The last two days have been pretty busy. I have been analyzing the latest Adobe vulnerability. It all began when HD alerted me to a post on Mila Parkour’s “contagio malware dump” blog. After giving the blog post a once over, it was pretty clear that he had discovered a live sample of a previously unpublished and currently unpatched vulnerability. The clearest indicator was the screen shot of the Adobe Reader “About” dialog with dropped files showing. Great image! This most definitely piqued my interest.

Read the rest of jduck’s post on the Metasploit blog

I originally thought I’d give myself a break from doing SANS stuff for a while .. then I woke up yesterday .. and with 30 days left to sit the GPEN exam I booked it! Funnily enough, straight after that I looked at signing up for 2 other SANS courses ahahhahaah.

So now I have the task of getting ready to sit in exam in 15 days after not looking at the books in over 2 months (im so bad). This is very reminicent of my GSEC study (do a search for my post) .. and I managed to nail that ok.

Anyway .. i’m whining about my GPEN when Chris is about to head off and tackle his GSE .. Good luck nerdlinger!!

Symantec’s attempts to link up with Snoop Dogg to launch a cybercrime rap contest have descended into farce after it emerged that vulnerabilities with a dedicated site can be easily rickrolled.

Read all about the awesomeness that is Snoop Dogg and Security HERE

WORD TO YOUR MOTHER!

Today Microsoft are pleased to announce the availability of the Enhanced Mitigation Experience Toolkit (EMET) version 2.0.  Users can click here to download the tool free of charge. 

For those who may be unfamiliar with the tool, EMET provides users with the ability to deploy security mitigation technologies to arbitrary applications.  This helps prevent vulnerabilities in those applications (especially line of business and 3rd party apps) from successfully being exploited.  By deploying these mitigation technologies on legacy products, the tool can also help customers manage risk while they are in the process of transitioning over to modern, more secure products.  In addition, it makes it easy for customers to test mitigations against any software and provide feedback on their experience to the vendor.

Read the full story on the TECHNET BLOG

Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications. An extremely simple HOWTO:

1. Download the DLLHijackAuditKit v2 and extract it into a local directory on the system you would like to test.

2. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

3. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name “Logfile.CSV”.

4. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

5. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

Thanks again to everyone who provided feedback (positive or negative) on the original tool, especially Rob Fuller, who let me forkbomb his system in the process of testing the new kit.

Full posting on the Metasploit blog

The Pentagon has opened the kimono on what it described as the “most significant breach of US military computers ever,” in which a flash drive in 2008 was used to infect large numbers of computers, including those used by the Central Command overseeing combat zones in Iraq and Afghanistan.

When the device was plugged into a military laptop located on an undisclosed base in the Middle East, malicious code soon linked highly sensitive machines to networks controlled by an unnamed foreign intelligence agency, Deputy Defense Secretary William J. Lynn III wrote in the first official account of the episode.

Read the full story on theregister.co.uk

This post describes the process for identifying and exploiting applications vulnerable to the DLL hijack vulnerability disclosed last week. For background information on this vulnerability, as well as remediation information, please see my post on the Rapid7 Blog.

This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker. This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless, the flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory.

In practice, this flaw can be exploited by sending the target user a link to a network share containing a file they perceive as safe. iTunes, which was affected by this flaw until last week, is associated with a number of media file types, and each of these would result in a specific DLL being loaded from the same directory as the opened file. The user would be presented with a link in the form of \\server\movies\ and a number of media files would be present in this directory. If the user tries to open any of these files, iTunes would search the remote directory for one or more DLLs and then load these DLLs into the process. If the attacker supplied a malicious DLL containing malware or shellcode, its game over for the user.

Read the rest of H D Moore’s post on the Metasploit blog

Sophos have been working to provide some useful tools to help to educate web users about the risks of social media sites.

There’s a Social Networking toolkit with videos and presentations that you can use to educate yourself or your workforce. And, they’ve also created a groovy little widget you can add to your webpages to share handy Safe Web Browsing browsing tips.

All this stuff is free and might just stop a few more people clicking that oh-so-appealing pop-up window or installing that rogue Facebook app that silently updates statuses and spams all their “friends”.

via Graham Cluey’s blog [SOPHOS]

Plenty of people are familiar with the dangers which can be associated with sharing your location online – whether it be by Twitter updates (“I’m at Heathrow airport, Terminal 3, waiting to go on two week’s holiday..”), Foursquare (“I just ousted @gcluley as the mayor of Sophos on @foursquare!”) and the newly launched Facebook Places.

But a new website called I Can Stalk U demonstrates how easy it is to unwittingly reveal your location – just by sharing a digital photo from your smartphone.

Many people may be unaware that lots of smart phones geo-tag photos that they take with information about where they were taken. The location data isn’t visible to the naked eye in the photo, it’s embedded as encoded meta-data inside the picture, alongside information about what type of camera was used, camera settings, and so forth.

That means, anyone who accesses your digital photos can (if you haven’t wiped the location meta-data) work out where you were when you take the snapshot.

And as many people upload their pictures virtually instantly to Twitter via services like TwitPic, someone could find out where you are even if you had no intention of sharing that information with the world.

You can imagine how that could be very dangerous – imagine if you had a jealous ex-partner, or if you were a celebrity with hundreds of demented fans keen to “hang out” with you.

The I Can Stalk U website appears to have been set up to raise awareness of the security problem, rather than to cause mischief, and they have helpfully provided information about how to disable geo-tagging on some of the most common smartphones.

As the world wide web increasingly becomes the world where web, with location playing an ever more important role in the information we glean from the internet, it will become increasingly important for net users to consider how this information is shared, and ensure that they are not unwittingly sharing it with unauthorised parties.

via Graham Cluey’s Blog [SOPHOS]

Remember all the controversy over electronic voting machines? Well, prepare to be paranoid once again. Researchers from the University of Michigan and Princeton University managed to hack a touch-screen direct-recording electronic (DRE) voting machine called the Sequoia AVC Edge to run Pac-Man, reminding me why I didn’t trust electronic voting machines in the first place.

The researchers hacked the supposedly “secure” voting machine by reformatting the memory card in the machine to boot in DOS instead of the default embedded operating system. Apparently the entire process of reformatting and writing config.sys files took only three afternoons. Not only that, but the security seals that are suppose to keep people from tampering with the machine can apparently be left completely intact after a fun afternoon of hacking. Doesn’t that make you feel confident about your next election? (Next thing you know the deceased will be voting–oh wait, that’s happened before. Never mind.)

This isn’t the first time voting machine security has been called in to question, and it probably won’t be the last. Some states, such as Virginia, have already banned DREs; hopefully other states will begin to follow suit. If not, I’m putting Pac-Man on my ballot in 2012!

via NetworkWorld, Switched and Engadget