Sûnnet Beskerming Alert List Advisory #263

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html)

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 7 days
1.2 Apple (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - > 7 days

=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/

--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 SSL Certificates Not as Safe as Once Thought
2.2 Arrested for Being Critical of Government Policy
2.3 2009 To Be The Year Of...
2.4 1234567890 on Black Friday
2.5 Google Demonstrates Risk of Filtering Systems

=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Visio
SQL Server
Internet Explorer

-- Technical Description --
MS09-001 - SMB. Remote Code Execution. Replaces MS08-063. Critical
MS09-002 - Internet Explorer. Multiple Remote Code Execution. Replaces MS08-073 and MS08-078. Critical
MS09-003 - Exchange. Multiple Code Execution and Denial of Service. Replaces MS08-039. Critical
MS09-004 - SQL Server. Code Execution. Replaces MS08-040 and MS08-052. Important
MS09-005 - Visio. Code Execution. Replaces MS08-019. Important

-- Description --
Microsoft's security patch releases for the first two months of 2009 have only seen five patches released, three of them Critical. While the remaining two patches have only been rated by Microsoft as Important, they do relate to code execution vulnerabilities and there is still significant risk associated with not applying the patches for those vulnerabilities.

Microsoft, and most of the antivirus / antimalware industry, have been focussed on the problems associated with Conficker / Downadup, the worm which has been spreading across the globe, using a range of different means to infect vulnerable systems.

It is considered extremely important that these patches are applied as soon as possible.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-003.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-005.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-4114 (MS09-001)
CVE-ID: CVE-2008-4834 (MS09-001)
CVE-ID: CVE-2008-4835 (MS09-001)
CVE-ID: CVE-2009-0075 (MS09-002)
CVE-ID: CVE-2009-0076 (MS09-002)
CVE-ID: CVE-2009-0098 (MS09-003)
CVE-ID: CVE-2009-0099 (MS09-003)
CVE-ID: CVE-2008-5416 (MS09-004)
CVE-ID: CVE-2009-0095 (MS09-005)
CVE-ID: CVE-2009-0096 (MS09-005)
CVE-ID: CVE-2009-0097 (MS09-005)

-- Threat Matrix --
             U   O
Home User   10  10 (Highly Critical)
Corporate   10  10 (Highly Critical)

1.2 Apple (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.4.x
OS X 10.5.x

-- Technical Description --
AFP Server - Denial of Service
Apple Pixlet Video - Denial of Service and Arbitrary Code Execution
CarbonCore - Denial of Service and Arbitrary Code Execution
CFNetwork - Cookie handling
Certificate Assistant - File manipulation
ClamAV - Multiple arbitrary code execution
CoreText - Denial of Service and arbitrary code execution
CUPS - Denial of service
DS Tools - Information Disclosure
fetchmail - Multiple Denial of Service
Folder Manager - Permissions Issue
FSEvents - Information Disclosure
Java - Multiple privilege elevation
Network Time - Configuration Change
perl - Denial of Service and arbitrary code execution
Printing - Privilege elevation
python - Multiple arbitrary code execution
Remote Apple Events - Multiple Denial of Service and Information Disclosure
Safari RSS - Arbitrary code execution
servermgrd - Information disclosure
SMB - Denial of Service and arbitrary code execution
SquirrelMail - Multiple Cross Site Scripting issues
X11 - Multiple arbitrary code execution
XTerm - Information disclosure

-- Description --
Apple has released a number of updates in the last several days, providing Security Update 2009-001, an update for Safari for Windows and a Java update. Due to the broad range of services and software being updated with the Updates, and the severity of the vulnerabilities being patched, it is considered extremely important that the Updates are applied as soon as possible.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2009-0142 (AFP Server)
CVE-ID: CVE-2009-0009 (Apple Pixlet Video)
CVE-ID: CVE-2009-0020 (CarbonCore)
CVE-ID: CVE-2009-0011 (Certificate Assistant)
CVE-ID: CVE-2008-5050 (ClamAV)
CVE-ID: CVE-2008-5314 (ClamAV)
CVE-ID: CVE-2009-0012 (CoreText)
CVE-ID: CVE-2008-5183 (CUPS)
CVE-ID: CVE-2009-0013 (DS Tools)
CVE-ID: CVE-2007-4565 (fetchmail)
CVE-ID: CVE-2008-2711 (fetchmail)
CVE-ID: CVE-2009-0014 (Folder Manager)
CVE-ID: CVE-2009-0015 (FSEvents)
CVE-ID: CVE-2008-2086 (Java)
CVE-ID: CVE-2008-5340 (Java)
CVE-ID: CVE-2008-5342 (Java)
CVE-ID: CVE-2008-5343 (Java)
CVE-ID: CVE-2008-1927 (perl)
CVE-ID: CVE-2009-0017 (Printing)
CVE-ID: CVE-2008-1679 (python)
CVE-ID: CVE-2008-1721 (python)
CVE-ID: CVE-2008-1887 (python)
CVE-ID: CVE-2008-2315 (python)
CVE-ID: CVE-2008-2316 (python)
CVE-ID: CVE-2008-3142 (python)
CVE-ID: CVE-2008-3144 (python)
CVE-ID: CVE-2008-4864 (python)
CVE-ID: CVE-2007-4965 (python)
CVE-ID: CVE-2008-5031 (python)
CVE-ID: CVE-2009-0018 (Remote Apple Events)
CVE-ID: CVE-2009-0019 (Remote Apple Events)
CVE-ID: CVE-2009-0137 (Safari RSS)
CVE-ID: CVE-2009-0138 (servermgrd)
CVE-ID: CVE-2009-0139 (SMB)
CVE-ID: CVE-2009-0140 (SMB)
CVE-ID: CVE-2008-2379 (SquirrelMail)
CVE-ID: CVE-2008-3663 (SquirrelMail)
CVE-ID: CVE-2008-1377 (X11)
CVE-ID: CVE-2008-1379 (X11)
CVE-ID: CVE-2008-2360 (X11)
CVE-ID: CVE-2008-2361 (X11)
CVE-ID: CVE-2008-2362 (X11)
CVE-ID: CVE-2006-1861 (X11)
CVE-ID: CVE-2006-3467 (X11)
CVE-ID: CVE-2007-1351 (X11)
CVE-ID: CVE-2008-1806 (X11)
CVE-ID: CVE-2008-1807 (X11)
CVE-ID: CVE-2008-1808 (X11)
CVE-ID: CVE-2007-1351 (X11)
CVE-ID: CVE-2007-1352 (X11)
CVE-ID: CVE-2007-1667 (X11)
CVE-ID: CVE-2009-0141 (XTerm)

-- Threat Matrix --
             U   O
Home User   10  10 (Highly Critical)
Corporate   10  10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 SSL Certificates Not as Safe as Once Thought

Over time, security practices that were once thought to be safe change. Many years ago it was believed that viruses could not propagate through email, and that images or web pages could not attack your system or network. Those beliefs have all been shown to be inaccurate as attack methods evolve and researchers discover new weaknesses and new ways to exploit and expose those weaknesses.

One of the more recent mantras, which has become a key part of ensuring Internet users stay safe online, is to always look for the lock icon or https at the start of the URL when passing sensitive personal or financial information across the Internet to an otherwise trusted remote site (banking, online shopping, etc). The presence of an SSL certificate that matched the site name (for more advanced users) meant that no one on the network was listening in to the transaction.

As phishers and other malware authors became more skilled, the sites being used to capture personal data began obtaining certificates of their own that matched their not-quite-right URLs, and others shifted their focus to the victim's own system, intercepting and siphoning off the data before it was encrypted in the browser and sent across the network.

Recently there have been a couple of cases to cause alarm amongst security watchers, raising the possibility that SSL certificates are not as secure, nor as much of a panacea against attack, as many thought.

It was discovered late last year that it is possible through some Certificate Authorities (CAs, the companies that are trusted to issue the SSL certificates that your browsers trust) to obtain authorised certificates for any domain, even when you don't represent it. This means that someone setting out to create a fake yourbank.com domain can obtain a valid SSL certificate for that domain and point it to their fake-yourbank.com site and not have any alerts raised in any web browser.

At the recent CCC conference it was shown that it is possible, given the right set of circumstances, to create a fake Intermediate CA due to weaknesses in the methods used by some Root CAs in issuing their certificates. By creating a fake Intermediate CA, it is then possible to issue valid SSL certificates for any domain at all, and they will all be accepted as valid by visitors' browsers. This is a more concerning development, since it means that once the Intermediate CA has been created, there does not need to be a request made to a valid CA to obtain a certificate for each malicious domain.

For all users it means another thing to be careful of when going online, and that even a valid-looking SSL certificate may no longer actually be valid.
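The two failure modes above (a genuine CA issuing a certificate to someone who does not own the domain, and a forged Intermediate CA carrying a real root's signature) look different to a chain validator. The following added example, which is not part of the advisory and not code from any browser or CA, walks a simplified certificate chain and reports policy violations: name mismatch, a non-CA certificate used as an issuer, a broken issuer link, an untrusted root, and a weak signature algorithm. Certificates are modelled as plain dicts with only the X.509 fields the checks need, and all chains and the trust store are constructed sample data. The set of "weak" algorithms is this example's assumption; the advisory does not name an algorithm, only "weaknesses in the methods used by some Root CAs". Note that the mis-issued-by-a-real-CA case passes every check, which is exactly why the advisory calls it alarming.

```python
# Added example (not from the advisory): a simplified certificate-chain policy
# check. Certificates are dicts with a handful of X.509 fields; the sample
# chains and trust store below are constructed, not real certificates.

# Assumption of this example: which signature algorithms count as weak. The
# advisory does not name one; MD5-based signatures are the usual suspect.
WEAK_SIGNATURE_ALGORITHMS = {"md5WithRSAEncryption", "md2WithRSAEncryption"}


def hostname_matches(hostname, names):
    """True if hostname is covered by one of the certificate's names.

    A leading '*.' matches exactly one DNS label, so '*.yourbank.com' covers
    'www.yourbank.com' but not 'yourbank.com' or 'a.b.yourbank.com'. A
    look-alike such as 'fake-yourbank.com' never matches 'yourbank.com'.
    """
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def check_chain(chain, hostname, trusted_roots):
    """Return the list of policy violations for a chain (empty means accepted).

    chain[0] is the server certificate, chain[1:] are intermediates, and the
    last certificate must be issued by a subject listed in trusted_roots.
    """
    if not chain:
        return ["empty chain"]
    problems = []
    leaf = chain[0]
    if not hostname_matches(hostname, leaf["names"]):
        problems.append("name mismatch: %s not in %s" % (hostname, leaf["names"]))
    for i, cert in enumerate(chain):
        # Only certificates carrying the CA flag may sign other certificates.
        if i > 0 and not cert["is_ca"]:
            problems.append("%s used as an issuer but is not a CA" % cert["subject"])
        # sig_alg is the algorithm the issuer used to sign this certificate; a
        # collision-prone hash here is what lets a forged intermediate carry a
        # genuine root's signature.
        if cert["sig_alg"] in WEAK_SIGNATURE_ALGORITHMS:
            problems.append("%s signed with %s" % (cert["subject"], cert["sig_alg"]))
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            problems.append("%s not issued by %s" % (cert["subject"], chain[i + 1]["subject"]))
    if chain[-1]["issuer"] not in trusted_roots:
        problems.append("chain does not end at a trusted root: %s" % chain[-1]["issuer"])
    return problems


TRUSTED_ROOTS = {"Example Root CA"}  # constructed trust store

# Constructed chain: a properly issued certificate for the real site.
GOOD_CHAIN = [
    {"subject": "www.yourbank.com", "names": ["www.yourbank.com", "yourbank.com"],
     "issuer": "Example Intermediate CA", "is_ca": False, "sig_alg": "sha256WithRSAEncryption"},
    {"subject": "Example Intermediate CA", "names": [], "issuer": "Example Root CA",
     "is_ca": True, "sig_alg": "sha256WithRSAEncryption"},
]

# Constructed chain: an intermediate whose root signature rests on a weak hash
# (the fake Intermediate CA scenario from the CCC talk).
FORGED_CHAIN = [
    {"subject": "www.yourbank.com", "names": ["www.yourbank.com"],
     "issuer": "Rogue Intermediate CA", "is_ca": False, "sig_alg": "sha1WithRSAEncryption"},
    {"subject": "Rogue Intermediate CA", "names": [], "issuer": "Example Root CA",
     "is_ca": True, "sig_alg": "md5WithRSAEncryption"},
]

# Constructed chain: a look-alike domain with its own correctly issued
# certificate; only the name check separates it from the real bank, and when
# the victim visits the look-alike name itself, nothing at all is flagged.
LOOKALIKE_CHAIN = [
    {"subject": "fake-yourbank.com", "names": ["fake-yourbank.com"],
     "issuer": "Example Intermediate CA", "is_ca": False, "sig_alg": "sha256WithRSAEncryption"},
    GOOD_CHAIN[1],
]


if __name__ == "__main__":
    for label, chain, host in [("good", GOOD_CHAIN, "www.yourbank.com"),
                               ("forged", FORGED_CHAIN, "www.yourbank.com"),
                               ("lookalike", LOOKALIKE_CHAIN, "fake-yourbank.com")]:
        print(label, check_chain(chain, host, TRUSTED_ROOTS) or "accepted")
```

The weak-algorithm check is the one control a relying party can apply unilaterally against the forged-intermediate case; the mis-issuance case is invisible to the chain walk and is why the advisory's closing advice is about user caution rather than a browser setting.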
2.2 Arrested for Being Critical of Government Policy

The AFP has reported on an interesting case in South Korea, where a blogger was arrested for critical commentary he had posted about the economic decisions of the South Korean government. Although it isn't unheard of for people to be arrested for what they post online, especially where that information is highly critical of the government (or governments) in power, it does appear odd that the South Korean government took this step against a popular online commentator who had several key economic downturn predictions come true in recent months, based on his critical commentary.

With the successful prediction of the failure of Lehman Brothers, local currency devaluation, and local stock market crashes, the commentator's credibility was enhanced, and so when he claimed that the government had taken active measures to support the South Korean won, it was a step too far for the government. While South Korea does maintain laws that could see a five year prison term or even a 50 million won fine for the posting / distribution of false reports and stories online, it now places the burden of proof on the government to demonstrate that the claims were false, though official charges have yet to be laid.

The anonymity of the internet allowed a jobless, self-educated man to become an influential financial commentator; it was being overly critical of the government's economic decisions (at least as far as the government sees it) which led to his arrest and pending charges. With the government on one side and the opposition, freedom of speech groups, and civil liberties groups on the other, this case has grabbed attention far more than many of the previous South Korean arrests for online commentary ever had.

2.3 2009 To Be The Year Of...

If 2009 is going to be the year of anything, it may as well be the year of data loss, which conveniently has also been every year for the last few years.

Around the time of the inauguration of President Obama came news of what could be the largest single breach of credit card information to date. The potential scope of the breach is staggering. With around 100 million transactions a month passing through systems belonging to Heartland, and malware in place to capture that data for an unknown period of time, there could be an immense number of cards and details that have been breached as a result. Names, numbers and expiration dates were the information claimed to have been compromised, but it is easy enough to clone fake cards from this data, and, combined with a range of other data that should be readily available to professional data thieves, there is sufficient information to reconstitute the missing cardholder data (which, it is claimed, has not been compromised).

The choice of the inauguration day for disclosure of the breach is seen by some as a method to play down the importance of what took place, or even to avoid the negative press and significant attention that have followed major breaches in recent years, such as that which followed the TJ Maxx data breach. Why the information was not made public when Heartland were initially made aware of the problem in 2008 is not known, but it is bound to come to light in the inevitable lawsuits that will follow.

More than 250,000 businesses across the United States were supplying transaction information to Heartland processing systems. What this means for consumers is that it isn't really a matter of where they went shopping: with so many retailers potentially having had transaction data intercepted, the risk of a customer having their data intercepted is much higher than if a single retailer or retail chain was compromised (such as happened with TJ Maxx).

Another reason why this case is gaining some attention is the claim that Heartland were assessed as PCI compliant. Whether that compliance was still valid at the time of the ongoing data interception hasn't been made clear, but it has already split the Information Security community into two camps. Many PCI supporters are rushing to defend the system against claims that it doesn't really achieve much by way of actual security.

PCI DSS falls into the same sort of general traps as ISO 17799:2005 and ISO 27001. It is great to be able to wave a certification in the air as part of marketing claims, but when it comes down to actual implementation and effective security, doing what is necessary to meet certification isn't going to do much to stop what is, undoubtedly in the case of a financial payments processor, a motivated attacker. It may even provide the attacker with a clearer picture as to what assumptions the company has made in achieving certification and what they may or may not be observing with their ongoing security posture.

If you're a supporter of PCI, or even if you're not, it is prudent to at least be cognizant that PCI isn't the be-all and end-all of Information Security. It can be extremely useful, when properly applied and understood, but it should never be used as a crutch to claim effective security procedures are in place.

If some of the other cases (breaches of USAJobs.gov and Monster.com) to receive coverage this month can be looked at as bellwethers of the year ahead, then 2009 is going to be another year where the Information Security industry will continue to be playing catchup and there are going to be many more high profile cases of massive data loss and compromise.

2.4 1234567890 on Black Friday

Strange things tend to happen when notable timestamps are reached. It may not seem like it would be much of a problem, but the whole Y2K concern was a result of the fear that systems and software that were coded to handle two digit years and not four digit years would have major problems with the rollover from 1999 to 2000, seeing 00 as representing 1900, and not 2000. More succinctly, it was a problem of how to handle systems that were not designed to handle anything other than the century in which they were created.

Another unique timestamp will be encountered in a little over a week's time, with POSIX time reaching 1234567890 at 23:31:30 UTC on February 13th, 2009. Other than making for an interesting number, it should give programmers and QA staff something to think about. Are there any test cases or unexpected code entry points that might have been left behind and which can be triggered by the above timestamp (which would make for an easy to remember test case)?

Having 1234567890 go past might be a useful hint that timekeeping problems will eventually be an issue for most software. Just as many of the developers of software affected by Y2K hadn't considered their software still being in use at the change of century, there is still a lot of software in use that is either having problems due to time and date related errors, or will soon be.

If you are having trouble telling when the 1234567890 time is going to be, the following is a helpful site, where you can see just how long it is until that time, or if it has already been.

2.5 Google Demonstrates Risk of Filtering Systems

Over the weekend it has been hard to avoid the news that Google inadvertently marked the whole Internet as dangerous and "may harm your computer", at least that was what search results were returning. What had happened, according to Google, was that the filtering list being used to identify which sites are malicious had accidentally included a wildcard operator. The inclusion of the '/' entry meant that, with the system Google has implemented, all URLs on the web were inadvertently identified as malicious. There was initial confusion about where the error had been introduced, with initial reporting suggesting that it had originated with stopbadware.org, which is the non-profit that Google works with to build their list of potentially malicious sites.
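The way a single '/' entry can swallow every URL is easy to see in a toy matcher. The following added example is not Google's or StopBadware's code and does not claim to reproduce their list format; it assumes a blocklist of "host/path" prefix entries, where an entry with no host applies to that path on every host, and then shows two guards a list operator can apply before a new list goes live: rejecting entries too broad to name a site, and refusing any list that flags a set of known-good canary URLs. All entries and URLs below are constructed samples.

```python
# Added example (not Google's or StopBadware's code): a toy URL blocklist
# matcher that shows how a bare '/' entry blocks every URL, plus two guards
# to run over a list before deploying it. Entry format is an assumption of
# this example: "host/path" prefixes, or a bare "/path" applying to all hosts.
from urllib.parse import urlsplit

# Constructed sample list; the last entry is the kind of bare '/' that the
# advisory describes slipping into the list.
SAMPLE_ENTRIES = ["malware.example.test/dl/", "phish.example.test/login", "/"]

# Constructed known-good URLs used as a sanity check before a list goes live.
CANARY_URLS = ["http://www.example.test/", "http://news.example.test/story/1"]


def url_key(url):
    """Normalise a URL to the 'host/path' form the blocklist is keyed on."""
    parts = urlsplit(url)
    return parts.netloc.lower() + (parts.path or "/")


def matches(entry, key):
    """Prefix match. An entry with a host blocks keys starting with it; an
    entry that is only a path blocks that path on every host, so the entry
    '/' matches every key because every path starts with '/'."""
    if entry.startswith("/"):
        path = key[key.index("/"):]
        return path.startswith(entry)
    return key.startswith(entry)


def is_blocked(url, entries):
    key = url_key(url)
    return any(matches(entry, key) for entry in entries)


def validate_entries(entries):
    """Guard 1: drop entries too broad to be a legitimate listing.

    Hardening choice of this example: every entry must name a host with at
    least one dot, which rejects a bare '/' and any host-less path rule.
    Returns (accepted, rejected).
    """
    accepted, rejected = [], []
    for entry in entries:
        host = entry.split("/", 1)[0]
        if not host or "." not in host:
            rejected.append(entry)
        else:
            accepted.append(entry)
    return accepted, rejected


def blocked_canaries(entries, canaries):
    """Guard 2: return the known-good URLs a candidate list would block.
    A non-empty result means the list must not be deployed."""
    return [url for url in canaries if is_blocked(url, entries)]


if __name__ == "__main__":
    print("raw list blocks canaries:", blocked_canaries(SAMPLE_ENTRIES, CANARY_URLS))
    accepted, rejected = validate_entries(SAMPLE_ENTRIES)
    print("rejected entries:", rejected)
    print("validated list blocks canaries:", blocked_canaries(accepted, CANARY_URLS))
    print("still blocks real listing:",
          is_blocked("http://malware.example.test/dl/payload.exe", accepted))
```

The canary check is the more general of the two guards: it catches any over-broad pattern, not only the '/' case, and it is the kind of pre-deployment test that would have turned the incident into a rejected list update rather than an hour of false positives across the whole web.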
While both Google and StopBadware have issued statements, there is still some ambiguity as to where the error was introduced. The consensus is that it was introduced at Google, and the sharing of information with StopBadware was just the normal data exchange.

Many people have for the first time seen the problems that can happen when over-reliance on filtering systems breaks down. It doesn't matter whether the systems are proactive or reactive in their performance; similar problems plague both types. This recent case shows what can happen when a simple human error occurs, but there is criticism of the technologies that operate these systems. Even after the systems were repaired (total exposure was about an hour in the worst cases), there were still false positives that littered the system. If sites like BitDefender.com are listed as malicious, even temporarily, then how can the full system be trusted to be accurate on an unknown site?

Probably the best way to approach it is to treat the Internet and malicious site identification systems like Antivirus applications. Most of the time, they will work as advertised, helping identify the most common malicious sites, but there will always be a lag between when malicious data challenges users, and when detection picks it up. There will also always be a defined and present risk of false positives, otherwise innocent sites and data misidentified as malicious. Use of these systems is recommended, with the caveat that nothing can trump common sense and careful Internet use. At the end of the day, even a trusted, trustworthy site can be compromised in a heartbeat, so users should always apply caution on the Internet.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com