Microsoft Patch Tuesday details

MS08-030
Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376)
Performing a large number of SDP requests could allow for code execution.

MS08-031
Cumulative Security Update for Internet Explorer (950759)
Vulnerabilities in MSIE allow code execution and cross-domain information leaks.
Should be patched immediately as details on exploiting are publicly available.
Rated: Critical
Replaces MS08-024.

MS08-032
Cumulative Security Update of ActiveX Kill Bits (950760)
A vulnerability in the Speech API could allow remote code execution in the context of the user viewing a specially crafted web page. Speech recognition must be enabled.
Rated: Moderate
Replaces MS08-023.

MS08-033
Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)
Input validation vulnerabilities may allow code execution via DirectX.
Rated: Critical
Replaces MS07-064.

MS08-034
Vulnerability in WINS Could Allow Elevation of Privilege (948745)
A privilege escalation vulnerability in WINS could allow an attacker to compromise a vulnerable system.
Rated: Important
Replaces MS04-045.

MS08-035
Vulnerability in Active Directory Could Allow Denial of Service (953235)
An input validation failure in LDAP can lead to a Denial of Service.
Rated: Important
Replaces MS08-003.

MS08-036
Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)
Input validation vulnerabilities in PGM packets can be leveraged to cause a Denial of Service.
Rated: Important
Replaces MS06-052.

Windows Advance Notification for June

Tomorrow Microsoft will be releasing updates for their monthly patch cycle. It looks like there will be 3 critical-rated vulnerabilities, one of which is in the Bluetooth service. This one is interesting as it’s listed as being remotely exploitable. Assuming that it’s exploitable over the Bluetooth interface, this one could be very interesting. If it’s viable, watch for exploits for this vulnerability showing up in every attacker’s repertoire.

F5 FirePass SSL VPN XSS

The F5 FirePass SSL VPN appliance is vulnerable to cross-site scripting attacks within the management console. This device, designed to protect against XSS attacks, contains an XSS within the /vdesk/admincon/webyfiers.php and /vdesk/admincon/index.php pages that could permit an attacker to force premature termination of the parameter value and inject an event handler script. This vulnerability has been confirmed in version 6.0.2, hotfix 3. Previous versions may be affected. There’s no fix for it at the moment, so users/admins should not browse to untrusted sites while logged in to the management interface.

Increases in PHP Scanning

We are detecting increasing PHP scans for a series of known PHP vulnerabilities that thus far are originating from Asia.

To date, we see no new attacks, just checks for known bad pages, particularly admin interfaces and a couple of quick URLs to test for command injections. The scans seem to have begun in the last 24 hours and the traffic appears to be related to a possible new PHP scanner. Likely, some new tool has been released that contains a plethora of PHP vulnerabilities.

Organizations should ensure that any systems offering PHP or PHP applications have been properly assessed and patched.

HoneyPoint Security Server users are urged to deploy a web HoneyPoint or HornetPoint and to drop the hosts performing the scans into your firewall or router black hole lists. This should allow you to create a “one strike and you’re out” approach for black holing attacking systems.

Please let us know if you see any new PHP activity. We are currently watching this pattern for any zero-day type activity, but thus far we have observed only known security issues being probed.
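The “one strike and you’re out” approach described above, as an added example that is not part of the original post: it parses a few constructed Apache-style access log lines, flags requests that look like known-bad PHP probes (admin-interface paths and command-injection-style query strings; both signature lists are assumptions, not indicators from the post), and emits one drop rule per offending source.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format; the IPs and paths are
# made up for this example and are not indicators from the original post.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2008:03:14:02 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 221 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2008:03:14:03 -0500] "GET /admin/config.php HTTP/1.1" 404 221 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2008:03:14:03 -0500] "GET /index.php?page=;id HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Jun/2008:03:15:10 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jun/2008:03:15:12 -0500] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2008:03:16:40 -0500] "GET /pma/scripts/setup.php HTTP/1.1" 404 221 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Assumed probe signatures: well-known PHP admin-interface paths and
# command-injection-style query strings. Extend them to match your environment.
ADMIN_PATHS = ("/phpmyadmin/", "/pma/", "/admin/", "/mysqladmin/")
CMD_INJECTION_RE = re.compile(r"[?&][^=]+=[^&]*(?:;|%3b|\||%7c|`|%60)", re.I)

def classify(url):
    """Return a reason string if the URL looks like a known-bad probe, else None."""
    path = url.split("?", 1)[0].lower()
    if any(path.startswith(p) for p in ADMIN_PATHS):
        return "admin-interface probe"
    if CMD_INJECTION_RE.search(url):
        return "command-injection probe"
    return None

def find_scanners(log_text):
    """Map each client IP that sent at least one probe to the probes it sent."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        reason = classify(m["url"])
        if reason:
            hits[m["ip"]].append((m["url"], reason))
    return dict(hits)

def blackhole_rules(scanners):
    """'One strike and you're out': one drop rule per offending source (iptables syntax assumed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(scanners)]

if __name__ == "__main__":
    found = find_scanners(SAMPLE_LOG)
    print("\n".join(blackhole_rules(found)))
```

The legitimate client (198.51.100.22) never appears in the output; the two sources that sent any probe each get a single rule regardless of how many probes they sent.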

Are Your Disaster Recovery Plans Ready For A Disaster?

One data center just found out that theirs wasn’t, and a lot of their customers were also caught with no backup servers, relying only on the data center’s disaster recovery. On Saturday, ThePlanet data center experienced an explosion in their power room that knocked approximately 9,000 servers offline, affecting over 7,500 customers. ThePlanet was unable to get power back on to those servers for over a day, due to the fire department not letting them turn the backup power on.

Two separate issues can be seen from this. First, the data center’s disaster recovery plan failed to recover them from a disaster. While quite unlikely, an explosion in the power room can happen, as seen here, and they were not prepared for it. Perhaps they could have worked with the fire department during the creation of the disaster recovery policy to identify ways that backup power could be supplied while the power room was down. Or possibly, with 5 data centers (as ThePlanet has), they could have had spare hot servers at the other sites to send backups to. We don’t know the details of their policy or exactly what happened yet, so we can only speculate about ways that the downtime could have been prevented.

Secondly, many customers found out the hard way not to rely on someone else’s disaster recovery plans. These sites could have failed over to a site at another data center, or even a backup at their own site, but they weren’t prepared, assuming that nothing could happen to the data center where their server is hosted.

The lesson learned from this mistake is that disasters happen, and you need to be prepared. No disaster scenario should be ignored just because “it’s not likely to happen”. So take a look at your plans, and if you host at a data center and your website is critical, make sure there is a backup at a separate data center or on your own site.

Apple Releases Security Update

If you’re running an OS X version below 10.5.3, it is time to upgrade or install Security Update 2008-003.
This update fixes multiple issues that could result in system access, security bypass and privilege escalation, DoS, cross-site scripting and a number of information exposure issues.

The original advisory is available at: http://support.apple.com/kb/HT1897

Snort Issues In Case You Missed Them and Malicious SWF

In case you missed it last week, Snort seems to be suffering from a problem with odd TTL values, which could allow an attack to slip past Snort without detection. Snort 2.8.1 has been released and includes the fix for the issue. Users of Snort should upgrade as soon as possible or apply the following workaround until they can update:

/From iDefense/

In the snort.conf file, set the ttl_limit configuration value to 255 as shown below.

preprocessor frag3_engine: ttl_limit 255

This will set the allowable difference to the maximum possible value, and prevent fragments from being dropped.

/End iDefense Content/

Also, SANS is talking about malicious SWF files that have been found online. It looks like they are using some encoded images that can trigger what may be a previously known Flash Player vulnerability. Advise your users to be wary of Flash-enabled sites that they would consider “untrusted”. Of course, your mileage may vary with this one, but at least awareness might help.

Lastly, as a refresher, if you are a Notes/Domino user, it might be a good idea to check out the patches that have been released lately. There have been a number of issues in the last few weeks, and we are seeing an increase in Domino fingerprinting on some of our non-US HoneyPoints. It looks like quick scans for names.nsf and a couple of other common Notes files. So far, though, we have not seen any attacker activity out of the norm, but it may be the precursor to an attack or other activity. Just an FYI.

Lotus Domino Cross Site Scripting and Buffer Overflows

At least two injection attack vectors have been discovered in IBM’s Lotus Domino web server versions 6.x, 7.x and 8.x. These can lead to a stack-based buffer overflow, which may allow remote code execution, and to cross-site scripting attacks that can allow the execution of arbitrary HTML and script code. We recommend that you update your web servers as is appropriate.

The original advisories can be viewed at:
http://www-1.ibm.com/support/docview.wss?uid=swg21303057

and

http://www-1.ibm.com/support/docview.wss?uid=swg21303296