Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability

Microsoft Windows ASX File Parsing Remote Buffer Overflow Vulnerability

Overview
Internet Storm Center features daily handler diaries with summarizing and analyzing new threats to networks and internet security events. Diaries range from 0day vulnerability announcements to the latest software update releases. If it's security related, we'll probably put up a diary about it!
The ISC homepage https://isc.sans.edu always displays the last 24 hours of diaries. The top and bottom of every diary, wherever it is listed, contains a previous/next navigation link that will iterate through all the diaries in order. You can click the title to view the full diary page.
What's in a Diary?
A Diary title is always an active link so you can right-click and copy to send to a friend or co-worker you think would be interested in the information. Alternatively, there is a Share menu to the right of the title if you want to publicly share on any number of social networking sites!!
Under the title you will see the original published date and the last updated date if any changes have been logged to the diary. Below that you will see the name of the handler that authored the diary and version number. The Rate this diary is currently disabled but should be back soon.
The number of comments displays how many comments have been added and is a link that will take you straight to the comments section below the diary. You can leave a comment if you are logged to your ISC/DShield account. Not logged in? No worries, just click the link, login and you should be brought right back to leave your comment. The Alias will default to what you have set in Your Information https://isc.sans.edu/myinfo.html but you can change it to whatever you want. Every comment is vetted by the handlers and inappropriate or blatant ads are removed.
The diary content will vary. It can contain anything from just a few lines of text, sometimes with web links, to a full tutorial with illustrated graphics. A handler will have their own custom signature at the end of every diary posted. If an announcement is short and doesn't require a lot of detail, a handler may post a oneliner which is highlighted with a different background/border and generally just one sentence.
A Keywords list follows the diary content. This is a individually linked list that will take you to a page displaying a table of all the diaries that contain that same keyword, along with the date published and author.
How can I find past dairies?
The easiest way to find past diaries is to search for keywords as explained here https://isc.sans.edu/diary/ISC+Feature+of+the+Week+ISC+Search/12496. ALL the diaries can be listed by date on the Diary Archives page https://isc.sans.edu/diaryarchive.html. This is useful if you know the general timeframe or title text of a specific diary or just want to skim titles as an entire month is shown at once.
The site footer always contains some of the most recent Diary Archives in the center as well as a link to all the archives page. The homepage also lists some more of the most recent diaries as well as a link to the Diary Archives page https://isc.sans.edu/diaryarchive.html. There is also a link to the archives after every comment section on the diary page.
How can I get these diaries you speak of?
Well, you can make https://isc.sans.edu your default browser page so you don't miss anything.
You can also receive full or title only diaries by subscribing in your favorite RSS reader. The links can be found here https://isc.sans.edu/xml.html#rss

Let us know in the section below if you have suggestion or feeback about our diaries or send us any questions or comments in the contact form at https://isc.sans.edu/contact.html
--


Adam Swanger, Web Developer (GWEB)


Internet Storm Center (http://isc.sans.edu)

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

U.S. Internet service providers should take new steps to protect subscribers against cyberattacks, including notifying customers when their computers are compromised, the chairman of the U.S. Federal Communications Commission said Wednesday.

When online marketing firm Hubspot started in 2006, the company's IT needs were not very taxing, but they expanded quickly as the company realized success.

An organization that represents CIOs and other healthcare IT leaders is protesting government plans to delay a deadline requiring a new medical coding system.

The target website was http://www.getinvolveducf.com University of Central Florida Office of Student Involvement and the leaked information was announced to us via twitter.

High-profile attacks on Nortel, RSA and others have thrust cyberespionage attacks into the spotlight ahead of RSA Conference 2012

Understanding IPv6 security issues can be a challenge, but the protocol's co-inventor says enterprises can no longer afford to ignore IPv6 security concerns.

Advantech WebAccess Multiple Remote Vulnerabilities

Amazon's newest offering, announced Wednesday, is designed to ease application development and automate business processes.

U.S. Internet service providers should take new steps to protect subscribers against cyberattacks, including notifying customers when their computers are compromised, the chairman of the U.S. Federal Communications Commission said Wednesday.

Prices of DDR3 DRAM memory used in laptops and desktops have dipped to an all-time low of around $1, and will continue to fall, which could help PC makers pack more memory into computers, analysts said.

Verizon's 4G LTE network has been knocked offline again just two months after its last serious outage.

For most of my life, I've been a single screen kind of guy. I spent the vast majority of the last several years working from a 13-inch MacBook. When I did eventually add a 27-inch Cinema Display to the mix, it took at least two weeks before I was willing to finally stop piling all my windows into roughly the same amount of space as that MacBook screen.

The New York Times reported Wednesday that Google's new Android-based goggles will be priced between $250 and $600, and include a 3G or 4G data connection along with motion and GPS sensors.

The United States is the fourth friendliest country in the world for global cloud interoperability, according to a new study from the Business Software Alliance. But, the organization said a "patchwork" of laws and regulations around the world is holding back cloud adoption internationally.

As many as 200,000 systems connected to the Internet could be hijacked by hackers exploiting bugs in Symantec's pcAnywhere, including up to 5,000 point-of-sale programs that collect credit card data, a researcher said today.

The Business Software Alliance surveyed 24 countries that comprise lion's share of global information and communication technologies market to identify the most cloud-friendly policy environments. Where does the U.S. rank?

Exploit code targeting a newly identified vulnerability in Symantec's pcAnywhere computer remote control product has been published on the Internet, exposing its users to possible attacks that disrupt the software's functionality.

The U.S. Federal Trade Commission should force Google to halt its plan to consolidate user identities across its services and fine the company for violating an October privacy settlement with the agency, privacy group the Center for Digital Democracy said in a complaint filed Wednesday.

The U.S. Federal Communications Commission must block Verizon Wireless from buying wireless spectrum from cable providers because two proposed deals would concentrate too much spectrum in the hands of one company, a coalition of advocacy groups said.

Microsoft has filed a formal complaint with the European Commission against Motorola Mobility for alleged abuse of essential patents.

[ MDVSA-2012:023 ] libxml2

Multiple XSS in Chyrp

SMART Storage today announced an MLC-based SAS SSD that it says approaches the resiliency and performance of an SLC NAND flash drive that it said is suitable for top tier enterprise use.

@D35m0nd142 has discovered and rediscovered a few vulnerable sites that carry big names. Its not the first time either that D35m0nd142 has hacked and exploited high profile sites as we have seen close to 100 over the past few months.

[ MDVSA-2012:022 ] libpng

Multiple security vulnerabilities in Tremulous 1.1.0, GPP1, and unofficial MG and TJW engines

[SECURITY] [DSA 2415-1] libmodplug security update

[SECURITY] [DSA 2414-1] fex security update

Security B-Sides Announces 2012 Speaker Line-Up and Participants at B-Sides ... MarketWatch (press release) "2012: The End of Security Stupidity" panel by Amit Yoran, Kevin Mandia, Ron Gula and Roland Cloutier -- "So you want to be the CSO" by Daniel Blander -- "Across the Desk: Different Perspectives on InfoSec Hiring and Interviewing" by Lee Kushner ... and more »

When it comes to giving Uncle Sam his due, we're dealing with an embarrassment of riches. Want to use an online service to prepare and file your tax return? You've got at least five online tax preparation sites to pick from. More comfortable with traditional desktop products? I've looked at both TurboTax Premiere 2011 from Intuit and At Home Premium 2011 from H&R Block. And if you're turning to an iPhone or iPad for an increasing number of day-to-day tasks, tax app makers have something to offer as well.

Dolibarr 'adherents/fiche.php' SQL Injection Vulnerability

freelancerKit SQL Injection and HTML Injection Vulnerabilities

Fork CMS Cross Site Scripting and Local File Include Vulnerabilities

The Apache Foundation released version 2.4.1 of its popular web server, including a number of interesting changes [1]. Among the features, I would like to highlight some of the security relevant changes:
- more granular logging. Logging is always a tedious and often overlooked security component. Apache 2.4 will allow for log levels to be configured on a per-directory level.
- various changes to timeouts. We had a number of tools over the last few years that attacked web servers by exhausting connections. The new timeout changes may help with that, but over all, I don't think there is a simple fix for this problem.
- changes to the proxy configuration. Some use apache not just as a web server, but as a proxy to restrict access to resources, or as a load balancer. This can help with security, but in the past, bugs in Apache's implementation of these features has caused problems.
- Apache now includes a mod_session that will have Apache take care of sessions. This includes support for encrypted sessions, and support for session based authentication. Really have to see how this will all work in more detail. It appears that headers will be used to add data to sessions. This could be a new opportunity to exploit http response splitting. Note that the session information may be stored on the client, not just the server. Unencrypted sessions on the client could pose interesting security issues.
- mod_ssl has been improved to allow it to check for invalid client certificates via OCSP.
Version 2.4.1 is now available for download. I recommend you start testing it, but hold off on using it in production until some of the features have been debugged.
[1] http://httpd.apache.org/docs/2.4/new_features_2_4.html
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

AT&T is rolling out its 4G LTE service in selected markets across the country. How does the new network stand up to Verizon's more mature offering in terms of availability, speed and price?

Microsoft's Windows 8 operating system will have the U.K. version of English as a display language option, to address customers in that country, and some other countries like South Africa, India, Ireland, and Australia that use the version of the language.

RabidHamster R4 File Disclosure and Multiple Buffer Overflow Vulnerabilities

Yoono Extension 'create' Field HTML Injection Vulnerability

DIARY-US MEETINGS/WEEK AHEAD Reuters ... at Morgan Stanley Tech Conf 27 Feb 22:10 Parametric Tech Corp. at Morgan Stanley Tech Conf 27 Feb 22:10 Scripps Networks Interactive at Morgan Stanley Tech Conf 27 Feb 23:00 Akamai Tech at AGC West Coast Info Sec & Growth Conf 27 Feb 23:40 ANCESTRY ... and more »

With the beta of Windows Server 8 to be released in the next few weeks, Microsoft executives said the next-generation OS is focused squarely on storage.

Node-inspired development environments and cloud platforms are rapidly remaking the Web application stack

BCA, Bangladeshi cyber army, a self claimed largest hacking group in bangladeshi has taken the CBI offline and as a result the sites been down for some time now due to the attack.

SANS Institute Makes its Largest Training Event of the Year, SANS 2012 ... Bradenton Herald SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security ...

Posted by InfoSec News on Feb 22

http://www.cato-at-liberty.org/cybersecurity-hype/

By Jim Harper
Cato @ Liberty
February 21, 2012

The approving response of an IT security professional last week pointed
me to a story about cybersecurity in which I’m featured. The story and
accompanying video are called: “Is Cyberwar Hype Fuelling a
Cybersecurity-Industrial Complex?” It’s a really good look at how
government contractors, many former government officials, are working...

Posted by InfoSec News on Feb 22

http://blogs.computerworld.com/19755/transparency_grenade_detonate_cyberwar_weapon_to_leak_sensitive_data

By Darlene Storm
Security Is Sexy
Computerworld
February 21, 2012

While there's plenty of cyberwar talk and hackers hitting sites before
leaking information like a weapon, now there's grenade to aid such
exploitation. A hacker / artist who helped create Newstweek, a hidden
device that hardware hackers could use to distort or...

Posted by InfoSec News on Feb 22

http://www.gulf-times.com/site/topics/article.asp?cu_no=2&item_no=487800&version=1&template_id=36&parent_id=16

Gulf News
21/2/2012

The Supreme Council of Information and Communication Technology
(ictQATAR) has issued two policies for government agencies aimed at
better securing government information and assets.

The Government Information Assurance Policy and the BlackBerry Security
Policy both address information assurance...

Posted by InfoSec News on Feb 22

http://www.informationweek.com/news/security/vulnerabilities/232601182

By Mathew J. Schwartz
InformationWeek
February 21, 2012

Code has been published that attackers could use to crash fully patched
versions of pcAnywhere on any Windows PC, without first having to
authenticate to the PC.

The exploit details arrived Friday in the form of a Pastebin post from
Johnathan Norman, director of security research at Alert Logic.
Advertised as a...

Posted by InfoSec News on Feb 22

http://www.bankinfosecurity.com/interviews.php?interviewID=1395

By Eric Chabrow
Bank Info Security
February 20, 2012

IT security practitioners who employ the RSA public-private key
cryptography needn't lose sleep about its efficacy, despite new research
that raises questions on how it creates large prime numbers to generate
secret keys. IT security authority Gene Spafford says.

Information Security Media Group asked the Purdue...

Fisfe.org.ar, Industrial Federation of Santa Fe has been hacked and had a a couple of admin accounts leaked via pastebin by hackers using the team handle Revolution Hackers.

CVS CVE-2012-0804 'proxy_connect()' Heap Buffer Overflow Vulnerability

The latest attack is on an iran based website that is a self claimed website for Top engineering teams. @S3rverexe has claimed to of hacked the server, which is true as you can see from the defacing and the data leaked as well as this he states he has control of the server (rooted).

A group of hackers going by the name of VViP Team have hacked an official australian sony website thats dedicated to the VAIO, www.sonyvaio.com.au, as a result of the hack the website has been left defaced.

Samba 'AndX' Request CVE-2012-0870 Heap Based Buffer Overflow Vulnerability

Turkish hackers have started to join the middle east cyber war that has been brewing over the past couple of weeks. the hackers who are using the handle SLYHACKER has uploaded a mass defacement of over 300 websites that are Israeli based to zone-h.

The website lanacion.com.ar has seen a dump of over 500+ accounts leaked in the format of usernames, ids, emails and passwords which are encrypted.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

While I started working on comparing various OS X hardening guides (see the prior diary from a couple of days ago), Apple announced one important new security feature in OS X 10.8 (Mountain Lion). The new operating system to be released this summer will include a white listing system based on iOS. iOS has received a lot of criticism for its closed nature, but so far, I have to admit it has worked pretty well. We have heard very little about iOS malware while Android malware appears to start steal the show from Windows malware (it got a while to go, but all the news lately appears to be about Android malware).
iOS uses a pretty simple and effective security model to fight malware: Whitelisting. All software installed on an iOS device has to be digitally signed. In order to be digitally signed, the software has to be reviewed by Apple. Only software that uses standard Apple vetted APIs is considered trustworthy to be signed, making it difficult to sneak in malicious code. If malicious software slips through, it can be recalled later.
Over the last few years, the opposite model, blacklisting (Anti Malware) has failed spectacularly. Even many desktop users now use third party whitelisting software which is usually more granular then what Apple proposes.
Apple's approach allows for essentially three different settings:
- Only allow Apple approved software (pretty much what iOS does)

- allow Apple approved software, but also allow software signed with specific additional certificates (you could use this to sign your own software. Kind of like accepting the certificate from an iOS developer for testing)

- allow all software (pretty much unlocked in iOS terms)
There are some specific limitations to Apple's approach:
- the signatures are only tested during install. If malicious software passes the install, it will not be inspected further.

- only executables are checked. A malicious PDF may still cause havoc, even if it may no longer be able to then download and install additional malware



The best part in my opinion is that the functionality was already pushed out to systems as part of the last OS X update (10.7.3). So you can already experiment with the feature and see how well it works (or doesn't work). I am running it now for a while off and on and so far, haven't experienced any ill effects, aside from it blocking me once or twice from installing software. Each time, I just disabled it temporarily (which could be considered a weakness).
The command line utility spctl can be used to enable or disable the feature. spctl --enable will enable it, spctl --disable disable it. You need to be root to run the utility.




------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The Wi-Fi Alliance will launch a program to simplify the use of Wi-Fi hotspots in July, making it easier for both users and mobile operators to get off strained cellular networks.

Got problems with insider threats? Need help securing your wireless LAN because of employees bringing their own devices on to your network? Know how to protect your Android device?

Dell's fourth-quarter earnings were weighed down by weak consumer PC sales and by pricing and supply issues caused by the floods in Thailand, Dell said on Tuesday.

Growing enterprise interest in Big Data analytics is beginning to drive partnerships between vendors of traditional relational database management technologies and purveyors of Apache Hadoop.

Apache HTTP Server CVE-2011-3639 'mod_proxy' Reverse Proxy Security Bypass Vulnerability

BYOD policy issues are a big concern for enterprises grappling to secure employee smartphones and tablets, say analysts previewing RSA 2012.

Symantec's PCAnywhere Vulnerable to Source Code Attack eWeek A researcher found that pcAnywhere's source code was relatively unchanged from 10 years ago, according to an anonymous submission to the InfoSec Institute Feb. 17. Most changes to the code over the past few years were made to ensure the software keeps ... Researcher Releases Exploit Code That Can Allegedly Crash PcAnywherePCWorld Researcher: 200000 Windows PCs vulnerable to pcAnywhere hijackingARNnet all 30 news articles »

RETIRED: LightDM '.Xauthority' Arbitrary File Access Vulnerability

LightDM 'xsession_setup()' Symlink Attack Local Privilege Escalation Vulnerability

After watching customers continually download and install one of the vendor's free, limited products from the company website, Silver Peak CEO Rick Tinsley was interested to see how they would respond to the same access to its more advanced products.

Canonical has unveiled software that will give Android smartphones the ability to run full desktop computer sessions on computer monitors and television sets.

Just months after Twitter and Google failed to reach an agreement for Realtime Search, the microblogging site has inked a deal with Russian search engine firm Yandex.

Renewed rumors that Microsoft will publish iPad editions of some of its Office applications surfaced today, with one analyst calling the move a tough decision.

Oracle has given customers running version 12.0 of its E-Business Suite software a reprieve from extended support fees, which would have kicked in this month, increasing the maintenance payments they were already making.

Intel is exploring whether it can branch out as a foundry by opening its chip manufacturing facilities to more third-party customers, the company said on Tuesday.