magmatic.com - Squawk Box

MAAS History

Spam Related to CDC, WHO and Swine Flue

Sunday, May 3, 2009 at 10:57AM

There has been a drastic increase in spam related to the recent outbreak of Swine Flue. Many recent messages have links and file content that directs users to malicious sites. There is also reported cases of the inclusion of malicious files. It is important that users open emails from trusted sources.

One way to help users become better educated is to create a sample White Paper for your organization. Marshal8e6's TRACElabs is an excellent starting point including definitions and examples.

drStrangeP0rk |

Post a Comment |

1 Reference |

Spam

Wednesday

Apr292009

New Zero Day Adobe Acrobat Reader Exploits

Wednesday, April 29, 2009 at 07:09AM

Attackers continue to use maliciously crafted PDF files and JavaScript to take advantage of users, once the user opens the file with the exploit an attacker can execute code with the user privileges. (Note the importance of working as a non-root user!)

The exploit uses two functions specific to Acrobat, spell.customDictionayOpen() and getAnnots(). This is related to spell checking with custom dictionary and the getter method for annotations. The proof of concept was posted by "Arr1val" and possibly affect all versions of Acrobat Reader.

You should have already disabled JavaScript in acrobat. Other workarounds include using Preview.app to open PDF files or block PDF files at the firewall. Please see the reference links to this post for alternatives to Acrobat Reader.

Update on Wednesday, May 13, 2009 at 08:19PM by

drStrangeP0rk

Adobe has posted an update to these vulnerabilities.

http://www.adobe.com/support/security/bulletins/apsb09-06.html

drStrangeP0rk |

Post a Comment |

3 References |

Acrobat Exploits

Thursday

Apr232009

Firefox 3.09 Update Fixes Memory Curruption and Same-Origin Violations

Thursday, April 23, 2009 at 08:28AM

There are four crash bugs which leads to memory corruption. If the user had root privileges then an attack could execute code with those privileges.

Same-Origin is a concept that relates to sscripting in web pages, this allows for the access of scripts originating from the same site to access each others methods and variables without limits. One involves Adobe Flash plug-in. This can allow attackers to execute scripts under the context of a legitimate web site, using cross site scripting (XXS) or cross-site request forgery (CSRF).

It is recomended that this upodate be installed.

Update on Wednesday, April 29, 2009 at 07:39AM by

drStrangeP0rk

New problems introduced by fixes in update 3.0.9 require an update to 3.0.10 including a crash bug and a memory corruption vulnerability that may be exploitable. Make sure to check for updates when opening Firefox. (There is alos a No-Script update that should be installed as well.) It is always recommended that the home/soho user(s) set Auto-Update to check everyday for updates. For larger organizations the selection should be based on their patch and update policy.

drStrangeP0rk |

Post a Comment |

3 References |

Thursday

Apr162009

Zero Day Excel Flaw Patched from February 2009

Thursday, April 16, 2009 at 04:24PM

The security bulletin describes an attackers ability to use a "malformed object" to cause a memory corruption allowing them to gain access to the system as that user. Without going into the importance of only doing general computer activities such as web surfing, reading email and performing office task as a limited user again users need to install this update. The attacker assumes the users permissions and can operate as such.

This update is available for download using the Microsoft Update tool in office. The flaw affects both Windows and Macintosh platforms. This flaw has been in the wild since February 2009 and is active across both platforms.

drStrangeP0rk |

Post a Comment |

3 References |

Mac Exploit,

Microsoft Office Macintosh,

Zero Day

Sunday

Apr052009

Proof of Concept Exploit Code Published

Sunday, April 5, 2009 at 06:08PM

Six kernel vulnerabilities have been published which affect Mac OSX including 5 which can be used to exploit 10.5.6. They can be view on Milw0rm.com, see the link to the Apple specific exploits on the sidebar. These exploits can also affect Solaris kernels and FreeBSD. FreeBSD has been patched, Mac OSX has not as of yet.

Issue one exploits a remote heap overflow in AppleTalk network stack. The second and third exploits a memory leak which can cause the kernel to run out of memory. The fourth exploit relates to HFS vfs sysctl flaw which allows for a global variable to be altered without locking the mutual exclusion object (mutex). Mutex is used to allow multiple program threads to share resources, this is done by locking the mutex from other threads. In this case the locking process does not happen causing a potential of memory corruption.

The last has been know for some time, it relates to the HFS I/O control (IOCTL) handler. User supplied code can be inserted and executed with kernel level privileges.

drStrangeP0rk |

Post a Comment |

2 References |

magmatic.com by magmatic consulting is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Based on a work at http://magmatic.com.
Permissions beyond the scope of this license may be available at http://magmatic.com.