Openssl patches ASN.1 flaw
Openssl released patched versions today to fix security flaws in the 0.9.7 and 0.9.8 branches of their code. Read the full advisory here.
You can test what version of Openssl you have by using the following command:
# openssl version
One thing to remember is that many distributions fail to follow the projects patching nomenclature, so refer to the distribution's openssl patch to test for vulnerability.
Mike Poor ekim #@# intelguardians.com
Handler on Duty
You can test what version of Openssl you have by using the following command:
# openssl version
One thing to remember is that many distributions fail to follow the projects patching nomenclature, so refer to the distribution's openssl patch to test for vulnerability.
Mike Poor ekim #@# intelguardians.com
Handler on Duty
Keywords:
0 comment(s)
MSIE: One patched, one pops up again (setslice)
If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE.
So: No, surfing with MSIE is still not safe.
References
Defenses
- Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
- Disable ActiveX (take care: windowsupdate needs it, so you need to trust those sites)
- Set the killbits:
{844F4806-E8A8-11d2-9652-00C04FC30871} and {E5DF9D10-3B52-11D1-83E8-00A0C90DC849} - Keep antivirus signatures up to date.
- Keep an eye out for a patch from Microsoft.
- ...
--
Swa Frantzen -- Section 66
OpenSSH 4.4 (and 4.4p1) released
Version 4.4 (and 4.4p1) of OpenSSH was released yesterday. Among other things, it fixed the vulnerability announced earlier this week (CVE-2006-4924) in the CRC compensation attack detector that allowed for a denial of service if using SSH protocol verion 1 (which hopefully no one is using anymore anyway due to the other weaknesses in the protocol).
See http://www.openssh.com for more details.
See http://www.openssh.com for more details.
Keywords:
0 comment(s)
Setslice Killbit Apps
Well... here we are again... seems like only last week, I was putting up killbit apps for "daxctle.ocx"...
(and really, it was 10 days ago... sheesh, how time flies!)
Anyway, I've got two more for you, this time, setting the killbits on a couple versions of webvw.dll, and (as far as we can tell) shutting off access to the stuff that makes IE vulnerable to the "setslice" issue. Note: we've tested these settings against the Metasploit project's test page, and they work. Because MS hasn't released any information as of yet, we're sort of flying blind here... However, that being said, the killbit method is great, because it is completely reversable.
There are two versions of the app, one a standard Windows program, the other a command-line version.
The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer-types out there...) and give you the option to change them. (From SET to UN-SET, and vice versa...)
Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22
The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r"). It will return 0 on success and 1 on failure.
Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271
UPDATE: Should anyone need to know, the CLSIDs that these apps are setting the killbit on are:
{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
(Thanks to Mark for pointing out that I forgot to put that in the diary entry...)
Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians
New diary link: http://isc.sans.org/diary.php?storyid=1747
1 comment(s)
(and really, it was 10 days ago... sheesh, how time flies!)
Anyway, I've got two more for you, this time, setting the killbits on a couple versions of webvw.dll, and (as far as we can tell) shutting off access to the stuff that makes IE vulnerable to the "setslice" issue. Note: we've tested these settings against the Metasploit project's test page, and they work. Because MS hasn't released any information as of yet, we're sort of flying blind here... However, that being said, the killbit method is great, because it is completely reversable.
There are two versions of the app, one a standard Windows program, the other a command-line version.
The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer-types out there...) and give you the option to change them. (From SET to UN-SET, and vice versa...)
Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22
The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r"). It will return 0 on success and 1 on failure.
Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271
UPDATE: Should anyone need to know, the CLSIDs that these apps are setting the killbit on are:
{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}
(Thanks to Mark for pointing out that I forgot to put that in the diary entry...)
Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians
New diary link: http://isc.sans.org/diary.php?storyid=1747
Powerpoint, yet another new vulnerability
Microsoft confirms yet another powerpoint vulnerability that leads to code execution.
Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs, ...
--
Swa Frantzen -- Section 66
0 comment(s)
References
Detection
McAfee has a writeup of the exploit they detected against this vulnerability to connect back to http:// mylostlove1 .6600 .org/[CENSORED] but variants of this will most likely connect to other places.Affected
It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable.Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs, ...
Defenses
- Do not to open ... but we all know how easy it is to social engineer people into opening things anyway.
- Use the PowerPoint Viewer 2003 (nah, not an option if you have a Mac).
- Filter and/or quarantine powerpoint files in the perimeter (prevent powerpoint email attachments and getting powerpoint files on the web), but it's not easy as it has genuine uses and it has the potential of not needed the ".ppt" file extention.
- Keep antivirus signatures up to date.
- Keep an eye out for a patch from Microsoft.
- ...
--
Swa Frantzen -- Section 66
×
![modal content]()
Diary Archives
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago