January 2008 - Posts


Storm Worm coming to an end?

Published: 2008-01-31,
Last Updated: 2008-01-31 22:11:36 UTC
by Joel Esler (Version: 1)

According to this article over at internetnews.com, apparently American and Russian law enforcement know who created the Storm Worm. The Storm Worm has plagued our email spam boxes for at least the past 3 or 4 holidays (US) and continues to be a nuisance because of its mutational ability. Hopefully it's a short matter of time before this goes away.

(Of course only to be reborn in another form.)

We'll see.  In the meantime, take a look at the above article.

Joel Esler

http://www.joelesler.net

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc


Spyware - A Morphing Campaign

Wednesday January 30, 2008 at 4:25 pm CST
Posted by Anna Stepanov


Here we are today - several years after Spyware's nasty head poked through the security landscape in full force - asking ourselves: What, if anything, has changed? Has the proliferation of the various types of PUPs (potentially unwanted programs) slowed down? Has the nastiness of spyware and its relatives diminished? I say that the landscape has simply changed. The gray areas have gotten grayer, and at the same time the divide between the good and bad has broadened. The adware vendors have cleaned up just enough to appear truly benign, whereas the number of rootkits has flourished. There are many ways to sidestep legitimate detection, and the PUP vendors are becoming more and more deft at this in a number of different areas. If you'd like to explore more on this topic, please see our recently released whitepaper discussing the morphing campaign of Spyware…

Source: Computer Security Research - McAfee Avert Labs Blog

Well, this explains why I can't get to the Net on my Blackjack...

AT&T Wireless Data Outage

Published: 2008-01-31,
Last Updated: 2008-01-31 20:21:05 UTC
by Joel Esler (Version: 2)

Thanks to all of you who have written in. We have seen the articles that say that AT&T is having a wireless data outage.

We have heard from multiple sources on the issue, and it seems to be limited to only certain regions of the US.  (Central and South East primarily).  I am currently in the NE section of the country, writing this entry on my AT&T 3G Wireless card.  So I know it's working here (plus my iPhone and my wife's Blackberry work fine too).

We have also heard that this problem has been resolved.  So everything should be back (if not already) to normal soon.

Thank you for writing in all of you.

Joel Esler

http://www.joelesler.net

UPDATE:  According to Gizmodo -- AT&T's network is "sporadic" in the Midwest and South East.  This will probably be the last update to this article, as it seems to be clearing up.  Apparently 6 points between the wireless network and the wired network "rolled over"  (I think that's wireless speak for "died".)

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc


Cisco Wireless Control System Apache Tomcat JK Web Server Connector Buffer Overflow

Secunia Advisory:
SA28711

Release Date:
2008-01-31

Critical:
Moderately critical

Impact:
System access

Where:
From local network

Solution Status:
Vendor Patch

Software:
Cisco Wireless Control System (WCS)

CVE reference:
CVE-2007-0774 (Secunia mirror)

Description:
Cisco has acknowledged a vulnerability in Cisco Wireless Control System (WCS), which can be exploited by malicious people to compromise a vulnerable system.

For more information:
SA24398

The vulnerability affects versions 3.x and 4.0.x prior to 4.0.100.0, and 4.1.x and 4.2.x prior to version 4.2.62.0.

Solution:
Update to the latest versions.

WCS for Linux and Windows 4.0.x and earlier:
Update to version 4.0.100.0.

WCS for Linux and Windows 4.1.91.0 and earlier:
Update to version 4.2.62.0.

Original Advisory:
Cisco (100361):
http://www.cisco.com/warp/public/707/cisco-sa-20080130-wcs.shtml

Source: Cisco Wireless Control System Apache Tomcat JK Web Server Connector Buffer Overflow - Advisories - Secunia


From Myth to Reality: Evaluating the State of IT Risk Management

Today Symantec launched Volume II of the IT Risk Management Report, entitled “IT Risk Management – From Myth to Reality.” It analyzes the results of interviews with more than 400 IT executives and professionals from around the world during 2007. As the title implies, the report takes a look at the truth behind four common myths around IT Risk Management.

Myth One: IT Risk = Security Risk

The report clearly demonstrates that people really don’t believe this myth any more. In fact, most (78 percent) of those participating in the survey thought that availability was the most important aspect of IT risk. While more than half of the participants rated every risk element serious or business-critical, only 15 percentage points separated the highest and lowest elements.

Myth Two: IT Risk Management is a Project

Well, anyone who believes this myth is making a big mistake because risk assessment and management needs to match the pace of incidents. The great majority of survey participants (69 percent) expected about one IT incident a month and more than a quarter (26 percent) expected a regulatory non-compliance incident every year. It’s therefore pretty clear that IT risk management must be an ongoing process.

Myth Three: Technology Alone Mitigates IT Risk

In fact, the report shows that those organizations that manage their risk the best (and have the fewest incidents) are those that balance technology with people and process controls. Unfortunately, training and awareness, which are really critical people and process controls, were the least effectively implemented at 43 percent, compared to 49 percent in Volume I. And, if we’re going to mitigate IT risks effectively we’ve got to develop a culture of risk awareness.

Myth Four: IT Risk Management is a Science

The report shows that in reality we are dealing with a developing business discipline—one that is based on the accumulating experience and good practice of those engaged in it rather than an exact science.

Some additional highlights of the report include:

• There is a serious disconnect between organizations that expect a major issue resulting from laptops and mobile devices and their plans to manage the risks stemming from such mobile devices.
• The fact that 63 percent of participants thought that data leakage posed a serious risk, but only 40 percent were actively managing their assets (the first critical step to preventing data leakage).
• It isn’t all doom and gloom. Some things seem to be getting better, such as secure system building and application development. This is perhaps indicating that people are beginning to concentrate on the fundamentals.

So, if you’re interested in the reality of IT risk management, you’ve got to read the report and find out the truth behind the stories of snake-oil and magic bullets! Check back on this blog in the next couple of weeks as I will be posting in more detail about the individual myths debunked by the report.

Posted by Jeremy Ward on January 30, 2008 07:00 AM

Source: Symantec Security Response Weblog: From Myth to Reality: Evaluating the State of IT Risk Management


WordPress WassUp Plugin "to_date" SQL Injection Vulnerability

Secunia Advisory:
SA28702

Release Date:
2008-01-31

Critical:
Moderately critical

Impact:
Manipulation of data
Exposure of sensitive information

Where:
From remote

Solution Status:
Vendor Patch

Software:
WassUp 1.x (plugin for WordPress)

Description:
enter_the_dragon has reported a vulnerability in the WassUp plugin for WordPress, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "to_date" parameter in spy.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieving usernames and password hashes for users and administrators, but requires knowledge of the database table prefix.

The vulnerability is reported in version 1.4 to 1.4.3. Other versions may also be affected.

Solution:
Update to version 1.4.3a.
http://wordpress.org/extend/plugins/wassup/

Provided and/or discovered by:
enter_the_dragon

Original Advisory:
WassUp:
http://www.wpwp.org/archives/warning-security-bug-in-version/

milw0rm:
http://milw0rm.com/exploits/5017

Source: WordPress WassUp Plugin "to_date" SQL Injection Vulnerability - Advisories - Secunia


MySpace Uploader Control ActiveX Control "Action" Property Buffer Overflow

Secunia Advisory:
SA28715

Release Date:
2008-01-31

Critical:
Highly critical

Impact:
System access

Where:
From remote

Solution Status:
Unpatched

Software:
MySpace Uploader Control 1.x

Description:
Elazar Broad has discovered a vulnerability in MySpace Uploader Control, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the MySpace.Uploader.4.1 ActiveX control (MySpaceUploader.ocx) when handling strings assigned to the "Action" property. This can be exploited to cause a stack-based buffer overflow by assigning an overly long (greater than 260 characters) string to the affected property.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in MySpaceUploader.ocx version 1.0.0.5 and reported in version 1.0.0.4. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
Elazar Broad

Original Advisory:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059980.html

Source: MySpace Uploader Control ActiveX Control "Action" Property Buffer Overflow - Advisories - Secunia


PatchLink Update Client for Unix Insecure Temporary Files

Secunia Advisory:
SA28665

Release Date:
2008-01-30

Critical:
Less critical

Impact:
Manipulation of data
Privilege escalation

Where:
Local system

Solution Status:
Unpatched

Software:
PatchLink Update 6.x

Description:
Larry W. Cashdollar has reported two security issues in the PatchLink Update client for Unix, which can be exploited by malicious, local users to truncate arbitrary files and to gain escalated privileges.

1) The "logtrimmer" utility uses the "/tmp/patchlink.tmp" temporary file in an insecure manner, which can be exploited to truncate arbitrary files via symlink attacks.

2) The "rebootTask" script uses the "/tmp/plshutdown" temporary file in an insecure manner, which can be exploited via symlink attacks in combination with a race condition to execute arbitrary commands with root privileges.

Solution:
Restrict local access to trusted users only.

Provided and/or discovered by:
Larry W. Cashdollar

Original Advisory:
http://seclists.org/bugtraq/2008/Jan/0376.html

Source: PatchLink Update Client for Unix Insecure Temporary Files - Advisories - Secunia
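The two issues above share one root cause: a fixed, predictable path under /tmp that is opened without checking what is already there. The following is an added example (not PatchLink's code) that contrasts that pattern with two safe alternatives; it runs entirely inside a constructed scratch directory, and the file names are placeholders.

```python
import os
import tempfile


def open_temp_unsafely(path):
    """The pattern the advisory describes: a fixed path opened for writing.
    If a symlink was placed at `path` beforehand, open() follows it and
    truncates whatever the link points at."""
    return open(path, "w")


def open_temp_safely(path):
    """Hardened form for a fixed path: O_EXCL fails if anything already exists
    there (including a symlink), O_NOFOLLOW refuses to follow symlinks at all."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    return os.fdopen(fd, "w")


def make_private_tempfile(directory=None):
    """Preferred fix: let the OS choose an unpredictable name in one atomic step."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="patchlink.")
    return os.fdopen(fd, "w"), path


def demo():
    """Returns (victim_content_after_unsafe_open, safe_open_refused)."""
    scratch = tempfile.mkdtemp()  # constructed stand-in for /tmp
    victim = os.path.join(scratch, "important.log")
    with open(victim, "w") as f:
        f.write("keep me\n")
    # Precondition described in the advisory: a symlink already sits at the fixed name.
    fixed = os.path.join(scratch, "patchlink.tmp")
    os.symlink(victim, fixed)

    with open_temp_unsafely(fixed):
        pass  # follows the link: the victim file is now empty
    truncated = open(victim).read()

    try:
        open_temp_safely(fixed)
        refused = False
    except OSError:  # EEXIST or ELOOP: the pre-existing symlink is detected, nothing written
        refused = True
    return truncated, refused


if __name__ == "__main__":
    print(demo())  # ('', True)
```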


WordPress AdServe Plugin "id" SQL Injection

Secunia Advisory:
SA28708

Release Date:
2008-01-30

Critical:
Moderately critical

Impact:
Manipulation of data
Exposure of sensitive information

Where:
From remote

Solution Status:
Unpatched

Software:
AdServe 0.x (plugin for WordPress)

Description:
enter_the_dragon has discovered a vulnerability in the AdServe plugin for WordPress, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "id" parameter in adclick.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieving usernames and password hashes for users and administrators, but requires knowledge of the database table prefix.

The vulnerability is confirmed in version 0.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
enter_the_dragon

Original Advisory:
http://milw0rm.com/exploits/5013

Source: WordPress AdServe Plugin "id" SQL Injection - Advisories - Secunia
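Both WordPress advisories above (WassUp's "to_date" in spy.php and AdServe's "id" in adclick.php) describe the same defect: a request parameter spliced into query text. The following is an added example, not the plugins' code, using an in-memory SQLite table with a constructed "wp_" prefix to stand in for the WordPress database; it shows the flawed lookup beside a parameterised one and a small check that tells the two apart.

```python
import sqlite3

TABLE_PREFIX = "wp_"  # constructed; in WordPress this is the site's $table_prefix


def setup_db():
    """Constructed in-memory stand-in for the plugin's WordPress table."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE_PREFIX}adserve_ads (id INTEGER PRIMARY KEY, url TEXT)")
    db.execute(f"INSERT INTO {TABLE_PREFIX}adserve_ads VALUES (1, 'http://example.com/a')")
    db.execute(f"INSERT INTO {TABLE_PREFIX}adserve_ads VALUES (2, 'http://example.com/b')")
    return db


def lookup_ad_vulnerable(db, ad_id):
    """The flaw the advisories describe: the request value becomes part of the SQL text,
    so any quote or operator inside it is parsed as SQL."""
    sql = f"SELECT url FROM {TABLE_PREFIX}adserve_ads WHERE id = {ad_id}"
    return db.execute(sql).fetchall()


def lookup_ad_fixed(db, ad_id):
    """Hardened form: enforce the type the parameter must have, then bind it as a
    query parameter. Only the trusted prefix is interpolated, never request data."""
    if not str(ad_id).isdigit():
        return []  # an "id" that is not an integer is rejected outright
    sql = f"SELECT url FROM {TABLE_PREFIX}adserve_ads WHERE id = ?"
    return db.execute(sql, (int(ad_id),)).fetchall()


def reaches_sql_parser(lookup, db, value):
    """Review aid: if a value with a stray quote produces a SQL syntax error, the
    parameter is being interpreted as SQL rather than as data."""
    try:
        lookup(db, value)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    print(lookup_ad_fixed(db, "1"))                          # [('http://example.com/a',)]
    print(reaches_sql_parser(lookup_ad_vulnerable, db, "2'"))  # True
    print(reaches_sql_parser(lookup_ad_fixed, db, "2'"))       # False
```

The same treatment applies to WassUp's "to_date": validate it as a date, then bind it with a placeholder instead of concatenating it.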


Storm Worm Directing Users to Medical Spam Web Sites

added January 30, 2008 at 03:20 pm | updated January 31, 2008 at 09:01 am

US-CERT is aware of a variant of the Storm Worm that sends unsolicited email messages to users and attempts to evade spam filtering. When a user receives this email message, it will contain a link in the format of:

    http://<IP Address>/<random directory name>

The link directs the user to a website containing spam about medical information.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

Source: US-CERT Current Activity
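The link shape US-CERT describes (plain http, a bare IP address instead of a hostname, and a single random directory) is easy to check for in a mail filter. The following is an added example, not US-CERT's, that flags links of that shape in a message body; the sample message and its addresses are constructed placeholders, not real indicators.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Any http(s) URL embedded in a line of message text.
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# Exactly one path component made of the characters a random directory name would use.
SINGLE_DIR_RE = re.compile(r"^/[A-Za-z0-9_-]{1,64}/?$")


def is_storm_style_link(url):
    """True if the link matches http://<IP Address>/<random directory name>:
    plain http, a literal IPv4 host, and a single path component with no query."""
    parsed = urlparse(url)
    if parsed.scheme != "http" or not parsed.hostname:
        return False
    try:
        ipaddress.IPv4Address(parsed.hostname)
    except ValueError:
        return False  # a hostname, not a literal IP address
    if parsed.query or parsed.fragment:
        return False
    return bool(SINGLE_DIR_RE.match(parsed.path))


def flag_suspicious_links(message_lines):
    """Return every link in the message body that matches the pattern."""
    hits = []
    for line in message_lines:
        for url in URL_RE.findall(line):
            if is_storm_style_link(url):
                hits.append(url)
    return hits


# Constructed sample message; addresses and paths are placeholders.
SAMPLE_MESSAGE = [
    "Subject: your order is ready",
    "Details: http://192.0.2.10/qwe7x/",
    "Unsubscribe at http://www.example.com/unsubscribe?id=42",
    "Mirror: http://198.51.100.77/hh3k",
]

if __name__ == "__main__":
    for url in flag_suspicious_links(SAMPLE_MESSAGE):
        print("suspicious:", url)
```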


BitTorrent Web UI HTTP Request "Range" Header Processing Denial of Service

Secunia Advisory:
SA28695

Release Date:
2008-01-29

Critical:
Less critical

Impact:
DoS

Where:
From remote

Solution Status:
Unpatched

Software:
BitTorrent 6.x

Description:
Luigi Auriemma has discovered a vulnerability in BitTorrent, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to the use of vulnerable uTorrent code.

For more information:
SA28686

The vulnerability is confirmed in version 6.0.1 (build 7859) for Windows. Other versions may also be affected.

Solution:
Restrict network access to the Web UI interface.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/ruttorrent2-adv.txt

Other References:
SA28686:
http://secunia.com/advisories/28686/

Source: BitTorrent Web UI HTTP Request "Range" Header Processing Denial of Service - Advisories - Secunia


uTorrent Web UI HTTP Request "Range" Header Processing Denial of Service

Secunia Advisory:
SA28686

Release Date:
2008-01-29

Critical:
Less critical

Impact:
DoS

Where:
From remote

Solution Status:
Vendor Patch

Software:
uTorrent 1.x

Description:
Luigi Auriemma has discovered a vulnerability in uTorrent, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the handling of HTTP requests and can be exploited to cause the application to crash by sending multiple HTTP requests with an overly-long "Range" header string.

Successful exploitation requires that the Web UI interface is enabled (not default).

The vulnerability is confirmed in version 1.7.6 (build 7859) on Windows. Other versions may also be affected.

Solution:
Update to version 1.7.7 (build 8179).
http://download.utorrent.com/1.7.7/utorrent.exe

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/ruttorrent2-adv.txt

Source: uTorrent Web UI HTTP Request "Range" Header Processing Denial of Service - Advisories - Secunia


Coppermine Photo Gallery 'showdoc.php' Multiple Cross-Site Scripting Vulnerabilities

Bugtraq ID: 27511
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Jan 29 2008 12:00AM
Updated: Jan 30 2008 05:07PM
Credit: Janek Vind is credited with discovering these issues.
Vulnerable: Coppermine Photo Gallery 1.4.14
Coppermine Photo Gallery 1.4.13
Coppermine Photo Gallery 1.4.12
Coppermine Photo Gallery 1.4.11
Coppermine Photo Gallery 1.4.10
Not Vulnerable: Coppermine Photo Gallery 1.4.15

Source: Coppermine Photo Gallery 'showdoc.php' Multiple Cross-Site Scripting Vulnerabilities


WordPress WassUp Plugin 'spy.php' SQL Injection Vulnerability

Bugtraq ID: 27525
Class: Input Validation Error
CVE:
Remote: Yes
Local: No
Published: Jan 30 2008 12:00AM
Updated: Jan 31 2008 03:27AM
Credit: enter_the_dragon discovered this vulnerability.
Vulnerable: WordPress WassUp Plugin 1.4.3

Not Vulnerable: WordPress WassUp Plugin 1.4.3a

Source: WordPress WassUp Plugin 'spy.php' SQL Injection Vulnerability


Status update for Chrome Protocol Directory Traversal issue
29 January 2008

Background on this issue is available here.

Impact

An attacker can use this vulnerability to collect session information, including session cookies and session history.  Firefox is not vulnerable by default.  Only users that have installed “flat” packed add-ons are at risk.  Discussion about “flat” packaged add-ons is here.  A partial list of “flat” packed add-ons is available here.  If you are an author of any of these add-ons, please release an update to your add-on that uses .jar packaging.

This bug is tracking the additional information:

https://bugzilla.mozilla.org/show_bug.cgi?id=413451

Status

Based on this new information, Mozilla has changed the security severity rating to high. A fix is included in Firefox 2.0.0.12, which will be available shortly.

Source: Mozilla Security Blog » Blog Archives » Status update for Chrome Protocol Directory Traversal issue
