SQL Worm, MBR Rootkit

There is a SQL “worm” spreading through the internet, taking advantage of sites vulnerable to SQL injection attacks. The attack injects JavaScript into every field in the database; the script then attempts to exploit browser flaws on clients that visit the infected website. Web developers should be aware of the increasing number of attacks that use input validation errors as their attack vector.
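As an added example (not from the original post), the following script does two things a site owner hit by this kind of worm needs: it walks every text column in a database looking for injected `<script src=...>` tags, and it contrasts the string-built query that lets the injection in with the parameterized form that stores attacker input as plain data. The products table and its contents are constructed sample data.

```python
"""Find script tags stored in a database and show the parameterized query
that closes the injection point. Sample data is constructed for this example."""
import re
import sqlite3

# The worm described above stores a <script> tag pointing at an external
# file in every text field it can reach; this is the signature we scan for.
INJECTED_SCRIPT = re.compile(r"<script[^>]*\bsrc\s*=", re.IGNORECASE)


def build_sample_db():
    """Constructed sample: one clean row and one row the worm has already hit."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A plain widget');
        INSERT INTO products VALUES (2, 'Gadget',
            'A gadget<script src="http://example.invalid/x.js"></script>');
    """)
    return db


def text_columns(db, table):
    """Names of the columns declared as text in a table (via PRAGMA table_info)."""
    return [row[1] for row in db.execute(f"PRAGMA table_info({table})")
            if row[2].upper() in ("TEXT", "VARCHAR", "CHAR")]


def scan_for_injected_script(db):
    """Return (table, rowid, column) for every text value carrying a script tag."""
    hits = []
    tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = text_columns(db, table)
        if not cols:
            continue
        for row in db.execute(f"SELECT rowid, {', '.join(cols)} FROM {table}"):
            for col, val in zip(cols, row[1:]):
                if isinstance(val, str) and INJECTED_SCRIPT.search(val):
                    hits.append((table, row[0], col))
    return hits


def find_product_vulnerable(db, name):
    """Before: user input is pasted into the SQL text, so quotes change the query."""
    return db.execute(f"SELECT id FROM products WHERE name = '{name}'").fetchall()


def find_product_safe(db, name):
    """After: a bound parameter is always compared as a literal string."""
    return db.execute("SELECT id FROM products WHERE name = ?", (name,)).fetchall()
```

Run the scanner against a backup copy of the live database and treat every hit as a row to clean, then fix the query that let the input through rather than only deleting the script tags.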

We have received word of a working MBR rootkit that runs on modern systems. This is not a new concept, but it is one that hasn’t had attention for several years. Windows Vista allows users to edit the MBR from userland. An MBR rootkit was discovered in the wild at the end of 2007. Keep an eye on this for more information coming in the future.

Microsoft Patch Tuesday Information

MS08-001

Addresses vulnerabilities in the TCP/IP stack that could lead to the execution of arbitrary code or Denial of Service conditions. It is rated Critical. This bulletin replaces MS06-032. The Microsoft security bulletin can be found at: http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx

MS08-002

Addresses input validation vulnerabilities in the Local Security Authority Subsystem Service (LSASS) that could lead to execution of code or privilege escalation. The Microsoft security bulletin can be found at: http://www.microsoft.com/technet/security/Bulletin/MS08-002.mspx

Patches for VMWare ESX Server and VirtualCenter

VMWare has released new patches that address vulnerabilities in Tomcat and Java JRE that could lead to compromise of systems, Denial of Service or the ability to circumvent security restrictions. The updates are for VirtualCenter 2.0.2, ESX 3.0.1 and ESX Server 3.0.2.
The original VMWare announcement can be found at: http://lists.vmware.com/pipermail/security-announce/2008/000003.html

Novell Privilege Escalation, AIX Unspecified Vuln, Firefox Dialog Box

Novell ZENworks Endpoint Security Management (ESM) Security Client contains a vulnerability that could allow a local user to call cmd.exe, giving them command line access and allowing them to escalate privileges. The vulnerability is reported in version 3.5. Administrators should upgrade to version 3.5.0.82.

An unspecified vulnerability has been reported in IBM AIX. Hardly any detail is available except that it occurs when the wrong path name is passed to the “trustchk_block_write()” function and prevents trusted files from being modified. This issue is reported in AIX 6.1 and administrators are urged to apply APAR IZ12119.

When Firefox creates an authentication dialog box it displays the actual source of the website at the end of the dialog text, whereas other browsers may place it at the beginning. This could be used to lure unsuspecting users to phishing websites and steal their authentication credentials. Mozilla has assigned this a security rating of low. Users should be vigilant about where they enter their authentication credentials and make sure it’s the proper website.

Realplayer Exploit

RealNetworks has not yet patched the vulnerability we discussed a few days ago. With proof of concept code already released, it’s assumed that malicious versions of the exploit are already out there, or at least being worked on. We highly recommend that Real video files be blocked, or that RealPlayer be uninstalled on machines for the time being. RealNetworks is still investigating the issue, and it’s unknown when a fix is expected.

Microsoft Security Advanced Bulletin

According to the latest Microsoft security advanced bulletin, January 8th will bring us 1 new Critical and 1 new Important security update. Both affect a large cross section of Windows operating systems. Additionally, a new version of the Microsoft Windows Malicious Software Removal Tool and 7 non-security updates will also be released. For full details see: http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx

SWF Whitepaper and VoIP Vulns

There is a guide available from Adobe on creating secure Flash applications. In the wake of the mid-December Adobe Shockwave Flash vulnerabilities, Adobe has released a white paper on “Creating more secure SWF web applications”. This, combined with the Flash data validation libraries available from Google, allows for a complete solution to any potential vulnerabilities. Developers of Flash animations/movies/applications should take the time to read over this document and see where they could use the data validation libraries within their environment. Security teams should be testing all of their environments’ Flash applications for vulnerabilities and coordinating to get these resolved. From what I’ve read, when Adobe makes the second update for these issues available in early 2008, the issues will not be completely resolved in already developed Flash applications.

Here’s a link to the article http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html and the validation libraries http://code.google.com/p/flash-validators/

Also, it appears a few SIP vendors have had vulnerabilities reported in their products today. Avaya is affected by two issues, one in PAM and the other in OpenSSH. The issue in PAM could allow the disclosure of sensitive data, or allow the injection of characters into log entries. The issue with OpenSSH could allow arbitrary code execution (a race condition) and the discovery of valid usernames. Here are the original Avaya advisories: http://support.avaya.com/elmodocs2/security/ASA-2007-526.htm and http://support.avaya.com/elmodocs2/security/ASA-2007-527.htm

Asterisk is vulnerable to a Denial of Service when handling the “BYE/Also” transfer method. Exploitation requires that a dialog already be established between the two parties. Asterisk versions prior to 1.4.17 are vulnerable. The issue is fixed in version 1.4.17.

Three Examples of Thinking Differently About InfoSec

Today, I am putting my money where my mouth is. I have been talking about thinking differently about infosec as being a powerful tool in the future for several months now, but here are three concrete examples of how security folks need to think differently than they do today. (Note that some of you may have already begun to embrace these ideas – if so, awesome, you are ahead of the curve!)

#1 – Think like attackers AND defenders – We as infosec folks often get so caught up in our statements of ethics, credos and agreements about behavior that we get trapped inside them and become blind to the methods and ways of attackers. Many security folks I meet have taken such steps to distance themselves from attackers, and show such utter disdain for attackers, tools and techniques, that they are essentially blind to the way attackers think. This is a dangerous paradox. If you don’t understand your opposition, you have no way of being effective in measuring your defensive capabilities. If you can’t think like an attacker, maneuver like an attacker and understand that they are not bound by the rules that you attempt to impose on them – then you will likely have little success in defending your organization against them. To better defend our assets, we have to be able and willing to understand our enemies. We have to have a realistic knowledge and capability to replicate, at the very least, their basic tools, techniques and attitudes. Otherwise, we are simply guessing at their next move. Essentially, without insight and understanding, we are playing the “security lottery” in hopes of hitting the big defensive jackpot!

#2 – Deeper defenses are better defenses – We must extend defense in depth beyond an organizational approach to a data-centric approach. The closer to the data the controls are implemented, the more likely they are to be able to add security to the core critical data. (Of course, normal rationality applies here. The controls have to be rational, effective and properly implemented and managed – as always!) This is why security mechanisms like enclaving, data classification and eventually tagging are the future of enterprise security. If we start to think about our security postures, deployments and architectures with these ideas in mind today, we will be able to leverage them in their present state and eventually gain the maximum from them when they are fully ready for integration.

#3 – Think risk, not compliance – I am going to continue to talk about this, no matter how much heat I get from the “compliance guru set”. Striving for compliance with various regulations or standards is striving for the minimum. Guidance, regulations and law are meant to be the MINIMUM BASELINE for the work we need to do to separate liability from negligence. Compliance is a milestone, not a goal. Effective understanding and management of risk is the goal. Don’t be deceived by the “compliance guru set’s” argument that meeting baselines is effective risk management. It is NOT. Regulatory compliance and ISO/PCI compliance pay little attention to, and offer little management of, attacker techniques like vulnerability chaining, management/analysis of cascading failures or zero-day/black swan (Thanks, Alex!) evolutionary capabilities. This step requires upper management education and awareness as well, since those that control the budgets must come to see compliance as a mile marker and not the end of the race ribbon!

I hope this helps folks understand more about what I am saying when I assert that in 2008, we have to think differently if we want infosec to improve. Of course, thought has to precede action, but action is also required if we are going to change things. What is clear, from the problems of 2007 and further back, is that what we are doing now is NOT WORKING. It should be very clear to all infosec practitioners that we are losing the race between us and attackers!

RealPlayer, ClamAV, Nugache

There’s a buffer overflow in RealPlayer 11. We don’t have much detail at this time; however, it is reported that this can be exploited with a maliciously crafted file opened with a vulnerable version. Opening a malicious file will result in the execution of code in the context of the user running the application. The issue is reported in RealPlayer 11; other, untested versions may be vulnerable.

ClamAV version 0.92 contains multiple vulnerabilities. The first vulnerability is a race condition, where an attacker could generate a file with a specific name that would be used by a ClamAV function. This could allow the attacker to overwrite arbitrary files. The next issue is in the handling of Base64-UUEncoded files. Attackers can create certain packed files that bypass the scanner itself. The consequences of this should be self evident, and the possibility of it occurring is very real, given the success rate of socially engineered emails and links.

More articles are emerging on the Nugache Trojan. Briefly, the Nugache Trojan is a very sophisticated piece of P2P controlled malware. Using decentralized management, nodes that can attach/detach, and encryption, this malware is a professional job. The authors of these articles seem to feel that the Storm and Nugache authors are the same, or share similar tactics. Once we see a full write up, we’ll post the details.