
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-03-04 InfoSec Handlers Diary Blog


SSL Phishing Scam / FreeBSD DoS Vulnerability / Acrobat Reader Flaw

Published: 2004-03-04
Last Updated: 2004-03-05 16:41:47 UTC
by Pedro Bueno (Version: 1)
SSL Phishing Scam



Phishing scams are becoming very common. While some of them are easy to recognize, others are becoming very difficult to detect due to improved techniques that exploit browser vulnerabilities, such as URL obfuscation.


A recent advisory from the US Federal Trade Commission about how to recognize "safe" websites when conducting sensitive transactions contained an incorrect statement.
The statement implied that if a lock icon was visible, then SSL was in use and the site was safe.
The lock icon does let you recognize a site that is using SSL, but since the certificate could be fraudulent, it is not possible to tell fake websites from real ones by the lock icon alone.

So, while you can be assured that the session is encrypted, it is not possible to be sure that you are dealing with the real organization.


Fraudulent certificates are also widely used in phishing scams, so it is a good idea to always verify the certificate.


*Update*

Dr. Neal Krawetz, from Secure Science Corporation, just sent an email about the SSL/ lock icon issue:

"One of the SSL encoding methods is "plain text".
Most SSL servers have this disabled by default, but most browsers support it.
When plain text is used, no central certificate authority is consulted and the user never sees a message asking if a certificate should be accepted (because "plain text" doesn't use certificates).

Keeping that in mind, the little lock icon may not even indicate an encrypted channel. The little lock only indicates an SSL connection."

References: http://www.ftc.gov/bcp/conline/pubs/online/cybrsmrt.htm

http://www.zdnet.com.au/news/security/0,2000061744,39116416,00.htm
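
One way to check the two properties the lock icon does not prove, namely that the server presented a certificate that verifies for the expected hostname and that the negotiated suite actually encrypts. This is an added example in Python, not part of the original diary; the function names and sample cipher lines are constructed for illustration, and suites are classified by the Enc= and Au= fields of OpenSSL's cipher descriptions.

```python
import re
import socket
import ssl

# Added example; all names here are this example's own. The sample lines are
# constructed, in the format of ssl.SSLContext.get_ciphers()["description"].
SAMPLE_DESCRIPTIONS = [
    "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD",
    "NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1",
    "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1",
]

def suite_problems(description):
    """Return what a cipher suite fails to provide: encryption, authentication."""
    fields = dict(re.findall(r"(\w+)=(\S+)", description))
    problems = []
    if fields.get("Enc", "").lower() == "none":
        problems.append("no-encryption")
    if fields.get("Au", "").lower() == "none":
        problems.append("no-server-authentication")
    return problems

def strict_context():
    """Client context that verifies the chain and the hostname, and refuses
    NULL-encryption and anonymous (certificate-less) suites."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname
    ctx.set_ciphers("DEFAULT:!eNULL:!aNULL")
    return ctx

def weak_suites(ctx):
    """Names of enabled suites that lack encryption or authentication."""
    return [c["name"] for c in ctx.get_ciphers() if suite_problems(c["description"])]

def inspect_site(hostname, port=443, timeout=5):
    """Connect (needs network) and report what the lock icon does not show."""
    ctx = strict_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {
                "cipher": tls.cipher()[0],
                "subject": dict(x[0] for x in cert["subject"]),
                "issuer": dict(x[0] for x in cert["issuer"]),
            }

if __name__ == "__main__":
    for line in SAMPLE_DESCRIPTIONS:
        print(line.split()[0], suite_problems(line) or "ok")
    print("weak suites enabled:", weak_suites(strict_context()))
```

inspect_site() raises ssl.SSLCertVerificationError when the chain or hostname does not verify; a certificate that verifies still has to be read, since the subject and issuer it returns are what tie the session to an organization.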

FreeBSD vulnerability

iDefense today released a security advisory about a denial-of-service vulnerability in FreeBSD systems.


According to the advisory, a remote denial-of-service attack is possible by sending multiple out-of-sequence packets to a FreeBSD system. To be successful, the attack needs only one open TCP port.
The attack works against all FreeBSD versions.


Even though no PoC has been released yet, this attack looks pretty simple, and FreeBSD users are advised to apply the patches as soon as possible.


Patches have already been released and are available at the FreeBSD.org website:

[FreeBSD 5.2]

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp52.patch

[FreeBSD 4.8, 4.9]

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-04:04/tcp47.patch

References:
http://www.idefense.com/application/poi/display?id=78&type=vulnerabilities&flashstatus=true

Acrobat Reader vulnerability



According to a security advisory released by NGSSoftware, there is a buffer overflow vulnerability in Adobe Acrobat Reader in the way it handles the XML Forms Data Format, or XFDF.


Also according to the advisory, "Adobe urgently advises users of Adobe Reader to upgrade."



References: http://www.ngssoftware.com/advisories/adobexfdf.txt

http://www.adobe.com/support/downloads/main.html

------------------------------------------------------------

Handler on Duty: Pedro Bueno (bueno@ieee.org)