McAfee SiteAdvisor says 'SANS, you are Bad!'
We've received reports from Nate and some others today that when they go to various SANS websites today, McAfee SiteAdvisor is showing a red status saying the site is 'bad'.
When we look at the site reports, giac.org and sans.edu are bad simply because they have links to the sans.org web site. The sans.org web site is now considered bad because of two links in CVA newsletters that point to exploit samples on 3rd party web sites.
We have submitted a comment via the SiteAdvisor web site and are simply waiting to hear back if they change the site status in their database.
Same bat-time, same bat-channel. It's still the SANS web site with the same content that has been there for quite some time.
Update 1: McAfee is working on updating the status of the SANS web site. Currently, when you go to the site, you still get a red SiteAdvisor button, but if you click on 'View Site Details', they now show the site as being green. Hopefully the data being used to feed the button display will change soon.
Update 2: McAfee has resolved this and the sans.org, sans.edu and giac.org sites are now all displaying a 'green' status from SiteAdvisor.
David Goldsmith
DNS Cache Poisoning Issue Update
OK, we have a confirmed instance where the DNS cache poisoning vulnerability was used to compromise a DNS server belonging to AT&T. This PCWorld article covers the incident. The original article makes it sound as though the Metasploit site was 'owned' by this incident, when really the issue was that the AT&T DNS server was compromised and was providing erroneous IP addresses in response to incoming queries. This updated PCWorld article clarifies the first one.
Additional details can be found in this Metasploit blog post.
So we've moved from "the bad guys are out there" past "the invaders are at the gate" and on to "the bad guys are slipping inside". If your organization has not yet patched your DNS servers (see here), please do so now.
We may be raising our InfoSec status to yellow soon to help raise attention to the serious nature of this issue.
David Goldsmith
Serious 0-Day Flaw in Oracle WebLogic Server and WebLogic Express -- Workaround Released
Oracle has released an emergency workaround that corrects a 0-day flaw in WebLogic Server and WebLogic Express, specifically with the Apache Connector, which is remotely exploitable without authentication.
Oracle's security advisory can be found here. The security advisory points to this document which contains recommendations for two workarounds that you should implement to help mitigate the vulnerability until Oracle can release a patch.
More information about the issue can be found at the ZDnet blog post.
Thanks to Frank for the original heads-up.
Update: Changed diary to reflect that only a work-around has been released and not a patch. Received 3 lashes with a Cat5 cable from Jason, Jim and Richard. ;-)
David Goldsmith