SecuraBit

Before It Bytes!

Adobe and Google may team up for Flash

ZDNet has a post about a rumor that Google and Adobe may team up, speculating that this could include bundling Flash with Chrome, both the OS and the browser.  We’ve had a lot of posts on Flash vulnerabilities on SecuraBit (they make a regular appearance in the Vulnerability Roundups), so the first thing that comes to mind is that this could mean even more vulnerable systems for attackers to exploit.

On the other side, as has been mentioned on Twitter by @jack_daniel, @quine and @egyp7, there could be some upside.  This could mean that the folks at Google get to look through the source code for Flash, perhaps tightening it up, or that the sandboxing in Chrome sees some improvement to compensate for weaknesses in Flash.  While the first case would certainly be nice, any improvement to Flash security seems like a win.  Now maybe if we can get them to team up on Reader…

Windows 7 “XP Mode” Vulnerability

This past Thursday (3/18/10) Microsoft announced that it will be dropping the hardware acceleration requirement for using the “XP Mode” feature on Windows 7.  XP Mode allows a user to run software which is not Windows 7 compatible in a virtualized instance of Windows XP on the same box.  Previously, to use this feature in Windows 7 you also had to have hardware virtualization acceleration, such as Intel VT or AMD-V.  However, with this update anyone with Windows 7 (Professional, Enterprise, or Ultimate editions) can now use it.  It’s nice to see Microsoft making some concessions for those users that have been unable to migrate to its newest platform, and perhaps provide them some encouragement.  But there’s a catch.

That catch comes in the form of an announcement from Core Technologies of a vulnerability in Microsoft’s Virtual PC which allows an attacker to bypass some of the security safeguards which would normally be in place if the system were running on bare metal rather than as a guest OS, including some of the protections built into Windows 7 such as DEP, ASLR and SafeSEH.  This means that older vulnerabilities which were not considered exploitable, because other protections were in place, have been given a new lease on life.

Microsoft’s response downplays the announcement.  Microsoft is not calling this a vulnerability, as it requires that there already be another vulnerability to exploit.  As such, they will not be releasing a patch for the flaw, but will instead be waiting until the next release or service pack for the Virtual PC product.

In response, Paul Cooke from Microsoft says, “An attacker can only exploit a vulnerable application running ‘inside’ the guest virtual machine on Windows XP, rather than Windows 7!”  The exclamation mark at the end of this sentence was bothersome.  It seems that they are missing something.  Obviously there have been enough people up in arms about compatibility issues with Windows 7 that Microsoft felt the need to relax the restrictions on XP Mode to encourage migration to 7.  This also says that there are companies which have software doing very important things and that the software doesn’t like Windows 7, hence the need for XP Mode to be used more widely.  It’s all well and good that the host Windows 7 box is fine, as the excited Microsoft response above states, but if the important stuff is in the Virtual PC then who cares about the host OS?

More coverage is available at Threatpost

Vulnerability Roundup

Well, it isn’t Patch Tuesday yet, but that doesn’t mean there isn’t Microsoft news.  A new 0-day has been found which exploits the help system in IE and older versions of Windows (2000, XP, 2003).  I’ve included a few links with information about the vulnerability and mitigation steps.  It appears a patch for this (and other known vulnerabilities) will not be included in the Microsoft release on Tuesday, which will include two bulletins, one for Office and one for Windows, covering 8 vulnerabilities in total.

Cisco has also released three advisories for vulnerabilities in three of their products.  Patches are now available for the Unified Communications Manager, Digital Media Manager and the Digital Media Player Remote display.

An interesting hardware/software vulnerability has been released for OpenSSL which could allow an attacker to deduce at least parts of the private key.  The technique used to exploit this weakness doesn’t seem very practical for attacking a full size system, but could be practical against embedded devices.

A new release of the TYPO3 Core CMS system has been released to cover a few vulnerabilities (XSS, information disclosure).  Other Open Source projects, PHP and BIND have also been updated with security fixes.

The Zero Day Initiative also has some upcoming advisories for Apple’s Safari browser, which may mean updates from Apple.  The ZDI has rated these as “High” severity.

Last, but never least, VMware has released an advisory for some of their products, which includes another large list of CVEs covered.  These updates include a long list of third party updates for packages in ESX.

Open Source Android Forensics

With more and more people using mobile devices, there’s a growing need to examine these devices forensically.  While there are commercial tools available, it only makes sense that there should be open source tools to use for it as well.

To that end Andrew Hoog of viaForensics has announced the first release of their Android Forensics application. Better yet, the application has been released under the GPL, so other developers will be free to tinker with the source, and hopefully expand the app’s capabilities.

The app is an APK file (currently unsigned, so untrusted sources would need to be allowed on the device in order to use it) which can be loaded onto the device using the Android SDK.  Once loaded it can compile information from various sources on the device, including:

  • Browser history
  • Call logs
  • Contacts (including the different contact methods and other contact data)
  • SMS messages

The information is compiled into CSV files which can then be downloaded onto a workstation for review.  From the announcement it appears there are high hopes that more information can be gathered from the device, but this is certainly a start.

Announcement at the SANS Digital Forensics Blog

Google Code Project Page

viaForensics Blog

Vulnerability Roundup

Another week, another Adobe security problem, this time in Adobe’s Download Manager.  The Adobe Download Manager (DLM) is used to download updates from Adobe’s site, but Aviv Raff discovered a vulnerability which would force the Download Manager to download a file of an attacker’s choosing.  DLM is supposed to remove itself from a system after a reboot, but as Aviv points out this is still a dangerous problem.  In what may be the quickest turnaround I can remember, Adobe has released a patch and an advisory.

Mozilla released Firefox 3.5.8 and 3.0.18, which fix multiple vulnerabilities, but the same day Intevydis dropped a 0-day for Firefox 3.6 in the VulnDisco add-on for Immunity’s Canvas.  There seems to be some debate on the validity of the exploit, so keep that in mind.  It does not appear that Mozilla has officially responded to this yet or provided a patch.

Cisco has released a trio of advisories for Firewall Services Modules, ASA 5500 appliances and the Cisco Security Agent.  The FWSM advisory is for a DoS when Skinny Client Control Protocol inspection is enabled.  The ASA and Security Agent advisories both list multiple vulnerabilities, including SQLi, DoS, and authentication bypass.

Updates are also available for OpenOffice and Google’s Picasa to close file handling bugs, among other vulnerabilities.

In other vulnerability news, 2X Software, who sell thin client/server/terminal software, appear to have become accidental security researchers, as they claim to have found a vulnerability in Windows (according to them, Windows 2000 and up) which can be exploited for a DoS.  There is controversy around this: other security researchers (non-accidental ones) argue that the same can be done without an exploit and that the announcement is a publicity stunt, and Microsoft appears to have this listed more as a bug than a feature, er, vulnerability.  I’ve provided a few links so you can decide for yourself.

Vulnerability Roundup

While they were absent from last week’s roundup, Adobe has returned with advisories in 3 of their products, not surprisingly Flash and Reader, and also BlazeDS which is included in some of their server offerings.  The Flash and Reader vulnerabilities share a CVE (CVE-2010-0186) which can allow an attacker to subvert domain sandboxing.  The Reader update is also out-of-band for Adobe, and addresses a vulnerability which would allow an attacker to execute code in the context of Reader.  Interestingly enough, the second vulnerability is credited to a Microsoft researcher.

Cisco has also posted updates, this set for their IronPort Appliances.  It looks like there are some serious vulnerabilities covered here, including accessing files on the appliance, as well as executing malicious code.

In the world of hardware hacking a researcher named Christopher Tarnovsky has managed to extract the encryption keys from the Trusted Computing Module.  There’s a lot of different chemicals, hardware and a Focused Ion Beam microscope involved.  Very impressive.

Google has released a new version of Chrome which fixes a large number of security issues, including one which earned some cash from the new Chrome bug bounty.  Of course there has been a lot of talk about privacy (or the lack thereof) in Google’s new Buzz service, but RSnake posted what appears to be a vulnerability in the service.

In an update to last week’s vuln roundup, some people have been having problems with update MS010-15, causing some XP machines to BSoD. Turns out, those with the BSoD may also have another problem; a rootkit.  In other Microsoft matters, I’ve included an article on using Windows Communication Foundation services to perform a remote portscan, but which may also lead to other types of attacks against internal hosts.

Closing things out, TippingPoint’s Zero Day Initiative has announced the 2010 version of its Pwn2Own contest at the CanSecWest conference.  The targets of choice for this year are Web Browsers and Smart Phones.  I’m sure you’ll be reading about the outcome, or the patches from the outcome, after March 24th.

Vulnerability Roundup

So last month’s Patch Tuesday was pretty quiet on the Microsoft front.  Not so lucky this month with a total of 13 bulletins, 5 critical, 7 important.  And one for MS Paint.  That’s right, Paint.  Looks like I’ll have to put down the little spray paint tool for a bit. The others include patches for Office (2 of them), SMB (2 more), an update of ActiveX killbits, IPv6 stack vulnerabilities, Hyper-V, ShellExecute, Client/Server Run-time, Kerberos and the Windows Kernel.

Oracle has also released an out-of-band patch this week for a problem with their WebLogic Node Manager.  Also in the Oracle world, David Litchfield demonstrated a 0-day against Oracle’s 11g database server.  It doesn’t appear there is a patch available yet, so check the links for mitigation info.

Samba also has a post regarding a zero day attack for a directory traversal issue via symlinks.  I’ve included both a post on the vulnerability and a link to a post by the Samba developers.  On one hand, yes, it does look like a configuration error by an admin.  At the same time, it is the default configuration.  I’ll leave it to you to decide.  Besides, it never hurts to double check those smb.conf files.
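As an added example (not code from the post or from the Samba project), the following Python reads an smb.conf and lists the shares on which a symlink can resolve to a path outside the share.  It assumes the built-in defaults of the Samba releases current at the time, wide links = yes and unix extensions = yes, which is my assumption about the default configuration the post refers to; the sample configuration is constructed.

```python
import re

# Constructed sample smb.conf, not taken from the post: [global] leaves
# "wide links" unset, so shares inherit the built-in default.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   unix extensions = yes
; a comment line

[public]
   path = /srv/samba/public
   read only = no

[locked]
   path = /srv/samba/locked
   wide links = no
"""

def parse_smb_conf(text):
    """Return {section: {option: value}}; names and values lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":        # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = val.strip().lower()
    return sections

def effective(sections, share, option, default):
    """Share setting overrides [global], which overrides the built-in default."""
    return sections[share].get(option, sections.get("global", {}).get(option, default))

def symlink_exposed_shares(text):
    """Shares on which a symlink can point outside the share path.
    Assumption: built-in defaults are wide links = yes and unix extensions = yes,
    as shipped by the Samba releases current when the post was written."""
    sections = parse_smb_conf(text)
    yes = ("yes", "true", "1")
    return [share for share in sections
            if share != "global"
            and effective(sections, share, "wide links", "yes") in yes
            and effective(sections, share, "unix extensions", "yes") in yes]
```

Setting wide links = no in [global] (or per share) is what makes a share drop out of the list.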

In an ongoing theme of malware in App Stores, or Market Places, or Galleries, it looks like two pieces of malware made it onto the Add-on site.  One is a password sniffer disguised as a video downloader, and the other contained a backdoor.

Additionally there are some updates available for LANDesk Management Gateway which fixed a problem which allows an attacker to run commands as root.

Adobe JavaScript Blacklisting

The JavaScript implementations in Adobe Reader and Acrobat have been a sore spot for Adobe (as well as administrators) for a while now.  To help make the world a safer place, Adobe has added a feature to Reader (versions 9.2 and 8.1.7) that allows administrators to blacklist certain functions in the JavaScript API.  Many times when 0-days are released for Reader, the recommendation for administrators is to disable JavaScript in Reader while a patch is readied.  The problem is that many organizations use PDF forms extensively, and disabling JavaScript can mean that these forms stop working, so disabling it may not be practical.  In addition, the wait for a patch may be long, as Adobe has switched to a quarterly update schedule and has cited this schedule in the past as a reason for delaying patches.

The new JavaScript Blacklist Framework for Reader and Acrobat uses some configuration settings (registry on Windows, Preferences on MacOS).  Instead of using one area for the settings, the Framework has two.  The first is for administrators, and it appears the second is for Adobe to use in conjunction with the new silent update feature they have rolled out in beta versions of Reader.  This means that the updates will not trample over administrator preferences.

Of course, there will always be cases where an organization knows of a vulnerability in a particular function of the JavaScript API which is also used by its business documents.  For those, Adobe has also added a way to add “trusted locations” (by URL or path), as well as certificate management, so that particular documents can be exempted from blacklisting.

There are some drawbacks, such as limitations to what can be blacklisted (not all JavaScript functions are eligible, and nothing from the 3D JavaScript API), and if a blacklisted function is called, all scripts in that document stop working, but it is a good start.

SourceFire’s VRT has a post on some of their testing with the framework, and they are nice enough to supply some suggestions for blacklisting candidates, as well as sample PDFs which can be used for testing.
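Since one blacklisted call stops every script in a document, an administrator will want to know which business forms call a blacklist candidate before deploying it.  As an added example that is not part of the original post or of Adobe’s framework, this Python pulls the JavaScript actions out of an uncompressed PDF and reports which blacklisted functions the document calls; the PDF fragment and the blacklist entries are constructed, and mapping this. to the DOC. prefix is my assumption about how document-object methods are named in blacklist entries.

```python
import re

# Constructed uncompressed PDF fragment (not from the post).  Real documents
# usually keep scripts inside compressed streams, which this does not inflate.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (this.getField\("total"\).value = util.printf\("%d", 42\);) >> endobj
3 0 obj << /S /JavaScript /JS (var p = this.media.newPlayer\(null\);) >> endobj
4 0 obj << /S /JavaScript /JS (app.alert\("hello"\);) >> endobj
%%EOF"""

# Blacklist candidates in "Object.method" form; these particular names are
# example choices of mine, not a list taken from the post.
BLACKLIST = {"util.printf", "DOC.media.newPlayer"}

# /JS (...) literal strings; escaped parentheses and backslashes stay inside
JS_LITERAL = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)", re.S)
# dotted identifiers immediately followed by a call
CALL = re.compile(r"\b([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+)\s*\(")

def extract_scripts(pdf_bytes):
    """Return the JavaScript literal strings (/JS (...)) found in a PDF."""
    scripts = []
    for m in JS_LITERAL.finditer(pdf_bytes):
        # undo the PDF string escapes for ( ) and backslash
        scripts.append(re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1"))
    return scripts

def called_api_functions(script):
    """Dotted calls in a script, with 'this.' mapped to the 'DOC.' prefix
    (assumption: document-object methods are blacklisted under DOC.)."""
    return {("DOC." + c[5:]) if c.startswith("this.") else c
            for c in CALL.findall(script)}

def blacklist_hits(pdf_bytes, blacklist=BLACKLIST):
    """Blacklisted functions a document calls.  Any non-empty result means
    the whole form stops working under that blacklist, because a single
    blacklisted call disables every script in the document."""
    hits = set()
    for script in extract_scripts(pdf_bytes):
        hits |= called_api_functions(script) & set(blacklist)
    return sorted(hits)
```

Running it over the VRT sample PDFs with a candidate list gives a quick picture of which candidates a given set of forms can tolerate.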

Adobe Reader and Acrobat JavaScript Blacklist Framework

Managing JavaScript Execution in the Acrobat Family of Products (PDF)

Enhanced Security and Trusted Locations (PDF)

Vulnerability Roundup

Another week, another Adobe advisory.  This time it’s not Reader but ColdFusion 9, which shipped with a service someone forgot to lock down to localhost, allowing an attacker to view system information as well as mess with search indexes.

Two advisories from Cisco as well this week, covering two different products and a few different vulnerabilities (XSS, SQLi, and escalation of privilege among them).  Updates are also available for the iPhone OS for iPhones and iPod Touch devices which resolve vulnerabilities in different aspects of the OS.  In many cases visiting or viewing malicious content could cause overflows, which may allow for code execution.  An update for VMware’s vCenter, with more than 50 CVEs covered, is also listed.

Some Open Source applications are also listed.  One of the interesting ones is the e107 CMS, which was found to have a backdoor that was later used to compromise the project’s site before they applied their own patch (more details on that here).

Vulnerability Roundup

Well, it looks like all the big boys are here.  Microsoft, Google, Adobe, Cisco, and ISC’s BIND all make this week’s roundup.  As mentioned in last week’s roundup, Microsoft released an out-of-band update for vulnerabilities related to the attacks on Google, Adobe and others.

Speaking of Google and Adobe, Chrome 4 Stable has been released, which includes numerous security fixes, and Adobe has released an update to Shockwave Player to resolve a buffer overflow and an integer overflow.  A Cisco advisory is also listed for a DoS problem in the SSH server on the IOS XR platform, and another for a vulnerability which could allow remote code execution.

Rounding out the roundup, ISC has released an update for BIND, the Tor project released an update due to a hack of some of their directory servers, RealNetworks released some updates, and I have also included a link concerning a briefing at the upcoming Black Hat DC conference on vulnerabilities in the Security Zones feature in IE.