
Wednesday, July 28

Contrary to Recent Assertions - Snort 2.9 beta has been released, and it's awesome.

Snort 2.9 has been in the works internally for a while now, and the first beta release is out and ready for community feedback.


It's a big release with lots of enhancements, so here is the current list of things that need to be beta tested in Snort 2.9, and I'll expand upon them a bit:
* Feature rich IPS mode including improvements to Stream for inline deployments. A common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.

This feature really does away with a lot of the old react/resp/reset code and unifies all that broken code under respond3.  It also allows for RST and ICMP injection into a stream in IPS mode (more reliable than in IDS mode), so, for example, when you want to cut a session off midstream.  In regular IPS mode, we can drop the connection quietly.  With the new response module we can properly inject a RST (or other close) packet into a dropped stream, resetting the connection so that the end hosts don't keep open TCP sockets.  There is also a normalization preprocessor (see README.normalize), which, essentially, cleans packets up.  For example, here are just a few things that the normalization preprocessor can do to TCP:


  • Remove data on SYN.

  • Clear the reserved bits in the TCP header.

  • Clear the urgent pointer if the urgent flag is not set.

  • Clear the urgent pointer and the urgent flag if there is no payload.

  • Set the urgent pointer to the payload length if it is greater than the payload length.

  • Clear the urgent flag if the urgent pointer is not set.

  • [..]

Flexresp (Flex Response) 1 and 2 are now deprecated and a new Flexresp3 has been introduced.  Flexresp3 supports ALL of the flexresp1 and flexresp2 keywords and syntax.  Easy to move right over.
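To make the TCP items in the list above concrete, here is an added Python model of those normalizations applied to a raw TCP header plus payload. This is example code written for this post, not Snort's normalize preprocessor; it assumes a segment with no checksum recomputation (options and checksum are carried through untouched), and the sample segments it builds are constructed.

```python
"""TCP header normalizations of the kind listed above, modelled in Python.
Added example, not Snort's normalize preprocessor code. Works on a raw TCP
header plus payload; options and the checksum are left exactly as found."""
import struct
from typing import List, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_HDR = "!HHIIBBHHH"  # ports, seq, ack, offset/reserved, flags, window, checksum, urgent ptr


def tcp_segment(flags: int, urp: int = 0, payload: bytes = b"", reserved: int = 0) -> bytes:
    """Build a constructed segment with a 20-byte header (no options) for testing."""
    off_res = (5 << 4) | (reserved & 0x0F)  # data offset 5 words, plus any reserved bits
    return struct.pack(TCP_HDR, 1234, 80, 1, 1, off_res, flags, 8192, 0, urp) + payload


def normalize_tcp(segment: bytes) -> Tuple[bytes, List[str]]:
    """Apply the normalizations in the order the list above gives them.
    Returns the rewritten segment and the names of the steps that changed it."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urp = struct.unpack(TCP_HDR, segment[:20])
    hlen = (off_res >> 4) * 4
    if hlen < 20 or hlen > len(segment):
        raise ValueError("bad data offset")
    options, payload = segment[20:hlen], segment[hlen:]
    applied: List[str] = []
    if flags & SYN and payload:                 # remove data on SYN
        payload = b""
        applied.append("strip data on SYN")
    if off_res & 0x0F:                          # clear the reserved bits
        off_res &= 0xF0
        applied.append("clear reserved bits")
    if urp and not flags & URG:                 # urgent pointer without the URG flag
        urp = 0
        applied.append("clear URG pointer (URG flag not set)")
    if not payload and (flags & URG or urp):    # no payload: URG flag and pointer are meaningless
        flags &= ~URG
        urp = 0
        applied.append("clear URG flag/pointer (no payload)")
    if urp > len(payload):                      # pointer past the end of the data
        urp = len(payload)
        applied.append("clamp URG pointer to payload length")
    if flags & URG and urp == 0:                # URG flag set but pointer not set
        flags &= ~URG
        applied.append("clear URG flag (pointer is 0)")
    header = struct.pack(TCP_HDR, sport, dport, seq, ack, off_res, flags, win, csum, urp)
    return header + options + payload, applied


if __name__ == "__main__":
    seg = tcp_segment(SYN | URG, urp=5, payload=b"abc", reserved=0xF)
    out, steps = normalize_tcp(seg)
    print(f"{len(seg)} -> {len(out)} bytes; steps: {steps}")
```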


* Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ.

Hooray!  Libpcap 1.0 is now required.  Hooray Libdnet!  As you can read above, Snort 2.9 adds support for nfq and afpacket, in addition to ipfw, ipq, and dump, which were already supported.  IPQ wasn't working as well in past releases, so we replaced it with netfilterq.
* Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.

This was a feature requested by one of our community people.  They didn't want to see the IPs of their proxies as Source or Destination IPs in HTTP alerts.  They wanted the ability to see the "real" IPs for those proxies that support "X-Forward-For" and "True-Client-IP" header fields in their packets.  This output is only available if you are using the Unified2 output method.

Those of you that are NOT using Unified2 really, really need to move to it.  Older, slower output methods are eventually going to be deprecated, so please, start your upgrades.
* A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.

This was a feature requested by the community as well; it came from an email I received asking that we add something like this to Snort: the ability to yank a value out of a packet and store it for later use with other keywords (unlike byte_test or byte_jump, which calculate the value on the fly).
* Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.

I think that one speaks for itself, but make sure you read README.SMTP in the doc/ directory of the tarball to make sure you fully understand what this does.
* Ability to "test" drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 and console event log if policy mode was set to inline.

This was a feature also requested by our community.  They wanted to know, for a fact, what traffic would have been dropped had the rule in question been set to drop.  Again, this output is only available in Unified2 and console, so please start moving over!
* Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.

Nice feature here.  Base64 decoding in a rule.
* Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.

Also added into README.normalize.  This is to continue to support the United States Government's push to IPv6.  In many environments, this is now mandatory.
* Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology: http://download.intel.com/embedded/applications/networksecurity/324029.pdf

This optimization is very hardware specific.  Make sure you read the PDF linked above, which describes a joint research project underway between Sourcefire and Intel.

I'm sure more tweaks and things will be added to 2.9 before its actual release, so I look forward to these enhancements.

Be sure and check out Snort 2.9's beta code here, at http://www.snort.org/

Safari 5.0.1 Posted this morning

Back in June I wrote a post on a problem with Safari 5 creating a black background around certain objects when moved from one application to another.  For instance, when you attempt to use the "Mail this PDF" function from Preview.  Well, this morning Apple released version 5.0.1 of Safari.  This fixes the issue I described here, along with many others.  As posted on Apple's website here, the following are fixes:

  • More accurate Top Hit results in the Address Field

  • More accurate timing for CSS animations

  • Better stability when using the Safari Reader keyboard shortcut

  • Better stability when scrolling through MobileMe Mail

  • Fixes display of multipage articles from www.rollingstone.com in Safari Reader

  • Fixes an issue that prevented Google Wave and other websites using JavaScript encryption libraries from working correctly on 32-bit systems

  • Fixes an issue that prevented Safari from launching on Leopard systems with network home directories

  • Fixes an issue that could cause borders on YouTube thumbnails to disappear when hovering over the thumbnail image

  • Fixes an issue that could cause Flash content to overlap with other content on www.facebook.com, www.crateandbarrel.com, and other sites when using Flash 10.1

  • Fixes an issue that prevented boarding passes from www.aa.com from printing correctly

  • Fixes an issue that could cause DNS prefetching requests to overburden certain routers

  • Fixes an issue that could cause VoiceOver to misidentify elements of webpages


Safari 5.0.1 also packs in a bunch of security updates.  Of course Blackhat and Defcon are this week, so that may have something to do with this update being released.

Safari
Impact: Accessing a maliciously crafted RSS feed may cause files from the user's system to be sent to a remote server
Description: A cross-site scripting issue exists in Safari's handling of RSS feeds. Accessing a maliciously crafted RSS feed may cause files from the user's system to be sent to a remote server. This issue is addressed through improved handling of RSS feeds.
Credit to Billy Rios of the Google Security Team for reporting this issue.


Safari
Impact: Safari's AutoFill feature may disclose information to websites without user interaction
Description: Safari's AutoFill feature can automatically fill out web forms using designated information in your Mac OS X Address Book, Outlook, or Windows Address Book. By design, user action is required for AutoFill to operate within a web form. An implementation issue exists that allows a maliciously crafted website to trigger AutoFill without user interaction. This can result in the disclosure of information contained within the user's Address Book Card. To trigger the issue, the following two situations are required. First, in Safari : Preferences : AutoFill, the "Autofill web forms using info from my Address Book card" checkbox must be checked. Second, the user's Address Book must have a Card designated as "My Card". Only the information in that specific card is accessed via AutoFill. This issue is addressed by prohibiting AutoFill from using information without user action. Devices running iOS are not affected.
Credit to Jeremiah Grossman of WhiteHat Security for reporting this issue.
(Nice work Jeremiah!)

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of element focus. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of element focus.
Credit to Tony Chang of Google, Inc. for reporting this issue.

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's rendering of inline elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
Credit to wushi of team509 for reporting this issue.

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of dynamic modifications to text nodes. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
Credit? Apple Internal?

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of CSS counters. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
This issue is addressed through improved memory management.
Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.


WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue exists in WebKit's handling of the :first-letter and :first-line pseudo-elements in SVG text elements. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by not rendering :first-letter or :first-line pseudo-elements in SVG text elements.
Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of foreignObject elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through additional validation of SVG documents.
Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of floating elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.
Credit? Apple Internal?

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of 'use' elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of 'use' elements in SVG documents.
Credit to Justin Schuh of Google, Inc. for reporting this issue.

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in WebKit's handling of JavaScript string objects. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
Credit: Apple.

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A reentrancy issue exists in WebKit's handling of just-in-time compiled JavaScript stubs. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved synchronization.
Credit? Apple Internal?

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue exists in WebKit's handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of JavaScript array indices.
Credit to Natalie Silvanovich for reporting this issue.

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of regular expressions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of regular expressions.
Credit to Peter Varga of University of Szeged for reporting this issue.

WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A use after free issue exists in WebKit's handling of "font-face" and "use" elements in SVG documents. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of "font-face" and "use" elements in SVG documents.
Credit to Aki Helin of OUSPG for reporting this issue.

Safari 5.0.1 and Safari 4.1.1 address the same set of security issues. Safari 5.0.1 is provided for Mac OS X v10.5, Mac OS X v10.6, and Windows systems. Safari 4.1.1 is provided for Mac OS X v10.4 systems.

The thing to remember with the above vulnerabilities is that anything labeled "WebKit" affects more than just Safari. It can affect anything built on the WebKit framework, Chrome included.

Thursday, June 17

Black Background in Mail.app

I've noticed that for some reason, after you install Safari 5 on OS X, a command that creates an email out of a file produces a message with a black background.  For instance:

Open a PDF in Preview that you want to email to someone else, go to File, and click "Email this PDF" (or similar).  It'll create a new email message, but the background of the mail message will be black.

I've noticed this in Omnifocus as well, if I use a shortcut key to create a "To-Do" from another application by using the "Clipping" function, the background of the "To-Do" will be black.

Well, at least in Mail there is a fix.

If you want to keep the email as HTML, Command-A will select the contents of the email; cut it (not copy it) with Command-X, then paste it back with Option-Shift-Command-V (Paste and Match Style, which is in the Edit menu).  Or... you can change the email to Plain Text (which will get rid of the black box); Plain Text is in the Format menu, or Command-Shift-T.

Plain Text is usually better anyway.

Tuesday, June 8

Safari 5.0 and Safari 4.1 patches

About the security content of Safari 5.0 and Safari 4.1.

Apple posted Safari 5.0 for 10.5.8 and 10.6, and Safari 4.1 for 10.4.11, yesterday, and above is a link to the full patch list (and it's quite extensive).

The things patched in this update are below:

  • ColorSync (Windows versions only)

  • Phishing

  • Handling of PDF files

  • Arbitrary code execution (Windows only)

  • Webkit (tons of updates here including the infamous wushi exploits from team509, also lots of mentions of Chris Evans and Mark Dowd.  Nice work guys.)


Check the full list at the above URL for complete details.

Wednesday, May 5

Chrome 5 is freaking fast.

I've been using Chrome since it came out for the Mac awhile back, off and on, and staying current with the beta builds.  However, this build that came out yesterday is AMAZING.

Chrome 5, as a result of some "tuning" they have been doing to the Chrome rendering and JavaScript engines, is noticeably faster.  There are some lovely bar graphs on Google's blog here.  But, stupid graphs aside, I've noticed a difference this morning when loading my regular webpages (my Gmail page, my Gmail calendar, my me.com account, etc.).  Anything that can load the whole me.com interface in about 2 seconds is a freaking fast browser.

Nice job on this one Google.

To the readers:  If you have the ability to check it out, do so.  It's pretty impressive.

Monday, May 3

Verizon to block outbound port 25 for residential customers

For those of you that have Verizon Home Internet (FiOS or other), Verizon is about to start blocking outbound port 25.

Why?

Why is Verizon blocking outbound port 25?

The majority of spam (unsolicited email) on the Internet is caused by malicious software viruses that take control of infected computers. These viruses direct the infected machines to send email through port 25. Verizon takes spam very seriously. Verizon blocks outgoing connections on port 25 to prevent infected computers from being used by spammers to send unsolicited email. Outbound port 25 blocking is a standard industry method to control spam.

For more information, click the link below:

Verizon | High Speed Internet - Your Attention Needed: Re-configure Your Email Settings to Send Email.

Monday, April 26

PulledPork v0.4.1 released!

New Features/changes:

- Flowbit tracking! - This means that not all flowbits are enabled when a specific base ruleset is specified (security etc.); instead, all flowbits are now tracked, so that only those that are required get enabled.

- Adjusted pulledpork.conf to account for new snort rules tarball naming and packing scheme, post Snort 2.8.6 release.

- Added option to specify all rule modification files in the master pulledpork.conf file - feature request 19.

- Added capability to specify base ruleset (see README.RULESETS) in master pulledpork.conf file.

- Handle preprocessor and sensitive-information rulesets

Bug Fixes:

- 18 - Non-rule lines containing the string sid:xxxx were being populated into the rule data structure; added an extra check to ensure that this does not occur.

- Cleaned up href pointers, syntactical purposes only...

- Modified master config to allow for better readability on smaller console based systems

- Error output was not always returning full error

Be sure and go here to download the newest update!

http://code.google.com/p/pulledpork/

Be sure and read my other two posts in order to make sure you are fully up to date with everything going on.

New VRT Rulepack changes

There has been a lot of confusion between the rule update packs.  Some people would see the word "snortrules-snapshot-CURRENT_s.tar.gz" in the rulepack name, or the "snortrules-snapshot-2.8_s.tar.gz" name, and not know which ones to use, or which version of rulepack to use with which version of Snort, so hopefully with this change we've eliminated that confusion.  Now the Snort RulePacks are specific to "Version released".

What does that mean for you?

If you are using 2.8.5.3 and are updating to 2.8.6 (recommended)

You need to go into oinkmaster / pulledpork / wget / whatever updater you are using and change the name of the rulepack you are grabbing to the version specific to your environment.  So if you are moving to 2.8.6, you will not only need to update to 2.8.6, you will also need to change your rulepack name to:

snortrules-snapshot-2860.tar.gz

If you are using 2.8.5.3, and are NOT planning to update to 2.8.6 at this time

You STILL need to go into your oinkmaster/pulledpork/wget/any updater that you are using and change the name of the rulepack you are pulling to the version that is specific to your environment.

In short, everyone that uses Snort will need to make this change.  For the next 30 days, the "snortrules-snapshot-CURRENT.tar.gz" and "snortrules-snapshot-2.8.tar.gz" links will symlink to "snortrules-snapshot-2853.tar.gz".  So if you update to 2.8.6 you will need to change to the appropriate rulepack.

These symlinks will exist for the next 30 days.

If you are a Snort VRT rules subscriber (aka, you pay for it), the symlinks will be of use to you for 30 days; however, you are strongly encouraged to make the change now so that after the symlinks are removed, you won't get 404 errors.

If you are NOT a Snort VRT rules subscriber (aka, a registered user: you don't pay for it, and you get the rulepack after the "30-day free window" is lifted) you need to make the change.  So for example, if snortrules-snapshot-CURRENT.tar.gz is in your rule download URL, you need to update it to snortrules-snapshot-2853.tar.gz (or snortrules-snapshot-2860.tar.gz if you update).  The symlinks will NEVER apply to you, as the new packages won't be available to registered users for 30 days.

If you are running a version of Snort that is < 2.8.5.3.

You will need to modify oinkmaster / pulledpork / wget / whatever update system you are using to remove 2.8.5.3 version specific rule keywords or Snort will fail to load.  Please update to 2.8.5.3 at least, or move to 2.8.6.

Snort.conf

The Snort.conf file that is in each rulepack is ALSO version specific now.  (Yeah!)

The rulepacks will also be significantly smaller, because the rulepacks are locked to the version of Snort they support, so only the SO rules for that specific version are included.  For instance, the 2853 rulepack will only contain SO rules for 2.8.5.3.

Also be sure and read the VRT blog for further information: http://vrt-sourcefire.blogspot.com

Snort 2.8.6 is released!

[*] New Additions
* HTTP Inspect now splits requests into 5 components - Method, URI, Header (non-cookie), Cookies, Body. Content and PCRE rule options can now search one or more of these buffers.

HTTP server-specific configurations to normalize the HTTP header and/or cookies have been added.

Support gzip decompression across multiple packets.

* Added a Sensitive Data preprocessor, which performs detection of Personally Identifiable Information (PII).  A new rule option is available to define new PII.  See README.sensitive_data and the Snort Manual for configuration details.

* Added a new pattern matcher and related configurations.  The new pattern matcher is optimized to use less memory and perform at AC speed.

[*] Improvements
* Addressed problem to resolve output obfuscation affecting packets when Snort is inline.

* Preprocessors with memcap settings can now be configured in a "disabled" state.  This allows you to configure that memcap globally, but only enable the preprocessor in targeted configurations.

Go to http://www.snort.org to download the latest release!  I have two more posts that will be coming out later today with further updates, so make sure you read those as well. Also, make sure you read the VRT blog for further information: http://vrt-sourcefire.blogspot.com

Monday, March 29

Security Update 2010-002 / Mac OS X v10.6.3

About the security content of Security Update 2010-002 / Mac OS X v10.6.3.

Apple just posted 10.6.3 which included a ton of security updates in the following pieces of software, so go update:

  • AppKit

  • Application Firewall

  • AFP Server

  • Apache

  • ClamAV

  • CoreAudio

  • CoreMedia

  • CoreTypes

  • CUPS

  • curl

  • Cyrus IMAP

  • Cyrus SASL

  • DesktopServices

  • Disk Images

  • Directory Services

  • Dovecot

  • Event Monitor

  • FreeRADIUS

  • FTP Server

  • iChat Server

  • ImageIO

  • Image RAW

  • Libsystem

  • Mail

  • Mailman

  • MySQL

  • OS Services

  • Password Services

  • perl

  • PHP

  • Podcast Producer

  • Preferences

  • PS Normalizer

  • QuickTime

  • Ruby

  • Server Admin

  • SMB

  • Tomcat

  • unzip

  • vim

  • Wiki Server

  • X11

  • xar



Tuesday, March 9

VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?

VRT: APT: Should your panties be in a bunch, and how do you un-bunch them?.

I don't know how to say it any more plainly than this:

Matt Olney wrote a damn, a DAMN good post about APT on the VRT blog, and if you read my blog, and you don't go over to the VRT blog and read that post..  Heck I don't care if you don't read another post by the VRT that they have written in the past (although, you SHOULD!  They put a LOT of time into their posts!) you should read this one.

Matt, whom I play Xbox with nearly every night, talk to on a regular basis, and consider to be my friend..  I just wanted to let you know, seriously...

Damn fine job sir.

Monday, February 1

Google to kill off IE6 support in 2010

In a big move by Google I just received an email letting me know that Google will be phasing out support for IE6 in Google Apps in 2010.
"In order to continue to improve our products and deliver more sophisticated features and performance, we are harnessing some of the latest improvements in web browser technology. This includes faster JavaScript processing and new standards like HTML5. As a result, over the course of 2010, we will be phasing out support for Microsoft Internet Explorer 6.0 as well as other older browsers that are not supported by their own manufacturers."

I think this is a phenomenal move by a company as big as Google to say "not anymore". I wish other companies would take such a firm stance against my other pet peeves. You know, ActiveX, Flash, and Silverlight.

Thursday, January 28

One thing I forgot to mention about the iPad

People are already criticizing it because it doesn't have Flash on it (it runs the iPhone OS). I say to those people, GOOD.

Flash is, as the last year has shown us, a horrible piece of programming and it needs to die. HTML5 will kill it off for the most part, and it needs to stay dead. I don't think that Flash will be around much longer, and frankly, I'm not sad about it.

In the next few years, now that the iPhone is as big as it is, the iPad will be all over the place (I think), Flash will be dead, and developers will be rewriting their webpages to use things like H.264 and HTML5. There will still be things like the "Punch the monkey" banner ads that need to use Flash (and various other games), but for those people that develop those games, welp, looks like it may be time to move on.

Monday, January 11

PulledPork 0.3.4 released

I know plenty of you that read my blog are interested in Snort rules, and are always open to managing Snort rules in an easier fashion.  Often, in the past, our (our being the 'Snort Professionals') recommendation has been "Oinkmaster".  Perl program, pretty stable, kept rules up to date and such.  Well, Oinkmaster kind of died in terms of support, so one of our own guys at Sourcefire stepped up for the community and put out, for free, Pulled-Pork.  (Originally called "Baconator", but we asked him to change the name so that Wendy's didn't sue.)

Anyway, JJ, the author of Pulled-Pork, a fellow Sourcefire employee, and the guy that runs openpacket.org released version 0.3.4 of Pulled-Pork today.  It has some very significant updates that we hope Snort users will be keen on.

For some time now, within the Sourcefire interface, you have been able to start the creation of your policies (and the further updating of your policies) from one of three "bases": Connectivity, Balanced, or Security.

Connectivity focuses on connectivity over security: fewer interruptions from the IPS, and dropping only the traffic that is obviously evil.

Balanced focuses on a good balance of the above and below.

Security focuses more on the security of the network the Sourcefire sensor is protecting than on people getting to Facebook.

VRT defines these categories, and they decide which rules go into which category.  In the Sourcefire product, if you are "inline", each one of these standard bases has a certain number of rules that are set to drop by default.  Obviously, fewer in Connectivity over Security, and more set to drop in Security over Connectivity.

The way that we get this information out to the Sourcefire customers is through "metadata" within a rule.  If a rule is written like so:

alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:4;)

See the metadata option in the rule above?  That's the metadata; it tells, for each of the three categories I named above, what the rule should do in that policy.  In this case, since this rule is looking for traffic that is exiting the network and going back to an attacker, we want to drop this at all costs.  So that's what the metadata says: first the name of the policy, then the state.

Until now, the automated (notice: automated) use of this feature has been reserved for our Sourcefire customers, even though the metadata itself has always been available to our open-source Snort users.

Pulled-Pork 0.3.4 allows the open-source users to use these three policies automatically; of course, you have to choose which policy you want to use with the "-I" command parameter.

If you were using pulled-pork in the past, you can't just copy the old pulledpork.conf file over into this new instance; you'll need to use the new .conf file that comes with this release.  But in a matter of about 5 minutes, I had the new pulledpork up and running, my Snort instance is now running the "-I security" policy, PulledPork generated a changelog for me, and it restarted Snort via a HUP (which you can specify in the pulledpork.conf file).

So, if you are familiar with Snort and .conf files, you should be up and running with a great security policy in about 5-10 minutes.
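Here is an added Python example of what the two PulledPork features discussed on this page do with rule metadata: selecting a base policy (this post) and then tracking flowbits so that rules which set a bit needed by an enabled rule are enabled as well (the 0.4.1 release notes above). This is example code written for this post, not PulledPork's own implementation; it assumes that a rule whose metadata does not name the chosen policy is disabled, and every rule except sid 2123 (quoted above) is constructed.

```python
"""Apply a VRT base policy via rule metadata, then track flowbit dependencies.
Added example, not PulledPork's code. Assumes a rule absent from the chosen
policy is disabled, and that re-enabled flowbit setters keep their own action."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample ruleset: sid 2123 is the rule quoted in the post; the
# 1000xxx rules are invented to exercise a two-hop flowbit dependency.
SAMPLE_RULES = [
    'alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; '
    'flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; '
    'content:"Microsoft Corp."; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips '
    'drop, policy security-ips drop; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:4;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DEMO admin access after login; stage 2"; '
    'flow:established,to_server; flowbits:isset,demo.stage2; content:"GET /admin"; '
    'metadata:policy balanced-ips alert, policy security-ips drop; sid:1000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DEMO stage 2 marker"; flow:established,to_server; '
    'flowbits:isset,demo.login; flowbits:set,demo.stage2; flowbits:noalert; content:"X-Stage|3A| 2"; '
    'sid:1000004; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DEMO login marker"; flow:established,to_server; '
    'flowbits:set,demo.login; flowbits:noalert; content:"POST /login"; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DEMO in no policy"; content:"foo"; sid:1000005; rev:1;)',
]
RuleState = Dict[int, Tuple[bool, str]]  # sid -> (enabled?, rule text)


def split_options(rule: str) -> List[Tuple[str, str]]:
    """Split the option body into (keyword, value) pairs. A ';' inside a
    double-quoted value such as msg or content does not end an option."""
    body = rule[rule.find("(") + 1:rule.rfind(")")]
    pairs, buf, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, value = buf.strip().partition(":")
            pairs.append((key.strip(), value.strip()))
            buf = ""
        else:
            buf += ch
    return pairs


def option(rule: str, key: str) -> Optional[str]:
    """Value of the first option named `key`, or None."""
    return next((v for k, v in split_options(rule) if k == key), None)


def policy_action(rule: str, policy: str) -> Optional[str]:
    """Action ('alert' or 'drop') the metadata assigns to `policy`, or None
    when the rule is not part of that base policy at all."""
    for entry in (option(rule, "metadata") or "").split(","):
        parts = entry.split()
        if len(parts) == 3 and parts[0] == "policy" and parts[1] == policy:
            return parts[2]
    return None


def apply_policy(rules: List[str], policy: str) -> RuleState:
    """Rewrite each rule's action per the chosen policy; disable the rest."""
    state: RuleState = {}
    for rule in rules:
        sid = int(option(rule, "sid") or 0)
        action = policy_action(rule, policy)
        if action is None:
            state[sid] = (False, rule)
        else:
            state[sid] = (True, action + rule[rule.find(" "):])  # swap 'alert' for the policy's action
    return state


def flowbit_refs(rule: str) -> Tuple[Set[str], Set[str]]:
    """Return (bits the rule checks, bits the rule changes)."""
    checked, changed = set(), set()
    for key, value in split_options(rule):
        if key == "flowbits":
            op, _, name = value.partition(",")
            if op in ("isset", "isnotset"):
                checked.add(name.strip())
            elif op in ("set", "setx", "unset", "toggle"):
                changed.add(name.strip())
    return checked, changed


def resolve_flowbits(state: RuleState) -> Set[int]:
    """Re-enable disabled rules that change a flowbit some enabled rule checks,
    repeating until nothing new is needed so multi-hop chains resolve."""
    reenabled: Set[int] = set()
    while True:
        needed = set().union(*(flowbit_refs(r)[0] for on, r in state.values() if on))
        newly = [sid for sid, (on, r) in state.items() if not on and flowbit_refs(r)[1] & needed]
        if not newly:
            return reenabled
        for sid in newly:
            state[sid] = (True, state[sid][1])  # keeps 'alert'; never promoted to drop
            reenabled.add(sid)


if __name__ == "__main__":
    st = apply_policy(SAMPLE_RULES, "security-ips")
    print("re-enabled for flowbits:", sorted(resolve_flowbits(st)))
    for sid, (on, text) in sorted(st.items()):
        print(("" if on else "# ") + text[:70])
```

Disabled rules are written out commented with "# ", the same way a generated rules file would carry them.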

Good job JJ and the VRT!

For further information, please go to JJ's blog post on the release and download it at the link he has there on his blog.

Friday, October 10

Apple Security Update 2008-007

I wish my 1000th post on the blog was way more insightful than this, but it's not going to be. I'll have to write something that really reflects a 1000th post. But it will be 1001.


Introducing Apple Security Update 2008-007. Just released last night:

Security Update 2008-007
  • Apache

CVE-ID: CVE-2007-6420, CVE-2008-1678, CVE-2008-2364

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in Apache 2.2.8

Description: Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Apache version 2 is not bundled with Mac OS X Client systems prior to version 10.5. Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default. Further information is available via the Apache web site at http://httpd.apache.org/

  • Certificates

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Root certificates have been updated

Description: Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.

  • ClamAV

CVE-ID: CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914

Available for: Mac OS X Server v10.4.11, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in ClamAV 0.93.3

Description: Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating to ClamAV 0.94. ClamAV is not bundled on Mac OS X Client systems. Further information is available via the ClamAV website at http://www.clamav.net/

  • ColorSync

CVE-ID: CVE-2008-3642

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of ICC profiles in images. Credit: Apple.

  • CUPS

CVE-ID: CVE-2008-3641

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user

Description: A range checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the 'lp' user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges. This update addresses the issue by performing additional bounds checking. Credit to regenrecht working with TippingPoint's Zero Day Initiative for reporting this issue.

  • Finder

CVE-ID: CVE-2008-3643

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A file on the Desktop may lead to a denial of service

Description: An error recovery issue exists in Finder. A maliciously crafted file on the Desktop which causes Finder to unexpectedly terminate when generating its icon will cause Finder to continually terminate and restart. Until the file is removed, the user account is not accessible via Finder's user interface. This update addresses the issue by generating icons in a separate process. This issue does not affect systems prior to Mac OS X v10.5. Credit to Sergio 'shadown' Alvarez of n.runs AG for reporting this issue.

  • launchd

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Applications may fail to enter a sandbox when requested

Description: This update addresses an issue introduced in Mac OS X v10.5.5. An implementation issue in launchd may cause an application's request to enter a sandbox to fail. This issue does not affect programs that use the documented sandbox_init API. This update addresses the issue by providing an updated version of launchd. This issue does not affect systems prior to Mac OS X v10.5.5.

  • libxslt

CVE-ID: CVE-2008-1767

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Processing an XML document may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution. Further information on the patch applied is available via http://xmlsoft.org/XSLT/ Credit to Anthony de Almeida Lopes of Outpost24 AB, and Chris Evans of Google Security Team for reporting this issue.

  • MySQL Server

CVE-ID: CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079

Available for: Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in MySQL 5.0.45

Description: MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues only affect Mac OS X Server systems. Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0-67.html

  • Networking

CVE-ID: CVE-2008-3645

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A local user may obtain system privileges

Description: A heap buffer overflow exists in the local IPC component of configd's EAPOLController plugin, which may allow a local user to obtain system privileges. This update addresses the issue through improved bounds checking. Credit: Apple.

  • PHP

CVE-ID: CVE-2007-4850, CVE-2008-0674, CVE-2008-2371

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in PHP 4.4.8

Description: PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/ These issues only affect systems running Mac OS X v10.4.x, Mac OS X Server v10.4.x, or Mac OS X Server v10.5.x.

  • Postfix

CVE-ID: CVE-2008-3646

Available for: Mac OS X v10.5.5

Impact: A remote attacker may be able to send mail directly to local users

Description: An issue exists in the Postfix configuration files. For a period of one minute after a local command-line tool sends mail, postfix is accessible from the network. During this time, a remote entity who could connect to the SMTP port may send mail to local users and otherwise use the SMTP protocol. This issue does not cause the system to be an open mail relay. This issue is addressed by modifying the Postfix configuration to prevent SMTP connections from remote machines. This issue does not affect systems prior to Mac OS X v10.5 and does not affect Mac OS X Server. Credit to Pelle Johansson for reporting this issue.

  • PSNormalizer

CVE-ID: CVE-2008-3647

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in PSNormalizer's handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PostScript files. Credit: Apple.

  • QuickLook

CVE-ID: CVE-2008-4211

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution

Description: A signedness issue exists in QuickLook's handling of columns in Microsoft Excel files, which may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of Microsoft Excel files. This issue does not affect systems prior to Mac OS X v10.5. Credit: Apple.

  • rlogin

CVE-ID: CVE-2008-4212

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Systems that have been manually configured to use rlogin and hosts.equiv may unexpectedly permit root login

Description: The manpage for the configuration file hosts.equiv indicates that entries do not apply to root. However, an implementation issue in rlogind causes these entries to also apply to root. This update addresses the issue by properly disallowing rlogin from the root user if the remote system is in hosts.equiv. The rlogin service is not enabled by default in Mac OS X, and must be manually configured in order to be enabled. Credit to Ralf Meyer for reporting this issue.

  • Script Editor

CVE-ID: CVE-2008-4214

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: A local user may gain the privileges of another user that is using Script Editor

Description: An insecure file operation issue exists in the Script Editor application when opening application scripting dictionaries. A local user can cause the scripting dictionary to be written to an arbitrary path accessible by the user that is running the application. This update addresses the issue by creating the temporary file in a secure location. Credit: Apple.

  • Single Sign-On

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: The sso_util command now accepts passwords from a file

Description: The sso_util command now accepts passwords from a file named in the SSO_PASSWD_PATH environment variable. This enables automated scripts to use sso_util more securely.

  • Tomcat

CVE-ID: CVE-2007-6286, CVE-2008-0002, CVE-2008-1232, CVE-2008-1947, CVE-2008-2370, CVE-2008-2938, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461

Available for: Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in Tomcat 6.0.14

Description: Tomcat on Mac OS X v10.5 systems is updated to version 6.0.18 to address several vulnerabilities, the most serious of which may lead to a cross site scripting attack. These issues only affect Mac OS X Server systems. Further information is available via the Tomcat site at http://tomcat.apache.org/

  • vim

CVE-ID: CVE-2008-2712, CVE-2008-4101, CVE-2008-2712, CVE-2008-3432, CVE-2008-3294

Available for: Mac OS X v10.5.5, Mac OS X Server v10.5.5

Impact: Multiple vulnerabilities in vim 7.0

Description: Multiple vulnerabilities exist in vim 7.0, the most serious of which may lead to arbitrary code execution when working with maliciously crafted files. This update addresses the issues by updating to vim 7.2.0.22. Further information is available via the vim website at http://www.vim.org/

  • Weblog

CVE-ID: CVE-2008-4215

Available for: Mac OS X Server v10.4.11

Impact: Access control on weblog postings may not be enforced

Description: An unchecked error condition exists in the weblog server. Adding a user with multiple short names to the access control list for a weblog posting may cause the Weblog server to not enforce the access control. This issue is addressed by improving the way access control lists are saved. This issue only affects systems running Mac OS X Server v10.4. Credit: Apple.

Monday, September 15

OSX Update 10.5.5 and Security Update 2008-006

Just hitting the streets as we speak: Apple has released OSX update 10.5.5. Built into 10.5.5 is Security Update 2008-006, the 6th major security update of the year. So aside from the ton of other updates in 10.5.5 for OSX Leopard, check out the security fixes included with it below.

Keep in mind that the Security Update is not just for 10.5 (OSX Leopard); it is also available for 10.4, in both the Desktop and Server releases.

This update covers the following items:

ATS -- Apple Type Services -- CVE-2008-2305

BIND --

10.5 -- Updated to 9.4.2-P2

10.4.11 -- Updated to 9.3.5-P2

ClamAV -- Antivirus included with OSX Server

Updated to version 0.93.3.

CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, CVE-2008-3215

Directory Services x2 -- (Something I found interesting: this vulnerability was reported by the "IT Department of the West Seneca Central School District". Not your usual reporter. Very nice) -- CVE-2008-2329

Finder x2 -- CVE-2008-2331, CVE-2008-3613

ImageIO x4 -- CVE-2008-2327, CVE-2008-2332, CVE-2008-3608, CVE-2008-1382

Kernel -- CVE-2008-3609

libresolv -- CVE-2008-1447

Login Windows x2 -- CVE-2008-3610, CVE-2008-3611

mDNSResolver -- CVE-2008-1447

OpenSSH -- CVE-2008-1483, CVE-2008-1657

QuickDraw Manager -- CVE-2008-3614

Ruby -- CVE-2008-2376

SearchKit -- CVE-2008-3616

System Configuration -- CVE-2008-2312 (For 10.4.11)

System Preferences x2 -- CVE-2008-3617, CVE-2008-3618

Time Machine -- CVE-2008-3619

VideoConference -- CVE-2008-3621

Wiki Server -- CVE-2008-3622

So, all in all, quite a few updates here in this one.

Friday, September 12

iPhone 2.1 actually lists its updates?!

Very uncharacteristic for Apple, but the update screen for 2.1 actually lists its updates.

Wow.

  • Decrease in call set-up failures and call drops
  • Significantly improved battery life for most users
  • Dramatically reduced time to backup to iTunes
  • Improved email reliability, notably fetching email from POP and exchange accounts.
  • Faster installation of 3rd party applications.
  • Fixed bugs causing hangs and crashes if you have lots of 3rd party applications
  • Improved performance in text messaging
  • Faster loading and searching of contacts
  • Improved accuracy of the 3G signal strength display
  • Repeat alert up to two additional times for incoming text messages
  • Option to wipe data after ten failed passcode attempts
  • Genius playlist creation.

Thanks for letting us know all these things Apple, please keep up the straightforwardness in updates!
