InfoSec News

A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet.
 
The newest top-of-the-line Garmin Nuvi 3790T is sleek, sexy, and stylish--words you wouldn't normally associate with a GPS device. For its new 3000 series of Nuvis, Garmin completely redesigned the case and the screen. The Nuvi 3790T sports a new 4.3-inch glass screen with a higher-resolution 800 by 480 display. And like the iPhone, it offers multitouch (pinch and zoom) controls and automatic screen orientation. The 3790T includes almost every feature in Garmin's bag of tricks, but its $450 price tag (as of October 28, 2010) makes it a tough sell.
 
WiMax service provider Clearwire will lay off 15 percent of its employees and suspend the opening of retail stores and marketing campaigns in some cities as it tries to conserve cash and raise additional capital.
 
It is not easy to keep up with Adobe these days. Patches and new exploits are almost released on a daily schedule. So here is the current State of Adobe the way I see it:



Product
Latest Version
Latest Vulnerabilities




PDF Reader
9.4.0

version 9.4.0 (latest version) is vulnerable

Adobe Reader Unspecified Memory Corruption Vulnerability

Secunia #SA42095, no CVE Number assigned yet



Flash Player
10.1.102.64
version 10.1.85.3 is vulnerable. Patch released today (Nov. 4th)

Authplay Vulnerability

CVE-2010-3654


Shockwave Player
11.5.9.615
11.5.9.615 (latest version)is vulnerable

Shockwave Settings Use-After-Free Vulnerability)

Secunia# SA42112, no CVE Number assigned yet


Acrobat
9.4.0
version 9.4.0 (latest version)is vulnerable

Authplay Vulnerability

CVE-2010-3654




Air
2.5
version 2.0.3 is vulnerable (old version)



Please let me know if you have corrections, or better if you find a simple overview about the state of Adobe bugs on Adobe's own site. Any Adobe people out there:Feel free to copy the concept :). This table will be frozen to today's state and we may update similar, updated tables in the future as a new article.

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Google on Thursday started offering Google Instant on some Android devices and iPhones, as promised when it first launched the service in September.
 
Former Oracle President Charles Phillips testified in court Thursday that he would have been "terrified" to learn SAP had gained access to Oracle's software and that SAP would have had to pay "at least 3 or 4 billion dollars" to license it.
 
Ignorance is bliss, so don't read any further if you don't want to panic about Facebook and Twitter security.
 
There's a song by the Limousines that always makes me smile. Called "Internet Killed the Video Star," it's a tongue-in-cheek reference back to the 1979 song, "Video Killed the Radio Star," by the Buggles -- the very first music video on MTV.
 
The Mac App Store may still be more than two months away, but Apple's already looking to stock the shelves. This week, the company has been dispatching e-mails to members of its Mac Developer Program, encouraging them to submit their apps.
 
4G network performance claims in a new T-Mobile USA TV advertisement have prompted a renewed debate about the meaning of 4G among analysts and rival carriers.
 
Republican gains in Congress with Tuesday's elections put a controversial and largely partisan debate over proposed network neutrality rules back in the hands of the U.S. FCC, but some backers of new rules have their doubts about the agency's willingness to move forward.
 
Microsoft is continuing its Windows 7 marketing push with a recommendation that all customers examine desktop virtualization before moving users to the new operating system.
 
Researchers at the University of Arizona have developed a type of holographic telepresence that's can project a 3-D, full-color, moving image that viewers don't need special glasses to see.
 
Microsoft today said it will ship three security updates next week to patch 11 vulnerabilities, including the first in Office 2010 pegged "critical."
 
[USN-1014-1] Pidgin vulnerabilities
 
[USN-1013-1] FreeType vulnerabilities
 
[USN-1012-1] CUPS vulnerability
 
Re: [WEB SECURITY] [TOOL] DotDotPwn v2.1 - The Directory Traversal Fuzzer
 
We received a couple of reports about Microsoft's Smart Screen flagging harmless sites as malicious. Initially, we considered the possibility of an infected ad service. But it may be a bug in Smartfilter as well. Some reports on twitter [1] show that the problem has been resolved.
Please let us know if you have sample URLs that are still affected.
To disable smart screen:Select Internet Options from the Toolsmenu. Select the Advanced tab and find the Enable SmartScreen Filter setting (about the 10th item from the bottom. Scroll all the way down). Needless to say: This will also remove the smart screen protection from real-evil sites, not just from appear-to-be-evil-to-smartscreen-today sites. The setting should only be changed if you can't wait for the problem to be fixed.
[1] http://twitter.com/#!/search/%23smartscreen
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Microsoft published its pre-announcement for next Tuesday's patch release [1]. Looks light and easy this time. A total of 3 patches. One for Office, one for Powerpoint and one for the Forefront Unified Access Gateway.
Note that the Office patch will apply to the just released Office for Mac 2011.
[1] http://www.microsoft.com/technet/security/bulletin/ms10-nov.mspx
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
You want to be strategic? Then get to know your CEO's agenda and how you can help solve your company's most pressing problems in 2011. A new Gartner report outlines seven critical areas.
 
CIO.com obtained three examples of actual CIO resumes that executive recruiters deem outstanding enough to prompt a call about job opportunities. How does your resume stack up to these fine specimens?
 
Microsoft will repair 11 vulnerabilities affecting Microsoft Office, Office PowerPoint and Forefront Unified Access Gateway, according to its Advance Notification issued Thursday.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
When Skyfire Labs this week released an iOS browser that promised to play Flash content, it seemed they had a hit on their hands. But few--including Skyfire Labs itself--expected the app to sell as quickly as it did.
 
Google today patched 12 vulnerabilities in its Chrome browser, all of them rated as high-level threats by the company's security team.
 
The Oracle Applications Users Group is urging members running an older version of E-Business Suite to ensure they have all the necessary patches needed to qualify for extended support.
 
The global smartphone market grew nearly 90% in the third quarter, with enormous gains by Samsung and HTC, market research firm IDC reported.
 
Linux Kernel 'ipc/sem.c' Information Disclosure Vulnerability
 
FreeType 'ft_var_readpackedpoints()' Buffer Overflow Vulnerability
 
Microsoft Windows Embedded OpenType Font Engine Integer Overflow Remote Code Execution Vulnerability
 
Toshiba started shipping its Folio 100 tablet, which has a powerful dual-core processor and full high-definition graphics capabilities -- features designed to outperform Apple's iPad.
 
The best approach is to stress relationships over antagonism.
 
The nation's fifth-largest wireless carrier, MetroPCS Communications, launched its 4G LTE service in the Los Angeles and Philadelphia metro areas today, bringing the faster wireless technology to five major U.S. markets.
 
The patchwork of rules across Europe regarding the handling of data poses a hurdle for Microsoft's efforts to provide cloud-based services, a senior Microsoft attorney said on Thursday.
 
CUPS Server 'cups/ipp.c' Remote Memory Corruption Vulnerability
 
[ MDVSA-2010:220 ] pam
 
RSA is the latest vendor to combine encryption and tokens with a server that provides tokenization and key management functionality in one location.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
Many security decisions and acceptable use policies are based on a false categorization of applications. "Business applications" are good, safe and have business value. "Personal applications" are bad, unsafe and have no business value.
 
Before you make an appointment with your eye doctor, it's not your eyes. It's Facebook.
 
A Minnesota federal jury ordered a woman to pay $1.5 million, or $62,500 per song, to recording companies for pirating 24 songs.
 
Regular Hassle-Free PC readers know that I'm a huge fan of keyboard shortcuts. And I just realized that of all the ones I've shared over the years, I never mentioned two of my favorites.
 
This issue of Network World features the 2010 edition of Cool Yule Tools. We tried more than 140 products and present our findings in print and online. Through this process, I've learned some valuable lessons about consumer technology this year, and want to share some of these insights.
 
YUI Multiple Cross Site Scripting Vulnerabilities
 
PAM 'pam_namespace' Module Local Privilege Escalation Vulnerability
 
BBcode XSS in eoCMS
 
LFI in eoCMS
 
SQL injection in eoCMS
 
Path disclosure in eoCMS
 
VeriSign announced that starting December 9th, .net and .com domains will be authenticated using DNSSEC. Right now, signatures are available for .net and .com, but they are not yet valid. The roll out will happen in stages, similar to the roll out for the root zone.
Verisign also offers a nice DNSSEC debugger [2]. In case you implement DNSSEC, use it to test your zone, as well as a DNSSEC Test site [3] to check if your resolver uses DNSSEC.

[1] http://www.verisign.com/domain-name-services/domain-information-center/dnssec-resource-center/index.html

[2] http://dnssec-debugger.verisignlabs.com/

[3] http://test.dnssec-or-not.org/

[4] http://www.h-online.com/security/news/item/Fast-start-of-DNSSEC-with-net-and-com-1128982.html
and if you missed it... the solution is out for our DNSSEC related packet challenge: http://johannes.homepc.org/packet.txt

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
In the not-too-distant future, children will look at keyboards and mice with a mixture of amusement and derision. Advances in speech-recognition and dictation technology have quietly made stunning leaps forward in recent years; and although it isn't perfect yet, speech recognition has suddenly achieved very good usability. Here's how to take advantage of Windows 7's built-in voice command tools and make a break from the keyboard and mouse.
 
Adobe Reader 9.4 Remote Memory Corruption Vulnerability
 
XSS in SweetRice CMS
 
Shell create & command execution in JAF CMS
 
RFI in JAF CMS
 
SQL injection in SweetRice CMS
 
Microsoft CEO Steve Ballmer called on Europe on Thursday to provide clearer rules on privacy and data retention issues as his company pushes into remote computing services.
 
Internet giants such as Facebook and Google could soon be forced to reveal more to European Internet users about what they are doing with personal data.
 

Feitian Presents Online Banking Solution At Rsa China
I-Newswire.com (press release)
... International Technical Consultant Gregory Dunn presented the speech at the first annual RSA Chine INFOSEC international forum in Beijing China. ...

 
Plantronics' new Savor M1100 Bluetooth headset offers good quality audio and a range of voice recognition features.
 
JustSystems Ichitaro Multiple Remote Code Execution Vulnerabilities
 
SAP is working with NEC to make portions of SAP's enterprise resource planning applications available via NEC's cloud infrastructure, the two companies announced Wednesday.
 
Hackers might crack or steal your password, but can they type like you?
 
China's strict controls on its Internet usage will eventually fail as more of the country's people go online and express themselves, said Google CEO Eric Schmidt.
 
A California woman sued Apple in state Superior Court, claiming that last summer's iOS 4.0 upgrade turned her iPhone into an "iBrick" that was slower and less reliable than before the update.
 
China may be no more than a year away from developing a supercomputer built entirely from its own technology, a big step toward freeing itself of Western technology.
 
Feeling tapped out on monitoring social media for customer comments, Zone Labs turned to Cisco's SocialMiner, which was released to limited customers on Wednesday.
 
In the hotel business, Wi-Fi reliability can be the difference between getting guests or not. The Sheraton Springfield recently upgraded to Meru Networks technology.
 
Privacy groups have raised alarms over plans by the federal Office of Personnel Management to build a database that would contain information about the healthcare claims of millions of Americans.
 
Gmail can help you speed through processing, reading and acting on e-mail. You can make it even better for home or business use with these tips and tools.
 
Computer Associates ARCserve Backup Multiple Remote Buffer Overflow Vulnerabilities
 


Internet Storm Center Infocon Status