From alertmailinglist at skiifwrald.com Thu Aug 13 20:24:20 2009
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Thu, 13 Aug 2009 14:24:20 +0400
Subject: [Sunnet Alert] Advisory #269 - Microsoft (Multiple), OS X (Multiple), Safari (Multiple), Multiple News
Message-ID: <44B9CA7E-74BB-4F90-BCE6-80E50A174299@beskerming.com>

Sûnnet Beskerming Alert List Advisory #269

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 2 days
1.2 OS X (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 7 days
1.3 Safari (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 2 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Hiding Content in PDF files
2.2 Microsoft's Out-of-Cycle Patches Could be Tip of Iceberg
2.3 How Will the New York Times Get Readers to Pay?
2.4 News Corporation to Charge for Online Content
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows, Publisher, ISA Server, ActiveX, Virtual PC / Virtual Server

-- Technical Description --
MS09-036 - ASP.NET. Denial of Service. Important
MS09-037 - ATL. Arbitrary code execution. Replaces MS08-048, MS07-047. Critical
MS09-038 - WMF. Arbitrary code execution. Critical
MS09-039 - WINS. Arbitrary code execution. Replaces MS09-008. Critical
MS09-040 - MSMQ. Arbitrary code execution. Important
MS09-041 - Workstation Service. Denial of Service / Privilege Escalation. Important
MS09-042 - Telnet. Arbitrary code execution. Important
MS09-043 - Office Web Components. Arbitrary code execution. Replaces MS08-017. Critical
MS09-044 - Remote Desktop. Arbitrary code execution. Critical

-- Description --
Microsoft released nine patches with the August Security patch release, as well as two out-of-cycle patches after July's release (not covered here). Five Critical patches and four Important patches were released, addressing remote code execution, denial of service, and elevation of privilege vulnerabilities across Windows, Office, Visual Studio, .NET, and ISA Server. One of the patches, MS09-044, is also available for OS X clients that use the Remote Desktop Connection Client for Mac. Several of the patched vulnerabilities, including those patched with the out-of-cycle patches, have public vulnerability data readily available or are under active exploitation. MS09-029 and MS09-035 have also been re-released this month.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-036.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-037.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-038.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-040.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-041.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-042.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-044.mspx

-- External Tracking Data --
CVE-ID: CVE-2009-1536 (MS09-036)
CVE-ID: CVE-2008-0015 (MS09-037)
CVE-ID: CVE-2008-0020 (MS09-037)
CVE-ID: CVE-2009-0901 (MS09-037)
CVE-ID: CVE-2009-2493 (MS09-037)
CVE-ID: CVE-2009-2494 (MS09-037)
CVE-ID: CVE-2009-1545 (MS09-038)
CVE-ID: CVE-2008-1546 (MS09-038)
CVE-ID: CVE-2009-1923 (MS09-039)
CVE-ID: CVE-2009-1924 (MS09-039)
CVE-ID: CVE-2008-1922 (MS09-040)
CVE-ID: CVE-2009-1544 (MS09-041)
CVE-ID: CVE-2009-1930 (MS09-042)
CVE-ID: CVE-2009-0562 (MS09-043)
CVE-ID: CVE-2009-1136 (MS09-043)
CVE-ID: CVE-2009-1534 (MS09-043)
CVE-ID: CVE-2009-2496 (MS09-043)
CVE-ID: CVE-2009-1133 (MS09-044)
CVE-ID: CVE-2009-1929 (MS09-044)

-- Threat Matrix --
                U    O
Home User      10   10 (Highly Critical)
Corporate      10   10 (Highly Critical)

1.2 OS X (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
OS X 10.4.11
OS X 10.5.x

-- Technical Description --
BIND - Denial of service due to poor handling of dynamic DNS update messages.
This is not enabled by default on OS X but is included with the default system.
bzip2 - Denial of service due to a memory handling flaw in bzip2
CFNetwork - Impersonation possible due to poor control of displayed messages
ColorSync - Arbitrary code execution when interpreting a malicious ColorSync profile
CoreTypes - Improved notification to users that a content type may not be safe
Dock - Multitouch gestures on a locked system could allow control of applications and Exposé
Image RAW - Arbitrary code execution when handling malicious Canon RAW images
ImageIO - Arbitrary code execution when handling malicious EXIF data and OpenEXR and PNG images
Kernel - Privilege elevation through an fcntl vulnerability
launchd - Denial of service due to connection exhaustion with some inetd-based services
Login Window - Arbitrary code execution due to poor handling of specific text strings
MobileMe - User impersonation due to poor handling of user credentials
Networking - Arbitrary code execution due to poor handling of AppleTalk network traffic
Networking - Denial of service due to poor handling of simultaneous file descriptor use
XQuery - Arbitrary code execution due to poor handling of XML content

-- Description --
Apple have released Security Updates 2009-003 and 2009-004 for the 10.5 and 10.4.11 OS X versions. Incorporated in the 2009-003 Security Update is the latest point release, bringing OS X 10.5 to 10.5.8. A number of

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://support.apple.com/kb/HT1222
APPLE-SA-2009-08-05-1 Security Update 2009-003 / Mac OS X v10.5.8
APPLE-SA-2009-08-12-1 Security Update 2009-004

-- Updates Available --
Apple Software Update application via the Apple Menu
http://www.apple.com/support/downloads/

-- External Tracking Data --
CVE-ID: CVE-2009-0696 (BIND)
CVE-ID: CVE-2008-1372 (bzip2)
CVE-ID: CVE-2009-1723 (CFNetwork)
CVE-ID: CVE-2009-1726 (ColorSync)
CVE-ID: CVE-2009-1727 (CoreTypes)
CVE-ID: CVE-2009-0151 (Dock)
CVE-ID: CVE-2009-1728 (Image RAW)
CVE-ID: CVE-2009-1722 (ImageIO)
CVE-ID: CVE-2009-1721 (ImageIO)
CVE-ID: CVE-2009-1720 (ImageIO)
CVE-ID: CVE-2009-2188 (ImageIO)
CVE-ID: CVE-2009-0040 (ImageIO)
CVE-ID: CVE-2009-1235 (Kernel)
CVE-ID: CVE-2009-2190 (launchd)
CVE-ID: CVE-2009-2191 (Login Window)
CVE-ID: CVE-2009-2192 (MobileMe)
CVE-ID: CVE-2009-2193 (Networking)
CVE-ID: CVE-2009-2194 (Networking)
CVE-ID: CVE-2008-0674 (XQuery)

-- Threat Matrix --
                U    O
Home User      10   10 (Highly Critical)
Corporate      10   10 (Highly Critical)

1.3 Safari (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Safari 4.0.2 and earlier

-- Technical Description --
CoreGraphics - Arbitrary code execution from visiting a webpage. Windows only
ImageIO - Arbitrary code execution when handling malicious EXIF data. Windows only
Safari - Possible phishing situation. All platforms
WebKit - Multiple, including arbitrary code execution from visiting a webpage. All platforms

-- Description --
Apple have released version 4.0.3 of their Safari browser, for both OS X and Windows platforms, addressing a number of serious vulnerabilities, the worst of which could lead to arbitrary code execution on vulnerable systems. This arbitrary execution could be triggered by something as simple as visiting a website.

-- Recommended Action --
Updating to Safari 4.0.3 will protect against opportunistic compromise of your Internet browser and is recommended due to the impact of the vulnerabilities patched.
-- Source --
http://support.apple.com/kb/HT1222
APPLE-SA-2009-08-11-1 Safari 4.0.3

-- Updates Available --
Apple Software Update application via the Apple Menu
http://www.apple.com/safari/download/

-- External Tracking Data --
CVE-ID: CVE-2009-2468 (CoreGraphics)
CVE-ID: CVE-2009-2188 (ImageIO)
CVE-ID: CVE-2009-2196 (Safari)
CVE-ID: CVE-2009-2195 (WebKit)
CVE-ID: CVE-2009-2200 (WebKit)
CVE-ID: CVE-2009-2199 (WebKit)

-- Threat Matrix --
                U    O
Home User      10   10 (Highly Critical)
Corporate      10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Hiding Content in PDF files

Didier Stevens' work on demystifying the inner workings of the PDF file format has attracted attention over recent months, and his most recent discovery holds promise for adding PDF to the list of formats that can be used to hide surreptitious content from prying eyes, with the added benefit that the content is effectively hidden from the PDF reader that is parsing the encompassing document. To encourage further research into this particular aspect of PDF wrangling, he has released a tool that can be used to create a PDF with a secretly embedded file, along with a detailed step-through of the process involved.

It really boils down to the handling of case-sensitive names in the file itself. The correct means to reference an embedded file is via /EmbeddedFiles; corrupting that name to /Embeddedfiles means that a specification-compliant PDF reader will not recognise it, so it ignores the reference and continues parsing the rest of the file. Of course, if a non-standard PDF reader is used, the hidden content may not be so hidden any more. Recovering the hidden content can be as simple as changing a single hex value. As Didier points out, there are plenty of methods available to make the hidden content even harder to find and encounter.
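The case-sensitivity behaviour described above is easy to check for from the analyst's side. The Python script below is an added example written for this page; it is not Didier Stevens' tool and not code from the original newsletter. It scans raw PDF bytes for name tokens that match a standard dictionary key only when letter case is ignored, which is exactly what a conforming reader would silently skip, and it can rewrite such names back to their canonical spelling so a normal parser will see the referenced object. The list of canonical names, the minimal sample PDF (constructed inline) and the function names are all assumptions of the example.

```python
import re

# Canonical spellings of PDF name objects. Names are case-sensitive in the
# PDF specification, so a mis-cased variant is silently skipped by a
# conforming parser, which is what the hiding technique discussed above
# relies on. This set is an assumption of the example; extend it with the
# dictionary keys that matter in your environment.
CANONICAL_NAMES = {
    "Catalog", "Names", "EmbeddedFiles", "EmbeddedFile", "Filespec",
    "JavaScript", "JS", "OpenAction", "AA", "Launch", "Type", "Pages",
    "Page", "Kids", "Root", "Length", "Filter", "FlateDecode",
}
_BY_LOWER = {name.lower(): name for name in CANONICAL_NAMES}

# A name token is '/' followed by regular characters; whitespace and
# delimiters end it. '#xx' hex escapes are kept as written, which is enough
# for checking the plain spellings above.
NAME_TOKEN = re.compile(rb"/([A-Za-z0-9_.#-]+)")

# Constructed sample: a minimal PDF whose name tree is keyed with the
# mis-cased /Embeddedfiles, so a conforming reader never sees the file spec.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Names << /Embeddedfiles 4 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Names [(hidden.txt) 5 0 R] >>\nendobj\n"
    b"5 0 obj\n<< /Type /Filespec /F (hidden.txt) /EF << /F 6 0 R >> >>\nendobj\n"
    b"6 0 obj\n<< /Type /EmbeddedFile /Length 6 >>\nstream\nsecret\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def find_miscased_names(pdf_bytes):
    """Return [(offset, spelling_found, canonical_spelling), ...] for every
    name token that equals a canonical name only when case is ignored.
    offset is the position of the leading '/'."""
    hits = []
    for m in NAME_TOKEN.finditer(pdf_bytes):
        found = m.group(1).decode("ascii", "replace")
        canonical = _BY_LOWER.get(found.lower())
        if canonical is not None and found != canonical:
            hits.append((m.start(), found, canonical))
    return hits


def normalize_names(pdf_bytes):
    """Return a copy of pdf_bytes with each mis-cased canonical name rewritten
    to its canonical spelling. The replacement has the same length, so object
    offsets and the xref table are unaffected. This is the analyst's recovery
    step (the 'single hex value' change mentioned above), applied to a copy."""
    out = bytearray(pdf_bytes)
    for offset, found, canonical in find_miscased_names(pdf_bytes):
        start = offset + 1  # skip the '/'
        out[start:start + len(found)] = canonical.encode("ascii")
    return bytes(out)


def hidden_embedded_files(pdf_bytes):
    """True when the file carries a mis-cased /EmbeddedFiles key, the specific
    case discussed above."""
    return any(c == "EmbeddedFiles" for _, _, c in find_miscased_names(pdf_bytes))


if __name__ == "__main__":
    for offset, found, canonical in find_miscased_names(SAMPLE_PDF):
        print(f"offset {offset}: /{found} differs from /{canonical} only by case")
    print("hidden embedded files:", hidden_embedded_files(SAMPLE_PDF))
    print("after normalizing:", find_miscased_names(normalize_names(SAMPLE_PDF)))
```

Run it directly to see the single hit on the constructed sample. The scan is deliberately byte-level rather than built on a PDF library: a library that follows the specification would discard the mis-cased key before you could look at it, which is the whole point of the technique.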
As a speaker at the upcoming Brucon security conference in Brussels, he is certain to present plenty more interesting material on PDF manipulation and discovery there.

2.2 Microsoft's Out-of-Cycle Patches Could be Tip of Iceberg

Microsoft released two out-of-cycle security updates, MS09-034 and MS09-035, earlier this week to address a set of vulnerabilities affecting Internet Explorer and Visual Studio (MS09-034 and MS09-035 respectively). Interestingly, the non-standard patch release is not a result of attacks already taking place; rather, it is intended to strengthen the protections already provided by MS09-032, which did address the known attacks against the ATL (Active Template Library) weaknesses patched across all three updates.

So why release the patches if nothing is currently targeting these particular vulnerabilities, rather than waiting until the next scheduled monthly release? According to the Security Research & Defense blog, the patches were released because "additional information regarding these vulnerabilities has been growing over the past few weeks." With Black Hat and DefCon taking place before the next scheduled patch release, it is probable that the vulnerabilities would be discussed and that new attacks would emerge after the conferences. While both the Visual Studio and Internet Explorer updates are related through the ATL weaknesses, the Internet Explorer update also incorporates other fixes for which waiting until the next scheduled update would not have been prudent.

Why is it important to apply the patches as soon as possible? One particular aspect of the addressed vulnerabilities would allow an attacker to bypass the killbit check and effectively run disabled ActiveX controls in Internet Explorer. This would open the floodgates for many historical vulnerabilities and attacks to become valid again.
The Internet Explorer update is designed to block the known attack routes, and time will tell whether Microsoft has been successful in closing off all the methods available to target the vulnerabilities. The wider problem now faced is the unknown number of ActiveX controls that have been compiled and built using the vulnerable version of ATL (which the Visual Studio update replaces). Microsoft have announced their willingness to incorporate killbits for vulnerable controls in future security updates, so all developers need to do is contact Microsoft. With the vulnerable libraries having been available for 12 years, the scope of the potential problems facing end users is immense, hence the urgency to apply the Internet Explorer patch as a matter of priority.

2.3 How Will the New York Times Get Readers to Pay?

At a time when traditional media markets are suffering for advertising, a number of ideas have been floated for how to attract and retain customers, from micro-transactions, where readers pay a tiny fee per article they read, to monthly access fees and locking articles away from the casual reader. There has been quite a lot of talk from different organisations about what they are planning to do and what they might do, but when a major media organisation steps forward and states that content that has previously been supported only by advertising revenue will soon be going behind a so-called pay-wall, it suggests that this sort of future is closer than many have feared.

Recent reporting links the New York Times media group to a decision to be made in August about how exactly to take the previously openly accessible content of the New York Times and associated outlets to a user-pays basis online. The Wall Street Journal is well known as probably the most successful news outlet to serve its content to paying customers online, but it is largely focussed on financial news and could still be argued to be a niche provider.
If the New York Times goes ahead with the plan to make users pay, it would be the first significant non-niche newspaper group to do so. With information freely available from a range of sources online, and with global newspapers and media sources only a few keystrokes away, does the New York Times Group have what it takes to keep on attracting customers once it takes its content away from free public view?

The New York Times used to provide a similar service, TimesSelect; however, the premium service was closed two years ago, having brought in only around $10 million USD in revenue annually. That might be fine for a smaller organisation, but it is not enough to keep something like the New York Times going. It might not have much choice if it wants to stay alive as a powerful media outlet, with more than half its market value wiped out in the last 12 months alone. Trying to become a lean and efficient organisation has also resulted in the reduction of staffing numbers to almost a third of where they were five years ago.

With other organisations, such as the Associated Press, also making moves to have users pay for access to content, it might just be a matter of waiting long enough for enough providers to lock away their content before it becomes cost effective. On the other hand, news bodies that continue to release information without this encumbrance are likely to see a surge in popularity, and the companies locking away their content could easily see a loss in readership, mindshare, and revenue.

Monetising website viewers, especially on sites which deliver unique and valuable content, is a prickly question that every site owner and operator has to deal with at some time. When the New York Times makes its decision about how to increase monetisation of readers, it will be worth watching to see how it affects not only news organisations but also the nature of content production and publication on the Internet in general.
2.4 News Corporation to Charge for Online Content

Following on from our recent article covering the dilemma facing the New York Times, and how it is struggling to find an appropriate means of driving sufficient revenue from its online assets to make continuing to offer them worthwhile and profitable, News Corporation has announced that it will soon be making all of its online sites fee-based for access to news and other content.

As with the New York Times, News Corporation has been suffering from falling revenues, with $3.4 billion USD lost in the twelve months ending June. That is a considerable hole for a company that grew from being a newspaper owner into a major media conglomerate with exposure in cable news and satellite television, as well as newspapers all over the globe. While one of News Corporation's online assets already works successfully through a fee-based portal, the Wall Street Journal is still something of a niche newspaper compared to the broader appeal of other titles within the News Corporation stable.

How News Corporation's assets are going to make their offerings sufficiently differentiated and value-added over free or advertising-supported news sources is not known, but it will have to be something spectacular. Many of the assets held by News Corporation are generally regarded as tabloid-quality, not only for their printing format but also for the standard of reporting and content provided. Is the market willing to pay for this content large enough to be worthwhile? With such a massive hole in earnings, it looks like News Corporation does not have much choice.

News Corporation's move will open the door for other organisations to follow, not least the New York Times, but it all hinges on the move being profitable for News Corporation.
When state-sponsored news agencies such as the BBC and the Australian Broadcasting Corporation continue to exist and deliver original, well-researched reporting at no cost to the end user (thanks to licence payers or taxpayers), it is going to be difficult to claim that what is available commercially is better to the extent that it is worth paying for directly rather than viewing it through advertising support.

=======================================

Sincerely,
Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.