vulnerability
More on GIFARs and Other Java Smuggling
Posted 2008-08-17 16:13 by Christopher
Note: Previously I created a quick post on creating GIFAR files. This post is to expand on the topic with additional information and a new (and much improved) video.
Three vulnerabilities in PIX and ASA Appliances
Posted 2007-05-02 22:31 by Christopher
Cisco has advised about multiple vulnerabilities affecting 7.1 and 7.2 PIX and ASA firewall appliances.
The LDAP vulnerability can result in unauthenticated remote access if a 7.2 code firewall is configured for L2TP or remote management access.
The VPN vulnerabilities can result in system DoS if a version 7.1 or 7.2 firewall is configured for VPN with password expiration or SSL VPN termination.
Solaris telnet 0-day
Posted 2007-02-12 00:11 by Christopher
Update: Solaris has issued a kb document with information, and an Interim Security Relief Patch (ISR) to address this issue.
On the full-disclosure list someone has posted another 0-day, this time for Solaris 10 and the upcoming 11. Initial evidence suggests that this does not affect prior versions. The vulnerability allows a remote attacker to log in as any user without authentication. Contrary to what I've read on other sites, I have been able to confirm that this includes the ability to log in as root (on Solaris 10u1 anyway). What's even scarier is that no exploit code is required, only a telnet client.
Month of the Kernel Bugs
Posted 2006-11-02 00:04 by MarkB
The security world thought the Month of Browser Bugs (MoBB) was somewhat scary. Well, the Month of Kernel Bugs (MoKB) is upon us now, and we only thought that killing users' web browsers was bad - let's attempt to kill/exploit/smash the code that keeps the CPU hot. In all seriousness - I'm interested to see how far MoKB goes, as it will definitely make life interesting now that people could crash servers and workstations. So what will the final tally be for DoS, Remote Code Execution and/or Data Corruption?
Internet Explorer VML Vulnerability
Posted 2006-09-21 11:39 by Christopher
If you haven't been following the news, there is yet another 0-day unpatched vulnerability in Internet Explorer. There are a few differences from previous vulnerabilities:
- You can get this just by viewing an HTML email
- It is already widely exploited, as it is included in WebAttacker, a "commercial" multi-exploit kit
Here's what we know you can do to protect yourself:
When Security Hurts
Posted 2006-05-31 12:07 by Christopher
Recently, Symantec patched a vulnerability in AntiVirus Corporate Edition and Client Security which would allow a remote, unauthenticated user system-level access via a buffer overflow. Today, US-CERT published 19 vulnerabilities in Secure Elements Class 5 AVR, which include the possibility of a remote stack overflow. As Information Security professionals know, security products are only part of the security puzzle. We should implement them as tools to enforce our security controls, not as silver-bullet fixes to the security problem. This news illustrates the need to follow good security practices including defence-in-depth, proper network segmentation, and intrusion detection.
State of Insecurity
Posted 2006-05-20 17:47 by Christopher
I highly suggest reading "Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security".
It's an in-depth (and lengthy) look at the current state of security (or rather lack of security). And while I disagree with some of the ideas presented, on the whole it is a thoughtful and insightful piece.
Vulnerability stats for Microsoft and OSS
Posted 2005-12-26 20:07 by Christopher
[Note that I'm going to be revising this article in the near future, as it doesn't reflect the whole picture]
Inevitably, when discussing the merits of Open Source Software (OSS) vs. proprietary software, the (in)security of Microsoft products is brought up. I've gathered vulnerability numbers from Secunia, and did some non-scientific analysis on them.
I compared vulnerabilities in 2005 for operating systems (RedHat Advanced Server vs. Windows 2003), web browsers (Firefox 1.x vs. Internet Explorer 6), e-mail products (Thunderbird vs. Outlook 2003), databases (PostgreSQL 8 vs SQL Server 2000), and office products (OpenOffice.org 1.1 vs. Office 2003).
Microsoft December patches
Posted 2005-12-13 20:21 by Christopher
Today Microsoft has released two security patches for Microsoft Windows as follows:
| ID | Title | Severity | Impacts |
|----|-------|----------|---------|
| MS05-054 | Cumulative Security Update for Internet Explorer | Critical | 2000, XP, 2003 |
| MS05-055 | Vulnerability in Windows Kernel Could Allow Elevation of Privilege | Important | 2000 |
More on the IE 0-day exploit
Posted 2005-11-22 08:39 by Christopher
[Update 12-01: There's now a Trojan in the wild that exploits this vulnerability. Information on Delf.DH can be found at Microsoft's site. SANS ISC handler Scott Fendley suggests that we might see an out of cycle patch for this.]
[Update 11-29: Some AV vendors have updated their definitions to protect against this. In order to be protected, the AV engine must scan the content before it is executed by the browser, otherwise it's just a warning that you were 0wn3d.]
Microsoft has released a security advisory about yesterday's 0-day exploit. The advisory can be found here.
In the advisory, the only technical workaround presented involves disabling active scripting or causing the browser to prompt on active scripting. As most web pages use JavaScript, this doesn't really seem like a workable solution. Checking Microsoft Update for security patches, for example, prompts 11 times about running active content.
