Adobe PDF Exploit

Got to love it: Adobe's "stay away from our product" advice did not quite work as planned. You see, some clever soul has figured out that the flaw can be exploited through file preview, without the user deliberately opening the document. This is bad news.

http://www.readwriteweb.com/archives/a_new_twist_to_the_adobe_vulnerability.php

I wonder if Adobe was aware this could be a potential problem, and I wonder if they ever considered advising their users to use another platform.

March 11th, 2009

Early Friday Favourite

Well, this is a day early and not really a link to an advisory or exploit, but everybody has to admire research that gets the media all rowdy. It has been a few days now, but there was an advisory out about a flaw in the handling of the PDF file format that *MIGHT* allow remote code execution. Naturally this is a disaster; MSNBC's story on it is here:
http://www.msnbc.msn.com/id/29390385/
Yeah, let's instil a little fear in user .01beta1. Really MSNBC? Really? Did Adobe REALLY say to use other PDF readers? I don't think so; it is more likely that they said to only open PDFs from trusted sources. I guess with online PDF services such as Google's and their own they could have said something, but ultimately why would you want to drive someone away from your product?
*SHRUGS*
I'm just glad there is no working exploit code out and no clown has figured it out. I guess MSNBC is looking at the worst-case scenario: mass pwnage should a user with malicious intent get hold of it. Worm, virus, trojan, malware, anything else? Well, March 11th is two weeks from yesterday, so we will see how this pans out. Adobe stock is currently listed at $17.64, which is a small decrease from a little while ago yet a little higher than opening.

This has now got me thinking about stock prices versus vulnerability and exploit reports. Perhaps someone has done some research or a mashup here? It would be easy to do a quick mashup if anyone is interested.

February 26th, 2009

Feb 6th 09 Friday Favourite

This week my favourite came in EARLY this morning. It's the Fedora update for xulrunner described here:
http://secunia.com/Advisories/33841/

Fedora has issued an update for xulrunner. This fixes some vulnerabilities, which can be exploited by malicious, local users to potentially disclose sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, disclose sensitive information, or potentially to compromise a user's system.

and more information about other distributions and implementations is here:
http://secunia.com/advisories/33799/

This is not specifically a local exploit, as the Fedora advisory leans towards suggesting. Multiple errors in the layout engine and the JavaScript engine can be exploited to cause memory corruption and potentially execute arbitrary code. Sounds like it could be done remotely if you ask me.

If I had not got this advisory in my mail this morning then I would have had to choose this one: http://www.securiteam.com/windowsntfocus/5PP010UQAK.html but I think that the xulrunner advisory is a better choice for this week's Friday Favourite!

February 6th, 2009

Trojan in iWork09 - Friday Favourite

Now, this week's favourite just came in. I was scouring my RSS feeds for interesting stuff to post, but nothing really caught my eye. You know, we had the usual 10 million XSS holes, 5 million SQL injections and the odd buffer overflow, but this is not so much an exploit in software as it is an exploit of stupidity.

Most Mac OS X users that I know are the type of people who think that since they switched they don't need antivirus. After all, there are no viruses on Mac OS X, right? Yeah, and I suppose the default firewall will protect you against outgoing connections too. Anyhow, back on point: these people are also the type who are willing to "borrow" software. Well, that's great, because if they borrow iWork09 it's possible they could get a trojan *GASP*:

http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=212902080&cid=RSSfeed_IWK_ALL

Who would have thought? I guess a trojan isn't technically a virus, but it can be a means for one to spread. Well, that's enough on that topic; it should give you something to ponder.

January 23rd, 2009

Friday Favourite Jan 16th 2009

What was it this week, attack applications that use Adobe PDF technologies? For whatever reason, amongst the hundreds of SQL injection and XSS disclosures, this week had an unusual number of disclosures attacking the PDF file format. With that said, my favourite this week is a toss-up between:

Sun Solaris Adobe Reader Multiple Vulnerabilities
Advisory URL: http://secunia.com/Advisories/33491/
Sun has acknowledged some vulnerabilities in Adobe Reader included in Solaris, which can be exploited by malicious, local users to gain escalated privileges or by malicious people to compromise a user's system.

and:

jhead ‘DoCommand()’ Arbitrary File Deletion Vulnerability
Advisory URL: http://www.securityfocus.com/bid/32506

I find the jhead one rather amusing since I use that piece of software. What I find even funnier is that I do not believe it has been patched on my system yet, but I could be wrong. It probably will not get patched on many production servers running applications that lazy administrators do not want to break. I guess when all of their files disappear they will learn their lesson.

I do not know much about the Sun advisory other than what is listed on the Secunia website, but I think that the solution is hilarious:
"Do not open PDF files from untrusted sources."
OK, my boss just sent me a PDF. Do I trust it?
"Sorry Mr Boss Man, I haven't opened any PDFs recently because Sun told me not to. I can't verify that it was you who actually sent the document, since you send me so many."
Oh well, another day, another advisory.

January 16th, 2009

Internet Censorship

Today, InformationWeek reports that UK Internet users have been "censored" from a particular page on Wikipedia.
http://www.informationweek.com/news/internet/policy/showArticle.jhtml?articleID=212300138&cid=RSSfeed_IWK_ALL
It makes me ask the question: is the internet a privilege or a right?

I think that it is absolutely stupid that the IWF took on the task of blocking Wikimedia for this page. System administrators have a hard enough time keeping high school students off sites they shouldn't be visiting, let alone an entire country trying to look at something that has now gained a bundle of attention. So, why did they block it? It's not as if that image exists nowhere else on the web (Amazon). I would like to know the reasoning behind this ordeal. It is the same sort of situation as the Lego sets that we saw last week (terrorists and Nazis): publicity. While the situation is not socially acceptable, there is no reason to bring this to more people's attention.

So, now I'd like to find out if anyone with an IWF-governed ISP in England is able to circumvent these amateurish tactics. If people can break out of the Great Firewall of China, then this should be a snap. I bet a US-based HTTPS-encrypted web proxy would do the trick.

“The Wikimedia Foundation has urged the IWF to remove Wikipedia from its blacklist.”
If I were on the board of the Wikimedia Foundation I would not urge the IWF to remove them, I would demand it. If they do not comply, then perhaps ask Wikipedia users to pay a visit to the IWF website and submit a complaint (Report Abuse). Or perhaps remove their right to use Wikipedia at all. I do think the IWF is a good idea in theory, but this is not a good example of their work.

–UPDATE, some Out-Law news: http://www.out-law.com//default.aspx?page=9644

December 8th, 2008

Average number of advisories per day

So, it's been a while since my last update, right on 50 days now. I was going to do a round-up of some advisories. Turns out that would take me too long, since I have over 900 advisories in my RSS feeds, and that is just for the time I had my RSS reader up. So, let's take the exact number of advisories I have in my feeds (904) and divide it by the number of days: 904 / 50 = 18.08. That's basically 18 advisories per day. Now, those are not all unique, but that's still a decent number per day. I might one day work on a security-related Yahoo! Pipe to de-dupe the results.

To the best of my knowledge there will be a Friday Favourite this week.
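The de-duping is the interesting part of that count, since the same issue tends to appear once per tracker. Below is an added example (not from the original post and not a Yahoo! Pipe) of how I would collapse a pile of feed items: merge anything that shares a CVE identifier or a normalised title, including items that bridge two groups that previously looked distinct. The feed items and CVE numbers are constructed placeholders, not real advisories.

```python
import re

# Constructed sample feed items (not real advisories; CVE numbers are placeholders).
# The same issue tends to appear once per tracker or vendor, which inflates a raw
# count such as "904 advisories in 50 days".
SAMPLE_ITEMS = [
    {"source": "secunia", "title": "Fedora update for xulrunner",
     "summary": "Fixes CVE-2009-1111 and CVE-2009-1112 in the layout engine."},
    {"source": "secunia", "title": "Mozilla Firefox Multiple Vulnerabilities",
     "summary": "Affected: cve-2009-1111, CVE-2009-1112."},
    {"source": "securityfocus", "title": "jhead 'DoCommand()' Arbitrary File Deletion Vulnerability",
     "summary": "No CVE assigned yet."},
    {"source": "secunia", "title": "jhead DoCommand() Arbitrary File Deletion Vulnerability",
     "summary": "A weakness has been reported in jhead."},
    {"source": "vendor", "title": "Adobe Reader buffer overflow",
     "summary": "CVE-2009-1113."},
    {"source": "securityfocus", "title": "Adobe Reader and Acrobat Remote Code Execution",
     "summary": "See CVE-2009-1113 and CVE-2009-1114."},
]

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def extract_cves(item):
    """Return the set of CVE identifiers mentioned in an item's title or summary."""
    text = f"{item.get('title', '')} {item.get('summary', '')}"
    return {m.group(0).upper() for m in CVE_RE.finditer(text)}


def normalize_title(title):
    """Lower-case and strip punctuation so trackers' minor rewordings compare equal."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", title.lower()).split())


def group_advisories(items):
    """Merge items that share a CVE identifier or a normalised title.

    Returns a list of groups; each group holds the union of CVEs, the set of
    normalised titles and the original items, so one advisory seen from three
    trackers counts once.
    """
    groups = []
    for item in items:
        cves = extract_cves(item)
        title = normalize_title(item["title"])
        matching = [g for g in groups if (g["cves"] & cves) or title in g["titles"]]
        if matching:
            target = matching[0]
            # An item can bridge groups that previously looked distinct
            # (one tracker lists CVE-A, another CVE-B, a third lists both).
            for other in matching[1:]:
                target["cves"] |= other["cves"]
                target["titles"] |= other["titles"]
                target["items"].extend(other["items"])
                groups.remove(other)
        else:
            target = {"cves": set(), "titles": set(), "items": []}
            groups.append(target)
        target["cves"] |= cves
        target["titles"].add(title)
        target["items"].append(item)
    return groups


def summarize(items, days):
    """Raw and de-duplicated counts plus the unique-advisories-per-day rate."""
    groups = group_advisories(items)
    return {"raw": len(items), "unique": len(groups), "per_day": len(groups) / days}


if __name__ == "__main__":
    for g in group_advisories(SAMPLE_ITEMS):
        print(sorted(g["cves"]) or "(no CVE)", "<-", [i["source"] for i in g["items"]])
    print(summarize(SAMPLE_ITEMS, days=2))
```

On the six constructed items this yields three unique advisories, so the per-day figure drops by half; on a real feed the ratio will differ, but the point stands that the raw number overstates the load. Title matching is deliberately crude: a tracker that renames a product (or an item with no title at all) will not merge, so the CVE match is the one to trust.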

December 3rd, 2008

Are IP Addresses Personal Information?

This is somewhat of a ramble today, based upon an Out-Law News article that was posted today: http://www.out-law.com//default.aspx?page=9505

A German court has ruled that website operators are allowed to store the internet protocol (IP) addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data, it said.

This is interesting because server logs almost always contain IP addresses. Would they be violating data protection legislation if they had a record of the hosts that accessed the web server? That would be ridiculous. I have mixed feelings about this; most of me personally does not see the problem. If a website wants to track when an IP address visits the site, and then correlate that data to user accounts, why is it a problem? Is it a problem if they geocode the IP address and store data related to accounts, or to geographic areas or demographics? Does that count as personal data when it is not targeted at a specific user?

The guidance quoted in the article says: "In practice, it is difficult to use IP addresses to build up personalised profiles. Many IP addresses, particularly those allocated to individuals, are 'dynamic'. This means that each time a user connects to their internet service provider (ISP), they are given an IP address, and this will be different each time."
I beg to differ. In practice I do not think it is particularly difficult to scan through server logs and/or customised event logs to get information on clients. Take a look at the ARIN whois page: http://ws.arin.net/whois/
then take a look at: http://www.maxmind.com/app/locate_ip
Does storing the IP address sound like private data now, or is it just the reports that can be automatically generated from this information? Any opinions, thoughts or responses are always welcome.
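To make the "additional information" point concrete, here is an added example (mine, not part of the original post) that runs over a few constructed Apache combined-format log lines: it counts hits per client address, links each address to any login name that ever appeared next to it, and then shows the usual mitigation of truncating addresses to their network before the log is stored. The log lines and the user names in them are made up; the prefix lengths (/24 for IPv4, /48 for IPv6) are my assumption of a reasonable default, not a legal standard.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not taken from any
# real server). The third field is the authenticated user, "-" when anonymous.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2008:09:12:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - alice [14/Oct/2008:09:12:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - alice [14/Oct/2008:09:12:09 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Oct/2008:09:13:44 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.18.2"
2001:db8:1:2::9 - bob [14/Oct/2008:09:15:00 +0000] "GET /account HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def requests_per_ip(records):
    """Hit count per client address, the most basic per-visitor profile."""
    return Counter(r["ip"] for r in records)


def ip_to_users(records):
    """Once an address appears next to a login name even once, every other hit
    from that address (including the anonymous ones) is linked to that person."""
    users = defaultdict(set)
    for r in records:
        if r["user"] != "-":
            users[r["ip"]].add(r["user"])
    return dict(users)


def anonymize_ip(ip, v4_prefix=24, v6_prefix=48):
    """Keep only the network part before storing: 203.0.113.7 -> 203.0.113.0.
    Prefix lengths are an assumed default; pick them to match your retention policy."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "-"  # hostnames or garbage in the client field: drop rather than keep
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymize_log(text):
    """Rewrite the client field of every line so the stored log holds no full addresses."""
    return re.sub(r"^(\S+)", lambda m: anonymize_ip(m.group(1)), text, flags=re.MULTILINE)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(requests_per_ip(recs))
    print(ip_to_users(recs))
    print(anonymize_log(SAMPLE_LOG))
```

Note what truncation does and does not buy you: the anonymous hits from 203.0.113.7 can no longer be tied to a single host, which is the point of the exercise, but the user column still names alice and bob, so the log as a whole remains personal data for anyone who logged in. That is exactly the "additional information" the ruling hinges on.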

October 14th, 2008

Kernell Faces Possible Jail Time

So, it appears that Kernell has a trial date of December 16th. If he is guilty, like I said, he should be punished. What may have seemed like an elite hack to him (but was far from it) now has him facing up to five years in prison, a possible quarter-million-dollar fine, and three years of supervised release if convicted. These will be negotiated down, and I doubt he will do the full five years. While these terms may seem harsh, a five-year maximum seems to be what others are getting for petty larceny. He is lucky that the penalties are not even greater.

I feel bad for Kernell in the sense that one bad decision may count as a felony. He isn't allowed a computer, but can apparently access e-mail and the internet for class work. How exactly this is going to be monitored and implemented would be interesting to know. Are they going to print his e-mails out and have supervised web browsing? How is he ever going to live without the web?
This also brings up the question: is he allowed a cell phone? Mobile browsers or even SMS can be very powerful tools. I've put Dec 16th in my calendar; I'm interested in what the verdict will be for this one.

October 9th, 2008

Server Outage, Lost Posts

Hey, just writing a quick note to inform you that my server suffered a hard drive failure. Although almost everything was recovered from backups, I seem to have lost a couple of posts from October. While this isn't a big deal for me because I have other means of recovering the lost content (if it works), it makes me wonder how others deal with disasters. The site was down for a lot longer than I would have liked, but it was out of my control, so there was nothing I could really do. Once everything was restored I still had to reset all the database passwords, as the backups did not save these. It is something that I will think about and hopefully implement a fix for before the next disaster.

October 5th, 2008
