Oracle Critical Patches for July 2008

Oracle has released their set of critical patches for July 2008. These fix multiple issues across several product lines. Potential impact against unpatched systems include remote system access (as root), privilege escalation, Denial of Service issues and information leakage. If you are running any of the following products you should visit Oracle’s advisory and begin the patching process.

Affected products:

    BEA WebLogic Express 7.x thru 10.x
    BEA WebLogic Server 6.x thru 10.x
    Oracle Application Server 10g
    Oracle Database 10.x and 11.x
    Oracle E-Business Suite 11i and 12.x
    Oracle Enterprise Manager 10.x
    Oracle Hyperion Business Intelligence Plus 9.x
    Oracle Hyperion Performance Suite 8.x
    Oracle PeopleSoft Enterprise Customer Relationship Management (CRM) 9.x
    Oracle PeopleSoft Enterprise Tools 8.x
    Oracle Times-Ten In-Memory Database 7.x
    Oracle9i Application Server
    Oracle9i Database Enterprise Edition and Database Standard Edition

Original Advisory:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Sun Java System Access Manager XSLT/XML Vulnerabilities

A remote user may be able to execute arbitrary code in the context of the Access Manager application. The use would need to create an XML signature that would be viewed locally with the Access Manager. The privileges of the Access manager would be the same as web container application that it is run from. This could result in access to the hosting system.

The original advisory is available at: http://sunsolve.sun.com/search/document.do?assetkey=1-66-201538-1

Expect More Worms

The team at PandaLabs has discovered an application that converts any given executable into a worm. Apparently originating in Spain the tool allows a user to wrap any executable in worm code using a simple GUI interface. There are options for enabling Mutex, UPX compression, and disabling various operating system components. We will continue to see these types of tools lower the technical threshold of attackers and increase the number of malicious agents increase in the wild.

Security practitioners need to continue to assist their clients in developing defense in depth strategies that will reduce risk and exposure to these threats. Key elements to address would be identifying key at risk assests, moving towards enclave computing and adding more rigorous security testing of Internet facing applications (slowing their deployment if necessary). The need for security awareness training that is both engaging and current will continue to increase.

For more details on the tool itself you can visit:  http://pandalabs.pandasecurity.com/archive/T2W-_2D002D003E00_-Trojan-to-Worm.aspx

Microsoft Patch Tuesday details

MS08-030
Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)
Performing a large number of SDP requests could allow for code execution.

MS08-031
Cumulative Security Update for Internet Explorer (950759)
Vulnerabilities in MSIE allow code execution and cross domain information leaks.
Should be patched immediately as details on exploiting are publically available.
Rated:Critical
Replaces MS08-024.

MS08-032
Cumulative Security Update of ActiveX Kill Bits (950760)
A vulnerability in the Speech API could allows for remote execution in the context of the user viewing a specially crafted webpage. Speech recognition must be enabled.
Rated: Moderate
Replaces MS08-023.

MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
Input validation vulnerabilities may allow code execution via DirectX.
Rated: Critical
Replaces MS07-064.

MS08-034
Vulnerability in WINS Could Allow Elevation of Privilege (948745)
A privilege escalation vulnerability in WINS could allows an attacker to compromise a vulnerable system.
Rated: Important
Replaces MS04-045.

MS08-035
Vulnerability in Active Directory Could Allow Denial of Service (953235)
Input validation failure in the LDAP can lead to a Denial of Service.
Rated: Important
Replaces MS08-003.

MS08-036
Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)
Input validation vulnerabilities in PGM packets can be leveraged to cause a Denial of Service.

Rated:Important

Replaces MS06-052.

Apple Releases Security Update

If you’re running an OS X version below 10.5.3 it is time to upgrade or install security update 2008-003.
This update fixes multiple issues that could result in system access, security bypass and privilege escalation, DoS, Cross Site scripting and a number of information exposure issues.

The original advisory is available at: http://support.apple.com/kb/HT1897

Lotus Domino Cross Site Scripting and Buffer Overflows

At least two injection attack vectors have been discovered in IBM’s Lotus Domino Web Servers versions 6.x, 7.x and 8.x. These can lead to a stack based buffer overflow which may allow remote code execution and Cross Site Scripting attacks that can allow the execution of arbitrary HTML and script code. We recommend that you update your web servers as is appropriate.

The original advisories can be viewed at:
http://www-1.ibm.com/support/docview.wss?uid=swg21303057

and

http://www-1.ibm.com/support/docview.wss?uid=swg21303296

Code Execution Exploit for Internet Explorer 7.0/8.0b

Internet Explorer has been found to be vulnerable to a cross-zone scripting when a user prints an HTML page and the browser is using its “Print Table of Links” options. The vulnerability exists because printing takes place in the local zone not the Internet zone. Any links within the page are not validated allowing for malicious code to be injected and run. The solution is simply to print without the “Print Table of Links” option. The original advisory can be read at: http://aviv.raffon.net/2008/05/14/InternetExplorerQuotPrintTableOfLinksquotCrossZoneScriptingVulnerability.aspx

Mass Injection Attacks

Reports of a mass file injection attack were seen over the weekend. Upwards of 400,000 sites seem to have been affected so far by URLs that download a file that seems to be related to the Zlob trojan. Most of these sites seem to be running phpBB forum software. If you have the capability you may want to examine egress logs and/or blacklist the two URLs that are currently known to be distributors. Those URLs are:

hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js