Vulnerability Roundup

So last month’s Patch Tuesday was pretty quiet on the Microsoft front.  Not so lucky this month with a total of 13 bulletins, 5 critical, 7 important.  And one for MS Paint.  That’s right, Paint.  Looks like I’ll have to put down the little spray paint tool for a bit. The others include patches for Office (2 of them), SMB (2 more), an update of ActiveX killbits, IPv6 stack vulnerabilities, Hyper-V, ShellExecute, Client/Server Run-time, Kerberos and the Windows Kernel.

Oracle has also released an out-of-band patch this week for a problem with their WebLogic Node Manager.  Also in the Oracle world, David Litchfield demonstrated a 0-day against Oracle’s 11g database server.  It doesn’t appear there is a patch available yet, so check the links for mitigation info.

Samba also has a post regarding a zero-day attack for a directory traversal issue via symlinks.  I’ve included both a post on the vulnerability and a link to a post by the Samba developers.  On one hand, yes, it does look like a configuration error by an admin.  At the same time, it is the default configuration.  I’ll leave it to you to decide.  Besides, it never hurts to double check those smb.conf files.
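For the "double check your smb.conf" point, here is an added audit script (my own example, not from the Samba post or the podcast). It assumes the two settings the Samba developers' mitigation guidance concerns are `wide links` (per share, default yes on affected releases) and `unix extensions` (global, default yes), and that a share is exposed to symlink traversal only when both are effectively on; verify those defaults against `testparm -v` on your own release. The sample smb.conf below is constructed for the demonstration.

```python
import re
from typing import Dict

# Constructed sample smb.conf, not taken from any real host.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
   ; unix extensions left at the default (yes)

[public]
   path = /srv/public
   read only = no
   ; wide links left at the default (yes on pre-fix releases)

[locked]
   path = /srv/locked
   wide links = no
"""

# Defaults as shipped by Samba 3.x before the 2010 fix (assumption: verify
# against `testparm -v` on your own release).
DEFAULTS = {"wide links": "yes", "unix extensions": "yes"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: sections to lower-cased key/value maps.
    Comments (; or #) and blank lines are skipped; later keys override earlier."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def _is_yes(value: str) -> bool:
    return value in ("yes", "true", "1")


def audit(text: str) -> Dict[str, bool]:
    """Map each share name to True when symlink traversal outside the share
    is possible: wide links effectively on AND unix extensions on."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    unix_ext = _is_yes(glob.get("unix extensions", DEFAULTS["unix extensions"]))
    findings: Dict[str, bool] = {}
    for name, share in conf.items():
        if name == "global":
            continue
        # Share-level setting wins, then [global], then the compiled-in default.
        wide = _is_yes(share.get("wide links",
                                 glob.get("wide links", DEFAULTS["wide links"])))
        findings[name] = wide and unix_ext
    return findings


if __name__ == "__main__":
    for share, exposed in audit(SAMPLE_SMB_CONF).items():
        status = "EXPOSED (wide links + unix extensions)" if exposed else "ok"
        print(f"[{share}] {status}")
```

Point it at a real file with `audit(open("/etc/samba/smb.conf").read())`; any share reported as exposed should get an explicit `wide links = no`, which is the setting the developers' post recommends.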

In an ongoing theme of malware in App Stores, or Market Places, or Galleries, it looks like two pieces of malware made it onto the Add-on site.  One is a password sniffer disguised as a video downloader, and the other contained a backdoor.

Additionally, there are some updates available for LANDesk Management Gateway which fix a problem that allowed an attacker to run commands as root.

Adobe JavaScript Blacklisting

The JavaScript implementations in Adobe Reader and Acrobat have been a sore spot for Adobe (as well as administrators) for a while now.  To help make the world a safer place, Adobe has added a feature to Reader (versions 9.2 and 8.1.7) to allow administrators to blacklist certain functions in the JavaScript API.  Many times when 0days are released for Reader, the recommendation for administrators is to disable JavaScript in Reader while a patch is readied.  The problem is that in many organizations PDF forms are used extensively, and disabling JavaScript can mean that these forms stop working, so disabling it may not be practical.  In addition, if it is disabled while waiting for a patch, that wait may be long, as Adobe has switched to a quarterly update schedule and has cited this schedule in the past as a reason for delaying patches.

The new JavaScript Blacklist Framework for Reader and Acrobat uses some configuration settings (registry on Windows, Preferences on MacOS).  Instead of using one area for the settings, the Framework has two.  The first is for administrators, and it appears the second is for Adobe to use in conjunction with the new silent update feature they have rolled out in beta versions of Reader.  This means that the updates will not trample over administrator preferences.

Of course, there will always be cases where organizations know of a vulnerability in a particular function of the JavaScript API which is used by business documents, so Adobe has also added a way to add “trusted locations” (by URL or path), as well as certificate management, so that particular documents can be exempted from blacklisting.

There are some drawbacks, such as limitations to what can be blacklisted (not all JavaScript functions are eligible, nothing from the 3D JavaScript API can be listed, and if a blacklisted function is called, all scripts in that document stop working), but it is a good start.
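To make the two-list design concrete, here is an added example (my own, not Adobe's code or anything from the podcast) that builds the administrator blacklist value, renders it as a .reg file for the policy key, and checks whether a function is blocked by either list. Assumptions, to be verified against the Adobe PDFs linked below: the registry paths are the ones I recall from Adobe's framework document for Reader 9.x on Windows (the administrator list under `HKLM\SOFTWARE\Policies\...\FeatureLockDown\cJavaScriptPerms`, Adobe's own list under `HKLM\SOFTWARE\Adobe\...\JavaScriptPerms`), the value is a `REG_SZ` named `tBlackList` holding `Object.method` entries separated by `|`, and a function named in either list is blocked. The sample entries are real Acrobat JavaScript API names chosen only to show the format, not a recommended list.

```python
import re
from typing import Iterable, List

# Registry locations as I recall them from Adobe's framework document for
# Reader 9.x on Windows (assumption: verify against the PDFs linked in the post).
ADMIN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\9.0"
             r"\FeatureLockDown\cJavaScriptPerms")
ADOBE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\JavaScriptPerms"
VALUE_NAME = "tBlackList"
SEPARATOR = "|"

# Entries look like Object.method; anything else is rejected so a typo does not
# silently produce an entry that never matches anything.
_ENTRY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$")


def build_blacklist(functions: Iterable[str]) -> str:
    """Join validated, de-duplicated API names into the REG_SZ value string."""
    out: List[str] = []
    for name in functions:
        name = name.strip()
        if not _ENTRY_RE.match(name):
            raise ValueError(f"not an Object.method name: {name!r}")
        if name not in out:
            out.append(name)
    return SEPARATOR.join(out)


def parse_blacklist(value: str) -> List[str]:
    """Split a stored tBlackList value back into its entries."""
    return [part for part in value.split(SEPARATOR) if part]


def is_blocked(function: str, admin_value: str, adobe_value: str = "") -> bool:
    """True if either list names the function.
    Assumption: the administrator list and Adobe's list are unioned and
    matched on the exact entry string."""
    blocked = set(parse_blacklist(admin_value)) | set(parse_blacklist(adobe_value))
    return function in blocked


def render_reg_file(functions: Iterable[str]) -> str:
    """Emit a .reg file that sets the administrator list only, leaving
    Adobe's own key untouched so its updater cannot overwrite local policy."""
    value = build_blacklist(functions)
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{ADMIN_KEY}]",
        f'"{VALUE_NAME}"="{value}"',
        "",
    ])


# Constructed sample list (with a duplicate to show de-duplication); the names
# are real Acrobat JavaScript API members used only to illustrate the format.
SAMPLE_ADMIN_LIST = ["Collab.collectEmailInfo", "util.printf", "Collab.collectEmailInfo"]

if __name__ == "__main__":
    print(render_reg_file(SAMPLE_ADMIN_LIST))
    print("util.printf blocked:", is_blocked("util.printf", build_blacklist(SAMPLE_ADMIN_LIST)))
```

Keeping the administrator entries under the `Policies` key, and never writing to Adobe's own key, is the whole point of the split the post describes: a silent update can rewrite Adobe's list without touching yours, and the effective blacklist is still the union of both.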

SourceFire’s VRT has a post on some of their testing with the framework, and they are nice enough to supply some suggestions for blacklisting candidates, as well as sample PDFs which can be used for testing.

Adobe Reader and Acrobat JavaScript Blacklist Framework

Managing JavaScript Execution in the Acrobat Family of Products (PDF)

Enhanced Security and Trusted Locations (PDF)

Vulnerability Roundup

Another week, another Adobe advisory.  This time, it’s not Reader, but ColdFusion 9, which shipped with a service someone forgot to lock down to localhost, allowing an attacker to view system information as well as mess with search indexes.

Two advisories from Cisco as well this week, covering two different products and a few different vulnerabilities (XSS, SQLi, and escalation of privilege among them).  Updates are also available for the iPhone OS for iPhones and iPod Touch devices which resolve vulnerabilities in different aspects of the OS.  In many cases visiting or viewing malicious content could cause overflows, which may allow for code execution.  An update for VMware’s vCenter covering more than 50 CVEs is also listed.

Some Open Source applications are also listed.  One of the interesting ones is the e107 CMS, which was found to have a backdoor which was later used to compromise the project’s site before they applied their own patch (more details on that here).

SecuraBit T-Shirts are back! Pre-order to pickup at the Podcaster’s Meetup!

We don’t have the final artwork back yet for posting here, however they are similar to the past design with one major exception:  We inverted the black and white, so they are white t-shirts with black lettering.

We will have the following quantities:

9 Small
14 Medium
21 Large
21 X-Large
7 XX-Large

The shirts will be $12 each for pickup (you will also get a free sticker!) during Shmoocon at the PCM, or whenever it’s convenient for you throughout the weekend!  Anything leftover will be sold via the website later.  All proceeds go toward running the show!

Submit pre-order here, include your address and phone number!

Thank you for all of your support!

SecuraBit Episode 49: ConFoo.ca!

Podcasters Meetup - http://www.podcastersmeetup.com/
ShmooCon – Saturday Evening @ 8PM

SANS Discount Code SB508 – Free GCFA attempt when using this link.

Philippe Gamache:
Day job is focused on secure programming, developer training and code audit.
About ConFoo.ca:
-New conference about web technology
-PHP Quebec Conference offshoot
-Gets all the user groups in the Montreal area together to share information
-8 separate tracks at the time

ShmooCon FireTalks

Escaping the clutches of The GOOG - http://www.securabit.com/2010/01/21/escaping-the-clutches-of-the-goog/

Hosts:
Anthony Gartner – @anthonygartner
Christopher Mills – @thechrisam
Chris Gerling  – @chrisgerling
Nicholas Berthaume - @aricon
Andrew Borel –  @andrew_secbit

Guests:
Philippe Gamache – ConFoo.ca – @SecureSymfony

Chat with us on IRC at irc.freenode.net #securabit

Links:
ConFoo.ca - http://www.confoo.ca/en

The Academy Pro – Weekly Video Review

This week The Academy Pro has released videos covering Nessus 4.2, Shavlik NetChk Analyzer, Rapid 7 NeXpose, and McAfee Security Center!  Visit their website and signup in order to view the videos!  Sit back and learn something new!

(Please note, you must register with The Academy Pro before viewing these videos!)

Also, The Academy Pro has recruited bloggers to add content to their site, but they are still looking for more. If you believe you have what it takes to post up-to-date security content on their blog, drop them a line at feedback[@]theacademypro[dot]com

Vulnerability Roundup

Well, it looks like all the big boys are here.  Microsoft, Google, Adobe, Cisco, and ISC’s BIND all make this week’s roundup.  As mentioned in last week’s roundup, Microsoft released an out-of-band update for vulnerabilities related to the attacks on Google, Adobe and others.

Speaking of Google and Adobe, Chrome 4 Stable has been released, which includes numerous security fixes, and Adobe has released an update to Shockwave Player to resolve a buffer overflow and an integer overflow.  A Cisco advisory is also listed for a DoS problem in the SSH server on the IOS XR platform, and another for a vulnerability which could allow remote code execution.

Rounding out the roundup, ISC has released an update for BIND, the Tor project has released an update due to a hack of some of their directory servers, RealNetworks has released some updates, and I have also included a link concerning a briefing at the upcoming Black Hat DC conference on vulnerabilities in the Security Zones feature in IE.

Rob Lee will be on the 2/10 show!

If you haven’t taken the Security 508 course yet, we have an excellent opportunity for you!  Rob will be teaching the SEC508 (Forensics) course via the SANS vLive! platform beginning 3/23/2010.  Classes will occur every Tuesday and Thursday until 4/29/2010 from 7-10PM EDT.

I have personally taken the 508 course and recommend anyone who is interested in computer forensics take it as well.  Even if you aren’t a full-time forensic examiner, the information you take away from the class will help you in all aspects of information security.  Understanding how file systems and memory work can be crucial.

Please check out the course and register at this link!  Use code SB508 to get a free GCFA certification attempt with the purchase of the full course.

SecuraBit will be interviewing Rob Lee on our 2/10/2010 show.  If you have any questions for Rob or any questions regarding SANS vLive! please feel free to comment or shoot us an email via our contact form!

SecuraBit Live tonight!

Join us as we interview Philippe Gamache as he discusses ConFoo.ca, a web technology conference based in Montreal, Canada!  The conference runs from March 10-12, 2010 and you can still register until February 20th!

We should be live around 8pm EST tonight, join us on IRC or listen in live at this link!

The Academy Pro – Weekly Video Review

The Academy Pro this week released videos covering a range of topics applying to the penetration testing software Core Impact, McAfee Security Center, GFI Network Server Monitor, Panda GateDefender Integra and more!  Here is a brief rundown of what’s new.  So be sure to stop on by, sign up, sit back and learn something!

(Please note, you must register with The Academy Pro before viewing these videos!)

-Quick system scan with McAfee Security Center

-Installing McAfee Security Center

-GigaVUE file management with Citrus

-GigaVUE file management with the CLI I

-GigaVUE file management with the CLI II

-Enable logging with GFI Network Server Monitor 7

-Installing GFI Network Server Monitor 7

-Installing and updating Core Impact 10

-URL Filtering with Panda GateDefender Integra

-Configuring a Panda GateDefender Integra in Route Mode

Also, The Academy Pro has recruited bloggers to add content to their site, but they are still looking for more. If you believe you have what it takes to post up-to-date security content on their blog, drop them a line at feedback[@]theacademypro[dot]com