Apple updates Airport Drivers

Published: 2006-09-21
Last Updated: 2006-09-21 21:29:15 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
Apple today released an urgent update for OS X, fixing arbitrary code executing issues with its airport drivers. This is likely going to fix the issues demoed at Blackhat. This demo ignited a controversy as Apple never actualy acknowledged that such a vulnerability exists. The researchers at the time where careful not to demo the exploit outside of a controlled lab in order to not release the exploit (after all... its "wireless").

The full advisory notes 3(!) arbitrary code execution issues fixed by this patch. The advisory mentions that there is no known exploit, and does not give credit to anyone for discovering the vulnerability.

I recommend applying the patch ASAP. However, you will only be able to download the full patch "as is". Patches for the individual vulnerabilities are not provided. Interestingly, OS-X update labels the patch a "wireless network reliability fix".

For more background from Brian Krebs, see his latest blog.




Keywords: airport apple osx
0 comment(s)

2222/tcp Probes

Published: 2006-09-21
Last Updated: 2006-09-21 21:12:28 UTC
by Chris Carboni (Version: 1)
0 comment(s)

In yesterday's diary  Jim showed Dshield data pointing to a drastic increase in probes to tcp port 2222.

Today, the data drops back down to 'normal' levels



We did recieve quite a few e-mails listing applications that use tcp 2222 by default including, Allen-Bradley SLC-505 PLCs, Direct Admin, Ethernet connected Allen Bradley Programmable Logic Controllers, and the pubcookie key server among them.

That port is also a known to be used by a couple of trojans.

We've also received a few packets, and based on what we can see, it is a syn packet that may be crafted.  One of the handlers noticed some irregularities in the source port and sequence numbers.

I'll post the packets as soon as I can properly anonymize them to protect the innocent.  ;)

We'll keep an eye on this over the next few days.

Keywords:
0 comment(s)

More 'sploit code released

Published: 2006-09-21
Last Updated: 2006-09-21 20:53:26 UTC
by Chris Carboni (Version: 3)
0 comment(s)
Juha-Matti sent a note telling us that exploit code for the Internet Explorer VML Remote Buffer Overflow vulnerability Swa reported on in Tuesday's diary has been released on one of the usual sites.

The site contains a modified version of the code that was originally released on Tuesday that has now been tested on:
  • Windows XP SP1 + IE6 SP1
  • Windows XP SP0 + IE6
  • Windows 2000 SP4 + IE6 SP1
  • Windows 2000 SP4 + IE6

He also mentions that exploit code for the Windows Kernel Privilege Escalation vilnerability fixed by MS06-049 has been been released.

This code is said to have been tested on:
  • Windows 2000 PRO SP4 Chinese
  • Windows 2000 PRO SP4 Rollup 1 Chinese
  • Windows 2000 PRO SP4 English
  • Windows 2000 PRO SP4 Rollup 1 English
Joel:  Snort's VRT team published rules today that catches the new VML vulnerabilities.  At this time, in tune with the VRT license, they are subscription only.  They will be public in 5 days.  Read the news release: here.
Keywords:
0 comment(s)

MS Desktop Search add-on vulnerabilities - Trustworty Computing gone too far

Published: 2006-09-21
Last Updated: 2006-09-21 16:26:38 UTC
by Patrick Nolan (Version: 1)
0 comment(s)
  So I'm checking the usual vulnerability announcement sources and once again the folks at NISCC have posted info on a beauty. Their NISCC Vulnerability Advisory 693564/NISCC/FOLDERSHARE - Security Implications of the FolderShare Program details huge vulnerabilities (https tunnel, EFS bypassing, and more) in FolderShare, an "add-in tool for Microsoft Desktop Search" which enables "remote access to files stored on Windows and Mac OS X based computers.".

MS's KB "Best practices and security issues to consider when you use FolderShare" is weak, it's only useful recommendation is;

"you can effectively block outgoing traffic to FolderShare. To permanently block the FolderShare satellite from running in a particular environment, block access to the following host name on port TCP/443:
redir1.foldershare.com ".

The folks at NISCC credit "Ben Rexworthy of Securinet UK and white-hats.co.uk for reporting these issues to NISCC".

Keywords:
0 comment(s)

Comments

cwqwqwq

www

Nov 17th 2022
4 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
4 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
4 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
4 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
3 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
3 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
3 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
3 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
2 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
2 months ago

Login here to join the discussion.


Diary Archives