Thursday, December 29, 2005

Antivirus Vendor Response Time

Saw this on the Full-Disclosure mailing list. Interesting response times on the various AV product "vendors" out there. Not comprehensive, mind you, as some of the comments point out.

Wednesday, December 28, 2005

Unpatched Microsoft Windows WMF Vulnerability

If you haven't heard by now, there is an unpatched exploit in how Windows handles WMF files. Since this handling is done with System level privileges, you guessed it, complete control of the system. Secunia sent out an advisory this morning and I noticed that Sunbelt Software had posted about it in their blog.

Secunia Advisory
Sunbelt Software Blog (with example)

Friday, December 23, 2005

New version of HTTPrint available

A new version of HTTPrint is available for download. As of this post, that version is 3.01 beta. If you aren't familiar with HTTPrint, it is a web server fingerprinting tool. One of those best practices out there is to deactivate the banner your web server would normally return in the RESPONSE header. However, even with the banner removed (or altered to look like something different... for instance, having an IIS server say it's an Apache server), there are fingerprinting techniques based on how different web servers behave to determine exactly what web server is being connected to. Yes, this can detect an IIS server fairly easy, even if you're using URLScan.

One of the reasons for the new version may be due to a security advisory. The banner coming back isn't properly sanitized before being inserted into an HTML report that HTTPrint generates. Therefore if someone has a web server with a banner specially crafted to be malicious, the report HTTPrint produces could be affected accordingly, meaning anyone viewing the report could be hit. The latest version fixes this problem.

Secunia advisory - httprint Server Banner Script Insertion and Denial of Service

Thursday, December 22, 2005

Symantec Antivirus Vulnerability

Symantec should be posting an advisory soon for a heap overflow issue when dealing with RAR archive files. The original notice about there being an issue was posted to the Full Disclosure mailing list.

Full Disclosure: Symantec Antivirus Library Remote Heap Overflows
Symantec Advisory: Symantec AntiVirus Decomposition Buffer Overflow

Wednesday, December 21, 2005

VMware Vulnerability

There is a serious vulnerability in all versions of VMware except ESX server. Basically, in the affected versions, an attacker can escape the virtual machine in order to execute commands on the host. There is an update available from VMware to fix the issue.

Wednesday, December 14, 2005

Circumventing Group Policy...

If you haven't read Mark Russunovich's latest blog post entitled Circumventing Group Policy as a Limited User and you're responsible for systems and/or security, you need to. This goes back to the concept of saying what is authorized as opposed to blocking what is not. The same issue we see on the network side, but now a problem on the systems side.