Sharpe Security Blog

What we know at this point:

UPDATE 28 May 2011 – US DHS has confirmed that Lockheed has experienced a network intrusion (http://www.reuters.com/article/2011/05/29/us-usa-defense-hackers-idUSTRE74Q6VY20110529).

UPDATE 07 June 2011 – RSA has confirmed that data stolen from them was a factor in the Lockheed instrusion. RSA is offering to replace tokens for certain types of customers according to this: http://www.rsa.com/node.aspx?id=3891.

1). Lockheed’s entire VPN system was intentionally taken down by Lockheed
2). This happened about a week ago, and has been down the entire week
3). Lockheed is recalling all remote workers to the closest Lockheed offices to continue their … Continue Reading

WordPress version 3.1.3 contains both normal bugfixes and security-related changes. I upgraded this blog already to the 3.1.3 release level and it seems to work fine.

References:
http://codex.wordpress.org/Version_3.1.3

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Google Chrome 11.0.696.71 has been released for Windows, Mac, and Linux. The update includes fixes for 4 vulnerabilities, 3 of which are classified as high or critical.

References:
http://sites.google.com/a/chromium.org/dev/Home/chromium-security
http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter (free enterprise vulnerability alert feed): twitter.com/patchmanagement

White Phosphorus Exploit Pack version 1.12 for Immunity CANVAS now includes an exploit for CVE-2011-0073 in Mozilla Firefox versions 3.6.0 through to 3.6.16.

According to the vendor for White Phosphorus:

This module bypasses DEP and ALSR on anything from Windows XP through to Windows 7 to reliably provide a Mosdef node back to you.

(MOSDEF is Immunity CANVAS’ proprietary shell, like Meterpreter for Metasploit).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0073
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0073
http://blog.sharpesecurity.com/2011/04/29/mozilla-firefox-4-0-1-3-6-11-and-3-5-19-released/

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Apache Portable Runtime version 1.4.5 has been released. It contains a fix for a denial of service condition (CVE-2011-1928). Details are at the links below.

References:
http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3cBANLkTimWdBnKu8hS–O6HeXj_G=g9gfdxA@mail.gmail.com%3e
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1928

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Apache HTTP Server 2.2.19 has been released. It contains one security fix for a denial of service condtion. Details are at the links below.

References:
http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3c4DD92D02.70000@apache.org%3e
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

 
MANDIANT might have just dealt another costly blow to HBGary’s Responder business with the release of their Redline memory dump and live system analysis tool. Considering what is available for free in this tool space (Volatility Framework 1.3 and 1.4, MANDIANT Memoryze, and now MANDIANT Redline) it is increasingly difficult to justify the $9000 USD upfront cost of HBGary Responder Pro plus the annual maintenance for Responder and HBGary DDNA (Digital DNA). It is awfully difficult to compete with free.

And unlike HBGary Responder Pro, I can actually reliably open up and analyze a Windows 7 RAM dump successfully … Continue Reading

I recently took a look at a suspected malicious email supposedly sent from Verizon Wireless.  Despite looking possibly malicious at first glance, it turns out that the email was legitimate.  Verizon Wireless is now offering a Secure eBill service that allows customers to elect to receive their bill in a secured PDF file.  The Verizon “Secure eBill” service is described here: http://www.verizonwireless.com/b2c/splash/secure_ebill.jsp.

If your organization are similarly considering using secure PDFs for any customer contacts, I would suggest not going down that path.  Some people might think this looks like a phishing attempt and might simply delete your emails.

Below are some screenshots of what this all looks … Continue Reading

Adobe has released version 10.3.181.14 of their Flash player product for Windows.

References:
http://www.adobe.com/support/security/bulletins/apsb11-12.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Google Chrome 11.0.696.68 has been released for Windows, Mac, and Linux. The update includes fixes for 2 vulnerabilities, both of which are classified as high or critical.

References:
http://sites.google.com/a/chromium.org/dev/Home/chromium-security
http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter (free enterprise vulnerability alert feed): twitter.com/patchmanagement

There are only two bulletins this month. MS11-036 replaces the problematic MS11-022 patch from April 2011 that broke Powerpoint 2003 and 2002 slide decks with background images in their master slide. So if you have systems affected by that bug and didn’t roll out the hotfix for MS11-022 yet, that problem will go away as you deploy MS11-036.

No fix for the Outlook 2007 print preview printing problem was included in this month’s patches. That should appear the next time releases Outlook 2007 patches.

References:
http://isc.sans.edu/diary/May+2011+Microsoft+Black+Tuesday+Overview/10855
http://www.microsoft.com/technet/security/bulletin/ms11-036.mspx

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter (free enterprise vulnerability alert feed): … Continue Reading

I didn’t realize there was much demand for pulling passwords from BIOS keyboard buffers still until I saw that a “bioskbd” command had been added to the new 1.4 version of the Volatility Framework.

Examples of products that leak passwords in this manner:
Microsoft Bitlocker/Vista (SP0)
TrueCrypt 5.0 (possibly older versions also)
SafeBoot Device Encryption v4, Build 4750 and below
Secu Star’s DriveCrypt Plus Pack v3.9 (possibly other versions also)
DiskCryptor 0.2.6 for Windows (possibly other versions also)
Lenovo 7CETB5WW v2.05 (10/13/2006) BIOS (possibly others too)
Intel Corp PE94510M.86A.0050.2007.0710.1559 (07/10/2007) BIOS (possibly others too)
Hewlett-Packard 68DTT Ver. F.0D BIOS (possibly others too)

These passwords can be retrieved from a live … Continue Reading

As of this writing (06 May 2011), there are four production versions of Microsoft Silverlight – versions 1 through 4. Silverlight 5 is currently in beta. According to Microsoft, they will still provide security patches as they see fit for all five versions of Silverlight. However, you can no longer receive free support for Silverlight versions 1 through 3. For normal usage, versions 1 and 2 went off support on 12 October 2010. Version 3 went off support on 12 April 2011.

If you use Silverlight in production at all, you should aim to … Continue Reading

Publicly available exploits exist (e.g. GLEG pack for Immunity CANVAS) for versions Symantec AMS (Alert Management System) from 10.1.8.8000 and below. For each affected server you have, you need to either need to disable AMS, uninstall it, or upgrade SAVCE 10.x to a patched version. Symantec AMS is an optional part of a SAVCE 10.x server installation that allows the SAV server to send email alerts and pages when events of interest happen. Disabling AMS doesn’t break reporting or any other function of SAVCE.

I recommend simply stopping and disabling the AMS services:
“Intel Alert Handler”
“Intel Alert Orginator”
“Intel File … Continue Reading