2011 Issue #8 | ScoutNews
Product Focus
Apache Chunked Vulnerability Scanner - The S4 Apache Chunked Vulnerability Scanner is a free utility made by SecureScout that will scan up to 256 IP addresses at once to assess if any are vulnerable to the Apache Chunked Encoding buffer overflow.
Download here: http://www.netvigilance.com/productdownloads?productname=apachechunkedvulnerabilityscanner
This Week in Review
Online banking under attack again. How to market security internally. Libya's internet severely disrupted. US Movement against government powers to shut down internet.
Enjoy reading & Stay safe.
Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or sales@netVigilance.com
Top Security News Stories this Week
• Trojan steals session IDs, bypasses logout requests
A new banking trojan targeting U.S. customers has the ability to keep online account sessions open after customers believe they have logged off, enabling criminals to surreptitiously steal money, according to researchers at web security firm Trusteer.
Eastern European cybercrooks are using the trojan, dubbed "OddJob" by researchers, to attack banking customers in the United States, Poland and Denmark, Amit Klein, CTO of Trusteer, told SCMagazineUS.com on Tuesday.
The malware is designed to hijack a victim's online banking session using their session ID tokens - unique identifiers assigned to a user who has logged into a website, he said. But perhaps the most dangerous aspect of OddJob is that it can bypass a user's logout request, allowing fraudsters to remain connected even after a user believes they have successfully logged out.
SC Magazine
Full Story: http://www.scmagazineus.com/trojan-steals-session-ids-bypasses-logout-requests/article/196816/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
• How to market IT security to gain influence
CSO - What defines IT marketing? It's the business activity of presenting IT products, services, and capabilities to constituents in a way that makes them eager to fund and utilize. While many security groups focus their communication activities on end user activity awareness, they have stopped short of planning for the fundamental activity of presenting their products, services, and capabilities to their key stakeholders. There are many reasons given for missing this critical step, such as attitudes of security professionals, lack of business acumen to develop effective marketing and communications strategies, and the ever present too-much-work reason. But as security decision-makers report higher into the organization and take on more responsibility, it will be more essential than ever to have an effective marketing and advocacy plan in place.
Security marketing should be much more than just end user security awareness. Why? In order to evolve the security organization from a reactive silo of technical expertise, to a proactive business partner and enabler, stakeholders will need to be reeducated about the role and value of security, and CISOs will need to establish their own personal credibility as a C-level executive who deserves a say in strategic decision-making. Without effective internal marketing, security efforts will go unrecognized and critical initiatives will fail. For example, one security manager I recently spoke with presented an organizational-level security strategy to the CIO in the hopes of obtaining further resources and funding. But the CIO responded: "Don't you just do backups and viruses? Why do you need more resources?" This CIO actually had no idea that the security team was responsible for security risk management, project consulting and advisory, security strategy, and other nontechnical strategic security activities.
Computerworld
Full Story: http://www.computerworld.com/s/article/9210761/How_to_market_IT_security_to_gain_influence?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F17+%28Computerworld+Security+News%29
• Libya's Internet hit with severe disruptions
Internet traffic in Libya has plummeted to a fraction of what's normal.
(Credit: Arbor Networks)
Libya's Internet links have been severely disrupted as chaos spreads across the country, with a defiant Col. Moammar Gadhafi today vowing to die a "martyr" rather than relinquish his grip on power.
As reports describe portions of Libya as a "war zone," and the country's deputy U.N. ambassador is saying "genocide" is under way, inbound and outbound Internet traffic has plummeted to a fraction of what's normal. Over the weekend, traffic appeared to be following a "curfew" pattern, with more restrictions imposed in the evenings, and YouTube is now almost entirely unreachable while Facebook is blocked.
Cnet Security
Full Story: http://news.cnet.com/8301-31921_3-20035079-281.html?part=rss&subj=news&tag=2547-1_3-0-20
• Updated cybersecurity bill draws continued criticism
In light of the former Egyptian regime's move to cut off internet access as a means to silence protesters, critics of a U.S. Senate proposal worry it would give the president the same type of authority in the United States, even in the legislation's revised form.
The Cybersecurity and Internet Freedom Act, introduced last week by Sens. Joe Lieberman, I-Conn.; Susan Collins, R-Maine; and Tom Carper, D-Del, aims to secure the nation's most sensitive critical cyber infrastructures.
The legislation is a revised version of a highly contested bill first introduced last year as The Protecting Cyberspace as a National Asset Act of 2010. The original bill drew harsh criticism for a provision that critics said would give the president kill-switch-like power to shut down the internet.
SC Magazine
Full Story: http://www.scmagazineus.com/updated-cybersecurity-bill-draws-continued-criticism/article/196918/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29
• As violence escalates, Libya cuts off the Internet
IDG News Service - With violence escalating, Libya is pulling the plug on its Internet connection.
Libya's main Internet service provider, General Post and Telecommunications Company, began to cut Internet access on Friday, said Earl Zmijewski, general manager with Internet monitoring company Renesys. "They started pulling the plug around 23:18 UTC today and are currently largely off the air," he said via e-mail. That was 1:18 a.m. Saturday, local time.
Libya appears to be taking its cue from Egypt, which cut off all Internet access at the end of January as it was roiled by street protests calling for political reform.
Computerworld
Full Story: http://www.computerworld.com/s/article/9210439/As_violence_escalates_Libya_cuts_off_the_Internet?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fs%2Ffeed%2Ftopic%2F17+%28Computerworld+Security+News%29
New Vulnerabilities Tested in SecureScout
• 14619 Adobe Acrobat / Reader library-loading vulnerability (CVE-2011-0562) (Remote File Checking)
Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2011-0570 and CVE-2011-0588.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: Medium
References:
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
* BID: 46252 http://www.securityfocus.com/bid/46252
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
CVE Reference: CVE-2011-0562 (cve.mitre.org, nvd.nist.gov)
• 14620 Adobe Acrobat / Reader memory corruption vulnerability (CVE-2011-0563) (Remote File Checking)
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-0589 and CVE-2011-0606.
Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: High
References:
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
* BID: 46187 http://www.securityfocus.com/bid/46187
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
CVE Reference: CVE-2011-0563 (cve.mitre.org, nvd.nist.gov)
• 14621 Adobe Acrobat / Reader file permissions issue (CVE-2011-0564) (Remote File Checking)
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows use weak permissions for unspecified files, which allows attackers to gain privileges via unknown vectors.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High
References:
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
* BID: 46257 http://www.securityfocus.com/bid/46257
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
CVE Reference: CVE-2011-0564 (cve.mitre.org, nvd.nist.gov)
• 14622 Adobe Acrobat / Reader arbitrary code execution vulnerability (CVE-2011-0565) (Remote File Checking)
Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0585.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High
References:
* BID: 46204 http://www.securityfocus.com/bid/46204
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
CVE Reference: CVE-2011-0565 (cve.mitre.org, nvd.nist.gov)
• 14623 Adobe Acrobat / Reader image-parsing memory corruption vulnerability (CVE-2011-0566) (Remote File Checking)
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image, a different vulnerability than CVE-2011-0567 and CVE-2011-0603.
Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: High
References:
* BID: 46198 http://www.securityfocus.com/bid/46198
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
CVE Reference: CVE-2011-0566 (cve.mitre.org, nvd.nist.gov)
• 14624 Adobe Acrobat / Reader image-parsing memory corruption vulnerability (CVE-2011-0567) (Remote File Checking)
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image, a different vulnerability than CVE-2011-0566 and CVE-2011-0603.
Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: High
References:
* BID: 46199 http://www.securityfocus.com/bid/46199
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
CVE Reference: CVE-2011-0567 (cve.mitre.org, nvd.nist.gov)
• 14625 Adobe Acrobat / Reader library-loading vulnerability (CVE-2011-0570) (Remote File Checking)
Untrusted search path vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2011-0562 and CVE-2011-0588.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: Medium
References:
* BID: 46255 http://www.securityfocus.com/bid/46255
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
CVE Reference: CVE-2011-0570 (cve.mitre.org, nvd.nist.gov)
• 14626 Adobe Acrobat / Reader arbitrary code execution vulnerability (CVE-2011-0585) (Remote File Checking)
Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0565.
Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: High
References:
* BID: 46207 http://www.securityfocus.com/bid/46207
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
CVE Reference: CVE-2011-0585 (cve.mitre.org, nvd.nist.gov)
• 14627 Adobe Acrobat / Reader input validation vulnerability (CVE-2011-0586) (Remote File Checking)
Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0565.
Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: High
References:
* BID: 46214 http://www.securityfocus.com/bid/46214
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
CVE Reference: CVE-2011-0586 (cve.mitre.org, nvd.nist.gov)
• 14628 Adobe Acrobat / Reader input validation vulnerability (CVE-2011-0587) (Remote File Checking)
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-0604.
Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: Medium
References:
* BID: 46251 http://www.securityfocus.com/bid/46251
* SECTRACK: 1025033 http://securitytracker.com/id/1025033
* CONFIRM: http://www.adobe.com/support/security/bulletins/apsb11-03.html
* VUPEN: ADV-2011-0337 http://www.vupen.com/english/advisories/2011/0337
CVE Reference: CVE-2011-0587 (cve.mitre.org, nvd.nist.gov)
New Vulnerabilities found this Week
• CVE-2011-1068    Microsoft    CVSS 2.0 Score = 2.6
Microsoft Windows Azure Software Development Kit (SDK) 1.3.x before 1.3.20121.1237, when Full IIS and a Web Role are used with an ASP.NET application, does not properly support the use of cookies for maintaining state, which allows remote attackers to obtain potentially sensitive information by reading an encrypted cookie and performing unspecified other steps.
Test Case Impact: Vulnerability Impact: Risk: Low
References:
CONFIRM: http://blogs.msdn.com/b/windowsazure/archive/2011/02/03/windows-azure-software-development-kit-sdk-refresh-released.aspx
SECUNIA: http://secunia.com/advisories/43237
CVE Reference: CVE-2011-1068
• CVE-2011-1045    IBM    CVSS 2.0 Score = 6.8
Unspecified vulnerability in the Rendition Engine (aka P8RE) 4.0.1 through 4.5.1 in IBM FileNet P8 Content Manager (CM) allows remote attackers to gain privileges via unknown vectors.
Test Case Impact: Vulnerability Impact: Risk: Medium
References:
XF: http://xforce.iss.net/xforce/xfdb/65417
VUPEN: http://www.vupen.com/english/advisories/2011/0406
BID: http://www.securityfocus.com/bid/46424
CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=swg21462440
SECUNIA: http://secunia.com/advisories/43321
CVE Reference: CVE-2011-1045
• CVE-2011-1046    IBM    CVSS 2.0 Score = 5.0
IBM FileNet P8 Content Engine (aka P8CE) 4.0.1 through 5.0.0, as used in FileNet P8 Content Manager (CM) and FileNet P8 Business Process Manager (BPM), does not require the PRIVILEGED_WRITE access role for all intended Object Store modifications, which allows remote attackers to change a privileged property of an object via unspecified vectors.
Test Case Impact: Vulnerability Impact: Risk: Medium
References:
XF: http://xforce.iss.net/xforce/xfdb/65448
VUPEN: http://www.vupen.com/english/advisories/2011/0423
BID: http://www.securityfocus.com/bid/46432
CONFIRM: http://www-01.ibm.com/support/docview.wss?uid=swg21462438
SECUNIA: http://secunia.com/advisories/43347
CVE Reference: CVE-2011-1046
• CVE-2011-1038    IBM    CVSS 2.0 Score = 4.3
Multiple cross-site scripting (XSS) vulnerabilities in stconf.nsf in the server in IBM Lotus Sametime 8.0.1 allow remote attackers to inject arbitrary web script or HTML via (1) the messageString parameter in a WebMessage action or (2) the PATH_INFO.
Test Case Impact: Vulnerability Impact: Risk: Medium
References:
BID: http://www.securityfocus.com/bid/46471
BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/516563/100/0/threaded
CVE Reference: CVE-2011-1038
• CVE-2011-0694    RealNetworks    CVSS 2.0 Score = 9.3
RealNetworks RealPlayer 11.0 through 11.1, SP 1.0 through 1.1.5, and 14.0.0 through 14.0.1, and Enterprise 2.0 through 2.1.4, uses predictable names for temporary files, which allows remote attackers to conduct cross-domain scripting attacks and execute arbitrary code via the OpenURLinPlayerBrowser function.
Test Case Impact: Vulnerability Impact: Risk: High
References:
MISC: http://www.zerodayinitiative.com/advisories/ZDI-11-076
SECTRACK: http://www.securitytracker.com/id?1025058
BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/516318/100/0/threaded
CONFIRM: http://service.real.com/realplayer/security/02082011_player/en/
SECUNIA: http://secunia.com/advisories/43268
OSVDB: http://osvdb.org/70849
CONFIRM: http://docs.real.com/docs/security/SecurityUpdate020811RPE.pdf
CVE Reference: CVE-2011-0694
• CVE-2011-1059    Apple    CVSS 2.0 Score = 6.8
Use-after-free vulnerability in WebCore in WebKit before r77705, as used in Google Chrome before 11.0.672.2 and other products, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via vectors that entice a user to resubmit a form, related to improper handling of provisional items by the HistoryController component, aka rdar problem 8938557.
Test Case Impact: Vulnerability Impact: Risk: Medium
References:
CONFIRM: https://bugs.webkit.org/show_bug.cgi?id=52819
CONFIRM: http://trac.webkit.org/changeset/77705
CONFIRM: http://code.google.com/p/chromium/issues/detail?id=70315
CONFIRM: http://googlechromereleases.blogspot.com/2011/02/dev-channel-update_17.html
CVE Reference: CVE-2011-1059
• CVE-2011-0999    Linux    CVSS 2.0 Score = 4.9
mm/huge_memory.c in the Linux kernel before 2.6.38-rc5 does not prevent creation of a transparent huge page (THP) during the existence of a temporary stack for an exec system call, which allows local users to cause a denial of service (memory consumption) or possibly have unspecified other impact via a crafted application.
Test Case Impact: Vulnerability Impact: Risk: Medium
References:
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=678209
MLIST: http://openwall.com/lists/oss-security/2011/02/17/6
MLIST: http://openwall.com/lists/oss-security/2011/02/17/3
CONFIRM: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a7d6e4ecdb7648478ddec76d30d87d03d6e22b31
BID: http://www.securityfocus.com/bid/46442
CONFIRM: http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.38-rc5
CVE Reference: CVE-2011-0999
• CVE-2011-0019    redhat    CVSS 2.0 Score = 7.5
slapd (aka ns-slapd) in 389 Directory Server 1.2.7.5 (aka Red Hat Directory Server 8.2.x or dirsrv) does not properly handle simple paged result searches, which allows remote attackers to cause a denial of service (daemon crash) or possibly have unspecified other impact via multiple search requests.
Test Case Impact: Vulnerability Impact: Risk: High
References:
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=670914
CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=666076
BID: http://www.securityfocus.com/bid/46489
REDHAT: http://www.redhat.com/support/errata/RHSA-2011-0293.html
CVE Reference: CVE-2011-0019
Vulnerability Resource
Check out this compendium of links and up-to-the-minute information about network security issues.
Their claim to be the 'security portal for information system security professionals' is well founded.
http://www.infosyssec.org/infosyssec/
Thank You
Thanks for sifting through another great edition of the ScoutNews. We hope we captured a flavor for the week and gave you just enough information on newly found vulnerabilities to keep you up-to-date. To subscribe or unsubscribe, contact us at ScoutNews@netVigilance.com
About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.
For any inquiry about SecureScout:
Customers in America and Northern Europe, contact us at info@netVigilance.com
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, Middle East, Africa and Asia/Pacific, contact NexantiS at info-scanner@securescout.net