From alertmailinglist at skiifwrald.com Wed May 13 20:16:36 2009
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Wed, 13 May 2009 19:46:36 +0930
Subject: [Sunnet Alert] Advisory #266 - Microsoft PowerPoint, Apple (Multiple), Multiple News
Message-ID: <1C28F3A3-DBC8-4EA1-8282-1E435702CB1B@beskerming.com>

Sûnnet Beskerming Alert List Advisory #266

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates are available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question. Did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft PowerPoint - Remote Hacker Automatic Control - Time Since Discovery - Same day
1.2 Apple (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - Same day

=======================================
/* - Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data? */

--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 What is the Future for File Sharing?
2.2 GeoCities is Dead. Long Live GeoCities
2.3 AutoRun To Be Disabled, But Not Completely
2.4 Borland Acquired, 3D Realms Rumoured Closed, May 6 is a Sad Day for Software
2.5 Devil Is In The Details For May 2009 Microsoft Security Update
2.6 Apple Patches Safari 3 & 4, Releases 10.5.7 Update

=====================================
1. SECURITY

1.1 Microsoft PowerPoint - Remote Hacker Automatic Control

-- Products Affected --
PowerPoint 2000, 2002 (XP), 2003, 2004 (OS X), 2007, 2008 (OS X)
Works 8.5, 9.0

-- Technical Description --
MS09-017 - PowerPoint. Multiple Remote Code Execution. Replaces MS08-051, MS08-052. Critical

-- Description --
Microsoft's patch release for May consists of a single patch, a Critical update for PowerPoint. The patch addresses multiple remote code execution vulnerabilities in several versions of PowerPoint. What has raised eyebrows across the Information Security industry is the decision to release the patch for only some of the affected software versions, leaving OS X and Works users exposed while patches for their platforms are still being prepared.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-may.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx

-- External Tracking Data --
Upgrade to get details

-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)

1.2 Apple (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Safari 3.x
Safari 4.0 Beta
OS X 10.5.x
OS X 10.4.11 (Security Update 2009-002 only)

-- Technical Description --
Apache - Multiple Cross Site Scripting and response injection flaws - Updates to Apache 2.2.11
ATS - Malicious CFF font may lead to arbitrary code execution
BIND - Spoofing attack through DNSSEC - Updates to 9.3.6-P1 / 9.4.3-P1
CFNetwork - Information disclosure and arbitrary code execution
CoreGraphics - Multiple arbitrary code execution risks from malicious PDF file handling, including a JBIG2 arbitrary code execution vulnerability
Cscope - Arbitrary code execution
CUPS - Information disclosure and remote printer control
Disk Images - Multiple arbitrary code execution vulnerabilities
enscript - Multiple arbitrary code execution vulnerabilities - Updates to enscript 1.6.4
Flash Player plug-in - Multiple arbitrary code execution vulnerabilities - Updates to Flash Player plug-in 10.0.22.87 / 9.0.159.0
Help Viewer - Multiple arbitrary code execution vulnerabilities
iChat - Information disclosure (SSL chats downgrade to plaintext)
International Components for Unicode - Cross Site Scripting
IPSec - Multiple denial of service vulnerabilities
Kerberos - Multiple denial of service and arbitrary code execution vulnerabilities
Kernel - Privilege elevation
Launch Services - Repeated denial of service
libxml - Arbitrary code execution
Net-SNMP - Denial of service vulnerability - Updates to 5.4.2.1
Network Time - Spoofing and arbitrary code execution
Networking - System shut down due to network traffic
OpenSSL - Information disclosure
PHP - Multiple arbitrary code execution vulnerabilities - Updates to 5.2.8
QuickDraw Manager - Arbitrary code execution when opening malicious PICT files
ruby - Multiple vulnerabilities - Updates to 1.8.6-p287
Safari - Multiple arbitrary code execution vulnerabilities (10.5 only)
Spotlight - Office file handling could lead to arbitrary code execution
system_cmds - Re-prioritising login command shell
telnet - Denial of service / arbitrary code execution
WebKit - Arbitrary code execution due to handling of SVGList objects
X11 - Multiple FreeType, libpng and xterm vulnerabilities leading to arbitrary code execution - Updates FreeType to 2.3.8 (and then patches it), libpng to 1.2.35

-- Description --
Released at the same time as Microsoft's May Security Patch are a series of patches from Apple. Safari has received a bulk update, for both the 3.x stable line and the Public Beta for 4. Both updates address the same set of underlying vulnerabilities in libxml, Safari, and WebKit, all of which could lead to arbitrary code execution. Also released, and probably of more interest to most users, is Security Update 2009-002, which is also the 7th point release for OS X 10.5. OS X 10.5.7 contains a large number of patches and updates, and is massive. The .6 to .7 updater weighs in at 442 MB, while the Combo Update (from any previous point release of 10.5) is 729 MB.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://support.apple.com/kb/HT1222

-- Updates Available --
http://www.apple.com/support/downloads/

-- External Tracking Data --
Upgrade to get details

-- Threat Matrix --
              U    O
Home User    10   10 (Highly Critical)
Corporate    10   10 (Highly Critical)

=======================================
/* Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical */
=======================================

2.
NEWS

2.1 What is the Future for File Sharing?

From the time that computers first became available to the home hobbyist, there has been file sharing and copyright infringement. What has changed over time is the methods used to share the files. With the rapid growth in the use of the Internet, and the introduction of newer technologies that make the sharing and discovery of files far easier than before, file sharing has come within the reach of the everyday user in a way that could never have been imagined before. In parallel, high profile court cases against site operators have helped keep some of the most popular methods in check over the years.

The most recent high profile file sharing court case, against the operators of The Pirate Bay, already appears to have had some effect on the availability and use of BitTorrent trackers. Despite ongoing argument about the validity of the court case and the sentences handed down, including some spectacular claims of bias and inappropriate conflicts of interest, the current outcome is reported to have seen a number of public and not-so-public BitTorrent trackers voluntarily close. Many of these closures have been of trackers based in Sweden and are likely a direct result of The Pirate Bay's court case. When the largest tracker site on the Internet is successfully prosecuted (pending appeal), it sends a message to similar sites hosted in the same country that they might be next on the target list. With a successful prosecution precedent set, many smaller operators are looking to cut their risk exposure and close down.

Since BitTorrent is a decentralised means of distributing content, the only centralised component being a place to record and point users towards content locations, it probably isn't going to take very long for new trackers to appear and take up some of the slack that The Pirate Bay has now created (despite still being available, just not hosted in Sweden).
New sites are more likely to be private trackers with enforced ratios than high profile sites like The Pirate Bay. Smaller private trackers have always been around and are the means by which many of the most desirable torrents trickle down to the public sites. Because they tend to carry content that is extremely sensitive and close to the original source, are made up of users who are very aware of what their ratios are and how they are tracking, and are where investigators should be focusing their attention, their existence and accessibility are usually a closely guarded secret. This might make it harder for the casual file sharer to access content, but there will always be a way for that information to be had, eventually trickling down.

In the long run there may be some new sources coming online to help access files, but overall there isn't really going to be much of a change. Many of the sites that are closing will probably reappear under a different name, hosted in another country, just that little bit further out of reach of investigators. With the borderless nature of the Internet, this isn't really going to affect end users all that much. Avid file sharers might hope for the day when copyright laws are amended to reflect the modern reality of digital content and the extremely simple bit-perfect duplication of that content, but that isn't likely to happen until the generations that grew up with the Internet and on-tap file sharing take political and business power. Avid file sharers would rather investigators and the various content associations focused on the sources of the leaked content, which more often than not seem to be within those very organisations (or at least their member companies), rather than coming down on the end users who consume it. Attacking the technology used to distribute content, or the sites that point to what is available, isn't going to help in the long run and will only ensure the survival of file sharing, perhaps in a slightly different format.
What technology will emerge to replace BitTorrent as the most popular file sharing method of the next decade isn't known, but it is guaranteed that it will trace the same arc of emergence into popularity and decline into obscurity through prosecution that earlier file sharing technologies have followed.

2.2 GeoCities is Dead. Long Live GeoCities

For many people who came to the Internet in the mid to late 1990s, the personal webpage craze was only just beginning, and there were a handful of stalwart providers that gave budding Internet users all the room they needed for garish colour schemes, poorly designed animated GIFs and all the flashing "under construction" signs they could find. Tripod, Angelfire, and GeoCities were an effective triumvirate of free and nearly free web space providers, encouraging the formation and collection of communities long before the emergence of LiveJournal, MySpace, Blogspot, Facebook, and any number of other online communities that now litter the web.

Part of that history is going to disappear forever before the end of the year, with Yahoo! set to close down GeoCities completely before the end of 2009. With the yet-to-be-dated closure coming up, Yahoo! have now stopped accepting new user accounts on the online community and will be notifying existing users of the various steps they can take if they want to save their site when GeoCities finally closes. One of the options that will be put forward is Yahoo!'s fee-based Web Hosting service, something which may not be acceptable to users who are accustomed to free consumer level services. Angelfire and Tripod continue to offer free services, and for users who wish to keep their sites alive on a part of Internet history, they provide an alternative that originates from the same era as GeoCities.

2.3 AutoRun To Be Disabled, But Not Completely

AutoRun is an innovation that over the years has been both a blessing and a curse for computer users.
The Windows feature that allows software to start automatically when removable media is attached to or inserted into a Windows machine has made life easy for many computer users who would be lost without software to guide them through an installation process or other use of the material on the storage medium. The downside is that, since any software can be run through this capability, it was only a short time before it began being abused for malware installation. While AutoRun has been around for a number of years, it is still being used as part of installers and malware spreading mechanisms even today. Conficker, the worm that has attracted the most attention over the last six months, uses AutoRun to aid its spread, as an alternative infection mechanism to targeting the MS08-067 vulnerability over a network.

Microsoft has recently moved to turn off AutoRun for good, at least for media that isn't optical (of course malware can be placed on CD-R media as easily as on CD-RW). This change is being sold as a means to address changes in the threat landscape, but with AutoRun malware having been around for a number of years, it is the recent spike in popularity of malware using it as an infection route that has led Microsoft to make this decision. It would have been nice for end users if this had been done some years ago, before it became too much of a security problem (Microsoft provides graphs showing a significant uptick over the last 18 months), but at least something is being done, slowly, now. The downside for most users is that this change is arriving in Windows 7 rather than in the current versions, though there are readily available Registry fixes that can disable AutoRun for existing Windows versions. Microsoft has indicated that they are planning to release fixes for Vista and XP to bring this improvement to those systems as well.
Many system administrators have tried to keep AutoRun disabled over the years, but found that patches from Microsoft would strangely re-enable it from time to time. Until Microsoft releases the changes for Vista and XP, there are plenty of sample Registry fixes that can easily be found online and applied to disable AutoRun on these systems in the meantime.

As good as the change seems on the surface, the detailed explanation of what is being done is less promising than it is made out to be. The primary change, modifying AutoPlay to ignore AutoRun information on non-optical media, will prevent the confusion-based social engineering attack that Conficker is currently using, where the AutoRun information is presented identically to a subsequent core Windows option, the only difference being that it appears under "Install or run program" rather than under "General options", which is the core Windows function category. The second part of the change, primarily for optical media, is that the "Install or run program" option is renamed to "Install or run program from your media". With some thumb drives capable of reporting themselves as optical media, and Microsoft's decision to treat such devices as optical media, adding three little words isn't going to stop the infection mechanism that is in use. Microsoft allows some USB mass storage devices to be treated as optical media because this determination is made at the hardware level and should be next to impossible to spoof through the data on the drive. Assumptions like this have been shown to be false in the past, and it is a question of how long it will be before a means to work around this limitation is found, either by introducing a mini-partition on the thumb drive that identifies as optical media, or through some other technique. Keeping this feature around for optical media isn't going to stop malware like the Sony/BMG rootkits that were installed silently from some audio CDs.
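The sample Registry fixes referred to above, as an added example that is not part of the original advisory: a PowerShell script that writes the two Registry settings commonly used to disable AutoRun on XP and Vista, and reports whether both are still in place so the check can be repeated after each patch cycle. The Registry paths, value names and the "@SYS:DoesNotExist" mapping are the standard ones; the function names and the decision to cover optical media as well are this example's own choices.

```powershell
# Added example (not from the advisory): disable AutoRun on existing Windows
# versions (XP / Vista) through the Registry, and report the current state so
# the setting can be re-checked after Windows Update. Run from an elevated
# PowerShell prompt. Function names are this example's own.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

# NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is
# suppressed. 0xFF sets every bit (removable, fixed, network, CD-ROM, RAM disk
# and unknown), so optical media are covered as well as thumb drives.
$AllDriveTypes = 0xFF

# Pointing the Autorun.inf INI mapping at a Registry key that does not exist
# makes Windows ignore the contents of every autorun.inf it reads, regardless
# of what the drive reports itself as.
$NullMapping = '@SYS:DoesNotExist'

function Get-AutoRunState {
    # Returns an object describing both settings; $null fields mean "not set".
    $mask = (Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $map = $null
    if (Test-Path $IniMapKey) {
        $map = (Get-ItemProperty -Path $IniMapKey).'(default)'
    }
    $maskCoversAll = (($mask -band $AllDriveTypes) -eq $AllDriveTypes)
    New-Object PSObject -Property @{
        NoDriveTypeAutoRun = $mask
        AutorunInfMapping  = $map
        FullyDisabled      = ($maskCoversAll -and ($map -eq $NullMapping))
    }
}

function Disable-AutoRun {
    # The policy key is absent on a machine that Group Policy has never touched.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun `
        -Value $AllDriveTypes -Type DWord

    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value $NullMapping
}

# Usage: apply, then confirm. Re-run Get-AutoRunState after a patch cycle to
# catch the re-enabling behaviour administrators have reported.
Disable-AutoRun
Get-AutoRunState | Format-List
```

The HKLM policy value takes precedence over the per-user copy under HKCU, so one write covers every account on the machine. Both settings are kept because each addresses a different failure: the drive-type mask is the setting Microsoft's own updates have historically overwritten, while the INI mapping neutralises autorun.inf even on a device that presents itself as optical media, which the mask alone would not do if a future change re-enabled AutoRun for that drive type.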
What Microsoft's change will do is severely limit the usefulness of USB devices like photo frames, thumb drives, cameras, CF cards, and some external hard drives for the average user. Time will be the true test of whether the computer skills of the average user have improved to the point that disabling AutoRun isn't going to hinder their normal use of a system.

2.4 Borland Acquired, 3D Realms Rumoured Closed, May 6 is a Sad Day for Software

It has long been joked that "Forever" is how long it would take for Duke Nukem Forever to be released. Famous as probably the longest running unreleased in-development software title in existence (first announced in 1997), Duke Nukem Forever may have suffered a terminal blow with the reported closure of 3D Realms, the developer of the title-in-waiting and successor to the ever-popular Duke Nukem 3D. Before fans of the Duke cry in despair, it pays to look at just what is contained in the available news about the supposed closure. All available reports at the time of writing cite a single Shacknews article as the source for this information. Links to a claimed announcement on the 3D Realms forums cannot be reached, which leaves the news as a single-source, uncorroborated report. This doesn't mean that it is untrue, but without the forums to provide at least some sort of corroboration, it is a speculative claim based on private reporting. It is strange that, for news of such magnitude, no formal press release has been issued by either 3D Realms or Take Two, and there is certainly nothing on the front pages of either company's site at this time. Press releases are present that are dated after the apparent leaking of the news, so it is possible that the whole thing is a hoax. On the other hand, the news may be under embargo until a certain time and date, and the leak may be verified in the near future.
3D Realms, apparently, is still hiring, something that a closed company wouldn't be expected to do. The soap opera that has been the development of Duke Nukem Forever seems to have taken another plot twist, but at this stage there is nothing that can definitively be verified. There are many possible explanations for all of this. The forums at 3D Realms could have been compromised and false information leaked that way. On the other hand, with a slow economy, it isn't beyond the realm of possibility that a sudden closure of the company has taken place. It may be that Shacknews have one of the biggest scoops in gaming history, but until independent reporting emerges that doesn't cite the Shacknews article as its only source (even the forums at 3D Realms should be regarded as a tertiary source, at best), the reaction of gamers around the world will have to hang in the balance. Even the Wikipedia entries for 3D Realms and Duke Nukem Forever have been updated to report the closure as fact, based solely on the Shacknews article.

For some, the news that Borland has been acquired by Micro Focus might be of more immediate importance, coming at the same time as the apparent closure of 3D Realms. If the 3D Realms news is true, then it makes the 6th of May a sad day for the history of modern computing. Borland, a stalwart provider of development tools (Turbo Pascal and Turbo C will be either fond or hated memories for many developers) and consumer software (Quattro Pro, dBase) from the 1980s and 1990s, is no longer an independent entity, though the name may live on in some way. 3D Realms, the evolution of the original Apogee games company from the early 1990s, is likewise bound to be remembered fondly for the milestone titles that it did release, Duke Nukem 3D and Max Payne chief amongst them. It would seem that 3D Realms could be all out of gum.
2.5 Devil Is In The Details For May 2009 Microsoft Security Update

In the last 24 hours Microsoft released the May 2009 Security Update, a single update for every version of PowerPoint from Office 2000 (PowerPoint 2000) through to Office 2007 (PowerPoint 2007). Fourteen individual vulnerabilities, as identified by distinct CVE numbers, are being addressed, all of which could lead to remote code execution on at least some versions of PowerPoint. PowerPoint 2000, 2002 (XP), and 2003 are the versions affected by most of the vulnerabilities. Somewhat surprisingly, several of the vulnerabilities have been identified as affecting Office 2004 and 2008, the OS X versions of Office, as well as Microsoft Works 8.5 and 9.0. The surprising part isn't that the vulnerabilities affect those software versions, rather that MS09-017 will not patch them. In reasoning given on both the Microsoft Security Response Center and Security Research & Defense blogs, the argument is that Microsoft saw the best opportunity to patch the complete line of Windows PowerPoint versions at the same time, while patches for the remaining affected software are in the pipeline for eventual release. Rather than hold up the release of the Windows PowerPoint update to ensure every affected software version is patched at the same time, the decision was made to keep patching consistent across the Windows platform and to take the patch to the majority of users.

This hasn't gone down well with some people in the Information Security industry. The argument that attackers reverse engineer patches to find the patched vulnerabilities and the means to attack them is a fair one, but when exploits for some of the patched issues have been in circulation prior to the patch release, in particular for one that affects PowerPoint 2000, 2002 (XP), 2003, and 2004 (OS X), it just makes the need to release and apply patches even more critical. This isn't the worst thing that can happen from differential patching.
Since that same vulnerability is present across platforms, and is a remote code execution vulnerability, reverse engineers working from the Windows patch will be able to determine an attack vector against the Works and OS X versions, and will have a clear run against those targets until Microsoft is able to release patches for them. Microsoft's argument that the patch release will provide coverage for the clear majority of users is fair enough, but just how large is the attack surface presented by the installed base of Works and OS X Office? Works is pushed as the solution for the home user, and OS X installations of Office would be in use in environments where interaction and file transfer between Windows and OS X is expected. According to the SRD team, the sample exploits that they tested against the Windows PowerPoint versions could not reliably exploit the OS X versions, but could still do so on occasion. There is no guarantee that a more reliable exploit will not soon emerge.

One of the changes introduced by this update, which could catch out a number of legacy systems (and thus those that most need protection), is the removal of support for PowerPoint 4 files. Quite rightly, the SRD team point out that Office has not been able to create this sort of file since at least Office XP, and support for it has already been removed in Office 2007 and, since SP2, in Office 2003. Rather than modifying Office to prevent handling of this file format, it is a Registry entry that disables support, something which even Microsoft provides a workaround for. A lot of the vulnerabilities addressed were related to this file format, but it is still an interesting approach to addressing the vulnerability - through Registry patching. It has a lot of parallels to the ActiveX patches that have been released in the past - many of them have been Registry entries disabling components, rather than addressing the component binaries directly.
2.6 Apple Patches Safari 3 & 4, Releases 10.5.7 Update

Released at the same time as Microsoft's May Security Patch are a series of patches from Apple. Safari has received a bulk update, for both the 3.x stable line and the Public Beta for 4. Both updates address the same set of underlying vulnerabilities in libxml, Safari, and WebKit, all of which could lead to arbitrary code execution. Also released, and probably of more interest to most users, is Security Update 2009-002, which is also the 7th point release for OS X 10.5. OS X 10.5.7 contains a large number of patches and updates, and is massive. The .6 to .7 updater weighs in at 442 MB, while the Combo Update (from any previous point release of 10.5) is 729 MB. Contained within this major update are security patches for a whole range of embedded services and features, including those in the separate Safari patches.

As with each prior system point release, Apple have introduced a number of improvements to the system. These include improved video playback on NVIDIA-equipped systems, improved Dashboard widgets, expanded support for RAW images from more cameras, reliability and stability enhancements to a range of applications (iCal, Mail) and system utilities (Printing, Parental Controls), as well as general system enhancements.

Safari users who have not installed the version 4 Beta will find that Safari is updated to 3.2.3 as part of the 10.5.7 update, so they should not expect to see a separate standalone update for Safari once the underlying OS update has been applied. Since the announcement of the updates for the Safari 4 Beta, it would seem that Apple have pulled that update for some unknown reason. The update doesn't show in a search on the Apple Support website, and users have reported that it doesn't show in the Software Update window until after the 10.5.7 update has been applied.
The 10.5.7 update will provide coverage for the libxml and WebKit issues, and users who are concerned that their Safari 4 Beta application remains at risk and will not receive this patch can downgrade to 3.2.3, which is provided through the 10.5.7 release. These updates can be found through the Software Update option under the Apple menu, or can be found manually on the Apple support downloads site (http://www.apple.com/support/downloads/), where the standalone 10.5.7 point update is also available. Further technical details are available from Apple (http://support.apple.com/kb/HT1222). User reaction to the updates can be found all over the Internet, but judging from the forums at MacRumors, it would appear that most users aren't having trouble with the updates.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.