
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-12-21



VMware vulnerability announced and fixed

Published: 2005-12-21
Last Updated: 2005-12-21 21:28:46 UTC
by Jim Clausing (Version: 1)
A report showed up on the bugtraq and vulnwatch mailing lists in the last few hours about a vulnerability (discovered by Tim Shelton) in a number of VMware products (including Workstation, GSX, ACE, and Player) that would allow an attacker to escape the virtual machine and execute code in the underlying host OS. There are new builds which correct the issue (VMware Workstation 5.5 is now up to build 19175, for example) dated 20 Dec on their website, and the bulletin has a timeline section that states that VMware acknowledged the vulnerability when they released the new builds. This one is pretty significant for folks who use VMware for malware analysis or even to isolate/sandbox their web browsing, and you are urged to update to the latest build or disable NAT as soon as possible. From looking at the bulletin, it appears that Mr. Shelton has created a Metasploit module to exploit this vulnerability.

The vulnwatch article is here.
The Secunia advisory is here.
VMware's response is here.

---------------------------------
Jim Clausing, jclausing at isc.sans.org

Symantec AV RAR library vulnerability

Published: 2005-12-21
Last Updated: 2005-12-21 20:19:58 UTC
by Jim Clausing (Version: 2)
Yesterday, Alex Wheeler released details of a vulnerability that appears to span many Symantec A/V products in the routines for decoding RAR compressed files. Symantec is apparently working feverishly on a fix, but for the moment the recommendation is to disable scanning of these files (which I suppose is fine if we can convince the users not to open/uncompress them until Symantec has a fix or they can be scanned by some other A/V product) or block them completely at gateways/proxies. We are not currently aware of exploits in the wild, but the concern is that this has occurred so close to the end-of-year holidays: even if a fix does come out in the next few days, will people be around to apply it?

For complete details, see the Bugtraq posting, the Secunia advisory, and what I believe is Alex's paper.

We'll bring you more info as it becomes available.

Update: Symantec is apparently distributing a new pattern/definition that may detect the malformed RAR files while they continue to work on fixing the underlying vulnerability.

----------------------
Jim Clausing, jclausing at isc.sans.org

Updated RSS Feed

Published: 2005-12-21
Last Updated: 2005-12-21 14:50:41 UTC
by Johannes Ullrich (Version: 1)
We updated the RSS feed from 0.91 to 2.0 this morning, and added partial diary content in addition to the headlines. There are a couple of reasons why we did that:
  • RSS 2.0 should now be understood by most aggregators. When we originally started offering the RSS feed two years ago, RSS 0.91 was the most commonly used standard.
  • RSS 2.0 allows us to include a 'TTL', which indicates to the RSS reader how frequently to refresh the feed. Let's see if this helps a bit with overly busy readers.
  • We do get regular requests to include full diary content.
For a lot of readers, RSS has become the way to go to stay up to date. However, from a web site operator's point of view, RSS does have a couple of problems. The "pull" nature of RSS can cause high loads on the site, even if nothing actually changed, as the RSS readers keep polling the site for updates. For example, yesterday we had about 12,000 different IPs accessing our RSS feed, polling it 250,000 times. So that's about 20 "polls/user/day".

Now the advantage is of course that the RSS feed is a static page, and doesn't take a lot of resources to serve.

Another problem with RSS feeds is less technical: The ISC site does not want to be just a "news feed". In order to work, we do need you to interact with the site, and support us by providing reports about incidents and other feedback. Using an RSS reader will remove you from the actual site and lead to a more passive use. This is one reason why we will not offer full content of diary entries. For now, I added a "teaser" (first 100 characters). A technical problem with adding diary content is the fact that we have to strip links and characters that are not supported by the RSS standard.

Special note for Firefox users: You may see an odd character at the beginning of each headline but the first two. This is due to the fact that there is a new line at the start of each subject. For now, this is necessary to support the "iscalert" taskbar application. The feed is valid according to the validators I checked, so as far as I am concerned this is a bug in Firefox.

And don't forget that you can always get alerts of new diaries via e-mail: sign up here
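
The polling load described above can be measured against the feed's TTL from the web server's access log. The following is an added example, not code from the ISC site: the feed, the `/feed.xml` path, the 60-minute TTL and the log lines are all constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

# Constructed RSS 2.0 feed; the 60-minute <ttl> is an assumed value.
FEED = """<rss version="2.0"><channel>
<title>Example diary</title><link>https://feed.example/</link>
<description>constructed sample</description><ttl>60</ttl>
</channel></rss>"""

# Constructed access-log lines (common log format, documentation IP ranges).
LOG = """\
192.0.2.10 - - [21/Dec/2005:10:00:00 +0000] "GET /feed.xml HTTP/1.1" 200 5120
192.0.2.10 - - [21/Dec/2005:10:05:00 +0000] "GET /feed.xml HTTP/1.1" 200 5120
192.0.2.10 - - [21/Dec/2005:10:10:00 +0000] "GET /feed.xml HTTP/1.1" 200 5120
192.0.2.10 - - [21/Dec/2005:10:15:00 +0000] "GET /feed.xml HTTP/1.1" 200 5120
198.51.100.7 - - [21/Dec/2005:10:00:00 +0000] "GET /feed.xml HTTP/1.1" 200 5120
198.51.100.7 - - [21/Dec/2005:11:00:00 +0000] "GET /feed.xml HTTP/1.1" 200 5120
203.0.113.5 - - [21/Dec/2005:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 900
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d{3}')

def feed_ttl_minutes(feed_xml):
    """Return the channel <ttl> in minutes, or None if the feed has none."""
    node = ET.fromstring(feed_xml).find("./channel/ttl")
    return int(node.text) if node is not None else None

def early_polls(log_text, path, ttl_minutes):
    """Per client IP: (total polls of path, polls made before the TTL expired)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) == path:
            stamp = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            times[m.group(1)].append(stamp)
    report = {}
    for ip, seen in times.items():
        seen.sort()
        # A poll is "early" if it follows the previous one by less than the TTL.
        early = sum(1 for a, b in zip(seen, seen[1:])
                    if (b - a).total_seconds() < ttl_minutes * 60)
        report[ip] = (len(seen), early)
    return report

if __name__ == "__main__":
    ttl = feed_ttl_minutes(FEED)
    for ip, (total, early) in early_polls(LOG, "/feed.xml", ttl).items():
        print(f"{ip}: {total} polls, {early} before the {ttl}-minute TTL expired")
```

Clients with a high early-poll count are the ones ignoring the TTL; several users behind one NAT address share an IP, so a per-IP count overstates polling by any single reader.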