[Sunnet Alert] Advisory #93 - OS X, Multiple News
Security and IT News Alerts
Alertmailinglist at skiifwrald.com
Thu Feb 23 00:53:04 EST 2006
Sûnnet Beskerming Alert List Advisory #93
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at skiifwrald.com to resolve the
error.
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 OS X
- Remote Hacker Manual Control
=======================================
/*
- Remote or Local - Can it be achieved through a network or
does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be
manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker
get control of your system / website, will they prevent you from
using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Antivirus Company More Dangerous Than Infection
2.2 Identity Breaches Moving Closer
2.3 (ISC)2 Accused of Plagiarism
2.4 BP Plunges Off the Deep End
=======================================
1. SECURITY
1.1 OS X - Remote Hacker Manual Control
-- Products Affected --
OS X
-- Technical Description --
What appears to be a variation on the Oomp / Leap script
hiding mechanism has been identified as affecting Safari, Mail and
manual extraction of archives. This could lead to unexpected
execution of scripts if Safari is set to automatically open 'safe'
files after download, or on double click of a file carrying a custom
icon (a JPEG icon replacing the icon of a Terminal script).
-- Description --
It has been discovered that scripts designed to run in the
Terminal can be automatically run if the 'open safe files' option is
selected in Safari. It is also possible to trick users who have
manually opened the archive into executing the script, through the
use of a custom icon. The advice given in the recommended action
section is considered the best available at this stage to mitigate
the effect of this vulnerability.
-- Recommended Action --
If it hasn't already been deselected, uncheck the 'open
safe files' option in Safari's preference pane, treat downloaded
archives with caution, and avoid using the Administrator account for
everyday actions.
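As an added illustration (not part of the original advisory), the following Python check walks an extracted download and reports files that wear an image name or a custom Finder icon while actually being a shebang script or an executable, which is the disguise described above. The file names, the sample contents and the helper names are constructed for the demonstration; the custom-icon test reads the com.apple.FinderInfo attribute through the macOS xattr(1) tool and simply reports False on other systems.

```python
import os
import stat
import subprocess
import tempfile

# Names a user expects to be harmless media; the trick is a Terminal script wearing one.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".bmp"}
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"GIF8", b"II*\x00", b"MM\x00*", b"BM")
CUSTOM_ICON = 0x0400  # kHasCustomIcon bit of the FinderInfo flags word

def has_custom_icon(path):
    """True if the Finder custom-icon flag is set. Reads com.apple.FinderInfo
    through the macOS xattr(1) tool; on other systems this simply returns False."""
    try:
        out = subprocess.run(["xattr", "-px", "com.apple.FinderInfo", path],
                             capture_output=True, text=True, check=True).stdout
        info = bytes.fromhex("".join(out.split()))
    except (OSError, subprocess.CalledProcessError, ValueError):
        return False
    return len(info) >= 10 and bool(int.from_bytes(info[8:10], "big") & CUSTOM_ICON)

def classify(path):
    """'masquerade': name or icon promises an image but the file is a script or
    executable; 'image': magic number matches; 'other': anything else."""
    with open(path, "rb") as f:
        head = f.read(8)
    looks_image = head.startswith(IMAGE_MAGIC)
    runnable = head.startswith(b"#!") or bool(os.stat(path).st_mode & stat.S_IXUSR)
    if looks_image and not runnable:
        return "image"
    ext = os.path.splitext(path)[1].lower()
    return "masquerade" if runnable and (ext in IMAGE_EXTS or has_custom_icon(path)) else "other"

def scan_archive_dir(root):
    """Walk an extracted download; return paths that should not be double-clicked."""
    return sorted(os.path.join(d, n) for d, _, names in os.walk(root) for n in names
                  if classify(os.path.join(d, n)) == "masquerade")

def build_sample():
    """Constructed sample 'archive' (hypothetical names): a real JPEG header, a
    shell script named like a photo, and a plain text file."""
    root = tempfile.mkdtemp(prefix="advisory93_")
    samples = {"holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
               "party_photo.jpg": b"#!/bin/sh\necho disguised\n",
               "readme.txt": b"just notes\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Run `scan_archive_dir(build_sample())` to see the constructed sample checked, or point it at the directory an archive was extracted into.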
-- Threat Matrix --
            U   O
Home        8   8   (Very High)
Business    8   8   (Very High)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Antivirus Company More Dangerous Than Infection
Following the recent announcement of the Oomp / Leap and Inqtana
worms for OS X, most Antivirus companies that have OS X products
updated their software to detect these latest worms. Unfortunately
for one company, their product was a little over-eager, detecting a
large number of false positives (safe files mis-classified as
infected) and deleting them. Worse, the files being detected were
critical to the operation of other applications, so the fix has led
to a greater risk than an infection would ever have posed.
2.2 Identity Breaches Moving Closer
Public reporting of identity data losses is moving closer to
Australian shores. It was recently revealed that several thousand
students associated with Canterbury University in New Zealand had
potentially had their personal data exposed for an unknown period of
time. Over the weekend it was discovered that people accessing the
University's online student system could view private data on any
student. While the attack requires some level of intent, it is
possible to completely compromise a student's identity based on the
information the system made available. The system has since been
taken offline, and it is not known when it will be made available
again. The discovery could not have come at a worse time for the
University, with classes soon to commence for the new academic year.
2.3 (ISC)2 Accused of Plagiarism
The organisation which manages the CISSP certification, (ISC)2, has
been accused of outright plagiarism with their 'Official (ISC)2 Guide
to the CISSP Exam' book, which is claimed to contain numerous
sections that have been directly plagiarised from multiple sources
without attribution. Examples of the claimed plagiarism have been
published online, which drew a defense from one of the editors of the
book. The defense did not actually address the claims of plagiarism
- choosing to point out, instead, that there is rampant plagiarism
within the industry, and they are not the only ones to do it.
2.4 BP Plunges Off the Deep End
Energy giant BP has taken the unusual step of moving 18,000 corporate
laptops off the company LAN and onto direct connections to the
Internet. Concerned at the increasing attacks from criminal
interests, the company has moved the laptops out of the corporate
network in an effort to protect their internal systems. Most
observers have concerns over this move, claiming that it is more
likely to lead to a major incident than the previous setup. The move
means that each laptop will need to be individually hardened against
attacks (which means against known attacks), and instead of a handful
being directly connected to the Internet, they all will be. This
massive increase in exposure brings a commensurate risk, which
doesn't really appear to have been addressed very well.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at skiifwrald.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.skiifwrald.com
Tel: 0410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist
and, in conjunction with the tools developed by Jongsma & Jongsma
Pty. Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.