[Sunnet Alert] Advisory #215 - PHP (Multiple), Internet Explorer, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Fri Mar 30 02:59:38 EST 2007
Sûnnet Beskerming Alert List Advisory #215
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 PHP (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - Several Days
1.2 Internet Explorer
- Remote Hacker Automatic Control
- Time Since Discovery - 4 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Cloning Implantable RFID Devices
2.2 Social Engineering Compromises XBox Accounts
2.3 New Threat Discovered?
2.4 Vista's Defences Fail To Stop Arbitrary Code Execution
2.5 Was Major Privacy Breach Aided By Web Vulnerabilities (Still In
Place)?
=====================================
1. SECURITY
1.1 PHP (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
All versions of PHP
-- Technical Description --
Numerous vulnerabilities affecting PHP, ranging from information
disclosure to arbitrary code execution. As with most of the previous
Month of PHP Bugs (MOPB) releases, exploitation of these issues
requires the ability to run arbitrary PHP code on the targeted system.
-- Description --
The Month of PHP Bugs continues to deliver vulnerabilities that
affect all versions of PHP available for installation across multiple
platforms. The most recent set includes demonstrations showing that
an attacker who can already run PHP code on a server could run code
of their choice on that server. More worrying is the suggestion that
one of the more serious vulnerabilities could be extended to allow
remote users who cannot run PHP code to completely compromise a
system.
-- Recommended Action --
Update to the latest version of PHP, but be aware that a number of
the vulnerabilities will still be applicable. Consider limiting the
rights of users to run arbitrary PHP code on systems until patched
versions can be made available. Hardened versions of PHP, and
extensions such as Suhosin, can provide protection against several of
these vulnerabilities.
-- Source --
http://www.php-security.org
-- Threat Matrix --
             U   O
Home User    9   9 (Critical)
Corporate    9   9 (Critical)
1.2 Internet Explorer - Remote Hacker Automatic Control
-- Products Affected --
Internet Explorer running on Windows XP
-- Technical Description --
Automated exploit code targeting a double free memory vulnerability
in ADODB.Recordset (patched by MS07-009), targeted via Internet
Explorer, has recently been released onto a number of sites.
-- Description --
Exploit code targeting a known vulnerability that was recently fixed
(MS07-009) has been released onto a number of Internet sites. The
exploit code allows an attacker to take control of the system of a
victim who has been tricked into viewing a malicious web page.
Unfortunately for users who have not applied the appropriate Windows
patch, the exploit code is presented as a complete web page, ready
for exploitation.
-- Recommended Action --
If systems have not already had MS07-009 applied, it is critical
that it be applied as soon as possible.
-- Source --
http://www.milw0rm.com
-- Threat Matrix --
             U   O
Home User    9   9 (Critical)
Corporate    9   9 (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Cloning Implantable RFID Devices
After demonstrating that the new British RFID-enabled passports could
be cloned, even though the package they were in had not been opened,
UK-based researcher Adam Laurie demonstrated at the recent ShmooCon
that implantable RFID chips could be readily cloned. According to
reporting at InfoWorld
(http://weblog.infoworld.com/zeroday/archives/2007/03/human_implant_r.html),
the cloning was achieved in just a few minutes when an audience
member who already had a chip implanted agreed to be part of the
demonstration. The cloning was achieved using standard cloning
equipment, the specifications of which are readily available from a
number of sources, and which was to have been publicised with the
cancelled IOActive demonstration at the BlackHat Federal briefings.
Even though it has been known for some time that it is a fairly
straightforward process to clone RFID chips, recent demonstrations
have really shown how easy the process is, and how simply it can be
achieved at range (one of the most commonly used arguments in favour
of RFID chips is that most cloning required actual contact with the
chip in order to clone it).
2.2 Social Engineering Compromises XBox Accounts
Although some XBox Live players have been complaining for months
about hacked / stolen accounts, Microsoft did not publicly admit that
the breaches were taking place until noted security researcher Kevin
Finisterre (Month of Apple Bugs) had his own account stolen and went
public about it, proving that a compromise had actually occurred.
Up to that point, Microsoft was asserting that the compromises that
had taken place were the result of the actual users giving out
personal information. Unfortunately for Microsoft, one of the proven
methods to compromise an XBox Live account is to use the XBox Live
help desk to gradually extract personal information about a target,
before using that information to take control of a victim's account.
Unfortunately for gamers, compromised accounts can mean public slurs
on reputation, financial theft (from credit cards used to subscribe
the account), and overall loss of control of the account. With Kevin
Finisterre's case, the issue has been escalated to Microsoft legal
and shows no sign of going away soon. Interested observers can keep
track of what is going on at his site
(http://www.digitalmunition.com/StolenUpdate.html).
2.3 New Threat Discovered?
According to the McAfee Avert Labs blog, a new threat targeting
fully patched Windows XP SP2 systems has been discovered in the wild.
Interestingly, Windows XP SP 0 and SP 1 systems are reported as not
being affected by this particular vulnerability. Infecting systems
through Internet Explorer 6 and 7, the malware is reported to be
using a vulnerability in the way the system handles ANI files, and
successful infection will result in arbitrary code execution on a
compromised system.
2.4 Vista's Defences Fail To Stop Arbitrary Code Execution
Tucked in the midst of an otherwise unremarkable buffer overflow
exploit for the NaviCOPA webserver for Windows is the claim that the
exploit is functional on Windows 2000, XP and Vista (irrespective of
ASLR setting).
This last claim is of most interest, as ASLR is one of the frontline
defences that Vista introduces to make it more difficult for
successful memory corruption attacks to result in arbitrary code
execution. By randomising the location in memory where parts of an
application are stored, ASLR makes it extremely difficult for
attackers to reliably find the sections of memory they need to
overwrite in order to take control of a vulnerable system.
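As an added illustration of the defender-side check that paragraph
implies (this is not code from the advisory, from NaviCOPA or from the
exploit's authors): Vista only randomises the load address of modules
whose PE header sets the DYNAMIC_BASE flag and that still carry
relocation data, so a process that loads even one module without both
gets a fixed address that an exploit can rely on. The parser below
reads those two flags from a PE header; the minimal header it builds
for the demonstration is constructed, not taken from any real binary.

```python
import struct
import sys

# PE/COFF flag values relevant to ASLR (from the PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image asks to be rebased (ASLR)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # relocations dropped: cannot rebase
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def aslr_status(image):
    """Report whether Vista's ASLR can rebase the PE image given as bytes.

    Rebasing needs DYNAMIC_BASE set and relocation data still present.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    file_chars = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20                           # optional header follows COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocatable = not (file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {"bits": 64 if magic == PE32PLUS_MAGIC else 32,
            "dynamic_base": dynamic_base, "relocatable": relocatable,
            "aslr_effective": dynamic_base and relocatable}


def build_test_image(dll_chars, file_chars=0, magic=PE32_MAGIC):
    """Constructed minimal PE header (headers only, not a runnable binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, file_chars)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With a path argument, check a real file; otherwise use the constructed header.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_test_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print(aslr_status(data))
```

Run it over every module a service loads; a single result with
aslr_effective False is a fixed-address module the protection does not cover.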
With the exploit code being released as part of the Metasploit
framework, enterprising attackers will soon have this exploit as part
of their suite of attacks for probing and controlling vulnerable
systems.
2.5 Was Major Privacy Breach Aided By Web Vulnerabilities (Still In
Place)?
The breach of millions of credit card records over several years from
TJX and TJX-associated retailers is still causing a sour taste for
many involved in reporting and tracking Privacy / Financial
information breaches. One researcher decided to investigate whether
a suitable entry point into the TJX systems could have been through
their external web services.
Unfortunately, he quickly discovered that there are several major SQL
injection vulnerabilities and at least one server running an outdated
application stack that has known vulnerabilities and associated
exploit code readily available.
Astounded by his rapid discoveries, he didn't bother with a full
assessment (which would have been illegal without the approval of
TJX), but pointed out that the company should be held liable for the
losses - so that they may secure the holes in their existing services.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.