InfoSec News

Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
This upcoming Tuesday Microsoft is releasing four bulletins, rated from critical to moderate, affecting all supported versions of Windows. Detailed information can be found in the advance notification bulletin.
[1] http://technet.microsoft.com/en-us/security/bulletin/ms11-nov

[2] http://blogs.technet.com/b/msrc/archive/2011/11/03/advanced-notification-for-november-2011.aspx
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Apple may be looking to put its money where its cloud is, but the company's execs aren't afraid of Fire. And if you thought Apple would be keeping all of its products exactly the same in 2012, guess again. The remainders for Thursday, November 3, 2011 have got news for you.
No one expects Windows Phone to leap over Google Android and Apple iOS in a single bound, but industry analysts have been revising their projections for Windows Phone, now forecasting a dramatic surge in sales over the coming 12 months. Other data finds growing consumer awareness of and interest in the Microsoft platform, almost exactly a year after the first Windows Phone handsets became available on all major U.S. carriers. [Find here the full current lineup of handsets, including those formally debuting next week.]
Fitchburg State University installed Lancope's StealthWatch NetFlow analyzer to boost security and network capacity management.


Today was a fairly slow *knock on wood* day on the Internet. It is rare that we have business as usual, so in my normal reading I came across an article on how Apple, Inc. will require sandboxing [1] of all apps submitted to the Mac App Store by March 1, 2012 [2]. There is a lot of chatter on the Internet about this move, and in my opinion it has both pros and cons. One clear pro would be safer software (buyer beware, of course, as you have to trust Apple, Inc.). One perceived con is loss of control over your own operating system.
Sandboxing [5] [6], in short, is a way of creating a controlled container, if you will, in which an application runs. A few popular applications use this method, including Chrome [7]. The container's purpose is to limit what the application can reach (files, network, other processes) and so to keep it from making persistent changes to the operating system; if the application is compromised, the attacker is held to the same restrictions. Another common sandboxing technique we often use is chroot [8]. Note that chroot only restricts a process's view of the filesystem; on its own it is not a hard security boundary (a process that keeps root privileges can break out of it), so it is normally combined with dropping privileges or with kernel-enforced controls.
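As an added illustration of what the requirement means in practice (this is not code from the diary, from Apple, or from the linked articles): a Mac app opts into the App Sandbox through an entitlements property list that is bound to the app by its code signature. The entitlement key names below are Apple's App Sandbox keys; the application and the file path in the commented-out exception are placeholders I made up for the example. The point is that a sandboxed app starts with no access and must declare each capability it needs.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Example entitlements for a hypothetical "ExampleEditor.app".
     Every key here is an Apple App Sandbox entitlement key; the app and
     the exception path are placeholders for this example only. -->
<plist version="1.0">
<dict>
    <!-- The master switch: with this set, the process runs under the
         App Sandbox and is denied everything not granted below. -->
    <key>com.apple.security.app-sandbox</key>
    <true/>

    <!-- Outbound network connections only (e.g. fetching updates).
         Omit this if the app does not need the network at all; listening
         sockets would need the separate network.server entitlement. -->
    <key>com.apple.security.network.client</key>
    <true/>

    <!-- Read/write only to files the user explicitly picks in an
         Open/Save dialog. The app cannot wander the home directory. -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>

    <!-- Weak variant, shown for contrast and deliberately commented out:
         a "temporary exception" that re-opens a path to the whole app.
         Exceptions like this widen the container and should be avoided
         or justified; this one is a placeholder path, not a real need.
    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/Library/Application Support/ExampleEditor/</string>
    </array>
    -->
</dict>
</plist>
```

On macOS you can read back the entitlements actually bound to a signed bundle with `codesign -d --entitlements :- /Applications/ExampleEditor.app` (the `:-` form prints the embedded plist to stdout; the exact option syntax has varied across macOS releases, so treat this as an assumption to check on your own system). If `com.apple.security.app-sandbox` is absent or false in that output, the app is not sandboxed regardless of what its marketing says.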
As part of last month's Cyber Security Awareness Month, we covered the Critical Security Controls. Could this move contribute to a better implementation of Critical Control 7 [3]?
How do our readers feel about this, given that there is an Apple, Inc. user population among us?

[1] https://developer.apple.com/devcenter/mac/app-sandbox/ (Warning Dev Account Required)
[2] http://developer.apple.com/news/index.php?id=11022011a
[3] http://www.sans.org/critical-security-controls/control.php?id=7
[4] http://apple.slashdot.org/story/11/11/03/1532203/apple-to-require-sandboxing-for-mac-app-store-apps (Source Article)

Richard Porter
--- ISC Handler on Duty
email:richard at isc dot sans dot edu
twitter: packetalien
In September, not long before Research In Motion's (RIM) fourth annual BlackBerry Developer Conference--and just a month or so after the company's former BlackBerry development chief stepped down--RIM named a brand new VP of Developer Relations: Alec Saunders.
RIM is tailoring its upcoming BBX operating system to meet the needs of developers who want a simple and profitable way to sell their mobile applications.
As Facebook and other social networks have grown in popularity, businesses have started looking for ways to leverage them within the enterprise. The result: an influx of social software companies vying for a spot in business' technology portfolios, and IT and business executives scrambling to map out long-range plans.

Federal Bureau of Investigation and the U.S. Attorney General's Office Win ...
Sacramento Bee
SANS offers a myriad of free resources to the Infosec community including consensus projects, research reports, newsletters, and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

PHP 'Zip' Extension 'stream_get_contents()' Function Denial of Service Vulnerability
[ MDVSA-2011:166 ] php
About a year ago, a few of the larger virtualization software vendors, such as VMware and CA Technologies, started campaigning against a phenomenon that they called virtual stall.
The head of the agency that runs USAJobs.gov, the federal government employment site, apologized on Thursday for site performance problems since it was taken over from Monster.com last month.
AMD plans to lay off 10% of its global workforce and will terminate "existing contractual commitments" in a plan to cut costs, the company announced Thursday.
30 Days With the Cloud: Day 1
HTC on Thursday introduced a Rezound smartphone that will ship ready to upgrade to Android 4.0.
The big zero-day exploit on everyone's mind is Duqu, or "son of Stuxnet" - but researchers don't expect Microsoft to include a patch for it in next week's Patch Tuesday. Instead, a manual fix could be out as soon as this week.
Bromium is a well funded startup that promises to tap some little-used inherent strengths of Xen virtualization to secure public clouds, opening up the possibility of greater cost savings for businesses that will be able to trust more data to these services.
There's no denying it: practically every business is moving to the cloud or at least thinking about it. But with a number of options available to them, many are still experimenting with which works best.
Job cuts in the U.S. technology industry in 2011 are down significantly from a year ago and turnover levels in IT shops have returned to pre-recessionary levels, but that doesn’t make the tens of thousands of people in the United States who have been laid off from electronics, telecommunications and computer industry jobs feel much better.
While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosby, says virtualization actually holds a key to better security.
Samsung boosted its global smartphone shipments by 223% in the third quarter, taking the top spot for the first time among smartphone vendors, with Apple in second, market research firm IDC said.
In a move to bring network connectivity to a wider range of devices, sensors and appliances, IBM has donated the source code of its machine-to-machine messaging software to the Eclipse Foundation, the company announced Thursday.
Cloud computing, security and the mobile space hold the most growth potential in the coming years, according to IT professionals surveyed by tech staffing firm Modis.
Congress and the Federal Communications Commission shouldn't forget unlicensed uses of spectrum as policymakers debate ways to open up more mobile spectrum for broadband and voice services, a group of wireless advocates said Thursday.
Microsoft today said it will issue four security updates next week to patch four vulnerabilities in Windows.
The company seeks transparency and an open development model in addition to the replacement of any closed code with open code
Google is looking to freshen up its search results with updated algorithms, a move it hopes can help it maintain its strong lead in the search business.
Global computer chip revenue showed strong signs of life in the third quarter, jumping 16.1% compared to the same period in 2010.
Oracle President Mark Hurd spoke with IDGE Chief Content Officer John Gallant about Oracle's strategy and why the company is uniquely positioned to help IT leaders deal with the difficult challenges they're facing today. Insider (registration required)
Mozilla developers hope to start testing phones running its new mobile operating system this quarter, with product demos slated for the first quarter next year and "productization" set for before June 2012, according to a road map on the project's website.
There's cause for contentment among IT pros, many of whom are staying put at their current jobs due to a combination of lingering economic concerns and improving conditions at work.
Amazon Web Services has added the option to use applications to create codes for its Multi-Factor Authentication (MFA) service, the company said on Wednesday.
ESA-2011-035: RSA, The Security Division of EMC, announces the release of Hotfix 6 with security updates for RSA Key Manager Appliance 2.7 Service Pack 1
[ MDVSA-2011:165 ] php
[security bulletin] HPSBMU02704 SSRT100619 rev.1 - HP OpenView Network Node Manager (OV NNM) Running Apache, Remote Denial of Service (DoS)
CmyDocument Content Management Application - XSS Vulnerabilities
The U.S. can expect more aggressive efforts from countries such as Russia and China to collect information through cyberespionage in areas such as pharmaceuticals, defense and manufacturing, according to a new government report released Thursday.
Android was the only smartphone operating system to gain U.S. market share in the third quarter, according to Nielsen.
Apple’s iTunes Match cloud-music feature seems to be inching closer to release: An option to enable the feature has now appeared on the second-generation Apple TV—this despite Apple having missed its goal of launching iTunes Match by the end of October.
Amazon Prime subscribers can now read more than 5,000 Kindle e-book titles for free thanks to a new service called Kindle Owners' Lending Library, but only if you own a Kindle device. The new Prime feature lets you borrow one book per month and read it on your Kindle device for as long as you want with no specific due date when your access to the book expires. Amazon lending library books cannot be read using Amazon's smartphone apps.
Motorola plans to release a follow-up to its Xoom Android tablet in November, but only in the United Kingdom and Ireland for now.
While the iPad continues to be a big success, the tablet market offers a harsher climate to vendors other than Apple -- and pricing strategies may be an important factor in their difficulties.
Almost 100 computer experts from 16 European countries jointly battled to hold off serious cyber attacks on the European Union’s security agencies and power plants as part of a simulated exercise on Thursday.
Romanian eBay hacker Vlad Duiculescu, known online as "Vladuz," lost the appeal to get his three-year suspended prison sentence reduced on Tuesday. The court also dismissed the appeal lodged by prosecutors regarding the hacker's acquittal on organized crime charges.
ESA-2011-032: EMC Documentum eRoom arbitrary file upload vulnerability.
Serendipity Plugin 'Karma Ranking' Multiple Cross-Site Scripting
Serendipity 'serendipity[filter][bp.ALT]' Cross-Site Scripting vulnerability
We look at five Android office suites that allow you to create and edit word processing docs, spreadsheets and presentations.
Oracle and Google held another settlement conference on Wednesday in their ongoing lawsuit over alleged Java intellectual-property violations in the Android mobile OS, but failed to reach an agreement, according to a filing in U.S. District Court for the Northern District of California.
Looking back on the development of speech recognition technology is like watching a child grow up, progressing from the baby-talk level of recognizing single syllables, to building a vocabulary of thousands of words, to answering questions with quick, witty replies, as Apple's supersmart virtual assistant Siri does.
A server belonging to the Massachusetts Institute of Technology was commandeered by hackers who used it to launch attacks against other websites as part of a larger drive-by download campaign, according to antivirus vendor BitDefender.

Another day, another vulnerability reporting reward program. Kinda.

Secunia, a vulnerability management vendor from Denmark, is the latest to join the bounty brigade, but it is bringing its own spin to the market. Secunia's new Vulnerability Coordination Reward Program is another platform for researchers to report software security flaws, but Secunia goes a step further and offers to handle the reporting process to the affected vendor. Software vendors have varied and sundry reporting processes, and Secunia hopes to help researchers skip the hassle, according to Carsten Eiram, chief security specialist at Secunia.

“Most other schemes pay researchers for their discoveries, and, while these offerings are excellent for researchers, the companies are, naturally, very selective in which vulnerabilities they wish to purchase and coordinate,” he wrote in a release from the company. “This leaves a huge gap for researchers, who either do not want to sell their vulnerabilities or discover vulnerabilities not fulfilling the requirements of the existing initiatives, but who would still like an independent third party to confirm their discoveries and handle coordination.”

TippingPoint's Zero Day Initiative (ZDI) and VeriSign's iDefense Labs Vulnerability Contributor Program are probably the best-known bug-bounty programs offered by security companies; Google, Microsoft and Mozilla also have their own twists on bug bounties. ZDI, for example, pays researchers for previously unpatched bugs and then develops signatures for its intrusion prevention products to give its customers first crack at protection. It also works with the affected vendor, and once a patch is ready, a joint advisory on the vulnerability is prepared.

Secunia says it will provide detailed information on vulnerabilities to the affected vendors and will participate in the patch process by providing feedback on fixes and confirming patches resolve the issue in question. Secunia hopes to establish itself as a trusted, independent third party in the vulnerability remediation process. In addition, the company says it will not notify its customers in advance as ZDI would. Instead, a public advisory would be the first notification of a vulnerability.

Secunia has established certain conditions for vulnerabilities to be considered: the vulnerability must not already be publicly known, and it must have been found in a stable product, in the latest version that is actively supported by the vendor. Secunia's research team must also be able to confirm the vulnerability.

Secunia said its rewards will include merchandise and accommodations and entry into major security conferences.

A German data protection authority contends Facebook is tracking users even after they delete their accounts, and it wants the company to respond to this potential privacy violation by Monday.
Hewlett-Packard announced the new Slate 2 tablet with the Windows 7 OS, just under a week after the company announced it would retain its PC unit.
With all the security challenges encompassed in cloud services, one company is working to ensure that its users and other customers can rely on it for business critical computing.
With the first 'Ice Cream Sandwich' smartphones due in mid-November, the real app testing can soon begin
Workers plan to do more online holiday shopping this year while on the job, with many using their own smartphones and tablets. That's got IT managers worried, a survey shows. Insider (registration required)
A judge in the U.S. on Wednesday allowed parts of C Spire Wireless's and Sprint Nextel's lawsuits against AT&T's proposed US$39 billion acquisition of T-Mobile USA to proceed.
Amazon.com announced the launch of an e-book lending library for Kindle users, that allows Amazon Prime members to borrow books for free, as frequently as a book a month, and without due dates.
Openswan Cryptographic Helper Use After Free Remote Denial Of Service Vulnerability