Infosecurity.US

Steve Benson: Persian Lights…

Marc Handelman — Thu, 02 Sep 2010 11:35:50 +0000

New, Pernicious BotNet Emerges

Marc Handelman — Thu, 02 Sep 2010 11:30:00 +0000

A botnet, first discovered in March via a Honeypot deployment by Arbor Networks, as reared up and taken out several hundred sites, both in the United States and the People’s Republic of China... Oops… More information regarding the botnet, dubbed ‘YoyoDdos’ appears after the jump.

via DarkReading’s Kelly Jackson Higgins: :New DDoS Botnet Hits Nearly 200 Websites“

“A new botnet built for knocking websites offline has attacked mostly Chinese and some U.S. sites, according to researchers. About 90 percent of the command and control servers running YoyoDdos, the nickname given the botnet by researchers at Arbor Networks who have been studying and tracking it, have IP addresses in China, and two-thirds of its victim websites are out of China. The botnet has attacked around 180 websites so far, including 32 in the U.S. “It is a pretty active botnet,” says Jeff Edwards, a research analyst with Arbor who has been analyzing the botnet, which first appeared in Arbor’s honeypot servers back in March. “We’ve detected a lot of attacks coming out of it … [around] ten unique victims a day.” The malware itself isn’t particularly sophisticated, however. “It’s pretty typical of a lot of malware we see,” he says. “It’s a fairly non-sophisticated piece of malware, but effective.”…”

VMWare Announces ESX Console Security Update

Marc Handelman — Wed, 01 Sep 2010 12:05:53 +0000

VMWare INC. (NYSE: VMW) has announced the second service console security update of the summer, focusing on the the virtualization company’s ESX product line. So-called 3rd party packages have been patched, including samba, perl, cpio, tar and last but not least krb5; related CVEs are: CVE-2005-4268, CVE-2010-0624, CVE-2010-2063, CVE-2010-1321, CVE-2010-1168and CVE-2010-1447. More information, inclusive of linkage and the release notice, appears after the jump.

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

– ————————————————————————

VMware Security Advisory

Advisory ID: VMSA-2010-0013
Synopsis: VMware ESX third party updates for Service Console
Issue date: 2010-08-31
Updated on: 2010-08-31 (initial release of advisory)
CVE numbers: CVE-2005-4268 CVE-2010-0624 CVE-2010-2063CVE-2010-1321 CVE-2010-1168 CVE-2010-1447
– ————————————————————————

1. Summary

ESX 3.5 Console OS (COS) updates for COS packages perl, krb5, samba, tar, and cpio.

2. Relevant releases

VMware ESX 3.5 without patches ESX350-201008405-SG,ESX350-201008407-SG, ESX350-201008410-SG, ESX350-201008411-SG,ESX350-201008412-SG.

Notes:
Effective May 2010, VMware’s patch and update release program during Extended Support will be continued with the condition that all subsequent patch and update releases will be based on the latest baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1, ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section “End of Product Availability FAQs” at http://www.vmware.com/support/policies/lifecycle/vi/faq.html for details. Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan to upgrade to at least ESX 3.5 and preferably to the newest release available.

3. Problem Description

a. Service Console update for cpio

The service console package cpio is updated to version 2.5-6.RHEL3.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-4268 and CVE-2010-0624 to the issues addressed in this update.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX affected, patch pending
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX ESX350-201008405-SG
ESX 3.0.3 ESX affected, patch pending

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

b. Service Console update for tar

The service console package tar is updated to version
1.13.25-16.RHEL3

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-0624 to the issue addressed in this
update.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX affected, patch pending
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX ESX350-201008407-SG
ESX 3.0.3 ESX affected, patch pending

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

c. Service Console update for samba

The service console packages for samba are updated to version
samba-3.0.9-1.3E.17vmw, samba-client-3.0.9-1.3E.17vmw and
samba-common-3.0.9-1.3E.17vmw.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-2063 to the issue addressed in this
update.

Note:
The issue mentioned above is present in the Samba server (smbd) and
is not present in the Samba client or Samba common packages.

To determine if your system has Samba server installed do a
‘rpm -q samba`.

The following lists when the Samba server is installed on the ESX
service console:

– ESX 4.0, ESX 4.1
The Samba server is not present on ESX 4.0 and ESX 4.1.

– ESX 3.5
The Samba server is present if an earlier patch for Samba has been
installed.

– ESX 3.0.3
The Samba server is present if ESX 3.0.3 was upgraded from an
earlier version of ESX 3 and a Samba patch was installed on that
version.

The Samba server is not needed to operate the service console and
can be be disabled without loss of functionality to the service
console.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX not applicable
ESX 4.0 ESX not applicable
ESX 3.5 ESX ESX350-201008410-SG
ESX 3.0.3 ESX affected, patch pending

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

d. Service Console update for krb5

The service console package krb5 is updated to version 1.2.7-72.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-1321 to the issue addressed in this
update.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX affected, patch pending
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX ESX350-201008411-SG
ESX 3.0.3 ESX affected, patch pending

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

e. Service Console update for perl

The service console package perl is updated to version
5.8.0-101.EL3.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-1168 and CVE-2010-1447 to the issue
addressed in this update.

Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
VirtualCenter any Windows not affected

hosted * any any not affected

ESXi any ESXi not affected

ESX 4.1 ESX affected, patch pending
ESX 4.0 ESX affected, patch pending
ESX 3.5 ESX ESX350-201008412-SG
ESX 3.0.3 ESX affected, patch pending

* hosted products are VMware Workstation, Player, ACE, Server, Fusion.

4. Solution

Please review the patch/release notes for your product and version
and verify the md5sum of your downloaded file.

ESX 3.5
——-

ESX350-201008405-SG (cpio)
——————-
http://download3.vmware.com/software/vi/ESX350-201008405-SG.zip
md5sum: e1d5464ab9886f93dc47ffe7b50e6246
http://kb.vmware.com/kb/1026130

ESX350-201008407-SG (tar)
——————-
http://download3.vmware.com/software/vi/ESX350-201008407-SG.zip
md5sum: 574013a102fb523c7a97c1acb05f63ea
http://kb.vmware.com/kb/1026132

ESX350-201008410-SG (samba)
——————-
http://download3.vmware.com/software/vi/ESX350-201008410-SG.zip
md5sum: c5224cf4218a3636b70207b8d269d024
http://kb.vmware.com/kb/1026134

ESX350-201008411-SG (krb5)
——————-
http://download3.vmware.com/software/vi/ESX350-201008411-SG.zip
md5sum: c0f8b642f8eddd91c959e262d1b7f181
http://kb.vmware.com/kb/1026135

ESX350-201008412-SG (perl)
——————-
http://download3.vmware.com/software/vi/ESX350-201008412-SG.zip
md5sum: 30e176f34e49c055b0485dfc921fbf81
http://kb.vmware.com/kb/1026137

5. References

CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1447

– ————————————————————————

6. Change log

2010-08-31 VMSA-2010-0013
Initial security advisory after release of patches for ESX 3.5
on 2010-08-31

– ———————————————————————–
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware security response policy
http://www.vmware.com/support/policies/security_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

—–BEGIN PGP SIGNATURE—–
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFMfeTAS2KysvBH1xkRAugBAJ4wrbYo7zxKyRfw9A6yfaHH316Q9QCePw/v
wJqQq9eENKM9xSfHoZYXnLg=
=v3+b
—–END PGP SIGNATURE—–

Nick Anderson: Egg

Marc Handelman — Wed, 01 Sep 2010 11:50:47 +0000

Doppelgänger Infinitus

Marc Handelman — Wed, 01 Sep 2010 11:40:57 +0000

Fascinating write-up targeting quantum probabilities, and, of course, those pesky doppelgängers… Additional, and possibly duplicate data appears post-seite springen..

via NewScientist’s Rachel Courtland: “Infinite doppelgängers may explain quantum probabilities“

AN IDENTICAL copy of you is also reading this story. This twin is the same in every way, living on an Earth and in a universe that looks exactly like our own. And there may be an infinite number of them. Such doppelgängers could be a natural consequence of our present conception of the universe. Now, some physicists say they could pose a serious problem for quantum mechanics. But a possible fix may also be in sight, and it could help tie abstract quantum concepts to concrete physical causes. In the uncertain, fuzzy world of quantum mechanics, particles do not have fixed properties until they are observed. Instead, objects that obey quantum rules exist in a “superposition” of all their possible states simultaneously. Schrödinger’s famous cat, for example, is both alive and dead until we take a peek inside the booby-trapped box in which it has been placed.

Robert Ariall: Iran For Cover

Marc Handelman — Wed, 01 Sep 2010 11:35:57 +0000

Data Leakage Wednesdays: Old Printer Vector

Marc Handelman — Wed, 01 Sep 2010 11:30:49 +0000

News, via the inimitable Dan Goodin, spot-on reporter-at-large (I kid-you-not, Mr. Goodin is one of the most talented technical reporters on the planet) in San Francisco, California for The Register, details what we have always known, but were to afraid to ask: How far doth my printer wander… Especially after it’s retired and the data contained therein goes astray…. More information regarding this fascinating vector for data leakage, leverage, and theft, makes it magically -delicious appearance after the now, nearly ubiquitous page break.

via The Register’s Dan Goodin: “How an ancient printer can spill your most intimate secrets“

“Researchers have devised a novel way to recover confidential messages processed in doctors’ offices and elsewhere by analyzing the sounds made when documents are reproduced on dot-matrix printers. This so-called side-channel attack works by recording the “acoustic emanations” of a confidential document being printed, and then processing it with software that translates the sounds into words. The method recovers as much as 95 per cent of the printed words when an attacker has contextual knowledge about the text being printed, such as the words included in a medical prescription or a living-will declaration. Up to 72 per cent of the text can be recovered when no context is known. The attack, which so far works only on English text, was carried out under what the researchers described as “realistic — and arguably even pessimistic — circumstances,” in which there was no shielding from ambient noise such as that made by people chatting in a nearby waiting room. Despite the wide availability of inkjet and laser printers, about 60 per cent of doctors in Germany continue to use dot-matrix devices. About 30 per cent of banks in Germany do so as well, according to the researchers. Countries such as Germany, Switzerland, and Austria require carbon-copy-capable dot-matrix printers to be used for printing prescriptions for narcotics, they said…”

XKCD: Exoplanets

Marc Handelman — Tue, 31 Aug 2010 18:00:41 +0000

Apple Releases Magic Footpad, Raises Ante On Bipedal Computer Controls

Marc Handelman — Tue, 31 Aug 2010 11:45:19 +0000

Ah yes… News of the release of another highly useful, yet subtle designed Apple Inc (NasdaqGS: AAPL) peripheral gas hit the interwebs… A short snippet and linkage appears after the jump.

via Scoopertino’s Stephanie Weehawk:”Multi-Touch goes Multi-Toe: Introducing Magic Footpad“

“Cupertino, CA — Only two weeks after Apple released Magic Trackpad, the other shoe has dropped. Or should we say foot. Now comes Magic Footpad, which brings the joy of Multi-Touch to the ten lower digits. Magic Footpad measures 2.5′ x 2.5′, fitting perfectly under your desk, and connects via Bluetooth. Though it looks similar to Magic Trackpad, it is significantly more capable. Magic Footpad recognizes individual toes, allowing you to use gestures common to other Apple trackpads (tap, swipe, double-swipe, etc.). In addition, it recognizes over 30 classic dance steps, including Cha-Cha, Rhumba, Merengue and the Twist. In networked offices, it also supports Line Dancing.”

Science Tuesday: Asteroidal Discoveries Mapped, 01980 – 02010

Marc Handelman — Tue, 31 Aug 2010 11:40:24 +0000

via The Book of Joe