(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

All of the pretty MS-DOS virus colors. (credit: Archive.org)

Archive.org has gone to great lengths to preserve and host dated software, but up until last week, its vast collection of classic games and MS-DOS executables skewed toward the overly safe side. Sure, you could run the original Oregon Trail—even on your web browser, through a DOSBOX emulator—and burden virtual pioneers with dysentery, but what about acquiring an actual virus?

That changed on Friday with the site's unveiling of the Malware Museum, a website collection of 78 viruses from the MS-DOS era of the late '80s and early '90s, all ready to either launch on a DOSBOX web browser emulator or be downloaded to your hard drive. Before you fret about some kind of crazy dated-virus outbreak, know that Archive.org went to the trouble of "defanging" every virus in its collection.

The "museum" began to take shape when longtime Finnish computer security expert Mikko Hypponen offered his personal collection of roughly 30 viruses, which he'd already disassembled to remove their drive-destructive capabilities, to Archive.org software curator Jason Scott. "He contacted me a week ago, out of the blue, asking if I wanted to do anything with this collection [of viruses]," Scott said in a phone interview with Ars. "I just put them all up and said, 'Yes, I like it, and I already put them all up [on the site]!'"

Read 5 remaining paragraphs | Comments


Today, the Obama administration released the president's Cybersecurity National Action Plan (CNAP), a set of executive actions and budget requests that seeks to fix federal agencies' information security woes. The plan aims to spur broader efforts to protect citizens' privacy and the security of the nation's businesses and infrastructure from criminals and other threats. And it starts off by creating a commission to figure out how to do that.

The Federal government's information security posture, as demonstrated by the Office of Personnel Management breach last year, is at best antiquated and at worst horrific in its inadequacy. The CNAP looks to rapidly infuse money into efforts to modernize the decrepit information security systems at agencies such as the Social Security Administration, which as President Obama wrote in an op-ed piece published today by the Wall Street Journal, "uses systems and code from the 1960s. No successful business could operate this way.”

To make the fixes, the Obama administration is asking for over $19 billion in spending scattered across the proposed 2017 budget and is making a number of immediate moves that require funding now—$3.1 billion for an Information Technology Modernization Fund and to pay a new Federal Chief Information Security Officer (with a salary of between $123,175 and $185,100 a year, Top Secret/SCI clearance required—apply by February 26 if interested).

Read 4 remaining paragraphs | Comments


Enlarge (credit: vulnsec.com)

Camtasia, uTorrent, and a large number of other Mac apps are susceptible to man-in-the-middle attacks that install malicious code, thanks to a vulnerability in Sparkle, the third-party software framework the apps use to receive updates.

The vulnerability is the result of apps that use a vulnerable version of Sparkle along with an unencrypted HTTP channel to receive data from update servers. It involves the way Sparkle interacts with functions built into the WebKit rendering engine to allow JavaScript execution. As a result, attackers with the ability to manipulate the traffic passing between the end user and the server—say, an adversary on the same Wi-Fi network—can inject malicious code into the communication. A security engineer who goes by the name Radek said that the attack is viable on both the current El Capitan Mac platform and its predecessor Yosemite.

Here's a video showing a proof-of-concept attack performed against a vulnerable version of the Sequel Pro app:

Read 5 remaining paragraphs | Comments


APSB16-03: Adobe Photoshop CC and Bridge CC

3 critical vulnerabilities that could lead to code execution with a priority rating of 3 (low): CVE-2016-0951, CVE-2016-0952, CVE-2016-0953. You may have to download the updates directly from Adobe as they will not show up in Creative Cloud Packager!

APSB16-04: Adobe Flash Player

22 critical vulnerabilities that could lead to code execution. The priority rating is 1 for Flash Player (including the Flash Player embedded in Chrome/Edge/Internet Explorer 11) .

APSB16-05: Adobe Experience Manager

4 important vulnerabilities that could lead to information disclosure. This includes fixes for the Java deserialization issues.

APSB16-07: Adobe Connect

3 important vulnerabilities that lead to input validation and content spoofing issues. (including cross siterequest forgery). The priority rating for this update is 1 (low).

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Overview of the February 2016 Microsoft patches and their status.

soft Edge
CVE-2016-0077,CVE-2016-0080,">Critical: Anything that needs little to become interesting">Less Urt practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threatatches.

  • ---
    Johannes B. Ullrich, Ph.D.

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
    Privilege escalation Vulnerability in ManageEngine Network Configuration Management
    # Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
    clients servers
    MS16-009 Cumulative Security Update for Internet Explorer (Replaces MS16-001 )

    Internet Explorer

    Cumulative Security Update for Microsoft Edge (Replaces KB3124266 )

    CSO Online

    CyberTech – The Golden Globes of information security
    CSO Online
    Using that analogy, and with some license, the CyberTech conference in Tel Aviv may be the Golden Globes with the RSA Security Conference in San Francisco being the Oscar's of information security. Strictly speaking, CyberTech would be the Israeli ...


    Oracle released an emergency update for Java [1]. The nature of the flaw, and how the update fixes the flaw, is somewhat obscured. According to Oracles advisory, the user would first have to install malicious software, then install Java. So it doesnt appear to be exploitable on any system that has Java already installed. The Oracle advisory also states that an exploit is complex.

    At this point, I dont see a compelling reason to rush out this patch. Deal with it as part of your regular patch process. Some of the Microsoft patches to be released later today are likely more important.


    Johannes B. Ullrich, Ph.D.

    (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

    Information Security Heavy-Hitters Join Peerlyst SecureDrop Review Board
    PR Newswire (press release)
    9, 2016 /PRNewswire/ -- Peerlyst, the preeminent information security community, announced the lineup of InfoSec journalists and experts to review vulnerabilities and breaches coming in via Peerlyst SecureDrop, a Tor network site for anonymously ...

    and more »
    [SECURITY] [DSA 3471-1] qemu security update
    [slackware-security] libsndfile (SSA:2016-039-02)
    [slackware-security] curl (SSA:2016-039-01)
    [SECURITY] [DSA 3472-1] wordpress security update

    CSO Australia

    ​Surviving infosec's perfect storm
    CSO Australia
    Enterprise security is very complex and constantly changing. Gigamon's CEO Paul Hooper says “Security is one of the most interesting attributes of enterprise infrastructure”. Reflecting back over the past decade, Hooper says security is evolving faster ...

    Internet Storm Center Infocon Status