Openssl patches ASN.1 flaw

Published: 2006-09-28
Last Updated: 2006-09-29 03:35:13 UTC
by Mike Poor (Version: 1)
OpenSSL released patched versions today to fix security flaws in the 0.9.7 and 0.9.8 branches of their code. Read the full advisory here

You can check which version of OpenSSL you have with the following command:

# openssl version

One thing to remember is that many distributions do not follow the project's patching nomenclature, so refer to the distribution's OpenSSL patch to test for vulnerability.

Mike Poor   ekim   #@#  intelguardians.com
Handler on Duty

MSIE: One patched, one pops up again (setslice)

Published: 2006-09-28
Last Updated: 2006-09-28 22:58:47 UTC
by Swa Frantzen (Version: 5)

If you remember the Month of Browser Bugs series of exploits back in July, there was a denial of service in it that appears to allow code execution after all. Coincidence or not, it was publicly released after the out-of-cycle Microsoft patch for MSIE.

So: No, surfing with MSIE is still not safe.

References

Defenses

  • Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
  • Disable ActiveX (take care: Windows Update needs it, so you need to trust those sites)
  • Set the killbits:
    {844F4806-E8A8-11d2-9652-00C04FC30871} and {E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
  • Keep antivirus signatures up to date.
  • Keep an eye out for a patch from Microsoft.
  • ...

--
Swa Frantzen -- Section 66



OpenSSH 4.4 (and 4.4p1) released

Published: 2006-09-28
Last Updated: 2006-09-28 17:43:14 UTC
by Jim Clausing (Version: 2)
Version 4.4 (and 4.4p1) of OpenSSH was released yesterday. Among other things, it fixed the vulnerability announced earlier this week (CVE-2006-4924) in the CRC compensation attack detector that allowed for a denial of service if using SSH protocol version 1 (which hopefully no one is using anymore anyway due to the other weaknesses in the protocol).

See http://www.openssh.com for more details.

Setslice Killbit Apps

Published: 2006-09-30
Last Updated: 2006-09-30 15:17:50 UTC
by Tom Liston (Version: 4)
Well... here we are again...  seems like only last week, I was putting up killbit apps for "daxctle.ocx"... 

(and really, it was 10 days ago... sheesh, how time flies!)

Anyway, I've got two more for you, this time, setting the killbits on a couple versions of webvw.dll, and (as far as we can tell) shutting off access to the stuff that makes IE vulnerable to the "setslice" issue. Note: we've tested these settings against the Metasploit project's test page, and they work. Because MS hasn't released any information as of yet, we're sort of flying blind here... However, that being said, the killbit method is great, because it is completely reversible.

There are two versions of the app, one a standard Windows program, the other a command-line version. 

The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer-types out there...) and give you the option to change them. (From SET to UN-SET, and vice versa...)

Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22

The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r").  It will return 0 on success and 1 on failure.

Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271

UPDATE: Should anyone need to know, the CLSIDs that these apps are setting the killbit on are:

{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}

(Thanks to Mark for pointing out that I forgot to put that in the diary entry...)

Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians

New diary link: http://isc.sans.org/diary.php?storyid=1747
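
The killbit defense named in the MSIE diary above and in this one, as an added PowerShell example (not the code of the apps linked in the diary). It assumes the standard Internet Explorer killbit location, the `Compatibility Flags` DWORD with bit 0x400 under `ActiveX Compatibility\{CLSID}`; the function names are this example's own. Like the command-line app, it sets the bits when run with no arguments, clears them when run with any argument, and exits 0 on success or 1 on failure.

```powershell
# Added example, not the diary's apps. Run elevated. On 64-bit Windows, 32-bit IE
# reads the Wow6432Node copy of this key, which this script does not touch.
$Base    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$Flag    = 'Compatibility Flags'   # REG_DWORD holding per-control flags
$KillBit = 0x400                   # bit that stops IE from instantiating the control
$Clsids  = '{844F4806-E8A8-11d2-9652-00C04FC30871}',
           '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'

function Get-CompatFlags([string]$Clsid) {
    # Current flags for one CLSID; 0 when the key or value does not exist.
    $item = Get-ItemProperty -Path (Join-Path $Base $Clsid) -Name $Flag -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return $item.$Flag
}

function Test-KillBits {
    # Combined status, ANDed: true only when every CLSID has the killbit.
    foreach ($c in $Clsids) {
        if (((Get-CompatFlags $c) -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

function Set-KillBits([switch]$Remove) {
    foreach ($c in $Clsids) {
        $key = Join-Path $Base $c
        $old = Get-CompatFlags $c
        # Touch only the killbit so other compatibility flags survive a set/unset cycle.
        $new = if ($Remove) { $old -band (-bnot $KillBit) } else { $old -bor $KillBit }
        if ($new -eq $old) { continue }   # already in the requested state
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $Flag -Value $new -PropertyType DWord -Force | Out-Null
    }
}

$ErrorActionPreference = 'Stop'
try {
    $unset = $args.Count -gt 0            # any argument means "unset", as with the cmd app
    Set-KillBits -Remove:$unset
    if ((Test-KillBits) -eq $unset) { throw 'registry state does not match the request' }
    "Killbits set on both CLSIDs: $(Test-KillBits)"
    exit 0
} catch {
    Write-Warning "$_"
    exit 1
}
```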

Keywords: killbit setslice

Powerpoint, yet another new vulnerability

Published: 2006-09-28
Last Updated: 2006-09-28 02:09:35 UTC
by Swa Frantzen (Version: 1)
Microsoft confirms yet another PowerPoint vulnerability that leads to code execution.

References

Detection

McAfee has a writeup of the exploit they detected against this vulnerability; it connects back to http:// mylostlove1 .6600 .org/[CENSORED], but variants of this will most likely connect to other places.

Affected

It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable.

Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs, ...

Defenses

  • Do not open ... but we all know how easy it is to social engineer people into opening things anyway.
  • Use the PowerPoint Viewer 2003 (nah, not an option if you have a Mac).
  • Filter and/or quarantine PowerPoint files at the perimeter (block PowerPoint email attachments and PowerPoint downloads from the web), but it's not easy, as the format has genuine uses and a file does not need the ".ppt" extension.
  • Keep antivirus signatures up to date.
  • Keep an eye out for a patch from Microsoft.
  • ...

If you do run into a sample, we're interested in obtaining one (to add to our collection ;-) )

--
Swa Frantzen -- Section 66
