
SANS ISC: InfoSec Handlers Diary Blog


Apple releases QuickTime 7.4 with security fixes

Published: 2008-01-15
Last Updated: 2008-01-15 22:09:15 UTC
by Maarten Van Horenbeeck (Version: 1)

Apple has just released QuickTime 7.4 which fixes several security vulnerabilities:

  • CVE-2008-0031: A maliciously crafted Sorenson 3 movie file may lead to arbitrary code execution;
  • CVE-2008-0032: A maliciously crafted movie file may lead to arbitrary code execution during the handling of Macintosh resource records;
  • CVE-2008-0033: A maliciously crafted movie file may lead to arbitrary code execution during parsing of Image Descriptor atoms;
  • CVE-2008-0036: A maliciously crafted PICT image may lead to arbitrary code execution.

Note that this update does not yet appear to resolve the critical vulnerability reported last week by Luigi Auriemma (VU #112179).


Oracle releases January 2008 Critical Patch Update

Published: 2008-01-15
Last Updated: 2008-01-15 21:02:59 UTC
by Maarten Van Horenbeeck (Version: 1)

The January 2008 Critical Patch Update contains 27 security fixes; the highest CVSS score among them is 6.8 for server components and 9.3 for Application Server clients. The following Oracle versions are affected by vulnerabilities fixed in this patch release:

  • Oracle Database 11g, version
  • Oracle Database 10g Release 2, versions,
  • Oracle Database 10g, version
  • Oracle Database 9i Release 2, versions,
  • Oracle Application Server 10g Release 3 (10.1.3), versions,,,
  • Oracle Application Server 10g Release 2 (10.1.2), versions -,,
  • Oracle Application Server 10g (9.0.4), version
  • Oracle Collaboration Suite 10g, version 10.1.2
  • Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.3
  • Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2
  • Oracle Enterprise Manager Grid Control 10g Release 1, versions,
  • Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48, 8.49
  • Oracle PeopleSoft Enterprise Human Capital Management versions 8.9, 9.0 (Absence Management Module)

More information and downloads at Oracle.


Flash UPNP attack vector

Published: 2008-01-15
Last Updated: 2008-01-15 16:55:01 UTC
by Maarten Van Horenbeeck (Version: 1)

GNUcitizen has issued a blog posting regarding a new method of exploiting UPNP-enabled devices: having a user access a malicious SWF file. The group was able to show how Flash can be used to generate a URLRequest to a UPNP control point, allowing an external party to reconfigure that device.

One limiting factor is that the IP address of the router needs to be known, but on most end user networks this is trivial: these machines are within well known private ranges and are generally at the .1 or .254 end of the spectrum. With further review and information pending, we suggest evaluating (as with any piece of functionality) whether there is a legitimate need to have UPNP enabled on affected devices. Some guidance from the US-CERT can be found here.
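The diary's advice is to review whether UPNP is needed on each affected device. The inventory step of that review is finding out which devices on the local network answer SSDP discovery and which of them advertise an Internet Gateway Device control point, the capability the attack reconfigures. The script below is an added example for this page, not code from the diary or from GNUcitizen; the SSDP multicast address, port and search-target URNs are the standard UPnP values, and the sample response is constructed for the offline checks rather than captured from a real router.

```python
"""Inventory UPnP responders on the local network and flag gateway devices.
Added example; not from the ISC diary or GNUcitizen."""
import socket
from typing import Dict, List

SSDP_ADDR = "239.255.255.250"   # standard SSDP multicast group
SSDP_PORT = 1900                # standard SSDP port
# Search targets that identify gateway devices able to change port mappings.
IGD_TARGETS = (
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1",
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
)


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build the M-SEARCH datagram defined by the UPnP Device Architecture."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse an SSDP '200 OK' unicast reply into lower-cased headers.
    Returns an empty dict for anything that is not a 200 response."""
    text = raw.decode("ascii", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_gateway(headers: Dict[str, str]) -> bool:
    """True if the reply advertises an IGD device or a WAN connection service."""
    st = headers.get("st", "")
    usn = headers.get("usn", "")
    return any(t in st or t in usn for t in IGD_TARGETS)


def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect replies until the timeout expires.
    Needs a live network; the offline checks do not call it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
    found: List[Dict[str, str]] = []
    try:
        while True:
            data, addr = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers:
                headers["_from"] = addr[0]
                found.append(headers)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply modelled on a typical IGD response; the address,
# server string and UUID are placeholders, not captured from a real device.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n"
    b"SERVER: Linux/2.4 UPnP/1.0 Sample/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for dev in discover():
        flag = "GATEWAY - review whether UPnP is needed" if is_gateway(dev) else ""
        print(dev.get("_from"), dev.get("location"), flag)
```

A device that is flagged here is one whose LAN-side control point any page loaded in a browser on that network could reach, which is exactly the exposure the diary describes; disabling UPnP on it (or confirming the need for it) closes the review item.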


Targeted attacks: behind the media reports

Published: 2008-01-16
Last Updated: 2008-01-16 02:53:31 UTC
by Maarten Van Horenbeeck (Version: 2)

Between Christmas and New Year, I spoke at the Chaos Communications Congress in Berlin on targeted attacks. Some basic findings included:

  • Office applications are the most common targets, but utilities such as archivers that are seldom updated by the user are also commonly exploited;
  • Control servers used in the attack are generally compromised boxes themselves. The connection occurs based on a DNS lookup, not an IP address. This allows the attackers to reuse an infected machine even when the original control server is cleaned by its owners. These control servers sometimes contain port forwarders connecting to another machine, often in a different jurisdiction;
  • Initially, attacks were disabled and enabled remotely by "parking" the control hostname to localhost ( As this is a bit obvious, newer code contains checks for specific, fake IP addresses upon which the attack is temporarily disabled. Parking addresses are generally easy to spot manually, such as;
  • Hostnames are reused over several months but appear to be target-specific, while compromised IP addresses are potentially shared between targets;
  • "Memes", such as funny documents that are distributed on mailing lists, are sometimes redistributed by attackers, but containing malicious code. Users are familiar with the document being sent to them and are likely to open it.
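The second and third findings above give a defender a concrete signal: the implant resolves a hostname rather than embedding an IP, and the attacker switches it off by parking that hostname on localhost or a fixed fake address. A resolver log therefore shows the control hostname moving between unroutable and routable answers over time. The script below is an added example for this page, not part of the diary or the presentation; the log line format, the hostnames and the answers are all constructed, and the address classes treated as "parked" (loopback, 0.0.0.0/8, link-local, multicast, class E, and their IPv6 equivalents) are this example's choice, not a list the diary gives.

```python
"""Flag hostnames whose DNS answers flip between parked and live addresses.
Added example; log format and sample data are constructed."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log: "<timestamp> <client> <qname> A <answer>".
SAMPLE_LOG = """\
2008-01-10T08:01:02Z 10.0.0.15 update.example-c2.test A 127.0.0.1
2008-01-11T08:03:11Z 10.0.0.15 update.example-c2.test A 127.0.0.1
2008-01-12T08:00:44Z 10.0.0.15 update.example-c2.test A 203.0.113.40
2008-01-13T08:02:09Z 10.0.0.15 update.example-c2.test A 203.0.113.40
2008-01-14T08:01:57Z 10.0.0.15 update.example-c2.test A 0.0.0.0
2008-01-10T09:10:00Z 10.0.0.22 www.example.test A 198.51.100.7
2008-01-14T09:10:00Z 10.0.0.22 www.example.test A 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\S+)$")

# Address ranges a hostname is "parked" on when the attacker wants it idle.
# Explicit lists are used on purpose: Python's is_private also covers the
# documentation ranges used in the sample, which would hide the live answers.
PARKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "::/128", "fe80::/10",
)]
RFC1918_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

Record = Tuple[str, str, str, str]


def parse_log(text: str) -> List[Record]:
    """Return (timestamp, client, qname, answer) tuples; skip malformed lines."""
    out: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groups())
    return out


def classify_answer(answer: str) -> str:
    """'parked' for unroutable answers, 'private' for RFC 1918 space,
    'live' for everything else that parses, 'invalid' otherwise."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "invalid"
    if any(ip in net for net in PARKED_NETS):
        return "parked"
    if any(ip in net for net in RFC1918_NETS):
        return "private"
    return "live"


def parking_transitions(records: List[Record]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Per hostname, the state changes as (timestamp, from_state, to_state),
    in time order.  A hostname whose answers never change yields []."""
    by_host: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for ts, _client, qname, answer in records:
        by_host[qname.lower()].append((ts, classify_answer(answer)))
    transitions: Dict[str, List[Tuple[str, str, str]]] = {}
    for host, seen in by_host.items():
        seen.sort()                     # ISO-8601 timestamps sort lexically
        changes: List[Tuple[str, str, str]] = []
        prev = None
        for ts, state in seen:
            if prev is not None and state != prev:
                changes.append((ts, prev, state))
            prev = state
        transitions[host] = changes
    return transitions


def suspicious_hosts(records: List[Record]) -> List[str]:
    """Hostnames that moved between a live answer and a parked/private one:
    the remote enable/disable pattern described in the diary."""
    return sorted(
        host for host, changes in parking_transitions(records).items()
        if any("live" in (a, b) and "invalid" not in (a, b) for _, a, b in changes)
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host in suspicious_hosts(recs):
        print(host, parking_transitions(recs)[host])
```

On the constructed log the only hit is the control hostname, which is parked on 127.0.0.1 for two days, goes live, and is parked again on 0.0.0.0; the ordinary web hostname never changes state. A single parked answer is not evidence by itself (sinkholed and decommissioned names look the same), so the transitions, combined with the months-long reuse of hostnames the diary mentions, are what make a name worth investigating.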

A number of people approached me afterwards telling me that most of what they learned about the issue so far came from the media, not from their peers. When I started studying the phenomenon, my approach was to contact groups that had reported very similar attacks, such as the Falun Gong community. Information and samples from these groups allowed me to gain a better understanding of the attacks. 

Targeted attacks evolve based on economies built around the information that is targeted. When information is valuable to the attacker, he will take commensurate effort to compromise it. Depending on the value, this encourages the use of novel, untested techniques. Such techniques tend to be unreliable and fail disproportionately. Failures can be detected, understood and shared. This type of sharing is part of what I refer to as security intelligence.

If you're worried about this type of compromise, join one of the many information sharing mechanisms your industry may offer: the United States has a fair number of ISACs (Information Sharing and Analysis Centers), and the UK offers its WARPs (Warning, Advice and Reporting Points). These organizations allow you to share information and still rest assured it is anonymized appropriately.

We are also very interested in hearing about your experiences. The Storm Center takes your confidentiality very seriously, so please do identify what we can post and what should remain private or should only be referred to as generic techniques. We appreciate your contribution.

You can download the CCC presentation here or read up on the issue further here.

Maarten Van Horenbeeck
