[Sunnet Alert] Advisory #256 - Microsoft (Multiple), QuickTime, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Fri Jun 13 17:34:19 EST 2008
Sûnnet Beskerming Alert List Advisory #256
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 3 days
1.2 QuickTime
- Remote Hacker Automatic Control
- Time Since Discovery - 3 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Website Defacement Group Arrested After Going too far
2.2 An Interesting Firefox Flaw
2.3 BT Home Hub Still full of Holes
2.4 What makes for a Dangerous Domain?
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Microsoft Office
Windows
Internet Explorer
-- Technical Description --
MS08-030 - Bluetooth. Remote code execution. Critical
MS08-031 - Internet Explorer cumulative update. Multiple remote code
execution. Replaces MS08-024. Critical
MS08-032 - Speech API. Remote code execution. Replaces MS08-023.
Moderate
MS08-033 - DirectX. Code execution. Replaces MS07-064. Critical
MS08-034 - WINS. Privilege escalation. Replaces MS04-045. Important
MS08-035 - LDAP - Active Directory. Denial of Service. Replaces
MS08-003. Important
MS08-036 - Microsoft Message Queuing. Denial of Service. Replaces
MS06-052. Important
-- Description --
Microsoft has provided seven patches with the June Security Patch
Release. Of the patches, three are rated as Critical, three as
Important, and the remaining patch as Moderate. Exploit data for some
of the Internet Explorer (MS08-031) and Speech API (MS08-032)
vulnerabilities has been publicly available, but limited in
distribution.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-jun.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-030.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-031.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-032.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-033.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-034.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-035.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-036.mspx
-- External Tracking Data --
CVE-ID: CVE-2008-1453 (MS08-030)
CVE-ID: CVE-2008-1442 (MS08-031)
CVE-ID: CVE-2008-1544 (MS08-031)
CVE-ID: CVE-2007-0675 (MS08-032)
CVE-ID: CVE-2008-0011 (MS08-033)
CVE-ID: CVE-2008-1444 (MS08-033)
CVE-ID: CVE-2008-1451 (MS08-034)
CVE-ID: CVE-2008-1445 (MS08-035)
CVE-ID: CVE-2008-1440 (MS08-036)
CVE-ID: CVE-2008-1441 (MS08-036)
-- Threat Matrix --
              U    O
Home User    10   10  (Highly Critical)
Corporate    10   10  (Highly Critical)
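The bulletin and CVE-ID lines above are the kind of input a patch-tracking process has to ingest every month. The following is an added example, not code from this newsletter or from Microsoft: a small parser that reads the section 1.1 lines (copied here, one bulletin per line), cross-checks the severity tally stated in the description (three Critical, three Important, one Moderate), records which earlier bulletin each one replaces, attaches the CVE identifiers, and orders the bulletins Critical first for a rollout queue. The line format it assumes is the one used in this advisory; all function names are this example's own.

```python
"""Turn the bulletin and CVE lines of a monthly patch advisory into a tracking table."""
import re
from collections import Counter

# Copies of the section 1.1 lines, one bulletin per line (the advisory
# itself wraps two of them over a second line).
BULLETIN_LINES = """\
MS08-030 - Bluetooth. Remote code execution. Critical
MS08-031 - Internet Explorer cumulative update. multiple remote code execution. Replaces MS08-024. Critical
MS08-032 - Speech API. Remote code execution. Replaces MS08-023. Moderate
MS08-033 - DirectX. Code execution. Replaces MS07-064. Critical
MS08-034 - WINS. Privilege escalation. Replaces MS04-045. Important
MS08-035 - LDAP - Active Directory. Denial of Service. Replaces MS08-003. Important
MS08-036 - Microsoft Message Queuing. Denial of Service. Replaces MS06-052. Important
"""

CVE_LINES = """\
CVE-ID: CVE-2008-1453 (MS08-030)
CVE-ID: CVE-2008-1442 (MS08-031)
CVE-ID: CVE-2008-1544 (MS08-031)
CVE-ID: CVE-2007-0675 (MS08-032)
CVE-ID: CVE-2008-0011 (MS08-033)
CVE-ID: CVE-2008-1444 (MS08-033)
CVE-ID: CVE-2008-1451 (MS08-034)
CVE-ID: CVE-2008-1445 (MS08-035)
CVE-ID: CVE-2008-1440 (MS08-036)
CVE-ID: CVE-2008-1441 (MS08-036)
"""

SEVERITY_ORDER = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
BULLETIN_RE = re.compile(r"^(MS\d{2}-\d{3}) - (.+?)\s*(Critical|Important|Moderate|Low)$")
REPLACES_RE = re.compile(r"\bReplaces (MS\d{2}-\d{3})")
CVE_RE = re.compile(r"^CVE-ID:\s*(CVE-\d{4}-\d{4,})\s*\((MS\d{2}-\d{3})\)$")


def parse_bulletins(text):
    """Parse 'MSyy-nnn - component. impact. [Replaces MSyy-nnn.] Severity' lines."""
    bulletins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BULLETIN_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised bulletin line: {line!r}")
        bid, body, severity = m.groups()
        sentences = [s.strip() for s in body.split(".") if s.strip()]
        replaced = REPLACES_RE.search(body)
        bulletins[bid] = {
            "component": sentences[0],
            "impact": sentences[1] if len(sentences) > 1 else "",
            "severity": severity,
            "replaces": replaced.group(1) if replaced else None,
            "cves": [],
        }
    return bulletins


def attach_cves(bulletins, text):
    """Attach 'CVE-ID: CVE-... (MSyy-nnn)' lines; a CVE naming an unlisted bulletin is an error."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CVE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised CVE line: {line!r}")
        cve, bid = m.groups()
        if bid not in bulletins:
            raise ValueError(f"{cve} refers to unlisted bulletin {bid}")
        bulletins[bid]["cves"].append(cve)
    return bulletins


def severity_counts(bulletins):
    """Tally bulletins per severity, to cross-check the prose summary."""
    return Counter(b["severity"] for b in bulletins.values())


def supersedence(bulletins):
    """Map each bulletin to the earlier bulletin it replaces (None if it replaces nothing)."""
    return {bid: b["replaces"] for bid, b in bulletins.items()}


def missing_cves(bulletins):
    """Bulletins with no CVE attached, i.e. gaps in the tracking data."""
    return sorted(bid for bid, b in bulletins.items() if not b["cves"])


def deployment_order(bulletins):
    """Bulletin ids sorted Critical first, then by id, for a rollout queue."""
    return sorted(bulletins, key=lambda bid: (SEVERITY_ORDER[bulletins[bid]["severity"]], bid))


if __name__ == "__main__":
    table = attach_cves(parse_bulletins(BULLETIN_LINES), CVE_LINES)
    print(dict(severity_counts(table)), "missing CVEs:", missing_cves(table))
    for bid in deployment_order(table):
        b = table[bid]
        print(f"{bid} {b['severity']:<9} {b['component']:<30} {b['impact']:<30} {', '.join(b['cves'])}")
```

The two checks worth keeping in a real tracker are the ones that raise: a bulletin line that does not parse means the advisory format changed, and a CVE pointing at a bulletin that is not in the list means the tracking data and the patch list have drifted apart.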
1.2 QuickTime - Remote Hacker Automatic Control
-- Products Affected --
QuickTime versions prior to 7.5
-- Technical Description --
QuickTime 7.5 has been released, incorporating several critical
security patches, including patches for remote code execution risks
associated with PICT file handling, AAC-encoded file handling, Indeo
video content, and QuickTime media content. The underlying flaws are a
range of heap overflows, stack overflows and URL handling issues, and
they affect both the OS X and Windows versions of QuickTime.
-- Description --
Earlier this week, Apple released version 7.5 of the QuickTime media
codec and associated player software. With the update, Apple provided
a range of critical security fixes which addressed a number of remote
code execution opportunities that were identified with QuickTime.
-- Recommended Action --
Update to QuickTime 7.5 when possible.
-- Source --
http://support.apple.com/kb/HT1222
-- Updates Available --
http://www.apple.com/quicktime/download/
-- External Tracking Data --
CVE-ID: CVE-2008-1581
CVE-ID: CVE-2008-1582
CVE-ID: CVE-2008-1583
CVE-ID: CVE-2008-1584
CVE-ID: CVE-2008-1585
-- Threat Matrix --
              U    O
Home User    10   10  (Highly Critical)
Corporate    10   10  (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Website Defacement Group Arrested After Going too far
Most website defacement groups are regarded as more of a nuisance than
a major threat. While they cost site operators and maintainers
valuable time and resources to recover damaged sections of their sites
and patch the entry points, generally the only damage done is a page
placed on the site to proclaim the technical prowess of the group,
before they run off and self-report to the world's largest online
defacement archive, Zone-H.
Sometimes the groups go further than the authorities are comfortable
with. Defacements of sites belonging to government agencies or bodies
have their own special place in the Zone-H archive, but most of the
time these defacements are treated exactly the same as those of
non-government sites - as a nuisance.
For one Spanish group, hacking a Spanish political site was the one
step too far, eventually resulting in their arrest. Spanish sites
weren't the only sites that they defaced: numerous US sites, including
NASA sites, are on their list of defacements recorded at Zone-H.
2.2 An Interesting Firefox Flaw
Ronald van den Heetkamp has published information about an interesting
heap corruption in Firefox.
Put simply, he found that merely calling document.open, document.write
and document.close in close succession can sometimes result in code
not being executed before the document is closed, along with other
inconsistent behaviour from Firefox. The interesting aspect of what
Ronald has discovered is that using an empty applet leads to a fairly
predictable denial of service a couple of minutes after the initial
code is loaded. Based on the information provided, it is predictable
in the sense that the browser can be assumed to become unresponsive
within a few minutes of loading the code, even though the underlying
mechanism of just how the code causes the failure is not understood.
Although Ronald has not developed his example to the point of
executing code, the sample gives an easy starting point for further
investigation and development. Not every heap corruption ends in
arbitrary code execution, but on initial view it does seem possible
with this particular vulnerability. At the moment it is an interesting
and simple denial of service vulnerability.
2.3 BT Home Hub Still full of Holes
British Hacker group GNUCITIZEN, and in particular Adrian 'pagvac'
Pastor, have been focussing on the BT (British Telecom) Home Hub, an
ADSL modem capable of acting as a wireless access point and
interfacing with DECT compliant telephone handsets (the standard used
in most cordless handsets) as well as supporting VoIP. In their past
research, GNUCITIZEN identified several methods to compromise various
features of the BT Home Hub, including the complete takeover of the
device by a remote attacker, provided that the local user could be
convinced to visit a malicious website.
Some of the modifications made by BT to address the concerns raised by
GNUCITIZEN included changing the default password of the Home Hub to
the serial number of the device. On initial observation, this gives
each device a unique root password that should be non-guessable by a
remote attacker, neutralising the techniques otherwise used to
compromise the system.
Recent work, however, has shown that this serial number is
recoverable, and with it control of the device. To achieve this, a
local network request is made using the Multi Directory Access
Protocol (MDAP), to which the device responds with its ID number; that
ID, prefixed with 'CP', gives the serial number and therefore the
default password for the device.
Limiting the impact of the discovery is the requirement for the
attacker to be on the same LAN as the router, either through a wired
or wireless connection. Given that the wireless connection is only
secured with WEP, it isn't going to take long for a casual wardriver
to break into a targeted device. Alternatively, techniques described
by other researchers that allow local LAN resources to be probed
remotely could be blended in to give the remote attacker all the
information they need without actually having to be present on the
LAN.
While this is a real concern, Adrian points out that there are still
critical UPnP port forwarding vulnerabilities that leave the Home Hub
just as vulnerable. Given the numerous capabilities of the device and
what it is designed to be used for, anything that could allow a remote
attacker to capture all Internet and telephony traffic passing through
the device is going to have serious consequences.
If BT, the company that purchased noted security company Counterpane
(including Bruce Schneier), can have critical security errors in its
consumer level devices, it doesn't bode well for the many other ISPs
that provide slightly modified devices to their own customers, even if
they are nothing like the Home Hub in appearance or capability. As
with any other network or computing device, the safest approach to
take is to always assume that it is or can be compromised and be aware
of what information is being sent through or stored on it.
2.4 What makes for a Dangerous Domain?
McAfee recently published a study that identifies what could be
described as the world's most dangerous top level domain (.hk).
According to McAfee's report, 19% of .hk domains are alleged to be
serving malware or otherwise considered potentially risky for site
visitors. Two other top level domains, .cn and .info were identified
as having more than 11% of their sites identified as being risky, with
the .com domain only having about 5% of the total sites on that domain
being considered risky.
While raw percentages give a quick first impression, in terms of the
overall number of sites considered dangerous, there are more on the
.com domain than on .hk. The other question not quite answered by the
research is how likely a typical Internet user is to stumble across
one of these malicious sites, and how obvious it will be that they
have done so when they have.
One way to improve the data collection and reporting would be to
report the numbers by IP block. This would give a better indication of
where on the Internet malicious (and potentially malicious) sites are
located, and also which network providers are more accommodating to
these sites. It would also make life much simpler for other admins
when it comes to limiting network traffic to dangerous sites.
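The argument in this item separates rate (the percentage of risky sites within a top level domain) from volume (the absolute count), and proposes reporting by IP block instead. As an added example, which is not part of McAfee's study or of this newsletter, the Python below computes both views over a small constructed dataset. The hostnames, addresses (taken from the RFC 5737 documentation ranges) and risk flags are made up to illustrate the point, not McAfee's figures, and every function name is this example's own.

```python
"""Risk rate versus risk volume: the same sample tallied by TLD and by IP block."""
import ipaddress
from collections import defaultdict

# Constructed records (hostname, IPv4 address, flagged_risky). The
# addresses are RFC 5737 documentation ranges, not real hosts.
RECORDS = [
    ("shop.example.hk", "203.0.113.10", True),
    ("news.example.hk", "203.0.113.11", True),
    ("bank.example.hk", "198.51.100.5", False),
    ("travel.example.hk", "198.51.100.6", False),
    ("mail.example.hk", "198.51.100.7", False),
    ("promo-a.example.com", "203.0.113.12", True),
    ("promo-b.example.com", "203.0.113.13", True),
    ("promo-c.example.com", "203.0.113.14", True),
] + [(f"site{i}.example.com", f"192.0.2.{i}", False) for i in range(1, 10)]


def tld_of(hostname):
    """Return the last DNS label, e.g. 'hk' for 'shop.example.hk'."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def block_of(ip, prefix_len=24):
    """Return the enclosing network of an address as text, e.g. '203.0.113.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def tally(records, key_fn):
    """Group records by key_fn(hostname, ip) -> {key: (risky, total, percent)}."""
    risky = defaultdict(int)
    total = defaultdict(int)
    for hostname, ip, is_risky in records:
        key = key_fn(hostname, ip)
        total[key] += 1
        if is_risky:
            risky[key] += 1
    return {k: (risky[k], total[k], 100.0 * risky[k] / total[k]) for k in total}


def by_tld(records):
    """The per-TLD view used in the McAfee-style report."""
    return tally(records, lambda host, ip: tld_of(host))


def by_block(records, prefix_len=24):
    """The per-IP-block view the news item proposes instead."""
    return tally(records, lambda host, ip: block_of(ip, prefix_len))


def most_risky_by_count(stats):
    """Key holding the largest absolute number of risky sites."""
    return max(stats, key=lambda k: stats[k][0])


def most_risky_by_rate(stats):
    """Key with the highest percentage of risky sites."""
    return max(stats, key=lambda k: stats[k][2])


if __name__ == "__main__":
    tld = by_tld(RECORDS)
    for k, (r, t, pct) in sorted(tld.items()):
        print(f".{k:<5} {r:>3}/{t:<3} risky ({pct:5.1f}%)")
    print("highest rate:", most_risky_by_rate(tld), "| most risky sites:", most_risky_by_count(tld))
    for k, (r, t, pct) in sorted(by_block(RECORDS).items()):
        print(f"{k:<18} {r:>3}/{t:<3} risky ({pct:5.1f}%)")
```

On this sample .hk has the higher rate (2 of 5) while .com has the larger count (3 of 12), which is exactly the distinction the item draws; the /24 view then shows that all five risky hosts sit in one block, which is the information an administrator can actually act on with a network filter.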
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.