* You are viewing the archive for April, 2010

Exploit Code Published for MS10-020 (KB980232)

Exploit code for MS10-020 (KB980232) has been published here. Please read http://sharpesecurity.blogspot.com/2010/04/problems-with-microsoft-april-2010.html for all known issues with patching MS10-020, paying special attention to the information about MS10-020 and Cisco WAAS-related issues if you use that technology in your environment.

email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity


Problems with Microsoft April 2010 Patch MS10-020 – KB980232

In some cases, there are problems after installing Microsoft April 2010 Patch MS10-020 (KB980232). Microsoft acknowledges that there are problems and is collecting data to determine the root cause(s).

We have seen four symptoms. In each case, removing the KB980232 patch and rebooting the affected machine resolved the problem:

1). Errors saving from Office 2007 applications to network shares.

2). Not being able to read the contents of the Security tab when looking at the properties of a file on a file share.

…


GDI Object Leak Still Present in Adobe Reader 9.3.2 Release

The GDI object leak problem described here is still present in Adobe Reader 9.3.2. Hopefully Adobe will provide a fix soon. People affected by this bug cannot upgrade their Adobe Reader instances to either the newest version of 8.x or 9.x until this gets fixed.


You Really, Really Should Upgrade Adobe Reader

I am analyzing a Windows RAM dump now where a machine running a version of Adobe Reader that is long off vendor support – version 6.x – got compromised by navigating to a website serving up malicious PDF content from an installation of the YES Exploit Kit. Many of the commonly available commercial exploit toolkits include robust and reliable working exploits for unpatched Adobe Reader util.printf, Collab.collectEmailInfo, and Collab.getIcon vulnerabilities. Soon I will translate a number of the top exploit kits’ exploit lists to English and publish those here to back up my point. For now …
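As an added example (not code from the original post, and not an artifact from the case being analyzed), the following Python script is the kind of triage check a responder would run over a suspect PDF: it inflates every FlateDecode stream and looks for the three Adobe Reader JavaScript APIs the post names as reliably exploited by the commercial kits. The three API names come from the post; the scanner itself, the helper names, and the minimal sample PDFs are assumptions constructed here for illustration. It deliberately looks inside decompressed streams, because a plain string search over the raw file usually finds nothing when the script is hidden in a compressed object.

```python
import re
import zlib

# Reader JavaScript APIs the post lists as targets of reliable, widely
# shipped exploits. These three names are from the post; everything else in
# this file is an added, constructed example.
SUSPECT_APIS = (
    b"util.printf",
    b"Collab.collectEmailInfo",
    b"Collab.getIcon",
)

# Matches the body of any PDF stream object (stream ... endstream).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate(data):
    """Try to FlateDecode a stream body; fall back to the raw bytes.

    Exploit-kit PDFs are often truncated or padded, so a partial inflate via
    decompressobj is attempted before giving up.
    """
    try:
        return zlib.decompress(data)
    except zlib.error:
        try:
            return zlib.decompressobj().decompress(data)
        except zlib.error:
            return data


def scan_pdf(pdf_bytes):
    """Return {'has_javascript': bool, 'suspect_apis': [names found]}.

    Both the raw file (for uncompressed objects) and every inflated stream
    are searched, since the script body is normally inside a FlateDecode
    stream where a grep over the raw file would miss it.
    """
    views = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        views.append(_inflate(m.group(1)))
    found = set()
    has_js = False
    for view in views:
        if b"/JavaScript" in view or b"/JS" in view:
            has_js = True
        for api in SUSPECT_APIS:
            if api in view:
                found.add(api.decode())
    return {"has_javascript": has_js, "suspect_apis": sorted(found)}


def build_sample_pdf(script):
    """Constructed sample: a minimal PDF whose OpenAction runs `script`,
    with the script stored in a FlateDecode stream (the usual kit layout).
    This is an assumption-built test file, not a real exploit document."""
    body = zlib.compress(script)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body
        + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return out


# Constructed inputs: one referencing a targeted API, one with harmless JS.
MALICIOUS_SAMPLE = build_sample_pdf(
    b"var s = unescape('%u9090'); Collab.getIcon(s);"
)
BENIGN_SAMPLE = build_sample_pdf(b"app.alert('hello');")

if __name__ == "__main__":
    print(scan_pdf(MALICIOUS_SAMPLE))
    print(scan_pdf(BENIGN_SAMPLE))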


MoonSol’s new Windows Memory Toolkit

I just stumbled across Matthieu Suiche’s new website and his Windows Memory Toolkit. The free version of that toolkit includes a utility to convert Windows RAM dumps from all current versions of 32-bit Windows to crash dump format for use with windbg/kd. Very cool! It is also very cool that 32-bit support is free!

Given the various problems each of the free and commercial vendors are having in the Windows RAM dump analysis space, Windbg plus custom extensions might be the way to go for the future for Windows RAM dump analysis for incident response …


Poke in the Eye to SANS and CISSPs in Defcon 18 CTF Announcement

From the Defcon 18 CTF contest announcement at https://forum.defcon.org/showthread.php?p=112359#post112359:

“This isn’t CTF like your mama used to make. Level 1 questions make CISSPs turn red, Level 2 make SANS Fellows cry in frustration, Level 3 are typically only answerable by sheep of above average barnyard intelligence, you get the idea.”

and

“Those with SANS certs need not apply. CISSPs are right out.”

Two things spring to mind:

1). The organization putting on Defcon 18’s CTF is “Defense Diutinus Technologies Corp (ddtek)”. My understanding is that ddtek is really Chris Eagle’s Naval Postgraduate School …
