Domain: auscert.org.au
Stories and comments across the archive that link to auscert.org.au.
Comments · 21
-
Errata Corrige
I'm the author of the original submission. There was a mistake in the story, as we never contacted AusCERT, but CERT Australia instead. The similarity of the names was a bit unfortunate. I apologize for this error. Could some moderator please edit the submission? Thank you!
-
Re:Actually the irony is ...
Actually the irony is that the contractor is in fact AusCERT who claim to be
:-AusCERT operates within a worldwide network of information security experts to provide computer incident prevention, response and mitigation strategies for members and assistance to affected parties in Australia.
It may not be a computer incident, lol.
-
Actually the irony is ...
Actually the irony is that the contractor is in fact AusCERT who claim to be
:-AusCERT operates within a worldwide network of information security experts to provide computer incident prevention, response and mitigation strategies for members and assistance to affected parties in Australia.
-
For reference - 2 certs
http://www.auscert.org.au/ and http://www.cert.gov.au/
http://www.auscert.org.au/render.html?cid=2
"Formed in 1993, AusCERT is one of the oldest CERTs in the world and was the first CERT in Australia to operate as the national CERT, which it did until 2010." As always governments don't like competition - in this case for security & secrets
-
Re:Not News!!
Not really. First, the most it could do is infect your own files, not the system.
So only the most important files on the system, then ?
Second, you would have to run it - it can't spread by itself.
Just like most Windows "viruses", you mean ?
Do people running linux run strange executable binaries that people send them?
If most people running Linux were like most people running Windows, they would.
No. It's not like Windows, where reading your email can infect your machine.
No, it's more like opening a PDF could infect your machine.
-
Re:STILL NOT A WORM
I'm on the bubble over that. I saw plenty of references to an 80% miss rate in '05, but most seemed to be referring to an abstract of a vendor presentation to be made at a conference, which struck me as poor journalism.
http://conference.auscert.org.au/conf2005/abstracts.php
But the general manager at auscert seemed to be saying the same thing in 5/06:
-----
The survey, which was published at the start of this year's AusCERT 2006 conference on the Gold Coast, is further evidence that malware writers are targeting their attacks and testing their code to ensure it is undetectable by antivirus products before it is distributed.
According to the survey, 98 percent of respondents have deployed an antivirus application and yet 45 percent reported being infected by a virus or worm.
Graham Ingram, general manager of AusCERT, said that cybercriminals are making a "concerted effort" to defeat antivirus technology -- and they are being successful.
http://www.zdnet.com.au/news/security/soa/Antivirus-software-is-being-defeated-/0,130061744,139257227,00.htm
-----
So, how about something more up to date?
Friday, April 13, 2007
Storm Worm Blast Still Evades Antivirus
http://blogs.pcworld.com/staffblog/archives/004102.html
So why would I be on the bubble, instead of completely agreeing with you? Well, I hear the argument that since people can't be trained to not click on unverified attachments, security suites are at least *something*. In the back of my mind is the thought that if people didn't believe in these ratty security nets, perhaps they *would* change their behavior.
Another factor may lie in how corporations mitigate risk through insurance. Being able to check the AV box when seeking insurance might keep a policy affordable.
-
Java version used by your browser
If you have multiple Java versions on your computer and/or you do not know which version is used by your browser, try this page:
http://www.javatester.org/version.html
According to AusCERT, http://www.auscert.org.au/render.html?it=7664
you are vulnerable, if your JRE is:
- Sun Java Runtime Environment (JRE) 6
- Sun Java Runtime Environment (JRE) 5.0 Update 10 and prior
- Sun Java Runtime Environment (JRE) 1.4.2_14 and prior
- Sun Java Runtime Environment (JRE) 1.3.1_20 and prior
-
Re:Extraordinary claims require extraordinary proo
It appears to be referring to the GIF exploit, which was patched a couple of months ago.
No, as others have pointed out it's a flaw in JPEGs and BMP files. PNGs (pretty much the only format used in J2ME in cell phones and PDAs) are safe. Here are the advisories:
http://www.auscert.org.au/render.html?it=7664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
The biggest concern is that arbitrary applets could be pushed to user's machines. This is mitigated by the fact that the latest JVM's have already been repaired. Thanks to the Java autoupdater, there should not be many desktops at risk.
A secondary concern is servers that accept image uploads. BMPs are usually not accepted anyway, but JPEGs could be a concern. So it is best to upgrade these. Which brings us around to your concern...The problem is that most Java enterprise software winds up becoming tightly coupled with a specific JVM. (In Oracle's case, a good half-dozen *different* JVMs!) You can't upgrade the JVM without breaking the enterprise app (trust me, I tried, they really work only with the specific JVM shipped), so you're left with vulnerable JVMs and no way to upgrade them. I don't have a solution to that problem.
For one, it is possible to upgrade these JVMs. It's a bit trickier than a standard install, but it can be done, at least inside the same VM version. (e.g. Java 1.4 apps will usually not suffer from an upgrade to 1.4.1, but a Java 5 upgrade would be disastrous.)
Secondly, I *DO* have a solution. Yell at the vendor! If they're going to stupidly integrate the JVM for no reason other than to make your life difficult (ostensibly to make it easier, yeah right) then they can take the burden of getting you a patch. Don't let the vendor off the hook until they get the problem fixed! That's just good practice, nothing to do with Java.
(Of course, a better practice is to find a vendor who doesn't stupidly integrate JVMs, but I digress.)
BTW, are you talking about Oracle AS or Oracle Database? Oracle AS would need to be patched for situations like this just in case you handle or will handle image uploads. Oracle Database would not be at risk since there is almost no chance of the database being made to parse images in its procedural code. Desktop applications are similarly unaffected unless they download arbitrary images from the internet.
-
Re:here is the security flaw
I'm pretty sure this is it:
That's a different flaw in Java Web Start.
Right now, in this topic, I can see three possible links to Java flaws that "could be it". It's great that contributors to this topic have been able to dig up these links, but really, the original article should have included some details about the exploit so that we would all be in no doubt about what it actually involves. As it is, both the submission and the ZDnet article include no details at all. Nothing. What's the point of that? It's about as effective as raising the "terror alert" to "critical".
Seems that the flaw is most likely this one: http://www.auscert.org.au/render.html?it=7664 - it's an image decoding bug.
-
Re:The sky is falling
Google Security Team
I see at the top where they mention the Google security team. But the article quotes only someone named Chris Gatford from "penetration testing firm Pure Hacking" and someone from "Australia's Computer Emergency Response Team"
AUSCERT has issued something on this, but there are not many details. They claim the exploit is the ability for applets to escalate privileges.
Also, someone asked, but here are the versions they claim are vulnerable, for windows and solaris.
First vulnerability:
* JDK and JRE 6
* JDK and JRE 5.0 Update 10 and earlier
* SDK and JRE 1.4.2_14 and earlier
* SDK and JRE 1.3.1_20 and earlier
Second vulnerability:
* JDK and JRE 6
* JDK and JRE 5.0 Update 10 and earlier
* SDK and JRE 1.4.2_14 and earlier
* SDK and JRE 1.3.1_19 and earlier
And a link to the Aussie security alert
-
Re:Fixed in JRE 5 Update 12?
It's fixed in:
* JDK and JRE 6 Update 1 or later
* JDK and JRE 5.0 Update 11 or later
* SDK and JRE 1.4.2_15 and later
From:
http://www.auscert.org.au/render.html?it=7664
-
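As an added example (not code from the thread, from AusCERT or from Sun), here is a small Python checker that parses a `java -version` string and compares it against the affected and fixed ranges quoted in this thread for AL-2007.0071. The sample version strings are constructed. The table uses the broader ranges of the first vulnerability; the only difference for the second one on this page is the 1.3.1 line (1.3.1_19 rather than 1.3.1_20), and since no fix is quoted for the 1.3.1 line, anything past 1.3.1_20 is reported as outside the listed range rather than as fixed.

```python
"""Classify a Sun JRE/JDK version against the ranges quoted in the thread for
AusCERT AL-2007.0071 (CVE-2007-2788 / CVE-2007-2789).

Input is either a bare version string ("1.5.0_10") or the full text printed
by `java -version` (e.g. 'java version "1.5.0_10"').  Added example; the
range table is transcribed from the thread, the logic is not AusCERT's.
"""
import re

# Family -> (last affected update, first fixed update).
# "JRE 6" with no update number is treated as update 0; the page lists
# 6 Update 1, 5.0 Update 11 and 1.4.2_15 as the fixed releases and quotes
# no fix for the 1.3.1 line, hence None there.
FAMILIES = {
    (1, 6, 0): {"last_affected": 0,  "first_fixed": 1},
    (1, 5, 0): {"last_affected": 10, "first_fixed": 11},
    (1, 4, 2): {"last_affected": 14, "first_fixed": 15},
    (1, 3, 1): {"last_affected": 20, "first_fixed": None},
}

# Matches 1.5.0_10, 1.4.2_14, 1.6.0 and 1.6.0_01 anywhere in the text.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, micro, update) or None if no version is found.
    A missing update suffix (e.g. "1.6.0") is treated as update 0."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def assess(text):
    """Classify the version found in `text`:
    'vulnerable'             - inside a quoted affected range
    'fixed'                  - at or past the quoted fixed release
    'not-in-affected-range'  - past the affected range but no fix quoted
    'unknown-family'         - a release line the advisory does not list
    'unparseable'            - no version string present"""
    v = parse_java_version(text)
    if v is None:
        return "unparseable"
    family, update = v[:3], v[3]
    rng = FAMILIES.get(family)
    if rng is None:
        return "unknown-family"
    if update <= rng["last_affected"]:
        return "vulnerable"
    if rng["first_fixed"] is not None and update >= rng["first_fixed"]:
        return "fixed"
    return "not-in-affected-range"


# Constructed sample `java -version` outputs, one per host being checked.
SAMPLE_HOSTS = {
    "build-01": 'java version "1.5.0_10"',
    "web-02":   'java version "1.6.0_01"',
    "legacy-03": 'java version "1.4.2_14"',
    "legacy-04": 'java version "1.3.1_21"',
    "dev-05":   'java version "1.7.0_04"',
    "bare-06":  "no java installed",
}


def report(hosts):
    """Return {host: verdict} for a mapping of host -> `java -version` text."""
    return {host: assess(text) for host, text in hosts.items()}


if __name__ == "__main__":
    for host, verdict in report(SAMPLE_HOSTS).items():
        print(f"{host:10s} {verdict}")
```

The checker only looks at the first version-like token, so feed it one host's output at a time; in a fleet inventory you would collect `java -version` (which prints to stderr) per host and pass each string to `assess`.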
AusCERT alert.
The alert is accessible at http://www.auscert.org.au/render.html?it=7664.
Not sure what all the noise is about. The security "experts" from penetration testing firm Pure Hacking are twats for blowing this all out of proportion.
-
This isn't new
This issue (I'll provide a link to the AusCERT page as the summary neglected to) was first publicly announced on June 4 and fully patched by June 29th. All that's happened recently is some minor updates to the ticket. Yes it's serious, but anyone paying attention to such things will have patched already.
-
Original AusCERT
It looks like AusCERT has published on their page about this:
Quoted from
AL-2007.0071 -- [Win][Linux][Solaris] -- Sun Java Runtime Environment vulnerability allows remote compromise
1. Impact
A buffer overflow vulnerability in the image parsing code in the Java
Runtime Environment may allow an untrusted applet or application to
elevate its privileges. For example, an applet may grant itself
permissions to read and write local files or execute local
applications that are accessible to the user running the untrusted
applet.
A second vulnerability may allow an untrusted applet or application to
cause the Java Virtual Machine to hang.
Sun acknowledges, with thanks, Chris Evans of the Google Security
Team, for bringing these issues to our attention.
These issues are also referenced in the following documents:
CVE-2007-2788 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2788
CVE-2007-2789 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789
-
I wonder if that Cisco has been patched...
For this configuration exploit, this SNMP vulnerability, this IP sequence generation problem, this ICMP vuln, this H.323 problem, and this buffer overflow.
NOTE: Some of the listed problems indicate a "Cisco 3200 Catalyst", which may not be the same as the orbiting "Cisco 3200 Mobile Access Router". IANACG (I am not a Cisco geek).
-
ESB-2004.0176 -- FreeBSD-SA-04:04.tcp -- many out-
ESB-2004.0176 -- FreeBSD-SA-04:04.tcp -- many out-of-sequence TCP packets denial-of-service
http://www.auscert.org.au/render.html?it=3910&cid=20
Topic: many out-of-sequence TCP packets denial-of-service
Category: core
Module: kernel
Announced: 2004-03-02
Credits: iDEFENSE
Affects: All FreeBSD releases
Corrected: 2004-03-02 17:19:18 UTC (RELENG_4)
2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1)
2004-03-02 17:26:33 UTC (RELENG_4_9, 4.9-RELEASE-p3)
2004-03-02 17:27:47 UTC (RELENG_4_8, 4.8-RELEASE-p16)
CVE Name: CAN-2004-0171
FreeBSD only: NO
-
Re:The Complete Solution:
-
Re:Using the word "Welcome"
Here is one page I found that suggests using the world "welcome" in a login banner is asking for trouble. Has some other related info. as well.