Archive for May, 2007

Security Update FOR QuickTime 7.1.6

Reading SANS tonight points out that there are security updates FOR QuickTime 7.1.6 (Mac and Windows) available from Apple Downloads (May 29, 2007). Now, I am running v7.1.6 and my auto-update tells me everything is ok … but my client certainly hasn’t downloaded this patch that I am aware of.

About Security Update (QuickTime 7.1.6 for Windows)
This update is recommended for all users and improves the security of QuickTime 7.1.6.

So how do you know if your client is patched?

[1] Quicktime Security Update for 7.1.6 (Yes, really!) [SANS]
[2] Apple Downloads [Apple]
[3] Security Update (QuickTime 7.1.6 for Windows) [Apple]

Backup Script for Ghost v8.3

A quick little CMD script to stop a Ghost server, back up the config files, then restart the server.
Useful for testing … and for recovery when your test goes ‘a little too far!’ Not overly elegant but quite useful:

:: GHOST-BACKUP.cmd
:: Contributor: ME :)
:: Created: 29 May 2007
:: Updated: 29 May 2007
:: Status: Current
:: Subject: Ghost server config backup
:: files backed up to drive "Z:" (Z:\BACKUP-Ghost must already exist)
:: privkey.crt is the server's private key, so restrict access to Z:\BACKUP-Ghost accordingly

:: Build a date stamp for the backup folder from "date /t". The token order
:: depends on the Windows locale (en-US "Tue 05/29/2007" gives 2007_05_29).
for /f "tokens=2,3,4 delims=/- " %%i in ('date /t') do set yymmdd=%%k_%%i_%%j

:: ===STOP GHOST SERVER===
C:
cd "C:\Program Files\Symantec\Ghost\"
ngserver.exe -stop

:: ===COPY FILES===
:: Key pair and configuration database go into the date-stamped folder;
:: /s recurses the db tree, /Y overwrites without prompting (add /I to xcopy
:: if it asks whether the target is a file or a directory).
Z:
cd Z:\BACKUP-Ghost
mkdir %yymmdd%
copy "C:\Program Files\Symantec\Ghost\privkey.crt" Z:\BACKUP-Ghost\%yymmdd%\privkey.crt
copy "C:\Program Files\Symantec\Ghost\pubkey.crt" Z:\BACKUP-Ghost\%yymmdd%\pubkey.crt
xcopy "C:\Program Files\Symantec\Ghost\db\*.*" Z:\BACKUP-Ghost\%yymmdd%\db\*.* /s /Y

:: ===START GHOST SERVER===
C:
cd "C:\Program Files\Symantec\Ghost\"
ngserver.exe -start

:end

VirusScan 8.5i updates for reporting

Ahhh, grasshopper, there will come a day of reckoning.

It seems that the settings we had previously been using [1, 2] for our VirusScan settings files were excellent for a VirusScan 8.0i install, and survived an upgrade to 8.5i if 8.0i had been installed first. The same settings did not work when applied directly to VS 8.5i, because the registry keys have changed … *crunch*

Blocking P2P with VirusScan8.5i
A registry change: modify the UserDefinedDetection settings to suit your needs. Remember that the more entries you add, the slower file processing becomes, so ‘think smart’.

Windows Registry Editor Version 5.00
;Contributor: Me
;Created: 15 September 2005
;Updated: 25 May 2007 (path for VS 8.5i)
;Status: Current
;
;Subject: Registry file to add Virus Scan v8.5i – User Defined Unwanted Programs
; Removal of selected P2P applications

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\NVP]
"DetectJokes"=dword:00000001
"DetectSpyware"=dword:00000001
"DetectPotentiallyUnwantedApps"=dword:00000001
"DetectPasswordCrackers"=dword:00000001
"DetectAdware"=dword:00000001
"DetectRemoteAdminTools"=dword:00000001
"DetectionExclusions"=""
"DetectDialers"=dword:00000001
"DetectKeyLoggers"=dword:00000000
"UserDefinedDetection_0"="BitLord.exe:BitLord (Torrent Client)"
"UserDefinedDetection_1"="g3torrent.exe:G3 Torrent Client"
"UserDefinedDetection_2"="Btdownloadgui.exe:BitTorrent (Torrent Client)"
"UserDefinedDetection_3"="Btmaketorrentgui.exe:BitTorrent (Torrent Client)"
"UserDefinedDetection_4"="Azureus.exe:Azureus (Torrent Client)"
"UserDefinedDetection_5"="Azureus2.jar:Azureus (Torrent Client)"
"UserDefinedDetection_6"="BitComet.exe:BitComet (Torrent Client)"
"UserDefinedDetection_7"="Emule.exe:eMule (P2P Client)"
"UserDefinedDetection_8"="Edonkey2000.exe:eDonkey 2000 (P2P Client)"
"UserDefinedDetection_9"="klrun.exe:Kazaa Lite Resurrection (P2P Client)"
"UserDefinedDetection_10"="khancer.exe:KaZaa Lite / K-Lite (P2P Client)"
"UserDefinedDetection_11"="Morpheus.exe:Morpheus (P2P Client)"
"UserDefinedDetection_12"="Shareaza.exe:Shareaza (P2P Client)"
"UserDefinedDetection_13"="LimeWire.exe:LimeWire (P2P Client)"
"UserDefinedDetection_14"="LimeWire.jar:LimeWire (P2P Client)"
"UserDefinedDetection_15"="BearShare.exe:BearShare (P2P Client)"
"UserDefinedDetection_16"="KCeasy.exe:KCeasy (P2P Client)"
"UserDefinedDetection_17"="Gnucleus.exe:Gnucleus (P2P Client)"
"UserDefinedDetection_18"="Ares.exe:Ares (P2P Client)"
"UserDefinedDetection_19"="warez.exe:Warez P2P (P2P Client)"

VirusScan 8.5i Central reporting
We have a registry key change for this one too.

Windows Registry Editor Version 5.00
;Contributor: Me
;Created: 15 September 2005
;Updated: 25 May 2007 (path for VS 8.5i)
;Status: Current
;
;Subject: Configure Virus Scan v8.5i – to use REDMOND as Alert server

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\Alert Client\VSE]
"SuppressAlertsBelow"=dword:00000001
"bLocalEventLog"=dword:00000001
"LocalConfig"=dword:00000001
"RemoteConfig"=dword:00000001
"Centralized Alerting Path"=""
"Alert Manager Server Path"="\\\\REDMOND"
"AlertType"=dword:00000004
"bSendSNMP"=dword:00000000
"SuppressAlerts"=""
"bXMLForwarding"=dword:00000001
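As an added example (not from the post and not McAfee's code), a small Python parser for the Regedit 5.00 format used by both files above, with a check that the P2P block actually lands under the 8.5i NVP path and reports which Detect* switches are off and which user-defined programs are listed. The embedded sample is a constructed, trimmed copy of the two fragments.

```python
import re

# Constructed sample (not a real export): trimmed from the post's two 8.5i
# fragments. Real regedit exports are UTF-16 with a BOM; read them with
# open(path, encoding='utf-16') before handing the text to parse_reg().
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
;Subject: Registry file to add Virus Scan v8.5i - User Defined Unwanted Programs

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\NVP]
"DetectJokes"=dword:00000001
"DetectKeyLoggers"=dword:00000000
"DetectionExclusions"=""
"UserDefinedDetection_0"="BitLord.exe:BitLord (Torrent Client)"
"UserDefinedDetection_1"="Azureus2.jar:Azureus (Torrent Client)"

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\Alert Client\VSE]
"Alert Manager Server Path"="\\\\REDMOND"
"AlertType"=dword:00000004
'''
NVP_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\NVP'
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data

def _unescape(s):                      # .reg escapes \ and " with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' file into
    {key_path: {value_name: value}}; REG_SZ -> str, REG_DWORD -> int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ';' or line.startswith('Windows Registry Editor'):
            continue
        if line[0] == '[' and line[-1] == ']':          # new key path
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f'unparsed line: {raw!r}')
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('dword:'):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = _unescape(data[1:-1])
        else:
            raise ValueError(f'unsupported value type: {raw!r}')
    return keys

def audit_nvp(keys):
    """Return (disabled Detect* switches, [(exe, description), ...]) for the
    8.5i NVP key. A .reg written for the 8.0i paths imports without complaint
    but never touches this key, which is why the old files 'did not work'."""
    if NVP_KEY not in keys:
        raise KeyError(f'{NVP_KEY} absent: file targets another VirusScan path')
    nvp = keys[NVP_KEY]
    disabled = sorted(n for n, v in nvp.items() if n.startswith('Detect') and v == 0)
    numbered = sorted((int(n.rsplit('_', 1)[1]), v) for n, v in nvp.items()
                      if n.startswith('UserDefinedDetection_'))
    user = []
    for _, entry in numbered:                  # "file.exe:Description"
        exe, sep, desc = entry.partition(':')
        if not sep or not exe.strip():
            raise ValueError(f'malformed user-defined detection: {entry!r}')
        user.append((exe.strip().lower(), desc.strip()))
    return disabled, user
```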

[1] Blocking P2P with VirusScan8.0i
[2] VirusScan 8.0i Central reporting

Disabling the P2P client in Opera

Other than as the need arises in the course of research, teaching, learning or other University business, the use of University facilities with any of the so-called peer-to-peer filesharing systems imposes an unreasonable burden, and in many cases would also be in breach of copyright. (Regulation 8.1.R7 Guidelines [3])

In our environment Opera is currently listed as “level-C” supported software for both Mac and Windows: ed-IT may be able to help with some queries, but these products are not supported as such, only recognized by ed-IT.

With the introduction of the BitTorrent P2P client in Opera 9, we need to remove the P2P client from any of our installs. This is not too difficult:

How can I disable the BitTorrent client in Opera?

Starting with version 9, Opera has a built-in client for BitTorrent, to simplify downloading and sharing of Torrent files.

Some may prefer to use a different third-party BitTorrent client with Opera, while others are on networks where all P2P activity is banned. Fear not, you can still use Opera!

The BitTorrent client in Opera can easily be disabled, and system administrators can apply this policy to all users.

System-wide

For a system-wide policy, simply add the following two lines to the system fixed file:

[BitTorrent]
Enable=0

Write-protect the system fixed file. Opera’s BitTorrent client is now disabled, and can not be re-enabled by other means than editing the system fixed file.

A quick trip to the System Administrator’s Handbook gives us the details for the System fixed file.

System fixed file

The system fixed file allows the system administrator to define settings that cannot be overridden by the individual user, such as proxy settings. On Linux the path to this file is /etc/opera6rc.fixed. On Windows, it is called “opera6.ini” and is located in the system directory. The system directory varies between system versions, but normally the placement would be \WINDOWS\SYSTEM32 on Windows XP, and \WINDOWS\SYSTEM on Windows 9x.

Note that the system fixed file overrides anything that is specified in the “opera6.ini” user file.

This means, for example, that if you set:

[User Prefs]
Home URL=http://www.opera.com/

in the system fixed file, then it is not possible to set another global home page in Opera. While these options remain visible to the user, they cannot be changed if specified in the system fixed file.

Not too hard at all, and it allows us to keep Opera in the environment without the risk of the P2P traffic and legal exposure.
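As an added example, not from the post or from Opera, here is a small Python helper that merges the two lines from the support note into an existing opera6.ini fixed file without disturbing other settings, then write-protects the file. The file location is an assumption taken from the handbook's Windows XP path; adjust it for other systems.

```python
import os
import stat
from pathlib import Path

def enforce_setting(ini_text, section, key, value):
    """Return ini_text with key=value enforced in [section], every other line
    untouched. Opera INI keys may contain spaces ("Home URL"), so lines are
    edited directly instead of going through configparser."""
    out, in_section, seen_section, done = [], False, False, False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith('[') and s.endswith(']'):
            if in_section and not done:        # leaving the target section
                out.append(f'{key}={value}')   # without having met the key
                done = True
            in_section = s[1:-1].lower() == section.lower()
            seen_section = seen_section or in_section
            out.append(line)
            continue
        if in_section and s.split('=', 1)[0].strip().lower() == key.lower():
            if not done:                       # rewrite the first occurrence,
                out.append(f'{key}={value}')   # drop any duplicates
                done = True
            continue
        out.append(line)
    if not done:                               # section absent or was last
        if not seen_section:
            if out and out[-1].strip():
                out.append('')
            out.append(f'[{section}]')
        out.append(f'{key}={value}')
    return '\n'.join(out) + '\n'

def disable_bittorrent(ini_text):
    """The two lines from the Opera support note, applied to the fixed file."""
    return enforce_setting(ini_text, 'BitTorrent', 'Enable', '0')

def fixed_file_path():
    """Assumed location: %SystemRoot%/system32/opera6.ini (Windows XP, per the
    handbook). On Linux the equivalent is /etc/opera6rc.fixed."""
    return Path(os.environ.get('SystemRoot', r'C:\WINDOWS')) / 'system32' / 'opera6.ini'

def apply_and_protect(path=None):
    """Merge the setting into the fixed file and clear its write bit (the
    read-only attribute on Windows). That attribute only stops casual edits;
    NTFS permissions on the file are what actually keep users out."""
    path = Path(path) if path else fixed_file_path()
    current = ''
    if path.exists():
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)   # lift read-only first
        current = path.read_text()
    path.write_text(disable_bittorrent(current))
    os.chmod(path, stat.S_IREAD)
    return path
```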

[1] How can I disable the BitTorrent client in Opera? [Opera Support]
[2] System Administrator’s Handbook [Opera Support]
[3] 1.1 Peer-to-peer in Regulation 8.1.R7 Guidelines [Unimelb]

Mac OS X : Security Update 2007-005

Security Update 2007-005 was released on 24 May 2007 for Mac OS X 10.3.9 and Mac OS X 10.4.9. Successful exploitation of these issues can result in arbitrary code execution, denial of service, escalation of privileges, and others.

Threat level = Medium

Security Update 2007-005

Alias Manager

CVE-ID: CVE-2007-0740

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Users may be misled into opening a substituted file

Description: In certain circumstances, an implementation issue in Alias Manager will not show identically-named files contained in identically-named mounted disk images. By enticing a user to mount two identically-named disk images, an attacker could mislead the user into opening a malicious program. This update addresses the issue by performing additional validation of mountpaths. Credit to Greg Bolsinga of Blurb, Inc. for reporting this issue.

BIND

CVE-ID: CVE-2007-0493, CVE-2007-0494, CVE-2006-4095, CVE-2006-4096

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Multiple vulnerabilities in BIND, the most serious of which is remote denial of service

Description: BIND is updated to version 9.3.4. Further information is available via the ISC web site at http://www.isc.org/index.pl?/sw/bind/

CoreGraphics

CVE-ID: CVE-2007-0750

Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

Description: An integer overflow vulnerability exists in the handling of PDF files. By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of PDF files. This issue does not affect systems prior to Mac OS X v10.4.

crontabs

CVE-ID: CVE-2007-0751

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: The daily /tmp cleanup script may lead to a denial of service

Description: Filesystems mounted in the /tmp directory may be deleted when the daily cleanup script is executed, which may lead to a denial of service. This update addresses the issues by updating the daily cleanup script to prevent find commands from descending into mounted filesystems.

fetchmail

CVE-ID: CVE-2007-1558

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: fetchmail password disclosure may be possible

Description: fetchmail is updated to version 6.3.8 to address a cryptographic weakness that could lead to the disclosure of fetchmail passwords. Further information is available via the fetchmail web site at http://fetchmail.berlios.de/fetchmail-SA-2007-01.txt

file

CVE-ID: CVE-2007-1536

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Running the file command on a maliciously crafted file may lead to an unexpected application termination or arbitrary code execution

Description: A heap buffer overflow vulnerability exists in the file command line tool, which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of files that are passed to the file command.

iChat

CVE-ID: CVE-2007-2390

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution

Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in iChat. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets in iChat.

mDNSResponder

CVE-ID: CVE-2007-2386

Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: An attacker on the local network may be able to cause a denial of service or arbitrary code execution

Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, an attacker on the local network can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.

PPP

CVE-ID: CVE-2007-0752

Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: A local user may obtain system privileges

Description: An implementation issue exists in the PPP daemon when loading plugins via the command line, which allows a local user to obtain system privileges. This update addresses the issue through validation of user privileges. This issue does not affect systems prior to Mac OS X v10.4. Credit to an anonymous researcher working with the iDefense VCP for reporting this issue.

ruby

CVE-ID: CVE-2006-5467, CVE-2006-6303

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Denial of service vulnerabilities in the Ruby CGI library

Description: Multiple denial of service issues exist in the Ruby CGI library. By sending maliciously crafted HTTP requests to a web application using cgi.rb, an attacker could trigger an issue which may lead to a denial of service. This update addresses the issues by applying the Ruby patches.

screen

CVE-ID: CVE-2006-4573

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Multiple denial of service vulnerabilities in GNU Screen

Description: The screen command line tool is updated to address multiple denial of service vulnerabilities. Further information is available via the GNU web site at http://lists.gnu.org/archive/html/screen-users/2006-10/msg00028.html

texinfo

CVE-ID: CVE-2005-3011

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: A vulnerability in texinfo may allow arbitrary files to be overwritten

Description: A file handling issue exists in texinfo, which may allow a local user to create or overwrite files with the privileges of the user running texinfo. This update addresses the issue through improved handling of temporary files.

VPN

CVE-ID: CVE-2007-0753

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: A local user may obtain system privileges

Description: A format string vulnerability exists in vpnd. By running the vpnd command with maliciously crafted arguments, a local user can trigger the vulnerability which may lead to arbitrary code execution with system privileges. This update addresses the issue by performing additional validation of the arguments passed to vpnd. Credit to Chris Anley of NGSSoftware for reporting this issue.

[1] About Security Update 2007-005 [Apple]

Psst bud … want an Ethereal Frodo?

Found on eBay last night …

G’day
even though I made and have had this bloke for a while now I’ve only just started using him in LOTR games. I was originally very happy with the work I did on the model but, to be totally honest, he’s pretty easy to misplace in between games and even during them. So, although it was a lot of effort to convert him then get him to actually be invisible and ethereal, it’s time to let him go. It’s just too much work for me to keep track of where he is. I’m never even 100% sure I’ve got him when I’ve got him.

Postage is high because with a model of this rarity and coolness it’s just silly to take chances, so it will only be sent registered and must be signed for at the other end.

Although I will take every care to seal the package I take no responsibility if this ethereal model somehow slips through the packaging and is lost forever.

Good luck and enjoy ;)

Ethereal Frodo

Q: Does this model come with a base?
A: I can’t remember. I am pretty sure I made up a scenic base but it’s also ethereal and I can’t, with any certainty, tell if it’s still there or not. My kids used this one a bit so it may have come loose mate.

Q: Hi, it’s not clear to me from the picture – is the ethereal Frodo painted or unpainted?
A: I’ve got to be honest mate. Although I’m not normally a good painter, I really did a great effort with this model. About 3 times in fact. Unfortunately, the paint never seemed to stay on past a day or so.

:)

[1] Ethereal Frodo [eBay]

IT Security Policy

Information Technology Security Policy (PDF)
This document defines policies of The University of Melbourne to assist in ensuring the security of the University’s Information Technology (IT).
- approved by the Information Strategy Committee on 14 April 2003

IT Security Policy Guidelines (PDF)
- 02 Dec 2003

8.1.R7 – COMPUTING AND NETWORK FACILITIES RULES (PDF)
Regulation 8.1R7 defines overall requirements governing the use of IT facilities at the University.
- 13 Dec 2004

8.1.R8 – SECURITY OF LOCAL AREA NETWORKS (“LANs”) (PDF)
- 17 May 1996

[1] Policy Documentation [Unimelb]

Amnesty Report 2007 – Australia in summary

“The politics of fear is fuelling a downward spiral of human rights abuse in which no right is sacrosanct and no person safe.”
Irene Khan, Secretary General of Amnesty International. [1]

Australia in summary [2]
During 2006, governments and armed groups deliberately fomented fear to erode human rights. The international community was too often impotent or weak-willed in the face of major human rights crises, and old-fashioned repression reared its head in the guise of new anti-terror laws and attacks on freedom of speech.

Both national and international bodies condemned the state of Indigenous human rights in Australia, including poor housing conditions and the high rates of sexual abuse and violence against Indigenous women and children. The Australian Government introduced new counter-terrorism measures, posing a threat to human rights, and continued to support trial by the US Military Commission although it fell below international standards. Violence against women was again a cause for concern, especially the low rates of conviction in sexual assault cases, and more than 1,000 refugees remained on three-year Temporary Protection Visas. In a further erosion of their human rights, the High Court ruled these visas would not be renewed if the individuals were unable to prove continued need for protection.

In a victory for human rights, the prime minister was forced to withdraw proposed legislation to settle refugees outside Australia, due to lack of support, and the Australian Government was instrumental in the fight against the illegal arms trade in the region.

Powerful governments and armed groups are deliberately fomenting fear to erode human rights and to create an increasingly polarised and dangerous world, said Amnesty International today as it launched the Amnesty International Report 2007, an annual assessment of human rights worldwide. [4]

[1] Amnesty International Australia [AI Australia]
[2] Annual Report 2007: The state of the world’s human rights (2007-May-23) [AI Australia]
[3] The report on Australia (pdf size: 40kb) [AI Australia]
[4] MEDIA RELEASE – Annual Report 2007: Politics of creating fear [AI Australia]

Two more out of sequence patches from MS

Ahhhh, more unscheduled machine restarts …

Bulletin | KB number | Description | Severity | Impact | Software
Advisory 927891 | 927891 | Fix for Windows Installer (MSI) | - | - | Microsoft Update, Windows
Advisory 937696 | 937696 | Release of Microsoft Office Isolated Conversion Environment (MOICE) and File Block Functionality for Microsoft Office | - | - | MOICE, Office 2003, 2007

Note: To Install MOICE, you must have the Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats.

[1] Two Advisories on Non-Security Updates (2007-05-22) [MSRC Blog]
[2] Microsoft Advisories (2007-05-23) [SANS]

SSH to Merlin from OS-X

This is a grand old chestnut that keeps appearing:

Support: you cannot use JellyFissh for accessing Merlin …
LITE: ?!
Support: … you need to use MacSSH
LITE: ?!!

If you go looking for information, I feel your pain! The Merlin Support documentation, what there is left of it, has been migrated to a staff intranet site [1] (no search capability, and not listed in the Uni search engine). I have some copies of the old, and I mean old, telnet documentation [2] that gives a bit of an overview.

I am not sure that the support guys know that MacSSH was a Mac Classic application and we no longer use it!

WHAT DO YOU NEED TO KNOW?

1.) As OS X has a built-in SSH client there is not a lot of extra development of SSH clients. Why reinvent the wheel? Merlin has been configured to allow for the built-in SSH client — use keyboard mapping (S)

Merlin keyboard mapping screen

2.) Jellyfissh is not actually an SSH client per se; it is a GUI wrapper around the native OS X SSH client (therefore the keyboard mapping is the same as the native client).

3.) Note that Apple’s implementation of the Terminal program (post Jaguar 10.2) only supports the F1 to F12 function keys and no other special keys.

You CAN use Jellyfissh from OS X :)

[1] Merlin Support [ACS Staff Intranet] {Staff Login required}
[2] TELNET (KeyMap) [ed-IT]
