InfoSec Podcast Episode 29 for December 16, 2009. Tonight we cover Vulnerabilities and News items of interest.
Vulnerabilities of Interest:
- Adobe Acrobat Reader is prone to a remote code-execution vulnerability. An attacker can exploit this issue by supplying a malicious PDF file. Successful exploits may allow the attacker to execute arbitrary code in the context of a user running the affected application. Failed attempts will likely result in denial-of-service conditions. This issue is currently being exploited in the wild in limited targeted attacks. A working commercial exploit is available through VUPEN Security – Exploit and PoCs Service. Exploit code is available in the wild.
- Merkaartor creates temporary files in an insecure manner. An attacker with local access could potentially exploit this issue to perform symbolic-link attacks to overwrite arbitrary attacker-specified files. The issue affects Merkaartor 0.14; other versions may also be vulnerable. An attacker uses readily available commands to exploit the issue.
- Monkey HTTP Daemon is prone to a denial-of-service vulnerability. Remote attackers can exploit this issue to cause the application to crash, denying service to legitimate users. Versions prior to Monkey HTTP Daemon 0.9.3 are vulnerable. Exploit code is available in the wild.
- Invision Power Board is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Invision Power Board 2.0 through 3.0.4 are vulnerable. Other versions may also be affected. Attackers can exploit this issue by enticing an unsuspecting victim to view a malicious text file. Exploit code is available in the wild.
News Items of Interest:
News item 1: http://kb2.adobe.com/cps/532/cpsid_53237.html
Adobe has issued an update to the advisory. The recommendation is that home users disable JavaScript if they are sure they don’t need it, using Adobe’s instructions:
1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences.
3. Select the JavaScript category.
4. Uncheck the ‘Enable Acrobat JavaScript’ option.
5. Click OK.
Enterprise administrators should use the Blacklist Framework, which provides more granular control over the execution of specific JavaScript API calls. The purpose of the Framework is to allow Adobe to protect customers against attacks that target a specific JavaScript API call. The documentation on the Framework can be found at http://kb2.adobe.com/cps/504/cpsid_50431.html. It includes detailed instructions for using the JavaScript Blacklist Framework and for determining the best approach for a given Windows environment. The required keys can be found at http://download.macromedia.com/pub/acrobat/updates/APSA09-07_E_Reg_Keys.zip.
If you are interested in a sample PDF, it can be found at Offensive Computing: http://www.offensivecomputing.net/?q=ocsearch&ocq=ca1c1adab23e5baeeb3b49e0809e4ad4
News item 2: http://socialmediasecurity.com/videos/tutorials/ <Rick>
Tom Eston from SocialMediaSecurity has created a video walking you through the new Facebook privacy settings. It also covers notifications, Facebook Ads and hiding your Friends list from public searches. Be sure to check it out at SocialMediaSecurity.com.
News item 3: http://www.projecthoneypot.org/1_billionth_spam_message_stats.php <Rick>
Project Honey Pot achieved a milestone: receiving its 1 billionth spam message. The billionth message was a US IRS phishing scam sent to an email address that had been harvested more than two years ago. The spam email was sent by a bot running on a compromised machine in India (122.167.68.1). The spamtrap address to which the message was sent was originally harvested on November 4, 2007 by a particularly nasty harvester (74.53.249.34) that is responsible for 53,022,293 other spam messages received by Project Honey Pot.
News item 4: http://research.zscaler.com/2009/12/xss-embedded-iframes.html
Attackers are apparently exploiting XSS vulnerabilities at appleinsider.com, lawyer.com, news.com.au and dozens of other sites to serve up rogue anti-virus. The XSS flaws are being used to hide malware links inside the URLs of trusted sites: the injected payload embeds an iframe that redirects visitors, as in this sample (percent-encoded so the markup is not obvious in the URL):
SAMPLE: hxxp://lawyers.com/find_a_lawyer/content_search/results.php?sCHRISTINA%AGUILERA%20ANOREXIC%20PICS%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F%61%73%6B%35%2E%65%75%3E
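As an added example (not from the show notes or from Zscaler's post), here is a small access-log scanner that percent-decodes request URIs, including double-encoded ones, and flags query strings that decode to HTML markup; the sample URI above is reused as one of the constructed log lines, so the decoded `</title><iframe src=//ask5.eu>` payload is what gets flagged.

```python
import re
from urllib.parse import unquote, urlsplit

# Request URI quoted in the show notes (scheme and host dropped), used as one sample.
SAMPLE_URI = ("/find_a_lawyer/content_search/results.php?sCHRISTINA%AGUILERA"
              "%20ANOREXIC%20PICS%3C%2F%74%69%74%6C%65%3E%3C%69%66%72%61%6D%65"
              "%20%73%72%63%3D%2F%2F%61%73%6B%35%2E%65%75%3E")

# Constructed access-log lines (Common Log Format); only the request URI is inspected.
LOG_LINES = [
    '192.0.2.10 - - [16/Dec/2009:20:01:11 -0500] "GET /results.php?q=divorce HTTP/1.1" 200 5120',
    '192.0.2.11 - - [16/Dec/2009:20:01:12 -0500] "GET ' + SAMPLE_URI + ' HTTP/1.1" 200 5311',
    # Double-encoded markup (%25 is "%"): a single decoding pass would miss it.
    '192.0.2.12 - - [16/Dec/2009:20:01:13 -0500] "GET /search?q=%253Cb%253Ehi%253C%252Fb%253E HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)

def fully_decode(text, max_rounds=3):
    """Percent-decode until stable (bounded); unquote() leaves invalid escapes like %AG alone."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def injected_tags(uri):
    """Distinct HTML tag names found in the decoded query string, in order of appearance."""
    decoded = fully_decode(urlsplit(uri).query)
    return list(dict.fromkeys(t.lower() for t in TAG_RE.findall(decoded)))

def iframe_sources(uri):
    """src targets of any iframes smuggled into the query string (the redirect destinations)."""
    return IFRAME_SRC_RE.findall(fully_decode(urlsplit(uri).query))

def scan_log(lines):
    """Return (line_no, tags, iframe_srcs) for each request whose query decodes to markup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        tags = injected_tags(m.group(1))
        if tags:
            hits.append((n, tags, iframe_sources(m.group(1))))
    return hits
```

Run against real logs, the iframe `src` values are the hosts worth blocking at the proxy and the tag list tells you which parameters the application is reflecting unescaped.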
News item 5: http://www.mozilla.org/security/announce/
Mozilla has released updates for Firefox. The current versions are now 3.5.6 and 3.0.16. The security advisories are at http://www.mozilla.org/security/announce/, with three updates rated as critical: an integer overflow and crash in the libtheora video library, memory safety fixes in the liboggplay media library, and crashes with evidence of memory corruption (rv:1.9.1.6/1.9.0.16).
News item 6: http://www.detnews.com/article/20091215/METRO/912150407/1409/METRO
Detroit News is reporting that Detroit Police are investigating two incidents in which patients’ medical records — including social security numbers — were stolen from the city’s health department. The first theft occurred in late October, when a flash drive was stolen from a health department employee’s car. It contained files with birth certificate information for babies born in 2008 and the first half of 2009 whose parents reside in the 48202 and 48205 zip codes. The files also included the mothers’ names and health conditions, the fathers’ names, addresses, Medicaid numbers and social security numbers.
The second incident happened over the Thanksgiving break, when five computers were stolen from the city’s health department facility. One of the computers contained Medicare and Medicaid seasonal flu billing information for 2008.
While this is becoming commonplace, what in the world are people thinking? I’m talking about the workers who are stupid enough not to keep tabs on their systems, but the administrators who are allowing these devices to be deployed without encryption and, furthermore, containing data that goes back to 2008. Is it really necessary to have this data on a device? Have they ever heard of Citrix? Or VPN?
News item 7: http://www.forbes.com/2009/12/15/cybercrime-windows7-microsoft-technology-cio-network-fsecure.html
The Forbes story on ‘Cybercrime Ghettos’ is really not too far off the mark. Granted, this comes from an F-Secure report, where they state that if given the choice between adapting their malicious software to a new operating system or focusing on users who haven’t made the switch, malware developers would choose the path of least resistance. They would thereby target XP users, which would have a greater impact on developing countries and on those who can’t afford the upgrade to Windows 7, be it the OS cost or the hardware cost. The point has some merit when you look at the Conficker worm and its impact on Brazil, Russia, India, China and Vietnam.