Hackin9

Help Net Security

A call to arms for infosec professionals
by Brian Honan - CEO BH Consulting - Wednesday, 10 April 2013. An old saying says “nature abhors a vacuum,” meaning that in the absence of something nature will find a way of filling that gap.

 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

DSD's top 4 infosec strategies now mandatory for Aust govt
ZDNet
In particular, Infosec 4 requires that all agencies document and implement procedures and measures to protect their systems and networks, and specifically notes that it "includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber ...

 
Keeping track of all the online videos you want to watch can be a challenge...especially if you're not always in front of your PC. Sometimes, you see a video while you're on your computer, but you just can't remember what or where it is by the time you launch the browser on your smartphone. Enter DivX Stash, introduced at Mobile World Congress. This free service helps you create a queue of videos that you can watch later, either on your PC or mobile device. It's a very handy tool, and one that works well--most of the time.
 
It would be an understatement to say there are some New Zealanders who don't completely trust our government. There are probably more who have not yet completely overcome their mistrust of ICT.
 
Apple's iMessage and Facetime messaging systems have been hit with a glitch that has taken the services offline for several hours.
 
Mobile phone apps are accessing users' private data and transmitting it to remote servers far more than appears strictly necessary, while users have inadequate tools to monitor or control such access, according to a new study by two French government agencies.
 
RETIRED: Microsoft April 2013 Advance Notification Multiple Vulnerabilities
 
[ MDVSA-2013:092 ] imagemagick
 
[ MDVSA-2013:090 ] argyllcms
 
Oracle is planning to release a series of applications that take advantage of in-memory computing, a move that will up the competitive ante between itself and SAP.
 
Red Hat has revised its JBoss Data Grid software package, which now offers the ability to replicate copies of data across different data centers, and also comes with a number of other new features that can limit downtime.
 
CompTIA's second annual Trends in Mobility study found that 64% of companies allow, or mandate, the use of employee-owned devices, with most stating that improving productivity is the main driver.
 
System administrators and IT security pros can take bit of a breather: Microsoft has issued a comparatively light set of patches for this edition of its monthly release of software vulnerability fixes.
 

Microsoft Accounts—the credentials used for Hotmail, Outlook.com, the Windows Store, and other Microsoft services—will soon offer two-factor authentication to ensure that accounts can't be compromised through disclosure of the password alone.

Revealed by LiveSide, the two factor authentication will use a phone app—which is already available for Windows Phone, even though the two-factor authentication isn't switched on yet—to generate a random code. This code must be entered alongside the password.

For systems that are used regularly, it's possible to disable the code requirement and allow logging in with the password alone. For systems that only accept passwords, such as e-mail clients, it appears that Microsoft will allow the creation of one-off application-specific passwords.


 
RETIRED: Multiple HP Products Multiple Unspecified Remote Security Vulnerabilities
 
Apache CXF CVE-2012-5633 Security Bypass Vulnerability
 
[ MDVSA-2013:091 ] icecast
 
[ MDVSA-2013:089 ] icclib
 
[ MDVSA-2013:087 ] firefox
 
[ MDVSA-2013:086 ] groff
 
The proposed California Right to Know Act may compel CISOs to develop additional privacy policies or create new privacy officer roles.

 
Google has released what it calls a 'fresh look' for Google Play, with a goal of making a purchase quick and easy.
 
Microsoft today launched a third wave of 'Scroogled,' its attack ad-based campaign aimed at Google, this time highlighting what it said were privacy flaws in the latter's Android app store.
 
Google Fiber with gigabit speeds will be coming to homes in Austin, Texas, by mid-2014, Google announced today.
 
Rural telecom and broadband providers in the U.S. face big challenges in connecting their most remote customers, as the U.S. Federal Communications Commission transitions away from old telephone subsidies, a group of providers told lawmakers.
 

Some versions of a popular Wi-Fi router sold under the Linksys brand expose users to a variety of exploits that allow remote attackers to take full control of the devices, a security expert said.

The most severe of the vulnerabilities in the "classic firmware" for the Linksys EA2700 Network Manager is a cross-site request forgery weakness in the browser-based administration panel, according to Phil Purviance, an information security specialist at AppSec Consulting. He said routers running the software also don't require the current password to be entered when the passcode is changed. By exploiting the two weaknesses together, attackers can take full control of the router by luring anyone connected to it to a booby-trapped website. Malicious JavaScript in the end-user's browser resets the password and turns on remote management capabilities. The attacker can then gain administrative privileges over the device.

"If you have this router on your network and you browse [a] malicious website, five seconds later your router now has a new password and is available from the Internet," Purviance told Ars. "So [an attacker] can just log into it as if [he] was on your network." From there, an attacker could do anything a normal administrator could do, including installing a version of the device firmware that contains a backdoor and changing settings to use malicious domain name lookup servers. The security consultant documented more of his findings in a recently published blog post.
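The two weaknesses the article pairs, a password change that is not tied to the admin page the user is actually looking at and one that does not ask for the current password, are easiest to see side by side. The block below is an added example built for this page, not the Linksys firmware or any code from Purviance's research; the 192.168.1.1 address, the handler names and the request data are constructed. It models the vulnerable handler beside a hardened one and replays the article's scenario (a logged-in user whose browser submits a form from another site) against both.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example: a minimal model of a router's browser-based admin panel.
# Constructed for illustration; not the Linksys firmware. All names are hypothetical.

@dataclass
class Request:
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)  # attached by the browser, even cross-site
    form: Dict[str, str] = field(default_factory=dict)     # chosen by whichever page submitted the form
    origin: Optional[str] = None                           # Origin header: set by the browser, not the page

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AdminPanel:
    SITE = "http://192.168.1.1"  # constructed router address

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash_pw(password, self._salt)
        self._sessions: Dict[str, str] = {}  # session id -> CSRF token issued to that session
        self.remote_management = False

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash, _hash_pw(password, self._salt))

    def login(self, password: str) -> Optional[Tuple[str, str]]:
        """On success returns (session cookie, CSRF token). The token is embedded in the
        admin page's HTML, which another origin cannot read; the cookie alone says
        nothing about which page built the request."""
        if not self.check_password(password):
            return None
        sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._sessions[sid] = token
        return sid, token

    def _apply(self, req: Request) -> str:
        self._pw_hash = _hash_pw(req.form["new_password"], self._salt)
        self.remote_management = req.form.get("remote_management") == "on"
        return "changed"

    def change_password_vulnerable(self, req: Request) -> str:
        """The weakness the article describes: only the session cookie is checked and the
        current password is not required, so any page the logged-in user visits can
        submit this form on their behalf."""
        if req.method != "POST" or req.cookies.get("session") not in self._sessions:
            return "denied: no session"
        return self._apply(req)

    def change_password_hardened(self, req: Request) -> str:
        """Same operation with three independent checks a cross-site page cannot satisfy."""
        sid = req.cookies.get("session")
        if req.method != "POST" or sid not in self._sessions:
            return "denied: no session"
        if req.origin is not None and req.origin != self.SITE:
            return "denied: cross-site origin"
        if not hmac.compare_digest(self._sessions[sid], req.form.get("csrf_token", "")):
            return "denied: missing or wrong CSRF token"
        if not self.check_password(req.form.get("current_password", "")):
            return "denied: current password required"
        return self._apply(req)

def simulate() -> Dict[str, str]:
    """Replays the article's scenario against both handlers (constructed data)."""
    results: Dict[str, str] = {}
    forged_form = {"new_password": "chosen-elsewhere", "remote_management": "on"}

    # 1. Vulnerable handler: the user is logged in, then visits an unrelated site whose
    #    page auto-submits a POST to the router. The browser adds the session cookie.
    panel = AdminPanel("original-secret")
    sid, _ = panel.login("original-secret")
    forged = Request("POST", cookies={"session": sid}, form=dict(forged_form), origin="http://other.example")
    results["vulnerable"] = panel.change_password_vulnerable(forged)
    results["vulnerable_remote_management"] = str(panel.remote_management)

    # 2. Hardened handler, identical forged request against a fresh panel.
    panel = AdminPanel("original-secret")
    sid, token = panel.login("original-secret")
    forged.cookies = {"session": sid}
    results["hardened_with_origin"] = panel.change_password_hardened(forged)
    forged.origin = None  # a client that omits Origin still fails on the token
    results["hardened_no_origin"] = panel.change_password_hardened(forged)

    # 3. Legitimate change submitted from the admin page itself.
    legit = Request("POST", cookies={"session": sid}, origin=AdminPanel.SITE,
                    form={"csrf_token": token, "current_password": "original-secret",
                          "new_password": "new-secret"})
    results["hardened_legitimate"] = panel.change_password_hardened(legit)
    results["new_password_accepted"] = str(panel.check_password("new-secret"))
    return results
```

The three checks are deliberately independent: the Origin check fails open for clients that omit the header, the token check then catches them, and requiring the current password means that even a token leak does not let someone who never knew the password set a new one. A SameSite attribute on the session cookie is a further layer, but it is enforced by the browser, so the server-side checks still have to be there.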


 
[ MDVSA-2013:081 ] gegl
 
Microsoft SharePoint CVE-2013-1289 HTML Injection Vulnerability
 
Microsoft Windows CSRSS CVE-2013-1295 Local Privilege Escalation Vulnerability
 
[ MDVSA-2013:083 ] glib2.0
 
[ MDVSA-2013:082 ] gimp
 

Overview of the April 2013 Microsoft patches and their status.

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS13-028: The usual monthly MSIE cumulative patch, adding fixes for two more vulnerabilities. Both are use-after-free memory management issues and both allow arbitrary code execution. Replaces MS13-021. | MSIE: CVE-2013-1303, CVE-2013-1304 | KB2817183 | No publicly known exploits | Severity: Critical; Exploitability: 2 | Critical | Important |
| MS13-029: A memory management problem with the Remote Desktop Connection ActiveX control allows arbitrary code execution. Replaces MS09-044 and MS11-017. | RDP: CVE-2013-1296 | KB2828223 | No publicly known exploits | Severity: Critical; Exploitability: 1 | Critical | Important |
| MS13-030: A vulnerability in the default access control lists (ACLs) that SharePoint applies to lists allows unauthorized access to lists on a SharePoint server. | SharePoint: CVE-2013-1290 | KB2827663 | Microsoft claims the vulnerability CVE-2013-1290 was publicly disclosed. | Severity: Important; Exploitability: 3 | N/A | Important |
| MS13-031: Two kernel race conditions allow privilege escalation and read access to kernel memory. Replaces MS13-017. | Kernel: CVE-2013-1284, CVE-2013-1294 | KB2813170 | No publicly known exploits | Severity: Important; Exploitability: 2 | Important | Important |
| MS13-032: A denial of service vulnerability exists in the LDAP services provided by Active Directory. Also affects services such as ADAM and AD LDS. | Active Directory: CVE-2013-1282 | KB2830914 | No publicly known exploits | Severity: Important; Exploitability: 3 | N/A | Important |
| MS13-033: A memory corruption vulnerability in CSRSS (Client/Server Runtime SubSystem) allows privilege escalation to the context of the local system and/or denial of service. Replaces MS12-003. | CSRSS: CVE-2013-1295 | KB2820917 | No publicly known exploits | Severity: Important; Exploitability: 3 | Important | Important |
| MS13-034: Improper path names used by the Microsoft Anti-malware Client (MSAC) allow privilege escalation to the LocalSystem account. Affects Windows Defender on Windows 8 and Windows RT. The update also contains functional updates. | MSAC: CVE-2013-1285, CVE-2013-1286, CVE-2013-1287 | KB2823482 | No publicly known exploits | Severity: Important; Exploitability: 1 | Important | Less Urgent |
| MS13-035: HTML validation is not done properly in Microsoft Office (InfoPath), SharePoint Server, Groove Server and SharePoint Foundation, resulting in what looks like an XSS exploit that leads to privilege escalation. Replaces MS12-066. | HTML sanitization: CVE-2013-0078 | KB2821818 | Microsoft claims limited, targeted attacks against the vulnerability. | Severity: Important; Exploitability: 3 | N/A | Important |
| MS13-036: Multiple vulnerabilities in the Windows kernel mode drivers allow privilege escalation and read access to kernel memory as well as denial of service. Replaces MS13-016. | Kernel Mode Drivers: CVE-2013-1283, CVE-2013-1991, CVE-2013-1292, CVE-2013-1293 | KB2829996 | No publicly known exploits | Severity: Important; Exploitability: 1 | Important | Important |

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY


(*): ISC rating


We use 4 levels:


PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.

Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.

Important: Things where more testing and other measures can help.

Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.



The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment, the usage of the machine, and the common measures people typically have in place already. The measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word, etc. for traditional office or leisure work.

The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.

Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.

All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.


(**): Where Microsoft assigns several exploitability ratings to one bulletin, the rating we show is the worst of them.


--

Swa Frantzen -- Section 66
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Adobe released their April 2013 Black Tuesday bulletins:

| # | Affected | CVE | Adobe rating |
|---|---|---|---|
| APSB13-10 | ColdFusion | CVE-2013-1387, CVE-2013-1388 | Important |
| APSB13-11 | Flash Player and AIR | CVE-2013-1378, CVE-2013-1379, CVE-2013-1380, CVE-2013-2555 | Critical |
| APSB13-12 | Shockwave Player | CVE-2013-1383, CVE-2013-1384, CVE-2013-1385, CVE-2013-1386 | Critical |

--

Swa Frantzen -- Section 66
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

GovInfoSecurity.com

Addressing the InfoSec Staffing Crisis
The IT security industry faces a major staffing crisis, according to the latest research. But what can schools, businesses and industry associations actually do to start addressing the problem? The new Global Information Security Workforce Study from ...

 
The unemployment rate for people at the heart of many tech innovations, electrical engineers, rose sharply in the first quarter of this year. The reasons for this spike aren't clear, but the IEEE-USA says the increase is alarming.
 
Microsoft isn't fooling anyone by hiding behind a trade group to complain to European antitrust regulators about Google and its Android mobile operating system, a legal expert said today.
 
Several Canadian retailers and wireless carriers began taking pre-orders for the BlackBerry Q10 qwerty smartphone, although there was no word on when the phones would be available.
 
Two decades ago, Novell's network operating system software was almost ubiquitous in the enterprise. Now, its current president wants to restore Novell to a similar level of prominence.
 
Google will roll out its second city fiber network in Austin, Texas, offering gigabit-speed Internet and TV along with free basic broadband on plans similar to those in Kansas City, Missouri and its twin city in Kansas.
 
The war on smartphones at concerts and other live events seems unending.
 
Last autumn, Avira users updating from Windows 7 to Windows 8 found themselves facing the blue screen of death and having to manually uninstall the anti-virus software. The compatibility problems are now said to have been resolved.


 
Zimbra 'aspell.php' Cross Site Scripting Vulnerability
 
[ MDVSA-2013:076 ] emacs
 
[ MDVSA-2013:075 ] elinks
 
[ MDVSA-2013:074 ] drupal
 
[ MDVSA-2013:073 ] dokuwiki
 
"It sounds like a cliché, but the information on the package is as important as the delivery of that package," says Praveen Sashi, Head of IT, DHL Express, as he explains that the IT department of the world's most successful logistics company is pivotal to how it operates.
 
Microsoft Office has long been the gold standard for creating, editing, and formatting serious documents. Google Docs and other Web-based competitors, however, have outpaced Office by making it easy to share and co-edit documents in real time.
 
Kickstarter might be the poster child of crowdfunding, but the space is vastly larger than you might imagine. And according to a recent report, it's ballooning like crazy.
 
Salesforce.com is giving customers and partners access to a new set of tools and services for building mobile applications on its cloud platform.
 
Recent developments could portend the demise of National Security Letters, which allow the FBI to get private customer information without a judge's approval.
 
To further its concentration on software-defined data centers, hybrid clouds and end-user computing, VMware has sold the Protect product family to LANDesk.
 
The FairSearch coalition, whose members include Microsoft, Nokia and Oracle, has filed a complaint with the European Commission against Google and Android, saying that the company is using the OS as a Trojan horse to deceive partners and monopolize the mobile marketplace.
 
There are many circumstances that can result in your data falling into the hands of a third-party provider, such as vendor acquisitions, mergers, or outsourcing to SaaS. The risks surrounding data in the cloud will rise and fall significantly depending on whether your business is on top of the regulations regarding data ownership.
 
It used to be so simple. A new employee joined your organisation and you gave them a laptop, which was entirely under your control.
 
LinuxSecurity.com: Updated gimp packages fix security vulnerabilities: An integer overflow flaw, leading to a heap-based buffer overflow, was found in the GIMP's GIF image format plug-in. An attacker could create a specially-crafted GIF image file that, when opened, could [More...]
 
LinuxSecurity.com: Updated gegl packages fix security vulnerability: An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way the gegl utility processed .ppm (Portable Pixel Map) image files. An attacker could create a specially-crafted .ppm file [More...]
 
LinuxSecurity.com: Updated ganglia packages fix security vulnerability: There is a security issue in Ganglia Web going back to at least 3.1.7 which can lead to arbitrary script being executed with web user privileges possibly leading to a machine compromise. [More...]
 
LinuxSecurity.com: Updated ffmpeg packages fix security vulnerabilities: h264: Add check for invalid chroma_format_idc (CVE-2012-0851) h263dec: Disallow width/height changing with frame threads [More...]
 
LinuxSecurity.com: Updated fail2ban package fixes security vulnerability: fail2ban before 0.8.8 didn't escape the content of <matches> (if used in custom action files), which could cause issues on the system running fail2ban as it scans log files, depending on what content is matched, [More...]
 
LinuxSecurity.com: Updated ettercap package fixes security vulnerability: The GTK version of ettercap uses a global settings file at /tmp/.ettercap_gtk and does not verify ownership of this file. When parsing this file for settings in gtkui_conf_read() [More...]
 
LinuxSecurity.com: Several security issues were fixed in the kernel.
 
LinuxSecurity.com: Updated gnome-keyring package fixes security vulnerability: gnome-keyring seems to obey the configuration asking it to stop caching passphrases, but after a while it doesn't cache nor does it ask for the passphrase (CVE-2012-3466). [More...]
 
LinuxSecurity.com: Updated glib2.0 packages fix security vulnerability: It was discovered that the version of glib shipped with MBS 1 does not sanitise certain DBUS related environment variables. When used in combination with a setuid application which utilises dbus via [More...]
 
The easy upgrades to Windows XP have already been done, migration experts said, predicting that a large number of enterprises will still be running the aged OS a year from now.
 
WD subsidiary HGST today released the world's first 12Gbps SAS and Fibre Channel SSD line, which sport top speeds of 1,200MB/s.
 
Akamai Technologies demonstrated a prototype second-screen system that presents complementary content on a smartphone or tablet that is synchronized with what's happening on the main television screen.
 
Tata Consultancy Services is to acquire French IT services company Alti in a bid to increase its presence in the European market.
 
A privacy watchdog has filed a lawsuit contending the U.S. Federal Bureau of Investigation has failed to provide requested technical information about a biometric identification database expected to be the largest in the world.
 
Plenty of developers would love to be able to take advantage of Siri in their own apps. Alas, that's a significant technical challenge. Here's why.
 

Posted by InfoSec News on Apr 09

http://news.cnet.com/8301-1009_3-57578567-83/u.s-air-force-designates-six-cyber-tools-as-weapons/

By Steven Musil
CNET News
April 8, 2013

Six cyber tools have been designated as weapons by the U.S. Air Force,
allowing the programs to better compete for increasingly scarce Pentagon
funding, an Air Force official said on Monday.

Lt. Gen. John Hyten, vice commander of Air Force Space Command, told a
cyber conference held in conjunction with...
 

Posted by InfoSec News on Apr 09

http://www.forbes.com/sites/brucerogers/2013/04/08/current-state-of-cyber-security-more-concern-over-facebook-than-credit-cards/

By Bruce Rogers
Forbes Staff
4/08/2013

With all of the recent corporate hacking scandals, Forbes Insights
decided to take a look at the most influential brands and individuals
currently involved in cyber security conversations. We noticed a few
interesting themes from evaluating influencer data (see infographic...
 

Posted by InfoSec News on Apr 09

http://news.techworld.com/security/3440950/sql-injection-flaws-easy-find-exploit-veracode-report-finds/

By John E Dunn
Techworld
08 April 2013

The software industry’s inability to reduce the number of security flaws
in its code is fuelling an age of the ‘everyday hacker’, criminals who
can exploit vulnerabilities with a minimum of technical skills, security
testing firm Veracode's latest State of Software Security (SoSS) report
(reg...
 

Posted by InfoSec News on Apr 09

http://www.israelnationalnews.com/News/News.aspx/166898

By Chana Ya'ar
Arutz Sheva
4/8/2013

As hackers worldwide continue their assault against Israeli websites, a
systems analyst explains what's happening and offers advice on how to
avoid an onslaught.

The Israel Security Agency (Shin Bet) explained Monday the cyber storm
against Israeli websites that began Saturday is continuing, but
government and high-security sites are well...
 

Posted by InfoSec News on Apr 09

http://www.foreignaffairs.com/articles/139139/zachary-k-goldman/washingtons-secret-weapon-against-chinese-hackers

By Zachary K. Goldman
Foreign Affairs
April 8, 2013

“The tide of war is receding,” U.S. President Barack Obama proclaimed in
October 2011, announcing the impending conclusion of the war in Iraq. In
the year and a half since, however, the tide of a new type of conflict
has been rising -- one that takes place not on land, in...
 
MantisBT 'adm_config_report.php' HTML Injection Vulnerability
 