[Sunnet Alert] Advisory #199 - QuickTime, PDF, Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Fri Jan 5 01:36:56 EST 2007


Sûnnet Beskerming Alert List Advisory #198

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	QuickTime (multiple)
	- Remote Hacker Automatic Control
	- Time Since Discovery - 2-3 Days
1.2	PDF
	- Remote Hacker Automatic Data Theft / Control
	- Time Since Discovery - 1 Day
=======================================
/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data.
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1	Where Did We Go?
2.2	Various Windows Happenings
=======================================

1.	SECURITY

1.1	QuickTime - Remote Hacker Manual Control

	-- Products Affected --
	QuickTime 7.1.3 and possibly all earlier versions

	-- Technical Description --
	Arbitrary code execution is possible through a buffer overflow in  
QuickTime's handling of rtsp:// URLs, and separately through the  
handling of data passed in the HREFTrack field of QuickTime content.  
At this stage, working exploit code has been demonstrated against  
Windows systems for both issues, and an rtsp exploit sample has been  
created for OS X.

	-- Description --
	The new 'Month of Apple Bugs' effort has released its first  
vulnerabilities affecting OS X, both in QuickTime, and both allowing  
an attacker to run software of their choice on a victim's system.  The  
first makes use of a weakness in one of the streaming protocols that  
QuickTime supports for media developers; the second lies in the  
handling of the HREFTrack field of QuickTime content.  Although the  
initial disclosure did not state whether the Windows version of  
QuickTime is affected, exploit code has since been demonstrated  
against it, so Windows users should treat themselves as vulnerable.

	-- Recommended Action --
	Concerned users and administrators may disable support for the rtsp  
protocol through the QuickTime Control Panel / Preference Pane: select  
File Types / Advanced -> MIME Settings and deselect the RTSP stream  
description under Streaming - Streaming Movies.  Note that this only  
addresses the rtsp issue, not the HREFTrack one.  Alternatively, APE  
(Application Enhancer) modules that work around the rtsp issue are  
available for concerned OS X users.

	-- Source --
	http://projects.info-pull.com/moab/MOAB-01-01-2007.html
	http://projects.info-pull.com/moab/MOAB-03-01-2007.html
	
	-- Threat Matrix --
			U	O
	Home User	8	8  (Very High)
	Corporate	8	8  (Very High)


1.2	PDF - Remote Hacker Automatic Data Theft / Control

	-- Products Affected --
	Adobe Acrobat Reader 7 and below

	-- Technical Description --
	It has been discovered that arbitrary JavaScript can be run in the  
context of a site by appending it to the URL of any PDF document the  
site hosts, after the '#' fragment marker.  The script is executed by  
the in-browser PDF plugin, so browser flaws can then be targeted to  
obtain sensitive data from the victim's system, or even to take  
control of it.  'Control' here also covers impersonation: the script  
runs as if it had been called by the legitimate site, so cookies and  
session data for that site are exposed, and the attacker can access  
the site as if they were the user.  Exploitation has been reported to  
be inconsistent across the different browsers and platforms in use.  
Essentially, every PDF file on a website becomes a reliable XSS  
injection point for that site, and because the fragment part of a URL  
is never sent to the server, the payload is invisible to web  
application firewalls as well.

	-- Description --
	A presentation at the 23rd Chaos Communication Congress (23C3) in  
Berlin demonstrated that PDF content on websites can be used to  
provide reliable Cross Site Scripting opportunities that current web  
application firewalls do not detect.  The scope of the disclosed  
vulnerability is that an attacker can use any PDF file on a company's  
site to present whatever content they want to site visitors (who have  
been convinced to click on a malicious link), or to steal  
authentication or other potentially sensitive information from any  
cookies associated with the site.  Helpfully for users, the  
demonstrated vulnerability can not be reliably run on all platforms  
and browsers.

	-- Recommended Action --
	Concerned users and administrators may change the way their web  
browser of choice handles PDF content: set it to 'Save to Disk' or  
equivalent instead of viewing in the browser, so that the in-browser  
plugin never receives the URL.
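	As an added illustration (not part of the original advisory or of  
the 23C3 paper), the following Python shows the two points above: why  
a payload placed after '#' in a PDF URL never reaches the origin  
server or a WAF in front of it, and a server-side counterpart of the  
'Save to Disk' advice, a WSGI middleware that sends every  
application/pdf response with Content-Disposition: attachment so the  
browser downloads the file rather than handing it to the in-browser  
plugin.  The attack URL, the sample application and the open-parameter  
name 'x' are constructed for the example; whether a given browser  
honours the attachment disposition for plugin-handled types is an  
assumption to verify against the browsers actually in use.

```python
"""Fragment-based PDF XSS: what the server sees, and a download-forcing fix.

Added example, not code from the advisory. Two things are shown:
  1. request_target(): the fragment (everything after '#') is stripped by
     the browser before the request is sent, so a javascript: payload placed
     there is invisible to the origin server and to any WAF in front of it;
  2. PdfAttachmentMiddleware: a WSGI wrapper that forces application/pdf
     responses to be downloaded (Content-Disposition: attachment) instead of
     being rendered by the in-browser PDF plugin.
"""
from urllib.parse import quote, urlsplit


def request_target(url: str) -> str:
    """Return the path?query a browser actually sends for `url`.

    The fragment is dropped, exactly as a browser does before sending the
    request; only the client-side plugin ever gets to see it.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


class PdfAttachmentMiddleware:
    """WSGI middleware: serve application/pdf responses as downloads."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            headers = list(headers)
            ctype = next((v for k, v in headers
                          if k.lower() == "content-type"), "")
            if ctype.split(";")[0].strip().lower() == "application/pdf":
                # Drop any existing disposition so an 'inline' cannot win,
                # then force a download under the request's own file name.
                headers = [(k, v) for k, v in headers
                           if k.lower() != "content-disposition"]
                name = environ.get("PATH_INFO", "/").rsplit("/", 1)[-1]
                headers.append(("Content-Disposition",
                                "attachment; filename*=UTF-8''"
                                + quote(name or "document.pdf")))
            return start_response(status, headers, exc_info)
        return self.app(environ, patched_start_response)


def serve(app, path: str):
    """Push one GET through a WSGI app; return (status, headers, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo_pdf_app(environ, start_response):
    """Constructed stand-in for a site that serves a PDF inline."""
    start_response("200 OK", [("Content-Type", "application/pdf"),
                              ("Content-Disposition", "inline")])
    return [b"%PDF-1.4\n% constructed sample, not a real document\n"]


if __name__ == "__main__":
    # Constructed attack URL in the shape the advisory describes: the payload
    # rides in the fragment, so the server never receives it.
    url = ("http://www.example.com/reports/annual.pdf"
           "#x=javascript:alert(document.cookie)")
    print("sent to server:", request_target(url))
    status, headers, _ = serve(PdfAttachmentMiddleware(demo_pdf_app),
                               "/reports/annual.pdf")
    print(status, headers)
```

	Wrap an existing WSGI application with PdfAttachmentMiddleware and  
every PDF it serves is downloaded rather than rendered in the browser,  
which is the same effect as the per-user 'Save to Disk' setting but  
enforced for all visitors.  It does nothing for PDFs hosted elsewhere  
or opened from the local disk.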

	-- Source --
	http://events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf

	-- Threat Matrix --
			U	O
	Home User	9	9  (Critical)
	Corporate	9	9  (Critical)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	Where Did We Go?

Subscribers might be wondering why there has been no news from us for  
a couple of weeks.  While it might be nice to think that we stopped  
operating services over the Christmas / New Year period, the simple  
truth is that there have not been any Information Security incidents  
of note over the last several days.  Luckily, this period has not seen  
the discovery of active malware and '0-day' infections such as took  
place around this time last year, when the WMF vulnerability was  
massively exploited.

Rest assured, critical information that did come up was still  
released to our paying subscribers.  It is also important to note  
that we selectively identify which items will be reproduced in our  
free lists, so not all security items that we have identified,  
analysed and reported on will be released openly.

2007 looks like it will have much to offer us.  We look forward to  
increasing our presence across numerous countries and operations,  
especially throughout Australia and South America (Brazil mainly).   
Already we have had more recognition via the Internet Storm Center,  
this time with assistance being passed on the QuickTime vulnerability  
mentioned above, and we had recognition late last year with one of  
the commentary pieces written by one of our employees receiving  
fairly wide coverage across a number of InfoSec sites.


2.2	Various Windows Happenings

While not much has happened security-wise over the last several days,  
there have been a couple of important developments in terms of the  
threats facing Windows users.  The memory disclosure vulnerability  
that was disclosed just before Christmas (Advisory #25 on the  
fee-based list) appears to have been extended into an arbitrary code  
execution exploit, allowing an attacker to run software of their  
choice on a victim's system.  At this stage the Proof-of-Concept  
release can not be triggered remotely and relies upon a local user  
interacting with the code first.  With the code specifically written  
to target Windows Vista, this could mark the first Vista-dedicated  
arbitrary code execution exploit (other Windows systems are also  
vulnerable, but exploit code for them has not yet been released).

If this particular example can be combined with the discovery that it  
might be very simple to make Vista believe that it has not been  
activated correctly, thus forcing it into 'Reduced Functionality'  
mode, it could make for a very interesting attack.  As 'Reduced  
Functionality' mode does not activate immediately, there is a  
significant delay between infection / attack and payload activation,  
the result of which is that users can not use most of the applications  
on their system, because it believes it is no longer a properly  
validated installation.

As of the new year, Microsoft no longer supports the Windows Defender  
(http://www.microsoft.com/athome/security/spyware/software/default.mspx)  
anti-spyware tool on Windows 2000-based systems (and there are reports  
that other systems will need to reinstall the tool - it may have  
quietly deactivated at the end of the year if users were running Beta  
2 of the tool).  In addition to not being supported, the tool can not  
even be installed on Windows 2000 systems, which means that  
administrators and users of those systems will need to find additional  
tools to install and operate to stay safe from spyware-related attack.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.

