From alertmailinglist at skiifwrald.com Thu Oct 15 19:50:47 2009
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Thu, 15 Oct 2009 20:20:47 +1030
Subject: [Sunnet Alert] Advisory #271 - Microsoft (Multiple), Multiple News

Sûnnet Beskerming Alert List Advisory #271

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question. Did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
    - Time Since Discovery - 2 Days

=======================================
/*
 - Remote or Local - Can it be achieved through a network or does it require physical access?
 - Hacker - The bad guy
 - Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
 - Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Strange Bug Plagues Apple OS
2.2 FTC Moves to Ensure Compensated Reviews Are Clearly Identified
2.3 Charging for Online Content Won't Make it Any More Accurate
2.4 Major Phishing Attack Reports Surface in October
2.5 Anonymous Targets Australian Government Over Censorship Plan

=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows
Office
Internet Explorer
IIS
.NET

-- Technical Description --
MS09-050 - Windows. Remote code execution. Critical
MS09-051 - Windows. Remote code execution. Critical
MS09-052 - Windows Media Player. Remote code execution. Replaces MS08-076. Critical
MS09-053 - FTP Service. Remote code execution. Important
MS09-054 - Internet Explorer. Remote code execution. Replaces MS09-034. Critical
MS09-055 - ActiveX Killbits. Remote code execution. Replaces MS09-032. Critical
MS09-056 - Windows. Spoofing. Replaces MS04-007. Important
MS09-057 - Indexing Service. Remote code execution. Replaces MS06-053. Important
MS09-058 - Windows. Privilege escalation. Replaces MS07-022 and MS08-064. Important
MS09-059 - LSASS. Denial of service. Important
MS09-060 - Active Template Library. Remote code execution. Replaces MS08-015. Critical
MS09-061 - .NET CLR. Remote code execution. Replaces MS07-040. Critical
MS09-062 - GDI+. Remote code execution. Replaces MS08-052. Critical

-- Description --
A massive thirteen patches have been released by Microsoft with the October Security Bulletin release, with eight Critical updates and five Important patches. Patches have been issued for previously disclosed and attacked vulnerabilities, including an SMB vulnerability and an IIS FTP vulnerability. Amongst the patches are a cumulative Internet Explorer update, Killbit updates, and another GDI+ patch.
-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-052.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-056.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-057.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-058.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-059.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx

-- External Tracking Data --
Upgrade to get tracking details

-- Threat Matrix --
                U    O
Home User      10   10  (Highly Critical)
Corporate      10   10  (Highly Critical)

=======================================
/*
Threat Matrix:
 U - User
 O - Operator
 Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Strange Bug Plagues Apple OS

News is spreading rapidly about a serious flaw affecting Apple's latest Operating System, Snow Leopard (OS X 10.6), first made public in early September on Apple's Discussion boards. The timing for this widespread coverage is unfortunate, given the massive patch release from Microsoft with their October Security Bulletins this week.
The bug apparently can only be triggered on systems that have been upgraded from Leopard (OS X 10.5) and which had the Guest account active prior to the upgrade being carried out. The bug is very much real, but it is difficult to reproduce reliably. What is common to affected users is having logged into the Guest account, logged out, and then returned to another account, at which point they discover that the home directory of the non-Guest account has been wiped clean, as the Guest account is meant to be.

It has been suggested that the error may be tied to how the system cleans up following use of the Guest account, which is designed to wipe itself clean after each use. The suggestion is that this wiping process is not triggered properly at Guest logout and instead activates the next time a user logs into a non-Guest account, so the wipe takes place not only in the Guest account but in others as well. Initial reporting suggested that for the bug to be triggered the user would have been forced to reboot due to a system freeze in the Guest account, though reports from other affected users provided examples where merely attempting to log into the Guest account was sufficient to wipe the home directories.

From the different reports on the bug it seems likely that there is an issue with the logout / account wipe actions that are scheduled to take place following the Guest account logout. It may be something such as a race condition, where the command to clean the Guest home directory is racing against a command with higher privileges and occasionally slips in under the higher privilege set and executes against more than just the Guest account. This would explain why it has been difficult to reproduce reliably. It may be a buffer overflow, where the command to erase is overflowing into the memory space of a higher privileged application.
If memory randomisation (ASLR or the like) is being used by the buggy processes, it could also explain why reproduction of the flaw is so difficult - reliably overwriting the higher privileged memory space is much harder with randomisation than without it.

So far the bug has slipped through the initial OS release as well as the first update (10.6.1). Apple have acknowledged the presence of the bug and are working on addressing it, though with rumours of 10.6.2 being available soon, it isn't certain whether a fix will make it into this update.

Backing up regularly is very beneficial; however, backing up to an Apple Time Capsule might be as risky as using the Guest account on Snow Leopard. Time Capsules have had troubles recently with possible overheating leading to hard drive and power supply failures that result in sudden death of the devices. Concerned users should ensure they back up regularly and avoid use of the Guest account where possible.

2.2 FTC Moves to Ensure Compensated Reviews Are Clearly Identified

A recent decision by the FTC is going to require online content providers to explicitly disclose any payment, goods or services that they have received in return for providing a review of a product, and to ensure advertisers cannot present dramatic results and then claim that the results aren't typical. The new rules aren't going to be enforceable until the start of December, but they are really only going to be relevant for sites where it isn't already plainly obvious that a commercial or in-kind relationship exists. Those sites already risk their reputation by trying to sneak a review-with-benefits in amongst their regular content. Sometimes it works, but when it fails, the loss of credibility and trust amongst their readership can be critical.
This type of guerrilla marketing tries to catch the potential market off-guard in an environment where they aren't expecting to be marketed to, and while it can be effective, if it is exposed it tends to lead to dissatisfaction and disgust among consumers and can see boycotts of the marketed products and of the content provider who delivered the marketing. It can fall foul of existing deceptive marketing laws, so the steps being taken by the FTC are about making it clearer how the rules apply to the online environment.

We don't receive sponsorship or payment for articles that discuss specific technologies or products, and we choose not to run advertising alongside our articles in order to maintain a clear separation of interest. Our goal is to provide you, the reader, with the best service and content possible without risking muddying our message with potential conflicts of interest.

2.3 Charging for Online Content Won't Make it Any More Accurate

Attempts to get consumers of news to pay for what they are reading continue to stumble ahead. We have already covered previous announcements from News Corporation that they will be making their online content fee-based, and the challenges and struggles that they and other content providers face in getting their consumers to pay for what they provide. News Corporation is continuing to move forward with their efforts to lock away their content, with both News Corporation and Associated Press making announcements at a recent Beijing conference that they are getting fed up with the "content kleptomaniacs" who are "co-opting" the content that they provide.
The irony of delivering such a message in a Chinese forum appears to have been lost on those delivering it, but it is getting to the point that, unless they hurry up and get on with locking away their content so that the market can determine for itself whether these content providers actually provide enough benefit to make it a viable business model, they are going to risk making themselves even more irrelevant to the wider public.

Other content providers seem to be expanding the reach of their fee-based services, with claims that The Economist will be moving more of their historical content behind their fee-based services, and shortening the period that content is available free of charge. While there is no obvious statement at The Economist regarding this impending move (to happen tomorrow), the soon-to-be fee-based content is still freely available.

The move to fee-based services might see an overall reduction in the variety and number of available services, even including those that have moved to a fee-based offering. That doesn't help continued claims of poor fact-checking, outright false claims and inability to determine the trustworthiness of sources, especially previously unseen single-source reporting. Recently ZDNet were caught out when they claimed that Yahoo had turned over usernames to Iran following recent protests, a stance they have since retracted. Reputation might take a long time to build up, but it doesn't take very long to destroy, especially in an environment where the rush to be first is more important than being right. There are some organisations that are dedicated to being both when it comes to reporting and which will continue to provide news freely to readers.
2.4 Major Phishing Attack Reports Surface in October

Several years ago the average computer user would not have been expected to know that phishing, identity theft, or any number of Information Security issues existed, nor how important they actually were to staying safe online and in everyday life. With the almost constant public reporting in the intervening years, it is rare that you would come across someone who hasn't heard of identity theft or phishing, or who at least knows someone who has been affected by it personally (though it might be described as "a hacker did something").

Even with this increase in awareness and reporting, it is evident that people keep getting caught out, with multiple reports of phishing attacks surfacing since the start of October: everything from vast numbers of Hotmail accounts compromised, to the potential that many other providers may have been affected, to reports that the FBI Director was almost a victim of a phishing attempt.

There still aren't many clues as to just how significant these phishing collections actually are, given that the data intercepted recently covered only the first couple of letters of the alphabet (Hotmail sample) and an unknown distribution for the other cases, but it does suggest a massive number of potentially vulnerable accounts. It is a remote possibility that these data sets have been leaked from within the mail providers, or it could just be a collation of historically leaked / scraped email accounts over many years. Given that at least some of the accounts are still active and operating under the same password (as checked by other agencies), that doesn't give much weight to the latter theory.

Analysis of the account details has shown that a standard dictionary attack against at least online mail services is still going to net a high number of compromised accounts.
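The kind of password-exposure analysis referred to here, written as an added example (not code from the advisory or from Sûnnet Beskerming): it classifies each password in a credential list by character set and length, measures reuse, and counts direct hits against a common-password wordlist, so a defender can report how much of a dump a plain dictionary run would recover. The password list and the wordlist are constructed sample data, not the Hotmail set discussed above.

```python
"""Audit an exposed credential list for the weaknesses the advisory's analysis
describes. Added example with constructed sample data, not the Hotmail set."""
from collections import Counter

# Constructed sample standing in for an exposed credential dump (hypothetical).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "alejandro", "maria1985", "Tr0ub4dor&3",
    "password", "987654321", "carlos", "111111", "pepito", "Qw3rty!2009",
    "alberto", "12345678", "sol", "ana", "Mi.Contrasena_Larga#1",
    "tequiero", "2009", "Verano2009",
]
# Constructed stand-in for a "standard dictionary" of common passwords.
COMMON_WORDLIST = {"123456", "password", "12345678", "111111", "qwerty",
                   "carlos", "alejandro"}

def charset_class(pw):
    """Numeric-only and lowercase-only are the two classes the advisory calls
    out; both collapse the search space a dictionary or brute-force run needs."""
    if pw.isdigit():
        return "numeric-only"
    if pw.isalpha() and pw.islower():
        return "lowercase-only"
    return "mixed"

def length_bucket(pw):
    """Length buckets matching how the advisory reports them (6-9, 6-12)."""
    n = len(pw)
    return "<6" if n < 6 else "6-9" if n <= 9 else "10-12" if n <= 12 else ">12"

def pct(part, total):
    return round(100.0 * part / total, 1)

def audit(passwords, wordlist=COMMON_WORDLIST):
    """Summary statistics a defender would report on a dump of this kind."""
    total = len(passwords)
    classes = Counter(charset_class(p) for p in passwords)
    lengths = Counter(length_bucket(p) for p in passwords)
    reuse = Counter(passwords)
    top_value, top_count = reuse.most_common(1)[0]
    weak_charset = classes["numeric-only"] + classes["lowercase-only"]
    return {
        "total": total,
        "weak_charset_pct": pct(weak_charset, total),
        "len_6_to_9_pct": pct(lengths["6-9"], total),
        "len_6_to_12_pct": pct(lengths["6-9"] + lengths["10-12"], total),
        "unique_pct": pct(len(reuse), total),
        "most_common": (top_value, top_count),
        "wordlist_hit_pct": pct(sum(p in wordlist for p in passwords), total),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key:>18}: {value}")
```

On a real dump, replace SAMPLE_PASSWORDS with the recovered list and COMMON_WORDLIST with the wordlist your password policy is enforced against; the wordlist hit rate is the share of accounts a dictionary run would take without any guessing.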
60% of the exposed accounts were protected with nothing more than a string of numbers, or a string of purely lowercase alphabetic characters. Almost 70% of passwords were between 6 and 9 characters long (almost 90% between 6 and 12 characters), which also reduces the number of combinations likely required to gain access to an account. Surprisingly, of the sample studied, 90% of passwords were unique, with the most popular password (123456) only being used 64 times (around 1%). Other trends within the password distributions suggest that the accounts are the result of phishing attacks against Spanish-speaking users.

While there is bad news for the users who had their accounts exposed, there is some good news regarding policing those who carry out these attacks. A two-year operation by the Egyptian and US authorities has seen 100 people arrested over a series of phishing scams that targeted US financial institutions and netted $1.5 million USD for the scammers. The net return per scammer may not seem like much, especially weighed against the resources that the authorities likely applied to investigating and capturing them, but it sends a message that the authorities are willing to take real action against people who scam others online.

2.5 Anonymous Targets Australian Government Over Censorship Plan

An entry on the ISC blog suggests that Australian government websites will be targeted later on today (September 9) in a targeted attack by "Anonymous", a loose group of otherwise unconnected individuals acting towards a common goal, commonly associated with having originated from the 4chan messageboard. The website set up as a call to action, 09-09-2009.org, doesn't explicitly mention the steps that will be taken as part of their plan to get their demands met, namely the resignation of the current Federal Communications Minister, Stephen Conroy, and the abolition of the blacklist that forms the basis for the Federal Government's censorship plan.
Despite the lack of explicit activity mentioned, if past actions linked to "Anonymous" groups are any indication, then it is highly likely that a distributed Denial of Service (DDoS) will be carried out against government sites. The statement that the group also seeks to leak and distribute the blacklist, as well as make freely available methods to bypass the censorship, raises the possibility that rather than carrying out a straight denial of service, the attacks may lead to the takeover of certain specific sites where information about avoiding the blacklist and planned censorship will then be published.

While there is a general sense of disgust at the planned government censorship plan, it also seems that the plans for Internet filtering aren't going to be anything more than that, just plans. The wider Australian public may not know about the plans in depth, nor really care about the means to bypass the filtering. Those that do probably already know how to achieve it, and this action under the "Anonymous" banner quite likely may not lead to any significant change, either in government stance or in wider awareness of the information that "Anonymous" is distributing. Australians are famous for their laid-back attitudes, and this is probably going to be a situation where those attitudes will see a smaller than expected result, if any at all, from the currently-unknown actions that "Anonymous" will carry out. If they are successful, then it would be a remarkable first for many reasons. Forcing a sitting Minister to resign through nothing more than Internet bluster would be astounding, as would an "Anonymous" challenge being successful beyond a short term or a very localised area.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty.
Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.