From alertmailinglist at skiifwrald.com Fri Oct 17 21:26:28 2008
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Fri, 17 Oct 2008 21:56:28 +1030
Subject: [Sunnet Alert] Advisory #260 - Microsoft (Multiple), OS X (Multiple), Multiple News
Message-ID: <0EADA276-BD1D-4B81-A9F1-0A5693F37063@beskerming.com>

Sûnnet Beskerming Alert List Advisory #260

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 4 days
1.2 OS X (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - More than 7 days

=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/

--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 If You Can't Take The Heat, Get Out of The Kitchen
2.2 If you build it, will they come?
2.3 Survey Results Unsurprisingly in Favour of Company That Paid for Them
2.4 Governments Listen to You - Just Not The Way You Think
2.5 Fact Checking Helps
2.6 Don't Forget Your Oracle Patches

=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office

-- Technical Description --
MS08-056 - Office. XSS. Moderate.
MS08-057 - Excel. Remote Code Execution. Replaces MS08-043. Critical
MS08-058 - Internet Explorer. Remote Code Execution. Replaces MS08-045. Critical
MS08-059 - Host Integration Server. Remote Code Execution. Critical
MS08-060 - Windows Active Directory. Remote Code Execution. Replaces MS08-035. Critical
MS08-061 - Windows Kernel. Privilege Elevation. Replaces MS08-025. Important
MS08-062 - Internet Printing (IIS). Remote Code Execution. Important
MS08-063 - Windows File Sharing. Remote Code Execution. Replaces MS06-063. Important
MS08-064 - Windows. Privilege Elevation. Replaces MS07-066, MS07-022. Important
MS08-065 - Windows 2000 Message Queuing. Remote Code Execution. Important
MS08-066 - Windows Ancillary Function Driver. Privilege Elevation. Important

-- Description --
October's Security Patch Release from Microsoft has seen 11 patches provided. Four of the patches were identified as Critical, six as Important, and one as Moderate. An advisory release was also provided, but not listed with a MS08- number, which provided killbit settings for a number of third party ActiveX controls and set the killbit for Microsoft controls mentioned in MS02-044, MS08-017, MS08-041, MS08-052.

Several of the patched vulnerabilities were under active attack prior to patch release and sample exploit code has since been released for several other vulnerabilities. It is imperative that these patches are applied at the earliest opportunity.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
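The killbit advisory mentioned above is applied through the registry: Internet Explorer refuses to load a control whose CLSID has bit 0x400 set in the REG_DWORD "Compatibility Flags" under the ActiveX Compatibility key. The following check is an added example, not part of this advisory or of Microsoft's release; it reports any CLSID from a supplied list that does not yet have the kill bit set, so an administrator can confirm the advisory took effect. The CLSIDs in it are placeholders (the advisory names none here), and the 32-bit view under Wow6432Node is assumed to be relevant only on 64-bit Windows.

```powershell
# Added example: verify ActiveX kill bits. Not code from the advisory.
# Kill bit = bit 0x400 of "Compatibility Flags" under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# (and the Wow6432Node view for 32-bit IE on 64-bit Windows).

$KillBitFlag = 0x400

# Placeholder CLSIDs for illustration only; substitute the CLSIDs listed in the
# Microsoft advisory you are checking against.
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',
    '{00000000-0000-0000-0000-000000000002}'
)

function Get-KillBitStatus {
    param(
        [Parameter(Mandatory)] [string[]] $Clsid
    )

    $bases = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($base in $bases) {
        # The Wow6432Node view only exists on 64-bit Windows; skip it otherwise.
        if (-not (Test-Path -LiteralPath $base)) { continue }

        foreach ($id in $Clsid) {
            $key   = Join-Path $base $id
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            }

            # A missing key or missing value means the control is NOT blocked.
            [pscustomobject]@{
                Clsid       = $id
                RegistryKey = $key
                Flags       = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(absent)' }
                KillBitSet  = ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
            }
        }
    }
}

# Report only the entries that still need attention.
Get-KillBitStatus -Clsid $ClsidsToCheck |
    Where-Object { -not $_.KillBitSet } |
    Format-Table -AutoSize
```

Run it from an elevated prompt after the advisory has been applied; an empty table means every listed CLSID is blocked in both registry views. Reading the registry directly is deliberate: it verifies the effective setting rather than whether an update package reports itself as installed.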
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-060.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-061.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-063.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-064.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-065.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-066.mspx

-- External Tracking Data --
CVE-ID: CVE-2008-4020 (MS08-056)
CVE-ID: CVE-2008-4019 (MS08-057)
CVE-ID: CVE-2008-3471 (MS08-057)
CVE-ID: CVE-2008-3477 (MS08-057)
CVE-ID: CVE-2008-2947 (MS08-058)
CVE-ID: CVE-2008-3472 (MS08-058)
CVE-ID: CVE-2008-3473 (MS08-058)
CVE-ID: CVE-2008-3474 (MS08-058)
CVE-ID: CVE-2008-3475 (MS08-058)
CVE-ID: CVE-2008-3476 (MS08-058)
CVE-ID: CVE-2008-3466 (MS08-059)
CVE-ID: CVE-2008-4023 (MS08-060)
CVE-ID: CVE-2008-2250 (MS08-061)
CVE-ID: CVE-2008-2251 (MS08-061)
CVE-ID: CVE-2008-2252 (MS08-061)
CVE-ID: CVE-2008-1446 (MS08-062)
CVE-ID: CVE-2008-4038 (MS08-063)
CVE-ID: CVE-2008-4036 (MS08-064)
CVE-ID: CVE-2008-3479 (MS08-065)
CVE-ID: CVE-2008-3464 (MS08-066)

-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)

1.2 OS X (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.4.x
OS X 10.5.x

-- Technical Description --
Apache - Multiple vulnerabilities
Certificates - Updated Root certificates
ClamAV - Multiple vulnerabilities, the worst of which being remote code execution
ColorSync - Arbitrary code execution when handling malicious images
CUPS - Arbitrary code execution with 'lp' privileges
Finder - Denial of Service
launchd - Failure of applications to enter sandbox mode
libxslt - XML processing may lead to arbitrary code execution
MySQL Server - Multiple vulnerabilities, the worst of which being remote code execution
Networking - Privilege elevation
PHP - Multiple vulnerabilities, the worst of which being remote code execution
Postfix - Mail may be sent to local users arbitrarily by remote attackers
PSNormalizer - Arbitrary code execution when handling malicious PostScript files
QuickLook - Handling malicious Excel files may lead to arbitrary code execution
rlogin - Unexpected root access possible with rlogin and host.equiv
Script Editor - Privilege elevation
Single Sign-On - Feature enhancement
Tomcat - Multiple vulnerabilities, update to 6.0.18
vim - Update to 7.2.0.22 to address multiple vulnerabilities
Weblog - Access control failure

-- Description --
Last week, Apple released APPLE-SA-2008-10-09 Security Update 2008-007 for OS X 10.4.x and 10.5.x systems. Numerous system components received critical security patches, including for vulnerabilities that could lead to remote system compromise.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
Security Update 2008-007 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2007-6420 (Apache)
CVE-ID: CVE-2008-1678 (Apache)
CVE-ID: CVE-2008-2364 (Apache)
CVE-ID: CVE-2008-1389 (ClamAV)
CVE-ID: CVE-2008-3912 (ClamAV)
CVE-ID: CVE-2008-3913 (ClamAV)
CVE-ID: CVE-2008-3914 (ClamAV)
CVE-ID: CVE-2008-3642 (ColorSync)
CVE-ID: CVE-2008-3641 (CUPS)
CVE-ID: CVE-2008-3643 (Finder)
CVE-ID: CVE-2008-1767 (libxslt)
CVE-ID: CVE-2007-2691 (MySQL Server)
CVE-ID: CVE-2007-5969 (MySQL Server)
CVE-ID: CVE-2008-0226 (MySQL Server)
CVE-ID: CVE-2008-0227 (MySQL Server)
CVE-ID: CVE-2008-3645 (Networking)
CVE-ID: CVE-2007-4850 (PHP)
CVE-ID: CVE-2008-0674 (PHP)
CVE-ID: CVE-2008-2371 (PHP)
CVE-ID: CVE-2008-3646 (Postfix)
CVE-ID: CVE-2008-3647 (PSNormalizer)
CVE-ID: CVE-2008-4211 (Quicklook)
CVE-ID: CVE-2008-4212 (rlogin)
CVE-ID: CVE-2008-4214 (Script Editor)
CVE-ID: CVE-2007-6286 (Tomcat)
CVE-ID: CVE-2008-0002 (Tomcat)
CVE-ID: CVE-2008-1232 (Tomcat)
CVE-ID: CVE-2008-1947 (Tomcat)
CVE-ID: CVE-2008-2370 (Tomcat)
CVE-ID: CVE-2008-2938 (Tomcat)
CVE-ID: CVE-2007-5333 (Tomcat)
CVE-ID: CVE-2007-5342 (Tomcat)
CVE-ID: CVE-2007-5461 (Tomcat)
CVE-ID: CVE-2008-2712 (vim)
CVE-ID: CVE-2008-4101 (vim)
CVE-ID: CVE-2008-3432 (vim)
CVE-ID: CVE-2008-3294 (vim)
CVE-ID: CVE-2008-4215 (Weblog)

-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 If You Can't Take The Heat, Get Out of The Kitchen

When United Airlines' stock recently tanked on an out-of-date news report, questions were asked about the appropriateness of relying upon automated news reporting for making critical financial decisions, or really any decision. The Sun Sentinel, and its parent The Tribune, might have been quick to blame Google for the incident, but the core problem was that there was no dated byline on the article to provide context for either human readers or Google's automated crawlers. With the only date on the page displaying the article being the current day's date, what conclusions could a reader draw from the article other than the wrong ones? Unless a reader is in the habit of conducting string matches in every article they read against historical news, they aren't going to pick this up easily. The fact that it doesn't appear as breaking news might provide some context, but where would you assume the error lay if you came across the article without other context?

Google's subsequent actions of highlighting the article in their email alerts relating to United Airlines, and listing it in their Google News archives, merely meant that more people were now aware that the Sun Sentinel was carrying an article on a United Airlines bankruptcy. It was when humans stepped in and rewrote the article for other news services, particularly those that investors were relying on, that the situation compounded; this was the critical error that eventually led to the loss of market value for United Airlines. Without access to other context, there wasn't much else that the readers could have done other than trust a service that, up to that point, may have been extremely reliable. Each time the story was picked up and re-reported, from the Sun Sentinel, to Google, to the stock research firm (where the human re-report tied the story to the current date), to Bloomberg, legitimacy was added and this contributed to the final downfall.
With almost daily bailouts and failures in the lending markets, could jumpy investors (gamblers?) be blamed for going all in on another bankruptcy report? Yes. The investors who allowed their decisions to be swayed by an inaccurate report need to shoulder responsibility for their actions, but the stock research firm and Bloomberg need to be asked the hard questions over how they let this happen and why their monitoring systems (if any) didn't flag this as possibly inaccurate. Who knows just how many stop-loss orders were activated as a result of the initial slide in price? If all of the sales based on misinformation took place before the stop-loss orders kicked in, but resulted in depressing the stock price below this floor, it no longer matters where the information came from: the market was going to be flooded with United Airlines stock that not many people were going to want to hang on to.

If nothing else, this is a classic example of a Swiss Cheese failure (Reason's model). It wasn't a single cause of failure, but a number of procedural and design errors that chained together, with poor or non-existent active and latent defences, to almost wipe United Airlines off the stock market. When a small (debatable) error on one website can lead to a major company almost being destroyed in a matter of minutes, it suggests that something is seriously wrong with how much trust is placed in unverified information and how much value is then applied to that information. In the rush to be first to the news, you shouldn't leave behind your critical thinking skills. Garbage In will result in Garbage Out, every time.

2.2 If you build it, will they come?

Despite many people exhorting that all it takes to get online traffic is to build it, and people will come, sometimes it doesn't turn out that way, as the University of Illinois is currently finding out.
Earlier this year, the University of Illinois set out to establish an online campus that would allow students to obtain degrees online; however, the response has been underwhelming, to say the least. Online degree programs have always been regarded with some suspicion, yet the idea of delivering degrees online is only one step removed from the degrees by correspondence that many universities offer for students who work or otherwise can't attend classes full-time. Having ready access to a network connection means that coursework can include media and improved learning aids that cannot really be delivered through the mail. The University expected 5,000 students by the five-year mark, but fewer than 150 students have taken up the opportunity since the system went online.

One of the biggest problems with the University of Illinois' online campus seems to be that the whole concept relied upon University departments creating new coursework and material in order to create online degree programs. It has rapidly become apparent that there aren't too many departments with the time or interest to create new coursework for the system. This is an excellent demonstration of what can happen when you don't adequately plan for how a concept is to be implemented before actually trying to implement it. Social networks rely upon their users for most of their content and relevance, but it seems that online degree programs (at least the legitimate ones) aren't as simple to establish. Perhaps a better approach would have been to arrange for the various high-demand courses to be created ahead of time and then placed online. Achieving accreditation, as suggested in the article, could help somewhat.
2.3 Survey Results Unsurprisingly in Favour of Company That Paid for Them

Any time that the results of a new survey are announced, especially a survey that seems to paint a company in a positive light, questions must be asked as to who is responsible for the funding and setup of the particular survey or analysis. Generally, it is the company being reported on favourably that is funding the survey, even if the survey is being run by a nominally independent organisation. This pattern of behaviour seems to be most obvious in Information Technology, where the survey and associated analysis seem to be the method du jour for companies to gain favourable press and to make it look like an independent source is painting them in a positive light. If a business purchasing decision can be based on such a report, then it is all the better for the original company.

The Harrison Group recently ran a survey, paid for by Microsoft, that found that companies running incorrectly licenced versions of Windows were more likely to run into problems such as system failures and loss of customer data. With Microsoft paying for the survey, was any different result really to be expected? With unlicenced systems almost certainly using digitally perfect copies of licenced software, why should there be any difference in how stable the systems are? One of the suggestions put forward in the article is that whoever is responsible for the copied software has slipstreamed something malicious in with it. It would be more likely that a company that is unwilling to spend funds on licenced software would be unwilling to spend funds on properly maintaining their systems - and so be more likely to encounter problems stemming from not maintaining their systems than from just having unlicenced software. In order to see a result like that, though, we are going to have to wait until a system administration service provider runs their own set of surveys.
2.4 Governments Listen to You - Just Not The Way You Think

It should have come as no real surprise that Skype's China-based partner had been intercepting, logging, and even blocking text messages traversing the Skype network through China. A Canadian research group discovered the activity after breaching the insecure Chinese servers (which in itself was a dubious activity, but since the data was available from an outward-facing web server, it can be argued that it was permissible). Based on a previously disclosed set of text filters, the modified filters allowed for a broader set of communications to be intercepted and logged, apparently without Skype's knowledge. As the original filter was described, it was meant to drop text messages that had been deemed inappropriate and not transmit them anywhere. The modified system seems to have resulted in the messages being transmitted to centralised servers for further storage.

It is interesting that the tracking servers appeared to have been compromised by others before the research group came along. This opens up some interesting possibilities to pressure people of interest, based on intercepting already intercepted messages. It would be possible to alert people to the fact they are being routinely logged, even for traffic that does not match any filterable words, as well as to lean on people by blackmailing them into doing what you ask them to - after all, you have copies of their text conversations.

2.5 Fact Checking Helps

In the last few weeks there have been a handful of standout cases where poor reporting on an issue, including fake reports, led to significant negative outcomes for the companies involved.
A couple of weeks ago it was a poorly dated news article about a United Airlines bankruptcy from several years ago that led to massive stock market losses for United Airlines, and most recently it has been a fake report about Steve Jobs having a heart attack that led to an immediate drop of 2% in Apple's stock, which recovered but still closed down 3% for the day. Apple's famed reputation for secrecy makes it more likely that rumour and speculation will gain traction amongst Apple-watchers, but if investors allow themselves to be led based on nothing more than baseless rumour, it might go some way to explaining some of the volatility in recent stock and commodity markets. Any time an incident such as this takes place there are immediately whispers about stock market manipulation having taken place.

It is often said that people are smart and reasonable as individuals, but place them in a group and they become dumb, panicky, herd-driven creatures. With the stock market being made up of a massive herd of investors, panicky and flighty responses can take place based on speculative and poorly referenced rumours, leading to major changes in the value (at least in the short term) of a stock.

On a smaller scale, malware authors and distributors have been spamming our inboxes for some time with fake news stories in an attempt to gain hits on their sites for drive-by downloads or clicks on malware-loaded content. Pink sheet stock pump-and-dump scams are also very similar, but on a smaller scale. In each case, falsified or exaggerated "news" is being pushed to users in an attempt to compromise a system or manipulate a stock.

What stands out from the recent cases is the seeming unwillingness of reporting organisations to admit responsibility for spreading the false or outdated news. If they hadn't picked up on the story, then nothing would have happened, yet when it comes time to apportion blame, it seems like they can't point the finger fast enough at someone else.
In both of the recent cases it wasn't until the misrepresented story appeared on "legitimate" and "trustworthy" sites that the problems really began for the companies involved. Rather than stand up and admit that they contributed to this latest event, CNN have handed over as much detail as possible on the alleged source of the Steve Jobs rumour to the SEC. You can argue as much as you like about whether it is "New Media" versus "Old Media", but ultimately it is a case of poorly verified content having been published. The same problems still take place in print and broadcast media, and it doesn't take too much searching to turn up errata columns where these errors are hopefully addressed.

2.6 Don't Forget Your Oracle Patches

In a week when Microsoft released eleven patches and an advisory, and Apple released a Security Update (actually released last week), some people might have been forgiven for missing Oracle's quarterly patch release, which coincided with Microsoft's releases this month. 41 vulnerabilities were patched in the release for a broad range of Oracle products, including Siebel, BEA, PeopleSoft and JD Edwards applications. The next quarterly mass update from Oracle is due on January 13, 2009, which matches Microsoft's scheduled patch release for January 2009.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.