[Sunnet Alert] Advisory #250 - Microsoft (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Tue Nov 20 00:42:01 EST 2007
Sûnnet Beskerming Alert List Advisory #250
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 6 Days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 6 Days
1.3 QuickTime
- Remote Hacker Manual Control
- Time Since Discovery - > 7 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using
it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Where Have We Been?
2.2 The Fine Line Between Security and Usability
2.3 Noted Italian Security Expert Arrested in Ongoing Spy Scandal
2.4 Internet Bubble 2.0
2.5 RealPlayer 0-Day Shows ActiveX Still an Issue
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows 2000, XP, 2003, Vista
Crystal Reports
Windows Services for Unix
Messenger
-- Technical Description --
MS07-061 - Windows Shell (Win XP, 2003). Arbitrary code execution.
Critical
MS07-062 - DNS Server (Win XP, 2003). DNS spoofing due to random number
prediction. Important
-- Description --
Microsoft delivered two patches as part of the November Security
Update release earlier this week. One patch (MS07-061) has been
rated as Critical and delivers a fix for well known URI handling
vulnerabilities that were identified earlier this year and have been
actively attacked for some time. The remaining patch deals with poor
random number generation in certain Windows versions that allows for
prediction of DNS response parameters and simple spoofing of
results. Both patches replace earlier updates issued from Microsoft.
-- Recommended Action --
All users and administrators should apply the updates at the
earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms07-nov.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms07-061.mspx
http://www.microsoft.com/technet/security/bulletin/ms07-062.mspx
-- External Tracking Data --
CVE-ID: CVE-2007-3896 (MS07-061)
CVE-ID: CVE-2007-3898 (MS07-062)
-- Threat Matrix --
               U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)
1.2 OS X (Multiple) - Remote hacker automatic control
-- Products Affected --
OS X 10.4.10 and prior.
-- Technical Description --
AppleRAID - Opening a maliciously crafted disk image may lead to an
unexpected system shutdown.
BIND - An attacker may be able to control the content provided by a
DNS server (weak random number generation)
bzip2 - Multiple vulnerabilities in bzip2
CFFTP - A user's FTP client could be remotely controlled to connect
to other hosts
CFNetwork - Multiple Vulnerabilities
CoreFoundation - Reading a directory hierarchy may lead to an
unexpected application termination or arbitrary code execution
CoreText - Viewing maliciously crafted text content may lead to an
unexpected application termination or arbitrary code execution
Flash Player Plug-in - Opening maliciously crafted Flash content may
lead to arbitrary code execution
Kerberos - A remote attacker may be able to cause a denial of
service or arbitrary code execution if the Kerberos administration
daemon is enabled
Kernel - Multiple Vulnerabilities
Networking - Multiple Vulnerabilities
NFS - A maliciously crafted AUTH_UNIX RPC call may lead to an
unexpected system shutdown or arbitrary code execution
NSURL - Visiting a malicious web site may result in arbitrary code
execution
remote_cmds - If tftpd is enabled, the default configuration allows
clients to access any path on the system
Safari - Multiple Vulnerabilities
SecurityAgent - A person with physical access to a system may be
able to bypass the screen saver authentication dialog
WebCore - Multiple Vulnerabilities
WebKit - Multiple Vulnerabilities
-- Description --
Apple Inc have released a cumulative update for OS X 10.4, bringing
it to 10.4.11, and have released a separate Security Update 2007-008,
for OS X 10.3.x systems (included in the 10.4.11 update). The update
provides fixes for multiple serious vulnerabilities, including for
AppleRAID, BIND, bzip2, CoreFoundation, and other system components.
Vulnerabilities range from denial of service and local privilege
escalation, through to automatic remote code execution.
-- Recommended Action --
Apply the update to OS X 10.4.11 or Security Update 2007-008 (OS X
10.3.x systems) at the earliest opportunity, either from the Software
Update option in the Apple Menu, or from Apple's download link, below.
If the Software Update application is used, only the applicable
update will be selected and installed on a vulnerable system.
-- Source --
http://docs.info.apple.com/article.html?artnum=61798
-- Updates Available --
http://www.apple.com/support/downloads/
-- External Tracking Data --
CVE-ID: CVE-2007-4678 (AppleRAID)
CVE-ID: CVE-2007-2926 (BIND)
CVE-ID: CVE-2005-0953 (bzip2)
CVE-ID: CVE-2005-1260 (bzip2)
CVE-ID: CVE-2007-4679 (CFFTP)
CVE-ID: CVE-2007-4680 (CFNetwork)
CVE-ID: CVE-2007-0464 (CFNetwork)
CVE-ID: CVE-2007-4681 (CoreFoundation)
CVE-ID: CVE-2007-4682 (CoreText)
CVE-ID: CVE-2007-3456 (Flash Player)
CVE-ID: CVE-2007-3999 (Kerberos)
CVE-ID: CVE-2007-4743 (Kerberos)
CVE-ID: CVE-2007-3749 (Kernel)
CVE-ID: CVE-2007-4683 (Kernel)
CVE-ID: CVE-2007-4684 (Kernel)
CVE-ID: CVE-2007-4685 (Kernel)
CVE-ID: CVE-2006-6127 (Kernel)
CVE-ID: CVE-2007-4686 (Kernel)
CVE-ID: CVE-2007-4688 (Networking)
CVE-ID: CVE-2007-4269 (Networking)
CVE-ID: CVE-2007-4689 (Networking)
CVE-ID: CVE-2007-4267 (Networking)
CVE-ID: CVE-2007-4268 (Networking)
CVE-ID: CVE-2007-4690 (NFS)
CVE-ID: CVE-2007-4691 (NSURL)
CVE-ID: CVE-2007-4687 (remote_cmds)
CVE-ID: CVE-2007-0646 (Safari)
CVE-ID: CVE-2007-4692 (Safari)
CVE-ID: CVE-2007-4693 (SecurityAgent)
CVE-ID: CVE-2007-4694 (WebCore)
CVE-ID: CVE-2007-4695 (WebCore)
CVE-ID: CVE-2007-4696 (WebCore)
CVE-ID: CVE-2007-4697 (WebCore)
CVE-ID: CVE-2007-4698 (WebCore)
CVE-ID: CVE-2007-3758 (WebCore)
CVE-ID: CVE-2007-3760 (WebCore)
CVE-ID: CVE-2007-4671 (WebCore)
CVE-ID: CVE-2007-3756 (WebCore)
CVE-ID: CVE-2007-4699 (WebKit)
CVE-ID: CVE-2007-4700 (WebKit)
CVE-ID: CVE-2007-4701 (WebKit)
-- Threat Matrix --
               U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)
1.3 QuickTime - Remote hacker automatic control
-- Products Affected --
QuickTime 7.2 and prior.
-- Technical Description --
QuickTime 7.3 has been released, and includes fixes for issues that
could lead to arbitrary code execution as the result of interacting
with malicious image or movie files.
-- Description --
Apple Inc have released QuickTime 7.3 and have included numerous
fixes to vulnerabilities present in previous versions. QuickTime 7.3
is available for both Windows and OS X platforms and users should
update to the latest version as soon as practical.
-- Recommended Action --
Update to QuickTime 7.3 from either the Software Update application,
or from the download link below.
-- Source --
http://docs.info.apple.com/article.html?artnum=61798
-- Updates Available --
http://www.apple.com/support/downloads/
-- External Tracking Data --
CVE-ID: CVE-2007-2395 (QuickTime)
CVE-ID: CVE-2007-3750 (QuickTime)
CVE-ID: CVE-2007-3751 (QuickTime)
CVE-ID: CVE-2007-4672 (QuickTime)
CVE-ID: CVE-2007-4676 (QuickTime)
CVE-ID: CVE-2007-4675 (QuickTime)
CVE-ID: CVE-2007-4677 (QuickTime)
-- Threat Matrix --
               U    O
Home User      9    9 (Critical)
Corporate      9    9 (Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Where Have We Been?
The observant reader would note that it has been almost two months
since they last received an Advisory from this service, two months
that have passed quickly for all concerned. While it was not an
ideal situation, our website was kept updated throughout the period,
with many new readers discovering our reporting through links from
various high traffic sites such as The Register, Slashdot, Reddit,
and others. Our RSS feeds, available from our website
(http://www.beskerming.com), have also been continuously updated, providing
the latest reporting from Sûnnet Beskerming on both Security and
Commentary material.
2.2 The Fine Line Between Security and Usability
Finding the right balance between security and usability is difficult
for any software developer. Recently a set of issues were disclosed
where it was apparent that Microsoft had worsened the security
situation for their users based on the software provided with
Windows, or based on their response to reported problems.
Whether it is Microsoft's desire to make computing as simple as
possible for the masses, or whether it is a simple question of
economic terms, the inclusion of the affected Macrovision DLL on
Windows XP and 2003 could be interpreted as both. If Microsoft hadn't
included it, then there would be many users confused as to why their
software wasn't quite working as expected, and why a newly purchased
game was seeking to install core system components. On the other
hand, by providing the software, it means that there are millions of
business systems that will never see gaming software installed, and
which have no need for this particular anti-copying measure. In this
instance, Microsoft identified and issued a patch before there was
too much of a problem.
On the other hand, predictable (pseudo)random number generation isn't
something that most people would encounter on a routine basis, but it
can have real world effects when systems rely upon that number
generation to determine how network responses should be sequenced.
While this was one of the patches issued by Microsoft with the
November release cycle, it should be noted that numerous sources were
carrying information about the predictability of number generation
before the patches were released. Not only this, but Apple's Security
Update 2007-008 / OS X 10.4.11 release that came out in the same week
included an update for BIND that addressed a similar-looking weak
(pseudo)random number generation issue. While it may have just been
coincidental, it is interesting to see two major software vendors
provide updates for very similar DNS server problems for two
different DNS server products in the same approximate timeframe.
Another issue which came to light last week may pose more of a
problem for business and home users, especially given that Microsoft
acknowledged to the discoverer that they would not be patching the
remote code execution vulnerability that he had reported -
"Microsoft replied me that they would not fix this vulnerability, it
looks like they will not acknowledge vulnerabilities which are
from .mdb file".
Microsoft's response points to a Knowledge Base article which merely
leads to a list of filetypes that are considered 'unsafe' by
different Microsoft products. It doesn't actually indicate that the
filetype should no longer be used by end users or that Microsoft will
not be supporting the filetype anymore.
As far as JET .mdb files go, it seems that Microsoft has deprecated
the technology somewhat, but it still continues to be supported by
the latest versions of Access (Access 2007).
Not every application in use can or will be updated to the Microsoft
Desktop Engine (MSDE) or SQL Server 2005 Express Edition / SQL Server
2005 Compact Edition, so there are going to be plenty of viable
targets where exploits can find traction.
Probably the biggest defence against widespread exploitation of this
vulnerability is that an attacker must first get a malicious .mdb file
onto the target system and then have it processed by the JET engine. As
ruder points out, some web servers could be at risk if users can upload a
malicious .asp / .mdb file and then have it executed via calls to
"ADODB.Connection".
Unfortunately for Access users, this is just one of several arbitrary
execution problems affecting the .mdb file format that may never get
fixed by the vendor (the linked one is from 2005 and may be related).
While vendors do have to draw the line somewhere with the filetypes
and application versions that they will continue to support, refusing
to provide security related fixes for serious vulnerabilities is a
failure of their duty of care to their users.
2.3 Noted Italian Security Expert Arrested in Ongoing Spy Scandal
Some fairly surprising news recently came to light when it was
reported that Domina Security, Zone-h and WabiSabiLabi cofounder,
Roberto Preatoni, was arrested and charged in connection with claims
of spying at Telecom Italia.
It was Roberto's work with a penetration testing team, a 'Tiger Team'
that had been created to do some testing for Telecom Italia, that is
believed to have led to the arrest rather than his involvement with
the controversial WabiSabiLabi vulnerability auction market.
The team that Roberto worked with apparently had some shady history,
including allegations of spying, unauthorised hacking, wiretaps, and
it may just be a case of 'wrong place, wrong time' for the security
expert who has been charged with unauthorised access to computer
systems and wiretapping. It is reported that hacking and spying
activities were carried out against Brasil Telecom's CEO, an
investigative agency, and two journalists.
Others have been arrested earlier in the year, including Telecom
Italia's Security Chief Technology Officer, who has presented
alongside Preatoni at security conferences over the last twelve
months. These presentations included one that might be considered
ironic - "The Biggest Brother", presented at the 2006 Hack in the Box
conference, which argued that many governments have taken advantage
of September 11 to tighten control over their citizens. A previous
presentation by Roberto, given at 2005's CCC, regarding industrial
espionage and counter attacks might be of more interest to
investigators.
WabiSabiLabi has yet to issue a statement regarding the incident,
though one is expected soon.
2.4 Internet Bubble 2.0
Microsoft's purchase of 1.6% of social networking site Facebook for
$240 million USD has only added to fears that there is a significant
overvaluation in the market for major websites and related companies
- basically that there is an Internet Bubble 2.0 in the works. With
Facebook valued now at up to $15 billion USD (based on Microsoft's
purchase price) it has elevated the company into the top 10 Internet
companies by value, though it is still producing far less in terms of
ongoing revenue than other companies with comparable market value.
Some who are looking deeper into the purchase are seeing it as a
strategic move by Microsoft to prevent Google or another competitor
from snapping up the site on the cheap. By paying so much for so
little of the company it forces other would-be investors to
significantly increase the amount of resources that they would need
to gain a controlling stake in the site, while it also provides a
stronger avenue for Microsoft to push their Flash-competing
Silverlight technology on web users (Microsoft is Facebook's primary,
now exclusive, advertising supplier).
In the fickle world of social networking sites, it could still be a
$240 million USD hole in the space of a few months if the next
greatest thing comes along - something Microsoft should have already
been aware of with their Windows Live Spaces platform. While Facebook
currently has a nicer feel and look than many comparative sites, it
is all based on something better not yet having much traction amongst
Internet users. Some have pointed out that these sites maintain the
position that free webhosts like Geocities once maintained in the
late 90's.
Microsoft's big push to purchase 20 web companies per year over the
next five years could also be playing a part in the investment into
Facebook and ongoing growth of the bubble for the next few years.
With predicted purchase ranges of $50 million to $1 billion USD per
company, that is a lot of money for companies that will soon find
themselves in the sights of Microsoft (if they aren't already in the
sights of Google, Yahoo!, or some other major technological company).
Enterprising company owners can pitch directly to Steve Ballmer, or
he can always contact us directly.
2.5 RealPlayer 0-Day Shows ActiveX Still an Issue
News has been spreading rapidly of an actively-exploited
vulnerability affecting RealPlayer, activated via Internet Explorer.
Based on the available reporting, it appears that at least one major
victim has been targeted with this exploit (NASA), with the first
information being made public on Wednesday of this week. Symantec,
McAfee, and the ISC then published initial details of the
vulnerability on Thursday / Friday.
The vulnerability was discovered in the wild, and although no public
exploit code samples exist at this stage, Information Security vendors
are airing concerns about the risk of widespread infection attempts using
it. Making the situation worse, it is being reported that a successful
infection only requires the ActiveX control to be present on the system -
it does not need to be activated for a successful attack.
While a critical vulnerability in a common third party ActiveX plugin
is a problem for Windows users (especially one that comes pre-
installed by default on some systems - such as Dell), it serves as a
timely reminder for all that the Internet Explorer and ActiveX
combination is still a risky one for Windows users, despite the
ongoing efforts that Microsoft are putting in to tightening security.
For users and administrators who do not have third party protection
software in place, setting the kill bit on the following Windows
Registry key will provide interim protection (as well as preventing
RealPlayer from being called in Internet Explorer):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}
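As an added example (not part of the original advisory), the following PowerShell snippet applies that kill bit to the RealPlayer CLSID and reads it back to confirm. It relies on the standard Internet Explorer kill-bit mechanism, which the advisory does not spell out: a "Compatibility Flags" DWORD under the CLSID key with bit 0x400 set; the function names are our own.

```powershell
# Added example, not the advisory's own text. Run from an elevated PowerShell prompt.
# Assumption: the documented IE kill-bit mechanism, i.e. the DWORD value named
# "Compatibility Flags" with bit 0x400 set under the control's CLSID key.
$Clsid   = '{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}'   # RealPlayer CLSID from the advisory
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
$KillBit = 0x400                                       # "do not run this control in IE"

function Set-KillBit {
    param([string]$Path, [int]$Flag)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null        # create the CLSID key if absent
    }
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the kill bit into any flags already present rather than overwriting them
    $new = if ($null -eq $current) { $Flag } else { $current -bor $Flag }
    New-ItemProperty -Path $Path -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $new -Force | Out-Null
}

function Test-KillBit {
    param([string]$Path, [int]$Flag)
    if (-not (Test-Path $Path)) { return $false }
    $v = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
          -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $v) -and (($v -band $Flag) -eq $Flag)
}

Set-KillBit -Path $KeyPath -Flag $KillBit
if (Test-KillBit -Path $KeyPath -Flag $KillBit) {
    "Kill bit set for $Clsid"
} else {
    "Kill bit NOT set for $Clsid - check permissions"
}
```

On 64-bit Windows, 32-bit Internet Explorer reads the equivalent key under HKLM\SOFTWARE\Wow6432Node\..., so the same functions should be run against that path as well.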
With RealPlayer notorious for constant 'buffering...' messages early
in the time of streaming online media content, some Internet
humourists have suggested that the vulnerability might be due to a
'buffering overflow'.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.