[Sunnet Alert] Advisory #248 - Microsoft (Multiple), Symantec, OS X, DXMedia, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Tue Aug 21 07:58:00 EST 2007
Sûnnet Beskerming Alert List Advisory #248
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 7 Days
1.2 Symantec Product Range
- Remote Hacker Automatic Control
- Time Since Discovery - > 1 week
1.3 OS X
- Local Hacker Automatic Control
- Time Since Discovery - > 1 week
1.4 DXMedia
- Remote Hacker Automatic Control
- Time Since Discovery - 7 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 The Difficulty of Validating Systems and Users
2.2 When InfoSec Companies are Targeted
2.3 German Security Professionals in the Mist
2.4 Protecting Aussie Internet Users for $190 Million
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows 2000, XP, 2003, Vista
Visio 2002, 2003
Outlook Express
Windows Mail
-- Technical Description --
MS07-042 - MSXML. Arbitrary remote code execution. Critical
MS07-043 - OLE. Arbitrary remote code execution. Critical
MS07-044 - Excel. Arbitrary remote code execution. Critical
MS07-045 - Internet Explorer. Arbitrary remote code execution. Critical
MS07-046 - GDI (WMF). Arbitrary remote code execution. Critical
MS07-047 - Windows Media Player. Arbitrary remote code execution.
Important
MS07-048 - Vista Gadgets. Arbitrary remote code execution. Important
MS07-049 - Virtual PC. Arbitrary Host code execution. Important
MS07-050 - VML. Arbitrary code execution. Critical
MS07-041 - IIS. Arbitrary remote code execution. Important
-- Description --
Microsoft delivered nine patches as part of the August Security
Update release. Six of the patches have been rated as critical, with
the remaining three as Important. Exploit code has already begun to
circulate for a number of the vulnerabilities.
-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-042.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-043.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-044.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-045.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-046.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-048.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-050.mspx
-- External Tracking Data --
CVE-ID: CVE-2007-2223 (MS07-042)
CVE-ID: CVE-2007-2224 (MS07-043)
CVE-ID: CVE-2007-3890 (MS07-044)
CVE-ID: CVE-2007-0943 (MS07-045)
CVE-ID: CVE-2007-2216 (MS07-045)
CVE-ID: CVE-2007-3041 (MS07-045)
CVE-ID: CVE-2007-3034 (MS07-046)
CVE-ID: CVE-2007-3037 (MS07-047)
CVE-ID: CVE-2007-3035 (MS07-047)
CVE-ID: CVE-2007-3033 (MS07-048)
CVE-ID: CVE-2007-3032 (MS07-048)
CVE-ID: CVE-2007-3891 (MS07-048)
CVE-ID: CVE-2007-0948 (MS07-049)
CVE-ID: CVE-2007-1749 (MS07-050)
-- Threat Matrix --
             U   O
Home User   10  10  (Highly Critical)
Corporate   10  10  (Highly Critical)
1.2 Symantec Product Range - Remote Hacker Automatic Control
-- Products Affected --
Various
-- Technical Description --
Two ActiveX controls managed by NAVCOMUI.DLL have input validation
errors that can lead to arbitrary code execution.
-- Description --
Symantec have released information about vulnerabilities in two
ActiveX controls associated with Norton AntiVirus, Norton Internet
Security, and Norton SystemWorks. If an attacker is able to convince
a victim to interact with a malicious website hosting code that
targets these vulnerabilities, then it is possible for the attacker
to take control of the victim's system.
-- Recommended Action --
Run LiveUpdate from within affected Symantec software to obtain the
appropriate updates.
-- Source --
http://securityresponse.symantec.com/avcenter/security/Content/2007.08.09.html
-- Updates Available --
Run LiveUpdate from within affected Symantec software to obtain the
appropriate updates.
-- External Tracking Data --
SYM07-021
-- Threat Matrix --
             U   O
Home User    8   8  (Very High)
Corporate    8   8  (Very High)
1.3 OS X 10.4 - Remote Hacker Automatic Control
-- Products Affected --
10.4.10 and prior.
-- Technical Description --
Numerous issues affecting OS X 10.4.x and 10.3.x, including:
bzip2 - bzgrep run on a file with a malicious name may lead to
arbitrary code execution (filename handling issue)
CFNetwork - Poor handling of FTP commands passed via a URI may lead
to arbitrary command execution. A second issue, affecting HTTP
response splitting may lead to XSS conditions. A vulnerability in the
Java interface to CoreAudio (via CFNetwork) allows for arbitrary
memory freeing and arbitrary code execution.
cscope - Multiple vulnerabilities, allowing buffer overflow conditions.
gnuzip - Similar problem to that affecting bzip2
iChat - Denial of Service or arbitrary code execution as a result of
buffer overflow conditions in UPnP IGD.
Kerberos - Multiple vulnerabilities, including remote code execution
(see separate vulnerability reports).
mDNSResponder - Denial of Service or arbitrary code execution as a
result of poor handling of UPnP IGD code. UPnP IGD support has been
removed.
PDFKit - Maliciously named PDF files may lead to arbitrary code
execution.
PHP - Multiple vulnerabilities.
Quartz Composer - Denial of service and possible arbitrary code
execution due to poor handling of Quartz Composer files.
Samba - Malicious MS-RPC requests can lead to arbitrary code
execution or denial of service.
SquirrelMail - Multiple vulnerabilities, most serious of which is XSS.
Tomcat - Multiple vulnerabilities.
WebCore - Multiple vulnerabilities, including the operation of Java
applets when Java support is disabled, scripting within HTML
elements, and multiple XSS opportunities.
WebKit - Poor IDN support leading to URL obfuscation and poor
handling of PCRE can lead to arbitrary code execution.
-- Description --
Apple have released Security Update 2007-007, addressing a large
number of serious vulnerabilities affecting both OS X 10.4.x and
10.3.x (Tiger and Panther, respectively). A number of the
vulnerabilities also affect the iPhone and Safari 3 Betas and have
been addressed via separate updates as well. A number of the
vulnerabilities could allow remote control over vulnerable systems,
while others could lead to loss of functionality for legitimate users.
-- Recommended Action --
Security Update 2007-007 should be applied at the earliest
opportunity. The update can be applied either through the Software
Update application, or through manually downloading it from the
download link below.
-- Source --
http://docs.info.apple.com/article.html?artnum=61798
-- Updates Available --
http://www.apple.com/support/downloads/
-- External Tracking Data --
Multiple
-- Threat Matrix --
             U   O
Home User    9   9  (Critical)
Corporate    9   9  (Critical)
1.4 DXMedia SDK - Remote Hacker Automatic Control
-- Products Affected --
DXMedia SDK At least version 6
-- Technical Description --
The DXTLIPI.DLL associated with the FlashPix ActiveX control, part
of the Microsoft DirectX Media SDK, has been discovered to have a
buffer overflow vulnerability affecting the SourceUrl() property.
Public exploit code is readily available.
-- Description --
Earlier this week it was discovered that an ActiveX control
associated with the Microsoft DirectX Media SDK, specifically the
DirectTransform FlashPix ActiveX control, contains a vulnerability
that allows an attacker to take control over a victim's system if the
victim can be convinced to interact with a malicious site. It is
possible that the affected ActiveX control is also available via
other products. Public exploit code is readily available from a
number of sources.
-- Recommended Action --
It is possible to mitigate the threat by setting the Registry
kill bit for the affected ActiveX control (CLSID
201EA564-A6F6-11D1-811D-00C04FB6BD36). Alternatively, disable support
for all ActiveX controls in order to mitigate.
-- Source --
Krystian Kloskowski (h07)
-- Updates Available --
http://www.apple.com/support/downloads/
-- External Tracking Data --
US-CERT VU#466601
-- Threat Matrix --
             U   O
Home User    9   9  (Critical)
Corporate    9   9  (Critical)
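The kill-bit mitigation recommended above, as an added PowerShell example that is not part of the advisory or of any Microsoft tool. It assumes the CLSID given on the page and the documented Internet Explorer kill-bit mechanism (the "Compatibility Flags" DWORD under the ActiveX Compatibility key, with bit 0x400 set); the Get-KillBitState helper is a name introduced here.

```powershell
# Added example: set and verify the Internet Explorer kill bit for the
# FlashPix ActiveX control (DXTLIPI.DLL) named in the advisory.
# The CLSID is taken from the advisory; the registry path and the 0x400
# "Compatibility Flags" value are the documented IE kill-bit mechanism.
# Run from an elevated PowerShell prompt.
$clsid   = '{201EA564-A6F6-11D1-811D-00C04FB6BD36}'
$killBit = 0x400

$keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    # 32-bit IE on 64-bit Windows reads the WOW64 registry view, so cover both
    $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

# Hypothetical helper: report the current flags and whether the kill bit is present
function Get-KillBitState {
    param([string]$Key)
    $flags = 0
    if (Test-Path $Key) {
        $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($item) { $flags = [int]$item.'Compatibility Flags' }
    }
    # The kill bit is one flag among several, so test the bit, not the whole value
    [pscustomobject]@{
        Key        = $Key
        Flags      = $flags
        KillBitSet = (($flags -band $killBit) -ne 0)
    }
}

foreach ($key in $keys) {
    $before = Get-KillBitState -Key $key
    if (-not $before.KillBitSet) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so that any existing compatibility flags are preserved
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -Value ($before.Flags -bor $killBit) -Type DWord
    }
    $after = Get-KillBitState -Key $key
    '{0}: Compatibility Flags=0x{1:X} (kill bit set: {2})' -f $key, $after.Flags, $after.KillBitSet
}
```

The verification step matters because the kill bit only takes effect if the exact CLSID key exists under the ActiveX Compatibility path; a typo in the braces or CLSID leaves the control loadable.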
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 The Difficulty of Validating Systems and Users
One of the issues plaguing identity management and online
authentication systems is how to accurately validate the identity of
the system or user connecting to a service.
One possible means for identification that has attracted attention
recently is finding and identifying a 'MachineID', some form of
unique identifier that is specific to a particular physical system
and which is difficult to reliably fake. This might take the form of
tracking internal network IP addresses, end user system patch levels
and browser configuration, and even tracking of end user system
hardware configuration.
A further problem is how to reliably identify when more than one user
is using an authenticated system: how should the mechanism handle
seemingly identical requests that originate from distinct users?
If the authentication system to be used is to be installed alongside
other software then this is a problem that has already been solved
and dismissed from all but casual usage. Many anti-copying software
and hardware efforts come in such a format - additional code that
forms part of an installed product, for the purpose of ensuring only
legitimate copies of the software are in use. These methods could
have modified key software based on how the system identified itself,
required the use of a hardware 'dongle' for authentication, looked
for the presence of hidden system files or the physical presence of
removable media, or even looked for the presence of intentionally-
corrupted space on original installation media.
With every effort to prevent people from copying or using software in
any way they want to comes a dedicated effort to overcome and
neutralise the above listed means of preventing non-authorised usage.
Returning to the first concept raised in this article, the
development and introduction of an equivalent system for online use:
the motivation to bypass or trick it increases rapidly alongside the
financial incentive to break it and the increased anonymity afforded
to those trying to bypass the authentication. Even when there is
little obvious financial benefit to bypassing the system, it can fail
on its own. The problems encountered by legitimate system users when
Windows Genuine Advantage and the Windows XP activation tools fail to
work properly have been well documented. If the system can fail
completely without user interaction, what benefit is it to those it is
trying to protect?
Introducing this sort of mechanism into the online environment is
much more difficult than merely allowing it to exist on the end
user's system. Developers and administrators need to be cognisant of
the problems posed by a stateless protocol that can serve consecutive
requests from seemingly different sources, as well as the wide variety
of end systems that might be used to reach the online service, not
only in terms of different operating system types, but also the use
of screen readers, mobile phones, kiosks, and any other
Internet-capable device. MAC addresses and hard drive serial numbers
can provide information to local applications, but they are more
difficult to reach via networked systems. Use of platform-dependent
technology like ActiveX can simplify this process, but it then leads
to security concerns and problems for users of other platforms (OS X
and Linux).
There are a number of methods available for basic authentication and
tracking of state across a site, but these all have drawbacks and
issues that become apparent when systems are scaled up and spread
across load balancing and the use of caching proxies. Even the
current 'best of breed' solutions have critical flaws where users can
force the system to a 'fallback' position and force it into a
remedial mode where the level of added security and authentication is
negligible (back to a simple question in some cases). Some of the
theories being put forward for implementation of one of these systems
include browser identification, username in use, system patch levels,
though each can be spoofed or hidden from the networked application.
At the end of the day, these approaches don't really tie down to a
specific system in use.
Part of the difficulty comes in creating a system that is rigid
enough to identify and alert to changes in hardware or end user
system configuration, yet flexible enough to allow and identify
multiple users from the same machine or a reasonable level of system
changes, such as those that might occur from replacing a hard drive,
applying system patches, or other routine changes. As a result, many
of the systems that come close to achieving these goals don't really
add much overall to the security situation faced by the application
or primary system.
From a holistic viewpoint, addition of a system designed to identify
specific systems can cause problems by actually weakening overall
security (thus highlighting problems exist in the overall system
design).
There are solutions, however.
One of the products in our testing lab is a platform independent
mechanism for attaining this goal. With nothing to install on the
user side, complete platform and system independence, it appears that
Nabu (the product under testing) is close to achieving the goal of
allowing users to safely interact with online services (and vice
versa) even when end systems and the joining network are completely
compromised. If using a web kiosk or heavily infected system could be
made as safe for online account interaction as a heavily locked down
read-only system, it would go a long way towards addressing one of the
key problems facing Information Security researchers today.
2.2 When InfoSec Companies are Targeted
One of the perils of being an Information Security company is that
they become targets of the individuals and groups that produce
malware and engage in illegal online activity. Antivirus and
antimalware vendors have been targets of this sort of activity for a
long time, with a high percentage of current malware actively
preventing infected systems from connecting to antivirus, system,
antimalware and major software vendors - hoping to prevent the
detection and removal of the malware. Some malware variants have even
gone so far as to trigger a payload of what amounts to a distributed
Denial of Service attack (dDoS) against specific targets, with each
infected machine attempting to connect to specific company websites
at certain times.
Other attacks can be more obvious. In the space of 24 hours recently,
WhiteDust, InfoSec Sellout, and Sûnnet Beskerming were all victims of
various attacks from unrelated parties. WhiteDust and InfoSec Sellout
had compromises to their online presence, with attackers replacing
arbitrary content on the main Internet sites associated with each
entity, and Sûnnet Beskerming being targeted with a 'Joe Job' spam run.
The attack against WhiteDust originally resulted in the arbitrary
replacement of news articles and site content, suggesting that the
attacker had either gained administrator access to the site, or was
using a set of SQL injection opportunities to modify backend database
content. In the time since the attack was first identified, the
WhiteDust site has gone completely offline, leaving only the
following message:
14 August 2007 - 23:58 GMT
With the industry and those in it so seemingly hostile to Whitedust, and
pure apathy from anyone who thinks otherwise. Why bother. This site is
now closed permanently. Its staff have abandoned the scene and the
industry for real world projects - for good, you won't be seeing us
again. You "Won".
Good luck out there. You'll need it.
-The Staff
At this time it is not known whether this is a message from the
attacker, or from WhiteDust staff (there has been no response from
WhiteDust at this time).
The InfoSec Sellout site was in the process of being reinstated after
accidental deletion when unknown parties appeared to take control of
the site and delete the content that had been replaced. As with
WhiteDust, this is not the limit of the disruption to normal site
operations, with the attacker taking the opportunity to fill the site
with spam content which is still in place at the time of writing this
article.
Sûnnet Beskerming, meanwhile, was victim to a major 'Joe Job' spam
run. A 'Joe Job' is when a spammer falsifies the 'Return' or 'From'
address in their spam emails. Not only does this act as a cover for
the true origin of the spam, but it also means that the innocent
victim receives heavy email traffic from bounced and rejected spam.
At its peak, Sûnnet Beskerming was receiving 50-100 messages per
minute, just from bounced replies.
It is worrying that, although the industry understands the concepts
and limitations of a 'Joe Job', many systems will still trust the
falsified data and still cause problems, years after it became known
how 'Joe Job' attacks work. This is something that email protection
systems should be taking care of, by default.
2.3 German Security Professionals in the Mist
German Information Security professionals were hopeful after the
proposed amendments to the UK Computer Misuse Act (via the Police and
Justice Act) were suspended, because if certain clauses had been
enacted they would effectively have made the entire Information
Security industry in the UK criminals. This hope was important
because earlier this year the German Government had introduced
similar language into Section 202c StGB of the computer crime laws,
which would make the mere possession of (creating, obtaining,
providing access to, selling, yielding, distributing or otherwise
allowing access to) tools like John, Kismet, KisMAC, Nessus, nmap, and
the ability to Google effectively, a crime.
Despite all efforts to peer through the mist about whether changes
would be made to the proposed law, as of today it became active
legislation. Penalties under the law include up to 12 months
imprisonment, a fine, and potential linkage to terrorism related
activities (at least as per sections 202a and 202b of the law).
Despite some observers fearing a 'Kristallnacht' in the near future,
and while it is likely there will be some abuses of the law (DMCA,
for example), the overall effect to Information Security work and
research in Germany is not likely to be all that great.
That doesn't mean that changes aren't already happening. A number of
security related products and groups have either closed up shop or
relocated to countries of convenience, such as the Netherlands.
KisMAC, an OS X wireless network discovery tool, has ceased
development and will soon be reappearing in the Netherlands. This was
one of the first tools to suddenly cease production in a public manner.
Phenoelit have also closed their German presence, though it may be
possible to find their content available online in other locations.
Those who can read German can see the response from the CCC, who are
currently holding their Chaos Communications Camp 2007 near Berlin
(think of DefCon, in a field, with tents). The CCC have decided that
since the German Government took this move, that it means that there
are no more security problems facing computer users.
Stefan Esser, the noted PHP Security activist, has withdrawn all of
the exploit code that originally accompanied the Month of PHP Bugs
project. As Stefan points out:
"The law does not affect our freedom of speech to report and inform
about security vulnerabilities and how to exploit them.
We are just not allowed to create/distribute/use software that could
be used as "hacking tools". "
Like many other legislative attempts to address real or perceived
problems with computer-based activity, the law fails to account for
reality. Others have pointed out that it is only those already
engaged in illegal activity that are using 'hacking tools'. The
legitimate security industry is using 'diagnostics' and other useful
utilities. Already it seems that the law will have the unintended
consequence of making legitimate research just that much harder, only
deterring the legitimate researchers and the opportunistic attacker.
The serious criminal will just keep on going with their malicious
activity, probably a little bit bolder - safe in the knowledge that
the German Government has just made it a little bit more difficult
for them to be found.
2.4 Protecting Aussie Internet Users for $190 Million
Within the last 24 hours the Australian Commonwealth Government
announced that they would be spending $189 million Australian dollars
($162 million USD) on a range of packages and programs designed to
protect Australian Internet users against all that the Internet has
to offer, under the name NetAlert. With increasing coverage by the
Australian media, it is worthwhile to investigate what the features
of the proposed scheme actually are, and whether they have any chance
of working.
While the $189 million is not being immediately assigned to the
effort, and reflects a number of endeavours under the guise of
protecting Australians against Internet nasties, there are some
critical problems with the approach that the Government is taking.
Amongst the list of projects that have been earmarked for the money are:
* Internet blocking software for Australian families.
* Resources for efforts to track and identify online predators
on social networking sites and in chat rooms.
* Closing down terror sites, and
* Reducing the variety of pornography viewable by Australian
Internet users
Announced during a streaming video presentation to the largest
Pentecostal evangelical church in Australia (Hillsong), an Assemblies
of God megachurch, the Prime Minister, John Howard, outlined several
measures that would immediately appeal to the conservative
(ultra-conservative?) audience: provision of Internet filters and
efforts to block pornography at upstream providers by working with
ISPs. More than 700 other Christian assemblies were linked into the
address, which meant that more than 100,000 Australians watched the
presentations. The leader of the Opposition, Kevin Rudd, also joined
in on providing a presentation to the assembled masses. This inclusion
suggests that if the party in government changes at the next Federal
election (later this year), then the plan will stay in place (Labor
have actually been ridiculed in the past for their ideas about what it
means to protect Australian Internet users).
Probably the most effective way that the money is going to be spent
will be to improve funding for various online investigative measures
being carried out by The Australian Federal Police such as efforts to
detect and investigate online predators. This may not be all that
effective, though, with the AFP not being well-known for its ability
to keep up with, adequately identify, and understand Internet based
threats.
Despite the difficulty of correctly being able to identify online
predators, something that the social networking companies and other
interest groups are already struggling with (do you share a name or a
birth date with a known predator? If you do, don't go online...),
money will still be poured after it.
Several million dollars to knock the stupid predators offline might
be considered a good investment for some.
One of the ironic measures being proposed is a bucket of money to
establish a working group to find ways around the privacy laws and
measures that are effectively protecting predators, presumably to
make arrest and prosecution easier. If the laws and measures that
protect predators are so effective, what is the $189 million needed
for, again? Why don't those measures work for those we are supposed
to protect?
Even though there are known problems with blacklists, money will go
towards expanding such a blacklist of nasty sites that Australians
aren't supposed to see. If it were the United States, it would be
considered part of the argument about net neutrality and what it
means to be designated a 'Common Carrier', though there are probably
a number of Australian ISP customers secretly pleased that they might
get to sue their ISP for allowing them to view nasty content (the
Government was supposed to stop it, right?).
The effectiveness and speed with which malicious content can be
placed on 'trusted' sites through blended attacks makes all of these
efforts almost worthless. Any impartial observer who noted the big
trends at recent Information Security conferences would have been
able to identify this pattern in an instant.
A hotline to help families install the Internet filtering software
being provided will presumably join the National Security Hotline as
a widely derided black hole of funds, with limited usefulness (if VCR
clocks are taken as a precedent, then the helpline is probably going
to be staffed by the very children that the filters are meant to
stop looking at nasty material).
While voices against the measures have largely focussed on the choice
of audience (Christian conservative), it should not be forgotten that
there will be criticism from those in the technical community who
understand the sorts of threats and problems that are trying to be
faced by the measures.
There is fairly strong support for the measures from those who
watched the presentations, ranging from those who are supportive of
measures to help them limit what they and their children can see
online to those supportive of the additional resources to hunt down
online predators.
Countering this is the argument that parents should not expect the
State to do their parenting for them if they are unwilling to. No one
is arguing against extra resources to track, identify, and prosecute
predators - so long as law enforcement get it right. The amount of
money being thrown at the problem has raised some objections, though.
Others have pointed out the abject failure of filtering software to
deal with health resources like breast cancer awareness and support
groups, breast feeding information, and the heavy handed treatment of
sites that push information and opinions that the filtering companies
object to (consider how various Left and Right blogs / news sources
are treated by different filtering programs). Others have pointed to
the inability of filters to keep up with the ability of those with
malicious intent to change the location and presentation of their
'objectionable material'.
At the end of the day, any teenager or young child that is adept
enough to intentionally seek out the content that this scheme is
designed to suppress will have the ability to sidestep the protection
mechanisms implemented by the program.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.