
Tenable Blog


Tenable Network Security Podcast Episode 125 - "Detecting Quicktime Vulnerabilities, Hotel Hackers"

Announcements

New & Notable Plugins

Nessus

  • QuickTime for Windows Versions prior to 7.7.2 Vulnerabilities - A long list of stack, heap, and integer overflows in QuickTime is fixed with this set of patches for QuickTime running on Windows. I'm curious to see if there are exploits available and how modern protections against them will work, or not.
  • SolarWinds Storage Manager Server LoginServlet SQL Injection - This is usually bad: "The version of SolarWinds Storage Manager running on the remote host has a SQL injection vulnerability in the 'loginName' parameter of the 'LoginServlet' page." This typically means you don't need credentials to exploit the vulnerability, and access to the database via SQL injection can lead to shell access and the ability to download the data contained on the system.
  • Pidgin OTR (Off-the-Record) Format String Vulnerability - I've used OTR for some time now to prevent attackers from snooping on my IM conversations. It sounds like this could be exploited if you accepted a key from someone who was sending a malicious OTR key, thus triggering the format string vulnerability.

Passive Vulnerability Scanner (PVS)

SecurityCenter Report Templates

  • Apple Safari, QuickTime and iTunes - This report template is focused on vulnerabilities detected in popular Apple software installed on Windows and Mac OS X hosts. The sample shown was cut from one of nine chapters and provides a five-day vulnerability trend demonstrating some initial success with the remediation of iTunes vulnerabilities.
  • Antivirus Software Check - This report template focuses on antivirus software that isn't up-to-date or isn't functioning properly. It relies on Nessus plugin 16193, Antivirus Software Check, and its many dependent antivirus detection plugins which are developed and maintained by the Tenable Research Team.

Stories

  1. You travelers in hotels, please send ViewSource/pcaps - I'm just sayin', if you're an attacker, and you want to compromise lots of people's computers quietly, and you want those people to be juicy business/corporate targets, you put a bunch of malware in hotel networks. There is plenty of opportunity to do it too, such as dropping off your own access points (you'd earn lots of sky miles!), compromising the hotel's existing WiFi network (now we're talking!), or compromising some of the infrastructure networking gear.
  2. Introducing EMET v3 - I've heard good things about this tool. Curious about two things: 1) How easy is it to manage in an enterprise environment? and 2) How easy is it to slip an exploit and a payload by it?
  3. From LOW to PWNED [10] Honorable Mention: FCKeditor - Chris Gates admits that this class of vulnerabilities in the "FCKeditor" ColdFusion script is typically a medium- to high-risk-level vulnerability. The ability to upload a file to the web server can easily lead to shell access, so watch for this one in your scan results.
  4. CSS-Only Clickjacking - (NOTE: Do not click anything on the page linked to in this story!) I found this little tidbit when scouring through my RSS feeds yesterday. It presents a method by which you can obscure the true link a user is clicking to, well, in this case, make them "Like" you on Facebook or "Follow" you on Twitter. Clickjacking is a pretty evil attack, and my concern is how many of these techniques are actually out there.
  5. Microsoft Adopts CVRF Format for Security Bulletins - I don't know about you, but I rather enjoy the ASCII art and clever humor in vulnerability release bulletins. However, Microsoft is trying to make this a standard: "For many customers, a machine-readable markup framework for security releases might not be a pressing need. For instance, home-computer users or small businesses may choose to install security updates automatically. However, many business customers spend time “copying and pasting” our security bulletin content into their risk management systems, spreadsheets and corporate notification emails manually as part of their IT security compliance and remediation task list." Go Microsoft and save the day from people copying and pasting!
  6. Microsoft program breach led to early RDP vulnerability exploit - The leak came from China: "The software giant said Hangzhou DPTech Technologies Co., Ltd., breached the terms of its non-disclosure agreement under the MAPP program when it leaked information about the vulnerability ahead of the patch release. Security vendors that are members of Microsoft’s trusted MAPP program receive vulnerability data and patching information before the public to give engineers time to develop protections for their security products." There is a joke in there about "picking your partners," but hey, it was only a remotely exploitable vulnerability for the most popular operating system in the world.
  7. Cable companies expand free Wi-Fi - This is great, a giant open wireless network for attackers to, well, attack: "The way it will work is that customers of any of these cable companies can look for the CableWiFi network and through a simple sign-on process connect using the same credentials as when accessing their own providers' Wi-Fi networks. Once subscribers have signed on once to any of the "CableWiFi" networks, they will be able to automatically authenticate onto any other CableWiFi network, the companies said in a press release." I wonder what would happen if you started broadcasting "CableWiFi" and asked people to log in?
  8. Cyberwar: You're Doing It Wrong! - Short video of Marcus Ranum and his views on "Cyberwar."
