[Sunnet Alert] Advisory #260 - Microsoft (Multiple), OS X (Multiple), Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Fri Oct 17 21:26:28 EST 2008


Sûnnet Beskerming Alert List Advisory #260

You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy.  If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	Microsoft (Multiple)
	- Remote Hacker Automatic Control
	- Time Since Discovery - 4 days
1.2	OS X (Multiple)
	- Remote Hacker Automatic Control
	- Time Since Discovery - More than 7 days
=======================================
/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using it,  
or will they steal data.
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1	If You Can't Take The Heat, Get Out of The Kitchen
2.2	If you build it, will they come?
2.3	Survey Results Unsurprisingly in Favour of Company That Paid for  
Them
2.4	Governments Listen to You - Just Not The Way You Think
2.5	Fact Checking Helps
2.6	Don't Forget Your Oracle Patches
=====================================

1.	SECURITY

1.1	Microsoft (Multiple) - Remote Hacker Automatic Control

	-- Products Affected --
	Windows
	Office

	-- Technical Description --
	MS08-056 - Office. XSS. Moderate.
	MS08-057 - Excel. Remote Code Execution. Replaces MS08-043. Critical
	MS08-058 - Internet Explorer. Remote Code Execution. Replaces  
MS08-045. Critical
	MS08-059 - Host Integration Server. Remote Code Execution. Critical
	MS08-060 - Windows Active Directory. Remote Code Execution. Replaces  
MS08-035. Critical
	MS08-061 - Windows Kernel. Privilege Elevation. Replaces MS08-025.  
Important
	MS08-062 - Internet Printing (IIS). Remote Code Execution. Important
	MS08-063 - Windows File Sharing. Remote Code Execution. Replaces  
MS06-063. Important
	MS08-064 - Windows. Privilege Elevation. Replaces MS07-066, MS07-022.  
Important
	MS08-065 - Windows 2000 Message Queuing. Remote Code Execution.  
Important
	MS08-066 - Windows Ancillary Function Driver. Privilege Elevation.  
Important

	-- Description --
	October's Security Patch Release from Microsoft contained 11 patches.
Four of the patches were rated Critical, six Important, and one
Moderate.  An advisory without an MS08- number was also released; it
provided killbit settings for a number of third-party ActiveX controls
and set the killbit for the Microsoft controls covered by MS02-044,
MS08-017, MS08-041 and MS08-052.  Several of the patched vulnerabilities
were under active attack prior to patch release, and sample exploit
code has since been released for several others.  It is imperative
that these patches are applied at the earliest opportunity.
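As an added illustration (not part of the original alert), the following Python parses the bulletin lines above into structured records, builds the "Replaces" supersession map, and produces a patch-priority order; the sample input is the advisory's own bulletin list re-joined from the wrapped lines, and the severity/impact ranking used for ordering is the editor's assumption, not Microsoft's.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: the bulletin lines from this advisory's
# Technical Description, re-joined where the mail client wrapped them.
BULLETIN_LINES = """
MS08-056 - Office. XSS. Moderate.
MS08-057 - Excel. Remote Code Execution. Replaces MS08-043. Critical
MS08-058 - Internet Explorer. Remote Code Execution. Replaces MS08-045. Critical
MS08-059 - Host Integration Server. Remote Code Execution. Critical
MS08-060 - Windows Active Directory. Remote Code Execution. Replaces MS08-035. Critical
MS08-061 - Windows Kernel. Privilege Elevation. Replaces MS08-025. Important
MS08-062 - Internet Printing (IIS). Remote Code Execution. Important
MS08-063 - Windows File Sharing. Remote Code Execution. Replaces MS06-063. Important
MS08-064 - Windows. Privilege Elevation. Replaces MS07-066, MS07-022. Important
MS08-065 - Windows 2000 Message Queuing. Remote Code Execution. Important
MS08-066 - Windows Ancillary Function Driver. Privilege Elevation. Important
"""

# Assumed ranking for ordering only: lower number = patch sooner.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
IMPACT_RANK = {"Remote Code Execution": 0, "Privilege Elevation": 1, "XSS": 2}

# One line of the advisory: "<id> - <product>. <impact>. [Replaces <ids>.] <severity>[.]"
LINE_RE = re.compile(
    r"^(?P<bid>MS\d{2}-\d{3}) - (?P<product>[^.]+)\. (?P<impact>[^.]+)\."
    r"(?: Replaces (?P<replaces>MS\d{2}-\d{3}(?:, MS\d{2}-\d{3})*)\.)?"
    r" (?P<severity>Critical|Important|Moderate|Low)\.?$"
)


@dataclass
class Bulletin:
    bid: str
    product: str
    impact: str
    severity: str
    replaces: list[str] = field(default_factory=list)


def parse_bulletins(text: str) -> list[Bulletin]:
    """Parse advisory bulletin lines; raise on any line the format does not cover."""
    bulletins = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed bulletin line: {line!r}")
        replaces = [r.strip() for r in m["replaces"].split(",")] if m["replaces"] else []
        bulletins.append(Bulletin(m["bid"], m["product"], m["impact"], m["severity"], replaces))
    return bulletins


def severity_counts(bulletins: list[Bulletin]) -> dict[str, int]:
    """Cross-check against the prose: 4 Critical, 6 Important, 1 Moderate."""
    return dict(Counter(b.severity for b in bulletins))


def supersession_map(bulletins: list[Bulletin]) -> dict[str, str]:
    """Map each replaced (older) bulletin id to the bulletin that supersedes it."""
    return {old: b.bid for b in bulletins for old in b.replaces}


def prioritise(bulletins: list[Bulletin]) -> list[Bulletin]:
    """Critical before Important before Moderate; RCE before EoP before XSS."""
    return sorted(bulletins, key=lambda b: (SEVERITY_RANK[b.severity],
                                            IMPACT_RANK.get(b.impact, 9), b.bid))


def stale_applied(bulletins: list[Bulletin], applied: set[str]) -> list[tuple[str, str]]:
    """(old, new) pairs where a host has the superseded bulletin but not its replacement."""
    sup = supersession_map(bulletins)
    return sorted((old, new) for old, new in sup.items()
                  if old in applied and new not in applied)
```

`stale_applied` is the check worth running against an inventory: having MS08-043 applied says nothing about MS08-057, which replaces it.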

	-- Recommended Action --
	All users and administrators should apply the updates at the earliest  
opportunity.

	-- Source --
	http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
	http://www.beskerming.com/premium/patch_pack.html
	http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
	
	-- Updates Available --
	http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-057.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-059.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-060.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-061.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-062.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-063.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-064.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-065.mspx
	http://www.microsoft.com/technet/security/bulletin/ms08-066.mspx

	-- External Tracking Data --
	CVE-ID: CVE-2008-4020 (MS08-056)
	CVE-ID: CVE-2008-4019 (MS08-057)
	CVE-ID: CVE-2008-3471 (MS08-057)
	CVE-ID: CVE-2008-3477 (MS08-057)
	CVE-ID: CVE-2008-2947 (MS08-058)
	CVE-ID: CVE-2008-3472 (MS08-058)
	CVE-ID: CVE-2008-3473 (MS08-058)
	CVE-ID: CVE-2008-3474 (MS08-058)
	CVE-ID: CVE-2008-3475 (MS08-058)
	CVE-ID: CVE-2008-3476 (MS08-058)
	CVE-ID: CVE-2008-3466 (MS08-059)
	CVE-ID: CVE-2008-4023 (MS08-060)
	CVE-ID: CVE-2008-2250 (MS08-061)
	CVE-ID: CVE-2008-2251 (MS08-061)
	CVE-ID: CVE-2008-2252 (MS08-061)
	CVE-ID: CVE-2008-1446 (MS08-062)
	CVE-ID: CVE-2008-4038 (MS08-063)
	CVE-ID: CVE-2008-4036 (MS08-064)
	CVE-ID: CVE-2008-3479 (MS08-065)
	CVE-ID: CVE-2008-3464 (MS08-066)

	-- Threat Matrix --
			U	O
	Home User	10	10 (Highly Critical)
	Corporate	10	10 (Highly Critical)


1.2	OS X (Multiple) - Remote Hacker Automatic Control

	-- Products Affected --
	OS X 10.4.x
	OS X 10.5.x

	-- Technical Description --
	Apache - Multiple vulnerabilities
	Certificates - Updated Root certificates
	ClamAV - Multiple vulnerabilities, the worst of which being remote  
code execution
	ColorSync - Arbitrary code execution when handling malicious images
	CUPS - Arbitrary code execution with 'lp' privileges
	Finder - Denial of Service
	launchd - Failure of applications to enter sandbox mode
	libxslt - XML processing may lead to arbitrary code execution
	MySQL Server - Multiple vulnerabilities, the worst of which being  
remote code execution
	Networking - Privilege elevation
	PHP - Multiple vulnerabilities, the worst of which being remote code  
execution
	Postfix - Mail may be sent to local users arbitrarily by remote  
attackers
	PSNormalizer - Arbitrary code execution when handling malicious  
PostScript files
	QuickLook - Handling malicious Excel files may lead to arbitrary code  
execution
	rlogin - Unexpected root access possible with rlogin and host.equiv
	Script Editor - Privilege elevation
	Single Sign-On - Feature enhancement
	Tomcat - Multiple vulnerabilities, update to 6.0.18
	vim - Update to 7.2.0.22 to address multiple vulnerabilities
	Weblog - Access control failure

	-- Description --
	Last week, Apple released APPLE-SA-2008-10-09 Security Update  
2008-007 for OS X 10.4.x and 10.5.x systems.  Numerous system  
components received critical security patches, including for  
vulnerabilities that could lead to remote system compromise.

	-- Recommended Action --
	All users and administrators should apply the updates at the earliest  
opportunity.

	-- Source --
	http://support.apple.com/kb/HT1222
	
	-- Updates Available --
	Security Update 2008-007 may be obtained from the Software Update  
pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

	-- External Tracking Data --
	CVE-ID:  CVE-2007-6420 (Apache)
	CVE-ID:  CVE-2008-1678 (Apache)
	CVE-ID:  CVE-2008-2364 (Apache)
	CVE-ID:  CVE-2008-1389 (ClamAV)
	CVE-ID:  CVE-2008-3912 (ClamAV)
	CVE-ID:  CVE-2008-3913 (ClamAV)
	CVE-ID:  CVE-2008-3914 (ClamAV)
	CVE-ID:  CVE-2008-3642 (ColorSync)
	CVE-ID:  CVE-2008-3641 (CUPS)
	CVE-ID:  CVE-2008-3643 (Finder)
	CVE-ID:  CVE-2008-1767 (libxslt)
	CVE-ID:  CVE-2007-2691 (MySQL Server)
	CVE-ID:  CVE-2007-5969 (MySQL Server)
	CVE-ID:  CVE-2008-0226 (MySQL Server)
	CVE-ID:  CVE-2008-0227 (MySQL Server)
	CVE-ID:  CVE-2008-3645 (Networking)
	CVE-ID:  CVE-2007-4850 (PHP)
	CVE-ID:  CVE-2008-0674 (PHP)
	CVE-ID:  CVE-2008-2371 (PHP)
	CVE-ID:  CVE-2008-3646 (Postfix)
	CVE-ID:  CVE-2008-3647 (PSNormalizer)
	CVE-ID:  CVE-2008-4211 (QuickLook)
	CVE-ID:  CVE-2008-4212 (rlogin)
	CVE-ID:  CVE-2008-4214 (Script Editor)
	CVE-ID:  CVE-2007-6286 (Tomcat)
	CVE-ID:  CVE-2008-0002 (Tomcat)
	CVE-ID:  CVE-2008-1232 (Tomcat)
	CVE-ID:  CVE-2008-1947 (Tomcat)
	CVE-ID:  CVE-2008-2370 (Tomcat)
	CVE-ID:  CVE-2008-2938 (Tomcat)
	CVE-ID:  CVE-2007-5333 (Tomcat)
	CVE-ID:  CVE-2007-5342 (Tomcat)
	CVE-ID:  CVE-2007-5461 (Tomcat)
	CVE-ID:  CVE-2008-2712 (vim)
	CVE-ID:  CVE-2008-4101 (vim)
	CVE-ID:  CVE-2008-3432 (vim)
	CVE-ID:  CVE-2008-3294 (vim)
	CVE-ID:  CVE-2008-4215 (Weblog)

	-- Threat Matrix --
			U	O
	Home User	10	10 (Highly Critical)
	Corporate	10	10 (Highly Critical)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	If You Can't Take The Heat, Get Out of The Kitchen

When United Airlines' stock recently tanked on an out of date news  
report, questions were asked about the appropriateness of relying upon  
automated news reporting for making critical financial decisions, or  
really any decision.

Sun Sentinel, and parent The Tribune, might have been quick to blame  
Google for the incident, but the core problem was that there was no  
dated byline on the article to provide context for either human  
readers or Google's automated crawlers. With the only date on the page  
displaying the article being the current day's date, what conclusions  
could a reader draw from the article other than the wrong ones? Unless  
a reader is in the habit of conducting string matches in every article  
they read against historical news, then they aren't going to pick this  
up easily. The fact that it doesn't appear as breaking news might  
provide some context, but where would you assume the error lay if you  
came across the article without other context?

Google's subsequent actions of highlighting the article in their email  
alerts relating to United Airlines, and listing it in their Google  
News archives, merely meant that more people were now aware that the  
Sun Sentinel was carrying an article on a United Airlines bankruptcy.

It was when humans stepped in and rewrote the article for other news  
services, particularly those that investors were relying on, that the  
situation compounded and was the critical error that eventually led to  
the loss of market value for United Airlines. Without access to other  
context, there wasn't much else that the readers could have done other  
than to trust a service that, up to that point, may have been  
extremely reliable.

Each time the story was picked up and re-reported, from the Sun
Sentinel, to Google, to the stock research firm (where the human
re-report tied the story to the current date), to Bloomberg, legitimacy
was added and this contributed to the final downfall.

With almost daily bailouts and failures in the lending markets, could
jumpy investors (gamblers?) be blamed for going all in on another
bankruptcy report? Yes.

The investors who allowed their decisions to be swayed by an  
inaccurate report need to shoulder responsibility for their actions,  
but the stock research firm and Bloomberg need to be asked the hard  
questions over how they let this happen and why their monitoring  
systems (if any) didn't flag this as possibly inaccurate. Who knows  
just how many stop loss orders were activated as a result of the  
initial slide in price? If all of the sales based on misinformation  
took place before the stop loss orders kicked in, but resulted in  
depressing the stock price below this floor, it no longer matters  
where the information came from, the market was going to be flooded  
with United Airlines stock that not many people were going to want to  
hang on to.

If nothing else, this is a classic example of a Swiss Cheese failure
(Reason's model). It wasn't a single cause of failure, but a number of
procedural and design errors that chained together, with poor or
non-existent active and latent defences, to almost wipe United Airlines
off the stock market.

When a small (debatable) error on one website can lead to a major  
company almost being destroyed in a matter of minutes it suggests that  
something is seriously wrong with how much trust is placed into  
unverified information and how much value is then applied to that  
information.

In the rush to be first to the news, you shouldn't leave behind your  
critical thinking skills. Garbage In will result in Garbage Out, every  
time.


2.2	If you build it, will they come?

Despite many people exhorting that all it takes to get online traffic  
is to build it, and people will come, sometimes it doesn't turn out  
that way, as the University of Illinois is currently finding out.

Earlier this year, the University of Illinois set out to establish an  
online campus that would allow students to obtain degrees online,  
however the response has been underwhelming, to say the least.

Online degree programs have always been regarded with dubiousness,  
however the idea of delivering degrees online is only one step removed  
from degrees by correspondence that many universities offer for  
students who work or otherwise can't attend classes full-time. Having  
ready access to a network connection means that coursework can include  
media and improved learning aids that can not really be delivered  
through the mail.

The University of Illinois expected 5,000 students by the five year
mark, but fewer than 150 students have taken up the opportunity since
the system went online.

One of the biggest problems with the University of Illinois' online  
campus seems to be that the whole concept relied upon University  
departments creating new coursework and material in order to create  
online degree programs. It has rapidly become apparent that there  
aren't too many departments with the time or interest to create new  
coursework for the system.

This is an excellent demonstration of what can happen when you don't
adequately plan for how a concept is to be implemented before actually
trying to implement it. Social networks rely upon their users for most
of their content and relevance, but it seems that online degree
programs (at least the legitimate ones) aren't as simple to establish.
Perhaps a better approach would have been to arrange for the various
high demand courses to be created ahead of time and then placed
online. Achieving accreditation, as suggested in the article, could
help somewhat.


2.3	Survey Results Unsurprisingly in Favour of Company That Paid for  
Them

Any time that the results of a new survey are announced, especially a  
survey that seems to paint a company in a positive light, questions  
must be asked as to who is responsible for the funding and setup of  
the particular survey or analysis. Generally, it is the company being  
reported on favourably that is funding the survey, even if the survey  
is being run by a nominally independent organisation.

This pattern of behaviour seems to be most obvious in Information  
Technology, where the survey and associated analysis seem to be the  
method-du-jour for companies to gain favourable press and to make it  
look like an independent source is painting them in a positive light.  
If a business purchasing decision can be based off such a report, then  
it is all the better for the original company.

The Harrison Group recently ran a survey, paid for by Microsoft, that  
found that companies running incorrectly licenced versions of Windows  
were more likely to run into problems such as system failures and loss  
of customer data. With Microsoft paying for the survey, was any  
different result really to be expected?

With unlicenced systems almost certainly using perfect digital copies
of licenced software, why should there be any difference in how
stable the systems are? One of the suggestions put forward in the
article is that whoever is responsible for the copied software has
slipstreamed something malicious in with it. It would be more likely
that a company that is unwilling to spend funds on licenced software
would be unwilling to spend funds on properly maintaining their
systems - and so be more likely to encounter problems stemming from
not maintaining their systems than they would from just having
unlicenced software.

In order to see a result like that, though, we are going to have to  
wait until a system administration service provider runs their own set  
of surveys.


2.4	Governments Listen to You - Just Not The Way You Think

It should have come as no real surprise that Skype's China-based
partner had been intercepting, logging, and even blocking text
messages traversing the Skype network through China. A Canadian
research group discovered the activity after accessing the insecure
Chinese servers (which in itself was a dubious activity, but since the
data was available from a web server that was outward facing, it can
be argued that it was permissible).

Based on a previously disclosed set of text filters, the modified  
filters allowed for a broader set of communications to be intercepted  
and logged, apparently without Skype's knowledge. As the original  
filter was described, it was meant to drop text messages that had been  
deemed inappropriate and not transmit them anywhere. The modified  
system seems to have resulted in the messages being transmitted to  
centralised servers for further storing.

It is interesting that the tracking servers appeared to have been  
compromised by others before the research group came along. This opens  
up some interesting possibilities to pressure people of interest,  
based on intercepting already intercepted messages. It would be  
possible to alert people to the fact they are being routinely logged,  
even for traffic that does not match any filterable words, as well as  
lean on people by blackmailing them into doing what you ask them to -  
after all, you have copies of their text conversations.


2.5	Fact Checking Helps

In the last few weeks there have been a handful of standout cases  
where poor reporting on an issue, including fake reports, led to  
significant negative outcomes for the companies involved. A couple of  
weeks ago it was a poorly dated news article about a United Airlines  
bankruptcy from several years ago that led to massive stock market  
losses for United Airlines, and most recently it has been a fake  
report about Steve Jobs having a heart attack that led to an immediate  
drop of 2% on Apple's stock, which recovered but still closed down 3%  
for the day.

Apple's famed reputation for secrecy makes it more likely that rumour
and speculation will gain traction amongst Apple-watchers, but if
investors allow themselves to be led based on nothing more than
baseless rumour, it might go some way to explaining some of the
volatility in recent stock and commodity markets. Any time an incident
such as this takes place there are immediately whispers about stock
market manipulation having taken place.

It is often said that people are smart and reasonable as individuals,  
but place them in a group and they become dumb, panicky herd-driven  
creatures. With the stock market being made up of a massive herd of  
investors, panicky and flighty responses can take place based on  
speculative and poorly referenced rumours, leading to major changes in  
the value (at least in the short term) of a stock.

On a smaller scale, malware authors and distributors have been  
spamming our inboxes for some time with fake news stories in an  
attempt to gain hits on their sites for drive-by downloads or clicks  
on malware-loaded content. Pink sheet stock pump and dump scams are  
also very similar, but on a smaller scale. In each case, falsified or  
exaggerated "news" is being pushed to users in an attempt to  
compromise a system or manipulate a stock.

What stands out from the recent cases is the seeming unwillingness for  
reporting organisations to admit responsibility for spreading the  
false or outdated news. If they hadn't picked up on the story, then  
nothing would have happened, yet when it comes time to apportion  
blame, it seems like they can't point the finger fast enough at  
someone else. In both of the recent cases it wasn't until the  
misrepresented story appeared on "legitimate" and "trustworthy" sites  
that the problems really began for the companies involved.

Rather than stand up and admit that they contributed to this latest  
event, CNN have handed over as much detail as possible on the alleged  
source of the Steve Jobs rumour to the SEC.

You can argue as much as you like about whether it is "New Media"  
versus "Old Media", but ultimately it is a case of poorly verifying  
content that has been published. The same problems still take place in  
print and broadcast media and it doesn't take too much searching to  
turn up errata columns where these errors are hopefully addressed.


2.6	Don't Forget Your Oracle Patches

In a week when Microsoft released eleven patches, and an advisory, and  
Apple released a Security Update (actually released last week), some  
people might have been forgiven for missing Oracle's quarterly patch  
release, which coincided with Microsoft's releases this month.

41 vulnerabilities were patched in the release for a broad range of  
Oracle products, including Siebel, BEA, PeopleSoft and JD Edwards  
applications.

The next quarterly mass update from Oracle is due on January 13, 2009,  
which matches with Microsoft's scheduled patch release for January 2009.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,  
in conjunction with the tools developed by Jongsma & Jongsma Pty.  
Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.

