MAAS History
Archives
Sunday, May 3, 2009

Spam Related to CDC, WHO and Swine Flu

There has been a drastic increase in spam related to the recent outbreak of Swine Flu. Many recent messages contain links and file attachments that direct users to malicious sites, and there are also reported cases of malicious files being included directly. It is important that users only open email from trusted sources. 

One way to help users become better educated is to create a sample white paper for your organization. Marshal8e6's TRACElabs is an excellent starting point, including definitions and examples. 


Wednesday, April 29, 2009

New Zero Day Adobe Acrobat Reader Exploits

Attackers continue to use maliciously crafted PDF files and JavaScript to take advantage of users. Once the user opens a file carrying the exploit, an attacker can execute code with the user's privileges. (Note the importance of working as a non-root user!)

The exploit uses two functions specific to Acrobat, spell.customDictionaryOpen() and getAnnots(). The first is related to spell checking with a custom dictionary and the second is the getter method for annotations. The proof of concept was posted by "Arr1val" and possibly affects all versions of Acrobat Reader. 

You should have already disabled JavaScript in Acrobat. Other workarounds include using Preview.app to open PDF files or blocking PDF files at the firewall. Please see the reference links for this post for alternatives to Acrobat Reader. 


Thursday, April 23, 2009

Firefox 3.09 Update Fixes Memory Corruption and Same-Origin Violations

There are four crash bugs which lead to memory corruption. If the user has root privileges, an attacker could execute code with those privileges. 

Same-origin is a concept that relates to scripting in web pages: scripts originating from the same site may access each other's methods and variables without limits, while scripts from different sites may not. One of the same-origin violations fixed in this update involves the Adobe Flash plug-in. Such violations can allow attackers to execute scripts in the context of a legitimate web site, using cross-site scripting (XSS) or cross-site request forgery (CSRF). 
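
The origin comparison described above, as an added Go example that is not part of the original post or of Firefox: it reduces each URL to the (scheme, host, port) triple a browser compares, treats a missing port as the scheme's default, and reports whether two URLs may share scripts and data. The host names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// origin is the (scheme, host, port) triple that browsers compare under the
// same-origin policy. Path, query and fragment are deliberately not part of it.
type origin struct {
	scheme string
	host   string
	port   string
}

// defaultPorts maps a scheme to the port a browser assumes when none is given.
var defaultPorts = map[string]string{"http": "80", "https": "443"}

// parseOrigin reduces a URL to its origin, normalising case and filling in
// the scheme's default port so "http://a.example" and "http://a.example:80"
// compare equal.
func parseOrigin(raw string) (origin, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return origin{}, err
	}
	if u.Scheme == "" || u.Hostname() == "" {
		return origin{}, fmt.Errorf("%q has no scheme or host", raw)
	}
	scheme := strings.ToLower(u.Scheme)
	port := u.Port()
	if port == "" {
		port = defaultPorts[scheme]
	}
	return origin{scheme: scheme, host: strings.ToLower(u.Hostname()), port: port}, nil
}

// SameOrigin reports whether two URLs share scheme, host and port. Scripts
// loaded from two URLs for which this is false must not be able to read each
// other's DOM, variables or responses.
func SameOrigin(a, b string) (bool, error) {
	oa, err := parseOrigin(a)
	if err != nil {
		return false, err
	}
	ob, err := parseOrigin(b)
	if err != nil {
		return false, err
	}
	return oa == ob, nil
}

func main() {
	// Constructed sample pairs; the hosts are illustrative, not real sites.
	pairs := [][2]string{
		{"http://bank.example/login", "http://bank.example/account?id=1"},
		{"http://bank.example/", "http://bank.example:80/"},
		{"http://bank.example/", "https://bank.example/"},
		{"http://bank.example/", "http://bank.example:8080/"},
		{"http://bank.example/", "http://evil.example/"},
		{"http://bank.example/", "http://api.bank.example/"},
	}
	for _, p := range pairs {
		same, err := SameOrigin(p[0], p[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-30s vs %-32s same-origin=%v\n", p[0], p[1], same)
	}
}
```

Only the first two pairs are same-origin; a different scheme, a non-default port or a subdomain each yields a distinct origin, which is why a plug-in or browser bug that blurs this boundary lets a hostile page act as the legitimate site.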

It is recommended that this update be installed. 

Thursday, April 16, 2009

Zero Day Excel Flaw Patched from February 2009

The security bulletin describes an attacker's ability to use a "malformed object" to cause memory corruption, allowing them to gain access to the system as the current user. Without repeating the importance of doing general computer activities such as web surfing, reading email and performing office tasks as a limited user, users need to install this update. The attacker assumes the user's permissions and can operate as such.

This update is available for download using the Microsoft Update tool in Office. The flaw affects both Windows and Macintosh platforms. It has been in the wild since February 2009 and is being actively exploited across both platforms. 

Sunday, April 5, 2009

Proof of Concept Exploit Code Published

Six kernel vulnerabilities have been published which affect Mac OS X, including five which can be used to exploit 10.5.6. They can be viewed on Milw0rm.com; see the link to the Apple-specific exploits on the sidebar. These exploits can also affect Solaris and FreeBSD kernels. FreeBSD has been patched; Mac OS X has not as of yet.

The first issue exploits a remote heap overflow in the AppleTalk network stack. The second and third exploit a memory leak which can cause the kernel to run out of memory. The fourth relates to an HFS vfs sysctl flaw which allows a global variable to be altered without locking the mutual exclusion object (mutex). A mutex is used to let multiple program threads share a resource safely: a thread locks the mutex before touching the resource, which keeps other threads out until it unlocks. In this case the locking does not happen, creating the potential for memory corruption.
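
To make the locking point concrete, the following added Go example (not code from the original post or from Apple) updates a shared counter from several threads with and without holding a mutex. The unlocked variant loses increments in the same way an unlocked global in a kernel can end up holding a value no single thread wrote; the worker and iteration counts are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sync"
)

// sharedState models a global that several threads update. The unlocked
// path loses updates exactly the way the HFS sysctl flaw described above does.
type sharedState struct {
	mu      sync.Mutex
	counter int64
}

// addUnlocked writes the global without taking the mutex: each increment is a
// read-modify-write that another thread can interleave with, so some are lost.
func (s *sharedState) addUnlocked(n int) {
	for i := 0; i < n; i++ {
		s.counter++ // racy: no mutex held
	}
}

// addLocked holds the mutex across each update, so every increment lands.
func (s *sharedState) addLocked(n int) {
	for i := 0; i < n; i++ {
		s.mu.Lock()
		s.counter++
		s.mu.Unlock()
	}
}

// Run starts `workers` goroutines that each add `iters` to the counter and
// returns the final value. With locked=false the result is usually below
// workers*iters on a multi-core machine; with locked=true it is always exact.
func Run(workers, iters int, locked bool) int64 {
	var s sharedState
	var wg sync.WaitGroup
	for w := 0; w < workers; w++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if locked {
				s.addLocked(iters)
			} else {
				s.addUnlocked(iters)
			}
		}()
	}
	wg.Wait() // all writers are done, so reading counter here is safe
	return s.counter
}

func main() {
	const workers, iters = 8, 200000
	want := int64(workers * iters)
	fmt.Printf("expected %d\n", want)
	fmt.Printf("unlocked %d (lost updates: the global no longer reflects the work done)\n", Run(workers, iters, false))
	fmt.Printf("locked   %d\n", Run(workers, iters, true))
}
```

The kernel case is worse than a wrong count: when the unguarded global is a pointer or a length used by other code, the torn value becomes the memory corruption the post warns about. Running the example under `go run -race` reports the unlocked data race directly, which is the same class of check kernel developers rely on lock assertions for.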

The last has been known for some time; it relates to the HFS I/O control (IOCTL) handler. User-supplied code can be inserted and executed with kernel-level privileges.