InfoSec News

ICCLIB CVE-2012-4405 Out-of-Bounds Memory Write Remote Code Execution Vulnerability
Intel on Tuesday said it was on track to launch the next-generation Itanium processor later this year, brushing away any speculation that the processor would reach its end of life in the near future.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
In his first public appearance since Facebook's sluggish IPO, company co-founder and CEO Mark Zuckerberg called their stock performance "disappointing."
Two important bulletins were issued in Microsoft's September 2012 Patch Tuesday.
GoDaddy CEO Scott Wagner said the disruption was caused by an internal network glitch.
To get executive buy-in, the retailer's risk management program architect had to define success and make sure everyone could speak the same language.

Pakistan establishes infosec department for national database
Infosecurity Magazine

Hewlett-Packard's lawsuit against Oracle over the latter's decision to halt future software development for Itanium will enter its second phase on Feb. 4, 2013, in front of a jury that will determine whether Oracle breached a contract and what damages it may owe.
The Windows Store, a new online marketplace for applications for Windows 8 and Windows RT computers, is now open to developers in 120 geographic markets.
Imagine a smartphone that can go weeks without needing its battery recharged.
Google announced this week that it would discontinue support for its branded pre-paid card in Google Wallet on Oct. 17, and urged customers to take steps to ensure they recover all their funds in a timely manner.
libexif Multiple Remote Vulnerabilities
The battery life of ultrabooks will nearly double with Intel's upcoming processors based on the Haswell microarchitecture, which will succeed processors code-named Ivy Bridge, Intel executives said on Tuesday.
Salesforce.com is getting ready to roll out a competing product to popular file-sharing and online storage service Dropbox as well as an identity management system that could rival companies like Okta, CEO Marc Benioff revealed Tuesday during an onstage interview at the TechCrunch Disrupt conference in San Francisco.
In the offseason, several NFL teams moved their coveted playbooks to electronic form on iPads. They are relying heavily on iOS security to protect their team secrets. Could somebody hack into an iPad and steal a playbook? Well, it depends on how well the overall security framework is set up around iOS and the applications involved in reading the playbook.
Microsoft today said it would update Flash on Windows 8 'shortly,' although it declined to set a timetable.
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2012-3958 Use-After-Free Memory Corruption Vulnerability
FreeRADIUS Multiple Stack Based Buffer Overflow Vulnerabilities
Cisco AnyConnect Secure Mobility Client Downgrade Security Weaknesses
Downgrade rights will be critical to Windows 8's acceptance in the enterprise, but if they're exercised by consumers, it's a sign Microsoft's newest OS has pulled a "Vista," analysts said today.
libguac Remote Buffer Overflow Vulnerability
Sencha Complete Team bundles existing tools with an Eclipse plug-in, a desktop application packager, and data connectors
Voice interaction will be available in ultrabooks starting in the fourth quarter, an Intel executive said Tuesday.
Mcrypt Stack Based Buffer Overflow Vulnerability
Nullsoft Winamp 'gen_ff.dll' Buffer Overflow Vulnerability
VUPEN - Mozilla Firefox "nsHTMLEditRules" Remote Use-after-free (CVE-2012-3958 / MFSA 2012-58)
Microcosmic warfare plots a course for cuteness in Amoebattle's pastel world of Pokémon-like critters, but don't be easily fooled. The colorful real-time strategy offering from Grab Games boasts a brisk challenge to match its enticing gameplay.
Corrupted router tables, not malicious protesters, were the culprits behind Monday's widespread outage of GoDaddy's Internet registrar and hosting services, the company reported.
The U.S. Federal Trade Commission has begun mailing 93,086 refund checks totaling nearly $2.3 million to consumers who were allegedly charged hidden fees by a fake work-at-home service that used Google's name to advertise.
VUPEN - Microsoft Windows Common Controls MSCOMCTL.OCX Use-after-free (CVE-2012-1856 / MS12-060)
VUPEN - Adobe Flash Player "Matrix3D" Integer Overflow Code Execution (APSB12-19)
ESA-2012-029: RSA BSAFE® SSL-C Multiple Vulnerabilities
Multiple vulnerabilities in Ezylog photovoltaic management server
Overview of the September 2012 Microsoft patches and their status.

Columns tracked for each bulletin: Affected; Contra Indications - KB; Known Exploits; Microsoft rating(**); ISC rating(*)

XSS in Visual Studio Team Foundation Server
  Affected: Visual Studio
  Contra Indications - KB: KB 2719584
  Microsoft rating(**): Exploitability: 1

System Center Configuration Manager (SCCM) Elevation of Privileges via Cross Site Scripting
  Contra Indications - KB: KB 2741528
  Microsoft rating(**): Exploitability: 1

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment of the machine and the common measures people typically already have in place. For servers we presume simple best practices, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of the ratings Microsoft assigns, since Microsoft assigns too many separate ratings to some of the patches to list them all.


Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
The website hosting and registrar released no details about its massive outage on Monday.
Samsung is thinking of filing a lawsuit against Apple over the next iPhone, possibly arguing that the device infringes on Samsung's LTE wireless patents, according to unnamed industry sources quoted by a Korean newspaper.
Just a day before Apple is expected to launch a new iPhone, Google today released its first iOS YouTube app.
VMware's new, Flash-based Web management GUI is easy to like, but it comes with a few gotchas
[PRE-SA-2012-06] FreeRADIUS: Stack Overflow in TLS-based EAP Methods
Wordpress Download Monitor - Download Page Cross-Site Scripting
When I first encountered the SpiderOak backup-service a few years ago, I found myself imagining that a marvelous alien species had designed it to teach us about their culture. It's a little more explicable these days, even as the company has built out its synchronization and sharing components on top of the backup component.
Upcoming smartphones and tablets will charge much more quickly with new micro-USB 3.0 ports, the USB standards-setting organization said on Tuesday.
[SE-2012-01] Security vulnerabilities in IBM Java
[ MDVSA-2012:150 ] java-1.6.0-openjdk
Samsung Electronics will start selling the souped-up LTE version of the Galaxy S III in the Nordic countries during the fourth quarter, the company said on Monday.
RocketTheme RokModule Joomla! Component 'moduleid' Parameter SQL Injection Vulnerability
RocketTheme RokModule Joomla! Component 'module' Parameter SQL Injection Vulnerability
Apple supplier Foxconn has denied forcing vocational school students in China to work at its factories, following claims that the students must remain employed at the company or lose school credit.
Citrix Systems has acquired New Zealand-based company Beetil, in an effort to expand the capabilities of its remote support offering GoToAssist, the company said on Monday.
Germany's Federal Commissioner tasked with reviewing the government's privacy policies has criticised the Federal Trojan used by the country's police. The commissioner was not able to gain access to the software's source code

The source of the million Apple device unique device identifiers has now been tracked down to a US publisher of digital book and magazine applications

Advances in accessible interfaces -- especially by Apple -- have been beneficial for the blind, but the Web remains a minefield of accessibility problems.
Web hosting service GoDaddy has suffered massive service disruptions. A hacker claiming to speak for Anonymous had claimed responsibility for the outage but this was later disputed by other members of the collective

Sony said Tuesday a new version of its popular "Personal 3D Viewer" head-mounted display, which wraps around the eyes and shows video so it appears at the size of a virtual movie screen, will go on sale next month for about $900.
Intel needs to generate a lot of excitement at its annual developer conference this week -- not just around the company but around the whole PC industry.
The idea that public cloud-based services will radically transform in-house IT operations is ever more evident at Netflix.
Sharp said Tuesday it will slash employee salaries by up to 10% from next month, in a round of cost-cutting that will save it about $180 million during the current fiscal year.
Australia's High Court on Tuesday began hearing Google's appeal of a ruling that it sold misleading advertisements that allowed companies to purchase keywords containing competitor's names.
The open-source Postgres database continues to be refined for enterprises: The latest version, released Monday, contains a number of new features and performance enhancements designed to ease professional large-scale usage.
Self-taught technologists are almost always better hires than those with a BS in computer science and a huge student loan
With more than 120 companies developing products, the market for devices that can charge or be charged wirelessly is about to explode in places you might never have imagined, like the car dashboard.
China plans to issue 4G licenses for LTE TDD networks within around one year, according to a top government official, speeding up the original timetable for deployment of the high-speed networks in the country.
According to cryptology experts at ElcomSoft, the popular UPEK fingerprint readers that are used in many makes of laptops are vulnerable to an attack that allows hackers to gain Windows passwords in plain text from the registry

Advanced Micro Devices has launched the first new products from its SeaMicro acquisition earlier this year, including a server that can be linked to a massive, 5-petabyte storage cluster for running large-scale big data and cloud computing applications.

Posted by InfoSec News on Sep 11


By Aliya Sternstein
September 10, 2012

The federal government is strategizing to build a virtual community that
would prompt computers worldwide to instantly, en mass, suppress
cyberattacks, sometimes without humans at the keyboard.

The so-called cyber ecosystem would take “collective action” to

Early prototype 64-bit ARM servers could be available for testing purposes by the end of this year or possibly at the latest by the middle of next year, ARM said on Monday.

Posted by InfoSec News on Sep 11


By Dan Goodin
Ars Technica
Sept 10 2012

GoDaddy, one of the Internet's biggest webhosting providers, experienced
technical difficulties on Monday that prevented many people from
visiting sites that relied on the service for connectivity.

A little after 5 p.m. California time on Monday, company officials took
to Twitter to say the...

Posted by InfoSec News on Sep 11


By Lucian Constantin
IDG News Service
September 10, 2012

The unique identifiers of 1 million Apple iOS devices that hackers
leaked last week were stolen from the servers of a Florida-based digital
publishing firm called Bluetoad.

Bluetoad develops digital distribution technologies. Its products
include custom iOS and Android apps that...

Posted by InfoSec News on Sep 11


By Kelly Jackson Higgins
Dark Reading
Sep 10, 2012

Walmart was the toughest nut to crack in last year's social engineering
competition at the DefCon hacker conference in Las Vegas, but what a
difference a year makes: this year, the mega retailer scored the worst

Posted by InfoSec News on Sep 11


By Elad Benari
Israel National News

Hackers from several countries around the world tried to attack the
website of the Jewish Agency this past weekend.

As of Friday, the website was targeted by attackers from Russia,
Hungary, Saudi Arabia, Brazil and Austria, among others.

The continued attacks brought down the site, causing it to be available
intermittently and endangering...