Microsoft releases security update for DoS issue in ASP.NET: DHS Open Source Infrastructure Report Jan. 4th
By Kelli Tarala | January 4, 2012
Microsoft rushed to release an out-of-band security update to resolve a denial-of-service (DoS) issue that affected ASP.NET versions 1.1 and later on all supported variants of the .NET framework. A large number of Web platforms are affected by the hash collision problem, but the company was among the first to act on it. The MS11-100 security bulletin fixes a vulnerability that exists in the way ASP.NET hashes specially crafted requests. The hash collisions that occur when malicious data is inserted into hash tables could overwhelm a server’s CPU, resulting in a DoS condition. Besides this, other weaknesses are resolved in the latest security update. A phishing attack could be launched by a hacker using a spoofing vulnerability in the way return URLs are verified during the Forms Authentication process. By exploiting this flaw, an attacker can redirect a user to a malicious Web site set up to obtain private data. An authentication bypass vulnerability that exists in ASP.NET forms is more difficult to exploit, but if an attacker manages to register an account on the application and knows the name of the targeted account, he could utilize a special Web request to initiate any action, including code execution, using the targeted account. Finally, an authentication ticket caching weakness allows a cybercriminal to execute arbitrary code due to the way cached content is handled by the framework when Forms Authentication is used with sliding expiry. Combined with some social engineering, an attacker could send potential victims, ones with elevated privileges, a specially crafted link. Microsoft is not aware of any attacks taking place in the wild using these vulnerabilities, but to prevent any unfortunate incidents, users are advised to install the update.
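The hash-flooding mechanism described above, as an added illustration that is not from the Microsoft bulletin or the DHS report: a toy separate-chaining table fed the same crafted field names under a predictable unkeyed hash and under a keyed hash (HMAC with a per-process secret, the same family of mitigation as randomized hashing). The names weak_hash, ChainedTable, compare and the "fieldN" sample names are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional

NBUCKETS = 1024


def weak_hash(key: bytes) -> int:
    """Unkeyed multiply-add hash (DJB-style). Anyone who knows the formula
    can predict which bucket a request field will land in."""
    h = 5381
    for b in key:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def make_keyed_hash(secret: bytes) -> Callable[[bytes], int]:
    """Keyed hash: bucket placement depends on a secret the client never
    sees, so names chosen against the public formula no longer cluster."""
    def keyed(key: bytes) -> int:
        return int.from_bytes(hmac.new(secret, key, hashlib.sha256).digest()[:4], "big")
    return keyed


class ChainedTable:
    """Chaining table that counts key comparisons: the CPU work each insert costs."""
    def __init__(self, hash_fn: Callable[[bytes], int], nbuckets: int = NBUCKETS):
        self.hash_fn, self.comparisons = hash_fn, 0
        self.buckets: List[list] = [[] for _ in range(nbuckets)]

    def insert(self, key: bytes, value: bytes) -> None:
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for pair in bucket:                 # walk the chain looking for an existing key
            self.comparisons += 1
            if pair[0] == key:
                pair[1] = value
                return
        bucket.append([key, value])

    def longest_chain(self) -> int:
        return max(len(b) for b in self.buckets)


def colliding_field_names(n: int) -> List[bytes]:
    """Constructed sample: form-field names that all share bucket 0 under the
    predictable weak_hash, found by plain enumeration (1-in-NBUCKETS odds each)."""
    names, i = [], 0
    while len(names) < n:
        name = b"field%d" % i
        if weak_hash(name) % NBUCKETS == 0:
            names.append(name)
        i += 1
    return names


def compare(n: int = 100, secret: Optional[bytes] = None) -> dict:
    """Insert the same crafted names into a weak-hashed and a keyed table."""
    names = colliding_field_names(n)
    weak = ChainedTable(weak_hash)
    keyed = ChainedTable(make_keyed_hash(secret or os.urandom(16)))
    for name in names:
        weak.insert(name, b"x")
        keyed.insert(name, b"x")
    return {"weak_chain": weak.longest_chain(), "weak_cmp": weak.comparisons,
            "keyed_chain": keyed.longest_chain(), "keyed_cmp": keyed.comparisons}


if __name__ == "__main__":
    print(compare())  # weak: one 100-long chain, 4950 comparisons; keyed: chains of a few
```

The unkeyed table does n(n-1)/2 comparisons for n crafted names, which is the quadratic blow-up a request with thousands of parameters turns into CPU exhaustion; the keyed table spreads the same names across buckets, which is why per-process hash randomization (alongside a cap on the number of request parameters) closes this class of bug.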
Aggressive phishing attack targets military
A recent phishing attack is making the rounds in an e-mail which appears to be from USAA, a financial services company that serves military members, their families, and veterans, DoD Live reported December 31. The e-mail subject begins with “Deposit Posted.” Members are asked to open a Zeus-infected attached file. Once opened, it launches a malicious virus that could provide access to personal information and may require a complete reinstall of the computer operating system.
Antisec hacks California Law Enforcement Association, email content leaked
As part of Project Mayhem, AntiSec hackers took down the official Web site of the California Law Enforcement Association. The site was still down January 3 and the attackers claim other sites hosted on the same domain are also “wiped off the net.” Besides defacing the Web site and posting their messages on its main page, the black hats also leaked the contents of some e-mails belonging to its staffers and billing information from customers. The e-mails sent between employees show they suspected they were victims of a data breach, but it took some time for them to change the passwords. Until they did so, the hackers managed to obtain a lot of sensitive data, including the unencrypted content of some database tables that was sent via e-mail. In one of the e-mails, the hacktivists also found a list of personal e-mail addresses belonging to New York police chiefs. “For our next owning we bring you multiple law enforcement targets in the state of New York, who has been on our crosshairs for some time due to their brutal repression of Occupy Wall Street,” they said.
Stuxnet, Duqu and others created with ‘Tilded’ platform by the same team
After an extensive analysis of a large number of Stuxnet and Duqu drivers, Kaspersky Lab experts concluded the two trojans, along with other pieces of malware, were created by the same team, using a platform called Tilded, created around 2007-2008. They believe Tilded (so named because its authors tend to use file names that start with a tilde followed by the letter d (~d)) was utilized to create the two now infamous trojans, which may have been the results of simultaneous projects. The details indicate other spyware modules and programs are based on the same platform. Now, researchers present a precise timeline to show the connection between Duqu and Stuxnet, but also to show the evolution of their drivers from one year to the next. Their studies show a driver called jmidebs.sys is the connecting link between mrxcls.sys and the drivers later used in Duqu. “The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can’t be attributed either to the more targeted Duqu Trojan due to the compilation date,” the chief security expert at Kaspersky Lab said. “We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team.” In mid-2010, Tilded went through some changes that may have resulted from the need to better avoid detection by antivirus software, but also because its code could be improved.
Host storage devices vulnerable with KVM Linux virtualization
According to a kernel update advisory by Red Hat, root users in a guest system virtualized with KVM (Kernel-based Virtual Machine) can, in certain circumstances, gain read and write access to the Linux host’s storage devices. The advisory said the hole exists when a host makes partitions or LVM volumes available to the guest as “raw disks” via virtio. Privileged guest users can send SCSI requests to such volumes, which the host will execute on the underlying storage device – allowing the guest system to access all areas of the device rather than just the permitted partitions or volumes. The hole has been rated as “important” and is listed under CVE ID 2011-4127. Further background information is available in an entry in Red Hat’s bug database and in a blog posting by a Red Hat developer. Meanwhile, kernel developers are discussing the most suitable way to fix the problem; a patch suggested by another Red Hat developer has not met with the approval of Linux’s lead developer, who also thinks the patch is too dangerous to be integrated into the Linux main development branch at this point. The main development branch is expected to produce version 3.2 of the Linux kernel in early January.
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.