From security em unicamp.br Mon Jun 1 09:02:40 2009
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 1 Jun 2009 09:02:40 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilities in NTP implementation
Message-ID: <20090601120239.GA96757@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerabilities in NTP implementation
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Fri, 29 May 2009 15:51:52 -0300 (BRT)

Dear all,

CAIS is forwarding the US-CERT bulletin titled "ntpd autokey stack
buffer overflow (VU#853097)", which covers a critical vulnerability in
the NTP implementation of the NTP Public Services Project, the most
popular implementation of the protocol.

The Network Time Protocol (NTP) is used to synchronize the clocks of
computer systems. A critical vulnerability was discovered in the
autokey feature of the NTPD daemon, an authentication scheme for the
NTP protocol proposed by David L. Mills. Two other vulnerabilities of
lower severity were disclosed by the NTP Public Services Project.

An attacker can craft an NTP protocol packet that exploits the
vulnerability described in CVE-2009-1252 and then send it to an
affected NTP server, causing a buffer overflow and thereby allowing
malicious code to be executed with the privileges of the user running
the ntpd process.

System administrators frequently configure this service to run as the
"root" user, which increases the impact of this vulnerability. CAIS
recommends using, whenever possible, a user without "superuser"
privileges for network services.

AFFECTED SYSTEMS

. Stable release: versions before 4.2.4p7
. Development release: versions before 4.2.5p74

The OpenNTPD implementation (OpenBSD) is not affected by this
vulnerability.

AVAILABLE FIXES

Updating systems to the versions available at the following location
is recommended:

. NTP Project Download Page
  http://www.ntp.org/downloads.html

If it is not possible to update immediately, the vulnerability can be
mitigated simply by disabling Autokey authentication. This vulnerable
configuration is indicated by the line "crypto pw password" in the
ntp.conf configuration file, where "password" is the password that was
previously configured. The daemon must be reloaded after this change.

MORE INFORMATION

. ntpd autokey stack buffer overflow (VU#853097)
  http://www.kb.cert.org/vuls/id/853097
. Security Notice - Remote exploit if autokey is enabled
  http://support.ntp.org/bin/view/Main/SecurityNotice
. [ntp:announce] NTP 4.2.4p7 Released
  http://lists.ntp.org/pipermail/announce/2009-May/000062.html
. NTP Bugzilla - limited buffer overflow in ntpq
  https://support.ntp.org/bugs/show_bug.cgi?id=1144
. NTP Bugzilla Windows ntpd should secure UDP 123 with SO_EXCLUSIVEADDRUSE
  https://support.ntp.org/bugs/show_bug.cgi?id=1149
. NTP Bugzilla - Remote exploit if autokey is enabled
  https://support.ntp.org/bugs/show_bug.cgi?id=1151

CVE identifier (http://cve.mitre.org): CVE-2009-0159, CVE-2009-1252

CAIS recommends that administrators always keep their systems and
applications up to date, in accordance with the latest versions and
fixes offered by vendors.

CAIS Alerts are also offered in RSS/RDF format:
http://www.rnp.br/cais/alertas/rss.xml

Regards,

################################################################
#    CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)    #
#           Rede Nacional de Ensino e Pesquisa (RNP)           #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available        http://www.rnp.br/cais/cais-pgp.key #
################################################################

----- End forwarded message -----

From security em unicamp.br Mon Jun 8 10:59:25 2009
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 8 Jun 2009 10:59:25 -0300
Subject: [SECURITY-L] CERT.br Courses: 2009 Schedule
Message-ID: <20090608135924.GA29299@unicamp.br>

From: "CERT.br"
Subject: [certbr-anuncios] CERT.br Courses: 2009 Schedule
To: certbr-anuncios em listas.cert.br
Date: Fri, 5 Jun 2009 18:10:35 -0300
Organization: Computer Emergency Response Team Brazil

Registration is open for the CERT.br courses that will be offered in
2009:

* Information Security for Technical Staff
  Class: August 3 to 7, 2009
  Registration closes: July 8, 2009

* Fundamentals of Incident Handling
  Class: September 14 to 18, 2009
  Registration closes: August 21, 2009

* Overview of Creating and Managing Computer Security Incident
  Response Teams
  Class: September 21, 2009
  Registration closes: August 21, 2009

* Advanced Incident Handling for Technical Staff
  Class: November 9 to 13, 2009
  Registration closes: October 16, 2009

The registration forms for the courses are available at:
http://www.cert.br/cursos/inscricao/

More information about the other courses is available at:
http://www.cert.br/cursos/

Regards,
--
CERT.br
http://www.cert.br/

From security em unicamp.br Mon Jun 15 09:02:56 2009
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 15 Jun 2009 09:02:56 -0300
Subject: [SECURITY-L] US-CERT
 Technical Cyber Security Alert TA09-160A -- Microsoft Updates for Multiple Vulnerabilities
Message-ID: <20090615120255.GA60691@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA09-160A -- Microsoft Updates for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Tue, 9 Jun 2009 16:30:01 -0400
Organization: US-CERT - +1 202-205-5266

National Cyber Alert System

Technical Cyber Security Alert TA09-160A

Microsoft Updates for Multiple Vulnerabilities

   Original release date: June 09, 2009
   Last revised: --
   Source: US-CERT

Systems Affected

   * Microsoft Windows
   * Microsoft Office
   * Microsoft Internet Explorer

Overview

   Microsoft has released updates that address vulnerabilities in
   Microsoft Windows, Office, and Internet Explorer.

I. Description

   As part of the Microsoft Security Bulletin Summary for June 2009,
   Microsoft released updates to address vulnerabilities that affect
   Microsoft Windows, Office, and Internet Explorer.

II. Impact

   A remote, unauthenticated attacker could execute arbitrary code,
   gain elevated privileges, or cause a vulnerable application to
   crash.

III. Solution

   Microsoft has provided updates for these vulnerabilities in the
   Microsoft Security Bulletin Summary for June 2009. The security
   bulletin describes any known issues related to the updates.
   Administrators are encouraged to note these issues and test for any
   potentially adverse effects. Administrators should consider using an
   automated update distribution system such as Windows Server Update
   Services (WSUS).

IV. References

   * Microsoft Security Bulletin Summary for June 2009 -
   * Microsoft Windows Server Update Services -
   * US-CERT Vulnerability Notes for Microsoft June 2009 updates -

The most recent version of this document can be found at:

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA09-160A Feedback VU#983731" in the subject.

For instructions on subscribing to or unsubscribing from this
mailing list, visit .

Produced 2009 by US-CERT, a government organization.

Terms of use:

Revision History

   June 09, 2009: Initial release

----- End forwarded message -----

From security em unicamp.br Mon Jun 15 12:15:40 2009
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 15 Jun 2009 12:15:40 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA09-161A -- Adobe Acrobat and Reader Vulnerabilities
Message-ID: <20090615151540.GE61678@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA09-161A -- Adobe Acrobat and Reader Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Wed, 10 Jun 2009 12:02:14 -0400
Organization:
 US-CERT - +1 202-205-5266

National Cyber Alert System

Technical Cyber Security Alert TA09-161A

Adobe Acrobat and Reader Vulnerabilities

   Original release date: June 10, 2009
   Last revised: --
   Source: US-CERT

Systems Affected

   * Adobe Reader versions 9.1.1 and earlier, 8.1.5 and earlier, and
     7.1.2 and earlier
   * Adobe Acrobat (Standard, Professional, and 3D) versions 9.1.1 and
     earlier, 8.1.5 and earlier, and 7.1.2 and earlier

Overview

   Adobe has released Security Bulletin APSB09-07, which describes
   several buffer overflow vulnerabilities that could allow a remote
   attacker to execute arbitrary code.

I. Description

   Adobe Security Bulletin APSB09-07 describes several
   memory-corruption vulnerabilities that affect Adobe Reader and
   Acrobat. Some of these vulnerabilities occur when Adobe Reader and
   Acrobat handle files with specially crafted JBIG2 streams.

   An attacker could exploit these vulnerabilities by convincing a user
   to load a specially crafted Adobe Portable Document Format (PDF)
   file. Acrobat integrates with popular web browsers, and visiting a
   website is usually sufficient to cause Acrobat to load PDF content.

II. Impact

   An attacker may be able to execute arbitrary code.

III. Solution

   Update

   Adobe has released updates to address this issue. Users are
   encouraged to read Adobe Security Bulletin APSB09-07 and update
   vulnerable versions of Adobe Reader and Acrobat.

   Disable JavaScript in Adobe Reader and Acrobat

   Disabling Javascript may prevent some exploits from resulting in
   code execution. Acrobat JavaScript can be disabled using the
   Preferences menu:

   * Open the Edit menu.
   * Select Preferences.
   * Choose JavaScript.
   * Un-check Enable Acrobat JavaScript.

   Prevent Internet Explorer from automatically opening PDF documents

   The installer for Adobe Reader and Acrobat configures Internet
   Explorer to automatically open PDF files without any user interaction.
   This behavior can be reverted to the safer option of prompting the
   user by importing the following as a .REG file:

       Windows Registry Editor Version 5.00

       [HKEY_CLASSES_ROOT\AcroExch.Document.7]
       "EditFlags"=hex:00,00,00,00

   Disable the display of PDF documents in the web browser

   Preventing PDF documents from opening inside a web browser will
   partially mitigate this vulnerability. This workaround may also
   mitigate future vulnerabilities.

   To prevent PDF documents from automatically being opened in a web
   browser, do the following:

   * Open Adobe Acrobat Reader.
   * Open the Edit menu.
   * Choose the Preferences option.
   * Choose the Internet section.
   * Un-check the Display PDF in browser check box.

   Do not access PDF documents from untrusted sources

   Do not open unfamiliar or unexpected PDF documents, particularly
   those hosted on websites or delivered as email attachments. See
   Cyber Security Tip ST04-010.

   Additional workarounds are available in Vulnerability Note
   VU#568153.

IV. References

   * Adobe Security Bulletin APSB09-07 -
   * Vulnerability Note VU#568153 -

Feedback can be directed to US-CERT Technical Staff. Please send
email to with "TA09-161A Feedback VU#568153" in the subject.

Produced 2009 by US-CERT, a government organization.

Revision History

   June 10, 2009: Initial release

----- End forwarded message -----

From security em unicamp.br Mon Jun 15 16:32:47 2009
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 15 Jun 2009 16:32:47 -0300
Subject: [SECURITY-L] CAIS-Alerta: Microsoft Security Bulletins Summary - June 2009
Message-ID: <20090615193245.GH61678@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Microsoft Security Bulletins Summary - June 2009
To: pop-seg em cais.rnp.br, rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Mon, 15 Jun 2009 13:51:27 -0300 (BRT)

Dear all,

Microsoft published 10 security bulletins on June 9, addressing a
total of 28 vulnerabilities that affect Microsoft products.
Exploitation of these vulnerabilities allows anything from information
disclosure to remote code execution.

At the time this summary was published there is active exploitation of
the vulnerabilities described in bulletins MS09-019, MS09-020,
MS09-022, MS09-025 and MS09-026.

SEVERITY

. Critical

  - MS09-018: Vulnerabilities in Active Directory
    Vulnerabilities that allow remote code execution
  - MS09-019: Vulnerabilities in Internet Explorer
    Cumulative update that fixes 8 vulnerabilities
  - MS09-021: Vulnerabilities in Microsoft Office Excel
    Vulnerabilities that allow remote code execution
  - MS09-022: Vulnerabilities in Windows Print Spooler
    Vulnerabilities that allow remote code execution
  - MS09-024: Vulnerability in Microsoft Works
    Vulnerability that allows remote code execution
  - MS09-027: Vulnerabilities in Microsoft Office Word
    Vulnerability that allows remote code execution

. Important

  - MS09-020: Vulnerabilities in IIS
    Vulnerabilities that allow elevation of privileges of a given user
  - MS09-025: Vulnerabilities in the Windows Kernel
    Vulnerabilities that allow elevation of privilege of a given user
  - MS09-026: Vulnerability in RPC
    Vulnerability that allows elevation of privilege of a given user

. Moderate

  - MS09-023: Vulnerability in Windows Search
    Vulnerability that allows disclosure of restricted information

. Low

  - No bulletins

The vulnerability severity rating system adopted by CAIS in this
summary is Microsoft's own. CAIS recommends applying, at a minimum, the
fixes for vulnerabilities rated Critical and Important. For fixes for
vulnerabilities rated Moderate, CAIS recommends that at least the
mitigation recommendations be followed.

. Critical - Vulnerabilities whose exploitation could allow the
  propagation of a worm without the need for user interaction.
. Important - Vulnerabilities whose exploitation can result in the
  compromise of the confidentiality, integrity or availability of user
  data, or of the integrity or availability of processing resources.
. Moderate - exploitation is significantly mitigated by factors such as
  default configuration, auditing or difficulty of exploitation.
. Low - a vulnerability whose exploitation is extremely difficult or
  whose impact is minimal.

AVAILABLE FIXES

Updating to the versions available at the following locations is
recommended:

. Microsoft Update
  https://www.update.microsoft.com/microsoftupdate/
. Windows Server Update Services
  http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

MORE INFORMATION

. Microsoft Security Bulletin Summary for June 2009
  https://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx
. SANS ISC Handler's Diary 2009-06-09: Microsoft June Black Tuesday Overview
  http://isc.sans.org/diary.html?storyid=6538
. MS09-018: Vulnerabilities in Active Directory Could Allow Remote Code
  Execution (971055)
  http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
. MS09-019: Cumulative Security Update for Internet Explorer (969897)
  http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx
. MS09-020: Vulnerabilities in Internet Information Services (IIS) Could
  Allow Elevation of Privilege (970483)
  http://www.microsoft.com/technet/security/Bulletin/MS09-020.mspx
. MS09-021: Vulnerabilities in Microsoft Office Excel Could Allow Remote
  Code Execution (969462)
  http://www.microsoft.com/technet/security/bulletin/ms09-021.mspx
. MS09-022: Vulnerabilities in Windows Print Spooler Could Allow Remote
  Code Execution (961501)
  http://www.microsoft.com/technet/security/Bulletin/MS09-022.mspx
. MS09-023: Vulnerability in Windows Search Could Allow Information
  Disclosure (963093)
  http://www.microsoft.com/technet/security/Bulletin/MS09-023.mspx
. MS09-024: Vulnerability in Microsoft Works Converters Could Allow
  Remote Code Execution (957632)
  http://www.microsoft.com/technet/security/bulletin/MS09-024.mspx
. MS09-025: Vulnerabilities in Windows Kernel Could Allow Elevation of
  Privilege (968537)
  http://www.microsoft.com/technet/security/Bulletin/MS09-025.mspx
. MS09-026: Vulnerability in RPC Could Allow Elevation of Privilege
  (970238)
  http://www.microsoft.com/technet/security/Bulletin/MS09-026.mspx
. MS09-027: Vulnerabilities in Microsoft Office Word Could Allow Remote
  Code Execution (969514)
  http://www.microsoft.com/technet/security/bulletin/ms09-027.mspx
. Microsoft Security Vulnerability Research & Defense
  http://blogs.technet.com/swi/
. Microsoft Brasil Security
  http://www.microsoft.com/brasil/security
. Technet Brasil - Central de Seguranca
  http://www.technetbrasil.com.br/seguranca
. Windows Live OneCare
  http://safety.live.com/site/pt-BR/default.htm

CVE identifier (http://cve.mitre.org):
CVE-2009-1134, CVE-2009-1138, CVE-2009-1139, CVE-2009-1140,
CVE-2009-1141, CVE-2009-0228, CVE-2009-0229, CVE-2009-0230,
CVE-2009-0239, CVE-2009-0549, CVE-2009-0557, CVE-2009-0558,
CVE-2009-0559, CVE-2009-0560, CVE-2009-0561, CVE-2009-1122,
CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126,
CVE-2009-1528, CVE-2009-1529, CVE-2009-1530, CVE-2009-1531,
CVE-2009-1532, CVE-2009-1535, CVE-2009-1533, CVE-2007-3091

CAIS recommends that administrators always keep their systems and
applications up to date, in accordance with the latest versions and
fixes offered by vendors.

CAIS Alerts are also offered in RSS/RDF format:
http://www.rnp.br/cais/alertas/rss.xml

Regards,

################################################################
#    CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)    #
#           Rede Nacional de Ensino e Pesquisa (RNP)           #
#                                                              #
# cais em cais.rnp.br                   http://www.cais.rnp.br #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available        http://www.rnp.br/cais/cais-pgp.key #
################################################################

----- End forwarded message -----
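
Added example, not part of any message in this archive and not code from CAIS, US-CERT or the NTP project: the CAIS NTP alert at the top of this archive gives the fixed releases (4.2.4p7 stable, 4.2.5p74 development) and names the ntp.conf line that marks Autokey as enabled. The Python code below checks a host against both; the function names, the sample version string and the sample ntp.conf are constructed for illustration, and treating any active `crypto` directive as "Autokey enabled" is an assumption that generalizes the alert's "crypto pw password" line.

```python
import re

# Fixed releases named in the CAIS alert (versions before these are affected).
FIXED_STABLE = (4, 2, 4, 7)    # 4.2.4p7
FIXED_DEV = (4, 2, 5, 74)      # 4.2.5p74

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
# crypto pw oldsecret
crypto pw examplepassword
restrict default kod nomodify notrap nopeer noquery
"""


def parse_version(text):
    """Return (major, minor, patch, plevel) from a string such as '4.2.4p6'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no ntpd version found in %r" % text)
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_version(text):
    """True when the version is older than the fix for its release line."""
    version = parse_version(text)
    if version[:3] == FIXED_DEV[:3]:           # 4.2.5pN development line
        return version < FIXED_DEV
    return version < FIXED_STABLE              # everything else vs. 4.2.4p7


def autokey_lines(conf_text):
    """Line numbers of active 'crypto' directives; the password is never returned."""
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if tokens and tokens[0] == "crypto":
            hits.append(lineno)
    return hits


def assess(version_text, conf_text):
    """Combine both checks into one status string for a host."""
    lines = autokey_lines(conf_text)
    if not is_affected_version(version_text):
        return "patched"
    if lines:
        return "exposed: affected version with Autokey enabled on line(s) %s" % (
            ", ".join(str(n) for n in lines))
    return "mitigated: affected version, Autokey not enabled; update when possible"


if __name__ == "__main__":
    # Constructed version string in the style ntpd reports.
    print(assess("ntpd 4.2.4p6@1.1585-o", SAMPLE_CONF))
```

The report carries only line numbers, so the Autokey password from ntp.conf never ends up in audit output or logs.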