
SANS ISC InfoSec Handlers Diary Blog



Sourcefire VRT MS-WORD 0DAY recommendations, Rules and tool Advisory

Published: 2006-05-26
Last Updated: 2006-05-26 22:27:22 UTC
by Patrick Nolan (Version: 1)
Ureleet reports that the Sourcefire VRT (Vulnerability Research Team) has posted an advisory containing MS Word 0-day recommendations, detection rules, and a download of the "SOURCEFIRE MS-WORD 0DAY checker v0.1" DocCheck tool.

Thanks Ureleet!

MS tool to help ensure that your application does not have administrator access as a dependency

Published: 2006-05-26
Last Updated: 2006-05-26 20:44:49 UTC
by Patrick Nolan (Version: 1)
From their site:

Microsoft Standard User Analyzer

Overview
The Standard User Analyzer helps developers and IT professionals diagnose issues that would prevent a program from running properly without administrator privileges. On Windows Vista, even administrators run most programs with standard user privileges by default, so it is important to ensure that your application does not have administrator access as a dependency.

Using the Standard User Analyzer to test your application can identify the following administrator dependencies and return the results in a graphical interface:

File access
Registry access
INI files
Token issues
Security privileges
Name space issues
Other issues

Quick Details
File Name: SUAnalyzer.x86.msi
Version: 1.0
Date Published: 5/23/2006

Supported Operating Systems: Windows Server 2003; Windows Vista; Windows XP
Microsoft Application Verifier

MailBag Response info about yhoo32-explr, IM malware

Published: 2006-05-26
Last Updated: 2006-05-26 19:43:26 UTC
by Patrick Nolan (Version: 1)
We had an inquiry requesting additional information about a SANS NewsBites story (SANS Computer Security Newsletters and Digests) on yhoo32-explr, an IM worm. Following up on the NewsBites item for the ISC contributor led to the following information, which might be of interest.

In discussing the actions of yhoo32-explr, FaceTime Security Labs researcher Chris Boyd says (at the spywareguide.com blog): "That's not all - a file is placed on the PC which contacts a URL firing off continually modified commands for the infection. They can change the infection message and the method of infection on the fly. Tailor made messages designed for Yahoo IM, Internet-based chat and IRC? You got it. It even randomly overtypes some of your IM messages as you hit the send button."

Source information at Facetime.com here.

NewsBites item: Worm Spreads Through Yahoo Messenger (22 May 2006)

Important RH kernel security advisory

Published: 2006-05-26
Last Updated: 2006-05-26 18:57:22 UTC
by Patrick Nolan (Version: 1)
Over at the NISCC they posted information about RHSA-2006:0493-6, Important: kernel security update.

The RH advisory includes fixes for a number of issues in addition to the ones I copied next:

* a flaw in the SCTP-netfilter implementation that allowed a remote user to cause a denial of service (infinite loop) (CVE-2006-1527, important)

* a directory traversal vulnerability in smbfs that allowed a local user to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences (CVE-2006-1864, moderate)

* a flaw in the ECNE chunk handling of SCTP that allowed a remote user to cause a denial of service (panic) (CVE-2006-2271, moderate)

* a flaw in the handling of COOKIE_ECHO and HEARTBEAT control chunks of SCTP that allowed a remote user to cause a denial of service (panic) (CVE-2006-2272, moderate)

* a flaw in the handling of DATA fragments of SCTP that allowed a remote user to cause a denial of service (infinite recursion and crash) (CVE-2006-2274, moderate)
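The smbfs item above (CVE-2006-1864) is one instance of a general traversal-check failure: the client-side check looks for ".." only between "/" separators, but the SMB server also treats "\" as a separator, so a name like "..\..\etc\passwd" passes the client as a single odd filename and climbs two directories on the server. The Python below is an added illustration written for this diary entry; it is not the kernel smbfs code or the Red Hat fix, and the share layout (SHARE_ROOT, JAIL_IN_SHARE), the helper names and the path strings are all constructed for the example.

```python
# Constructed illustration of the "..\" traversal class behind CVE-2006-1864.
# The share layout, jail location and path strings are made up for the example.

SHARE_ROOT = "/share"        # server-side export root (constructed)
JAIL_IN_SHARE = "jail/deep"  # where the client's chroot sits inside the share (constructed)


def _segments(path, separators):
    """Split path on every character in `separators`, dropping empty and '.' parts."""
    for ch in separators[1:]:
        path = path.replace(ch, separators[0])
    return [s for s in path.split(separators[0]) if s not in ("", ".")]


def resolve(root, path, separators):
    """Resolve `path` under `root`, raising ValueError if it climbs above root.

    Only characters in `separators` count as directory separators; a '..' that
    is glued to another separator is therefore invisible to the caller.
    """
    parts = []
    for seg in _segments(path, separators):
        if seg == "..":
            if not parts:
                raise ValueError("escape from %s: %r" % (root, path))
            parts.pop()
        else:
            parts.append(seg)
    return root.rstrip("/") + "/" + "/".join(parts)


def lax_client_check(root, path):
    """Buggy pattern: the client recognises only '/' as a separator."""
    return resolve(root, path, "/")


def strict_client_check(root, path):
    """Fixed pattern: the client treats '\\' exactly as the server will."""
    return resolve(root, path, "/\\")


def smb_server_resolve(share_root, path):
    """What a CIFS server does with the name it receives: '\\' and '/' both separate."""
    return resolve(share_root, path, "\\/")


def forward_through_client(check, user_path):
    """Run the client-side check on a user-supplied relative path, then return
    the server-side path that would actually be opened, or None if the client
    rejected the request."""
    try:
        check(JAIL_IN_SHARE, user_path)
    except ValueError:
        return None
    return smb_server_resolve(SHARE_ROOT, JAIL_IN_SHARE + "/" + user_path)


if __name__ == "__main__":
    attack = "..\\..\\etc\\passwd"   # literally ..\..\etc\passwd
    print("lax client   :", forward_through_client(lax_client_check, attack))
    print("strict client:", forward_through_client(strict_client_check, attack))
```

Run stand-alone, the lax client lets the backslash form through and the server opens /share/etc/passwd, outside the /share/jail/deep chroot, while the forward-slash form "../../etc/passwd" is caught by both clients. The fix is not to blacklist "..\" specifically but to canonicalise with the same separator set the peer will use before any containment check.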

eEye Upcoming Advisory - both uses and abuses Symantec security applications

Published: 2006-05-26
Last Updated: 2006-05-26 18:54:33 UTC
by Patrick Nolan (Version: 1)
Some ISC participants have pointed us to an "Upcoming Advisory" posted at eEye that describes a remotely exploitable vulnerability in Symantec AntiVirus 10.x and Symantec Client Security 3.x. Others have pointed us to an article at the new security website Dark Reading in which an eEye team member discusses the issue; the article also states that eEye "also tested Symantec's consumer security suite, Norton Internet Security 2006, which eEye uses, and found that it was not vulnerable."

Thanks folks!

Update - Symantec issued SYM06-010, Symantec AntiVirus Reported Vulnerability.