Saturday, November 1, 2008

[Lockergnome] Computer Security ~ November 1, 2008


TrendLabs | Malware Blog - by Trend Micro - PayPal’s 10th Year Anniversary Phished

 

Your email updates, powered by FeedBlitz

 
Here are the latest updates for security-news@awsoda.net

"TrendLabs | Malware Blog - by Trend Micro" - 1 new article

  1. PayPal's 10th Year Anniversary Phished
  2. More Recent Articles
  3. Search TrendLabs | Malware Blog - by Trend Micro

PayPal's 10th Year Anniversary Phished

As PayPal celebrates its 10th anniversary this year, the Trend Micro Content Security Team discovered a phishing website that uses the occasion to lure users into its trap. This fraudulent site tells visitors that PayPal is throwing a party to celebrate the anniversary, supposedly as a way of letting its customers know how much PayPal appreciates their support.

The website looks very much like a typical PayPal page:

Figure 1. Screenshot of the phishing page.

It informs recipients that they are invited to the party, where there will be “plenty of fun, food, free flow drinks, music and dance” as well as some cash prizes. Like typical invitations, the page asks users to RSVP. To do this, however, they must first fill out a form, and that is where the phishers collect user information.

Users who visit this site are asked for their first and last names, telephone number, country of residence, and, most importantly, their PayPal email address. The page also has a non-mandatory eBay ID box. Filling out the form compromises victims' accounts, because the phishers may then be able to access those accounts themselves.

PayPal phishing continues to be a threat to Web users, as seen in these examples:

The phishing URL is now blocked by the Trend Micro Smart Protection Network. The technology prevents users from even accessing the page, keeping their PayPal and also eBay accounts safe from phishers.



More Recent Articles



Click here to safely unsubscribe now from "TrendLabs | Malware Blog - by Trend Micro" or change subscription settings

 
Unsubscribe from all current and future newsletters powered by FeedBlitz
Your requested content delivery powered by FeedBlitz, LLC, 9 Thoreau Way, Sudbury, MA 01776, USA. +1.978.776.9498

 

Friday, October 31, 2008

[Lockergnome] Computer Security ~ October 31, 2008


Security Alert: Lottery Scam via Skype in China

Websense® Security Labs(TM) ThreatSeeker(TM) Network has discovered a scam that uses a fake Skype message about a lottery to get money from the victim. The scam is becoming widespread in China.

The scam uses a phony Skype message to trick the victim into believing that he or she has won a large prize in a lottery. The message includes the address of a phishing Web site and the telephone number of a phony support center. When the victim calls the support number, the operator directs the victim to fill out the form on the phishing Web site, including bank account information. This scam combines Web-based phishing with telephone-based human interaction, a technique that is becoming more sophisticated and popular in China.

Here is how it works:

Step 1:
The victim receives a fake message from a phisher disguised as Skype representative. The message states that the recipient has won a large prize. The message includes a fake Web site, like "http://sky63.xxxxx.cn/", and a phone number, such as "0898-881-44xxx". Often the prize is as much as 100,000 RMB, plus a new car.

Step 2:
The victim calls the number and goes to the phishing Web site to enter personal and bank account information.

Step 3:
This is where the scammers get the victim's money. After filling out the form, the victim is directed to another Web page that informs the victim that he or she must pay a fee, in advance, to get the prize. The fee is often several hundred RMB.

The combination of the Skype message and the real phone number makes the lottery scam look real. The promise of a big prize--100,000 RMB and a car--makes the lure hard to resist. The victim happily pays the money. But the result is that the victim loses his or her money and, of course, there is no prize.

Websense Messaging and Websense Web Security customers are protected against these threats.


Protected by Websense Hosted Email Security — www.websense.com

iDefense Security Advisory 10.31.08: Oracle WebLogic Apache Connector

iDefense Security Advisory 10.29.08
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 29, 2008

I. BACKGROUND

The WebLogic Apache Connector is a module for the Apache httpd server. It
is used to proxy requests from Apache to a backend WebLogic server. For
more information, see the vendor's site at the following link.

http://edocs.bea.com/wls/docs60/adminguide/apache.html

II. DESCRIPTION

Remote exploitation of a stack based buffer overflow vulnerability in
Oracle Corp.'s WebLogic Server Apache Connector could allow an attacker
to execute arbitrary code with the privileges of the affected service.

A stack based buffer overflow vulnerability exists in the Apache
Connector of Oracle (formerly BEA) WebLogic Server. When parsing a
request with an invalid parameter the module uses a string without
properly validating its length. This string is copied into a fixed
sized stack buffer. This results in a stack based buffer overflow.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service, usually SYSTEM. The
vulnerability is a stack based buffer overflow, and many of the modules
are not compiled with SAFESEH enabled, so exploitation is trivial and
results in attacker-supplied code being executed.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in WebLogic
Server Apache Connector version 10.0. Previous versions may also be
affected.

V. WORKAROUND

Editing the httpd.conf file and adding 'LimitRequestFieldsize 4000' in
the global configuration area will prevent exploitation. However, users
will be unable to submit request parameters that are longer than 4000
bytes.
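As an added illustration (not iDefense's, Oracle's, or the connector's actual code), the C below sets the unchecked copy pattern the description refers to beside a bounded version that first applies a per-field limit in the spirit of the 'LimitRequestFieldsize 4000' workaround and then refuses any value that would not fit its fixed stack buffer. The 64-byte buffer size, the function names and the status codes are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PARAM_BUF_SIZE 64          /* assumed size of the fixed stack buffer */
#define REQUEST_FIELD_LIMIT 4000   /* mirrors 'LimitRequestFieldsize 4000' */

enum param_status {
    PARAM_OK = 0,
    PARAM_TOO_LONG = 1,            /* would not fit the fixed buffer */
    PARAM_REJECTED_BY_LIMIT = 2    /* stopped before the module sees it */
};

/* The bug class in the advisory: the value length is never checked before
 * the copy, so any value of PARAM_BUF_SIZE bytes or more writes past the
 * buffer on the stack. Kept only as the 'before' picture; it is called
 * below with a short constant and must never be fed untrusted input. */
size_t copy_param_unchecked(const char *value)
{
    char buf[PARAM_BUF_SIZE];
    strcpy(buf, value);
    return strlen(buf);
}

/* Hardened form: first enforce the per-field limit (what the httpd-level
 * workaround does before the connector runs), then refuse any value that
 * does not fit the destination instead of copying it. */
enum param_status copy_param_checked(const char *value, char *out,
                                     size_t out_size)
{
    size_t len = strlen(value);
    if (len > REQUEST_FIELD_LIMIT)
        return PARAM_REJECTED_BY_LIMIT;
    if (len >= out_size)             /* leave room for the terminator */
        return PARAM_TOO_LONG;
    memcpy(out, value, len + 1);
    return PARAM_OK;
}

/* Constructs a parameter value of n 'A' bytes (test input, not real
 * traffic) and runs it through the checked copy into a stack buffer of
 * PARAM_BUF_SIZE bytes. */
enum param_status handle_param_of_length(size_t n)
{
    static char value[REQUEST_FIELD_LIMIT + 2];
    char buf[PARAM_BUF_SIZE];
    if (n > REQUEST_FIELD_LIMIT + 1)
        n = REQUEST_FIELD_LIMIT + 1;
    memset(value, 'A', n);
    value[n] = '\0';
    return copy_param_checked(value, buf, sizeof buf);
}

int main(void)
{
    static const size_t lengths[] = { 10, 63, 64, 4000, 4001 };
    size_t i;
    printf("unchecked copy of a short value returns %zu\n",
           copy_param_unchecked("short"));
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("value of %4zu bytes -> status %d\n",
               lengths[i], (int)handle_param_of_length(lengths[i]));
    return 0;
}
```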

VI. VENDOR RESPONSE

Oracle has released a Critical Patch Update (CPU) for October 2008 which
addresses these issues. For more information, consult their advisory at
the following URL.

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-4008 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

07/31/2008 Initial Vendor Notification
08/01/2008 Initial Vendor Reply
08/29/2008 Additional Vendor Feedback
10/29/2008 Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson and Joshua J. Drake of
iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
To unsubscribe, go here:
http://www.idefense.com/mailman/listinfo/idlabs-advisories

iDefense Security Advisory 10.31.08: OpenOffice EMF Record Parsing Multiple Integer Overflow Vulnerabilities

iDefense Security Advisory 10.29.08
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 29, 2008

I. BACKGROUND

OpenOffice is an open-source office application that supports reading
and writing a wide variety of file formats. For more information, see
the vendor's site found at the following link.

http://openoffice.org

II. DESCRIPTION

Remote exploitation of multiple integer overflow vulnerabilities in
OpenOffice versions 2.4.1 and earlier could allow an attacker to
execute arbitrary code with the privileges of the current user.

Integer overflow issues exist within the code responsible for parsing
multiple EMR records within an EMF file. They allow an attacker to
overflow heap memory with attacker-supplied data.
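An added example (not OpenOffice's code) of the arithmetic the description refers to: a checked walk over one EMR_POLYLINE record, whose 32-bit point count must be bounded by the declared record size before any buffer is sized from it. The record layout (8-byte header, 16-byte bounds, 4-byte count, 8 bytes per point) follows the EMF format; the function and status names, the 64-byte cap and the sample bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EMR_POLYLINE      4u    /* EMF record type for EMR_POLYLINE */
#define EMR_HEADER_SIZE   8u    /* Type (4 bytes) + Size (4 bytes) */
#define POLYLINE_FIXED    28u   /* header + RECTL bounds (16) + Count (4) */
#define POINTL_SIZE       8u    /* one point: two 32-bit coordinates */

enum emf_status {
    EMF_OK = 0,
    EMF_TRUNCATED = 1,   /* buffer ends before the record header */
    EMF_BAD_SIZE = 2,    /* declared size inconsistent with the data */
    EMF_OVERFLOW = 3     /* point count would not fit in the record */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* The unsafe arithmetic: a 32-bit count times the element size wraps, so
 * a huge count yields a tiny byte total, a small heap allocation, and then
 * a copy driven by the original count. Shown for contrast only. */
uint32_t naive_point_bytes(uint32_t count)
{
    return count * POINTL_SIZE;          /* 0x20000001 * 8 wraps to 8 */
}

/* Checked validation of the first record in buf. Divides instead of
 * multiplying so the comparison itself cannot wrap. */
enum emf_status check_polyline_record(const uint8_t *buf, size_t buf_len,
                                      uint32_t *n_points)
{
    uint32_t type, size, count;
    if (buf_len < EMR_HEADER_SIZE)
        return EMF_TRUNCATED;
    type = rd32(buf);
    size = rd32(buf + 4);
    /* EMF record sizes are multiples of 4 and must lie within the data. */
    if (size < EMR_HEADER_SIZE || (size & 3u) != 0 || size > buf_len)
        return EMF_BAD_SIZE;
    if (type != EMR_POLYLINE)
        return EMF_OK;                    /* other record types not modelled */
    if (size < POLYLINE_FIXED)
        return EMF_BAD_SIZE;
    count = rd32(buf + 24);
    if (count > (size - POLYLINE_FIXED) / POINTL_SIZE)
        return EMF_OVERFLOW;
    if (n_points)
        *n_points = count;
    return EMF_OK;
}

/* Builds a constructed EMR_POLYLINE record (zeroed bounds and points) with
 * the given declared size and count, cut at 64 bytes to emulate a file
 * that ends early, and validates it. */
enum emf_status check_constructed(uint32_t declared_size, uint32_t count)
{
    uint8_t rec[64];
    size_t len = declared_size < sizeof rec ? declared_size : sizeof rec;
    memset(rec, 0, sizeof rec);
    wr32(rec, EMR_POLYLINE);
    wr32(rec + 4, declared_size);
    wr32(rec + 24, count);
    return check_polyline_record(rec, len, NULL);
}

int main(void)
{
    printf("naive byte count for 0x20000001 points: %u\n",
           naive_point_bytes(0x20000001u));
    printf("2 points in 44 bytes    -> %d\n", (int)check_constructed(44, 2));
    printf("3 points in 44 bytes    -> %d\n", (int)check_constructed(44, 3));
    printf("0x20000001 in 44 bytes  -> %d\n",
           (int)check_constructed(44, 0x20000001u));
    printf("200-byte record cut off -> %d\n", (int)check_constructed(200, 2));
    return 0;
}
```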

III. ANALYSIS

Exploitation of this issue allows an attacker to execute arbitrary code
with the privileges of the current user. An attacker would need to
entice a user into opening the malformed file using OpenOffice. The
file could be distributed to users via a Web page or e-mail
attachments. Upon opening the file, exploitation of this issue would
occur and execution of arbitrary code would be possible.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in OpenOffice
version 2.4.1.

V. WORKAROUND

iDefense is currently unaware of any workaround for this issue.

VI. VENDOR RESPONSE

OpenOffice has released OpenOffice.org 2.4.2 which addresses these
issues. For more information, consult their advisory at the following
URL.

http://www.openoffice.org/security/cves/CVE-2008-2238.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-2238 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/18/2008 Initial Vendor Notification
09/19/2008 Initial Vendor Reply
09/19/2008 Request Additional Information
09/24/2008 Additional Vendor Feedback
10/29/2008 Coordinated Public Disclosure

IX. CREDIT

These vulnerabilities were reported to iDefense by several parties.
Several of the issues were reported by Sebastian Apelt and several were
also reported by Code Audit Labs (http://www.vulnhunt.com).


Security Alert: Beware of Compromised Halloween-themed Web Sites

Websense® Security Labs(TM) ThreatSeeker(TM) Network has discovered that numerous Halloween-themed Web sites have been compromised as Halloween approaches and users are more likely to visit.

One particular example is a Web site selling Halloween costumes. The deobfuscation returned by ThreatSeeker shows that the JavaScript has multiple layers of obfuscation. The script contacts a malicious server in the .biz TLD. Within the ThreatSeeker network, we have seen almost ten thousand sites infected with the same obfuscation technique.

Another example is a US-based retailer using the Halloween theme to promote its products. This Web site is infected with a redirection that points to a gpack exploit kit. The ThreatSeeker network is currently tracking over thirteen thousand sites infected with these patterns.

Malware authors are not the only ones taking advantage of seasonal events. Numerous recently registered proxy Web sites are using the Halloween theme to allow users to bypass traditional URL filtering solutions.

Websense Messaging and Websense Web Security customers are protected against these threats.


DHS withdraws Coast Guard's acquisition authority

October 31, 2008
http://www.fcw.com
Daily News for IT professionals in government
FISMA bill could add $150 million to agencies' costs


More news: DHS rich in geospatial intell;
IRS and fraudulent refunds; Contractors need stronger identity management.



ALSO ON FCW.COM
Kelman: Fresh thinking on recruiting contract professionals
Blogger Steve Kelman reports on a recent initiative to recruit recent college grads into government contracting.
Which social networking tool has the biggest potential in federal agencies?
Make your pick: Blogs, Facebook, Second Life or Twitter. Also, view results of recent polls.
The 2009 Federal 100 awards: A call for nominations
Federal Computer Week is now accepting nominations for the Federal 100 awards. The deadline is Dec. 12. Read tips on writing a winning submission.
Letter: How do you manage up?
Several readers write about their experiences of being micromanaged. Management consultant Mike Lisagor replies, via a comment, to one reader asking for more advice on managing up.
Get a Life!:Transition starts next week
Advice to prospective new leadership is heating up just as the campaign ads cool off, writes blogger Judy Welles. Plus: A quick look at open season for government benefits.
Klossner on cost-plus contracting: No surprises
FCW cartoonist John Klossner, who owns a 110 year-old Maine Victorian house, appreciates the need for cost-plus contracting. Plus: Klossner on the Federal 100 awards and on the MAS panel.

Federal Computer Week
1105 Government Information Group
3141 Fairview Park Drive, Suite 777
Falls Church, VA 22042
703-876-5100

US-CERT Current Activity - VMware Releases Security Advisory VMSA-2008-0017

US-CERT Current Activity

VMware Releases Security Advisory VMSA-2008-0017

Original release date: October 31, 2008 at 9:00 am
Last revised: October 31, 2008 at 9:00 am


VMware has released a Security Advisory indicating it has updated the
ESX packages to address vulnerabilities in libxml2, ucd-snmp, and
libtiff. Exploitation of these vulnerabilities may allow an attacker
to execute arbitrary code, spoof authenticated SNMPv3 packets, or
cause a denial-of-service condition.

US-CERT encourages users and administrators to review VMware Security
Advisory VMSA-2008-0017 and apply any necessary updates to help
mitigate the risks.

Relevant URL(s):
<http://lists.vmware.com/pipermail/security-announce/2008/000039.html>

====
This entry is available at
http://www.us-cert.gov/current/index.html#vmware_releases_security_advisory_vmsa1


US-CERT Current Activity - Adobe Releases Security Advisory for PageMaker 7

US-CERT Current Activity

Adobe Releases Security Advisory for PageMaker 7

Original release date: October 31, 2008 at 9:31 am
Last revised: October 31, 2008 at 9:31 am


Adobe has released a Security Advisory to address vulnerabilities in
PageMaker 7.0.1 and 7.0.2. These vulnerabilities may allow an attacker
to execute arbitrary code.

US-CERT encourages users and administrators to review Adobe's Security
Advisory ASPA08-10 and apply any necessary updates to help mitigate
the risks. Note that the Adobe Security Advisory indicates that an
additional vulnerability remains unaddressed by the update.

Relevant URL(s):
<http://www.adobe.com/support/security/advisories/apsa08-10.html>

====
This entry is available at
http://www.us-cert.gov/current/index.html#adobe_releases_security_advisory_for1


IMPact Alert: October 31, 2008 (IMPact Index = 3)

FaceTime IMPact Alert
Friday, October 31, 2008

Current IMPact Index = 3

FaceTime Security Labs has identified the following IM and P2P-related threats.

NAME: Generic Downloader.x!42F9C9CA
RISK: Low
TYPE: Trojan
NETWORK: IRC; P2P
REMEDIATION & MORE INFO: http://www.facetime.com/securitylabs/threatdetail.aspx?id=4644

NAME: Generic Dropper!A99565CD
RISK: Low
TYPE: Trojan
NETWORK: IRC; P2P
REMEDIATION & MORE INFO: http://www.facetime.com/securitylabs/threatdetail.aspx?id=4645

NAME: Generic FakeAlert.a!42F9C9CA
RISK: Low
TYPE: Trojan
NETWORK: IRC; P2P
REMEDIATION & MORE INFO: http://www.facetime.com/securitylabs/threatdetail.aspx?id=4646

NAME: FakeAlert-AB.gen.a!5773CCF0
RISK: Low
TYPE: Spyware Worm
NETWORK: IRC; P2P
REMEDIATION & MORE INFO: http://www.facetime.com/securitylabs/threatdetail.aspx?id=4647

NAME: Generic FakeAlert.a!42F9C9CA
RISK: Low
TYPE: Trojan
NETWORK: IRC; P2P
REMEDIATION & MORE INFO: http://www.facetime.com/securitylabs/threatdetail.aspx?id=4648

NAME: Puper
RISK: Low
TYPE: Trojan
NETWORK: IRC; P2P
REMEDIATION & MORE INFO: http://www.facetime.com/securitylabs/threatdetail.aspx?id=4649

For protection against these threats, be sure you have the latest virus signature files from your anti-virus provider.



For a comprehensive list of IM and P2P threats and the latest threat index visit the FaceTime Security Labs:
http://www.facetime.com/securitylabs/imp2pthreats.aspx


Regards,

FaceTime Security Labs


FaceTime Communications
1301 Shoreway
Suite 275
Belmont CA 94002


TrendLabs | Malware Blog - by Trend Micro - 2 new articles


Portuguese YouTube Spam Leads Users To Japan, Then To Malware

Our honeypots captured spammed email messages, written in Portuguese, that supposedly come from the popular video sharing website YouTube.


Figure 1. Sample email message (forwarded).

The message body translates into the following:

Hello,

Attention!

Someone has published a video you appear in, and your name was mentioned in several videos this evening.

To report, Click Here!

Watch the video you appear in: (http://www.youtube.com/watch?v=Y6BS8926mVgI)

Regards,
YouTube Team

The text “Para denunciar, Clique Aqui!” and the YouTube URL are actually HTML links, which, interestingly, point the user to a website hosted in Japan. This site then leads to the binary cartaoyoutube.exe, a banker-type Trojan designed to steal information from the infected user's computer. The information stolen from affected systems is uploaded to a remote server.

Trend Micro detects the malware as TROJ_BANLOAD.JC. It further downloads from remote websites several other malicious files commonly related to information stealing activities.

While the social engineering techniques differ (software updates, celebrity videos, sensational news), YouTube’s popularity among Internet users keeps it a favorite lure for malware writers and spammers trying to push people towards malware. The name has been used many times in the past:

Trend Micro Smart Protection Network already blocks the spammed message and detects all the malware involved in this threat. Users are strongly advised to beware of unsolicited email messages even though they may appear to come from legitimate sources. Clicking links found in these messages almost always leads to malware or to malicious web pages.



Popular Mexican News Anchor Died!

At least that’s what a new spam run tells you.

Email messages claiming to be from Esmas, the largest television network in Mexico and also the world's largest producer of Spanish language media, inform users that Joaquín López-Dóriga has died in an automobile accident. López-Dóriga is one of the more popular news anchors in Mexico. Here’s a screenshot of a spammed message:


Figure 1. Sample email message.

This same message also informs users that they can download a news video regarding the accident by clicking on the link provided in the message. By clicking on the link, however, users are unknowingly downloading a malicious executable named videoDoriga.exe instead of an actual video:


Figure 2. Users download an .EXE file instead of video footage.

Trend Micro detects the file as TROJ_CHOST.E. Deaths of prominent personalities are a common technique used by spammers to lure users into clicking links in email messages. Shocked perhaps at the unexpected news, users may want to find out more. Since the links promise more details, users are most often tricked into clicking them.

Incidentally, another celebrity was reported dead by spammers last week, in what was a phishing operation. Other spamming operations related to famous individuals include:

These spammed email messages are already blocked by the Trend Micro Smart Protection Network. The same technology also detects the Trojan on the desktop level, and provides solutions for its removal. Users are advised to refrain from clicking links in unsolicited messages. News websites remain the best avenues for checking facts.




 

Thursday, October 30, 2008

[Lockergnome] Computer Security ~ October 30, 2008


Security Alert: China Telecom Hunan Site Compromise

Websense® Security Labs(TM) ThreatSeeker(TM) Network has discovered an injection attack on a Web site belonging to China Telecom Hunan, China.

Users who browse to the page hxxp://**snip**.vnet.cn/ run hidden frame content. The hidden frame link points to a Web page hosted on a Chinese server, which hosts exploits for Adobe Flash Player, Snapshot Viewer, MS06-014, Sina UC, UUsee, RealPlayer, and Thunder vulnerabilities.

Websense Messaging and Websense Web Security customers are protected against this threat.


Extension Information Request Memory Corruption Vulnerability

iDefense Security Advisory 03.10.08
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 10, 2008

I. BACKGROUND

Novell eDirectory is a cross-platform directory server. NetWare Core
Protocol, commonly referred to as NCP, is used by eDirectory to
synchronize data between servers in the directory tree. NCP supports
various request types, one of which is the 'Get NCP Extension
Information By Name Request.'

For more information, see the vendor's site found at the following link.

http://www.novell.com/products/edirectory/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in Novell
Inc.'s eDirectory could allow an attacker to execute arbitrary code
with the privileges of the affected service.

The vulnerability exists due to an area of heap memory being used after
it has already been freed. By sending malformed data it is possible to
cause an area of heap memory to be freed by one thread, and then reused
after another thread allocates the same area of memory. This results in
the original thread operating on the data changed by the second thread,
which may lead to the execution of arbitrary code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the affected service, usually SYSTEM. In
order to trigger this vulnerability, an attacker needs to send a series
of specifically timed requests and have some degree of control of the
memory layout of the process. In Labs testing, it was often difficult
to reliably trigger the vulnerability. While difficult, the possibility
of executing arbitrary code should not be ruled out.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in eDirectory
version 8.8 SP2 for Windows. The Linux version does not appear to be
affected. Previous versions may also be affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Novell has released a patch for this vulnerability and advises that all
users of Novell eDirectory should update.

http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037180.html
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5037181.html

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

03/10/2008 Initial vendor notification
03/10/2008 Public Disclosure
03/14/2008 Initial vendor reply

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2008 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
_______________________________________________
To unsubscribe, go here:
http://www.idefense.com/mailman/listinfo/idlabs-advisories

iDefense Security Advisory 10.30.08: Adobe PageMaker Key Strings Stack Buffer Overflow

iDefense Security Advisory 10.30.08
http://labs.idefense.com/intelligence/vulnerabilities/
OCT 30, 2008

I. BACKGROUND

Adobe PageMaker is a document layout application commonly used for
desktop publishing. For more information, see the vendor's website found
at the following address.

http://www.adobe.com/products/pagemaker/

II. DESCRIPTION

Remote exploitation of a stack buffer overflow vulnerability in Adobe
Systems Inc.'s PageMaker could allow an attacker to execute arbitrary
code with the privileges of the current user.

A vulnerability exists within the handling of PMD files, the native
file format for storing PageMaker documents. When parsing a malformed
PMD file, data from the file is copied into a buffer without proper
validation. This results in an exploitable stack-based buffer overflow.
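As an added illustration in C (not code from the advisory, from iDefense or from Adobe), the defect described above beside its hardened form: a hypothetical length-prefixed key-string record is copied into a fixed stack buffer with the file-supplied length trusted, while the safe reader validates that length against both the remaining input and the buffer before copying. The record layout, the KEY_BUF size, the function names and the sample bytes are constructed for this example and are not the real PMD format.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example (NOT the real
 * PMD format): one length byte followed by that many bytes of key text. */
#define KEY_BUF 16

/* The defect the advisory describes: the length byte comes from the file and
 * is trusted, so a record declaring 16 or more bytes overruns the stack
 * buffer 'key'. Shown for contrast only; nothing below calls it. */
void copy_key_unsafe(const uint8_t *rec, char *out)
{
    char key[KEY_BUF];
    uint8_t n = rec[0];
    memcpy(key, rec + 1, n);   /* no comparison against sizeof key */
    key[n] = '\0';             /* one more out-of-bounds write when n >= 16 */
    memcpy(out, key, KEY_BUF);
}

/* Hardened form: check the declared length against the bytes actually left
 * in the input and against the fixed buffer before copying anything.
 * Returns the number of bytes consumed, or -1 for a malformed record. */
int parse_key_safe(const uint8_t *rec, size_t rec_len, char key[KEY_BUF])
{
    if (rec_len < 1) return -1;
    size_t n = rec[0];
    if (n > rec_len - 1) return -1;  /* claims more bytes than the file holds */
    if (n >= KEY_BUF) return -1;     /* would not fit with its terminator */
    memcpy(key, rec + 1, n);
    key[n] = '\0';
    return (int)(1 + n);
}

/* Walk a sequence of records, stopping at the first malformed one.
 * Returns how many records were accepted. */
int count_valid_keys(const uint8_t *buf, size_t len)
{
    char key[KEY_BUF];
    int accepted = 0;
    for (size_t off = 0; off < len; accepted++) {
        int used = parse_key_safe(buf + off, len - off, key);
        if (used < 0) break;
        off += (size_t)used;
    }
    return accepted;
}

/* Constructed sample: a valid 3-byte key, then a record claiming 200 bytes. */
const uint8_t sample_records[] = { 3, 'A', 'B', 'C', 200, 'X', 'X' };
```

Running count_valid_keys over sample_records accepts the first record and rejects the second, which is exactly the record the unsafe copy would have written past the end of its stack buffer.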

III. ANALYSIS

Exploitation of this vulnerability could allow an attacker to execute
arbitrary code with the privileges of the user opening the file.
Exploitation would require that an attacker host a maliciously crafted
document on a website and entice users to visit the site. An attacker
could also e-mail the malicious document and use social engineering
techniques to trick the e-mail recipient into opening the document.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Adobe
PageMaker version 7.0.1 with the CVE-2007-5169 patch applied. Previous
versions may also be affected. However, Adobe InDesign CS, the
successor to PageMaker, is not affected.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Adobe categorizes this as a critical issue and recommends affected users
patch their installations, and avoid opening PageMaker files from
untrusted or unknown sources.

A patch is available from the vendor at
http://www.adobe.com/support/security/bulletins/downloads/APSA08-10.zip

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2008-6432 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/18/2007 Initial vendor notification
12/19/2007 Initial vendor response
06/09/2008 Vendor follow-up
10/29/2008 Vendor releases patch

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.


GSA creates contract for 'green' support services

Federal Computer Week Daily News
October 30, 2008
http://www.fcw.com
Daily News for IT professionals in government
GSA creates contract for 'green' support services

McCain, Obama IT reps face off

More news: DISA career mentoring; IRS progress on security; DHS tries financial IT consolidation

ALSO ON FCW.COM
FCW Insider: ELC news in review
Catch up on all the news from this week's Executive Leadership Conference, courtesy of FCW, GCN and Washington Technology. Also: The Navy CIO blogs about IT and the presidential transition.
The 2009 Federal 100 awards: A call for nominations
Federal Computer Week is now accepting nominations for the Federal 100 awards. The deadline is Dec. 12. Read tips on writing a winning submission.
Letter: Agencies pay price for outsourcing IT support
Contract staff, unlike federal employees, have no incentive to improve their skill levels, a reader writes. Also: Yet more on cost-plus contracts.
SPONSORED BY - World Wide Technology
Storage Best Practices Webcast: Register Today!

Join World Wide Technology and Sun Microsystems online November 6 at 2:00 p.m. EST for an educational webcast on Storage. This complimentary presentation will look at the industry trends and best practices for protecting, optimizing, managing and securing your data. Specific topics will include storage virtualization, tape, disk and open storage. Register Today!
SPONSORED BY - GoldenGate Software
Move from Disaster Recovery to Continuous Availability

Register Now: November 6 webcast featuring Forrester Research guest analyst on “Maximizing Data Center Investments: The Shift from DR to Continuous Availability.” Agency personnel will hear from experts on revisiting data center capabilities and how to move towards high availability solutions. Sponsored by GoldenGate Software.
Learn more!
SPONSORED MESSAGE

HP Dynamic Deduplication - Achieving 50:1 ratio
In these days of rampant data growth, a technology that can increase the effective capacity of a disk-based backup system by a ratio of up to 50:1 is big news.

Top public sector innovators - Changing the world through government, education and healthcare and life sciences
In this publication you will find dozens of short, real-life stories of challenges met—and transcended—through fresh thinking and the creative application of state-of-the-art information technology (IT). We've grouped these stories by the three main segments of the public sector, but urge you to browse outside your own industry to see if there are any new, “outside the box” ideas that may be useful for your organization.

How the U.S. Government Can Cut Overhead
By using in-house agencies to provide services to other departments that need them, the federal government is saving tens of billions of dollars and learning they can dramatically enhance cost savings and performance through standardized and streamlined processes that evolve through competition. Click here to read this insightful article by Kristine Rohls and David Mader of Booz Allen, which examines opportunities for administrative services optimization.

Oracle Solutions for Public Sector
Public sector managers face constant pressure to do more with less to meet increasing expectations, despite a strong resistance to raising taxes. Oracle’s solutions for government provide a secure, scalable and reliable infrastructure that can help them improve operational effectiveness, integrate programs, improve fiscal management and maximize revenue collection.

Oracle Enterprise Taxation Management
Oracle Enterprise Taxation Management is specifically designed to support the challenges of tax and revenue agencies worldwide, expanding Oracle’s commitment to the public sector industry. It is a secure, tax-specific, commercial off-the-shelf (COTS) software solution that enables tax and revenue authorities to optimize all aspects of the revenue collection process and quickly respond to tax law and regulatory changes...

FCW MARKETPLACE: PRODUCTS AND SERVICES FROM OUR SPONSORS

ServerVault Hosting: FISMA, DITSCAP/DIACAP, NIST
Secure, compliant hosting & IT management for Federal agencies, integrators. FISMA, DITSCAP/DIACAP

Government-Compliant SaaS: Free White Paper from ServerVault
Read this primer on SaaS requirements for the Federal market, including compliance and security.

State of the States 2008: Technology Initiatives & Implications
INPUT analyzed the budgets of all 50 states to identify major trends and IT projects. Learn about the critical technology initiatives across 11 major verticals, how to align your BD strategy with state priorities & more. Get a Free Executive Summary

7 Steps to Mitigate Virtualization Security Risks
Learn 7 practical steps to prove compliance and minimize security risk throughout your virtual IT infrastructures.

Need Help Migrating to IPv6?
Spirent Federal Systems is the industry leader in IPv6 Migration Testing. Military programs have to migrate to IPv6. Government agencies turn to Spirent Federal Systems to certify networks are fully compliant. Click to learn about IPv6 testing.

Federal Computer Week
1105 Government Information Group
3141 Fairview Park Drive, Suite 777
Falls Church, VA 22042
703-876-5100
