From alertmailinglist at skiifwrald.com Sun Dec 13 01:27:51 2009
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Sun, 13 Dec 2009 01:57:51 +1030
Subject: [Sunnet Alert] Advisory #273 - Microsoft (Multiple), Multiple News
Message-ID:

Sûnnet Beskerming Alert List
Advisory #273

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates are available online (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question: did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and to help you form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 3 Days

=======================================
/*
- Remote or Local - Can it be achieved through a network, or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/

--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------

2.1 Shrinking InfoSec Budgets or not, it can Still go Wrong
2.2 Security Irony from Microsoft and Symantec

=====================================
1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --

Windows
Office
Internet Explorer

-- Technical Description --

MS09-069 - Windows. Denial of service. Replaces MS06-025. Important
MS09-070 - Windows. Remote code execution. Important
MS09-071 - Windows. Code execution. Critical
MS09-072 - Internet Explorer. Remote code execution. Replaces MS09-054. Critical
MS09-073 - Office. Remote code execution. Replaces MS09-010, MS09-024. Important
MS09-074 - Office. Remote code execution. Replaces MS08-018. Critical

-- Description --

Microsoft have released six patches for the December Security Bulletin Update. Two of the patches are rated Critical, with the remainder rated Important. All of the patches deal with code execution vulnerabilities in some form, and four replace earlier security bulletins. The most critical patch is the Internet Explorer cumulative update (MS09-072); however, it is imperative that all patches are applied at the earliest opportunity. Only one of the patched vulnerabilities was publicly known prior to patch release.

-- Recommended Action --

All users and administrators should apply the updates at the earliest opportunity.

-- Source --

http://www.microsoft.com/technet/security/bulletin/ms09-dec.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --

http://www.microsoft.com/technet/security/bulletin/ms09-069.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-070.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-071.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-073.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-074.mspx

-- External Tracking Data --

Upgrade to get tracking details

-- Threat Matrix --

            U   O
Home User  10  10 (Highly Critical)
Corporate  10  10 (Highly Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Shrinking InfoSec Budgets or not, it can Still go Wrong

Information Security is a difficult thing to get right, especially when new attack methods and vulnerabilities are continually being discovered and exploited, and defensive practices and methodologies change and evolve over time. It is also difficult to justify an often costly process (though it doesn't always have to be) that has no readily apparent return. Mix in a healthy dose of snake oil and the result is something that daunts many people and traps the over-confident.

Melbourne's The Age newspaper recently reported that companies are beginning to cut back their Information Security expenditure, even in the face of continuing threats and growing levels of breaches and other attacks against systems. With a continuing financial crisis, it shouldn't be much of a surprise to see budgets shrinking, but the risk is that it leaves systems and data stores more exposed to compromise. That compromise may not happen before budgets are restored, but it is still a risky step.

With the various business failures and high profile breach reporting that have taken place in the last couple of years, the assessment may even be that a breach isn't necessarily a major problem. It is telling, though, that the study that produced these figures was commissioned by an Information Security vendor, McAfee.

At the other end of the scale, a report via Gov InfoSecurity highlights the failure of a $433 million USD project undertaken by the Los Alamos National Laboratory to secure classified computer networks over several years. The project achieved some results, but the systems and networks are still apparently plagued with significant weaknesses that do not adequately protect the data on the systems. For an institution where classified research is carried out, and one that is also partly responsible for research on nuclear weapons, this reporting can only be an embarrassment.

2.2 Security Irony from Microsoft and Symantec

Security is a very difficult thing to get right, whether it is a company that has committed itself to overcoming historical security flaws and implementing a secure development process, such as Microsoft, or a company that exists to deliver Information Security services and products to governments, businesses, and consumers, such as Symantec.

One of Microsoft's most recently disclosed vulnerabilities is a flaw in the XSS protection built into Internet Explorer 8. This component is designed to re-encode pages as they render in order to neutralise any embedded XSS; it apparently contains a vulnerability that can instead be used to introduce an XSS attack into a site that would otherwise not be vulnerable, precisely because it modifies the rendering of the page as it loads. The exact details of the vulnerability have not been disclosed, but the timing and apparent source (Google) of the news is interesting, given Microsoft's recent discovery of a vulnerability in a Google product. Given that Microsoft were apparently notified of the vulnerability some time ago, it does seem a little like tit-for-tat rather than responsible vulnerability handling from both parties.

In Symantec's case, a site dedicated to supporting PC Doctor for Japanese and South Korean clients was found to have a SQL Injection vulnerability that allowed the disclosure of sensitive client data and product registration details. It isn't the first time that the Romanian hacker Unu has found vulnerabilities in Symantec's online offerings, with a similar flaw found earlier this year. While Symantec played down the severity of that particular vulnerability, it seems that this time they have admitted that this flaw is severe.

=======================================
Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.