[Sunnet Alert] Advisory #235 - Norton Personal Firewall / Internet Security, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Fri May 18 19:17:56 EST 2007
Sûnnet Beskerming Alert List Advisory #235
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Norton Personal Firewall / Internet Security
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Entering the Pentagon
2.2 Microsoft Snares Top Vulnerability Talent
2.3 Scamming and Social Networks
2.4 Failure to Check Sources = Costly Market Loss
2.5 Nationalistic Fervour and Online Attacks
2.6 Microsoft Modifies Monthly Patch Advance Notification
=====================================
1. SECURITY
1.1 Norton Personal Firewall / Internet Security - Remote Hacker
Automatic Control
-- Products Affected --
Norton Personal Firewall 2004
Norton Internet Security 2004
-- Technical Description --
Buffer overflow in the ISLALERT.DLL ActiveX control associated with
Personal Firewall / Internet Security 2004. The error occurs in the
Get() and Set() functions used by ISAlertDataCOM. Arbitrary code
execution can result, at the level of the current user.
-- Description --
It has been discovered that there is a serious vulnerability
affecting the 2004 versions of Norton Personal Firewall and Internet
Security. This particular vulnerability could allow a remote
attacker to take over a vulnerable system and run code of their
choice, as if they were the local user.
-- Recommended Action --
Select and run LiveUpdate from within Norton Personal Firewall 2004,
or follow the link listed for Product Updates.
-- Source --
(Paid subscription required to access)
-- Updates Available --
(Paid subscription required to access)
-- External Tracking Data --
(Paid subscription required to access)
-- Threat Matrix --
               U   O
Home User      8   8  (Very High)
Corporate      8   8  (Very High)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
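As an added defender's check (not part of the advisory, and not Symantec's own tooling), the script below enumerates the COM classes whose in-process server is ISLALERT.DLL and reports whether Internet Explorer's ActiveX kill bit is set for each of them. It assumes the host runs a Norton 2004 product and reads the CLSIDs from the registry rather than hard-coding them, since the advisory does not list them; LiveUpdate remains the advised fix, and the kill bit only stops the control loading in the browser.

```powershell
# Added example: locate ActiveX controls served by ISLALERT.DLL and check
# whether each CLSID carries IE's kill bit (Compatibility Flags 0x400).
# Assumes a Norton Personal Firewall / Internet Security 2004 install;
# CLSIDs are discovered from HKCR, not assumed.

$KillBit    = 0x400
$CompatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-IslAlertControls {
    # Walk HKCR\CLSID and keep entries whose InprocServer32 default value
    # points at ISLALERT.DLL (the path may be quoted, hence the optional ")
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($server -and $server.'(default)' -match 'ISLALERT\.DLL"?$') {
                [pscustomobject]@{
                    Clsid = $_.PSChildName
                    Dll   = $server.'(default)'
                }
            }
        }
}

function Test-KillBit {
    param([string]$Clsid)
    # The kill bit lives under the ActiveX Compatibility key, per CLSID
    $key   = Join-Path $CompatRoot $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

$controls = @(Get-IslAlertControls)
if ($controls.Count -eq 0) {
    Write-Output 'ISLALERT.DLL is not registered as a COM server on this host.'
} else {
    foreach ($c in $controls) {
        $state = if (Test-KillBit $c.Clsid) { 'kill bit set' } else { 'no kill bit (apply LiveUpdate)' }
        Write-Output ('{0}  {1}  {2}' -f $c.Clsid, $c.Dll, $state)
    }
}
```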
=======================================
2. NEWS
2.1 Entering the Pentagon
Following the drawn-out court case against UK-based hacker, Gary
McKinnon, most people would assume that the US military and other
government agencies would have taken the opportunity to review the
security of their outward-facing systems.
Such an assumption doesn't account for the fact that there are many,
many systems that might require securing and re-configuration.
This has been highlighted by two recent examples where outward-facing
systems at the Pentagon (domains under pentagon.mil) were found to be
lacking in suitable authentication and protection. At least one
server was compromised by website defacers, who left their calling
card as proof of their ability to break in. This particular incident
took place within the last week, whilst the other incident, in which a
server that could be accessed without any authentication was
discovered, has now been addressed.
2.2 Microsoft Snares Top Vulnerability Talent
News being reported over at ZDNet indicates that Microsoft has
convinced the founder of Symantec's Vulnerability Research efforts to
join the Microsoft Security Response Center.
While her stay at Symantec was relatively short, Katie Moussouris is
a noted penetration tester who was a part of @Stake when it was
purchased by Symantec in 2004. Her new role at Microsoft is to be
involved with security community efforts, including working with
independent researchers who discover vulnerabilities with Microsoft
products.
One of the biggest complaints from third party researchers who have
attempted to notify Microsoft of serious issues with their software
is that Microsoft used to be very difficult to work with and very
unresponsive to reports of vulnerabilities. Katie's new role at
Microsoft will hopefully go a long way to help overcome this
particular stumbling block that external researchers still sometimes
encounter.
This practice of hiring in the top talent at Microsoft is expected to
continue, with noted historical security-related hirings including
researchers from McAfee, and Mark Russinovich, formerly of SysInternals.
2.3 Scamming and Social Networks
Increasing numbers of Information Security commentators and companies
are starting to pick up on the increasing use of professional
networking sites, social networking sites, and other related sites by
scammers in order to get past the trust barrier that would prevent a
successful scam.
One such article (with plenty of excellent resources) was recently
posted at the SANS ISC. Any such article would be remiss not to
mention the case study provided by Sûnnet Beskerming researchers
in early 2007, when an attempted 419-type scam was perpetrated on one
of Sûnnet Beskerming's researchers - through a professional
networking site.
The findings from that case are fully supported by more recent
articles, and they indicate that scammers are becoming more aware of
the capabilities that these sites can give them.
2.4 Failure to Check Sources = Costly Market Loss
Apple Inc's market value recently lost $4 billion USD in a matter of
minutes, following the posting of a fake email to a popular tech blog
site. Claiming to originate from within Apple, the fake email
indicated that Apple's iPhone and Leopard operating system would be
significantly delayed in coming to market. A later, official, email
from Apple negated the fake message, and indicated that both products
would still be on track for their planned release dates.
Poor information validation is a problem that is all too common for
companies and groups that depend on being the first to break news on
important events (and for Information Security vendors as well). When
there is a single source of material, a judgement call needs to be
made in order to determine whether appropriate trust can be placed in
the report.
Intelligence agencies and major news aggregators (most of them, at
least) will generally place a lower level of trust in single-source
reporting, even if the material is 100% accurate. Because there is no
corroborating reporting from other sources, they will generally avoid
making firm claims based on the information (hence some of the
problems commonly associated with Intelligence bodies and reporting
aggregators).
This painful lesson is something that bloggers and other smaller
groups need to be aware of, especially if they have not already been
exposed to the practice of evaluating sources from a larger news
organisation or Intelligence body.
2.5 Nationalistic Fervour and Online Attacks
Nationalistic fervour has long been a motivating factor for
electronic attacks against companies, governments and websites in
general. A significant proportion of the defaced sites listed in the
Zone-h defacement archives have been defaced with a nationalistic
statement or ultimatum of some sort from the attacker (even if the
targeted site has no relevant link to the nationalistic claims).
Estonia's recent decision to relocate a Russian WWII war memorial
from the centre of Tallinn to a war cemetery sparked outrage from
Estonians and ethnic Russians in Estonia, and complaint from Russians
in Russia. Mixed in with the street protests and political posturing
were increasing numbers of attacks against Estonian government
websites, as well as other significant Estonian company sites.
Claims have been made that the attacks have originated from Russia
and are being state-sponsored. Getting NATO involved with the online
feud is a major escalation that is likely to have longer term
political effects, irrespective of any actual or perceived official
Russian involvement.
While the scale of the attacks does suggest some form of official
support, it could just as easily be a handful of very patriotic
botnet controllers, who have turned their sights on Estonian sites.
As with Air Power, their online attack effects are impermanent -
which means that once the attacks are over, the sites will return to
normal operation with no long-lasting effect.
Although the Cold War is over, this and other recent events are
certainly making the political atmosphere chilly between Russia and
former satellite states, between Russia and the EU, between Russia
and NATO, and between Russia and the major Western powers.
This is not the first time that accusations of state-sponsored online
attacks have been made. Various global Intelligence organisations
have associated the 'Titan Rain' sequence of events with Chinese
state-sponsored attacks, and other smaller claims have been made that
countries such as North Korea maintain official state-sponsored
hacking groups.
Any event of international tension between two nations can lead to
this sort of result (as was seen when the US EP-3 collided
with the Chinese J-8 off Hainan Island).
2.6 Microsoft Modifies Monthly Patch Advance Notification
On the Thursday before the second Tuesday of each month, Microsoft
provides a notification of the patches that they are expecting to
release on the following Tuesday. Until now, the notification has
broken down how many patches in total are expected, what platforms
and product groups they are for, and the maximum severity of the
patches within a given group.
Starting with June's Security Patch release, Microsoft will be
providing more detailed information about the patches due for
release. This information will include maximum severity rating,
impact of the vulnerability, detection information, and affected
software - for each patch.
In addition, Microsoft have changed the layout of each bulletin to
reduce the amount of duplicated information, and to make it easier to
find the critical information in the advisory.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.