[Sunnet Alert] Advisory #268 - Microsoft (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Sat Jul 18 02:09:33 EST 2009
Sûnnet Beskerming Alert List Advisory #268
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 4 days
======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Dealing With People Who Avoid Restrictions
2.2 Learning Information Handling Lessons From Celebrity Tragedy
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows, Excel, Wordpad, Internet Explorer, ISA Server
-- Technical Description --
MS09-028 - DirectX. Arbitrary code execution. Replaces MS08-033 and
MS09-011. Critical
MS09-029 - Embedded OpenType. Arbitrary code execution. Replaces
MS06-002. Critical
MS09-030 - Publisher. Arbitrary code execution. Important
MS09-031 - ISA Server 2006. Privilege Escalation. Important
MS09-032 - ActiveX killbits. Arbitrary code execution. Critical
MS09-033 - Virtual PC / Virtual Server. Privilege escalation. Important
-- Description --
Six new patches were released with Microsoft’s July patch release.
Three have been rated Critical and the remaining three Important. All
of the vulnerabilities patched with this month’s release are either
arbitrary code execution or privilege escalation vulnerabilities. Two
of the Critical patches (DirectX and ActiveX, MS09-028 and MS09-032)
address vulnerabilities that were already being attacked in the wild
before the patches were released, so these two should be prioritised.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-jul.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-028.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-029.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-030.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-031.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-033.mspx
-- External Tracking Data --
CVE-ID: CVE-2009-1537 (MS09-028)
CVE-ID: CVE-2009-1538 (MS09-028)
CVE-ID: CVE-2008-1539 (MS09-028)
CVE-ID: CVE-2009-0231 (MS09-029)
CVE-ID: CVE-2009-0232 (MS09-029)
CVE-ID: CVE-2009-0566 (MS09-030)
CVE-ID: CVE-2009-1135 (MS09-031)
CVE-ID: CVE-2008-0015 (MS09-032)
CVE-ID: CVE-2009-1542 (MS09-033)
-- Threat Matrix --
                 U    O
Home User       10   10   (Highly Critical)
Corporate       10   10   (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Dealing With People Who Avoid Restrictions
Whenever restrictions are imposed on people, stopping them from
carrying out certain activities, or trying to restrict their access to
information, there will always be a portion of the population that
goes out of their way to avoid and defeat these mechanisms in order to
access what is being blocked.
Sometimes this is done out of necessity: in these cases the
restrictive blocks genuinely hinder the work or other activities that
people need to carry out.
Other times it is being done out of ignorance of the new, accepted
procedures. People are happy with their old ways and will work a
little bit harder at placing themselves in a position where they can
still do what they used to.
The riskiest cases are those done out of malicious intent, done only
to prove that the system can be defeated, or done because users
believe the newer restrictions are less useful than they could be yet
are afraid to approach the network administrators and state their case
effectively.
Corporate network administrators face problems like this on a daily
basis, encountering users from each group who run head first into the
restrictions on approved applications, approved websites, blocked
websites, and approved email usage. The wrong response is to tighten
the restrictions further: it will drive some of the casual by-passers
into the camp of the willful by-passers and will do nothing to
dissuade those who are already willful. The casual by-passers and
those with a genuine need who give up as a result will be outnumbered
by those who now bypass the restrictions intentionally.
Some workplaces choose to punish those working around the
restrictions, irrespective of the actual reason for doing so, and this
can lead to resentment and distrust between the frustrated users and
the network gatekeepers.
There are cases in other domains that mirror what goes on with network
restrictions. With the increased concern about the spread of H1N1
influenza, some countries are using body heat scanners at points of
entry to scan for passengers who might be running a fever as an early
indication of possible influenza infection. On the surface it sounds
like a reasonable step to take and can help rapidly sort incoming
individuals into categories where it might be worth taking a closer
look at their condition to confirm the presence or lack of H1N1
infection.
As this is a potential barrier to entry to a country, it is a
restriction that is causing people to seek a way around it. Vietnam
recently reported that some incoming passengers were using fever
reducers that resulted in them passing the body heat scan despite
actually being infected with H1N1.
Just like a disaffected user introducing non-approved network hardware
or potentially malicious storage devices or software into a corporate
system, an ill person avoiding the body temperature scanner is
introducing a potential health risk to the wider population (or a
security risk to the wider user-base).
How do you handle such cases?
Banning use of relief medication by an affected individual isn't going
to work, though this is the path that many network administrators take
when dealing with users who have bypassed network restrictions. It
just forces people to take steps that are more extreme than really
necessary.
You can't always rely upon people to tell you the truth when
questioned, especially when the truth might jeopardise a holiday that
they have already commenced and have almost reached. Losing such an
investment of time and money over something that feels like a cold is
not a prospect people accept readily, especially when they are so
close to their destination.
Sometimes, though, that is what has to be done: each case investigated
individually and appropriate remedial action taken. Most cases
investigated should amount to nothing (though with an excellent first
filter the proportion that do amount to something will rise), allowing
resources to be dedicated to the cases which are actually significant.
Applying this approach to network security can ease the perceived
restrictions for the majority of users while still managing and
actioning those cases that are significant breaches of policy. A
well-run and well-managed set of restrictions makes users more
comfortable working within the boundaries set, and more willing to
approach administrators on the occasions when the restrictions need to
be bypassed.
Not everyone is going to be able to have such a system, but every step
towards such a system is going to be of benefit to the end users and
administrators alike. Such systems, both network and body temperature
scanners, need to be monitored and continually improved upon to
demonstrate that they aren't just for show and are actually effective
(at least partially) at what they claim to be doing.
2.2 Learning Information Handling Lessons From Celebrity Tragedy
In the space of a week and a half the world has lost some major
celebrities, with Billy Mays, Farrah Fawcett, Ed McMahon, and Michael
Jackson all passing away. Although each passing is tragic, it is the
sudden death of Michael Jackson that has had the most effect on the
online world, though there are reports that the deaths of the others
have also led to online scam attempts.
Jackson's unexpected death demonstrates the power that "non-reputable
sources" can have in being able to break and follow important news
that is normally ignored until a more "reputable" source picks it up.
The Internet may make it possible for anyone to have a voice, but it
also means that carrying authority and reputation with that voice
still takes time and effort. Michael Jackson's passing was first
identified and reported on by TMZ; the "reputable" news agencies and
sources were much slower to pick up the story and run with it. One of
the primary reasons is that they had a much stronger reputation and
weight of authority to risk by running with a potentially inaccurate
story, especially one that could be damaging if it turned out to be
wrong. When everyone on the Internet is able to visit the originating
source site, the decision to delay coverage of his death can result in
lower overall readership of their particular coverage of the story.
Savvy online users and the skeptical will still try to get independent
validation of the breaking story, something that came with time even
though many of the early 'reputable' stories were derived almost
exclusively from TMZ material. This sudden rush of Internet users
seeking out independent validation in a very narrow timeframe led to
some interesting side effects for Google and major news sites.
Google's side effect was that the massive wave of traffic was
initially identified as an attack and so accurate information was
withheld for a short period while Google's defences were activated to
deal with the significant but legitimate traffic flow.
Twitter was another service which found itself struggling to cope with
the increased traffic that came as a result of Jackson's death.
Various elements and features of the service were temporarily disabled
to allow it to carry the messages being created by its users.
Reportedly this was in the vicinity of 66,000 messages per hour, but
that figure seems extremely low. If the service is going to struggle
on 1,100 messages per minute, then it needs to be re-engineered to be
able to carry more capacity if it is going to have wider appeal and
usefulness.
Sites that were reliant upon third party advertising hosting found
that serving the external ads was causing bottlenecks when serving up
news reports, so much so that it made the overall sites seem
unresponsive, despite the site itself still being responsive and fully
functional.
Not only were mainstream "reputable" media sites and sources scooped
by a non-traditional source and means, but there are questions about
the appropriateness of media organisations self-censoring material
that would normally be published.
When that material is suppressed because it pertains to a reporter
that they employ, it leads to accusations of double standards from
external observers.
Not only was news of the reporter's kidnapping suppressed from
traditional media sources, but an active and successful campaign was
led to keep the information suppressed from Wikipedia, where the
reporter already had a page describing their life and employment.
Critics of Wikipedia have seized on this as a clear example of how
Wikipedia is not the neutral, freely-editable source of information it
claims to be. Political and commercial interests can trump the efforts
of contributors to improve and enhance the usefulness and accuracy of
the site.
Even though each of the situations described above took place
recently, it isn't quite yet the case where people can claim that "The
Emperor has no clothes", but it is beginning to look that way. How
each situation came about and was resolved should provide lessons to
the companies and organisations involved to help them provide better
results the next time something similar takes place or else they will
find themselves with no clothes.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.