[Sunnet Alert] Advisory #266 - Microsoft PowerPoint, Apple (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Wed May 13 20:16:36 EST 2009
Sûnnet Beskerming Alert List Advisory #266
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Once you've had a chance to read through this advisory, come back and
answer the following question.
Did you like the timeliness of the advisory?
Our premium subscribers get this sort of service on every advisory -
same day coverage of security discoveries and full details on all
external tracking data that we have discovered, to help keep you
informed and form a well-rounded opinion and assessment of the risk to
you, your systems, and your data.
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft PowerPoint
- Remote Hacker Automatic Control
- Time Since Discovery - Same day
1.2 Apple (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - Same day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data.
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 What is the Future for File Sharing?
2.2 GeoCities is Dead. Long Live GeoCities
2.3 AutoRun To Be Disabled, But Not Completely
2.4 Borland Acquired, 3D Realms Rumoured Closed, May 6 is a Sad Day
for Software
2.5 Devil Is In The Details For May 2009 Microsoft Security Update
2.6 Apple Patches Safari 3 & 4, Releases 10.5.7 Update
=====================================
1. SECURITY
1.1 Microsoft PowerPoint - Remote Hacker Automatic Control
-- Products Affected --
PowerPoint 2000, 2002 (XP), 2003, 2004 (OS X), 2007, 2008 (OS X)
Works 8.5, 9.0
-- Technical Description --
MS09-017 - PowerPoint. Multiple Remote Code Execution. Replaces
MS08-051, MS08-052. Critical
-- Description --
Microsoft's patch release for May has seen only a single patch
released, a Critical update for PowerPoint. The patch addresses
multiple remote code execution vulnerabilities with several versions
of PowerPoint. What has raised eyebrows across the Information
Security industry is the decision to release the patch for only some
of the affected software versions, leaving OS X and Works users in the
cold, while patches are still being prepared for their platforms.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-may.mspx
http://www.beskerming.com/premium/patch_pack.html
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-017.mspx
-- External Tracking Data --
Upgrade to get details
-- Threat Matrix --
               U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)
1.2 Apple (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Safari 3.x
Safari 4.0 Beta
OS X 10.5.x
OS X 10.4.11 (Security Update 2009-002 only)
-- Technical Description --
Apache - Multiple Cross Site Scripting and response injection flaws -
Updates to Apache 2.2.11
ATS - Malicious CFF font may lead to arbitrary code execution
BIND - Spoofing attack through DNSSEC - Updates to 9.3.6-P1 / 9.4.3-P1
CFNetwork - Information disclosure and arbitrary code execution
CoreGraphics - Multiple arbitrary code execution risks from malicious
PDF file handling, including a JBIG2 arbitrary code execution
vulnerability
Cscope - Arbitrary code execution
CUPS - Information Disclosure and remote printer control
Disk Images - Multiple arbitrary code execution vulnerabilities
enscript - Multiple arbitrary code execution vulnerabilities -
Updates to enscript 1.6.4
Flash Player plug-in - Multiple arbitrary code execution
vulnerabilities - Updates to Flash Player plugin 10.0.22.87 / 9.0.159.0
Help Viewer - Multiple arbitrary code execution vulnerabilities
iChat - Information disclosure (SSL Chats downgrade to plaintext)
International Components for Unicode - Cross Site Scripting
IPSec - Multiple denial of service vulnerabilities
Kerberos - Multiple denial of service and arbitrary code execution
vulnerabilities
Kernel - Privilege elevation
Launch Services - Repeated denial of service
libxml - Arbitrary code execution
Net-SNMP - Denial of service vulnerability - Updates to 5.4.2.1
Network Time - Spoofing and arbitrary code execution
Networking - System shut down due to network traffic.
OpenSSL - Information disclosure
PHP - Multiple arbitrary code execution vulnerabilities - Updates to
5.2.8
QuickDraw Manager - Arbitrary code execution when opening malicious
PICT files
ruby - Multiple vulnerabilities - Updates to 1.8.6-p287
Safari - Multiple arbitrary code execution vulnerabilities (10.5 only)
Spotlight - Office file handling could lead to arbitrary code execution
system_cmds - Re-prioritising login command shell
telnet - Denial of service / arbitrary code execution
WebKit - Arbitrary code execution due to handling of SVGList objects
X11 - Multiple FreeType, libpng and xterm vulnerabilities leading to
arbitrary code execution - Updates FreeType to 2.3.8 (and then patches
it), libpng to 1.2.35
-- Description --
Released at the same time as Microsoft's May Security Patch are a
series of patches from Apple. Safari has received a bulk update, for
both the 3.x stable line and the Public Beta for 4. Both updates
address the same set of underlying vulnerabilities in libxml, Safari,
and WebKit, all of which could lead to arbitrary code execution. Also
released, and probably of more interest for most users, is Security
Update 2009-002, which is also the 7th point release for OS X 10.5. OS
X 10.5.7 contains a large number of patches and updates, and is
massive. The .6 to .7 updater weighs in at 442 MB, while the
ComboUpdate (from any previous point release of 10.5) is 729 MB.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
-- Source --
http://support.apple.com/kb/HT1222
-- Updates Available --
http://www.apple.com/support/downloads/
-- External Tracking Data --
Upgrade to get details
-- Threat Matrix --
               U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 What is the Future for File Sharing?
From the time that computers began being available for the home
hobbyist, there has been file sharing and copyright infringement. What
has changed over time is the methods used to share the files. With the
rapid growth in the use of the Internet, and the introduction of newer
technologies that make the sharing and discovery of files far easier
than before, file sharing has come within the reach of the everyday
user in a way that could never have been imagined before.
Paralleling this, high profile court cases against site operators
have helped keep some of the most popular methods in check over the
years. The most recent high profile file sharing court case, against
the operators of The Pirate Bay, already appears to have had some
effect on the availability and use of BitTorrent trackers.
Despite ongoing argument about the validity of the court case and the
sentences handed down, including some spectacular claims of bias and
inappropriate conflicts of interest, the current outcome is reported
to have seen a number of public and not-so-public BitTorrent trackers
voluntarily close. Many of these closures have been of trackers based
in Sweden and are likely a direct result of the Pirate Bay's court
case. When the largest tracker site on the Internet is successfully
prosecuted (pending appeal), it sends a message to similar sites
hosted in the same country that they might be next on the target list.
With a successful prosecution precedent set, many smaller operators
are looking to cut their risk exposure and close down.
Since BitTorrent is a non-centralised means of distributing content,
the only centralised component being a place to record and point users
towards content locations, it probably isn't going to take very long
for new trackers to appear and take up some of the slack that the
closures have created (The Pirate Bay itself is still available, just
no longer hosted in Sweden). New sites are more likely to be private
trackers with enforced ratios than high profile sites like The Pirate
Bay.
Smaller private trackers have always been around and are the means by
which a lot of the most desirable torrents trickle down to the public
sites. Because they tend to carry content that is extremely sensitive
and close to the original source, are comprised of users who are very
aware of what their ratios are and how they are proceeding, and are
what investigators should be focusing on, their existence and
accessibility is usually a closely guarded secret.
This might make it harder for the casual file sharer to access
content, but there will always be a way for that information to be
had, eventually trickling down.
In the long run there may be some new sources coming online to help
access files, but overall there isn't really going to be much of a
change. Many of the sites that are closing will probably reappear
under a different name, hosted in another country, just that little
bit further out of reach of investigators. With the borderless nature
of the Internet, this isn't really going to affect end users all that
much. Avid file sharers might hope for the day when copyright laws are
amended to reflect the modern reality of digital content and extremely
simple bit-perfect duplication of that content, but that isn't likely
to happen until generations that grew up with the internet and on-tap
file sharing take political and business power.
Avid file sharers would rather investigators and the various content
associations focus on the sources of the leaked information, which
more often than not seems to be from within those very organisations
(or at least member companies) rather than slamming the end users who
consume it.
Attacking the technology used to distribute content, or sites that
point to what is available isn't going to help in the long run and
will only ensure the survival of file sharing, just maybe in a
slightly different format. What technology is going to emerge to
replace BitTorrent as the most popular file sharing method of the next
decade isn't known, but it is guaranteed that it will trace a similar
arc of emergence into popularity and decline into obscurity through
prosecution that other file sharing technologies have followed before.
2.2 GeoCities is Dead. Long Live GeoCities
For many people who came to the Internet in the mid to late 1990s, the
personal webpage craze was only just beginning and there were a
handful of stalwart providers that gave budding Internet users all the
room they needed to have garish colour schemes, poorly designed
animated gifs and all the flashing under construction signs they could
find.
Tripod, Angelfire, and GeoCities were an effective triumvirate of free
and nearly free web space providers, encouraging the formation and
collection of communities long before the emergence of LiveJournal,
MySpace, Blogspot, Facebook, and any number of other online
communities that now litter the web.
Part of that history is going to disappear forever before the end of
the year, with Yahoo! set to close down GeoCities completely before
the end of 2009. With the yet-to-be-dated closure coming up, Yahoo!
have now stopped accepting new user accounts on the online community
and will be notifying existing users of the various steps that they
can take if they want to save their site when GeoCities finally closes.
One of the options that will be put forward is Yahoo!'s fee-based Web
Hosting service, something which may not be acceptable to users who
are accustomed to free consumer level services. Angelfire and Tripod
continue to offer free services, and for users who wish to keep their
sites alive on a part of Internet history, they provide an alternative
that originates from the same timeframe as GeoCities did.
2.3 AutoRun To Be Disabled, But Not Completely
AutoRun is an innovation that over the years has been a blessing and a
curse for computer users. The Windows feature that allows software to
start automatically when removable media is attached to / inserted
into a Windows machine has made life easy for many computer users who
would be lost without having software to guide them through an
installation process or other use of material on the storage medium.
The downside is that, since other software can be run through this
capability, it was only a short period of time before it began being
abused for malware installation. While AutoRun has been around for a
number of years, it is still being used as part of installers and
malware spreading mechanisms even today. Conficker, the worm that has
attracted the most attention over the last six months uses AutoRun
capabilities to aid in its spread, using it as an alternative
infection mechanism to targeting the MS08-067 vulnerability over a
network.
Microsoft has recently moved to turn off AutoRun for good, at least
for media that isn't optical (of course malware can be written to CD-R
media as easily as it can to CD-RW). This change is being sold as a
means to address changes in the Threat Landscape, but with AutoRun
malware having been around for a number of years, it is the recent
spike in popularity of malware using it as an infection route that has
led Microsoft to make this decision. It would have been nice for end
users if this had been done some years ago, before it became too much
of a security problem (Microsoft provides graphs showing a significant
uptick over the last 18 months), but at least something is slowly
being done now.
The downside for most users is that this feature will be making it
into Windows 7 and not into the current versions, though there are
readily available Registry fixes that can disable AutoRun for existing
Windows versions. Microsoft has indicated that they are planning to
release fixes for Vista and XP to bring this improvement to those
systems as well.
Many system administrators have tried to keep AutoRun disabled over
the years, but found that patches from Microsoft would strangely
re-enable it from time to time. Until Microsoft releases the changes
for Vista and XP, there are plenty of sample Registry fixes that can
easily be found online which can be applied to disable AutoRun on
these systems in the meantime. Because updates have silently undone
the setting before, the value should be read back after each patch
cycle rather than assumed to still be in place.
As good as the change seems on the surface, the detailed explanation
of what is being done is less promising than it is being made out to
be. The primary change, modifying AutoPlay to ignore AutoRun
information on non-optical media, will prevent the confusion-based
social engineering attack that Conficker is currently using, where the
AutoRun entry is presented identically to a core Windows option that
follows it in the same dialog, the only difference being that it
appears under "Install or run program" rather than under "General
options", the category used for the core Windows function.
The second part of the change, primarily for optical media, is that
the "Install or run program" option is renamed to "Install or run
program from your media". With some thumb drives capable of reporting
as optical media, and Microsoft's decision to treat such media as
optical media, adding three little words isn't going to stop the
infection mechanism that is in use. Microsoft allows some USB mass
storage devices to be treated as optical media because the drive type
is reported at the hardware level, and that is assumed to be next to
impossible to spoof through the data on the drive. Assumptions like
this have been shown to be false in the past, and it is only a
question of how much time it will be before a means to work around
this limitation is found, either through introducing a mini-partition
on the thumb drive that identifies itself as optical media, or through
some other technique.
Keeping this feature around for optical media isn't going to stop
malware like the Sony/BMG rootkits that were installed silently from
some audio CDs. What it will do is severely limit the usefulness of
USB devices like photoframes, thumb drives, cameras, CF cards, and
some external hard drives for the average user. Time will be the true
test as to whether the computer skills of the average computer user
have improved to the point that disabling AutoRun isn't going to
hinder their normal use of a system.
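The Registry fix referred to in this section, and the optical-media caveat that follows it, can be made concrete. What follows is an added example (not part of the original advisory, and not Microsoft's own tooling): it builds the NoDriveTypeAutoRun policy mask that those Registry fixes set, writes it out as a .reg file, and shows why a mask that only covers non-optical drive types still honours an autorun.inf on a thumb drive that reports itself as a CD-ROM. The bit value for each drive type is the documented meaning of this value; the device list is constructed for illustration and the helper names are the example's own.

```python
# Added example, not from the original advisory and not Microsoft tooling.
# Models the NoDriveTypeAutoRun policy value behind the common AutoRun
# Registry fix for XP/Vista and emits a .reg file that applies it.
# Drive-type bit values are the documented ones for this value; the
# device list below is constructed for illustration.

DRIVE_TYPE_BITS = {
    "unknown": 0x01,       # DRIVE_UNKNOWN
    "no_root_dir": 0x02,   # DRIVE_NO_ROOT_DIR
    "removable": 0x04,     # DRIVE_REMOVABLE: thumb drives, card readers
    "fixed": 0x08,         # DRIVE_FIXED: internal and most external disks
    "remote": 0x10,        # DRIVE_REMOTE: network shares
    "cdrom": 0x20,         # DRIVE_CDROM: optical media and anything emulating it
    "ramdisk": 0x40,       # DRIVE_RAMDISK
    "undetermined": 0x80,  # drive type could not be determined
}
ALL_DRIVES = 0xFF   # every bit set: AutoRun ignored on every drive type
XP_DEFAULT = 0x91   # unknown + remote + undetermined, the Windows XP default

REG_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
           r"\CurrentVersion\Policies\Explorer")


def build_mask(blocked_types):
    """OR together the bits for every drive type whose autorun.inf should be ignored."""
    mask = 0
    for name in blocked_types:
        mask |= DRIVE_TYPE_BITS[name]
    return mask


def autorun_honoured(mask, reported_type):
    """True if an autorun.inf on a drive reporting this type would still be processed."""
    return (mask & DRIVE_TYPE_BITS[reported_type]) == 0


def exposed_devices(mask, devices):
    """Names of (name, reported_type) devices that still get AutoRun under this mask."""
    return [name for name, kind in devices if autorun_honoured(mask, kind)]


def reg_file(mask):
    """Text of a .reg file (CRLF line endings, as regedit expects) applying the mask machine-wide."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[" + REG_KEY + "]",
        '"NoDriveTypeAutoRun"=dword:%08x' % mask,
        "",
    ]
    return "\r\n".join(lines)


# Constructed sample of devices an administrator might see plugged in.
SAMPLE_DEVICES = [
    ("plain thumb drive", "removable"),
    ("camera CF card in a reader", "removable"),
    ("external USB disk", "fixed"),
    ("thumb drive that presents a CD-ROM partition", "cdrom"),
    ("audio CD", "cdrom"),
]

# The "non-optical only" policy the text describes: XP default plus removable and fixed.
NON_OPTICAL_ONLY = XP_DEFAULT | build_mask(["removable", "fixed"])

if __name__ == "__main__":
    print("mask 0x%02x still honours AutoRun on: %s"
          % (NON_OPTICAL_ONLY, exposed_devices(NON_OPTICAL_ONLY, SAMPLE_DEVICES)))
    print("mask 0xFF still honours AutoRun on: %s"
          % exposed_devices(ALL_DRIVES, SAMPLE_DEVICES))
    print(reg_file(ALL_DRIVES))
```

Under the non-optical-only mask the two devices reporting as CD-ROM, the genuine audio CD and the thumb drive emulating one, are still processed, which is exactly the gap the section describes; only the 0xFF mask closes it. Import the generated file with regedit (or regedit /s for a silent import) and confirm the value with reg query on the same key after each patch cycle.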
2.4 Borland Acquired, 3D Realms Rumoured Closed, May 6 is a Sad Day
for Software
It has long been joked that Forever would be how long it would take
for Duke Nukem Forever to be released. Famous as what is probably the
longest running unreleased in-development software title in existence
(first announced in 1997), Duke Nukem Forever may have suffered a
terminal blow with the reported closure of 3D Realms, the developer of
the title-in-waiting and successor to the ever-popular Duke Nukem 3D.
Before fans of the Duke cry in despair, it pays to look at just what
is contained in the available news about the supposed closure. All
available reports at the time of writing this article cite a single
Shacknews article as the source for this information. Links to a
claimed announcement on the 3D Realms forums can not be reached and
so leave the news as a single source, uncorroborated report.
This doesn't mean that it is untrue, though without the forums to
provide at least some sort of corroboration, it is a speculative claim
based on private reporting. It is strange that, for news of such
magnitude, no formal press release has been issued by either 3D Realms
or Take Two, and there is certainly nothing on the front pages for
the companies at this time. Press releases are present that are dated
after the apparent leaking of the news, so it is possible that the
whole thing is a hoax.
On the other hand, the news may be under a moratorium until a certain
time and date and the leak is going to be verified in the near future.
3D Realms, apparently, is still hiring, something that a closed
company wouldn't be expected to do.
The soap opera that has been the development of Duke Nukem Forever
seems to have taken another plot twist, but at this stage, there is
nothing that can definitively be verified. There are many possible
responses to all of this. The forums at 3D Realms could have been
compromised and false information could have been leaked that way. On
the other hand, with a slow economy, it isn't out of the realm of
reality that a sudden closure of the company has taken place.
It may be that Shacknews have got one of the biggest scoops of gaming
history, but until open reporting emerges that doesn't cite the
Shacknews article as its only source (even the forums at 3D Realms
should be regarded as a tertiary source, at best), the reaction of
gamers around the world is going to have to hang in the balance. Even
the Wikipedia entries for 3D Realms and Duke Nukem Forever have been
updated to report the closure as fact, based solely on the Shacknews
article.
For some, the news that Borland has been acquired by Micro Focus might
be of more immediate importance, coming at the same time as the
apparent closure of 3D Realms.
If the 3D Realms news is true, then it makes the 6th of May a sad day
for the history of modern computing. Borland, a stalwart provider of
development tools (Turbo Pascal and Turbo C will be either fond or
hated memories for many developers) and consumer software (Quattro
Pro, dBase) from the 1980s and 1990s, is now no longer an
independent entity, though the name may live on in some way. 3D
Realms, the evolution of the original Apogee gaming company from the
early 1990s, likewise is bound to be remembered fondly for the
milestone titles that it did release, Duke Nukem 3D and Max Payne
chief amongst them.
It would seem that 3D Realms could be all out of gum.
2.5 Devil Is In The Details For May 2009 Microsoft Security Update
In the last 24 hours Microsoft released the May 2009 Security Update,
a single update for every version of PowerPoint from Office 2000
(PowerPoint 2000), through to Office 2007 (PowerPoint 2007).
Fourteen individual vulnerabilities, as identified by distinct CVE
numbers, are being addressed, all of which could lead to remote code
execution on at least some of the versions of PowerPoint. PowerPoint
2000, 2002 (XP), and 2003 are the versions affected by most of the
vulnerabilities.
Somewhat surprisingly, several of the vulnerabilities have been
identified as affecting Office 2004 and 2008, the OS X versions of
Office, as well as Microsoft Works 8.5 and 9.0. The surprising part
isn't that the vulnerabilities affect those software versions, rather
that MS09-017 will not patch those software versions. In reasoning
given on both the Microsoft Security Response Center, and Security
Research & Defense blogs, the argument is that Microsoft saw the best
opportunity to patch the complete line of Windows PowerPoint versions
at the same time, while patches for the remaining affected software
are in the pipeline for eventual release. Rather than hold up the
release of the Windows PowerPoint update to ensure every affected
software version is patched at the same time, the decision was made to
ensure platform integrity of patching and to take the patch to the
majority of users.
This hasn't gone down well with some people in the Information
Security industry. The argument that attackers reverse engineer
patches to find the patched vulnerabilities and means to attack them
is a fair one, but when details of some of the patched issues were
already public before the patch release, in particular one that
affects PowerPoint 2000, 2002 (XP), 2003, and 2004 (OS X), it just
makes the need to release and apply patches even more critical.
This isn't the worst thing that can happen from differential patching.
Since the same particular vulnerability is present across platforms,
and is a remote code execution vulnerability, reverse engineers on
Windows will be able to determine an attack vector against the Works
versions of PowerPoint and the OS X versions, and have a clear run
against those targets until Microsoft is able to release patches for
those versions. Microsoft's argument that the patch release will
provide coverage for the clear majority of users is fair enough, but
just how large is the attack surface presented by the installed base
of Works and OS X Office? Works is pushed as the solution for a home
user, and OS X installations of Office would be in use in environments
where interaction and file transfer between Windows and OS X is
expected.
According to the SRD team, the sample exploits that they tested
against the Windows PowerPoint versions could not reliably exploit
the OS X versions, but they could still do so some of the time. There
is no guarantee that a more reliable exploit will not soon emerge.
One of the changes introduced by this update, which could catch a
number of legacy systems (and thus those that most need protection),
is the removal of support for PowerPoint 4 files. Quite rightly the
SRD team point out that Office has not been able to create this sort
of file since at least Office XP, and support for it has already been
removed in Office 2007 and since SP2 for Office 2003. Rather than
modifying Office to prevent handling of this file format, it is a
Registry entry that disables support, something which even Microsoft
provides a workaround for. A lot of the vulnerabilities addressed were
related to this file format, but it still is an interesting approach
to address the vulnerability - through Registry patching. It has a lot
of parallels to the ActiveX patches that have been released in the
past - many of them have been Registry entries disabling components,
rather than addressing the component binaries directly.
2.6 Apple Patches Safari 3 & 4, Releases 10.5.7 Update
Released at the same time as Microsoft's May Security Patch are a
series of patches from Apple. Safari has received a bulk update, for
both the 3.x stable line and the Public Beta for 4. Both updates
address the same set of underlying vulnerabilities in libxml, Safari,
and WebKit, all of which could lead to arbitrary code execution.
Also released, and probably of more interest for most users, is
Security Update 2009-002, which is also the 7th point release for OS X
10.5. OS X 10.5.7 contains a large number of patches and updates, and
is massive. The .6 to .7 updater weighs in at 442 MB, while the
ComboUpdate (from any previous point release of 10.5) is 729 MB.
Contained within this major update are security patches for a whole
range of embedded services and features, including those in the
separate Safari patches.
As with each prior system point release, Apple have introduced a
number of improvements to the system. This includes improved video
playback on NVIDIA-equipped systems, improved Apple Dashboard widgets,
expanded support for RAW images across more cameras, reliability and
stability enhancements to a range of applications (iCal, Mail) and
system utilities (Printing, Parental Controls) as well as general
system enhancement.
Safari users who have not installed the version 4 Beta will find that
Safari is updated to 3.2.3 as part of the 10.5.7 update, so should not
expect to see a separate standalone update for Safari once the
underlying OS update has been applied. Since the announcement of the
updates for the Safari 4 Beta, it would seem that Apple have pulled
the update for some unknown reason. The update doesn't show from a
search on the Apple Support website, and users have reported that it
doesn't show in the Software Update window until after the 10.5.7
update has been applied. The 10.5.7 update will provide coverage for
the libxml and WebKit issues, and users who are concerned that their
actual Safari application remains at risk and will not apply this
patch can downgrade back to 3.2.3, which is provided through the
10.5.7 release.
These updates can be found through the Software Update option under
the Apple menu, or can be found manually at the Apple website, where
the 10.5.7 point update is available for direct download. Further
technical details are available from Apple.
User reaction to the updates can be found all over the Internet, but
from the forums at MacRumors, it would appear that most users aren't
having trouble with the updates.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.