Friday, May 16, 2008

United States Tax Court Spear-Phishing Attack

Newly found Vulnerabilities 05/16/08:

We are aware of public reports of a spear-phishing attack circulating via email messages that claim to be petitions from the US Tax Court. These messages appear to be legitimate because they may contain very specific information about the message recipient. The message requests that the user follow a link to download additional information about the petition, but if a user clicks on this link, malicious code may be installed on the system. We encourage users to do the following to help mitigate the risk:
Review the alert posted by the United States Tax Court regarding this issue.
Do not follow unsolicited web links received in email messages.
Install anti-virus software and keep virus signature files up to date.

http://serchez.net

Debian and Ubuntu OpenSSL and OpenSSH Vulnerabilities

Newly found Vulnerabilities 05/16/08:

Debian and Ubuntu have released multiple security advisories to address vulnerabilities in their OpenSSL package and other cryptographic application packages that rely on it. These vulnerabilities are due to weaknesses in the random number generator that is used to create SSL and SSH cryptographic keys. As a result of the vulnerability, the keys generated using the flawed OpenSSL package may be weak. Exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to conduct brute force attacks and obtain sensitive information. These vulnerabilities may affect any Debian-based systems, such as Ubuntu, and may indirectly affect other systems if these weak keys have been imported into them. We encourage users to review the following advisories and apply any necessary workarounds or updates:
Debian Security Advisory DSA-1571-1
Debian Security Advisory DSA-1576-1
Ubuntu Security Notice USN-612-1
Ubuntu Security Notice USN-612-2
Ubuntu Security Notice USN-612-3
Ubuntu Security Notice USN-612-4
Ubuntu Security Notice USN-612-5
Ubuntu Security Notice USN-612-6
Additional information about these vulnerabilities is available in the Vulnerability Notes Database.

Cisco Releases Security Advisories

Newly found Vulnerabilities 05/16/08:

Cisco has released three security advisories to address vulnerabilities in Cisco Unified Communications Manager, Unified Presence, and the Content Switching Module. These vulnerabilities may allow an attacker to cause a denial-of-service condition on the affected system. We encourage users to review the following Cisco Security Advisories and apply any necessary updates or workarounds:
Cisco Unified Communications Manager Denial of Service Vulnerabilities - cisco-sa-20080514-cucmdos
Cisco Unified Presence Denial of Service Vulnerabilities - cisco-sa-20080514-cup
Cisco Content Switching Module Memory Leak Vulnerability - cisco-sa-20080514-csm

Microsoft Releases May Security Bulletin

Newly found Vulnerabilities 05/16/08:

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Office, Live OneCare, Antigen, Windows Defender, and Forefront Security as part of the Microsoft Security Bulletin Summary for May 2008. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition. We encourage users to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Saturday, May 10, 2008

Mozilla Releases Thunderbird 2.0.0.14

Newly found Vulnerabilities 05/10/08:

Mozilla has released Thunderbird 2.0.0.14 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to escalate privileges or execute arbitrary code. We encourage users to review Mozilla Foundation Security Advisories 2008-14 and 2008-15 and to update to Thunderbird 2.0.0.14.

Microsoft Releases Advance Notification for May Security Bulletin

Newly found Vulnerabilities 05/10/08:

Microsoft has issued a Security Bulletin Advance Notification indicating that its May release cycle will contain four bulletins, three of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows and Office. The notification also states that there will be one important bulletin for Windows Live OneCare, Antigen, Defender, and Forefront Security. Release of these bulletins is scheduled for Tuesday, May 12.

Microsoft Releases Windows XP Service Pack 3

Newly found Vulnerabilities 05/10/08:

Microsoft has released Service Pack 3 for Windows XP. Service Pack 3 includes multiple Hotfixes and security updates and is available through Automatic Updates and Windows Update. Users should note that Windows XP SP3 does not include Internet Explorer 7; however, it does include updates to both IE 6 and IE 7, and will update whichever version is currently installed. We encourage users to review the release notes for Service Pack 3 for Windows XP and apply any necessary updates.

Tuesday, May 6, 2008

PHP 5.2.6 Released

Newly found Vulnerabilities 05/06/08:

PHP has released version 5.2.6 to address multiple vulnerabilities. These vulnerabilities include:
an error in the FastCGI SAPI which may result in a stack-based buffer overflow
an integer overflow in printf()
an error in init_request_info(), which may result in a buffer overflow
an error in cURL, which may result in a safe_mode bypass
improper handling of input passed to escapeshellcmd()
a boundary error in the bundled version of the PCRE library
These vulnerabilities may allow an attacker to execute arbitrary code, bypass security restrictions, or cause a denial-of-service condition. We encourage users to review the PHP 5.2.6 Release Announcement and update to version 5.2.6.

Common Data Format Buffer Overflow Vulnerability

Newly found Vulnerabilities 05/06/08:

NASA has issued an advisory regarding a vulnerability in Common Data Format (CDF) version 3.2 and earlier. This vulnerability is due to a buffer overflow condition in the handling of specially-crafted CDF files. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. We encourage users to review the NASA advisory and update to CDF 3.2.1 to help mitigate the risk.

Tuesday, April 29, 2008

WordPress Vulnerabilities

Newly found Vulnerabilities 04/29/08:

WordPress has released version 2.5.1 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to bypass security restrictions or conduct a cross-site scripting attack. We encourage users to review the WordPress 2.5.1 release notes and apply any necessary updates.

Saturday, April 26, 2008

Compromised Websites Hosting Malicious JavaScript

Newly found Vulnerabilities 04/26/08:

We are following reports of SQL injection attacks that have compromised a large number of legitimate websites. The compromised websites contain injected JavaScript that attempts to exploit multiple, known vulnerabilities. Users who visit a compromised website may unknowingly execute malicious code. We encourage users to do the following to help mitigate the risks of this and similar attacks:
Regularly apply software updates and patches provided by vendors.
Disable JavaScript and

HP Software Update Vulnerabilities

Newly found Vulnerabilities 04/26/08:

We are aware of reports of multiple vulnerabilities affecting HP Software Update. These vulnerabilities are due to insecure methods in multiple ActiveX controls. Exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code or view or modify sensitive information. We encourage users to do the following to help mitigate the risks:
Review the HP Support document and update to HP Software Update v4.000.010.008.
Set the kill bit for the CLSIDs listed in the HP Support document.
Disable ActiveX as described

Thursday, April 24, 2008

IRS Rebate Phishing Scam

Newly found Vulnerabilities 04/24/08:

We are aware of a public report indicating that a phishing scam is circulating. This scam is related to the U.S. Internal Revenue Service economic stimulus rebate and arrives via email messages that appear to be from the IRS. The messages include text that attempts to convince users to follow a link to a website before a deadline to expedite the rebate process. This website requests that the user provide bank account information. We encourage users to do the following to help mitigate the risks:
Do not follow unsolicited web links received in email messages.

Wednesday, April 23, 2008

Apple Quicktime Vulnerability Report

Newly found Vulnerabilities 04/23/08:

We are aware of a public report of a new vulnerability in Apple QuickTime. The report indicates that if a user opens a specially crafted QuickTime file, an attacker may be able to execute arbitrary code. This vulnerability may have several attack vectors, such as visiting a malicious or compromised website. We encourage users to use caution when opening QuickTime files.

Tuesday, April 22, 2008

ICQ Vulnerability

Newly found Vulnerabilities 04/22/08:

We are aware of public reports of a vulnerability in ICQ 6. This vulnerability is due to a heap buffer overflow condition in the Personal Status Manager feature that occurs when processing specially crafted status messages. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. We encourage users to update to ICQ 6.0.0.6059 to help mitigate the risks.

Saturday, April 19, 2008

Rootkit

By: Serafin Sanchez (04/14/08)
A rootkit is a program or combination of several programs designed to take fundamental control (in Unix terms, root access; in Windows terms, Administrator access) of a computer system, without authorization by the system owners. Access to the hardware is rarely required, as a rootkit is intended to seize control of the operating system running on the hardware. Typically, rootkits act to obscure their presence on the system through subversion or evasion of standard operating system security mechanisms. They are often also Trojans, fooling users into believing they are safe to run on their systems. Techniques used to accomplish this can include concealing running processes from monitoring programs, or hiding files or system data from the operating system.
Rootkits may have originated as regular, though emergency, applications, intended to take control of an unresponsive system, but in recent years have been largely malware to help intruders gain access to systems while avoiding detection. Rootkits exist for a variety of operating systems, such as Microsoft Windows, Mac OS X, Linux and Solaris. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules, depending on the internal details of an operating system's mechanisms.
The term rootkit or root kit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system. If an intruder could replace the standard administrative tools on a system with a rootkit, the modified tools would give the intruder administrative control over the system while concealing his activities from the legitimate system administrator. Rootkits were so named because they allowed an intruder to become a root user (system administrator) of a Unix system.
A successfully installed rootkit allows unauthorized users to act as system administrators, and thus to take full control of the rootkitted system. Secondary to this purpose, most rootkits typically hide files, network connections, blocks of memory, or registry entries on Windows systems from other programs used by system administrators to detect specially privileged accesses to computer system resources. However, a rootkit may masquerade as or be intertwined with other files, programs, or libraries with other purposes. It is important to note that while the utilities bundled with a rootkit may be maliciously intended, not every rootkit is always malicious. Rootkits may be used for both productive and destructive purposes.
Types
There are at least five kinds of rootkits: firmware, virtualized, kernel, library, and application level kits.
Firmware - A firmware rootkit uses device or platform firmware to create a persistent malware image. The rootkit can successfully hide in firmware because firmware is not often inspected for code integrity. John Heasman demonstrated the viability of firmware rootkits in both ACPI firmware routines and in a PCI expansion card ROM.
Virtualized - These rootkits work by modifying the boot sequence of the machine to load themselves instead of the original operating system. Once loaded into memory, a virtualized rootkit then loads the original operating system as a Virtual Machine, thereby enabling the rootkit to intercept all hardware calls made by the guest OS. The SubVirt laboratory rootkit, developed jointly by Microsoft and University of Michigan researchers, is one example of a Virtual Machine based rootkit (VMBR); Blue Pill is another.
Kernel level - Kernel level rootkits add code to and/or replace portions of an operating system, including both the kernel and associated device drivers. Most operating systems don't enforce any security distinctions between the kernel and device drivers. As such, many kernel mode rootkits are developed as device drivers or loadable modules, such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. This class of rootkit is perceived as dangerous simply because of the unrestricted security access the code has obtained, regardless of the features the rootkit may employ. Any code operating at the kernel level may have serious impacts on entire system stability if mistakes are present in the code. The first and original rootkits did not operate at the kernel level, but were simple replacements of standard programs at the user level. Although traditionally security advances were made first on Unix systems, the first kernel rootkit was developed for Windows NT 4.0 and released in the mid-1990s by Greg Hoglund.
Kernel rootkits can be especially dangerous because they can be difficult to detect: they operate at the same level as the operating system, so they can modify or subvert any request made by software on the running system. In a situation such as this, the system itself cannot be trusted. An accepted proper response in such a case is to perform system analysis offline using a second 'trusted' system and mounting the hard drive of the infected system as a resource.
Library level - Library rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker. They can be found, at least theoretically, by examining code libraries (under Windows the term is usually DLL) for changes, or by comparing them against the originally distributed (and so presumably rootkit-free) library package. In practice, the variety of modified libraries distributed with applications and Service Packs makes this harder than it should be.
Application level - Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means.
Rootkit binaries can often be detected by signature- or heuristics-based antivirus programs, at least until they're run by a user and are able to attempt to conceal themselves. There are inherent limitations for any program that attempts to detect rootkits while the program is running under the suspect system. Rootkits are suites of programs that modify many of the tools and libraries upon which all programs on the system depend. Some rootkits attempt to modify the running kernel via loadable modules on Linux, and through VxDs, virtual external drivers, on MS Windows platforms. The fundamental problem with rootkit detection is that if the operating system currently running has been subverted, it cannot be trusted, including to find unauthorized modifications to itself or its components. In other words, actions such as requesting a list of all running processes, or a list of all files in a directory, cannot be trusted to behave as intended by the original designers. Rootkit detectors running on live systems currently only work because the rootkits they can detect have not yet been developed to hide themselves fully.
The best, and most reliable, method for rootkit detection is to shut down the computer suspected of infection, and then check its storage by booting from an alternative medium (a rescue CD-ROM or USB flash drive). A non-running rootkit cannot (ideally) hide its presence, and most established antivirus programs will identify rootkits armed via standard OS calls (which are often tampered with by the rootkit) and lower level queries, which ought to remain reliable. If there is a difference, the presence of a rootkit infection should be assumed. Running rootkits attempt to protect themselves by monitoring running processes and suspending their activity until the scanning has finished; this is more difficult if the rootkit is not allowed to run.
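The "difference between standard OS calls and lower level queries" idea above is the basis of cross-view detection on a live Linux system: enumerate tasks through the high-level path a rootkit usually hooks (listing /proc, which ps and top rely on) and again through a low-level path it usually does not (asking the kernel with kill(pid, 0) whether each ID exists), then treat any ID present in the second view but absent from the first as suspect. The following script is an added example, not code from the original post; it assumes a Linux host, uses only the standard library, and ignores any ID above pid_max.

```python
import os

PROC = "/proc"


def listed_tasks(proc=PROC):
    """High-level view: every PID and thread ID that a directory listing of
    /proc reports. This is what ps/top use and what a readdir-hooking rootkit
    filters. Thread IDs are included because kill() also resolves them."""
    tasks = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        tasks.add(int(name))
        try:
            tasks.update(int(t) for t in os.listdir(f"{proc}/{name}/task"))
        except OSError:
            pass  # task exited between the two listings
    return tasks


def probed_tasks(max_pid):
    """Low-level view: IDs that exist according to kill(pid, 0), which checks
    existence without delivering a signal and never consults /proc."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # ESRCH: no task with this ID
        except PermissionError:
            pass      # EPERM: exists, but belongs to another user
        alive.add(pid)
    return alive


def hidden_tasks(max_pid=None, proc=PROC):
    """Cross-view check: IDs the kernel confirms but /proc does not list.
    /proc is listed before and after the probe so that tasks that start or
    exit mid-scan are not reported as hidden."""
    if max_pid is None:
        with open(f"{proc}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    before = listed_tasks(proc)
    probed = probed_tasks(max_pid)
    after = listed_tasks(proc)
    return probed - before - after


def self_check():
    """Sanity check of the scanner on its own process: it must appear in both
    views and must not be reported as hidden."""
    me = os.getpid()
    return (me in listed_tasks() and me in probed_tasks(me)
            and me not in hidden_tasks(max_pid=me))


if __name__ == "__main__":
    found = hidden_tasks()
    print("hidden task ids:", sorted(found) if found else "none")
```

Run it as root: on hosts that mount /proc with hidepid, other users' processes are deliberately unlisted and would otherwise show up as false positives. A non-empty result is a reason for the offline analysis described above, not proof of infection by itself.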

Friday, April 18, 2008

Microsoft Releases Security Advisory 951306

Newly found Vulnerabilities 04/18/08:

Microsoft has released a Security Advisory to address a vulnerability in Windows. This vulnerability may allow an authenticated attacker to execute code with LocalSystem privileges. We encourage users to review Microsoft Security Advisory 951306 and apply the workarounds.

Thursday, April 17, 2008

Mozilla Releases Firefox 2.0.0.14

Newly found Vulnerabilities 04/18/08:

Mozilla has released Firefox 2.0.0.14 to address a vulnerability in the JavaScript engine. This vulnerability is due to memory corruption errors during JavaScript garbage collection. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Products that use the Mozilla rendering engine, such as Thunderbird and SeaMonkey, may also be affected. We encourage users to review Mozilla Foundation Security Advisory 2008-20 and apply any necessary updates or workarounds.

Apple Releases Safari 3.1.1

Newly found Vulnerabilities 04/18/08:

Apple has released Safari 3.1.1 to address multiple vulnerabilities in Safari and WebKit. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct cross-site scripting attacks, or spoof the contents of the browser address bar. We encourage users to review Apple's About the security content of Safari 3.1.1 document and upgrade to Safari 3.1.1 to help mitigate the risks.

Wednesday, April 16, 2008

Federal Subpoena Spear-Phishing Attack

Newly found Vulnerabilities 04/17/08:

We are aware of public reports of a spear-phishing attack circulating via email messages that claim to be federal subpoenas. These messages appear to be legitimate because they can contain very specific information about the message recipient. The message requests that the user follow a link to download additional information about the case, but if a user clicks on this link, malicious code may be installed on the system. We encourage users to do the following to help mitigate the risk:
Review the alert posted by the U.S. Courts regarding this issue.
Do not follow unsolicited web links received in email messages.
Install anti-virus software and keep virus signature files up to date.