Archive for August, 2011

National Cyber Alert System Cyber Security Bulletin SB11-241

Wednesday, August 31st, 2011

Excerpt from US-CERT.gov: Vulnerability Summary for the Week of August 22, 2011

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, as determined by the Common Vulnerability Scoring System (CVSS) standard. The high, medium, and low severity divisions correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
aimluck — aipo | SQL injection vulnerability in Aimluck Aipo before 5.1.1, and Aipo for ASP before 5.1.1, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 2011-08-19 | 7.5 | CVE-2011-1342
emc — autostart | Multiple buffer overflows in EMC AutoStart 5.3.x and 5.4.x before 5.4.1 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by sending a crafted message over TCP. | 2011-08-23 | 7.9 | CVE-2011-2735
freetype — freetype | The LZW decompressor in (1) the BufCompressedFill function in fontfile/decompress.c in X.Org libXfont before 1.4.4 and (2) compress/compress.c in 4.3BSD, as used in zopen.c in OpenBSD before 3.8, FreeBSD, NetBSD, FreeType 2.1.9, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows context-dependent attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2896. | 2011-08-19 | 9.3 | CVE-2011-2895
marcus_schafer — kiwi | Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows attackers to have an unknown impact via a crafted directory pathname that is inserted into config.sh. | 2011-08-23 | 9.3 | CVE-2011-2225
marcus_schafer — kiwi | Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a crafted filename for a custom RPM. | 2011-08-23 | 7.5 | CVE-2011-2645
marcus_schafer — kiwi | Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a crafted filename in the list of testdrive modified files. | 2011-08-23 | 7.5 | CVE-2011-2646
marcus_schafer — kiwi | Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a crafted archive name in the list of testdrive modified files. | 2011-08-23 | 7.5 | CVE-2011-2647
marcus_schafer — kiwi | Unspecified vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a filter in a modified file. | 2011-08-23 | 7.5 | CVE-2011-2648
marcus_schafer — kiwi | Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows attackers to execute arbitrary commands via shell metacharacters in an unspecified FileUtils function call. | 2011-08-23 | 7.5 | CVE-2011-2649
marcus_schafer — kiwi | Unspecified vulnerability in the file browser in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to execute arbitrary code via a crafted filename. | 2011-08-23 | 7.5 | CVE-2011-2651
php — php | Buffer overflow in the crypt function in PHP before 5.3.7 allows context-dependent attackers to have an unspecified impact via a long salt argument, a different vulnerability than CVE-2011-2483. | 2011-08-25 | 10.0 | CVE-2011-3268
snitz — snitz_forums_2000 | SQL injection vulnerability in members.asp in Snitz Forums 2000 3.4.07 allows remote attackers to execute arbitrary SQL commands via the M_NAME parameter. NOTE: some of these details are obtained from third party information. | 2011-08-24 | 7.5 | CVE-2010-4826
stunnel — stunnel | stunnel 4.40 and 4.41 might allow remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors. | 2011-08-25 | 9.3 | CVE-2011-2940
symantec — netbackup_puredisk | Multiple integer overflows in vxsvc.exe in the Veritas Enterprise Administrator service in Symantec Veritas Storage Foundation 5.1 and earlier, Veritas Storage Foundation Cluster File System (SFCFS) 5.1 and earlier, Veritas Storage Foundation Cluster File System Enterprise for Oracle RAC (SFCFSORAC) 5.1 and earlier, Veritas Dynamic Multi-Pathing (DMP) 5.1, and NetBackup PureDisk 6.5.x through 6.6.1.x allow remote attackers to execute arbitrary code via (1) a crafted Unicode string, related to the vxveautil.value_binary_unpack function; (2) a crafted ASCII string, related to the vxveautil.value_binary_unpack function; or (3) a crafted value, related to the vxveautil.kv_binary_unpack function, leading to a buffer overflow. | 2011-08-19 | 10.0 | CVE-2011-0547
t-dreams — cars_ads_package | SQL injection vulnerability in processview.asp in Techno Dreams (T-Dreams) Cars Ads Package 2.0 allows remote attackers to execute arbitrary SQL commands via the key parameter. | 2011-08-24 | 7.5 | CVE-2010-4829
t-dreams — job_career_package | SQL injection vulnerability in Resumes/TD_RESUME_Indlist.asp in Techno Dreams (T-Dreams) Job Career Package 3.0 allows remote attackers to execute arbitrary SQL commands via the z_Residency parameter. | 2011-08-24 | 7.5 | CVE-2010-4830

Medium Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
aimluck — aipo | Cross-site request forgery (CSRF) vulnerability in Aimluck Aipo before 4.0.4.0, and Aipo for ASP before 4.0.4.0, allows remote attackers to hijack the authentication of administrators for requests that modify data. | 2011-08-19 | 6.8 | CVE-2011-1341
apple — cups | The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895. | 2011-08-19 | 5.1 | CVE-2011-2896
apple — cups | The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896. | 2011-08-19 | 5.1 | CVE-2011-3170
hp — openview_performance_insight | Cross-site scripting (XSS) vulnerability in HP OpenView Performance Insight 5.3, 5.31, 5.4, 5.41, 5.41.001, and 5.41.002 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2011-08-19 | 4.3 | CVE-2011-2410
marcus_schafer — kiwi | Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a pattern listing. | 2011-08-23 | 4.3 | CVE-2011-2226
marcus_schafer — kiwi | Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to an RPM info display. | 2011-08-23 | 4.3 | CVE-2011-2644
marcus_schafer — kiwi | Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via a crafted pattern name that is included in an RPM info display. | 2011-08-23 | 4.3 | CVE-2011-2650
marcus_schafer — kiwi | Cross-site scripting (XSS) vulnerability in Kiwi before 3.74.2, as used in SUSE Studio 1.1 before 1.1.4, allows remote attackers to inject arbitrary web script or HTML via a crafted archive file list that is used in an overlay file. | 2011-08-23 | 4.3 | CVE-2011-2652
php — php | The (1) ZipArchive::addGlob and (2) ZipArchive::addPattern functions in ext/zip/php_zip.c in PHP 5.3.6 allow context-dependent attackers to cause a denial of service (application crash) via certain flags arguments, as demonstrated by (a) GLOB_ALTDIRFUNC and (b) GLOB_APPEND. | 2011-08-25 | 5.0 | CVE-2011-1657
php — php | crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash. | 2011-08-25 | 5.0 | CVE-2011-2483
php — php | PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function. | 2011-08-25 | 5.0 | CVE-2011-3182
php — php | The crypt function in PHP 5.3.7, when the MD5 hash type is used, returns the value of the salt argument instead of the hashed string, which might allow remote attackers to bypass authentication via an arbitrary password, a different vulnerability than CVE-2011-2483. | 2011-08-25 | 4.3 | CVE-2011-3189
php — php | PHP before 5.3.7 does not properly implement the error_log function, which allows context-dependent attackers to cause a denial of service (application crash) via unspecified vectors. | 2011-08-25 | 5.0 | CVE-2011-3267
pleer — wp-twitter-feed | Cross-site scripting (XSS) vulnerability in magpie_debug.php in the Twitter Feed plugin (wp-twitter-feed) 0.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the url parameter. | 2011-08-24 | 4.3 | CVE-2010-4825
rsa — envision | RSA enVision 4.x before 4 SP4 P3 places cleartext administrative credentials in Task Escalation e-mail messages, which allows remote attackers to obtain sensitive information by sniffing the network or leveraging access to a recipient mailbox. | 2011-08-25 | 5.0 | CVE-2011-2736
rsa — envision | RSA enVision 3.x and 4.x before 4 SP4 P3 allows remote attackers to read arbitrary files via unspecified vectors, related to an “arbitrary file retrieval vulnerability.” | 2011-08-25 | 5.0 | CVE-2011-2737
snitz — snitz_forums_2000 | Cross-site scripting (XSS) vulnerability in members.asp in Snitz Forums 2000 3.4.07 allows remote attackers to inject arbitrary web script or HTML via the M_NAME parameter. NOTE: some of these details are obtained from third party information. | 2011-08-24 | 4.3 | CVE-2010-4827
solarwinds — orion_network_performance_monitor | Multiple cross-site scripting (XSS) vulnerabilities in SolarWinds Orion Network Performance Monitor (NPM) 10.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Title parameter to MapView.aspx; NetObject parameter to (2) NodeDetails.aspx and (3) InterfaceDetails.aspx; and the (4) ChartName parameter to CustomChart.aspx. | 2011-08-24 | 4.3 | CVE-2010-4828
wireshark — wireshark | Off-by-one error in the elem_cell_id_aux function in epan/dissectors/packet-ansi_a.c in the ANSI MAP dissector in Wireshark 1.4.x before 1.4.8 and 1.6.x before 1.6.1 allows remote attackers to cause a denial of service (infinite loop) via an invalid packet. | 2011-08-23 | 4.3 | CVE-2011-2698
zabbix — zabbix | Cross-site scripting (XSS) vulnerability in acknow.php in Zabbix before 1.8.6 allows remote attackers to inject arbitrary web script or HTML via the backurl parameter. | 2011-08-19 | 4.3 | CVE-2011-2904
zabbix — zabbix | zabbix_agentd in Zabbix before 1.8.6 and 1.9.x before 1.9.4 allows context-dependent attackers to cause a denial of service (CPU consumption) by executing the vfs.file.cksum command for a special device, as demonstrated by the /dev/urandom device. | 2011-08-19 | 5.0 | CVE-2011-3263
zabbix — zabbix | Zabbix before 1.8.6 allows remote attackers to obtain sensitive information via an invalid srcfld2 parameter to popup.php, which reveals the installation path in an error message. | 2011-08-19 | 5.0 | CVE-2011-3264
zabbix — zabbix | popup.php in Zabbix before 1.8.7 allows remote attackers to read the contents of arbitrary database tables via a modified srctbl parameter. | 2011-08-19 | 5.0 | CVE-2011-3265
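The LZW entries in this bulletin (CVE-2011-2895, CVE-2011-2896 and CVE-2011-3170) all come down to a decoder trusting a code word as a table index: either a code that is not yet defined, or a non-literal first code for which no prefix string exists yet. The decoder below is an added example, not code from the bulletin or from any of the affected projects; it assumes a simplified stream of already-unpacked 16-bit codes with 256 as the first dynamic code and no clear or end-of-information codes, and shows the checks that reject such streams rather than indexing past the table or looping.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal LZW decoder hardened against the two bug classes named in the
 * bulletin: a code word absent from the table (anything beyond the one-ahead
 * "KwKwK" code) and a first code word that is not a literal.
 * Assumption (not from the page): codes are already unpacked 16-bit values,
 * 256 is the first dynamically assigned code, no clear/EOI codes. */
#define LZW_MAX_CODES 4096   /* 12-bit code space, as in GIF and compress(1) */
#define LZW_NONE      0xFFFF /* "no previous code" / "no prefix" marker */

typedef struct {
    uint16_t prefix[LZW_MAX_CODES]; /* code of the entry's prefix string */
    uint8_t  suffix[LZW_MAX_CODES]; /* final byte of the entry */
    uint16_t length[LZW_MAX_CODES]; /* decoded length of the entry */
    uint16_t next;                  /* next free slot in the table */
} lzw_table;

static void table_init(lzw_table *t) {
    for (unsigned c = 0; c < 256; c++) {
        t->prefix[c] = LZW_NONE;
        t->suffix[c] = (uint8_t)c;
        t->length[c] = 1;
    }
    t->next = 256;
}

/* Write entry `code` into dst (caller has checked it fits); return its first byte. */
static uint8_t emit_entry(const lzw_table *t, uint16_t code, uint8_t *dst) {
    size_t i = t->length[code];
    while (i-- > 0) {
        dst[i] = t->suffix[code];
        code = t->prefix[code];
    }
    return dst[0];
}

/* Decode ncodes codes into out; return bytes written, or -1 on a malformed stream. */
long lzw_decode(const uint16_t *codes, size_t ncodes, uint8_t *out, size_t outcap) {
    lzw_table t;
    size_t outlen = 0;
    uint16_t prev = LZW_NONE;
    table_init(&t);
    for (size_t i = 0; i < ncodes; i++) {
        uint16_t code = codes[i];
        uint16_t entry_len;
        uint8_t first;
        if (code < t.next) {
            /* Ordinary case: the code is already defined in the table. */
            entry_len = t.length[code];
            if (outlen + entry_len > outcap) return -1;
            first = emit_entry(&t, code, out + outlen);
        } else if (code == t.next && t.next < LZW_MAX_CODES && prev != LZW_NONE) {
            /* One-ahead ("KwKwK") case: entry is prev + first byte of prev. It is
             * the only undefined code a valid stream may use, and never first. */
            entry_len = (uint16_t)(t.length[prev] + 1);
            if (outlen + entry_len > outcap) return -1;
            first = emit_entry(&t, prev, out + outlen);
            out[outlen + entry_len - 1] = first;
        } else {
            /* Absent code word: the vulnerable decoders indexed the table here
             * anyway; a correct decoder rejects the stream instead. */
            return -1;
        }
        /* Define prev + first as the next table entry, once there is a prev. */
        if (prev != LZW_NONE && t.next < LZW_MAX_CODES) {
            t.prefix[t.next] = prev;
            t.suffix[t.next] = first;
            t.length[t.next] = (uint16_t)(t.length[prev] + 1);
            t.next++;
        }
        outlen += entry_len;
        prev = code;
    }
    return (long)outlen;
}

/* Constructed sample streams (not from the page). "ABABABA" encodes as 65 66 256 258. */
static const uint16_t GOOD[]      = {65, 66, 256, 258};
static const uint16_t ABSENT[]    = {65, 300}; /* 300 is neither defined nor one-ahead */
static const uint16_t BAD_FIRST[] = {256, 65}; /* non-literal first code has no prefix */

long demo_valid_stream(void) {
    uint8_t out[16];
    long n = lzw_decode(GOOD, 4, out, sizeof out);
    return (n == 7 && memcmp(out, "ABABABA", 7) == 0) ? n : -1;
}
long demo_absent_code(void)      { uint8_t out[16]; return lzw_decode(ABSENT, 2, out, sizeof out); }
long demo_bad_first_code(void)   { uint8_t out[16]; return lzw_decode(BAD_FIRST, 2, out, sizeof out); }
long demo_output_too_small(void) { uint8_t out[4];  return lzw_decode(GOOD, 4, out, sizeof out); }

int main(void) {
    printf("valid=%ld absent=%ld bad_first=%ld too_small=%ld\n", demo_valid_stream(),
           demo_absent_code(), demo_bad_first_code(), demo_output_too_small());
    return 0;
}
```

The output-capacity check before every write is what turns the heap overflow into a clean error; the `prev != LZW_NONE` condition is what the first-code-word fix amounts to.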

Low Vulnerabilities
Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
citrix — xen | tools/libxc/xc_dom_bzimageloader.c in Xen 3.2, 3.3, 4.0, and 4.1 allows local users to cause a denial of service (management software infinite loop and management domain resource consumption) via unspecified vectors related to “Lack of error checking in the decompression loop.” | 2011-08-19 | 2.1 | CVE-2011-3262
wireshark — wireshark | The proto_tree_add_item function in Wireshark 1.6.1, when the IKEv1 protocol dissector is used, allows user-assisted remote attackers to cause a denial of service (infinite loop) via vectors involving a malformed IKE packet and many items in a tree. | 2011-08-23 | 2.6 | CVE-2011-3266

Microsoft Overhauls Windows Explorer in Windows 8

Thursday, August 25th, 2011

Hold onto your socks Windows 8 fans, because Microsoft is adding some new enhancements to its file manager application, Windows Explorer, in the next version of its popular operating system. And the first Explorer feature Microsoft wants to show off is (drumroll please): the new copy dialog. Huh?

I know, I know, copying functions may elicit yawns from many of you, but copying, moving, renaming and deleting files are the most oft-used features of Windows Explorer. Microsoft says these four basic functions account for 50 percent of all Explorer usage in Windows 7. That means there’s a lot of file management going on for the average Windows 7 user every day.

So while these changes may not be as exciting as, say, a brand new touch-centric overlay, improvements to the way Windows handles copying could improve your overall OS experience, as long as you’re into copying multiple files, that is.

This One’s For The Multitaskers

Microsoft’s copying overhaul doesn’t really improve much for people who typically move around one file or folder at a time or are used to handling small text files. But if you find yourself moving around large amounts of data such as photos and videos, then Windows 8 aims to make your copying experience easier.

Microsoft says it had three goals for its new copy dialog: move all copy jobs into one window, simplify the UI and give you more control over any operations in progress. Here’s what you have to look forward to when copying files in Windows 8.

Copy Central

Instead of having multiple windows open for each file, Windows 8 will automatically merge all copy jobs into one central window. The basic view shows you how many items are being copied in each job, their source and destination folders, and a progress bar. There are also pause and cancel buttons if you’d like to speed up one copy job by putting the other on hold or cancel one altogether. The source and destination folders are also clickable so you can open up those folders directly from the copy dialog.

If you want more details about your copy job, click on the “More details” disclosure button at the bottom of the window. Opening this up shows you a new real-time throughput graph, speed of data transfer, time remaining and how much data is left to transfer.

Microsoft also says it has improved its time estimates for how long it takes for a copy job to finish, but didn’t go into detail about what those improvements are. The Windows maker did point out that getting a precise time estimate is nearly impossible. There are just too many variables to account for, according to Microsoft, such as whether your anti-virus program will start scanning files on your hard drive halfway through the transfer.

Microsoft also warned that while the new copy dialog offers detailed information it was not designed to be a benchmarking tool.

Filename Collisions

[Image: Windows 7 Conflict Resolution Dialog]

Windows 8 has a new way to handle alerts when you are about to copy a file with the same name as another file in your destination folder, a problem Microsoft calls a filename collision. This can happen if you maintain a separate folder for editing photos and don’t bother to change the filename. Or, you receive a revised copy of a contract via email and dump it into your contracts folder.

Before Windows 8 lets you overwrite your old file, you’ll be met with three choices that are somewhat similar to Windows 7: replace all the old files in the destination folder, skip copying the new files or choose the files to keep in the destination folder.

[Image: Windows 8 Conflict Resolution Dialog]

If you choose the latter, a new dialog pops up showing you the files you want to copy in the left column and the files with the same name in the destination folder on the right. The dialog shows the file names, dates that each file was created, and each file’s size. You can also hover over each file to see its location or you can double click on a file to open it. When you’re ready to choose the files you want to keep, just click the check boxes next to the files, press “Continue” and you’re done. If you don’t click a check box next to one of your two colliding files, Windows 8 errs on the side of caution and keeps your old version intact.

New Windows 8 Start Icon?

Beyond the new copying features, online sleuths have been trying to glean other tidbits of information from Microsoft’s new Windows 8 demo. UK-based blog My Microsoft Life believes it saw a new Windows start icon at the beginning of the video below, but it’s hard to say for sure. Keep an eye on the screen behind Microsoft’s Alex Simons and let us know what you think in the comments. Microsoft also has a larger version of the copy dialog video to get a better look at the screen.

Source: pcworld.com

Yale warns 43,000 about 10-month-long data breach

Tuesday, August 23rd, 2011

FTP server on which data was stored became searchable by Google in September

Yale University has notified about 43,000 faculty, staff, students and alumni that their names and Social Security numbers were publicly available via Google search for about 10 months.

All of the victims were affiliated with Yale in 1999, and are being offered identity theft insurance and free credit monitoring services for two years, the university said in a statement last week.

The breach resulted when a File Transfer Protocol (FTP) server on which the data was stored became searchable via Google as the result of a change the search engine giant made last September, the Yale Daily News reported.

The online publication reported that Yale IT Services Director Len Peters said the FTP server holding the compromised information was used mainly for open-source materials.

In September 2010, Google made a change that allowed its search engine to index and find FTP servers. But university IT officials were unaware of the change, Peters told the Daily News.

When Yale discovered the breach in June, it immediately took the server offline, deleted the sensitive data and evaluated whether there were any other files containing similar data on the FTP server, Peters said.

In a statement to Computerworld, Yale officials made no mention of how the data was compromised. But the school said it has “secured” the file and Google has confirmed that its search engine no longer stores any information from it.

The statement doesn’t say how Yale discovered the breach, nor whether any of the data available via Google was accessed by anyone. Peters told the campus publication that the file and the directory in which the exposed information was stored had innocuous sounding names that are unlikely to have tipped off others about the contents.

This is the second publicly known breach in the last two months involving the inadvertent exposure of sensitive data on the Web. In June, Southern California Medical-Legal Consultants Inc. (SCMLC) said that the names and Social Security numbers of about 300,000 people who had filed for California workers compensation had been potentially compromised. That breach resulted when an internal server on which the data was stored became exposed to web searches.

SCMLC learned of the breach from security firm Identity Finder. In a statement, Identity Finder said that its security researchers had uncovered 3,875 uncompressed files containing several gigabytes of personal data on an SCMLC server that was exposed to the Web.

“The files were neither encrypted nor password-protected and some were cached by at least one major search engine,” Identity Finder said. The company subsequently worked with Google to clear search engine caches, a spokesman for the company said. As of today, Google caches are clear of sensitive personal information from SCMLC, the spokesman said.

Source: computerworld.com

Security flaw found in Feds’ digital radios

Thursday, August 11th, 2011

Expensive high-tech digital radios used by the FBI, Secret Service, and Homeland Security are designed so poorly that they can be jammed by a $30 children’s toy, CNET has learned.

A GirlTech IMME, Mattel’s pink instant-messaging device with a miniature keyboard that’s marketed to pre-teen girls, can be used to disrupt sensitive radio communications used by every major federal law enforcement agency, a team of security researchers from the University of Pennsylvania is planning to announce tomorrow.

Converting the GirlTech gadget into a jammer may be beyond the ability of a street criminal for now, but that won’t last, says associate professor Matt Blaze, who co-authored the paper that will be presented tomorrow at the Usenix Security symposium in San Francisco. CNET obtained a copy of the paper, which will be made publicly available in the afternoon.

“It’s going to be someone somewhere creating the Project 25 jamming kit and it’ll be something that you download from the Net,” Blaze said. “We’re not there right now, but we’re pretty close.”

Project 25, sometimes abbreviated as P25, is the name of the wireless standard used in the radios, which have been widely adopted across the federal government and many state and local police agencies over the last decade. The plan was to boost interoperability, so different agencies would be able to talk to one another, while providing secure encrypted communications.

The radios aren’t cheap. A handheld Midland P25 Digital sells for $3,295, and scanners are closer to $450.

But federal agents frequently don’t turn encryption on, the researchers found. (Their paper is titled “A Security Analysis of the APCO Project 25 Two-Way Radio System,” and the other authors are Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, and Kevin Xu.)

Here’s an excerpt:

The traffic we monitored routinely disclosed some of the most sensitive law enforcement information that the government holds, including: Names and locations of criminal investigative targets, including those involved in organized crime… Information relayed by Title III wiretap plants… Plans for forthcoming arrests, raids and other confidential operations…

On some days, particularly weekends and holidays, we would capture less than one minute, while on others, we captured several hours. We monitored sensitive transmissions about operations by agents in every Federal law enforcement agency in the Department of Justice and the Department of Homeland Security. Most traffic was apparently related to criminal law enforcement, but some of the traffic was clearly related to other sensitive operations, including counter-terrorism investigations and executive protection of high ranking officials…

To intercept the Project 25 radio communications, the researchers used a high-quality receiver that cost about $1,000 and can be purchased off-the-shelf. But, Blaze said, it’s possible to do it on the cheap: “You can do everything you need with equipment you can buy at Radio Shack… hobbyist-grade equipment.”

[Image: Motorola XTS5000 handheld, which uses the Project 25 standard]

Blaze said he has contacted the Justice Department and the Defense Department, which also uses Project 25 digital radios. “They are now aware of the problem and are trying to mitigate against it,” he said.

Representatives of the Association of Public-Safety Communications Officials (APCO), which has championed the Project 25 standard, did not respond to a request for comment this afternoon. Neither did the Telecommunications Industry Association, which maintains the standard.

The University of Pennsylvania researchers did not discover any vulnerabilities in the actual encryption algorithms used in the radios. They also chose not to disclose which agencies were the worst offenders, what cities the monitoring took place in, or what frequencies they found each agency used.

A third vulnerability they found was that each radio contains a unique identifier, akin to a phone number, that is broadcast in unencrypted form. So is the unique ID of the destination radio. That allows an eavesdropper to perform what’s known as traffic analysis, meaning tracking who’s talking to whom.

The reason jamming is relatively easy is that Project 25 doesn’t use spread spectrum, a technique that puts a would-be jammer at a disadvantage. Instead, P25 relies on metadata that must be received intact for the receiver to make sense of the rest of the communication. A pulse lasting just 1/100th of a second, it turns out, is enough to disrupt the transmission of that metadata.

This isn’t the first time that University of Pennsylvania researchers have taken a critical look at Project 25. Many of the same authors published a security analysis last November, which concluded that it’s “strikingly vulnerable to a range of attacks.”

Source: CNET

New IE9 update fixes several security flaws

Thursday, August 11th, 2011

Microsoft has rolled out a new update for Internet Explorer 9 that fixes a host of different security holes.

Launched yesterday on Microsoft’s familiar “Patch Tuesday,” the August 2011 Cumulative Security Update for Internet Explorer is a critical one that resolves issues not just in IE9 but in versions 6, 7, and 8 as well, according to a Microsoft blog. The update is available through Windows Update, so IE users who have Windows automatic updates turned on should have already received it.

The patch takes care of five holes in IE that were disclosed in coordination with Microsoft and two others that were publicly revealed. The most serious of the security flaws could let a hacker run code on a remote PC if the user visits a malicious Web page. Microsoft also advises that people who run accounts without administrative rights are generally better protected against these types of exploits.

Beyond patching the security holes, the 21MB update throws in some non-security fixes. One resolves an issue in which IE took a long time to open an e-mail on Outlook’s Web App. Another addresses a flaw in IE8 in which the browser may have frozen when opening some pages in Windows 7 or Windows Server 2008 R2.

Due to the critical nature of the security flaws, Microsoft is recommending that individual users who don’t have automatic updates turned on install the update manually as soon as possible. IT administrators will also want to roll out the update to their organizations using their own in-house update tools.

Yesterday’s Patch Tuesday was a big one for Microsoft and the third largest of 2011, according to security vendor McAfee. The folks in Redmond rolled out 13 security updates to fix 22 flaws that affected Windows, IE, Microsoft Office, the .Net Framework, and Microsoft Developer Tools.

“Overall this Patch Tuesday is on the large side,” Dave Marcus, director of security research and communications at McAfee Labs, said in a statement. “Although there are only two critical patches this month, this update comes after the July patches from Oracle and Apple, and there will be another release of critical patches for Adobe Flash Player [on Tuesday], leaving IT administrators with a full plate this summer.”

Marcus advises IT admins to place priority on the IE and Windows updates since their related vulnerabilities could “result in remote code execution attacks and can expose users to drive-by download attacks via the browser.”

Source: CNET

Viruses: Destroying your systems for 25 years

Monday, August 8th, 2011

LAS VEGAS–The hacker conference DefCon kicked off this morning with the rare public sighting of a now-archaic piece of technology: the 5 1/4-inch floppy disk. Mikko Hypponen, the chief technical officer for the Finnish security company F-Secure, waved the disk above his head to start off his history of PC viruses, and said, “This is Brain.”

Hypponen was talking about a guest of honor housed on the disk: the original computer virus. Hypponen found the disk last year in a lockbox in F-Secure’s headquarters in Helsinki, and he dove in, cracked the virus code, and found in it the names and address of the virus’ writers, two brothers from a town near Lahore, Pakistan. And–believe it or not–he went to the address and found the same brothers there, now running an Internet service provider called Brain Communications. (Hypponen details his trip in a short YouTube film.)

One of the important things he learned from them is that they said they had no malicious intent when they created the virus. “There was no real motive,” said Hypponen. It was a proof-of-concept, created just to prove that it could be done. That mindset shaped computer virus development until the first years of the new century: viruses grew more malicious and complicated, but were essentially pranks.

Just because they were pranks doesn’t mean they weren’t harmful, though. Hypponen demonstrated a number of early computer viruses from which he had removed the infectors, including one called Disk Destroyer. This particular piece of nastiness would copy the contents of your hard disk into the RAM, then wipe your drive. It then loaded a rudimentary slot machine-style game, and gave you five chances to win. If you won, it would reload your data back onto your hard drive. If you lost, your data was permanently wiped out.

Though viruses continued to get more and more complex, it wasn’t until 2003 that things began to change. First, Microsoft began to take computer viruses seriously, he said, because worm infections were causing serious Internet traffic packet loss and causing real-world damage. Trains in 2003 were stopped around Washington, D.C., because the Windows computers controlling the signals and routing systems had crashed. “This is the basic reason why serious problems like these were finally taken seriously,” Hypponen noted.

The other major change in 2003 was the Fizzer infection. “Fizzer, which nobody here remembers, is one of the most important viruses in history. It was the first virus written with one purpose only: making money.” Fizzer spread e-mail spam in an effort to rake in the dough. Hypponen said that when other virus writers realized they too could earn some bucks from writing malicious code, it was game on.

This began to have even more serious real-world implications, as some virus writers were found to have used their money to buy equipment for fighters in Iraq.

“We also began to see a geographical shift [in] where viruses were written,” he said. “From 1986 to 2003, it was mostly Western countries, the U.S., Western Europe, Japan. From 2003 on, it was Russia, Eastern Europe, Ukraine, China (of course), and South America, especially Brazil.”

However, Hypponen said the problem was not limited to criminals. He called out the president of Sony BMG, Thomas Hesse, to calls of derision from the audience. Hesse was instrumental in approving a DRM system that surreptitiously installed a rootkit on your computer when you played one of the company’s audio CDs on it. “Sony gets a lot of hate, and they deserve it. Of course, some would claim that if you listen to Celine Dion, you get what you deserve,” Hypponen quipped.

But he especially called out Hesse for saying, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” Hypponen retorted, “Most people don’t even know what brain damage is, so why should they care about it, too?”

Hypponen talked about the technical complexity of the 2008 virus Mebroot, a trojan that infects the master boot record and, because it loads before the operating system does, is exceptionally difficult to remove, and about ransomware like GPCode, which holds your files hostage until you wire money to the virus writers. Stuxnet, though, was an embarrassment for the security industry, Hypponen said.

“All this work did not prepare us for what we found next. It was embarrassing. We missed Stuxnet for a freaking year,” he said, shaking his head.

“Today when you get infected by viruses, you will not know,” Hypponen said. “It’s running silently in the background. It won’t slow down your system, and it won’t take up too much of your resources.”

“It has been a pretty wild ride over the past 25 years, from Brain to Stuxnet. Many things have changed, many things haven’t changed. Brain didn’t spread on the Internet, it didn’t exist,” Hypponen said, alluding to the spread by floppy disk. “And Stuxnet spread by USB key.”

Source:  CNET

Malware turns off Windows’ UAC, warns Microsoft

Sunday, August 7th, 2011

Urges users to check that the regularly-belittled prompt is really on

Microsoft this week urged users to keep an oft-criticized Windows security feature turned on, even as it said that more malware is disabling the tool.

User Account Control (UAC) is the feature, introduced in Vista and revised in Windows 7, that prompts users to approve certain actions, including software installation.

UAC was “universally hated” in Vista, and was a major complaint about the unsuccessful operating system, a Gartner security analyst said more than two years ago.

“From a usability standpoint, no one was happy. And from a security standpoint, no one was happy either, because we knew that people get ‘click fatigue,’” said John Pescatore of Gartner in the months before Windows 7′s launch.

Microsoft took the complaints to heart, and downplayed UAC in Windows 7 after its data showed users got irritated when they faced more than two such prompts in a session at the computer.

This week, Microsoft’s Malware Protection Center (MMPC) said that malware was increasingly turning off UAC as a way to disguise its presence on infected PCs.

To disable UAC, attack code must either exploit a bug that lets it gain administrative rights (Microsoft classifies such flaws as “elevation of privilege” vulnerabilities) or trick the user into clicking “OK” on a UAC prompt.

Apparently, neither is difficult.

Some of the most-common threats now in circulation — including the Sality virus family, Alureon rootkits, the Bancos banking Trojan and fake antivirus software — have variants able to switch off UAC, said Joe Faulhaber of the MMPC team in a post to the group’s blog.

One worm, dubbed “Rorpian” by Microsoft, is especially enamored with the anti-UAC tactic: In more than 90% of the cases involving Rorpian on a single day, MMPC observed the worm disabling UAC by exploiting a four-year-old Windows vulnerability.

Nearly one-in-four PCs that reported malware detections to Microsoft had UAC switched off, either because of malware antics, or because the user turned it off.

UAC has not been problem-free on the technical side, either. Months before Windows 7′s debut, a pair of researchers revealed a bug in the feature that hackers could use to piggyback on preapproved Microsoft code to trick Windows 7 into granting malware full access rights.

Although Microsoft initially dismissed their reports, it later changed UAC.

Faulhaber provided a link to instructions for switching UAC on or off on Vista. They can also be used on Windows 7, but the final step is to pull the slider to “Never Notify” to turn off UAC.
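Checking the slider by eye only tells you what the control panel shows; the state that matters, and the state malware changes, is in the registry. The following is an added example, not code from the Computerworld article or from Microsoft’s post. It reads the three values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that govern UAC and classifies them. The key and value names are Windows’ own, the slider mapping is Windows 7’s, and EnableLUA=0 is the setting that switches UAC off (the article does not name the value; that detail is added here). On a non-Windows host the live read is skipped and you hand assess_uac() a dict of values collected some other way.

```python
"""Classify the registry values that decide whether UAC is really on.

Added example, not code from the Computerworld article or from Microsoft's
MMPC post. The key and value names are the ones Windows uses; the slider
mapping is Windows 7's.
"""
import sys

UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_NAMES = ("EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop")

# Shipped Windows 7 defaults, applied when a value is absent from the key.
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}

# (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) as written by
# each position of the Windows 7 UAC slider.
SLIDER = {
    (1, 2, 1): "Always notify",
    (1, 5, 1): "Notify me only when programs try to make changes (default)",
    (1, 5, 0): "Notify me only when programs try to make changes (do not dim my desktop)",
    (0, 0, 0): "Never notify",
}


def assess_uac(policy):
    """Classify UAC posture from a dict of the three REG_DWORD values.

    Returns {"posture": str, "slider": str, "findings": [str, ...]} where
    posture is one of: disabled, silent-elevation, weakened, strict, default.
    """
    findings = []
    values = {}
    for name in VALUE_NAMES:
        if policy.get(name) is None:
            findings.append(f"{name} is not set; Windows applies its default ({DEFAULTS[name]})")
            values[name] = DEFAULTS[name]
        else:
            values[name] = int(policy[name])
    lua, consent, secure = (values[n] for n in VALUE_NAMES)
    slider = SLIDER.get((lua, consent, secure), "custom (not a slider position)")

    if lua == 0:
        # This is the value a dropper flips; the change is effective after reboot.
        posture = "disabled"
        findings.append("EnableLUA=0: UAC is off and administrators always run with the full token")
    elif consent == 0:
        posture = "silent-elevation"
        findings.append("ConsentPromptBehaviorAdmin=0: elevation requests are granted without any prompt")
    elif secure == 0:
        posture = "weakened"
        findings.append("PromptOnSecureDesktop=0: prompts appear on the interactive desktop, "
                        "where other software can spoof or drive them")
    elif consent in (1, 2, 3, 4):
        posture = "strict"      # prompt for credentials/consent on every elevation
    else:
        posture = "default"     # 5: prompt only for non-Windows binaries (Windows 7 default)
    return {"posture": posture, "slider": slider, "findings": findings}


def read_uac_policy():
    """Read the live values from HKLM; Windows only (standard-library winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("read_uac_policy() needs Windows; pass assess_uac() a dict elsewhere")
    import winreg
    policy = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in VALUE_NAMES:
            try:
                policy[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                policy[name] = None
    return policy


if __name__ == "__main__":
    report = assess_uac(read_uac_policy())
    print(f"UAC posture: {report['posture']} (slider: {report['slider']})")
    for line in report["findings"]:
        print(" -", line)
```

A change to EnableLUA takes effect only after a reboot, so a machine a dropper has just modified can still show prompts while its registry already says “disabled”; that is why the check reads the value instead of trying to provoke a prompt. The same three values are what a monitoring rule should watch for writes.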

Source:  computerworld.com

Microsoft Security Bulletin Advance Notification for August 2011

Friday, August 5th, 2011

Microsoft yesterday announced the security bulletins it will release on its next Patch Tuesday, covering vulnerabilities in its desktop/server OS, Office suite, and developer software. Key excerpts from the advance notification can be found below:

Bulletin ID: maximum severity rating and vulnerability impact; restart requirement; affected software

Bulletin 1: Critical, Remote Code Execution; requires restart; Microsoft Windows, Internet Explorer
Bulletin 2: Critical, Remote Code Execution; requires restart; Microsoft Windows
Bulletin 3: Important, Remote Code Execution; requires restart; Microsoft Windows
Bulletin 4: Important, Remote Code Execution; may require restart; Microsoft Office
Bulletin 5: Important, Elevation of Privilege; may require restart; Microsoft Windows
Bulletin 6: Important, Elevation of Privilege; requires restart; Microsoft Windows
Bulletin 7: Important, Elevation of Privilege; requires restart; Microsoft Windows
Bulletin 8: Important, Denial of Service; requires restart; Microsoft Windows
Bulletin 9: Important, Denial of Service; requires restart; Microsoft Windows
Bulletin 10: Important, Information Disclosure; may require restart; Microsoft .NET Framework, Microsoft Developer Tools
Bulletin 11: Important, Information Disclosure; may require restart; Microsoft Developer Tools
Bulletin 13: Moderate, Denial of Service; requires restart; Microsoft Windows
Bulletin 12: Moderate, Information Disclosure; may require restart; Microsoft .NET Framework

Windows Operating System and Components

Table 1: Bulletins 1, 2, 3, 5, 6 and 7 (entries marked * or ** carry footnotes in Microsoft’s original table; the excerpt does not reproduce the legend)

Windows XP
Aggregate severity rating: Bulletin 1 Critical; Bulletins 2, 3 and 5 None; Bulletin 6 Important; Bulletin 7 Important
Windows XP Service Pack 3: Bulletin 1: Internet Explorer 6 (Critical), Internet Explorer 7 (Critical), Internet Explorer 8 (Critical); Bulletins 2, 3 and 5: Not applicable; Bulletin 6: Important; Bulletin 7: Important
Windows XP Professional x64 Edition Service Pack 2: Bulletin 1: Internet Explorer 6 (Critical), Internet Explorer 7 (Critical), Internet Explorer 8 (Critical); Bulletins 2, 3 and 5: Not applicable; Bulletin 6: Important; Bulletin 7: Important

Windows Server 2003
Aggregate severity rating: Bulletin 1 Critical; Bulletin 2 Important; Bulletins 3 and 5 None; Bulletin 6 Important; Bulletin 7 Important
Windows Server 2003 Service Pack 2: Bulletin 1: Internet Explorer 6 (Important), Internet Explorer 7 (Critical), Internet Explorer 8 (Critical); Bulletin 2: Important; Bulletins 3 and 5: Not applicable; Bulletin 6: Important; Bulletin 7: Important
Windows Server 2003 x64 Edition Service Pack 2: Bulletin 1: Internet Explorer 6 (Important), Internet Explorer 7 (Critical), Internet Explorer 8 (Critical); Bulletin 2: Important; Bulletins 3 and 5: Not applicable; Bulletin 6: Important; Bulletin 7: Important
Windows Server 2003 with SP2 for Itanium-based Systems: Bulletin 1: Internet Explorer 6 (Important), Internet Explorer 7 (Critical); Bulletin 2: Important; Bulletins 3 and 5: Not applicable; Bulletin 6: Important; Bulletin 7: Important

Windows Vista
Aggregate severity rating: Bulletin 1 Critical; Bulletins 2, 3, 5 and 6 None; Bulletin 7 Important
Windows Vista Service Pack 2: Bulletin 1: Internet Explorer 7 (Critical), Internet Explorer 8 (Critical), Internet Explorer 9 (Critical); Bulletins 2, 3, 5 and 6: Not applicable; Bulletin 7: Important
Windows Vista x64 Edition Service Pack 2: Bulletin 1: Internet Explorer 7 (Critical), Internet Explorer 8 (Critical), Internet Explorer 9 (Critical); Bulletins 2, 3, 5 and 6: Not applicable; Bulletin 7: Important

Windows Server 2008
Aggregate severity rating: Bulletin 1 Critical; Bulletin 2 Critical; Bulletins 3, 5 and 6 None; Bulletin 7 Important
Windows Server 2008 for 32-bit Systems Service Pack 2: Bulletin 1: Internet Explorer 7** (Critical), Internet Explorer 8** (Critical), Internet Explorer 9** (Critical); Bulletin 2: Critical*; Bulletins 3, 5 and 6: Not applicable; Bulletin 7: Important*
Windows Server 2008 for x64-based Systems Service Pack 2: Bulletin 1: Internet Explorer 7** (Critical), Internet Explorer 8** (Critical), Internet Explorer 9** (Critical); Bulletin 2: Critical*; Bulletins 3, 5 and 6: Not applicable; Bulletin 7: Important*
Windows Server 2008 for Itanium-based Systems Service Pack 2: Bulletin 1: Internet Explorer 7 (Critical); Bulletins 2, 3, 5 and 6: Not applicable; Bulletin 7: Important

Windows 7
Aggregate severity rating: Bulletin 1 Critical; Bulletin 2 None; Bulletin 3 Important; Bulletins 5 and 6 None; Bulletin 7 Important
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1: Bulletin 1: Internet Explorer 8 (Critical), Internet Explorer 9 (Critical); Bulletin 2: Not applicable; Bulletin 3: Important; Bulletins 5 and 6: Not applicable; Bulletin 7: Important
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1: Bulletin 1: Internet Explorer 8 (Critical), Internet Explorer 9 (Critical); Bulletin 2: Not applicable; Bulletin 3: Important; Bulletins 5 and 6: Not applicable; Bulletin 7: Important

Windows Server 2008 R2
Aggregate severity rating: Bulletin 1 Critical; Bulletin 2 Critical; Bulletin 3 Important; Bulletin 5 Important; Bulletin 6 None; Bulletin 7 Important
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1: Bulletin 1: Internet Explorer 8** (Critical), Internet Explorer 9** (Critical); Bulletin 2: Critical*; Bulletin 3: Important*; Bulletin 5: Important**; Bulletin 6: Not applicable; Bulletin 7: Important*
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1: Bulletin 1: Internet Explorer 8 (Critical); Bulletin 2: Not applicable; Bulletin 3: Important; Bulletins 5 and 6: Not applicable; Bulletin 7: Important

Table 2: Bulletins 8, 9, 10, 13 and 12

Windows XP
Aggregate severity rating: Bulletin 8 None; Bulletin 9 Moderate; Bulletin 10 Important; Bulletin 13 None; Bulletin 12 Moderate
Windows XP Service Pack 3: Bulletin 8: Not applicable; Bulletin 9: Moderate; Bulletin 10: Important; Bulletin 13: Not applicable; Bulletin 12: Moderate
Windows XP Professional x64 Edition Service Pack 2: Bulletin 8: Not applicable; Bulletin 9: Moderate; Bulletin 10: Important; Bulletin 13: Not applicable; Bulletin 12: Moderate

Windows Server 2003
Aggregate severity rating: Bulletin 8 None; Bulletin 9 Important; Bulletin 10 Important; Bulletin 13 None; Bulletin 12 Moderate
Windows Server 2003 Service Pack 2: Bulletin 8: Not applicable; Bulletin 9: Important; Bulletin 10: Important; Bulletin 13: Not applicable; Bulletin 12: Moderate
Windows Server 2003 x64 Edition Service Pack 2: Bulletin 8: Not applicable; Bulletin 9: Important; Bulletin 10: Important; Bulletin 13: Not applicable; Bulletin 12: Moderate
Windows Server 2003 with SP2 for Itanium-based Systems: Bulletin 8: Not applicable; Bulletin 9: Important; Bulletin 10: Important; Bulletin 13: Not applicable; Bulletin 12: Moderate

Windows Vista
Aggregate severity rating: Bulletin 8 Moderate; Bulletin 9 None; Bulletin 10 Important; Bulletin 13 Moderate; Bulletin 12 Moderate
Windows Vista Service Pack 2: Bulletin 8: Moderate; Bulletin 9: Not applicable; Bulletin 10: Important; Bulletin 13: Moderate; Bulletin 12: Moderate
Windows Vista x64 Edition Service Pack 2: Bulletin 8: Moderate; Bulletin 9: Not applicable; Bulletin 10: Important; Bulletin 13: Moderate; Bulletin 12: Moderate

Windows Server 2008
Aggregate severity rating: Bulletin 8 Important; Bulletin 9 None; Bulletin 10 Important; Bulletin 13 Moderate; Bulletin 12 Moderate
Windows Server 2008 for 32-bit Systems Service Pack 2: Bulletin 8: Important*; Bulletin 9: Not applicable; Bulletin 10: Important**; Bulletin 13: Moderate**; Bulletin 12: Moderate**
Windows Server 2008 for x64-based Systems Service Pack 2: Bulletin 8: Important*; Bulletin 9: Not applicable; Bulletin 10: Important**; Bulletin 13: Moderate**; Bulletin 12: Moderate**
Windows Server 2008 for Itanium-based Systems Service Pack 2: Bulletin 8: Important; Bulletin 9: Not applicable; Bulletin 10: Important; Bulletin 13: Moderate; Bulletin 12: Moderate

Windows 7
Aggregate severity rating: Bulletin 8 Moderate; Bulletin 9 None; Bulletin 10 Important; Bulletin 13 Moderate; Bulletin 12 Moderate
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1: Bulletin 8: Moderate; Bulletin 9: Not applicable; Bulletin 10: Important; Bulletin 13: Moderate; Bulletin 12: Moderate
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1: Bulletin 8: Moderate; Bulletin 9: Not applicable; Bulletin 10: Important; Bulletin 13: Moderate; Bulletin 12: Moderate

Windows Server 2008 R2
Aggregate severity rating: Bulletin 8 Important; Bulletin 9 None; Bulletin 10 Important; Bulletin 13 Moderate; Bulletin 12 Moderate
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1: Bulletin 8: Important*; Bulletin 9: Not applicable; Bulletin 10: Important*; Bulletin 13: Moderate**; Bulletin 12: Moderate*
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1: Bulletin 8: Important; Bulletin 9: Not applicable; Bulletin 10: Important; Bulletin 13: Moderate; Bulletin 12: Moderate

Black Hat: Routers Using OSPF Open to Attacks

Friday, August 5th, 2011

LAS VEGAS – A researcher at Black Hat has revealed a vulnerability in the most common corporate router protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topography and create crippling router loops.

The problem is serious not only because of the damage an attacker might do but also because the protocol, OSPF, is used so pervasively that many networks are vulnerable. Open Shortest Path First (OSPF) is the most popular routing protocol used within the roughly 35,000 autonomous systems into which the Internet is divided.

Typically large corporations, universities and ISPs run autonomous systems.

The only remedies are using another protocol such as RIP or IS-IS or changing OSPF to close the vulnerability, says Gabi Nakibly, a researcher at Israel’s Electronic Warfare Research and Simulation Center, who discovered the problem.

Nakibly says he has successfully carried out an exploit against the vulnerability on a Cisco 7200 router running software version IOS 15.0(1)M, but that it would be equally effective against any router that is compliant with the OSPF specification. He says he chose a Cisco router to underscore the severity of the problem, since Cisco dominates the router market.

The problem lies in the OSPF protocol itself, which can be tricked into accepting false routing updates from a phantom router on the network; Nakibly says he used a laptop attached to the test network he was attacking as the phantom.

The phantom sends a false link state advertisement (LSA), the message with which an OSPF router describes its links and which is refreshed periodically and on topology change, to the targeted router. The router accepts it as legitimate because, to judge whether it is current, it checks only three header fields: that the LSA carries a sequence number newer than the copy it already holds, that its checksum is correct, and that its age is within 15 minutes of that copy.

Nakibly described how to falsify all of these and to overcome the protocol’s defense mechanism called fightback that floods accurate LSAs in the face of false ones.

The false LSA can be crafted to create router loops, send certain traffic to particular destinations or snarl a network by making the victim router send traffic along routes that don’t exist in the actual network topology, he says.

The exploit requires one compromised router on the network so that the key OSPF uses to authenticate LSA traffic among the routers can be lifted and reused by the phantom router (OSPF authentication protects the integrity of routing packets, not their confidentiality, so this shared key is what the attacker needs). The exploit also requires that the phantom router is connected to the network, Nakibly says.

To initiate the attack the phantom router introduces itself as being adjacent to the victim router, which must be the designated router on the network segment. The designated router is the one that represents a multi-access segment in the link-state database and floods updates to the other routers on that segment.
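The three checks above are the whole of the receiver’s freshness test, so it is worth seeing them written out. The following is an added example, not Nakibly’s code and not from the PCWorld article: the instance comparison of RFC 2328 section 13.1 that an OSPF router applies to a received LSA against its database copy, together with the Fletcher checksum that “proper checksum” refers to (computed over the LSA with the 2-byte LS age field excluded). All LSA header values are constructed; the router and link-state IDs mean nothing. It shows that two LSAs agreeing on sequence number and checksum, with ages within MaxAgeDiff (15 minutes) of each other, are the same instance to the receiver regardless of what their bodies say.

```python
"""How an OSPF router decides whether a received LSA is newer (RFC 2328).

Added example; not code from Nakibly's talk or the PCWorld article. The
comparison is RFC 2328 section 13.1; the checksum is the ISO/Fletcher
checksum OSPF computes over the LSA with the 2-byte LS age excluded. All
header values used here are constructed for illustration.
"""
import struct
from dataclasses import dataclass, replace

MAX_AGE = 3600        # MaxAge: an LSA this old is being flushed from the domain
MAX_AGE_DIFF = 900    # MaxAgeDiff: 15 minutes

# LSA header: age, options, type, link-state ID, advertising router, seq, checksum, length
LSA_HDR = struct.Struct("!HBBIIiHH")
CKSUM_OFFSET = 16     # offset of the LS checksum within the LSA
AGE_LEN = 2           # the LS age field is excluded from the checksum


@dataclass(frozen=True)
class LsaHeader:
    ls_age: int
    options: int
    ls_type: int
    link_state_id: int
    adv_router: int
    ls_seq: int        # signed 32-bit LS sequence number
    ls_checksum: int
    length: int


def compare_lsa(a, b):
    """1 if a is the newer instance, -1 if b is, 0 if the receiver must treat
    them as the same instance (RFC 2328 section 13.1, applied in order)."""
    if a.ls_seq != b.ls_seq:                        # larger sequence number wins
        return 1 if a.ls_seq > b.ls_seq else -1
    if a.ls_checksum != b.ls_checksum:              # then larger checksum wins
        return 1 if a.ls_checksum > b.ls_checksum else -1
    a_max, b_max = a.ls_age == MAX_AGE, b.ls_age == MAX_AGE
    if a_max != b_max:                              # a MaxAge copy is newer
        return 1 if a_max else -1
    if abs(a.ls_age - b.ls_age) > MAX_AGE_DIFF:     # ages far apart: younger wins
        return 1 if a.ls_age < b.ls_age else -1
    return 0                                        # otherwise identical


def accepted_as_new(received, db_copy):
    """The receiver installs and floods a received LSA only if it is newer."""
    return compare_lsa(received, db_copy) == 1


def fletcher_checksum(data, pos):
    """ISO checksum (RFC 1008 algorithm) over data with the 16-bit field at pos
    zeroed; returns the value to store at pos so the whole buffer sums to zero."""
    buf = bytearray(data)
    buf[pos:pos + 2] = b"\x00\x00"
    c0 = c1 = 0
    for byte in buf:
        c0 = (c0 + byte) % 255
        c1 = (c1 + c0) % 255
    x = ((len(buf) - pos - 1) * c0 - c1) % 255 or 255
    y = 510 - c0 - x
    if y > 255:
        y -= 255
    return (x << 8) | y


def checksum_valid(data):
    """True when both Fletcher sums over data (checksum in place) are zero."""
    c0 = c1 = 0
    for byte in data:
        c0 = (c0 + byte) % 255
        c1 = (c1 + c0) % 255
    return c0 == 0 and c1 == 0


def pack_lsa(hdr, body):
    """Serialise header + body, filling in the length and the LS checksum."""
    length = LSA_HDR.size + len(body)
    lsa = bytearray(LSA_HDR.pack(hdr.ls_age, hdr.options, hdr.ls_type, hdr.link_state_id,
                                 hdr.adv_router, hdr.ls_seq, 0, length) + body)
    cksum = fletcher_checksum(lsa[AGE_LEN:], CKSUM_OFFSET - AGE_LEN)
    lsa[CKSUM_OFFSET:CKSUM_OFFSET + 2] = struct.pack("!H", cksum)
    return bytes(lsa)


def parse_lsa_header(lsa):
    return LsaHeader(*LSA_HDR.unpack_from(lsa))


if __name__ == "__main__":
    # Constructed router-LSA from the victim (10.0.0.1) with a 16-byte body.
    victim = parse_lsa_header(pack_lsa(
        LsaHeader(5, 0x02, 1, 0x0A000001, 0x0A000001, 0x1001, 0, 0), b"\x00" * 16))
    # Same sequence number and checksum, age within MaxAgeDiff: the receiver
    # cannot tell this apart from the victim's copy, whatever its body says.
    lookalike = replace(victim, ls_age=victim.ls_age + 600)
    print("same instance" if compare_lsa(lookalike, victim) == 0 else "different")
```

Any defence that floods a corrected LSA, as fightback does, is only as good as the receiver’s ability to tell the correction apart from what it already holds, and this comparison is all it has to go on.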

Nakibly introduced a second attack that is not as effective, but similarly takes advantage of a vulnerability in the OSPF specification.

Source:  pcworld.com

A Power Plant Hack That Anybody Could Use

Friday, August 5th, 2011

The night before the start of this week’s Black Hat hacker conference here in Las Vegas, security researcher Dillon Beresford gave a demonstration to a small audience in his room at Caesar’s Palace. The topic: how a hacker could take over the Siemens S7 programmable logic controllers (PLCs) that are used to control engines, machines and turbines in tens of thousands of industrial facilities.

It was a preview of the talk he was set to give Wednesday, and Beresford seemed both nervous and relieved to be finally talking to the handful of reporters and industry and government officials in the room. A few months ago it wasn’t clear when or if he’d ever be able to go public with his research. Concerned that his research could be misused, he pulled out of an earlier conference to give Siemens more time to fix the problems he’d uncovered. Even now, after months of work with Siemens and the U.S. Department of Homeland Security, coordinating patch after patch for many of the bugs he’s found, Beresford can’t say everything he knows.

But clearly, he knows quite a lot. The question is, how much will he make public?

The NSS Labs researcher said he’s found ways to bypass the S7′s security measures and read from and write to the controller’s memory, even when the system has password protection enabled. He can steal sensitive information from the systems, he said. And on one model, the S7 300, he found a command shell, apparently left in the system’s firmware by Siemens engineers, that he can connect to and use to run commands on the system.

After poking around for a bit he discovered a hard-coded username and password that allowed him access to a Unix-like shell program on the systems, where he can run his own commands: Username: basisk; password: basisk.

This shell is a “back door” to the system that could be misused by an attacker, Beresford said.

He also discovered dancing monkeys. This goofy graphic of four dancing monkeys was apparently an Easter egg — a software developer’s version of graffiti, left for other geeks to discover — stuck in the S7 300′s firmware.

The demo wasn’t much to look at. The S7s are like futuristic grey shoeboxes with green LED lights on them. Smoking a cigarette, Beresford would type into his laptop and one by one, the machines would turn off. But considering that each one of those machines could be running a nuclear centrifuge or an elevator, the demonstration held everyone’s attention.

The government official in the room Tuesday night — a contractor from the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team — didn’t want to be quoted. Neither did Tim Roxey, a staffer with the North American Electric Reliability Corp., the nonprofit corporation chartered with helping to keep the U.S. supply of electricity online.

Clearly both groups are interested in Beresford’s work. The S7 300 systems on which Beresford found the back door and dancing monkeys are the same controllers that were targeted by the Stuxnet worm, which is thought to have destroyed centrifuges at Iran’s uranium enrichment plant at Natanz.

For decades, makers of these industrial computer systems — companies such as Siemens, Rockwell Automation and Honeywell International — lived in a bubble. They built computer systems that were adapted by electrical engineers for the factory floor. It used to be that these systems operated entirely on their own, disconnected from the rest of the networked world, but gradually they’ve been networked with Windows computers. They are supposed to be run on networks that are physically separate from the rest of the world, but these networks can have misconfigured routers, and every time a consultant plugs a laptop into them, it’s another opportunity for a virus to spread.

The problem is that these industrial systems were not built with security in mind, according to Dale Peterson, CEO of security consultancy Digital Bond. Industrial systems security experts like Peterson have known for at least 10 years that these kinds of problems were coming, but not enough has been done. “We’ve made progress in a lot of areas, but we haven’t made progress on these field devices,” Peterson said.

He and other security experts say Siemens is hardly alone; that all industrial control systems suffer from the kinds of bugs that Beresford discovered.

The industry could add strong authentication control to machines like the Siemens S7, so they only run code that’s given to them by trusted sources. But in a world where rebooting a computer means taking a power plant offline for a day, that’s not easily done. “No one in the industry wanted to do this because of the possible consequences,” Peterson said.

On the other hand, as Stuxnet has shown, the risks of a cyber-attack on these industrial systems are very real. And malicious programs wind up on factory floors all the time.

In February 2011, the two-year-old Conficker worm infected systems at a Brazilian power plant, according to Marcelo Branquinho, executive director with TI Safe, the consulting company that has been working on fixing the problem these past few months. Engineers would clean up the infection only to find it reappear on the network, most likely spread there by an infected machine that they had missed. “This is not the first Conficker infection we’ve seen in Brazilian automation plants,” he said in an e-mail interview.

Branquinho wouldn’t name the power plant, but the infection was clearly disrupting operations. The plant’s management systems were freezing up and not displaying data from the field. This forced operators to control their systems the same way they did before computers — using radios to communicate with each other.

If those infected Conficker machines had contained the type of software that Beresford has written, things would have been much worse.

This isn’t the first time that researchers have released code relating to industrial systems, but past releases have focused on the Windows-based management consoles that these systems use — not the control systems themselves. And the fact that Beresford has hacked the S7 300 — widely used in the energy sector — puts his work in a category by itself.

In fact, Beresford isn’t sure when he’s going to make the software he’s written public. There are 15 modules, small programs he’s written for the open-source Metasploit hacking toolkit, but he wants to give Siemens’ customers time to patch their systems before he releases the code. He said that six months might be an appropriate window.

Once his code is available, anyone could use it. But Beresford believes that he’s only making public what others have secretly known for a long time.

Digital Bond’s Peterson says that releasing the code might be what it takes to push the industry to finally fix its security problems. “At this point, I’m like, let’s give it a shot,” he said. “I don’t think he’s telling the nasty people anything they don’t already know.”

Ralph Langner, one of the researchers who helped crack the Stuxnet mystery, thinks that Beresford should never release his code. “Dillon did not ask me for advice,” he said. “But the advice I would give him is, ‘Don’t ever release the Metasploit code, because this is dynamite.’”

The Metasploit modules would make it easy for a less-skilled hacker to build software that could disrupt a power plant. And even if Siemens has addressed all of the underlying issues, it will be years before the patches are installed. One day of downtime at a power plant can easily cost the operator US$1 million, Langner said. “Don’t assume that a power plant operator will say, ‘I will shut my plant down for a day to install the damned patch,’” he said.

It turns out that Langner is the guy who inspired Beresford to look into Siemens systems in the first place. Because of the apparent reconnaissance work and sophisticated PLC programming involved in Stuxnet, Langner believes that only a few organizations have the technical know-how to pull something like this off.

Beresford wanted to prove that industrial hacking could be done on the cheap too. His company kicked in $20,000 to buy the Siemens systems, but Beresford did most of the work from his bedroom in a couple of weeks. “It’s not just the spooks who have these capabilities,” he said when he finally gave his Black Hat presentation. “Average guys sitting in their basements can pull this off.”

Source:  pcworld.com

Drone Plane Converted to Airborne Hacking Platform at Black Hat

Friday, August 5th, 2011

Digital death rains from above! A pair of security researchers has turned a surplus U.S. Army drone plane into an airborne hacking platform that infiltrates Wi-Fi networks, intercepts cellphone calls, and even launches denial-of-service (DoS) attacks, according to media reports from the Black Hat security conference in Las Vegas.

Mike Tassey and Richard Perkins, security consultants to Wall Street firms and the U.S. intelligence community, built their Wireless Aerial Surveillance Platform (WASP) drone “as a proof of concept to show what criminals, terrorists and others might also soon be using for their nefarious activities,” according to Wired.

Building on a concept originally demonstrated at last year’s DefCon hacker conference by Chris Paget, the WASP drone’s hacking toolkit includes an IMSI catcher and antenna that can impersonate a cellphone base station. Simply flip the switch and nearby cellphones are tricked into routing outbound calls through the WASP instead of through legit, commercial cell towers.

The WASP’s cell tower spoof can even be used to intercept encrypted calls: it tricks cellphones into disabling encryption, then either redirects the calls or records them over VoIP before routing them on to the intended receiver, according to Wired.

The drone can also use jamming signals to conduct DoS attacks on data providers, sniff out nearby wireless networks, and includes in its manifest “a dictionary of 340 million words for brute-forcing network passwords.”

Tassey and Perkins said they built the WASP for $6,000, converting a surplus FMQ-117B U.S. Army target drone that runs quietly enough to patrol the skies unobtrusively from the FAA-mandated 400-foot ceiling at which it can legally fly (see video below of a test flight).

Perhaps the theoretical black hats who might want a WASP of their own wouldn’t be as concerned about following FAA rules. But the remote-control drone still needs to be within line-of-sight for manually controlled take-offs and landings—though Tassey and Perkins said the WASP can be put on auto-pilot while in flight on a pre-determined course if it’s programmed with GPS coordinates and Google maps.

The researchers said malicious hackers could easily build their own aerial hacking platforms, but that the WASP could be used for beneficial purposes as well, such as providing emergency cellphone service in areas affected by a disaster.

Source:  pcmag.com

Black Hat: Square Credit-Card Reader Hacked!

Friday, August 5th, 2011

The Square reader makes any iPhone into a credit card reader. Set up an account with Square and you can take credit card payments, and the reader comes free with your account. It’s a great thing for craft vendors and other small-scale merchants. And it’s perfectly secure… isn’t it?

Adam Laurie (also known as Major Malfunction) and Zac Franken of Aperture Labs wondered just how secure such a thing could be. It just uses the earphone jack, after all, so it must be converting the magnetic stripe data into sound. Confirming this was simple enough.

The pair wrote a simple PC-based tool to record the credit card sound and play it back on demand. They bought a $10 cable to connect a laptop to the iPhone. In a small press preview at the Black Hat conference they demonstrated that playing the credit card sound has the same effect as scanning the card with the Square reader. The researchers notified Square in February; Square responded that they see no significant threat.

This hack also allowed them to effectively pull cash from a gift card that officially can’t be used for cash. All they had to do was “pay” themselves using the hack software. Laurie pointed out that malefactors can use this technique to directly get money from stolen credit card data, rather than having to purchase goods and resell them.

The hack poses no risk to merchants using the Square service. Quite the contrary: the risk is to everyone else, from Square users misusing the device. This hack won’t last forever, either; a new version of the Square device is in the works.

In addition, this hack doesn’t really demonstrate a weakness with Square. The real problem is in the mag stripe concept itself. Using the Square reader simply lets people skim credit card data with no special knowledge or hardware. Now don’t you feel secure?
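The mechanism the researchers exploited is simple enough to model end to end. The following is an added example, not the Aperture Labs tool and not Square’s actual signal format: it encodes a Track 2 string in the ISO/IEC 7811 alphabet (4 data bits plus an odd-parity bit per character, followed by an XOR longitudinal redundancy check), turns the bits into an F2F (Aiken biphase) flux-reversal waveform of the kind a reader head produces, and decodes it again from the reversal timing alone. The sample track data, the sample density and the leading-zero clocking run are constructed assumptions. Because the decoder sees nothing but reversal timing, a recorded copy of the waveform decodes exactly like a live swipe, which is the whole replay attack.

```python
"""Track 2 magstripe string -> F2F (Aiken biphase) waveform -> decode, round trip.

Added illustration, not the researchers' tool and not Square's signal format.
A swipe is only a sequence of flux reversals; a recorded copy replays identically.
"""

# ISO/IEC 7811 Track 2 alphabet: 4-bit value = index, sent LSB first, odd parity.
TRACK2_ALPHABET = "0123456789:;<=>?"   # ';' start sentinel, '=' separator, '?' end

LEAD_ZEROS = 10       # clocking bits before and after the data, as on a real card (assumed)
SAMPLES_PER_BIT = 8   # assumed sample density of the recorded waveform


def char_bits(val):
    """Four data bits LSB-first plus one parity bit so the five bits have odd parity."""
    data = [(val >> i) & 1 for i in range(4)]
    return data + [1 - sum(data) % 2]


def track2_to_bits(track):
    """Encode ';PAN=...?' as a bit stream with clocking zeros and a trailing LRC.
    The LRC is the XOR of every character's 4-bit value, sentinels included."""
    bits, lrc = [], 0
    for ch in track:
        val = TRACK2_ALPHABET.index(ch)
        lrc ^= val
        bits += char_bits(val)
    return [0] * LEAD_ZEROS + bits + char_bits(lrc) + [0] * LEAD_ZEROS


def bits_to_f2f(bits, spb=SAMPLES_PER_BIT):
    """F2F: a flux reversal at every bit-cell boundary; a '1' cell has an extra
    reversal in the middle. Modelled as +1/-1 levels that flip at each reversal,
    which is what a reader head (or a sound card) turns into audio."""
    level, samples = 1, []
    for b in bits:
        level = -level                          # reversal at the cell boundary
        samples += [level] * (spb // 2)
        if b:
            level = -level                      # extra mid-cell reversal for a 1
        samples += [level] * (spb - spb // 2)
    return samples


def f2f_to_bits(samples):
    """Recover bits from reversal timing only: a full-cell gap is a 0, two
    half-cell gaps are a 1. The cell length is taken from the leading zeros."""
    edges = [i for i in range(1, len(samples)) if samples[i] != samples[i - 1]]
    gaps = [b - a for a, b in zip(edges, edges[1:])]
    cell = gaps[0]
    bits, i = [], 0
    while i < len(gaps):
        if gaps[i] < 0.75 * cell:
            bits.append(1)
            i += 2
        else:
            bits.append(0)
            i += 1
    return bits


def bits_to_track2(bits):
    """Frame on the start sentinel, check each character's parity and the LRC."""
    i = bits.index(1)            # LSB of ';' (0xB) is the first 1 after the clocking zeros
    chars, lrc = [], 0
    while i + 5 <= len(bits):
        group = bits[i:i + 5]
        i += 5
        if sum(group) % 2 == 0:
            raise ValueError("parity error")
        val = sum(b << k for k, b in enumerate(group[:4]))
        if chars and chars[-1] == "?":
            if val != lrc:                      # the character after '?' is the LRC
                raise ValueError("LRC mismatch")
            return "".join(chars)
        lrc ^= val
        chars.append(TRACK2_ALPHABET[val])
    raise ValueError("no end sentinel")


def swipe_to_audio(track):
    """What the 'record' step captures: the waveform of one swipe."""
    return bits_to_f2f(track2_to_bits(track))


def audio_to_track2(samples):
    """What the reader side yields, whether the waveform is live or replayed."""
    return bits_to_track2(f2f_to_bits(samples))


# Constructed test data: not a real card number.
SAMPLE_TRACK2 = ";1234567890123456=99121010000000000000?"

if __name__ == "__main__":
    recorded = swipe_to_audio(SAMPLE_TRACK2)
    print(audio_to_track2(list(recorded)))     # a copy of the recording decodes the same
```

The only integrity the format offers is the per-character parity and the LRC, and both are regenerated by anyone who can write the bits, so a replay cannot be distinguished from a swipe at this layer; any fix has to live in the reader rather than in the stripe format.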

Source:  pcmag.com

Operation Shady RAT: five-year hack attack hit 14 countries

Wednesday, August 3rd, 2011

The governments of the United States, Canada, and South Korea, as well as the UN, the International Olympic Committee, and 12 US defense contractors were among those hacked in a five-year hacking campaign dubbed “Operation Shady RAT” by security firm McAfee, which revealed the attacks. Many of the penetrations were long-term, with 19 intrusions lasting more than a year, and five lasting more than two. Targets were found in 14 different countries, across North America, Europe, India, and East Asia.

The infiltration was discovered when McAfee, during an investigation of break-ins at defense contractors, came across a command-and-control server that the attackers used to direct the remote administration tools (“RATs,” hence the name “Operation Shady RAT”) installed in the victim organizations. The server was originally detected in 2009; McAfee began its analysis of the server in March this year. On the machine the company found extensive logs of the attacks that had been performed. Seventy-two organizations were positively identified from this information; the company warns that there were likely other victims, but there was not sufficient information to determine who they were.

The attacks themselves used spear-phishing techniques that are by now standard. Apparently legitimate e-mails with attachments are sent to an organization’s employees, and those attachments contain exploit code that compromises the employee’s system. These exploits are typically zero-day attacks. With a PC compromised, the attackers can install RAT software on it to allow long-term monitoring, collection of credentials, network probing, and data exfiltration.
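The long-term RAT presence described above is what detection engineers hunt for on the network side: an implant checking in with its command-and-control server on a timer leaves a series of requests to one host with far less jitter than human browsing. The following is an added example, not McAfee’s analysis code; the proxy log lines, hostnames and addresses in it are constructed, and the thresholds (at least six requests, coefficient of variation of the gaps no greater than 0.1) are assumptions to tune against your own traffic.

```python
"""Beacon detection over proxy logs: flag (client, host) pairs whose request
timing is too regular to be a person. Added example; the log lines, hosts and
addresses are constructed, not data from the Shady RAT server."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample. Format: timestamp src_ip method url status bytes
# 10.1.4.22 checks in with updates.example-cdn.test every ~300 s while also
# browsing www.example.test at human-irregular intervals.
SAMPLE_LOG = """\
2011-07-01T09:00:03 10.1.4.22 GET http://updates.example-cdn.test/check.php 200 512
2011-07-01T09:01:10 10.1.4.22 GET http://www.example.test/ 200 18342
2011-07-01T09:01:12 10.1.4.22 GET http://www.example.test/style.css 200 2210
2011-07-01T09:01:45 10.1.4.22 GET http://www.example.test/news 200 9120
2011-07-01T09:05:02 10.1.4.22 GET http://updates.example-cdn.test/check.php 200 512
2011-07-01T09:10:04 10.1.4.22 GET http://updates.example-cdn.test/check.php 200 512
2011-07-01T09:14:50 10.1.4.22 GET http://www.example.test/about 200 7731
2011-07-01T09:15:03 10.1.4.22 GET http://updates.example-cdn.test/check.php 200 512
2011-07-01T09:20:01 10.1.4.22 GET http://updates.example-cdn.test/check.php 200 512
2011-07-01T09:22:03 10.1.4.22 GET http://www.example.test/contact 200 4402
2011-07-01T09:25:04 10.1.4.22 GET http://updates.example-cdn.test/check.php 200 512
2011-07-01T09:30:02 10.1.4.22 GET http://updates.example-cdn.test/check.php 200 512
2011-07-01T09:33:17 10.1.4.31 GET http://www.example.test/ 200 18342
2011-07-01T09:35:03 10.1.4.22 GET http://updates.example-cdn.test/check.php 200 512
2011-07-01T09:40:00 10.1.4.22 GET http://www.example.test/news 200 9120
"""


def parse_log(text):
    """Yield (timestamp, src_ip, host) for each 'ts src method url status bytes' line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, url, _status, _size = line.split()
        host = re.match(r"https?://([^/]+)", url).group(1)
        yield datetime.fromisoformat(ts), src, host


def find_beacons(text, min_hits=6, max_cv=0.1):
    """Flag (src, host) pairs whose inter-request gaps are machine-regular:
    at least min_hits requests and a coefficient of variation (population
    stdev / mean of the gaps) no greater than max_cv. Thresholds are assumptions."""
    series = defaultdict(list)
    for ts, src, host in parse_log(text):
        series[(src, host)].append(ts)
    findings = []
    for (src, host), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({"src": src, "host": host, "hits": len(times),
                             "period_s": round(period), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print("beacon candidate: {src} -> {host} every ~{period_s}s "
              "({hits} hits, cv={cv})".format(**f))
```

Timing regularity alone is a hunting lead, not a verdict: legitimate update agents beacon too, so the next step is to pivot on the flagged host (registration age, who else in the estate talks to it, what the response bodies contain) rather than to alert on this score by itself.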

Many other attacks have followed the same pattern. The same technique was used to break into security company RSA, the French and Canadian Finance Ministries, and many oil and gas companies this year. It was also used in the Operation Aurora attacks against Google and other companies discovered in late 2009.

The first organization to be hacked in this campaign was a South Korean construction company, first broken into in July 2006. Break-ins continued until September 2010, when an Indian government agency was compromised. Data theft continued beyond that date, with both an American think tank and the Hong Kong office of an American news agency—reported by Vanity Fair to be the Associated Press—being pillaged until May of this year.

McAfee says that the total data stolen through these attacks amounted to petabytes. Where it has gone and who has used it remains unknown. The targets were a mix of governments, technology and defense companies, and nonprofit sports bodies and think tanks. Due to this latter category, McAfee argues that the attacks were most likely performed by a state actor as the commercial value of these sporting organizations was low. The firm didn’t specify which country it believed to be responsible, but Jim Lewis of the Center for Strategic and International Studies accused China of being the perpetrator, after being briefed by McAfee. China has been accused of such attacks before; Lewis said that the presence of the International Olympic Committee and the Taiwan government on the list of victims further pointed to China.

The security company is working with US government agencies to try to shut down the command-and-control server. The firm has also worked with the victims to inform them of the attacks and offer assistance with their response. These offers have not always been warmly received, with some victims denying that they had been compromised, even when presented with overwhelming evidence that they had.

For all the press that Anonymous and LulzSec have received, McAfee warns that these long-term, targeted attacks are a far more serious threat both to corporations and governments. The damage—loss of intellectual property and secrets—is far greater, and the attackers, motivated not by a desire to get-rich-quick or a quest for lulz, but rather a long-term desire to steal massive amounts of data, are far more measured and tenacious. So widespread are the attacks that Dmitri Alperovitch, McAfee Vice President of Threat Research, said that the only companies not at risk are those who have nothing worth taking, and that of the world’s biggest firms, there are just two kinds: those that know they’ve been compromised, and those that still haven’t realized they’ve been compromised.

Source:  arstechnica.com

Optical WLAN uses LED light for up to 800 Mbit/s networking

Tuesday, August 2nd, 2011

Networking researchers have used LED lighting to distribute full HD movies to notebooks, smartphones and other devices, in a system that could join WiFi and PowerLine networks in shuttling high-speed data around the home and office. The optical WLAN co-opts the white LEDs used for regular illumination to transmit data at up to 100 Mbit/s, by flickering them more rapidly than the human eye can see.

It’s the handiwork of the Fraunhofer Institute for Telecommunications, Heinrich Hertz Institute HHI in Berlin, Germany, where researchers have been looking at communications alternatives as part of the EU’s OMEGA Home Gigabit Access project. The lighting units – which rely on normal LEDs and a simple modulator to control the flickering – each cover a range of roughly 90 square feet, while any gadget wanting to receive the signal is outfitted with a simple photodiode.

It’s not the first time we’ve seen LED lighting used for line-of-sight networking. Back in 2008, the US National Science Foundation gave an $18.5m grant to researchers at Boston University who were experimenting with something similar. The overall appeal is obvious: the lights can apparently be modified to suit networking at little cost and with only minor adjustment, and can be used in places where traditional radio or wired networking is less feasible, such as in hospitals, on planes or in circumstances where running cables isn’t a possibility. There’s also no limit on the number of recipients of the data: basically, as many photodiodes as can maintain line of sight with the transmitter.

On the flip side, however, the researchers admit that the signal can be easily blocked if the photo diode is covered or shaded. They suggest it would work best as a companion to, rather than a replacement for, existing WiFi, 3G or other methods:

“It is best suited as an additional option for data transfer where radio transmission networks are not desired or not possible – without needing new cables or equipment in the house. Combinations are also possible, such as optical WLAN in one direction and PowerLAN for the return channel. Films can be transferred to the PC like this and also played there, or they can be sent on to another computer.”

The next step is boosting transmission speed, with researchers working on increasing the data rate eightfold. “Using red-blue-green-white light LEDs, we were able to transmit 800 Mbit/s in the lab,” team member Klaus-Dieter Langer says.

Source:  slashgear.com

Vulnerability Summary for the Week of July 25, 2011

Monday, August 1st, 2011

National Cyber Alert System
Cyber Security Bulletin SB11-213

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities
Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
azeotech — daqfactory AzeoTech DAQFactory before 5.85 (Build 1842) does not perform authentication for certain signals, which allows remote attackers to cause a denial of service (system reboot or shutdown) via a signal. 2011-07-28 7.8 CVE-2011-2956
ca — gateway_security Icihttp.exe in CA Gateway Security for HTTP, as used in CA Gateway Security 8.1 before 8.1.0.69 and CA Total Defense r12, does not properly parse URLs, which allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption and daemon crash) via a malformed request. 2011-07-28 10.0 CVE-2011-2667
cisco — sa500_software The web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote authenticated users to execute arbitrary commands via crafted parameters to web forms, aka Bug ID CSCtq65681. 2011-07-28 9.0 CVE-2011-2547
cisco — asr_9006_router Unspecified vulnerability in Cisco IOS XR 4.1.x before 4.1.1 on Cisco Aggregation Services Routers (ASR) 9000 series devices allows remote attackers to cause a denial of service (line-card reload) via an IPv4 packet, aka Bug ID CSCtr26695. 2011-07-28 7.8 CVE-2011-2549
drupal — drupal Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table. 2011-07-26 7.5 CVE-2011-2687
gimp — gimp Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-4543. 2011-07-26 7.5 CVE-2011-1782
google — picasa Google Picasa before 3.6 Build 105.67 does not properly handle invalid properties in JPEG images, which allows remote attackers to execute arbitrary code via a crafted image file. 2011-07-28 9.3 CVE-2011-2747
ibm — lotus_symphony Multiple unspecified vulnerabilities in IBM Lotus Symphony 3 before FP3 have unknown impact and attack vectors, related to “critical security vulnerability issues.” 2011-07-27 10.0 CVE-2011-2884
jan_wolter — mod_authnz_external SQL injection vulnerability in mysql/mysql-auth.pl in the mod_authnz_external module 3.2.5 and earlier for the Apache HTTP Server allows remote attackers to execute arbitrary SQL commands via the user field. 2011-07-28 7.5 CVE-2011-2688
nrl — opie Multiple off-by-one errors in opiesu.c in opiesu in OPIE 2.4.1-test1 and earlier might allow local users to gain privileges via a crafted command line. 2011-07-26 7.2 CVE-2011-2489
nrl — opie opielogin.c in opielogin in OPIE 2.4.1-test1 and earlier does not check the return value of the setuid system call, which allows local users to gain privileges by arranging for an account to already be running its maximum number of processes. 2011-07-26 7.2 CVE-2011-2490

Medium Vulnerabilities
Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
chyrp — chyrp upload_handler.php in the swfupload extension in Chyrp 2.0 and earlier relies on client-side JavaScript code to restrict the file extensions of uploaded files, which allows remote authenticated users to upload a .php file, and consequently execute arbitrary PHP code, via a write_post action to the default URI under admin/. 2011-07-26 6.5 CVE-2011-2745
cisco — sa500_software SQL injection vulnerability in the web-based management interface on Cisco SA 500 series security appliances with software before 2.1.19 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtq65669. 2011-07-28 5.0 CVE-2011-2546
debian — apt APT before 0.8.15.2 does not properly validate inline GPG signatures, which allows man-in-the-middle attackers to install modified packages via vectors involving lack of an initial clearsigned message. 2011-07-26 4.3 CVE-2011-1829
ecava — integraxor Multiple cross-site scripting (XSS) vulnerabilities in Ecava IntegraXor before 3.60 (Build 4080) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2011-07-28 4.3 CVE-2011-2958
fabfile — fabric Fabric before 1.1.0 allows local users to overwrite arbitrary files via a symlink attack on (1) a /tmp/fab.*.tar file or (2) certain other files in the top level of /tmp/. 2011-07-26 4.4 CVE-2011-2185
google — search_appliance Cross-site scripting (XSS) vulnerability in Google Search Appliance before 5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2011-07-28 4.3 CVE-2011-1339
ibm — lotus_symphony IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via the sample .doc document that incorporates a user-defined toolbar. 2011-07-27 4.3 CVE-2011-2885
ibm — lotus_symphony IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application crash) via a .docx document with empty bullet styles for parent bullets. 2011-07-27 4.3 CVE-2011-2886
ibm — lotus_symphony IBM Lotus Symphony 3 before FP3 on Linux allows remote attackers to cause a denial of service (application crash) via a certain sample document. 2011-07-27 4.3 CVE-2011-2887
ibm — lotus_symphony IBM Lotus Symphony 3 before FP3 allows remote attackers to cause a denial of service (application hang) via complex graphics in a presentation. 2011-07-27 4.3 CVE-2011-2888
ibm — lotus_symphony The DataPilot feature in IBM Lotus Symphony 3 before FP3 allows user-assisted remote attackers to cause a denial of service (application crash) via a large .xls spreadsheet with an invalid Value reference. 2011-07-27 4.3 CVE-2011-2893
joomla — joomla! Joomla! before 1.5.23 does not properly check for errors, which allows remote attackers to obtain sensitive information via unspecified vectors. 2011-07-27 5.0 CVE-2011-2488
joomla — joomla! Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.6.4 allow remote attackers to inject arbitrary web script or HTML via (1) the query string to the com_contact component, as demonstrated by the Itemid parameter to index.php; (2) the query string to the com_content component, as demonstrated by the filter_order parameter to index.php; (3) the query string to the com_newsfeeds component, as demonstrated by an arbitrary parameter to index.php; or (4) the option parameter in a reset.request action to index.php; and, when Internet Explorer or Konqueror is used, (5) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. 2011-07-27 4.3 CVE-2011-2509
joomla — joomla! Multiple cross-site scripting (XSS) vulnerabilities in Joomla! before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URI to includes/application.php, reachable through index.php; and, when Internet Explorer or Konqueror is used, (2) allow remote attackers to inject arbitrary web script or HTML via the searchword parameter in a search action to index.php in the com_search component. NOTE: vector 2 exists because of an incomplete fix for CVE-2011-2509. 2011-07-27 4.3 CVE-2011-2710
joomla — joomla! templates/system/error.php in Joomla! before 1.5.23 might allow remote attackers to obtain sensitive information via unspecified vectors that trigger an undefined value of a certain error field, leading to disclosure of the installation path. NOTE: this might overlap CVE-2011-2488. 2011-07-27 5.0 CVE-2011-2889
joomla — joomla! The MediaViewMedia class in administrator/components/com_media/views/media/view.html.php in Joomla! 1.5.23 and earlier allows remote attackers to obtain sensitive information via vectors involving the base variable, leading to disclosure of the installation path, a different vulnerability than CVE-2011-2488. 2011-07-27 5.0 CVE-2011-2890
joomla — joomla! Joomla! 1.6.x before 1.6.2 allows remote attackers to obtain sensitive information via an empty Itemid array parameter to index.php, which reveals the installation path in an error message, a different vulnerability than CVE-2011-2488. 2011-07-27 5.0 CVE-2011-2891
joomla — joomla! Joomla! 1.6.x before 1.6.2 does not prevent page rendering inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. 2011-07-27 4.3 CVE-2011-2892
likewise — likewise_open SQL injection vulnerability in lsassd in Lsass in the Likewise Security Authority in Likewise Open 5.4 through 6.1, and Likewise Enterprise 6.0, allows local users to execute arbitrary SQL commands via unspecified vectors. 2011-07-26 5.8 CVE-2011-2467
linux — kernel The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a denial of service (BUG and system crash) by arranging for all resource groups to have too little free space. 2011-07-28 4.9 CVE-2011-2689
linux — kernel Multiple off-by-one errors in the ext4 subsystem in the Linux kernel before 3.0-rc5 allow local users to cause a denial of service (BUG_ON and system crash) by accessing a sparse file in extent format with a write operation involving a block number corresponding to the largest possible 32-bit unsigned integer. 2011-07-28 4.9 CVE-2011-2695
mega-nerd — libsndfile Integer overflow in libsndfile before 1.0.25 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PARIS Audio Format (PAF) file that triggers a heap-based buffer overflow. 2011-07-26 6.8 CVE-2011-2696
redhat — network_satellite_server Cross-site request forgery (CSRF) vulnerability in the Spacewalk Java site packages (aka spacewalk-java) 1.2.39 in Spacewalk, as used in the server in Red Hat Network Satellite 5.3.0 through 5.4.1 and other products, allows remote attackers to hijack the authentication of arbitrary users for requests that (1) disable the current user account, (2) add user accounts, or (3) modify user accounts to have administrator privileges. 2011-07-26 6.8 CVE-2009-4139
redhat — jboss_enterprise_application_platform jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. 2011-07-26 6.8 CVE-2011-1484
redhat — jboss_enterprise_application_platform jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1484. 2011-07-26 6.8 CVE-2011-2196
rockwellautomation — factorytalk_diagnostics_viewer Unspecified vulnerability in Rockwell Automation FactoryTalk Diagnostics Viewer before V2.30.00 (CPR9 SR3) allows local users to execute arbitrary code via a crafted FactoryTalk Diagnostics Viewer (.ftd) configuration file, which triggers memory corruption. 2011-07-28 6.9 CVE-2011-2957
videolan — vlc_media_player Heap-based buffer overflow in the DemuxAudioSipr function in real.c in the RealMedia demuxer in VideoLAN VLC media player 1.1.x before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Real Media file. 2011-07-26 6.8 CVE-2011-2587
videolan — vlc_media_player Heap-based buffer overflow in the AVI_ChunkRead_strf function in libavi.c in the AVI demuxer in VideoLAN VLC media player before 1.1.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted AVI media file. 2011-07-26 6.8 CVE-2011-2588
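The APT entry above (CVE-2011-1829) describes inline signature validation that accepts a file which does not begin with the clearsigned message, so unsigned data can ride alongside a validly signed block. The following is an added illustration, not APT’s code: a structural pre-check that accepts only a file consisting of exactly one clearsigned block, rejecting anything before the BEGIN line or after the END line, and returning the dash-unescaped body so that the bytes later verified and the bytes later used are the same. The sample Release-style file and its placeholder signature are constructed; cryptographic verification of the signature is assumed to be done separately (by gpgv) on the same input.

```python
"""Structural pre-check for an inline (clearsigned) file before it reaches gpgv.

Added illustration, not APT's code. It guarantees that the file is one
clearsigned block and nothing else, so a verifier cannot be handed a file in
which unsigned data precedes or follows the signed message.
"""

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class ClearsignError(ValueError):
    pass


def split_clearsigned(text):
    """Return (signed_body, armored_signature) or raise ClearsignError.
    This does no cryptography; it only ensures the whole file is inside the
    one block that a signature check would cover."""
    lines = text.split("\n")
    if lines[0] != BEGIN_MSG:
        raise ClearsignError("file does not start with a clearsigned message")
    try:
        sig_start = lines.index(BEGIN_SIG)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ClearsignError("no armored signature block") from None
    if any(l.strip() for l in lines[sig_end + 1:]):
        raise ClearsignError("unsigned data after the signature")
    try:
        # Armor headers such as "Hash: SHA256" end at the first blank line.
        body_start = lines.index("", 1, sig_start) + 1
    except ValueError:
        raise ClearsignError("missing blank line after armor headers") from None
    body = lines[body_start:sig_start]
    if any(l.startswith("-----") for l in body):
        # A genuine signed body has such lines dash-escaped ("- -----"), so a raw
        # armor line here means a second block was smuggled into the text.
        raise ClearsignError("armor line inside the signed text")
    # Undo RFC 4880 dash-escaping so the caller sees exactly what was signed.
    body = [l[2:] if l.startswith("- ") else l for l in body]
    return "\n".join(body), "\n".join(lines[sig_start:sig_end + 1])


def check(text):
    """True if the file is a single clearsigned block, else False."""
    try:
        split_clearsigned(text)
        return True
    except ClearsignError:
        return False


# Constructed sample in the shape of a Release file; the signature line is a
# placeholder, not a real signature.
GOOD = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Example
Suite: stable
SHA256:
 0123abcd 1234 main/binary-amd64/Packages
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJPLACEHOLDERSIGNATUREBYTESAAAA=
-----END PGP SIGNATURE-----
"""

# What a man-in-the-middle would try: unsigned data outside the signed block.
PREPENDED = "Origin: Attacker\nSuite: stable\n" + GOOD
APPENDED = GOOD + "Suite: attacker-controlled\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("prepended", PREPENDED), ("appended", APPENDED)):
        print(name, "accepted" if check(sample) else "rejected")
```

The point of the check is ordering: the structural test runs on the same bytes that are then verified and parsed, so there is no window in which a parser can read a field the signature never covered.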

Low Vulnerabilities
Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
linux — kernel The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c. 2011-07-28 1.9 CVE-2011-2492

Source:  CERT.org