Abysssec outs Linux vulnerability

By Robert Westervelt, News Director, SearchSecurity | Sep 6, 2010

0 comments

Digg

 Email

 Print

A group of security researchers began issuing what they said will be a month-long list of undisclosed bugs, as well as detailed binary analysis of known vulnerabilities. The first zero-day: A Linux-based Web hosting console.

The Abysssec Security Team said it would disclose vulnerabilities in software made by Adobe Systems, Microsoft, Mozilla, Apple, HP, Novel and other vendors. The Month of Abysssec Undisclosed Bugs issued two advisories Wednesday: A detailed binary analysis for a bug affecting previous versions of Adobe Reader and Adobe Flash and a zero-day flaw affecting cPanel, a Linux-based server Web hosting console.

Abysssec is made up of several anonymous researchers who specialize in penetration testing and binary code analysis. The group is trying to highlight its Exploit Database, an archive of exploits and vulnerable software collected from mailing lists and submissions.

The researchers issued a binary analysis of an invalid pointer vulnerability in Adobe Flash Player and Adobe Reader. An Adobe spokesperson said the analysis was one of 32 vulnerabilities addressed by Adobe on June 10 and June 29 in Adobe Reader.

"Since the majority of attacks we are seeing are exploiting software installations that are not up to date on the latest security updates, Adobe always strongly recommends that users follow security best practices by installing the latest security updates as the best possible defense against those with malicious intent," the spokesperson said.

Abysssec also issued a low-level zero-day vulnerability. The cPanel flaw, a restriction bypass vulnerability, can only be locally exploited by an attacker.

"Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks," the organization said in its security advisory. "It can help attacker to bypass restrictions such as mod_security , Safemod and disable functions."

"Month of bug" campaigns have been used in the past to get software makers to move quickly in patching their products and get vendors to change their policies for vulnerability handling and disclosure. The last such campaign took place last year by Aviv Raff, who documented API flaws in the social networking platform Twitter. Raff also worked with Metasploit creator H.D. Moore on the "Month of Browser Bugs" project in 2006. A vulnerability researcher known as LMH followed the bug campaign, launching a Month of Kernel and Month of Apple bugs.

0 comments

Digg

 Email

 Print