Stray Thoughts...

First iPhone worm discovered

hirantha — Mon, 09 Nov 2009 06:19:46 -0600

Apple iPhone owners in Australia have reported that their smart phones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.

The worm, which could have spread to other countries although there are no confirmed reports outside Australia, is capable of breaking into jail broken iPhones if their owners have not changed the default password after installing SSH. Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again

On each installation, the worm - written by a hacker calling themselves "ikex" - changes the lock background wallpaper to an image of Rick Astley with the message:

ikee is never going to give you up

What's clear is that if you have jail broken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, "alpine". In fact, it would be a good idea if you didn't use a dictionary word at all.

The worm will not affect users who have not jail broken their iPhones or who have not installed SSH.

SophosLabs is analyzing the worm's code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labeled the "D" version) is that it tries to hide its presence by using a file path suggestive of the Cydia application.

Presently it appears that the worm does nothing more malicious than spread and change the infected user's lock screen wallpaper. However, that doesn't mean that attacks like this can be considered harmless.

TLS Man-in-the-middle on renegotiation vulnerability made public

hirantha — Fri, 06 Nov 2009 07:32:42 -0600

TLS 1.0+ and SSL 3.0+ (known from among others "https") is vulnerable to a protocol weakness where a man in the middle attack could be worked in during the renegotiation phase in modern versions of the protocol.

While the details had been offered in a meeting with the IETF, vendors and the open source implementers of SSL privately, it appears an IETF mailing list came to finding it again. That seems to have prompted the original finders to offer up their finding publicly.

There does not seem to be much you can do till the protocol is fixed. The main problem seems to be with clients using certificate authentication.

Exploiting this requires the attacker to be able to intercept the traffic.

RIM fixes random code execution vulnerability

hirantha — Fri, 06 Nov 2009 07:28:36 -0600

Affected: BlackBerry Desktop Software version 5.0 and earlier (on all platforms) - IBM Lotus Notes Intellisync

Fixed in version 5.01

CVSS score: 9.3

CVE-2009-0306

More info: KB19701

The KB contains a workaround for those not needing the Lotus Notes Intellisync functionality.

New VMware Desktop Products Released

hirantha — Wed, 28 Oct 2009 06:21:00 -0600

VMware Fusion 3.0 gone from Release Candidate to General Availability, so as VMware Workstation 7.0 and VMware ACE 2.6

New features

Nested VMs. This allows you to run ESX with guests inside of workstation
support for Windows7 (and it's associated new graphics APIs) and Windows Server 2008.
support for VMs with up to 4 processors and 32GB of memory
ALSA sound support for Linux
new "pause" feature, allowing you to pause a VM if you need some temporary processor power for your host or another VM
a new Virtual Network Editor

More Info

http://www.vmware.com/company/news/releases/fusion3-preorder.html
http://blogs.vmware.com/workstation/2009/10/workstation-7-release-candidate-available.html

Truecrypt 6.3 released

hirantha — Mon, 26 Oct 2009 13:15:00 -0600

from their version history notes:

Full support for Windows 7.
Full support for Mac OS X 10.6 Snow Leopard.
The ability to configure selected volumes as 'system favorite volumes'.

TrueCrypt is a software system for establishing and maintaining an on-the-fly-encrypted volume (data storage device).

More information here: http://www.truecrypt.org/docs/?s=version-history

Oracle Critical Patch Update Advisory - October 2009

hirantha — Tue, 20 Oct 2009 15:20:00 -0600

There are lots of vulnerabilities DBAs must act upon ASAP, although it "only" addresses 38 vulnerabilities...

16 fixes address flaws in the Oracle database (six can be exploited remotely without user interaction)
3 fixes address flaws in the Oracle Application Server (two can be exploited remotely without user interaction)
8 fixes address flaws in the Oracle Applications Suite (five can be exploited remotely without user interaction)

More (advance) information in the pre-release announcement : http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html

Cisco over-the-air-provisioning skyjacking exploit

hirantha — Thu, 27 Aug 2009 15:44:00 -0600

Cisco issued a security advisory for its 1100 and 1200 Series access lightweight points. The advisory is based on work done by wifi IDS firm AirMagnet. Cisco uses an Over-The-Air-Provisioning (OTAP) protocol that uses multicast data to find a controller. During this initialization phase, a rogue controller could respond and send a bad configuration to the access point, disabling the device.

Cisco provides an advisory here: http://tools.cisco.com/security/center/viewAlert.x?alertId=18919 .

The quick summary: Establish basic configuration options like encryption keys and preferred controller lists before deploying the device.

Vulnerability in Pidgin

hirantha — Mon, 24 Aug 2009 10:00:00 -0600

CORE security technologies published a vulnerability in libpurple. Libpurple is the backend frame work to many Instant Messenger clients.

Pidgin, Finch, Adium, Meebo, and Gaim among others. Although CORE only specifically mentions GAIM, Libpurple, Pidgin, and Adium specifically, the other libpurple based ones may be vulnerable as well.

Versions of Libpurple <= 2.5.8 (Pidgin <=2.5.8 and Adium <=1.3.5) are vulnerable. The vulnerability is an exploit in the function msn_slplink_process_msg() which handles instant messages from the MSN network.

All it takes to exploit this vulnerability is to receive a message from another MSN user. They do not have to be on your buddy list. Unless your buddy list states that you only allow specific users to contact you, it's the only mitigation step. (Other than patching or logging off of the MSN network.)

Solution:

Upgrade to a version of your respective IM client that is based off of pidgin. Non vulnerable versions of Libpurple are >=2.5.9.

Updates to VMWare Products

hirantha — Mon, 24 Aug 2009 09:04:00 -0600

VMware has released the following new security advisory, VMSA-2009-0010

This advisory results in updates to

VMware Workstation
VMware Player
VMware ACE

Thunderbird Version 2.0.0.23 released

hirantha — Mon, 24 Aug 2009 09:01:00 -0600

A new version of Thunderbird, version 2.0.0.23, is available. Thus update fixes MFSA 2009-42 (Compromise of SSL-protected communication).

If you are a Thunderbird user, it is probably best to apply this update as soon as convenient.

Note that, It appears this update, which affects multiple Mozilla products, has changed the rules for security certificates generated with wildcards. More information is available at the Fourmilab Blog.

Microsoft Windows SDK for Windows 7 and .NET Framework 3.5 SP1

hirantha — Thu, 20 Aug 2009 06:30:00 -0600

The Windows SDK for Windows 7 and .NET Framework 3.5 SP1 provides the documentation, samples, header files, libraries, and tools (including C++ compilers) that you need to develop applications to run on Windows 7 and the .NET Framework 3.5 SP1. To build and run .NET Framework applications, you must have the corresponding version of the .NET Framework installed. This SDK is compatible with Visual Studio® 2008, including Visual Studio Express Editions, which are available free of charge.

Please see the Release Notes for the full list of supported platforms, compilers, and Visual Studio versions and any late breaking issues. For detailed information about the content in this SDK, including a description of new content, please see the Getting Started section in the documentation.

Download at Microsoft Download

Firefox 3.5 new exploit

hirantha — Thu, 16 Jul 2009 10:26:00 -0600

The Mozilla security blog confirms an exploit against an unpatched vulnerability Firefox 3.5 exists and has been made public.

Do note that Heisse tried to confirm the vulnerability and only managed a crash on Vista and can't seem to make it work on Windows 7 RC1
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761

The mozilla blog above has a workaround by temporary disabling the javascript.options.jit.content setting in about:config

Alternatively one could install and use NoSCript to disable all javascript by default.

New VMWare Security Advisory

hirantha — Thu, 02 Jul 2009 08:30:00 -0600

VMWare released a new security advisory about a vulnerability in the krb5 (Kerberos) package. The vulnerability allows a remote attacker to cause a DoS or potentially execute arbitrary code on the ESX server.

According to the advisory available at http://lists.vmware.com/pipermail/security-announce/2009/000059.html all ESX versions are affected (ESXi is not affected), however, the Kerberos package is not installed by default.

Microsoft Security Essentials BETA (Morro)

hirantha — Tue, 23 Jun 2009 10:17:00 -0600

This beta is available only to customers in the United States, Israel (English only), People's Republic of China (Simplified Chinese only) and Brazil (Brazilian Portuguese only).Please visit the more information page to learn more about system requirements, our End User License Agreement and other important information.

To get the beta, just click here or on the button on the top of this page. This will take you to Microsoft Connect where you'll answer a few questions and then be able to download the Security Essentials beta.

http://www.microsoft.com/security_essentials/

Web Of Trust – Browser add-on

hirantha — Thu, 18 Jun 2009 14:59:00 -0600

WOT stands for Web Of Trust, it is a community knowledge based system where information on websites are shared. After installing the add-on, the links from search engines are tagged with extra symbols showing whether the site's "reputation" level. Very simple to understand, red means potentially bad site and green means good site.

WOT is available for both Firefox and IE . If you choose to use it, remember to contribute back to the project back by helping to rate sites as you visit them.