May 8th, 2008
Microsoft previews three critical bulletins; two for Office
Microsoft on Thursday previewed three critical bulletins for Microsoft Office and Windows and a moderate denial of service vulnerability for the company’s security software.
According to Microsoft’s advance notification, the software giant will address the following in its Patch Tuesday update May 13:
- A critical remote code execution vulnerability primarily affecting Microsoft Office (Word) and another critical remote code execution flaw in Publisher. Affected software includes Office 2000, Office XP, Office 2003 and Office 2007.
- A critical Jet database engine issue that affects Windows 2000, Windows XP and Windows Server 2003.
- A moderate bulletin for a denial of service vulnerability in Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender and Microsoft Forefront Security.
May 8th, 2008
Malware shipped with Firefox 2 language pack
Mozilla is warning that a Vietnamese language pack for Firefox 2 is carrying malware.
In her blog, Mozilla security chief Window Snyder writes:
The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions.
Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy. While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.
Also follow the bug for the issue.
Snyder also noted that Mozilla scans for viruses at upload time, but the scanner didn’t catch this problem “until several months after the upload.” Mozilla is adding additional virus scans to catch these issues in the future.
May 6th, 2008
Can I interest you in a glass of Berry Blue Kool-Aid?: A recap of Microsoft Blue Hat v7
Hey all,
I was fortunate enough to be invited to attend Microsoft Blue Hat v7, as I had some research that Microsoft was interested in bringing me in to talk about. Microsoft got to have co-worker and fellow researcher Rob Carter and me in to talk to product security teams about some of the things we’d found, and we got a free pass to an invite-only conference that had some great talks.
Microsoft also asked me to write a guest blog on their Blue Hat site, which I was happy to do. Good friends and fellow bloggers Ryan Naraine and Rob McMillan gave me some good-natured ribbing about why I got to go, and I returned the favor by saying Microsoft gave me an “exclusive” look at Blue Hat. It wasn’t really the way it went down, but it was more fun to poke some fun at the guys, so I thank Microsoft for letting me keep that in. In fact, Microsoft didn’t edit my posting at all, except to make a couple of grammatical changes, so that was much appreciated. It was a very interesting trip, and I got to see several great talks and interview a few interesting people.
One thing you’ll see coming up soon is an interview I did with the guys who created DEP and ASLR, so keep your eyes open for that.
I’ve also included a gallery of pictures that includes shots of the conference, and some funny ones from the IOActive Limo Party… thanks to Josh Pennell and all the IOActive crew for putting that on, tons of fun.
-Nate
May 6th, 2008
Hot off the wire: Windows XP SP3 available from Windows Update
“At last the moment you’ve been waiting for. Microsoft wants to hit your version of Windows with an update, and this time you don’t have to go rummaging around the internet to find it: just fire up Windows Update and let Microsoft do all the work. After a few false starts XP users get the much-anticipated SP3 update, which promises speed boosts and some of the fancy security features found in Vista. If you’re a Vista user you’re also in luck, since Microsoft has restarted its Vista SP1 distribution after some compatibility problems with Microsoft Dynamics RMS. Sounds like a party.”
Hopefully tomorrow morning Larry and I will have full details on what was patched and why and we can talk about some of the “fancy security features” found in Vista that weren’t previously in XP SP2. Looking forward to the speed boost, I could sure use it!
-Nate
May 6th, 2008
House of Hackers social community opens up
PDP, the leader of the Gnucitizen white hat hacker outfit, announced the opening of the House of Hackers social community yesterday. The House of Hackers is intended to enable its members to exchange ideas with each other, communicate, form groups, elite circles and tiger/red teams, conglomerate around projects, and participate in a hacker recruitment market.
There’s been some concern mentioned in the media about this being used as a tool for unsavory elements to recruit hackers, as is noted in HD Moore’s comment on a Dark Reading article by Kelly Jackson Higgins:
HD Moore, director of security research for BreakingPoint Systems, says his initial take on the House of Hackers announcement in the blog post is that the recruitment aspect of the House of Hackers could lure the wrong crowd. “If anything, hackers who work in security do all they can to appear professional and trustworthy and that really seems to undermine it,” Moore says. It could end up attracting “‘employers’” who aren’t interested in the legality of the work they sponsor, he says.
I understand HD’s concern, but I tend to think it will be too public a place for that kind of activity. In any case, PDP has asserted that the House of Hackers does not condone illegal activities and is intended simply to provide the community a better way to network. Personally, I’m excited about it. I think it has the potential to centralize some of the distributed threads of knowledge sharing and it certainly provides an interesting format for organizing community activities. I’ll leave the details of the community to PDP below:
May 6th, 2008
Google launches CERT for open source
Google on Tuesday detailed plans for oCERT, a volunteer workforce that will remediate security issues in open source applications.
The move makes a ton of sense. Community-driven software has bugs, and plenty of folks to find them. The problem: there’s no central group to actually fix these flaws.
In Google’s security blog, Will Drewry said:
I’m proud to announce that Google has sponsored participation in oCERT, the open source computer emergency response team. oCERT is a volunteer workforce of security professionals from the open source community with the goal of providing security vulnerability mediation and incident response services to open source projects. It will strive to contact software authors with all security reports and aid in debugging and patching, especially in cases where the author, or the reporter, doesn’t have a background in security. Reliable contacts for projects, publishers, and vendors will be maintained where possible and used for notification when issues arise and fixes are available for mediated issues. Additionally, oCERT will aid projects of any size with responses to security incidents, such as server compromises.
What oCERT does is give corporations a one-stop open source security repository. That’ll come in handy when navigating the patch cycle. Dana Blankenhorn notes that “Google’s backing of oCERT is a major milestone in the history of open source.”
May 5th, 2008
Hacking NASA: One small step for man, one giant leap for hackers?
The CORE Security Team released an advisory to the Full-Disclosure mailing list today that documented a stack overflow in NASA’s Common Data Format libs.
Looking at this bug, the tech details aren’t overwhelming; I think I’m mostly excited about it due to the high profile of hacking NASA libs. One can hardly fault NASA, though. I mean, our government can’t even get them enough money to do some real space exploration; it’s hard to fault them for missing some security issues.
I’ll leave the technical details to CORE’s advisory, as they have a great description:
May 5th, 2008
SAP: Security keeps it off Symbian, Windows Mobile, iPhone for now
SAP has forged an agreement with Research in Motion to run its customer relationship management software on the BlackBerry platform. Just don’t expect SAP to roll out to other platforms anytime soon.
In an interview with the Enterprise Irregular blogging group Monday, Bob Stutz, SAP’s executive vice president and general manager of industries and CRM, said the company has no immediate plans to bring its enterprise applications to other platforms. Stutz made the comments in an interview at SAP’s Sapphire conference in Orlando.
The RIM deal, announced Friday, hinges on security, says Stutz. “We have no plans to go to Windows Mobile or Symbian at this juncture,” he adds.
As for the iPhone, SAP is playing with the iPhone SDK, but Stutz noted that security remains an issue. “Until the iPhone builds out enterprise level security. No one is going to take applications on it without enterprise level security,” he says.
However, I don’t buy Stutz’s argument. In fact, he seemed a bit too dismissive about the iPhone and its corporate angle. Apple will deliver a bunch of new security features with its latest iPhone software. To be fair though, SAP deals with large enterprises that may be the most likely to not support the iPhone.
Other platforms are “really risky with the data.” “If I were CIO of a company I wouldn’t be putting corporate data on an open system,” says Stutz. “You have to protect the data.”
May 4th, 2008
Morse Code Rickroll 0-day… no, seriously, I mean it
In the security research world, getting Rickrolled has become a global epidemic. If you’ve been to any of the recent conferences, you’re sure to have been Rickrolled at least once… if you were fortunate enough to be at ToorCon Seattle, then you got Rickrolled about 300 times by Dan Kaminsky.
This is a light-hearted post, as I’m in a great mood after having just proposed to my long-time girlfriend this weekend (she said yes, thank God!), and I just couldn’t help but laugh about this one.
Marcin Wielgoszewski introduced me to Jeff Williams of Aspect Security (he is also heavily into OWASP contribution), who passed me an attack against a piece of code that de-morses morse code. Basically, Jeff crafted a morse code version of a cross-site scripting attack that will redirect the victim to a wonderful Rickroll. As the application de-morses the message, it of course gets rendered as HTML… geez.
Enjoy, but be nice:
In case you don’t speak fluent morse, that basically translates into a redirect to a tinyurl site, which again redirects you to the youtube rickroll video.
I’d be remiss if I didn’t lurch into my consultant talk here and talk about the necessity to do proper input validation and output sanitization… oh, and while I’m at it, don’t home-roll your own input/output validation techniques… there are tons of good APIs out there that you can either get, or that are already built into the language you are using. In fact, Jeff Williams has been involved in putting together a great one called the Enterprise Security API (ESAPI). Everyone seems to understand that using home-grown encryption is bad; when is everyone going to realize that using home-grown validation is bad?
To summarize:
Rolling your own encryption is to encraption as
Rolling your own input/output validation is to _______
Answer: getting Rickrolled.
May 2nd, 2008
PHP delivers key patches
The PHP Group has delivered release 5.2.6 to fix multiple security vulnerabilities.
The open source PHP Group outlined all of the changes and Secunia rated these vulnerabilities “moderately critical.” Here’s Secunia’s breakdown of the vulnerabilities:
- An unspecified error in the FastCGI SAPI can be exploited to cause a stack-based buffer overflow.
- An unspecified error exists in processing incomplete multibyte characters within “escapeshellcmd()”.
- A security issue is caused due to an unspecified error. No further information is currently available.
- An error in cURL can be exploited to bypass the “safe_mode” directive.
- A boundary error in PCRE can potentially be exploited by malicious people to cause a DoS or compromise a vulnerable system.
Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.