ISC2 Blog

The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered.  This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

Week Ending:  Friday, July 24, 2009

Infrastructure Report for 20 July 2009

Are you paying attention to the issues associated with Twitter?  No.  Perhaps you should!

 32. July 16, BBC News – (International) Twitter calls lawyer over hacking. The microblogging service Twitter is taking legal advice after hundreds of documents were hacked into and published by a number of blogs. TechCrunch has made public some of the 310 bits of material it was sent. It posted information about Twitter’s financial projections and products. “We are in touch with our legal counsel about what this theft means for Twitter, the hacker and anyone who accepts...or publishes these stolen documents,” said a co-founder of Twitter. In a blog posting he wrote that “About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. “From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.” The co-founder went on to stress that “the attack had nothing to do with any vulnerability in Google Apps.” He said this was more to do with “Twitter being in enough of a spotlight that folks who work here can be a target.” It is believed a French hacker who goes by the moniker “Hacker Croll” illegally accessed the files online by guessing staff members’ passwords. Source: http://news.bbc.co.uk/2/hi/technology/8153122.stm

Infrastructure Report for 21 July 2009

So you trust Linux.  You might want to read the following and learn more! 

40. July 17, The Register – (International) Clever attack exploits fully-patched Linux kernel. A recently published attack exploiting newer versions of the Linux kernel is getting plenty of notice because it works even when security enhancements are running and the bug is virtually impossible to detect in source code reviews. The exploit code was released on July 17 by an individual who works for grsecurity, a developer of applications that enhance the security of the open-source OS. While it targets Linux versions that have yet to be adopted by most vendors, the bug has captured the attention of security researchers, who say it exposes overlooked weaknesses. Linux developers “tried to protect against it and what this exploit shows is that even with all the protections turned to super max, it’s still possible for an attacker to figure out ways around this system,” said a senior security researcher at Immunity. “The interesting angle here is the actual thing that made it exploitable, the whole class of vulnerabilities, which is a very serious thing.” The vulnerability is located in several parts of Linux, including one that implements functions known as net/tun. Although the code correctly checks to make sure the tun variable does not point to NULL, the compiler removes the lines responsible for that inspection during optimization routines. The result: When the variable points to zero, the kernel tries to access forbidden pieces of memory, leading to a compromise of the box running the OS. Source: http://www.theregister.co.uk/2009/07/17/linux_kernel_exploit/

Infrastructure Report for 22 July 2009

You would think that Adobe applies its own fixes to its downloadable products.  Think again!

33. July 20, IDG News Service – (International) Adobe doles out bug-filled PDF Reader to users. Adobe delivers an out-of-date version of Reader to users who download the popular application from its Web site, a security company warned on July 20. The edition Adobe currently offers includes at least 14 security vulnerabilities that have been patched by the company in the last two months. Danish vulnerability tracking vendor Secunia first noticed that Adobe was offering an outdated Reader when users of its Personal Software Inspector (PSI) utility, which scans Windows PCs for unpatched applications, started complaining when the tool said they were running a vulnerable version, even though they had just downloaded the PDF viewer. “There was some confusion about Adobe Reader,” said the manager of the PSI partner program. “Users had downloaded the latest Reader, but still PSI was telling them that it was vulnerable.” At first, Secunia suspected that PSI was throwing off a “false positive,” but that was not the case. “Adobe.com ships software with known vulnerabilities,” the manager said. The version now hosted on Adobe’s Web site is Reader 9.1, an edition that was released March 10 to plug several holes, including one that had been actively exploited by hackers since at least January 9, 2009. Adobe has issued two security updates since then. The first, released May 12, patched another “zero-day” bug in Reader, while the second, issued June 9, fixed at least 13 critical flaws reported by outside researchers and secretly patched an unspecified number of bugs found by Adobe’s own security team. Computerworld confirmed that Adobe’s Web site offers Reader 9.1 to users who download the application. Adobe did not reply to a request for comment on why it posts an out-of-date edition on its site. Source: http://news.idg.no/cw/art.cfm?id=9993F159-1A64-6A71-CE634C98EC3363A7

Infrastructure Report for 23 July 2009

Running Firefox 3.0.nn rather than 3.5.n?  If so, here are some patches you need!

35. July 21, CNET News – (International) Firefox 3.0.12 patches five critical problems. Mozilla on July 21 released Firefox 3.0.12, an update to the open-source browser that fixes five critical security vulnerabilities and fixes a handful of other bugs. “We strongly recommend that all Firefox 3.0.x users upgrade to this latest release,” Mozilla said on its developer blog. “If you already have Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting ‘Check for Updates...’ from the Help menu.” Version 3.0.12 fixes five critical problems and one high-level security problem, according to the Mozilla security advisory site. Mozilla is trying to move people to the newer Firefox 3.5, which offers faster JavaScript program execution, new privacy features, and a handful of technologies geared for more powerful Web applications. And Mozilla is pushing the new browser hard. Security and stability fixes for the 3.0.x series will end in January 2010. Source: http://news.cnet.com/8301-1009_3-10292587-83.html?part=rss&tag=feed&subj=News-Security

Infrastructure Report for 24 July 2009

This is one patch that needs to be applied promptly!

30. July 23, Computerworld – (International) Adobe promises patch for seven-month old Flash flaw. Adobe Systems Inc. on July 23 admitted its Flash and Reader software have a critical vulnerability and promised it would patch both next week. One security researcher, however, said Adobe’s own bug-tracking database shows that the company has known of the vulnerability for nearly seven months. In a security advisory posted around 10 p.m. Eastern time on July 22, Adobe acknowledged that earlier reports were on target. “A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems,” the company said. The “authplay.dll” mentioned in the advisory is the interpreter that handles Flash content embedded within PDF files, and is present on any machine equipped with Reader and Acrobat. Adobe said it would patch all versions of Flash by July 30, and Reader and Acrobat for Windows and Mac no later than July 31. Until a patch is available, Adobe said users could delete or rename authplay.dll, or disable Flash rendering to stymie attacks within malformed PDF files. Adobe did not offer any similar workaround for Flash and could only recommend that “users should exercise caution in browsing untrusted websites.” Source: http://www.computerworld.com/s/article/9135826/Adobe_promises_patch_for_seven_month_old_Flash_flaw

Note:  The DHS only maintains the last ten days of their reports online.  To obtain copies of earlier reports or complete summaries, go to:

 http://dhs-daily-report.blogspot.com/