Information Security

Vulnerability Pipes

Bugtraq: [SECURITY] [DSA 2907-1] Announcement of long term support for Debian oldstable

Linux Security - 1 hour 21 min ago
Categories: Vulnerability Pipes

WinXP and/or Win2003 systems hang because of a faulty SC Forefront Endpoint Protection update, (Wed, Apr 16th)

Windows Security - Wed, 04/16/2014 - 12:48

Reader Philipp reported today a bug affecting his remaining Windows XP machines and Windows 2003 servers. It seems that all Windows XP and Windows 2003 machines with SC Forefront Endpoint Protection definition update 1.171.1.0 and later are affected. You might want to test definition update 1.171.64.0, as we have received reports stating that it fixes the problem. However, we have not yet seen any official statement from Microsoft regarding this issue.

If you disable Forefront because it is not letting your machine work, please put other controls in place that minimize the associated risk. Otherwise, your computers become an easy target.

We also receive questions about which AV is the best. Since the answer depends on the company and the information security assets it protects, you might want to check the Magic Quadrant for Endpoint Protection from Gartner Group and work out for yourself what the best answer is for your company. If you want to read the entire report, you can get it from McAfee or Computerlinks.

We will update this diary if more information becomes available.

More information available at:

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Oracle Critical Patch Update for April 2014, (Wed, Apr 16th)

Other Security - Wed, 04/16/2014 - 08:07

Oracle released its quarterly Critical Patch Update (CPU) yesterday [1]. As usual, the number of patches is quite intimidating, but remember that these 104 fixes apply across the entire Oracle product range.

Some of the highlights:

CVE-2014-2406: A bug in Oracle's Database which allows a remotely authenticated user to gain control over the database.

37 new patches for Java SE, 35 of which allow remote execution as the user running the Java applet (according to Oracle: "The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows)").

4 of the Java vulnerabilities have a base CVSS score of 10, indicating not only full remote code execution but also easy exploitability.

[1] http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Bugtraq: [SECURITY] CVE-2014-0111 Apache Syncope

Linux Security - Wed, 04/16/2014 - 07:13

Vuln: Microsoft Word CVE-2014-1761 Remote Memory Corruption Vulnerability

Windows Security - Tue, 04/15/2014 - 19:00

Vuln: Apache Tomcat CVE-2013-4322 Incomplete Fix Denial of Service Vulnerability

Linux Security - Tue, 04/15/2014 - 19:00

Vuln: Microsoft Word File Converting CVE-2014-1757 Remote Code Execution Vulnerability

Windows Security - Tue, 04/15/2014 - 19:00

Reverse Heartbleed Testing, (Sun, Apr 13th)

Other Security - Sun, 04/13/2014 - 08:01

I wanted to know whether the tools and software I run regularly are vulnerable to having their memory scraped by a malicious server. The reverse Heartbleed scenario is certainly possible, but in practice it looks much more like a non-issue.

Seeing is still believing in my book, so I set out to see what the rest of the internet was doing to test this. There are some very reputable services and organizations offering up a fresh URL for reverse Heartbleed testing, and others offering to 'test' a given URL. These are black boxes. Trust is hard to earn at times, especially when you are dealing with an exploit like this one. I wanted to see source code, or at least pseudocode, so I could craft my own. I found a script called Pacemaker [1], written and provided by Peter Wu. I liked it because it is transparent, simple, and can be run entirely under my control (the ultimate first step in developing trust).

It is simple enough that I was able to review it for harm and function and paste it into vi. Escape, write, quit, and I was off and running. Basically it works like a very simple web server: the script is executed and listens on port 4433. You point your client software at it with a localhost URL and the server script reports on STDOUT what it finds.

I did not have any vulnerable client software readily available to give a whirl, but I did try all my curl and wget installs that I use regularly.   I also hit it with Chrome and Safari to see the error messages.

Here is what I tested with it.

wget 1.11.4:
Connection from: 10.0.0.11:60401 Unable to check for vulnerability: SSL 2.0 clients cannot be tested

curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5:
Connection from: 10.0.0.11:60418 Got Alert, level=Fatal, description=40 Not vulnerable! (Heartbeats disabled or not OpenSSL)

curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5:
Connection from: 127.0.0.1:59451 Possibly not vulnerable

Chrome 34.0.1847.116:
Connection from: 127.0.0.1:59490 Got Alert, level=Fatal, description=47 Not vulnerable! (Heartbeats disabled or not OpenSSL)

I am interested in seeing more output from known vulnerable client software.  Feel free to give this a ride and share your results.  If I get a chance to spin out a new VM with some vulnerable OpenSSL on it today, then I will share my experiences too.


[1] https://github.com/Lekensteyn/pacemaker


-Kevin
--
ISC Handler on Duty


How to talk to your kids (or manager) about "Heartbleed", (Fri, Apr 11th)

Windows Security - Fri, 04/11/2014 - 07:15

With more mass-media attention to the heartbleed bug, we are getting more questions from "normal users" about the heartbleed bug.

The "Heartbleed" bug does not affect end users running Windows. It does not affect the standard Windows browsers (Internet Explorer, Firefox, Chrome). It may affect some selected third-party software, but most likely you do not need to patch anything. The only widely used consumer platform that is vulnerable is Android 4.1.1, and there isn't much you can do about it except wait for a patch for your phone.

However, it is possible that a web site you used is or was affected by "Heartbleed". The result may be that the password you are using on the site was captured by someone attacking this site. So you may need to change the password that you used on the site.

How do I know if a site is/was vulnerable?

Your best bet is https://lastpass.com/heartbleed/ . They will show you if a site is vulnerable right now, or may have been vulnerable in the past. There is a chance that the site received a new certificate that still uses the old issue date, which can lead to sites being identified as "not fixed".

Should I change my password?

If you think the site was vulnerable, and is no longer vulnerable, then you should change your password. If in doubt, change your password. Changing your password while the site is still vulnerable probably doesn't hurt, but the new password may leak again, so the change may not help.

Should I avoid sites that are still vulnerable?

Yes

I received an e-mail from a site I use asking me to change my password. Should I do so?

First of all: Don't click on any links in this email. Then go to the website and change your password (even if the e-mail was a fake, it doesn't hurt to change your password as long as you are sure you go to the right site). Use the "lastpass" URL above to check if the site is/was vulnerable.

What else should I do?

Standard "safe computing" practices: use difficult to guess passwords, keep your system up to date, use anti-malware, be cautious with links distributed via e-mail.

And how do I explain the problem that caused all this?

XKCD has a great cartoon explaining it: http://imgs.xkcd.com/comics/heartbleed_explanation.png . The short summary: if an SSL connection is idle, heartbeat messages are used to check whether the other side is still listening. For example, the browser sends a message "if you are still alive, reply by sending the 3-letter word 'dog'", and the server replies with "dog". To trigger the bug, the client sends "reply with the 500-letter word 'cow'". Since "cow" has only 3 letters, the server makes up the missing 497 bytes with data from memory, and this data may contain other things the server was working on, like users' passwords or private encryption keys.
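The "dog"/"cow" exchange above in simulation, as an added example that is not part of this diary, of OpenSSL, or of the Pacemaker script from the earlier entry: a handler that trusts the claimed payload length next to one that checks it against the record actually received, which is the fix RFC 6520 requires (the same check a client needs in the reverse scenario). The memory buffer, the 500-byte "cow" request and the secret that follows it are constructed for the demonstration.

```python
# Added illustration (not code from the ISC diary, OpenSSL or Pacemaker): the
# TLS heartbeat length check, shown on a constructed memory buffer.
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """HeartbeatMessage: type(1) | payload_length(2) | payload | padding."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def handle_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: copies payload_length bytes from where the record
    sits in memory, without checking that many bytes were ever received."""
    _hb_type, claimed = struct.unpack("!BH", memory[:3])
    payload = memory[3:3 + claimed]  # reads past record_len into adjacent data
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload


def handle_fixed(memory: bytes, record_len: int):
    """Fixed behaviour: silently discard the message unless
    type + length field + claimed payload + padding fits in the record."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None
    _hb_type, claimed = struct.unpack("!BH", memory[:3])
    if 1 + 2 + claimed + PADDING_LEN > record_len:
        return None
    payload = memory[3:3 + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + payload


# Constructed sample: a 3-byte payload "cow" that claims 500 bytes, followed in
# the same buffer by data the server happened to be working on.
SECRET = b"user=alice&password=hunter2"  # constructed placeholder, not real data
REQUEST = build_heartbeat(b"cow", 500)
MEMORY = REQUEST + SECRET + b"\x00" * 600


def demo():
    """Returns (secret leaked by the vulnerable handler?, fixed handler's reply)."""
    leaked = handle_vulnerable(MEMORY, len(REQUEST))
    safe = handle_fixed(MEMORY, len(REQUEST))
    return SECRET in leaked, safe


if __name__ == "__main__":
    print(demo())  # (True, None)
```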

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

