Happy birthday, disk drive
Today is the 50th anniversary of the first computer system that had a disk drive. See here for more info.
Keywords:
0 comment(s)
PHP - shared hosters, take note.
PHP is a popular server side scripting language.
PHP's (security) settings are typically controlled from a php.ini file. This allows the system administrator to control settings such as such as safe_mode and open_basedir.
People managing shared hosting machines often control the settings on a more granular level in the apache configuration (httpd.conf) as they can set it there per directory and allow for the different hosted sites to have different settings.
This latter method of limiting scripts can be overcome from inside the scripts themselves. Details are trivially available.
So that leaves:
update:
Stefan Esser from the hardened php project wrote in with a quick workaround: add "ini_restore" to the list of disabled functions in php.ini:
While at it: those hardening scripts available at the hardened-php site should really be applied in a hosting situation. They protect against this vulnerability already. And perhaps a close look for the beta "suhosin" would not be a bad idea either.
If you are interested in securing PHP, you might also be interested in the PHP 6 comments and the Tip of the Day on php from Johannes.
update:
Steve wrote in to suggest that -in addition to disabling ini_restore- you might want to look at disabling ini_set as well.
--
Swa Frantzen -- Section 66
0 comment(s)
PHP's (security) settings are typically controlled from a php.ini file. This allows the system administrator to control settings such as such as safe_mode and open_basedir.
People managing shared hosting machines often control the settings on a more granular level in the apache configuration (httpd.conf) as they can set it there per directory and allow for the different hosted sites to have different settings.
This latter method of limiting scripts can be overcome from inside the scripts themselves. Details are trivially available.
So that leaves:
- Control PHP settings from the php.ini file if possible;
- If you are a shared hosting provider: check the CVS repository, reportedly the needed fixes have been checked in (unconfirmed);
- Cross your fingers and wait for the next release of PHP (the current releases are reportedly affected).
update:
Stefan Esser from the hardened php project wrote in with a quick workaround: add "ini_restore" to the list of disabled functions in php.ini:
disable_functions=...,ini_restoreThis is much easier than trying to find the fix in the source code till the next release of PHP.
While at it: those hardening scripts available at the hardened-php site should really be applied in a hosting situation. They protect against this vulnerability already. And perhaps a close look for the beta "suhosin" would not be a bad idea either.
If you are interested in securing PHP, you might also be interested in the PHP 6 comments and the Tip of the Day on php from Johannes.
update:
Steve wrote in to suggest that -in addition to disabling ini_restore- you might want to look at disabling ini_set as well.
--
Swa Frantzen -- Section 66
Microsoft security patches for September 2006
Overview of the September 2006 Microsoft patches.
0 comment(s)
| # | Affected | Known Problems |
Known Exploits | Microsoft rating | ISC rating (*) | |
|---|---|---|---|---|---|---|
| clients | servers | |||||
| re-released MS06-040 | Server Service CVE-2006-3439 |
Re-released to fix known problems KB921883 |
Multiple botnets actively exploiting this. | Critical |
PATCH NOW |
PATCH NOW |
| re-released MS06-042 | Internet Explorer (MSIE) CVE-2006-3280 CVE-2006-3450 CVE-2006-3451 CVE-2006-3637 CVE-2006-3638 CVE-2006-3639 CVE-2006-3640 CVE-2004-1166 CVE-2006-3869 new: CVE-2006-3873 |
Re-released to fix the known problems with MSIE6SP1 KB918899 |
Well known vulnerabilities |
Critical |
PATCH NOW |
Important |
| MS06-052 | Microsoft Queue System (MSQS) - Pragmatic General Multicast (PGM) CVE-2006-3442 |
No reported problems KB919007 |
No known exploits yet |
Important |
Critical | Critical (**) |
| MS06-053 | Indexing Service CVE-2006-0032 |
No reported problems KB920685 |
No known exploits yet | Moderate |
Less urgent |
Important |
| MS06-054 | Publisher CVE-2006-0001 |
No reported problems KB910729 |
No known exploits yet | Critical |
Critical | Less urgent |
We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
The key is that the separation between server and client is how you use the machine, we rated the MSIE issues in MS06-042 lower due to most administrators being smart enough never to surf the web on a server. Still, if you installed a windows server license on your laptop and surf the web with it, it is at high risk even if it is a "server" licensed version of the OS.
--
Swa Frantzen -- Section 66
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leaisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
The key is that the separation between server and client is how you use the machine, we rated the MSIE issues in MS06-042 lower due to most administrators being smart enough never to surf the web on a server. Still, if you installed a windows server license on your laptop and surf the web with it, it is at high risk even if it is a "server" licensed version of the OS.
--
Swa Frantzen -- Section 66
Qwest having problems? (ALL FIXED)
We've started noticing some problems with Qwest's network. We've had no reports as to the cause, and we are sure that Qwest is working on it.
The Internet Health Report confirms the outage. Click here.
More to come as we know more.
"According to the Qwest NOC this outage was due to a fiber cut in Oklahoma that created an internal routing loop. I just called into the NOC and this is the info they gave me. We saw an outage for approximately 25 minutes and the Qwest NOC confirmed this."
Glad to see they got it all fixed.
The Internet Health Report confirms the outage. Click here.
More to come as we know more.
UPDATE #1
Reader Eric writes in to tell us:"According to the Qwest NOC this outage was due to a fiber cut in Oklahoma that created an internal routing loop. I just called into the NOC and this is the info they gave me. We saw an outage for approximately 25 minutes and the Qwest NOC confirmed this."
Glad to see they got it all fixed.
Keywords:
0 comment(s)
Adobe Flash player upgrade time
Adobe released its APSB06-11 advisory on some patched versions of it's flash player today. These upgrades address multiple vulnerabilites in relation to input validation. They lead to arbitrary code execution.
Upgrading to the latest greatest version: 9.0.16.0 is highly recommended.
Apple Mac OS X users as well as Windows users are urged to upgrade. It's important as content vectors are something the dark sides likes to embrace.
CVE-2006-3014
CVE-2006-3311
CVE-2006-3587
CVE-2006-3588
CVE-2006-4640
A reader pointed us to the knowledge base article for more information on how to deploy it using e.g. a msi.
Another reader pointed us to Linux (and actually Solaris as well) users also need to upgrade their flash players. [They need to stay with the version 7 player, but have an upgrade waiting nevertheless].
--
Swa Frantzen -- Section 66
0 comment(s)
Upgrading to the latest greatest version: 9.0.16.0 is highly recommended.
Apple Mac OS X users as well as Windows users are urged to upgrade. It's important as content vectors are something the dark sides likes to embrace.
CVE-2006-3014
CVE-2006-3311
CVE-2006-3587
CVE-2006-3588
CVE-2006-4640
A reader pointed us to the knowledge base article for more information on how to deploy it using e.g. a msi.
Another reader pointed us to Linux (and actually Solaris as well) users also need to upgrade their flash players. [They need to stay with the version 7 player, but have an upgrade waiting nevertheless].
--
Swa Frantzen -- Section 66
Microsoft Security Bulletin MS06-054
A remote code execution vulnerability exists in Publisher. An attacker could exploit this vulnerability when Publisher parses a file with a malformed string.
If a user were logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
Mitigating Factors:An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Publisher file that is used to attempt to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful a user must open an attachment that is sent in an e-mail message.
Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.
By default, Publisher is only installed on the Professional Suites of Office.
Recommendation: If you use publisher, patch now, consider limiting user rights for day-to-day use, even for those that need administrative access.
Keywords: microsoft
0 comment(s)
×
![modal content]()
Diary Archives
© 2024 SANS™ Internet Storm Center
Developers: We have an API for you! 
Comments