Several vulnerabilities have been found in the Windows Version of Apache. One critical code injection flaw and two lower key security bugs. The most serious of the three flaws is in a core component of Apache 2.2.14, and possibly earlier versions. The bug creates a opening that allows hackers to execute code on systems. Meaning that malware can be planted or data extracted.

 This opening stems from a bug in mod_isapi. This imliments the IS extention API. Good news though. The bug can easily be fixed by upgrading to the latest version, 2.2.15. Australia’s Sense of Security have published a video that illustrates the potential risk, with the aim to encourage people to upgrade.

The update also fixes two other bugs that are unrelated. The risks posed by these are denial of service and information disclosure. So, well worth getting this done if you run the affected version. You can find more out about those here:

http://secunia.com/advisories/38776/

It’s been reported by Neowin that Newegg has shipped out fake Intel i7 processors. Consumers have been said to have recieved  a piece of scrap metal for the processor and a clay mold for the heatsink. So not really much of an effort to counterfeit then. Intel are now in the process of investigating how this has happened and how many have been shipped.

Intel have confirmed at least one case of these fakes having been recieved by a consumer. It has been said that 300 fakes were accidently mixed in with a batch of 2,000 by Newegg’s distributor. But exactly how much of an accident this was remains to be seen. There has even been speculation that cease-and-disist letters have been sent out to websites that have published the news.

Newegg at first claimed that these fakes are “demo units”, but Intel contradicted this by confirming them to be counterfeit. However, Newegg themselves have now also confirmed the existence of these fakes. And have ended their relationship with the supplier in the following statement:

Newegg is currently conducting a thorough investigation surrounding recent shipments of questionable Intel Core i7-920 CPUs purchased from Newegg.com.

We have always taken pride in providing an exceptional experience for each customer, and we apologize for any inconvenience to our valued customers. We take matters like this extremely seriously, and are working in close cooperation with Intel and the appropriate law enforcement authorities to thoroughly investigate this incident.

Argos have exposed customers credit card details and CCV security numbers in their e-mail reciepts. A customer who checked his e-mail reciept found buried in the HTML source code, was his full credit card number and security code. Meaning that if any of these e-mails were to be intercepted the credit card details could potentialy be found, and somebody elses hard earnt money spent. The custemer who exposed this breach had recently had his details fraudulently misused, but this has not been linked to Argos.

Worryingly, it’s  unknown how long this exposure has been going on for, and the number of consumers affected. Argos have said the fault has already been corrected. They are currently working with the Infomation Commissioner’s office to deal with the breaches effects.

It seems however that the whole thing could have been easily avoided, if Argos had simply had a good content filtering product in place. This would have meant that ecryption of the e-mail reciepts was enforced, or that the data was blocked from being sent out at all. The basic default or stanadard security rules of most content filtering packages would do this.

This incident just goes to show how important it is to filter both inbound and outbound mail. And pretty awesome (in the true sense of the word), that a company as large as Argos hasn’t enforced this basic security procedure.

A servere veulnerability has been found by computer boffins in the worlds most prolific software package. The hole would allow hackers to retrieve a machine’s private cryptographic key.

The bug is in the OpenSSL cryptographic library. Which is pretty scarey stuff as the open-source package is used worldwide in OSs and applications. It could potentialy be applied to many devices. Smartphones and Media-players with anti-copying mechanisms will be most easily affected.

Wherever the origin of infomation is needed to be verified is where the OpenSSL library come in, and it does much more than just  SSL. However, the issue is said to be easily fixed. Scientist at Michigan University say applying cryptographic “salt”  to an error-checking algorithm will do the trick. This extra randomization will make the attack impossible. OpenSSL engineers are currently pushing out a patch, so don’t panic.

The process of carrying out the attack in the real world is somewhat impracticle. To grab bits of a key you have to inject slight fluctuations in a devices power supply as it is processing the encrypted data. It took the boffins over 100 hours to deduce an entire key. So..not very likely some one will actually do this is it? The boffins also said:

“This is probably not as much of a threat to a server system as it is to a consumer device, The place where this would be more applicable would be if you want to attack a Blu-ray player (where) you have an environment where someone is giving you a device that has a private key to protect intellectual property and you have physical access to the device.”

Right. So getting into a comms room and doing this to a server for over one hundred hours undetected seems unlikely. But if the machine overheats or experiences fluctuations “naturaly”, it will leek secret data. This could then be intecepted by attackers. tghe boffins have also tried natural radiation and laser sources.

It may also be possible to apply this method to other crypto libraries, such as the one created by Mozilla.

Sounds like pulling this off would take a highly trained team of covert opperatives. So I don’t think you avarage business has much to worry about.

Microsoft has confirmed a potentialy dangerous and unpatched velnerability in Internet explorer, when the F1 button is pressed in earlier versions of windows.

The bug is within the VBS that is intergrated with Internet Explorer. Making it potentialy possible to create a website that tricke the use into pressing the F1 button. The site then pushes out malware to the user. A pretty clever thechnique for getting malware onto a network, and no doubt effective. however, this only works on older versions of windows, XP, 2000 and server 2003. Vista, 7 and Server 2008 are not affected.

Micrsoft have said that they are not aware of any attacks that are using this technique. But now that the cat’s out of the bag it’s surely only a matter of time. They have criticised security researchers, saying that they should have come to them first before releasing the infomation. Microsoft published th folowing statement regarding the matter:

“Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”

The Redmond Security bods are still looking into vulnerability. But a patch is likely to be on the cards, obviuosly. MS have not said when it will arrive, but the next patch Tuesday is drawing near. Probably too near, it looks likely that the patch will not be released till April/May time.

Microsofts vision for end to end trust is based around cloud computing. They are working towards a claims-based identity metasystem, and are making a call for the prevention/disruption of cybercrime.

Scott Charney,  CVP of  Microsofts TCG said:

“End to End Trust is our vision for realizing a safer, more trusted Internet. To enable trust inside, and outside, of cloud computing environments will require security and privacy fundamentals, technology innovations, and social, economic, political and IT alignment.”

Charney further explained it is key to impliment securer identity solutions. This will provide a securer private acces to cloud and onsite applications. Thus making for a more secure internet and enterprises.

Microsoft habve also previewed their U-Prove thechnology. Aimed at online providers to protect privacy and enhance security for online transactions. Microsoft will be releasing portions of the intelectual property for U-Prove as well as open source software development kits in java and C#, for some input and evaluation.

Details have also been released inregards to a new partnership with the Fraunhofer Institute. They will be working together on a project that will intergrate U-Prove and Microsoftws identy platform with the proposed future use of electronic identycards by the German Government.

Microsoft have also released (as part of their Buisiness ready security strategy) Forefront Identity Manager 2010. Enabling polocy based ID management accross diverse environments. It will provide the customer with more end user capability and provide administrative tools to the IT Proffessional.

Microsoft’s Operation b49, an initiative to erradicate the Waledac Botnet, is also another example of how microsoft is aggresively and collectively targeting cybercrime.

Charney Said:

“We are committed to collaborating with industry and governments worldwide to realize a safer, more trusted Internet through the creative disruption and prevention of cybercrime,”

If you would like to know more about Microsoft’s vision go to http://www.microsoft.com/endtoendtrust

The security team at Microsoft are investigating a vulerability in Windows 2000 and Windows XP that coule potentially allow attackers to install malicious code onto remote computers.

Through a combination of VB Scripts and Internet Explorers online help – although interation from the user is required, possible attackers could prompt the user to press the F1 key to execute the malicious code.

It’s being investigated at the moment by the security team at Microsoft and once it’s completed – Microsoft will tell users what to do.

A vulnerability has been uncovered in the way some sites have implemented banner click counters on their flash (SWF) files.

A security consultant called MustLive said that these files contain actionscript (flash’s internal scripting language) that counts the number of banner clicks using the url or clickTAG options.

This exploit makes the webpages that they’re on vulnerable to cross site scripting (XSS) and may possibly have the ability to inject code (to make a viewer download a trojan/virus) or steal user credentials.

If you search google with the terms ‘ filetype:swf inurl:clickTAG ‘ or ‘ filetype:swf inurl:url ‘ it returns many million sites that have the potential to be exploited.

It is worth noting however that it’s not Adobe Flash that’s the source of the vulnerability – it’s poorly written and implemented actionscript.

The recently exploit that targetted the IIS FTP service on Windows 2000 has now been seen to crash windows 2003 servers even using the anonymous account – This means that the number of possible exploitable servers has increased dramatically.

The using the exploit, attackers can cause the ftp service to crash by connecting as an anonymous user – then sending specific ftp commands, the FTP service would then need to be manually restarted.

More information on the exploit can be found here

4mdc2wprys

All systems engineers and IT managers that have any responsibilty in their companys security systems should keep themselves updated with the latest exploits and techniques used by hackers.

I’m listing below the sites that I use and keep an eye on to ensure the systems that are important to my network and customers are not affected.

astalavista.net
Currently down, but coming back soon – Was always great for discussions and info on the latest exploits.

milw0rm.com
A searchable library of exploits in just about anything searchable by OS – check it out to ensure your business systems aren’t affected.

digitalmunition.com
Another site that lists security advisories – see how insecure Apple OSX is here…..

xssed.com
A cross site scripting resource database with lists of vulnerable websites, also has information on defending against XSS attacks.

secumania.org
Basically a security news site that also has lists of the latest exploits and vulnerabilities.

It’s always a good idea to try to get into the heads of the people who are trying to attack corporate networks. Keeping an eye on these sites gives you an insight into the minds and motivations of these people.