Thursday, March 13, 2008

Daily Report

• According to the Associated Press, a state fire marshal says a Danvers chemical plant in Massachusetts that exploded in November 2006 was storing twice the combustible substances it was permitted to keep. Twenty people were hurt, but there were no deaths. (See item 6)

• The Associated Press reports that a common new technology for monitoring defibrillators is vulnerable to hacking, and even to reprogramming that could stop the devices from delivering a lifesaving shock, according to research to be released Wednesday and due to be presented and published May 19 at the Institute of Electrical and Electronics Engineers (IEEE) Symposium on Security and Privacy. (See item 26)

Information Technology

34. March 12, IDG News Service – (National) Two years after patch, another IE FTP flaw. A flaw in the way Microsoft’s Internet Explorer browser processes FTP commands could let attackers steal or erase data from a victim’s FTP site. The bug, which affects users of IE 6 and the unsupported IE 5 browser, gives an attacker a way of hijacking the victim’s FTP sessions. But a successful attack would be very hard to accomplish and would only work in very precise, targeted attacks, security experts said. The attacker would need to know the victim’s username on the FTP server and the victim would have to already be logged into the server, using IE. Under those conditions, the victim could be sent a malicious FTP link that would then execute commands on the victim’s FTP server. The FTP problem does not affect IE 7, Microsoft said Tuesday. The software vendor has not heard of any attacks that take advantage of this vulnerability and has determined that any successful attack would only lead to the unauthorized disclosure of data, the company said in a statement.
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9067998&taxonomyId=17&intsrc=kc_top
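
The attack pattern item 34 describes, shown as an added illustration that is not code from the article, from Microsoft, or from the researcher who reported the bug. The article does not say how a link turns into commands on the server; the example assumes the usual mechanism for this class of flaw, URL-encoded CR/LF in the path of an ftp:// URL that a client splices straight into its CRLF-terminated control-channel commands, so the server's command parser sees the attacker's extra command on the victim's already-authenticated session. The hostname, file names and URLs below are constructed for the example.

```python
"""FTP URL command injection: vulnerable command builder beside a hardened one.

Added example (not Internet Explorer's code). ASSUMPTION: the injection
vector is a percent-encoded CR/LF (%0d%0a) in the path of an ftp:// URL,
which a naive client decodes and forwards verbatim on the control channel.
"""
from urllib.parse import urlsplit, unquote

# Constructed inputs. In the malicious link, %0d%0a decodes to CR LF; the
# text after it becomes a separate FTP command unless the client rejects it.
BENIGN_URL = "ftp://files.example.test/pub/readme.txt"
MALICIOUS_URL = (
    "ftp://files.example.test/pub/"
    "%0d%0aDELE%20important.txt"   # injected command on the victim's session
    "%0d%0aRETR%20readme.txt"      # keeps the transfer looking normal
)


class FtpUrlError(ValueError):
    """Raised by the hardened builder for URLs it refuses to turn into commands."""


def naive_commands(url: str) -> list[str]:
    """Vulnerable: decode the URL path and splice it into CWD/RETR unchecked."""
    path = unquote(urlsplit(url).path)
    directory, _, filename = path.rpartition("/")
    return [f"CWD {directory or '/'}", f"RETR {filename}"]


def safe_commands(url: str) -> list[str]:
    """Hardened: refuse any decoded path containing a control character.

    RFC 959 commands are delimited by CRLF, so nothing that can terminate or
    split a command may come from the URL. Checking AFTER percent-decoding is
    what matters: %0d%0a is the form an attacker would use.
    """
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise FtpUrlError("not an ftp:// URL")
    path = unquote(parts.path)
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in path):
        raise FtpUrlError("control character in FTP path")
    directory, _, filename = path.rpartition("/")
    if not filename:
        raise FtpUrlError("URL does not name a file")
    return [f"CWD {directory or '/'}", f"RETR {filename}"]


def server_view(commands: list[str]) -> list[str]:
    """What the server's parser sees once the client writes the commands.

    The control channel is a CRLF-delimited byte stream, so a CRLF embedded in
    an argument becomes a command boundary on the server side.
    """
    wire = "".join(cmd + "\r\n" for cmd in commands)
    return [line for line in wire.split("\r\n") if line != ""]


def verbs(commands: list[str]) -> list[str]:
    """Command verbs the server would execute, in order."""
    return [line.split(" ", 1)[0] for line in server_view(commands)]


def is_rejected(url: str) -> bool:
    """True if the hardened builder refuses the URL."""
    try:
        safe_commands(url)
    except FtpUrlError:
        return True
    return False


if __name__ == "__main__":
    print("naive, server sees:", server_view(naive_commands(MALICIOUS_URL)))
    print("hardened, benign   :", safe_commands(BENIGN_URL))
    print("hardened, malicious rejected:", is_rejected(MALICIOUS_URL))
```

The naive builder sends the injected `DELE` as a command of its own, which is exactly the "steal or erase data" outcome the article describes; the hardened builder rejects the link before anything is written to the socket. Note that input validation does not remove the precondition the article names, an already-authenticated session being reused for a link the victim did not type: a client should also avoid silently reusing FTP credentials for navigations initiated by a third-party page.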

35. March 11, Computerworld – (National) Researcher posts attack code for RealPlayer bug. A noted ActiveX researcher yesterday revealed a bug in RealNetworks’ RealPlayer that could be exploited by attackers to hijack Windows machines running Internet Explorer. The researcher, who has uncovered other ActiveX control vulnerabilities in MySpace, Facebook, and Yahoo software in the last two months, posted findings to the Full Disclosure security mailing list on Monday that fingered RealPlayer as flawed. “It is possible to modify heap blocks after they are freed and overwrite certain registers, possibly allowing code execution,” he said in his message to the mailing list. He also posted proof-of-concept attack code and said he is trying to come up with a working exploit. Danish vulnerability tracker Secunia rated the RealPlayer bug as “highly critical,” its second-highest ranking, and said that the flawed ActiveX control – the “rmoc3260.dll” file is the culprit – can be exploited by the usual method of tricking users into visiting malicious or compromised Web sites. Secunia confirmed the vulnerability, and added that at minimum, the newest build of RealPlayer 11 is “buggy.”
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam__malware_and_vulnerabilities&articleId=9067859&taxonomyId=85

36. March 11, InformationWeek – (National) Microsoft patch Tuesday fixes a dozen Office flaws. Microsoft on Tuesday fixed 12 vulnerabilities in four security bulletins, all of which affect Microsoft Office. The chief technology officer of Shavlik Technologies says the fact that all the vulnerabilities reside in Microsoft Office supports the current belief that client-side vulnerabilities are more likely to bear fruit for hackers than server-side vulnerabilities. MS08-014 (maximum severity of Critical) addresses a zero-day vulnerability in Microsoft Office Excel that Microsoft acknowledged in January. It could allow an attacker to take over an affected system if the victim opens a maliciously crafted Excel file. The manager of the vulnerability research lab at Qualys said that macro vulnerabilities in Excel have been a recurring problem for about a decade. While exploits for the Excel flaw have been spotted in the wild, he said that damage appears to be relatively limited. He also said it is difficult to be certain, because not all damage arising from exploitation of the vulnerability has been publicized. The usual method of exploiting this kind of flaw is enticing a user to open a file. “This is a concern because there’s no simple firewall adjustment that can address this,” he said. MS08-015 (maximum severity of Critical) addresses a new, privately reported vulnerability in Microsoft Office Outlook. The flaw could allow an attacker to read and re-route a user’s e-mail messages. MS08-016 (maximum severity of Critical) repairs two new, privately reported vulnerabilities in Microsoft Office 2000. The vulnerabilities could allow an attacker to subvert an affected system. MS08-017 (maximum severity of Critical) fixes two new, privately reported vulnerabilities in Microsoft Office Web Components. As above, these flaws could allow attackers to take control of an affected system. The four bulletins affect various versions of Microsoft Office. In the case of MS08-014, Mac versions of Office 2004 and Office 2008 are also affected.
Source:
http://news.yahoo.com/s/cmp/20080312/tc_cmp/206903046;_ylt=AoMVsxgQlxEh_tGTzZQay2ODzdAF

Communications Sector

37. March 12, Reuters – (International) Mobile firms seek India govt. meeting on BlackBerry. Mobile phone operators are seeking more talks to discuss Indian government security concerns which, a newspaper said, could lead to the termination of BlackBerry services in India, an industry official said on Wednesday. The Business Standard, citing unnamed sources, reported that Indian security agencies want BlackBerry manufacturer Research in Motion (RIM) to give them access to the algorithms needed to decrypt messages, or face a termination of the service at the end of March. “Government wants some security concerns to be addressed and we are trying for an effective dialogue with the security agencies and the department of telecommunications,” said the director general of the nine-member Cellular Operators’ Association of India. The paper said security agencies, the department of telecommunications, RIM executives and Indian operators offering BlackBerry services would meet on March 14, although this could not be confirmed. One analyst said it would not make sense for RIM to disclose its algorithms as that was their competitive advantage. The Business Standard said BlackBerry had an estimated 400,000 subscribers in India, while a program manager of ICT practice for South Asia and Middle East at consultancy Frost & Sullivan put it at more than half a million. RIM’s spokesman for India said BlackBerry services were offered in India by four providers: Vodafone, Bharti Airtel, Reliance Communications and BPL Mobile.
Source: http://news.yahoo.com/s/nm/20080312/tc_nm/blackberry_india_dc;_ylt=AqFDB7gV7as98Gm6uBggJSX67rEF

38. March 11, St. Louis Business Journal – (Missouri) Verizon Wireless upgrades emergency services for St. Louis customers. Verizon Wireless users in St. Louis County who dial 911 for emergency services will now be able to have their location pinpointed to within 150 meters thanks to a plan ratified by the wireless company and St. Louis County. The federal government requires wireless carriers to provide E911 service to their customers. Under the new plan, the enhanced 911 (E911) Phase II service allows authorities to identify the estimated location of customers to within 150 meters or less when they make an emergency call. E911 Phase II should be available within the next four months, Verizon said.
Source: http://www.bizjournals.com/stlouis/stories/2008/03/10/daily29.html?ana=from_rss
