* You are viewing the archive for May, 2010

Google Chrome 5.0.375.55 Released

Google has announced the release of Google Chrome 5.0.375.55 here. From a risk perspective – as of this writing – the latest version of Google Chrome with a known publicly available remote exploit is version 4.1.249.

References:
http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.html
http://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugs

email: david @ sharpesecurity.com
website: http://www.sharpesecurity.com/
Twitter: twitter.com/sharpesecurity

Restaurant Credit Card Skimming Alive and Well

From http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052302921.html:

“Three servers at the Cheesecake Factory restaurant on Wisconsin Avenue in the District allegedly stole credit card numbers from patrons as part of a scheme that racked up more than $117,000 in fraudulent charges between 2008 and last year, authorities say. Investigators with the U.S. Secret Service allege the servers were working for a larger fraud ring and were using electronic devices to “skim” the credit card numbers of customers they served at the restaurant. The devices were handed off to others, and the stolen numbers were used to make fake credit cards … Continue Reading

Oracle Java SE and Java for Business ‘MixerSequencer’ Remote Code Execution Vulnerability

From SecurityFocus:

“Oracle Java SE and Java for Business are prone to a remote code-execution vulnerability affecting the ‘Sound’ component. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.”

References:
Description – http://www.securityfocus.com/bid/39077/discuss
PoC exploit code – http://www.securityfocus.com/bid/39077/exploit
List of affected versions – http://www.securityfocus.com/bid/39077/info

Update to Java for Mac OS X

Given the growing use of Apple products in the enterprise, I will start covering Apple vulnerabilities in this blog. Apparently, Apple is here to stay in the enterprise.

Apple has recently released updates to Java for Mac OS X. These patches address several vulnerabilities. The worst one potentially allows an attacker to break out of the Java sandbox and execute code through an untrusted applet.

References:
http://support.apple.com/kb/HT4170
http://support.apple.com/kb/HT4171

New Security Patches in Latest PostgreSQL Release

An update to PostgreSQL has been released that addresses several bugs, including two security vulnerabilities. The patches in this release address a privilege escalation issue and another problem that allows an attacker to run arbitrary Tcl scripts through the pltcl_modules table. Even if you don’t have PostgreSQL in production, your developers might have stood up PostgreSQL instances internally as a cost-saving measure for their own development and test platforms.

References:
http://www.postgresql.org/about/news.1203

Patch Released for IBM AIX rpc.pcnfsd Integer Overflow Vulnerability

IBM has released a patch for the AIX rpc.pcnfsd integer overflow vulnerability. According to IBM, the vulnerability in the rpc.pcnfsd service could potentially be exploited to execute arbitrary code by sending malicious RPC requests over the wire.

UPDATE 28 May 2010 – This bug also affects HP-UX and SGI IRIX.

References:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=5088
http://aix.software.ibm.com/aix/efixes/security/pcnfsd_advisory.asc
http://www.checkpoint.com/defense/advisories/public/2010/cpai-13-May.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02115103

Security Updates in Fix Pack 31 for IBM WebSphere 6.1 Released

Fix Pack 31 for IBM WebSphere Application Server 6.1 has been released. According to IBM, the patched vulnerabilities are possible denial of service and information disclosure holes. The list of all security and bug fixes is at the link below.

References:
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27007951

New US Law Regarding CallerID Spoofing

The US Congress has passed a law making certain types of malicious use of CallerID spoofing a felony. Please refer to the text of the new law for the specifics.

The law exempts law enforcement agencies, so the investigative technique described here remains valid for exempted US agencies. Below is the text describing the LE exemption:

“LAW ENFORCEMENT EXCEPTION.— This section does not prohibit lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency … Continue Reading

Impact of SSDT Argument Substitution Attacks (KHOBE)

A report was released recently describing “SSDT Argument Substitution Attacks” against certain Windows endpoint security products. The original report can be found at: http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php.

In a nutshell, this problem seems to fall under Law #1 of the 10 Immutable Laws of Security (http://technet.microsoft.com/en-us/library/cc722487.aspx).

“If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.”

Of the security product vendors that have issued responses to this report so far, I believe this law is a recurring theme in their replies. If a KHOBE attack has gotten … Continue Reading

Adobe Fixes Three Security Issues in Latest ColdFusion Release

References:
http://www.adobe.com/support/security/bulletins/apsb10-11.html

Adobe Closes 18 Security Holes in Adobe Shockwave Player 11.5.7.609 Release

The CVEs for all 18 bug fixes are in the article listed below. The Adobe Shockwave player is a relatively easy upgrade to deploy; just remember to make sure all old versions of the player software get removed so that follow-up vulnerability scans and your software asset inventory data are clean and show only fully patched versions.

References:
http://www.adobe.com/support/security/bulletins/apsb10-12.html

Let us know if you need any help packaging this up for deployment.

Guidance Software to Acquire Tableau

Guidance Software is buying Tableau. I am still trying to figure out if this is a good thing or not. I don’t know what your experience has been like recently, but Guidance has been hounding me with sales calls so I had assumed they were having financial challenges.

The press release is here.

U.S. Secret Service Setting Data Sharing Example for Other Law Enforcement Agencies

According to this Verizon blog entry, we will see sanitized intrusion data from the U.S. Secret Service alongside Verizon Business Service’s own data in their next Data Breach Investigations Report (due later in 2010).

Apparently the U.S. Secret Service started using Verizon’s VerIS framework and has decided to share at least some of their casework data. Very cool. Maybe this will set a precedent for others in the law enforcement world to start sharing real world data (where they can) so that system defenders everywhere can benefit from knowing more about the tactics and true … Continue Reading

R.I.P. Dojosec

I really enjoyed the Dojosec series of monthly meetings that Marcus J Carey put together, and I am sad to see it has gone away. Dojosec was a security meetup in the southern Maryland area. The last Dojosec that had speakers was in November 2009. Some of the videos from various Dojosecs are online, so you can still see some of those great presentations.

Hopefully Dojosec will resurface again sometime in the future.

UPDATE 24 August 2010 – Great news! It looks like Dojosec (and Dojocon) may be returning soon.

… Continue Reading
