Firefox patches SSL vulnerabilities

August 4th, 2009 No Comments »

Mozilla released Firefox 3.5.2 today, which patches two vulnerabilities in how the browser handles SSL certificates. Updating to this version via the browser's auto-update should protect against the man-in-the-middle attacks disclosed by Dan Kaminsky (Mr. DNS) and Moxie Marlinspike at last week's Black Hat conference.

We recommend upgrading to Firefox 3.5.2 across the board to eliminate this vulnerability.


Author: Christopher


Adobe patches more bugs

August 2nd, 2009 No Comments »

Last Thursday Adobe patched 12 bugs in Flash, three of which stem from flaws in Microsoft's Active Template Library (ATL). For at least a week attackers have been exploiting at least one of these vulnerabilities in the wild. The full details are in the security bulletin on Adobe's website under Security Advisories.

The bulletin describes ten vulnerabilities that can lead to system compromise by allowing an attacker to execute arbitrary code. Windows, Mac, and Linux builds were addressed in this patch; Solaris is still scheduled for a future update.

On July 10th, Microsoft notified Adobe about vulnerabilities in Microsoft's ATL (Active Template Library), two weeks before the public announcement. Microsoft's security team has been investigating ATL for flaws since early 2008. "[Microsoft] was moving very fast to pull resources together to help us do triage on our products," said Brad Arkin, Adobe's director for product security and privacy.

“The hard part was determining what was vulnerable,” said Brad. “It’s easy to rebuild a test version, but then we had to make sure [that] works and make sure we didn’t break it.”

Patched versions of Flash Player for Windows, Mac, and Linux can be downloaded from Adobe's website, or users can let Flash's built-in automatic update mechanism fetch the new version.

It is a step in the right direction to see Adobe take vulnerabilities in their products more seriously and address these issues in a timely fashion.


Author: Christopher


Your DNS is Vulnerable!

July 9th, 2008 1 Comment »

There are currently known vulnerabilities in DNS servers across all implementations. These vulnerabilities are not vendor specific; in fact, every DNS distribution is affected. I recommend all organizations develop an action plan immediately to identify and patch every DNS server, application, and client on every network in their control.

These vulnerabilities expose unpatched DNS servers to cache poisoning: an attacker can insert forged records into a resolver's cache, which can affect proper email delivery (forged MX records) and which website you actually reach when entering a URL into a browser.

The DNS specification calls for a 16-bit transaction ID field, which would require on average 32,768 "guesses" to predict the ID. Many implementations effectively use fewer bits of randomness, and thus require considerably fewer guesses.

US-CERT has an excellent write up on this vulnerability here.

You can find patch specifics for Microsoft here.

If you are running BIND 8, there is currently no fix and no plan to provide one for that platform; it is highly recommended that you look at upgrading to BIND 9 immediately.

If you only apply one patch in 2008, this should be it!

If you are using DNS from your ISP, you may still be vulnerable!

To assist organizations in containing this issue, I put together a few action steps to get everyone on track.

  1. Identify all DNS servers on your network and on any networks you are responsible for. To be sure, you may want to run a port scan for anything listening on UDP port 53.
  2. Identify the vendor responsible for each and every DNS server found in step 1.
  3. Refer to US-CERT for links to each vendor's patch documentation.
  4. Patch all servers.
  5. Repeat for all DNS clients, although these patches are more focused on DNS servers.

It is highly recommended all servers be patched before the Black Hat convention on August 6th when more information will be disclosed.

UPDATE:

You can check your upstream DNS Servers here:
http://www.doxpara.com/
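The doxpara page above tests your upstream resolver from the outside. The following is an added example (not from the original post or from doxpara) of the same kind of check run locally: it parses the transaction ID out of captured outbound DNS queries and, together with the UDP source port each query was sent from, classifies both fields as fixed, sequential, or random-looking. Source-port randomization is the mitigation the 2008 patches added, so a resolver whose queries all leave from one port, or whose IDs simply increment, is the one to patch first. The packets and port lists here are constructed sample data, not a real capture; `build_query`, `audit`, and `verdict` are names chosen for this example.

```python
import struct

# DNS header: id, flags, qdcount, ancount, nscount, arcount (RFC 1035 section 4.1.1)
DNS_HEADER = struct.Struct("!HHHHHH")


def build_query(txid, qname="example.com"):
    """Build a minimal DNS A query carrying the given transaction ID (constructed sample data)."""
    header = DNS_HEADER.pack(txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(part)]) + part.encode() for part in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_txid(packet):
    """Return the 16-bit transaction ID from a DNS message; reject truncated input."""
    if len(packet) < DNS_HEADER.size:
        raise ValueError("packet shorter than a DNS header")
    return DNS_HEADER.unpack_from(packet)[0]


def classify(values):
    """Classify consecutive observed values as 'fixed', 'sequential', or 'random-looking'."""
    if len(set(values)) == 1:
        return "fixed"
    strides = {b - a for a, b in zip(values, values[1:])}
    if len(strides) == 1:  # constant stride (e.g. +1) is trivially predictable
        return "sequential"
    return "random-looking"


def audit(samples):
    """samples: list of (udp_source_port, dns_query_bytes) for consecutive outbound queries."""
    ports = [port for port, _ in samples]
    txids = [parse_txid(query) for _, query in samples]
    return {
        "port": classify(ports),
        "txid": classify(txids),
        "distinct_ports": len(set(ports)),
        "distinct_txids": len(set(txids)),
    }


def verdict(result):
    """Turn an audit result into the action a defender should take."""
    if result["port"] != "random-looking":
        return "source port not randomized: patch this resolver"
    if result["txid"] != "random-looking":
        return "transaction IDs predictable: patch this resolver"
    return "source ports and transaction IDs vary: no issue detected in this sample"


# Constructed capture of a weak resolver: every query leaves port 53 and the ID increments.
WEAK = [(53, build_query(0x1000 + i)) for i in range(8)]

# Constructed capture of a patched resolver: both fields vary. Values are hand-picked
# so the example is deterministic; they are not from a real capture.
PATCHED_PORTS = [49213, 61877, 33021, 57490, 40555, 52106, 63998, 45312]
PATCHED_TXIDS = [0x3A7F, 0x9C12, 0x05E4, 0xD6B0, 0x7181, 0xE92D, 0x2C4A, 0xB05F]
PATCHED = [(p, build_query(t)) for p, t in zip(PATCHED_PORTS, PATCHED_TXIDS)]

if __name__ == "__main__":
    for name, samples in (("weak", WEAK), ("patched", PATCHED)):
        result = audit(samples)
        print(name, result, "->", verdict(result))
```

Eight queries is a small sample; on a real resolver feed in a few hundred captured queries so that a constant stride or a narrow port range is not mistaken for randomness. The check only looks at the two fields an attacker must guess, which is exactly why the number of random bits in each matters.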


Author: Christopher
