Posts filed under 'Server Security'
Got to love it: Adobe’s “stay away from our product” line did not quite work as planned. You see, some clever soul has figured out that it can be exploited via the preview. This is bad news.
http://www.readwriteweb.com/archives/a_new_twist_to_the_adobe_vulnerability.php
I wonder whether Adobe was aware this could be a potential problem, and whether they ever considered advising their users to use another platform.
March 11th, 2009
Well, this is a day early and not really a link to an advisory or exploit, but everybody has to admire any research that gets the media all rowdy. I guess it's been a few days, but there was an advisory out about the PDF file format that *MIGHT* allow remote code execution. Naturally this is a disaster; MSNBC’s story on it is here:
http://www.msnbc.msn.com/id/29390385/
Yeah, let's instill a little fear in user .01beta1. Really, MSNBC? Really? Did Adobe REALLY say to use other PDF readers? I don’t think so; it is more likely that they said to only open PDFs from trusted sources. I guess with online PDF services such as Google's and their own they could have said something, but ultimately why would you want to drive someone away from your product?
*SHRUGS*
I’m just glad there is no working exploit code and no clown has figured it out. I guess MSNBC is looking at the worst-case scenario, that there could be some mass pwnage should a user with malicious intent get hold of it. Worm/virus, trojan, malware or anything else, anyone? Well, March 11th is two weeks from yesterday, so we will see how this pans out. Adobe stock is currently listed at $17.64, which is a small decrease from a little while ago yet a little higher than at opening.
This has now got me thinking about stock prices versus vulnerability and exploit reports. Perhaps someone has done some research or a mashup here? It would be easy to do a quick mashup if anyone is interested.
February 26th, 2009
This week my favourite came in EARLY this morning. It's the Fedora update for xulrunner, described here:
http://secunia.com/Advisories/33841/
Fedora has issued an update for xulrunner. This fixes some vulnerabilities, which can be exploited by malicious, local users to potentially disclose sensitive information, and by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, disclose sensitive information, or potentially compromise a user’s system.
and more information about other distributions and implementations here:
http://secunia.com/advisories/33799/
This is not specifically a local exploit, as the Fedora advisory leans towards suggesting. Multiple errors in the layout engine and the JavaScript engine can be exploited to cause memory corruption and potentially execute arbitrary code. Sounds like it could be done remotely if you ask me.
If I had not got this advisory in my mail this morning then I would have had to choose this one: http://www.securiteam.com/windowsntfocus/5PP010UQAK.html but I think that the xulrunner advisory is a better choice for this week's Friday Favourite!
February 6th, 2009
This is somewhat of a ramble today, based upon an Out-Law news article that was posted today: http://www.out-law.com//default.aspx?page=9505
A German court has ruled that website operators are allowed to store the internet protocol (IP) addresses of their visitors without violating data protection legislation. Without additional information, IP addresses do not count as personal data, it said.
This is interesting because server logs almost always contain IP addresses. Would a site be violating data protection legislation if it had a record of the hosts that accessed the web server? That would be ridiculous. I have mixed feelings about this; for the most part I personally do not see the problem. If a website wants to track when an IP address visits the site, and then correlate that data to user accounts, why is it a problem? Is it a problem if they geocode the IP address and store data related to accounts, geographic areas or demographics? Does that count as personal data, since it is not targeted at a specific user?
The article quotes the guidance: “In practice, it is difficult to use IP addresses to build up personalised profiles,” said the guidance. “Many IP addresses, particularly those allocated to individuals, are ‘dynamic’. This means that each time a user connects to their internet service provider (ISP), they are given an IP address, and this will be different each time.”
I beg to differ. In practice I do not think it is particularly difficult to scan through server logs and/or customised event logs to get information on clients. Take a look at the ARIN.NET whois page: http://ws.arin.net/whois/
then take a look at: http://www.maxmind.com/app/locate_ip
Does storing the IP address sound like private data now, or is it just the reports that can be automatically generated from this information? Any opinions, thoughts or responses are always welcome.
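Whichever way the legal question goes, the practical defensive answer for a server operator is to keep the log while removing the part that identifies a visitor. The script below is an added example written for this post, not something from the article or the court ruling; it rewrites the client address field of Apache combined-format log lines either by truncating the address to its /24 (IPv4) or /48 (IPv6) prefix, or, when a secret key is supplied, by replacing it with a keyed HMAC so that repeat visits still correlate but the address itself cannot be recovered without the key. The log lines and the key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [06/Feb/2009:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
2001:db8:abcd:1234::17 - - [06/Feb/2009:10:15:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - alice [06/Feb/2009:10:16:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.19"
"""

# Matches the leading client address field of a combined-format line.
_HOST_RE = re.compile(r"^(?P<ip>\S+) ")


def truncate_ip(ip_text):
    """Drop the host part of the address: IPv4 keeps /24, IPv6 keeps /48.
    Returns the network address as text, e.g. 203.0.113.42 -> 203.0.113.0."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize_ip(ip_text, key):
    """Keyed HMAC-SHA256 of the address, shortened to 64 bits.
    Stable for a given key, so the same visitor still correlates across lines,
    but the address cannot be recovered without the key. The key is an assumption
    of this example; in practice it would be stored outside the log archive."""
    digest = hmac.new(key, ip_text.encode(), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def scrub_log(text, key=None):
    """Rewrite the client address of every line: truncation when no key is given,
    keyed pseudonym when a key is given. Lines whose first field is not an IP
    literal (e.g. hostname logging enabled) are left unchanged."""
    out = []
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            out.append(line)
            continue
        ip = m.group("ip")
        try:
            replacement = pseudonymize_ip(ip, key) if key else truncate_ip(ip)
        except ValueError:
            out.append(line)
            continue
        out.append(replacement + line[m.end("ip"):])
    return "\n".join(out)


if __name__ == "__main__":
    print(scrub_log(SAMPLE_LOG))
    print(scrub_log(SAMPLE_LOG, key=b"example-secret-key"))
```

Truncation is the simpler choice when you only need coarse geography or abuse trends; the keyed pseudonym is the one to use when you still need to tie a sequence of requests to one visitor (for rate limiting or incident investigation) without keeping the raw address on disk.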
October 14th, 2008
Hey, just writing a quick note to inform you that my server suffered a hard drive failure. Although almost everything was recovered from backups, I seem to have lost a couple of posts from October. This isn’t a big deal for me because I have other means of recovering the lost content (if it works), but it makes me wonder how others deal with disasters. The site was down for a lot longer than I would have liked, but it was out of my control, so there was nothing I could really do. Once everything was restored I still had to reset all the database passwords, as the backups did not include them. It is something that I will think about and hopefully implement a fix for before the next disaster.
October 5th, 2008
A look back in history today as we enter the world of old exploits. I was rummaging around Google when I found this rather long list of exploits from back in the day: http://www.hoobie.net/security/exploits/index.html. It appears that some of the files I was interested in 404, but some of them still have text files. It is a great read for anyone interested: a lot of different types of exploits, some that are still common. You will find no SQL injection or PHP code injection in this list and certainly no cross-site scripting. I don’t know how long the site is going to be up, so I may download the files for reference, but my guess is that if it's been up since 2002 (last page update) then it's probably going to be up for a while longer.
September 22nd, 2008
Everyone has heard about Palin’s email getting hacked. Well, what's all over the news right now is who the script kiddie might be. Turns out that the handle of the poster has been linked to the 20-year-old son of Tennessee Democrat Mike Kernell. How interesting. Now, this is all speculation, but if it was him I wonder whether his scriptolicious leetness was used to “do something awesome” or whether it was instigated. What I do want to see is justice, if the claims are true: he hacked an e-mail account with malicious intent, published private content of another individual and generally caused mischief. I mean, think of the man hours that were lost because of people looking at wikileaks.org. What a hit to the economy.
I was watching the seclists.org mailing list while this was going on and thought it was funny that they were dissecting it before the proxy owner even said they were going to cooperate.
Now, even though David Kernell may have “hacked” Yahoo’s password reset feature, do you really think that it was a hack? I mean, kids in high school and college do this all the time to their friends. I bet her password recovery question was easily guessable.
What I find really funny about this is that he got caught. It is funny because, if it was him, he may have jeopardized his future, and perhaps the reputation of his father. If he did do it, he and his father should be further investigated to make sure that David did this of his own will. All computer equipment should be seized and logs collected.
If David Kernell didn’t do it, you have to give credit to whoever pulled this off. I mean, if they never get caught and this was their plan then bravo. Bravo. Use a script kiddie technique to obtain your information, post it under someone else’s name and then divert attention by having the media blame someone else. If the proxy had been gamed then that adds even more points.
Here is more information from seclists on the case:
On Wed, Sep 17, 2008 at 2:30 PM, Dave Korn wrote:
> Dave Aitel wrote on 17 September 2008 18:44:
>
>> http://wikileaks.org/wiki/Sarah_Palin_Yahoo_inbox_2008
>
> From that page:
>
> “Nb. The ‘ctunnel.com’ reference in the browser screen shots is to a proxy
> service used to prevent the activists from being traced.”
[snip]
> So let me see if I’ve guessed this right: it’s a proxy that rewrites all
> your URLs in rot-13? And this is supposed to “protect your anonymity”?
>
> Those activists are screwed. They better get out of the country PDQ.
> Pardon me, but I’ll be sticking with proper mix chains for now.
Well this was predictable[1]:
“A Tennessee state legislator has confirmed that his son, a
20-year-old student at the University of Tennessee-Knoxville, is the
person being named on blogs and message boards in connection with the
hacking of Alaska Gov. Sarah Palin’s e-mail account, a Nashville paper
reported late yesterday.”
“State Rep. Mike Kernell told the Tennessean that his son, David
Kernell, is at the center of speculation about the identity of the
hacker who gained access to Palin’s account.”
“On Wednesday, someone identified only as “rubico” posted a
message to 4chan.org’s popular /b/ board claiming to have gained
access to Palin’s e-mail by using Yahoo’s password reset feature.
Although the post was deleted from 4chan.org, a copy was sent to
conservative syndicated columnist Michelle Malkin, who published it on
her blog Wednesday.”
But it gets better: why worry about the suitability of ROT-13 when you
have logs? I believe the term is “LULZ!”:
“Gabriel Ramuglia, the webmaster of an Athens, Ga.-based proxy
service, may be able to shed light on the identity of the hacker as
early as today. On Thursday, Ramuglia said that the FBI had contacted
both him and Yahoo the day before, asking for server logs to determine
who had accessed Palin’s account.
“Ramuglia operates Ctunnel, an ad-supported proxy service targeted
primarily at users in schools or businesses who want to access sites
that are normally blocked by network administrators. Screenshots of
several messages from Palin’s account showed that the hacker had used
Ramuglia’s proxy service in an attempt to hide his or her tracks.”
“He was also confident he would be able to pinpoint the person who
used his proxy service to access Palin’s account. “I should be able to
track it down to their original ISP, and then the IP address of the
person who did it,” Ramuglia said. “Who did this abused my service and
broke the law.”
September 19th, 2008
http://secunia.com/Advisories/31884/
http://fd.the-wildcat.de/pma_e36a091q11.php
Proof of concept code has been released for the phpMyAdmin vulnerability and all versions prior to 2.11.9.1 need to be updated. The RC release of 3.0.0 is reportedly vulnerable too. RC2 was released this morning; I cannot tell from the “Notes” section whether RC2 fixes this problem. http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0
September 16th, 2008
Problems with Apache’s mod_proxy in Mandriva have been resolved with updated packages: a DoS in the core proxy module and an XSS in the FTP module.
Mandriva Linux Security Advisory MDVSA-2008:195
http://www.securityfocus.com/archive/1/496352
Problem Description:
A vulnerability was discovered in the mod_proxy module in Apache where
it did not limit the number of forwarded interim responses, allowing
remote HTTP servers to cause a denial of service (memory consumption)
via a large number of interim responses (CVE-2008-2364).
A cross-site scripting vulnerability was found in the mod_proxy_ftp
module in Apache that allowed remote attackers to inject arbitrary
web script or HTML via wildcards in a pathname in an FTP URI
(CVE-2008-2939).
The updated packages have been patched to prevent these issues.
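The DoS half of this advisory is worth understanding on the wire, because the same shape of bug shows up in any proxy or client that forwards HTTP responses: an upstream server may send any number of 1xx interim heads before the final response, and if the reader forwards or buffers each one without an upper bound, the peer controls how much memory it consumes. The code below is an added example, not Apache's or Mandriva's code, showing the defensive pattern a reader of HTTP responses needs: skip interim responses but cap how many it will accept before giving up. The cap of 10 is an arbitrary value chosen for this example, and the response bytes are constructed inline.

```python
import re

MAX_INTERIM_RESPONSES = 10  # arbitrary cap chosen for this example

# Status line of an HTTP/1.0 or HTTP/1.1 response head.
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) [^\r\n]*\r\n")


class TooManyInterimResponses(Exception):
    """Raised when an upstream keeps sending 1xx heads past the configured cap."""


def split_head(buf):
    """Return (status_code, head_bytes, remaining_bytes) for the first response head in buf."""
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("incomplete response head")
    head = buf[:end + 4]
    m = STATUS_RE.match(head)
    if not m:
        raise ValueError("malformed status line")
    return int(m.group(1)), head, buf[end + 4:]


def read_final_response(buf, limit=MAX_INTERIM_RESPONSES):
    """Skip 1xx interim responses (except 101 Switching Protocols, which is final)
    and return (status, head, body_bytes) for the real response.
    Aborts once more than `limit` interim heads have been seen, so a hostile
    upstream cannot make the reader process an unbounded number of them."""
    interim = 0
    while True:
        status, head, buf = split_head(buf)
        if 100 <= status < 200 and status != 101:
            interim += 1
            if interim > limit:
                raise TooManyInterimResponses(f"more than {limit} interim responses")
            continue
        return status, head, buf


def accepts(buf, limit=MAX_INTERIM_RESPONSES):
    """True if the stream yields a final response within the cap, False if it was cut off."""
    try:
        read_final_response(buf, limit)
        return True
    except TooManyInterimResponses:
        return False


def build_response(interim_count):
    """Construct a response stream with `interim_count` '100 Continue' heads before a final 200."""
    interim = b"HTTP/1.1 100 Continue\r\n\r\n" * interim_count
    final = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    return interim + final


if __name__ == "__main__":
    print("3 interim heads accepted:", accepts(build_response(3)))
    print("50 interim heads accepted:", accepts(build_response(50)))
```

Note that the reader counts heads rather than buffering them; the memory-consumption problem in the advisory comes precisely from treating each interim head as something to store and forward, so the fix is to bound the count and discard what has been skipped.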
September 15th, 2008
StingRay FTS Cross-Site Scripting Vulnerability
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064368.html
Secunia: http://secunia.com/Advisories/31645/
Product URL: http://www.porthale.co.uk/products/stingray/stingray.htm
As with a lot of XSS and web security advisories, it's not uncommon never to have heard of the product. StingRay FTS is a File Transfer Server. You may be asking why I’m writing about XSS exploits, since they are so petty. The reason is that this exploit happens to be on a file server. Now, imagine if there was an XSS exploit on a corporate file server. How hard would it be to gain access? Your simple XSS exploit, a minor development oversight, has opened up your file server for further information gathering, corporate espionage and further attacks. The StingRay FTS has earned some awards, so it's worthy of a mention. If you have one, patch it and make sure that the problem did get patched.
September 15th, 2008