[Sunnet Alert] Advisory #241 - Microsoft (Multiple), Safari, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Thu Jun 14 01:10:44 EST 2007
Sûnnet Beskerming Alert List Advisory #241
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 1 Day
1.2 Safari
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Microsoft's June Security Patch Release
2.2 From Release to Attack in a Few Hours
2.3 An Apple a Day
2.4 Gaming the System = $1,000,000 USD?
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows 2000, XP, 2003, Vista
Visio 2002, 2003
Outlook Express
Windows Mail
-- Technical Description --
MS07-030 - Visio. Arbitrary remote code execution. Important
MS07-031 - Schannel. Arbitrary remote code execution. Critical
MS07-032 - Vista. Information disclosure. Moderate
MS07-033 - Internet Explorer. Cumulative update for multiple
vulnerabilities. Critical
MS07-034 - Outlook Express / Windows Mail. Cumulative update for
multiple vulnerabilities. Critical
MS07-035 - Windows. Arbitrary remote code execution. Critical
-- Description --
Microsoft delivered six patches as part of the June Security Update
release. Four of the patches have been rated as critical, with one
as Important, and the remaining patch as Moderate. Exploit code has
already begun to circulate for the vulnerabilities that have been
patched today. It should be noted that Microsoft have re-released
MS07-012 and MS07-018 as well.
-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.
-- Source --
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
            U    O
Home User   10   10   (Highly Critical)
Corporate   10   10   (Highly Critical)
1.2 Safari - Remote Hacker Automatic Control
-- Products Affected --
Safari At least version 3.0
-- Technical Description --
Numerous arbitrary remote code execution and denial of service
vulnerabilities have been discovered in the new Safari 3 Beta. Most
vulnerabilities target the Windows version, though some affect both
versions. Exploit code is readily available for some of the
vulnerabilities, but details and exploit code for others are being
withheld until the release of Leopard (OS X 10.5) for greater impact.
-- Description --
The brand new Safari 3 Beta has been discovered to have numerous
vulnerabilities affecting it, including a number of vulnerabilities
that will allow a remote attacker to take complete control of a
vulnerable system, and dozens that will prevent use of the browser by
the local user. Exploits are readily available from a number of
sources, and it is recommended that users refrain from downloading
the Beta if they are planning to use it for general Internet usage.
While most vulnerabilities target the Windows version, some also
affect the OS X Beta.
-- Recommended Action --
Avoid using the Safari 3 Beta outside of a testing environment until
Apple is able to release security patches to address the issue.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
            U    O
Home User   9    9    (Critical)
Corporate   9    9    (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Microsoft's June Security Patch Release
As expected, Microsoft released six patches yesterday as part of the
June 2007 Security Update release. What was not expected was the
re-release of two earlier patches, MS07-012 (Microsoft MFC) and MS07-018
(Microsoft CMS). The re-release of these patches was to address some
relatively minor issues that had been encountered since their
original release, as well as to add support for extra OS versions.
Closely following the release of the patches has come a range of
sample exploits that target the vulnerabilities patched by the
Updates. At this stage there is not much sign of the '0-day'
Wednesday that follows some Patch Tuesdays, but it is likely that
there will be some previously unseen vulnerabilities that are
released over the next few days.
2.2 From Release to Attack in a Few Hours
Within a matter of hours of the announcement at Apple's WWDC that the
Beta version of Safari 3 was available for download on Windows and OS
X came news that several security researchers had already found
serious vulnerabilities affecting the software.
Even though the software is in Beta, the semi-production quality of
many Beta releases from other companies (such as Google, who are
notorious for leaving their products in an extended Beta phase, even
after supposed public release) has given most users a false sense of
the stability that they should expect from a Beta release.
The public announcement of the vulnerabilities' existence before
notifying the vendor (Apple) has been widely criticised, especially
as the announcement was accompanied by statements that the
researchers were intentionally not notifying Apple of the issue.
Some of the vulnerabilities discovered so far will affect both
Windows and OS X versions of Safari, so OS X users should not be
ignoring the vulnerability reports just because they initially work
on the Windows version of the browser.
2.3 An Apple a Day
Apple Inc.'s Worldwide Developers Conference (WWDC) is currently
running in California and one of the highlights that many look
forward to, even amongst the wider technical community that otherwise
has little interest in an Apple event, is the opening Keynote address
delivered by Steve Jobs on Monday.
In amongst confirmation of delivery dates for products like the
iPhone (Late June for North America), and OS X 10.5 - Leopard
(October 2007), and the availability of Leopard for developers, is
surprising news that Apple have developed their flagship Internet
browser Safari for the Windows platform. This beta product, Safari 3,
has already gained the attention of a number of security researchers
who are busily pulling it apart as quickly as they can (see earlier
commentary).
In terms of security technology concerns, Safari 3 and Leopard are
obvious choices, but the announcement of how applications will be
developed to target the iPhone came as a surprise to many. Steve Jobs
announced that while applications from third party developers would
not be developed to run directly on the phone, they would be running
an effectively complete application platform through the browser on
the phone. Making use of existing technology, such as that which
comprises AJAX / Web 2.0, developers should be able to create
'applications' for the iPhone.
From a practical perspective it means that if you can host it on the
web, then an iPhone can use it.
From a security perspective, the level of access to background
iPhone data (like the address book and call parameters) by these
externally hosted applications is likely to throw up some very
interesting challenges and vulnerabilities in coming months.
2.4 Gaming the System = $1,000,000 USD?
Business news channel CNBC has recently been running a competition
where the holder of the best virtual investment portfolio over a
certain period would win $1 million USD.
It appears that the lure of so much cash was too much for some
people. Claims have been made that the winners of the competition may
have exploited a weakness in the browser-based system that was used
to track and manage the competitors' virtual portfolios.
Specifically, it appears that if a competitor opened a browser window
with a pending trade prior to the closure of the stock market at 4
pm, then it was possible to conduct an after-hours trade at the
closing price. This meant that competitors could observe stock price
movement in after hours trading, especially large movement associated
with major company news and dividend allotment, and adjust their
trade accordingly.
Because the system being used by CNBC did not flag these trades as
improper, it allowed competitors to build a significant advantage
over those not using the system.
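The weakness described above is a check made when the trade page is opened rather than when the order is submitted. The following is an added example, not code from this advisory or from CNBC's system: the function names, the 30-second quote window, the session start time and the sample symbol are assumptions made for illustration. It shows the weak handler beside one that decides on server time at submission and flags late orders.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

MARKET_OPEN = time(9, 30)               # assumed session start
MARKET_CLOSE = time(16, 0)              # 4 pm close, as in the advisory
MAX_QUOTE_AGE = timedelta(seconds=30)   # assumed freshness window

@dataclass
class PendingTrade:
    """State captured when the trade form is rendered in the browser."""
    symbol: str
    quoted_price: float
    rendered_at: datetime

def market_is_open(now: datetime) -> bool:
    return now.weekday() < 5 and MARKET_OPEN <= now.time() < MARKET_CLOSE

def submit_trusting_form(trade: PendingTrade, now: datetime) -> dict:
    """Weak model: market hours are checked only against the render time."""
    # `now` is ignored, so a form opened at 15:58 still trades hours later.
    if not market_is_open(trade.rendered_at):
        return {"accepted": False, "reason": "market closed at render"}
    return {"accepted": True, "price": trade.quoted_price}

def submit_checked(trade: PendingTrade, now: datetime) -> dict:
    """Hardened: decide on server time at submission and flag late orders."""
    if not market_is_open(now):
        return {"accepted": False, "flagged": True,
                "reason": "submitted after market close"}
    if now - trade.rendered_at > MAX_QUOTE_AGE:
        return {"accepted": False, "flagged": False,
                "reason": "quote expired, re-price required"}
    return {"accepted": True, "price": trade.quoted_price}

def demo() -> list:
    # Constructed sample: form opened 15:58 on a Wednesday, submitted 17:30.
    trade = PendingTrade("EXMP", 25.00, datetime(2007, 6, 13, 15, 58))
    late = datetime(2007, 6, 13, 17, 30)
    in_time = datetime(2007, 6, 13, 15, 58, 10)
    return [submit_trusting_form(trade, late),
            submit_checked(trade, late),
            submit_checked(trade, in_time)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The `flagged` field gives operators the record of improper after-hours submissions that the advisory says the original system did not produce.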
The case was highlighted by a competitor who was using 1,600 virtual
portfolios to try and cover the movement in the market (a practice
that some regard as outside the spirit of the competition).
While CNBC have engaged the services of some external security
experts, there could be grounds for legal action against CNBC by
affected competitors (especially with so much money at stake). CNBC
have also suggested that other attempts to defeat the system were
made, though apparently not as successfully.
It should be noted that the exploitation of the system weakness
actually parallels a real but unethical trading problem that some
markets have faced in the past, where preferable trades between
interested parties have been made using significantly outdated
pricing data.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.