From alertmailinglist at skiifwrald.com Sat Jul 18 02:09:33 2009
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Fri, 17 Jul 2009 20:09:33 +0400
Subject: [Sunnet Alert] Advisory #268 - Microsoft (Multiple), Multiple News
Message-ID: <6A848E8A-DA0A-4385-B09E-CB00DA4BE643@beskerming.com>

Sünnet Beskerming Alert List Advisory #268

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 4 days
======================================
/*
- Remote or Local - Can it be achieved through a network, or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Dealing With People Who Avoid Restrictions
2.2 Learning Information Handling Lessons From Celebrity Tragedy
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows (DirectX, Embedded OpenType font engine), Internet Explorer (ActiveX kill bits), Publisher, ISA Server 2006, Virtual PC / Virtual Server

-- Technical Description --
MS09-028 - DirectX. Arbitrary code execution. Replaces MS08-033 and MS09-011. Critical
MS09-029 - Embedded OpenType font engine. Arbitrary code execution. Replaces MS06-002. Critical
MS09-030 - Publisher. Arbitrary code execution. Important
MS09-031 - ISA Server 2006. Privilege escalation. Important
MS09-032 - ActiveX kill bits. Arbitrary code execution. Critical
MS09-033 - Virtual PC / Virtual Server. Privilege escalation. Important

-- Description --
Six new patches were released with Microsoft's July patch release. Three have been rated Critical and the remaining three Important. Every vulnerability patched in this month's release is either an arbitrary code execution or a privilege escalation vulnerability. It should be noted that two of the Critical patches (DirectX and ActiveX, MS09-028 and MS09-032) have had attacks targeting at least some of the patched vulnerabilities ahead of patch release. Note also that a kill-bit update such as MS09-032 only stops Internet Explorer from instantiating the listed controls; it does not remove or repair the vulnerable components themselves.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
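As an added example (not part of the original advisory, and not Microsoft's own tooling), the following PowerShell script lets an administrator confirm that a kill bit is actually in place for a given control before and after a kill-bit update such as MS09-032 is deployed. The mechanism it reads is the documented one: a DWORD value "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with the 0x400 bit meaning the control is killed. The CLSID in the example call is a placeholder, not one taken from the bulletin; substitute the CLSIDs the bulletin lists.

```powershell
# Added example: verify (and optionally set) Internet Explorer ActiveX kill bits.
# Registry layout: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
#   "Compatibility Flags" (DWORD) - bit 0x400 set => the control is killed.
# On 64-bit Windows the 32-bit Internet Explorer reads the Wow6432Node view,
# so both views are checked and set.

$KillBitFlag = 0x400

function Get-KillBitPaths {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # Presence of Wow6432Node is used as the 64-bit indicator (works on PowerShell 2.0).
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Test-KillBit {
    # Emits one object per registry view. Killed is $true only when the 0x400 bit is set;
    # a missing key or missing value means the control is NOT killed in that view.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        $flags = $null
        if (Test-Path $path) {
            $item  = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($item -ne $null) { $flags = [int]$item.'Compatibility Flags' }
        }
        $killed = ($flags -ne $null) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
        New-Object PSObject -Property @{
            Clsid  = $Clsid
            Path   = $path
            Flags  = $flags
            Killed = $killed
        }
    }
}

function Set-KillBit {
    # Sets the 0x400 bit while preserving any other compatibility flags already present.
    # Requires an elevated session; a kill bit does not remove the vulnerable DLL.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    foreach ($path in Get-KillBitPaths -Clsid $Clsid) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        $existing = 0
        $item = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($item -ne $null) { $existing = [int]$item.'Compatibility Flags' }
        $newFlags = $existing -bor $KillBitFlag
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $newFlags -Type DWord
    }
}

# Placeholder CLSID for illustration only (assumption); use the CLSIDs from the bulletin.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Test-KillBit -Clsid $clsid | Format-Table Clsid, Path, Flags, Killed -AutoSize
# To apply: Set-KillBit -Clsid $clsid ; then re-run Test-KillBit to confirm Killed is True.
```

Reading the bit back after the update is worth the few seconds it takes: a CLSID that is missing from either registry view is still loadable by the corresponding Internet Explorer build, and because the kill bit only stops Internet Explorer from instantiating the control, the underlying component remains on disk for any other host to load until the component itself is patched.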
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-028.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-029.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-030.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-031.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-033.mspx

-- External Tracking Data --
CVE-ID: CVE-2009-1537 (MS09-028)
CVE-ID: CVE-2009-1538 (MS09-028)
CVE-ID: CVE-2009-1539 (MS09-028)
CVE-ID: CVE-2009-0231 (MS09-029)
CVE-ID: CVE-2009-0232 (MS09-029)
CVE-ID: CVE-2009-0566 (MS09-030)
CVE-ID: CVE-2009-1135 (MS09-031)
CVE-ID: CVE-2008-0015 (MS09-032)
CVE-ID: CVE-2009-1542 (MS09-033)

-- Threat Matrix --
             U   O
Home User   10  10 (Highly Critical)
Corporate   10  10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Dealing With People Who Avoid Restrictions

Whenever restrictions are imposed on people, stopping them from carrying out certain activities or limiting their access to information, there will always be a portion of the population that goes out of its way to avoid and defeat those mechanisms in order to reach what is being blocked. Sometimes this is done out of necessity: the blocks really are a hindrance to work or other activities that the person needs to carry out. Other times it is done out of ignorance of the new, accepted procedures; people are comfortable with their old ways and will work a little harder to place themselves in a position where they can still do what they used to.
The riskiest cases are those where it is done out of malicious intent, purely to prove that the system can be defeated, or where users suspect that the newer restrictions are not as useful as they could be but are afraid to approach the network administrators and state their case effectively. Corporate network administrators face problems like this daily, encountering users from each group who run head first into restrictions on approved applications, approved and blocked websites, and approved email usage.

The wrong response is to tighten the restrictions further. That will push some casual by-passers into the camp of the willful by-passers and will do nothing to dissuade those who are already willful. The casual by-passers, and those who needed to bypass the blocks, who give up as a result will be outnumbered by those who now bypass the restrictions deliberately. Some workplaces choose to punish anyone working around the restrictions, irrespective of the reason, and this can lead to resentment and distrust between frustrated users and the network gatekeepers.

There are cases in other domains that mirror what happens with network restrictions. With the increased concern about the spread of H1N1 influenza, some countries are using body heat scanners at points of entry to identify passengers who might be running a fever, as an early indicator of possible influenza infection. On the surface this sounds like a reasonable step, and it can help rapidly sort incoming individuals into categories where it might be worth taking a closer look to confirm or rule out H1N1 infection. Because it is a potential barrier to entering a country, it is a restriction that is causing people to seek a way around it.
Vietnam recently reported that some incoming passengers were taking fever reducers and passing the body heat scan despite actually being infected with H1N1. Just as a disaffected user introducing non-approved network hardware, or potentially malicious storage devices or software, into a corporate system creates a security risk for the wider user base, an ill person defeating the temperature scanner introduces a health risk to the wider population.

How do you handle such cases? Banning the use of relief medication by an affected individual isn't going to work, yet this is the path many network administrators take when dealing with users who have bypassed network restrictions: it just forces people to take more extreme steps than are really necessary. Nor can you always rely on people to tell the truth when questioned, especially when the truth might jeopardise a holiday they have already begun and almost reached. The fear of losing such an investment of time and money over something that feels like a cold will not be well received, particularly so close to the destination.

Sometimes that is what has to be done: each case investigated individually and appropriate remedial action taken. Most cases investigated should amount to nothing (though with an excellent first filter the proportion that are significant will rise), allowing resources to be dedicated to the cases that actually matter. Applying this approach to network security can ease perceived restrictions for the majority of users while still managing and acting on the significant breaches of policy. Demonstrating a well-run and well-managed set of restrictions makes users more comfortable living within the boundaries set, and more comfortable approaching administrators on the occasions when the restrictions genuinely need to be bypassed.
Not everyone will be able to have such a system, but every step towards one benefits end users and administrators alike. Such systems, whether network restrictions or body temperature scanners, need to be monitored and continually improved to demonstrate that they are not just for show and are actually effective (at least partially) at what they claim to do.

2.2 Learning Information Handling Lessons From Celebrity Tragedy

In the space of a week and a half the world has lost several major celebrities, with Billy Mays, Farrah Fawcett, Ed McMahon, and Michael Jackson all passing away. Although each passing is tragic, it is the sudden death of Michael Jackson that has had the greatest effect on the online world, though there are reports that the other deaths have also been used in online scam attempts.

Jackson's unexpected death demonstrates the power that "non-reputable sources" can have in breaking and following important news that is normally ignored until a more "reputable" source picks it up. The Internet may make it possible for anyone to have a voice, but carrying authority and reputation with that voice still takes time and effort. Michael Jackson's passing was first identified and reported by TMZ; the "reputable" news agencies and sources were much slower to pick up the story and run with it. One of the primary reasons is that they had far more reputation and authority at stake if they ran with a potentially inaccurate story, especially one that would be damaging if wrong. When everyone on the Internet is able to visit the originating source directly, delaying coverage of his death results in lower overall readership of their own coverage of the story.
Savvy online users and the skeptical will still try to get independent validation of a breaking story, something that came with time even though many of the early 'reputable' stories were derived almost exclusively from TMZ material. This sudden rush of Internet users seeking independent validation within a very narrow timeframe led to some interesting side effects for Google and the major news sites. At Google the massive wave of traffic was initially identified as an attack, so accurate results were withheld for a short period while Google's defences were activated to deal with the significant but legitimate traffic flow.

Twitter was another service that struggled to cope with the increased traffic that followed Jackson's death. Various elements and features of the service were temporarily disabled so that it could carry the messages its users were creating. Reportedly this was in the vicinity of 66,000 messages per hour, but that figure seems extremely low. If the service struggles at 1,100 messages per minute, it needs to be re-engineered to carry more capacity if it is going to have wider appeal and usefulness. Sites that relied on third-party advertising hosting found that serving the external ads was causing bottlenecks when serving news reports, so much so that the overall sites appeared unresponsive even though the sites themselves were still responsive and fully functional.

Not only were the mainstream "reputable" media sites and sources scooped by a non-traditional source and means, but there are questions about the appropriateness of media organisations self-censoring material that would normally be published. When that material is suppressed because it pertains to a reporter they employ, it leads to accusations of double standards from external observers.
Not only was news of the reporter's kidnapping suppressed from traditional media sources, but an active and successful campaign was led to keep the information off Wikipedia, where the reporter already had a page describing their life and employment. Critics of Wikipedia have seized on this as a clear example of how Wikipedia is not the neutral, freely-editable source of information it claims to be: political and commercial interests can trump the efforts of contributors to improve the usefulness and accuracy of the site.

Even though each of the situations described above took place recently, it is not quite yet the case that people can claim "The Emperor has no clothes", but it is beginning to look that way. How each situation came about and was resolved should provide lessons to the companies and organisations involved, helping them provide better results the next time something similar happens; otherwise they will find themselves with no clothes.

=======================================
Sincerely,
Sünnet Beskerming Team
info at beskerming.com
Sünnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sünnet Beskerming Pty. Ltd. **
Established in mid 2004, Sünnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sünnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.