SANS ISC InfoSec Handlers Diary Blog

PoC for CVE-2009-0689 MacOS X 10.5/10.6 vulnerability

Published: 2010-01-12
Last Updated: 2011-02-08 23:48:03 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Proof-of-concept code exploiting the MacOS X 10.5/10.6 libc strtod(3) buffer overflow (CVE-2009-0689) has been released. The list of vulnerable software includes FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, as well as MacOS X 10.5/10.6. Impact includes Denial of Service (DoS) or execution of arbitrary code. This is remotely or locally exploitable, and does not require user interaction.


From NVD:
CVSS Severity (version 2.0):
CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Provides unauthorized access; allows partial confidentiality, integrity, and availability violation; allows unauthorized disclosure of information; allows disruption of service

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.


Microsoft Security Bulletin: January 2010

Published: 2010-01-12
Last Updated: 2010-01-21 20:08:05 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

Overview of the January 2010 Microsoft patches and their status.

Bulletin: MS10-002 - Cumulative Security Update in Internet Explorer
  Affected:            Internet Explorer (CVE-2009-4074)
  Contra indications:  KB 978207
  Known exploits:      No known exploits.
  Microsoft rating:    Severity: Critical, Exploitability: 2
  ISC rating (*):      clients: PATCH NOW, servers: Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not address some form of risk.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Pre-Announced Adobe Reader and Acrobat Patch Found!

Published: 2010-01-12
Last Updated: 2010-01-13 14:24:01 UTC
by Johannes Ullrich (Version: 3)
0 comment(s)

As soon as I wrote this diary about the missing Adobe Acrobat / Reader patch, a few readers (ours, not Adobe's ;-) ) noticed that the new version is available on Adobe's FTP server.

See: ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: 0day acrobat adobe patch

Microsoft Advises XP Users to Uninstall Flash Player 6

Published: 2010-01-12
Last Updated: 2010-01-13 00:31:54 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

As part of today's bulletin release, Microsoft advises users of Windows XP to uninstall Flash Player 6, which is installed with Windows XP. Affected users should upgrade to the latest version of Flash Player, which is available for download from Adobe.

The Adobe Flash Player was only provided with Windows XP, up to and including service pack 3. All other versions of Windows do not include Flash Player.

KB979267: http://www.microsoft.com/technet/security/advisory/979267.mspx

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Haiti Earthquake: Possible scams / malware

Published: 2010-01-12
Last Updated: 2010-01-13 00:08:30 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Major news organizations reported earlier about a devastating earthquake in Haiti. Unlike the smaller earthquake a few days ago off the coast of California, Internet routing isn't our biggest concern right now. We may see another wave of on-line donation scams.

During Hurricane Katrina, we saw a lot of domains being registered with names targeting the disaster. Since then, the pattern in these schemes has changed somewhat. Instead of domain registrations, we see more paid search engine placement ads and Twitter "tag" poisoning. I just took a quick look, and didn't see anything obviously illegal: just a few valid charities advertising their services to donors via modern social media techniques and keyword purchases.

Be aware of:

Fraudulent Organizations: If possible, donate to organizations you know and trust, not to new organizations just set up for this particular event. The IRS maintains a list of tax exempt charitable organizations [1]. This list is not 100% up to date, and it takes a while for a new organization to be added. But it can serve as a first sanity check.

Malware: Malware may be advertised as a video report of the event or come under other pretenses.
 

Please let us know if you come across any scams!

[1] http://www.irs.gov/app/pub-78/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: earthquake haiti

Oracle Patches Released

Published: 2010-01-12
Last Updated: 2010-01-12 21:19:31 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Luckily, Microsoft didn't have much to announce today. But don't take the day off yet. If you run Oracle's software, you may want to take a look at the patches released earlier today [1].

Oracle patches are complex and cover far more than just the database. Among other products, this release covers the Oracle Application Server and the Oracle WebLogic Server.

[1] http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html

(thanks to Juha-Matti for alerting us about the release)

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: oracle patches

IPv6 and isc.sans.org

Published: 2010-01-12
Last Updated: 2010-01-12 17:10:33 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

I spent some time last week to analyze the IPv6 traffic isc.sans.org receives. To do so, I considered the last 90 days worth of logs. The full report can be found here.

A quick summary: IPv6 is still used by only 1.3% of hosts connecting to isc.sans.org. This is a considerable increase from about a year ago, when it was about 0.5%, but the number of hits is still small. I am not able to prove this in every single case, but the overwhelming use of tunnels suggests that most if not all of these users would be able to reach isc.sans.org via IPv4. The connection via IPv4 would probably be faster. For myself, the latency to isc.sans.org via IPv6 is about double what it is via IPv4. Most of the overhead comes from the latency of my tunnel connection at home; the round-trip time from isc.sans.org to our tunnel broker is only 12ms.

One of the important lessons from this analysis: a large number of hosts connecting to us appear to use automatically configured tunnels like 6to4 or Teredo. These tunnels are sometimes not managed, resulting in hosts unintentionally exposed to IPv6. Many firewalls are not configured to limit IPv6 or the associated tunneling protocols, or don't even have the ability to do so. These hosts may be "naked" when it comes to IPv6.

Highlights:

  • We had IPv6 connections from about 13 thousand hosts.
  • About 2,500 of these used 6to4 (2002::/16 addresses) and 550 used Teredo.
  • Only a very small fraction (815) of the IPs had PTR records configured for reverse DNS resolution.

Full report: http://isc.sans.org/presentations/ipv6q42009.pdf (PGP signature available)
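The breakdown above (native vs. 6to4 vs. Teredo) is something you can reproduce on your own web logs. The following classifier is an added example, not the tooling behind the ISC report; it uses the standard-library ipaddress module, whose IPv6Address.sixtofour and IPv6Address.teredo properties recover the IPv4 address embedded in a tunnel address. The address list is constructed (documentation prefixes and the RFC 4380 Teredo example), not taken from the isc.sans.org logs. The embedded IPv4 address is exactly why the diary expects these hosts to be reachable over IPv4 as well, and it is the address that a firewall ruleset ignoring 6to4 (IP protocol 41) or Teredo (UDP, typically port 3544) leaves unexamined.

```python
"""Classify IPv6 client addresses as native, 6to4 or Teredo (added example)."""
import ipaddress
from collections import Counter
from typing import Iterable, Optional

# Constructed sample of source addresses of the kinds discussed in the diary.
SAMPLE_LOG_ADDRESSES = [
    "2001:db8:1::10",                        # native (documentation prefix)
    "2001:db8:1::10",                        # repeat hit from the same host
    "2002:c000:0204::1",                     # 6to4, embeds 192.0.2.4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo (RFC 4380 example), client 192.0.2.45
    "2001:db8:2::5",                         # native
    "2002:c633:6401::",                      # 6to4, embeds 198.51.100.1
]


def classify(addr: str) -> str:
    """Return 'teredo', '6to4' or 'native' for one IPv6 address string."""
    ip = ipaddress.IPv6Address(addr)
    if ip.teredo is not None:       # 2001::/32 with server and client embedded
        return "teredo"
    if ip.sixtofour is not None:    # 2002::/16, IPv4 in bits 16..47
        return "6to4"
    return "native"


def embedded_ipv4(addr: str) -> Optional[str]:
    """IPv4 address of the tunnel endpoint for a 6to4/Teredo host, None if native."""
    ip = ipaddress.IPv6Address(addr)
    if ip.teredo is not None:
        _server, client = ip.teredo   # client address is stored obfuscated; ipaddress decodes it
        return str(client)
    if ip.sixtofour is not None:
        return str(ip.sixtofour)
    return None


def summarize(addresses: Iterable[str]) -> dict:
    """Count unique hosts per class, the way the diary's highlights are reported."""
    unique = set(addresses)
    counts = Counter(classify(a) for a in unique)
    counts["hosts"] = len(unique)
    return dict(counts)


def tunnel_share(addresses: Iterable[str]) -> float:
    """Fraction of unique hosts that arrived through an automatic tunnel."""
    s = summarize(addresses)
    return (s.get("6to4", 0) + s.get("teredo", 0)) / s["hosts"] if s["hosts"] else 0.0


if __name__ == "__main__":
    for a in SAMPLE_LOG_ADDRESSES:
        print(f"{a:40} {classify(a):7} {embedded_ipv4(a) or '-'}")
    print(summarize(SAMPLE_LOG_ADDRESSES), f"tunnelled: {tunnel_share(SAMPLE_LOG_ADDRESSES):.0%}")
```

Feed it the client column of an access log and compare the tunnel share to the diary's figures; a high share of 6to4/Teredo sources from your own address space is the signal that hosts have IPv6 connectivity nobody set up deliberately.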

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ipv6

Baidu defaced - Domain Registrar Tampering

Published: 2010-01-12
Last Updated: 2010-01-12 16:55:59 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

The Chinese search engine Baidu was briefly defaced earlier today [1]. The replacement page was identical to the defacement in a recent twitter.com hack.

It appears that, as in the Twitter case, the attacker did not attack the site itself, but instead changed the site's domain registration. This kind of attack is not new, but it is still quite successful. To defend against it, companies should review their domain name registration policies and how the registrar credentials are handled; changes to the registration are typically infrequent. Beyond the domain registration itself, DNS has also been tampered with by stealing credentials to the admin interfaces of DNS services and to internal DNS administration utilities.

It is also worthwhile to monitor DNS zones for changes by regularly polling ALL authoritative name servers.
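One way to implement that monitoring, as an added example rather than anything ISC runs: poll every authoritative server for the records you care about, compare each server's answers with a baseline, and also compare the delegation (the NS set the parent zone hands out) with the NS set you configured, since a registrar-level change shows up in the delegation even while your own servers still serve the correct zone. The live queries are left to the caller (for instance dnspython against each server's address); the record sets and server names below are constructed and do not describe Baidu's or anyone's real zone.

```python
"""Zone change / consistency audit across all authoritative servers (added example)."""
from typing import Dict, Set, Tuple

Record = Tuple[str, str, str]        # (owner name, rrtype, rdata)
Snapshot = Dict[str, Set[Record]]    # name server -> records it answered

# Constructed baseline: what the zone owner configured.
ZONE_RECORDS: Set[Record] = {
    ("example.com", "NS", "ns1.example.net"),
    ("example.com", "NS", "ns2.example.net"),
    ("example.com", "A", "192.0.2.10"),
    ("www.example.com", "A", "192.0.2.10"),
    ("example.com", "MX", "10 mail.example.com"),
}
BASELINE_DELEGATION = {"ns1.example.net", "ns2.example.net"}   # NS set at the parent (.com)
BASELINE: Snapshot = {ns: set(ZONE_RECORDS) for ns in BASELINE_DELEGATION}

# Constructed "tampered" poll: the delegation now lists a server the owner never
# configured, and that server answers with different addresses.
TAMPERED_DELEGATION = {"ns1.example.net", "ns.unexpected.example"}
TAMPERED: Snapshot = {
    "ns1.example.net": set(ZONE_RECORDS),
    "ns.unexpected.example": {
        ("example.com", "NS", "ns.unexpected.example"),
        ("example.com", "A", "198.51.100.66"),
        ("www.example.com", "A", "198.51.100.66"),
    },
}


def audit(baseline_delegation: Set[str], baseline: Snapshot,
          current_delegation: Set[str], current: Snapshot) -> dict:
    """Compare a fresh poll of all authoritative servers against the baseline."""
    report = {
        "delegation_added": sorted(current_delegation - baseline_delegation),
        "delegation_removed": sorted(baseline_delegation - current_delegation),
        "unreachable": sorted(current_delegation - set(current)),   # delegated but gave no answer
        "changed": {},
        "consistent": True,
    }
    expected: Set[Record] = set().union(*baseline.values()) if baseline else set()
    for ns, records in current.items():
        added, removed = records - expected, expected - records
        if added or removed:
            report["changed"][ns] = {"added": sorted(added), "removed": sorted(removed)}
    # Every server currently delegated should return the same answers.
    answers = list(current.values())
    report["consistent"] = all(a == answers[0] for a in answers[1:])
    report["alert"] = bool(report["delegation_added"] or report["delegation_removed"]
                           or report["unreachable"] or report["changed"] or not report["consistent"])
    return report


if __name__ == "__main__":
    print("clean poll:   ", audit(BASELINE_DELEGATION, BASELINE, BASELINE_DELEGATION, BASELINE)["alert"])
    r = audit(BASELINE_DELEGATION, BASELINE, TAMPERED_DELEGATION, TAMPERED)
    print("tampered poll:", r["alert"], r["delegation_added"], r["delegation_removed"])
    for ns, diff in r["changed"].items():
        print(f"  {ns}: +{len(diff['added'])} / -{len(diff['removed'])} records")
```

Run the poll against each server's IP address rather than through your resolver, so a poisoned cache cannot mask the comparison, and keep the baseline under change control so that a legitimate registrar or zone change updates it explicitly.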

[1] http://www.washingtonpost.com/wp-dyn/content/article/2010/01/12/AR2010011200468.html

Update: More details can be found here: http://garwarner.blogspot.com/2010/01/iranian-cyber-army-returns-target.html

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Microsoft Patch Tuesday - Preannouncement

Published: 2010-01-12
Last Updated: 2010-01-12 00:56:36 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

According to Microsoft's Patch Tuesday preview, there will only be one bulletin released tomorrow [1].

The bulletin is only critical for Windows 2000 and considered "low" for other versions of Windows.

It does not appear that there will be a patch for the IIS file extension issue. We will have more details once the bulletin is released. Don't forget our reboot Wednesday webcast [2]!

[1] http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
[2] http://isc.sans.org/j/webcast

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: Microsoft