[Sunnet Alert] Advisory #269 - Microsoft (Multiple), OS X (Multiple), Safari (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Thu Aug 13 20:24:20 EST 2009
Sûnnet Beskerming Alert List Advisory #269
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the
error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 days
1.2 OS X (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 7 days
1.3 Safari (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Hiding Content in PDF files
2.2 Microsoft's Out-of-Cycle Patches Could be Tip of Iceberg
2.3 How Will the New York Times Get Readers to Pay?
2.4 News Corporation to Charge for Online Content
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows, Publisher, ISA Server, ActiveX, Virtual PC / Virtual Server
-- Technical Description --
MS09-036 - ASP.NET. Denial of Service. Important
MS09-037 - ATL. Arbitrary code execution. Replaces MS08-048,
MS07-047. Critical
MS09-038 - Windows Media file (AVI) processing. Arbitrary code
execution. Critical
MS09-039 - WINS. Arbitrary code execution. Replaces MS09-008. Critical
MS09-040 - MSMQ. Elevation of privilege. Important
MS09-041 - Workstation Service. Denial of Service / Privilege
Escalation. Important
MS09-042 - Telnet. Arbitrary code execution. Important
MS09-043 - Office Web Components. Arbitrary code execution. Replaces
MS08-017. Critical
MS09-044 - Remote Desktop. Arbitrary code execution. Critical
-- Description --
Microsoft released nine patches with the August security patch
release, in addition to the two out-of-cycle patches issued after
July's release (not covered here). Five Critical and four Important
patches were released, addressing remote code execution, denial of
service, and elevation of privilege vulnerabilities across Windows,
Office, Visual Studio, .NET, and ISA Server. One of the patches,
MS09-044, is also available for OS X clients that use the Remote
Desktop Connection Client for Mac. Several of the patched
vulnerabilities, including those addressed by the out-of-cycle
updates, have public vulnerability data readily available or are
under active exploitation. MS09-029 and MS09-035 have also been
re-released this month.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-aug.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-036.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-037.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-038.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-040.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-041.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-042.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-043.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-044.mspx
-- External Tracking Data --
CVE-ID: CVE-2009-1536 (MS09-036)
CVE-ID: CVE-2008-0015 (MS09-037)
CVE-ID: CVE-2008-0020 (MS09-037)
CVE-ID: CVE-2009-0901 (MS09-037)
CVE-ID: CVE-2009-2493 (MS09-037)
CVE-ID: CVE-2009-2494 (MS09-037)
CVE-ID: CVE-2009-1545 (MS09-038)
CVE-ID: CVE-2009-1546 (MS09-038)
CVE-ID: CVE-2009-1923 (MS09-039)
CVE-ID: CVE-2009-1924 (MS09-039)
CVE-ID: CVE-2009-1922 (MS09-040)
CVE-ID: CVE-2009-1544 (MS09-041)
CVE-ID: CVE-2009-1930 (MS09-042)
CVE-ID: CVE-2009-0562 (MS09-043)
CVE-ID: CVE-2009-1136 (MS09-043)
CVE-ID: CVE-2009-1534 (MS09-043)
CVE-ID: CVE-2009-2496 (MS09-043)
CVE-ID: CVE-2009-1133 (MS09-044)
CVE-ID: CVE-2009-1929 (MS09-044)
-- Threat Matrix --
                U    O
Home User      10   10  (Highly Critical)
Corporate      10   10  (Highly Critical)
1.2 OS X (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
OS X 10.4.11
OS X 10.5.x
-- Technical Description --
BIND - Denial of service due to poor handling of dynamic DNS update
messages. BIND is not enabled by default on OS X but is included with
the default system.
bzip2 - Denial of service due to memory flaw in bzip2
CFNetwork - Impersonation possible due to poor control of displayed
messages
ColorSync - Arbitrary code execution due to interpreting malicious
ColorSync profile
CoreTypes - Improved notification to users that a content type may
not be safe
Dock - Multitouch gestures on a locked system could allow control of
applications and Expose
Image RAW - Arbitrary code execution when handling malicious Canon
RAW images
ImageIO - Arbitrary code execution when handling malicious EXIF data
and OpenEXR and PNG images
Kernel - Privilege elevation through fcntl vulnerability
launchd - Denial of service due to connection exhaustion with some
inetd-based services
Login Window - Arbitrary code execution due to poor handling of
specific text strings
MobileMe - User Impersonation due to poor handling of user credentials
Networking - Arbitrary code execution due to poor handling of
AppleTalk network traffic
Networking - Denial of service due to poor handling of simultaneous
file descriptor operations
XQuery - Arbitrary code execution due to poor handling of XML content
-- Description --
Apple have released Security Updates 2009-003 and 2009-004 for the
10.5 and 10.4.11 OS X versions. Incorporated in the 2009-003 Security
Update is the latest point release, bringing OS X 10.5 to 10.5.8. A
number of
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://support.apple.com/kb/HT1222
APPLE-SA-2009-08-05-1 Security Update 2009-003 / Mac OS X v10.5.8
APPLE-SA-2009-08-12-1 Security Update 2009-004
-- Updates Available --
Apple Software Update application via the Apple Menu
http://www.apple.com/support/downloads/
-- External Tracking Data --
CVE-ID: CVE-2009-0696 (BIND)
CVE-ID: CVE-2008-1372 (bzip2)
CVE-ID: CVE-2009-1723 (CFNetwork)
CVE-ID: CVE-2009-1726 (ColorSync)
CVE-ID: CVE-2009-1727 (CoreTypes)
CVE-ID: CVE-2009-0151 (Dock)
CVE-ID: CVE-2009-1728 (Image RAW)
CVE-ID: CVE-2009-1722 (ImageIO)
CVE-ID: CVE-2009-1721 (ImageIO)
CVE-ID: CVE-2009-1720 (ImageIO)
CVE-ID: CVE-2009-2188 (ImageIO)
CVE-ID: CVE-2009-0040 (ImageIO)
CVE-ID: CVE-2009-1235 (Kernel)
CVE-ID: CVE-2009-2190 (launchd)
CVE-ID: CVE-2009-2191 (Login Window)
CVE-ID: CVE-2009-2192 (MobileMe)
CVE-ID: CVE-2009-2193 (Networking)
CVE-ID: CVE-2009-2194 (Networking)
CVE-ID: CVE-2008-0674 (XQuery)
-- Threat Matrix --
                U    O
Home User      10   10  (Highly Critical)
Corporate      10   10  (Highly Critical)
1.3 Safari (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Safari 4.0.2 and earlier
-- Technical Description --
CoreGraphics - Arbitrary code execution from visiting a webpage.
Windows only
ImageIO - Arbitrary code execution when handling malicious EXIF
data. Windows only
Safari - Possible phishing situation. All platforms
WebKit - Multiple, including arbitrary code execution from visiting a
webpage. All platforms
-- Description --
Apple have released version 4.0.3 of their Safari browser, for both
OS X and Windows platforms, addressing a number of serious
vulnerabilities, the worst of which could lead to arbitrary code
execution on vulnerable systems. This arbitrary execution could be
through something as simple as visiting a website.
-- Recommended Action --
Updating to Safari 4.0.3 will protect against opportunistic
compromise of your Internet browser and is recommended due to the
impact of the vulnerabilities patched.
-- Source --
http://support.apple.com/kb/HT1222
APPLE-SA-2009-08-11-1 Safari 4.0.3
-- Updates Available --
Apple Software Update application via the Apple Menu
http://www.apple.com/safari/download/
-- External Tracking Data --
CVE-ID: CVE-2009-2468 (CoreGraphics)
CVE-ID: CVE-2009-2188 (ImageIO)
CVE-ID: CVE-2009-2196 (Safari)
CVE-ID: CVE-2009-2195 (WebKit)
CVE-ID: CVE-2009-2200 (WebKit)
CVE-ID: CVE-2009-2199 (WebKit)
-- Threat Matrix --
                U    O
Home User      10   10  (Highly Critical)
Corporate      10   10  (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Hiding Content in PDF files
Didier Stevens' work on demystifying the inner workings of the PDF
file format has attracted attention over recent months, and his most
recent discovery adds PDF to the list of formats that can be used to
hide content from prying eyes, with the added benefit that the content
is effectively hidden from the very PDF reader that is parsing the
encompassing document.
To encourage further research into this particular aspect of PDF
wrangling, he has released a tool that creates a PDF with a secretly
embedded file, along with a detailed step-through of the process
involved.
It really boils down to the handling of case-sensitive names in the
file itself. The correct way to reference an embedded file is via the
/EmbeddedFiles name tree; corrupt that name to /Embeddedfiles and a
specification-compliant PDF reader, which treats names as
case-sensitive, should simply ignore the unknown entry and carry on
parsing the rest of the file. Because the corrupted name is the same
length as the original, the file remains well-formed and nothing else
in it needs to change.
Of course, if a non-standard PDF reader (or a plain string search) is
used, the hidden content may not be so hidden any more. Recovering it
can be as simple as changing that single byte (one hex value) back.
As Didier points out, there are plenty of methods available to make
the hidden content even harder to find and encounter.
Didier is speaking at the upcoming BruCON security conference in
Brussels, so there is bound to be plenty more interesting material on
PDF manipulation and discovery presented there.
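As an added illustration (this is not Didier Stevens' tool or code; the tiny PDF builder, the list of names worth checking and the payload are all constructed here for the example), the following Python script builds a minimal PDF with an embedded file, hides it by flipping that one byte, and then shows the two checks a practitioner wants: a scan that flags names which only match a known name after case-folding, and a raw stream extraction that recovers the payload without consulting the name tree at all. The hex-escape case goes one step past the text: PDF name syntax allows /Embedded#46iles to mean /EmbeddedFiles, which is one of the further ways to dodge a naive string search, so the scanner decodes that too.

```python
"""Hide an embedded file from a spec-compliant PDF reader by mis-casing one
name, then find and recover it with a byte-level scan.

Added example; not Didier Stevens' tool. The minimal PDF builder, the list
of names worth checking and the payload are constructed for illustration.
"""
import re

SPEC_NAME = b"/EmbeddedFiles"    # the name a compliant reader looks for
HIDDEN_NAME = b"/Embeddedfiles"   # one byte differs: 'F' (0x46) -> 'f' (0x66)

# Names whose exact spelling a reader acts on (constructed, not exhaustive).
KNOWN_NAMES = {b"/EmbeddedFiles", b"/JavaScript", b"/JS", b"/OpenAction",
               b"/AA", b"/Launch", b"/Names", b"/EF", b"/Filespec"}

NAME_RE = re.compile(rb"/[A-Za-z0-9_.#]+")
# Grab the body of every /EmbeddedFile stream without consulting the name
# tree; case-insensitive so a mis-cased /Type value does not dodge it either.
STREAM_RE = re.compile(
    rb"/Type\s*/EmbeddedFile\b.*?>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.DOTALL | re.IGNORECASE)


def build_pdf_with_attachment(payload, filename=b"notes.txt"):
    """Return a minimal, well-formed PDF 1.4 that embeds `payload` and
    registers it in the catalog's /EmbeddedFiles name tree."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [ ("
        + filename + b") 4 0 R ] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Type /Filespec /F (" + filename + b") /EF << /F 5 0 R >> >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload)
        + payload + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


def hide_attachment(pdf):
    """Flip the case of one letter. The length is unchanged, so every xref
    offset stays valid and the file is still well-formed; a compliant reader
    simply finds no /EmbeddedFiles entry and carries on."""
    return pdf.replace(SPEC_NAME, HIDDEN_NAME)


def recover_attachment(pdf):
    """Undo the trick: change that single byte back."""
    return pdf.replace(HIDDEN_NAME, SPEC_NAME)


def canonical(raw):
    """Resolve #xx escapes: PDF allows /Embedded#46iles to mean /EmbeddedFiles."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def find_suspicious_names(pdf):
    """Return (as_written, spec_name) pairs for names that equal a known name
    only after case-folding or #xx decoding. The first kind a compliant reader
    silently ignores; the second is written to defeat a plain string search."""
    by_lower = {n.lower(): n for n in KNOWN_NAMES}
    hits = []
    for m in NAME_RE.finditer(pdf):
        raw = m.group()
        spec = by_lower.get(canonical(raw).lower())
        if spec is not None and raw != spec:
            hits.append((raw, spec))
    return hits


def extract_embedded_streams(pdf):
    """Recover payloads by pattern matching alone. Assumes unfiltered streams,
    as in the constructed sample; compressed ones need /Filter handling."""
    return [m.group(1) for m in STREAM_RE.finditer(pdf)]


if __name__ == "__main__":
    clean = build_pdf_with_attachment(b"attacker notes")
    hidden = hide_attachment(clean)
    print("suspicious names:", find_suspicious_names(hidden))
    print("recovered streams:", extract_embedded_streams(hidden))
    print("restored identical:", recover_attachment(hidden) == clean)
```

The scan only knows the names in KNOWN_NAMES; for a real triage pass, extend that set with every name the reader's own dictionary of actionable keys contains, and treat any hit as worth opening the object by hand.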
2.2 Microsoft's Out-of-Cycle Patches Could be Tip of Iceberg
Microsoft released two out-of-cycle security updates earlier this
week: MS09-034 for Internet Explorer and MS09-035 for Visual Studio.
Interestingly, the out-of-cycle release is not a response to attacks
already taking place; rather, it extends the protection provided by
MS09-032, which addressed the known attacks against the ATL (Active
Template Library) weaknesses that all three bulletins deal with.
So why release the patches if nothing is targeting these particular
vulnerabilities, and why not wait until the next scheduled monthly
release? According to Microsoft's Security Research & Defense blog,
the patches were released because "additional information regarding
these vulnerabilities has been growing over the past few weeks". With
Black Hat and DefCon taking place before the next scheduled patch
release, it is probable that the vulnerabilities would be discussed
there and new attacks would emerge after the conferences.
While the Visual Studio and Internet Explorer updates are related,
both stemming from the ATL weaknesses, the Internet Explorer update
also incorporates other fixes that it would not have been prudent to
hold back until the next scheduled update. Why is it important to
apply the patches as soon as possible? One of the addressed
vulnerabilities would allow an attacker to bypass the killbit check
and effectively run ActiveX controls that have been disabled in
Internet Explorer. This would reopen the floodgates for many
historical vulnerabilities and attacks. The Internet Explorer update
is designed to block the known attack routes, and time will tell
whether Microsoft has succeeded in closing off all the methods
available to target the vulnerabilities.
The wider problem now faced is the unknown number of ActiveX controls
that have been compiled and built against the vulnerable version of
ATL (which the Visual Studio update replaces). Microsoft have
announced their willingness to ship killbits for vulnerable controls
in future security updates, so developers who find their controls
affected need only contact Microsoft.
With the vulnerable libraries having been available for 12 years, the
scope of the potential problems facing end users is immense, hence
the urgency to apply the Internet Explorer patch as a matter of
priority.
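The killbit is the control that the ATL flaw above undermines, so the first thing an administrator wants is an inventory of which controls on a host are protected by it and nothing else. As an added example (not Microsoft's code; the CLSIDs and the .reg text are constructed for illustration and do not refer to real controls), the following Python script reads that inventory. Internet Explorer stores the flag under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} as the "Compatibility Flags" DWORD, with bit 0x400 meaning kill bit. The parser works on a `reg export` of that key so it runs anywhere; the live registry read is Windows only.

```python
"""Inventory the ActiveX controls a host protects only with the kill bit.

Added example, not Microsoft code. Internet Explorer will not instantiate a
control whose "Compatibility Flags" value under
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}
has bit 0x400 set. The CLSIDs and the .reg text below are constructed and
do not refer to real controls.
"""

KILLBIT = 0x400
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample in the text format `reg export` writes (on disk such a
# file is UTF-16; open it with encoding="utf-16" before passing it here).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000401
"""


def parse_reg_export(text):
    """Map CLSID -> Compatibility Flags for each subkey of the ActiveX
    Compatibility key found in a .reg export. A subkey that carries no
    value is recorded as 0 (no kill bit)."""
    prefix = ("HKEY_LOCAL_MACHINE\\" + COMPAT_KEY + "\\").lower()
    flags, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            if current is not None:
                flags.setdefault(current, 0)
        elif current and line.lower().startswith('"compatibility flags"=dword:'):
            flags[current] = int(line.split(":", 1)[1], 16)
    return flags


def is_killbitted(flags):
    """True when bit 0x400 is set; other bits are unrelated compatibility flags."""
    return bool(flags & KILLBIT)


def killbitted_controls(flags_by_clsid):
    """CLSIDs that IE refuses to load today, i.e. exactly the set a kill-bit
    bypass would bring back to life."""
    return sorted(c for c, f in flags_by_clsid.items() if is_killbitted(f))


def live_flags():
    """Same inventory read from the local registry (Windows only; returns {}
    elsewhere). On 64-bit Windows also check the Wow6432Node copy of the key,
    which is what 32-bit Internet Explorer consults."""
    try:
        import winreg
    except ImportError:
        return {}
    flags = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPAT_KEY) as root:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, index)
            except OSError:          # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, clsid) as sub:
                    value, _ = winreg.QueryValueEx(sub, "Compatibility Flags")
                    flags[clsid] = int(value)
            except OSError:          # subkey without the value
                flags[clsid] = 0
    return flags


if __name__ == "__main__":
    inventory = live_flags() or parse_reg_export(SAMPLE_REG_EXPORT)
    for clsid in killbitted_controls(inventory):
        print("kill bit set:", clsid)
```

A control that appears in this list and was built with the vulnerable ATL is the case the text warns about: it is "disabled", yet reachable again through the bypass until MS09-034 is applied.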
2.3 How Will the New York Times Get Readers to Pay?
At a time when traditional media markets are suffering from falling
advertising revenue, a number of ideas have been floated for how to
attract and retain customers, from micro-transactions, where readers
pay a tiny fee per article they read, to monthly access fees and
locking articles away from the casual reader.
There has been quite a lot of talk from different organisations about
what they are planning to do and what they might do, but when a major
media organisation steps forward and states that content which has
previously been funded by advertising alone will soon be going behind
a so-called pay-wall, it suggests that this sort of future is closer
than many have feared.
Recent reporting links the New York Times media group to a decision to
be made in August about how exactly to take the previously openly
accessible content of the New York Times and associated outlets to a
user-pays basis online.
The Wall Street Journal is well known as probably the most successful
news outlet to serve their content to paying customers online, but it
is largely focussed on financial news, and could still be argued to be
a niche provider. If the New York Times goes ahead with the plan to
make users pay, it would be the first significant non-niche newspaper
group to do so.
With information freely available from a range of sources online, with
global newspapers and media sources only a few keystrokes away, does
the New York Times Group have what it takes to be able to keep on
attracting customers once it takes its content away from free public
view? The New York Times used to provide a similar service,
TimesSelect, however the premium service was closed two years ago,
only bringing around $10 million USD in revenue annually. That might
be fine for a smaller organisation, but it isn't enough to keep
something like the New York Times going.
It might not have much choice if it wants to stay alive as a powerful
media outlet, with more than half of its market value wiped out in the
last 12 months alone. Trying to become a lean and efficient
organisation has also reduced staffing numbers to almost a third of
where they were five years ago. With other organisations, such as the
Associated Press, also making moves to have users pay for access to
content, it might just be a matter of waiting long enough for enough
providers to lock away their content before it becomes cost effective.
On the other hand, news bodies that continue to release information
without this encumbrance are likely to see a surge in popularity, and
the companies locking away their content could easily see a loss in
readership, mindshare, and revenues.
Monetizing website viewers, especially on sites which deliver unique
and valuable content, is a prickly question that every site owner and
operator has to deal with at some time. When the New York Times makes
its decision about how to increase monetization of readers it will be
worth watching to see how it affects not only news organisations but
also the nature of content production and publication on the Internet
in general.
2.4 News Corporation to Charge for Online Content
Following on from our recent article covering the dilemma facing the
New York Times, which is struggling to find a way to drive enough
revenue from its online assets to make them worth offering and to
remain profitable, News Corporation has announced that it will soon
make all of its online sites fee-based for access to news and other
content. As with the New York Times, News Corporation has been
suffering from falling revenues, reporting a $3.4 billion USD loss in
the twelve months ending June. That is a large hole for a company
that grew from being a newspaper owner into a major media conglomerate
with interests in cable news, satellite television, and newspapers all
over the globe.
While one of News Corporation's online assets, the Wall Street
Journal, already works successfully behind a fee-based portal, it is
still something of a niche newspaper compared to the broader appeal of
other titles within the News Corporation stable.
How News Corporation's assets are going to make their offerings
sufficiently differentiated and value-added compared with free or
advertising-supported news sources is not known, but it will have to
be something spectacular. Many of the titles held by News Corporation
are generally regarded as tabloid-quality, not only for their printing
format but also for the standard of reporting and content provided. Is
the market that is willing to pay for this content large enough to be
worthwhile? With such a massive hole in earnings, it looks like News
Corporation doesn't have much choice.
News Corporation's move will open the door for other organisations to
follow, not least the New York Times, but it all hinges on the move
being profitable for News Corporation. When state-sponsored news
agencies such as the BBC and the Australian Broadcasting Corporation
continue to exist and deliver original, well-researched reporting at
no cost to the end user (thanks to licence payers or taxpayers), it
is going to be difficult to claim that what is available commercially
is better to the extent that it is worth paying for directly rather
than viewing it through advertising support.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.