[Sunnet Alert] Advisory #245 - Microsoft (Multiple), Firefox, GIMP, QuickTime, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Fri Jul 13 18:15:40 EST 2007
Sûnnet Beskerming Alert List Advisory #245
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 Days
1.2 Firefox
- Remote Hacker Automatic Control
- Time Since Discovery - 7+ Days
1.3 GIMP
- Local Hacker Automatic Control
- Time Since Discovery - 7+ Days
1.4 QuickTime
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Keeping Information Timely
2.2 Focussing on SAP
2.3 Big Media Consolidation
2.4 Antivirus Vendors Head to Court
2.5 A Matter of Numbers
2.6 It's Official, the iPhone has been Hacked
2.7 Microsoft July Security Patch Release
2.8 A Present for our Readers
2.9 Aussies face the threat of Robo-Pacinos
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows 2000, XP, 2003, Vista
Visio 2002, 2003
Outlook Express
Windows Mail
-- Technical Description --
MS07-036 - Office. Multiple arbitrary remote code execution. Critical
MS07-037 - Publisher. Arbitrary remote code execution. Important
MS07-038 - Vista. Information disclosure. Moderate
MS07-039 - Active Directory (LDAP). Remote code execution. Critical
MS07-040 - .NET Framework. Multiple arbitrary remote code
execution. Critical
MS07-041 - IIS. Arbitrary remote code execution. Important
-- Description --
Microsoft delivered six patches as part of the July Security Update
release. Three of the patches have been rated as critical, two as
Important, and the remaining patch as Moderate. Exploit code has
already begun to circulate for a number of the vulnerabilities. A
number of users are reporting issues with the installation and use of
MS07-040.
-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.
-- Source --
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U    O
Home User    10   10  (Highly Critical)
Corporate    10   10  (Highly Critical)
1.2 Firefox - Remote Hacker Automatic Control
-- Products Affected --
Firefox 2.0.0.4 and prior.
-- Technical Description --
Firefox on Windows fails to properly parse command line parameters
that are passed, allowing third party applications to run arbitrary
code within the context of the trusted Chrome setting. Specifically,
it is the registration of the 'FirefoxURL' handler which allows for
commands to be passed to Firefox. A separate issue exists with
Firefox's handling of wyciwyg: URIs. It is possible for a local user
(or website) to bypass the protections preventing access to these
cache related URIs, thus allowing access to potentially sensitive
content.
-- Description --
A demonstration of a vulnerability which allows attackers to pass
arbitrary content to Firefox for execution in the 'Chrome' context
has been released, using a link from within Internet Explorer to
execute the attack. Another vulnerability has also been identified
which allows for access to potentially sensitive cache content (on
all systems). Based on the available source code, it is possible for
attackers to embed links in their websites such that when they are
visited with Internet Explorer, arbitrary code can be run against
Firefox on Windows.
-- Recommended Action --
It is possible to deregister the 'FirefoxURL' handler in the
Registry by modifying the 'HKEY_CLASSES_ROOT\FirefoxURL' entry
(caution is urged when manipulating the Registry).
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U    O
Home User     8    8  (Very High)
Corporate     8    8  (Very High)
1.3 GIMP - Local Hacker Automatic Control
-- Products Affected --
GIMP 2.2.15 and prior.
-- Technical Description --
Arbitrary code execution due to integer overflow vulnerabilities in
GIMP when handling DICOM, PNM, PSD, PSP, Sun RAS, XBM, and XWD file
formats. The vulnerability in the Sun RAS format handling has been
known since April, but the other formats are new disclosures.
-- Description --
iDefense have released an advisory that expands on a previously
known issue (Sunnet Alert Advisory #227 - April 07) affecting GIMP
and the handling of various image types through external plugins.
Previously, it was known that the Sun RAS format was vulnerable, but
numerous other formats are now known to be vulnerable. Successful
exploitation requires the victim to open a malicious image file in
GIMP.
-- Recommended Action --
Update to GIMP version 2.2.16 at the earliest opportunity.
Alternatively, move unused (and affected) image handling plugins out
of the gimp/2.0/plug-ins directory.
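As an added illustration of the bug class behind this item (this is not GIMP's plugin code; only the standard Sun RAS header layout of eight big-endian 32-bit words is taken from the format itself), the following shows the unchecked buffer-size computation that wraps on large file-supplied dimensions, beside a hardened version that refuses any header whose width * height * bytes-per-pixel would overflow or exceed a constructed allocation cap. The cap value, the restriction to 8/24/32-bit depths and the make_header/demo_* helpers are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A Sun RAS file starts with eight big-endian 32-bit words: magic, width,
 * height, depth, length, type, maptype, maplength. Only the first four
 * matter for sizing the pixel buffer. The loader logic here is illustrative
 * and is not GIMP's plugin code. */
#define RAS_MAGIC       0x59a66a95u
#define RAS_HEADER_LEN  32
/* Largest decoded image this demo is willing to allocate (constructed cap). */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

typedef struct { uint32_t magic, width, height, depth; } ras_header;

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the sizing fields; rejects truncated input and a wrong magic. */
bool ras_parse_header(const unsigned char *buf, size_t len, ras_header *h)
{
    if (len < RAS_HEADER_LEN) return false;
    h->magic  = be32(buf);
    h->width  = be32(buf + 4);
    h->height = be32(buf + 8);
    h->depth  = be32(buf + 12);
    return h->magic == RAS_MAGIC;
}

/* The defect class: the buffer size is computed in 32-bit arithmetic from
 * file-controlled dimensions. Large width/height wrap the product to a small
 * value, so a small buffer is allocated and then overrun when the decoder
 * writes width*height pixels into it. */
uint32_t ras_pixel_bytes_unchecked(const ras_header *h)
{
    return h->width * h->height * (h->depth / 8);
}

/* Hardened form: validate the depth, refuse zero dimensions, test each
 * multiplication against SIZE_MAX before doing it, and cap the total.
 * Returns false and leaves *out untouched when the header is rejected. */
bool ras_pixel_bytes_checked(const ras_header *h, size_t *out)
{
    if (h->depth != 8 && h->depth != 24 && h->depth != 32) return false;
    if (h->width == 0 || h->height == 0) return false;
    size_t bpp = h->depth / 8;
    if ((size_t)h->width > SIZE_MAX / (size_t)h->height) return false;
    size_t pixels = (size_t)h->width * (size_t)h->height;
    if (pixels > SIZE_MAX / bpp) return false;
    size_t bytes = pixels * bpp;
    if (bytes > MAX_IMAGE_BYTES) return false;
    *out = bytes;
    return true;
}

/* Build a constructed 32-byte header (test input, not a real file); the
 * four trailing words are left zero. */
void make_header(unsigned char *buf, uint32_t w, uint32_t h, uint32_t depth)
{
    const uint32_t v[4] = { RAS_MAGIC, w, h, depth };
    memset(buf, 0, RAS_HEADER_LEN);
    for (int i = 0; i < 4; i++) {
        buf[4 * i]     = (unsigned char)(v[i] >> 24);
        buf[4 * i + 1] = (unsigned char)(v[i] >> 16);
        buf[4 * i + 2] = (unsigned char)(v[i] >> 8);
        buf[4 * i + 3] = (unsigned char)v[i];
    }
}

/* Size a constructed header both ways. demo_checked returns 0 when the
 * hardened check rejects it (0 is never a valid size, so it is unambiguous). */
uint32_t demo_unchecked(uint32_t w, uint32_t h, uint32_t depth)
{
    unsigned char buf[RAS_HEADER_LEN]; ras_header hdr;
    make_header(buf, w, h, depth);
    return ras_parse_header(buf, sizeof buf, &hdr) ? ras_pixel_bytes_unchecked(&hdr) : 0;
}

size_t demo_checked(uint32_t w, uint32_t h, uint32_t depth)
{
    unsigned char buf[RAS_HEADER_LEN]; ras_header hdr; size_t bytes = 0;
    make_header(buf, w, h, depth);
    if (!ras_parse_header(buf, sizeof buf, &hdr)) return 0;
    return ras_pixel_bytes_checked(&hdr, &bytes) ? bytes : 0;
}
```

A 65537 x 65536 x 8-bit header sizes to 65536 bytes in the unchecked version (the true requirement is just over 4 GiB), which is exactly the allocation-too-small condition that a later row-decoding loop overruns; the checked version rejects it outright.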
-- Source --
http://labs.idefense.com/intelligence/vulnerabilities/
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U    O
Home User     6    6  (High)
Corporate     6    6  (High)
1.4 QuickTime - Remote Hacker Automatic Control
-- Products Affected --
QuickTime 7.1.6 and prior.
-- Technical Description --
Memory corruption when handling H.264, .m4v, SMIL or arbitrary movie
file content can lead to arbitrary code execution. This update also
provides enhanced protection for the QuickTime for Java issue that
was patched earlier this year. Further issues affecting QuickTime for
Java have also been addressed, including removing support for JDirect.
-- Description --
Apple Inc have released version 7.2 of the QuickTime media codec and
associated player application. This release addresses a number of
serious vulnerabilities that can allow a remote attacker to take over
a vulnerable system if the victim can be convinced to interact with a
malicious media file. In addition to fixing security issues,
QuickTime 7.2 provides enhanced capabilities to QuickTime.
-- Recommended Action --
Update to QuickTime 7.2 at the earliest opportunity, either through
the download link below, or through Software Update.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
              U    O
Home User     9    9  (Critical)
Corporate     9    9  (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Keeping Information Timely
One of the pressing problems that has plagued information sources
since before the Internet is ensuring the timely dissemination of
information, before it becomes stale or out of date. With Information
Security news and related online sources, arriving at a news source
late could have significant cost to business operations or system
stability due to attackers capitalising on threat information that
you aren't aware of.
A Sûnnet Beskerming article on strange Internet traffic patterns that
had been observed drew a lot of traffic and exposure from a number of
sources. Besides being an excellent demonstration of how information
propagates across the Internet, it showed first hand that some
communities could be accessing information for the first time over a
week after it first appears, when its viable lifespan was measured in
hours, not days. Had the information been related to a rapidly
emerging threat, there were a number of communities that would have
discovered that information too late. Even with wider dissemination
of the article, it would have required a concerted concurrent effort
to publish and report the article within a timeframe so that the raw
underlying data would still be relevant.
From a similar point of view, using information that is out of date
can also introduce significant risks to operations and protection of
critical systems and data stores. Information Security seems to be a
field where accepted knowledge and best practices are overturned on a
regular basis due to improved understanding of available threats, the
evolution of new threats, or the development of more robust
methodologies for protection and management.
Just in the last decade and a half in the Information Security field,
the commonly accepted dogma that email and image files are not virus
propagation vectors has been overturned. For many in the Information
Security field it was the seminal paper by Aleph One, 'Smashing the
Stack for Fun and Profit', which really began to show them the risks
associated with vulnerabilities that had otherwise been thought
benign, and the paper was only released in the year 2000.
Users have been connected to the Internet since it was the DARPANet,
but the risks of online activity are still somewhat less understood
when compared to risks associated with compromised desktop
applications. While the risks of visiting untrusted websites are
becoming better known, the true risk of online activity and web
browsing is still being ascertained. Leading research in web
application vulnerabilities and threats is still only scratching the
surface of the issues tied to this platform.
The concept of AJAX worms, JavaScript LAN enumeration and testing,
and non-JavaScript enumeration and testing are areas that are pushing
the field of Web application security forward at a time when most
users are struggling to understand the importance of a secure
transaction (or even what to look for and how to recognise one).
With many of the leading voices in web application security still
only in their early to mid twenties (and with some high school
seniors mixed in), it is a young field that is doing its best to
establish what can and cannot be done with web applications.
Information being generated by these researchers is busy turning over
accepted dogma that itself may only be a couple of years old. Reading
the wrong technical book, or not keeping up with the latest
developments could place developers, site maintainers, and security
representatives at a distinct disadvantage when creating and
maintaining online services.
Even though buffer overflows and their associated risks are
relatively well known and understood, the fact that they still crop
up in modern systems (such as Windows Vista) means that even with
security-aware development, there are still risks and vulnerabilities
that can enter complex systems (which may be so complex that they
cannot be completely understood or modelled accurately). Keeping current
with information that has not expired or otherwise become out of date
is one of the best ways to help prevent the ongoing inclusion of
known risks in development and maintenance of new services and
applications.
2.2 Focussing on SAP
NGS Software, better known for their focus on Oracle products, have
released information about a brace of SAP product vulnerabilities,
ranging from low to critical risk for users who have not updated
their products.
SAP, like many other ERP / CRM / HRM / Enterprise systems, has a heavy
web-based interface component, which makes these products one of the
most prominent targets for web vulnerabilities (and most of the
disclosed issues are web vulnerabilities). There are plenty of
examples of poorly secured corporate networks where these applications
can be interacted with from the general Internet (finding the
appropriate Google Dorks is an exercise for the reader), so SAP
administrators should expect increased probing of their systems, given
that sample exploitation code was provided with the vulnerability
disclosure reports.
SAP have provided patches for these issues in updates from January to
May (product dependent), so administrators and caretakers of SAP
systems should update as a matter of urgency, if they haven't already
applied the patches.
2.3 Big Media Consolidation
Rumours are flying thick and fast about the push by Rupert Murdoch's
News Corporation to take over the Dow Jones media group (owners of
the Wall Street Journal and other media assets).
News of the proposed purchase rocked much of the media world when the
bid for $60 per share was made in April, though it was welcomed by
many outside observers. While the purchase of the financial news
powerhouse might seem out of the ordinary for the owners of the Sky
network and Fox, a number of outside observers believe that it might
be the push that the Wall Street Journal and other Dow Jones assets
need to improve their awareness and relevance in new markets. It
could be argued, though, that the Wall Street Journal and Dow Jones
already carry sufficient brand recognition not to require assistance
from News Corporation.
Although the deal has not yet been settled, most sources agree that
it is only a matter of days away from being settled, for a purchase
price in the range of $5 billion USD.
It appears that the removal of bids from the owners of the Financial
Times and GE led to News Corporation's bid (with a 67% premium) being
the last one standing.
2.4 Antivirus Vendors Head to Court
A growing dispute between Kaspersky Lab and Rising Tech in China is
now headed to court after Kaspersky sued Rising Tech for
anticompetitive business practices.
The growing dispute, tracked by the Chinese Internet Security
Response Team, started when an update issued by Kaspersky for their
antivirus products misidentified some of the files associated with
the Rising Tech antivirus products as being malicious. This
misidentification meant that the Rising Tech products could not be
updated. It is unlikely that the problem was very widespread, as it
would have required affected users to be running both Kaspersky and
Rising Tech software and updating them whenever a new definitions
file was released. Even so, it was still a problem that needed rapid
rectification.
Kaspersky, based in Russia, and Rising Tech, a Chinese Antivirus
vendor, kept up the slanging match, with Rising Tech accusing
Kaspersky of misidentifying files at least 22 times within a six
month period, accusing Kaspersky of "show[ing] despise for Chinese
users". Rising Tech announced on the 30th of May that they were
planning to sue the Beijing office of Kaspersky for unfair
competitive practices (though it isn't known whether this suit was
brought to court).
Misidentification of critical system files and competitor files is an
unfortunately all-too-common problem that many antivirus and
antimalware vendors have encountered in the past, with several
significant incidents taking place in China over recent months. The
outcome from the case could have widespread ramifications for
antivirus vendors and the misidentification of system and competitor
files, so the outcome from the Tianjin No.1 Intermediate People's
Court is likely to be watched with interest.
2.5 A Matter of Numbers
Over the last couple of weeks traffic to Sûnnet Beskerming has
skyrocketed, largely as the result of introducing our new online
delivery formats for security news and commentary. Since the start of
July, Sûnnet Beskerming content has appeared on many websites,
attracting many thousands of new and eager readers.
Since introducing the new format for content delivery at the end of
June, Sûnnet Beskerming has gone from success to success with
attracting new readership and distribution methods. From time to time
readers will note our content appearing on The Register, Planet-
Websecurity.org, and a number of other sites. Just in the last week,
we have seen our content appear on the following sites:
* The Register
* RootSecure
* InfoSec News
* Planet-Websecurity.org
* Security Bloggers Network
* WhiteDust
* Reddit
* Digg
* Security News Portal
* Slashdot
A question that is often asked is - what is the effect of a
Slashdotting? Although little traffic was observed in the period
following the appearance of our article on Slashdot (due to it being
the weekend), come Monday morning traffic spiked at 160 kilobits per
second of data transfer, before tailing off to a sustained 40
kilobits per second of data transfer several hours later. In
comparison, Reddit peaked at just under 100 kilobits per second of
sustained data transfer, with a much quicker tail off period.
Based on the traffic from last week, Sûnnet Beskerming expects to
attract 60,000 hits per month, based on normal traffic, and triple
that in referred traffic from online distribution (based on one
Reddit and one Slashdot front page article per month). Another 40,000
hits per month are estimated from readership of the primary Sûnnet
Beskerming RSS feed, based on the last few weeks of traffic.
How is it kept running? With a mix of XHTML, PHP, and CSS,
beskerming.com was built by hand completely in house. Always
conscious of the need to deliver content in the most efficient manner
(after all, not everyone has broadband), we have looked at different
ways to bring the same content to the end user without creating a
bandwidth-hungry page. As a result, most of our pages weigh in at
around 100 KB, with the significant proportion of content being
informational text. Our hosting provider also provides us with
sufficient hosting capacity to endure a slashdotting without
straining the underlying hardware and network connections.
Thank you to our readers for helping make our commentary and articles
a success; we trust that you will stay with us into the future to
keep up to date on important Information Security news and events.
2.6 It's Official, the iPhone has been Hacked
Less than two weeks from the release of the iPhone, the researchers
(#iphone @ irc.osx86.hu) who have been rapidly progressing towards
controlling the iPhone have finally succeeded. Even though their most
promising approach, via the bootloader, was cut short when it was
discovered that they could not load arbitrary code into the
bootloader without Apple's 1024-bit private RSA key, they have now
claimed success through their filesystem investigation methods.
Despite not having developed a complete toolchain, as they were
expecting to have done prior to controlling the iPhone, they have
claimed complete control over the device, providing a slightly blurry
screenshot as evidence of their achievements.
According to the detailed instructions that they have posted online,
it will soon be possible (once they commit the code to the SVN) for
anybody with an iPhone and the intent to take full control over their
device. The detailed instructions do require two
reboots along the way to taking control over the device (a third
reboot then gives complete control), with both reboots into the
device's Recovery mode. As part of this process, the researchers have
been able to escape the chroot jail that was blocking most of their
forward progress.
After so much effort has been expended on researching ways to take
control over the device, it appears that it comes down to a simple
permissions change on 'fstab', and a simple addition to the
'Services.plist' file. Of course, simple is relative: prospective
hackers and researchers still need the as-yet unreleased
'iPhoneInterface' version.
While the researchers involved do not wish for direct links to their
development wiki, it is simple enough to find for those who search
for it.
Now that this milestone has been released, it will be interesting to
wait and see what sort of homebrew community develops around being
able to have system-wide access to the iPhone, to see what Apple's
response to this breakthrough will be, and to see what sort of
influence this event has (remember, the number of iPhones in
circulation isn't much more than a million).
2.7 Microsoft July Security Patch Release
Microsoft have released six patches with the July 2007 Security Patch
Release. As per the pre-release information that was provided last
week, Microsoft released three Critical patches, two Important
patches, and one Moderate patch.
Although there are no known exploits for most of the issues (there
are some minor exploits known for the IIS patch), it is expected that
exploit data and detailed vulnerability code will be released over
coming days by the researchers responsible for the discovery. It
remains to be seen whether the suspected .NET 0-day will receive
widespread release in coming days.
There were minor concerns of a new threat to Windows users after a
release was made to a number of security mailing lists claiming to
have a new 0-day targeting Internet Explorer, though this was later
found to be closely related to known historical problems with the
handling of different protocols by Internet Explorer (which led to
arbitrary code execution).
As with all other monthly patch releases, Sûnnet Beskerming provides
detailed patch summaries and briefs for all users.
2.8 A Present for our Readers
Here at Sûnnet Beskerming we like any excuse for a celebration, and
what better way to celebrate than to give out presents (yes, we know
you should be giving us the presents, but we're feeling happy and
generous).
For the month of July, all site visitors, RSS readers, or anybody who
decides to look in on our site can obtain our July 2007 Security
Patch Briefing Pack, completely free. All you need to do is to click
on the link to be taken to our online store, then select the 'try'
button (or go to our site, select the Products & Services tab, then
Security Patch Briefing, before selecting one of the 'Per Report'
options). You will then be able to download a .zip containing our
briefing pack for this month's Security Patch Release from Microsoft.
The link points to the SME version of our briefing pack, but it is
the same download for the other service levels. Depending on your
service level, this pack is worth between $5 and $5,000.
What is the reason for this celebration? We've been keeping a close
eye on our web server logs after our recent high traffic periods and
noticed something very interesting over the last couple of days. Not
only were we receiving traffic from more and more interesting and
diverse sources (we're glad to make a difference for them all - even
if some are profiting from our free resources), but some search
engine referrers were implying some interesting results. At the time
of writing, the following Google searches have us extremely high up
in the listings:
"platform draws" - We don't quite understand why someone would be
searching for this particular phrase, but we come out on top.
"July 2007 Microsoft Patch" - We are the first non-Microsoft result
on what is probably a very popular search term at the moment.
"ARP Poisoning WPA2" - While it is one of our older articles that
turns up first, we are extremely pleased to show up first for this
query.
It is likely that we are scoring highly on a range of other searches;
these were simply three of the most recent search engine referrers to
turn up in our logs, and three for which we return extremely relevant
and useful results. If this is how you have found our content, please
enjoy your visit.
2.9 Aussies face the threat of Robo-Pacinos
If reporting from The Age newspaper is to be believed, the Australian
Federal Police (AFP) Commissioner, Mick Keelty, briefed a
Parliamentary Inquiry into the future impact of organised crime that
Australians would be facing the threat of part-robot humans involved
in organised crime in the future.
Without access to the transcripts from the Inquiry, it is difficult
to determine exactly what the Commissioner did say. Taken at face
value, the report has begun receiving attention from
security-focussed sites and blogs, not a lot of it favourable to the
Commissioner's position.
So, what is it that the Commissioner might have said? If the Inquiry
that is mentioned is the Inquiry into the future impact of serious
and organised crime on Australian society, then there is no record of
the transcript available for the session held on July 5, but there is
a record of him having provided a brief to the Inquiry.
Looking at the submission that the AFP made to the above Inquiry,
there are elements which suggest that the Commissioner may have used
it as a springboard for his comments to the Inquiry. Further research
also turns up the transcript of the Commissioner's speech delivered
to the Pearls in Policing Conference, delivered on June 11.
Combining these two sources, the seemingly outrageous claims made in
the article in The Age seem to have a valid background in previous
material published by the AFP.
It is accepted that organised crime groups are making efficient and
effective use of technological advances to enhance their own
activities. The recent spate of Mpack website infections can be
linked back to suspected East European organised crime groups that
have previously been active in other online criminal activity, and it
is well known that many other organised crime groups maintain an
active online activity base.
Whether or not viable cloning and robotic integration will take place
within 20-30 years is more speculation than informed policing. There
are enough dissenting voices out there that almost any position can
be taken on where human cloning and robotic integration will end up,
and it will appear to be a valid claim.
Unfortunately, the Commissioner seems to come across as someone whose
advisors have read too many press releases and dubious whitepapers
and not watched enough 'Ghost in the Shell' to recognise where their
ideas have been previously cleanly laid out and elaborated in an
easily digestible format (especially the concept of a digital copy of
an individual's brain - wrongly attributed to Second Life). If we see
the AFP renamed to Section 9, then we will know where they have been
looking for inspiration.
Citing the presence of scams affecting online environments such as
Second Life (it helps if the correct names and terminology are used
for elements of the environment), the Commissioner suggests that some
of these activities could be illegal, but difficult to track, monitor
and enforce. The answer to this is surprisingly simple, even more so
than the efforts being put into trapping criminals who are active
through other online communication channels. Second Life, World of
Warcraft, EvE Online, and every other form of online community and
virtual world can all be boiled down to the following simple facts:
* Individuals implement a persona when they become part of an
online community
* Individuals may use this persona to engage in actual,
attempted, or simulated criminal acts. Intent now becomes an
important factor.
* It can be tracked. Information will be present on the victim's
system, the perpetrator's system, and more than likely the servers
providing the service. If those servers are in countries where laws
and their application are different, then other existing laws can
come into effect. There is precedent for applying national or state
law to online services that are provided within relevant political
boundaries, but it is fraught with loopholes and simple bypass
mechanisms - something that law enforcement needs to be aware of,
especially given that there will always exist ways around the online
enforcement of legislation.
On the positive side, the Commissioner did acknowledge that the AFP
is really in the position of playing catch up in a number of these
technical fields. He acknowledged that the AFP does not currently
maintain the technical expertise to fully understand the legal and
policing ramifications of different technological activity, and will
need to enhance their interaction with industry in order to
strengthen their future position.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.