
SANS ISC InfoSec Handlers Diary Blog



Microsoft Security Advisory 2219475

Published: 2010-06-10
Last Updated: 2010-06-10 21:50:22 UTC
by Deborah Hale (Version: 1)
1 comment(s)

Microsoft has issued a Security Advisory for the vulnerability in the Windows Help and Support
Centre function that is delivered with supported editions of Windows XP and Windows Server 2003.
The information is referenced under CVE-2010-1885.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885

Full information for the advisory can be found at:

http://www.microsoft.com/technet/security/advisory/2219475.mspx


Deb Hale Long Lines, LLC

1 comment(s)

Microsoft Help Centre Handling of Escape Sequences May Lead to Exploit

Published: 2010-06-10
Last Updated: 2010-06-10 21:26:08 UTC
by Deborah Hale (Version: 1)
0 comment(s)

It appears that a problem has been discovered with Microsoft Help Centre that may lead to problems
for those who are using it.

http://archives.neohapsis.com/archives/fulldisclosure/2010-06/0197.html

According to the information provided by Microsoft on this issue:

"We are aware of a publicly disclosed vulnerability affecting Windows XP and Windows Server 2003.
We are not aware of any current exploitation of this issue and customers running Windows Vista,
Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not vulnerable to this
issue, or at risk of attack."

Microsoft states that the analysis in the original disclosure is incomplete and that the workaround
provided by Google is also incomplete. Microsoft has made its own recommendations and given the
steps to unregister the hcp protocol handler to protect against exploitation. See the mitigation
information at:

http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx

Deb Hale Long Lines, LLC

0 comment(s)

Wireshark 1.2.9 Now Available

Published: 2010-06-10
Last Updated: 2010-06-10 18:35:34 UTC
by Deborah Hale (Version: 1)
0 comment(s)

Wireshark has released an update.  This update corrects some vulnerabilities found
in earlier versions. Thanks to J. for sending this information to us.

http://www.wireshark.org/download.html

http://www.securityfocus.com/bid/40728/discuss

Deb Hale Long Lines, LLC

Keywords: Wireshark
0 comment(s)

Top 5 Social Networking Media Risks

Published: 2010-06-10
Last Updated: 2010-06-10 18:16:49 UTC
by Deborah Hale (Version: 1)
0 comment(s)

Computerworld this week posted a rather thought-provoking article on the risks that social networking
sites may pose to a company or organization.  We all know that even if we tell the employees that
discussion of work-related issues is strictly forbidden, there is a good possibility that it will slip
through.  We also know that social networking sites are laden with badware/malware and viruses.
That is the nature of the beast.  But are there other issues to consider?  My company has been
discussing just this issue at length.  We have a policy, but we know that it is not nearly comprehensive
enough.

Take a look at this article if you are interested.

http://www.computerworld.com/s/article/9177786/Group_lists_top_five_social_media_risks_for_businesses

Deb Hale Long Lines, LLC

0 comment(s)

Another Morning of Fun

Published: 2010-06-10
Last Updated: 2010-06-10 17:48:57 UTC
by Deborah Hale (Version: 1)
3 comment(s)

Some of you may have noticed that I was a little slow in getting started this morning.  
I wasn't prompt with replying to your emails. For that I apologize.  I thought it would be
good if I explained why.

At my day job/paid job one of my responsibilities is handling abuse complaints; another
responsibility is cleaning up mail servers that are doing bad things.  The two usually go
hand in hand and generally are due to something one or more of the users did. Today
was no exception.  I logged into my email this morning and immediately knew I had a
problem.  I knew how the first half of my day was going to go.  I had several hundred
abuse reports for one of my mail servers.  I immediately began to investigate what
was going on with the server.  I soon discovered that I had over 33,000 emails queued
up and a bunch of bounces for undeliverable emails to domains like hotmail, yahoo,
comcast, aol, etc.  I began to review the emails and soon realized that someone had
logged into the webmail on the server with userids on the box and sent emails.  All of
the emails indicated the web access came from IPs in 41.138.x.x, which happens to be
in AfriNIC's world.  This particular server is a local server and I knew that it was highly
unlikely that someone would be legitimately logging in from Africa.  I immediately blocked
the CIDR from accessing the server and cleaned up the emails so that no more would
get out.  After the cleanup was done I began reviewing the logs for the webmail service.

Sure enough, I discovered that 3 valid userids had indeed been used to log in to the server
from the 41.138.x.x IPs.  I immediately changed the passwords on the 3 accounts so that the
spammers could not log in again from a different CIDR.  Once the passwords were changed
I notified the customers of the situation.

I soon discovered that yesterday an email had been sent to the users on this adomain.net
(name changed to protect the domain). Here is what the email said:

Dear adomain.net Subscriber,

 We are currently carrying-out a  maintenance process to your adomain.net account, to
 complete this, you must reply to this mail immediately, and enter your User Name
 here (,,,,,,,,) And Password here (.......)  if you are the rightful owner of
 this account.

 This process we help us to fight against spam mails. Failure to summit your password,
 will render your email address in-active from our database.

 NOTE: If your have done this before, you may ignore this mail. You will be send a
 password reset messenge in next seven (7) working days after undergoing this process
 for security reasons.

 Thank you for using adomain.net!
 THE adomain.net TEAM


In spite of multiple warnings in the past to the users on this domain, three of them responded
to the email. Those three logins were then used last night to log in to the webmail and send
the emails. Now some of you reading this are probably just shaking your head and wondering
why end users are so gullible.  Well, I am with you on that.  If you read the content of the email
you will soon realize that the email contained a number of grammatical errors and it is pretty
obvious that it is a poor attempt at English grammar. Most of us would just ignore the email and
delete it.  Not these users...  They fell for it hook, line and sinker.

I put this out for you because we have received inquiries from several other folks today about this
or a similar phish.  Remind your employees/users that these emails are bogus and bad - not to
respond to them.  If you are on any of my mail servers....   I thank you heartily.  This morning's
little investigation and cleanup took 3 otherwise productive hours out of my day.

Deb Hale Long Lines, LLC

Keywords: Phish Spam
3 comment(s)
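The log review described in the diary above, as an added example that is not part of the original post: successful webmail logins from networks the server's customers never use are flagged per user (those accounts get a password reset), and the offending addresses are collapsed into CIDR blocks for a firewall deny rule. The log line format, the expected customer networks and the sample lines are all constructed for this example.

```python
"""Flag webmail logins from networks a local mail server would not expect."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the diary); the line format is assumed.
SAMPLE_LOG = """\
2010-06-10 01:58:03 webmail LOGIN user=alice src=192.0.2.45 result=ok
2010-06-10 02:13:44 webmail LOGIN user=bob src=41.138.12.34 result=ok
2010-06-10 02:14:10 webmail LOGIN user=carol src=41.138.12.34 result=ok
2010-06-10 02:15:02 webmail LOGIN user=dave src=41.138.200.9 result=fail
2010-06-10 02:16:30 webmail LOGIN user=erin src=41.138.200.9 result=ok
2010-06-10 03:02:11 webmail LOGIN user=alice src=192.0.2.77 result=ok
"""

# Networks from which this server's customers normally log in (constructed values).
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)")


def suspicious_logins(log_text, expected_nets=EXPECTED_NETS):
    """Return {user: sorted unexpected source IPs} for successful logins only."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("result") != "ok":
            continue  # failed attempts did not compromise anything; skip them
        src = ipaddress.ip_address(m.group("src"))
        if not any(src in net for net in expected_nets):
            hits[m.group("user")].add(str(src))
    return {user: sorted(ips) for user, ips in hits.items()}


def block_list(hits, prefixlen=16):
    """Collapse the offending addresses to /prefixlen networks for a deny rule."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            for ips in hits.values() for ip in ips}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    found = suspicious_logins(SAMPLE_LOG)
    for user, ips in sorted(found.items()):
        print(f"reset password for {user}: logins from {', '.join(ips)}")
    print("deny:", block_list(found))
```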

iPad Owners Exposed

Published: 2010-06-10
Last Updated: 2010-06-10 16:26:50 UTC
by Deborah Hale (Version: 1)
0 comment(s)

Some of you may have seen the article about an iPad security breach.  Some of the information floating around is leading readers to believe that it is an
iPhone software problem.  It is not; the issue is with a web application, not the iPhone or iPad software.

http://www.sophos.com/blogs/duck/g/2010/06/10/apples-worst-security-breach/

"Apparently, the breach was the result of a web application vulnerability on an AT&T site. This allowed a malcontent to guess
at an AT&T SIM card identifier (the so-called ICC-ID) and – if the ICC-ID was issued to an iPad – to use it to retrieve the email address
of the iTunes account associated with the device."

The fact that this happened is bad; however, the amount of incorrect information circulating on the Net is even worse.  For the whole story see the
Sophos blog.

Another take on the situation:

http://www.wired.com/threatlevel/

Deb Hale Long Lines, LLC

0 comment(s)