Site Archives
Does Vista Have a New Vulnerability?
There have been reports of a new vulnerability in Microsoft Vista that would allow a local user to run code as System, which is an even higher privilege level than Administrator. However, the user would have to be an Administrator to exploit the vulnerability, and the practical differences between Administrator and System are minimal, so there is not much reason to be concerned. If you see reports of an iphlpapi.dll Local Kernel Buffer Overflow, a Vista TCP/IP stack buffer overflow or CreateIpForwardEntry2, this is the issue being referenced. There is no need to panic. In fact, Microsoft is not releasing an out-of-band patch for this issue, so they don’t believe it’s that critical. Phion AG, the research group that found the vulnerability, has released a patch of its own, but we do not recommend you install it at this time.
Anonymous Proxy Usage
With the number of web exploits rising every day, organizations are discovering that some type of content or web filtering solution is necessary. Content filters provide a number of excellent benefits to an organization, including the ability to block access to domains that are known to house malware or exploits. Organizations are also finding that the content filter is an excellent way to deny access to sites that are not necessary for operations and that have the potential to divert users’ attention. However, many organizations are seeing that users have found that content filtering and web usage logging can be bypassed with the use of anonymous proxy servers.
Backup Exec Multiple Vulnerabilities
GSA Reference Number: AD081120-01
Simply Put: Symantec Backup Exec versions 11.x and 12.x are vulnerable to a denial of service attack and an authentication bypass attack. These vulnerabilities, if exploited together, can lead to a remote code exploit. Both issues affect the Backup Exec Remote Agent.
MDaemon WorldClient Vulnerability
GSA Reference Number: AD081119-01
Updated: 11-19-2008
Simply Put: Secunia is reporting a vulnerability in MDaemon’s WorldClient webmail frontend. Attackers could send a specially-crafted email that, if viewed in the WorldClient webmail interface, could run malicious scripts or HTML code on the user’s machine without their interaction. All the user would have to do is read the email. The vendor has a patch available.
eShield Spam Counts Down
The amount of spam on the Internet has decreased considerably during the last week. All signs are pointing to the takedown of McColo Corp, a US-based service provider notorious for housing spam and malware providers, as the probable reason. Multiple articles have been written debating the pros and cons of taking down an entire service provider (some are linked below), but I think we can all agree that the reduction in spam is a welcome sight. Gladiator’s eShield service has detected a remarkable decrease in spam of over 60% recently. The graph below indicates our spam counts for the last month:
Patch Tuesday
Microsoft’s Patch Tuesday has arrived, and there are two new security patches available. And although only a couple of patches were released, patching this month is just as important as ever. The first patch deals with a critical flaw in the XML Core services, which are called by Internet Explorer. This vulnerability could allow remote code execution. The second patch deals with the Server Message Block (SMB) protocol, used for file sharing in Windows. This patch is rated “important” by Microsoft, and could also result in remote code execution. Both patches are listed as “exploitable” by Microsoft. The patches are more critical on client workstations than servers, since they affect client programs such as web browsers. Gladiator recommends you install these patches during your standard release cycle.
Adobe Reader and Acrobat 8.1.2 Vulnerabilities
A number of critical vulnerabilities have been found in older versions of Adobe Acrobat and Adobe Reader. The vulnerabilities affect version 8 of the Adobe products: specifically, Adobe Reader 8.1.2 and earlier versions, and Adobe Acrobat Professional, 3D, and Standard 8.1.2 and earlier versions. These vulnerabilities could potentially cause a number of issues, including a denial of service or even remote code execution through a specially-crafted .pdf file, which could lead to a system take-over.
