InfoSec News

ZDI-11-276: Adobe Flash Player MP4 sequenceParameterSetNALUnit Remote Code Execution Vulnerability
 
Readers have been writing in and I wanted to get this out for info and comment. I have not had a chance to test it out myself. It first surfaced in 2007, posted by Michal Zalewski on Bugtraq. [1] It appears that, due to its lack of sophistication, it did not get much attention from Apache developers and it has remained unpatched all of this time.
It formally resurfaced last Friday with a proof of concept. A CVE is in draft and a patch is expected in a few days from the Apache team. You can read a discussion about it on the Apache HTTPD dev mailing list. [2] The link provides details on some mitigation measures to be taken. When I get a chance I will test and report back.
In the meantime, please share your experiences with your fellow readers with a comment.


[1] http://seclists.org/bugtraq/2007/Jan/83

[2] http://marc.info/?l=apache-httpd-dev&m=131418828705324&w=2
-Kevin

--

ISC Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
ZDI-11-275: EMC Autostart ftAgent Opcode 0x11 Parsing Remote Code Execution Vulnerability
 
Working to boost the versatility and speed of virtual desktops, Citrix Systems has updated its XenDesktop software to allow users to personalize their desktops, as well as offer the ability to access their desktops over wide area networks (WANs), the company announced Wednesday.
 
With the resignation of Steve Jobs as CEO on Wednesday, Tim Cook, long seen as "the operations guy" at Apple, must prove he is capable of taking full charge of the company.
 
Steve Jobs' resignation as the CEO of Apple will not disrupt the company's product plans in the short-term, but could dull its ability to dazzle consumers down the road.
 
ZDI-11-274: EMC Autostart ftAgent Opcode 0x140 Parsing Remote Code Execution Vulnerability
 
Steve Jobs stepped down as Apple's CEO on Wednesday and Chief Operating Officer Tim Cook was named as his replacement. Jobs will remain with the company as chairman of the board.
 
Apple cofounder Steve Jobs has stepped down from his position as CEO of the company and Tim Cook, Apple's chief operating officer, has been named to take the helm, Apple announced Wednesday.
 
Apple's newest CEO has a tough act to follow. But in turning to chief operating officer Tim Cook to replace Steve Jobs in the wake of the latter's resignation Wednesday, Apple's board of directors has chosen a familiar face with a proven track record with the company.
 
Apple's iconic CEO, Steve Jobs, is resigning and has asked the company's board of directors to tap COO Tim Cook as his replacement.
 
The Apple co-founder who has just resigned as CEO was a polarizing force that in the end reshaped the tech industry several times.
 
Apple CEO Steve Jobs announced Wednesday that he is stepping down from his role in the iconic company he started.
 
After an earthquake rattled the East Coast and now a hurricane is roaring toward land, it's becoming increasingly clear that social networks are a key part of our disaster response.
 
Apple's iconic CEO, Steve Jobs, is resigning and has asked the company's board of directors to tap COO Tim Cook as his replacement.
 
Use of personal health records should increase as more doctors use electronic health records (EHRs) and tech vendors develop offerings that are easier to use.
 
Users who eschew traditional relational databases in favor of the newly emerging NoSQL databases might be "throwing the baby out with the bath water," warned a database pioneer before a roomful of NoSQL advocates.
 
Expanding mobile broadband services in the U.S. in the coming years would produce thousands of new jobs and help reverse today's downward employment trend.
 
StackMob hopes to make it easier for Heroku's customers to extend their applications to mobile phones, by adding its service as a Heroku add-on.
 
With supplies tight for the larger-sized MacBook Air, Apple appears to be favoring its own retail and online stores, leaving some distributors unable to meet demand.
 
Developers of the Apache open-source project today warned users of the popular Web server software that a denial-of-service (DoS) tool is circulating that exploits a bug in the program.
 
For those who got their hands on the $99 HP TouchPad tablet, a few complementary accessories are also available on the cheap.
 
EMC's Iomega subsidiary this week announced a new top-of-the-line network storage array, which ratchets up the power and performance.
 
Apple's iPad will retain its dominance of the tablet market through at least 2013, research firm IHS iSuppli said today.
 
Even though Google+ has made a big splash in the social networking world, rivals Facebook and Twitter continue to grow at dramatic rates.
 
It might sound like a major win for Sprint to begin selling the iPhone for the first time in mid-October, but industry analysts say it won't help Sprint all that much.
 
Reader Richard is tiring of typing his e-mail address. Every time he logs into a site, shares an article with someone, registers for an online forum, and so on, he has to type it in. So he wants a keyboard shortcut that can "paste my e-mail address into everything." And while he's at it, how about a second shortcut that will paste in his nickname/username?
 
If you're working in IT today, technical proficiency will never be enough.
 
Lumension Security Lumension Device Control Memory Corruption Vulnerability
 
LedgerSMB/SQL-Ledger SQL Injection Vulnerability
 
Google has agreed to pay US$500 million to settle allegations from the U.S. government that it let online pharmacies in Canada use its AdWords system to advertise prescription drugs to U.S. consumers, resulting in illegal importation of the medicines into the U.S.
 
The disclosure of 2,000 usernames and passwords by the hacking collective Anonymous against a San Francisco transportation website could have been more damaging, according to a doctoral candidate at the University of Cambridge.
 
Personal data sent to India by customers outsourcing work to companies in the country will not be covered under new rules governing the collection of such information, the government said on Wednesday, providing relief to India's large outsourcing industry.
 
EMC AutoStart Multiple Buffer Overflow Vulnerabilities
 
Adobe Flash Player CVE-2011-2140 Remote Memory Corruption Vulnerability
 
Shopzilla Comparison Shopping Script 'search.php' Cross Site Scripting Vulnerability
 

===============
Rob VandenBrink
Metafore (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A court in The Hague banned the shipping of three Samsung Galaxy smartphones to Europe as of Oct. 15, ruling that the company has infringed an Apple photo management patent.
 
Nokia announced Belle, an update of Symbian, along with three phones running the software, on Wednesday at an event in Hong Kong, as it tries to keep consumers interested in the OS.
 
Tourismscripts Hotel Portal 'hotel_city' Parameter HTML Injection Vulnerability
 
CommodityRentals Real Estate Script 'txtsearch' Parameter HTML Injection Vulnerability
 
 
When you build a gaming system, it should be all about frame rates. The reality, though, is that most people don’t have the unconstrained budgets to wring out the maximum performance a game can deliver.
 
Twitter is slowly turning on automatic encryption on its website, a move following other major providers of web-based services to thwart account hijacking over wireless networks.
 
Hoping to spark developer interest in building cloud applications, VMware has issued a free version of its Cloud Foundry Platform-as-a-Service stack that can run on a single laptop or desktop computer.
 
Further preparing its software for production use, Eucalyptus Systems has outfitted its private cloud software with the ability to keep running even if an individual node fails, a feature called high availability (HA), the company announced Wednesday.
 
A quick look at the data shows that market share isn't as important as profit margins.
 
A proposed class-action lawsuit filed in federal court in Chicago on Tuesday accused online tracking and analytics firm comScore of surreptitiously collecting Social Security numbers, credit card numbers, passwords and other data from consumer systems.
 
The earthquake that struck the East Coast on Tuesday should serve as a wake-up call about the frailty of our aging infrastructure, and it should stir businesses to create or update business continuity plans.
 
With more than 16,000 IT-related groups on LinkedIn, it can be tough to pinpoint those that are worth your while. There are some simple clues, though, that can help you find groups with value and get the most out of them.
 
Photobucket has a cool mobile application that allows users to automatically upload mobile pictures to the company's photo-sharing website. That's something that Korey Heess is unlikely to forget anytime soon, after allegedly snapping a picture of himself that was used by police to identify him as a smartphone thief.
 
The long-awaited release got off to a rough start but offers a multitude of improvements for developers.
 
The final version of the Windows Phone SDK 7.1 will arrive at the end of September. It allows developers to take advantage of new features in Windows Phone 7.5, also known as Mango, Microsoft said in a blog post on Tuesday.
 
ZDI-11-273: EMC Autostart Domain Name Logging Remote Code Execution Vulnerability
 

Posted by InfoSec News on Aug 24

Forwarded from: baythreat (at) gmail.com

The Call for Papers for the second annual BayThreat security conference
is open! BayThreat is a 3 day event at the Hacker Dojo in Mountain
View, CA, December 9th, 10th, and 11th. The theme for BayThreat is as
simple as black & white: "Building & Breaking Security." There will be
two tracks, each tackling opposite sides of the security fence.

We are currently seeking 30 & 50...
 

Posted by InfoSec News on Aug 24

http://www.fiercegovernmentit.com/story/federal-air-marshal-blackberries-risk-says-dhs-oig/2011-08-22

By David Perera
FierceGovernmentIT
August 22, 2011

Servers supporting the Blackberry devices used by federal air marshals
have high-risk vulnerabilities thanks to a backlog of security patches,
says the Homeland Security Department inspector general.

In a redacted report dated July 29 not posted online until Aug. 22, the
DHS OIG says scans...
 

Posted by InfoSec News on Aug 24

http://www.computerworld.com/s/article/9219437/China_hacking_video_shows_glimpse_of_Falun_Gong_attack_tool

By Michael Kan, Robert McMillan
IDG News Service
August 23, 2011

The clip shows up without explanation, lasting for about six seconds
during a rather mundane documentary about hacking produced by the
state-sponsored China Central Television

The video appears to give a peek at a state-sponsored hacking tool used
to disrupt the...
 

Posted by InfoSec News on Aug 24

http://www.komonews.com/news/consumer/128288593.html

By Herb Weisbaum
KOMO News
Aug 23, 2011

SEATTLE -- There's a warning for anyone with a credit card from two of
the nation's largest banks.

A security loophole could make your information vulnerable to criminals.

This has to do with those automated telephone account information
systems all the banks have. They sure are convenient. At Chase and Bank
of America, they could be a...
 

Posted by InfoSec News on Aug 24

http://news.techworld.com/security/3298629/android-users-hit-by-lethal-trojan-root-hack/

By John E Dunn
Techworld
23 August 11

Researchers have publicised probably the most dangerous Android malware
examples yet discovered, a Trojan that exploits the GingerBreak root
hack (CVE-2011-1823) in Android 2.3 that gained wide publicity after its
discovery in April.

According to a team at North Carolina State University, which analysed
the malware...
 
A top Chinese communist party official has urged the country's Internet companies to firmly put an end to the spread of fake and harmful information, a statement that appears to be a warning to one of China's most popular Twitter-like websites.
 
[CVE-2011-2712] Apache Wicket XSS vulnerability