Sharpe Security Blog

Google has announced the release of Google Chrome 5.0.375.55 here. From a risk perspective – as of this writing – the latest version of Google Chrome with known publicly available remote exploit is version 4.1.249.References:http://googlechromereleases.blogspot.com/2010/05/stable-channel-update.htmlhttp://sites.google.com/a/chromium.org/dev/Home/chromium-security/chromium-security-bugsemail: david @ sharpesecurity.com website: http://www.sharpesecurity.com/Twitter: twitter.com/sharpesecurity

From http://www.washingtonpost.com/wp-dyn/content/article/2010/05/23/AR2010052302921.html:”Three servers at the Cheesecake Factory restaurant on Wisconsin Avenue in the District allegedly stole credit card numbers from patrons as part of a scheme that racked up more than $117,000 in fraudulent charges between 2008 and last year, authorities say. Investigators with the U.S. Secret Service allege the servers were working for a larger fraud ring and were using electronic devices to “skim” the credit card numbers of customers they served at the restaurant. The devices were handed off to others, and the stolen numbers were used to make fake credit cards … Continue Reading

From SecurityFocus:”Oracle Java SE and Java for Business are prone to a remote code-execution vulnerability affecting the ‘Sound’ component.Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.”References:Descritpion – http://www.securityfocus.com/bid/39077/discussPoC exploit code – http://www.securityfocus.com/bid/39077/exploitList of affected versions – http://www.securityfocus.com/bid/39077/infoemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Given the growing use of Apple products in the enterprise, I will start covering Apple vulnerabilities in this blog. Apparently, Apple is here to stay in the enterprise.Apple has recently released updates to Java for Mac OS X. These patches address several vulnerabilities. The worst one potentially allows an attacker to break out of the Java sandbox and execute code through an untrusted applet. References:http://support.apple.com/kb/HT4170http://support.apple.com/kb/HT4171email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

An update to PostgreSQL has been released that addresses several bugs including two security vulnerabilities. The patches in this release address a privilege escalation issue and another problem that allows an attacker to run arbitrary tcl scripts through the pltcl_modules table. Even if you don’t have PostgreSQL in production, your developers might have stood up PostgreSQL instances internally as a cost-saving measure for their own development and test platforms.References:http://www.postgresql.org/about/news.1203email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

IBM has released a patch for the AIX rpc.pcnfsd integer overflow vulnerability. According to IBM, the vulnerability in the rpc.pcnfsd service could potentially be exploited to execute arbitrary code and this could be done by sending malicious RPC requests over the wire.UPDATE 28 May 2010 – This bug also affects HP-UX and SGI IRIX.References:http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=5088http://aix.software.ibm.com/aix/efixes/security/pcnfsd_advisory.aschttp://www.checkpoint.com/defense/advisories/public/2010/cpai-13-May.htmlhttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02115103email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Fix Pack 31 for IBM Websphere Application Server 6.1 has been released. According to IBM, the patched vulnerabilities are possible denial of service and information disclosure holes. The list of all security and bug fixes are in the link below.References:http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27007951email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

The US Congress has passed a law making certain types of malicious use of CallerID spoofing a felony. Please refer to the text of the new law for the specifics.The law exempts law enforcement agencies, so the investigative technique described here remains valid for exempted US agencies. Below is the text describing the LE exemption:”LAW ENFORCEMENT EXCEPTION.— This section does not prohibit lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency … Continue Reading

A report was released recently describing “SSDT Argument Substitution Attacks” against certain Windows endpoint security products. The original report can be found at: http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php.In a nutshell, this problem seems to fall under Law #1 of the 10 Immutable Laws of Security (http://technet.microsoft.com/en-us/library/cc722487.aspx).”If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.”Of the security products vendors that have issued responses to this report so far, I believe this law is a recurring theme in their replies. If a KHOBE attack has gotten … Continue Reading

References:http://www.adobe.com/support/security/bulletins/apsb10-11.htmlemail: david @ sharpesecurity.com website: http://www.sharpesecurity.com/Twitter: twitter.com/sharpesecurity

The CVEs for all 18 bug fixes are in the article listed below. The Adobe Shockwave player is a relatively easy upgrade to deploy, just remember to make sure all old versions of the player software get removed so that follow up vulnerability scans and your software asset inventory data are clean and show only fully patched versions.References: http://www.adobe.com/support/security/bulletins/apsb10-12.htmlLet us know if you need any help packaging up this for deployment.email: david @ sharpesecurity.com website: http://www.sharpesecurity.com/Twitter: twitter.com/sharpesecurity

Guidance Software is buying Tableau. I am still trying to figure out if this is a good thing or not. I don’t know what your experience has been like recently, but Guidance has been hounding me with sales calls so I had assumed they were having financial challenges.The press release is here.email: david @ sharpesecurity.com website: http://www.sharpesecurity.com/Twitter: twitter.com/sharpesecurity

According to this Verizon blog entry, we will see sanitized intrusion data from the U.S. Secret Service alongside Verizon Business Service’s own data in their next Data Breach Investigations Report (due later in 2010).Apparently the U.S. Secret Service started using Verizon’s VerIS framework and has decided to share at least some of their casework data. Very cool. Maybe this will set a precedent for others in the law enforcement world to start sharing real world data (where they can) so that system defenders everywhere can benefit from knowing more about the tactics and true … Continue Reading

I really enjoyed the Dojosec series of monthly meetings that Marcus J Carey put together, and I am sad to see it has gone away. Dojosec was a security meetup in the southern Maryland area.  The last Dojosec that had speakers was in November 2009. Some of the videos from various Dojosecs are online, so you can still see some of those great presentations.Hopefully Dojosec will resurface again sometime in the future.UPDATE 24 August 2010 – Great news! It looks like Dojosec (and Dojocon) may be returning soon.email: david @ sharpesecurity.com website: … Continue Reading