Metasploit acquired by vulnerability management firm Rapid7

Metasploit Project has a new owner now - Rapid7.

It appears that HD Moore will start as CSO of Rapid7 and as Chief Architect of Metasploit.    

Critical Acrobat 0-day vulnerability used in targeted attacks

Adobe has confirmed a new zero-day vulnerability affecting to Windows, Mac and Unix versions of Adobe Acrobat and Adobe Reader. The exploit seen in targeted attacks was made for Adobe Acrobat 9.1.3 for Windows.

However, the vendor is developing a patch for older 8.x and 7.x versions as well.

The issue has been widely covered in this Finnish language article.

According to Trend Micro the length of malicious PDF files is 117,049 bytes.      

PakBugs.com forum online again

PakBugs.com is online after the offline period of several days.

Some of the forum's articles generate 500 Internal Server Errors or typical 404 errors at time of writing.

The underground forum is known about hacking tools, selling CVV codes etc. The forum has more than 12 000 registered members.

I wrote about the forum's userlist disclosure on unmoderated security mailing list in Tietoviikko magazine's article yesterday (link here in Finnish).

Update: The forum is gone - again.

Patch for iPhone SMS vulnerability released

Apple has recently released a fix for iPhone SMS vulnerability. More details can be found via The Register story.

The security update is known as iPhone OS 3.0.1 update. Apple's technical document is located here.

Targeted attacks in the wild - now with PowerPoint

New Office vulnerability used in targeted attacks is in the wild.

Microsoft has confirmed the existence by releasing a Security Advisory #969136.

The CVE entry for this vulnerability is CVE-2009-0556.

The affected Office versions are Microsoft Office PowerPoint 2003 SP3, 2002 SP3, 2000 SP3, and Office 2004 for Mac.

Microsoft uses name Exploit:Win32/Apptom.gen for .PPT documents exploiting the 0-day issue.

Adobe JBIG2 security update is here

The update for critical JBIG2 code execution vulnerability affecting Adobe Acrobat and Reader products has been released recently. The advisory is located here and as expected there is no patch for older 8.x versions yet.

The newest version knows the version number Acrobat 9.1.

If you are using Adobe Reader visit the address get.adobe.com/reader ASAP.

Additionally, OS X's Preview and several Linux PDF viewers are waiting for the patch still.

German intelligence has tapped foreign computers

From the article pointing to German language Spiegel.de article:

The German foreign intelligence service, the Bundesnachrichtendienst (BND), has eavesdropped on 2,500 PCs in the last couple of years.
News magazine Der Spiegel broke the news on its website this weekend.
According to the magazine, information saved on HDDs was copied and transferred to Pullach, where the BND is headquartered.
In various other cases, keyloggers were installed to capture passwords for email accounts.
....

Happy Safer Internet Day

It's February again and this Tuesday is Safer Internet Day - again.

According to a new research       

into the web habits of 20,000 14 to 19-year-olds across Europe found that 51% enjoy unfettered access to any and every website.
....

Here in Finland we use the term Tietoturvapäivä.

Microsoft SDL meets CWE/SANS Top25 list

Microsoft has released a document describing how the Secure Development Lifecycle (SDL) model maps to so-called CWE/SANS Top25 List, i.e. "25 Most Dangerous Programming Error" list released earlier in January.

Item-by-item type analysis as a Word document has been released too. The link is being included to this MSDN blog entry.

Unpatched MS SQL Server vulnerability being exploited

Microsoft has confirmed a code execution type vulnerability in Microsoft SQL Server affecting to following versions:

-Microsoft SQL Server 2000 SP4
-SQL Server 2005 SP2
-SQL Server 2000 Desktop Engine (MSDE 2000) SP4
-SQL Server 2000 Desktop Engine (WMSDE), and
-Windows Internal Database (WYukon) SP2.

MS Security Advisory #961040 is located here.

It appears that this sp_replwritetovarbin extended stored procedure issue is related to finding of SEC Consult.

Copper thefts threaten critical infrastructure in United States

According to FBI report

"....
Copper thieves are threatening US critical infrastructure by targeting electrical sub-stations, cellular towers, telephone land lines, railroads, water wells, construction sites, and vacant homes for lucrative profits.
...."

Link:
fbi.gov/hq/majorthefts/coppertheft_120308b.htm

Covered at Wired's Threat Level Blog too.

Finnish police investigating forged invitations to president’s reception

Here in Finland

number of fake invitations to the president's annual Independence Day reception had been sent to people the president's office had not invited.

Lieutenant-Commander Janne Muurinen considers this a security threat.

It really is a serious threat. There is no information about this kind of attempts during the past years.

According to news sources the police laboratory is investigating these invitation cards and fingerprints have been taken from the person reporting about the invitation.

Blog birthday and new job

This weblog had a birthday in October. Exactly on 6th October, three years ago (huh!) the blog was opened.

It's time to say a big Thank You, readers!

The total number of the entries is 2731 today.

I have started a new job in Finnish security company in October too. My position is Security Consultant.

Windows RPC worm (MS08-067) in the wild

The worm-type exploitation has started. More information has been released at
www.f-secure.com/weblog/archives/00001526.html.

The worm component has reportedly detection name Exploit.Win32.MS08-067.g and the kernel component Rootkit.Win32.KernelBot.dg, in turn.

Kaspersky detect the new malware wave as Exploit.Win32.MS08-067.g

and Microsoft as Exploit:Win32/MS08067.gen!A.

Windows RPC vulnerability (MS08-067) FAQ document written by the author has been updated to include these detection names.

Sophos uses name Mal/Generic-A, in turn.

Several updates to Windows RPC vulnerability FAQ done

The FAQ document includes the following new information (from Revision History):

1.2 26-10-2008 Major updates to Trojan section, added credits, information of non-affected dll versions and Snort rule reference
1.3 27-10-2008 Added information about the various file names and sizes, a separate Arpoc section and Nessus plugin reference

Robert E. Lee writes about discussion around the TCP/IP DoS issue

Robert E. Lee of Outpost24 has posted a new entry entitled A more detailed response to Gordon "Fyodor" Lyon's post describing the recent state of TCP/IP issue, i.e. discussion around the TCP/IP protocol stack Denial Of Service vulnerability.

There is a FAQ type section included too.

Apple's massive Security Update 2008-007 has arrived

Apple's latest Security Update 2008-007 addresses tens of vulnerabilities.

Here are some useful references:

support.apple.com/kb/HT3216

secunia.com/advisories/32222/

Flaws in CUPS, QuickLook, libxslt etc. enable code execution and a patch for PHP, Tomcat etc. is being included too.

Mozilla Firefox 3.0.3 is out

This new version fixes the Password Manager bug reported in this week's FF3.0.2 release.

Release Notes available here.

Download links to localized versions:

www.mozilla.com/en-US/firefox/all.html

References of Kauhajoki school shooting case

From Telegraph.co.uk:

The shooting at a school in Kauhajoki comes less than a year after the Scandinavian country was shocked by the murder of eight people at a school by a gun-weilding teenager.

Pekka-Eric Auvinen, 18, killed seven fellow pupils and the headmistress at Jokela High School in Tuusula, 30 miles north of the capital Helsinki and around 200 miles from Kauhajoki where the most recent shootings took place. Auvinen turned the gun on himself while surrounded by heavily armed police in November last year and died later in hospital.

He carried out the killings after uploading a film titled Jokela High School Massacre to YouTube, the video-sharing website.

www.metro.co.uk/news/world/article.html?YouTube_gunman_dead_after_school_shooting&in_article_id=321740&in_page_id=64

www.yle.fi/news/left/id102382.html

CNN Europe:
www.cnn.com/2008/WORLD/europe/09/23/finland.school.shooting/?iref=hpmostpop

Helsingin Sanomat:
www.hs.fi/english/article/bBREAKING+NEWSb+School+shooting+in+Kauhajoki+-+Nine+dead+many+injured/1135239657999

Wikipedia article:
en.wikipedia.org/wiki/Kauhajoki_shooting_incident

YouTube profile (suspended) of Matti Juhani Saari, 22:
www.youtube.com/user/Wumpscut86

Updated: Found mirrored here.

Update #2: Nickname (deleted) from IRC-Galleria.

Update #3: Wumpscut86 mirror page

Videos from Iltalehti.fi's Netti-TV:
www.iltalehti.fi/nettitv/?28011561

It appears that YouTube videos entitled 'massacre in kauhajoki' have been deleted from YouTube.

Terrorism cell data stick missing

Really, really bad UK news this week:

A police force said it was investigating the loss of a computer memory stick.

West Midlands Police said it could not comment on the contents of the device, but local media reports suggested it held "top-secret information on terror suspects".

A force spokeswoman said: "We can confirm West Midlands Police is investigating the loss of a data memory stick.

We are conducting searches in an attempt to recover the lost item.
We will not comment in relation to the contents of that memory stick.

...."