Old Alerts

[AplusWebMaster]

FYI...

- http://securitylabs.websense.com/con...erts/3139.aspx
07.23.2008 - "...At time of this alert, an exploit targeting this flaw has been added to Metasploit, an open source penetration testing tool that is free and publicly available. The US-CERT advisory also makes the several important “DNS best practices” recommendations. Please reference the advisory for complete details. http://www.kb.cert.org/vuls/id/800113 "

- http://www.microsoft.com/technet/sec.../MS08-037.mspx
Revisions
• V2.1 (July 23, 2008): Affected Software table revised to add MS06-064, MS07-062, and MS08-001 as bulletins replaced by this update.

//

[AplusWebMaster]

FYI...

DNS Exploit in the Wild...
- http://isc.sans.org/diary.html?storyid=4765
Last Updated: 2008-07-24 13:15:25 UTC ...(Version: 6) - "... A second module has been released for domains, which replaces the nameservers of the target domain. Unlike the first module which will not replace a cached entry, this exploit will do cache overwrites.
See http://blog.wired.com/27bstroke6/200...xploit-in.html
...Emerging Threats is offering a freely available snort signature* for DNS servers. As always, test before using in critical production environments."

* http://www.emergingthreats.net/content/view/87/1/
24 July 2008

[AplusWebMaster]

FYI...

- http://www.theregister.co.uk/2008/07...slow_to_patch/
25 July 2008 - "More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, BT, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks. According to an informal survey of Register readers, 15 ISPs failed the "Check my DNS" test*... Now that attack code exploiting the vulnerability has been leaked into the wild, millions of subscribers are at risk of being silently redirected to impostor sites that try to install malware or steal sensitive information. Comcast and Plusnet were the only two ISPs we found that weren't vulnerable... Subscribers of ISPs that are still vulnerable ought to hardwire an alternate DNS server into their operating system. We're partial to OpenDNS**. They've been vulnerability free... Other ISPs that were reported vulnerable include: Skybroadband, Carphone Warehouse Broadband, Opal Telecom, T-Mobile, Videotron Telecom, Roadrunner, Orange, Enventis Telecom, Earthlink, Griffin Internet and Jazztel. Demon Internet was reported as potentially being vulnerable..."

* http://www.doxpara.com/

** http://opendns.org/

[AplusWebMaster]

FYI...

- http://db.tidbits.com/article/9706
24 Jul 2008 - "...Apple has yet to patch this vulnerability, which affects both Mac OS X and Mac OS X Server. While individual computers that look up DNS are vulnerable, servers are far more at risk due to the nature and scope of the attack. Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date. All users of Mac OS X Server who use it for recursive DNS must immediately switch to an alternative* or risk being compromised and traffic being redirected..."

Apple server alternative:
* https://www.opendns.com/start?device=apple-osx-server

Apple client alternatives:
* OS X Leopard: https://www.opendns.com/start?device=apple-osx-leopard
* OS X Tiger: https://www.opendns.com/start?device=apple-osx-tiger
* OS 9: https://www.opendns.com/start?device=apple-os9

[AplusWebMaster]

FYI...

- http://www.securityfocus.com/brief/783
2008-07-28 - "A group of security researchers demonstrated on Monday one way to use the recent domain-name service (DNS) security issue to compromise computers by redirecting insecure update services to fake servers that install malicious code instead. The attack tool - dubbed Evilgrade by its creators at non-profit Infobyte Security Research - will enable penetration testers to exploit computers using the automated update feature of Sun Microsystems' Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit, according to the group*..."
* http://blog.metasploit.com/2008/07/e...oy-us-all.html

[AplusWebMaster]

FYI...

DNS patches cause problems...
The patches have caused slowdown in servers running BIND and have have crippled some machines running Windows Server
- http://preview.tinyurl.com/65ujxu
July 29, 2008 (Infoworld) - "Patches released earlier this month to quash a critical bug in the DNS (Domain Name System) have slowed servers running BIND (Berkeley Internet Name Domain), the Internet's most popular DNS software, and crippled some systems versions of Windows Server. Paul Vixie, who heads the Internet Systems Consortium (ISC), the group responsible for the BIND software, acknowledged issues with the July 8 fix that was rolled out... Vixie wasn't specific about the extent of the performance problems facing high-volume DNS servers, but said that a second round of patches, due later this week, will remedy port allocation issues and "allow TCP queries and zone transfers while issuing as many outstanding UDP queries as possible." Versions of the second update, which will be designated P2 when they're unveiled, are currently available in beta form for BIND 9.4.3* and BIND 9.5.1**...
ISC wasn't the only vendor involved in first-round DNS patching that has issued a mea culpa. Two weeks ago, Microsoft confirmed that the July 8 DNS update, tagged as MS08-037, was crippling machines running Windows Small Business Server, a suite based on, among other programs, Windows Server 2003... Last Friday, the company unveiled a pair of support documents that spelled out the patch's unintended side effects, but also added Exchange Server 2003 and Internet Security and Acceleration (ISA) Server to the affected list***. A second issue involves every supported version of Windows, ranging from Windows 2000, XP and Vista to Server 2003 and Server 2008.****..."

* http://www.isc.org/sw/bind/view?release=9.4.3b2

** http://www.isc.org/sw/bind/view?release=9.5.1b1

*** http://support.microsoft.com//kb/956189
Last Review: July 25, 2008 - Revision: 1.0

**** http://support.microsoft.com/kb/956188
Last Review: July 25, 2008 - Revision: 1.1

[AplusWebMaster]

FYI...

Apple Security Update 2008-005...
- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 08:27:35 UTC - "Apple released their patch overnight... Most importantly it contains the workaround for the DNS bug CVE-2008-1447. Also included is an upgrade to PHP 5.2.6 (which was released in source code at http://www.php.net/ on May 1st). Seems we all need to urge Job's gang to release patches significantly faster: it's the price to pay to base parts of your system on open source code. Apple Mac OS X users get it though software update. As always it's one big patch, given that little choice, you'll want to PATCH NOW."

- http://support.apple.com/kb/HT2647
August 01, 2008

- http://www.apple.com/support/downloads/
07/31/2008

- http://secunia.com/advisories/31326/
Release Date: 2008-08-01
Critical: Highly critical
Impact: Security Bypass, Spoofing, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X ...
Solution: Apply Security Update 2008-005...

---

- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 20:06:50 UTC ...(Version: 3) "...UPDATE ...Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness..."

---

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy

[AplusWebMaster]

FYI...

BIND: -P2 patches are released
- http://isc.sans.org/diary.html?storyid=4816
Last Updated: 2008-08-02 11:12:39 UTC - "As expected, the Internet Systems Consortium released patches today addressing stability and performance issues some of those having significant load on their systems were struggling with.
* BIND 9.5.0-P2: http://www.isc.org/sw/bind/view/?release=9.5.0-P2
* BIND 9.4.2-P2: http://www.isc.org/sw/bind/view/?release=9.4.2-P2
* BIND 9.3.5-P2: http://www.isc.org/sw/bind/view/?release=9.3.5-P2 ..."

[AplusWebMaster]

For the end-user, to recap all this, IMHO, the bottom line is here:

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy
Test My DNS

...and if you still have problems, go here and DO IT:
- http://www.opendns.com/


.

[AplusWebMaster]

FYI...

- http://securitylabs.websense.com/con...erts/3151.aspx
08.06.2008 - "Websense... has discovered that a CNET Networks <http://www.cnet.com/about/?tag=ft> site has been compromised. The main page of the CNET Clientside Developer Blog contains malicious JavaScript code that de-obfuscates into an iframe that loads its primary malicious payload from a different host.

The malicious code is observed to exploit a known integer overflow vulnerability in Adobe Flash ( http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071 ). At the time of this alert, the site is still hosting the malicious code. Visitors who are not patched against this vulnerability will be infected without any user interaction.
Software vulnerable to this attack includes:
- Adobe, Flash Player, 9.0.115.0*, and previous
- Adobe, Flex, 3.0
- Adobe, AIR, 1.0 ..."

(Screenshot available at the Websense URL above.)

* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0