hackers @ microsoft, MS’s place for white-hat (and blue-hat) hackers

A new blog has been opened in the MSDN Network Blogs section.
The opening post has officially, at last, stated the following:

We employ “white hat hackers” who spend their time pentesting and code reviewing applications and software looking for weaknesses and vulnerabilities so that others don’t once we’ve released that code into the wild.

It will be interesting to see whether they share information about BlueHat activities via this blog too.

But the link itself is here:


Now fingerprint reader and rootkits – Sony did it again

This report by F-Secure’s Mika Ståhlberg states that the MicroVault USM-F fingerprint reader software shipped with that Sony USB stick installs a driver that hides a directory under C:\Windows.

And, reportedly, the guys at the F-Secure research laboratory

also tested the latest software version available from Sony at www.sony.net/Products/Media/Microvault/ and this version also contains the same hiding functionality. [added a hyperlink]

Hmmm, time to wear my white T-shirt with the text familiar to many readers: “Most people don’t even know what a rootkit is, so why should they care about it?”


MS Patch Tuesday and Skype outage – why things didn’t match

Now that Skype’s explanation (written on 20th Aug), Microsoft’s response (also written on Monday) and Skype’s clarification (written today, 21st Aug) are all available, it’s time to share a short summary:

Why did the security community react the way it did?

1. Microsoft has released monthly security updates since January 2004
2. There were three critical MS patches in July, and four critical in June
3. Only four August critical patches included a mandatory reboot
4. The critical patch (MS07-044) for a code execution issue in Excel needs no reboot
5. The critical patch (MS07-050) for VML needs a reboot only if files are in use
6. SecurityLab.ru released a public Skype Network Remote DoS Exploit on 17th Aug
7. A new Skype for Windows version was released on 17th Aug
8. A lot of home users go to Microsoft Update on Tuesday, not on Thursday…

Do we need more reasons? No. Boys and girls at Skype, please share information: that you are aware of the public PoC, what the new bugfix release fixes, etc.

But the good news: Villu Arak of Skype states that their “bug has been squashed.” And

The parameters of the P2P network have been tuned to be smarter…

Good, because there will be Black Tuesday patches in the future too! ;-)


Cryptome updates its database: NSA surveillance works globally

Putting together all six updates of the IP address listings released at Cryptome.org, it appears that the National Security Agency knows very well what is happening in the cables of companies that are very familiar to us.
The newest August update, Latest Updated NSA-Affiliated IP Resources 6, includes the following ISPs and organizations: 3G Mobile, AT&T, Akamai Technologies, Amazon, Apple, Deutsche Telekom, eBay, Google, Microsoft, MySpace.com, Qwest, and Xerox Research Center.

From Tokyo, Japan, the listing includes NTT Communications Corp.; from Warszawa, Poland, Netia Telekom; from Stockholm, Sweden and Helsinki, Finland, TeliaSonera; and from Vaasa, Finland, VLP.
As always, Mr. John Young doesn’t disclose his sources.


Ciaaaaaaliiis Viaaaaaagraaa – Nooo thaaanks!

Some of the spam e-mails in my Inbox today are really funny when you look at the basic header information of the messages.

From: Isabelle Hammer

Subject: Re[05]: Ciaaaaaaliiis Viaaaaaagraaa Leeeeeevitra. Preise die keine Konkurrenz kennen
Message body: Hallo , jonleht !Meinung von unserem Kunden:
Ich nehme jedes Mal 10 mg….

Why does the sender’s name differ from the visible name, why do they fight spam filters with thooose terrible wooords, why do they send German-language spam to Finland, and why do they call me jonleht, again?

Hey, we have seen these non-working methods hundreds of times already!
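As an added example that is not part of the original post, two cheap filter checks for the tricks visible in this sample: a display name that has nothing to do with the actual sender address, and watchwords stretched with repeated letters. The raw message is constructed and all addresses are placeholders.

```python
"""Checks for two tricks visible in the spam sample above: a display name that
has nothing to do with the actual sender address, and watchwords stretched with
repeated letters ("Ciaaaaaaliiis") to slip past word-based filters.
Added example, not part of the original post; the message is constructed and
the addresses are placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the headers quoted in the post.
RAW_MESSAGE = """From: Isabelle Hammer <qzx7731@mail.example.invalid>
To: jonleht@example.fi
Subject: Re[05]: Ciaaaaaaliiis Viaaaaaagraaa Leeeeeevitra. Preise die keine Konkurrenz kennen

Hallo , jonleht !Meinung von unserem Kunden:
Ich nehme jedes Mal 10 mg....
"""

WATCHWORDS = {"cialis", "viagra", "levitra"}

# A letter repeated three or more times collapses to one, so "thooose wooords"
# becomes "those words" while legitimate doubles ("letter") survive.
STRETCH_RE = re.compile(r"([a-zA-Z])\1{2,}")

def normalise_stretched(text):
    return STRETCH_RE.sub(r"\1", text)

def display_name_mismatch(from_header):
    """True when no part of the display name appears in the address local part."""
    name, addr = parseaddr(from_header)
    local = addr.partition("@")[0].lower()
    tokens = [t for t in re.split(r"[^a-z]+", name.lower()) if t]
    return bool(tokens) and not any(t in local for t in tokens)

def stretched_watchwords(subject):
    """Return the watchwords found in *subject* after undoing letter stretching."""
    words = re.findall(r"[a-zA-Z]+", normalise_stretched(subject).lower())
    return sorted(w for w in words if w in WATCHWORDS)

def score_message(raw):
    """Run both checks over a raw RFC 822 message and report the findings."""
    msg = message_from_string(raw)
    return {
        "display_name_mismatch": display_name_mismatch(msg.get("From", "")),
        "watchwords": stretched_watchwords(msg.get("Subject", "")),
    }
```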


Windows’ VML implementation – is it so difficult to patch?

Looking into this week’s Redmond patches, there was a critical patch for the Vector Markup Language component Vgx.dll, again.
The newest flaw exists in the handling of compressed content and is a heap overflow type vulnerability. The issue was discovered by Mr. Derek Soeder of eEye Digital Security.

Most of us remember the VML 0-day case in September ’06. ZERT released a 3rd party fix and Microsoft pushed out their official update before the monthly September bulletins. Details about the vulnerability and the case can be found in my Windows VML Vulnerability FAQ (CVE-2006-4868) document.

The reporting timelines of the three newest VML issues are below:

#1: fill method buffer overflow – Vgx.dll
18-Sep-06 Sunbelt Software contacted the vendor
The person who discovered this 0-day flaw is not known
25-Sep-06 MS06-055 is out

#2: Recolorinfo integer overflow – Vgx.dll
03-Oct-06 Vendor was contacted by iDefense
09-Jan-07 MS07-004 is out

#3: Compressed content heap overflow – Vgx.dll
24-Oct-06 Vendor was contacted by eEye
14-Aug-07 MS07-050 is out

Related to issue #2, Microsoft stated the following:

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?

The fact is that Microsoft had been aware of the latest vulnerability, i.e. issue #3, for almost ten months.


Month of PHP Bugs exploits are gone – or are they?

Mr. Stefan Esser of the Hardened-PHP Project has announced that the exploit codes of the Month of PHP Bugs are no longer part of his Web site.

The reason for this is a new law in Germany that is official as of today. This new law renders the creation and distribution of software illegal that could be used by someone to break into a computer system or could be used to prepare a break in.

This list includes PoC exploits too, says Mr. Esser.
But we know that the Internet remembers many things.


Mozilla’s JavaScript fuzzer – Opera’s best friend

Window Snyder, the head of security strategy at Mozilla Corporation, wrote this week about Opera’s use of Mozilla’s JavaScript fuzzer. Mrs. Snyder points to the post by Claudio Santambrogio from Opera Software:

While running the tool, we found four crashers – one of which might have some security implications.

When will we read news like this from Microsoft and Apple?


Bluetooth 2.1+EDR – officially here

The Bluetooth Special Interest Group (SIG) has officially announced the Bluetooth Core Specification v2.1 + EDR (i.e. Enhanced Data Rate).

The specification document itself is located here [.zip package].

The group states the following:

Improved pairing also offers “Man in the Middle” protection that in reality eliminates the possibility for an undetected middle man intercepting information.


www-microsoft.com… www.microspft.com… old-fashioned – the newest trend is vvindowsupdate.com

During the last years several domains based on misspelled Microsoft.com have been registered, to advertise online casinos etc.

But now, the Web site vvindowsupdate.com has been registered.

Did you see the address windowsupdate.com when reading the sentence? You are not alone!
The Sunbelt guys are aware that the group behind the registration is affiliated with the infamous VxGame Trojan.


iPhone vulnerability video on YouTube

The following Exploiting the iPhone video (1:20) has been posted to YouTube to demonstrate the recent MobileSafari vulnerability reported by Independent Security Evaluators.

The technical document is located here [PDF].


MPack’s Dream Coders Team being interviewed

Mr. Robert Lemos of SecurityFocus has published an IM interview with the Dream Coders Team, the Russian team behind the MPack kit.


It’s really worth reading!


Patching an IPS – 16 months!

TippingPoint Technologies has released two alerts this week reporting vulnerabilities in the TippingPoint IPS.

The first issue is a signature evasion type issue reported by Paul Craig of Security-Assessment.com.
3Com’s Alert 07-003
The second one is a problem in the handling of fragmented packets. Bypassing the intrusion prevention system is possible.
3Com’s Alert 07-002

But looking into the disclosure timeline [pdf] by Andres Riancho of Cybsec Security Systems, the vendor was already contacted on 6th February, 2006.

The updated TOS version was released on 4th July, 2007, i.e. last week.

I’m not saying 3Com is slow at fixing vulnerabilities; I think this issue was extremely difficult to resolve. Cybsec will “disclose technical details 30 days after publication of pre-advisory”. Let’s wait!


Zone-H.org is up and running again

The Web site of Zone-H (http://zone-h.org/) is running again, after a remarkably long downtime (and slowness).
It appears that they had some problems more than two years ago too.

Many thanks for the replies posted to my message to the funsec list confirming the problems.

In fact, there were already problems accessing their Web site on 31st May (and earlier).
The Digital Attacks Archive has content added in June too, however.


Plain-text FTP credentials and YouTube: a bad combination

The MOSEB campaign (Month of Search Engine Bugs) shared a good example of the dangers of Googledorks this week.

When using the search string

site:youtube.com “clicks from ftp @” we’ll see 257 results.

When googling

“clicks from ftp” + filter=0, in turn, we will get 508 results.
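As an added example that is not part of the original post, a small scanner for the kind of leak this dork surfaces: URLs that still carry user:password in their userinfo part, and a redaction pass so such a page can be published or logged safely. The sample page text, its hosts and credentials are constructed placeholders.

```python
"""Find plain-text credentials embedded in URLs, the kind of leak the MOSEB post
above points at: referrer lines on a public page listing ftp://user:pass@host/...
Added example, not part of the original post; the sample page text is constructed
and every host name and credential in it is a placeholder.
"""
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Anything that looks like scheme://... up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")

# Constructed sample modelled on the "clicks from" statistics the post describes.
SAMPLE_PAGE = """Referrers (constructed sample, not real data)
clicks from ftp://webmaster:Sommer2007@ftp.example.net/public_html/index.html
clicks from http://www.example.org/blog/?p=12
clicks from ftp://anonymous@ftp.example.com/pub/
"""

def find_credential_leaks(text):
    """Return (url, redacted_url, username) for every URL whose userinfo carries a password."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")  # trailing punctuation belongs to the sentence
        parts = urlsplit(url)
        if parts.password is None:
            continue  # ftp://anonymous@host or a plain URL: nothing leaked
        try:
            port = parts.port
        except ValueError:
            port = None  # malformed port, still report the leak
        host = parts.hostname or ""
        if port is not None:
            host = "%s:%d" % (host, port)
        user = unquote(parts.username or "")
        netloc = "%s:***@%s" % (user, host)
        redacted = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
        findings.append((url, redacted, user))
    return findings

def redact_credentials(text):
    """Return *text* with each password-bearing URL replaced by its redacted form,
    so the page can be published or logged without exposing the secret."""
    for url, redacted, _ in find_credential_leaks(text):
        text = text.replace(url, redacted)
    return text
```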


Microsoft really trusts IIS 7.0

The Redmond giant has switched to IIS 7.0 on its Web site. Netcraft’s report of www.microsoft.com:

IP address:
OS: Windows Server 2003
Web Server: IIS/7.0
Last changed: 13-Jun-2007

They don’t care about reports like this:

Web Server Software and Malware