June 29th Adobe Patch Day

Don’t forget that Adobe is planning to release updates for Reader for Windows, Macintosh and UNIX, and Acrobat for Windows and Macintosh to resolve critical security issues, including CVE-2010-1297 referenced in Security Advisory APSA10-01 on June 29, 2010.  Plan your deployment strategy now.

Note that these updates represent an accelerated release of the July 13th quarterly security update.  Adobe is not expected to release additional updates for Reader and Acrobat on July 13, 2010.

Quiet Lately…

The Toronto G20 Summit has kept me distracted from anything other than work, so I have neglected my blog a bit.  I hope to have more time once the summit has wound down.
Word out to the Law Enforcement teams downtown today and through the rest of the G20 week. May your days be peaceful, uneventful, and punctuated with mutual respect. Thanks for being there, and doing what you do daily. Be careful out there.
To those amongst us that feel the need to protest, no matter what the cause: please keep it peaceful.  There is enough unnecessary violence in the world.  Make your point, be heard, and demonstrate why the rest of us should be concerned, supportive, and informed.

Internet Security Book for Kids, Teens, Adults FREE

As unstructured summertime looms, kids and teens are likely to be spending more time on the Internet and texting.  Now, a free downloadable book is available to help them stay safer online and while using a mobile device.  Own Your Space, the industry-leading Internet security book, was first written by Linda McCarthy, a 20-year network and Internet-security expert.  This all-new free edition — by McCarthy, security pros, and dedicated teenagers — teaches youths and even their parents how to keep themselves “and their stuff” safer online.

The flexible licensing of Creative Commons, and industry-leading corporate sponsors have made it possible for everyone on the Internet to access Own Your Space for free via myspace.com/ownyourspace, facebook.com/ownyourspace.net, and www.ownyourspace.net.


Google Threatens Microsoft With 0-day

Fresh from the Stupid Human Tricks Department.  A Google engineer published attack code that exploits a zero-day vulnerability in Windows XP today, giving hackers another new way to hijack and infect systems with malware.   Real security experts objected to the engineer disclosing the bug just five days after it was reported to Microsoft.  In my opinion, it just proves that there is a political peeing contest going on between these two companies.  Google should know better, Google staff should know better, and all “researchers” would serve the public better to use common sense and ethics, regardless of the response they get from vendors when reporting.  We don’t arm the local population to increase the safety around Jane & Finch, why would providing attack vectors improve security on the Internet?  Knucklehead…

Microsoft said it is investigating the vulnerability and would have more information on next steps later today.  According to Tavis Ormandy, who works for Google in Switzerland, hackers can leverage a flaw in Windows’ Help and Support Center, which lets users easily access and download Microsoft help files from the Web and can be used by support technicians to launch remote support tools on a local PC.  He posted details of the vulnerability and proof-of-concept code to the Full Disclosure mailing list on Thursday.  His attack scenario works against all major browsers, including IE8, and is even easier to exploit when the machine has Windows Media Player installed (installed by default with all versions of Windows).  The attack is complicated and involves several steps, but his attack code works.  Switching browsers is not a solution.  “They are all equally vulnerable.”

Ormandy also slammed the concept of “responsible disclosure,” a term applied to bug reports submitted privately to vendors, giving developers time to craft a patch before the information is publicly released.  “This is another example of the problems with bug secrecy.  Those of us who work hard to keep networks safe are forced to work in isolation without the open collaboration with our peers.”  I smell a funny barnyard smell, what about you, Tavis?  How exactly is releasing attack code for an unpatchable vulnerability that impacts every XP system in the world, allowing remote code execution and backdoor insertion, and silent stealthy operation, doing me and my business any favours, OR keeping my networks safe with all of your “hard work”?

Microsoft is not pleased with Ormandy for giving it less than a week to deal with his report.  I empathize with them in this case, and will have to start viewing Google in a whole new light.  What happened to “Do no evil”?  Irresponsible is evil, Googlers, and it often sneaks up behind you to bite.


CAUTION: When Good Sites pWn

The Register reports that more than 100,000 webpages, some belonging to newspapers, police departments, and other large organizations, have been hit by an attack over the past few days that redirects visitors to a website that attempts to install malware.

The mass compromise appears to have affected sites running a banner-ads module on top of Microsoft’s Internet Information Services using ASP.net. Intljobs.org, The Wall Street Journal’s wsj.com, and tomtom.com.tw have all been affected, in addition to The Jerusalem Post and the police department website for the UK county of Strathclyde.

The sites were infected using SQL injection exploits, which allow attackers to tamper with a server’s database by typing commands into search boxes and other user-input fields.  The attackers planted iframes on the compromised sites that redirected visitors to robint.us.  Malicious JavaScript on that site attempted to infect end users with malware dubbed Mal/Behav-290, according to anti-virus firm Sophos.
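For site owners checking their own content, here is an added example (not from The Register or the original post) that contrasts a concatenated query with a parameterized one and then scans stored markup for iframe or script tags pointing at hosts the site does not embed on purpose. The `banners` table, the allow-list and all sample rows are constructed assumptions; only the robint.us host comes from the report above.

```python
import re
import sqlite3
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example.org"}  # assumption: hosts the site embeds on purpose
# Captures the tag name and its src value, whether or not src is quoted.
TAG_SRC = re.compile(r"<\s*(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def build_db():
    """Constructed sample table standing in for a banner module's storage."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE banners (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO banners (title, body) VALUES (?, ?)", [
        ("Summer sale", "<p>Save 20% this week</p>"),
        ("Partner", '<iframe src="http://www.example.org/ad.html"></iframe>'),
        # Constructed row: what a tampered record looks like after the fact.
        ("Travel", "<p>Deals</p><iframe src=http://robint.us/ width=0 height=0></iframe>"),
    ])
    return db

def search_vulnerable(db, term):
    # "Before": input is concatenated into the statement, so a quote in
    # `term` changes the structure of the query itself.
    sql = "SELECT id FROM banners WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # "After": input is bound as data and can never become SQL syntax.
    return db.execute("SELECT id FROM banners WHERE title LIKE ?",
                      (f"%{term}%",)).fetchall()

def find_injected_tags(db):
    """Return (row id, tag, host) for every off-site iframe/script in stored markup."""
    hits = []
    for row_id, body in db.execute("SELECT id, body FROM banners"):
        for tag, src in TAG_SRC.findall(body or ""):
            host = urlparse(src).hostname  # None for relative (same-site) URLs
            if host and host not in ALLOWED_HOSTS:
                hits.append((row_id, tag.lower(), host))
    return hits

if __name__ == "__main__":
    db = build_db()
    probe = "zzz' OR 1=1 --"  # constructed input containing a quote
    print("concatenated :", search_vulnerable(db, probe))
    print("parameterized:", search_parameterized(db, probe))
    print("off-site tags:", find_injected_tags(db))
```
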

Adobe Patches Coming

Expect a bunch of out-of-cycle patches from Adobe this week and possibly next, intended to replace the next scheduled patch release.  Adobe said it will issue a patch for a critical vulnerability being exploited in the wild with an update for Flash Player by Thursday, and for Reader and Acrobat by June 29th.  The Flash Player 10 update will support Windows, Macintosh, and Linux, with the date for the release of a Solaris version still to be determined.  The Reader and Acrobat update expected in about 3 weeks will support Windows, Mac, and Unix.

In addition to addressing CVE-2010-1297, the June 29th patch will also resolve a number of responsibly disclosed vulnerabilities.


Linksys WAP54G Insecure Debug Interface

Linksys WAP54G is a wireless access point that allows wireless clients connectivity to wired networks.  It supports 802.11b and 802.11g protocols, with data rates up to 54Mbit/s.  Linksys WAPs are quite popular in the home and small business market.

A debug interface allowing for the execution of root-privileged shell commands is available on dedicated web pages on the device.  Hardcoded credentials, which cannot be changed by the user, can be used to access the debug interface.


  • Remote access and modifications to access point settings and configuration.
  • Remote extraction of sensitive information such as credentials for logging into the administration interface, Wi-Fi SSIDs and passphrases.
  • Remote download and execution of malicious applications.
  • “Remote blind” attacks, where malicious web pages are used by an attacker over the Internet to execute code on a victim access point with private addressing, by leveraging a user browser as a 3rd party “reflector”, may also be possible.

 Additional information available at http://www.icysilence.org