[Sunnet Alert] Advisory #263 - Microsoft (Multiple), Apple (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Tue Feb 17 13:17:00 EST 2009
Sûnnet Beskerming Alert List Advisory #263
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 7 days
1.2 Apple (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - > 7 days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 SSL Certificates Not as Safe as Once Thought
2.2 Arrested for Being Critical of Government Policy
2.3 2009 To Be The Year Of...
2.4 1234567890 on Black Friday
2.5 Google Demonstrates Risk of Filtering Systems
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows
Visio
SQL Server
Internet Explorer
-- Technical Description --
MS09-001 - SMB. Remote Code Execution. Replaces MS08-063. Critical
MS09-002 - Internet Explorer. Multiple Remote Code Execution.
Replaces MS08-073 and MS08-078. Critical
MS09-003 - Exchange. Multiple Code Execution and Denial of Service.
Replaces MS08-039. Critical
MS09-004 - SQL Server. Code Execution. Replaces MS08-040 and
MS08-052. Important
MS09-005 - Visio. Code Execution. Replaces MS08-019. Important
-- Description --
Microsoft's security patch releases for the first two months of 2009
have only seen five patches released, three of them Critical. While
the remaining two patches have only been rated by Microsoft as
Important, they do relate to code execution vulnerabilities and there
is still significant risk associated with not applying the patches for
those vulnerabilities. Microsoft, and most of the antivirus /
antimalware industry, have been focussed on the problems associated
with Conficker / Downadup, the worm which has been spreading across
the globe, using a range of different means to infect vulnerable
systems. It is considered extremely important that these patches are
applied as soon as possible.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-jan.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-feb.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-002.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-003.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-005.mspx
-- External Tracking Data --
CVE-ID: CVE-2008-4114 (MS09-001)
CVE-ID: CVE-2008-4834 (MS09-001)
CVE-ID: CVE-2008-4835 (MS09-001)
CVE-ID: CVE-2009-0075 (MS09-002)
CVE-ID: CVE-2009-0076 (MS09-002)
CVE-ID: CVE-2009-0098 (MS09-003)
CVE-ID: CVE-2009-0099 (MS09-003)
CVE-ID: CVE-2008-5416 (MS09-004)
CVE-ID: CVE-2009-0095 (MS09-005)
CVE-ID: CVE-2009-0096 (MS09-005)
CVE-ID: CVE-2009-0097 (MS09-005)
-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)
1.2 Apple (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
OS X 10.4.x
OS X 10.5.x
-- Technical Description --
AFP Server - Denial of Service
Apple Pixlet Video - Denial of Service and Arbitrary Code Execution
CarbonCore - Denial of Service and Arbitrary Code Execution
CFNetwork - Cookie handling
Certificate Assistant - File manipulation
ClamAV - Multiple arbitrary code execution
CoreText - Denial of Service and arbitrary code execution
CUPS - Denial of service
DS Tools - Information Disclosure
fetchmail - Multiple Denial of Service
Folder Manager - Permissions Issue
FSEvents - Information Disclosure
Java - Multiple privilege elevation
Network Time - Configuration Change
perl - Denial of Service and arbitrary code execution
Printing - Privilege elevation
python - Multiple arbitrary code execution
Remote Apple Events - Multiple Denial of Service and Information
Disclosure
Safari RSS - Arbitrary code execution
servermgrd - Information disclosure
SMB - Denial of Service and arbitrary code execution
SquirrelMail - Multiple Cross Site Scripting issues
X11 - Multiple arbitrary code execution
XTerm - Information disclosure
-- Description --
Apple has released a number of updates in the last several days,
providing Security Update 2009-001, an update for Safari for Windows
and a Java update. Due to the broad range of services and software
being updated, and the severity of the vulnerabilities being patched,
it is considered extremely important that the updates are applied as
soon as possible.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://support.apple.com/kb/HT1222
-- Updates Available --
http://www.apple.com/support/downloads/
-- External Tracking Data --
CVE-ID: CVE-2009-0142 (AFP Server)
CVE-ID: CVE-2009-0009 (Apple Pixlet Video)
CVE-ID: CVE-2009-0020 (CarbonCore)
CVE-ID: CVE-2009-0011 (Certificate Assistant)
CVE-ID: CVE-2008-5050 (ClamAV)
CVE-ID: CVE-2008-5314 (ClamAV)
CVE-ID: CVE-2009-0012 (CoreText)
CVE-ID: CVE-2008-5183 (CUPS)
CVE-ID: CVE-2009-0013 (DS Tools)
CVE-ID: CVE-2007-4565 (fetchmail)
CVE-ID: CVE-2008-2711 (fetchmail)
CVE-ID: CVE-2009-0014 (Folder Manager)
CVE-ID: CVE-2009-0015 (FSEvents)
CVE-ID: CVE-2008-2086 (Java)
CVE-ID: CVE-2008-5340 (Java)
CVE-ID: CVE-2008-5342 (Java)
CVE-ID: CVE-2008-5343 (Java)
CVE-ID: CVE-2008-1927 (perl)
CVE-ID: CVE-2009-0017 (Printing)
CVE-ID: CVE-2008-1679 (python)
CVE-ID: CVE-2008-1721 (python)
CVE-ID: CVE-2008-1887 (python)
CVE-ID: CVE-2008-2315 (python)
CVE-ID: CVE-2008-2316 (python)
CVE-ID: CVE-2008-3142 (python)
CVE-ID: CVE-2008-3144 (python)
CVE-ID: CVE-2008-4864 (python)
CVE-ID: CVE-2007-4965 (python)
CVE-ID: CVE-2008-5031 (python)
CVE-ID: CVE-2009-0018 (Remote Apple Events)
CVE-ID: CVE-2009-0019 (Remote Apple Events)
CVE-ID: CVE-2009-0137 (Safari RSS)
CVE-ID: CVE-2009-0138 (servermgrd)
CVE-ID: CVE-2009-0139 (SMB)
CVE-ID: CVE-2009-0140 (SMB)
CVE-ID: CVE-2008-2379 (SquirrelMail)
CVE-ID: CVE-2008-3663 (SquirrelMail)
CVE-ID: CVE-2008-1377 (X11)
CVE-ID: CVE-2008-1379 (X11)
CVE-ID: CVE-2008-2360 (X11)
CVE-ID: CVE-2008-2361 (X11)
CVE-ID: CVE-2008-2362 (X11)
CVE-ID: CVE-2006-1861 (X11)
CVE-ID: CVE-2006-3467 (X11)
CVE-ID: CVE-2007-1351 (X11)
CVE-ID: CVE-2008-1806 (X11)
CVE-ID: CVE-2008-1807 (X11)
CVE-ID: CVE-2008-1808 (X11)
CVE-ID: CVE-2007-1352 (X11)
CVE-ID: CVE-2007-1667 (X11)
CVE-ID: CVE-2009-0141 (XTerm)
-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 SSL Certificates Not as Safe as Once Thought
Over time, security practices that were once thought to be safe
change. Many years ago it was believed that viruses could not
propagate through email, and that images or web pages could not
attack your system or network. Those beliefs have all been shown to be
inaccurate as attack methods evolve and researchers discover new
weaknesses and new ways to exploit and expose those weaknesses.
One of the more recent mantras, which has become a key part of
ensuring Internet users stay safe online, is to always look for the
lock icon or https at the start of the URL when passing sensitive
personal or financial information across the Internet to an otherwise
trusted remote site (banking, online shopping, etc). The presence of
an SSL certificate that matched the site name (for more advanced
users) meant that no one on the network was listening in to the
transaction.
As phishers and other malware authors became more skilled, the sites
being used to capture personal data began obtaining certificates of
their own that matched their not-quite-right URLs and others shifted
their focus to the victim's own system, intercepting and siphoning off
the data before it was encrypted in the browser and sent across the
network.
Recently there have been a couple of cases to cause alarm amongst
security watchers, raising the possibility that SSL certificates are
not as secure and as much of a panacea against attack as many thought.
It was discovered late last year that it is possible through some
Certificate Authorities (CAs, the companies that are trusted to issue
the SSL certificates that your browsers trust) to obtain authorised
certificates for any domain, even when you don't represent it. This
means that someone setting out to create a fake yourbank.com domain
can obtain a valid SSL certificate for that domain and point it to
their fake-yourbank.com site and not have any alerts raised in any web
browser.
At the recent CCC conference it was shown that it is possible, given
the right set of circumstances, to create a fake Intermediate CA due
to weaknesses in the methods used by some Root CAs in issuing their
certificates. By creating a fake Intermediate CA, it is then possible
to issue valid SSL certificates for any domain at all, and they will
all be accepted as valid by visitors' browsers. This is a more
concerning development, since it means that once the Intermediate CA
has been created, there does not need to be a request made to a valid
CA to obtain a certificate for each malicious domain.
For all users it means another thing to be careful of when going
online and that even a valid-looking SSL certificate may no longer
actually be valid.
2.2 Arrested for Being Critical of Government Policy
The AFP has reported on an interesting case in South Korea, where a
blogger was arrested for critical commentary he had posted about the
economic decisions of the South Korean government.
Although it isn't unheard of for people to be arrested for what they
post online, especially where that information is highly critical of
the government (or governments) in power, it does appear odd that the
South Korean government took this step against a popular online
commentator who had several key economic downturn predictions come
true in recent months, based on his critical commentary. With the
successful prediction of the failure of Lehman Brothers, local
currency devaluation, and local stock market crashes, the
commentator's credibility was enhanced and so when he claimed that the
government had taken active measures to support the South Korean won,
it was a step too far for the government.
While South Korea does maintain laws that could see a five year prison
term or even a 50 million won fine for the posting / distribution of
false reports and stories online, it now places the burden of proof on
the government to demonstrate that the claims were false, though
official charges have yet to be laid.
The anonymity of the internet allowed a jobless, self-educated man to
become an influential financial commentator; it was being overly
critical of the government's economic decisions (at least as far as
the government sees it) which led to his arrest and pending charges.
With the government on one side and the opposition, freedom of speech
groups, and civil liberties groups on the other, this case has grabbed
attention far more than many of the previous South Korean arrests for
online commentary ever had.
2.3 2009 To Be The Year Of...
If 2009 is going to be the year of anything, it may as well be the
year of data loss, which conveniently has also been every year for the
last few years.
Around the time of the inauguration of President Obama came news of
what could be the largest single breach of credit card information to
date. The potential scope of the breach is staggering. With around 100
million transactions a month passing through systems belonging to
Heartland, and malware in place to capture that data for an unknown
period of time, there could be an immense number of cards and details
that have been breached as a result.
Names, numbers and expiration dates were the information claimed to
have been compromised, but it is easy enough to clone fake cards from
this data, and, combined with a range of other data that should be
readily available to professional data thieves, there is sufficient
information to reconstitute the missing cardholder data (which, it is
claimed, has not been compromised).
The choice of the inauguration day for disclosure of the breach is
seen by some as a method to play down the importance of what took
place, or even to avoid the negative press and significant attention
that have followed major breaches in recent years, such as that which
followed the TJ Maxx data breach. Why the information was not made
public when Heartland were initially made aware of the problem in 2008
is not known, but it is bound to come to light in the inevitable law
suits that will follow.
More than 250,000 businesses across the United States were supplying
transaction information to Heartland processing systems. What this
means for consumers is that it isn't really a matter of where they
went shopping: with so many retailers potentially having had
transaction data intercepted, the risk of a customer having their data
intercepted is much higher than if a single retailer or retail chain
had been compromised (such as happened with TJ Maxx).
Another reason why this case is gaining some attention is the claim
that Heartland were assessed as PCI compliant. Whether that compliance
was still valid at the time of the ongoing data interception hasn't
been made clear, but it has already split the Information Security
community into two camps. Many PCI supporters are rushing to defend
the system against claims that it doesn't really achieve much by way
of actual security.
PCI DSS falls into the same sort of general traps as ISO 17799:2005
and ISO 27001. It is great to be able to wave a certification in the
air as part of marketing claims, but when it comes down to actual
implementation and effective security, doing what is necessary to meet
certification isn't going to do much to stop what is, undoubtedly in
the case of a financial payments processor, a motivated attacker. It
may even provide the attacker with a clearer picture as to what
assumptions the company has made in achieving certification and what
they may or may not be observing with their ongoing security posture.
If you're a supporter of PCI, or even if you're not, it is prudent to
at least be cognizant that PCI isn't the be-all and end-all of
Information Security. It can be extremely useful, when properly
applied and understood, but it should never be used as a crutch to
claim effective security procedures are in place.
If some of the other cases (breaches of USAJobs.gov and Monster.com)
to receive coverage this month can be looked at as bellwethers of the
year ahead, then 2009 is going to be another year where the
Information Security industry will continue to be playing catchup and
there are going to be many more high profile cases of massive data
loss and compromise.
2.4 1234567890 on Black Friday
Strange things tend to happen when notable timestamps are reached. It
may not seem like it would be much of a problem, but the whole Y2K
concern was a result of the fear that systems and software that were
coded to handle two digit years and not four digit years would have
major problems with the roll over from 1999 to 2000, seeing 00 as
representing 1900, and not 2000. More succinctly, it was a problem of
how to handle systems that were not designed to handle anything other
than the century in which they were created.
Another unique timestamp will be encountered in a little over a week's
time, with POSIX time reaching 1234567890 at 23:31:30 UTC on February
13th, 2009. Other than making for an interesting number it should give
programmers and QA staff something to think about. Are there any test
cases or unexpected code entry points that might have been left behind
and which can be triggered by the above timestamp (which would make
for an easy to remember test case)?
Having 1234567890 go past might be a useful hint that timekeeping
problems will eventually be an issue for most software. Just as many
of the developers of software affected by Y2K hadn't considered their
software still being in use at the change of century, there is still a
lot of software in use that is either having problems due to time and
date related errors, or will soon be.
If you are having trouble telling when the 1234567890 time is going to
be, the following is a helpful site, where you can see just how long
it is until that time, or if it has already been.
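The boundary checks the passage asks programmers and QA staff to think
about, written up as an added example (not from the original advisory):
it decodes the 1234567890 timestamp, shows the two-digit-year rule
behind the Y2K problem, shows what a signed 32-bit time_t does with a
value it cannot hold, and scans a constructed source snippet for
hard-coded timestamps that could be leftover test hooks.

```python
import re
import struct
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1  # last second a signed 32-bit time_t can represent

# Boundary values a time-handling test suite should cover.  Constructed for
# this example; 1234567890 is the timestamp the advisory discusses.
BOUNDARY_TIMESTAMPS = {
    "advisory_example": 1234567890,   # 2009-02-13 23:31:30 UTC
    "y2k_rollover": 946684800,        # 2000-01-01 00:00:00 UTC
    "int32_last_second": INT32_MAX,   # 2038-01-19 03:14:07 UTC
    "int32_overflow": INT32_MAX + 1,  # does not fit a signed 32-bit time_t
}

# Constructed source snippet standing in for a code base under review.
SAMPLE_SOURCE = """
if (now == 1234567890) { enable_debug_menu(); }   /* leftover QA hook */
#define LICENSE_EXPIRES 2147483647
int retries = 3;
"""


def posix_to_utc(ts):
    """Decode a POSIX timestamp into a (Y, M, D, h, m, s) tuple in UTC."""
    d = datetime.fromtimestamp(ts, tz=timezone.utc)
    return (d.year, d.month, d.day, d.hour, d.minute, d.second)


def wrap_to_int32(ts):
    """What a signed 32-bit time_t does with a value that does not fit:
    the bit pattern is reinterpreted, so 2**31 becomes a date in 1901."""
    return struct.unpack("<i", struct.pack("<I", ts & 0xFFFFFFFF))[0]


def two_digit_year(yy, pivot=69):
    """POSIX %y rule: 69-99 map to 19xx, 00-68 to 20xx.  Code that simply
    prefixed '19' is the Y2K defect the advisory recalls."""
    return 1900 + yy if yy >= pivot else 2000 + yy


def check_timestamp(ts):
    """Report whether ts fits a signed 32-bit time_t and what a 32-bit
    system would actually decode it as."""
    fits = -2**31 <= ts <= INT32_MAX
    seen_as = ts if fits else wrap_to_int32(ts)
    return {"fits_int32": fits, "utc": posix_to_utc(ts),
            "int32_decodes_to": posix_to_utc(seen_as)}


def find_hardcoded_timestamps(source, lo=946684800, hi=INT32_MAX):
    """Flag 9-10 digit integer literals that decode to plausible POSIX times
    between lo and hi: candidates for forgotten test hooks or expiry dates."""
    hits = []
    for m in re.finditer(r"\b(\d{9,10})\b", source):
        value = int(m.group(1))
        if lo <= value <= hi:
            hits.append((value, posix_to_utc(value)))
    return hits


if __name__ == "__main__":
    for name, ts in BOUNDARY_TIMESTAMPS.items():
        print(name, check_timestamp(ts))
    print(find_hardcoded_timestamps(SAMPLE_SOURCE))
```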
2.5 Google Demonstrates Risk of Filtering Systems
Over the weekend it has been hard to avoid the news that Google
inadvertently marked the whole Internet as dangerous ("may harm your
computer"), or at least that was what search results were returning.
What had happened, according to Google, was that the filtering list
being used to identify which sites are malicious had accidentally
included a wildcard operator. The inclusion of the '/' entry meant
that, with the system Google has implemented, all URLs on the web were
inadvertently identified as malicious.
There was initial confusion about where the error had been introduced,
with initial reporting suggesting that it had originated with
stopbadware.org, which is the non-profit that Google works with to
build their list of potentially malicious sites. While both Google and
StopBadware have issued statements, there is still some ambiguity as
to where the error was introduced. The consensus is that it was
introduced at Google, and the sharing of information with StopBadware
was just the normal data exchange.
Many people have for the first time seen the problems that occur when
an over-relied-upon filtering system breaks down. It doesn't matter
whether the systems are proactive or reactive in their operation;
similar problems plague both types. This recent case shows what can
happen when a simple human error occurs, but there is also criticism
of the technologies that operate these systems.
Even after the systems were repaired (total exposure was about an hour
in the worst cases), there were still false positives that littered
the system. If sites like BitDefender.com are listed as malicious,
even temporarily, then how can the full system be trusted to be
accurate on an unknown site?
Probably the best way to approach it is to treat the Internet and
malicious site identification systems like Antivirus applications.
Most of the time, they will work as advertised, helping identify the
most common malicious sites, but there will always be a lag between
when malicious data challenges users, and when detection picks it up.
There will also always be a defined and present risk of false
positives, otherwise innocent sites and data misidentified as
malicious. Use of these systems is recommended, with the caveat that
nothing can trump common sense and careful Internet use. At the end of
the day, even a trusted, trustworthy site can be compromised in a
heartbeat, so users should always apply caution on the Internet.
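How a single catch-all entry like '/' ends up flagging every URL, and the
two deployment checks that would have caught it (rejecting entries with no
host, and refusing a list that flags known-good canary URLs), as an added
example that is not Google's or StopBadware's code. The host-suffix /
path-prefix matching, the sample entries and the canary URLs are all
constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed blocklist: the bare "/" entry mirrors the catch-all that, per
# the advisory, caused every URL to be flagged.  Domains are made up.
SAMPLE_ENTRIES = ["/", "badsite.example/download/", "evil.example"]

# Constructed canary set: known-good URLs a deployment check must never flag.
CANARY_URLS = ["https://www.example.com/", "http://news.example/story/1"]


def parse_entry(entry):
    """Split an entry into (host_suffix, path_prefix).  'evil.example'
    becomes ('evil.example', '/'); a bare '/' becomes ('', '/')."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path


def matches(rule, url):
    """Host-suffix / path-prefix match.  An empty host suffix applies to
    every host, which is exactly how a bare '/' flags the whole web."""
    host_suffix, path_prefix = rule
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    host_ok = (host_suffix == "" or host == host_suffix
               or host.endswith("." + host_suffix))
    return host_ok and path.startswith(path_prefix)


def is_flagged(rules, url):
    """True if any rule in the loaded list matches the URL."""
    return any(matches(rule, url) for rule in rules)


def load_naive(entries):
    """What went wrong: every entry is accepted exactly as supplied."""
    return [parse_entry(e) for e in entries]


def load_checked(entries, canaries=CANARY_URLS):
    """Hardened loader: drop rules with no real host, then refuse the whole
    list if it flags any canary URL.  Returns (rules, rejected_entries)."""
    rules, rejected = [], []
    for entry in entries:
        host_suffix, path_prefix = parse_entry(entry)
        if host_suffix == "" or "." not in host_suffix:
            rejected.append(entry)  # would match every site on the web
            continue
        rules.append((host_suffix, path_prefix))
    hits = [u for u in canaries if is_flagged(rules, u)]
    if hits:
        raise ValueError("blocklist flags known-good URLs: %s" % hits)
    return rules, rejected


if __name__ == "__main__":
    print("naive flags example.com:",
          is_flagged(load_naive(SAMPLE_ENTRIES), "https://www.example.com/"))
    rules, rejected = load_checked(SAMPLE_ENTRIES)
    print("rejected entries:", rejected)
```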
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.