Security News Roundup: Security researchers to demonstrate WPA packet injection

This week's security events include news that there will be just two updates for Microsoft's Patch Tuesday this month, the appearance of an exploit for Adobe Reader spotted in the wild, Adobe releasing an update to resolve a ColdFusion vulnerability, and word that security researchers will demonstrate WPA packet injection for the first time.
Just two updates for October's Patch Tuesday

System administrators still reeling from last month's bumper Patch Tuesday will be glad to know that they can rest easier this month. For the month of October, Microsoft will be releasing only two updates, with one rated as "critical" and the other as "important."

Organizations are advised to exercise vigilance in patching the critical flaw, as it involves a vulnerability in Windows XML Core Services 3.0, used extensively by Windows to manipulate XML data. Consequently, the affected operating systems include Windows 2000, XP, Server 2003, Vista and Server 2008. The flaw is also present in XML Core Services 4.0 and 6.0, although exposure there is viewed as less critical.

In a written statement, Don Leatham of Lumension Security (formerly PatchLink) urged IT administrators to patch this vulnerability. Leatham noted that, left unaddressed, the flaw could compromise the integrity of a company's sensitive information, because the vulnerability affects such a broad range of Microsoft platforms.

The second bulletin is related to the same XML issue, though specific to Office 2003 and Office SharePoint Server. It could nevertheless allow remote code execution, and hence should not be taken lightly.

Flaws targeting Acrobat spotted in-the-wild

Days after the initial announcement of a serious Adobe Reader flaw, working exploits were spotted in the wild. The exploit in this case targets CVE-2008-2992, using a crafted format string argument to execute arbitrary code, and is delivered via a malformed PDF file.

Bojan Zdrnja over at SANS Internet Storm Center highlighted a sample that was sent to him by one of his readers:

Unfortunately, Wayne [the reader] is right - these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, though, as a fully working PoC has been recently published as well, but it's interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection.

Zdrnja also noted that none of the AV products detected his malicious PDF sample, which is not really surprising given how new it is.

At this point, Adobe has updated Adobe Reader 8.1.2 and Acrobat 8.1.2 to address the vulnerabilities. Given the popularity of the PDF file format and the ease of delivery via e-mail, it is more important than ever to ensure that patching and upgrading are carried out promptly.

Adobe eliminates Cold Fusion vulnerability

Adobe has issued a security fix for ColdFusion. The patch eliminates a vulnerability that allows attackers to circumvent existing restrictions on a server operating in a shared hosting environment.

According to Adobe, ColdFusion 8.0 and 8.0.1 as well as ColdFusion MX 7.0.2 are affected. Adobe's security bulletin provides patch instructions.

Security researchers to demonstrate WPA packet injection

German security researcher Erik Tews and co-researcher Martin Beck have found a way to break the Temporal Key Integrity Protocol (TKIP) key used by the Wi-Fi Protected Access (WPA) encryption standard. At next week's PacSec 2008 security conference in Tokyo, the duo will give a presentation titled "Gone in 900 Seconds: Some Crypto Issues with WPA." They will also use their findings to demonstrate data injection into the WPA traffic between a router and a laptop.

The precise method used to achieve the data injection has yet to be made public, though it is known to involve breaking the TKIP key used by WPA. This was achieved by tricking a WPA router into disgorging large amounts of data, coupled with a "mathematical breakthrough" that cracks TKIP without resorting to a dictionary attack. To be clear, the team has not managed to crack the actual encryption keys used to secure data in WPA, so WPA appears to remain secure at this juncture.

Moving ahead, the obvious solution at this point would be to change to the WPA2 encryption scheme, which uses the more robust Advanced Encryption Standard (AES) instead of TKIP.
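Switching to WPA2 only helps if the access point stops offering TKIP altogether, and a WPA/WPA2 "mixed mode" deployment keeps TKIP on the table for every client that asks for it. The script below is an added example, not code from the article or from any of the researchers mentioned: it parses a hostapd access-point configuration and reports whether TKIP can still be negotiated. The option names (wpa, wpa_pairwise, rsn_pairwise, group_cipher, wpa_key_mgmt) are real hostapd.conf keys; the defaults it assumes (wpa_pairwise defaults to TKIP, rsn_pairwise defaults to the wpa_pairwise value, and the group cipher falls back to TKIP whenever any pairwise cipher allows TKIP) follow the hostapd.conf reference comments as I recall them, and the two sample configurations and the passphrase placeholder are constructed for the example.

```python
"""Audit a hostapd access-point config for TKIP exposure (added example)."""
import sys

# Constructed sample: WPA/WPA2 mixed mode, TKIP still negotiable.
MIXED_MODE_CONF = """\
interface=wlan0
ssid=example-mixed
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=PLACEHOLDER-PASSPHRASE
"""

# Constructed sample: WPA2 only, CCMP (AES) only.
CCMP_ONLY_CONF = """\
interface=wlan0
ssid=example-wpa2
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-PASSPHRASE
"""


def parse_hostapd(text):
    """Parse key=value lines into a dict, skipping blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective_ciphers(conf):
    """Return (wpa1_pairwise, wpa2_pairwise, group) cipher sets in effect.

    Defaults assumed here (per the hostapd.conf reference comments):
    wpa_pairwise -> TKIP; rsn_pairwise -> same as wpa_pairwise;
    group cipher -> CCMP only if every allowed pairwise cipher is CCMP,
    otherwise TKIP, unless group_cipher overrides it.
    """
    mode = int(conf.get("wpa", "0"))  # 1 = WPA, 2 = WPA2/RSN, 3 = both
    wpa_pairwise = set(conf.get("wpa_pairwise", "TKIP").split())
    rsn_default = " ".join(sorted(wpa_pairwise))
    rsn_pairwise = set(conf.get("rsn_pairwise", rsn_default).split())
    wpa1 = wpa_pairwise if mode & 1 else set()
    wpa2 = rsn_pairwise if mode & 2 else set()
    allowed = wpa1 | wpa2
    if "group_cipher" in conf:
        group = {conf["group_cipher"]}
    elif not allowed:
        group = set()
    elif allowed == {"CCMP"}:
        group = {"CCMP"}
    else:
        group = {"TKIP"}
    return wpa1, wpa2, group


def audit(conf):
    """Return a list of findings; an empty list means no TKIP exposure."""
    mode = int(conf.get("wpa", "0"))
    if mode == 0:
        return ["no WPA/WPA2 configured: network is open or WEP"]
    wpa1, wpa2, group = effective_ciphers(conf)
    findings = []
    if mode & 1:
        findings.append("wpa=%d enables WPA (v1); set wpa=2 unless a legacy "
                        "client truly needs it" % mode)
    if "TKIP" in wpa1:
        findings.append("wpa_pairwise allows TKIP for WPA clients: %s"
                        % " ".join(sorted(wpa1)))
    if "TKIP" in wpa2:
        findings.append("WPA2 clients may still negotiate TKIP (rsn_pairwise="
                        "%s); set rsn_pairwise=CCMP" % " ".join(sorted(wpa2)))
    if "TKIP" in group:
        findings.append("group (broadcast/multicast) cipher is TKIP, so even "
                        "CCMP clients receive TKIP-protected frames")
    return findings


if __name__ == "__main__":
    # Audit a real file if one is given, otherwise the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"mixed-mode": MIXED_MODE_CONF, "ccmp-only": CCMP_ONLY_CONF}
    for name, text in samples.items():
        print("== %s ==" % name)
        for finding in audit(parse_hostapd(text)) or ["OK: CCMP only"]:
            print("  " + finding)
```

The point the group-cipher check makes is the one that bites mixed-mode networks like the one described in the comments below: as long as a single WPA/TKIP client is accommodated, broadcast and multicast frames for every client, including the WPA2 ones, are protected with TKIP. Running the script against a production hostapd.conf shows whether a "we use WPA2" answer actually holds for the whole cell.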

Are you using wireless in your organization? Are you using WPA or WPA2 at this point?

Feel free to discuss the various security events here.


Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.



Neon Samurai

The home router allows for mixed mode, so except for one irregular device that requires WPA, everything is using WPA2.

Michael Kassner

From what I've read, the attack vector is not for the weak of heart and is actually only one way. So I wouldn't be too worried as of yet.


I think it will be interesting to see what exploits can come out of the packet injection. But yeah, I think it's a good idea to just go to WPA2 if there is a choice. For pure WPA shops at the moment, I suppose waiting another few days for more details won't hurt. Regards, Paul Mah.


It doesn't seem to be very far along yet; currently the best way would be to get ahold of a user's laptop or throw in an autohack USB drive while they're not looking at a coffee shop to recover the key. Of course, with pretty much any encryption, except maybe using RADIUS with your WPA2 AES, getting physical access to a machine would get you right in to the key. Cheers,

Neon Samurai

If it can be done with a manual process now, it will become weaponized for the kiddies soon enough. I wouldn't react irrationally, though, either; for me, it's just a reason to clean up my outstanding weak connections at home. No need to wait until it's a five-minute aircrack job. Actually, I think the only outstanding gadget is getting WPA2 or WPA/AES working with wpa_supplicant under Backtrack2. Currently, it forces me to use wpa_psk (WPA/TKIP), though any newer distribution seems to manage WPA2 without an issue.
