Welcome to the Network Security website at the IAS

This website is intended to bring you the latest news, how to's, tools and resources in Information Security.  Security Awareness of our Faculty, Members and Staff is key in creating a safer computing environment.

The three major Principles of Information Security, Availability, Integrity and Confidentiality, will be covered throughout the security awareness program at the Institute.  For a description of these principles, please see our About section.

In keeping with the spirit of the Institute, I encourage questions and open discussions about security.  And if you discover anything out of the ordinary, please feel free to bring it to my attention so that we can work together to create a more productive, safer environment.

Thanks,
Brian Epstein <security@ias.edu>
twitter: @epepepep


Adobe Reader 7, 8 and 9 code execution through buffer overflow

http://www.adobe.com/support/security/advisories/apsa09-01.html

A buffer overflow in Adobe Reader allows for code execution when a user
opens a malicious PDF file.

Adobe will be releasing updates to v9 on March 11, 2009. Version 8 and
7 patches will follow soon after.

The exploit is currently active and uses Javascript embedded in the PDF
file to inject its payload into the heap.

Adobe Reader 7, 8 and 9 code execution through buffer overflow

http://www.adobe.com/support/security/advisories/apsa09-01.html

A buffer overflow in Adobe Reader allows for code execution when a user
opens a malicious PDF file.

Adobe will be releasing updates to v9 on March 11, 2009. Version 8 and
7 patches will follow soon after.

The exploit is currently active and uses Javascript embedded in the PDF
file to inject its payload into the heap.

Adobe Reader 7, 8 and 9 code execution through buffer overflow

http://www.adobe.com/support/security/advisories/apsa09-01.html

A buffer overflow in Adobe Reader allows for code execution when a user
opens a malicious PDF file.

Adobe will be releasing updates to v9 on March 11, 2009. Version 8 and
7 patches will follow soon after.

The exploit is currently active and uses Javascript embedded in the PDF
file to inject its payload into the heap.

Possible Abuse due to Misconfigured DNS Servers

Priority: 2
Severity: 2

US-CERT CIIN-09-023-01 (U//FOUO) describes a DNS amplification attack
due to misconfigured DNS Servers. Several attacks have been
orchestrated over the past weeks bringing this issue to light.

A DNS server that is vulnerable to this attack will respond to a root NS
query (".") by returning the list of root servers.

This vulnerable DNS server could then be used in a denial of service
attack against another entity.

US-CERT recommends:

Security Team creates a Rogue CA by targeting MD5 weaknesses

http://www.win.tue.nl/hashclash/rogue-ca/

A group that presented at the the Chaos Communication Congress in Berlin
showed the ability to convert a non-CA certificate into a CA
certificate, breaking the trust of the PKI.

This was done by using a large array of fast computers (200 Playstation
3's) in order to create a CSR that would force a weakly signed
Certificate. This certificate normally would not be allowed to sign
other CSRs.

Security Team creates a Rogue CA by targeting MD5 weaknesses

http://www.win.tue.nl/hashclash/rogue-ca/

A group that presented at the the Chaos Communication Congress in Berlin
showed the ability to convert a non-CA certificate into a CA
certificate, breaking the trust of the PKI.

This was done by using a large array of fast computers (200 Playstation
3's) in order to create a CSR that would force a weakly signed
Certificate. This certificate normally would not be allowed to sign
other CSRs.

Security Team creates a Rogue CA by targeting MD5 weaknesses

http://www.win.tue.nl/hashclash/rogue-ca/

A group that presented at the the Chaos Communication Congress in Berlin
showed the ability to convert a non-CA certificate into a CA
certificate, breaking the trust of the PKI.

This was done by using a large array of fast computers (200 Playstation
3's) in order to create a CSR that would force a weakly signed
Certificate. This certificate normally would not be allowed to sign
other CSRs.

Zero day (2008-12-10) exploit for Internet Explorer (961051)

http://www.microsoft.com/technet/security/advisory/961051.mspx
http://isc.sans.org/diary.html?storyid=5458

This vulnerability affects Internet Explorer in XP SP3, Vista SP0, SP1,
and Server 2008.

This vulnerability was not fixed in MS08-073 which was released
2008-12-09 (patch Tuesday).

Multiple vulnerabilities found in Drupal Core <5.13 and <6.7

http://drupal.org/user/124982

This bug affects the update mechanism in Drupal. Via cross site
scripting, a malicious user may be able to cause the superuser to
execute old updates that may damage the database.

Upgrading to 5.13 or 6.7 will mitigate the bug. Alternatively, a patch
is available that will fix this bug, although it will not update other
non-security fixes in the code.

Pages