If you’re running an OS X version below 10.5.3 it is time to upgrade or install security update 2008-003.
This update fixes multiple issues that could result in system access, security bypass and privilege escalation, DoS, Cross Site scripting and a number of information exposure issues.
The original advisory is available at: http://support.apple.com/kb/HT1897
In case you missed it last week, Snort seems to be suffering from a problem with odd TTL values, which could allow an attack to get by Snort without detection. 2.8.1 has been released and includes the fix for the issue. Users of Snort should upgrade as soon as possible or apply the following workaround until they can update:
/From iDefense/
In the snort.conf file, set the ttl_limit configuration value to 255 as shown below.
preprocessor frag3_engine: ttl_limit 255
This will set the allowable difference to the maximum possible value, and prevent fragments from being dropped.
/End iDefense Content/
Also, SANS is talking about malicious SWF files that have been found online. Looks like they are using some encoded images that can cause some issues with what may be a previously known flash player vulnerability. Advise your users to be wary of flash enabled sites that they would consider “untrusted”. Of course, your milage may vary with this one, but at least awareness might help….
Lastly, as refresher, if you are a Notes/Domino user, it might be a good idea to check out patches that have been released lately. There have been a number of issues in the last few weeks and we are seeing an increase in Domino fingerprinting on some of our non-US HoneyPoints. Looks like quick scans for names.nsf and a couple of other common Notes files. So far though, we have not seen any attacker activity out of the norm, but it may be the precursor to an attack or other activity. Just an FYI…
At least two injection attack vectors have been discovered in IBM’s Lotus Domino Web Servers versions 6.x, 7.x and 8.x. These can lead to a stack based buffer overflow which may allow remote code execution and Cross Site Scripting attacks that can allow the execution of arbitrary HTML and script code. We recommend that you update your web servers as is appropriate.
The original advisories can be viewed at:
http://www-1.ibm.com/support/docview.wss?uid=swg21303057
and
A vulnerability has been reported in Avaya Call Management System that can be exploited to create Denial of Service. For more information see the original advisory at:
http://support.avaya.com/elmodocs2/security/ASA-2008-206.htm
CA BrightStor has been found to contain several vulnerabilities. The issues identified are buffer overflows and directory traversal vulnerabilities. Both vulnerabilities exist in ARCServer Backup versions 11.0, 11.1, and 11.5. The buffer overflows exist in the xdr functions in the ARCServer server. The directory traversal could potentially also be used to execute code by writing to a startup or configuration file. CA has released updates for these issues, and they should be tested and deployed as soon as possible.
Internet Explorer has been found to be vulnerable to a cross-zone scripting when a user prints an HTML page and the browser is using its “Print Table of Links” options. The vulnerability exists because printing takes place in the local zone not the Internet zone. Any links within the page are not validated allowing for malicious code to be injected and run. The solution is simply to print without the “Print Table of Links” option. The original advisory can be read at: http://aviv.raffon.net/2008/05/14/InternetExplorerQuotPrintTableOfLinksquotCrossZoneScriptingVulnerability.aspx
The media is all abuzz about a possible Cisco router rootkit that may be part of a presentation at a near future security conference.
While various issues with Cisco gear have emerged over the years and there has been at least one really public overreaction on the part of Cisco to vulnerability disclosure talks, there is probably little to really get spun up about here for the average corporate manager or infosec person.
The big news is that hostile, difficult to detect code could be introduced to routers at any point in their lifespan if an attacker has access to introduce images onto the router. This is a common problem with almost every type of device. There have been a number of trojan horse loads for everything from home firewalls to other forms of network gear for a number of years. Sure, the Cisco router is almost ubiquitous, and sure, it powers a lot of the Internet at large, but I think we pretty much always assumed that attackers with physical access and opportunity could introduce bad things to a device if they gained opportunity.
So before you give in to the hype or fear mongering, consider how this is different than any other form of software/firmware or the like. Likely, you already have a process in place for blowing new firmware onto all devices you purchase before putting them into use (right???). If not, it might be time to think about writing one…
A serious issue was discovered this week in the OpenSSL packages distributed with Debian based distributions over the last year and a half. The issue revolves around a small piece of code that was removed, it turned out that removing this bit of code crippled the pseudo random number generator used when creating keys. The vulnerable code has been using only the process id of the service as the seed, which leaves a very small number of seeds that can be used (32,768 to be exact).
All SSL and SSH keys generated affected systems since September 2006 could be affected. All generated certificates will be need to recreated and resigned by the CA. This includes web site certificates as well as OpenVPN certificates. If your CA was created on an affected system, it will also need to be recreated, and the old one revoked. As for SSH, any systems using key authentication need to be audited. If the keys were generated on these affected systems, they should be updated and regenerated ASAP.
Debian and Ubuntu have released updated packages, as well as a tool for checking your keys. Upon installing the packages, it is possible to recreate the keys during the update. These updates should be installed immediately, and keys regenerated after installing the updates.
A vulnerability in Microsoft Word could allow attackers the ability to execute arbitrary code. Cascading Style Sheets (CSS) are documents that allow the definition of various styles within a word document. A vulnerability in the processing of CSS results in memory corruption, which could be exploited by malicious attackers. Users would have to open an infected document on their local system to trigger the exploit.
Microsoft posted their patches for May today. Looks like 3 critical patches, all of which allow remote code execution. A denial of service patch is also included as a moderate.
Given the interest lately in patch-based vulnerability generation, if exploits don’t already exist in the wild, they are likely very quickly.
Organizations should immediately begin testing the patches against their normal QA process and get them applied as quickly as possible.