Wednesday, June 30, 2010

Hex-Rays x86 and ARM Version 1.3 Decompilers Released

Hex-Rays has released version 1.3 of their x86 and ARM decompilers. There are numerous bugfixes in each. Please refer to the links below for details.


References:
http://www.hex-rays.com/news1.shtml#100628
http://www.hex-rays.com/hexcomp13.shtml



email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity

IDA Pro 5.7 Released

IDA Pro 5.7 has been released. The full list of updates and bugfixes is in the references link below.

Highlights in version 5.7 include:
- Scripted plugins can be implemented in Python or IDC.
- Scripted processor modules can be implemented in Python or IDC.
- Improvements for iPhone/iPad file analysis in the form of additional ARM module/Mach-O file format features.
- You can now define your own data types.
- The PDB plugin now works without having to install a full copy of Microsoft Visual Studio.


References:
http://www.hex-rays.com/idapro/57/index.htm

Tuesday, June 29, 2010

Opera 10.54 Released for Windows

Since Opera now has over 2% of web browser market share, we are initiating coverage of the Opera web browser platform.

Version 10.54 of Opera has been released. It includes 5 security bugfixes.


References:
http://www.opera.com/docs/changelogs/windows/1054/

Adobe Releases Reader/Acrobat 9.3.3 and 8.2.3

Adobe has released Reader/Acrobat versions 9.3.3 and 8.2.3. These updates include 17 security-related fixes including one related to Flash content embedded in PDFs that has been exploited in the wild.

/Launch actions are also disabled by default starting with this release. If you re-enable /Launch, the warning the user sees is much improved.

The GDI object leak and crash problem described here remains unfixed.
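The /Launch change is worth checking for yourself on PDFs arriving at the gateway, because readers that still have it enabled will run whatever the action names. Below is an added example, not code from the original post, from Adobe, or from the Didier Stevens post linked below: a small triage scanner that counts the action-related names a reader would act on, decoding the #xx hex escapes that PDF permits inside names so that an obfuscated /L#61unch is counted as /Launch. The sample PDF is constructed for the example. The scanner works on the raw bytes and does not inflate compressed object streams, so a name hidden inside an /ObjStm is not seen; treat it as pdfid-style triage, not a parser.

```python
"""Count action-related names in a PDF, decoding #xx name escapes.

Added example, not from the original post; the sample PDF below is
constructed for illustration. PDF names may be written with #xx hex
escapes (/L#61unch is the same name as /Launch), so a plain text search
for "/Launch" misses obfuscated files; this scanner normalises names
before counting. Caveat: compressed object streams (/ObjStm) are not
inflated, so names hidden inside them are not seen.
"""
import re
from collections import Counter

# A PDF name token: '/' followed by regular characters (no whitespace or delimiters)
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names that trigger or carry code / launch behaviour in a reader
WATCHED = ("/Launch", "/JavaScript", "/JS", "/OpenAction", "/AA",
           "/EmbeddedFile", "/RichMedia")


def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes in a PDF name and return it with its leading '/'."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + decoded.decode("latin-1")


def count_names(pdf: bytes) -> Counter:
    """Count occurrences of each watched name after escape normalisation."""
    counts = Counter()
    for m in NAME_RE.finditer(pdf):
        name = normalize_name(m.group(1))
        if name in WATCHED:
            counts[name] += 1
    return counts


def has_launch_action(pdf: bytes) -> bool:
    """True if the file carries a /Launch action, obfuscated or not."""
    return count_names(pdf)["/Launch"] > 0


# Constructed sample: a one-page PDF whose /OpenAction is an obfuscated
# /Launch (written as /L#61unch) that would try to run cmd.exe on open.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /L#61unch /F (cmd.exe) /P (/c calc) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print("naive search finds /Launch:", b"/Launch" in SAMPLE_PDF)
    print("normalised counts:", dict(count_names(SAMPLE_PDF)))
    print("launch action present:", has_launch_action(SAMPLE_PDF))
```

Run it against the sample and the naive byte search reports no /Launch while the normalised count reports one, which is exactly the gap an attacker relies on when a gateway rule is a plain string match.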

References:
http://www.adobe.com/support/security/bulletins/apsb10-15.html
http://blog.didierstevens.com/2010/06/29/quickpost-no-escape-from-pdf/

Monday, June 28, 2010

Apple iOS 4 Released for iPhone

Apple has released iOS 4. This new version of Apple iOS contains fixes for over 60 vulnerabilities.

References:
http://support.apple.com/kb/HT4225

Monday, June 21, 2010

Cisco Announces End-of-Sale and End-of-Life for Cisco Security Agent Product Line

Cisco has announced end-of-life for the Cisco Security Agent product line. The relevant timelines and other details related to the drawdown are at the link below.

From the article:

"There is no replacement available for the Cisco Security Agent at this time.

Cisco's network security product portfolio has complementary security technologies, such as Cisco Intrusion Prevention Systems, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco IronPort Email and Web gateways. Please contact your Cisco account team for more information on these products. While there is no direct Cisco Security Agent replacement product from Cisco, many endpoint security products are available from a wide variety of third-party vendors. We expect that customers will want to do their own due diligence in choosing a replacement product that best meets their needs."


References:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps2330/end_of_life_c51-602579.html

New Samba Remote Root Vulnerability

Samba versions 3.0.x through 3.3.12 have a vulnerability that allows remote root-level access. Versions 3.4.0 and later are not vulnerable.
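A quick way to check a host against that range, as an added example that is not from the original post or from the Samba project: parse the version string that `smbd -V` prints and compare it against the affected bounds stated above. The sample strings are constructed in the shape `smbd -V` prints. One caveat a defender needs: distributions routinely backport security fixes without changing the upstream version number, so a build such as 3.3.8 with a vendor release suffix may already be patched. A hit here means "check the vendor advisory", not "confirmed vulnerable".

```python
"""Decide whether a Samba build falls in the CVE-2010-2063 affected range.

Added example, not from the original post or the Samba project. The
affected range (3.0.x through 3.3.12, with 3.4.0 and later unaffected)
is the one given in the post above; the sample version strings used in
testing are constructed in the shape "smbd -V" prints ("Version 3.3.12").
Caveat: vendor builds may carry backported fixes under an old version
number, so a match is a prompt to check the vendor advisory.
"""
import re
import subprocess
from typing import Optional, Tuple

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Inclusive bounds of the affected upstream range, per the post above.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 3, 12)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first dotted major.minor.patch triple out of version output."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if the upstream version in `text` lies inside the affected range.

    Tuple comparison handles the numeric ordering (3.3.12 > 3.3.9), which a
    string comparison would get wrong.
    """
    v = parse_version(text)
    if v is None:
        return False
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def local_smbd_version() -> Optional[str]:
    """Return the output of 'smbd -V' on this host, or None if smbd is absent."""
    try:
        return subprocess.run(["smbd", "-V"], capture_output=True,
                              text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None


if __name__ == "__main__":
    out = local_smbd_version()
    if out is None:
        print("smbd not found on this host")
    else:
        verdict = "in CVE-2010-2063 range (check vendor advisory)" if is_affected(out) \
            else "outside affected range"
        print(out.strip(), "->", verdict)
```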

References:
http://www.samba.org/samba/security/CVE-2010-2063

Thursday, June 17, 2010

Security Updates in New Apple iTunes 9.2 Release

There are security updates in Apple's iTunes 9.2 release affecting Windows XP, Vista, and Windows 7. Details are in the link below.

References:
http://support.apple.com/kb/HT4220

Tuesday, June 15, 2010

New OpenOffice Release Fixes Two Security Issues

OpenOffice has released a new version that addresses two vulnerabilities, CVE-2009-3555 and CVE-2010-0395.

References:
http://www.openoffice.org/security/cves/CVE-2009-3555.html
http://www.openoffice.org/security/cves/CVE-2010-0395.html

Was Tavis Ormandy's Disclosure Irresponsible?

Regarding Tavis Ormandy's recent disclosure of a vulnerability in Windows Help and Support Center, my understanding is that there are five basic paths to take when you have a valid vulnerability to disclose. They are enumerated below. In short, I think Tavis Ormandy went down the RFPv2 path, and thus was within his rights to disclose when he did assuming that Microsoft didn't in fact reply to him within the 5 days allowed.

As a corporate defender, I would prefer that researchers not take such an aggressive stance with disclosure, but my point is that what he did might have long-standing precedent.

1). CERT/CC - Public disclosure happens within 45 days of the vulnerability being reported to CERT/CC. CERT/CC notifies the vendor per their own process.

2). Full Disclosure Policy (Rain Forest Puppy policy version 2 - RFPv2) - The reporter contacts the software vendor directly. The vendor is allowed 5 days to reply. If the vendor replies within the 5-day window, a disclosure schedule should be agreed upon by both parties; after that, the vendor should provide updates every 5 days, and the wording of the disclosure should be agreed upon by both parties. If the vendor does not reply within 5 days of the initial contact, the reporter is free to disclose.

3). OIS (Organization for Internet Safety) - The finder submits a VSR (Vulnerability Summary Report). The vendor can choose to make a partial public disclosure at this point if it wishes. The vendor must respond directly to the finder within 7 days. If the vendor doesn't respond within 7 days, the finder must submit again, and the vendor gets another 3 days to reply. If the finder still has no reply after those 3 days, the finder is OK to publicly disclose.

4). Go through a vulnerability broker like Verisign iDefense VCP or TippingPoint ZDI and follow whatever policy that broker uses.

5). Sell directly to a private buyer. Many governments - including the U.S - purchase vulnerabilities for their own purposes.

Having served as an intermediary before, I can tell you that this process sometimes isn't a walk in the park. I am not saying anyone is right or wrong, but I am saying that what he did isn't new and maybe he is being singled out unfairly in the media.

UPDATE 13 July 2010 - Microsoft has released a fix for this vulnerability in July 2010 patch MS10-042.


References:
http://www.microsoft.com/technet/security/advisory/2219475.mspx
UPDATED 13 July 2010 http://www.microsoft.com/technet/security/Bulletin/MS10-042.mspx

Thursday, June 10, 2010

Microsoft Security Updates for Apple Mac Office 2004 and 2008

Microsoft has released updates for Apple Mac Office 2004, Mac Office 2008, and the Open XML File Format Converter for Mac. These updates include fixes for some security vulnerabilities.


References:
Description of the Microsoft Office 2004 for Mac 11.5.9 Update: http://support.microsoft.com/kb/2028866

Download Microsoft Office 2004 for Mac 11.5.9 Update: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=16c71ab8-9284-407a-856a-93c67995f125

Description of the Microsoft Office 2008 for Mac 12.2.5 Update: http://support.microsoft.com/kb/2028864

Download Microsoft Office 2008 for Mac 12.2.5 Update: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=d46255bd-6470-4106-9fe2-ea67acd3f1bd

Download Open XML File Format Converter for Mac 1.1.4: http://www.microsoft.com/downloads/details.aspx?FamilyID=4c5487d5-c912-4087-8c83-769e3fb78ea9&displaylang=en

Wednesday, June 9, 2010

Google Chrome 5.0.375.70 Released

Google Chrome 5.0.375.70 has been released for Windows, Mac, and Linux. The update includes fixes for 11 vulnerabilities, 9 of which are classified as critical.

References:
http://googlechromereleases.blogspot.com/2010/06/stable-channel-update.html

Tuesday, June 8, 2010

Apple Releases Security Updates for Safari 4.1 and 5.0

Apple has released security updates and other bugfixes for the Apple Safari 4.1 and 5.0 browser platforms. Some of these security bugs are remotely exploitable according to Apple's release notes.

References:
http://support.apple.com/kb/HT4196

Upcoming Adobe Flash and Adobe Reader/Acrobat security patches for Windows and Mac platforms

Adobe has announced that the next Flash player update is due out on 10 June 2010. This affects Windows and Mac.

The Adobe Reader/Acrobat update is due out 29 June 2010. This also affects Windows and Mac. Adobe also said that the normal quarterly update due out 13 July 2010 won't happen due to this out-of-band release.

UPDATE 09 June 2010 - Proof of concept code was made available here: http://www.exploit-db.com/exploits/13787/. Please be aware that the PoC provided at that link is live malicious code, so handle with caution.

UPDATE-2 10 June 2010 - Adobe released Flash Player 10.1.53.64, fixing not only the one known problem but 32 separate vulnerabilities.

References:
http://blogs.adobe.com/asset/2010/06/background_on_apsa10-01_patch.html
http://www.adobe.com/support/security/advisories/apsa10-01.html

Monday, June 7, 2010

U.S. Military Intelligence Analyst Arrested for Data Leakage

This Wired article discusses a U.S. Army intelligence analyst being arrested for leaking classified and other sensitive information to Wikileaks.

A quote from the Wired article:
“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga’, erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. “Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis… a perfect storm.”

Manning told Lamo that the Garani video was left accessible in a directory on a U.S. Central Command server, centcom.smil.mil, by officers who investigated the incident. The video, he said, was an encrypted AES-256 ZIP file.

Some thoughts spring to mind:
1). Why did it take so long for him to get caught? Why couldn't the DoD and US Military tell exactly who touched the video that got released by Wikileaks as "Collateral Murder" in February 2010?
2). Why weren't there procedures in place to catch rogue IT system administrators and analysts browsing for files they don't need to see?
3). While it was good that the investigators encrypted and password-protected the helicopter attack video, why wasn't the password on the encrypted AES-256 ZIP file housing the video uncrackable? My understanding is that the US government password length and complexity requirements get dramatically better for Top Secret content. I shouldn't be able to drop the ZIP into a copy of Passware and just wait a while for the password to get displayed in front of me.

Sunday, June 6, 2010

New Adobe Flash, Reader, Acrobat Vulnerability

Adobe announced a new vulnerability in its Adobe Flash and Adobe Reader/Acrobat products. There is no patch available as of this writing. The scope of the exploitation attempts isn't known at this time. The CVE number assigned is CVE-2010-1297.

For now, we will need to rely upon AV for protection. The major AV vendors started releasing definitions over the weekend. For example, Symantec has released definitions (detected as Trojan.Pidief.J) for the known exploits for the Adobe Flash, Reader, and Acrobat vulnerability.

References:
http://www.adobe.com/support/security/advisories/apsa10-01.html
http://www.symantec.com/connect/blogs/0-day-attack-wild-adobe-flash-reader-and-acrobat

Wednesday, June 2, 2010

Security Bug Fixes in OpenSSL 1.0.0a Release

Two security holes in OpenSSL were fixed in the 1.0.0a and 0.9.8o releases. These updates address CVE-2010-1633 and CVE-2010-0742. The download tarballs are available from openssl.org.

References:
http://www.openssl.org/news/secadv_20100601.txt

Preparing for Apple Mac Malware

This SANS ISC article (http://isc.sans.org/diary.html?storyid=8890) got me thinking again about the reality of Mac malware. What are people using for AV scanning of Mac executables at their web and mail gateways? As Macs increasingly make their way into the enterprise and Apple continues to improve its market share, I assume that eventually we will need to supplement host-based AV scanning on the Macs with gateway-based AV defensive layers, just as we did to protect our Windows endpoints.

What should we block at the web and email gateway level: all .DMG files, .PKG files, and OS X Mach-O executables?
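One answer to that question, as an added example that is not part of the original post: whatever the block list is, identify the content by its magic bytes rather than by extension, so a Mach-O binary renamed to .txt or a flat .pkg renamed to .zip is still caught at the gateway. The magic values below are Apple's published Mach-O header magics (both byte orders, 32- and 64-bit, plus the fat/universal header) and the UDIF "koly" trailer for disk images, together with the "xar!" signature of the xar container that flat packages use; the sample buffers are constructed minimal headers, not real files. Two caveats: the fat magic 0xCAFEBABE is shared with Java class files, so the code tells them apart by the word that follows (architecture count versus class-file version, a heuristic), and only UDIF .dmg images carry the koly block, while old bundle-style .pkg installers are directories and arrive as a .zip.

```python
"""Identify Mac executable and installer content by magic bytes, not extension.

Added example, not from the original post. This is the kind of check a
web or mail gateway applies to an attachment body so that renamed files
are still recognised. Magic values are the public Mach-O, UDIF and xar
ones; the sample buffers are constructed minimal headers, not real files.
"""
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit Mach-O, either byte order
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit Mach-O, either byte order
FAT_MAGIC = 0xCAFEBABE                              # universal binary (shared with Java .class)
XAR_MAGIC = b"xar!"                                 # xar container used by flat .pkg files
KOLY_MAGIC = b"koly"                                # UDIF .dmg trailer, first 4 of last 512 bytes

# Heuristic: a fat header's nfat_arch is tiny; a Java class file puts
# minor/major version in the same slot and major is at least 45.
MAX_PLAUSIBLE_ARCHS = 30


def identify(data: bytes) -> str:
    """Return 'macho', 'macho-fat', 'pkg', 'dmg', 'java-class' or 'unknown'."""
    if len(data) >= 4:
        head = struct.unpack(">I", data[:4])[0]
        if head in (MH_MAGIC, MH_CIGAM, MH_MAGIC_64, MH_CIGAM_64):
            return "macho"
        if head == FAT_MAGIC and len(data) >= 8:
            nfat_arch = struct.unpack(">I", data[4:8])[0]
            return "macho-fat" if nfat_arch < MAX_PLAUSIBLE_ARCHS else "java-class"
        if data[:4] == XAR_MAGIC:
            return "pkg"
    # A UDIF disk image has no leading magic; its 'koly' block is in the last 512 bytes.
    if len(data) >= 512 and data[-512:-508] == KOLY_MAGIC:
        return "dmg"
    return "unknown"


# The three categories the post asks about, plus thin Mach-O binaries.
BLOCKED_TYPES = {"macho", "macho-fat", "pkg", "dmg"}


def should_block(data: bytes) -> bool:
    """Gateway decision for one attachment body."""
    return identify(data) in BLOCKED_TYPES


# Constructed samples (headers only, enough to exercise the checks above).
SAMPLE_MACHO64 = struct.pack("<I", MH_MAGIC_64) + b"\0" * 28    # x86-64 header as stored on disk
SAMPLE_FAT = struct.pack(">II", FAT_MAGIC, 2) + b"\0" * 40      # universal binary, 2 architectures
SAMPLE_JAVA = struct.pack(">IHH", FAT_MAGIC, 0, 50) + b"\0" * 8  # class file, major version 50
SAMPLE_PKG = XAR_MAGIC + struct.pack(">HH", 28, 1) + b"\0" * 20  # xar header: size 28, version 1
SAMPLE_DMG = b"\0" * 1024 + KOLY_MAGIC + b"\0" * 508             # image body + koly trailer
SAMPLE_TEXT = b"Hello, this is a plain text attachment.\n"

if __name__ == "__main__":
    for label, blob in [("macho64", SAMPLE_MACHO64), ("fat", SAMPLE_FAT),
                        ("java", SAMPLE_JAVA), ("pkg", SAMPLE_PKG),
                        ("dmg", SAMPLE_DMG), ("text", SAMPLE_TEXT)]:
        print(f"{label:8s} -> {identify(blob):10s} block={should_block(blob)}")
```

Pairing this with the extension rule rather than replacing it is the sensible deployment: the extension catches the benign case cheaply, and the magic check catches the renamed one.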