• SANS: August 2010 Microsoft Black Tuesday Summary
• Threatpost: Inside Microsoft’s August Patch Tuesday
• Microsoft TechNet: Microsoft Security Bulletin Summary for August 2010
• Microsoft Security Response Center: August 2010 Security Bulletin Release
• Microsoft Security Research & Defense: Assessing the risk of the August security updates

Update: Microsoft has published the advisory and patch. Details available here.

That catch comes in the form of an announcement from Core Technologies of a vulnerability in Microsoft’s Virtual PC which allows an attacker to bypass some of the security safeguards which would normally be in place if the system was running on bare metal.  (rather than as a guest OS, as well as some of the tools in place to protect Windows 7 such as DEP, ASLR and SafeSEH)  This means that older vulnerabilities which were not considered exploitable, as other protections were in place, have been given a new lease on life.

Microsoft’s response downplays the announcement.  Microsoft is not calling this a vulnerability, as it requires that there already be another vulnerability to exploit.  As such, they will not be releasing a patch for the flaw, but will instead be waiting until the next release or service pack for the Virtual PC product.

In response, Paul Cooke from Microsoft says, “An attacker can only exploit a vulnerable application running “inside” the guest virtual machine on Windows XP, rather than Windows 7!”.  The exclamation mark at the end of this sentence was bothersome.  It seems that they are missing something.  Obviously there have been enough people up in arms about compatibility issues with Windows 7 that Microsoft felt the need to relax the restrictions on XP mode to encourage migration to 7.  This also says that there are companies which have software doing very important things and that the software doesn’t like Windows 7, hence the need for XP mode to be used more widely.  It’s all well and good that the host Windows 7 box is fine, as the excited Microsoft response above states, but if the important stuff is in the Virtual PC then who cares about the host OS?

More coverage is available at Threatpost

Cisco has also released three advisories for vulnerabilities in three of their products.  Patches are now available for the Unified Communications Manager, Digital Media Manager and the Digital Media Player Remote display.

An interesting hardware/software vulnerability has been released for OpenSSL which could allow an attacker to deduce at least parts of the private key.  The technique used to exploit this weakness doesn’t seem very practical for attacking a full size system, but could be practical against embedded devices.

A new release of the TYPO3 Core CMS system has been released to cover a few vulnerabilities (XSS, information disclosure).  Other Open Source projects, PHP and BIND have also been updated with security fixes.

The Zero Day Initiative also has some upcoming advisories for Apple’s Safari browser, which may mean updates from Apple.  The ZDI has rated these as “High” severity.

Last, but never least, VMWare has released and advisory for some of their products, which includes another large list of CVEs covered.  These updates include a long list of third party updates for packages in ESX.

• Microsoft: IE Help Code Execution Vulnerability
• Microsoft: IE Help Code Execution Vulnerability (MS Security Research and Defense blog)
• Microsoft: March 2010 Patch Tuesday Advanced Notification
• Microsoft: Several known vulnerabilities to remain unpatched on forthcoming Microsoft patch day
• Cisco: Unified Communications Manager Denial of Service Vulnerabilities
• Cisco: Multiple Vulnerabilities in Cisco Digital Media Manager
• Cisco: Digital Media Player Remote Display Unauthorized Content Injection Vulnerability
• OpenSSL: Private key disclosure vulnerability
• TYPO3: Security update released
• ISC: BIND 9.6.2 released
• PHP: PHP 5.2.13 released
• Safari: Flaws in Safari Browser
• VMWare: Multiple ESX Service Console and vMA third party updates

Mozilla released Firefox 3.5.8 and 3.0.18 which fix multiple vulnerabilities, but the same day Intevydis dropped 0-day for Firefox 3.6 for the VulnDisco add-on for Immunity’s Canvas. There seems to be some debate on the validity of the exploit, so keep that in mind.  It does not appear that Mozilla has officially responded to this yet or provided a patch.

Cisco has released a trio of advisories for Firewall Services Modules, ASA 5500 appliances and the Cisco Security Agent.  The FWSM advisory is for a DoS attack when Skinny Client Control Protocol inspection is enabled.  The ASA and Security advisories both list multiple vulnerabilities, including SQLi, DoS, and Auth Bypass.

Updates are also available for OpenOffice and Google’s Picasa to close holes in file handling bugs among other vulnerabilites.

In other vulnerability news, 2X Software, who sell thin client/server/terminal software appear to have become accidental security researchers, as they claim to have found a vulnerability in Windows (according to them Windowas 2000 and up) which can be exploited for a DoS.  There is controversy around this, as other security researchers (non-accidental ones) argue that the same can be done without an exploit, and that the announcement is a publicity stunt and Microsoft appears to have this listed more as a bug than a feature, er vulnerability.  I’ve provided a few links so you can decide for yourself.

• Adobe: Security update available for Adobe Download Manager
• Mozilla: Firefox 3.5.8 Release fixes multiple vulnerabilities
• Mozilla:  0-day for Firefox 3.6
• Cisco: Cisco Firewall Services Module Skinny Client Control Protocol Inspection DoS
• Cisco: Multiple vulnerabilities in ASA 5500 Series Appliances
• Cisco: Multiple Vulnerabilities in Cisco Security Agent
• OpenOffice: Multiple vulnerabilities in versions prior to 3.2
• Google: Picasa JPEG Processing Integer Overflow Vulnerability
• Microsoft: Possible DoS in Windows 2000 and up:
  • The Register: Creaky old Windows flaw rises, divides doommongers
  • SC Magazine: Malta researchers find Windows bug that crashes PCs
  • SC Magazine: Microsoft operating system vulnerability claims refuted

Cisco has also posted updates, this set for their IronPort Appliances.  It looks like there are some serious vulnerabilities covered here, including accessing files on the appliance, as well as executing malicious code.

In the world of hardware hacking a researcher named Christopher Tarnovsky has managed to extract the encryption keys from the Trusted Computing Module.  There’s a lot of different chemicals, hardware and a Focused Ion Beam microscope involved.  Very impressive.

Google has released a new version of Chrome which fixes a large number of security issues, including one which earned some cash from the new Chrome bug bounty.  Of course there has been a lot of talk about privacy (or the lack thereof) in Google’s new Buzz service, but RSnake posted what appears to be a vulnerability in the service.

In an update to last week’s vuln roundup, some people have been having problems with update MS010-15, causing some XP machines to BSoD.  Turns out, those with the BSoD may also have another problem; a rootkit.  In other Microsoft matters, I’ve included an article on using Windows Communication Foundation services to perform a remote portscan, but which may also lead to other types of attacks against internal hosts.

Closing things out, TippingPoint’s Zero Day Initiative has announced the 2010 version of its Pwn2Own contest at the CanSecWest conference.  The targets of choice for this year are Web Browsers and Smart Phones.  I’m sure you’ll be reading about the outcome, or the patches from the outcome, after March 24th.

• Adobe: Security updates available for Adobe Reader and Acrobat
• Adobe: Security update available for Adobe Flash Player and Adobe AIR
• Adobe: Security update available for BlazeDS
• Cisco: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance
• Infineon: Crypto Key from TPM chip extracted
• Google: XSS in Buzz
• Google: Chrome 4.0.249.89 released
• Microsoft: Abusing WCF to Perform Remote Port Scans
• TippingPoint Zero Day Initiative: Pwn2Own 2010

Oracle has also released an out-of-band patch this week for a problem with their WebLogic Node Manager.  Also in the Oracle world, David Litchfield demonstrated a 0-day against Oracle’s 11g database server.  It doesn’t appear there is a patch available yet, so check the links for mitigation info.

Samba also has a post regarding a zero day attack for a directory traversal issue via symlinks.  I’ve included both a post on the vulnerability and a link to a post by the Samba developers.  On one hand, yes it does look a configuration error by an admin.  At the same time, it is the default configuration.  I’ll leave it to you to decide.  Besides, it never hurts to double check those smb.conf’s.

In an ongoing theme of malware in App Stores, or Market Places, or Galleries, it looks like two pieces of malware made it onto the Add-on site.  One is a password sniffer disguised as video downloader, and the other contained a backdoor.

Additionally there are some updates available for LANDesk Management Gateway which fixed a problem which allows an attacker to run commands as root.

• Microsoft: Patch Tuesday
• Oracle: Security Alert for WebLogic Server (CVE-2010-0073)
• Oracle: 0-day in Oracle 11G
• Samba: symlink attack 0-day (Samba’s response here)
• Mozilla: Malware in the add-ons
• LANDesk: Management Gateway command injection vulnerability

Speaking of Google and Adobe, Chrome 4 Stable has been released, which includes numerous security fixes, and Adobe has released an update to Shockwave Player to resolve a buffer overflow and an integer overflow.  An Cisco advisory is also listed for a DoS problem in the SSH server on the IOS XR platform, and another for a vulnerability which could allow remote code execution.

Rounding out the roundup, the ICS’s has released an update for BIND, the Tor project releases an update due to a hack of some of their directory servers, RealNetwork releases some updates, and I have also included a link concerning a briefing at the upcoming Black Hat DC conference on vulnerabilities in the Security Zones feature in IE.

• Microsoft: Cumulative Security Update for Internet Explorer
• Google: Chrome 4.0.249.78 for Windows Released
• Adobe: Security update available for Shockwave Player
• Cisco: IOS XR Software SSH Denial of Service Vulnerability
• Cisco: CiscoWorks Internetwork Performance Monitor CORBA GIOP Overflow Vulnerability
• ISC: BIND 9 DNSSEC Validation Code Could Cause Bogus NXDOMAIN Responses
• Tor Project: Updates in response to security breach
• RealNetworks: RealNetworks, Inc Releases Update to Address Security Vulnerabilities
• Microsoft: New Attack Uses Internet Explorer’s Own Features Against It

• Microsoft Patch Tuesday: OpenType Font file decompression vulnerability
• Adobe: Security update for Flash Media Server
• Adobe: Security updates for Reader and Acrobat
• Oracle: Oracle Critical Patch Update (CPU) – 24 vulns, 3 with no authentication required
• MacOS X: PoC for MacOS X 10.5/10.6 vulnerability
• VMWare: Multiple updates for ESX
• Juniper Networks: JUNOS Malformed TCP Packet DoS
• D-Link (Multiple Routers): HNAP Protocol Security Bypass Vulnerability
• PowerDNS: PowerDNS Recurser Buffer Overflow Vulnerability
• Motorola Droid: Screen Lock bypass

Another interesting story, also from the Android family is about a piece of malware which made its way into the Android Marketplace, specifically a fake mobile banking application which was designed to harvest login credentials.  More coverage can be found at SANS.

Blog post by:  David Shpritz