
Volatility Framework 2.0 Released

Wow. This, in addition to MANDIANT’s recently released Redline tool, will amount to another devastating blow to HBGary Responder Pro sales and market share. How can you justify the $9000 USD cost for a Responder Pro license plus annual maintenance if one of these free tools works for the platforms you work on?

The following platforms are currently supported:
32bit Windows XP Service Pack 2 and 3
32bit Windows 2003 Server Service Pack 0, 1, 2
32bit Windows Vista Service Pack 0, 1, 2
32bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
32bit Windows 7 Service Pack 0, …


Win32 YARA Version Available

More outstanding work from Virustotal: It looks like a Win32 version of YARA has been posted on the YARA project’s page on code.google.com. Unlike classic YARA, no Python runtime support is required. Note the interesting PID argument to YARA.exe.

usage: yara [OPTION]… [RULEFILE]… FILE | PID
options:
-t <tag> print rules tagged as <tag> and ignore the rest. Can be used more than once.
-i print rules named …


Mozilla Firefox 5.0 and 3.6.18 Released

Mozilla has released Firefox versions 5.0 and 3.6.18. These new versions fix several security-related bugs.

BTW, Firefox version 4.x is now off support, as is 3.5.x. You should be running only 3.6.x or 5.x in production now.

References:
http://www.mozilla.com/en-US/firefox/5.0/releasenotes/
http://www.mozilla.com/en-US/firefox/3.6.18/releasenotes/

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement


RAM Dump Analysis for Apple OS X Systems

Kudos to Kyeong-Sik Lee and the Korean Digital Forensic Research Center for providing what I believe is the first publicly available tool for doing RAM dump analysis for Apple OS X systems. The new tool – volafox – isn’t as evolved as its Windows counterparts (HBGary Responder, MANDIANT Memoryze/Redline, or the Volatility Framework), but it is a great start. Volafox can be obtained from the link below.

References:
http://code.google.com/p/volafox/
http://computer.forensikblog.de/en/2011/06/mac_os_x_memory_analysis_with_volafox.html
http://blackhat.com/presentations/bh-dc-10/Suiche_Matthieu/Blackhat-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf

Commercial Grade Exploit Released for CVE-2011-0073 in Mozilla Firefox

White Phosphorus Exploit Pack version 1.12 for Immunity CANVAS now includes an exploit for CVE-2011-0073 in Mozilla Firefox versions 3.6.0 through to 3.6.16.

According to the vendor for White Phosphorus:

This module bypasses DEP and ASLR on anything from Windows XP through to Windows 7 to reliably provide a Mosdef node back to you.

(MOSDEF is Immunity CANVAS’ proprietary shell, like Meterpreter for Metasploit).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0073
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0073
http://blog.sharpesecurity.com/2011/04/29/mozilla-firefox-4-0-1-3-6-11-and-3-5-19-released/

Free MANDIANT Redline Malware Analysis Tool

MANDIANT might have just dealt another costly blow to HBGary’s Responder business with the release of their Redline memory dump and live system analysis tool. Considering what is available for free in this tool space (Volatility Framework 1.3 and 1.4, MANDIANT Memoryze, and now MANDIANT Redline) it is increasingly difficult to justify the $9000 USD upfront cost of HBGary Responder Pro plus the annual maintenance for Responder and HBGary DDNA (Digital DNA). It is awfully difficult to compete with free.

And unlike HBGary Responder Pro, I can actually reliably open up and analyze a Windows 7 RAM dump successfully …

Duplicating Volatility Bioskbd Command Function on Live Windows Systems

I didn’t realize there was much demand for pulling passwords from BIOS keyboard buffers still until I saw that a “bioskbd” command had been added to the new 1.4 version of the Volatility Framework.

Examples of products that leak passwords in this manner:
Microsoft Bitlocker/Vista (SP0)
TrueCrypt 5.0 (possibly older versions also)
SafeBoot Device Encryption v4, Build 4750 and below
Secu Star’s DriveCrypt Plus Pack v3.9 (possibly other versions also)
DiskCryptor 0.2.6 for Windows (possibly other versions also)
Lenovo 7CETB5WW v2.05 (10/13/2006) BIOS (possibly others too)
Intel Corp PE94510M.86A.0050.2007.0710.1559 (07/10/2007) BIOS (possibly others too)
Hewlett-Packard 68DTT Ver. F.0D BIOS (possibly others too)

These passwords can be retrieved from a live …
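
Whether the buffer comes from a RAM dump (where Volatility’s bioskbd reads it) or from a live read of physical memory, the part that matters is decoding the BIOS Data Area correctly. The following is an added example written for this post; it is not the Volatility plugin and not code from the original article. It assumes the standard PC BIOS layout of the BDA (keyboard buffer head pointer at physical 0x41A, tail pointer at 0x41C, sixteen ASCII/scan-code word slots from 0x41E), and read_bda() assumes a raw physical-memory image with low memory at file offset 0. build_sample_bda() fabricates the BDA state a consumed pre-boot password leaves behind so the code runs offline; the kernel-level physical memory read needed on a live Windows host is not shown.

```python
"""Recover residual keystrokes from the BIOS keyboard buffer.

Added example (not the Volatility Framework's bioskbd plugin, not code from
the original post).  It works on a 256-byte copy of the BIOS Data Area
(BDA, physical 0x400-0x4FF).  Offsets below are relative to 0x400 and are
the standard PC BIOS layout (assumed; verify against your BIOS if in doubt):
  0x1A  word      keyboard buffer head (offset in segment 0x40)
  0x1C  word      keyboard buffer tail (next slot the BIOS will write)
  0x1E  16 words  keystroke ring: low byte ASCII code, high byte scan code
  0x80  word      ring start offset (normally 0x1E)
  0x82  word      ring end offset, exclusive (normally 0x3E)
"""
import struct

BDA_PHYS = 0x400
BDA_SIZE = 0x100
KBD_HEAD = 0x1A
KBD_TAIL = 0x1C
KBD_RING_START = 0x1E
KBD_RING_END = 0x3E                                  # exclusive
KBD_SLOTS = (KBD_RING_END - KBD_RING_START) // 2     # 16 keystrokes


def read_bda(image_path: str) -> bytes:
    """Read the BDA from a raw physical-memory image (not a hiberfil/crash dump)."""
    with open(image_path, "rb") as f:
        f.seek(BDA_PHYS)
        bda = f.read(BDA_SIZE)
    if len(bda) != BDA_SIZE:
        raise ValueError("image too small to contain the BIOS Data Area")
    return bda


def bios_kbd_residue(bda: bytes) -> str:
    """Return the keystrokes still sitting in the ring, oldest first.

    A pre-boot password prompt consumes keys by moving head up to tail, so
    head == tail ("empty") is exactly the state in which a password leaks.
    Walking all 16 slots starting at tail yields typed order whether or not
    the ring has wrapped, because never-used slots are still zero.
    """
    if len(bda) < KBD_RING_END:
        raise ValueError("need at least the first 0x3E bytes of the BDA")
    head, tail = struct.unpack_from("<HH", bda, KBD_HEAD)
    for ptr in (head, tail):
        if ptr & 1 or not KBD_RING_START <= ptr < KBD_RING_END:
            # zeros/garbage here usually mean the image lacks low physical
            # memory, or the BIOS relocated the ring (check 0x80/0x82)
            raise ValueError(f"keyboard buffer pointer 0x{ptr:x} outside ring")
    out = []
    for i in range(KBD_SLOTS):
        off = KBD_RING_START + ((tail - KBD_RING_START) + 2 * i) % (2 * KBD_SLOTS)
        ascii_code = bda[off]                 # scan code would be bda[off + 1]
        if ascii_code == 0:                   # unused slot (or non-ASCII key)
            continue
        out.append(chr(ascii_code) if 0x20 <= ascii_code < 0x7F
                   else f"\\x{ascii_code:02x}")
    return "".join(out)


def build_sample_bda(keystrokes: str) -> bytes:
    """Constructed sample: a BDA as the BIOS keystroke handlers leave it after
    `keystrokes` were typed into, and consumed by, a pre-boot password prompt."""
    bda = bytearray(BDA_SIZE)
    struct.pack_into("<HH", bda, 0x80, KBD_RING_START, KBD_RING_END)
    tail = KBD_RING_START
    for ch in keystrokes:
        bda[tail] = ord(ch) & 0xFF
        bda[tail + 1] = 0x1C if ch == "\r" else 0x10   # placeholder scan code
        tail += 2
        if tail == KBD_RING_END:                       # ring wraps
            tail = KBD_RING_START
    struct.pack_into("<HH", bda, KBD_HEAD, tail, tail)  # consumed: head == tail
    return bytes(bda)


if __name__ == "__main__":
    print(bios_kbd_residue(build_sample_bda("Pa55w0rd\r")))  # Pa55w0rd\x0d
    # 20 keys typed since boot: only the last 16 survive in the ring
    print(bios_kbd_residue(build_sample_bda("abcdefghijklmnopqrst")))
```

Starting the walk at the tail rather than at the start of the ring matters once more than sixteen keys have been pressed since boot: only the last sixteen survive, and the tail marks where the oldest survivor sits. Non-printable bytes are shown as \x escapes, so the Enter that ends a password appears as \x0d; a ValueError on the pointer check is the usual sign that the image does not actually contain the first page of physical memory.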

Signs of Life from ExploitHub

So, ExploitHub might just have a heartbeat after all. This just showed up in my inbox. Could be good news for exploit developers.

Want to get paid for your research? ExploitHub is now accepting exploits for sale to the community. It’s simple, just register to become a seller and begin contributing your work to the marketplace in three easy steps:

1. Submit your Metasploit exploit module via the Author Tools submission page.
2. Review the pre-populated information about your exploit that was extracted from the module and fill in any missing information such as price.
3. Submit the exploit …

Google Chrome 10.0.648.127 Released

Google Chrome 10.0.648.127 has been released for Windows, Mac, and Linux. The update includes fixes for 23 vulnerabilities, 15 of which are classified as high or critical.

References:
http://sites.google.com/a/chromium.org/dev/Home/chromium-security
http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha

Upcoming Security Changes for Android Market

Hopefully, from a security perspective, Google will move the Android Market toward more of a walled garden, similar to Apple’s App Store. The developer and application vetting that Apple does seems to be working reasonably well in practice. The first reference link below is a statement from Google announcing some upcoming changes they intend to make to the Android Market because of recent problems (DroidDream) with malicious content being posted. Google has already removed those applications (putting REMOVE_ASSET to good use). And interestingly we see a beneficial use of INSTALL_ASSET, where Google used that facility to …

Mozilla Firefox 3.6.15 Released

Mozilla has released Firefox version 3.6.15. This new version fixes an important problem with Java. There are no security updates in this version beyond what was in 3.6.14. You should abort any deployments of 3.6.14 in favor of the fixed 3.6.15 version.

References:
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.15/

Saving Money on Antivirus Subscription Renewals

Brian Krebs has published a good article that is of value to millions of home users who are currently overpaying to renew their antivirus licenses every year. He discusses the new Renewal Buddy site (http://www.renewalbuddy.com/), whose purpose is to help home users save money purchasing or renewing licenses for their antivirus products.

That is good information, but Renewal Buddy makes some dubious recommendations at times for alternative antivirus solutions. For the most effective antivirus support currently in existence, typical home users of Windows should stick with either Avira Antivir if they prefer a free tool, or one of …

WordPress 3.1 Released

WordPress version 3.1 contains mostly normal bugfixes and feature enhancements (over 800). I upgraded this blog already to the 3.1 release level and it seems to work fine.

References:
http://codex.wordpress.org/Version_3.1

IE 9 and Windows 7 SP1 Blockers Available

Microsoft has released blockers for both IE 9 and Windows 7 SP1. These are useful in environments where you need to control when these new releases start appearing in production.

IE 9 blocker:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=a6169467-b793-4d17-837d-01776bf2bea4

Windows 7 Service Pack 1 blocker:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d7c9a07a-5267-4bd6-87d0-e2a72099edb7

Managing Upcoming Symantec SAV10 End-of-Life Issues

It looks like Symantec intends to force customers who are trying to stay on SAV10 past April 2012 to upgrade sooner than they might want to. Symantec announced today that a root certificate (SymRoot1) used by LiveUpdate will expire on 30 April 2011. If nothing were done, SAV10 clients running MR9 and lower would no longer be able to authenticate, download, or install new AV definitions or product updates.

To provide some relief, Symantec will make a change that will allow SAV10 MR9 and lower clients to continue to function properly with LiveUpdate through 04 July 2012. Note …

Mozilla Firefox 3.6.13 and 3.5.16 Released

Mozilla has released Firefox versions 3.6.13 and 3.5.16. These new versions contain updates for both security issues and several bugs.

References:
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.6.13/
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/3.5.16/
http://www.mozilla.com/en-US/

Freeware IDA Pro Version is now 5.0

Hex-Rays now offers version 5.0 as freeware instead of 4.9. The paid version is currently at 6.0 and is worth the spend; either way, many thanks to Ilfak and friends at Hex-Rays for making IDA Pro version 5.0 freeware.

References:
http://www.hex-rays.com/idapro/idadownfreeware.htm

Google Chrome 8.0.552.215 Released

Google Chrome 8.0.552.215 has been released for Windows, Mac, and Linux. The update includes fixes for 13 vulnerabilities, 4 of which are classified as high or critical. There are also over 800 other bugfixes in this version.

References:
http://sites.google.com/a/chromium.org/dev/Home/chromium-security
http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha

Adobe Reader 10 = Better

The Adobe Reader GDI object leak that I described at http://sharpesecurity.blogspot.com/2010/02/gdi-object-leak-in-adobe-reader-92-and.html isn’t fixed in Adobe Reader versions up to and including 9.4.1. However, the new Adobe Reader X (i.e. Adobe Reader 10) appears to leak handle and memory resources FAR LESS than its last several 8.x and 9.x predecessors. I think there might be hope for Adobe Reader after all!

Whether or not the re-engineered security in Adobe Reader 10 improves anything on the security front remains to be seen. The next few months will tell the tale.

For more information about Adobe Reader X …

Review of Apricorn Aegis Padlock Hardware Encrypted Drives

There don’t appear to be many viable options for hardware-encrypted external hard drives. I used to recommend the Maxtor BlackArmor for this purpose, but those are no longer available. The Seagate BlackArmor drives are NOT hardware-encrypted, so don’t be fooled by the continued and confusing reuse of the BlackArmor name.

The best choice on the market right now appears to be the Apricorn Aegis Padlock drives. These drives offer features and security comparable to the Ironkey or Kanguru Defender/Elite USB thumbdrives, but in an external USB drive form factor.

Pros
1). Works with both Windows and …

Mac OS X Server v10.6.5 Released

Apple has released Mac OS X Server v10.6.5. The security fixes in this update are described at the link below.

References:
http://support.apple.com/kb/HT4452

New Social-Engineer Toolkit Version Released

A significant upgrade of the Social-Engineer Toolkit was released this week. This is excellent work by one of the top 10 pentesters in the world, and you should consider adding it to your existing pentest toolkit.

http://www.secmaniac.com/november-2010/the-social-engineer-toolkit-set-v1-0-release-date-announced/

IDA Pro 6.0 Maintenance Pack Released

This update contains numerous fixes for IDA Qt. The download location is below.

References:
https://www.hex-rays.com/idafix.shtml

Hex-Rays Version 1.4 x86 and ARM Decompilers Released

Hex-Rays has released version 1.4 of their x86 and ARM decompilers. The major update is that the decompilers can now be used on the Linux and Apple Mac OS X platforms. See the link below for a list of all of the fixes and updates.

References:
http://www.hex-rays.com/news1.shtml#101001

IDA Pro 6.0 Released

Hex-Rays has released IDA Pro 6.0. The major change is that the GUI for MS Windows, Linux, and Mac OS X are all the same now (Qt framework-based). A complete list of fixes and updates is at the link below.

References:
http://www.hex-rays.com/idapro/60/index.html

MANDIANT Memoryze 1.4.2900 Released

Jamie Butler and friends at MANDIANT have released Memoryze 1.4.2900. This new version supports Windows 7 32- and 64-bit and Windows Server 2008 64-bit. Despite how well the Volatility Framework works with Windows XP, I am fairly certain it has now been firmly relegated to third place behind HBGary Responder and MANDIANT Memoryze in the Windows RAM dump analysis space.

References:
http://blog.mandiant.com/archives/1459

Hex-Rays x86 and ARM Version 1.3 Decompilers Released

Hex-Rays has released version 1.3 of their x86 and ARM decompilers. There are numerous bugfixes in each. Please refer to the links below for details.

References:
http://www.hex-rays.com/news1.shtml#100628
http://www.hex-rays.com/hexcomp13.shtml

IDA Pro 5.7 Released

IDA Pro 5.7 has been released. The full list of updates and bugfixes is in the references link below.

Highlights in version 5.7 include:
- Scripted plugins can be implemented in Python or IDC.
- Scripted processor modules can be implemented in Python or IDC.
- Improvements for iPhone/iPad file analysis in the form of additional ARM module/Mach-O file format features.
- You can now define your own data types.
- The PDB plugin now works without having to install a full copy of Microsoft Visual Studio.

References:
http://www.hex-rays.com/idapro/57/index.htm

Cisco Announces End-of-Sale and End-of-Life for Cisco Security Agent Product Line

Cisco has announced end-of-life for the Cisco Security Agent product line. The relevant timelines and other details related to the drawdown are at the link below. From the article:

”There is no replacement available for the Cisco Security Agent at this time. Cisco’s network security product portfolio has complementary security technologies, such as Cisco Intrusion Prevention Systems, Cisco ASA 5500 Series Adaptive Security Appliances, and Cisco IronPort Email and Web gateways. Please contact your Cisco account team for more information on these products. While there is no direct Cisco Security Agent replacement product from Cisco, many …

Guidance Software to Acquire Tableau

Guidance Software is buying Tableau. I am still trying to figure out if this is a good thing or not. I don’t know what your experience has been like recently, but Guidance has been hounding me with sales calls so I had assumed they were having financial challenges.

The press release is here.