Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server

Looks like there has been another vulnerability discovered in the BlackBerry Enterprise Server PDF distiller of the BlackBerry Attachment Service.

Looks like there has been another vulnerability discovered in the BlackBerry Enterprise Server PDF distiller of the BlackBerry Attachment Service. This vulnerability is scoring 7.8 on the CVSS scale, so it is a high risk vulnerability.  You should apply the patch to your BES server ASAP.

See http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB24761 for the details from RIM.

If you haven’t already done so, you really should have the attachment service running in a segmented network in order to prevent the spread of malware. The PDF distiller has required quite a few patches in the past few years and is, in my opinion, the weakest point in the whole BES architecture.  See the BlackBerry technical notes on how to achieve segmentation here.

VLC media player auto-update and vulnerability

Secunia has published an advisory about new vulnerabilities found in VLC Media Player.

I just picked up an advisory from Secunia about VLC Media Player vulnerabilities. There are 9 vulnerabilities. Three are related to A/52, DTS and MPEG audio decoders. Three are about the AVI, ASF and Matroska demuxer. The other three are about the XSPF playlist, the ZIP and RTPM implementation.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted file.

There is no CVE Reference and unfortunately cannot figure out a CVSS score.  You can find the original advisory (VideoLAN-SA-1003) here:
http://www.videolan.org/security/sa1003.html

There are two interesting things about this one.  One, as of right now (April 25, 2010 at 22:39 GMT-6), the fixed version for Windows (1.0.6) is still not available on the Video LAN web site.  That’s a bit unusual because, typically, the vendor likes to make sure the patch/updated version of the vulnerable software is available before publishing the vulnerability on their on web site.  The second thing that’s interesting is that the auto-update does not seem to work in my installed version (1.0.1).

I thought that maybe I had a problem in my home LAN that caused the auto-update to fail.  I fired up Wireshark and did a quick sniff of the traffic when trying to get VLC to update.  I used the Follow TCP Stream feature and it was quickly apparent that the problem wasn’t with me at all.  The GET that VLC sent got a 206 Partial Content

HTTP/1.1 206 Partial Content
Content-Type: text/plain
Accept-Ranges: bytes
ETag: “3280753111”
Last-Modified: Mon, 01 Feb 2010 23:15:18 GMT
Content-Range: bytes 0-485/486
Content-Length: 486
Date: Mon, 26 Apr 2010 04:24:08 GMT
Server: lighttpd/1.4.19

1.0.5
http://www.videolan.org/mirror-geo-redirect.php?file=vlc/1.0.5/win32/vlc-1.0.5-win32.exe
Due to a bug in the update feature of your on of VLC, the automatic download of the new VLC will fail.

You have to download VLC 1.0.5 from VideoLAN’s website: http://www.videolan.org

VLC 1.0.5 is a minor release of 1.0.x version of VLC. It fixes a few bugs, updates the codecs and the compiler for Windows, and should improve decoding speed. It also improves and update many translations.

Well, might as well download 1.0.5 for now and use the auto-update to check the 1.0.6 fix.

Adobe Reader is vulnerable yet again

I figured it would happen eventually, but not quite so soon. It appears that Adobe Reader is suffering from at least two more zero-day vulnerabilities. Here’s the low-down.

I figured it would happen eventually, but not quite so soon. It appears that Adobe Reader is suffering from at least two more zero-day vulnerabilities – less than two months after the JBIG2 vulnerability.  Here’s the low-down.

All currently supported shipping versions of Adobe Reader and Acrobat (9.1, 8.1.4, and 7.1.1 and
earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions
for all platforms (Windows, Macintosh and UNIX) to resolve this issue.  The vulnerabilities are in the JavaScript engine of the Adobe products.  This, by the way, affects both Adobe Reader and Adobe Acrobat.  The vulnerabilities exist in two JavaScript functions; getAnnots() and spell.customDictionaryOpen() and both allow remote code execution.  One way to protect yourself is to disable JavaScript – see the simple instructions from F-Secure.

Many people made this recommendation when the last vulnerability was uncovered (jbig2 vulnerability), but it just seems to be louder this time; find an alternative reader to the Adobe Reader product.  If you need an idea for what is available out there, take a look at PDFreaders.org.  I know that I have made the recommendation where I work, but it might not be that easy.  Corporations sometimes will rely heavyly on Adobe Reader to view custom business forms that are used on a daily basis with customers.  That reliance will often show itself in the in-house applications that make calls directly to the Adobe DLL.

You can read a bit more about the challenges of replacing Adobe Reader and Acrobat here.

Perimeter defense is useless!

I think it is well known by security experts that the old perimeter defense model just does not work any more. A firewall does give some protection, but users are constantly asking that ports be opened so that they can access services outside of the corporate network. Not only that, but there is not much to prevent malicious traffic to go through your ports that are already opened. Should we ditch the firewall? No, but you should add more layers to your defense. In this post, I will list of the defenses you should have in your environment.

I think it is well known by security experts that the old perimeter defense model just does not work any more. A firewall does give some protection, but users are constantly asking that ports be opened so that they can access services outside of the corporate network.  Not only that, but there is not much to prevent malicious traffic to go through your ports that are already opened.  Should we ditch the firewall?  No, but you should add more layers to your defense.  In this post, I will list of the defenses you should have in your environment.

Whenever such a user requests to have yet another port to be opened, you should make sure that you restrict as much as possible the end-points that can make use of that port you are opening up. For example, John asks that a port be opened so he can establish a VNP connection from the corporate LAN to a business partner, you should make sure that only John’s IP address is allowed to use that port and that there is only one outside IP address that John can reach on that port.

Firewall management is not what keeps me up at night though. What keeps my up at night is the fact that it is so easy to create tunnels from inside my network to the outside over well known ports, such as port 80 or 443 in order to access anything that you would normally block at the firewall. That plus the fact that now you cannot browse most web sites with first installing such things as Flash player and Adobe PDF reader.

A recently vulnerability in Adobe Reader for which there is no patch as of now (Adobe said they will release one on March 11th) is a rather scary one.  This type of vulnerability can be exploited without the user even opening the malicious PDF! How can you defend yourself against that?!  You should have as many layers as possible in order to prevent that malicious PDF from succesfully penetrate your network.  The Verison Business Security Blog has a very good list of steps that can be taken to protect yourself against that threat.  of course, you could always drop Abode Reader altogether.

In general though, that approach can be applied against any threats.  Here are the different layers you should have in place in order of priority:

  1. A firewall.  I would venture to guess that everyone out there has that one in place.  Make sure that a regular review of what rules you have in place is done.
  2. Intrusion Detection (IDS) or better yet, Intrusion Prevention (IPS).  If you can affort it, TippingPoint is probably a leader in that field and works great.  At the very least, you should have Snort in your network.
  3. Don’t allow your users to be local administrators.  Most of the people that get infected with malware  and virus are logged on with local administrator rights.  That’s a very bad idea.  Lock down those users!
  4. Anti-Virus on every machines.  AV is not perfect as it is a reactive technology, but it will catch a lot of what is out there.  Anti-Virus products now can do more than just detecting and cleaning virus.  The can block use of certain ports on your hosts (such as port 25 for e-mails or ports typically used for IRC).
  5. Host-based Intrusion Detection System (HIDS).  This technology is starting to catch on in corporate environments.  This is basically the equivalent of having ZoneAlarm on each desktop, but centrally managed by the corporate IT.
  6. Last but not least, patching!  Make sure that you are current in your OS patches and your application patches.  That is not always easy in corporate environment since it sometimes requires careful testing and planning.

In my experience, the mobile users are the weak links.  Once they take their laptops outside of the corporate LAN, many of those defensive layers, such as IPS and the firewall, are no longer there to protect them.  That’s why you need to have strong defenses on the workstations, such as disk encryption and HIDS.

Can anyone think of other layers that should be in place?