Threat Level: green Handler on Duty: Lorna Hutcheson

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-12-19 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

FF/TB Updates

Published: 2006-12-19
Last Updated: 2006-12-20 01:54:08 UTC
by Tom Liston (Version: 1)
0 comment(s)
A slew of security fixes are being rolled out for FireFox and Thunderbird.  The patches, which will take FireFox to version 2.0.0.1 or 1.5.0.9 and Thunderbird to 1.5.0.9 fix critical security flaws such as XSS (cross-site scripting) issues, privacy leaks when retrieving RSS feeds, a flaw in SVG / DOM handling, and a cursor image overflow in FireFox.  Thunderbird gets fixes for a mail header overflow and inherits several of the FF fixes as well.  As I write this, the new code doesn't appear to be available, but expect the auto-update feature to kick in soon...

More info: http://www.mozilla.org/security/

UPDATE:

The links are now live and you can download this manually, but the auto-update feature is not there yet. Here's the list of security fixes in Firefox version 2.0.0.1:

XSS using outer window's Function object
RSS Feed-preview referrer leak
Mozilla SVG Processing Remote Code Execution
XSS by setting img.src to javascript: URI
LiveConnect crash finalizing JS objects
Privilege escallation using watch point
CSS cursor image buffer overflow (Windows only)
Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)

Keywords:
0 comment(s)

APPLE-SA-2006-12-19

Published: 2006-12-19
Last Updated: 2006-12-19 21:54:05 UTC
by Tom Liston (Version: 1)
0 comment(s)
This newly released security update from Apple has nothing whatsoever to do with the recent "QuickSpace" worm.  It fixes a relatively obscure issue with QuickTime for Java and Quartz Composer.

Nothing to see here... move along.
Keywords:
0 comment(s)

It's baaaaaaaack...

Published: 2006-12-19
Last Updated: 2006-12-19 21:02:26 UTC
by Tom Liston (Version: 1)
0 comment(s)
The on-again-off-again update for Microsoft Office 2004 for Mac 11.3.2 is... well... on again.  There are, however, several more hours in the day, and who knows... they might change their mind again.

Get it while you can: http://www.microsoft.com/mac/downloads.aspx#Office2004
Keywords:
0 comment(s)

A cavity in Linux Bluetooth?

Published: 2006-12-19
Last Updated: 2006-12-19 20:50:58 UTC
by Tom Liston (Version: 1)
0 comment(s)
Looks like there is an issue with over-filling a cavity (buffer) in the Linux Bluetooth stack's cmtp_recv_interopmsg() function.  At the very least, it's a DoS condition, but it might be possible to leverage into running code using malformed CAPI messages with oversized (1) manu (manufacturer) or (2) serial (serial number) fields.  The issue exists in Linux kernels before 2.4.33.5 and in 2.6.x up to 2.6.19.1.  More information can be found here.
Keywords:
0 comment(s)

Soap Boxing

Published: 2006-12-19
Last Updated: 2006-12-19 18:14:09 UTC
by Tom Liston (Version: 1)
0 comment(s)
As we round out yet another year, I thought that I would take the opportunity to climb up on a soapbox and rant about something that has been bothering me for a bit:

We're ending 2006 much as it began: with an in-the-wild, un-patched live-data vulnerability in a widely used Windows application (for those of you with short memories, it was the WMF flaw in IE at the end of 2005, and we have three -- count 'em three -- un-patched Word flaws hanging over our heads now).

But, if you're expecting me to launch into an anti-Microsoft screed, you're about to be sorely disappointed.  Redmond represents far too easy a target at this point, and besides, I've really been trying to make it onto Uncle Bill's "Nice" list before the 25th rolls around.  The dude has over a billion dollars, so you know he's gotta give some primo stocking stuffers?

Back in my days as a True BOFH for a mid-range electronics company, I was constantly amazed at the whacky stuff that would come winging into my company via email.  And no, I'm not talking about spam, chain-emails, or dozens of copies of Mrs. Field's cookie recipes? I'm talking about legitimate business communication that was sent in the stupidest possible format.

We had one supplier who sent out a bi-weekly commodity price level update as an Excel spreadsheet? a header row with a single data row, eight columns wide, 39k.  Eight frickin' numbers!  Another supplier sent in a letter detailing their holiday shutdown as a 675k+ Word file just to communicate two paragraphs of text.

The following is a rough transcript of a phone conversation that I had with the IT department for one of our customers:

Me: "We've suddenly started receiving Excel files from your company"
Them:  "Oh, yes.  Those are part of our new ERP system.  We're quite excited about it."
Me: "Really?  Well, have you taken a close look at the files you're sending out?"
Them: "What do you mean?"
Me: "I think that you're probably sending out a bit more information than you probably should."
Them: "Well, the ERP system generates and emails out the files for us."
Me: "Ok... I'm sure that's handy, but... you see? the Excel file that we received was 3.7 MB? and it only contained one visible line."
Them: "Yes.  That's the information for your company.  You need to fill in the forecast data and send it back."
Me: "But did anyone there ever wonder why it takes 3.7 MB for one line of data?"
Them: "What do you mean?"
Me: "Well? while there is only one VISIBLE line, all of the data for all of your other vendors is still in the file.  Part numbers, prices, contact information? everything."
Them: "No, that's impossible.  The ERP system generates those files."

Their buyer often wondered how we were able to send him proposals barely undercutting our competition on several other parts.  I would have explained it to him, but? well? how it happened was "impossible".

The point?

Business on the whole has gotten sloppy about how we choose to transport data.  We've become so enamored with logos and company letterhead, ERP systems and dancing gerbils in our emails that we've forgotten that networks are about communicating, not about glitz.  If I see one more Excel spreadsheet used to transport photos and text, I'll scream.

There's a reason that the email system was designed to transport text? email is about TEXT.  Granted, there are times that you need to send binary stuff, but on the whole, that should be the exception, rather than the rule? and we certainly shouldn't be going out of our way to make up whole new ways of formatting the data we transport just so we can shove our company logo out on every message we generate.

Binary formatted data carries with it the possibility that a flaw in the associated application can be used as an avenue for compromise.  Using formatted files for the likes of Word, Excel, Powerpoint, etc... when they aren't necessary, increases our vulnerability to attack.  Educating users to be cautious about the dangers of "0-day" Word flaws is far more difficult when every other email you get contains a Word document.  Additionally, binary formatted data often carries with it far more "other" information than you might think... deleted sections, comments, user information, etc...

Start the New Year off right: take a look around your organization and see if your users are doing stupid stuff.  In a time when we should all be looking closely at any Word documents that we get, how many of the .DOC files that your company sends or receives could simply be communicated as text? 

I strongly believe that 2006 will be seen as a turning point in security: the year when application-based, live-data attacks began to flourish.  Get ahead of the game and take a cold, hard look at the avenues for data-borne attacks against your organization.  Wean your users from un-necessary reliance on formatted data when plain-old text will do.

Remember: when Moses came down off the mountain, it was with text chiseled into stone; not DHTML, JavaScript, and animated GIFs. 

If text is good enough for God, then it's good enough for you.  ;-)



Tom Liston - Intelguardians
Handler on Duty
Keywords:
0 comment(s)

Skype 'worm' whinnies...

Published: 2006-12-19
Last Updated: 2006-12-19 17:47:10 UTC
by Tom Liston (Version: 1)
0 comment(s)
It appears that the possible Skype "worm" that we reported on yesterday is actually more of a Trojan Horse.  It does not appear to exploit Skype in any way, it works in accordance with the Skype API, and requires end user confirmation (i.e. "click here to run a cool program" kinda thing...). More info from the fine folks at Websense here.
Keywords:
0 comment(s)
Diary Archives