InfoSec News

Joomla! Multiple Information Disclosure Vulnerabilities
Mozilla Firefox/SeaMonkey/Thunderbird XPConnect Security Check Cross Domain Scripting Vulnerability
Earlier today, Apple announced v1.1 of Security Update 2012-001. The advisory announced the availability of the security update for Mac OS X 10.6.8, which addresses a compatibility issue and removes security fixes that were present in the original update for Snow Leopard. I am not sure why Apple removed security fixes from the original release, but maybe one of our readers can help us understand the issues behind the ImageIO security fix removal.
Below is the security advisory and we will link to the advisory once it is available on Apple's website.

APPLE-SA-2012-02-03-1 Security Update 2012-001 v1.1

Security Update 2012-001 v1.1 is now available
for Mac OS X v10.6.8 systems to address a compatibility

Version 1.1 of this update removes the ImageIO security
fixes released in Security Update 2012-001.

OS X Lion systems are not affected by this change.

Update #1:
Apple Support shows that three different issues were corrected in ImageIO by the original Security Update; the information is located at http://support.apple.com/kb/HT5130.
Elsewhere, it appears that a number of OS X Lion users had problems after applying the original update, as reported in the Apple Support forums, 9to5Mac, and thevarguy.com. The security advisory only mentions OS X Snow Leopard, so I am not sure whether the two issues are related or just coincidental. Stay tuned for more information.
Guy Bruneau Scott Fendley (ISC Handler On Duty) (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
project-open 'account-closed.tcl' Cross Site Scripting Vulnerability
Last week Sophos released its 2012 Security Threat Report, which highlighted some key findings from 2011:
- Smartphones and tablets causing significant security challenges
- Major data breaches and targeted attacks on high-profile companies and agencies
- Hacktivism: a shift from hacking for money to hacking as a form of protest or to prove a point
- Conficker worm is still the most commonly encountered piece of malicious software seen by Sophos customers
- Fake antivirus software is still the most common type of malware, but in the second half of the year it appears to be on the decline
- Spearphishing attacks on the rise
Despite all this, there were some successes. On March 16, 2011, a coordinated effort known as Operation b107 between Microsoft, FireEye, U.S. federal law enforcement agents and the University of Washington knocked Rustock offline. [1] The entire report is available here. [4]
Handler Mark published a diary on some of the things to take into consideration when your service provider has a breach. [3]
[1] http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-07.aspx

[2] http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-01.aspx

[3] https://isc.sans.edu/diary.html?storyid=10651

[4] http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf
Data breach diaries reported by ISC in 2011:
[1] Wordpress.com https://isc.sans.edu/diary.html?storyid=10729

[2] RSA Breach https://isc.sans.edu/diary.html?storyid=10609

[3] Lockheed Martin https://isc.sans.edu/diary.html?storyid=10939

[4] Sega Pass https://isc.sans.edu/diary.html?storyid=11065

[5] Sony Pictures https://isc.sans.edu/diary.html?storyid=10996

[6] DigiNotar SSL Breach (result = bankruptcy) https://isc.sans.edu/diary.html?storyid=11479

[7] GlobalSign https://isc.sans.edu/diary.html?storyid=12205

[8] Stratfor Global Intelligence https://isc.sans.edu/diary.html?storyid=12271
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
A "worrying number" of Facebook users are sharing a link to a malware-laden fake CNN news page reporting the U.S. has attacked Iran and Saudi Arabia, security firm Sophos said Friday.
The White House is following up on an offer made by President Barack Obama this week to help find a job for an unemployed semiconductor engineer in Texas.
Zoho Writer is an online (with offline and syncing functionality) word processing application that offers a nice amount of functionality, especially given the limitations of the Web as a platform for productivity tools. After creating a free account with Zoho, you can access Zoho Writer. It looks a lot like most word processors, so if you've used any major program in this category, it will take no more than a few minutes of poking around to learn how to do things. This is good, because the "Help" is in the form of a FAQ, not a tutorial or index of functions.
[ MDVSA-2012:013 ] mozilla

CANCUN, Mexico — Kaspersky Labs cofounder and chief executive Eugene Kaspersky announced today that the Russian security company will not pursue an initial public offering in the foreseeable future and will buy back the shares it sold to a private equity firm brought in 13 months ago to pursue an IPO.

In January 2011, General Atlantic bought 20% of Kaspersky, valued at about $200 million, from Eugene Kaspersky and his ex-wife Natalya. GA was brought in at the time to seek acquisition opportunities and set Kaspersky Lab up for an initial public offering.

“It’s quite a big deal, the biggest deal of my life,” Kaspersky said at the Kaspersky Security Analyst Summit 2012. “The company will stay private and stay focused on IT security.”

Kaspersky said the main motivation for the buy-back was the preservation of the company culture.

“IT security has to be flexible and innovating. My impression is that being private is the right way because you don’t need to report [finances],” Kaspersky said. “I like the way the company is going and the spirit of the company. To change their basic design, I’m afraid is dangerous. We are not going to change our ways, spirit, culture, emotion or strategy.”

Kaspersky said he could see the company branch beyond its core consumer and enterprise antimalware expertise. The company has a worldwide stable of security researchers with offices in 29 countries. Kaspersky said the company is profitable (less than 20% year over year growth), and promised to remain as transparent as possible in its financial disclosures.

“[If public], there are much more reports and governance and a longer decision-making process,” Kaspersky said. “I have the same feeling that I read in Richard Branson’s book that when you go public, the company goes slower. I don’t want that.”

Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-0447 Information Disclosure Vulnerability
The world of hypervisors is complicated by the fact that there are proprietary and open source tools, each with different strengths and weaknesses.
A Hungarian hacker who attempted to extort money from Marriott International Inc. by stealing confidential data from its computers and threatening to expose it was sentenced to 30 months in prison.
Microsoft on Friday wrapped up a three-day campaign against rival Google by claiming its newest browser, Internet Explorer 9, is superior in stopping users from being tracked by online advertisers.
Fueled by a firestorm of outrage on Twitter and Facebook, the people behind the Susan G. Komen For the Cure Friday backed off their decision to cut funding of Planned Parenthood programs.
Steve Appleton, chairman and CEO of memory and semiconductor maker Micron, was killed in a small plane accident in Boise, Idaho, on Friday.
In what's turning out to be quite a busy Friday for the hacking collective, Anonymous today said it has broken into the website of a law firm that represented a U.S. Marine accused of killing civilians in Haditha, Iraq.
Lync Online, the instant messaging, online meeting and PC-to-PC voice and video communications tool in Office 365, will gain interoperability with non-Microsoft IM networks.
For Sunday's Super Bowl, fans will split their attention between the screens on their TVs, laptops, smartphones and tablets. The big game is going social.
Dell's formation of a new software group, which was announced Thursday, could be the forerunner to a string of acquisitions by the vendor, with some observers predicting a focus on systems management and cloud services provisioning.
Smartphone shipments overtook personal computers -- including tablets, laptops, netbooks and desktops -- for the first time in 2011, according to Canalys.
Germany's cyber security agency today recommended that Windows 7 users run Google's Chrome browser, citing the application's sandbox and auto-update features.
Some critics have blamed Silicon Valley tech firms for the massive online protests last month against two controversial copyright bills. Other groups have trumpeted the grassroots nature of the protests.
Ghostscript 'gs_init.ps' With '-P-' Flag Search Path Local Privilege Escalation Vulnerability
ESA-2012-010: EMC Documentum xPlore information disclosure vulnerability
RFC 6528 on Defending against Sequence Number Attacks
[SECURITY] [DSA 2403-1] php5 security update
Adobe security and privacy director Brad Arkin urges the security industry to focus on the latest exploit techniques and develop mitigations that make exploit writing costly.

The PHP Group released PHP 5.3.10 on Thursday in order to address a critical security flaw that can be exploited to execute arbitrary code on servers running an older version of the Web development platform.
[SECURITY] [DSA 2402-1] iceape security update
[SECURITY] [DSA 2400-1] iceweasel security update
[SECURITY] [DSA 2401-1] tomcat6 security update
Though you might be tempted to ditch your office fax machine, you probably have to send out at least a few faxes every year. Windows lets you fax from the OS itself; but it requires you to use a landline that your small business may not want tied up, and it lacks security and mobile features that your business may need.
When you're selling items on shopping sites such as eBay and Etsy, presentation and marketing are just as important as producing a high-quality product. Customers are bombarded with images of goods of all shapes and sizes. Since they can't try things on or test them out, it's important for you to provide a clear, accurate, and appealing representation. Even if the cashmere scarf you knitted is beautiful in person, no one will want it if it appears out of focus, looks poorly lit, or sits wrapped around your unshaven friend's neck.
Google does not plan to delay its new privacy policy despite calls from Europe's data protection watchdog.
Despite pronouncements that they are pro-technology, all of the U.S. presidential candidates have made fairly feeble attempts at building mobile campaign websites.
[security bulletin] HPSBGN02740 SSRT100741 rev.1 - HP Operations Manager, Operations Agent, Performance Agent, Service Health Reporter, Service Health Optimizer, Performance Manager, Remote Execution of Arbitrary Code
Google yesterday unveiled an automated system that scans Android apps for potential malware or unauthorized behavior, a move critics have long called the company to make.
Researchers from security vendor Symantec have identified a new premium-rate SMS Android Trojan horse that modifies its code every time it gets downloaded in order to bypass antivirus detection.
Research in Motion is trying to woo developers by giving a free BlackBerry Playbook tablet to coders who port their Android application for its BlackBerry Tablet OS.
A recent lawsuit filed against the U.S. Food and Drug Administration is drawing attention to the question of whether employees have a reasonable expectation of privacy when using personal email accounts on workplace computers.
H-1B workers are better educated than U.S. born workers and earn more, according to a new study by an independent research group.

Posted by InfoSec News on Feb 03


Amsterdam, The Netherlands, 1 February 2012 -- Hack In The Box Security
Conference is back again in Amsterdam this year for the European leg of
its annual circuit. From the 21st to the 25th of May, this deep
knowledge security conference will once again bring together a unique
mix of security professionals, independent researchers, government and
law enforcement officials and members of the...

Posted by InfoSec News on Feb 03


By Dan Bowman
February 1, 2012

Healthcare organizations need to "serve as their own watchdog" to
increase security and decrease data breaches, a new report from IT
security audit firm Redspin concludes. The increase in "bring your own
device" policies at various hospitals, in addition to the continued...

Posted by InfoSec News on Feb 03


By Gregg Keizer
February 2, 2012

Half of all Fortune 500 companies and major U.S. government agencies own
computers infected with the "DNS Changer" malware that redirects users
to fake websites and puts organizations at risk of information theft, a
security company said today.

DNS Changer, which at its peak was...

Posted by InfoSec News on Feb 03


The Secunia Weekly Advisory Summary
2012-01-26 - 2012-02-02

This week: 142 advisories

Table of Contents:

1.....................................................Word From Secunia...

Posted by InfoSec News on Feb 03


By Mathew J. Schwartz
February 02, 2012

Several successful hacks of VeriSign's network, in 2010, might have
compromised critical information relating to the Internet's domain name
system (DNS).

According to information released by VeriSign in October 2011, "we have
investigated and do not believe these attacks breached the servers that
support our...

Posted by InfoSec News on Feb 03


By Elinor Mills
InSecurity Complex
CNet News
February 2, 2012

When he's not at school, 15-year-old Cim Stordal spends his time playing
the Team Fortress video game, shooting his Airsoft pellet gun, and
working in a fish shop in Bergen, Norway. But his real passion is
finding bugs in software used by millions of people on the Internet....

Posted by InfoSec News on Feb 03


By Andrew Gumbel
2 February 2012

Computer security experts have warned that the 2013 Oscars ballot may be
vulnerable to a variety of cyber attacks that could falsify the outcome
but remain undetected, if the Academy of Motion Picture Arts and
Sciences follows through on its decision to switch to internet voting
for its members.

The Academy...
C6 Messenger Installation URL Downloader ActiveX Control Arbitrary File Download Vulnerability
Just about a month ago, PHP 5.3.9 was released, which included a patch for the hash collision problem. The basic hash collision problem affected various languages, including PHP and .NET (Microsoft fixed the issue in an out-of-band patch, 2011-100, in late December).
PHP fixed the issue not by introducing a new hash function, but by limiting the number of input parameters. Just as the PHP hardening patch Suhosin has done all along, PHP now supports a max_input_vars parameter to limit the number of input parameters a request may send. The default limit was set to 1,000, plenty for most web applications.
Sadly, the fix was implemented incorrectly and introduced a more severe vulnerability: remote code execution. That's right: an attacker could craft a request that will execute code on a web server running PHP 5.3.9.
Today, the PHP team released PHP 5.3.10 to address the issue.
If you are running PHP 5.3.9: PATCH NOW! This is a very critical bug.
If you are running PHP 5.3.8: DO NOT UPGRADE TO 5.3.9. I would actually recommend that you wait.
Additionally, try to enable Suhosin if at all possible. There is a slight performance hit, but it is unlikely to break your web application unless you are already tight on resources. Many Linux distributions include Suhosin, so it may be pretty easy to set up.
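The mitigation the diary describes, a cap on the number of input variables a request may register, is easy to see in a small parser. The following is an added illustration written for this page, not PHP's own request parser or Suhosin code: it parses a query string and stops registering variables once a configurable limit (named after PHP's `max_input_vars` directive, default 1,000) is reached, either dropping the remainder as PHP does or rejecting the request outright. The sample requests are constructed, and the simplifying assumption that every `name=value` pair counts against the limit is noted in the code.

```python
"""Input-variable cap in the style of PHP's max_input_vars (added example).

Bounding how many keys one request may insert into the server's parameter
table bounds the work an attacker can force through colliding keys, which is
the approach PHP 5.3.9 took instead of changing its hash function.
"""
from urllib.parse import unquote_plus

# PHP's default value for max_input_vars.
DEFAULT_MAX_INPUT_VARS = 1000


class InputVarsExceeded(Exception):
    """Raised in strict mode when a request carries too many variables."""


def parse_query(query, max_input_vars=DEFAULT_MAX_INPUT_VARS, strict=False):
    """Parse an application/x-www-form-urlencoded query string.

    Returns (params, truncated). In the default (PHP-like) mode, variables
    beyond the limit are ignored and truncated is True, so the caller can
    log a warning the way PHP does. With strict=True the whole request is
    rejected instead, which is the safer choice for APIs that never expect
    large forms.

    Simplifying assumption: every name=value pair counts against the limit,
    including repeated names; PHP's own counting of nested array elements is
    not modelled here.
    """
    params = {}
    count = 0
    for pair in query.split("&"):
        if not pair:
            continue  # tolerate "a=1&&b=2"
        count += 1
        if count > max_input_vars:
            if strict:
                raise InputVarsExceeded(
                    "request exceeds max_input_vars=%d" % max_input_vars)
            # PHP-like behaviour: keep what was registered, drop the rest.
            return params, True
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params, False


def build_request(n_vars):
    """Construct a sample query string with n_vars distinct variables."""
    return "&".join("k%d=%d" % (i, i) for i in range(n_vars))


if __name__ == "__main__":
    small, truncated = parse_query("user=alice&page=2")
    print(small, truncated)
    big, truncated = parse_query(build_request(1500))
    print(len(big), "variables kept, truncated:", truncated)
```

Running the block shows a normal two-variable form passing untouched while a constructed 1,500-variable request is cut off at 1,000 with the truncation flag set; in strict mode the same oversized request raises instead of being partially processed.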

Johannes B. Ullrich, Ph.D.

SANS Technology Institute
