InfoSec News

Flash is designed around a sandbox concept that only allows access to specific local files, in particular Flash cookie files. All other local files are off limits to Flash, to prevent malicious Flash applets from exfiltrating information.
Billy Rios, a researcher with some history when it comes to Flash, was able to show how to bypass this restriction and allow Flash to access local files.
The local file access is amazingly simple: Adobe does allow access to remote files via the getURL function. As pointed out by Billy, the easiest version of this attack would just use file:// and point to the local system. However, Adobe blacklists certain protocol handlers, so Billy had to find one that was not blacklisted and would provide the access needed. One he found is the mhtml handler, which works on modern Windows systems and is not blacklisted. The user will not be prompted for permission in this case.
http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesystem-sandbox/
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Motorola Mobility announced at CES three new smartphones and the Xoom tablet running the new Android 3.0 OS, formerly codenamed Honeycomb -- just one day after its official spin off as a separate company.
 
Motorola finally unveiled its highly anticipated tablet, the Xoom, with a 10.1-inch touchscreen with the latest version of Google's Android mobile software on board, formerly called Honeycomb.
 
Tablets are taking center stage at CES, at least so far, but big announcements from Microsoft and buzz around chips are also in the limelight.
 
Wi-Fi Direct, a wireless LAN mode that doesn't require a hotspot, is starting to emerge in handsets and will be demonstrated on an LG Electronics smartphone this week at the International Consumer Electronics Show.
 
Microsoft Windows president Steven Sinofsky took a shot at Apple during CES, saying users are being inconvenienced because there is no convergence across the iPhone, iPad, iPod and MacBook.
 
 
Nvidia is developing new CPU cores based on the ARM architecture for PCs and servers that will be able to run Microsoft's upcoming Windows OS, the company said on Wednesday.
 
PHP 'zend_strtod()' Function Floating-Point Value Denial of Service Vulnerability
 
Nullsoft Winamp VP6 Video Content Heap Buffer Overflow Vulnerability
 
Immunet will be integrated with Snort, ClamAV and Sourcefire's network behavior analysis capabilities to create a cloud-based enterprise suite.

 
LG Electronics showed it's serious about 3D in mobile devices on Wednesday, introducing a new 4.3-inch glasses-free 3D screen for mobile devices and a similar prototype 7-inch 3D screen on a mobile TV.
 
Microsoft said Wednesday that the next version of its Windows PC operating system will run on ARM processors, part of an effort to adapt Windows to the fast-growing market for tablet computers, where Apple and Google have gained traction.
 
The latest version of the open source content management system is generally available.
 
Linux Kernel 'PKT_CTRL_CMD_STATUS' Invalid Pointer Dereference Denial of Service Vulnerability
 
Drupal Advanced Book Blocks HTML Injection and Cross Site Request Forgery Vulnerabilities
 
Cisco Wednesday announced the Videoscape platform for viewing video content from multiple sources.
 
Intel's new Sandy Bridge line of Core processors, officially unveiled today at CES, offer more speed, use less power and include integrated graphics.
 
French security researchers today confirmed the presence of a bug in Internet Explorer (IE) that's at the center of a spat between Microsoft and a Google security engineer.
 
AT&T today unveiled an inexpensive HTC Freestyle phone that runs the low-end Brew MP operating system.
 
Joomla! 'ordering' Parameter Cross-Site Scripting Vulnerability
 
Thanks to our reader Dan for getting this started. Here is a preliminary table of various Internet Explorer and Windows vulnerabilities that are as yet unpatched. Let me know if I forgot one. I originally planned to include some of the older issues, but none of them appears to be as relevant/serious as the issues in this list.

| CVE | Name | Release Date | Affected | Exploit and comments | Mitigation |
|---|---|---|---|---|---|
| no CVE | Use after free error within mshtml.dll | Jan 5th 2011 | IE 7, 8 | http://www.vupen.com/english/advisories/2011/0026 | |
| CVE-2010-3970 | Graphics Rendering Engine | Jan 4th 2011 | Windows XP/Vista (not: 7, 2008 R2) | Available | Disable shimgvw.dll; MSFT Advisory #2490606 |
| no CVE | WMI ActiveX Control | Dec 23rd 2010 | IE with WMI ActiveX Control installed | See this Websense blog for details | Set killbit on affected ActiveX control |
| CVE-2010-3971 | CSS Import Rule Processing Use-After-Free Vulnerability | Dec 14th 2010 | IE 6, 7, 8 | PoC available. Critical | Enhanced Mitigation Experience Toolkit; MSFT Advisory #2488013 |

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
More than 100 tablets using Intel's Oak Trail chips are being designed and some will start shipping in the first half of this year, Intel CEO Paul Otellini said at CES.
 
A judge has issued a preliminary injunction blocking the U.S. Department of the Interior from moving forward on a Microsoft-only cloud computing contract.
 
Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability
 
Motorola on Wednesday showed off a new Android phone that connects to a docking station that looks like a laptop but has no CPU, so that users can access a full physical keyboard and monitor.
 
Devices like e-readers, tablets and smartphones could get faster storage as early as next year with the new SD 4.0 media card specification, the SD Association said.
 
Some long-time Mac developers have reservations about Apple's Mac App Store, the online market set to launch Thursday.
 
AT&T is set to unveil multiple LTE devices this year and to complete work on a nationwide LTE deployment by 2013.
 
phpMyAdmin Error Page Cross Site Scripting Vulnerability
 
BlogEngine.NET 1.6 Multiple Vulnerabilities
 
Multiple CSRF Vulnerabilities in Openfire 3.6.4 Administrative Section
 
Tablets are the big news so far and we get ready for press conferences and the evening Microsoft keynote (6:30pm PST).
 
AT&T is set to unveil multiple LTE devices this year and complete work on a nationwide deployment by 2013.
 
NComputing is the only VDI solution of the three reviewed that provides its own virtualization layer -- no VMware, Citrix, or Microsoft hypervisor required. NComputing's vSpace is a virtualization application with an ultrasmall footprint that runs on any Windows XP or Windows Server 2003 host operating system. Much like Terminal Services, it carves up the underlying system's resources among multiple users, allowing a single computer to host as many as 30 simultaneous
 
Kaviza VDI-in-a-box comes closer than either Pano Logic or NComputing to being a one-size-fits-all desktop virtualization solution. It is also straightforward to deploy. Available as a preconfigured virtual machine, Kaviza installs into an existing VMware ESX/ESXi or Citrix XenServer infrastructure, and it provides connection brokering, load balancing, user access control, and guest VM management in a single browser-based console. It supports both Microsoft RDP and Citrix HDX
 
Among the threats that keep IT security managers up at night, attacks against phone systems have often ranked near the bottom. The last time we asked IT leaders about their telephony security plans, just 2% had experienced a security incident, and in almost all of these cases, the attack was internal misuse of phone systems for personal long-distance calls. Few had developed any sort of comprehensive security or risk analysis plan covering their voice systems.
 
Getting root, the hard way
 
Multiple XSS Vulnerabilities in Openfire 3.6.4 Administrative Section
 
[USN-1035-1] Evince vulnerabilities
 
[ MDVSA-2011:000 ] phpmyadmin
 
Over the holidays, I used some of the vacation and down time to reorganize my home network. Part of this was to update my network maps and figure out how many of my devices do not support IPv6. I do use IPv6 extensively at home, but even some recently purchased devices do not support it.
Another problem you have with IPv6 is finding all devices on your network. The standard and simplest way to do this (aside from passively listening) is to ping the all-hosts multicast address ff02::1. If you use auto-configured link-local addresses, you can also look for the EUI-64 (MAC address) derived IPv6 addresses.
The result: a shell script to run some of these scans for you [1].
The ipv6finder.sh script is currently tested on Linux and OS X. It will not work on Windows. It does require root access, as it uses arping for some of its tests (I could fix that, but I found the arping output to be more consistent between platforms than the arp command, which would also work with a normal ping).
Read the comments in the file for some more details. Also: at the top of the script there are some variables that you can use to point it to the right location for the various binaries it uses. Why bash and not perl... well, I started it in bash and it grew.
[1] http://johannes.homepc.org/ipv6finder.sh
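The EUI-64 part of the inventory technique above, as an added example that is not the ipv6finder.sh script and is written in Python rather than bash: a host that auto-configures its link-local address from its MAC (RFC 4291 Appendix A) flips the universal/local bit of the first octet and inserts ff:fe in the middle, so the MAC can be recovered from any responder to ff02::1 whose address carries that marker. The ping replies below are a constructed sample in the shape of ping6 output, not real output from any network; the third address is deliberately not EUI-64 derived (a privacy or manually assigned address), to show why a MAC-based inventory will miss such hosts.

```python
import ipaddress
import re
from typing import List, Optional, Tuple


def mac_to_eui64_link_local(mac: str) -> str:
    """Return the link-local address (fe80::/64) a host auto-configures from
    its MAC under SLAAC (RFC 4291 Appendix A): the 48-bit MAC is split in the
    middle, ff:fe is inserted, and the universal/local bit of the first octet
    is inverted."""
    octets = bytes(int(b, 16) for b in re.split(r"[:\-]", mac.strip().lower()))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


def eui64_to_mac(addr: str) -> Optional[str]:
    """Reverse mapping: if the interface identifier carries the ff:fe marker,
    return the MAC it was derived from, otherwise None (for example a manually
    assigned ::1 or an RFC 4941 privacy address, which reveal no MAC)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


# Constructed sample, shaped like replies to a ping of the all-nodes
# multicast address ff02::1 (not real output, not from ipv6finder.sh).
SAMPLE_PING_REPLIES = """\
64 bytes from fe80::1%eth0: icmp_seq=1 ttl=64 time=0.120 ms
64 bytes from fe80::a2b3:c4ff:fed5:e6f7%eth0: icmp_seq=1 ttl=64 time=0.455 ms (DUP!)
64 bytes from fe80::9d1e:4b2c:7f03:1a55%eth0: icmp_seq=1 ttl=64 time=0.600 ms (DUP!)
"""

# Address between "bytes from " and the colon, with an optional %zone suffix.
_REPLY_RE = re.compile(r"bytes from ([0-9a-f:]+)(?:%\S+)?:")


def inventory(ping_output: str) -> List[Tuple[str, Optional[str]]]:
    """Collect every responder, in order, together with the MAC recoverable
    from its address (None when the address is not EUI-64 derived)."""
    seen: List[Tuple[str, Optional[str]]] = []
    for line in ping_output.splitlines():
        m = _REPLY_RE.search(line)
        if m:
            addr = m.group(1)
            seen.append((addr, eui64_to_mac(addr)))
    return seen


if __name__ == "__main__":
    print("link-local for a0:b3:c4:d5:e6:f7 ->",
          mac_to_eui64_link_local("a0:b3:c4:d5:e6:f7"))
    for addr, mac in inventory(SAMPLE_PING_REPLIES):
        print(f"{addr:<32} MAC: {mac or '(not EUI-64 derived)'}")
```

On a real network the replies would come from something like `ping6 ff02::1%eth0` (the exact command and output format vary by platform, which is the consistency problem the post mentions for arping versus arp); the parser only needs the "bytes from <addr>" prefix. Hosts using privacy extensions show up as responders but yield no MAC, so a complete inventory still needs the neighbor cache or arping data the script collects.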
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 

Conference Series Targeting Technical Information Security Professionals ...
PRLog.Org (press release)
... one of the world's premier infosec event where the latest security threats are presented and debated, and vulnerabilities are disclosed and scrutinized. ...

 
Research finds preferences for iPhone and Android and recommends multidevice strategy, but sees trouble for Java ME.
 
A bug in the PHP scripting language could crash Web servers with large floating point numbers
 
Software application delivery teams must take a more strategic approach to application quality, according to a research paper from analyst house Forrester.
 
Oracle Java SE and Java for Business CVE-2010-3552 Remote New Java Plug-in Vulnerability
 
Earlier this week, Michal Zalewski of Google released cross_fuzz [1], a tool so far used internally at Google to identify browser bugs. While the tool is not specific to a particular browser, Google had a lot of success using it against Internet Explorer. It is no surprise that with the release of the tool, we see the release of new vulnerabilities. For example, today a Circular Memory References Use-after-free issue was uncovered in Internet Explorer [2]

[1] http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html

[2] http://www.vupen.com/english/advisories/2011/0026

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Qualcomm has entered into an agreement to purchase chip maker Atheros for $3.1 billion, or $45 per share, in cash, the company said on Wednesday.
 
Amazon is preparing to open an Android app store to compete with Google's Android Market, and has launched a beta portal where developers can submit applications for Android-based smartphones, according to a company blog post.
 
The Pano Express hardware and software bundle is a complete soup-to-nuts VDI deployment that can be up and running in less than an hour. Although Pano Express does rely on a third-party hypervisor -- either VMware ESX/ESXi or Microsoft Hyper-V -- the Pano system is far more than just a connection broker. Pano Manager provides complete lifecycle management of virtual desktops, while the Pano Direct protocol connects the zero-client Pano Devices directly to the guest virtual machines. Pano Express is a good solution for small to medium-sized installations -- as long as remote access to the virtual desktops via Web browser or thick client isn't required.
 
Check here for live blogging of Ballmer's presentation at the Consumer Electronics Show.
 
gif2png Remote Buffer Overflow Vulnerability
 
www.eVuln.com : "id" SQL Injection in WikLink
 
VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap
 
Plunging Through the Palo Alto Networks Firewall
 
Security researcher Michal Zalewski said his new cross_fuzz has helped identify about 100 bugs in prominent browsers that include Internet Explorer, Firefox and Opera.

 
We currently offer a course, DEV 304 Software Security Awareness [1], which introduces managers and junior developers to software security concepts. Right now, it covers the top 20 most common software weaknesses and threat modeling. But we are trying to improve the content and delivery of the course.
If you are developing software, or managing developers, please help us out by taking part in our survey.
http://www.surveymonkey.com/s/sansdev
And while we are talking surveys: We still have the annual ISC survey at http://www.surveymonkey.com/s/iscsurvey2011
[1] http://www.sans.org/appsec-2011/description.php?tid=1912
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Qualcomm has entered into an agreement to purchase chip maker Atheros for US$3.1 billion, or $45 per share, in cash, the company said on Wednesday.
 

Institutions Should Invest More in InfoSec
BankInfoSecurity.com (blog)
Here's a New Year's resolution every banker can appreciate: In 2011, the industry must embrace a stronger dedication to investments in fraud-detection and ...

 
VMware today released Security Advisory VMSA-2011-0001 [1], and also updated two of last year's security advisories [2], [3].
The update patches glibc, sudo and openldap, which are used as part of VMware ESX. The vulnerabilities could be used to escalate privileges if a user has access to the VMware console, or to launch a denial of service attack.

| Component | CVE Number | CVSS Base Score | Access |
|---|---|---|---|
| glibc | CVE-2010-3847 (not yet released) | - | - |
| glibc | CVE-2010-3856 (not yet released) | - | - |
| sudo | CVE-2010-2956 | 6.2 Medium | local |
| openldap | CVE-2010-0211 | 5.0 Medium | network |
| openldap | CVE-2010-0212 | 5.0 Medium | network |

[1] http://www.vmware.com/security/advisories/VMSA-2011-0001.html

[2] http://www.vmware.com/security/advisories/VMSA-2010-0017.html

[3] http://www.vmware.com/security/advisories/VMSA-2010-0016.html

------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Wireless technology provider Qualcomm is in advanced talks to acquire Atheros Communications, a major vendor of Wi-Fi chips, according to news reports.
 
Micro-Star International (MSI) on Tuesday unveiled some of the first laptops and motherboards with Intel's latest microprocessor family, formerly codenamed "Sandy Bridge," on board.
 
Motion Computing on Tuesday showed off a Windows tablet with Intel's upcoming Oak Trail chip package, which is highly power efficient and has strong multimedia capabilities, a company executive said.
 
Microsoft and a Google security engineer are sparring over a bug the researcher reported to Microsoft last July.
 
With as many as 100 different models of tablet computers from dozens of makers expected to be on display at the Consumer Electronics Show (CES) this week, market consolidation is a certainty.
 
Three low-cost, low-fuss VDI solutions prove that desktop virtualization is within anyone's reach
 
At a time when IT is supposed to be getting easier to manage, more people are calling help desks for assistance than ever before, according to a new study.
 
OpenLDAP 'modrdn' Request Multiple Vulnerabilities
 
Toshiba will join the tablet race later this year with an Android-powered computer based on an Nvidia Tegra processor.
 