Google has acknowledged information about fixed versions of Website Optimizer
control scripts.
A potential XSS was reported by an unnamed person.
More details at
http://websiteoptimizer.blogspot.com/2010/12/update-your-website-optimizer-scripts.html
including link to Help Center page with update
Is the affected product Secure Backup accidentally missing from the subject
line and the advisory title,
i.e. the correct title is Oracle Secure Backup Administration selector Command
Injection Remote Code Execution Vulnerability?
Juha-Matti
ZDI Disclosures [zdi-disclosu...@tippingpoint.com]
Vulnerabilities in several clientless SSL VPN products have been reported.
Gathering authentication cookies etc. is reportedly possible.
At time of writing US-CERT's advisory lists the status of about 90 vendors.
US-CERT Vulnerability Note VU#261869:
http://www.kb.cert.org/vuls/id/261869
More information via
http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx
and
https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html
Several other vendors have shipped their patches too.
Related CVE is CVE-2008-4609 -
From the statement:
June 15 2009
In the issue #66 of the Phrack magazine there was an article on exploiting TCP
Persist Timer weaknesses
(http://www.phrack.com/issues.html?issue=66&id=9#article)
to cause Denial of Service conditions.
The article discusses issues similar but not the same as
The oldest documented vulnerability in computer security world is password file
disclosure vulnerability from 1965, found by Mr. Ryan Russell.
Open Security Foundation launched a competition in April to find the oldest
documented data loss incident.
They have announced that the last day to
Microsoft has released a document describing how the Secure Development
Lifecycle (SDL) model maps to so-called CWE/SANS Top25 List,
i.e. 25 Most Dangerous Programming Error list released earlier in January.
Item-by-item type analysis as a Word document has been released too. The link
is being
CVE-2009-0006 is the correct CVE identifier and it is mentioned at Apple
advisory
http://support.apple.com/kb/HT3403
too.
Juha-Matti
security curmudgeon [jeri...@attrition.org] wrote:
: ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption
: Vulnerability
:
The worm-type exploitation has started. More information at
http://www.f-secure.com/weblog/archives/1526.html
The worm component reportedly has the detection name Exploit.Win32.MS08-067.g and
the kernel component Rootkit.Win32.KernelBot.dg, in turn.
Symantec uses Worm category too and the name
(MS08-067) FAQ has been updated to include these
detection names:
http://blogs.securiteam.com/index.php/archives/1150
Juha-Matti
Juha-Matti Laurio [EMAIL PROTECTED] wrote:
The worm-type exploitation has started. More information at
http://www.f-secure.com/weblog/archives/1526.html
The worm
The case was covered at
http://www.f-secure.com/weblog/archives/1522.html
too.
Juha-Matti
Gadi Evron [EMAIL PROTECTED] wrote:
-- Forwarded message --
Date: Tue, 28 Oct 2008 20:47:48 -0700
From: Paul Ferguson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [funsec]
I have posted Frequently Asked Questions document about the Windows RPC, i.e.
Server service vulnerability MS08-067.
The document entitled as Microsoft Windows RPC Vulnerability MS08-067
(CVE-2008-4250) FAQ - October 2008 can be found at
http://blogs.securiteam.com/index.php/archives/1150
The
Several updates to Windows RPC vulnerability (MS08-067) FAQ have been done.
-major updates to Gimmiv.A Trojan section (new malware names, signature
information added)
-added Snort and Nessus references
-added credits
-added file name and size information of the malicious executables in the wild
Robert E. Lee of Outpost24 has posted a new entry describing the recent state
of TCP/IP issue,
i.e. discussion around the TCP/IP protocol stack Denial Of Service
vulnerability.
There is a FAQ type section included too.
Link:
The vendor fixed the issue remarkably quickly, but
Additionally, the Last modified field in directory listings disclosed the
timestamp of location information too.
Addresses like [EMAIL PROTECTED] disclosed confidential information about the people working in specific organizations too.
This issue was assigned to BID31000:
http://www.securityfocus.com/bid/31000
Juha-Matti
Razi Shaban [EMAIL PROTECTED] wrote:
On 2 Sep 2008 22:58:27 -, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Google's Chrome (BETA) allows files (e.g. executable files) to be
automatically downloaded to
New information about the important infrastructure issue affecting the Fedora
Project has been released today.
Mr. Paul W. Frields, Fedora Project Leader has posted an announcement about the
facts, including:
One of the compromised Fedora servers was a system used for signing Fedora
packages.
A new malware, assigned to Trojan category, was discovered on 7th Aug.
It uses malicious links including the string www.google.com.id... pointing to
.cn domains.
More information at
http://www.sophos.com/security/blog/2008/08/1632.html
and
http://blog.facebook.com/blog.php?post=25844207130
It has the following mechanism according to McAfee:
http://vil.nai.com/vil/content/v_148955.htm
They use name W32/Koobface.worm and Kaspersky (Kaspersky Labs originally
discovered this threat) uses name Net-Worm.Win32.Koobface.b.
More information here too:
The vendor Nextime Solutions has informed about the release of upcoming bugfix
version this week.
The company VP has stated that the test process of fixed version is started and
a fixed version will be delivered to customers before a new academic term.
TietoEnator sold its education business
When examining advisory SA28209
http://secunia.com/advisories/28209/
it points to reports listing vulnerabilities in several products and versions
(Verity KeyView Viewer SDK 7.x, 8.x, and 9.x) etc.
Secunia's Web site lists advisories by a specific product too, see
Blogs post has been updated to include this information too.
Juha-Matti
Juha-Matti Laurio [EMAIL PROTECTED] wrote:
A frequent source 'A' sending updated NSA-Affiliated IP resources to
Cryptome's Web site has reported the following new information:
Certain privacy/full session SSL email
Guardster Team has posted its response on 21st Dec to Cryptome:
We can assure you that we do not cooperate with the NSA or any other
government agency anywhere in the world. We invite whomever is making this statement
to provide proof, rather than making a baseless accusation.
.
Link:
A frequent source 'A' sending updated NSA-Affiliated IP resources to Cryptome's
Web site has reported the following new information:
Certain privacy/full session SSL email hosting services have been purchased/changed
operational control by NSA and affiliates within the past few months, through
The following source lists address 'abuse at dell.com' as handler of security
issues too:
http://osvdb.org/vendor_dict.php?section=vendor&id=1756&c=D
If security is important to the company they will reply to you and deliver the
message to the right person.
Juha-Matti
[EMAIL PROTECTED] [EMAIL
The QuickTime RTSP vulnerability reported on 23rd Nov is not the only unpatched
remote vulnerability in QuickTime player.
It appears that WabiSabiLabi team has reported that there is another (they call
it zero-day vuln) flaw too, affecting XP systems.
The CVE name for this second issue
There is a well-known unpatched code execution type vulnerability reported
originally in msjet40.dll version 4.00.8618.0 too.
This issue reported by HexView is known since March 2005:
http://www.securityfocus.com/bid/12960
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0944
We probably
A widely known Web site Cryptome has released information about backdooring
Microsoft Windows machines today.
According to the post National Security Agency has access to both stand-alone
systems and networks running Microsoft products.
The post states the following:
This includes wireless
Camino 1.5.2 Release Notes document is available at
http://caminobrowser.org/releases/1.5.2/
Camino 1.5.2 contains the following improvements over version 1.5.1:
* Upgraded to version 1.8.1.8 of the Mozilla Gecko rendering engine, which includes
several critical security and stability fixes.
According to Mikko Hyppönen's post to F-Secure's blog Sony Electronics has
confirmed that they received the research report this week:
http://www.f-secure.com/weblog/archives/archive-082007.html#1266
The post says that companies have opened direct discussion channels and Sony
will receive
WiiLi.org has reported the following:
Flash player version, that is embedded in the Internet Channel, is affected by the
vulnerability in the Flash video handling code that reportedly allows executing native
code.
http://www.wiili.org/index.php/Executing_Our_Code/Flv_vuln
The related CVE
Another source is Secunia Vendor Database at
http://secunia.com/vendor/
including links to specific vendor product pages.
(example: http://secunia.com/vendor/4/ Adobe Systems)
which helps to find the official Web pages of the vendor and the product.
- Juha-Matti
Chris Wysopal [EMAIL
Possibly no, but I was just sending this reference to the lists:
http://www.kb.cert.org/vuls/id/815960
According to public reports, this vulnerability is addressed in Adobe Acrobat
Reader 8.0.
Solution:
http://www.adobe.com/products/acrobat/readstep2.html
But it is worth mentioning that
Additionally, the public PoC doesn't work on Preview version 3.0.8 (409) on OS
X 10.4.8.
- Juha-Matti
Larry Seltzer [EMAIL PROTECTED] wrote:
According to public reports, this vulnerability is addressed in Adobe
Acrobat Reader 8.0.
I've actually tested it. On Reader 8 Acrobat you get a
Additionally, the CVSS (Common Vulnerability Scoring System) Severity score of the issue
is 2.3, i.e. Low:
http://nvd.nist.gov/cvss.cfm?name=CVE-2006-6077&vector=%28AV:R/AC:L/Au:NR/C:P/I:N/A:N/B:N%29
- Juha-Matti
3APA3A [EMAIL PROTECTED] wrote:
Dear [EMAIL PROTECTED],
It's
issue US-CERT assigned a good title:
Microsoft Word malformed pointer vulnerability
http://www.kb.cert.org/vuls/id/996892
- Juha-Matti
Alexander Sotirov [EMAIL PROTECTED] wrote:
Juha-Matti Laurio wrote:
Related to the newest MS Word 0-day
http://blogs.technet.com/msrc/archive/2006/12/10/new
After the public release we have to accept the fact that the PoC will be
possibly accessible outside of exploit sites too.
The overall risk of the issue is increasing.
To confirm the existence of PoC it was listed in several references like
http://www.securityfocus.com/bid/21589/exploit
etc.
New vulnerability in Microsoft Word has been reported.
More details available at SANS Internet Storm Center Diary:
http://isc.sans.org/diary.php?storyid=1925
Microsoft has confirmed that it is a different vulnerability than this issue
reported earlier this week:
Several updates have been done to Microsoft Word 0-day Vulnerability FAQ - December
2006, CVE-2006-5994 document during the weekend.
-added information about AV vendor protection
-added information about the state of Internet threat meters
-added several reference hyperlinks
-detailed
One of the links in previous message was erroneous, because MSRC Blog hyperlink
pointed to the wrong URL.
Correction follows:
Microsoft has confirmed that it is a different vulnerability than this issue
reported earlier this week:
http://www.microsoft.com/technet/security/advisory/929433.mspx
Related to the newest MS Word 0-day
http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
US-CERT Vulnerability Note VU#166700 released today lists the following new
technical detail:
Microsoft Word fails to properly handle malformed data structures allowing
The document describes related Trojan downloader malwares and the state of
upcoming fix etc. too.
Regards,
Juha-Matti Laurio
Finland
The related Trojans have the following names:
Troj/DwnLdr-FXG
http://www.sophos.com/security/analyses/trojdwnldrfxg.html
and
Troj/DwnLdr-FXH
http://www.sophos.com/security/analyses/trojdwnldrfxh.html
Other references released:
BID:
http://www.securityfocus.com/bid/21451
FrSIRT:
.
Password Manager is known as Passcard Manager in Netscape.
Juha-Matti Laurio,
Networksecurity.fi
Michael Scheidell [EMAIL PROTECTED] wrote:
Looks like this also affects FireFox 1.5.08.
The following vendor statement (English language) including workarounds has
been released recently:
Statement on SafeGuard(R) Easy Articles regarding Configuration File
Vulnerability:
It is worth contacting the author of this blog entry:
http://grownupgeek.blogspot.com/2006/08/myspace-closes-giant-security-hole.html
related to serious information disclosure case during this summer.
- Juha-Matti
E Mintz [EMAIL PROTECTED] wrote:
Does anyone have a security contact for
This PowerPoint vulnerability is described at Microsoft Security Advisory
#925984
http://www.microsoft.com/technet/security/advisory/925984.mspx
It appears that the vulnerability is due to errors when executing VB script
SlideShowWindows.View.GotoNamedShow () automatically inside a PowerPoint
Security update for Windows Vector Markup Language (VML) vulnerability has been
released.
Fix is available via Microsoft Update or downloadable with links included to
MS06-055:
http://www.microsoft.com/technet/security/bulletin/ms06-055.mspx
Fix information has been added to Windows VML
party fix, using alternative
browser etc. too.
Regards,
Juha-Matti Laurio
Finland
It appears that there are no advisories published about Camino 1.0.3 release yet.
Camino 1.0.3 Release Notes document is available at
http://www.caminobrowser.org/releases/1.0.3.php
Fixed several critical security and stability issues, including those fixed in
version 1.8.0.7 of the Mozilla
To share updated information:
Recently reported PowerPoint code execution issue exploited by
Trojan.PPDropper.E is fixed in
http://www.microsoft.com/technet/security/Bulletin/MS06-012.mspx
The specific issue is Routing Slip issue, CVE-2006-0009.
New zero-day vulnerability in Microsoft PowerPoint has been disclosed.
This vulnerability is being exploited by Trojan horse Trojan.PPDropper.E.
This dropper type file reportedly works in all Windows systems,
but the vulnerability itself has been confirmed in PowerPoint 2000 Chinese
version.
when it becomes available. CVE name at title field helps
to differentiate several 0-day issues in Office products.
The document describes related malwares as well and list of malware names
included will be updated.
Regards,
Juha-Matti Laurio
Finland
The following references are available too:
SANS ISC:
http://isc.sans.org/diary.php?storyid=1701
http://isc.sans.org/diary.php?storyid=1705
Microsoft Security Advisory #925444:
http://www.microsoft.com/technet/security/advisory/925444.mspx
US-CERT VU#377369:
Networksecurity.fi Security Advisory (06-09-2006)
Title: IBM Lotus Notes DUNZIP32.dll buffer overflow vulnerability
Criticality: High (3/3)
Affected software: IBM Lotus Notes versions 6.5.4, 5.0.10 and prior
Author: Juha-Matti Laurio juha-matti.laurio [at] netti.fi
Date: 6th September, 2006
This zero-day vulnerability and related attacks have been confirmed by Microsoft
today. This issue affects Word version 2000.
It is also reported that Word Viewer application is not affected.
As a workaround it is possible to avoid opening Word files from untrusted
sources, including e-mail,
New FAQ document about the recently discovered 0-day vulnerability in Microsoft
Word is available.
This vulnerability has been reported especially in Office 2000 on Windows 2000
machines.
Possible other Office versions are affected as well.
This vulnerability is being exploited by Trojan from
ISC Diary has new entry published recently entitled as NT botnet submitted:
http://isc.sans.org/diary.php?storyid=1657
After the release they changed the name to botnet submitted to describe the
situation better.
The affected library of August's MS06-040, Netapi32.dll, is included in NT4.0
Several names of related Trojan and dropper have been added to Microsoft PowerPoint
Vulnerability FAQ - August 2006, CVE-2006-4274 document today.
Changes to the document have been done too:
It is known that the Trojan
-generates a hidden iexplore.exe process,
-executes as a thread of this
Several updates to Microsoft PowerPoint Vulnerability FAQ - August 2006,
CVE-2006-4274 document at
http://blogs.securiteam.com/?p=559
have been done.
* According to the new information confirmed today this is not 0-day
vulnerability, it is related to patched MS06-012:
I have constructed a FAQ document about the recent 0-day vulnerability in
Microsoft PowerPoint disclosed on Saturday.
This vulnerability is being exploited by Trojan horse TROJ_SMALL.CMZ.
The document entitled as Microsoft PowerPoint 0-day Vulnerability FAQ - August
2006, CVE-2006- (CVE
New monthly updates from Microsoft don't include patch to Msjet40.dll
vulnerability affecting Access and some other products.
There is patch to critical 0-day vulnerability in PowerPoint aka Mso.dll
vulnerability (CVE-2006-3590):
http://www.microsoft.com/technet/security/bulletin/ms06-048.mspx
Microsoft informs about ten existing Windows flaws and two Office flaws at
http://www.microsoft.com/technet/security/bulletin/advance.mspx
Some of the upcoming security bulletins have Critical severity.
Maybe it's time to release a fix to remarkably old Msjet40.dll issue reported
by HexView as
as an
LSP. I've seen literally hundreds of PCs with their network stack
buggered because the owner tried to remove NewDotNet. NewDotNet inserts
itself as an LSP.
Regards,
Mike Healan
www.spywareinfo.com
Juha-Matti Laurio wrote:
It appears that there is a new type of PowerPoint 0-day Trojan
It appears that there is a new type of PowerPoint 0-day Trojan spreading,
more details at this write-up:
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-071812-3213-99
What the technical details section says is:
Installs the file SNootern.dll as a layered service
Several updates to Microsoft PowerPoint 0-day Vulnerability FAQ document have
been done.
New items added, related Trojan horse payload information updated etc.
Link to the document is
http://blogs.securiteam.com/?p=508
- Juha-Matti
I have written FAQ document including 33 items about the recently reported
0-day vulnerability in PowerPoint.
This vulnerability is being exploited by Trojan horse including keylogger
features.
The document entitled as Microsoft PowerPoint 0-day Vulnerability FAQ is
located at my SecuriTeam
New CVE document
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3431
published recently confirms the information that Microsoft Excel Style handling
vulnerability aka Nanika.xls issue is a separate vulnerability.
This vulnerability mentioned affects only Simplified Chinese,
Several updates to First Microsoft Excel 0-day Vulnerability FAQ document at
http://blogs.securiteam.com/?p=451
have been done.
* Several exploits for this vuln and other Excel issues have been released
recently
* PoC sample file Nanika.xls was posted to Bugtraq on Monday already
The related SANS Internet Storm Center Diary entry is the following:
http://isc.sans.org/diary.php?storyid=1448
This story was updated later on Wednesday to include detailed test results.
Secunia test link included to SA20825 advisory was used.
I have not reproduced it with Firefox 1.5.0.4 in
SANS Internet Storm Center states at their updated Diary entry that after more
research on this vulnerability
it appears that Mozilla Firefox is not affected by the information disclosure
object.documentElement.outerHTML property vulnerability reported in Internet
Explorer.
Steven M. Christey [EMAIL PROTECTED] wrote:
* Advisories:
* http://www.microsoft.com/technet/security/advisory/921365.mspx
* http://www.securityfocus.com/bid/18422/
There are at least three separate Excel issues that were published in
the past week. These references suggest that it's the
I have written FAQ document including 23 items about the new Excel 0-day
vulnerability exploited by Trojan.
The document entitled as Microsoft Excel 0-day Vulnerability FAQ is located at
http://blogs.securiteam.com/index.php/archives/451
Permalink-type URL to the FAQ is
To share information about the new Release Notes document:
this issue has been fixed in version 4.1.2 (Free Edition)
http://www.realvnc.com/products/free/4.1/release-notes.html
http://www.realvnc.com/download.html
- Juha-Matti
This URL listed has been updated to include more recent (background)
information from Mr. Gavin Sharp on 7th May.
The original testcase URL is located at
http://www.gavinsharp.com/tmp/ImageVuln2.html
now.
- Juha-Matti
try this with Firefox 1.5.0.3
»www.gavinsharp.com/tmp/ImageVuln.html
This information is correct and the first address security-alert [at]
austin.ibm.com mentioned is a primary reporting address.
This address is located at OSVDB Vendor database too;
http://www.osvdb.org/vendor_dict.php?section=vendor&id=1215&c=I
listed as International Business Machines
Networksecurity.fi Security Advisory (30-03-2006)
Title: McAfee VirusScan DUNZIP32.dll Buffer Overflow Vulnerability
Criticality: High (3/3)
Affected software: McAfee VirusScan versions 10 Build 10.0.21 and prior
Author: Juha-Matti Laurio
Date: 30th March, 2006
Advisory ID: Networksecurity.fi
Probably you were pointing to the following vendor: FrSIRT, not FrCIRT.
Regards,
Juha-Matti
Symantec Deepsight Alert Services
SecurityMob
FrCIRT
iAlert Web
TraceAlert
SecurityTracker
Cybertrust Vulnerability/Threat Management
Vulnerability Tracking Service
X-Force Threat Analysis Service
Nullsoft has released a fixed version 5.13 now. Internet Storm Center
shared the information last night at
http://isc.sans.org/diary.php?storyid=1080
An official download link is
http://www.winamp.com/player/
- Juha-Matti
You can disable auto launching Winamp for playlist files as a
Networksecurity.fi Security Advisory (21-12-2005)
Title: dtSearch DUNZIP32.dll Buffer Overflow Vulnerability
Criticality: High (3/3)
Affected software: dtSearch versions prior to 7.20 Build 7136
Author: Juha-Matti Laurio
Date: 21st December, 2005
Advisory ID: Networksecurity.fi Security
For new list subscribers etc., was it the address 3Com_SRT [at] 3Com.com
listed at
http://csoweb4.3com.com/security/
or security [at] 3com.com
listed at independent dictionary
http://www.osvdb.org/vendor_dict.php?section=vendorid=1210c=%
etc.
If no, please try both of these!
Regards,
Help Net Security's Upcoming Conferences list at
http://www.net-security.org/conferences.php
has a good coverage for year 2005 too and is worth checking too.
Regards,
Juha-Matti
82 matches