Friday, February 29

Microsoft chops Vista retail prices

Okay, wait.

HAHAHAHAHAA.

Okay, I'm over it. Apparently Microsoft can't sell Vista fast enough, so they decided to cut prices. News flash MSFT, I don't think it's the price (although that doesn't help), it's the damn 6 different versions and horrible codebase to begin with that keep people from going to Vista. The suggested price for Vista Ultimate dropped from $299 to $219, while Home Premium fell from $159 to $129.

It didn't work with XP Home, XP media edition, and XP pro! What makes you think that 6 versions would be better than 3?

Just buy a Mac people. Come on, seriously, do you really need more of an excuse?

Wednesday, February 27

iPhone SDK

Next week on March 6th, Apple will have an event at the Cupertino Apple Campus to announce what looks like an SDK. From the image, I don't think they are going to actually ANNOUNCE an SDK. They are going to announce their roadmap. I could be wrong on this one, but that's the way I read the news blast: "iPhone Software Roadmap". Roadmaps are usually just an idea of how things are going to go, not really a product announcement.

The picture has three interesting pictures on it.  One says "SDK", one says "Software Update", and another says "Enterprise".  This leads me to believe that Apple is going to have a Software Update first, then we're going to get the SDK.

But the enterprise logo is interesting. Does that signal the iPhone's Exchange capability that I know Apple is working on? (BTW -- the only reason I know this is because of the job postings on Apple's website wanting developers to integrate the iPhone and Exchange.)

But I don't know, we'll see I guess.

Tuesday, February 26

Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS POC

Posted today, "Apple MACOS X xnu <= 1228.3.13 ipv6-ipcomp remote kernel DoS POC" is a remote Denial of Service against OS X 10.5.1 and 10.5.2, FreeBSD 5.5 and 4.9.0, and NetBSD 3.1.

It appears that the only reason for this DoS to exist is, basically, a typo.

See? Copy and paste from the exploit:
 * ipcomp6_input does not verify the success of the first call
 * to m_pulldown (m -> md typo?).
 *
 * md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
 * if (!m) {
 * ->
 * md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
 * if (!md) {


New MacBooks and MacBook Pros

In what is basically a simple refresh of the product line, Apple put out new MacBooks and MacBook Pros this morning, with each one getting new processors.

The MacBook Pros got a multitouch trackpad inherited from the MacBook Air, and instead of having two models of 15" laptop and one of the 17"... there is now just one model of the 15 and two of the 17. So clearly Apple is going towards "bigger is better". The second 17 simply offers more screen resolution.

Each laptop possesses 802.11n capability for the fastest wireless, and of course an ethernet jack as well.

Random IDS musings

I've seen a lot of traffic lately on the snort-users list about how to clean out a database periodically, and it got me thinking.

The gist of the story is that people want to clean out the events from their DB on a periodic basis: 1 month, 2 months, whatever. The way I look at it is this: why are there events in your database that are that old?

If you have events in your IDS DB, you should look at them. That's the reason you have an IDS/IPS: to review the events (and in the case of IPS, prevent the attacks) and make sure the evil hax0rs are not getting you. If you have events in your current DB that are a month old, that tells me one of two things:
A) You don't care about your alerts.
B) You have too many alerts, and you don't have a system.

So let me help you get a system.

Make an archive DB (for the people using BASE this is pretty simple). Now you have two DBs: one current, and one archive.

1) Events come in from Snort via barnyard into your current DB.
2) You review these events. Any events that you skip over, take note of them. Do you need this alert? Is it applicable to your network? Do you KNOW if it's applicable to your network?
3) Any events that you do take a look at: did it actually affect your network, or was it someone banging on the door (script kiddie)? If it was a script kiddie, what are you going to do about it? Block them at your firewall? Send their ISP a cease and desist letter? If you are going to do nothing, then DELETE THE ALERT. Why keep it? You aren't going to do anything about it, so who cares?
4) Now, say when you are reviewing alerts you come across something you need to investigate. Good. Take note of it and come back later. Leave it in your current DB and get through the rest of your alerts.
5) Through your alerts? Good. Come back to the ones you still have in your current DB. Do you need to take further action on these guys? Yes? Investigation time? Okay, then you need to save the alert, so move it to your archive DB. When you are done with your investigation in your archive DB, delete the alert.

Basically my point here is, don't keep alerts for no reason. Now, let's go back to #2.
For instance, if you are running web-php rules but aren't running any web servers with PHP on them, do you need the rules? Don't subscribe to the philosophy of "if the IDS isn't alerting, then how do I know it's working?". If you want to make sure your IDS is working, write some kind of script to email you the statistics from the Snort process to make sure it's analyzing traffic. If you ALWAYS skip over a particular event, then WHY are you making your IDS run the rule? Shut it off!

Let's take a look at a network. Small one. One BSD box, 2 OS X boxes, 2 Windows boxes, and 1 Linux box. Now, in your network there may be thousands of machines on tons of subnets. The network size doesn't matter; you can apply the same philosophy.

Your frag3 and your stream5 preprocessors need to be tuned to the OSes. Done? k.

Now, take your network and look at it. What services are you running, what versions of those services? What OSes? What vulnerabilities are present on your network? Now, figure those things out and turn off the rules in Snort you don't need.

Now, this is where you say to me that this is a pain in the butt, and Snort has tens of thousands of rules, with more coming out each month, blah blah, etc. etc.

Well, that's where Sourcefire comes in. We have things like RNA, we have things like Adaptive IPS/IDS that will do all that FOR YOU, leaving you with the relevant alerts, things you HAVE to look at! But rather than this turning into a sales pitch, I am simply trying to get you to think about how to work with your data. Do you need to keep all that data? Or can you fine-tune it?
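The two-database workflow in steps 1 through 5 above, as an added example that is not part of the original post and is not Snort's or BASE's own schema: a Python script using SQLite with a `main` (current) database and an attached `archive` database, where each function maps to one of the steps, and a per-signature skip counter backs the "if you ALWAYS skip it, shut the rule off" point from #2. The events, signature IDs, addresses and table layout are all constructed for the example.

```python
"""Alert triage workflow from the post above, modelled on SQLite.

Constructed example: the events, signature ids and addresses below are
made up, and the table layout is a simplified stand-in for the Snort/BASE
schema. 'main' plays the current DB, the attached 'archive' the archive DB.
"""
import sqlite3

# Constructed sample events, as barnyard would have written them (step 1):
# (cid, sid, msg, src, dst, timestamp)
SAMPLE_EVENTS = [
    (1, 1000001, "WEB-PHP remote file include attempt", "203.0.113.7", "192.0.2.10", "2008-02-26 09:00:01"),
    (2, 1000001, "WEB-PHP remote file include attempt", "203.0.113.8", "192.0.2.10", "2008-02-26 09:02:15"),
    (3, 1000002, "SCAN nmap TCP", "198.51.100.3", "192.0.2.10", "2008-02-26 09:05:40"),
    (4, 1000003, "EXPLOIT overflow attempt against SSH", "198.51.100.9", "192.0.2.20", "2008-02-26 09:07:02"),
    (5, 1000002, "SCAN nmap TCP", "198.51.100.3", "192.0.2.20", "2008-02-26 09:09:11"),
]


def open_dbs():
    """One connection, two databases: 'main' is current, 'archive' is the archive."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS archive")
    conn.executescript("""
        CREATE TABLE main.event (
            cid INTEGER PRIMARY KEY, sid INTEGER, msg TEXT,
            src TEXT, dst TEXT, ts TEXT, status TEXT NOT NULL DEFAULT 'new');
        CREATE TABLE main.skipped (sid INTEGER PRIMARY KEY, times INTEGER NOT NULL);
        CREATE TABLE archive.event (
            cid INTEGER PRIMARY KEY, sid INTEGER, msg TEXT,
            src TEXT, dst TEXT, ts TEXT, note TEXT);
    """)
    return conn


def ingest(conn, events):
    """Step 1: events land in the current DB."""
    conn.executemany(
        "INSERT INTO main.event (cid, sid, msg, src, dst, ts) VALUES (?, ?, ?, ?, ?, ?)", events)


def skip(conn, cid):
    """Step 2: you glanced past it. Take note of which signature you keep skipping."""
    (sid,) = conn.execute("SELECT sid FROM main.event WHERE cid = ?", (cid,)).fetchone()
    conn.execute("INSERT OR IGNORE INTO main.skipped (sid, times) VALUES (?, 0)", (sid,))
    conn.execute("UPDATE main.skipped SET times = times + 1 WHERE sid = ?", (sid,))
    conn.execute("UPDATE main.event SET status = 'skipped' WHERE cid = ?", (cid,))


def discard(conn, cid):
    """Step 3: door-banging you will do nothing about. Delete it, don't keep it."""
    conn.execute("DELETE FROM main.event WHERE cid = ?", (cid,))


def flag(conn, cid):
    """Step 4: needs a closer look; leave it in the current DB and move on."""
    conn.execute("UPDATE main.event SET status = 'investigate' WHERE cid = ?", (cid,))


def archive_event(conn, cid, note):
    """Step 5: the investigation is real, so move the event to the archive DB."""
    row = conn.execute(
        "SELECT cid, sid, msg, src, dst, ts FROM main.event WHERE cid = ?", (cid,)).fetchone()
    conn.execute(
        "INSERT INTO archive.event (cid, sid, msg, src, dst, ts, note) VALUES (?, ?, ?, ?, ?, ?, ?)",
        row + (note,))
    conn.execute("DELETE FROM main.event WHERE cid = ?", (cid,))


def close_investigation(conn, cid):
    """End of step 5: investigation finished, the archived event goes too."""
    conn.execute("DELETE FROM archive.event WHERE cid = ?", (cid,))


def rules_to_reconsider(conn, min_skips=2):
    """Signatures you always skip are candidates to shut off in snort.conf (#2)."""
    rows = conn.execute(
        "SELECT sid FROM main.skipped WHERE times >= ? ORDER BY sid", (min_skips,)).fetchall()
    return [sid for (sid,) in rows]


def counts(conn):
    """(events in current DB, events in archive DB)."""
    cur = conn.execute("SELECT count(*) FROM main.event").fetchone()[0]
    arc = conn.execute("SELECT count(*) FROM archive.event").fetchone()[0]
    return cur, arc


def run_review():
    """One review pass over the constructed events; returns the DB state at each stage."""
    conn = open_dbs()
    ingest(conn, SAMPLE_EVENTS)
    skip(conn, 1)           # WEB-PHP on a network with no PHP: skipped again
    skip(conn, 2)
    discard(conn, 3)        # nmap from a script kiddie, no action planned
    flag(conn, 4)           # overflow attempt against a real SSH host
    discard(conn, 5)
    after_pass = counts(conn)                       # two skipped + one flagged
    archive_event(conn, 4, "investigation opened")  # constructed note
    after_archive = counts(conn)
    close_investigation(conn, 4)
    return {"after_pass": after_pass, "after_archive": after_archive,
            "final": counts(conn), "reconsider": rules_to_reconsider(conn)}


if __name__ == "__main__":
    print(run_review())
```

The skipped events stay in the current DB only until you act on #2: once the rule is shut off, delete them as well, and the counter tells you which signatures to look at first.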

Monday, February 25

Yep, new Macbook part numbers are in Best Buy's database

Posted from Engadget.  Take a look at the "In Stock Date" and the "Out Stock Date".  I guess it's easy to see when the new computers are coming and when they are leaving.

Yep, new Macbook part numbers are in Best Buy's database

Our tip jar, it brings us so much joy -- and it brings you, dear reader, this printout of what's purported to be the Best Buy database listing for one of those heretofore-unknown MacBook model numbers. You'll note that whatever MB402LL/A turns out to be, it's said to be in stock on March 2nd, which is just a few days away -- but also note that current MacBook Pros have MA-series model numbers, while the regular MacBook has traditionally carried the MB designation. That's interesting, but we doubt a $1,999 MacBook is about to surface -- besides, the current MacBook box is 15 inches square, smaller than the 19 inches listed here. (Yes, we measured.) As always, we'll see when we see -- come on Tuesday, you're almost here.

Microsoft to employees: We're still buying Yahoo!

In an internal email to MSFT employees, Kevin Johnson, President of the Services and Platform division, says that they are still pursuing the Yahoo buy-out, and that until MSFT's deal to purchase Yahoo is finalized, Yahoo should still be seen as a rival.

So it looks like the battle isn't over yet. Hostile takeover from MSFT time?

Saturday, February 23

Microsoft throws open the door

If you haven't heard about it already, Microsoft has published a ton of their protocols on their MSDN page.  Everything from Windows Update to Remote Desktop.  What is (MSFT) trying to do here?  Are they going for the "open up the OS, we're moving to the online services" market?  I guess we'll see.

What will this lead to? Well, people will try and make things interoperable, find the bugs, publish the bugs, exploits will rain down, cats and dogs, living together, MASS HYSTERIA.

But this may be nice for security researchers as well.  No more having to brute-force reverse engineer MSFT's protocols.  They are out in the open now.  

Friday, February 22

Okay, so the blog lives to be down another day

Verizon made a liar out of me.  They apparently had problems with the transferring of my phone number from my old provider to Verizon.  So let me gripe for a second, because it took me about 2 hours to get this answer.

1) I hate voice operated prompts: "Please say Support, Billing, Order Status, or help menu"  I say "Order Status", the computer says back to me "What Support question can I help you with?"  AHHHHHH!!!

2) Oh, and if you order FIoS, they tell you to check your order status online. But when you do, it says "for further information, please click here." Then you click there, under "To find out the status of your FIoS order, please see the online order status screen here." Essentially taking you back a screen. AHHHHHHH!!!

3) Verizon says they can't install the tv and internet until the phone order comes through (seems broke).

4) Hold Sucks.

5) I want my damn FIoS.

Blog may be down

The blog may be down for a bit today, I am switching ISPs to Verizon FIOS. Well, I hope I am, the guy isn't here yet, and it snowed last night... so I hope I am switching today.

But anyway, just want to let you know the blog may be down for a bit or something while I get the DNS and ports and everything figured out.   Thanks!

Wednesday, February 20

Thanks

I just wanted to thank all of you guys that sent me a Happy Birthday. I guess most people found out through Plaxo and everyone else found out from there. But I literally (actually?) received about 50 emails today wishing me Happy Birthday. Thank you all very much.

Recent Template Changes

As you probably have noticed, (or been annoyed by), I've changed the template again. Obviously I am experimenting with different code and layouts and looks.

I like the darker colors with the lighter fonts, but people write into me and tell me that it's hard to read. So I change it a bit. It's a never ending cycle. Basically, you can't make everyone happy. But I can at least try. ;)

So, I'm going to experiment with this blog layout for a bit. See how it goes.

Tuesday, February 19

Snort Drinking Game by Erek Adams

Today I went looking for the "Snort Drinking Game". A joke made by Erek Adams, who, unfortunately for all those involved with Snort and his family + friends, passed away last October. So, in honor of Erek, I repost HIS drinking game here. I did NOT make it, this is EREK's. However, the game is getting a bit hard to find (only via the WayBack machine was I able to find it), now that Erek's servers are gone.

So, in honor of him:

Welcome to the Snort-Users Drinking Game!
version 1.00
By Erek Adams
The most current version of this can be found at
http://www.theadamsfamily.net/~erek/snort/drinking_game.txt . Please send
suggestions/updates to erek@theadamsfamily.net.

-----
WARNING: Excessive use of alcohol can be dangerous to your health. Please
play this game sensibly. If you start to feel ill or sick, stop playing!
Alcohol poisoning is not fun, and you can kill yourself!

Please be sensible! This is for _fun_ only!!

And if you don't like alcohol, please use your beverage of choice!
-----

Instructions: Don't read your snort-users email for a month. Or failing
that, you could use the archives. Start with the first email message for the
month. Read it. If an item from the following lists is in the email, take
the penalty drink. If not, go onto the next message. Repeat until you can't
read anymore, or have an empty bottle. ;-)

Please note: These are cumulative! Be careful, as you could have SIX+ drinks
from one email!

Let's Begin!!

Take one drink if.....

The question is answered in the documentation.
The question is answered in the FAQ.
The writer doesn't know how to use Google.
The reply is "RTFM"
The reply is "It's in the FAQ"
Writer is using Red Hat's broken pcap.
"Why aren't portscans showing up in ACID?"
"Why is snort not reporting dropped packets the right way on Linux?"
Marty complains about Red Hat's brokenness.
Writer is using "Linux 8" or "Linux 9".
Writer has a .sig over 4 lines.
Writer posts a packet capture with the IP's XXX'ed out, but still leaves them in the hex decode below.
The drinking game starts its own thread.

Take two drinks if.....

Writer obviously has _never_ read any docs.
Writer obviously doesn't know how to compile.
"How can I auto update the rules?"
Writer asks "Where is signature XX?" and that's already in the rules.
Writer says "It's broken." and includes _nothing useful_ about the setup.
Someone replies to a digest mode email, and includes the whole digest.
A virus scanner kicks email back to the list.
Writer's .sig contains a "The contents of this email.." style disclaimer.
Post contains a "Stupid Management Tricks" story.
Message says "Please unsubscribe me from this list."
Message is _entirely_ blank.
Confirmation/signup email gets sent to the entire list.
Someone posts a non RFC-1918 IP and remarks that "it's not being used by anyone."
Someone replies to a message and has more 'header cruft' in their message than content--Thank you Lotus Notes....
You post a message to the list and get a "I am out of the office message...."
If you realize that _YOU_ were the reason another penalty drink was added to the Drinking Game.
You hit "Reply to All" instead of "Reply" and you start your response with the words "Hey Sexy!"
Writer says "I've searched Google and can't find the answer." and the answer is in the first 10 results.

Take three drinks if.....

The message has "Whitehats.com is down" or "Where's another Whitehats?"
Someone wants the file vision18.conf.gz.
"Can snort email me alerts?"
"Can snort page me with alerts?"
Writer is using an old version (non-current release) of snort.
Writer becomes offended at "Kickass P0rn."
Writer becomes offended at comments in source code.
Writer isn't even sure what snort does.
Writer starts an OS Holy War.
Someone posts in HTML-ized email.
Poster's .sig or disclaimer is longer than the reply.
Writer has no clue that http://www.snort.org/ exists.
Someone has to correct your drink totals for a penalty.
Someone posts their IP asking for a portscan.
Writer obviously thinks that Red Hat == Linux.
Writer places the question and or email in the subject and leaves the body of the email blank.
You move your mailserver from coast to coast w/o a temp box setup and your bounces get you unsubscribed from the snort-users list. *sigh*
You post more than one message to the list and get back a "I am out of the office..." message for _each_ post you made.
You have a broken vacation message that responds to each post made to a mailing list.
You realize that you just posted a "Hey Sexy!" response to a worldwide mailing list.... From your _work_ email address.

And the Big Penalty Drink:

If you realize you are drinking to your own post, DOUBLE the penalty.
IOW, if you posted an HTML-ized email, take six (yes, 6) drinks.

So, in honor of him I've found it and placed it here, plus we've updated it:

http://blog.joelesler.net/the-snort-drinking-game

Saturday, February 16

Snort Hints

I recently received a question via the blog email. Email read:

"I'm a new Snort user in an IDS class and I'm getting the following error message about my bad traffic rule. However, if I comment out this rule it still appears in every successive rule. I have also opened the bad traffic rule file and I see no "!any" syntax. Can you give some more advice?

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: c:\snort\rules/bad-traffic.rules(27) => !any is not allowed
Fatal Error, Quitting..
C:\Snort\bin>

Additionally, I get this error message if I'm trying to run a custom rule named testing.rule:

ERROR: Unable to open rules file:
c:\snort\rules/TESTING.rules or C:\snort\etc\c:\snort\rules/TESTING.rules
Fatal Error, Quittting...
Any advice here also?"


Now, this looks like two separate problems. Let's look at the first one.

The (27) in the error message above tells you exactly which line the error is on. You can jump straight to it in vi by starting vi like this: "vi +27 bad-traffic.rules". This opens bad-traffic.rules at exactly line 27. So I asked the guy, "What is line 27?"

"alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)"

Okay, so the error is "!any is not allowed". The only "any" I see here is the one after $EXTERNAL_NET, so that tells me something is screwed up in the snort.conf. So I asked how he had his variables configured.

"var HOME_NET 192.168.0.0/24
var HOME_NET any
var EXTERNAL_NET !$HOME_NET"


Was the answer I got. What happens here is that Snort reads the variables in the snort.conf file from top to bottom, so the last HOME_NET that was configured is "any". Then EXTERNAL_NET is read as "!any", which you can't do. The header of the rule winds up being:

"alert tcp !any any <> any 0" See how that doesn't work?

Now, for the second question..

Looks like a simple misconfiguration of the RULE_PATH variable. RULE_PATH is by default "../rules", so it just looks like testing.rules isn't in that directory (the error shows Snort trying the path as given and then relative to its config directory, and finding nothing either way). So you either have to set RULE_PATH to the correct path, or put your rules in the RULE_PATH directory.
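To show the top-to-bottom variable behaviour described in the first question, here is an added example, not Snort's own parser: a small Python linter (hypothetical names `resolve_vars`, `expand_header`, `check_header` and `lint`) that reads `var` lines in order, expands `$VAR` references in a rule header, and reports a negated `any` the way Snort's error message does. It handles only the `var NAME VALUE` form used in the email; the broken config, the corrected config (second HOME_NET line removed) and the rule text are taken from the post.

```python
"""Resolve snort.conf 'var' lines top-to-bottom and lint a rule header.

Added example, not Snort's own code. It only understands 'var NAME VALUE'
lines and '$NAME' references, which is all that is needed to reproduce the
"!any is not allowed" error from the post.
"""
import re

# The reader's variable lines, exactly as posted (the second HOME_NET wins).
BROKEN_CONF = """\
var HOME_NET 192.168.0.0/24
var HOME_NET any
var EXTERNAL_NET !$HOME_NET
"""

# Same file with the stray 'var HOME_NET any' removed.
FIXED_CONF = """\
var HOME_NET 192.168.0.0/24
var EXTERNAL_NET !$HOME_NET
"""

# Line 27 of bad-traffic.rules as quoted in the post.
RULE_27 = ('alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; '
           'flow:stateless; classtype:misc-activity; sid:524; rev:8;)')

VAR_LINE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")
VAR_REF = re.compile(r"\$(\w+)")


def resolve_vars(conf_text):
    """Read 'var' lines in file order; a later definition replaces an earlier one.

    Returns (env, redefined): the final value of every variable and the names
    that were defined more than once, which is the symptom in the post.
    $NAME references are expanded with whatever NAME holds at that point.
    """
    env = {}
    redefined = []
    for line in conf_text.splitlines():
        m = VAR_LINE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name in env:
            redefined.append(name)
        env[name] = VAR_REF.sub(lambda r: env.get(r.group(1), r.group(0)), value)
    return env, redefined


def expand_header(rule, env):
    """Substitute $VARs in the rule header (everything before the '(' options)."""
    header = rule.split("(", 1)[0].strip()
    return VAR_REF.sub(lambda r: env.get(r.group(1), r.group(0)), header)


def check_header(header):
    """Mirror Snort's refusal of a negated 'any': return the error text, or None."""
    for field in header.split():
        if field == "!any":
            return "!any is not allowed"
    return None


def lint(conf_text, rule):
    """Return (expanded header, error or None, list of redefined variable names)."""
    env, redefined = resolve_vars(conf_text)
    header = expand_header(rule, env)
    return header, check_header(header), redefined


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        header, err, redefined = lint(conf, RULE_27)
        print(f"{label}: {header!r} -> {err or 'ok'}; redefined: {redefined}")
```

Running it on the broken config yields the exact header the post shows, `alert tcp !any any <> any 0`, with `HOME_NET` flagged as defined twice; on the fixed config `$EXTERNAL_NET` becomes `!192.168.0.0/24` and the rule passes.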

I posted these hints and this email with permission from the guy who wrote the question in to me, with the promise that I remove his name. No problem. Thanks.

If you have questions, feel free to write me. However, as I will tell you in #snort on IRC, and as I will tell you in forums. We are not here to help you do your homework. Every year at the same time we start getting a ton of really basic questions from users in IRC and on the Snort-Users list. There has to be a class at a University out there somewhere that is giving assignments.

Last year we got a classic one on the snort-users list. It was a direct copy and paste of the assignment asking us to answer his questions for him.

I'm definitely not saying that this guy that wrote me is in a class like that, since this kind of question happens all the time, it just happens to be that time of year.

New Template

I switched templates from the green one that I used to have to this newer template made over here by TemplatesForBlogger. I think it looks rather nice, except I see that it has at least one error in it. I've noticed that if I put two spaces after a period, like you are supposed to, you get this funky character. See? Right there.

Any CSS and Html people know what the issue is?  I suck at HTML and CSS.

Go, Walk no.. Run to CostCo

If you are lucky enough to have a CostCo in your area, go ahead and go. Went there today, and they had a nice deal on thumbdrives. You can get 3 2 GB Sandisk Retractable USB Cruzer Drives for 48 bucks (16 dollars a piece). So it's slightly cheaper than (or about the same as) Newegg.com's prices here. Except, you get 3.

I think it's a good deal, at least comparable. Hell, I remember spending 89 dollars for my 512 MB thumbdrive back in the day, and that was a steal. Now 2 GB ones are McDonalds money. (Reference: McDonalds money means "roughly the same as it would cost my family to eat at McDonalds".)

Toshiba to give up on HD DVD

According to a source Reuters has, HD-DVD is done.

Money Quote: "TOKYO (Reuters) - Toshiba Corp is planning to give up on its HD DVD format for high definition DVDs, conceding defeat to the competing Blu-Ray technology backed by Sony Corp, a company source said on Saturday."

Glad I went the Blu-Ray route.

Friday, February 15

Google Calendar and iCal Syncing

Well, I wanted a way for my wife to be able to accept events on her iCal, have it sync, automatically to her Blackberry, and even more, sync automatically with my iCal.  So, I found a nifty Google app called Google Mobile Sync for the Blackberry that automatically syncs the Blackberry and Google Calendar.  Great.  That's what I needed.

So I made a calendar in Google Calendar under my wife's Google account and tied the Blackberry to that.

Now I had to get her iCal (where she presently has all her events) to be able to sync with her Google Calendar. Here is the tricky part. You can read and subscribe to a Google Calendar, even setting permissions per user, but you can't write to a Google Calendar (you can't use WebDAV from iCal to publish to Google Calendar). That sucks. (Hey Google, fix this, I know a couple of you read this blog. I have logs, I have logs...)

So I found this app called SpanningSync which syncs your Google Calendar and your iCal (both ways). Which is essentially the solution. The only problem with this solution that I see is that you have to pay for the app. I mean, I don't mind paying for software, I think coders should get paid too, but 65 bucks? It's a tad bit much. If it were, say, 29 bucks for lifetime usage, then that would be the way to go. Anyway, I hope this helps you all.

Mossberg previews Lenovo's 'Air-killer' X300

I read this article about Lenovo's (Thinkpad) MacBook Air 'Killer' X300, and kinda threw up in my mouth a little bit.

So let's take a look. This thing has 3 USB ports (as opposed to the MacBook Air's 1), it has a DVD drive (the Air doesn't), has Wifi, an optional 3G or GPS receiver, a removable battery (the Air doesn't -- well, not easily) and not one, but TWO mouse pointing devices.

So there are pros and cons.

Lenovo --
Has more USB, Apple could do with more USB devices.
DVD Drive, I think Apple did the right thing here and killed the DVD drive. In fact, I think that they will kill off the optical drive in all systems and start shipping their software on USB sticks. Think about how much THAT would save in shipping costs.
Removable Battery -- Okay, well, I'd like to have the ability to easily swap out the MacBook Air's battery. So I kinda have to agree with it.
The Lenovo is thicker, uglier, and really Lenovo, wtf is with TWO mice? The red stick and the trackpad? I have never met anyone, ever, that likes the red stick. The trackpad has become the standard, please get with the program. I remember seeing a laptop not too long ago that had the stick, the trackpad, AND the damn trackball. 3 mice. Seriously. Knock it off. Go with the trackpad; it seems to work.
Has a slot for a 3G card. Now THAT is what the MacBook Air is lacking. They need the ExpressCard slot.

MacBook Air --
Sexy. The Lenovo is the typical Thinkpad ugly ass computer.
Simple. It's a damn Mac!
Lacks more USB
Lacks Optical Drive (so what?)
Lacks Removable Battery

Bottom line, it depends on what you are looking for. Personally I'd like the MacBook Air, but there are too many drawbacks. However, I'd buy it simply because it's a Mac and I refuse to use anything else as my desktop (well, I'd use a BSD or a Linux distro as well I guess, but given the option, I'd use a Mac 100%). But I have a MacBook Pro. I love this computer, I am writing on it right now. I think the MacBook Pro has it going on.

There is a certain demographic that the MacBook Air is aimed towards, and I think it will sell well in that demographic.

In other news, the same website is reporting that Best Buy is out of the 15in MacBook Pro. Which usually means that Apple has a new one right around the corner. Thinner? Sleeker? Better?

Wordpress plugin exploit

Wordpress seems to be getting its butt kicked lately with all the exploits that are coming out for it and its plugins. In a new one just published to milw0rm today, this one deals with "Simple Forum". I guess there is no rest for the exploit writers out there, even if this one does seem rather weak. Especially when the tag line at the bottom of the exploit reads: "i AM NOT HACKER" instead of the much better "I am not A hacker". It's all in the details.

The Difference between two operating systems

Often I am criticized because I rave on and on about the Mac platform and constantly put down Microsoft without ever actually saying why I hate (MSFT) so much.

It's simply because it's hard to explain. When you are using Microsoft Windows, let's say XP because that's what I am forced to use, you get the overwhelming sense of misplacement. Things don't function as they should; icons, toolbars, and menus feel out of place and not well constructed. The whole OS just feels like a kludge. Like it was designed by a committee, on a white board, and no one in the room was told "no" to any idea.

Installing apps is insane. Next, next, next, agree, ok, next, done, reboot (sometimes). Now, yes, there are a bunch of Mac programs that do the same thing, especially the ones from Apple itself, but I think the apps that really get it right on the Mac platform are the ones that, when you download them, automount and present you with two icons: the one for the program you just downloaded, and a shortcut icon for the Applications folder. All you have to do is a one second drag and drop from left to right. The program installs. Done.

That's the way it should be.

This article that I just read really hits the nail on the head. I enjoyed reading it; it prompted many of the thoughts that I just wrote up there. So excuse me if you read some redundancy.

Take a read. It's a great article.


Thursday, February 14

Teen hax0rs iPhone. Again.

In the quest for people to keep hacking the iPhone (at least, I guess, partly until the SDK comes out), the Register is running an article about a teen that has re-hacked the iPhone on the new 1.1.3 firmware.  Except this time it wasn't like exploiting the TIFF flaw.  This was much harder.

Money quote: "The latest salvo was fired late last week, following a 24-hour hacking spree by Geohot that was broken up by only three hours of sleep. It turns out the latest firmware contained modifications to the device's memory registers to prevent unlocking. Geohot worked around those changes by finding another, much higher register that was vulnerable."

When the SDK comes out, I am sure some of the hacking (or the pace of it) will probably slow down, because people will actually have a legit way of getting apps on the iPhone.  However, there will be a certain percentage that will be interested in it because of the SIM card unlocks.

People want to be able to take their phones to other networks.  I have a buddy of mine that has his on T-Mobile.

But I know a lot of people that have hacked their iPhones for the apps.  I used to have my iPhone hacked, but then the firmware update (1.1.1?) came out that allowed me to download music directly on the phone.  That's all I wanted.  After I got that, there really weren't any other apps I was interested in.

There are a couple Apps I would like Apple to come out with.
1) A to-do syncer
2) Notes syncer
3) .mac syncing OTA
4) iChat interface.

If Apple had those features on the iPhone (while the top two are also updates to iTunes, pretty much), I'd be pretty happy.
Thanks go to Craig, who sent me this article.

Wednesday, February 13

Handler posting

I was the Handler of the Day today at the ISC.  I posted absolutely nothing.  I apologize to you all that were expecting me to write something.  I was very busy today with work related stuff, and to be honest, not much came into the ISC today that we haven't already seen or posted about.  I would say about 90% of the emails that came in today (100+) were about the Trend Micro whoopsie.  Out of the remaining 10%, I'd say a bunch were about the Adobe vulnerabilities.  Two things we have written about already, so, not much to say today.

I had to work with Snort, some rules, and a few pcaps today for a customer.  So I am tired ;)

Tuesday, February 12

Apple releases Apple TV "Take 2" software update

In Apple's quest to update, um, pretty much everything they have, the Apple TV update has hit the streets as well.  Apple is on a roll.

Apple releases Apple TV "Take 2" software update

Apple on Tuesday quietly released its much-anticipated Apple TV "Take 2" software update, which introduces a brand new on-screen interface and allows users to rent high definition movies directly from their widescreen TVs. The update is available f...

URL: http://www.appleinsider.com/article.php?id=3740


iLife Support Update 8.2

Apple is cranking out the updates recently.  Wow!  This is probably the third or fourth upgrade in the past week.  Go ahead Apple!

Apple describes this one as: "This update supports system software components shared by all iLife ’08 applications to improve their stability and performance. "

Leopard Graphics Update

I received an email today at the ISC talking about the Quicktime update and I thought to myself "there is another one? Didn't we just get Quicktime 7.4.1?"  So I clicked on Software Update to see if there was, turns out, no, there wasn't a new Quicktime Update, but there is an update called "Leopard Graphics Update" which is downloading right now to my machine.

So, aside from the 10.5.2 that rolled out last night, there is also the Leopard Graphics Update.  So make sure you grab that one as well.

SC Magazine Interview

I was contacted today by a writer for SC Magazine named Dan Kaplan.   He wanted me to shed some light on what I thought about the OSX update that just came out and, specifically, whether I thought that OSX would increasingly become a target for future vulnerabilities as Apple's market share continued to go up.

The article is live and you can get to it here.  Thanks, Dan, for putting in a few of my comments.  However, I wrote practically a whole blog entry for him (overkill I guess ;), and thought that I should post what I wrote to him on the blog here.

Feel free to comment.

"The patches really strike me as Apple listening to its users and really taking its competition in the OS space to heart. Apple has always prided itself on being different yet being able to implement functionality in a coherent product. They have realized that it's not about the features of the OS, or trying to make it "pretty", it's about how the user approaches the product. How can they make it easier and make it an easy product to use and figure out.

Along the lines of listening to its users -- a lot of people didn't like Stacks, (the fan), they liked the list format that was popular in Tiger. So Apple put that back in. Some people didn't like the translucent menu bar, so Apple gave you a way to turn it off. There was no obvious way to tell when a Time Machine backup last occurred without opening System Preferences and looking it up. Or there was no way to tell when a backup was taking place. So Apple put an icon in the menu bar to tell you. Taking it a step further, even allowing you to click on "Back Up Now", forcing the backup. Figuring out better interoperability with 3rd party routers with Back to My Mac and iChat. Figuring out how to make a consistent user experience. All of this to me shows that Apple is listening to their users, making features that users really like present in the product.

Apple furthermore having the Leopard Graphics Update come out really shows where Apple shines. Having the hardware and software coupled together allows Apple to maintain a better user experience for their customers. The ability to upgrade drivers through a patch, pushed down from the vendor, without the user having to go to 30 different sites to update their BIOS, their graphics drivers, their OS patches, etc... This really makes for a consistent user experience. The ability for Apple users to get ALL of their updates in the SAME place, just by going to Software Update. It's priceless in my opinion. I'd like to see more convergence in this space as well. The ability for a user to click on Software Update, and not only get patches for OSX, but also for third party applications, such as Firefox or Thunderbird even the Cisco VPN client. Having all these updates come from a single location would be ideal.

As for the security updates, of course, as OSX gains market share, it will become increasingly a target. That is inevitable. However, Apple has made the decision in the past to kill legacy hardware and software. They killed off an entire OS! (OS 9 -- Classic) Sometimes at the detriment of their users. However, they don't have to deal with driver issues and hardware/software issues that Windows has been plagued with for years. Windows has had to drag all this old code along in each of their OS updates, and while Microsoft has made a lot of progress in recent years with the security of its platform, the same old Spyware, Malware, Trojans, Worms, and Viruses are still a problem. I believe that OSX increasingly will be in the crosshairs of the malware/spyware/trojans/worm/virus/exploit writers, and there is recent evidence of this when it comes to the Safari browser and Quicktime. Apple has been dealing a lot better with the community and those that find vulnerabilities in OSX, communicating better between researchers and the Product Security Department.

Apple also integrates a lot of Open Source code into their Operating System; take a patch for Samba that just came out with the 10.5.2 (Security Update 2008-0001). Samba is a piece of Open Source code that allows for interoperability with Windows networks. While the vulnerability isn't Apple's but Samba's, Apple integrates Samba's code, so Apple is also responsible for patching OSX as well. "

Monday, February 11

Mac OSX 10.5.2 and Security Update 2008-0001 hit the streets

Listed below are all the updates for Leopard 10.5.2 and Security Update 2008-0001.  All in all, this is a much needed and timely update, and it looks to be huge.  (Downloading right now on my MacBook Pro, the size shows 180 MB.)

Active Directory

  • Addresses issues which could hinder or prevent binding Mac OS X 10.5.x clients to Active Directory domains.

AirPort

  • Improves connection reliability and stability
  • Includes 802.1X improvements.
  • Resolves certain kernel panics.

Back to my Mac

  • Adds support for more third-party routers, as detailed in this article.

Dashboard

  • Improves performance of certain Apple Dashboard widgets (such as Dictionary).
  • Addresses an issue in which Dashboard widgets may no longer be accessible after switching to or from an account that has Parental Controls enabled.

Dock

  • Updates Stacks with a List view option, a Folder view option, and an updated background for Grid view.

Desktop

  • Addresses legibility issues with the menu bar with an option to turn off transparency in Desktop & Screen Saver preferences.
  • Adjusts menus to be slightly-less translucent overall.

iCal

  • Improves iCal so that it accurately reflects responses to recurring meetings.
  • Addresses an issue in which a meeting may remain on the calendar after being cancelled.
  • Addresses stability issues related to .Mac syncing of iCal calendars.
  • Resolves an intermittent issue in which editing an event with attendees would cause the event to shrink and not register that the event was updated.

iChat

  • Addresses an issue with simultaneously-logged in accounts in which iChat sounds generated from one account might be heard in another account.
  • Fixes an issue in which iChat idle time is affected by Time Machine backups.
  • Improves connectivity when running iChat behind a router that doesn’t preserve ports.
  • Enables logged chats from previous versions of iChat to open faster and more reliably.
  • Addresses an issue with text chats in which users may be unable to receive messages from the sender.
  • Addresses an issue that may prevent rejoining an AIM chat room without reopening iChat.
  • Addresses video chat compatibility issues with AIM 6 and third-party routers.
  • Fixes an issue with case-sensitivity of AIM handles.

iSync

  • Adds support for Samsung D600E and D900i phones.

Finder

  • Addresses an issue in which Finder could unexpectedly quit when displaying folder contents in Column view.
  • Addresses an issue in which Finder could unexpectedly quit when accessing Users and Groups in a Get Info pane.
  • Resolves an issue that prevented setting permissions on a folder alias.
  • Resolves an issue in which the Eject command could write to a disc in the optical drive.
  • Fixes an issue in which the scroll bar might disappear when deleting a file within a folder that includes files that are out of view.
  • Fixes an issue in the Sharing & Permissions section of Get Info windows, in which the gear icon appears to be gray/disabled after authentication.
  • Addresses an issue in which the Show Icon Preview preference might not be saved when turning it off.
  • Fixes an issue that could occur when trying to print an image from the Finder. 

Mail

  • Addresses an issue with Message menu's "Mark As Read" choice.
  • Fixes an issue in which duplicate On My Mac folders may appear in the sidebar after upgrading to Leopard.
  • Improves the accuracy of the Data Detectors feature.
  • Resolves an issue with scrolling through a Note that is displayed using the split view in the message window.
  • Fixes an issue with deleting messages located in the Drafts folder.
  • Fixes an issue in which dragging the icon in the Safari URL field into a Mail message creates an attachment instead of a link.
  • Addresses an issue found when opening a item in the Notes folder that is not a Note.
  • Fixes an issue that may prevent RSS feeds from being delivered in Mail.
  • Resolves an issue in which a selected message could "flash" from blue to gray when in Organize by Thread mode.
  • Fixes an issue with scrolling between multiple To Dos in an email message.
  • Fixes an issue in which the body of email messages with certain MIME structures may not be displayed.
  • Improves performance with America Online (AOL) account-based messages in Mail.
  • Addresses issues with some ISPs during automatic set-up in Mail.
  • Addresses an issue in which Mail might not send mail on some networks to some SMTP servers.
  • Mail now automatically disables the (unsupported) third-party plugin GrowlMail version 1.1.2 or earlier to avoid issues.
  • Adds an option to view large icons in the Mailbox list.

Networking

  • Addresses a hanging issue that may occur when connecting to an AFP network volume.

Parental Controls

  • Improves stability when opening the Parental Controls System Preferences pane.
  • Fixes an issue that may prevent changes to the email address for permission requests.
  • Addresses an issue with printer administration for a guest account enabled with Parental Controls.
  • Addresses an issue with setting printer administration privileges from another Mac on the local network.
  • Fixes an issue that could prevent certain applications from being allowed.
  • Addresses accuracy issues with the web content filter. 

Preview

  • Improves stability when scrolling through a PDF document.
  • Fixes an issue that prevents tabbing within a PDF document after clicking on the PDF.
  • Improves the Mail Document feature so that email attachments are more reliably created from Print Preview. 

Printing

  • Addresses an issue in which remote printers may be deleted when the computer is put to sleep.
  • Improves printing performance when using some Microsoft Office applications.
  • Resolves an issue with some printing options, such as landscape orientation, number of copies, two-sided printing, and so forth that may not have functioned with some printers shared by Microsoft Windows.
  • Adds support for certain printers connected to the USB port of an AirPort Extreme or AirPort Express base station.
  • Resolves a stalling issue that could occur when installing certain Canon printing software from a disc.

RAW Image

  • Adds RAW image support for several cameras, as detailed in this article.

Safari

  • Addresses issues with Safari reliably resolving certain domains.

Login and Setup Assistant

  • Addresses an issue in which Setup Assistant could unexpectedly appear each time Mac OS X 10.5 starts up.
  • Improves stability and performance during log in.

System

  • Improves the accuracy of the grammar checker.
  • The computer will now shut down if an automatic disk repair does not succeed during startup. 

Time Machine

  • Adds a menu bar option for accessing Time Machine features (the menu extra can be enabled in Time Machine preferences).
  • Improves backup reliability when computer name contains slash or non-ASCII characters.
  • Fixes an issue in which the backup disk displayed in the Finder may be out of sync with the disk chosen for Time Machine.
  • Addresses issues in which some external drives are not recognized by Time Machine.
  • The status menu now appears by default.

Other

  • Improves general stability when running third-party applications.
  • Addresses an issue in which the incorrect search results may be displayed for certain Automator Find/Filter actions.
  • Addresses an issue with the Latvian and Russian keyboard layouts.
  • Addresses an issue in which the backlight could turn off before Energy Saver's backlight setting.

And as for Security Update 2008-0001

Mac OS X v10.5.2 / Security Update 2008-001


  • Directory Services

    CVE-ID: CVE-2007-0355

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A local user may be able to execute arbitrary code with system privileges

    Description: A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved bounds checking. This has been described on the Month of Apple Bugs web site (MOAB-17-01-2007). This issue does not affect systems running Mac OS X v10.5 or later. Credit to Kevin Finisterre of Netragard for reporting this issue.

  • Foundation

    CVE-ID: CVE-2008-0035

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution

    Description: A memory corruption issue exists in Safari's handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of URLs. This issue does not affect systems prior to Mac OS X v10.5.

  • Launch Services

    CVE-ID: CVE-2008-0038

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: An application removed from the system may still be launched via the Time Machine backup

    Description: Launch Services is an API to open applications or their document files or URLs in a way similar to the Finder or the Dock. Users expect that uninstalling an application from their system will prevent it from being launched. However, when an application has been uninstalled from the system, Launch Services may allow it to be launched if it is present in a Time Machine backup. This update addresses the issue by not allowing applications to be launched directly from a Time Machine backup. This issue does not affect systems prior to Mac OS X v10.5. Credit to Steven Fisher of Discovery Software Ltd. and Ian Coutier for reporting this issue.

  • Mail

    CVE-ID: CVE-2008-0039

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Accessing a URL in a message may lead to arbitrary code execution

    Description: An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message. This update addresses the issue by displaying the location of the file in Finder rather than launching it. This issue does not affect systems running Mac OS X v10.5 or later.

  • NFS

    CVE-ID: CVE-2008-0040

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: If the system is being used as an NFS client or server, a remote attacker may cause an unexpected system shutdown or arbitrary code execution

    Description: A memory corruption issue exists in NFS's handling of mbuf chains. If the system is being used as an NFS client or server, a malicious NFS server or client may be able to cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through improved handling of mbuf chains. This issue does not affect systems prior to Mac OS X v10.5. Credit to Oleg Drokin of Sun Microsystems for reporting this issue.

  • Open Directory

    Available for: Mac OS X v10.4.11, Mac OS X v10.4.11 Server

    Impact: NTLM authentication requests may always fail

    Description: This update addresses a non-security issue introduced in Mac OS X v10.4.11. A race condition in Open Directory's Active Directory plug-in may terminate the operation of winbindd, causing NTLM authentications to fail. This update addresses the issue by correcting the race condition that could terminate winbindd. This issue only affects Mac OS X v10.4.11 systems configured for use with Active Directory.

  • Parental Controls

    CVE-ID: CVE-2008-0041

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Requesting to unblock a website leads to information disclosure

    Description: When set to manage web content, Parental Controls will inadvertently contact www.apple.com when a website is unblocked. This allows a remote user to detect the machines running Parental Controls. This update addresses the issue by removing the outgoing network traffic when a website is unblocked. This issue does not affect systems prior to Mac OS X v10.5. Credit to Jesse Pearson for reporting this issue.

  • Samba

    CVE-ID: CVE-2007-6015

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

    Description: A stack buffer overflow may occur in Samba when processing certain NetBIOS Name Service requests. If a system is explicitly configured to allow "domain logons", an unexpected application termination or arbitrary code execution could occur when processing a request. Mac OS X Server systems configured as domain controllers are also affected. This update addresses the issue by applying the Samba patch. Further information is available via the Samba web site at http://www.samba.org/samba/history/security.html. Credit to Alin Rad Pop of Secunia Research for reporting this issue.

  • Terminal

    CVE-ID: CVE-2008-0042

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

    Description: An input validation issue exists in the processing of URL schemes handled by Terminal.app. By enticing a user to visit a maliciously crafted web page, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved validation of URLs. Credit to Olli Leppanen of Digital Film Finland and Brian Mastenbrook for reporting this issue.

  • X11

    CVE-ID: CVE-2007-4568

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Multiple Vulnerabilities exist in X11 X Font Server (XFS) 1.0.4

    Description: Multiple vulnerabilities in X11 X Font Server (XFS), the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security

  • X11

    CVE-ID: CVE-2008-0037

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Changing the settings in the Security Preferences Panel has no effect

    Description: The X11 server is not reading correctly its "Allow connections from network client" preference, which can cause the X11 server to allow connections from network clients, even when the preference is turned off. This update addresses the issue by ensuring the X11 server reads its preferences correctly. This issue does not affect systems prior to Mac OS X v10.5.




Handler Shift on Wednesday

Looks like I am the Handler for the Internet Storm Center on Wednesday. The day after 12 patches hit the intarwebz from Microsoft (MSFT). I don't do a lot of postings (read: usually any) during the day when I am on shift (because I am working!), and on Wednesdays there is usually so much email we have a hard time keeping up.

Everyone writes in asking why the ISC rated something Critical when it's not. (BTW -- it takes a lot for us to make a determination between Client and Server.) If you don't know what I am talking about, tune in tomorrow around noon EST. You'll see.



Mac OSX 10.5.2 and Security Update 2008-0001 hit the streets

Listed below are all the updates for Leopard 10.5.2 and Security Update 2008-0001. All in all, this is a much-needed and timely update, and it looks to be huge. (Downloading right now on my MacBook Pro, the size shows 180 Mb.)

Active Directory

  • Addresses issues which could hinder or prevent binding Mac OS X 10.5.x clients to Active Directory domains.

AirPort

  • Improves connection reliability and stability
  • Includes 802.1X improvements.
  • Resolves certain kernel panics.

Back to my Mac

  • Adds support for more third-party routers, as detailed in this article.

Dashboard

  • Improves performance of certain Apple Dashboard widgets (such as Dictionary).
  • Addresses an issue in which Dashboard widgets may no longer be accessible after switching to or from an account that has Parental Controls enabled.

Dock

  • Updates Stacks with a List view option, a Folder view option, and an updated background for Grid view.

Desktop

  • Addresses legibility issues with the menu bar with an option to turn off transparency in Desktop & Screen Saver preferences.
  • Adjusts menus to be slightly-less translucent overall.

iCal

  • Improves iCal so that it accurately reflects responses to recurring meetings.
  • Addresses an issue in which a meeting may remain on the calendar after being cancelled.
  • Addresses stability issues related to .Mac syncing of iCal calendars.
  • Resolves an intermittent issue in which editing an event with attendees would cause the event to shrink and not register that the event was updated.

iChat

  • Addresses an issue with simultaneously-logged in accounts in which iChat sounds generated from one account might be heard in another account.
  • Fixes an issue in which iChat idle time is affected by Time Machine backups.
  • Improves connectivity when running iChat behind a router that doesn’t preserve ports.
  • Enables logged chats from previous versions of iChat to open faster and more reliably.
  • Addresses an issue with text chats in which users may be unable to receive messages from the sender.
  • Addresses an issue that may prevent rejoining an AIM chat room without reopening iChat.
  • Addresses video chat compatibility issues with AIM 6 and third-party routers.
  • Fixes an issue with case-sensitivity of AIM handles.

iSync

  • Adds support for Samsung D600E and D900i phones.

Finder

  • Addresses an issue in which Finder could unexpectedly quit when displaying folder contents in Column view.
  • Addresses an issue in which Finder could unexpectedly quit when accessing Users and Groups in a Get Info pane.
  • Resolves an issue that prevented setting permissions on a folder alias.
  • Resolves an issue in which the Eject command could write to a disc in the optical drive.
  • Fixes an issue in which the scroll bar might disappear when deleting a file within a folder that includes files that are out of view.
  • Fixes an issue in the Sharing & Permissions section of Get Info windows, in which the gear icon appears to be gray/disabled after authentication.
  • Addresses an issue in which the Show Icon Preview preference might not be saved when turning it off.
  • Fixes an issue that could occur when trying to print an image from the Finder. 

Mail

  • Addresses an issue with Message menu's "Mark As Read" choice.
  • Fixes an issue in which duplicate On My Mac folders may appear in the sidebar after upgrading to Leopard.
  • Improves the accuracy of the Data Detectors feature.
  • Resolves an issue with scrolling through a Note that is displayed using the split view in the message window.
  • Fixes an issue with deleting messages located in the Drafts folder.
  • Fixes an issue in which dragging the icon in the Safari URL field into a Mail message creates an attachment instead of a link.
  • Addresses an issue found when opening a item in the Notes folder that is not a Note.
  • Fixes an issue that may prevent RSS feeds from being delivered in Mail.
  • Resolves an issue in which a selected message could "flash" from blue to gray when in Organize by Thread mode.
  • Fixes an issue with scrolling between multiple To Dos in an email message.
  • Fixes an issue in which the body of email messages with certain MIME structures may not be displayed.
  • Improves performance with America Online (AOL) account-based messages in Mail.
  • Addresses issues with some ISPs during automatic set-up in Mail.
  • Addresses an issue in which Mail might not send mail on some networks to some SMTP servers.
  • Mail now automatically disables the (unsupported) third-party plugin GrowlMail version 1.1.2 or earlier to avoid issues.
  • Adds an option to view large icons in the Mailbox list.

Networking

  • Addresses a hanging issue that may occur when connecting to an AFP network volume.

Parental Controls

  • Improves stability when opening the Parental Controls System Preferences pane.
  • Fixes an issue that may prevent changes to the email address for permission requests.
  • Addresses an issue with printer administration for a guest account enabled with Parental Controls.
  • Addresses an issue with setting printer administration privileges from another Mac on the local network.
  • Fixes an issue that could prevent certain applications from being allowed.
  • Addresses accuracy issues with the web content filter. 

Preview

  • Improves stability when scrolling through a PDF document.
  • Fixes an issue that prevents tabbing within a PDF document after clicking on the PDF.
  • Improves the Mail Document feature so that email attachments are more reliably created from Print Preview. 

Printing

  • Addresses an issue in which remote printers may be deleted when the computer is put to sleep.
  • Improves printing performance when using some Microsoft Office applications.
  • Resolves an issue with some printing options, such as landscape orientation, number of copies, two-sided printing, and so forth that may not have functioned with some printers shared by Microsoft Windows.
  • Adds support for certain printers connected to the USB port of an AirPort Extreme or AirPort Express base station.
  • Resolves a stalling issue that could occur when installing certain Canon printing software from a disc.

RAW Image

  • Adds RAW image support for several cameras, as detailed in this article.

Safari

  • Addresses issues with Safari reliably resolving certain domains.

Login and Setup Assistant

  • Addresses an issue in which Setup Assistant could unexpectedly appear each time Mac OS X 10.5 starts up.
  • Improves stability and performance during log in.

System

  • Improves the accuracy of the grammar checker.
  • The computer will now shut down if an automatic disk repair does not succeed during startup. 

Time Machine

  • Adds a menu bar option for accessing Time Machine features (the menu extra can be enabled in Time Machine preferences).
  • Improves backup reliability when computer name contains slash or non-ASCII characters.
  • Fixes an issue in which the backup disk displayed in the Finder may be out of sync with the disk chosen for Time Machine.
  • Addresses issues in which some external drives are not recognized by Time Machine.
  • The status menu now appears by default.

Other

  • Improves general stability when running third-party applications.
  • Addresses an issue in which the incorrect search results may be displayed for certain Automator Find/Filter actions.
  • Addresses an issue with the Latvian and Russian keyboard layouts.
  • Addresses an issue in which the backlight could turn off before Energy Saver's backlight setting.

And as for Security Update 2008-0001

Mac OS X v10.5.2 / Security Update 2008-001


  • Directory Services

    CVE-ID: CVE-2007-0355

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A local user may be able to execute arbitrary code with system privileges

    Description: A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved bounds checking. This has been described on the Month of Apple Bugs web site (MOAB-17-01-2007). This issue does not affect systems running Mac OS X v10.5 or later. Credit to Kevin Finisterre of Netragard for reporting this issue.

  • Foundation

    CVE-ID: CVE-2008-0035

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution

    Description: A memory corruption issue exists in Safari's handling of URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of URLs. This issue does not affect systems prior to Mac OS X v10.5.

  • Launch Services

    CVE-ID: CVE-2008-0038

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: An application removed from the system may still be launched via the Time Machine backup

    Description: Launch Services is an API to open applications or their document files or URLs in a way similar to the Finder or the Dock. Users expect that uninstalling an application from their system will prevent it from being launched. However, when an application has been uninstalled from the system, Launch Services may allow it to be launched if it is present in a Time Machine backup. This update addresses the issue by not allowing applications to be launched directly from a Time Machine backup. This issue does not affect systems prior to Mac OS X v10.5. Credit to Steven Fisher of Discovery Software Ltd. and Ian Coutier for reporting this issue.

  • Mail

    CVE-ID: CVE-2008-0039

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: Accessing a URL in a message may lead to arbitrary code execution

    Description: An implementation issue exists in Mail's handling of file:// URLs, which may allow arbitrary applications to be launched without warning when a user clicks a URL in a message. This update addresses the issue by displaying the location of the file in Finder rather than launching it. This issue does not affect systems running Mac OS X v10.5 or later.

  • NFS

    CVE-ID: CVE-2008-0040

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: If the system is being used as an NFS client or server, a remote attacker may cause an unexpected system shutdown or arbitrary code execution

    Description: A memory corruption issue exists in NFS's handling of mbuf chains. If the system is being used as an NFS client or server, a malicious NFS server or client may be able to cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through improved handling of mbuf chains. This issue does not affect systems prior to Mac OS X v10.5. Credit to Oleg Drokin of Sun Microsystems for reporting this issue.

  • Open Directory

    Available for: Mac OS X v10.4.11, Mac OS X v10.4.11 Server

    Impact: NTLM authentication requests may always fail

    Description: This update addresses a non-security issue introduced in Mac OS X v10.4.11. A race condition in Open Directory's Active Directory plug-in may terminate the operation of winbindd, causing NTLM authentications to fail. This update addresses the issue by correcting the race condition that could terminate winbindd. This issue only affects Mac OS X v10.4.11 systems configured for use with Active Directory.

  • Parental Controls

    CVE-ID: CVE-2008-0041

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Requesting to unblock a website leads to information disclosure

    Description: When set to manage web content, Parental Controls will inadvertently contact www.apple.com when a website is unblocked. This allows a remote user to detect the machines running Parental Controls. This update addresses the issue by removing the outgoing network traffic when a website is unblocked. This issue does not affect systems prior to Mac OS X v10.5. Credit to Jesse Pearson for reporting this issue.

  • Samba

    CVE-ID: CVE-2007-6015

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution

    Description: A stack buffer overflow may occur in Samba when processing certain NetBIOS Name Service requests. If a system is explicitly configured to allow "domain logons", an unexpected application termination or arbitrary code execution could occur when processing a request. Mac OS X Server systems configured as domain controllers are also affected. This update addresses the issue by applying the Samba patch. Further information is available via the Samba web site at http://www.samba.org/samba/history/security.html Credit to Alin Rad Pop of Secunia Research for reporting this issue.

  • Terminal

    CVE-ID: CVE-2008-0042

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

    Description: An input validation issue exists in the processing of URL schemes handled by Terminal.app. By enticing a user to visit a maliciously crafted web page, an attacker may cause an application to be launched with controlled command line arguments, which may lead to arbitrary code execution. This update addresses the issue through improved validation of URLs. Credit to Olli Leppanen of Digital Film Finland and Brian Mastenbrook for reporting this issue.

  • X11

    CVE-ID: CVE-2007-4568

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Multiple Vulnerabilities exist in X11 X Font Server (XFS) 1.0.4

    Description: Multiple vulnerabilities in X11 X Font Server (XFS), the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating to version 1.0.5. Further information is available via the X.Org website at http://www.x.org/wiki/Development/Security

  • X11

    CVE-ID: CVE-2008-0037

    Available for: Mac OS X v10.5 and v10.5.1, Mac OS X Server v10.5 and v10.5.1

    Impact: Changing the settings in the Security Preferences Panel has no effect

    Description: The X11 server is not reading correctly its "Allow connections from network client" preference, which can cause the X11 server to allow connections from network clients, even when the preference is turned off. This update addresses the issue by ensuring the X11 server reads its preferences correctly. This issue does not affect systems prior to Mac OS X v10.5.
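The X11 entry above says the "Allow connections from network client" checkbox may simply not be honoured, so the practical check is to look at what the X server is actually bound to rather than at the preference. The following POSIX shell script is an added example, not Apple's code; it assumes Leopard's X11 stores that checkbox as the boolean `nolisten_tcp` in the `org.x.X11` defaults domain (an assumption) and the `lsof` sample in the test is constructed.

```shell
#!/bin/sh
# Added example, not Apple's code. The advisory says the "Allow connections from
# network clients" checkbox may not be honoured, so verify the effective state
# (which address the X server is actually listening on) instead of trusting the
# preference. Assumption: Leopard's X11 stores that checkbox as the boolean
# `nolisten_tcp` in the `org.x.X11` defaults domain (1 = network clients refused).

# x11_tcp_listeners: read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and print
# "COMMAND ADDRESS" for X display sockets (TCP 6000-6063) not bound to loopback only.
x11_tcp_listeners() {
    awk 'NR > 1 {
        addr = $(NF-1)                      # e.g. *:6000, 127.0.0.1:6000, [::1]:6000
        host = addr; sub(/:[0-9]+$/, "", host)
        port = addr; sub(/.*:/, "", port); port += 0
        if (port >= 6000 && port <= 6063 && host != "127.0.0.1" && host != "[::1]")
            print $1, addr
    }'
}

# x11_verdict PREF LISTENERS: PREF is the stored nolisten_tcp value ("1", "0" or
# "unknown"), LISTENERS the output of x11_tcp_listeners. Prints a one-line verdict.
x11_verdict() {
    if [ -z "$2" ]; then
        echo "OK: no X11 TCP listener on a network-reachable address"
    elif [ "$1" = "1" ]; then
        echo "MISMATCH: preference refuses network clients but X11 listens on $2"
    else
        echo "EXPOSED: X11 accepts network clients on $2"
    fi
}

# Live check (Mac OS X only): compares the stored preference with observed sockets.
x11_check_live() {
    pref=$(defaults read org.x.X11 nolisten_tcp 2>/dev/null || echo unknown)
    listeners=$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | x11_tcp_listeners)
    x11_verdict "$pref" "$listeners"
}
```

A MISMATCH verdict is exactly the condition the advisory describes: the preference says one thing, the socket table says another.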

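The Samba entry in the advisory above ties exposure to one explicit setting, "domain logons". As an added example (not Apple's or Samba's code), this POSIX shell check reads an smb.conf and reports whether that setting is on, matching parameter names the way Samba does (case- and whitespace-insensitive, last occurrence in [global] wins); the sample smb.conf in the demo is constructed.

```shell
#!/bin/sh
# Added example, not Apple's or Samba's code: report whether an smb.conf turns on
# "domain logons", the setting the advisory names as the precondition for the
# NetBIOS Name Service overflow to be reachable. Parameter names are matched the
# way Samba does (case- and whitespace-insensitive) and the last [global]
# occurrence wins; the setting is ignored in share sections.
#
# smb_domain_logons_enabled FILE  -> exit 0 if enabled, 1 otherwise
smb_domain_logons_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                       # comment line
        { gsub(/^[ \t]+|[ \t]+$/, "") }              # trim
        /^\[/ { section = tolower($0); next }        # [section] header
        section == "[global]" && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            gsub(/[ \t]/, "", key)                   # "Domain  Logons" -> "DomainLogons"
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (tolower(key) == "domainlogons") {
                v = tolower(val)
                found = (v == "yes" || v == "true" || v == "1")
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# smb_exposure_report FILE -> one-line verdict for humans
smb_exposure_report() {
    if smb_domain_logons_enabled "$1"; then
        echo "$1: domain logons = yes; the overflow code path is reachable until the Samba patch is applied"
    else
        echo "$1: domain logons off; this issue's trigger condition is not met"
    fi
}

# Demo on a constructed smb.conf (the values below are made up for the example).
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; a server configured as a domain controller
   Domain  Logons = Yes
[netlogon]
   path = /var/samba/netlogon
EOF
    smb_exposure_report "$f"
    rm -f "$f"
fi
```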

