Monday, December 22

Immaculate Collection

(Preface: I wrote this around January of 2007 and simply forgot about it. I wrote it around the time that Marty was writing these posts: here. Also when Richard was writing these posts here.)


I started playing with Sguil again recently, and for the benefit of those that don’t know, Sguil is a Snort based “NSM” system. It uses Snort and some other tools brought together in one interface to provide better analysis and results. The main factor of Sguil is that it runs something like Tcpdump, Snort, or Daemonlogger in order to dump ALL traffic to disk.

I bought my good friend Richard Bejtlich’s “The Tao of Network Security Monitoring” book earlier this year.


Richard has the theory of: “collect all packets, because without all packets the total picture isn’t seen”. In principle, I agree. I used to use this methodology heavily in my last job, and it worked quite well at the time.


He also goes on to say that IDS “alerting” has its place, but that without “context” (the surrounding traffic on the network) the alert will make no sense. I don’t know if I rightly agree with that statement as a whole. Let me explain my difference in “context”.


At my company, Sourcefire, we make a product called “RNA” which stands for “Real-Time Network Awareness”. This product coupled with our IPS’s and Defense Center make an extremely powerful tool for analyzing “alert traffic”. Let me give you an example.


Simple Example:

Hacker attacks your network with an exploit against IIS servers. If any of you have ever seen something like this before in your analyst lives, you probably know that they will either 1) Prescan your network for open http ports, or 2) just automate the attack so no prescan takes place, just the attack, very quickly.


If you have plain vanilla Snort, you will get an alert for every one of these attempts. Using the “Collection” theory, we would also collect all traffic for these connections, and we are able to see which attacks got through the firewall, not which ones didn’t. You can even take this a step further and rebuild the session to see what took place (if anything). This is a lot of data. We’re talking about a pcap file containing not only all these hundreds of potential connections, but every other connection taking place on the network at the same time.


Now, there is nothing wrong with that if:

A) You have the hard drive space.

B) You have the time.

C) Your machines doing the sniffing can keep up.

D) You have the personnel to manage all the time, data, and storage.


The problem with it is that at modern network speeds, and the speed at which a program would have to write this stuff to disk, something would give. Now I am not talking about your 500 Mbit/s speeds. I’m talking about the majority of the networks that I deal with, which are >1 Gig/s. Whether it be the hard drive, memory, or whatever, something would buffer somewhere, and more than likely you are going to drop packets. Again, I’m not saying that this is totally a bad idea, I’m just bringing up cons to the pros.


But let’s look at it a different way. RNA profiles the hosts on your network, both pre-attack and during, in real-time. RNA knows which machines are running IIS (if any) and which ones aren’t. So it already knows if you will be affected by the IIS exploit attempt.


When these alerts come back to the DC (Defense Center), the DC correlates the RNA event with the Intrusion Sensor alert and the “fat rises to the top” as it were. The DC knows to say “Hey, this attack affects IIS version 5, and only version 5, on Windows...etc..” This is technology that Sourcefire has invented and patented.


So instead of you now having to analyze 100’s of alerts and 1000’s of packets, hey, I only have “these two machines” over here running IIS, and the DC told me that I need to look at these alerts first. Are the other alerts still recorded? Yes, but now I know through the correlation which machines will receive a greater IMPACT from the attack. The two IIS machines. My other Apache boxes aren’t affected at all, so who really cares.


Let’s take it a step further. Say the exploit was against IIS 5.0. Well, our two machines are running IIS 6.0. (I’m inferring patch level with this example.)


So do we really care? Well, we might like to know: hey, there was an attempt, that’s great, but it doesn’t affect us, we’re not vulnerable to it, lower the IMPACT, and let’s move on to the next alert.
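The correlation described above, reduced to a toy you can run: an IDS alert carrying “what this exploit affects” metadata is matched against a passively built host inventory, and each alert gets an impact rating so the IIS 5.0 box floats to the top while the IIS 6.0 and Apache boxes sink. This is an added example, not RNA or Defense Center code; the impact scale, the host table, the alert SID and the IP addresses are all constructed for illustration.

```python
"""Toy alert/host-profile correlation (constructed example, not Sourcefire code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class HostProfile:
    """What passive profiling learned about one host (constructed data)."""
    ip: str
    os: Optional[str] = None
    services: Dict[int, str] = field(default_factory=dict)  # port -> "product/version"


@dataclass
class Alert:
    """An IDS alert plus rule metadata: which product and versions the exploit affects."""
    sid: int
    msg: str
    src: str
    dst: str
    dport: int
    affected_product: str
    affected_versions: FrozenSet[str]  # empty set means every version is affected


# Assumed impact scale for this example; 1 means "look at this first".
IMPACT_VULNERABLE = 1      # target runs the affected product AND an affected version
IMPACT_NOT_VULNERABLE = 2  # target runs the product, but a version the exploit misses
IMPACT_IRRELEVANT = 3      # target runs something else (or nothing) on that port
IMPACT_UNKNOWN = 4         # target was never profiled, so nothing can be ruled out


def rate_impact(alert: Alert, inventory: Dict[str, HostProfile]) -> int:
    """Rate one alert against the inventory using only what profiling already knows."""
    host = inventory.get(alert.dst)
    if host is None:
        return IMPACT_UNKNOWN
    banner = host.services.get(alert.dport)
    if banner is None:
        return IMPACT_IRRELEVANT
    product, _, version = banner.partition("/")
    if product != alert.affected_product:
        return IMPACT_IRRELEVANT
    if alert.affected_versions and version not in alert.affected_versions:
        return IMPACT_NOT_VULNERABLE
    return IMPACT_VULNERABLE


def triage(alerts: List[Alert], inventory: Dict[str, HostProfile]) -> List[Tuple[int, Alert]]:
    """Return (impact, alert) pairs, highest impact first; nothing is discarded."""
    rated = [(rate_impact(a, inventory), a) for a in alerts]
    rated.sort(key=lambda pair: (pair[0], pair[1].dst))
    return rated


# Constructed inventory mirroring the post: two IIS boxes and an Apache box.
INVENTORY: Dict[str, HostProfile] = {
    "10.0.0.10": HostProfile("10.0.0.10", "Windows Server 2003", {80: "IIS/6.0"}),
    "10.0.0.11": HostProfile("10.0.0.11", "Windows 2000", {80: "IIS/5.0"}),
    "10.0.0.20": HostProfile("10.0.0.20", "Linux", {80: "Apache/2.2.9", 22: "OpenSSH/5.1"}),
}


def sample_alerts() -> List[Alert]:
    """Constructed: one IIS 5.0 exploit attempt sprayed at every web server, plus
    one at a host the inventory has never seen (the SID is made up)."""
    return [
        Alert(1000001, "WEB-IIS example overflow attempt (constructed)",
              "203.0.113.5", dst, 80, "IIS", frozenset({"5.0"}))
        for dst in ("10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.99")
    ]


if __name__ == "__main__":
    for impact, alert in triage(sample_alerts(), INVENTORY):
        print(f"impact {impact}  {alert.dst}:{alert.dport}  sid {alert.sid}  {alert.msg}")
```

The IIS 6.0 host still shows up (the attempt is recorded), but at a lower impact than the IIS 5.0 host; an unprofiled target is rated last here only because nothing can be said about it, which in practice is a reason to profile it, not to ignore it.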


If you were collecting packets using the “Immaculate Collection” theory, you’d have to analyze all these streams to make sure that each IIS/Apache/etc.. box returned 404 and whatever else error codes.


Could we do that with Snort? Yes, of course we could. But if RNA knows our network already, then is it important to us? Or is it just informational at this point?


Take it a step further. Think about the exploits that affect browsers, Mail Clients, versions of SSH, telnet, snmp, etc.. RNA already knows these services and applications on your network. Before the attack even takes place.


Single glances allow us to look at these 1000’s of alerts, and say hey, these 2 machines are running IIS, but we’re not vulnerable to the attack. In a matter of seconds.


If you’ve ever heard Marty Roesch speak, you’ll know that it is his belief that “Humans” basically can’t make the decisions for the IDS. Why don’t we let RNA tune it directly? But that’s for a totally different post, one that Marty has covered on his blog as well.


Of course there are strong points to both sides of the discussion. Share your thoughts in the comments.

® Snort, Daemonlogger, RNA, Defense Center, and Sourcefire are all registered trademarks of Sourcefire, Inc.

Monday, November 24

10 things I hate about Outlook, and you should too

Okay, so, it should be strikingly obvious that I probably hate Outlook. I stopped using Outlook in 2001, had to use it for a customer for a while, and my love for it hasn’t gotten any fonder.


  1. Non-Standards compliant. Really Microsoft? You didn’t like how all the other email programs that have been around for years have been doing it? You had to go create that MIME format crap that not only isn’t standards compliant, but that every other email program has issues with.
  2. Calendar invites. Seriously? Why are Outlook’s Calendar invites so screwed up when sending them to people not on the same Exchange server as you? CALDAV anyone?
  3. Exchange? Didn’t like the standards based email servers that were out there? Had to go create one? “But there wasn’t one that did all these “X” features on one server” Wa. Cry me a river. Apple did it. Yeah so what they had to invent a couple open standards and submit them.
  4. Top-Posting by default?! Seriously? Lotus Notes you are guilty too, don’t think I am letting you off the hook. Although I will give you credit, Microsoft, for finally building in bottom posting into “Windows Mail”. How many years did it take you? And then, it’s only in Windows Mail!? Why not Outlook! Oh and Google, Gmail top posting? You should be ashamed. Going totally against an RFC! Mail.app for OSX. GUILTY.
  5. Tasks. Really? I can drag an email to the bottom left and make a task, I can even drag an email over to the right and make it a task. I can FLAG an email and it will make it a task, but if I move the email out of the Inbox, the task goes away. Awesome job there.
  6. PST -- Yet another “our own special standard” email thing from Microsoft. Good job! How about you store things in mbox? How about it? Did you know you can define a PST size up to 33TB? Are you serious? I’d love for the IT department to try and backup someone’s 33TB PST. That’s awesome!
  7. Inline Picture attachments. God forbid you should actually display these inline like I told you to. Oh, and I can’t drag the picture to where it should be in the email? I have to go to Insert and do 3 menu calls? Seriously? If I drag it into the email, it places a picture as an attachment? What if I am trying to explain to someone which screen to click on, and you don’t format my email correctly.
  8. No real-time Spellcheck? Seriously? You do it in Word! That means I have to select Word as my email editor? I have to launch a separate application to write an email!?
  9. Contact suggestion. There is a whole painful hurt of explanation I can do about this section here... not suggesting a contact if it’s in my address book? Not knowing which people I email the most? Which email address am I sending to if my contact has multiple email addresses?
  10. Spam Filter. Does one even exist? Does it work? Thunderbird’s Spam filtering kicks ASS compared to Outlook’s.


Basically, if you are using Outlook, and you aren’t on an Exchange server, why are you using Outlook? Use something else. God I hate Outlook.


Tuesday, November 4

Why is your Blog named Finshake?


Someone wrote in and asked me why I named my blog “Finshake”. Well..


Finshake is an internal joke between me and the guys in VRT at Sourcefire. A while ago, I was an author on the “Snort IDS and IPS toolkit” book from Syngress. Well, with the rush to deadlines and things, there are several mistakes in the book. Okay, so there are a lot of mistakes made in the book...


Well, one of the biggest mistakes in the book, actually happened in my chapter. (Chapter 6). I was talking about TCP Session initiation and TCP Session tear down and how Snort interprets those. In the final book, I wanted pictures of the TCP Handshake for session initiation, and the TCP exchange for session tear down.


In my copy of the manuscript I simply indicated where the pictures should go:





I didn’t actually draw the pictures. I knew Syngress had the pictures from the 2.1 book, and I just asked them to use those.


So in my final proofread of the pdf that I got from the publisher:



The place holder was there, but no picture. Oh well.


The picture was inserted later, and no one ever checked to see if the picture was right. 


So it’s become such a funny joke around the VRT, someone made the suggestion that I should rename my blog “Finshake”. (Since obviously, Session initiation does NOT take place with a “FIN” packet!?)

Monday, November 3

Research

Okay, so MS08-067 worm(s). I got some intel from various listservs that I belong to about a new worm (or worms) that was starting to be seen in the wild. So I got a few URLs to play with and started poking around. Note, these are not all the URLs that I tried to get the exploit/worm from. They are not all of the same worm, and they may or may not be related... BTW -- I am not a very good malware analyzer, just an FYI.


It appears one of the variants of this worm that I am looking at attempts to spread not only through network vulnerabilities (08-067), but also through P2P networks like eMule.


So, I tried to get one of the files, named 6767.exe in this case. This EXE file does several things, some of which are very unclear as to the reason... as I said, I’m not a malware guy...




This exe downloads, and upon execution (again, in my particular sample, I am sure it will change), from a network perspective, on MY machine, it didn’t do anything. I have read several write-ups of the 6767.exe variant, and I saw what it was “supposed” to do. But in my particular example, it didn’t do anything. I don’t know if it has some kind of virtual machine detection in it, and that’s why it didn’t execute? I don’t know. Just throwing that out there. Maybe it has some kind of sleep function so that it won’t execute right away, making reverse engineering difficult. (boring!) For a list of what it does to a machine, take a look here. At this point I am more interested in how it spreads, not really what it does to the machine.


So, I downloaded a second sample “10wrjcenew.exe”, and executed it.


It tried to download two files, the first was “mimi.1268772” from ls.lenovowireless.net, and the second was pp.av from “218.4.137.213”. After this pp.av file was downloaded, the malware then attempted to register my computer on ce.10wrj.com. With this string:





This connection succeeded, but was immediately terminated. Since this particular HTTP connection was tried over and over again to register, and since the MAC address is a VMware MAC address, I can only guess that the machine receiving the Client Registration knows which MAC addresses are VMware and doesn’t attempt to infect those? Just a theory. I found some interesting information about this here.


The two files were saved, actually on the desktop (because the malware I had executed was sitting on the Desktop), and were named svchost.exe and winlogon.exe.


So, you can tell that this is a completely different worm from the first one I tried.


Then, after that, scanning commenced on port 139 to try and find other hosts. Now I have a double NAT going on here (172.16 addresses (VMware) are being bridged out to 192.168 (home network) addresses, then translated to the internet). I didn’t notice it, but the worm must have looked up my ‘external’ address at some point, because the malware never did scan my local subnet; it only scanned the public address scheme of my local subnet. Upon further review of the malware through other websites, I also found this to be the case.


After successfully connecting (which didn’t happen in my case) on port 139, it then exploits the other machine on port 445, which Snort detects through these rules:


[1:7224:8] NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt

[3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt

[3:14783:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt


So I suggest you check out the newest subscription ruleset through Sourcefire at www.snort.org. Like I said, I am not a malware guy, I just did some clicking around to see what was out there and what it did. I haven’t reversed a binary in almost 4 years. Who has the time!? ;)



Sunday, October 26

Apple Store Photos

I moved my Gallery of Apple Store Photos to MobileMe. I travel to an Apple Store if I am in the city with one. Check out the gallery over there on the right, or click right here.

Thanks.


Thursday, October 23

ISC Podcast Episode Eleven Posted

Hey everyone, sorry it has taken so long to get around to recording another podcast episode. Travel schedules have been very crazy between us lately. Anyway, enough excuses, here is episode eleven. Thanks for all the emails asking me where it is! :) It helps to remind me....

All the podcasts
Just this podcast
Podcast through iTunes


CRCError

Recorded CRCError podcast last night, I've edited some of it, but I thought I would post something about the website on here. Well.. it's down. So wtf right?

Well something about the hosting company where the server is hosted is retarded or something, I don't know the whole drama or the issue, but we're working to get the server back up, and then punch the hosting provider in the face.




Tuesday, October 21

Mark Wahlberg Talks to Animals

This has been cracking me up for like the past 3 days. I love it.



Of course it has a sequel as well:





Tuesday, October 14

Google Calendar Syncing, MobileMe, and iCal

Recently I've had to start keeping my Calendar on Google Calendar. (For a really good reason, and, it's not the free version of Google Calendar either.) However, I didn't know how I was going to get my iCal to publish to Google Calendar, AND sync with MobileMe at the same time.

Well I started trying to connect iCal to Google Calendar via CalDAV, which I wrote about in an earlier post. However, Google's implementation of CalDAV is still kinda broken. You can't really schedule people's time, you can't see their availability, you can't call people up from the address book, and you can't have To-Do's on the calendar that you are syncing, so that breaks a bunch of stuff for me.

So I was going to try and just keep my calendar on iCal, and have it publish to Google Calendar, well, that wasn't going to work either for a couple reasons. I actually can't remember all the reasons right now, but it had to be something really big for me to abandon it right away.

So I started looking into Apps that would sync my calendars for me. So I came up with BusySync.

So I took the following steps, since my calendar was maintained in iCal, YMMV, but good luck:
1. I exported my iCal calendar and put it on my desktop.
2. Logged into Google Calendar and imported my iCal calendar into Google Calendar (took a few seconds, I have a rather large calendar).
3. Deleted my local calendar in iCal.
4. Fired up BusySync and told BusySync to Sync my Google Calendar to local iCal.
5. Voilà.

Since BusySync syncs a calendar to a "local" calendar (as opposed to a "subscribed" calendar) everything works fine, in fact, MobileMe will sync your calendar right down to your iPhone.

Problem Solved.


Monday, October 13

1001

Some insight.

So, here I am at 1,001 posts. What do I have to say? Absolutely nothing more than what I said at 900. Do what you do, say what you say, and people will be interested.

Between my 900 and my 1000 posts, I've picked up about 200% more readers (rss subscribers) and average about 500% more hits a day.

Recently I've picked up a bunch more readers through subscriptions, it's basically like a heartbeat diagram that keeps going up. When my name is mentioned somewhere, or I do a post on the ISC or something, I get a huge influx of readers, then it dies off a little bit, but a few stick around to see what nonsense I have to ramble about. It hasn't been much lately as I've been pretty busy with work and what not.

I'll try and get more active in the future. I promise. I've just got a lot going on right now, I'm lucky if I can get through my email.

Speaking of which, I need to do another "processing" email post, as I've changed a lot about that.


Friday, October 10

Apple Security Update 2008-007

I wish my 1000th post on the blog was way more insightful than this, but it's not going to be. I'll have to write something that really reflects a 1000th post. But it will be 1001.


Introducing Apple Security Update 2008-007. Just released last night:

Security Update 2008-007
  • Apache

CVE-ID: CVE-2007-6420, CVE-2008-1678, CVE-2008-2364

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in Apache 2.2.8

Description: Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Apache version 2 is not bundled with Mac OS X Client systems prior to version 10.5. Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default. Further information is available via the Apache web site at http://httpd.apache.org/

  • Certificates

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Root certificates have been updated

Description: Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.

  • ClamAV

CVE-ID: CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914

Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in ClamAV 0.93.3

Description: Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating to ClamAV 0.94. ClamAV is not bundled on Mac OS X Client systems. Further information is available via the ClamAV website at http://www.clamav.net/

  • ColorSync

CVE-ID: CVE-2008-3642

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ICC profiles in images. Credit: Apple.

  • CUPS

CVE-ID: CVE-2008-3641

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user

Description: A range checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges. This update addresses the issue by performing additional bounds checking. Credit to regenrecht working with TippingPoint's Zero Day Initiative for reporting this issue.

  • Finder

CVE-ID: CVE-2008-3643

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A file on the Desktop may lead to a denial of service

Description: An error recovery issue exists in Finder. A maliciously crafted file on the Desktop which causes Finder to unexpectedly terminate when generating its icon will cause Finder to continually terminate and restart. Until the file is removed, the user account is not accessible via Finder's user interface. This update addresses the issue by generating icons in a separate process. This issue does not affect systems prior to Mac OS X v10.5. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

  • launchd

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Applications may fail to enter a sandbox when requested

Description: This update addresses an issue introduced in Mac OS X v10.5.5. An implementation issue in launchd may cause an application's request to enter a sandbox to fail. This issue does not affect programs that use the documented sandbox_init API. This update addresses the issue by providing an updated version of launchd. This issue does not affect systems prior to Mac OS X v10.5.5.

  • libxslt

CVE-ID: CVE-2008-1767

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via http://xmlsoft.org/XSLT/ Credit to Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of Google Security Team for reporting this issue.

  • MySQL Server

CVE-ID: CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079

Available for: Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in MySQL 5.0.45

Description: MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues only affect Mac OS X Server systems. Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.html

  • Networking

CVE-ID: CVE-2008-3645

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A local user may obtain system privileges

Description: A heap buffer overflow exists in the local IPC component of configd's EAPOLController plugin, which may allow a local user to obtain system privileges. This update addresses the issue through improved bounds checking. Credit: Apple.

  • PHP

CVE-ID: CVE-2007-4850, CVE-2008-0674, CVE-2008-2371

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in PHP 4.4.8

Description: PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ These issues only affect systems running Mac OS X v10.4.x, Mac OS X Server v10.4.x, or Mac OS X Server v10.5.x.

  • Postfix

CVE-ID: CVE-2008-3646

Available for: Mac OS X v10.5.5

Impact: A remote attacker may be able to send mail directly to local users

Description: An issue exists in the Postfix configuration files. For a period of one minute after a local command-line tool sends mail, postfix is accessible from the network. During this time, a remote entity who could connect to the SMTP port may send mail to local users and otherwise use the SMTP protocol. This issue does not cause the system to be an open mail relay. This issue is addressed by modifying the Postfix configuration to prevent SMTP connections from remote machines. This issue does not affect systems prior to Mac OS X v10.5 and does not affect Mac OS X Server. Credit to Pelle Johansson for reporting this issue.
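The Postfix entry above says the fix was to keep the SMTP port closed to remote machines. As an added example (not Apple's or Postfix's code), here is a check that reads a Postfix main.cf and flags the weak setting beside the corrected one; it assumes the standard Postfix `inet_interfaces` parameter governs which interfaces the listener binds, since the page does not say which setting Apple changed.

```python
import re

# Values of inet_interfaces that keep the SMTP listener off the network.
# Assumption: inet_interfaces is the setting that matters here.
LOOPBACK_ONLY = {"loopback-only", "localhost", "127.0.0.1", "::1", "[::1]"}


def parse_main_cf(text):
    """Parse Postfix main.cf text into a dict.

    Format rules: 'name = value' per line, '#' in column 1 starts a comment,
    and a line beginning with whitespace continues the previous value.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":
            # Continuation of the previous parameter's value.
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
        else:
            current = None
    return params


def smtp_reachable_from_network(main_cf_text):
    """True if inet_interfaces allows non-loopback hosts to reach port 25."""
    params = parse_main_cf(main_cf_text)
    # Postfix defaults inet_interfaces to 'all' when it is not set.
    value = params.get("inet_interfaces", "all")
    ifaces = {v for v in re.split(r"[,\s]+", value) if v}
    return not ifaces.issubset(LOOPBACK_ONLY)


# Constructed sample configs (not taken from any real system).
WEAK_MAIN_CF = """\
# constructed: listens on every interface, the condition the advisory describes
myhostname = mac.example.test
inet_interfaces = all
"""

HARDENED_MAIN_CF = """\
# constructed: only the loopback interface is bound
myhostname = mac.example.test
inet_interfaces = loopback-only
"""

CONTINUATION_MAIN_CF = """\
inet_interfaces = 127.0.0.1,
    [::1]
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)]:
        state = "exposed" if smtp_reachable_from_network(cfg) else "loopback only"
        print(name, state)
```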

  • PSNormalizer

CVE-ID: CVE-2008-3647

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in PSNormalizer's handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PostScript files. Credit: Apple.

  • QuickLook

CVE-ID: CVE-2008-4211

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution

Description: A signedness issue exists in QuickLook's handling of columns in Microsoft Excel files, which may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Microsoft Excel files. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.

  • rlogin

CVE-ID: CVE-2008-4212

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Systems that have been manually configured to use rlogin and hosts.equiv may unexpectedly permit root login

Description: The manpage for the configuration file hosts.equiv indicates that entries do not apply to root. However, an implementation issue in rlogind causes these entries to also apply to root. This update addresses the issue by properly disallowing rlogin from the root user if the remote system is in hosts.equiv. The rlogin service is not enabled by default in Mac OS X, and must be manually configured in order to be enabled. Credit to Ralf Meyer for reporting this issue.

  • Script Editor

CVE-ID: CVE-2008-4214

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A local user may gain the privileges of another user that is using Script Editor

Description: An insecure file operation issue exists in the Script Editor application when opening application scripting dictionaries. A local user can cause the scripting dictionary to be written to an arbitrary path accessible by the user that is running the application. This update addresses the issue by creating the temporary file in a secure location. Credit: Apple.

  • Single Sign-On

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: The sso_util command now accepts passwords from a file

Description: The sso_util command now accepts passwords from a file named in the SSO_PASSWD_PATH environment variable. This enables automated scripts to use sso_util more securely.

  • Tomcat

CVE-ID: CVE-2007-6286, CVE-2008-0002, CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461

Available for: Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in Tomcat 6.0.14

Description: Tomcat on Mac OS X v10.5 systems is updated to version 6.0.18 to address several vulnerabilities, the most serious of which may lead to a cross site scripting attack. These issues only affect Mac OS X Server systems. Further information is available via the Tomcat site at http://tomcat.apache.org/

  • vim

CVE-ID: CVE-2008-2712, CVE-2008-4101, CVE-2008-3432, CVE-2008-3294

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in vim 7.0

Description: Multiple vulnerabilities exist in vim 7.0, the most serious of which may lead to arbitrary code execution when working with maliciously crafted files. This update addresses the issues by updating to vim 7.2.0.22. Further information is available via the vim website at http://www.vim.org/

  • Weblog

CVE-ID: CVE-2008-4215

Available for: Mac OS X Server v10.4.11

Impact: Access control on weblog postings may not be enforced

Description: An unchecked error condition exists in the weblog server. Adding a user with multiple short names to the access control list for a weblog posting may cause the Weblog server to not enforce the access control. This issue is addressed by improving the way access control lists are saved. This issue only affects systems running Mac OS X Server v10.4. Credit: Apple.

Sunday, October 5

Thursday, October 2

An actual meeting held via iChat

Earlier this week, three of my coworkers and I held a 4-way iChat video conference as a meeting. It worked great.

Of course, as bandwidth decreases, the video codec is dynamically reduced; however, the four of us had a face-to-face video/audio chat for over an hour about some code testing. It worked great. I've been using iChat to do one-on-one meetings for a couple of years now, but I'd never had the opportunity to have a call with four people (never had the bandwidth to sustain it before), and now that I have FiOS... awesome.


Monday, September 29

Physical Fitness #2

Oh yeah, I ran again. Except this time I got to mile 1 and it didn't hurt, so I decided to keep going.

Got to mile 2, still didn't feel it. Got to mile 3, still not tired, but I decided not to kill my legs, just in case, and cut it short at 3.25 miles. Felt pretty good, wasn't sore or anything, so good stuff. I'll just keep ramping it up a little bit every time until I get back up to my comfortable distance.
