Ryan Naraine

DHS Studying Global Response to Conficker Botnet

One year after the Conficker botnet was front-page news around the world, the U.S. Department of Homeland Security is preparing a report looking at the worldwide effort to keep it in check. The report, to be published within the month, shows how an ad hoc group of security researchers and Internet infrastructure providers banded together into an organization they called the Conficker Working Group. Its goal was to address what was at the time the world’s most serious cyberthreat. Read the full story [IDG News Service]

Mozilla Plugs Firefox Pwn2Own Security Hole

Mozilla is the first browser vendor to fix a vulnerability exploited at this year’s CanSecWest Pwn2Own contest. Just one week after a U.K.-based hacker known as “Nils” broke into a 64-bit Windows 7 machine with a Firefox vulnerability, the open-source group shipped Firefox 3.6.3 to plug the security hole.

Apple Plugs Gaping Holes in QuickTime, iTunes

Just call it Mac OS X patchapalooza. Over the last week, Apple has shipped security patches to cover 88 vulnerabilities in the Mac operating system, 16 holes in the QuickTime media player, 7 flaws in iTunes and a security bug in the AirPort Base Station.


Security response teams at Adobe and FoxIt are investigating ways to mitigate a new PDF hack that allows the execution of an embedded executable without exploiting any security vulnerabilities. A demo of the PDF hack has been published to show how a hacker could employ social engineering techniques to launch code execution attacks if a user simply opens a rigged PDF file.

Computer-security researchers say new “smart” meters that are designed to help deliver electricity more efficiently also have flaws that could let hackers tamper with the power grid in previously impossible ways. At the very least, the vulnerabilities open the door for attackers to jack up strangers’ power bills. These flaws also could get hackers a key step closer to exploiting one of the most dangerous capabilities of the new technology, which is the ability to remotely turn someone else’s power on and off.  Read the full story [syracuse.com]

SEE: Updated report with response from Adobe and FoxIt Software

A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.

Microsoft today shipped a cumulative Internet Explorer update with patches for 10 security holes, including a drive-by download vulnerability that’s already being used in malware attacks. The critical MS08-018 update patches security holes that could lead to code execution attacks on all versions of Microsoft’s flagship browser, including the newest Internet Explorer 8.

In the face of an uptick in hacker attacks targeting a zero-day flaw in its Internet Explorer browser, Microsoft has announced plans to ship an emergency IE patch tomorrow (March 30, 2010).

The out-of-band update comes exactly 21 days after Microsoft said it was aware of targeted attacks against Windows users running its flagship browser.

Apple Mega Patch Covers 88 Mac OS X Vulnerabilities

Apple today released one of its biggest Mac OS X security updates in recent memory, with fixes for 88 documented vulnerabilities. The Mac OS X v10.6.3 update, which is considered “critical,” covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.

Security Update 2010-002 / Mac OS X v10.6.3 is now available and addresses the following:

AppKit
CVE-ID: CVE-2010-0056
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Spell checking a maliciously crafted document may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the spell checking feature used by Cocoa applications. Spell checking a maliciously crafted document may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. This issue does not affect Mac OS X v10.6 systems. Credit: Apple.

Application Firewall
CVE-ID: CVE-2009-2801
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Certain rules in the Application Firewall may become inactive after restart
Description: A timing issue in the Application Firewall may cause certain rules to become inactive after reboot. The issue is addressed through improved handling of Firewall rules. This issue does not affect Mac OS X v10.6 systems. Credit to Michael Kisor of OrganicOrb.com for reporting this issue.

AFP Server
CVE-ID: CVE-2010-0057
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: When guest access is disabled, a remote user may be able to mount AFP shares as a guest
Description: An access control issue in AFP Server may allow a remote user to mount AFP shares as a guest, even if guest access is disabled. This issue is addressed through improved access control checks. Credit: Apple.

AFP Server
CVE-ID: CVE-2010-0533
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote user with guest access to an AFP share may access the contents of world-readable files outside the Public share
Description: A directory traversal issue exists in the path validation for AFP shares. A remote user may enumerate the parent directory of the share root, and read or write files within that directory that are accessible to the ‘nobody’ user. This issue is addressed through improved handling of file paths. Credit to Patrik Karlsson of cqure.net for reporting this issue.

Apache
CVE-ID: CVE-2009-3095
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may be able to bypass access control restrictions
Description: An input validation issue exists in Apache’s handling of proxied FTP requests. A remote attacker with the ability to issue requests through the proxy may be able to bypass access control restrictions specified in the Apache configuration. This issue is addressed by updating Apache to version 2.2.14.

ClamAV
CVE-ID: CVE-2010-0058
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: ClamAV virus definitions may not receive updates
Description: A configuration issue introduced in Security Update 2009-005 prevents freshclam from running. This may prevent virus definitions from being updated. This issue is addressed by updating freshclam’s launchd plist ProgramArguments key values. This issue does not affect Mac OS X v10.6 systems. Credit to Bayard Bell, Wil Shipley of Delicious Monster, and David Ferrero of Zion Software, LLC for reporting this issue.

CoreAudio
CVE-ID: CVE-2010-0059
Available for: Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of QDM2 encoded audio content. Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.

CoreAudio
CVE-ID: CVE-2010-0060
Available for: Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of QDMC encoded audio content. Playing maliciously crafted audio content may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to an anonymous researcher working with TippingPoint’s Zero Day Initiative for reporting this issue.

CoreMedia
CVE-ID: CVE-2010-0062
Available for: Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in CoreMedia’s handling of H.263 encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by performing additional validation of H.263 encoded movie files. Credit to Damian Put working with TippingPoint’s Zero Day Initiative for reporting this issue.

CoreTypes
CVE-ID: CVE-2010-0063
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Users are not warned before opening certain potentially unsafe content types
Description: This update adds .ibplugin and .url to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious JavaScript payload or arbitrary code execution. This update improves the system’s ability to notify users before handling content types used by Safari. Credit to Clint Ruoho of Laconic Security for reporting this issue.

CUPS
CVE-ID: CVE-2010-0393
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A local user may be able to obtain system privileges
Description: A format string issue exists in the lppasswd CUPS utility. This may allow a local user to obtain system privileges. Mac OS X v10.6 systems are only affected if the setuid bit has been set on the binary. This issue is addressed by using default directories when running as a setuid process. Credit to Ronald Volgers for reporting this issue.

curl
CVE-ID: CVE-2009-2417
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A man-in-the-middle attacker may be able to impersonate a trusted server
Description: A canonicalization issue exists in curl’s handling of NULL characters in the subject’s Common Name (CN) field of X.509 certificates. This may lead to man-in-the-middle attacks against users of the curl command line tool, or applications using libcurl. This issue is addressed through improved handling of NULL characters.

curl
CVE-ID: CVE-2009-0037
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Using curl with -L may allow a remote attacker to read or write local files
Description: curl will follow HTTP and HTTPS redirects when used with the -L option. When curl follows a redirect, it allows file:// URLs. This may allow a remote attacker to access local files. This issue is addressed through improved validation of redirects. This issue does not affect Mac OS X v10.6 systems. Credit to Daniel Stenberg of Haxx AB for reporting this issue.

Cyrus IMAP
CVE-ID: CVE-2009-2632
Available for: Mac OS X Server v10.5.8
Impact: A local user may be able to obtain the privileges of the Cyrus user
Description: A buffer overflow exists in the handling of sieve scripts. By running a maliciously crafted sieve script, a local user may be able to obtain the privileges of the Cyrus user. This issue is addressed through improved bounds checking. This issue does not affect Mac OS X v10.6 systems.

Cyrus SASL
CVE-ID: CVE-2009-0688
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: An unauthenticated remote attacker may cause unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the Cyrus SASL authentication module. Using Cyrus SASL authentication may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. This issue does not affect Mac OS X v10.6 systems.

DesktopServices
CVE-ID: CVE-2010-0064
Available for: Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Items copied in the Finder may be assigned an unexpected file owner
Description: When performing an authenticated copy in the Finder, original file ownership may be unexpectedly copied. This update addresses the issue by ensuring that copied files are owned by the user performing the copy. This issue does not affect systems prior to Mac OS X v10.6. Credit to Gerrit DeWitt of Auburn University (Auburn, AL) for reporting this issue.

DesktopServices
CVE-ID: CVE-2010-0537
Available for: Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may gain access to user data via a multi-stage attack
Description: A path resolution issue in DesktopServices is vulnerable to a multi-stage attack. A remote attacker must first entice the user to mount an arbitrarily named share, which may be done via a URL scheme. When saving a file using the default save panel in any application, and using “Go to folder” or dragging folders to the save panel, the data may be unexpectedly saved to the malicious share. This issue is addressed through improved path resolution. This issue does not affect systems prior to Mac OS X v10.6. Credit to Sidney San Martin working with DeepTech, Inc. for reporting this issue.

Disk Images
CVE-ID: CVE-2010-0065
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Mounting a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of bzip2 compressed disk images. Mounting a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit: Apple.

Disk Images
CVE-ID: CVE-2010-0497
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Mounting a maliciously crafted disk image may lead to arbitrary code execution
Description: A design issue exists in the handling of internet enabled disk images. Mounting an internet enabled disk image containing a package file type will open it rather than revealing it in the Finder. The file quarantine feature helps to mitigate this issue by providing a warning dialog for unsafe file types. This issue is addressed through improved handling of package file types on internet enabled disk images. Credit to Brian Mastenbrook working with TippingPoint’s Zero Day Initiative for reporting this issue.

Directory Services
CVE-ID: CVE-2010-0498
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A local user may obtain system privileges
Description: An authorization issue in Directory Services’ handling of record names may allow a local user to obtain system privileges. This issue is addressed through improved authorization checks. Credit: Apple.

Dovecot
CVE-ID: CVE-2010-0535
Available for: Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: An authenticated user may be able to send and receive mail even if the user is not on the SACL of users who are permitted to do so
Description: An access control issue exists in Dovecot when Kerberos authentication is enabled. This may allow an authenticated user to send and receive mail even if the user is not on the service access control list (SACL) of users who are permitted to do so. This issue is addressed through improved access control checks. This issue does not affect systems prior to Mac OS X v10.6.

Event Monitor
CVE-ID: CVE-2010-0500
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may cause arbitrary systems to be added to the firewall blacklist
Description: A reverse DNS lookup is performed on remote ssh clients that fail to authenticate. A plist injection issue exists in the handling of resolved DNS names. This may allow a remote attacker to cause arbitrary systems to be added to the firewall blacklist. This issue is addressed by properly escaping resolved DNS names. Credit: Apple.

FreeRADIUS
CVE-ID: CVE-2010-0524
Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may obtain access to a network via RADIUS authentication
Description: A certificate authentication issue exists in the default Mac OS X configuration of the FreeRADIUS server. A remote attacker may use EAP-TLS with an arbitrary valid certificate to authenticate and connect to a network configured to use FreeRADIUS for authentication. This issue is addressed by disabling support for EAP-TLS in the configuration. RADIUS clients should use EAP-TTLS instead. This issue only affects Mac OS X Server systems. Credit to Chris Linstruth of Qnet for reporting this issue.

FTP Server
CVE-ID: CVE-2010-0501
Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 through v10.6.2
Impact: Users may be able to retrieve files outside the FTP root directory
Description: A directory traversal issue exists in FTP Server. This may allow a user to retrieve files outside the FTP root directory. This issue is addressed through improved handling of file names. This issue only affects Mac OS X Server systems. Credit: Apple.

iChat Server
CVE-ID: CVE-2006-1329
Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 through v10.6.2
Impact: A remote attacker may be able to cause a denial of service
Description: An implementation issue exists in jabberd’s handling of SASL negotiation. A remote attacker may be able to terminate the operation of jabberd. This issue is addressed through improved handling of SASL negotiation. This issue only affects Mac OS X Server systems.

iChat Server
CVE-ID: CVE-2010-0502
Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 through v10.6.2
Impact: Chat messages may not be logged
Description: A design issue exists in iChat Server’s support for configurable group chat logging. iChat Server only logs messages with certain message types. This may allow a remote user to send a message through the server without it being logged. The issue is addressed by removing the capability to disable group chat logs, and logging all messages that are sent through the server. This issue only affects Mac OS X Server systems. Credit: Apple.

iChat Server
CVE-ID: CVE-2010-0503
Available for: Mac OS X Server v10.5.8
Impact: An authenticated user may be able to cause an unexpected application termination or arbitrary code execution
Description: A use-after-free issue exists in iChat Server. An authenticated user may be able to cause an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory reference tracking. This issue only affects Mac OS X Server systems, and does not affect versions 10.6 or later.

iChat Server
CVE-ID: CVE-2010-0504
Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 through v10.6.2
Impact: An authenticated user may be able to cause an unexpected application termination or arbitrary code execution
Description: Multiple stack buffer overflow issues exist in iChat Server. An authenticated user may be able to cause an unexpected application termination or arbitrary code execution. These issues are addressed through improved memory management. These issues only affect Mac OS X Server systems. Credit: Apple.

ImageIO
CVE-ID: CVE-2010-0505
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Chris Ries of Carnegie Mellon University Computing Service, and researcher “85319bb6e6ab398b334509c50afce5259d42756e” working with TippingPoint’s Zero Day Initiative for reporting this issue.

ImageIO
CVE-ID: CVE-2010-0041
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website
Description: An uninitialized memory access issue exists in ImageIO’s handling of BMP images. Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website. This issue is addressed through improved memory initialization and additional validation of BMP images. Credit to Matthew ‘j00ru’ Jurczyk of Hispasec for reporting this issue.

ImageIO
CVE-ID: CVE-2010-0042
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website
Description: An uninitialized memory access issue exists in ImageIO’s handling of TIFF images. Visiting a maliciously crafted website may result in sending data from Safari’s memory to the website. This issue is addressed through improved memory initialization and additional validation of TIFF images. Credit to Matthew ‘j00ru’ Jurczyk of Hispasec for reporting this issue.

ImageIO
CVE-ID: CVE-2010-0043
Available for: Mac OS X v10.6 through v10.6.2, Mac OS X Server v10.6 through v10.6.2
Impact: Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to
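The two curl entries in the advisory above (CVE-2009-2417, NUL characters in a certificate Common Name, and CVE-2009-0037, redirects landing on file:// URLs) both come down to a client trusting a server-supplied string without checking it whole. The following is an added illustration of the two client-side checks, written for this page and not taken from curl or from Apple; the function names `cn_matches_host` and `safe_redirect_target` and the sample hostnames are constructed for the example.

```python
"""Client-side checks for the two curl issues listed in the advisory.

Hypothetical helper code written for this page; it is not curl's own
implementation of either fix.
"""
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

# Schemes a redirect-following HTTP client should be willing to land on.
ALLOWED_REDIRECT_SCHEMES = frozenset({"http", "https"})


def cn_matches_host(cn: bytes, host: str) -> bool:
    """Return True only if an X.509 Common Name (raw bytes) names `host`.

    The CN is compared as the full byte string the certificate carries, so a
    value such as b"www.bank.example\\x00.attacker.example" is rejected instead
    of being truncated at the NUL to "www.bank.example" (the CVE-2009-2417
    class of bug). A wildcard is honoured only as the entire left-most label.
    """
    if b"\x00" in cn:  # an embedded NUL can never be part of a real hostname
        return False
    try:
        name = cn.decode("ascii")
    except UnicodeDecodeError:
        return False
    name = name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not name or not host:
        return False
    if "*" not in name:
        return name == host
    labels = name.split(".")
    host_labels = host.split(".")
    # Only "*.example.com" style wildcards: the wildcard must be the whole
    # left-most label, and it must not stand in for a public suffix ("*.com").
    if labels[0] != "*" or "*" in labels[1:] or len(labels) < 3:
        return False
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def safe_redirect_target(current_url: str, location: str) -> str | None:
    """Resolve a Location header and return it only if it stays on http/https.

    This is the shape of the CVE-2009-0037 fix: a web server's redirect must
    not be able to steer the client onto file:// or any other local scheme.
    Returns None when the redirect should not be followed.
    """
    target = urljoin(current_url, location)
    parts = urlsplit(target)
    if parts.scheme.lower() not in ALLOWED_REDIRECT_SCHEMES or not parts.netloc:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample inputs.
    print(cn_matches_host(b"*.example.com", "www.example.com"))
    print(cn_matches_host(b"www.bank.example\x00.attacker.example", "www.bank.example"))
    print(safe_redirect_target("https://a.example/login", "/next"))
    print(safe_redirect_target("https://a.example/login", "file:///etc/passwd"))
```

The point of `cn_matches_host` is that the comparison is done on the full DER string the certificate carries rather than on a C string that stops at the first NUL; `safe_redirect_target` shows that scheme filtering has to happen after the Location value has been resolved against the current URL, since a relative redirect carries no scheme of its own.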
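Two further entries above, AFP Server (CVE-2010-0533) and FTP Server (CVE-2010-0501), are both directory traversal bugs in path validation for a share root. As an added illustration, not Apple's code and not the fix it shipped, the following shows the containment check such a file server needs before it touches the filesystem: the client path is normalised on its own first, so any `..` that would climb above the share root is still visible when the decision is made. The function name `resolve_within_root` and the share paths are constructed for the example.

```python
"""Containment check for client-supplied paths against a share root.

Hypothetical example written for this page, covering the traversal class of
the AFP Server and FTP Server entries; it is not Apple's implementation.
"""
from __future__ import annotations

import posixpath


def resolve_within_root(share_root: str, requested: str) -> str | None:
    """Map a client path onto `share_root`, or return None if it would escape.

    Works on the path strings only (POSIX rules); a real server must also
    resolve symlinks on the final path before opening anything.
    """
    if "\x00" in requested:  # NUL would truncate the path at the OS boundary
        return None
    root = posixpath.normpath(share_root)
    # Normalise the client path by itself so ".." segments are collapsed
    # *before* it is joined to the root; joining first would hide them.
    rel = posixpath.normpath(requested.replace("\\", "/"))
    if rel.startswith("/") or rel == ".." or rel.startswith("../"):
        return None  # absolute path or a climb above the share root
    if rel == ".":
        return root
    return posixpath.join(root, rel)


if __name__ == "__main__":
    # Constructed sample requests against a constructed share root.
    for req in ("docs/readme.txt", "docs/../readme.txt", "../../etc/passwd", "/etc/passwd"):
        print(repr(req), "->", resolve_within_root("/Shares/Public", req))
```

Rejecting rather than silently clamping the path is deliberate: a request that reaches above the root is either a client bug or a probe, and either way the server should log it instead of quietly serving a different file.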