December 21st, 2005, 11:00 PM
ISC Update: VMWare vulnerability announced/fixed and more fun from Symantec
Hello all-
Don't mean to keep updating from ISC - but my ticker for it just went off and I thought you should be updated:
VMWare vulnerability announced and fixed (NEW)
Link: http://isc.sans.org/diary.php?storyid=950
Story so far:
Published: 2005-12-21,
Last Updated: 2005-12-21 21:28:46 UTC by Jim Clausing (Version: 1)
A report showed up on the bugtraq and vulnwatch mailing lists in the last few hours about a vulnerability (discovered by Tim Shelton) in a number of VMWare products (including Workstation, GSX, ACE, and player), that would allow the attacker to escape the virtual machine and execute code in the underlying host OS. There are new builds which correct the issue (VMWare Workstation 5.5 is now up to build 19175, e.g.) dated 20 Dec on their website, and the bulletin has a timeline section that states that VMWare acknowledged the vulnerability when they released the new builds. This one is pretty significant for folks who use VMWare for malware analysis or even to isolate/sandbox their web browsing and you are urged to update to the latest build or disable NAT as soon as possible. From looking at the bulletin, it appears that Mr. Shelton has created a Metasploit module to exploit this vulnerability.
The vulnwatch article is here.
The Secunia advisory is here
VMWare's response is here.
---------------------------------
Jim Clausing, jclausing at isc.sans.org
Also - update from news on a new vulnerability for the AV RAR Library spanning many AV products from Symantec... hmm... open-source AV scanners are starting to look good right-about-now.
Symantec AV RAR library vulnerability
Link: http://isc.sans.org/diary.php?storyid=949
Story so far:
Symantec AV RAR library vulnerability (NEW)
Published: 2005-12-21,
Last Updated: 2005-12-21 20:19:58 UTC by Jim Clausing (Version: 2)
Yesterday, Alex Wheeler released details of a vulnerability that appears to span many Symantec A/V products in the routines for decoded RAR compressed files. Symantec is apparently working feverishly on a fix, but for the moment the recommendation is to disable scanning of these files (which I suppose is fine if we can convince the users not to open/uncompress them until Symantec has a fix or they can be scanned by some other A/V product) or block them completely at gateways/proxies. We are not currently aware of exploits in the wild, but the concern is that this has occurred so close to the end-of-year holidays, even if a fix does come out in the next few days, will people be around to apply it.
For complete details, see the Bugtraq posting, the Secunia advisory, and what I believe is Alex's paper.
We'll bring you more info as it becomes available.
Update: Symantec is apparently distributing a new pattern/definition that may detect the malformed RAR files while they continue to work on fixing the underlying vulnerability.
----------------------
Jim Clausing, jclausing at isc.sans.org
In case the links in the quote don't work, please refer to the Storm Center: http://isc.sans.org/index.php
"We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.