World’s first “Decode the Race car” Challenge!!

So I haven’t written for a while, and that’s mainly because setting up your own security consultancy takes a lot more time that I would have imagined, but hey, it’s been a fun ride so far.

So while everyone else is off writing about Sony, I figured that I’d lighten the mood here with something that I think is such a great idea. The guys at Secure Racing have a challenge coming up, which sounds like it’s going to be great fun, and it’s such a novel idea as well.

So taken directly from the Secure Racing website, here is all the information about the challenge coming up on the 19th June at Brands Hatch.

“Secure Racing, the Information Security industry’s motorsport team, has laid down a challenge to anyone with a flair for code-breaking or a passion for cryptography.

At the team’s first race on 19th June at the Brands Hatch circuit in Kent, the Secure Racing Aston Martin will feature a hidden coded message somewhere within its livery and decals. The question is – can you find it and decipher it?
This is the first time a motorsport team anywhere in the world has offered a competition like this on their car. Developed by the Threats and Vulnerabilities Team at PWC, it forms the basis of a competition for anyone who wants to test their mettle and win fantastic prizes. Anyone can enter.

One week after the race, one winner and nine runners up will be drawn at random from the first 100 correct answers that we receive. Later this year, the lucky winner will get to jump in the Secure Racing Aston Martin Vantage GT4 to experience the exhilarating speed of getting around a circuit alongside a professional race driver. The winner will also get tickets to join the team at the Silverstone British GT Championship round and, along with the nine runners up, they will also receive complimentary membership to the Secure Racing members club – the details of which will be announced on race day.
Anyone who attends the Brands Hatch race on 19th June will have a chance to get up close and personal with our Aston and therefore have the best chance of spotting and cracking the code. For those that can’t make it, we will be posting pictures of the car on our website a couple of days after the race so you can take part.
Those who find and crack our code should email their answer to richard.moss@secureracing.co.uk
Ladies and gentlemen – the fun begins here. Start your engines, the Secure Racing story is about to begin.
Discounted admission tickets available exclusively for Secure Racing fans at: www.motorsportvision.co.uk/secracing

Share

Microsoft Security Bulletin MS10-070, Important, Really??

So, SANS has set it’s InfoCon level to yellow to increase the visibility of this update, and hopefully to encourage people to patch it sooner rather than later. All I can say is that I hope that it does actually get people to apply this patch quickly.

Apparently MSFT are aware of “active attacks”, which begs the question as to why is this only rated as an “Important” patch? I’m sure they have their reasons though, but if you are running any web applications, you are really advised to patch sooner rather than later on this one.

The details of the patch, taken from Microsoft’s website are the following:

—————————–

Executive Summary

This security update resolves a publicly disclosed vulnerability in ASP.NET. The vulnerability could allow information disclosure. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Microsoft .NET Framework versions prior to Microsoft .NET Framework 3.5 Service Pack 1 are not affected by the file content disclosure portion of this vulnerability.

This security update is rated Important for all supported editions of ASP.NET except Microsoft .NET Framework 1.0 Service Pack 3. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by additionally signing all data that is encrypted by ASP.NET. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2416728.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

———————-
As always people, be safe and patch asap, the Internet is a dangerous place….

Share

Funniest E-mail sent to the LKML (Linux Kernel Mailing List)

This is just so very very wrong! Original e-mail can be found here.
“Hi, all

I have two machines that show very different performance numbers.

After digging a little I found out that the first machine has, in
/proc/cpuinfo:

model name      : Intel(R) Celeron(R) M processor         1.00GHz

while the other has:

model name      : Intel(R) Core(TM)2 Quad CPU    Q6600  @ 2.40GHz

and that seems to be the main difference.

Now the problem is that /proc/cpuinfo is read only. Would it be possible
to make /proc/cpuinfo writable so that I could do:

echo -n “model name      : Intel(R) Core(TM)2 Quad CPU    Q6600  @
2.40GHz” > /proc/cpuinfo
in the first machine and get a performance similar to the second machine?”

Share

Social Engineering and Facebook For Starters

The post that I wrote the other day about Foursquare and Facebook Places really got me thinking, and well, then it got me into doing mode very quickly.

So, putting on my reconnaissance hat, I logged into Facebook to see what I could find out about a complete stranger, and well, to say that it was interesting is to put it mildly. Bear in mind that I had no idea who this person was, or where in the world they were located before I started digging around.

The details that I managed to dig up about this person were the following:

- D.O.B

- In a relationship

- Hometown

- Religion

- Last 3 employers, as well as current

- Current Job Title

- Universities attended and relevant dates

- Schools attended and relevant dates

- Work e-mail address

- Private e-mail address

- Work phone number

- Home phone number

- Cell phone number

- Home address

- Work address

- Car make and model

- Car registration number

- Roughly how long it takes him to get from home to the office (average of 33 minutes)

- Roughly how long it takes him to get from home to his son’s school.

- Musical tastes

- Photo’s of his house, his dogs and his children

- He spends a lot of time (and I mean a lot) playing World of Warcraft

- He used to run Windows XP, but has recently upgraded to Windows 7

- I managed to map out the first two layers of his family tree

I then decided to do a bit more digging outside of Facebook now that I had all the above knowledge, and managed to find out a bit more about him.

- He goes running each day, and also uploads his routes and stats via Runkeeper

- He’s been in the newspapers a couple of times for good deeds and charity work

- He coaches a kids soccer team at his sons school every other weekend

- He spends a fair amount of time on forums relating to legal highs

- There’s some video’s of him and his family on YouTube

- He has a personal web site, with a photo gallery of his travels with his family

- He runs a server from home, it’s running Windows 2003, IIS, and Exchange

- He’s currently an MCP studying towards his MSCE for Windows 2003, and I have his MCP ID, so far he’s done 3 exams

- He’s been married once before, and looking at photo’s of his ex-wife and his children, and their respective ages, one of the children is from his previous marriage.

- His citizenship

I managed to find all this information in about 10 minutes, now if I really wanted to go all out on this one, I’m pretty sure I could find a lot more information about him and his lifestyle.

Already with the information that I’ve managed to obtain I could quite easily use this for social engineering purposes, and not just against this person, but against most the people in his family. It really does make me wonder why people are so open with all the details that they share online, with just a little bit of effort I feel like I know this person. I also know that if I wanted to attack his company it would be a pretty trivial thing to do.

People, it’s a scary world out there, and you really don’t need to publish all this sort of information, the people that know you and will already know this information, do you really need to advertise it to the world.

I’d like to thank George for taking part in my little experiment ;-)

Share

Security Conferences and Press Passes

We recently received a couple of press passes to some security conferences in Europe from the event organizers and this got me to thinking.

Firstly thank you to the organizers that sent the passes through, it really is appreciated and it shows just how far Securiteam’s reach is.

So if there are any other security event organizers reading this, and you want the in’s and out’s of your conference published here, then please get in touch with us, a press pass for a security conference doesn’t cost you anything, and we can make sure that we can do all we can to let others know how good or bad it really was.

As I’m sure that you’re aware of by now, here at Securiteam we right honestly and give thanks where thanks is due.

Share

DEFCON Social-Engineer CTF Contest Findings Report

If you’re at all interested in Social Engineering as I’m sure that most of our readers are, then you will probably be very interested in the report over at the Social-Engineer.org site.

At DEFCON 18 this year, held in Las Vegas there was a Social Engineering Capture The Flag event held. This proved to be quite a success, well more so for the participants, than the actual companies targeted, but hey. All’s fair in love and war.

Some of the rules for this event were the following:

- Contestants may not ask for or obtain financial data, passwords, or personal identifying information such as social security numbers or bank account numbers;
- Contestants may not attempt to falsify or falsify employment records;
- The list of target organizations will not include any financial, government, educational, or health care organizations;
- Contestants must keep it clean, for example, use of any pornography is banned.

Even the FBI were extremely weary of this contest and contacted the organizers beforehand, so this was getting a lot of press coverage. I am also aware that quite a few companies sent out internal communications about this event to their employees, warning them not to give out any sensitive information.

I’d personally just like to thank the team over at Social-Engineer.org for doing so much to bring social engineering into the public’s eye, and also for all the hard work they’ve put into SET and the Social Engineering Framework. Keep up the amazing work guys!
So without further ado, you can read the full report here.

Share

HDCP Master Key Leaked

High-bandwidth Digital Content Protection (HDCP) is a form of copyright protection developed by Intel. It is designed to prevent the copying of digital audio and video as it travels accross media interfaces such as HDMI, DisplayPort or Unified Display Interface (UDI).

The system is meant to stop HDCP-encrypted content from being played on devices that do not support HDCP or which have been modified to copy HDCP content. Before sending data, a transmitting device checks that the receiver is authorized to receive it. If so, the transmitter encrypts the data to prevent eavesdropping as it flows to the receiver.

Manufacturers who want to make a device that supports HDCP must obtain a license from Intel subsidiary Digital Content Protection, pay an annual fee, and submit to various conditions.

On 14th September 2010 the HDCP Master Key was somehow leaked, and published online in various sources. At present it is unknown how this Master Key was obtained, or whether Intel is doing any investigations as to how this happened. Intel has however threatened to sue anyone.

The leaked master key is used to create all the lower level keys that are stored within devices, so you can see what a nightmare this must be for Intel.

Intel have threatened to sue anyone that makes use of this key under intellectual property laws. However it will now only be a matter of time before we start seeing black market devices appearing.

If anyone’s at all interested though, you can find the key here.

Share

DDoS Attacks and Torrent Sites

If anyone has been following the recent news about anti-piracy companies trying to take torrent sites offline by DDoSing them, then you’ll know that this was a bad idea from the start, if not here’s a brief recap.

Aiplex Software is a company that has been trying to take down torrent sites for a while now. As they weren’t getting anywhere, they decided to take on a new approach, and DDoS the torrent sites instead. It was suspected that this was the case for a while, but then to save everyone the effort, the nice guys over at Aiplex Software openly admitted that they were doing it, big mistake!

As the Internet is a wonderful medium for communication, there was a scheduled DDoS attack against Aiplex Software which took their site offline for a fair amount of time, until all the attackers then decided that moving onto the MPAA website was a better idea. The MPAA was forced to move it’s site to a new IP address after being down for 18 hours.

Yesterday an attack was launched against the RIAA in the same manner, and knocked the web site of the Internet for a good few hours.

All this was done via various means of communication, using the tool LOIC (Low Orbit Ion Cannons) and a bunch of anonymous supporters that weren’t afraid to stand up for what they believed in. Whether these attacks were right or wrong is purely a matter of opinion, but more to the point is the amount of damage that can be done.

In the past, if people wanted to protest, they would all gather in groups with placards and march around yelling various slogans, this usually happened outside the offending parties premises. If it got out of hand, the police would be called in to disperse the crowd, and everything was back to normal. However now in the age of the Internet, people are free to participate from the comfort of their own homes, just by downloading a program, typing in an IP address or hostname and clicking “Attack”. These people won’t be traced if the attack is coordinated properly, as it’s next to impossible to trace where all the packets are coming from if you have a large amount of people doing this at the same time. Even if people were traced, there is always the “Botnet defense” (My PC must have been infected by something and become part of a botnet, I ran my anti-virus program and removed some things, and now it all seems fine).
As security professionals we need to look at this as the shape of things to come, what if an online retailer annoyed a few of it’s customers, or if an online gambling or finance site was just “asking for it”. All it takes is the right form of communication and a few thousand people, and poof, the site is off the Internet if it doesn’t have the correct protection mechanisms in place.

As security professionals, do you do your best to protect your companies online assets from DDoS attacks? Or are you mainly concentrating on making sure the web sites are coded securely, that the web servers have been hardened and patched up to date…

I’m really interested to hear everyone’s comments on this one, so please leave them below.

Share

Social Engineering Toolkit 0.7.1

For those of you who have never used the Social Engineering Toolkit (SET), you really are missing out on an amazing tool, and one that is guaranteed to make your lives simpler in the social engineering realm.

SET was written by David Kennedy a.k.a ReL1K, and you can find this amazing tool in either the BackTrack Linux distro, or you can get it via svn directly from Dave’s site. Full info on how to download this via svn can be found here.

SET is also tightly integrated with the Metasploit Framework, so you can easily make use of all the exploits within MSF to perform some really technical social engineering attacks.

I’m guessing that if you’ve never heard of SET before, you’re probably wondering what it can do, well, let’s put it this way, in the context of social engineering, what can’t SET do?

I would say that the best way to familiarize yourself with SET and all it’s features would be to download it and have a play with it. Then to go through some of the many tutorials available online.

There is now a section dedicated to SET over at Offensive Security‘s free Metasploit Unleashed training page, which you can find here.

Dave has also kindly put up a load of tutorial videos to walk you through the basics, and then some on his site. To check these out just head over to the Tutorials section on his site.
If you’d like to see a video of all the new features in SET 0.7, then have a look here.

Share

Facebook Places, Foursquare, and common sense…

Ever since I first became aware of Foursquare I thought that it was a bad idea, and that it wouldn’t last long. Well I still think that it’s a really bad idea, but I was definitely wrong about how long it would last.

I have to wonder about people.

I know that security folk are more paranoid than most other people. I also know that comes with the territory, but who ever though that it would be a good idea to advertise where you are at any given point in time? Now Facebook has gone and launched Places, which does pretty much the same thing as Foursqaure.

Call me extremely paranoid, but when your average user publishes personal details on Facebook, such as their home address, where they work, their work and home e-mail addresses, photo’s of themselves and their family (sometimes including photo’s of their home and car), do they really need to let the world know exactly where they are at any given point?

I am also betting that it’s some of these very same people that tend to get all up in arms, when someone reads over their shoulder on the tube, or stands at their desk waiting for them to finish their phone call. The same people that will complain about having their privacy violated!

Now imagine the following scenarios:

1. You’ve just arrived at the office, so you decide to “check in” to one of these applications, so that everyone knows that you’re at work. You’ve also just given out the exact location of where you work. In some cases this can be a major risk, if you work in an unmarked building for example, where the location of the building is supposed to not be that easily known, well now everyone knows. This also lets any would be breaking and entering specialist know that you are now no longer at home, or that your wife and kids are now home alone.

2. You call in sick for the day, and forget that you happened to befriend your boss on Facebook, you then take a nice trip to some art gallery, or to a shopping mall to catch that newly released film, and you “check in” (Yes, I’ve seen this happen!). Then you’re all shocked when you get called into your bosses office because he knows that you weren’t really sick, you were out having fun on company time. I’ve got no problem with people taking a day off, but if you’re going to be stupid about it, then you deserve what you get.

3.From a social engineering perspective, this is amazing, as if I’m going to target someone working for a company, it means that I get to see where they hang out, what type of things that they’re into, when they’re in the office or out of the office. Picture this, the head of IT security is using Facebook Places, he checks in when he reaches the station on his way to work, then he updates his Twitter status to say that the train is running an hour late. This means that I now have the perfect opportunity to phone the company helpdesk, and impersonate him, and get my remote login password reset. Then voila, I have all the access that he does, I also know that I have about an hour to grab whatever information I please, before I need to log off. Once he gets into the office, he’ll have some password problems, phone the helpdesk and get it reset, and be none the wiser.

C’mon people, please all I’m asking for is that you have some common sense, if you need people to know where you’re going, let them know, don’t tell the whole world and his dog.

Share

ACCU / Bletchley Park Autumn Lectures

Bletchley Park, also known as Station X, is where the Enigma cipher was cracked during World War II, and if you have never been, it’s a really worthwhile visit.

However this post is not about Bletchley Park, more so, it’s about the Bletchley Park 2010 Security Conference. Confirmed speakers this year are the following Bruce Scneier, Whitfield Diffie, Andy Clark and David Khan, so it should make for a rather interesting conference. Something else that makes attending this conference worthwhile is the fact that all proceeds from this even will be divided equally between the Bletchley Park Trust and the National Museum of Computing.

As I’m sure a lot of you are aware Bletchley Park is in desperate need of support, and as a security community we can help to support this establishment that has already done so much for what we do today. I often wonder that if it wasn’t for the time and effort spent at Bletchley Park during World War II, where would cryptography be now? Would we be as advanced as we now are? Somehow I think not.

For more info, and registration information point your browser here, if you can make it, let me know via the comments and it’d be good to hook up for a beer or 2.

After the conference there will also be a fireworks display and a fun fair. What more could you ask for a security conference, a bar, fireworks and a funfair sounds like a great evening to me!

Share

Apple Safari Denial Of Service (iPhone, iPad, iPod, OS X, Windows) 0-Day

I’ve spent a lot of time thinking about what to do with this one, and when I say a lot of time, I really mean just over 3 months now. I also informed Apple that I would be writing this article, and asked for an official quote from them, and also a rough date as to when the relevant patches would be disclosed.
I found this one by fuzzing Safari 5.0 on the night that it first came out, I was using Browser Fuzzer 2 (bf2)and then spent a while playing with it to see if I could turn this into more than just a Denial Of Service (DoS), unfortunately I wasn’t able to. This is not to say that it’s not possible to do so, I’m just not too sure on how to do it, it may very well be more than just a DoS with a few tweaks to the code.

I initially tried selling this one to ZDi, but their response to me was fair and to the point:

“Dear xyberpix

We have reviewed your recent case and discovered it was a duplicate of an issue we received in January of this year. We have also determined that this issue is likely non-exploitable. Due to this we are going to pass on the opportunity to pursue acquisition of this vulnerability information through the ZDI program.

Thank you for the submission and we look forward to your future work.

Regards,
The ZDI Team”

So, January 2010 and to date, this still has not been fixed by Apple! People give Microsoft and Adobe a hard time about their time to release patches, but seriously 8 months is really pushing it!

So I figured I’ll see what Apple has to say about this one, and sent it along to their product security team, asking if they were willing to reward vulnerability researchers for their time. I wasn’t asking for anything major at all, maybe the cheap iPad or even just a copy of Logic Studio 9 for my trouble. That’s really not too much to ask really is it? I didn’t have any high hopes though, and well here was their response:

“Hello Xyberpix,

When we address an issue in a Security Update, we give credit to the person who reported the issue to us.  However, Apple does not directly provide financial reward.”

Okay, fair enough, I didn’t go looking for bugs for financial gain, but it would have been a nice token nonetheless. I guess the fact that I’ve been a loyal Apple fan boy for close on 8 years now means nothing to them at all. I guess this is why I’m a firm believer in the No More Free Bugs movement, in the same sense though I can’t sit around idly and wait for what’s been over 3 months since I found this issue, and Apple has not released a patch yet!

Apple also came back to me stating that they had addressed this vulnerability in iOS 3.2 and iOS 4.0, well, erm, dunoo how to tell you guys this but, nope you didn’t. So being the nice guy that I am I sent them the relevant crash logs as requested. Their response was the following:

“Hello xyberpix,

Thank you for forwarding this issue to us.  We take any report of a potential security issue very seriously.

After reviewing the issue, it appears that this denial of service issue results in the unexpected termination of MobileSafari, but not of the host operating system or a system service.  For our internal tracking purposes, this will be classified as a “Crash / Hang” issue. Although we do not see additional security concerns, we do consider this to be an important issue, and are working with the engineering team to address it.

If you have reason to believe that the issue has ramifications beyond terminating Safari (such as terminating the operation of the host operating system or system service, or executing arbitrary code), we would appreciate the steps to reproduce this, or crash logs from when you observed it.”

I then replied asking about this issue on platforms other than iOS, namely Windows and OSX, to which I recieved the following response:

“Hello xyberpix,

The crash is still a security issue on platforms on which it has not been addressed.  So far, it has only been addressed on iOS.

For the protection of our customers, we ask that you do not disclose details of this vulnerability until it has been addressed on all platforms.

When we release an update to address this issue on other platforms, you will be credited for the vulnerability.”

Okay, so let me get this straight, this is not a security issue on iOS, it’s a crash/hang issue, which they have apparently addressed in iOS 4, and I had to bug Apple about the Windows and OS X Safari issues, even after I informed them that it was possible to crash Safari on all platforms, not just iOS? Something’s not quite right here…

When I asked for a rough timescale on when a patch for this is going to be released, I was given the following response:

“The following information should be considered confidential.  We are sharing this information as a status update on an issue you reported.  Please do not share this information with others.

This issue has already been assigned CVE-20xx-xxxx, when it was fixed on iOS.

The issue is currently planned for our next available software update.  I don’t have a date for you yet, but we will coordinate with you closer to the release of the udpate.

I completely understand confidentiality, but I also believe that security researchers should get more than just credit for discovering a vulnerability that Apple’s testers should have found in the first place.

Oh wait, it seems they did find it, but they just claimed to have fixed it, instead of actually fixing it, did I get that right?

My last attempt at contacting Apple was on the 2nd August 2010 to ask if they could please give me an official statement on this issue that I could include in this post, and if there was still no chance at all of getting some sort of reward for this finding. Their response was this:

“Hello xyberpix,

We do appreciate the time you took to find and report the issue to us.

As mentioned, it is not our policy to provide financial compensation for issues.”

I really don’t want this post to be taken the wrong way, yes I was looking for compensation for the vulnerability, but not thousands of dollars, just a little something to make the time spent on this one worthwhile. I also wanted to have an official statement from Apple on this one as to when they are likely to release a patch, neither of which they were willing to do. Personally I don’t feel that either of these things were too much to ask at all from a company that is growing in leaps and bounds each year.

If any Apple employee’s would like to discuss this one further with me, the case number for this issue is 111476071, and you have all my contact details.

As a matter of courtesy and security I will not be publishing the code for this DoS, as I do not believe that would be responsible, once a patch that works has been released by Apple, I will upload the code. I have also removed the CVE number and also the specific function that causes the crash.
I’m really looking forward to all your comments on this one people, as I’d love to hear your views.

Share

Microsoft Black Tuesday Summary – August 2010

I know, I know, I’m a couple of days late in publishing this one, so apologies to all.

If you haven’t seen the latest Microsoft security patches though, then this will be an interesting read to you. Hopefully you’re already in the midst of rolling out these patches though, but if not, have a look below at the nice new patches that you have to look forward to implementing across your estates.

This month there are a total of 15 patches, 9 Critical and 6 Important.
MS10-046 Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Yes

Affected Software: Microsoft Windows

MS10-049 Vulnerabilities in SChannel Could Allow Remote Code Execution (980436)

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Secure Channel (SChannel) security package in Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a specially crafted Web site that is designed to exploit these vulnerabilities through an Internet Web browser. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker’s Web site.

Rating: Critical

Restart Required: Yes

Affected Software: Microsoft Windows

MS10-051 Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (2079403)

This security update resolves a privately reported vulnerability in Microsoft XML Core Services. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. An attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.

Rating: Critical

Restart Required: Yes

Affected Software: Microsoft Windows

MS10-052 Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (2115168)

This security update resolves a privately reported vulnerability in Microsoft MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows

MS10-053 Cumulative Security Update for Internet Explorer (2183461)

This security update resolves six privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Yes
Affected Software: Microsoft Windows, Internet Explorer

MS10-054 Vulnerabilities in SMB Server Could Allow Remote Code Execution (982214)

This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if an attacker created a specially crafted SMB packet and sent the packet to an affected system. Firewall best practices and standard default firewall configurations can help protect networks from attacks originating outside the enterprise perimeter that would attempt to exploit these vulnerabilities.

Rating: Critical

Restart Required: Yes
Affected Software: Microsoft Windows

MS10-055 Vulnerability in Cinepak Codec Could Allow Remote Code Execution (982665)

This security update resolves a privately reported vulnerability in Cinepak Codec. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows

MS10-056 Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (2269638)

This security update resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Critical

Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Office

MS10-060 Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

This security update resolves two privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in convincing a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing the page, as could be the case in a Web hosting scenario.

Rating: Critical

Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows, Microsoft .NET Framework, Microsoft Silverlight

MS10-047 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)

This security update resolves several privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.

Rating: Important
Restart Required: Yes
Affected Software: Microsoft Windows

MS10-048 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2160329)

This security update resolves one publicly disclosed and four privately reported vulnerabilities in the Windows kernel-mode drivers. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Rating: Important
Restart Required: Yes
Affected Software: Microsoft Windows

MS10-050 Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (981997)

This security update resolves a privately reported vulnerability in Windows Movie Maker. The vulnerability could allow remote code execution if an attacker sent a specially crafted Movie Maker project file and convinced the user to open the specially crafted file. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Important
Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows

MS10-057 Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution (2269707)

This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Rating: Important
Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Office

MS10-058 Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)

This security update resolves two privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege due to an error in the processing of a specific input buffer. An attacker who is able to log on to the target system could exploit this vulnerability and run arbitrary code with system-level privileges. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Rating: Important
Restart Required: Yes
Affected Software: Microsoft Windows

MS10-059 Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Tracing Feature for Services. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.

Rating: Important
Restart Required: Maybe, dependent on configuration
Affected Software: Microsoft Windows

Share

Apple iPhone/iPod Touch/iPad Security Update

Yesterday Apple released a security update that patches the Jailbreakme vulnerabilities to stop people Jailbreaking their Apple devices.

Okay, so maybe I’m looking at this the wrong way around, but it seems that when a vulnerability gets a lot of media attention, Apple work the backsides off to get this one patched. I understand that we are talking serious vulnerabilities here, but still. I’ve personally been in contact with Apple for a couple of months now in regards to a DoS vulnerability that I discovered, and still have no time line on when a patch for this will be released, so maybe all that’s needed is to turn this into some media hype, hmmm.

So the vulnerabilities that this patches are the following:

  • FreeTypeCVE-ID: CVE-2010-1797

    Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

    Impact: Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution

    Description: A stack buffer overflow exists in FreeType’s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.

  • IOSurfaceCVE-ID: CVE-2010-2973

    Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

    Impact: Malicious code running as the user may gain system privileges

    Description: An integer overflow exists in the handling of IOSurface properties, which may allow malicious code running as the user to gain system privileges. This issue is addressed through improved bounds checking.

Share

The List Of A 100 Million Facebook Usernames.

By now you’ve probably all heard about the security researcher Ron Bowes, who wrote a script to grab the list of usernames from Facebook’s public directly. You probably also know that the torrent containing all these unique usernames is available as a torrent to download.

You may not know though that at present, on just one torrent site there are currently 4248 people who have downloaded this list, and that there’s a further 8141 currently downloading this list, that’s a hell of a lot of people that are interested in complete strangers personal information and lives.

Let me just set the record straight here as there are quite a few rumors on the Internet at the moment, this was NOT a hack people. The information is publicly available, via Facebook’s directory page. Some say that the users are to blame for not setting their privacy settings securely, others say that Facebook’s convoluted way of implementing user security settings is too complicated for most common users. Me, personally, I’m a member of the latter camp, security settings should be easy for users to apply, not difficult, a simple “Security Yes/No” would be sufficient for most users.

The social engineering possibilities that you could use this list for are just amazing, and you never know when it may come in handy, or is that just me?
Anyway, what’s done is done now.

Oh yeah, I almost forgot, if you want the torrent, well, that can be found right about here, here, or on pretty much any torrent site at the moment, please remember though, if you do download it………..please seed.

Share

Sophos Free Tool To Detect The Windows Shortcut Exploit (.lnk)

The friendly guys over at Sophos have been kind enough to release a protection tool to protect against the now famous Microsoft LNK 0-day vulnerability. Someone had to do it, it’s a shame it wasn’t Microsoft, but hey.
What this tool does is to replace the current Microsoft icon handler with the Sophos one, so it will check all shortcut (LNK) files before allowing them to run, what’s even nicer is that this tool is free, and you can download it from here.

Please note though that this tool does not protect you from  LNK files or targets stored on the local disk or PIF based exploits.

There’s also a video of the tool in action, which you can find on YouTube here.

Share