Last Updated: 2010-04-08 23:41:28 UTC
by Guy Bruneau (Version: 1)
Microsoft announced earlier today that they will be releasing a total of 11 bulletins (5 critical, 5 important, 1 moderate). If exploited, eight of the bulletins could allow for remote code execution. More details available here.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Last Updated: 2010-04-08 19:38:31 UTC
by donald smith (Version: 1)
First, the Nmap Project was once again accepted for the Google Summer of Code program, so he will have full-time coding help this summer! SoC previously brought them the Nmap Scripting Engine, Zenmap, Ncat, 2nd generation OS detection, and great developers such as David Fifield, Doug Hoyte, and Patrick Donnelly. But one of their biggest challenges is getting the word out: they won't get great applicants if those applicants don't know about the program. So if you know any college/grad students (or are one) who might be interested, please point them to http://nmap.org/soc/ ASAP. They gain valuable experience writing code used by millions of people and even earn a $5,000 stipend! But the application deadline is THIS FRIDAY at NOON U.S. Pacific Time (that is 19:00 UTC). The project ideas are listed at http://nmap.org/soc/.
He is also pleased to announce the 2010 Nmap/Sectools Survey! He previously ran this survey in 2000, 2003, and 2006, and it helped guide Nmap development as well as share the community's collective wisdom through http://sectools.org/. He had 3,243 responses in 2006 and is trying to reach 5,000 this year. And this year he has upped the ante by offering prizes! So please take this quick survey, and in return they will build you a better Nmap and a new and improved Sectools.Org:
Last Updated: 2010-04-08 18:44:03 UTC
by Johannes Ullrich (Version: 1)
We are still having connectivity issues at one of our hosting locations. Most of the ISC site is now working OK. DShield.org is just showing the ISC page for now (we are working on this).
E-mail is still a problem, and reports are currently not being processed. The contact form should be working, though. Reports will be processed once we get back online.
Last Updated: 2010-04-08 05:49:50 UTC
by Bojan Zdrnja (Version: 1)
I know that most of you are probably already sick of malicious PDF documents, but one of our readers, Will Thomson, sent a really interesting malicious PDF document that used some more advanced obfuscation techniques that I wanted to share with everyone. So, let's get to work.
When called like this, app.doc.getAnnots() returns an array of annotation objects, one for every annotation in the document. This is important to remember.
Take a look at the code below, which I tidied up a bit so that it is easier to read:
Lines 6-13 are especially important. So, what do the attackers do here?
- First, the variable n_AXr11_7Wdj is assigned the value 0.
- On line 10, the h__l_S_1__f variable will contain pr[n_AXr11_7Wdj].subject. Since n_AXr11_7Wdj is 0, this equals pr[0].subject. Remember what the pr array is? It contains the annotations. In other words, this will use the first annotation: its subject field is where the attackers stashed the next stage.
While there have been a lot of words and warnings about how important it is to patch Adobe Reader installations, I would like to stress this again, as attackers are clearly not sleeping.
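As an added example (not the reader's PDF and not code from the diary), here is a small Python triage script that flags the staging pattern described above: an annotation object whose /Subj carries a long string, and document JavaScript that reads annotation subjects back via app.doc.getAnnots(). The sample PDF bytes are constructed inline, and the object layout and the 40-byte subject threshold are assumptions.

```python
import math
import re
from collections import Counter
# Constructed sample, not the reader-submitted PDF from the diary: object 5 is a text
# annotation whose /Subj holds a placeholder blob, object 6 the document JavaScript that
# reads it back through app.doc.getAnnots(), the staging technique the diary describes.
PLACEHOLDER_SUBJ = b"0123456789abcdef" * 4   # 64 bytes standing in for an encoded payload
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 6 0 R >> endobj\n",
    b"5 0 obj << /Type /Annot /Subtype /Text /Subj (", PLACEHOLDER_SUBJ, b") >> endobj\n",
    b"6 0 obj << /S /JavaScript /JS (var pr = app.doc.getAnnots(); var s = pr[0].subject;) >> endobj\n",
])
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)

def literal_string(body: bytes, key: bytes):
    """Literal string after `key`, or None; parens nest unescaped in PDF strings, so a
    regex stopping at the first ')' would cut 'getAnnots()' short. Track depth instead."""
    start = body.find(key)
    start = body.find(b"(", start + len(key)) if start >= 0 else -1
    if start < 0:
        return None
    depth, out, i = 0, bytearray(), start
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":                        # keep the escaped byte, drop the backslash
            out += body[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return bytes(out)
        if not (c == b"(" and depth == 1):    # skip only the outermost opening paren
            out += c
        i += 1
    return None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, to help tell prose-like subjects from encoded blobs."""
    n = len(data)
    return -sum(k / n * math.log2(k / n) for k in Counter(data).values()) if n else 0.0

def triage(pdf: bytes, min_subj_len: int = 40):
    """(object number, reason) findings: long annotation subjects, and JS reading them via getAnnots()."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        subj = literal_string(body, b"/Subj")
        if subj is not None and len(subj) >= min_subj_len:
            findings.append((num, f"long /Subj ({len(subj)} bytes, entropy {shannon_entropy(subj):.2f})"))
        js = literal_string(body, b"/JS")
        if js is not None and b"getAnnots" in js and b".subject" in js:
            findings.append((num, "JavaScript reads annotation subjects via app.doc.getAnnots()"))
    return findings
```

Run `triage(SAMPLE_PDF)` to see both objects flagged; on a real file the two findings together (a payload-sized subject plus JavaScript that fetches subjects) are the signal worth escalating, since either alone has benign uses.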