From alertmailinglist at skiifwrald.com Fri Jun 13 17:34:19 2008
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Fri, 13 Jun 2008 17:04:19 +0930
Subject: [Sunnet Alert] Advisory #256 - Microsoft (Multiple), QuickTime, Multiple News
Message-ID:

Sûnnet Beskerming Alert List Advisory #256

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 3 days
1.2 QuickTime - Remote Hacker Automatic Control - Time Since Discovery - 3 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Website Defacement Group Arrested After Going too far
2.2 An Interesting Firefox Flaw
2.3 BT Home Hub Still full of Holes
2.4 What makes for a Dangerous Domain?
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Microsoft Office
Windows
Internet Explorer

-- Technical Description --
MS08-030 - Bluetooth. Remote code execution. Critical
MS08-031 - Internet Explorer cumulative update. Multiple remote code execution. Replaces MS08-024. Critical
MS08-032 - Speech API. Remote code execution. Replaces MS08-023. Moderate
MS08-033 - DirectX. Code execution. Replaces MS07-064. Critical
MS08-034 - WINS. Privilege escalation. Replaces MS04-045. Important
MS08-035 - LDAP - Active Directory. Denial of Service. Replaces MS08-003. Important
MS08-036 - Microsoft Message Queuing. Denial of Service. Replaces MS06-052. Important

-- Description --
Microsoft has provided seven patches with the June Security Patch Release. Of the patches, three are rated as Critical, three as Important, and the remaining patch as Moderate. Exploit data for some of the Internet Explorer (MS08-031) and Speech API (MS08-032) vulnerabilities has been publicly available, but limited in distribution.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-030.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-031.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-032.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-034.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-035.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-036.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-1453 (MS08-030)
CVE-ID: CVE-2008-1442 (MS08-031)
CVE-ID: CVE-2008-1544 (MS08-031)
CVE-ID: CVE-2007-0675 (MS08-032)
CVE-ID: CVE-2008-0011 (MS08-033)
CVE-ID: CVE-2008-1444 (MS08-033)
CVE-ID: CVE-2008-1451 (MS08-034)
CVE-ID: CVE-2008-1445 (MS08-035)
CVE-ID: CVE-2008-1440 (MS08-036)
CVE-ID: CVE-2008-1441 (MS08-036)

-- Threat Matrix --
               U    O
Home User     10   10  (Highly Critical)
Corporate     10   10  (Highly Critical)

1.2 QuickTime - Remote Hacker Automatic Control

-- Products Affected --
QuickTime versions prior to 7.5

-- Technical Description --
QuickTime 7.5 has been released, incorporating several critical security patches, including patches for remote code execution risks associated with PICT file handling, AAC-encoded file handling, Indeo video content, and QuickTime media content. The exploits are a range of heap overflows, stack overflows and URL handling issues and affect both the OS X and Windows versions of QuickTime.

-- Description --
Earlier this week, Apple released version 7.5 of the QuickTime media codec and associated player software. With the update, Apple provided a range of critical security fixes which addressed a number of remote code execution opportunities that were identified in QuickTime.
-- Recommended Action --
Update to QuickTime 7.5 when possible.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/quicktime/download/

-- External Tracking Data --
CVE-ID: CVE-2008-1581
CVE-ID: CVE-2008-1582
CVE-ID: CVE-2008-1583
CVE-ID: CVE-2008-1584
CVE-ID: CVE-2008-1585

-- Threat Matrix --
               U    O
Home User     10   10  (Highly Critical)
Corporate     10   10  (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Website Defacement Group Arrested After Going too far

Most website defacement groups are regarded as more of a nuisance than a major threat. While they cost site operators and maintainers valuable time and resources to recover damaged sections of their sites and patch the entry points, generally the only damage done is to place a page on the site proclaiming the technical prowess of the group, before they run off and self-report to the world's largest online defacement archive, at Zone-H.

Sometimes the groups go too far for the comfort of the authorities. Defacements of sites belonging to government agencies or bodies have their own special place in the Zone-H archive, but most of the time these defacements are treated exactly the same as those of non-government sites - as a nuisance. For one Spanish group, hacking a Spanish political site was the one step too far, eventually resulting in their arrest. Spanish sites weren't the only sites they defaced, with numerous US sites, including NASA sites, on their list of defacements recorded at Zone-H.

2.2 An Interesting Firefox Flaw

Ronald van den Heetkamp has published information about an interesting heap corruption in Firefox.
Put simply, it has been discovered that merely running document.open, document.write and document.close in close succession can sometimes lead to code not being executed before the document is closed (by the obviously named document.close method), along with some inconsistent behaviour from Firefox. The interesting aspect of what Ronald has discovered is that if he uses an empty applet, it leads to a fairly predictable denial of service a couple of minutes after attempting to load the initial code element. Based on the information provided, it is predictable in the sense that the browser can be assumed to become unresponsive within a few minutes of loading the code, even if the underlying mechanism of just how the code causes the failure is not understood.

Although Ronald has not developed his example to the point of executing code, the sample gives an easy starting point for further investigation and development. It is true that not every heap corruption is going to end in arbitrary code execution, but on initial view it does seem possible with this particular vulnerability. At the moment it is an interesting and simple denial of service vulnerability.

2.3 BT Home Hub Still full of Holes

British hacker group GNUCITIZEN, and in particular Adrian 'pagvac' Pastor, have been focussing on the BT (British Telecom) Home Hub, an ADSL modem capable of acting as a wireless access point and interfacing with DECT compliant telephone handsets (the standard used in most cordless handsets), as well as supporting VoIP. In their past research, GNUCITIZEN identified several methods to compromise various features of the BT Home Hub, including the complete takeover of the device by a remote attacker, provided that the local user could be convinced to visit a malicious website. Some of the modifications made by BT to address the concerns raised by GNUCITIZEN included changing the default password of the Home Hub to the serial number of the device.
On initial observation, this gives each device a unique root password that should be non-guessable by a remote attacker, neutralising the techniques otherwise used to compromise the system. Recent work, however, has shown that this serial number is recoverable, and with it control of the device. To achieve this feat, a local network request is made using the Multi Directory Access Protocol (MDAP), which results in the device responding with its ID number; this can then be prepended with 'CP' to give the serial number and the default password for the device.

Limiting the impact of the discovery is the requirement for the attacker to be on the same LAN as the router, either through a wired or wireless connection. Given that the wireless connection is only secured with WEP, it isn't going to take long for a casual wardriver to break into a targeted device. Alternatively, techniques described by other researchers that allow remote probing of local LAN resources could be blended in to give the remote attacker all the information they need without actually having to be present on the LAN.

While this is a real concern, Adrian points out that there are still critical UPnP port forwarding vulnerabilities that leave the Home Hub just as vulnerable. Given the numerous capabilities of the device and what it is designed to be used for, anything that could allow a remote attacker to capture all Internet and telephony traffic passing through the device is going to have serious consequences. If BT, the company that purchased noted security company Counterpane (including Bruce Schneier), can have critical security errors in its consumer level devices, it doesn't bode well for the many other ISPs that provide slightly modified devices to their own customers, even if they are nothing like the Home Hub in appearance or capability.
As with any other network or computing device, the safest approach is to always assume that it is or can be compromised, and to be aware of what information is being sent through or stored on it.

2.4 What makes for a Dangerous Domain?

McAfee recently published a study that identifies what could be described as the world's most dangerous top level domain (.hk). According to McAfee's report, 19% of .hk domains are alleged to be serving malware or are otherwise considered potentially risky for site visitors. Two other top level domains, .cn and .info, were identified as having more than 11% of their sites flagged as risky, with the .com domain having only about 5% of its sites considered risky.

While raw percentages give a quick first impression, in terms of the overall number of sites considered dangerous there are more on the .com domain than on .hk. The other question not quite answered by the research is how likely a generic Internet user is to stumble across one of these malicious sites, and how obvious it is going to be that they have done so when they have.

One suggestion for improving the data collection and reporting would be to report the numbers by IP block. This would give a better indication of where on the Internet malicious (and potentially malicious) sites are located, and also of which network providers are more accommodating to these sites. It would also make the life of other admins much simpler in terms of limiting network traffic to dangerous sites.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.

Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.
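Returning to the point made in section 2.4 above: the following Python script is an added example, not part of the Sunnet Beskerming advisory and not derived from McAfee's report. It uses a small constructed list of domains, hosting addresses and risk flags (documentation IP ranges only, no real networks) to show two things the section argues in prose: that a small TLD can show the highest percentage of risky sites while a large TLD hosts more risky sites in absolute numbers, and what a per-IP-block summary of the same flagged sites looks like, which is the reporting the section suggests as more useful to network admins.

```python
"""Aggregate a constructed list of flagged domains by TLD and by IP block.

Added example: the domains, addresses and risk flags below are made up to
illustrate the reasoning in section 2.4 of the advisory; they are not
McAfee's data and the addresses are RFC 5737 documentation ranges.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: (domain, hosting IP, flagged as risky).
# 5 .hk domains with 2 flagged (40%), 20 .com domains with 3 flagged (15%).
SAMPLE = [
    ("a.example.hk", "198.51.100.10", True),
    ("b.example.hk", "198.51.100.11", True),
    ("c.example.hk", "203.0.113.5", False),
    ("d.example.hk", "203.0.113.6", False),
    ("e.example.hk", "203.0.113.7", False),
] + [
    (f"site{i}.example.com", f"203.0.113.{20 + i}", False) for i in range(17)
] + [
    ("bad1.example.com", "198.51.100.12", True),
    ("bad2.example.com", "198.51.100.13", True),
    ("bad3.example.com", "192.0.2.40", True),
]


def tld_of(domain: str) -> str:
    """Return the top level domain of a host name, with a leading dot."""
    return "." + domain.rsplit(".", 1)[-1].lower()


def risk_by_tld(records):
    """Return {tld: (risky_count, total_count, percent_risky)}."""
    risky = defaultdict(int)
    total = defaultdict(int)
    for domain, _ip, flagged in records:
        tld = tld_of(domain)
        total[tld] += 1
        if flagged:
            risky[tld] += 1
    return {
        t: (risky[t], total[t], round(100.0 * risky[t] / total[t], 1))
        for t in total
    }


def risk_by_block(records, prefix_len=24):
    """Count flagged hosts per /prefix_len network, most flagged block first.

    This is the per-IP-block view the advisory suggests: it shows which
    networks host the flagged sites, regardless of which TLD the names use.
    """
    counts = defaultdict(int)
    for _domain, ip, flagged in records:
        if not flagged:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))


def most_risky_by_percent(by_tld):
    """TLD with the highest share of flagged sites (the headline figure)."""
    return max(by_tld, key=lambda t: by_tld[t][2])


def most_risky_by_count(by_tld):
    """TLD with the most flagged sites in absolute terms."""
    return max(by_tld, key=lambda t: by_tld[t][0])


if __name__ == "__main__":
    by_tld = risk_by_tld(SAMPLE)
    for tld, (r, n, pct) in sorted(by_tld.items()):
        print(f"{tld:6} {r:3}/{n:<3} flagged ({pct}%)")
    print("highest percentage:    ", most_risky_by_percent(by_tld))  # .hk
    print("highest absolute count:", most_risky_by_count(by_tld))    # .com
    for net, c in risk_by_block(SAMPLE).items():
        print(f"{net:20} {c} flagged host(s)")
```

On the constructed sample the two headline functions disagree, .hk by percentage and .com by count, which is exactly the distinction the section draws between the 19% figure and the total number of risky sites. The block view then shows that four of the five flagged hosts sit in one /24, information neither TLD figure exposes and the kind of thing an admin can act on with a single filter rule.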