SANS ISC: InfoSec Handlers Diary Blog

Reader submitted question on Social-Engineering

Published: 2007-11-27
Last Updated: 2007-11-27 21:04:19 UTC
by Joel Esler (Version: 1)

As you can imagine, here at the ISC we get thousands (tens of thousands?) of user-submitted questions and suggestions. Let me tell you what, we appreciate it. It's what binds the galaxy together. (TM)

But we had a user-submitted question today that I found particularly interesting. Jim wrote in asking us:

"I am looking for some good policies and practices to help my help desk avoid falling victim to social engineering. I looked around on SANS and other sites but find little more than asking a few questions to verify identity. We are also considering a callback as an auditing step. What do you think?"

So what DO you think, readers?

Joel Esler

http://www.joelesler.net


Lotus Notes buffer overflow in the Lotus WorkSheet file processor

Published: 2007-11-27
Last Updated: 2007-11-27 19:19:47 UTC
by Joel Esler (Version: 2)

Core Security has put out a new advisory concerning a buffer overflow in Lotus Notes. It is both remotely and locally exploitable.

Core lists the vulnerable software pieces as:

- Lotus Notes version 7.x
- Lotus Notes version 8.x (not confirmed by Core)
- Lotus Notes version 6.5.6 (not confirmed by Core)
- Other software packages using Verity KeyView SDK using vulnerable versions of l123sr.dll

Keep in mind, though, that as of now 8.x and 6.5.6 are NOT confirmed by Core (as stated in their advisory and in the cut and paste above).

Cut and Paste from Core's Advisory:

Lotus Notes customers should follow the instructions of the following
support Technote, which outlines the available options based on specific
versions of Lotus Notes:

http://www.ibm.com/support/docview.wss?rs=475&uid=swg21285600

Workaround 1: Delete the keyview.ini file in the Notes program directory.
This disables ALL viewers. When a user clicks View (for any file), a
dialog box will display with the message "Unable to locate the viewer
configuration file.".

Workaround 2: Delete the problem file l123sr.dll file. When a user tries
to view the specific file type, a dialog box will display with the message
"The viewer display window could not be initialized." All other file types
work without returning the error message.

Workaround 3: Comment out specific lines in keyview.ini for any references
to the problem file (l123sr.dll). To comment a line, you precede it with a
semi-colon (;). When a user tries to view the specific file type, a dialog
box will display with the message "The viewer display window could not be
initialized". For example:
[KVWKBVE]
;81.2.0.5.0=l123sr.dll
;81.2.0.9.0=l123sr.dll

Workaround 4:  Filter inbound emails with attachments with potentially
malicious files.  Lotus 1-2-3 files are usually associated to MIME
Content-Type headers set to the following strings:
application/lotus-1-2-3
application/lotus123
application/x-lotus123
application/wks
application/x-wks
application/vnd.lotus-1-2-3
Note however that workaround #4 is simply a stop gap measure that could be
circumvented by relatively unsophisticated attackers.
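
Workaround 3 can be scripted so that it is applied the same way on every client and can be re-run safely. The Python below is an added example, not part of Core's advisory or of the original diary; the sample file contents are constructed (only the [KVWKBVE] section name and the l123sr.dll entries appear in the advisory), and the script name in the usage comment is hypothetical.

```python
import shutil
import sys

TARGET_DLL = "l123sr.dll"  # the problem file named in the advisory

# Constructed sample: the section name and the l123sr.dll entries follow the
# advisory's example; the last line is a placeholder, not a real KeyView entry.
SAMPLE_INI = (
    "[KVWKBVE]\r\n"
    "81.2.0.5.0=l123sr.dll\r\n"
    ";81.2.0.9.0=l123sr.dll\r\n"
    "99.0.0.0.0=placeholder.dll\r\n"
)


def active_references(ini_text, dll=TARGET_DLL):
    """Return the uncommented key=value lines whose value names `dll`."""
    hits = []
    for line in ini_text.splitlines():
        entry = line.strip()
        _key, sep, value = entry.partition("=")
        # Windows file names are case-insensitive, so compare in lower case.
        if sep and not entry.startswith(";") and dll.lower() in value.lower():
            hits.append(entry)
    return hits


def comment_out(ini_text, dll=TARGET_DLL):
    """Prefix each active reference to `dll` with ';' and keep all else as is."""
    targets = set(active_references(ini_text, dll))
    out = []
    for line in ini_text.splitlines(keepends=True):
        out.append(";" + line if line.strip() in targets else line)
    return "".join(out)


if __name__ == "__main__":
    # Usage (hypothetical script name): python disable_l123sr.py <keyview.ini>
    path = sys.argv[1]
    shutil.copy2(path, path + ".bak")  # keep a copy for rollback
    # latin-1 with newline="" round-trips the file's bytes and line endings.
    with open(path, encoding="latin-1", newline="") as fh:
        text = fh.read()
    fixed = comment_out(text)
    with open(path, "w", encoding="latin-1", newline="") as fh:
        fh.write(fixed)
    print("commented out:", active_references(text))
    print("still active:", active_references(fixed))
```

Running active_references over the keyview.ini files collected from clients also works as an audit: an empty result means no active entry still points at l123sr.dll.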

 

Joel Esler

http://www.joelesler.net


Time to update your Firefoxes! (Firefox 2.0.0.10)

Published: 2007-11-27
Last Updated: 2007-11-27 15:48:34 UTC
by Joel Esler (Version: 1)

There's a new update for Firefox out: 2.0.0.10.

Copy and Paste from Mozilla.org on the updated security features:

MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard

Joel Esler

http://www.joelesler.net
