Get yer bogons out!, (Mon, Apr 12th)

Sung to the tune of 'Get yer ya-ya's out' Street Fighting Man http://seclists.org/nanog/2010/Apr/821
From their announcement: "Team Cymru is pleased to announce a significant addition to our bogon reference project. The new portions of the project are offered at no cost to the community, and the original bogon lists and feeds are not being changed or cancelled, just augmented."


Cheers,

Adrien de Beaupré

EWA-Canada.com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Network and process forensics toolset, (Sun, Apr 11th)

One of our readers recently asked us if we were aware of any integrated tools that would let an analyst compare network events against process events on a specific computer. As he pointed out, there are many tools that can tell you what is going on network-wise (netstat, tcpdump, portmon, etc.) and plenty that can tell you what the computer is doing (procmon, process explorer, etc.) but none that bring them all together. Here is how he described his wish list:

I want a tool (or set of tools) for monitoring a Windows PC in such a way that:

* it monitors packets in pcap, like tcpdump and
* it monitors each process's network activity like netstat -anpb while
* being able to keep log and records of process activity changes, not just showing the past few seconds' changes.

A sample use case scenario: I wake up in the morning and check my Wireshark or NetWitness Investigator logs and notice a strange session and I want to be able to quickly glue that session to a process that has been responsible for that...

While a mix of netstat and command-line Foo for piping outputs to a log file among Wireshark can do the job, I hope there must be a decent and handy tool out there, for this purpose.
So, readers - got any ideas? We had a lively debate between some of the handlers earlier today but could not come up with exactly what he is looking for. If you know of such a tool please use the comment feature below to tell us all about it. Of course, we are aware of Microsoft's Sysinternals suite by Mark Russinovich but that is not what our reader is looking for.
Thanks for any ideas.
Marcus H. Sachs

Director, SANS Internet Storm Center
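As an added illustration of the correlation the reader describes (not a tool from this post or from any product named in it), the following Python assumes two constructed inputs: a timestamped log of periodic socket snapshots (a `netstat -ano`-style listing plus a PID-to-name lookup, one snapshot every five minutes) and a list of flow records exported from a capture. It ties each flow to the process that owned the socket in the nearest snapshot and returns None when the session fell between polls, which is exactly the gap a continuous recorder would close.

```python
from datetime import datetime, timedelta

# Constructed sample: socket snapshots taken every five minutes, each line prefixed
# with the snapshot time. Not a real capture.
NETSTAT_LOG = """\
2010-04-11T03:00:00 TCP 192.168.1.10:49152 10.0.0.5:443 ESTABLISHED 1234 firefox.exe
2010-04-11T03:00:00 TCP 192.168.1.10:49160 203.0.113.7:6667 ESTABLISHED 4321 svchost.exe
2010-04-11T03:05:00 TCP 192.168.1.10:49152 10.0.0.5:443 ESTABLISHED 1234 firefox.exe
2010-04-11T03:10:00 TCP 192.168.1.10:49177 198.51.100.9:80 ESTABLISHED 1234 firefox.exe
"""

# Constructed flow records as an analyst might export from the packet capture:
# (first-packet time, proto, local endpoint, remote endpoint).
FLOWS = [
    ("2010-04-11T03:01:12", "TCP", "192.168.1.10:49160", "203.0.113.7:6667"),
    ("2010-04-11T03:11:40", "TCP", "192.168.1.10:49177", "198.51.100.9:80"),
    ("2010-04-11T03:20:00", "TCP", "192.168.1.10:50001", "192.0.2.44:25"),
]


def parse_snapshots(text):
    """Turn the snapshot log into (time, proto, local, remote, pid, name) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, proto, local, remote, _state, pid, name = line.split()
            rows.append((datetime.fromisoformat(ts), proto, local, remote, int(pid), name))
    return rows


def attribute_session(rows, when, proto, local, remote, window=timedelta(minutes=5)):
    """Return (pid, name) for the process that owned socket (proto, local, remote)
    in the snapshot closest to 'when', or None if no snapshot within 'window'
    saw that socket (a session shorter than the polling interval can be missed)."""
    when = datetime.fromisoformat(when)
    best = None
    for ts, p, l, r, pid, name in rows:
        if (p, l, r) == (proto, local, remote):
            gap = abs(ts - when)
            if gap <= window and (best is None or gap < best[0]):
                best = (gap, pid, name)
    return None if best is None else (best[1], best[2])


def attribute_flows(rows, flows, window=timedelta(minutes=5)):
    """Map every flow record to its owning process (or None) in one pass."""
    return {flow: attribute_session(rows, *flow, window=window) for flow in flows}


if __name__ == "__main__":
    for flow, owner in attribute_flows(parse_snapshots(NETSTAT_LOG), FLOWS).items():
        print(flow, "->", owner if owner else "no process seen (unattributed)")
```

The third constructed flow is deliberately unattributable: it shows the blind spot of polling that the reader's wish for continuous process-activity records is meant to remove.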

New bug/exploit for javaws, (Sat, Apr 10th)

It looks like Tavis Ormandy posted an interesting bug in the javaws application to Full Disclosure yesterday. I have yet to verify all the details, but if what Tavis posted is true it opens up a rather interesting scenario for an attacker (one which Tavis outlines rather well in his PoC code!). We will try to update this post as more information is discovered. I have been talking to a few other security researchers who have verified his claims; I have yet to successfully verify his PoC on any of my VMs (might be version issues).
Tavis's post (full information here):
http://seclists.org/fulldisclosure/2010/Apr/119
Tavis also did an excellent job not only in the formatting of his alert, but also in the content (again, I have yet to verify all this myself!). Below is a snippet of the mitigation portion of his alert.



-------------------
Mitigation
-----------------------

If you believe your users may be affected, you should consider applying one of
the workarounds described below as a matter of urgency.

- Internet Explorer users can be protected by temporarily setting the killbit
on CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA. To the best of my knowledge, the
deployment toolkit is not in widespread usage and is unlikely to impact end
users.

- Mozilla Firefox and other NPAPI based browser users can be protected using
File System ACLs to prevent access to npdeploytk.dll. These ACLs can also be
managed via GPO.

Detailed documentation on killbits is provided by Microsoft here

http://support.microsoft.com/kb/240797

Domain administrators can deploy killbits and File System ACLs using GPOs, for
more information on Group Policy, see Microsoft's Group Policy site, here

http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx

You may be tempted to kill the HKLM...JNLPFileShellOpenCommand key, but
the author does not believe this is sufficient, as the plugin also provides
enough functionality to install and downgrade JRE installations without
prompting (seriously). However, if none of your affected users are local
Administrators, this solution may work (untested).

As always, if you do not require this feature, consider permanently disabling
it in order to reduce attack surface.





Outage Update - isc.sans.org, (Fri, Apr 9th)

A quick update on the outage for our site and related processing.
Yesterday we experienced a power outage as well as a link outage in the main processing location for the storm centre. This affected elements of the web site, but also our contact form, the handlers-a-t-sans.org email address and log processing. These three issues have been resolved and are relatively stable (unlike the link at one datacentre).
I have replied to all the emails that made it through in the last 24 hours. If however you have not yet received a reply please do re-submit your question, query, or information and we'll process it as per normal.
With regard to log processing: the servers are happily churning through the backlog of data and will catch up, so you should receive confirmations.
There are still some elements of the site that may be broken; however, the team is working through these. If, after say 12 hours from now, you find something that is still broken, please let us know.
Thanks
Mark

VMware has released the following patch "VMSA-2010-0007 VMware hosted products, vCenter Server and ESX patches resolve multiple security issues". Make sure you test before applying to production., (Fri, Apr 9th)


Adobe launch issue response/work around., (Fri, Apr 9th)

Late last month Didier discussed a PoC relating to the /launch functionality in PDF files (http://isc.sans.org/diary.html?storyid=8545).
Adobe published a reply and a work-around for this on their blog (http://blogs.adobe.com/adobereader/2010/04/didier_stevens_launch_function.html).
The article shows a few default settings that can be changed and a registry modification to reduce the risk of this type of attack. Adobe is examining the issue and deciding what to do; they may make a fix available as part of their quarterly updates to the product.
Mark

Microsoft Patch Tuesday April 2010 Pre-Release, (Thu, Apr 8th)

Microsoft announced earlier today that they will be releasing a total of 11 bulletins (5 critical, 5 important, 1 moderate). If exploited, eight of the bulletins could allow for remote code execution. More details available here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Financial Management of Cyber Risk, (Sun, Apr 4th)

Last Wednesday an interesting report was released called The Financial Management of Cyber Risk: An Implementation Framework for CFOs. Please take advantage of this new document that the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) have graciously provided. The PDF guide is free for download, after registering, on the ANSI web site. The document assists in assigning dollar amounts to the possible cyber risks and is further designed to place cyber attack mitigation on the C-level function.
The report is endorsed by Melissa Hathaway, former Acting Senior Director for Cyberspace for the National Security Council. The CFO guide is a direct response to the Cyberspace Policy Review released last May. That report stated, "Between 2008 and 2009, American business losses due to cyberattacks grew to more than $1 trillion in intellectual property." Copies of the documents from the Fed review can be found on the White House website (http://www.whitehouse.gov/cyberreview/documents).
Just another opportunity to educate your management staff on the possible financial repercussions of cyber attacks.
Happy Easter!
Mari Nichols - Handler on Duty

Oracle Java SE and Java for Business Critical Patch Update Advisory, (Fri, Apr 2nd)

Oracle released a collection of patches for multiple security vulnerabilities in Java SE and Java for Business, which includes both security and non-security fixes. This update contains 27 new security fixes across all products. The security bulletin is posted here.
Note: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.
Affected product releases and versions:

Java SE:
* JDK and JRE 6 Update 18 and earlier for Windows, Solaris, and Linux
* JDK 5.0 Update 23 and earlier for Solaris
* SDK 1.4.2_25 and earlier for Solaris

The Java SE update is available here.

Java for Business:
* JDK and JRE 6 Update 18 and earlier for Windows, Solaris and Linux
* JDK and JRE 5.0 Update 23 and earlier for Windows, Solaris and Linux
* SDK and JRE 1.4.2_25 and earlier for Windows, Solaris and Linux

The Java for Business update is available here.

-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Foxit Reader Security Update, (Fri, Apr 2nd)

Foxit Reader has released a security update that fixes an issue where an embedded executable in a PDF document is run without asking the user's permission. The update can be launched from within Foxit (select version 3.2.1.0401) or downloaded from here.
This update is related to the recent ISC diary "PDF Arbitrary Code Execution - vulnerable by design", published on 31 March 2010.


-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Security Advisory for ESX Service Console, (Fri, Apr 2nd)

VMware has released the security advisory VMSA-2010-0006 affecting the ESX Service Console. Updates are available for samba and acpid.
The following CVE numbers are part of this advisory: CVE-2009-2906, CVE-2009-1888, CVE-2009-2813, CVE-2009-2948, CVE-2009-0798. Additional information is available here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Firefox 3.6.3 fix for CVE-2010-1121 http://www.mozilla.org/security/announce/2010/mfsa2010-25.html, (Fri, Apr 2nd)

-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

PDF Arbitrary Code Execution - vulnerable by design., (Wed, Mar 31st)

Didier Stevens, who probably knows the PDF format better than most and has written some great PDF analysis tools, published a very interesting and concerning blog post [1].
In this post, he outlines how PDFs can be used to execute code. Nothing new, you may say... plenty of exploits have done this in the past. This is different: he is not using a vulnerability, but a feature. Evidently, PDFs have the ability to execute code by design. Since this is not an implementation but a design problem, various PDF readers are vulnerable. In his blog, Didier shows a video of the exploit using Adobe's PDF reader. Adobe's reader will show a warning and ask the user for permission; however, the wording of this warning may be changed by the attacker. Foxit, a popular alternative to Adobe's reader, will show no warning.
At this point, Didier does not provide a public PoC exploit. However, he says he is in contact with vendors.

[1] http://blog.didierstevens.com
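An added detection example, not Didier's tool or PoC, covering this post and the Adobe /launch work-around item above: a Python scan of raw PDF bytes for action dictionaries of subtype /Launch, run over constructed sample fragments. It also decodes #xx name escapes so an obfuscated /L#61unch is matched, and it reports whether the file has an /OpenAction (i.e. would fire an action on open). Objects packed into compressed object streams are outside what a raw byte scan sees.

```python
import re

# Constructed test fragments (not real documents and not Didier's PoC): a catalog whose
# OpenAction is a /Launch action, the same with a hex-escaped name, and a benign /GoTo.
LAUNCH_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /Type /Action /S /Launch /Win << /F (example.exe) >> >> endobj\n%%EOF\n")
OBFUSCATED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/L#61unch")
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /Type /Action /S /GoTo /D [4 0 R /Fit] >> endobj\n%%EOF\n")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")   # #xx escapes inside PDF name objects
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")          # action dictionary of subtype Launch
FILE_RE = re.compile(rb"/F\s*\(([^)]*)\)")           # literal-string /F target (simplified)


def normalize_names(data):
    """Decode #xx escapes so an obfuscated /L#61unch reads as /Launch for matching."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(pdf_bytes):
    """Report /Launch actions in raw PDF bytes and whether the file runs an action on open.
    Limitation: objects inside compressed object streams (PDF 1.5+) are not decoded,
    so an empty result is not proof that no /Launch action exists."""
    data = normalize_names(pdf_bytes)
    findings = []
    for m in LAUNCH_RE.finditer(data):
        tail = data[m.end():m.end() + 400]          # target normally follows the subtype
        f = FILE_RE.search(tail)
        findings.append({
            "offset": m.start(),
            "target": f.group(1).decode("latin-1") if f else None,
        })
    return {"auto_open": b"/OpenAction" in data, "launch_actions": findings}


if __name__ == "__main__":
    for label, doc in (("launch", LAUNCH_PDF), ("obfuscated", OBFUSCATED_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf(doc))
```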
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter
