InfoSec Philippines

Information Security, Technology News and Opinions

Archive for the ‘vulnerability’ Category

Windows 7 beta gets its first security update

Posted by Daniel Tumalad on March 12, 2009

This is Microsoft’s first release for Windows 7 [just being optimistic, hopefully there won’t be a lot more to come in the future]. This update is supposed to patch a critical Remote Code Execution bug along with two other spoofing-related vulnerabilities.

Now available on Windows Update and Microsoft Download Center.

For more details:

http://arstechnica.com/microsoft/news/2009/03/windows-7-beta-gets-its-first-security-update.ars

http://www.microsoft.com/DOWNLOADS/en/default.aspx

Posted in vulnerability, Windows

Curse of Silence Update

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 9, 2009

F-Secure apparently has a solution for this, but you would have to pay for it after 15 days. I’ve also confirmed that this attack works on at least one of the major local networks. No word yet if they have changed their settings to what was suggested to stop the attack. Sony Ericsson UiQ devices were found by F-Secure to also be vulnerable to the attack.

Nokia isn’t very worried about it since it is a denial of service attack and doesn’t allow an attacker to leech information from your cellphone. I still think it would be very annoying if I would have to do a factory reset of my phone, losing all my contacts, settings and messages. I also wouldn’t like it if my competitor knows my company uses the vulnerable phones and starts shutting down SMS capabilities until we notice it. That could potentially hit productivity and the bottom line.

I have no details of the local test done except that it exists and it was possible. If one watches the video, the victim wouldn’t even know who sent the message. The phone just stops receiving messages… in other words, Nokia’s advice in the Heise Security article is pretty useless.

Nokia, which got the demo around a month before the public release and which recently acquired Symbian, is currently working on a remedy for the vulnerability. I will post it here as soon as I get word of it.

Posted in vulnerability

Happy New Year to All :)

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 6, 2009

A lot of people in the Philippines are probably still hungover from the long vacation from Dec 25 to Jan 4, unless of course they were part of sales, or a BPO… anyway, on to the news:

OpenVAS 2.0 was released around two weeks ago, and a respected security expert (who wishes to remain anonymous) thinks it is, “fast approaching the maturity level needed to truly compete with Nessus in the vulnerability assessment area.”

The OpenVAS 2.0 press release states that:
OpenVAS is a fork of the Nessus security scanner which has continued development under a proprietary license since late 2005. Since the release of OpenVAS 1.0.0 in October 2007, the OpenVAS developers continued the auditing of the code inherited from Nessus and have added a variety of useful features for OpenVAS users, for server administrators and for developers of Network Vulnerability Tests (NVTs).


Some of the Philippines’ high ranking government officials may want to look into cellphone voice encryption (as mentioned in this SecurityPark.net article) before calling some other high ranking government official so that they wouldn’t need to give a televised public apology (wink).


Speaking of mobile phone security, there was a DoS vulnerability found in Nokia Series 60 cellphones just before New Year’s Eve called the “Curse of Silence”, which either stops the cellphone from receiving SMS until a factory reset is done (Series 60 2.6 and 3.0 devices) or not all SMS’s are received (Series 60 2.8 and 3.1).

This is done via the following steps (check out the demo video link below):
For target phones running Series 60 v2.2, 2.3, 3.0 and 3.1:
1. create an email that has an e-mail address with more than 32 characters followed by a space.
2. set TP Protocol Identifier of SMS Message to Internet Electronic Mail
3. send message to target (eleven times to Series 60 v 3.1, only one message is needed for all other versions)

There are currently no client-side workarounds published as of the moment. If ever you work for Smart Communications, Globe Telecom or Sun Cellular, maybe your network team can take heed of the suggestion in the document that “network operators should filter messages with TP-PID ‘Internet Electronic Mail’ and an email address of more than 32 characters or reset the TP-PID of these messages to 0”. I also do not have a Series 60 phone mentioned in the list, so I cannot test if it can affect cell phones here in the Philippines. Kindly drop me a line in case you were able to test this.
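The operator-side filter quoted above, sketched as an added example (not code from the original post or from the referenced document). The `SmsMessage` class and function names are hypothetical; TP-PID 0x32 is the 3GPP TS 23.040 code for Internet Electronic Mail, and treating the text before the first space as the address field is an assumption.

```python
from dataclasses import dataclass, replace

TP_PID_INTERNET_EMAIL = 0x32   # 3GPP TS 23.040: "Internet Electronic Mail"
MAX_EMAIL_ADDR_LEN = 32        # threshold quoted in the advisory


@dataclass(frozen=True)
class SmsMessage:
    """Hypothetical, simplified view of an already-decoded SMS."""
    tp_pid: int
    user_data: str


def email_address_field(user_data: str) -> str:
    # Assumption: the address is the text before the first space. If no
    # space is present, the whole text is treated as the address
    # (the conservative choice for a filter).
    return user_data.split(" ", 1)[0]


def is_suspect(msg: SmsMessage) -> bool:
    """True when both conditions named in the advisory hold."""
    return (msg.tp_pid == TP_PID_INTERNET_EMAIL
            and len(email_address_field(msg.user_data)) > MAX_EMAIL_ADDR_LEN)


def apply_policy(msg: SmsMessage, mode: str = "drop"):
    """Return (action, message). 'drop' filters the message out;
    'reset' forwards it with TP-PID rewritten to 0."""
    if mode not in ("drop", "reset"):
        raise ValueError("mode must be 'drop' or 'reset'")
    if not is_suspect(msg):
        return "pass", msg
    if mode == "reset":
        return "reset", replace(msg, tp_pid=0)
    return "drop", None


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    samples = [
        SmsMessage(0x32, "user@example.com Meeting at 3pm"),
        SmsMessage(0x32, "a" * 30 + "@example.com hello"),
        SmsMessage(0x00, "a" * 30 + "@example.com hello"),
    ]
    for m in samples:
        print(hex(m.tp_pid), apply_policy(m, mode="reset")[0])
```
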

Phones affected:
S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630

More details can be found in a must-see video (21 MB) and a document (6.8 KB) on the website of Tobias Engel, who is a member of the Chaos Computer Club.


Microblogging site Twitter had a major breach and has phishing problems, report HeiseSecurity, SCMagazineUS, and SecurityFocus. Apparently, US President-elect Barack Obama’s and Britney Spears’ accounts were compromised.

In related news, (The Register) Bogus LinkedIn profiles punt malware to fools.

A security update for the popular email client Mozilla Thunderbird was recently released. (Heise Security report, SCMagazineUS report)

The recently found MD5 vulnerability links:
(SCMagazineUS) MD5 insecurity affects all internet users
(SCMagazineUS) Hackers find hole to create rogue digital certificates
(Heise Security) Verisign/RapidSSL close 25C3 MD5 vulnerability
(SecurityFocus) Survey: One in seven SSL certificates are weak

Posted in News, social engineering, Social Networking, vulnerability, vulnerability assessment

Now it’s Firefox’s and Opera’s turn (Updated)

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 19, 2008

Firefox and Opera both patched their software this week after new critical vulnerabilities were found in both.

Firefox
Mozilla Foundation Security Advisory 2008-60
Security Focus BID

Opera Security Advisories
http://www.opera.com/support/kb/view/921/
http://www.opera.com/support/kb/view/924/
http://www.opera.com/support/kb/view/920/
http://www.opera.com/support/kb/view/923/

IE Bug Update
(Computerworld) Hackers exploit IE bug with ‘insidious’ Word docs – ActiveX control in Word file downloads malware to unpatched PCs, says McAfee

MS08-078 and the SDL – The MSDN blog has released an analysis of the recent zero day bug of IE. In the end, the author states, “I think this bug is a great example of ‘you will never get the code 100% right, so multiple defenses are critical.’”


⌘+⇧+L and other useful OS X hidden features – Not Security related but I thought that some Mac heads might find this useful.


(Security Park) 44 per cent of EU SMBs have been attacked by cyber criminals
Adobe Flash Player for Linux Security Bulletin and Update
(Heise Security) Keyloggers under the microscope – A team assembled by honeynet specialist Thorsten Holz from the University of Mannheim has published a case study of banking trojans, keyloggers and their dropzones. “Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones” is available for download here.
(Security Park) Mobile Phone Security Tips

Posted in ISMS, vulnerability, Whitepapers

Info Sec News, Dec 4, 2008

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 4, 2008

In a series of twists, Apple has pulled out its quietly released Anti-virus technote, stating that it was old. Noted exploit hunter Charlie Miller said that it was much to do about nothing (take note that this is the same guy that won the $10k who hacked the MacBook Air in under two minutes). On the same day that story went out, a new Apple malware was announced in SecurityPark.com. I’ll take the same line as Apple spokesman Bill Evans in saying, “Since no system can be 100% immune from every threat, running anti-virus software may offer additional protection”.

Related Apple Recommends Anti-Virus stories:
Apple anti-virus advice was nothing new
Security Focus
Heise Security
Apple’s antivirus advice ‘big to-do about nothing,’ says researcher
New Apple Mac OS X malware discovered

CSO Online interviewed Gary Hinson a few weeks ago on the future of ISO 27000

‘Dumbing down’ the security profession

Bot-wielding hackers crash eBay holiday giveaway

SonicWALL licensing snafu short-circuits protection

Online payment site hijacked by notorious crime gang

Pentagon hacker tries one more time to avoid extradition

Botnet master sees himself as next Bill Gates

U.S. report sees major terror attack by 2013, ignores cyberattack risk

Lenovo arms ThinkPads with Intel’s built-in security

High tech attacks need high tech response


Computer systems are supposedly attacked a few minutes after going online. Here’s just another story about it: IBM in New Zealand did an experiment which resulted in an unprotected system that was rendered useless in around two hours.

Posted in ISMS, News, vulnerability

Info Sec News, Dec 2, 2008

Posted by Jaime Raphael Licauco, CISSP, GSEC on December 2, 2008

A rootkit was found in an Enterprise Information Security software, reports Heise Security and The Register.

Another vulnerability was found in the popular VLC media player. So if you can, update.

The Chicago Tribune reports that a new round of cyber attacks has the Pentagon worried. They normally get a whole number of attacks per day, however, the magnitude and way the new attacks are being done are apparently designed to specifically attack military networks. Heise also covers the same topic here and here.

The Linux on iPhone project has released the first results of its project.

Anti-virus seems to be ineffective versus new malware that makes zombies out of PCs. Stuart Staniford talks about it in his blog.

WordPress update fixes XSS vulnerability.

Google denies security hole in GMail.

Microsoft adds malware detection to its Webmaster tools. Speaking of Microsoft, a new Windows worm builds a massive botnet worth around half a million computers and growing.

For the first time, Apple quietly recommended Anti Virus software in a technote. About.com has Mac Anti-Virus recommendations. iAntivirus and ClamXav are free.

Posted in News, vulnerability