Novell Privilege Escalation, AIX Unspecified Vuln, Firefox Dialog Box

Posted on January 7, 2008 by Nathan Grandbois

Novell ZENworks Endpoint Security Management (ESM) Security Client contains a vulnerability that could allow a local user to call cmd.exe thus giving them command line access and escalate privileges. The vulnerability is reported in version 3.5. Administrators should upgrade to version 3.5.0.82.

An unspecified vulnerability has been reported in IBM AIX. Hardly any detail is available except that it occurs when the wrong path name is passed to the “trustchk_block_write()” function and prevents trusted files from being modified. This issue is reported in AIX 6.1 and administrators are urged to apply APAR IZ12119.

When Firefox creates an authentication dialog box it displays the actual source of the website at the end of the dialog text, where other browsers may create it at the beginning. This could lead to luring unsuspecting users to phishing websites and stealing authentication credentials. Mozilla has assigned this a security rating of low. Users should be vigilant about where they put their authentication credentials and make sure it’s to the proper website.

Realplayer Exploit

Posted on January 4, 2008 by Adam Hostetler

RealNetworks has not yet patched the vulnerability for the issue we discussed a few days ago. With proof of concept code already released, its assumed that there are malicious versions of the exploit already out there, or at least being worked on. We highly recommend that real video files be blocked, or real player be uninstalled on machines for the time being. RealNetworks is still investigating the issue, and its unknown when a fix is expected.

Microsoft Security Advanced Bulletin

Posted on January 3, 2008 by wstoner

According to the latest Microsoft security advanced bulletin, January 8th will give us 1 new Critical and 1 new Important security updates. Both affect a large cross section of Windows Operating systems. Additionally a new version of the Microsoft Windows Malicious Software Removal Tool and 7 non-security updates will also be released. For full details see: http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx

PHP 4.4.8 Released

Posted on January 3, 2008 by wstoner

The latest release of the 4.4 branch of php was released today. This release addresses several vulnerabilities including a couple of integer overflows, input handling and file and database interaction issues. We encourage anyone running earlier versions of this branch to upgrade as soon as is possible. For full details see http://www.php.net

SWF Whitepaper and VoIP Vulns

Posted on January 3, 2008 by Nathan Grandbois

There is a guide available from Adobe on creating secure Flash applications. In the wake of the mid December Adobe Shockwave Flash vulnerabilities, Adobe has released a white paper on “Creating more secure SWF web applications”. This, combined with flash data validation libraries available from Google, allow for a complete solution to any potential vulnerabilities. Developers of Flash animations/movies/applications should take the time to read over this document and see where they could use the data validation libraries within their environment. Security teams should be testing all of their environments Flash applications for any vulnerabilities and coordinate to get these resolved. From what I’ve read, when Adobe makes the second update for these issues available early 2008, the issues will not be completely resolved in already developed Flash applications.

Here’s a link to the article http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html and the validation libraries http://code.google.com/p/flash-validators/

Also, it appears a few SIP vendors have had vulnerabilities reported in them today. Avaya is affected by two issues, one in pam and the other in OpenSSH. The issue in pam could allow for the disclosure of sensitive data, or allow the injection of characters into log entries. The issue with OpenSSH could allow arbitrary code execution (race condition) and the discovery of valid usernames. Here’s the original Avaya advisories: http://support.avaya.com/elmodocs2/security/ASA-2007-526.htm and http://support.avaya.com/elmodocs2/security/ASA-2007-527.htm

Asterisk is vulnerable to a Denial of Service when handling the “BYE/Also” transfer method. Exploitation requires that a dialog already be established between the two parties. Asterisk versions prior to 1.4.17 are vulnerable. The issue is fixed in version 1.4.17.

Research, NIST Speaks

Posted on December 31, 2007 by Nathan Grandbois

Over the past week some researchers have published new methods and tools for embedded device hacking and ways to improve blind SQL injection. It will be interesting to see the scope of where embedded device hacking goes, as more devices are getting additional capabilities, that may be coming in exchange for security. Also, the NIST says the feds are keeping up on their own penetration testing and will release new guidelines in March required third party testing for federally controlled facilities.

A new version of Nipper has been released. This handy tool performs configuration auditing for various network devices and can make limited security recommendations. When was the last time you went through your firewall rules? This should be happening at some regular occurrence, however dull it may be.

Another worm, Nugache, has recently been covered in an article by Bruce Schneier, where he talks about some interesting stuff. No direct C&C server, encrypted packets all around, and the ability for any node to become the “leader”. Bot development is becoming more sophisticated, and funded. Expect to see some serious Trojans in the coming future.

MS07-065 PoC, Scam Warning

Posted on December 28, 2007 by Nathan Grandbois

A proof of concept has been released for one of the vulnerabilities announced in Decembers Microsoft Update. The vulnerability in Message Queuing Service (ms07-065) now has a working proof of concept exploit available to the public. If you have not updated, or do not have automatic updates enabled, please do so.

Also, with the recent death of a foreign former prime minister, be on the lookout for emails or website attempting to lure you there as most of these will likely been social engineering/scam attempts.

More Storm Worm

Posted on December 27, 2007 by Adam Hostetler

Not a lot happening today in vulnerability news. However, a new round of the storm worm has been circulating. This time the emails are coming with “Happy New Years” themes. This one is seems to be pointing to the domain “uhavepostcard.com”. So be wary of any ecards in your inbox.

0wned By a Picture Frame & Other Digital Errata

Posted on December 26, 2007 by Brent Huston

First it was Trojan firmware on network routers, firewalls and other network appliances. That was followed by attackers installing trojans and malware on USB keys and then dumping them back into those sale bins by the registers. Now, SANS is reporting that a number of digital picture frames sold by retailers were pre-infected with malware, just waiting to be mounted on a PC during the picture loading process.

As we have been predicting in the State of the Threat presentations for more than a year, the attackers have found new and insidious ways to turn the newest and seemingly most benign technologies into platforms of attack. Now that just about everything from refrigerators to washing machines and from toasters to picture frames have memory, CPU and connectivity – the vectors for malware introduction and propagation are becoming logarithmically more available. As computers, mesh networks and home automation continue to merge, we have to think differently about risk, threats and vulnerabilities.

Until we as security folks can get our head around overall strategies for securing the personal networks and tools we become more dependent upon each day, we have to rely on point tactics like wiping drives when we get them, reloading firmware on all devices – even new ones – from trusted vendor sources and doing the basics to secure home and business networks and systems. Hopefully, one day soon, we can build better, more proactive solutions like integrated hashing, malware identification and other mechanisms for alerting users to basic tampering with our devices. While we geeks are getting the wired world we always dreamed of, we are learning all too quickly that it comes with some unexpected risk…

Novell Identity Manager, Groove Office

Posted on December 26, 2007 by Adam Hostetler

Groove Virtual Office is reported to have a vulnerable ActiveX control. The vulnerability is a buffer overflow which could potentially allow code execution if an exploit were successful. This vulnerability applies to Groove Virtual Office 3.x, and does not affect the newest version included in Office 2007. At this time there’s no patch, so it is recommended to disable the ActiveX control.

A vulnerability has also been reported in Novell Identity Manager. This vulnerability could be exploited by a remote attacker to cause a Denial of Service condition. It’s reported that version 3.5.1 is affected, but may also affect other versions. Novell has issued a patch for this issue.

MSI :: State of Security

Insight from the Information Security Experts

Category Archives: Emerging Threats