Sharpe Security Blog

At the recent Black Hat USA 2010 security conference, a well known Washington DC area security service provider accidentally leaked a sensitive penetration test report for a major US-based oil company containing enough sensitive information to gain Windows domain administrator access rights as well as the username and password for everyone in the target company’s domain. According to the detailed, 39-page report, these access rights included the ability to access servers containing SCADA system information. The report was not encrypted or password-protected in any way. Anyone with access to the leaked document and a copy of Microsoft … Continue Reading

Google Chrome 5.0.375.125 has been released for Windows, Mac, and Linux. The update includes fixes for five vulnerabilities, three of which are classified as critical.References:http://googlechromereleases.blogspot.com/email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Mozilla has released Firefox 3.6.8 This version contains security fixes according to the release notes (below).References:http://www.mozilla.com/en-US/firefox/3.6.8/releasenotes/email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Dell confirms malware is present in the firmware in some PowerEdge motherboards. No further details are available at this time beyond what is in the link below. If someone has a copy of the problematic firmware image and can send that to me, I will reverse the malware and post the results here. My contact information is below.References:http://en.community.dell.com/support-forums/servers/f/956/t/19339458.aspxemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Adobe has announced that the next major version of their Adobe reader product will contain “Adobe Reader Protected Mode” or sandboxing.From Adobe’s description of the new feature:”The initial release of Adobe Reader Protected Mode will be the first phase in the implementation of the sandboxing technology. This first release will sandbox all “write” calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. This will mitigate the risk of exploits seeking to install malware on the user’s computer or otherwise change the computer’s file system or registry. In future releases of … Continue Reading

Mozilla has released Firefox 3.6.7 and 3.5.11. These versions contain security fixes and other changes as outlined in the links below.References:http://www.mozilla.com/en-US/firefox/3.6.7/releasenotes/http://www.mozilla.com/en-US/firefox/3.5.11/releasenotes/email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

From http://www.iacis.com/news/view/33:”The IACIS Membership recently voted to open certification programs to non-members or those who do not qualify for membership. Therefore, the Certified Forensic Computer Examiner (CFCE) Certification will be available to applicants of the computer/digital forensics community who qualify. A comprehensive background check will be required, and we will provide more details as they become available. Please check back often as the program is unveiled”.email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

For the software packagers out there who need this type of list, the following command lines are provided as a reference can be used to silently uninstall updates from the various Office 2003 and 2007 SKUs. Please test these on a test machine before using them in any production environment.%windir%\System32\msiexec.exe /package /uninstall {8F1CF36F-7BC8-42CF-8A5A-8B803DE8423A} /QN /L*V %temp%\KB980373_Uninstall.log%windir%\System32\msiexec.exe /package /uninstall {48113C06-9BA2-4D54-A731-D1D2C5B3144A} /QN /L*V %temp%\KB980376_Uninstall.logOffice 2003 Product Codes (see KB832672 for related info):Office 2003 Standard{90120409-6000-11D3-8CFE-0150048383C9}Office 2003 Professional Edition{90E30409-6000-11D3-8CFE-0150048383C9}Office 2003 Enterprise{90110409-6000-11D3-8CFE-0150048383C9}… Continue Reading

Exploit code has been made publicly available for a vulnerability (CVE-2010-1964) in HP OpenView Network Node Manager. HP has stated that this vulnerability could potentially be remotely exploited. References:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02217439http://www.zerodayinitiative.com/advisories/ZDI-10-108/http://www.exploit-db.com/exploits/14256/http://cve.mitre.org/cgi-bin/cvename.cgi?email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

As a reminder, starting after 13 July 2010 (unless you have purchased Microsoft Custom Support) you will no longer receive patches for the following Microsoft products:- Windows XP Service Pack 2 (32 bit only. XP 64-bit remains under support through April 2014)- Windows 2000 Server and Professional- Microsoft Office 2007 Service Pack 1email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

IBM has released a fix for IBM solidDB to address a remotely exploitable buffer overflow vulnerability. This vulnerability can be exploited by an unauthenticated remote attacker to execute arbitrary code and potentially gain administrative access. The relevant Fix Pack is available from the second References section link below.From IBM’s bulletin:”This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM solidDB. Authentication is not required to exploit this vulnerability.The specific flaw exists within the solid.exe process which listens by default on TCP port 1315. The code responsible for parsing the first … Continue Reading

A vulnerability in the PHP unserialize() function was announced at the SyScan 2010 security conference. Proof of concept exploit code has been published publicly. PHP developers have committed a fix to their source code repository (see link below), but have not released an offical fix as of this writing. Affected versions:PHP 5.2 <= 5.2.13 PHP 5.3 <= 5.3.2 References:http://nibbles.tuxfamily.org/?p=1837http://svn.php.net/viewvc?view=revision&revision=300843http://php-security.org/2010/06/25/mops-2010-061-php-splobjectstorage-deserialization-use-after-freevulnerability/email: david @ sharpesecurity.com website: http://www.sharpesecurity.com/Twitter: twitter.com/sharpesecurity

Apple has released iTunes version 9.2.1. This release contains one security patch.From http://support.apple.com/kb/HT4263 :”Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code executionDescription: A buffer overflow exists in the handling of “itpc:” URLs. Accessing a maliciously crafted “itpc:” URL may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.”email: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

According to this article, there appears to be a newly discovered threat affecting Windows 7 from USB devices NOT related to autorun or autoplay. This one has to do with viewing .LNK files through the Windows GUI. The major AV companies already have samples are releasing definitions for the known variants. For example, Symantec detects the malware as W32.Temphid and released that detection on 13 July 2010.References:http://anti-virus.by/en/tempo.shtmlhttp://en.securitylab.ru/viruses/395815.phpemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

As a HTCIA member, I think I am slightly ashamed of this.”Gregory Evans Why Cybercrime Pays from an Ex-Computer Hacker’s Perspective “UPDATE 29 July 2010 – HTCIA reports that LIGATT’s Gregory Evans has been removed from the speaker’s list. HTCIA (eventually) did the right thing. I am happy again.References:http://twitter.com/HTCIAhttp://www.htciaconference.org/speakers.shtmlemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Oracle has released their July 2010 quarterly patches. Oracle indicates that, for some of the products affected, several of these vulnerabilities may be remotely exploitable without authentication.References:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.htmlemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Microsoft has released the July 2010 monthly patches. This set includes a fix (MS10-042) for the vulnerability that Tavis Ormandy released a few weeks ago that caused a bit of a media storm and controversy about disclosure. Public exploit code exists for that vulnerability.References:https://www.microsoft.com/technet/security/bulletin/ms10-jul.mspxemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Exploit code has been published for a CSRF vulnerability in Microsoft Exchange Server 2007 Outlook Web Access. Early reports indicate that Microsoft has fixed the underlying bug in Service Pack 3 for Exchange Server 2007. Whether or not Exchange 2003 is affected is unknown at this time.References:http://www.securityfocus.com/bid/41462/http://www.exploit-db.com/exploits/14285/http://sites.google.com/site/tentacoloviola/pwning-corporate-webmailsemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Cisco Industrial Ethernet 3000 (IE 3000) Series switches running IOS versions 12.2(52)SE or 12.2(52)SE1 have vulnerability where the SNMP “public” and “private” community names are hard-coded for both read and write access. Vendor workaround and upgrade information is at the link below.References:http://www.cisco.com/warp/public/707/cisco-sa-20100707-snmp.shtmlemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Google Chrome 5.0.375.99 has been released for Windows, Mac, and Linux. The update includes fixes for nine vulnerabilities, four of which are classified as critical.References:http://googlechromereleases.blogspot.com/2010/07/stable-channel-update.htmlemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

Hex-Rays has released version 1.3 of their x86 and ARM decompilers. There are numerous bugfixes in each. Please refer to the links below for details.References:http://www.hex-rays.com/news1.shtml#100628http://www.hex-rays.com/hexcomp13.shtmlemail: david @ sharpesecurity.com website: www.sharpesecurity.comTwitter: twitter.com/sharpesecurity

IDA Pro 5.7 has been released. The full list of updates and bugfixes is in the references link below.Highlights in version 5.7 include:- Scripted plugins can be implemented in Python or IDC. – Scripted processor modules be implemented in Python or IDC.- Improvements for iPhone/iPad file analysis in the form of additional ARM module/Mach-O file format features.- You can now define your own data types.- The PDB plugin now works without having to install a full copy of Microsoft Visual Studio.References:http://www.hex-rays.com/idapro/57/index.htm… Continue Reading