Thread: 2005 Alerts

  1. #1
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    FYI...

    - http://isc.sans.org/diary.php?storyid=898
    Last Updated: 2005-11-28 18:07:18 UTC
    "A few readers reported that there is trouble on the worldnic.com DNS servers.
    Those servers are operated by Network Solutions and are hosting a number of their customers' DNS needs. Network Solutions is aware of the problem.
    To clarify the impact to the casual reader:
    * Not all customers of Network Solutions are affected.
    * No root or TLD servers are known to reside on these machines.
    * It's "just" individual domains that are affected, but it might be a lot of them.
    * Only domains that have all their nameservers on these machines will have significant impact.
    There is a lesson to learn for those affected and those designing solutions. Do not put all your DNS servers on the same hardware, the same connections, the same location, ... , the same management. Diversity is the key to success.
    This will be bad news for those organisations wanting to profit from Cyber Monday, the biggest on-line purchase day according to CNN.
    - http://money.cnn.com/2005/11/28/news...ex.htm?cnn=yes

    - http://www.networksolutions.com/help...jhtml?tab=home
    "We are currently experiencing a widespread DNS related outage. If you are attempting to contact us to report a product that is not working, please know that we are aware of the issue, and are doing everything we can to resolve all issues as quickly as possible."

    :(

    FYI...(as of date/time of this post):

    - http://isc.sans.org/diary.php?storyid=898
    Last Updated: 2005-11-28 19:14:20 UTC
    "...seems to have fixed it..."


    Last edited by AplusWebMaster; 2006-01-13 at 22:43.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
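An audit for the single-failure-domain problem described in the post above, as an added example that is not part of the original post or the ISC diary. The zone data is constructed (documentation-only names and addresses), and treating the last two labels of a nameserver's host name as its operator and a shared /24 as shared connectivity are simplifying assumptions.

```python
import ipaddress

# Constructed sample data (not real lookups): zone -> [(nameserver, IPv4 address)].
SAMPLE_ZONES = {
    "shop.example": [("ns1.dnshost-a.example", "192.0.2.10"),
                     ("ns2.dnshost-a.example", "192.0.2.11")],
    "news.example": [("ns1.dnshost-a.example", "192.0.2.10"),
                     ("ns1.dnshost-b.example", "198.51.100.5")],
    "blog.example": [("ns1.dnshost-a.example", "192.0.2.10"),
                     ("ns2.dnshost-a.example", "203.0.113.7")],
}

def operator_of(nameserver):
    """Assumption: the last two labels of the NS host name identify who runs it."""
    return ".".join(nameserver.rstrip(".").lower().split(".")[-2:])

def network_of(address, prefix=24):
    """Collapse an address to its enclosing network, a rough proxy for shared connectivity."""
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=False))

def audit(zones):
    """Return {zone: [findings]} for zones whose nameservers share one failure domain."""
    report = {}
    for zone, servers in zones.items():
        findings = []
        operators = {operator_of(ns) for ns, _ in servers}
        networks = {network_of(ip) for _, ip in servers}
        if len(servers) < 2:
            findings.append("only one nameserver")
        if len(operators) == 1:
            findings.append("single operator: " + next(iter(operators)))
        if len(networks) == 1:
            findings.append("single network: " + next(iter(networks)))
        if findings:
            report[zone] = findings
    return report

def exposed_to(zones, failed_operator):
    """Zones that lose every nameserver if one operator's servers go down."""
    return sorted(zone for zone, servers in zones.items()
                  if all(operator_of(ns) == failed_operator for ns, _ in servers))

if __name__ == "__main__":
    for zone, findings in audit(SAMPLE_ZONES).items():
        print(zone, "->", "; ".join(findings))
    print("down with dnshost-a.example:", exposed_to(SAMPLE_ZONES, "dnshost-a.example"))
```

A zone such as blog.example passes the network check yet still depends on one operator, which is the "same management" case the diary warns about.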

  2. #2
    Adviser Team AplusWebMaster's Avatar

    DoS exploit for Firefox 1.5 released

    FYI...

    - http://isc.sans.org/diary.php?storyid=920
    Last Updated: 2005-12-08 02:24:41 UTC
    "...Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service on the Firefox browser. Long and short of it is, history.dat stores various pieces of information on websites you've visited. If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page. This vulnerability has been tested and does work, and no known patches are available at this time. Once this happens, firefox will be unable to be started until you erase the history.dat file manually. Presumably, if the topic was more tightly crafted than in the proof-of-concept code, a more malicious attack could be crafted that would install malware on the machine with the extra fun step of being reinstalled after each restart of firefox (unless you erase history.dat). As we research this more, details will be added on to this post...
    POSSIBLE WORKAROUND
    However, the following is a workaround that should work...
    Go to Tools -> Options.
    Select the Privacy Icon, and then the History tab. Set the number of days to save pages at 0. This will disable writing anything to history.dat as far as I can tell, and should nullify the exploit.
    HOW TO LOCATE THE PROFILE FOLDER
    If you need to delete your history.dat file (in case you tested this PoC code), it can be difficult to locate where exactly this file is. You can find instructions for locating the profile folder at the following URL:
    - http://www.mozilla.org/support/firefox/edit#profile ..."

    ---------------------------------------------------------------

    FireFox 1.5 Buffer overflow exploit
    - http://forums.mozillazine.org/viewtopic.php?t=351648

    - https://bugzilla.mozilla.org/show_bug.cgi?id=319004
    (Bugzilla Bug 319004 - overlong document.title setting can corrupt history data, causing non-responsive temporary hang (crash?) on subsequent startups)
    Last modified: 2005-12-08 12:06:34 PST

    ---------------------------------------------------------------

    - http://isc.sans.org/diary.php?compare=1&storyid=920
    Last Updated: 2005-12-09 15:33:49 UTC
    "Update 2: The official response from the folks at mozilla.org can be found here*. Their results match our testing, that we were able to make it take a long time for Firefox to start, but were not able to make it crash. Further, there doesn't seem to be any credible evidence at this time that this could be exploited to execute arbitrary code."

    * http://www.mozilla.org/security/history-title.html

    ???

    ---------------------------------------------------------------
    FYI...(per http://isc.sans.org/diary.php?storyid=920 - the "NoScript extension" workaround choice):

    - http://www.noscript.net/whats
    "1.1.3.5 is out!
    Main good news:
    * NoScript already protects users against this Firefox DOS exploit. However, it would be theoretically possible to exploit bug 319004 from the server side (no JavaScript). Hence the new NoScript "Truncate title" option (enabled by default) is a quick and dirty additional protection which will work even on whitelisted sites..."
    - http://www.noscript.net/changelog

    Get it!:
    - https://addons.mozilla.org/extension...nfo.php?id=722

    .
    Last edited by AplusWebMaster; 2005-12-09 at 21:57.

  3. #3
    Adviser Team AplusWebMaster's Avatar

    phpMyAdmin vuln - update available

    FYI...

    - http://isc.sans.org/diary.php?storyid=921
    Last Updated: 2005-12-08 22:35:23 UTC
    "...Stefan Esser published a critical vulnerability in phpMyAdmin, popular web based MySQL administration package. What's interesting about this vulnerability is that, in fact, it happens in the code which should protect the application.
    The variable $import_blacklist is supposed to list variables that may not be overwritten. However, as this variable is not protected, an attacker can overwrite it and change the blacklist, after which this can be exploited to execute arbitrary script code in user's browser session, in the context of the site running a vulnerable installation of phpMyAdmin.
    If you use this product, be sure to upgrade to phpMyAdmin 2.7.0-p1 from - http://sourceforge.net/project/showf...group_id=23067.
    The original advisory is at
    - http://www.hardened-php.net/advisory_252005.110.html ..."
    "Risk: Critical...
    Recommendation:
    It is strongly recommended to upgrade to the new version of phpMyAdmin which you can download at:
    - http://www.phpmyadmin.net/home_page/downloads.php ..."

    Also:
    - http://secunia.com/advisories/17925/

    .
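The flaw class described in the post above (a deny list that does not protect itself), shown beside a hardened form as an added example; it is not phpMyAdmin's code and not part of the original post or advisory. It is modelled in Python rather than PHP, and every name except import_blacklist, along with the sample request, is hypothetical and constructed.

```python
# Constructed model of request-variable import; not taken from phpMyAdmin.

def import_request_vulnerable(request_items, scope):
    """Copy request parameters into `scope`, skipping names on the deny list.
    Flaw: the deny list is stored in `scope` under a name it does not list,
    so a request parameter with that name replaces the list itself."""
    for name, value in request_items:
        if name in scope["import_blacklist"]:
            continue
        scope[name] = value
    return scope

# Hardened form: immutable lists held outside the namespace being written to.
PROTECTED = frozenset({"import_blacklist", "cfg", "session_user"})
ALLOWED = frozenset({"db", "table", "lang"})  # hypothetical importable names

def import_request_hardened(request_items, scope):
    """Import only allow-listed string parameters; report everything rejected."""
    rejected = []
    for name, value in request_items:
        if name in PROTECTED or name not in ALLOWED or not isinstance(value, str):
            rejected.append(name)  # worth logging: a request touched a guarded name
            continue
        scope[name] = value
    return scope, rejected

def fresh_scope():
    """Application state before any request data is imported (constructed)."""
    return {
        "import_blacklist": ["cfg", "session_user"],
        "cfg": {"theme": "default"},
        "session_user": "alice",
    }

# Constructed request, in arrival order: the first parameter targets the deny list.
CRAFTED_REQUEST = [
    ("import_blacklist", []),
    ("cfg", {"theme": "overwritten"}),
    ("db", "test"),
]

if __name__ == "__main__":
    print(import_request_vulnerable(CRAFTED_REQUEST, fresh_scope())["cfg"])
    scope, rejected = import_request_hardened(CRAFTED_REQUEST, fresh_scope())
    print(scope["cfg"], rejected)
```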

  4. #4
    Adviser Team AplusWebMaster's Avatar

    MS05-051 exploit Dasher-B "in the Wild"

    FYI...

    - http://www.theregister.com/2005/12/1..._worm_variant/
    16th December 2005
    "After an earlier unsuccessful attempt, virus writers have created the first worm that successfully targets a critical Windows vulnerability (MS05-051) patched by Microsoft in October. The Dasher-B worm exploits a vulnerability in Microsoft Windows Distributed Transaction Coordinator (MSDTC) to spread across vulnerable systems. Unpatched Windows 2000 computers are particularly at risk. If successful, the worm establishes a backdoor on vulnerable computers and opens up a link to a remote server for further instructions. The server instructs infected machines to download a copy of the worm itself and a keylogger, which hides itself on infected systems by using a rootkit driver. Windows users are strongly urged to apply the latest Microsoft security fixes to guard against attack. The MS05-051 patch was the subject of early glitches, even after warnings that it was ripe for malware exploitation. "The worry is that the problems with the patch may have prevented it from being successfully rolled out onto some vulnerable computers," said Graham Cluley, senior technology consultant at anti-virus firm Sophos..."
    - http://www.sophos.com/virusinfo/anal...32dasherb.html

    - http://www.microsoft.com/technet/sec.../MS05-051.mspx

    .

  5. #5
    Adviser Team AplusWebMaster's Avatar

    Spyware Lures to Install Potentially Unwanted Software

    FYI...

    - http://www.websensesecuritylabs.com/...hp?AlertID=379
    December 19, 2005
    "Websense Security Labs (TM) is seeing a large increase in the number of websites and emails that use deception and/or browser vulnerabilities to install potentially unwanted software. The common theme among these threats is the use of lures of possible spyware infections on your machine. In some cases, the scam actually reports fraudulent information regarding the security of your PC.
    In many cases they also request money in return for cleaning the outlined security problems (we have seen as much as $500 per year). Over the last 2 weeks, we have identified more than 1500 sites that have some (or all) of the following criteria:
    - They are hosted in Ukraine and Russia
    - The website domain names are registered in countries like Vanuatu and Mexico
    - IP netblocks hosting sites are often hosting other questionable sites such as fraudulent search engines
    - IP netblocks have been hosting malicious code such as Trojan horse downloaders, droppers, and hosts-file redirection software
    - Malicious code that modifies DNS settings has used these netblocks for DNS resolving
    - Downloaded code often includes several pieces of spyware, adware, and other potentially unwanted software
    - Removing the software often requires you to fill out a survey
    - Several of the sites contain links to other sites that are hosting IE exploit code ..."

    (Various Example Screenshots available at URL above.)


  6. #6
    Adviser Team AplusWebMaster's Avatar

    QuickTime vulnerabilities - update/fix available

    FYI...

    - http://www.security-protocols.com/ad...1-advisory.txt
    "Release Date: December 20, 2005
    Severity: High (think about how many ipods sold this year alone)
    Vendor: Apple
    Versions Affected:
    Apple Quicktime 7.0.3 on OS X 10.4.3
    Apple iTunes 6.0.1 (3) on OSX 10.4.3
    Apple Quicktime 7.0.3 on Win32
    Apple iTunes 6.0.1 (3) on Win32
    Overview:
    A heap overflow vulnerability exists within Apple iTunes 6.0.1 and Quicktime 7.0.3. The vulnerability allows for an attacker to cause the program to crash, and/or to execute arbitrary code in the context of the user who executes the player. These flaws exist within all current versions, and prior versions of Apple iTunes and Quicktime for Mac OS X and Win32..."
    >>> http://security-protocols.com/upcoming/qt-overflow.png

    - http://news.com.com/iTunes+and+Quick...3-6004635.html
    December 21, 2005
    "...For protection, Ferris recommends that computer users don't open media files, or -any- file for that matter, from untrusted sources."

    - http://secunia.com/advisories/18149/
    .

    FYI...

    - http://isc.sans.org/diary.php?storyid=1033
    Last Updated: 2006-01-10 20:55:19 UTC
    "...Apple released a security update to Quicktime: http://docs.info.apple.com/article.html?artnum=303101 There are multiple vulnerabilities patched. To summarize the advisory: A maliciously-crafted GIF/TIFF/TGA/QTIF image or multimedia file may result in arbitrary code execution..."

    -or-

    QuickTime 7.0.4
    >>> http://www.apple.com/quicktime/download/standalone.html

    Last edited by AplusWebMaster; 2006-01-13 at 22:54.
