[Sunnet Alert] Advisory #271 - Microsoft (Multiple), Multiple News
Security and IT News Alerts
alertmailinglist at skiifwrald.com
Thu Oct 15 19:50:47 EST 2009
Sûnnet Beskerming Alert List Advisory #271
You are receiving this message because you have subscribed to our
Information Security Alert Mailing List, or have been selected for a
specific one-off copy. If you believe that you are receiving this
message in error, please contact info at beskerming.com to resolve the error.
Why not upgrade to get same day notification on security threats?
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).
Why not go the next step and get delivery tailored just for your
company?
(http://www.beskerming.com/premium/focussed_advisory.html)
Once you've had a chance to read through this advisory, come back and
answer the following question.
Did you like the timeliness of the advisory?
Our premium subscribers get this sort of service on every advisory -
same day coverage of security discoveries and full details on all
external tracking data that we have discovered, to help keep you
informed and form a well-rounded opinion and assessment of the risk to
you, your systems, and your data.
Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple)
- Remote Hacker Automatic Control
- Time Since Discovery - 2 Days
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it
require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually
performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get
control of your system / website, will they prevent you from using it,
or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Strange Bug Plagues Apple OS
2.2 FTC Moves to Ensure Compensated Reviews Are Clearly Identified
2.3 Charging for Online Content Won't Make it Any More Accurate
2.4 Major Phishing Attack Reports Surface in October
2.5 Anonymous Targets Australian Government Over Censorship Plan
=====================================
1. SECURITY
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control
-- Products Affected --
Windows
Office
Internet Explorer
IIS
.NET
-- Technical Description --
MS09-050 - Windows. Remote code execution. Critical
MS09-051 - Windows. Remote code execution. Critical
MS09-052 - Windows Media Player. Remote code execution. Replaces MS08-076. Critical
MS09-053 - FTP Service. Remote code execution. Important
MS09-054 - Internet Explorer. Remote code execution. Replaces MS09-034. Critical
MS09-055 - ActiveX Killbits. Remote code execution. Replaces MS09-032. Critical
MS09-056 - Windows. Spoofing. Replaces MS04-007. Important
MS09-057 - Indexing Service. Remote code execution. Replaces MS06-053. Important
MS09-058 - Windows. Privilege escalation. Replaces MS07-022 and MS08-064. Important
MS09-059 - LSASS. Denial of service. Important
MS09-060 - Active Template Library. Remote code execution. Replaces MS08-015. Critical
MS09-061 - .NET CLR. Remote code execution. Replaces MS07-040. Critical
MS09-062 - GDI+. Remote code execution. Replaces MS08-052. Critical
-- Description --
Microsoft's October Security Bulletin release contains a massive
thirteen patches, eight rated Critical and five rated Important.
Patches have been issued for previously disclosed and already attacked
vulnerabilities, including an SMB vulnerability and an IIS FTP
vulnerability. Amongst the patches are a cumulative Internet Explorer
update, Killbit updates, and another GDI+ patch.
-- Recommended Action --
All users and administrators should apply the updates at the earliest
opportunity.
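As an added example, not part of the advisory and not Sûnnet Beskerming's own
tooling, the Python below parses the bulletin list in the Technical
Description above, re-joining entries that the mail client wrapped onto a
second line, and groups the bulletins by severity so the Critical ones can be
scheduled first. The bulletin ids, impacts and severities are copied from
this advisory; the field layout the parser assumes (component, impact, an
optional "Replaces" clause, severity) is simply the layout used above.

```python
import re
from collections import defaultdict

# Constructed input: the "-- Technical Description --" lines copied from this
# advisory, wrapped at the mailing list's column limit exactly as received.
TECHNICAL_DESCRIPTION = """\
MS09-050 - Windows. Remote code execution. Critical
MS09-051 - Windows. Remote code execution. Critical
MS09-052 - Windows Media Player. Remote code execution. Replaces
MS08-076. Critical
MS09-053 - FTP Service. Remote code execution. Important
MS09-054 - Internet Explorer. Remote code execution. Replaces
MS09-034. Critical
MS09-055 - ActiveX Killbits. Remote code execution. Replaces
MS09-032. Critical
MS09-056 - Windows. Spoofing. Replaces MS04-007. Important
MS09-057 - Indexing Service. Remote code execution. Replaces
MS06-053. Important
MS09-058 - Windows. Privilege Escalation. Replaces MS07-022 and
MS08-064. Important
MS09-059 - LSASS. Denial of service. Important
MS09-060 - Active Template Library. Remote code Execution. Replaces
MS08-015. Critical
MS09-061 - .NET CLR. Remote code execution. Replaces MS07-040. Critical
MS09-062 - GDI+. Remote code execution. Replaces MS08-052. Critical
"""

BULLETIN_START = re.compile(r"^(MS\d{2}-\d{3}) - (.+)$")
MS_ID = re.compile(r"MS\d{2}-\d{3}")
SEVERITY_ORDER = ("Critical", "Important", "Moderate", "Low")


def unwrap_entries(text):
    """Re-join entries that the mail client wrapped onto a second line.

    A line starting with a bulletin id opens a new entry; any other
    non-empty line is a continuation of the entry before it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = BULLETIN_START.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries:
            entries[-1][1] += " " + line
        else:
            raise ValueError(f"continuation line before any bulletin: {line!r}")
    return entries


def parse_entry(bulletin, body):
    """Split 'Component. Impact. [Replaces X and Y.] Severity' into fields."""
    fields = [f.strip() for f in body.split(". ")]
    if len(fields) < 3:
        raise ValueError(f"{bulletin}: unexpected layout {body!r}")
    severity = fields[-1].rstrip(".")
    if severity not in SEVERITY_ORDER:
        raise ValueError(f"{bulletin}: unknown severity {severity!r}")
    replaces = []
    for extra in fields[2:-1]:
        if not extra.startswith("Replaces "):
            raise ValueError(f"{bulletin}: unexpected field {extra!r}")
        replaces.extend(MS_ID.findall(extra))
    return {
        "bulletin": bulletin,
        "component": fields[0],
        "impact": fields[1].lower(),  # normalises 'Remote code Execution'
        "replaces": replaces,
        "severity": severity,
    }


def parse_technical_description(text):
    return [parse_entry(b, body) for b, body in unwrap_entries(text)]


def triage(entries):
    """Bulletin ids grouped by severity, most severe group first."""
    grouped = defaultdict(list)
    for entry in entries:
        grouped[entry["severity"]].append(entry["bulletin"])
    return {sev: sorted(grouped[sev]) for sev in SEVERITY_ORDER if grouped[sev]}


def superseded(entries):
    """Older bulletins this release replaces; tickets for them can be closed."""
    return sorted({old for entry in entries for old in entry["replaces"]})


if __name__ == "__main__":
    parsed = parse_technical_description(TECHNICAL_DESCRIPTION)
    for severity, ids in triage(parsed).items():
        print(f"{severity}: {len(ids)} -> {', '.join(ids)}")
    print("superseded:", ", ".join(superseded(parsed)))
```

Run stand-alone it reports the eight Critical and five Important bulletins
and the ten older bulletins they replace. The strict layout checks are
deliberate: a bulletin line that does not fit the expected shape raises
rather than silently landing in the wrong severity bucket.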
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms09-oct.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811
-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms09-050.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-051.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-052.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-054.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-055.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-056.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-057.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-058.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-059.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-061.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-062.mspx
-- External Tracking Data --
Upgrade to get tracking details
-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS
2.1 Strange Bug Plagues Apple OS
News is spreading rapidly about a serious flaw affecting Apple's
latest Operating System, Snow Leopard (OS X 10.6), first being made
public in early September on Apple's Discussion boards. The timing for
this widespread coverage is unfortunate, given the massive patch
release from Microsoft with their October Security Bulletins this week.
The bug apparently can only be triggered on systems that were upgraded
from Leopard (OS X 10.5) and had the Guest account active before the
upgrade was carried out. The bug is very much real, but it is difficult
to reproduce reliably. What affected users have in common is having
logged into the Guest account, logged out, and then returned to another
account, at which point the home directory of the non-Guest account is
found to have been wiped clean, as the Guest account's home directory is
meant to be.
It has been suggested that the error may be tied to how the system
cleans up following use of the Guest account, which is designed to
wipe itself clean following each use. The suggestion is that this
wiping process is not triggered properly and so activates next time
the user logs into a non-Guest account and it results in the wiping
taking place not only in the Guest account but also others.
Initial reporting suggested that for the bug to be triggered the user
would have been forced to reboot due to a system freeze in the Guest
account, though reports from other affected users provided examples
where merely attempting to log into the Guest account was sufficient
to wipe the home directories.
From the different reports on the bug it seems likely that there is
an issue with the logout / account wipe actions that are scheduled to
take place following the Guest account logout. It may be something
such as a race condition, where the command to clean the Guest home
directory is racing against a command with higher privileges and
occasionally gets to slip in under the higher privilege set and
executes against more than just the Guest account. This would explain
why it has been difficult to reproduce reliably. It may be a buffer
overflow, where the command to erase is overflowing into the memory
space of a higher privileged application. If memory randomisation
(ASLR or the like) is being used by the buggy processes, it could also
explain why reproduction of the flaw is so difficult - being able to
reliably overwrite the higher privileged memory space is much harder
than without randomisation.
So far the bug has slipped through the initial OS release as well as
the first update (10.6.1). Apple have acknowledged the presence of the
bug and are working on addressing it, though with rumours of 10.6.2
being available soon, it isn't certain whether a fix will make it into
this update.
Backing up regularly is very beneficial; however, backing up to an
Apple Time Capsule might be as risky as using the Guest account on
Snow Leopard. Time Capsules have recently had troubles with possible
overheating leading to hard drive and power supply failures, resulting
in sudden death of the devices. Concerned users should ensure they back
up regularly and avoid use of the Guest account where possible.
2.2 FTC Moves to Ensure Compensated Reviews Are Clearly Identified
A recent decision by the FTC will require online content providers to
explicitly disclose any payment, goods or services that they have
received in return for providing a review of a product, and will ensure
advertisers cannot present dramatic results and then claim that those
results aren't typical.
The new rules aren't going to be enforceable until the start of
December, but it's really only going to be relevant for sites where it
isn't already plainly obvious that a commercial or in-kind
relationship exists. Those sites already risk their reputation by
trying to sneak a review-with-benefits in amongst their regular
content. Sometimes it works, but when it fails, the loss of
credibility and trust amongst their readership can be critical.
This type of guerrilla marketing tries to catch the potential market
off-guard in an environment where they aren't expecting to be marketed
to and while it can be effective, if it is exposed it tends to lead to
dissatisfaction and disgust by the consumer and can see boycotts of
the marketed products and the content provider who delivered the
marketing. It can fall foul of existing deceptive marketing laws, so
the steps being taken by the FTC are about making it clearer how the
rules apply to the online environment.
We don't receive sponsorship or payment for articles that discuss
specific technologies or products and choose not to run advertising
alongside our articles in order to maintain a clear separation of
interest. Our goal is to provide you, the reader, with the best
service and content possible without risking muddying our message with
potential conflicts of interest.
2.3 Charging for Online Content Won't Make it Any More Accurate
Attempts to get consumers of news to pay for what they are reading
continue to stumble ahead. We have already covered previous
announcements from News Corporation that they will be making their
online content fee based, and the challenges and struggles that they
and other content providers face in getting their consumers to pay for
what they provide.
News Corporation is continuing to move forward with their efforts to
lock away their content, with both News Corporation and Associated
Press making announcements at a recent Beijing conference that they
are getting fed up with the "content kleptomaniacs" who are co-opting
the content that they provide.
The irony of delivering such a message in a Chinese forum appears to
have been lost on those delivering the message, but it is getting to
the point that, unless they hurry up and get on with locking away
their content so that the market can determine for itself whether
these content providers actually provide enough benefit to make it a
viable business model, they are going to risk making themselves even
more irrelevant to the wider public.
Other content providers seem to be expanding the reach of their
fee-based services, with claims that The Economist will be moving more of
their historical content behind their fee-based services, and
shortening the period that content is available free of charge. While
there is no obvious statement at The Economist regarding this
impending move (to happen tomorrow), the soon-to-be fee-based content
is still available freely.
The move to fee-based services might see an overall reduction in the
variety and number of available services, even including those that
have moved to a fee-based offering. That doesn't help continued claims
of poor fact-checking, outright false claims and inability to
determine trustworthiness of sources, especially previously unseen
single-source reporting. Recently ZDNet were caught out when they
claimed that Yahoo had turned over usernames to Iran following recent
protests, a stance they have since redacted. Reputation might take a
long time to build up, but it doesn't take very long to destroy,
especially in an environment where the rush to be first is more
important than being right.
There are some organisations that are dedicated to being both when it
comes to reporting and which will continue to provide news freely to
readers.
2.4 Major Phishing Attack Reports Surface in October
Several years ago the average computer user would not have been
expected to know that phishing, identity theft, or any number of
Information Security issues existed, nor how important they actually
were to staying safe online and in everyday life. With the almost
constant public reporting in the intervening years, it is rare that
you would come across someone who hasn't heard of identity theft or
phishing, or at least knows someone who has been affected by it
personally (though it might be described as "a hacker did something").
Even with this increase in awareness and reporting, it is evident that
people keep getting caught out, with multiple reports of phishing
attacks surfacing since the start of October. Everything from vast
numbers of Hotmail accounts compromised, to the potential that many
other providers may have been affected, and to reports that the FBI
Director was almost a victim of a phishing attempt.
There still aren't many clues as to just how significant these
phishing collections actually are, given that the data intercepted
recently was only for the first couple of letters of the alphabet
(Hotmail sample) and unknown distribution for the other cases, but it
does suggest a massive number of potentially vulnerable accounts.
It is a remote possibility that these data sets have been leaked from
within the mail providers, or it could just be a collation of
historically leaked / scraped email accounts over many years. Given
that at least some of the accounts are still active and operating
under the same password (as checked by other agencies) it doesn't give
much weight to that particular theory.
Analysis of the account details has shown that a standard dictionary
attack against at least online mail services is still going to net a
high number of compromised accounts. 60% of the exposed accounts were
protected with nothing more than a string of numbers, or a string of
purely lowercase alphabetic characters. Almost 70% of passwords were
between 6 and 9 characters long (almost 90% between 6 and 12
characters) which also reduces the number of likely combinations
required to try and gain access to an account. Surprisingly, of the
sample studied, 90% of passwords were unique, with the most popular
password (123456) only being used 64 times (around 1%). Other trends
within the password distributions suggest that the accounts are the
result of phishing attacks against Spanish-speaking users.
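The composition statistics quoted above (share of digits-only and
lowercase-only passwords, length bands, uniqueness, most common value) are
straightforward to compute over any exposed set. The Python below is an
added example, not code from the advisory or its authors: it runs that audit
over a constructed password sample, and also counts how many entries would
already meet a minimum length and character-class rule. The sample list, the
class definitions and the policy thresholds are assumptions made up for the
illustration, not figures from the Hotmail data.

```python
import string
from collections import Counter

# Constructed sample: made-up passwords in the style the advisory describes,
# not taken from any real credential dump.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456",
    "alejandra", "alberto", "tequiero",
    "654321", "1234567890",
    "qwerty", "password",
    "Pa55w0rd!", "correct horse", "Tr0ub4dor&3", "Summer2009",
    "abc123", "mariposa", "12345678", "Luis_1985", "holahola",
    "S3cur3-Pwd-Long!",
]


def classify(password):
    """The advisory's two weak classes, plus 'other' for everything else."""
    if password.isdigit():
        return "digits"
    if password.isalpha() and password.islower():
        return "lowercase"
    return "other"


def weak_class_share(passwords):
    """Fraction that are digits-only or lowercase-letters-only."""
    weak = sum(1 for p in passwords if classify(p) != "other")
    return weak / len(passwords)


def length_band_share(passwords, low, high):
    """Fraction whose length lies in [low, high] inclusive."""
    return sum(1 for p in passwords if low <= len(p) <= high) / len(passwords)


def unique_share(passwords):
    """Fraction of entries whose password appears exactly once in the set."""
    counts = Counter(passwords)
    return sum(1 for p in passwords if counts[p] == 1) / len(passwords)


def character_classes(password):
    """Number of distinct classes present: upper, lower, digit, punctuation."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(1 for check in checks if any(check(c) for c in password))


def policy_survivors(passwords, min_length=10, min_classes=3):
    """How many entries already satisfy a minimum length/complexity rule.

    The thresholds are assumptions for this example, not a standard the
    advisory cites.
    """
    return sum(1 for p in passwords
               if len(p) >= min_length and character_classes(p) >= min_classes)


def audit(passwords):
    """Summary of the distribution in the shape the advisory reports it."""
    return {
        "count": len(passwords),
        "digits_or_lowercase_share": weak_class_share(passwords),
        "len_6_to_9_share": length_band_share(passwords, 6, 9),
        "len_6_to_12_share": length_band_share(passwords, 6, 12),
        "unique_share": unique_share(passwords),
        "top": Counter(passwords).most_common(3),
        "survive_policy": policy_survivors(passwords),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

On the constructed sample 65% of entries fall into the two weak classes,
75% are 6 to 9 characters long, and only three of the twenty would pass a
ten-character, three-class rule; the same functions can be pointed at a
real exposed list to decide whether forced resets or a stricter policy are
warranted.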
While there is bad news for the users who had their accounts exposed,
there is some good news regarding policing those who carry out these
attacks. A two-year operation of the Egyptian and US authorities has
seen 100 people arrested over a series of phishing scams that targeted
US financial institutions and netted $1.5 million USD for the
scammers. The net return per scammer may not seem like much,
especially weighed against the resources that the authorities likely
applied to the investigation and capturing them, but it sends a
message that the authorities are willing to take real action against
people who scam others online.
2.5 Anonymous Targets Australian Government Over Censorship Plan
An entry on the ISC blog suggests that Australian government websites
will be targeted later on today (September 9) in a targeted attack by
"Anonymous", a loose group of otherwise unconnected individuals
acting towards a common goal, commonly associated with having
originated from the 4chan messageboard.
The website set up as a call to action 09-09-2009.org doesn't
explicitly mention the steps that will be taken as part of their plan
to get their demands met, namely the resignation of current Federal
Communications Minister, Stephen Conroy, and the abolition of the
blacklist that forms the basis for the Federal Government's censorship
plan.
Despite the lack of explicit activity mentioned, if past actions
linked to "Anonymous" groups are any indication, then it is highly
likely that a distributed denial of service (DDoS) will be carried out
against government sites. The statement that the group also seeks to
leak and distribute the blacklist as well as make freely available
methods to bypass the censorship, raises the possibility that rather
than carrying out a straight denial of service, the attacks may lead
to the takeover of certain specific sites where information about
avoiding the blacklist and planned censorship will then be published.
While there is a general sense of disgust at the planned government
censorship plan, it also seems that the plans for Internet filtering
aren't going to be anything more than that, just plans. The wider
Australian public may not know about the plans in depth, nor really
care about the means to bypass the filtering. Those that do, probably
already know how to achieve it and this action under the "Anonymous"
banner quite likely may not lead to any significant change, either in
government stance, or in wider awareness of the information that
"Anonymous" is distributing. Australians are famous for their laid-back
attitudes, and this is probably going to be a situation where the
laid-back attitudes will see a smaller than expected result, if any at
all from the currently-unknown actions that "Anonymous" will carry out.
If they are successful, then it would be a remarkable first for many
reasons. Forcing a sitting Minister to resign through nothing more
than Internet bluster would be astounding, as would be an "Anonymous"
challenge being successful beyond a short term or a very localised area.
=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444
** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and,
in conjunction with the tools developed by Jongsma & Jongsma Pty.
Ltd., provides total security solutions and services, from the
perimeter to internal data stores, including web application security
and security testing and analysis.