[Sunnet Alert] Advisory #267 - Microsoft (Multiple), Safari, Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Fri Jun 12 12:43:09 EST 2009
Sûnnet Beskerming Alert List Advisory #267
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Once you've had a chance to read through this advisory, come back and
answer the following question.
Did you like the timeliness of the advisory?
Our premium subscribers get this sort of service on every advisory -
same day coverage of security discoveries and full details on all
external tracking data that we have discovered, to help keep you
informed and form a well-rounded opinion and assessment of the risk to
you, your systems, and your data.
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
1.2 Safari (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Dealing With Disasters - Not Being Afraid of a Sick Pig
2.2 Pace Moves to Suppress Reverse Engineering Discussion
2.3 Challenging Security Researchers and Coming off Second-Best
2.4 Claims of T-Mobile Hack Raise More Questions Than Answers
2.5 T-Mobile Responds to Hack Claims - Nothing to See, Please Move On
2.6 Critique of Apple's Security Stance Nothing New - But Still
Worthwhile
2.7 Microsoft Money Joins Encarta on the Scrapheap
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows
Office
Internet Explorer
IIS
Word
-- Technical Description --
MS09-018 - Windows. Remote code execution and Denial of Service.
Replaces MS08-060 and MS08-035. Critical
MS09-019 - Internet Explorer cumulative Update. Multiple remote code
execution vulnerabilities. Replaces MS08-014. Critical
MS09-020 - IIS. Privilege Escalation. Important
MS09-021 - Office. Multiple remote code execution. Replaces MS-009,
MS08-057, MS08-074. Critical
MS09-022 - Windows. Remote code execution and others. Replaces
MS07-021. Critical
MS09-023 - Windows Search. Information Disclosure. Moderate
MS09-024 - Works converters. Code execution. Replaces MS08-072.
Critical
MS09-025 - Windows Kernel. Multiple Privilege Escalation. Replaces
MS09-006. Important
MS09-026 - Windows. Remote code execution. Replaces MS07-058. Important
MS09-027 - Word. Multiple remote code execution vulnerabilities.
Replaces MS08-072. Critical
-- Description --
Microsoft has released ten patches for June, along with the remaining
updates for MS09-017 (effectively making it eleven patches). The
patches include several critical updates for Windows, a cumulative
update for Internet Explorer, and a patch for a recently disclosed
IIS privilege escalation vulnerability. Six patches were rated as
Critical, three as Important, and the final patch as Moderate.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-019.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-021.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-022.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-023.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-024.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-025.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-026.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-027.mspx
-- External Tracking Data --
Upgrade to get details
-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)
1.2 Safari - Remote Hacker Automatic Control
-- Products Affected --
Safari 3.x
Safari 4.0 Beta
-- Technical Description --
CFNetwork - Multiple vulnerabilities leading to code execution or
information disclosure.
CoreGraphics - Multiple vulnerabilities leading to code execution.
ImageIO - PNG handling flaw leading to arbitrary code execution and
denial of service.
International Components for Unicode - XSS due to poor filtering of
Unicode
libxml - Multiple vulnerabilities leading to code execution
Safari - Possible information disclosure due to poor handling of
privacy related material and possible code execution.
WebKit - Multiple vulnerabilities, leading to remote code execution
in the worst case.
-- Description --
Apple have released version 4 of their web browser, Safari,
addressing numerous serious vulnerabilities across both OS X and
Windows platforms. Due to the critical nature of the vulnerabilities
patched, it is considered extremely important that the update is
applied at the earliest possible opportunity.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://support.apple.com/kb/HT1222
-- Updates Available --
http://www.apple.com/support/downloads/
-- External Tracking Data --
Upgrade to get details
-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Dealing With Disasters - Not Being Afraid of a Sick Pig
A holistic approach to Information Security takes into consideration
more than just electronic assets and elements. Social engineers, for
example, rely upon exploiting people to gain access to what they are
after. Another non-electronic element is Disaster Recovery and all of
the associated crisis management that comes with it.
Winter is less than a week away for countries in the Southern
Hemisphere, and along with the cold weather comes cold and flu season.
Every year companies are placed under strain as whole sections of
their workforce fall ill or are forced to take time off work to care
for family members who are ill. This can lead to real losses of
efficiency and productivity, but it is next to impossible to actually
predict who is more likely to become ill, and what areas of business
are going to suffer the most.
This year swine flu has seen more people than ever concerned about the
slightest sniffle and cough and, so far, it hasn't affected enough
people worldwide to differentiate it significantly from normal
influenza. Widespread publicity and government action to help slow the
spread of infection have many hoping that it is nothing more than a
scare, and will not be the next Spanish Influenza (which was also a
swine flu originating from the Americas). The low percentages of
people infected, compared to the overall population, seem to support
this argument. Given that an infectious person can travel around the
globe before symptoms present, the slow spread of swine flu is further
reinforcement for those hoping that it is not going to be a
significant problem.
That has been the case up to now. With the flu season getting into
full swing in the Southern Hemisphere, the doubling of swine flu cases
overnight in Australia might be enough to give people some pause. Even
though the total number of infected people is less than 150 (at the
time of writing), the scare amongst some people is that this could be
the first real sign of an exponential growth in the numbers of
infected people. Others are less concerned.
Whether the rate of growth is exponential or linear doesn't really
matter; a range of actions are under way in the community that are
going to force businesses to begin looking at maintaining operations
on reduced staffing levels. Various schools have been closed (and some
are now reopening), there are people and families all over the country
entering into a 'stay-at-home' isolation, and there is the chance that
all passengers on a cruise ship in Australian waters will be placed
into isolation.
If you or your workplace don't have a Disaster Recovery plan in place,
then now would be a good time to look at making one. The biggest
problem that this flu season presents, even if swine flu is no worse
than a normal flu, is in dragging away a significant percentage of
employees for a week to two weeks at a time, even if they are
completely healthy.
Can your business continue to operate with 10%, 20%, 30% of employees
away from work? Are there any localised points of vulnerability where
the loss of one or two key individuals will bring productivity to a
halt? Can your business survive on limited or no turnover if all
productivity is ceased? Can your healthy employees at home still carry
out work remotely? If so, how secure is the interconnect with the
workplace? Are you going to risk the security of your data and
business to continue operations because you can't otherwise afford the
productivity loss?
The answers to questions such as these should form the core of your
Disaster Recovery plan. Once the plan is established, you should
review it regularly to ensure the recovery actions and assessed risks
are still relevant. The start of flu season is as good a time as any
to do so.
A doubling of confirmed swine flu cases in 24 hours is significant,
even with small overall numbers of infected individuals. The world
will now be watching Australia to see what could be to come for the
major population centres in the Northern hemisphere when winter next
rolls around.
If it were possible to accurately predict and plan for events before
they take place, there would be no need for Disaster Recovery
planning. Being prepared for disastrous events, with a plan to recover
from them, means that you and your business will come through with
more resilience once normal operations are resumed (and they will be
resumed more quickly). Get some benefit from the increased public
awareness of swine flu and take the opportunity to get your Disaster
Recovery plans sorted out before you actually need to implement them.
2.2 Pace Moves to Suppress Reverse Engineering Discussion
As a follow-on to our post about McAfee pulling content before it
could be read by many, here is a case where a company has taken steps
to unpublish third party information that had already been published.
The Reverse Engineering Mac OS X site was running a series of entries
on reverse engineering / decompiling Pace protected OS X binaries,
only now the entries have been pulled pending threat of litigation
from Pace.
All that had been published to that point had been exploratory posts
probing possible entry points to bypass the Pace binary obfuscation
and protection and recover the binaries to a point where they could be
explored more readily from a better understood point of view. Efforts
from Pace (specifically the InterLok application) to prevent the
attaching of debuggers only drew the reverse engineers in further -
taunting them with a disassembly they couldn't easily accomplish.
This time around, the RSS feed of the Reverse Engineering Mac OS X
site didn't provide the full posted content, so it seemed that the
content posted up to that point had been lost for good - it was
unlikely that it would have been replicated across other sites to any
significant extent.
Since the content had been online for a couple of weeks, webcrawlers
had been able to index the posts and their full content is still
residing in various search engine caches across the Internet.
As the site's operator, fG!, points out: "One thing is certain, you
can't accomplish security by obscurity ! You can't simply stop
knowledge because these days information flows at a bigger rate than
ever. Disclosure is the only way to improve products!", with the
following caution for those trying to reproduce the cached but missing
entries: "About Pace? I'm in contact with their lawyer and I have been
asked to remove all information about this. If you have mirrored the
three Pace posts and code (I'm pretty sure I'm not the only one who
mirrors important info right away) please do not make it publicly
available. Pace will wave you with DMCA and it's not worth the
trouble. Keep it for yourself, please".
Is there enough interest in reverse engineering OS X to generate a
Streisand Effect, or will Pace be successful in seeing this
information banished from the wider Internet?
2.3 Challenging Security Researchers and Coming off Second-Best
Challenging the security community to do something that you are basing
a core part of your business on is always a risky move. It is
something that you really need to get right the first time, or else it
is going to be quite an embarrassing experience and is likely to cost
reputation if news of the defeat is widespread.
A new webmail provider, which has based a core component of their
service offering around offering "The most secure email accounts on
the planet" might have to reconsider both their claims and their
approach after a $10,000 USD challenge to break into a specified email
account was defeated through a series of web based
With a big push of PR highlighting this challenge, it isn't going to
go down well that the breach took place so quickly. Even if there were
restrictive rules in place as to how the attack might be carried out,
this isn't going to stop anyone who is attacking for real from using
whatever means are at their disposal to access their victim's accounts.
From the description of the attacks carried out, the weakness is in
how user credentials and authentication are managed once the user has
logged into the system (based on the described requirement for the
attacker to launch it from a valid account), and the attack relies
upon the victim having scripting enabled in order to work (from an IDG
writeup, it seems that NoScript is enough to prevent the attack from
being functional). This and other Cross Site Scripting flaws allow
credentials to be stolen, and a victim's account to be taken over
completely.
One of the researchers involved with the successful compromise of the
targeted account has indicated that detailed information about the
attack methodology will be released early next week.
Depending on the nature of the attack, this could pose problems for
other service providers that rely upon physically separate channels
for two-factor authentication, particularly in the case where messages
sent to cell phones are used as the second authentication factor (as
it is with this email provider and a number of banks which use it as a
selling point of the security of their services).
2.4 Claims of T-Mobile Hack Raise More Questions Than Answers
Claims have been made by an unknown party that they have compromised
the US cellular network carrier T-Mobile and have managed to extract
all of the corporate data, including databases, confidential
documents, scripts and programs from company servers and full
financial data up to the present time.
Issuing the public announcement over a weekend means that it is going
to take some time for T-Mobile to investigate the claims and make a
formal statement, but already there are elements which suggest scam,
and some which suggest that the material is legitimate.
Leaning towards scam is the claimed ignorance by T-Mobile's
competitors when they were approached with the data the hackers claim
to have. This might just be that the hackers relied upon emails to
reach the competitors, and with the email address pwnmobile at ... they
were likely to end up in the spam bin before anyone would be able to
see the material on offer. There are better ways to reach people than
through unsolicited email, but there are increased risks with taking
this approach.
Previous cases where there have been attempts to sell company secrets,
especially for major public companies, have ended with major law
enforcement attention and the approached company often aiding law
enforcement in stopping the attempt. With greater corporate and public
awareness of data loss and theft, it is more likely in the modern
environment that competitors will call law enforcement and gain
positive PR than to risk prosecution and damages by purchasing their
competitor's secrets.
Leaning towards legitimacy are anonymous online comments from people
claiming to have worked for T-Mobile in the past verifying that at
least some of the details posted correlate with the systems and
servers that they knew existed within the company. The other aspect
which suggests legitimacy is the level of detail in the material
posted, which amounts to a tabulated network description.
So far, based on the table of possible servers, applications, IPs and
locations, there is nothing that can be done to further verify the
accuracy of the claims by this unknown group. Not enough information
is available to say either way, and it is now up to T-Mobile or the
group to release further information that will clarify the situation.
The arguments for an actual compromise are much weaker than the
arguments for it not being real and it is considered much more likely
that it is a hoax.
It doesn't matter which one is actually true at the moment. The very
public offer for sale of the material is going to cause more harm than
good for the group behind it. For the seventh largest
telecommunications provider in the world (Morgan Stanley, 2008), with
32 million customers in the US alone, T-Mobile is a very large target
to be taking on, and the use of an anonymising email service may not
be as secure as the group thinks it is, with Safe-mail keeping their
client data protected up to the point it is necessary to comply with
legal requirements, something that is probably going to happen soon.
It is staggering to think how much data is represented by what the
hackers have claimed and how long it must have taken to exfiltrate
that information from the corporate networks, if the hackers do have
it, all without the awareness of T-Mobile's Information Security staff.
Other claims have been made that the group responsible is the same one
that claimed to have penetrated Checkpoint, extracting the full source
code for VPN1.
At the end of the day it could just be another bit of drama played out
on the Full-Disclosure mailing list, but it could also be the first
public sign of one of the most significant network breaches in recent
history.
2.5 T-Mobile Responds to Hack Claims - Nothing to See, Please Move On
Following on from our recent article on a claimed successful attack
against the telecommunications giant, T-Mobile, it appears that the
situation still remains a little murky, with reports claiming that the
company has both confirmed and denied that a breach took place.
Ignoring for a moment the most recent statements by T-Mobile, the
original claim of a hack seemed to offer tabulated internal network
data as proof of successful compromise of the company. This is the
sort of information that would be easy to extract in a single file,
and is something that would be expected to exist in any non-trivial
network to aid administrators with keeping the network and associated
systems operating smoothly. While having possession of the file
reduces the need for an attacker to manually map out the network, it
isn't something that many would consider overly damaging, especially
if network and system security was robust.
Perhaps if a company had put all of its intrusion detection eggs into
the Network Intrusion Detection basket rather than Host Intrusion
Detection (NIDS rather than HIDS), then possession of this list would
allow an attacker to immediately commence extremely targeted attacks
against single systems, hoping to avoid triggering the NIDS (which
should have triggered on the external access in the first place); such
activity should, however, trigger a properly managed HIDS. The flip
side is that an attacker in possession of a well-enumerated network
map finds it simpler to target systems which might have an unpatched
vulnerability, or which have a degraded HIDS, when their network
mapping activity should have triggered a properly managed NIDS.
A blended approach, with both systems in place and properly managed,
isn't going to be overly threatened by an attacker having possession
of a network map. All it means is that the timeline between initial
contact with the network / company systems and compromise / extraction
of sensitive data is compressed, reducing the available opportunity to
detect, trap and stop the hack and data extraction.
T-Mobile's statements seem to support this point of view,
acknowledging that the information published did exist in a file
(again there are conflicting reports about the validity of this
statement), which has now been identified, and that an investigation
is now ongoing to determine the extent and severity of any breach that
took place.
The downside for external observers is that T-Mobile are not obliged
to make public the results of their internal investigation, and if it
is confirmed that personal data was affected for customers, then it
could take some time for that information to come out. If affected
customers are notified individually, it may never be known just how
significant any breach might have been.
The truth, as in many cases like this, will lie somewhere between the
extremes being put forward (no or minimal hack versus full network
access and compromise), but it is more likely to lie towards a minor
network penetration and data extraction - after all, the information
that was published had to come from somewhere.
It is entirely possible that the information was the result of
improperly disposed of hardware or a lost storage device.
At the least, it put some excitement back into the old Full-Disclosure
mailing list.
A big welcome, by the way, to those reading this article from within
T-Mobile's network. Yes, we know you're there. If you, or any of our
readers would like to get in touch with us, we're always happy to
discuss analysis and material beyond what is published.
2.6 Critique of Apple's Security Stance Nothing New - But Still
Worthwhile
Apple is a company that is notoriously secretive about their internal
security processes and, although they have become more open about
acknowledging the source of bugs reported to them when they fix them,
they remain steadfastly tight-lipped at almost all other times when it
comes to discussing security matters.
That isn't to say that the company doesn't keep on top of what is
going on in the world outside of Apple, nor engage with researchers
and Information Security companies. Despite this, many still hold the
impression that Apple is stand-offish and uncaring / oblivious to the
bugs in their products. For some, this point of view has tainted all
dealings with the company and has seen some researchers publicly
disclose vulnerability information before notifying Apple, whereas
other vendors in the same situation would have been notified ahead of
a co-ordinated or a delayed public release of vulnerability data.
Articles such as this one do little to help commonly held views,
especially when it is picked up and reported as Apple struggling with
security, even if it isn't the complete message of the original article.
Rich Mogull puts forward a reasoned, well-thought out series of
arguments in the original article, but it is nothing new. Nothing that
hasn't already been put forward to Apple, both publicly and privately
many times before. This doesn't mean that making these arguments is
worthless.
It's not.
As Adobe has recently shown (and Microsoft some years before that), it
is possible for a large software company to change how it approaches
Information Security management, patch issuing, and dealing with
security-concerned consumers and Information Security researchers.
Even if Apple do not change their stance based on the most recent
hirings and articles published by concerned Information Security and
Apple system users, continuing to highlight and publicise the
importance of taking these recommended steps keeps the ideas out in
the open and being turned over, ready for a time when they might be
more warmly received within Apple.
2.7 Microsoft Money Joins Encarta on the Scrapheap
Following their decision earlier this year to cut Encarta from their
product line, Microsoft have announced that they will be ceasing
production and sale of Microsoft Money (now Microsoft Money Plus) from
June 30 this year. Affected products are all of the Microsoft Money
family (Essentials, Plus Deluxe, Plus Premium, Plus Home & Business).
Citing increasing competition from banks, brokerage firms, and
websites as viable options for traditional Money customers, Microsoft
stopped providing annual updates last year, and will stop all online
services by January 31, 2011. Reading deeper into the linked FAQ, it
clearly states that Microsoft Money products cannot be activated or
reactivated after January 31, 2011. This means that after that date,
if the system running Microsoft Money is replaced, or the software is
otherwise transferred to a new system, it cannot be activated.
End users purchasing the software between now and the end of the month
need to be aware that the effective life of their software could be
eighteen months, and that they need to have alternate plans for
handling their financial data after that date. If the system running
Microsoft Money continues to operate happily beyond that point, the
loss of online functionality can be largely replaced by manual updates
of tax and stock quote data, but this does limit the effectiveness of
the product.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.