Before It Bytes!

Vulnerability Roundup

The number of vulnerabilities this week isn’t as large as last week, but the impact is certainly much larger.  Leading off is the vulnerability used to break into Google’s internal systems, as well as those at more than 30 other Fortune 500 companies.  Also included is a link from SANS on what appears to be a working exploit which bypasses DEP in Internet Explorer 8.  It now appears that Microsoft will be releasing an out-of-band patch for this one.  Second, also from an ISC post, is a new escalation of privilege vulnerability in Windows which abuses the support for 16-bit applications.  Apple released their first security update of the new year, and a new version of MIT’s Kerberos is available to fix an integer underflow vulnerability.  The last two are a little more physical: one is a flaw in the ZigBee stack used in many smart grid applications, and the other is a great post from Krebs On Security on ATM skimmers.

Blog post by:  David Shpritz

Vulnerability Roundup

Here are some of the more interesting vulnerabilities or patches from this week. As this is our first roundup, some of these are a little older than a week, but noteworthy nonetheless. This week we have a light Patch Tuesday from Microsoft, but Adobe picks up the slack with patches for a server product, Acrobat and Reader. Network equipment also makes an appearance at both the enterprise and consumer level, with what appears to be a simple DoS for Juniper products and an authentication bypass for D-Link routers. To round things out there are PowerDNS and VMware, and news from the Android camp, reminding us that as consumers move to new places, attackers will follow.

Another interesting story, also from the Android family, is about a piece of malware which made its way into the Android Marketplace, specifically a fake mobile banking application which was designed to harvest login credentials.  More coverage can be found at SANS.

Blog post by:  David Shpritz

WASC Threat Classification v2.0 released
On the first of the year the Web Application Security Consortium (WASC) released the second version of its Threat Classification Project.  While the WASC is not as well known as OWASP, it has a lot to contribute to the web application security space.

This particular project is a compendium of threats to web application security, separated into attacks and the weaknesses those attacks take advantage of.  Each attack or weakness is described and followed by examples of attack scenarios, including code samples (C, C++, C#, PHP, and SQL) as well as a large number of references to other examples, explanations or news stories about the particular threat.

The document is an easy read (available in PDF or in a wiki-style format) and contains a lot of information and reference material.  The explanations for each threat are clear and concise and provide a great introduction to web application security for both security professionals and application developers.

Additionally, the project offers different views of the data, a nice one being the “Development Phase View” which shows where in a development life-cycle (design, implementation or deployment) the vulnerability may be introduced.

Overall the document is very well done, with a lot of clear explanations and examples, and a lot of links to references where more information can be found.  Mitigation of the threats is not discussed in most instances, but according to the project’s FAQ it is currently up for discussion.  Still, this is really required reading for web developers, auditors or security professionals dealing with web applications.

Jeremiah Grossman from WhiteHat Security (and also the project lead for version 1 of the Threat Classification) has also posted a nice chart with mappings from the WASC Threat Classification to the OWASP Top Ten 2010 RC1.

Blog post by:  Dave Shpritz