Defense in Depth

Following a security researcher's announcement of a massive, multivendor patch release, Cisco on Tuesday issued a patch for its products vulnerable to DNS cache-poisoning attacks.

In an advisory, Cisco cited its IOS software, Network Registrar, Application and Content Networking System, and Global Site Selector used in combination with Cisco Network Registrar among those directly affected by the vulnerability announcement.

Earlier Tuesday, Microsoft released its patch for the same DNS vulnerability.

A security researcher has responsibly disclosed a fundamental flaw within the Domain Name System (DNS), the addressing scheme behind the common names used on the Internet. Currently, it may be possible to guess these transaction ID values in advance and assert a malicious server as the authoritative DNS server for a popular bank or e-commerce site. The news was announced Tuesday.

Dan Kaminsky, director of penetration testing services for IO Active, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with … Read more

Microsoft today released its July 2008 security bulletin highlighting items all considered important but not critical. They are for Domain Name Service in Windows, Windows Explorer within Windows Vista, Outlook Web Access (OWA), and Microsoft SQL servers. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-037: Important

Entitled "Vulnerabilities in DNS Could Allow Spoofing (953230)," this bulletin is for users of Windows 2000, Windows XP, and Windows Server 2003; not affected are users of Windows Vista (both 32-bit and 64-bit editions) and Windows Server … Read more

A leading Mac OS X researcher says Apple has not kept the iPhone operating system up to date with patches it has issued for the desktop.

The iPhone runs a stripped-down version of Mac OS 10.5 and automatically checks for security updates. The last update for the phone, 1.1.4, was issued in February.

That means iPhone users are still vulnerable to a flaw discovered by Charlie Miller in March.

During the CanSecWest conference, Miller found and used a buffer overflow in Safari in the Apple WebKit to win a $10,000 "Pwn to Own" contest. … Read more

Google released a free tool Tuesday that should help Web developers find and fix cross-site vulnerabilities.

The tool, RatProxy, is described by Google as "a semi-automated, largely passive Web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex Web 2.0 environments."

The tool is versatile, detecting and ranking a broad class of vulnerabilities. Included are script injections, cross-site trust attacks, content-serving vulnerabilities, cross-site request forgeries (XSRF), and cross-site scripting (XSS).

RatProxy runs on Linux, FreeBSD, … Read more

Last weekend, several hundred Lithuanian Web sites were defaced with pro-Soviet and anti-Lithuanian slogans, according to The New York Times.

Last Friday, Lithuanian government sites were warned of an impending Web attack and mounted appropriate defenses. Several hundred commercial sites did not do so and over the weekend took the brunt of the attack. By Monday, most all of the sites had been restored.

As with last year's Estonian denial-of-service attacks, the new attacks appear to be in reaction to a law outlawing the display of Soviet symbols in Lithuania. Germany has similar laws outlawing the display of Nazi … Read more

On Thursday, Opera released version 9.51. The new version fixes a few security vulnerabilities and resolves some stability issues. One of the fixes addresses an arbitrary code execution vulnerability that was not previously made public.

Meanwhile, Mozilla released Firefox 2.0.15 with a dozen security fixes, including a few remote-execution vulnerabilities.

Current Firefox 2 users should, however, upgrade to Firefox 3, which includes antimalware protection and other security features.

On Thursday, Microsoft announced four security bulletins for Patch Tuesday next week. The pre-announcement is intended as a heads up for IT departments before Patch Tuesday. All four are considered important, the second-most serious ranking by the software giant.

Among the important patches, two affect vulnerabilities within Windows, with one potentially causing remote code execution, while the other involves spoofing. Another bulletin affects Windows and Microsoft SQ Server and involves privilege elevation. The final bulletin affects Microsoft Exchange Server and also involves privilege elevation

Early Wednesday, antivirus vendor Sophos reported that some visitors to the Sony PlayStation site may have been prompted to download an antivirus scanner.

Pages promoting the PlayStation games SingStar Pop and God of War contained SQL-injected code. Visitors to those specific game pages would see a fake antivirus scan , then a message that their computer was infected with different viruses and Trojan horses. Warned, the user would then be asked to purchase the scanner to remove the bogus malware.

The injected code linking to the scanner has since been removed.

Sophos said the attack could have downloaded malicious payloads, but … Read more