Black Hat updates of day 1
Now that the Microsoft out-of-Band patch is released we see other major vendors coming with patches as well.
Adobe has also issued one Security Advisory and one Security Bulletin related to this issue. The Security Advisory, APSA09-04, notes that Adobe Flash leverages a vulnerable version of the ATL; however, it is only vulnerable when invoked from within Internet Explorer. Other browsers are not affected by this vulnerable version of Flash. Currently, no update is available from the vendor, but Adobe expects to supply a fix by July 30.
http://www.adobe.com/support/security/advisories/apsa09-04.html
The Security Bulletin, APSB09-11, addresses the ATL vulnerability from within Shockwave Player. Shockwave Player version 11.5.0.600 and earlier use a vulnerable version of ATL. A patch is available. We advise affected clients to upgrade to the most recent version of Shockwave Player.
http://www.adobe.com/support/security/bulletins/apsb09-11.html
Cisco Security Advisory (cisco-sa-20090728-activex), "Active Template Library (ATL) Vulnerability", also addresses the ATL vulnerability. Cisco Unity 4.x, 5.x, and 7.x use a vulnerable version of the ATL. A patch is not yet available for this issue, but workaround information is included in the vendor's advisory. The advisory also contains a list of other Cisco software that is confirmed to be not vulnerable.
http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml
Today Jeff Moss kicked Black Hat with the usual boring stuff. The only bigger surprise is that Black Hat Amsterdam will not happen anymore as they can’t find any facility in Amsterdam big enough to host the event. Instead they will move now to Barcelona which is anyhow the nicer place :-)
I was personally disappointed by the opening. InfoSecurity published already an article summarizing the keynote much better I ever could in case you are interested go to
http://www.infosecurity-us.com/view/2867/security-is-not-the-security-teams-problem-says-blackhat-keynote-speaker-douglas-merrill-/
In case you haven’t heard about it already a group of security people started there alternative event running parallel to the Black Hat. The name is BSides Las Vegas and I highly recommend to have a look if you are in Vegas. You can find the details at
http://bsides.pbworks.com/BSidesLasVegas
The major topic today which created a lot of discussions on the floor was around mobile device security. Especial as an iPhone SMS Attack is to Be Unleashed at Black Hat 2009. Tomorrow at day 2 iPhone hacker Charlie Miller will give a presentation proofing that he has discovered a way to crash the iPhone via SMS, and that the crash could ultimately lead to working attack code. Apple has just over a day left to patch the bug in its iPhone software that could let hackers take over the iPhone, just by sending out and SMS (Short Message Service) message.
LEARNING: DON’T ACCEPT ANY STRANGE LOOKING SMS!
Information week just published a nice article around other mobile device issues including Android from Google. Have a look at
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218800192
Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky’s site. They posted e-mails, passwords, and other sensitive data stolen from security experts and others on hacked site of Dan Kaminsky.
One other hot topic was security around SSL. One security researcher with the name Marlinspike was saying that almost All Implementations of SSL Are Configured to Give up Everything. It's not the SSL protocol which is the problem. It's the majority of the implementations that are utterly insecure. This includes most of the major banks, email systems, social networking sites, and so on. Even most software update mechanisms. You can find an interview with him at
http://i.cmpnet.com/infoweek/podcasts/TechRadarBlackHatMoxieMarlinSpike.mp3
By the way the weather in Vegas is great and with 110° F really warm. Most of the people prefer to stay inside and with this the conference sessions are crowded most of the time and the number of Black hat visitors around the pool area is limited. Right now we are all getting ready for the second night of Black Hat parties.
-Andreas
Adobe has also issued one Security Advisory and one Security Bulletin related to this issue. The Security Advisory, APSA09-04, notes that Adobe Flash leverages a vulnerable version of the ATL; however, it is only vulnerable when invoked from within Internet Explorer. Other browsers are not affected by this vulnerable version of Flash. Currently, no update is available from the vendor, but Adobe expects to supply a fix by July 30.
http://www.adobe.com/support/security/advisories/apsa09-04.html
The Security Bulletin, APSB09-11, addresses the ATL vulnerability from within Shockwave Player. Shockwave Player version 11.5.0.600 and earlier use a vulnerable version of ATL. A patch is available. We advise affected clients to upgrade to the most recent version of Shockwave Player.
http://www.adobe.com/support/security/bulletins/apsb09-11.html
Cisco Security Advisory (cisco-sa-20090728-activex), "Active Template Library (ATL) Vulnerability", also addresses the ATL vulnerability. Cisco Unity 4.x, 5.x, and 7.x use a vulnerable version of the ATL. A patch is not yet available for this issue, but workaround information is included in the vendor's advisory. The advisory also contains a list of other Cisco software that is confirmed to be not vulnerable.
http://www.cisco.com/warp/public/707/cisco-sa-20090728-activex.shtml
Today Jeff Moss kicked Black Hat with the usual boring stuff. The only bigger surprise is that Black Hat Amsterdam will not happen anymore as they can’t find any facility in Amsterdam big enough to host the event. Instead they will move now to Barcelona which is anyhow the nicer place :-)
I was personally disappointed by the opening. InfoSecurity published already an article summarizing the keynote much better I ever could in case you are interested go to
http://www.infosecurity-us.com/view/2867/security-is-not-the-security-teams-problem-says-blackhat-keynote-speaker-douglas-merrill-/
In case you haven’t heard about it already a group of security people started there alternative event running parallel to the Black Hat. The name is BSides Las Vegas and I highly recommend to have a look if you are in Vegas. You can find the details at
http://bsides.pbworks.com/BSidesLasVegas
The major topic today which created a lot of discussions on the floor was around mobile device security. Especial as an iPhone SMS Attack is to Be Unleashed at Black Hat 2009. Tomorrow at day 2 iPhone hacker Charlie Miller will give a presentation proofing that he has discovered a way to crash the iPhone via SMS, and that the crash could ultimately lead to working attack code. Apple has just over a day left to patch the bug in its iPhone software that could let hackers take over the iPhone, just by sending out and SMS (Short Message Service) message.
LEARNING: DON’T ACCEPT ANY STRANGE LOOKING SMS!
Information week just published a nice article around other mobile device issues including Android from Google. Have a look at
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=218800192
Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky’s site. They posted e-mails, passwords, and other sensitive data stolen from security experts and others on hacked site of Dan Kaminsky.
One other hot topic was security around SSL. One security researcher with the name Marlinspike was saying that almost All Implementations of SSL Are Configured to Give up Everything. It's not the SSL protocol which is the problem. It's the majority of the implementations that are utterly insecure. This includes most of the major banks, email systems, social networking sites, and so on. Even most software update mechanisms. You can find an interview with him at
http://i.cmpnet.com/infoweek/podcasts/TechRadarBlackHatMoxieMarlinSpike.mp3
By the way the weather in Vegas is great and with 110° F really warm. Most of the people prefer to stay inside and with this the conference sessions are crowded most of the time and the number of Black hat visitors around the pool area is limited. Right now we are all getting ready for the second night of Black Hat parties.
-Andreas