Symantec triggers on World of Warcraft update, (Sun, May 16th)

We have had a couple of reports over the last 24 hours of users experiencing issues with Symantec anti-virus products triggering on scan.dll.new, which is a component of World of Warcraft.
Judging by the traffic on this topic in the WoW forums it would appear these are not isolated reports.
The detailed version of the alert is:

Severity = High
Activity = Auto-Protect has detected Infostealer
Date Time = 15/05/2010 (various times from 9:00 to now)
Status = Blocked
Recommended Action = Resolved no action
Risk Category = Virus
Definitions Version 2010.05.14.048
Severity = High
Component = Auto-Protect
Status = Blocked
File Name = c:\users\public\world of warcraft\scan.dll.new
What I find interesting in this case is not that we have another anti-virus false positive, but that Symantec is listing scan.dll.new as an InfoStealer and that it appears this false positive has happened on past World of Warcraft patches/updates that created a file called scan.dll.new. What exactly are they triggering on? The filename? Shouldn't there be a secondary trigger? Is this an old signature from a previous issue?
I have been interested for a while in the accuracy of anti-virus products in the modern computing world. The anti-virus paradigm we have used since the '80s is seriously flawed, and in my opinion is slowly unraveling. The rash of false positives in recent months is just one symptom of that.
I have been watching with great interest the attempts to develop a new paradigm that fits better in the modern computing reality. Most of these are attempts at more heuristic or behavior-based products that rely less on signatures. It seems to me that since these attempts require a somewhat fuzzier approach to anti-virus, won't these sorts of false positives likely become more common, not less?
Are we getting to the point where software providers are going to have to start testing their updates against common anti-virus products before release?
As usual I am interested in your opinions. You can submit them either via our comment mechanism at the bottom of this diary, or via our contact page.

-- Rick Wanner - rwanner at isc dot sans dot org

P.S. If any anti-virus companies have any documentation on futuristic anti-malware research directions that they can let me read, I would be fascinated to have it.

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Onboard Computers Subject to Attack?, (Sat, May 15th)

New Scientist has an article online titled "New cars vulnerable to malicious attacks". The article states that two researchers used a socket under the dashboard to plug in a laptop. Using the laptop they were able to operate various controls on the car. As the article states, it would be difficult to use this method. I think the driver would notice a laptop connected to their dashboard. However, imagine the possibilities if some device plugged into the socket allowed wireless control of the control systems. Again, probably still difficult to do, but things thought to be impossible are cracked every day. As an owner of one of these new vehicles with all the computer-controlled gadgets it is a scary thought for me. Hopefully, the automakers will solve this potential security problem before someone does successfully take advantage of it and use it for malicious purposes. Imagine an out-of-control freight train or 18-wheeler heading straight at you because some terrorist or other knot head overrides the computer control system.
In these days of high-tech gadgets with computer control of everything from cell phones to automobiles to 18-wheelers to train engines, it is time for everyone to take computer and data security seriously.
www.newscientist.com/article/dn18901-modern-cars-vulnerable-to-malicious-hacks.html
Thanks to our reader Adam for bringing this to our attention.

Deb Hale Long Lines, LLC

Google Acknowledges Grabbing Personal Data, (Sat, May 15th)

It appears that Google, Inc. has had a lapse in judgment for the last 4 years and has been scooping up snippets of personal data from open WiFi networks. Google has acknowledged that they have indeed done the captures. Google has issued a public apology and states that none of the information has made it to their search engines or other services. According to the article:
Google characterized its collection of snippets from e-mails and Web surfing done on public Wi-Fi networks as a mistake, and said it has taken steps to avoid a recurrence. About 600 gigabytes of data was taken off of the Wi-Fi networks in more than 30 countries, including the U.S. Google plans to delete it all as soon as it gains clearance from government authorities.
finance.yahoo.com/news/Google-grabs-personal-info-apf-2162289993.html
It looks like Google, Inc. has some explaining to do.
Deb Hale Long Lines, LLC

New tool from Mozilla for updating plug-ins, (Thu, May 13th)

It's been a relatively quiet day so I thought I'd mention this nice little tool that Mozilla has released:
https://www.mozilla.com/en-US/plugincheck/
It does exactly what it looks like - it checks whether your plugins are up to date and provides links to update them if they are not. It works with Firefox 3.6+, Opera 10.5, Safari 4, Chrome 4, or IE 8, and while they claim limited support for IE, it worked just fine when I tried it.

Layer 2 Security - Private VLANs (the Story Continues ...), (Wed, May 12th)

Rob, you say - it's been a little while since we talked about Layer 2 Security (almost a week) - does that mean that we're done?

Not a chance - we haven't talked about Private VLANs yet!



A VLAN is often defined as a broadcast domain, and in most cases it coincides with an IP subnet. Private VLANs (also called PVLANs) are the exception to this: a Private VLAN is still usually a single IP subnet, but the broadcast domain definition no longer holds true.

In a private VLAN, you start by defining an uplink port (also called a promiscuous port). This is normally the port (or link aggregation group) that is attached to the uplink router(s), firewall(s), provider network or server(s). After that is set, you define isolated ports. Any frame received on an isolated port is forwarded only out the uplink port, no matter what destination MAC or IP address it might have. This includes ARP traffic or any broadcast traffic. Frames received on the promiscuous port are forwarded in the usual way - ARPs, broadcasts and all other layer 2 frames work as you would expect them to.

So what this means is that isolated ports in a Private VLAN cannot speak to each other at all - their only traffic path is via layer 3, to other subnets or to other isolated ports in that PVLAN.

The isolated port concept can be expanded to larger port groups - this concept is called community ports. Community ports can speak to each other via layer 2 just like a regular VLAN, but are separated from ports in other communities, and from isolated ports.




Typical applications for private VLANs might be in a colocation facility or a public or private IaaS (Infrastructure as a Service) cloud network, where you might have several customers using the same subnet, but communication between the customers is not desirable as it would circumvent their firewalls. This might also be used on a DMZ, where you might want to restrict communication between DMZ hosts, but it's not worth the effort or cost of creating a separate DMZ for each host. Another common use for Private VLANs might be in a hotel, where each hotel room has internet access, all are on the same subnet, but communication between the rooms is not desired (for obvious reasons).
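As an added example (not from the diary, and not any vendor's configuration syntax), the forwarding rules above can be written down as a small Python model: given the role of the ingress port and the candidate egress port, it decides whether a frame may be forwarded, and lists which ports a broadcast from each port would be flooded to. The port names, the community labels and the hosting-segment topology are constructed for illustration; real switches apply the same rules per primary/secondary VLAN, but the configuration differs between vendors.

```python
"""Model of Private VLAN (PVLAN) forwarding rules.

Added example, not part of the ISC diary: simulates which ports a frame
may reach based on the three port roles described in the diary
(promiscuous/uplink, isolated, community). Port names and community
labels are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

PROMISCUOUS = "promiscuous"
ISOLATED = "isolated"
COMMUNITY = "community"


@dataclass(frozen=True)
class Port:
    name: str
    role: str
    community: Optional[str] = None  # only meaningful for community ports


def may_forward(src: Port, dst: Port) -> bool:
    """Return True if a frame received on src may be sent out dst.

    Rules from the diary:
      - frames from the promiscuous (uplink) port are forwarded normally;
      - frames from an isolated port go only to the promiscuous port;
      - community ports reach the promiscuous port and their own community.
    The destination MAC is irrelevant: the decision depends on port roles only.
    """
    if src is dst:
        return False  # a switch never sends a frame back out its ingress port
    if src.role == PROMISCUOUS or dst.role == PROMISCUOUS:
        return True
    if src.role == COMMUNITY and dst.role == COMMUNITY:
        return src.community == dst.community
    # isolated<->isolated, isolated<->community and cross-community: dropped
    return False


def flood_targets(src: Port, ports: List[Port]) -> List[str]:
    """Ports a broadcast (e.g. an ARP request) from src would be flooded to."""
    return [p.name for p in ports if may_forward(src, p)]


# Constructed topology: a hosting segment where every port shares one subnet.
PORTS = [
    Port("uplink", PROMISCUOUS),           # towards the firewall/router
    Port("custA-web", COMMUNITY, "custA"),
    Port("custA-db", COMMUNITY, "custA"),
    Port("custB-web", COMMUNITY, "custB"),
    Port("custC-host", ISOLATED),
    Port("custD-host", ISOLATED),
]

if __name__ == "__main__":
    for p in PORTS:
        print(f"{p.name:12} floods to: {flood_targets(p, PORTS)}")
```

Running the block prints, for each port, where its broadcasts land: the uplink reaches everything, the two isolated customer ports reach only the uplink, and custA's two ports see each other plus the uplink but never custB. That is the property the diary relies on for the colocation and DMZ cases: a compromised host on an isolated port cannot ARP for, or talk directly to, its neighbours, so every packet between customers has to cross the layer 3 device and its firewall policy.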



This diary touches on only the most basic concepts of Private VLANs - I won't get into the specifics of the configuration, as they vary quite a bit between various vendors' gear. Also be aware that this covers only the most basic of PVLAN concepts - there's enough material in this for a good few hundred pages, if you were writing a book on Layer 2/3 Switching and Security for instance.
As always, if there are any errors in this diary, or if you'd like to comment with other examples of how you've seen PVLANs used, feel free to use the comment link.

=============== Rob VandenBrink Metafore ===============

Adobe Shockwave Update, (Wed, May 12th)

Adobe released a new version of the Shockwave Player for Windows and OS X yesterday. Multiple vulnerabilities are addressed; most of the vulnerabilities on the list result in compromise of the workstation and arbitrary code execution, so this is an important update to get done ASAP.
Full details here: http://www.adobe.com/support/security/bulletins/apsb10-12.html
=============== Rob VandenBrink Metafore ===============

.de TLD Outage, (Wed, May 12th)

Several readers wrote in to note that the .de domain (Germany), which is operated by DENIC [1], had an unplanned outage earlier that lasted a bit over an hour.

There is no official statement yet, but according to one source [2], a bad zone file was loaded and it took a while to fix.
Currently, .de domains appear to be reachable again.
[1] http://denic.de/ (in German)
[2] http://www.tld.sc/en/
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
===================================================
The outage looks like it was from approximately 13:30 to 15:30 local time (CEST).
================= Rob VandenBrink ====================

Microsoft Security Bulletin Summary for May 2010

Revision Note: V1.1 (May 12, 2010): Corrected the restart requirements for MS10-030.
Summary: This bulletin summary lists security bulletins released for May 2010.

MS10-030 - Critical: Vulnerability in Outlook Express and Windows Mail Could Allow Remote Code Execution (978542) - Version:1.1

Severity Rating: Critical - Revision Note: V1.1 (May 12, 2010): Corrected restart requirements for Microsoft Windows 2000, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. Also corrected the verification registry key for Microsoft Outlook Express 6 Service Pack 1 when installed on Microsoft Windows 2000 Service Pack 4.
Summary: This security update resolves a privately reported vulnerability in Outlook Express, Windows Mail, and Windows Live Mail. The vulnerability could allow remote code execution if a user visits a malicious e-mail server. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS10-031 - Critical: Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (978213) - Version:1.0

Severity Rating: Critical - Revision Note: V1.0 (May 11, 2010): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Visual Basic for Applications. The vulnerability could allow remote code execution if a host application opens and passes a specially crafted file to Visual Basic for Applications. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS09-061 - Critical: Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378) - Version:1.3

Severity Rating: Critical - Revision Note: V1.3 (May 11, 2010): Revised this bulletin to announce a detection logic change to fix a reoffer issue with Windows XP and Windows Server 2003. This is a detection change only that does not affect the files contained in the initial update. Also, corrected installation switches for KB953300 and KB974417 on Windows 2000, Windows XP, and Windows Server 2003, and corrected verification registry keys for KB953300 on Windows XP. Customers who have successfully updated their systems do not need to reinstall this update.
Summary: This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario. Microsoft .NET applications, Silverlight applications, XBAPs and ASP.NET pages that are not malicious are not at risk of being compromised because of this vulnerability.

Another round of WordPress Attacks, (Mon, May 10th)

H-Security has published an article (http://www.h-online.com/security/news/item/Large-scale-attack-on-WordPress-996628.html) discussing a new series of attacks against WordPress-based sites.
Multiple ISPs have been hit including GoDaddy, Bluehost, Dreamhost, Network Solutions and Media Temple. There is one report that even sites built with the most current version of WordPress have been compromised.
We will update as we have more information. At this point I recommend reading the H-Security article for the summary of the scripts being added, and contacting your hosting provider if you have concerns about your site.

Wireshark DOCSIS Dissector DoS Vulnerability, (Sat, May 8th)

Wireshark issued an update to fix an issue with the DOCSIS (Data Over Cable Service Interface Specification) dissector. Attackers could exploit it to cause a denial of service: processing malformed data crashes the application.
Affected Products:
Wireshark versions 0.9.6 through 1.0.12. Bulletin can be viewed here.
Wireshark versions 1.2.0 through 1.2.7. Bulletin can be viewed here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
