Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft DirectShow vulnerability

Published: 2009-05-28
Last Updated: 2009-05-28 22:56:56 UTC
by Stephen Hall (Version: 1)
1 comment(s)

 Microsoft have recently announced a Microsoft DirectShow vulnerability via an advisory and multiple blog entries. 

The advisory indicates that Microsoft are investigating public reports of a vulnerability within the DirectShow element of DirectX - CVE-2009- 1537 has been allocated to this vulnerability.

Microsoft have published quite a detailed set of actions which provide a temporary workaround for this issue to prevent the download of a crafted QuickTime formated file.

The following information has been posted:

http://blogs.technet.com/msrc/default.aspx
http://www.microsoft.com/technet/security/advisory/971778.mspx
http://blogs.technet.com/srd/

In the advisory Microsoft have indicated that a patch will be produced for this but give no timescales. To reduce the potential risk you should consider the impact of applying the workaround versus the period of nil-protection whilst it's MAPP/MSRA partners get definitions out for detection, etc.

SecurityFocus have reported that targeted exploits of this issue have been seen in the wild.

 

1 comment(s)

Stego in TCP retransmissions

Published: 2009-05-28
Last Updated: 2009-05-28 19:19:35 UTC
by Jim Clausing (Version: 1)
0 comment(s)

I just started reading an interesting new paper out of the Warsaw University of Technology entitled Hiding Information in Retransmission.  This got me to thinking, even those of us who have extensive monitoring of our network rarely will have the capability to compare retransmitted packets to the original to detect this.  A really interesting idea.  The abstract can be found here and the paper itself here.

0 comment(s)

More new volatility plugins

Published: 2009-05-28
Last Updated: 2009-05-28 16:02:43 UTC
by Jim Clausing (Version: 1)
0 comment(s)

If you follow our diary at all, by now, you know I am a big fan of volatility for doing analysis of memory images.  I use it quit a bit in my automated malware analysis environment.*  Well, our friend, Michael Hale Ligh, who brought us the excellent malfind plugin has released another great plugin, the usermode_hook plugin.  Read his writeup, it is well worth the time.

 

*Shameless plug: Come to SANSFIRE in Baltimore next month and meet many of the handlers, I'll be talking about my automated environment including how I currently use volatility and some of what I still want to do with it.

0 comment(s)
Diary Archives