you aren’t home. See the website http://pleaserobme.com/
Instead of using a GPS to mark your home location, have your GPS set home to a familiar landmark near your home, such as a corner store. If a thief breaks into your car, not only do they know you aren’t home, but they will have access to your garage door opener and turn by turn directions to your front door.

When Planning Vacation

Do not post dates and times you will be away, rather write posts as a journal of events that have happened so it’s a surprise that you were gone for a period of time.

Microsoft MS10-015 BSOD Issue

root — Tue, 16 Feb 2010 16:19:28 +0000

Microsoft has acknowledged that there is an issue when applying the update related to advisory MS10-015 on systems that are infected with certain malware strains including one called “Tidserv”. These infected systems have a high likelihood of becoming unbootable displaying a PAGE_FAULT “Blue Screen of Death” (BSOD) error. Microsoft has issued directions on how to resolve this issue and has temporarily removed this update from the Windows Update Service until a complete investigation can be done.
http://www.symantec.com/connect/blogs/tidserv-and-ms10-015
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1
http://blogs.zdnet.com/microsoft/?p=5250
http://blogs.technet.com/msrc/archive/2010/02/12/update-restart-issues-after-installing-ms10-015.aspx

Anti-Phishing Procedure for Email

root — Tue, 16 Feb 2010 16:16:55 +0000

I saw something like this on the Internet and I do want to give credit to where credit is due, but I cannot remember where I found this. We have recreated it for businesses.

Please see the following flowchart for procedures on anti-phishing for email.