
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-04-26



Oracle CPU note; Google != Googkle; Obligatory Wireless Factoid

Published: 2005-04-26
Last Updated: 2005-04-27 10:32:03 UTC
by Joshua Wright (Version: 1)

Oracle April Critical Patch Update


Following up regarding the Oracle April Critical Patch Update: this most recent patch cluster resolves several critical issues in the 9i and 10g database releases. Two sections of this patch bundle seem to be the most pressing:


Oracle HTTP Server/Apache

The Oracle HTTP Server is a release of Apache 1.3.22. The April CPU updates the Apache distribution to resolve several Apache bugs, the oldest of which was reported on June 22, 2002. If you are using the Oracle HTTP Server product, it is recommended that you apply this patch bundle to resolve several outstanding vulnerabilities. If you are NOT using the Oracle HTTP Server on your database, it is recommended that you remove the software using the Oracle Universal Installer (OUI) tool.


Oracle Built-In Package SQL Injection

Several Oracle packages have been fixed with the April CPU to resolve SQL injection vulnerabilities that can allow an authenticated attacker to cause a denial of service, or to run arbitrary code as the SYS user using SQL injection techniques. As exploit code is publicly available for these vulnerabilities, it is important that DBAs take action to protect against authorized users escalating their privileges on the database.

The three packages of most concern are DBMS_CDC_PUBLISH, DBMS_CDC_SUBSCRIBE and DBMS_METADATA. As a workaround, DBAs are encouraged to revoke the PUBLIC execute privilege on these packages:


revoke EXECUTE on DBMS_METADATA from PUBLIC;
revoke EXECUTE on DBMS_CDC_PUBLISH from PUBLIC;
revoke EXECUTE on DBMS_CDC_SUBSCRIBE from PUBLIC;


Google != Googkle


Reader Alan Phelps wrote in this morning to alert us to a malicious site that has registered a domain that might be entered as a typo for google.com. DO NOT VISIT THIS SITE! Visiting this site installs about 49 pieces of spyware, uses the local hosts file to block access to popular anti-virus websites, and offers a link to a website that sells AV and anti-spyware tools with the slogan "We help people"... No comment.

Administrators might want to do a quick check on their DNS cache records to see if any users have resolved anything matching "googkle" lately, and then have field support visit the (likely) infested workstations.



Update 2005-04-27 @ 10:21 UTC

Several readers have written in to add that there are a number of other sites similar to the Googkle site, including:


msnm(dot)com, gfoogle(dot)com, ghoogle(dot)com, googfle(dot)com, luycos(dot)com,
msn1(dot)com, passpport(dot)com and xcnn(dot)com.


Did I mention that you should NOT visit these sites?
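The DNS cache check suggested above can be scripted against a resolver's query log. The following is an added example, not part of the original diary: it scans constructed BIND-style query-log lines (the client addresses and timestamps are made up) for the typo-squat domains listed in this diary, and also flags any second-level label within one edit of a brand name the squats imitate, so it generalizes beyond the exact list. The log format and the brand list are assumptions.

```python
"""Find workstations that resolved typo-squat domains, from DNS query-log lines.

Added example, not part of the original ISC diary. Log lines below are
constructed in BIND 9 query-log style; the addresses are made up.
"""
import re
from collections import defaultdict

# Domains named in the diary, written in plain form for matching only.
KNOWN_TYPOSQUATS = {
    "googkle.com", "msnm.com", "gfoogle.com", "ghoogle.com", "googfle.com",
    "luycos.com", "msn1.com", "passpport.com", "xcnn.com",
}

# Brands the listed squats imitate (assumed list), used for the generic check.
BRANDS = {"google", "msn", "lycos", "passport", "cnn"}

# Constructed sample; assumed format "client IP#port: query: NAME IN TYPE".
SAMPLE_LOG = """\
26-Apr-2005 09:12:01.001 client 10.0.0.15#1031: query: www.google.com IN A
26-Apr-2005 09:12:04.118 client 10.0.0.22#1045: query: www.googkle.com IN A
26-Apr-2005 09:12:05.220 client 10.0.0.22#1046: query: googkle.com IN A
26-Apr-2005 09:13:40.003 client 10.0.0.31#1122: query: mail.msn.com IN MX
26-Apr-2005 09:14:02.900 client 10.0.0.40#1199: query: www.gooogle.com IN A
26-Apr-2005 09:15:11.450 client 10.0.0.15#1032: query: isc.sans.org IN A
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\w+)"
)


def registered_domain(name):
    """Return the last two labels ("www.googkle.com" -> "googkle.com").

    Naive on purpose: multi-label public suffixes such as co.uk are not handled.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_brand_lookalike(domain, max_distance=1):
    """True if the second-level label is near a brand name but is not the brand."""
    label = domain.split(".")[0]
    for brand in BRANDS:
        if label == brand:
            return False  # the genuine brand domain, not a squat
        if levenshtein(label, brand) <= max_distance:
            return True
    return False


def scan_dns_log(text):
    """Map each suspicious domain to the sorted list of client IPs that asked for it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or unexpected format)
        domain = registered_domain(m.group("name"))
        if domain in KNOWN_TYPOSQUATS or is_brand_lookalike(domain):
            hits[domain].add(m.group("ip"))
    return {d: sorted(ips) for d, ips in hits.items()}


if __name__ == "__main__":
    for domain, clients in sorted(scan_dns_log(SAMPLE_LOG).items()):
        print(f"{domain}: {', '.join(clients)}")
```

On the sample log this reports googkle.com (resolved by 10.0.0.22) and the lookalike gooogle.com (resolved by 10.0.0.40), while the genuine google.com and msn.com lookups are ignored. A distance of one edit is deliberately tight; anything it flags that is not on the known list still deserves a human look, since short legitimate names can sit one edit from a brand.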

More information on googkle is available at



Thanks to Juha-Matti Laurio, Barrie Dempster, Gene Chen, Arjan Haringa and anonymous posters who submitted their reports regarding this and other sites.


Obligatory Wireless Factoid


Since I can't complete a diary entry without mentioning wireless security in one way or another, here is something that I've been spending some time looking into lately:


The 802.11e committee has been working on a standard for QoS for quite some time now. They have run into multiple obstacles along the way, not the least of which was a security standard (802.11i) that made it impossible to re-queue packets of low importance for later transmission after they have been encrypted.

The Wi-Fi Alliance has recently started certifying vendors for Wireless Multimedia (WMM) interoperability. The WMM specification is planned to be finalized as the 802.11e standard, but early adopters can get the assurance of multi-vendor interoperability by purchasing products that are WMM certified. This is similar to the Wi-Fi Alliance certifying products for WPA interoperability before the 802.11i standard was ratified.


The WMM specification allows organizations to prioritize traffic into one of four queues:


+ WMM Voice: Highest priority, intended for VoIP

+ WMM Video: Priority over data and legacy hardware

+ WMM Best Effort: Default queue for legacy hardware or unclassified data traffic

+ WMM Background: Intended for low-priority traffic such as file downloads.



Cisco Aironet users can take advantage of WMM functionality in IOS 12.3(2)JA and later. Client adapters will likely need a firmware upgrade to prioritize WMM traffic.

I believe little security analysis has been done on the impact of WMM on the 802.11i specification; it will be interesting to see how WMM and QoS prioritization queueing affect some of the security requirements of 802.11i.



More information on WMM is available at the Wi-Fi Alliance website.



Joshua Wright/Handler-on-duty