Microsoft Windows XP/2003/Vista memory corruption0day

3APA3A just posted the following e-mail to the FD list, so if anyone is looking for details on the Vista 0-day mentioned earlier. Here's the mail that was sent: Dear full-disclosure@lists.grok.org.uk, Since it's already wide spread on the public forums and exploit is published on multiple sites and there is no way to stop it, I think it's time to alert lists about this. On the one of Russian forums: http://www.kuban.ru/forum_new/forum2/files/19124.html message was published by NULL about vulnerability in Windows on processing MessageBox() with MB_SERVICE_NOTIFICATION flag and message/caption beggining with \??\. Vulnerability seems to be memory corruption in kernel and causes system crash or hang after few attempts. It seems to happen because message is logged to event log and may point to some problem with event logs processing. Vulnerability details and code may be found here: http://www.security.nnov.ru/Gnews944.html There is potential remote exploitation vector if some service uses user-supplied input for MessageBox() function. Messenger service is not vulnerable in this way, because it prepends user-supplied input with additional string. I contacted Microsoft on this issue on December, 16.

Too much effort to carry around a laptop and an RSA token?

This is classic!! Security By Oblivity

Month Of Apple Bugs, Beginning January 1st 2007

As you all know I am a huge fan of Apple's OS X operating system, but I am also heavily involved in information security as well. I personally think that something like this is one of the best things that can happen to Apple's operating system, I also think that the timing is perfect as well, as this will put some strain on Apple to get these fixed in a timely manner. On the 9th of January Steve Jobs will be giving his keynote at Macworld, so I am guessing this means that most of Apple's techies will be working to find any bugs in any of the new kit that will obviously be getting announced. Having the Month Of Apple Bugs at this time, will hopefully show us all just how seriously Apple takes the security of it's operating system. The really great thing with this is though that any bugs found by LMH and KF will hopefully help to make OS X even more secure once they have been patched, and if Apple plays this hand right, it could also show MS how things are supposed to be done in the security world. I don't know whether this second part will happen, but it's a nice thought at least. I guess we'll just have to wait and see what happens. Either way, I think that January is going to be a damn good month!

Does Microsoft really take security seriously?

I've been wondering about the above question for a while now, and I really can't wait to sit face to face with an MS security person next month and ask them that exact question. It seems of late all of their effort has been going into releasing Vista, and well, even that isn't exactly secure is it? There are already a couple of 0-day's floating around the net for Vista, now I'm sure that no company in their right mind would have rolled Vista out into the production networks yet (well, aside from MS anyway), but this is still a major threat. The folks over at SANS have updated the list of MS vulnerabilities that have still not been patched, and these are known to be getting exploited. The oldest one of these goes back to the 19th July this year, that's over 6 months old! This really makes me wonder what they hell they are playing at. MS has a lot more money that any security researchers/hackers do, and well if the vulnerabilities can be found, they can be patched. So I would really like to know why these are taking so damn long. In total SANS have 9 vulnerabilities listed, I seem to think that there may be a couple more on top of that as well! The list of vulnerabilities can be found here. So what are everyone else's views on this situation?

Thornography Tour

So last night we went to go and see Cradle Of Filth at the Astoria in London, and well aside from messing my knee up before we even got to the gig, it was an amazing night! Up until last night I would have always rated Iron Maided as the best band that I have ever seen live, well even though I was in pain through the Cradle concert last night, Cradle seriously blew Maiden away. The one thing that sucks the most though is that last night was the last leg of their European tour, and next year they will be touring the U.S, so I guess that I'm going to have to wait a while before seeing them again. Seeing live Cradle music videos on the TV really doesn't do them any justice, as the live shows that I've seen on Tv have always had really poor sound. Last night however the sound was perfect, loud, clear and they sounded as good, if not better live than they do on their albumns. I think that they managed to play everything off of the new albulm Thornography last night, as well as some real classics such as "Her Ghost in The Fog", and my all time favourite "Nymphetamine". The only thing that was really wierd about the whole night, was that there was a hell of a lot of tiny little kiddie's there, probably between the ages of 13-16, which just seemed really wrong, but hey. If you like metal at all, do yourself a favour and go and see this band live!

Passed Sun Certified Systerm Administrator Exam! (Well, the first one anyway)

So I spent a couple of days preparing for the exam (CX-310-200), and then yesterday I went and sat the exam. Considering I went into the exam with an open mind, and no idea at all if I was going to pass or fail. I was really happy when I finally walked out of the tiny little testing room, and eventually got to look at my results and saw the word PASS! I must say though, I've been working with Solaris for a good few years now, and I would hate to try the exam if I hadn't, okay granted I could have spent a lot more time preparing for the exam, but hey, I always managed to find something better to do than study. Today I booked the 2nd exam (CX-310-202) for the 19th January, for this next one though, I'm going to have to get some serious studying in, as I think that this next one is going to be a bit of a nightmare. All going well though, after the 19th January, I should be SCSA certified. I then need to start preparing for the other exams that I got vouchers for, before the vouchers are no longer valid. The two that I still have to do, before I take on anything new are the Sun Certified Java Programmer (SCJP), and the Cisco Certified Network Associate (CCNA). I'm hoping to get both of them behind me by the end of March next year, but we'll see what happens between now and then I guess.

Backdooring MP3 Files

GNUCITIZEN has got a damn good write up on backdooring mp3 files, and I'd definetly recommend it to anyone who's interested in the security implications of this. This is a cross platform problem, due to a "feature" in the latest version of Apple's Quicktime. I use the term "feature" loosly here, as it is a security issue, but so far Apple are failing to admit this. Anyway, here's the link: Backdooring MP3 Files

GSEC Gold

So after spending what felt like a year working on on my paper for the GSEC Gold certification, I finally got it finished thanks to the great advisor that was working on it with me. I got an e-mail come through letting me know that my paper has been accepted, and that I passed!

So I went to go and check the SANS site to see if my paper had been added and well, I couldn't wipe the grin off my face for the whole day. My paper ended up in the honors section of the GIAC site!

If anyone's interested the paper's titled "Securing Apache on Mac OS X", it covers securing OS X, Apache, PHP, mod_security, and setting up SSL.

You can find it online here: Securing Apache on OS X

Other news is, that I found out that I can send photo's from my cell phone, right onto this blog, so that's pretty cool, and hence the reason that I am updating this blog again, and why there are pictures of our 2 cats as well.

I'm hoping to put a load more articles up here in the near future as well, but I've also got a load of studying to do as well, as this coming Wednesday I'm sitting the Solaris 10 certification exam, well part one anyway. So wish me luck.

Well, let's see how long this round of blogging lasts shall we?

Now Playing:
The Promise of Fever from the album "Damnation and a Day" by Cradle Of Filth

Monty

Oscar

Scary RFID uses

Just saw this and as interesting as this is, it's just damn scarey to be honest. Oh yeah, and maybe I'll start using this damn blog thing again, now that xmas is coming up. Anyway here's the link: http://www.rfidlowdown.com/2006/12/cool_surprising.html

OS X As A Pentesting OS

Just added the above entry on the SecuriTeam site, so go and check it out and give me your feedback. http://blogs.securiteam.com/index.php/archives/246

SecuriTeam Blog

Hey All, Well this blog may not be getting updated with any new security articles, as they will all be getting posted on Securiteam's site located at http://blogs.securiteam.com from now on. This one will still have daily rants, and most OS X related stuff though. xyberpix

New Email worm doing the rounds rather rapidly.

Just got this off of the F-Secure blog, so c'mon people time to update those virus defs. "The worm, named as Email-Worm.Win32.VB.bi seems to be spreading quite aggressively, it is already 3rd in our Virus Statistics. It is a simple mass-mailer written in Visual Basic. Please see the virus description for more details. We detect the worm with FSAV update version 2006-01-18_02." Summary Email-Worm.Win32.VB.bi is a mass-mailing worm that also tries to spread using remote shares. It also tries to disable security-related software. Detailed Description

Installation to system Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations: %Windows%\rundll16.exe %System%\scanregw.exe %System%\Update.exe %System%\Winzip.exe where '%Windows%' presents the system Windows folder. In Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key for ensuring it will be started on system startup: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe" Spreading in e-mails The worm collects e-mail addresses from files with following extensions: .HTM .DBX .EML .MSG .OFT .NWS .VC .MBX .IMH .TXT .MSF And from the files with the following string in name: CONTENT TEMPORARY The worm sends itself as attachment in the infected e-mail. The e-mail subject is one the following: The Best Videoclip Ever School girl fantasies gone bad A Great Video Fuckin Kama Sutra pics Arab sex DSC-00465.jpg give me a kiss *Hot Movie* Fw: Funny :) Fwd: Photo Fwd: image.jpg Fw: Sexy Re: Fw: Part 1 of 6 Video clipe You Must View This Videoclip! Miss Lebanon 2006 Re: Sex Video My photos The message body may be one of the following: Note: forwarded message attached. Hot XXX Yahoo Groups Fuckin Kama Sutra pics ready to be FUCKED ;) Note: forwarded message attached. forwarded message attached. VIDEOS! FREE! (US$ 0,00) i attached the details. Thank you. >> forwarded message ----- forwarded message ----- i just any one see my photos. It's Free :) The worm can attach itself as executable file. It uses one the following names in attachment: 007.pif School.pif 04.pif photo.pif DSC-00465.Pif image04.pif 677.pif New_Document_file.pif eBook.PIF document.pif DSC-00465.pIf Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following: Attachments[001].B64 3.92315089702606E02.UUE SeX.mim Original Message.B64 WinZip.BHX eBook.Uu Word_Document.hqx Word_Document.uu The filename inside MIME-encoding is one of the following: Attachments[001].B64 [spaces] .sCR 3.92315089702606E02.UUE [spaces] .sCR SeX,zip [spaces] .sCR WinZip.zip [spaces] .sCR ATT01.zip [spaces] .sCR WinZip.zip [spaces] .sCR Word.zip [spaces] .sCR Word XP.zip [spaces] .sCR Spreading in shared folders The worm searches for remote shared folders and tries to copy itself using one of the following filenames: \Admin$\WINZIP_TMP.exe \c$\WINZIP_TMP.exe \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe Other details The worm attempts to disable several security-related programs.

iPod Video 60GB

Well, I got one of these lovely little toys the other day, thankfully it came at just the right time as my Archos Jukebox was on it's last legs, and really wasn't going to last too much longer at all. I went for the white one, and well it really is a lovely little piece of kit. Considering I've never had an iPod before the scroll wheel takes a bit of getting used to, but after that it's such a breeze to use. The fact that it's 60GB in size as well is brilliant! So far I've managed to get all my mp3's, 3 videos and 2 video podcasts on it, as well as sync my address book and calender. The video version also comes with a few games on it, my fav of these has got to be the music game, it plays a few seconds of a song, and gives you 4 options to pick which song is currently playing. The longer you leave the song playing for, the less points you get. I thought that I really would've known my music a lot better than I do, I'll say that much. I am really paranoid about scratching the screen though, as right now it looks great and I really want to keep it that way, so roll on pay-day so that I can order a case for the thing. Video playback on the iPod video is truely amazing, I never would have thought that the quality would be as high as it is. My Archos Jukebox could play video, which when I got it was really cool, but the quality seriously sucked, and the size of the screen really didn't help matters either. Even though iPods are not the cheapest MP3 players on the market, I really doubt I'll ever buy another MP3 player that's not an iPod. I'm hoping that I never have to, but we'll have to see how technology changes in the coming years. If you're in the market for an MP3 player, head over to somewhere that'll let you play around on the iPod video for a few minutes and see what you think, I doubt you'll be disappointed.

gDisk

Finally, some's developed something that I've missed since the days that I was running Linux. A Gmail drive extension for OS X. What this means is that you can use all that cool space, 2 GB at the moment that Google gives you to store mail, as an external hard drive! Great for those offsite backups as well, you know, all the things that really matter. Fine it's not enough space to upload your iMovie files, but hey, you'd want to keep them private anyway. Well, here's the link to the OS X one gDisk: http://gdisk.sourceforge.net/ Here's the one's for Linux and Windows respectively as well: Linux http://richard.jones.name/google-hacks/gmail-filesystem/gmail-filesystem.html Windows http://www.viksoe.dk/code/gmail.htm Have fun!

Technorati Tags: Security, UK

How To Install Apple's Front Row on any Mac running OS X 10.4.3 or later.

I was trying to figure out a way to do this after watching Steve Jobb's latest keynote, and seeing the shiny new iMac's. Well, after a little bit of Googling, someone's already figured out how to do this, and it runs perfectly on my 15" Powerbook. For info on how to get it running head over to http://www.andrewescobar.com/frontrow , and follow the directions. Have fun.