May 9th, 2009 . by DarkFiber Consulting
Mozilla Foundation has released Firefox 3.0.10 to address a memory corruption vulnerability. Exploitation of this vulnerability may result in a denial-of-service condition.
DarkFiber Consulting encourages users and administrators to review Mozilla Foundation Security Advisory MFSA 2009-23 and update to Firefox 3.0.10 to help mitigate the risk.
May 9th, 2009 . by DarkFiber Consulting
DarkFiber Consulting is aware of public reports of two vulnerabilities affecting Adobe Reader and Acrobat. The JavaScript methods customDictionaryOpen() and getAnnots() do not safely handle specially crafted arguments and can be manipulated to execute arbitrary code.
DarkFiber Consulting encourages users and administrators to disable JavaScript in Adobe Reader to help mitigate the risk:
- Open the General Preferences dialog box
- From the Edit menu, select Preferences and then choose JavaScript
- Un-check Enable Acrobat JavaScript
Additional information regarding these vulnerabilities can be found in the Adobe PSIRT blog entry and in the Vulnerability Notes Database. DarkFiber Consulting will provide additional information as it becomes available.
November 7th, 2008 . by DarkFiber Consulting
DarkFiber Consulting is aware of public reports of active exploitation of a recent Adobe Reader vulnerability. This exploit appears to arrive in the form of a maliciously crafted PDF file and leverages the JavaScript buffer overflow vulnerability addressed in Adobe Security Bulletin APSB08-19. Successful exploitation may allow an attacker to execute arbitrary code or cause a denial-of-service condition. Additionally, the reports indicate that this exploit is currently undetectable by common antivirus applications.
DarkFiber Consulting encourages users and administrators to do the following to help mitigate the risk:
- Review Adobe Security Bulletin APSB08-19 and update to Adobe Reader 9.
- Use caution when opening untrusted files.
- Install antivirus software and keep the virus signatures up to date.
August 26th, 2008 . by DarkFiber Consulting
DarkFiber Consulting is aware of active attacks against Linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed.
Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.
Detection of phalanx2 as used in this attack may be performed as follows:
- “ls” does not show a directory “/etc/khubd.p2/”, but it can be entered with “cd /etc/khubd.p2”.
- “/dev/shm/” may contain files from the attack.
- Any directory named “khubd.p2” is hidden from “ls”, but may be entered by using “cd”.
- Changes in the configuration of the rootkit might change the attack indicators listed above. Other detection methods may include searching for hidden processes and checking the reference count in “/etc” against the number of directories shown by “ls”.
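The two listing-based checks above can be scripted. The following is an added example, not part of the original alert: the function names are hypothetical, and it assumes GNU stat and find on Linux and a filesystem (ext2/3/4, XFS, tmpfs) where a directory's link count is 2 plus its number of subdirectories.

```shell
#!/bin/sh
# Added example (not from the alert). Assumes GNU stat/find and a filesystem
# where a directory's link count equals 2 + its number of subdirectories.

# is_hidden_dir PATH
#   0 = PATH can be entered with cd but is missing from its parent's listing
#   1 = nothing suspicious (listed, or cannot be entered at all)
#   2 = parent directory could not be listed, so no verdict
is_hidden_dir() {
    hd_path=${1%/}
    hd_parent=$(dirname -- "$hd_path")
    hd_name=$(basename -- "$hd_path")
    ( cd -- "$hd_path" ) 2>/dev/null || return 1
    ls -a -- "$hd_parent" >/dev/null 2>&1 || return 2
    if ls -a -- "$hd_parent" | grep -Fxq -- "$hd_name"; then
        return 1
    fi
    return 0
}

# nlink_check DIR
#   0 = link count matches the subdirectories that a listing returns
#   1 = mismatch between link count and listed subdirectories
#   2 = link count unusable here (stat failed, or filesystem reports < 2)
nlink_check() {
    nl_links=$(stat -c %h -- "$1" 2>/dev/null) || return 2
    [ "$nl_links" -ge 2 ] || return 2
    nl_listed=$(find "$1" -mindepth 1 -maxdepth 1 -type d -exec printf x ';' 2>/dev/null | wc -c)
    [ "$((nl_links - 2))" -eq "$((nl_listed))" ] && return 0
    return 1
}

# Usage: sh check.sh /etc   (run as root; khubd.p2 is the name given in the alert)
if [ "$#" -gt 0 ]; then
    rc=0; is_hidden_dir "$1/khubd.p2" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "ALERT: $1/khubd.p2 can be entered but is not listed"
    fi
    rc=0; nlink_check "$1" || rc=$?
    case $rc in
        1) echo "ALERT: $1 link count disagrees with its listed subdirectories" ;;
        2) echo "NOTE: link-count check not usable on $1" ;;
    esac
fi
```

Both checks run on the possibly compromised host, so a clean result is weaker evidence than a positive one; examining the disk from trusted boot media avoids relying on the suspect kernel.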
DarkFiber Consulting encourages administrators to perform the following actions to help mitigate the risks:
- Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
- Encourage users to protect their keys with a passphrase or password to reduce the risk if a key is compromised.
- Review access paths to internet facing systems and ensure that systems are fully patched.
If a compromise is confirmed, DarkFiber Consulting recommends the following actions:
- Disable key-based SSH authentication on the affected systems, where possible.
- Perform an audit of all SSH keys on the affected systems.
- Notify all key owners of the potential compromise of their keys.
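For the key identification and audit steps above, the script below finds private-key files that carry no passphrase. It is an added example, not part of the original alert: the function names are hypothetical, it reads only the file headers, and it goes beyond the alert by also recognising the newer OpenSSH key format alongside legacy PEM keys.

```shell
#!/bin/sh
# Added example (not from the alert): classify private-key files by header only.

# key_protection FILE -> prints "encrypted", "unprotected" or "not-a-key"
key_protection() {
    kp_head=$(head -n 1 -- "$1" 2>/dev/null | tr -d '\r')
    case $kp_head in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")      # PKCS#8, encrypted form
            echo encrypted ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # Body starts with base64("openssh-key-v1\0" + uint32 length + cipher
            # name); the longer prefix below decodes to the cipher name "none".
            case $(sed -n 2p -- "$1") in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA*) echo unprotected ;;
                b3BlbnNzaC1rZXktdjEA*)             echo encrypted ;;
                *)                                 echo not-a-key ;;
            esac ;;
        "-----BEGIN "*"PRIVATE KEY-----")             # legacy PEM or plain PKCS#8
            if grep -q -- '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo encrypted
            else
                echo unprotected
            fi ;;
        *)  echo not-a-key ;;
    esac
}

# list_unprotected DIR... -> prints each small regular file holding an unprotected key
list_unprotected() {
    find "$@" -type f -size -64k 2>/dev/null | while IFS= read -r lu_file; do
        if [ "$(key_protection "$lu_file")" = unprotected ]; then
            printf '%s\n' "$lu_file"
        fi
    done
}

# Usage: sh keyaudit.sh /home /root /etc/ssh
if [ "$#" -gt 0 ]; then
    list_unprotected "$@"
fi
```

Host keys under /etc/ssh are stored unencrypted by design and will be listed; the keys to follow up on are user and service-account keys.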
DarkFiber Consulting will provide additional information as it becomes available.
July 28th, 2008 . by DarkFiber Consulting
RealNetworks has released an update to address multiple vulnerabilities in RealPlayer. These vulnerabilities may allow an attacker to execute arbitrary code or obtain sensitive information. RealNetworks identifies the vulnerabilities as the following:
- RealPlayer ActiveX controls property heap memory corruption.
- Local resource reference vulnerability in RealPlayer.
- RealPlayer SWF file heap-based buffer overflow.
- RealPlayer ActiveX import method buffer overflow.
DarkFiber Consulting encourages users to review the RealNetworks advisory and apply the appropriate updates to help mitigate the risk.
July 18th, 2008 . by DarkFiber Consulting
Research In Motion has released a Security Advisory to address a vulnerability in the BlackBerry Enterprise Server. This vulnerability is due to the improper processing of PDF files within the distiller component of the BlackBerry Attachment Service. By convincing a user to open a maliciously crafted PDF attachment on a BlackBerry smartphone, an attacker may be able to execute arbitrary code on the system running the BlackBerry Attachment Service.
DarkFiber Consulting encourages users to review BlackBerry Security Advisory KB15766 and apply the resolution or implement the workarounds listed in the document to help mitigate the risk.
DarkFiber Consulting will provide additional information as it becomes available.