SANS ISC: InfoSec Handlers Diary Blog
A Report from the Field

Published: 2006-09-29
Last Updated: 2006-09-29 21:46:52 UTC
by Kevin Liston (Version: 2)
Kevin Shea wrote in to report:

Yesterday morning (9/27) when dropping off my son at school, I told his first grade teacher about the VML exploits and patch availability. She said she had computers at home and would call her husband to make sure they were patched.


When my significant other picked him up around 5:30, the teachers were all talking about how her husband checked and found out they were infected with one of the trojans. Their bank accounts had been drained by electronic withdrawals and money transfers. Since it had occurred the day before, the bank (unknown) was able to reverse the transfers and replace the money in their accounts. They won't even bounce a check.

After receiving the report, I had a few questions and I received a prompt follow-up. What the thieves did with the money was interesting. Most of the funds were transferred out using one of those services where you can wire cash to people. I'm not sure if these were wired to other accounts using the intermediary, or if people actually walked up to a counter to retrieve the funds. They also used funds in this account to purchase background checks at certain people-search/information-broker companies. Most likely this is an attempt to gather further identities in a way that won't tip off the broker.

Thanks for the report, Kevin. Study hard and get good grades next week at SANS Network Security in Las Vegas! Don't poke your eye out with the antenna in SEC617.

UPDATE: For those who do not read daily, the "VML vulnerability" refers to:
http://www.microsoft.com/technet/security/advisory/925568.mspx


Keywords: identity theft

Apple updates to 10.4.8 and Security Update 2006-006

Published: 2006-09-29
Last Updated: 2006-09-29 20:08:35 UTC
by Joel Esler (Version: 2)
Looks like it's time to click on the Apple in the top left of your screen, followed by "Software Update..." (or however you choose to update).

Lots of Updates today for Apple:

The entire iLife Suite gets an update.

Plus OS X goes from 10.4.7 to 10.4.8, and Security Update 2006-006 is bundled in too. Let's take a look at what's in the update:

The 10.4.8 Update is recommended for all users and includes general operating system fixes, as well as specific fixes for the following applications and technologies:

- connecting to wireless networks using the EAP-FAST protocol
- Apple USB modem reliability
- using OpenType fonts in Microsoft Word
- compatibility with 3rd party USB hubs
- scanner performance
- RAW camera support
- printing documents with Asian language names
- performance of the Translation widget
- broadband network performance

Security Update 2006-006 says:

CFNetwork
CVE-ID: CVE-2006-4390
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: CFNetwork clients such as Safari may allow unauthenticated SSL sites to appear as authenticated

Flash Player
CVE-ID: CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Playing Flash content may lead to arbitrary code execution

ImageIO
CVE-ID: CVE-2006-4391
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted JPEG2000 image may lead to an application crash or arbitrary code execution

Kernel
CVE-ID: CVE-2006-4392
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Local users may be able to run arbitrary code with raised privileges

LoginWindow
CVE-ID: CVE-2006-4397
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: After an unsuccessful attempt to log in to a network account, Kerberos tickets may be accessible to other local users

CVE-ID: CVE-2006-4393
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Kerberos tickets may be accessible to other local users if Fast User Switching is enabled

CVE-ID: CVE-2006-4394
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Network accounts may be able to bypass loginwindow service access controls

Preferences
CVE-ID: CVE-2006-4387
Available for: Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: After removing an account's Admin privileges, the account may still manage WebObjects applications

QuickDraw Manager
CVE-ID: CVE-2006-4395
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Opening a malicious PICT image with certain applications may lead to an application crash or arbitrary code execution

SASL
CVE-ID: CVE-2006-1721
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Remote attackers may be able to cause an IMAP server denial of service

WebCore
CVE-ID: CVE-2006-3946
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4 through Mac OS X v10.4.7, Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Viewing a maliciously-crafted web page may lead to arbitrary code execution

Workgroup Manager
CVE-ID: CVE-2006-4399
Available for: Mac OS X Server v10.4 through Mac OS X Server v10.4.7
Impact: Accounts in a NetInfo parent that appear to use ShadowHash passwords may still use crypt

Updates we are still waiting on from Apple:

- php
- SSL
- SSH


Read all about the update here.