[Sunnet Alert] Advisory #213 - PHP (Multiple), Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Thu Mar 22 20:52:29 EST 2007


Sûnnet Beskerming Alert List Advisory #213

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	PHP (Multiple)
	- Remote Hacker Automatic Control
	- Time Since Discovery - Several Days
=======================================

/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data?
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1	VoIP / WAP Phones To Be Illegal In The UK?
2.2	Wetware Is Still The Biggest Security Risk
2.3	Ethical Boundaries In Research
2.4	Information Security Company Complains About Lack Of OS X Malware
=======================================

1.	SECURITY

1.1	PHP (Multiple) - Remote Hacker Automatic Control

	-- Products Affected --
	All versions of PHP (4, 5)

	-- Technical Description --
	Numerous arbitrary code execution and denial of service  
vulnerabilities continue to be released as part of the MOPB project.   
Mitigating the risk of many of the serious vulnerabilities is the  
need for the attacker to be able to run arbitrary PHP code on the  
targeted server (though that can be achieved through alternate means  
- XSS or file upload vulnerabilities).  Increasing numbers of exploit  
samples are surfacing which target the vulnerabilities discovered  
through the project.

	-- Description --
	The Month of PHP Bugs (MOPB) project continues to throw up  
vulnerabilities that affect the popular scripting and web application  
language.  While there are a number of serious vulnerabilities,  
including weaknesses that can allow an attacker to run software of  
their choice on a compromised system, the need for attackers to be  
able to run arbitrary PHP code to begin with mitigates the complete  
risk associated with many of these issues.

	-- Recommended Action --
	Update to the latest versions of PHP as appropriate, and consider  
the use of alternate protection packages, such as Suhosin, as an  
adjunct to existing protection mechanisms.

	-- Source --
	http://www.php-security.org/

	-- Threat Matrix --
			U	O
	Home User	9	9 (Critical)
	Corporate	9	9 (Critical)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	VoIP / WAP Phones To Be Illegal In The UK?

While the headline is somewhat alarmist, that is the very conclusion  
drawn by at least one observer about the limitations laid out in  
Section 62 of the Violent Crime Reduction Act 2006  
(http://www.opsi.gov.uk/ACTS/acts2006/60038--f.htm#62), which is soon to come  
into force in the UK.  There were concerns about the legislation  
initially, but new changes appear to have significantly broadened the  
scope and potential impact of the legislation when it comes into  
force.  Where the Act defines illegal activity associated with  
'cloning' or otherwise reprogramming mobile phones, the introduced  
changes extend illegal activity on mobile devices to including:

"(c) he offers or agrees to change, or interfere with the operation  
of, a unique device identifier, or (d) he offers or agrees to arrange  
for another person to change, or interfere with the operation of, a  
unique device identifier."

Focussing on the (deliberately?) imprecise definition of a unique  
device identifier, the fear is that VoIP handsets might be illegal as  
a result of changing IP, the ability to change the device ID, and  
other capabilities that networked devices tend to possess.

According to this particular interpretation of the Act, unless a user  
has permission from the device manufacturer, or is the device  
manufacturer, they can face up to five years in prison, or a fine, or  
both, should they modify the ID that their device is using /  
broadcasting.

While it appears to be a valid conclusion that can be drawn from the  
Act, it will not be until the Act comes into force that it will be  
seen just how the implementation and enforcement of the law will take  
place.


2.2	Wetware Is Still The Biggest Security Risk

Following on from the conman who talked his way into the diamond  
vault at ABN Amro in Antwerp (Advisory #50), come more security  
issues at banks that have arisen due to lapses in security  
practices by people associated with banks.

A number of HSBC customers in Australia have had their personal  
details exposed after an employee left a stack of documents on a rush  
hour train in Sydney.  The stack included letters of approval for  
mortgages and other sensitive documents which included the personal  
and financial details of the affected customers.  Other Australian  
banks have been known to fax sensitive internal documents to home  
faxes that sit on numbers close to the internal bank fax number  
(simple number transposition error).  When confronted over the issue,  
branches initially denied the error, and then recommended discarding  
the misplaced paperwork once the error was confirmed.


2.3	Ethical Boundaries In Research

Information Security ethical discussions have had a workout over the  
last several months, with several 'Month of *** Bugs' projects  
leading to heated argument over the relative merit of publicly  
releasing live vulnerability and exploit data in a high profile  
manner before vendors have been notified.

The most recent project, the ongoing 'Month of PHP Bugs', continues  
to provide releases and sample exploit code for issues  
affecting the popular scripting language.  The ISC has indicated that  
there is at least one remote attacker who is using the available  
exploit samples as part of their ongoing probing and attack  
attempts.  As reported by the ISC, the attack is identified by the  
use of the 'Morfeus' attack toolset.

Other ethical concerns have been raised about the Jikto web  
application vulnerability scanner, due to be released by SPI Dynamics  
in the next couple of weeks (and hinted at in Advisory #50).  Many  
observers are questioning whether a serious ethical line has been  
crossed, as the Jikto tool makes use of JavaScript and XSS flaws to  
silently establish a distributed botnet.  Much of the concern is  
about whether or not the tool is to use questionable techniques to  
achieve its goals.  Although many of the dissenters are from  
companies competing with SPI Dynamics, the concerns are well founded  
and are appropriate to raise.  Whatever the outcome, there will be  
increased interest in the ShmooCon presentation where the tool was to  
be debuted.


2.4	Information Security Company Complains About Lack Of OS X Malware

With more than a quarter of a million individual types of malware in  
existence (though many will be variations on a common theme), one of  
the major Antivirus vendors recently complained that there are fewer  
than a hundred malware examples targeting the Macintosh platform,  
with fewer than seven examples actually targeting OS X (in reality  
even fewer as most of the current examples are based on the same  
Input Controller capability).  Even Linux and Unix distributions  
weigh in with almost 700 distinct malware examples targeting them.

By most arguments, if OS X maintains a desktop percentage of 5%, then  
there should be significantly more examples of malware targeting the  
platform than actually exist.  This is the sort of situation that an  
antivirus vendor would like to see - platforms receiving  
proportionate attention based on their market share or install base.

While some would like to see a massive increase in the number of  
malware examples targeting OS X (there are reported cases of targeted  
attacks that have taken over specific networks and systems), it is  
unlikely that there will be such a massive increase without a  
fundamental change in the underlying OS X platform, or a major  
security vulnerability discovery (such as a major problem with the  
default network stack) that cannot be quickly remedied.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.
