Apple Releases Security Update

If you’re running an OS X version below 10.5.3 it is time to upgrade or install security update 2008-003.
This update fixes multiple issues that could result in system access, security bypass and privilege escalation, DoS, Cross Site scripting and a number of information exposure issues.

The original advisory is available at: http://support.apple.com/kb/HT1897

Snort Issues In Case You Missed Them and Malicious SWF

In case you missed it last week, Snort seems to be suffering from a problem with odd TTL values, which could allow an attack to get by Snort without detection. 2.8.1 has been released and includes the fix for the issue. Users of Snort should upgrade as soon as possible or apply the following workaround until they can update:

/From iDefense/

In the snort.conf file, set the ttl_limit configuration value to 255 as shown below.

preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value, and prevent fragments from being dropped.

/End iDefense Content/

Also, SANS is talking about malicious SWF files that have been found online. Looks like they are using some encoded images that can cause some issues with what may be a previously known flash player vulnerability. Advise your users to be wary of flash enabled sites that they would consider “untrusted”. Of course, your milage may vary with this one, but at least awareness might help….

Lastly, as refresher, if you are a Notes/Domino user, it might be a good idea to check out patches that have been released lately. There have been a number of issues in the last few weeks and we are seeing an increase in Domino fingerprinting on some of our non-US HoneyPoints. Looks like quick scans for names.nsf and a couple of other common Notes files. So far though, we have not seen any attacker activity out of the norm, but it may be the precursor to an attack or other activity. Just an FYI…

What is “Defensive Fuzzing”?

Since the release of HornetPoints with the newest version of HoneyPoint Security Server, I have been getting a lot of mail asking about “defensive fuzzing”. I thought I would take a moment and talk a little bit about it and explain a bit about its uses.

Defensive fuzzing is a patent-pending approach to network, system and application defense. It is based on the idea of using techniques from “fuzz testing”, but applying them against incoming connections in a defensive manner rather than as a test mechanism for known software. The idea is that attacker tools and malware probably fail to meet established best practices for software development and thus, are likely to have issues with unexpected input just as normal professionally developed software does. Further, “defensive fuzzing” lends itself to using fuzzing techniques as a protective mechanism to cause attacker tools, malware and other illicit code to abnormally terminate. Basically, by fuzzing incoming connections to a HornetPoint (which should have no real world use, thus all incoming connections are illicit) we can terminate scans, probes, exploits, worms, etc. and reduce the risk that our organization (and other organizations) face from these attacks.

For those of you who might not be familiar with fuzzing, you can read more about the basics of it here. However, keep in mind, that defensive fuzzing applies these techniques in new ways and for a protective purpose rather than a software testing process.

HornetPoints simply embody this process. They can be configured to fuzz many types of existing connections, emulating varying protocols and applications. For example, targeting spam and relay scanners can be done by implementing the SMTP HornetPoint. It listens on the SMTP port and appears to be a valid email relay. Instead, however, it not only captures the source and traffic from the spammers, but also fuzzes the connection as the spam is sent, attempting to terminate the spammer scanning tool, bot-net client or other form of malware that is generating the traffic. Obviously, success rates vary, but our testing has shown the process to be quite effective against a number of tools and code bases used by attackers today.

That is just one example and many more are possible. For more information about defensive fuzzing or HornetPoints, please leave us a comment or contact us. We would be happy to discuss this evolution in security with you!

Lotus Domino Cross Site Scripting and Buffer Overflows

At least two injection attack vectors have been discovered in IBM’s Lotus Domino Web Servers versions 6.x, 7.x and 8.x. These can lead to a stack based buffer overflow which may allow remote code execution and Cross Site Scripting attacks that can allow the execution of arbitrary HTML and script code. We recommend that you update your web servers as is appropriate.

The original advisories can be viewed at:
http://www-1.ibm.com/support/docview.wss?uid=swg21303057

and

http://www-1.ibm.com/support/docview.wss?uid=swg21303296

CA BrightStor Vulnerabilities

CA BrightStor has been found to contain several vulnerabilities. The issues identified are buffer overflows and directory traversal vulnerabilities. Both vulnerabilities exist in ARCServer Backup versions 11.0, 11.1, and 11.5. The buffer overflows exist in the xdr functions in the ARCServer server. The directory traversal could potentially also be used to execute code by writing to a startup or configuration file. CA has released updates for these issues, and they should be tested and deployed as soon as possible.

HoneyPoint Security Server Creates Proactive Protection

Columbus, Ohio; May 19, 2008 – MicroSolved, Inc. is pleased to announce the general availability of HoneyPoint™ Security Server version 2.50.

This latest release of their best-of-breed corporate honeypot product expands its capabilities to include new types of bleeding-edge protection in the form of HornetPoints and HoneyPoint Trojans. HornetPoints introduce a pioneering and patent-pending approach called “defensive fuzzing” that identifies and stops attacker activity in its earliest stage of reconnaissance, in some cases, literally eliminating bot-net and zero-day attacks before they have a chance to begin and propagate. HoneyPoint Trojans, modeled after the counter-intelligence efforts of nation states, enables organizations to create pockets of “dis-information” that, once touched, create a forensic tracking capability that follows it’s movement inside the network or out. Imagine the ability to literally turn the tables on attackers as you follow how this data is spread and used as it moves around the world.

“The addition of HornetPoints to the product really takes things to a new level. For the first time, organizations can proactively create protection that is robust, effective and capable of automatically defending them against many forms of attack.”, declared Brent Huston, CEO of MicroSolved. “Add the HoneyPoint Trojans to that mix and you finally have organizations that are capable of removing the layers of confidentiality, integrity and availability from attackers. Used properly and creatively, the product lends itself well to the creation of a corporate counter intelligence program.”, Huston added.

“Any organization that wants to improve their traditional security approach from a  “defense-only” posture to a new and pro-active mode of protection, simply must have a look at HoneyPoint. I don’t care how many layers of defense you have… it’s time to play some offense.”, said Allan Bergen, Business Development Director of MicroSolved.

For details on obtaining the 2.50 upgrades and/or to discuss the product or its new features, please contact a MicroSolved account executive. For more information, please visit www.microsolved.com/honeypoint

About MicroSolved, Inc.

MicroSolved, Inc. was founded in 1992, making it one of the most experienced information security services companies in the world. Providing risk assessment, ethical hacking, penetration testing and security intelligence to organizations of all sizes has been their passion for more than a decade. Today, they secure businesses on a global scale and still provide expertise close to home. From governments to the Fortune 500 and from small business to your business, they are the security experts you can trust.

Press Contacts

Brent Huston
CEO & Security Evangelist
(614) 351-1237 x201
Info@microsolved.com

Allan Bergen
Business Development Director
(614) 351-1237 x 250
Info@microsolved.com

Code Execution Exploit for Internet Explorer 7.0/8.0b

Internet Explorer has been found to be vulnerable to a cross-zone scripting when a user prints an HTML page and the browser is using its “Print Table of Links” options. The vulnerability exists because printing takes place in the local zone not the Internet zone. Any links within the page are not validated allowing for malicious code to be injected and run. The solution is simply to print without the “Print Table of Links” option. The original advisory can be read at: http://aviv.raffon.net/2008/05/14/InternetExplorerQuotPrintTableOfLinksquotCrossZoneScriptingVulnerability.aspx

Fear Renewed: The Cisco Router Rootkit

The media is all abuzz about a possible Cisco router rootkit that may be part of a presentation at a near future security conference.

While various issues with Cisco gear have emerged over the years and there has been at least one really public overreaction on the part of Cisco to vulnerability disclosure talks, there is probably little to really get spun up about here for the average corporate manager or infosec person.

The big news is that hostile, difficult to detect code could be introduced to routers at any point in their lifespan if an attacker has access to introduce images onto the router. This is a common problem with almost every type of device. There have been a number of trojan horse loads for everything from home firewalls to other forms of network gear for a number of years. Sure, the Cisco router is almost ubiquitous, and sure, it powers a lot of the Internet at large, but I think we pretty much always assumed that attackers with physical access and opportunity could introduce bad things to a device if they gained opportunity.

So before you give in to the hype or fear mongering, consider how this is different than any other form of software/firmware or the like. Likely, you already have a process in place for blowing new firmware onto all devices you purchase before putting them into use (right???). If not, it might be time to think about writing one…