[Sunnet Alert] Advisory #122 - Safari, Firefox, PHP, Winny, Ethereal, Multiple News
Security and IT News Alerts
Alertmailinglist at skiifwrald.com
Tue Apr 25 15:01:06 EST 2006
Sûnnet Beskerming Alert List Advisory #122
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at skiifwrald.com or
info at beskerming.com to resolve the error.
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Safari (Multiple)
- Remote Hacker Automatic Denial of Service
1.2 Firefox
- Remote Hacker Automatic Control and Denial of Service
1.3 PHP
- Remote Hacker Automatic Control and Denial of Service
1.4 Winny
- Remote Hacker Automatic Control
1.5 Ethereal
- Remote Hacker Automatic Control
=======================================
/*
- Remote or Local - Can it be achieved through a network or
does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be
manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker
get control of your system / website, will they prevent you from
using it, or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Ex-CA CEO Pleads Guilty
2.2 197,000 Privacy Records Exposed
2.3 Some Minor Refinement
=======================================
1. SECURITY
1.1 Safari (Multiple) - Remote Hacker Automatic Denial of Service
-- Products Affected --
Safari 2.0.3 and earlier
-- Technical Description --
Multiple DoS vulnerabilities based on malformed HTML
input. Public PoC code is available which demonstrates not only the
DoS against Safari, but also a DoS against OS X. The exploit is
reported to result in complete lock up of the system (even Apple+Opt
+Esc won't work very well) and appears to be the result of memory/
resource exhaustion.
-- Description --
The latest set of vulnerabilities affecting Internet
browsers based on malformed input has been announced and affects
Apple's default Safari browser. A set of vulnerabilities which
result in a Denial of Service against the browser, and eventually the
system, have been disclosed. A public proof of concept example has
been provided.
-- Recommended Action --
Consider the use of alternate browsers until Apple is able
to release a patch, and apply care to visiting untrusted sites.
-- Source --
Yannick Von Arx (yannick[dot]vonarx[at]yanux[dot]ch) -
www.yanux.ch/exploits/safari
-- Threat Matrix --
              U   O
  Home        3   3 (Low)
  Business    3   3 (Low)
1.2 Firefox - Remote Hacker Automatic Control and Denial of Service
-- Products Affected --
Firefox version 1.5.0.2 and possibly earlier (Windows and
Linux)
-- Technical Description --
Buffer overflow (arbitrary code execution) in Firefox
(Windows and Linux) due to improper handling of
'iframe.contentWindow.focus()', which also causes DoS. Full exploit
code has been publicly posted.
-- Description --
Following on from the Safari vulnerabilities disclosed
above, a '0-day' exploit has been released for a serious
vulnerability with the popular Firefox Internet browser. The
vulnerability is due to poor handling of certain JavaScript functions
which leads to a crash of the browser and can allow the remote
attacker to run software of their choice.
-- Recommended Action --
Consider the use of alternate browsers until Mozilla is
able to update the browser.
-- Source --
http://www.securident.com/vuln/ff.txt
-- Threat Matrix --
              U   O
  Home        8   8 (Very High)
  Business    8   8 (Very High)
1.3 PHP - Remote Hacker Automatic Control and Denial of Service
-- Products Affected --
PHP 5.1.2 and earlier (including 4.4.2 and earlier)
-- Technical Description --
A range of issues with 'wordwrap()' - buffer overflow and
arbitrary code execution [PHP 4 and 5], 'substr_compare()' - DoS [PHP
4 and 5], and 'array_fill()' - DoS [PHP 5].
-- Description --
The PHP scripting language has been found to contain a
series of vulnerabilities that can lead to an attacker running
software of their choice on a vulnerable system, or leave the system
unusable for legitimate users. Sample exploit code has been
provided by the discoverers. The Threat Matrix is not higher due to
the requirement for the attacker to be able to run arbitrary PHP
content on the victim system. This is readily achievable by
blending attacks with vulnerabilities in other products.
-- Recommended Action --
Review the use of vulnerable functions in PHP scripts that
are exposed to users. Review the ability of remote users to run
scripts of their choice. Apply the latest patches from php.net when
they are made available.
-- Source --
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-04-02
-- Threat Matrix --
              U   O
  Home        7   7 (High)
  Business    7   7 (High)
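The review step recommended above (checking whether user-facing scripts pass request input to wordwrap(), substr_compare() or array_fill()) can be given a head start with a small scanner. This is an added example, not code from the advisory, Infigo or php.net; the PHP it scans is a constructed sample, and the one-hop taint check is a heuristic for prioritising manual review, not an analysis of the underlying bugs.

```python
import re

# The three functions named in the advisory.
VULN_FUNCS = ("wordwrap", "substr_compare", "array_fill")
# Superglobals that carry remote user input.
INPUT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")

# PHP function names are case-insensitive, hence IGNORECASE.
CALL_RE = re.compile(r"\b(" + "|".join(VULN_FUNCS) + r")\s*\(", re.IGNORECASE)
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]*);")

def _call_args(src, start):
    """Return the text inside the balanced parentheses opening at src[start]."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    return src[start + 1:]          # unbalanced input: take the rest

def find_risky_calls(src):
    """Return (line, function, reason) for each call to a vulnerable function
    whose arguments mention a request superglobal, or a variable assigned
    from one earlier in the file (one assignment hop, no flow analysis)."""
    tainted = {m.group(1) for m in ASSIGN_RE.finditer(src)
               if any(s in m.group(2) for s in INPUT_SOURCES)}
    hits = []
    for m in CALL_RE.finditer(src):
        args = _call_args(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        func = m.group(1).lower()
        if any(s in args for s in INPUT_SOURCES):
            hits.append((line, func, "request input passed directly"))
        elif any(re.search(re.escape(v) + r"\b", args) for v in tainted):
            hits.append((line, func, "variable derived from request input"))
    return hits

# Constructed sample script, not code from any real application.
SAMPLE_PHP = """<?php
$text = $_POST['body'];
$width = (int) $_GET['w'];
echo wordwrap($text, $width, "\\n", true);
$safe = wordwrap("fixed string", 20);
if (substr_compare($_REQUEST['a'], "abc", 0) === 0) { echo "match"; }
$rows = array_fill(0, 10, "x");
"""
```

Calling find_risky_calls(SAMPLE_PHP) flags the wordwrap() call on line 4 (arguments derived from request input) and the substr_compare() call on line 6 (request input passed directly), while the constant-argument calls are left for normal review.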
1.4 Winny - Remote Hacker Automatic Control
-- Products Affected --
Winny 2.0b7.1 and earlier
-- Technical Description --
Heap overflow leading to arbitrary code execution (in the
context of the user using Winny).
-- Description --
The popular Japanese P2P software, Winny, has been
discovered to contain a vulnerability which can lead to remote
attackers being able to run software of their choice on a vulnerable
system. Based on the serious worms and vulnerabilities that have
plagued the Winny network in the past (reference previous data theft
cases), it is likely that the new vulnerability will be actively
exploited in a reasonable timeframe.
-- Recommended Action --
Review the use of Winny until a patch can be made available
from the vendor.
-- Source --
Yuji Ukai, as reported by eEye -
http://www.eeye.com/html/research/advisories/AD20060421.html
-- Threat Matrix --
              U   O
  Home        8   8 (Very High)
  Business    8   8 (Very High)
1.5 Ethereal - Remote Hacker Automatic Control
-- Products Affected --
Ethereal 0.8.5 to 0.10.14
-- Technical Description --
Multiple vulnerabilities leading to arbitrary code
execution and control of vulnerable devices. The vulnerabilities
derive from infinite loop, off-by-one and buffer overflow issues
affecting the H.248, UMA, X.509if, SRVLOC, H.245, COPS, ALCAP, AIM,
RPC, DCERPC, ASN.1, SMB PIPE, BER, SNDCP, telnet, DCERPC NT, and PER
dissectors, and the OID printing, statistics counter, Network
Instruments, and NetXray/Windows Sniffer modules (FrSIRT). The
vulnerabilities can be exploited via malformed packets or trace files.
-- Description --
Ethereal is a popular piece of security software which is
used to investigate potentially malicious traffic traversing
networks. A large number of vulnerabilities have been discovered and
announced which affect the software. The vulnerabilities can allow a
remote attacker to run software of their choice on the vulnerable
system by sending malicious network traffic to it.
-- Recommended Action --
Conflicting advice suggests that version 0.99.0 is not
vulnerable; however, Ethereal's own advisory indicates that there is
no current workaround. Consider limiting the use of Ethereal (or at
least the use of the vulnerable dissectors and modules) until a
secured update can be released.
-- Source --
http://www.ethereal.com/appnotes/enpa-sa-00023.html
-- Threat Matrix --
              U   O
  Home        8   8 (Very High)
  Business    8   8 (Very High)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Ex-CA CEO Pleads Guilty
Computer Associates' former CEO, Sanjay Kumar, has pleaded guilty to
securities fraud and obstruction of justice in relation to a massive
fraud that was perpetrated from 1999-2001, when billions of dollars
worth of income was improperly booked. The former head of worldwide
sales for the company has also pleaded guilty to similar charges over
the same incidents. This follows on from a 2004 payout where nearly
a quarter of a billion dollars was paid to shareholders in order to
defer prosecution over the illegal actions.
2.2 197,000 Privacy Records Exposed
One of the biggest privacy-related breaches has recently been
identified by the University of Texas, where 197,000 people had their
records accessed by a hacker or hackers from Asia ("the Far East" in
the original report). The records were of alumni, current students,
prospective students, faculty, staff, and corporate recruiters
associated with the McCombs School of Business located at the
University of Texas. The University President has urged anybody
associated with the Business School to ensure that their personal data
has not been used for identity theft. To aid this, the University
established a webpage with details on various steps that could be
taken, although no indication was given as to whether the University
would pay for fraud checks for affected individuals. This is the
latest in a series of breaches to affect Business Schools linked to
major universities - the impact of which is an exercise left to the
reader. A potential breach at another US University was also the
source for active discussion recently on a security mailing list -
the affected institution is expected to be identified in coming days.
2.3 Some Minor Refinement
A minor refinement has been made to the Advisory format. Regular
recipients would be aware that commentary is also posted to the list,
replacing the weekly columns that used to be generated. Sûnnet
Beskerming have also modified the format for the Advisories, adding
links to the original disclosure of vulnerabilities and issues when
appropriate. This added feature will allow concerned recipients to
further investigate the issues that have been reported, and follow up
on them as required. This step also helps resolve issues over
claimed ownership of vulnerability reports (which Sûnnet Beskerming
has never claimed), by providing links to the original reports.
Where multiple sources have provided details, the link will point to
the most authoritative (usually the first reporter).
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.skiifwrald.com/sunnet
http://www.beskerming.com
Tel: 0410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.