Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The MD5 collision attack used by the creators of the Flame malware was significantly more difficult to pull off than an earlier attack that resulted in the creation of a rogue CA certificate, says security researcher Alexander Sotirov.
 
Spokeo, a company that aggregates and sells public data on individuals from numerous online and offline sources, has agreed to pay $800,000 to settle Federal Trade Commission (FTC) charges that it improperly marketed the information to employers and recruiters.
 
Like many of us, the 17-inch MacBook Pro has learned that it can be dangerous to one's health to carry around too much bulk. Apple has discontinued the largest member of its laptop line in the wake of its WWDC announcements.
 
This month's Patch Tuesday release includes seven bulletins that address 26 vulnerabilities in Windows, Internet Explorer, .Net Framework and Dynamics AX.

 
MIT researchers have developed an algorithm that they say will enable robots to learn and adapt to humans so they can soon work side-by-side on factory floors.
 
The H-1B cap for next year was reached this week, completing the annual petition process at the fastest pace since the start of the 'great recession.'
 
A powerful color-based imaging technique is making the jump from remote sensing to the operating room, and a team of scientists at the National Institute of Standards and Technology (NIST) have taken steps to ensure it performs as ...
 
In a world dominated by Apple's media efforts, other means of purchasing and consuming media are sometimes overlooked. One such means is Amazon MP3 and its accompanying Cloud Player.
 
Companies including Advanced Micro Devices and ARM have formed a consortium to provide an open specification for software to be written and deployed in a cost-effective manner across multiple hardware configurations, it was announced Tuesday.
 
Google yesterday released its first preview of Chrome that runs in the Windows 8 Metro environment, making good on a promise from last week.
 
Renowned security expert and hacker Edward Felten's time as the first chief technologist of the U.S. Federal Trade Commission has been "highly educational," he said at a USENIX conference, and urged fellow computer scientists to follow in his footsteps.
 
Hashing and salting passwords help deter cybercriminals from cracking them, but the goal should be to keep attackers out of the database, say security experts.

 
Several readers mentioned that Microsoft today issued a security advisory regarding Microsoft XML Core Services (MSXML). This is in response to active exploitation.
The issue affects Office 2003 and 2007 on all versions of Windows. All a user has to do to fall victim is visit the wrong website using IE.
Microsoft has issued a Fix it for it in the form of an msi file (see the KB 2719615 link below).
Alternative strategies would be to use browsers that do not support ActiveX, or to disable ActiveX support in IE.
Links:

http://technet.microsoft.com/en-us/security/advisory/2719615
http://support.microsoft.com/kb/2719615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889

--

Swa Frantzen -- Section 66
 
The National Institute of Standards and Technology (NIST) has issued the final version of the Guide to Bluetooth Security (NIST Special Publication 800-121 Rev. 1). The publication is a revision of the original guide, which was released ...
 
The National Institute of Standards and Technology (NIST) is hosting a workshop on the use of 'big data', a term referring to massive amounts of stored and streaming digital information, at its Gaithersburg, Md., campus's Green ...
 
Disputing a great deal of counter-evidence, famed cognitive psychologist and linguist Noam Chomsky insists that email was invented in 1978 by a precocious 14-year-old.
 
Microsoft urged enterprises to adopt Windows 8, its upcoming OS for desktops, laptops and tablets, which some industry experts believe faces an uphill battle for acceptance by IT professionals.
 
Toby reminded us that Oracle is releasing Java 7 update 5 and Java 6 update 33 today.
Updated after Oracle released the vulnerability details.

Release notes for 6u33
Release notes for 7u5
Downloads
Advisory (contains their risk matrix)
More verbose version of their risk matrix

Unfortunately, all of it is still too vague to determine what the actual problems with the software are and to perform your own risk assessment.
Just note that there are CVSS scores of 10 in there, and in past months we saw what slacking on Java patching can do (ref: the recent Apple Mac OS X malware), so given the lack of detailed descriptions, patch this on a rather urgent schedule.
Update:
I had barely written the words above when I got the notification from Apple that they are releasing Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 today as well. This brings them in line with the update to 1.6.0_33 above, as well as implementing the deactivation of the Java browser plugin and Java Web Start if they remain unused for 35 days (on Snow Leopard) and deactivating the Java browser plugin and Java Web Start if they do not meet the criteria for minimum safe versions (on both Lion and Snow Leopard).

Apple Patch info
Apple security patches overview

--

Swa Frantzen -- Section 66
 
Reaction to the new Verizon Wireless Share Everything Plans was mixed, with some analysts calling the plans confusing and others seeing the concept as inevitable but still unproved.
 
Apple's announcement that it's integrating Facebook into its operating system software should be welcome news for a social network that's taken a lot of hits in recent weeks.
 
Overview of the June 2012 Microsoft patches and their status.

| # | Affected | Contra Indications - KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|
| MS12-036: RDP (Remote Desktop Protocol) allows arbitrary code execution due to input validation issues. Also affects Small Business Server 2003 (called Remote Web Workplace). Having exposure to the RDP port with a vulnerable version on e.g. your web server will put you at great risk. | Remote Desktop. CVE-2012-0173 | KB2685939 | No publicly known exploits. | Severity: Critical. Exploitability: 1 | Important | Critical |
| MS12-037: The usual MSIE cumulative patch fixing a multitude of security vulnerabilities; you want this one! Note: this bulletin shares CVE-2012-1858 with MS12-039 (both Internet Explorer and Lync suffer from the same issue). Replaces MS12-023. | MSIE. CVE-2012-1523, CVE-2012-1858, CVE-2012-1873, CVE-2012-1874, CVE-2012-1875, CVE-2012-1876, CVE-2012-1877, CVE-2012-1878, CVE-2012-1879, CVE-2012-1880, CVE-2012-1881 | KB2699988 | CVE-2012-1875 has active exploits against it according to the bulletin. | Severity: Critical. Exploitability: 1 | PATCH NOW | Important |
| MS12-038: A vulnerability in the .NET framework allows arbitrary code execution with the rights of the logged-on user. This not only affects users browsing websites but also servers running .NET applications, as they could bypass Code Access Security (CAS) restrictions. | .NET. CVE-2012-1855 | KB2706726 | No publicly known exploits. | Severity: Critical. Exploitability: 1 | Critical | Critical |
| MS12-039: Multiple vulnerabilities in Lync allow for arbitrary code execution and information leaks. CVE-2012-3402 also affects other Microsoft software (TrueType font parsing). CVE-2012-1858 also affects MSIE (HTML sanitization issue). CVE-2012-1849 is related to the library loading problems affecting many Microsoft products, first described in SA 2269637. | Lync. CVE-2012-3402, CVE-2012-0159, CVE-2012-1849, CVE-2012-1858 | KB2707956 | No publicly known exploits, but most vulnerabilities are quite well known due to exposure in other Microsoft products. | Severity: Important. Exploitability: 1 | Critical | Important |
| MS12-040: An XSS vulnerability in Microsoft Dynamics AX Enterprise Portal. | Microsoft Dynamics AX Enterprise Portal. CVE-2012-1857 | KB2709100 | No publicly known exploits. | Severity: Important. Exploitability: 1 | N/A | Important |
| MS12-041: Multiple vulnerabilities in the Windows kernel mode drivers allow escalation of privileges. Replaces MS12-018. | Windows kernel mode drivers. CVE-2012-1864, CVE-2012-1865, CVE-2012-1866, CVE-2012-1867, CVE-2012-1868 | KB2709162 | No publicly known exploits. | Severity: Important. Exploitability: 1 | Important | Important |
| MS12-042: Multiple vulnerabilities in the Windows kernel allow escalation of privileges. Replaces MS11-098 and MS11-068. | Windows kernel mode drivers. CVE-2012-0217, CVE-2012-1515 | KB2711167 | CVE-2012-1515 was publicly disclosed. No publicly known exploits. | Severity: Important. Exploitability: 1 | Important | Important |

We will update issues on this page for about a week or so as they evolve.

We appreciate updates.

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.


The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word, etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of all the ratings Microsoft assigns, since Microsoft assigns too many separate ratings to some of the patches to list them all.

--

Swa Frantzen -- Section 66
 
Dell today unveiled four different blade storage arrays with the ability to store up to 14TB of data per array, up to 28TB per group inside a blade chassis, and up to 56TB with two groups inside one blade chassis.
 
Computerworld sorts out the details in Verizon's new Share Everything data, voice and text sharing plan for customers who own several mobile devices, but want only one bill for their phone and data services.
 
Data broker and online people search service Spokeo will pay $800,000 to settle U.S. Federal Trade Commission charges that it sold consumer profiles to other companies without taking steps required under the U.S. Fair Credit Reporting Act to protect consumers.
 
The new, Retina-display-bearing MacBook Pro was in our offices Monday afternoon. While we'll start lab testing it and getting our review going, I got a chance to poke and prod it for a few hours. Here are some quick initial impressions.
 
FreeBSD Security Advisory FreeBSD-SA-12:04.sysret
 
This month Adobe decided to fix a ColdFusion vulnerability for Black Tuesday:
APSB12-15 tells about the fix for CVE-2012-2041, an HTTP response splitting vulnerability in the ColdFusion Component browser.
--

Swa Frantzen -- Section 66
 

Revolutionizing the password, and other musings from the Infragard Day of Learning
Network World
If you didn't catch that, he made an effort to come out to local InfoSec conferences, and it will hopefully pay off. Come out to the ECTF, Infragard, ISSA, ISACA, OWASP, Derbycon, Shmoocon, Security B-Sides cons, or your local meetings.

 
Amid the hurly-burly of Apple's sweeping announcements Monday, the company also quietly launched its annual back-to-school promotion, offering $100 gift cards to customers who buy a qualifying Mac and $50 to those who purchase a third-generation iPad.
 
FreeBSD Security Advisory FreeBSD-SA-12:03.bind
 
APPLE-SA-2012-06-11-1 iTunes 10.6.3
 
[security bulletin] HPSBMU02776 SSRT100852 rev.1 - HP Onboard Administrator (OA), Remote Unauthorized Access to Data, Unauthorized Disclosure of Information Denial of Service (DoS)
 
[security bulletin] HPSBMU02790 SSRT100872 rev.1 - HP Server Automation, Remote Execution of Arbitrary Code
 

Suggested reading: 'Ragequitting SummerCon'
CSO (blog)
I'd like to turn your attention to a great read in the Idiosyncratic Routine blog written by New York-based infosec practitioner Amber Baldet. In the post "Ragequitting SummerCon," she writes of the "burlesque thing" that flavored the recent SummerCon ...

 
Japanese copy machine maker Fuji Xerox on Tuesday sent a group of employees to a city hit hard by last year's killer tsunami, to help digitize documents damaged in the flooding.
 
Raco Wireless and Enterprise Mobile have joined forces to help companies that lack telecom expertise get machine-to-machine (M2M) services off the ground, and in the process increase the sector's popularity, Raco said on Tuesday.
 
After years of study, Verizon Wireless unveiled a shared data plan that works across 10 Verizon devices.
 
For me, Tiny Wings sets the gold standard for what a casual game should be on the iOS platform. It's simple to control, fun to play, and the in-game mini-challenges you need to conquer in order to level up keep you coming back for more. It's been a long search trying to find a game that gives Tiny Wings a run for its money, but I think Ski Safari from Defiant Development is more than up to the task. In fact, in some ways, it even betters the Tiny Wings experience.
 
ZDI-12-091 : Symantec Web Gateway upload_file Remote Code Execution Vulnerability
 
ZDI-12-090 : Symantec Web Gateway Shell Command Injection Remote Code Execution Vulnerability
 
[SECURITY] [DSA 2491-1] postgresql-8.4 security update
 
ZDI-12-092 : RealNetworks RealPlayer QCELP Stream Parsing Remote Code Execution Vulnerability
 
For the first production release of what will be its flagship Apache Hadoop distribution, Hortonworks has focused on providing a set of tools to help deploy, manage and extend the data analysis platform.
 
Facebook is expanding its mobile know-how by hiring the team behind Pieceable Viewer, a mobile service that allows iOS app developers to demonstrate their apps in a Web browser, according to the Pieceable website.
 
I would like to thank Andrew for pointing out an XSS vulnerability in one of our tools. The tool pretty simply echoed back user input without proper output encoding.
XSS is in particular difficult to avoid as it may happen anywhere you send data back to the user. The proper encoding depends on the context the data is used in, and sometimes a simple replacement of < and > with &lt; and &gt; doesn't cut it [1]. However, in my experience, many cross site scripting errors happen because the coder (in this case me) just didn't bother to properly escape at all.
A while back, I started using a safe_out function. This function does the simple HTML entity replacement before printing the data. By using safe_out instead of echo or print, I got a simple check (grep for print) to make sure I didn't miss a spot. The function is only good if you return data in the HTML body of a page, but this is what I am doing 99% of the time.

```php
function safe_out($sText) {
    // Encode the HTML metacharacters (including quotes) before printing
    print htmlentities($sText, ENT_QUOTES, 'UTF-8');
}
```

The function is however a pain to use if you are mixing HTML and user data. Let's say you are trying to replace a print statement like:

```php
print "<tr><td>$col1</td><td>$col2</td><td>$col3</td></tr>";
```

this would become:

```php
print "<tr><td>";
safe_out($col1);
print "</td><td>";
safe_out($col2);
// ... and so on for $col3
```

So I extended the function to take an optional array of values and to substitute placeholders of the form :name with the escaped values:

```php
function safe_out($sText, $aVars = null) {
    if ( $aVars === null ) {
        // No placeholders: escape the whole string
        $sText = htmlentities($sText, ENT_QUOTES, 'UTF-8');
    } else {
        if ( is_array($aVars) ) {
            foreach ( $aVars as $key => $value ) {
                // Replace :key with the escaped value; the surrounding HTML is left alone
                $sText = str_replace(":$key", htmlentities($value, ENT_QUOTES, 'UTF-8'), $sText);
            }
        }
    }
    print $sText;
}
```

Now, it almost starts to look like a prepared statement:

```php
safe_out("<tr><td>:col1</td><td>:col2</td><td>:col3</td></tr>", array('col1' => 'abc', 'col2' => 'axy', 'col3' => 123));
```

Of course, Java users may want to consider the OWASP ESAPI framework. It includes appropriate output encoders. But for PHP coders like me, the above snippet may be of help.
[1] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
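As an added example (not the diary's own code), the same :name placeholder idea substituted in a single pass with preg_replace_callback() rather than one str_replace() per key: an escaped value that itself reads ":col3" is then left as-is instead of being substituted a second time, ":col1" is not matched inside ":col10", and a placeholder with no value raises instead of being printed to the user. The function names and the sample row are constructed here.

```php
<?php
// Added example, not the diary's own code: single-pass placeholder
// substitution for HTML body context, building on the safe_out() idea.

function safe_format(string $template, array $vars): string
{
    // The identifier pattern consumes the whole name, so :col1 cannot
    // match the first part of :col10. Because every placeholder is
    // resolved in one pass, a substituted value is never re-scanned.
    return preg_replace_callback(
        '/:([A-Za-z_][A-Za-z0-9_]*)/',
        function (array $m) use ($vars): string {
            $name = $m[1];
            if (!array_key_exists($name, $vars)) {
                // Fail loudly: a typo in a placeholder must not leak into the page.
                throw new InvalidArgumentException("no value for placeholder :$name");
            }
            // HTML body context only, as in the original safe_out():
            // encode <, >, &, " and ' so the value cannot open a tag,
            // an entity or an attribute delimiter. Numbers are cast first.
            return htmlspecialchars((string) $vars[$name], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $template
    );
}

function safe_out(string $template, array $vars = []): void
{
    print safe_format($template, $vars);
}

// Constructed sample row: col1 carries markup, col2 looks like another
// placeholder (a sequential str_replace() over col3 would have rewritten
// it), col3 is a number.
$row = safe_format(
    "<tr><td>:col1</td><td>:col2</td><td>:col3</td></tr>",
    ['col1' => '<script>alert(1)</script>', 'col2' => ':col3', 'col3' => 123]
);
safe_out(":row\n", ['row' => $row]);   // escaped again here: shows the row as text

// A misspelled or missing placeholder is an error, not output.
try {
    safe_format("<td>:colX</td>", ['col1' => 'abc']);
} catch (InvalidArgumentException $e) {
    safe_out("rejected: :msg\n", ['msg' => $e->getMessage()]);
}
```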
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Apple did something very unusual at WWDC on Monday: It dropped the price of three of the four models in its signature MacBook Air line by $100.
 
The U.S. International Trade Commission (ITC) has tossed out five Google patents assigned to High Tech Computer in support of its legal complaint against Apple, dealing a blow to the Taiwanese smartphone maker's court dispute to stop the import of the iPhone, iPad and other Apple products into the country for alleged patent infringement.
 
Digital maps provider TomTom said on Tuesday it has signed a global agreement with Apple for maps and related information.
 
U.S. federal prosecutors are fine with Megaupload users recovering their data -- as long as they pay for it.
 
Advanced Systems Concepts has updated its ActiveBatch job scheduling software to include the ability to schedule and automate tasks in the cloud.
 
Violin said today it will be demonstrating a new, all-flash NAS array at the TechEd conference that runs Windows Server 2012 and can offer up to 5GB/sec of performance.
 
A reader pointed us to F5's SOL 13600, a vulnerability notice by now almost a week old. It details fixes and workarounds for a configuration mistake where unauthorized root access is possible via ssh over port 22. It doesn't exactly spell out their mistake.
Now any Unix administrator will start to wonder: why configure ssh to even allow root access at all? And moreover, you'd still need root's credentials.
It turns out that unpatched F5 systems not only allow root to connect over the network, but that they authorize a public RSA key for root, and that they also left the corresponding, supposedly private, key on all of their systems.
If you have an F5 box and have not installed this update or worked around it properly, better do it now: every F5 customer has the keys to yours. And it takes only one of them to leak the key for everyone who'd like to harm you to have it too.
CVE-2012-1493
--

Swa Frantzen -- Section 66
 

Posted by InfoSec News on Jun 12

http://arstechnica.com/security/2012/06/flame-crypto-attack-may-have-needed-massive-compute-power/

By Dan Goodin
ars technica
June 11, 2012

The cryptographic attack that Flame engineers used to hijack Microsoft's
Windows Update process was so computationally demanding, it would have
required the equivalent of $200,000 worth of computing time from
Amazon's EC2 Web service for most people to carry it out.

That estimate was delivered...
 

Posted by InfoSec News on Jun 12

https://www.computerworld.com/s/article/9227965/MySQL_vulnerability_allows_attackers_to_bypass_password_verification

By Lucian Constantin
IDG News Service
June 11, 2012

Security researchers have released details about a vulnerability in the
MySQL server that could allow potential attackers to access MySQL
databases without inputting proper authentication credentials.

The vulnerability is identified as CVE-2012-2122 and was addressed in...
 

Posted by InfoSec News on Jun 12

http://www.bloomberg.com/news/2012-06-11/data-on-canadian-officials-stolen-in-attack-on-stratfor.html

By Andrew Mayeda
Bloomberg
June 11, 2012

Data on almost 1,000 Canadian government officials was stolen in the
hacking of a Texas-based intelligence firm in December, according to
internal government documents.

Almost 900 federal government workers and 109 provincial government
officials were affected when computers owned by Strategic...
 

Posted by InfoSec News on Jun 12

http://english.chosun.com/site/data/html_dir/2012/06/12/2012061200809.html

The Chosunilbo
June 12, 2012

Police are investigating a cyber attack against the Joongang Ilbo daily.
The police cyber crimes investigative unit said on Monday that it had
received a report that the newspaper's website and the intranet
journalists use to file stories had been hacked.

The website was attacked at around 6:30 p.m. on Saturday and could not
be...
 

Posted by InfoSec News on Jun 12

http://www.heraldscotland.com/news/home-news/details-of-vulnerable-residents-on-stolen-computer.17848796

By Gerry Braiden
Herald Scotland
12 June 2012

AN investigation is under way after a laptop computer containing the
bank account details of thousands of companies and individuals was
stolen from council offices in Glasgow.

Almost 38,000 city council "customers" had their personal details stored
on the stolen laptop, which,...
 