ep's blog

TLS / SSLv3 renegotiation vulnerability explained

Back in September, a vulnerability in the way we encrypt was found and quietly discussed in the security community.  It was a vulnerability that would allow malicious attackers to inject data into an encrypted conversation, thus breaking the integrity of the conversation.  When the vulnerability became public in October and mainstream in November, there was a lot of confusion about what was vulnerable, and what the risk was in using this type of encryption.

G-Sec from Luxemburg wrote this paper describing the issue in detail.

Linux Kernel KVM 'KVM_MAX_MCE_BANKS' Memory Corruption Vulnerability


The Linux kernel is prone to a memory-corruption vulnerability that
affects the Kernel-based Virtual Machine (KVM).

Local attackers can exploit this issue to execute arbitrary code with
superuser privileges. Successful exploits will completely compromise
affected computers.

Versions prior to Linux kernel 2.6.32-rc7 are vulnerable. "

It is recommended to update the kernel on affected systems.

Microsoft Excel Index Parsing Remote Code Execution Vulnerability


"Microsoft Excel is prone to a remote code-execution vulnerability.

Attackers can exploit this issue by enticing victims into opening a
specially crafted Excel ('.xls') file.

Successful exploits can allow attackers to execute arbitrary code with
the privileges of the user running the application. "

WordPress < 2.8.6 Arbitrary File Upload Vulnerability


"WordPress is prone to a vulnerability that lets attackers upload
arbitrary files. The issue occurs because the application fails to
adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and
run it in the context of the webserver process. This may facilitate
unauthorized access or privilege escalation; other attacks are also

TLS Man in the Middle (MITM) attacks based on renegotiation - patches available for RHEL3,4,5


A recent paper on TLS renegotiation showed a method for injecting
information into the encrypted stream. This could lead to successful
Man in the Middle (MITM) attacks in an already encrypted stream.

The current mitigation patch that is officially supported by RedHat is
to totally disable encryption re-negotiation. This workaround has been
patched in OpenSSL 0.9.8l.

Autocomplete Data Theft in Mozilla Firefox


"A malicious web page can extract out all the data stored within the
autocomplete history of a user's Firefox browser. The web page must
convince a user to hold down the left or right-arrow keys then the
contents of the autocomplete popup can be read. This may includes the
search history box within the browser, or other personal details."

"Mozilla fixed this issue in the 3.5.4 and releases of Firefox."

Adobe Shockwave Player Multiple Remote Code Execution and Denial of Service Vulnerabilities


"Adobe Shockwave Player is prone to a multiple remote code-execution and
denial-of-service vulnerabilities.

Attackers can exploit these issues to execute arbitrary code in the
context of the currently logged-in user and to cause denial-of-service

Versions prior to Shockwave Player for Microsoft Windows and
Apple Mac OS X are vulnerable. "

Sun Java SE November 2009 Multiple Security Vulnerabilities


"Sun has released updates to address multiple security vulnerabilities
in Java SE.

Successful exploits may allow attackers to bypass certain security
restrictions, run untrusted applets with elevated privileges, execute
arbitrary code, and cause denial-of-service conditions. Other attacks
are also possible.

These issues are addressed in the following releases:

Multiple Intel Desktop Board Models Bitmap Processing Buffer Overflow Vulnerability


Vulnerable Intel Motherboards

Intel DQ45EK 0
Intel DQ45CB 0
Intel DQ35MP 0
Intel DQ35JO 0

"Multiple Intel Desktop Board models are prone to a buffer-overflow
vulnerability because they fail to properly bounds-check user-supplied data.

Successfully exploiting this issue will allow local attackers to run
arbitrary code with elevated privileges or trigger a denial-of-service