Welcome to the Network Security website at the IAS

This website is intended to bring you the latest news, how to's, tools and resources in Information Security.  Security Awareness of our Faculty, Members and Staff is key in creating a safer computing environment.

The three major Principles of Information Security, Availability, Integrity and Confidentiality, will be covered throughout the security awareness program at the Institute.  For a description of these principles, please see our About section.

In keeping with the spirit of the Institute, I encourage questions and open discussions about security.  And if you discover anything out of the ordinary, please feel free to bring it to my attention so that we can work together to create a more productive, safer environment.

Thanks,
Brian Epstein <security@ias.edu>
twitter: @epepepep


Sendmail NULL Character CA SSL Certificate Validation Security Bypass Vulnerability

http://www.securityfocus.com/bid/37543

"Sendmail is prone to a security-bypass vulnerability because the
application fails to properly validate the domain name in a signed CA
certificate, allowing attackers to substitute malicious SSL certificates
for trusted ones.

Successfully exploiting this issue allows attackers to perform
man-in-the-middle attacks or impersonate trusted servers, which will aid
in further attacks.

Versions prior to Sendmail 8.14.4 are vulnerable."

Adobe Flash Media Server Directory Traversal Vulnerability

http://www.securityfocus.com/bid/37420

"Adobe Flash Media Server is prone to a directory-traversal
vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue can allow an attacker to load arbitrary Dynamic
Linked Libraries (DLLs) present on the server. This could help the
attacker launch further attacks. "

This affects Adobe Flash Media Server 3.5.2 and prior.
This affects Adobe Flash Media Server 3.0.4 and prior.

GnuTLS X.509 Certificate Serial Number Decoding Remote Security Vulnerability

http://www.securityfocus.com/bid/38959/info

"An attacker can exploit this issue to potentially execute arbitrary
code, trigger denial-of-service conditions, or bypass certificate
revocation list (CRL) checks, causing clients to accept expired or
invalid certificates from servers."

This affects GNU GnuTLS 1.2, specifically with RHEL4.

GNU Tar and GNU Cpio Remote Buffer Overflow Vulnerability

http://www.securityfocus.com/bid/38628/info

"GNU Tar and GNU Cpio are prone to a remote buffer-overflow
vulnerability because the applications fail to perform adequate boundary
checks on user-supplied data.

An attacker can exploit this issue to execute arbitrary code with the
privileges of the user running the affected application. Failed exploit
attempts will result in a denial-of-service condition.

This issue affects the following:

Sendmail NULL Character CA SSL Certificate Validation Security Bypass Vulnerability

http://www.securityfocus.com/bid/37543

"Sendmail is prone to a security-bypass vulnerability because the
application fails to properly validate the domain name in a signed CA
certificate, allowing attackers to substitute malicious SSL certificates
for trusted ones.

Successfully exploiting this issue allows attackers to perform
man-in-the-middle attacks or impersonate trusted servers, which will aid
in further attacks.

Versions prior to Sendmail 8.14.4 are vulnerable."

APPLE-SA-2010-03-30-2 iTunes 9.1 fixes 7 vulnerabilities

http://support.apple.com/kb/HT1222

iTunes 9.1 has been released which fixes 7 vulnerabilities. It affects
the following OS's:

Windows 7
Vista
XP
Mac OS X v10.4.11 or later

These vulnerabilities could lead to: arbitrary code execution, DoS
(including prolonged DoS after reboot), memory data disclosure,
privilege escalation.

It is recommended that iTunes be udpated to the latest version for all
users.

Thanks,
Brian

APPLE-SA-2010-03-30-1 QuickTime 7.6.6 fixes 16 security vulnerabilities

http://support.apple.com/kb/HT1222

Apple has released QuickTime 7.6.6 which fixes 16 security
vulnerabilities. This affects QuickTime installed on the following OS's.

Windows 7
Vista
XP SP2
XP SP3
Mac OS X v10.5.8

Vulnerabilities include: arbitrary code execution and/os local DoS.

Mac OS X v10.6 incorporates QuickTime within. Mac OS X v10.6.3 includes
the update to QuickTime 7.6.6.

APPLE-SA-2010-03-29-1 Security Update 2010-002 / Mac OS X v10.6.3 fixes 69 vulnerabilities

http://support.apple.com/kb/HT1222

Apple has released Mac OS X v10.6.3 which addresses several security
vulnerabilities. This includes arbitrary code execution with spell
check, firewall rule inactivation, non-authorized AFP mounting,
directory traversal, and more.

In all, 69 vulnerabilities were patched.

It is recommended that Mac OS X v10.6.x users update to v10.6.3 to
mitigate these risks.

Thanks,
Brian

Pages