
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2011-05-09 InfoSec Handlers Diary Blog



VUPEN Security pwns Google Chrome

Published: 2011-05-09
Last Updated: 2011-05-10 00:23:39 UTC
by Rick Wanner (Version: 1)
5 comment(s)

The French security research group VUPEN announced earlier today that it has managed to subvert Google Chrome's sandbox and execute code outside it.

The announcement, which is light on details, and a demo are available on VUPEN's website. The most interesting aspect of the announcement was the declaration "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services." Apparently this list does not include Google. Definitely an interesting twist on responsible disclosure.

Update: Further details and Google's response are available on Brian Krebs's blog.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)


Keywords: Chrome VUPEN

Patch for BIND 9.8.0 DoS Vulnerability

Published: 2011-05-09
Last Updated: 2011-05-09 19:55:06 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

The other ISC (isc.org) released a patch for BIND 9.8.0. The new version, 9.8.0-P1 [1] fixes a flaw that can lead to a server crash [2]. Only version 9.8.0 is vulnerable, and only if RPZ (response policy zone) is configured.

RPZ is a new feature introduced in BIND 9.8.0. This feature allows recursive name servers to selectively modify responses according to local policies. Usually, recursive name servers will not modify responses, but just forward them to the host that sent the original request. 

In order to use RPZ in BIND 9.8.0, it has to be compiled with the "--enable-rpz-nsip" or the "--enable-rpz-nsdname" option. These options make a new configuration directive available: "response-policy".

Four different policies can be used:

1. NXDOMAIN : replace all NXDOMAIN responses with a single CNAME record. This can be used to redirect users to a default host.

2. NODATA: similar to NXDOMAIN but can be used to redirect to a wildcard record.

3. NO-OP: Does nothing, and can be used to define exceptions for which NODATA/NXDOMAIN should not apply.

4. CNAME: replaces responses that return actual data other than NXDOMAIN. This can be used to apply block lists.

To configure this feature, you define a "response-policy" zone, and then the zone file will list the detailed policies. For more details, see section 6.2.6.20 of the BIND 9.8 administrator reference manual [3].
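As an added illustration (not from the diary and not ISC's code), here is a small Python model of how a response-policy zone drives the four policies listed above, plus a check for the condition the diary gives for being affected: version 9.8.0 with a "response-policy" directive configured. The named.conf fragment, the zone name rpz.example and the zone records are constructed for the example. The record encodings (CNAME to ".", to "*.", to the trigger's own name, or to another name) are my reading of the ARM [3], as is the rewriting each policy performs; check both against section 6.2.6.20 before relying on them.

```python
import re

# Constructed sample inputs (not taken from the diary or from ISC).
SAMPLE_NAMED_V = "BIND 9.8.0"          # what `named -v` prints on an unpatched 9.8.0
SAMPLE_NAMED_CONF = """
options {
    recursion yes;
    // zone name is hypothetical; the directive is the one the diary names
    response-policy { zone "rpz.example"; };
};
zone "rpz.example" {
    type master;
    file "rpz.example.zone";
};
"""
# Constructed RPZ zone data. Assumed encodings (check against the ARM [3]):
#   CNAME .             -> NXDOMAIN policy
#   CNAME *.            -> NODATA policy
#   CNAME <own name>.   -> NO-OP (exception; response passes through unchanged)
#   CNAME <other name>. -> CNAME policy (answer is rewritten to that name)
SAMPLE_RPZ_ZONE = """
$ORIGIN rpz.example.
bad.test                CNAME .
*.bad.test              CNAME .
ok.bad.test             CNAME ok.bad.test.
tracker.test            CNAME *.
malware.test            CNAME walledgarden.example.
"""


def _strip_comments(text):
    """Drop named.conf comments so a commented-out directive is not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def is_affected(named_v_output, named_conf):
    """CVE-2011-1907 exposure as the diary states it: exactly version 9.8.0
    (9.8.0-P1 is fixed) and a response-policy directive in named.conf."""
    m = re.search(r"BIND\s+(\S+)", named_v_output)
    if not m:
        return False
    uses_rpz = re.search(r"^\s*response-policy\b", _strip_comments(named_conf), re.M)
    return m.group(1) == "9.8.0" and uses_rpz is not None


def parse_rpz_zone(zone_text):
    """Map each trigger name to (policy, target) from the zone's CNAME records."""
    origin, policies = "", {}
    for line in zone_text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        fields = line.split()
        if len(fields) < 3 or fields[-2].upper() != "CNAME":
            continue                      # only CNAME records carry a policy here
        owner, target = fields[0], fields[-1]
        suffix = "." + origin + "."
        if owner.endswith(suffix):        # absolute owner: strip the zone apex
            trigger = owner[:-len(suffix)]
        else:                             # relative owner is already the trigger
            trigger = owner.rstrip(".")
        if target == ".":
            policies[trigger] = ("NXDOMAIN", None)
        elif target == "*.":
            policies[trigger] = ("NODATA", None)
        elif target.rstrip(".") == trigger:
            policies[trigger] = ("NO-OP", None)
        else:
            policies[trigger] = ("CNAME", target.rstrip("."))
    return policies


def lookup_policy(qname, policies):
    """Exact trigger first, then the closest enclosing wildcard trigger."""
    name = qname.rstrip(".")
    if name in policies:
        return policies[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in policies:
            return policies[wild]
    return None


def apply_policy(qname, rcode, answer, policies):
    """Return (rcode, answer) after rewriting; answer is a list of (name, type, data)."""
    hit = lookup_policy(qname, policies)
    if hit is None or hit[0] == "NO-OP":
        return rcode, answer              # no trigger, or an explicit exception
    policy, target = hit
    if policy == "NXDOMAIN":
        return "NXDOMAIN", []
    if policy == "NODATA":
        return "NOERROR", []
    return "NOERROR", [(qname, "CNAME", target)]   # CNAME policy


if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_NAMED_V, SAMPLE_NAMED_CONF))
    pol = parse_rpz_zone(SAMPLE_RPZ_ZONE)
    for q in ("www.bad.test", "ok.bad.test", "tracker.test", "malware.test", "example.org"):
        print(q, apply_policy(q, "NOERROR", [(q, "A", "192.0.2.1")], pol))
```

The exception for ok.bad.test wins over the *.bad.test wildcard because an exact trigger is checked before any wildcard, which is how the NO-OP policy carves a host out of a blocked domain.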

[1] http://ftp.isc.org/isc/bind9/9.8.0-P1/RELEASE-NOTES-BIND-9.8.0-P1.html
[2] http://www.isc.org/CVE-2011-1907
[3] http://ftp.isc.org/isc/bind/9.8.0/doc/arm/

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: bind dns rpz

Serious flaw in OpenID

Published: 2011-05-09
Last Updated: 2011-05-09 19:54:53 UTC
by Rick Wanner (Version: 1)
0 comment(s)


Last Thursday the OpenID Foundation announced a serious weakness in the Attribute Exchange extension to OpenID, which permits sites to exchange information between endpoints. Essentially, it is possible to pass information through Attribute Exchange unsigned, which could permit an attacker to modify the information.

There are no known exploits at this time, and the major sites that use OpenID have been contacted and have deployed a fix. For the rest of you who have applications using OpenID, the recommendation is to update the OpenID4Java library to 0.9.6 final.

Further details are available at the Threatpost blog and the Ping Talk blog.


-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
