Hello and welcome to the CERTStation Podcast for the 32nd week of 2010. I am Jay Johnson and these are the headlines:

Adobe confirms remote code-execution flaw in Acrobat Reader again (pause)
A simple hack can use Google Street View data to stalk its victims while
A demo on how to hack into GSM networks (pause)
Emergency patch closes LNK hole in Windows and Finally
Two critical vulnerabilities in iPhone's iOS exploited in jailbreak

And now for this week's newswire details
A security researcher has uncovered another vulnerability in Adobe Reader that allows hackers to execute malicious code on computers by tricking their users into opening booby-trapped files. Charlie Miller, principal security analyst at Independent Security Evaluators, disclosed the critical flaw at last week's Black Hat security conference in Las Vegas. It stems from an integer overflow in a part of the application that parses fonts, he said. That leads to a memory allocation that's too small, allowing attackers to run code of their choosing on the underlying machine. There are no reports of the flaw being targeted for malicious purposes. Brad Arkin, senior director of product security and privacy at Adobe, said members of the company's security team attended Miller's talk and have since confirmed his claims that the vulnerability can lead to remote code execution. The team is in the process of developing a patch and deciding whether to distribute it during Adobe's next scheduled update release or as an out-of-band fix that would come out in the next few weeks.
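To illustrate the mechanism Miller described, here is an added C example (not Adobe's code) in which a record count read from a font-style table is multiplied into an allocation size: the vulnerable form wraps in 32-bit arithmetic and yields a buffer far too small, while the hardened form rejects counts that overflow or exceed the bytes actually present. The table layout, record size and sample tables are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_SIZE 16u  /* constructed: bytes per record in this toy table */
/* Vulnerable pattern: the file's count is multiplied in 32-bit arithmetic,
 * so a large count wraps to a small allocation size. */
uint32_t vuln_alloc_size(uint32_t count)
{
    return count * RECORD_SIZE;  /* wraps for count >= 0x10000000 */
}

/* Hardened pattern: reject a count that would overflow the multiplication
 * or that claims more record bytes than the table carries (returns 0). */
size_t safe_alloc_size(uint32_t count, size_t table_len)
{
    if (count > SIZE_MAX / RECORD_SIZE)
        return 0;
    size_t need = (size_t)count * RECORD_SIZE;
    return need > table_len ? 0 : need;
}

/* Read a big-endian 32-bit count from the 4-byte header and copy the records
 * into a heap buffer; -1 when the header disagrees with the bytes present. */
long load_records(const uint8_t *table, size_t table_len, uint8_t **out)
{
    if (table_len < 4)
        return -1;
    uint32_t count = ((uint32_t)table[0] << 24) | ((uint32_t)table[1] << 16) |
                     ((uint32_t)table[2] << 8) | (uint32_t)table[3];
    size_t need = safe_alloc_size(count, table_len - 4);
    if (count != 0 && need == 0)
        return -1;
    if ((*out = malloc(need ? need : 1)) == NULL)
        return -1;
    memcpy(*out, table + 4, need);
    return (long)count;
}

/* Constructed sample tables (not from any real font): a consistent header
 * claiming two records, and one whose count wraps the 32-bit computation. */
const uint8_t GOOD_TABLE[4 + 2 * RECORD_SIZE] = { 0x00, 0x00, 0x00, 0x02 };
const uint8_t BAD_TABLE[4 + 2 * RECORD_SIZE]  = { 0x10, 0x00, 0x00, 0x01 };

long demo(const uint8_t *table, size_t len)  /* parse, free, report count */
{
    uint8_t *buf = NULL;
    long n = load_records(table, len, &buf);
    free(buf);
    return n;
}
```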

(pause)
A security researcher has devised an attack suitable for stalking and similarly creepy endeavors that uses JavaScript and geolocation data from Google to pinpoint a victim's precise location. In a talk titled How I Met Your Girlfriend, at the Black Hat conference last week, hacker Samy Kamkar demoed the technique, which he cleverly dubbed an XXXSS. Kamkar lures the victim to a website that uses JavaScript to extract her router's Media Access Control address and report the unique identifier to the hacker. If JavaScript is unpalatable for some reason, there are other ways to do this. Kamkar plugs the pilfered MAC address into Google Location Services. Within seconds, he has a map showing the victim's location within a few hundred feet. Over the past few years, Kamkar has used XSS, or cross-site scripting, exploits to achieve a variety of hacks. As the author of the Samy Worm, he served a brief stint in jail for unleashing a self-replicating exploit in 2005 that added more than 1 million friends to his MySpace account and in the process knocked the site out of commission. More recently, he's used XSS to burrow into firewalls and home routers. Of course, a few things have to happen for the attack to work. First, the router needs to be set to use the default administrative password, or it needs to be a model that doesn't require credentials to access its system information page. Second, the router's MAC address must already have been recorded by Google's ubiquitous fleet of Street View cars, which roam the earth snapping pictures and sniffing select Wi-Fi data.

(pause)
A researcher at the DefCon hackers' meet has demonstrated a kit for spoofing GSM base stations, allowing even those on a limited budget to intercept phone calls and text messages. The audience attending the talk by Chris Paget was able to see their own handsets transferring to his spoofed base station, with calls receiving a recorded message explaining that the security had been compromised. The demonstration would presumably have been a lot less impressive if Las Vegas had better 3G coverage. The basis of the attack isn't new: the attacker sets up a base station advertised as belonging to a compatible network operator, and handsets locally switch to the stronger signal. In a live attack the base station then connects to the real cellular network and passes authentication tokens back and forth as though it wasn't there. GSM communications are supposed to be encrypted between the genuine network and the handset, but in some countries strong encryption isn't allowed, so the network informs the handset not to encrypt the communications. The handset is supposed to pop up a warning when this happens, but doesn't, so rogue base stations can ask the handset not to encrypt anything and then listen in.

(pause)
Microsoft has published the unscheduled MS10-046 update to close the LNK hole in Windows. A flaw in the Windows shell that occurs when analyzing the parameters of LNK and PIF files can be exploited to launch arbitrary programs when icons are displayed. For the attack to succeed, users merely need to open a folder with specially crafted files on an infected USB stick, in a network share, or in a WebDAV folder, for instance. All operating systems supported by Microsoft are affected, from Windows XP (SP3) to Windows 7 and Server 2008 R2. Users who already employ the Fix-it tool as a workaround will have to undo the workaround after the update has been installed if they want to see the icons again. Criminals have already put malware into circulation to infect PCs by exploiting the flaw; one Trojan even disseminated itself via the LNK hole in Daimler AG's network.

(pause)
According to Vupen Security, the PDF vulnerability exploit that allows iPhones to be jailbroken, to run non-Apple App Store apps, is actually two critical vulnerabilities. The vulnerabilities exist in iOS 3.x, 4.0 and 4.01 and affect iPhones, iPads and iPod touch devices. The first vulnerability is, as previously reported, in the PDF rendering functionality of the iPhone, which allows an attacker to execute arbitrary code by inducing the processing of embedded font data to corrupt memory. This flaw in the Compact Font Format (CFF) handling can be exploited by merely tricking a user into visiting a specially crafted page. The second vulnerability is an error in the kernel, which allows attackers to elevate privileges and bypass the sandbox restrictions in iOS. The jailbreakme.com site uses a crafted page which identifies which model of iPhone, iPad or iPod Touch is being used and sends the browser to view one of twenty customised PDF files. The JailbreakMe site only removes the restrictions on the device which block it from running applications that aren't from the App Store, and installs the Cydia application store. Security vendors are warning that it could be possible for criminals to make use of the same vulnerabilities to create malware for the iPhone. The PDF rendering functionality is part of Apple's own Safari browser, not an external or third-party application. An Apple spokesperson told News Agency that the company was aware of the reports and was investigating.

If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime, this is your host Jay Johnson wishing you a safe and secure week.