This month has certainly been interesting.
A couple of zero days in widely deployed software were discovered by virtue of active exploitation out there in the world…
An Adobe Acrobat and Reader zero day [demo exploits], with an official patch expected next month (there is an unofficial patch).
A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.
Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Adobe is planning to make updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, available by March 18th.[...]
Update: Adobe has released the security updates for Acrobat and Acrobat Reader 9.
A potential Microsoft Excel zero day, with more information to be determined.
Microsoft is investigating new public reports of a vulnerability in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability.
As always, exploiting vulnerabilities for which patches are available is working quite nicely too – just look at Conficker having a ball.
Why Conficker has been able to proliferate so widely may be an interesting testament to the stubbornness of some PC users to avoid staying current with the latest Microsoft security patches [2]. Some reports, such as the case of the Conficker outbreak within Sheffield Hospital’s operating ward, suggest that even security-conscious environments may elect to forgo automated software patching, choosing to trade off vulnerability exposure for some perceived notion of platform stability [8]. On the other hand, the density of where the vast bulk of Conficker victims are concentrated may also suggest other reasons, such as the wide use of unregistered (pirated) Windows releases, which Microsoft does not patch [9].
Browser usability with https continues getting hammered as well.
This tool provides a demonstration of the HTTPS stripping attacks that I presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation below.
The djbdns package has come under fire, of particular note.
Summary: Weaknesses in dnscache’s outgoing query management and caching policies allow an attacker to poison arbitrary DNS records in far less time than previously believed possible.
Versions Effected: All current versions of djbdns (< =1.05)
(And, now I know about zinq.)
And, to end on a lively, off-topic note, fall fashion in New York is usually a favorite of mine, and the Fall 2009 season combined that general preference with up my alley trends (already visible on the streets of New York) – comforting protective and edgier futuristic clothing, dark somber and rich powerful colors (e.g., royal blue, plum purple, forest green), playing with construction and textures (e.g., velvet, tweed, leather, satin), asymmetrical geometrical strong-shouldered architectural designs. Because of these trends, many shows had at least a few pieces that I loved, making for my much wider appreciation of the designs of a variety of designers this season. Some of my favs…
- Yet again, Proenza Schouler – This collection veered slightly softer and perhaps nodded to their earlier days, yet still maintained the edge and architecture I have come to love. In a season where those I thought would shine seemed to go astray, these guys hit the mark.
- Rodarte – This collection had singular point of view, with the same silhouette and structure throughout; however, the play with construction, textures, and even a pop of color kept it so interesting that I could not wait to see what would come next.
- Ralph Lauren – This collection was like walking out into a clean, clear, crisp fall day and inhaling deeply. I said it over and over – it feels like a breath of fresh air. The simplicity, elegance, and beauty of the clothing was remarkable.
Of course, given the trends and my high expectations, I must note there were a number of train wrecks out there too. The two main categories I saw: 1) designs that looked plain silly, gaudy, and/or obnoxious, a way too literal translation of the 1980s; and 2) designs that looked stiff, heavy, and/or just plain burdensome, too much like wearing actual medieval armor, scratchy carpeting, or sound absorbing curtains.