Openssl patches ASN.1 flaw
Last Updated: 2006-09-29 03:35:13 UTC
by Mike Poor (Version: 1)
You can test what version of Openssl you have by using the following command:
# openssl version
One thing to remember is that many distributions fail to follow the project's patching nomenclature, so refer to the distribution's openssl patch to test for vulnerability.
Mike Poor ekim #@# intelguardians.com
Handler on Duty
MSIE: One patched, one pops up again (setslice)
Last Updated: 2006-09-28 22:58:47 UTC
by Swa Frantzen (Version: 5)
If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE.
So: No, surfing with MSIE is still not safe.
References
Defenses
- Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
- Disable ActiveX (take care: windowsupdate needs it, so you need to trust those sites)
- Set the killbits: {844F4806-E8A8-11d2-9652-00C04FC30871} and {E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
- Keep antivirus signatures up to date.
- Keep an eye out for a patch from Microsoft.
- ...
--
Swa Frantzen -- Section 66
OpenSSH 4.4 (and 4.4p1) released
Last Updated: 2006-09-28 17:43:14 UTC
by Jim Clausing (Version: 2)
See http://www.openssh.com for more details.
Setslice Killbit Apps
Last Updated: 2006-09-30 15:17:50 UTC
by Tom Liston (Version: 4)
(and really, it was 10 days ago... sheesh, how time flies!)
Anyway, I've got two more for you, this time, setting the killbits on a couple versions of webvw.dll, and (as far as we can tell) shutting off access to the stuff that makes IE vulnerable to the "setslice" issue. Note: we've tested these settings against the Metasploit project's test page, and they work. Because MS hasn't released any information as of yet, we're sort of flying blind here... However, that being said, the killbit method is great, because it is completely reversible.
There are two versions of the app, one a standard Windows program, the other a command-line version.
The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer-types out there...) and give you the option to change them. (From SET to UN-SET, and vice versa...)
Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22
The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r"). It will return 0 on success and 1 on failure.
Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271
UPDATE: Should anyone need to know, the CLSIDs that these apps are setting the killbit on are:
{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
(Thanks to Mark for pointing out that I forgot to put that in the diary entry...)
Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians
New diary link: http://isc.sans.org/diary.php?storyid=1747
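Internet Explorer reads the killbit as the 0x400 bit of the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`. The PowerShell script below is an added example, not the handler's tool: it reports, sets or clears that bit for the two CLSIDs listed above and exits 0 on success or 1 on failure. The `-Action` parameter, the function names and the choice to clear only the one bit on `Unset` are assumptions of this example.

```powershell
# Added example (not the diary's tool): report, set or clear the killbit on the
# two CLSIDs from the diary. Set/Unset need an elevated prompt; Status only reads.
param([ValidateSet('Status', 'Set', 'Unset')][string]$Action = 'Status')

$Clsids  = '{844F4806-E8A8-11d2-9652-00C04FC30871}',
           '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$Name    = 'Compatibility Flags'
$KillBit = 0x400   # flag that stops IE from instantiating the control
$ErrorActionPreference = 'Stop'

function Get-Flags([string]$Clsid) {
    # A missing key or value means no flags are set for this control.
    $p = Get-ItemProperty -LiteralPath (Join-Path $Base $Clsid) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { 0 } else { $p.$Name }
}

function Set-Flags([string]$Clsid, $Value) {
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

try {
    foreach ($c in $Clsids) {
        $flags = Get-Flags $c
        switch ($Action) {
            # Only the killbit changes; any other compatibility flags are preserved.
            'Set'   { Set-Flags $c ($flags -bor $KillBit) }
            'Unset' { if ($flags -band $KillBit) { Set-Flags $c ($flags -band (-bnot $KillBit)) } }
        }
    }
    # Like the diary's Windows app, report the two killbits ANDed together.
    $allSet = $true
    foreach ($c in $Clsids) {
        $on = [bool]((Get-Flags $c) -band $KillBit)
        '{0}  killbit {1}' -f $c, $(if ($on) { 'SET' } else { 'not set' })
        $allSet = $allSet -and $on
    }
    'Overall: {0}' -f $(if ($allSet) { 'SET' } else { 'NOT SET' })
    exit 0
} catch {
    Write-Error $_ -ErrorAction Continue
    exit 1
}
```

On 64-bit Windows, 32-bit Internet Explorer reads the same key under `HKLM\SOFTWARE\Wow6432Node`, so point `$Base` there as well when auditing those systems.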
Powerpoint, yet another new vulnerability
Last Updated: 2006-09-28 02:09:35 UTC
by Swa Frantzen (Version: 1)
References
Detection
McAfee has a writeup of the exploit they detected against this vulnerability to connect back to http:// mylostlove1 .6600 .org/[CENSORED] but variants of this will most likely connect to other places.
Affected
It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable.
Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs, ...
Defenses
- Do not open ... but we all know how easy it is to social engineer people into opening things anyway.
- Use the PowerPoint Viewer 2003 (nah, not an option if you have a Mac).
- Filter and/or quarantine powerpoint files in the perimeter (prevent powerpoint email attachments and getting powerpoint files on the web), but it's not easy as it has genuine uses and it has the potential of not needing the ".ppt" file extension.
- Keep antivirus signatures up to date.
- Keep an eye out for a patch from Microsoft.
- ...
--
Swa Frantzen -- Section 66