From alertmailinglist at skiifwrald.com Thu Aug 12 19:00:53 2010
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Thu, 12 Aug 2010 17:00:53 +0800
Subject: [Sunnet Alert] Advisory #281 - Microsoft (Multiple), Multiple News
Message-ID:

Sûnnet Beskerming Alert List Advisory #281

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 1 Day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Early Reports Point to Dismal Result for Times Paywall
2.2 Australian Government [REDACTED] Public [REDACTED] Retaining Internet Traffic
2.3 Critical Windows Flaw Gets Out of Cycle Patch From Microsoft
2.4 Australian Opposition Will Block ISP-level Internet Filtering
=====================================

1. SECURITY

1.1 Microsoft Windows - Remote Hacker Automatic Control

-- Products Affected --
Windows, Office, Internet Explorer, .NET, Silverlight

-- Technical Description --
MS10-047 - Windows. Elevation of Privilege. Replaces MS10-021. Important
MS10-048 - Windows. Elevation of Privilege. Replaces MS10-032. Important
MS10-049 - IIS, SChannel. Remote Code Execution. Critical
MS10-050 - Windows Movie Maker. Remote Code Execution. Replaces MS10-016. Important
MS10-051 - XML Core Services. Remote Code Execution. Replaces MS08-069. Critical
MS10-052 - MP3 Codecs. Remote Code Execution. Critical
MS10-053 - Internet Explorer. Remote Code Execution. Replaces MS10-035. Critical
MS10-054 - SMB Server. Remote Code Execution. Critical
MS10-055 - Cinepak Codec. Remote Code Execution. Critical
MS10-056 - Word. Remote Code Execution. Replaces MS09-068, MS09-027, MS10-036. Critical
MS10-057 - Excel. Remote Code Execution. Replaces MS10-036, MS10-038. Important
MS10-058 - TCP/IP. Elevation of Privilege. Important
MS10-059 - Tracing Feature. Elevation of Privilege. Important
MS10-060 - .NET, Silverlight. Remote Code Execution. Replaces MS09-061. Critical

-- Description --
August's Security Bulletin release from Microsoft saw 14 bulletins released, in line with the Advance Notification from last week. Six bulletins were rated Important, with the remainder rated Critical. An out-of-cycle bulletin (MS10-046) was released at the start of last week to address a remote code execution vulnerability affecting all versions of Windows that could be triggered through .LNK and .PIF filetypes.
Several patched vulnerabilities have already been reverse engineered to develop exploit code, though exploit code was only believed to have been available for the MS10-048 vulnerabilities ahead of bulletin release.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms10-047.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-048.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-050.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-051.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-052.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-053.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-054.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-055.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-056.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-057.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-058.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-059.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-060.mspx

-- External Tracking Data --
CVE-ID: CVE-2010-1888 (MS10-047)
CVE-ID: CVE-2010-1889 (MS10-047)
CVE-ID: CVE-2010-1890 (MS10-047)
CVE-ID: CVE-2010-1887 (MS10-048)
CVE-ID: CVE-2010-1894 (MS10-048)
CVE-ID: CVE-2010-1895 (MS10-048)
CVE-ID: CVE-2010-1896 (MS10-048)
CVE-ID: CVE-2010-1897 (MS10-048)
CVE-ID: CVE-2009-3555 (MS10-049)
CVE-ID: CVE-2010-2566 (MS10-049)
CVE-ID: CVE-2010-2564 (MS10-050)
CVE-ID: CVE-2010-2561 (MS10-051)
CVE-ID: CVE-2010-1882 (MS10-052)
CVE-ID: CVE-2010-1258 (MS10-053)
CVE-ID: CVE-2010-2556 (MS10-053)
CVE-ID: CVE-2010-2557 (MS10-053)
CVE-ID: CVE-2010-2558 (MS10-053)
CVE-ID: CVE-2010-2559 (MS10-053)
CVE-ID: CVE-2010-2560 (MS10-053)
CVE-ID: CVE-2010-2550 (MS10-054)
CVE-ID: CVE-2010-2551 (MS10-054)
CVE-ID: CVE-2010-2552 (MS10-054)
CVE-ID: CVE-2010-2553 (MS10-055)
CVE-ID: CVE-2010-1900 (MS10-056)
CVE-ID: CVE-2010-1901 (MS10-056)
CVE-ID: CVE-2010-1902 (MS10-056)
CVE-ID: CVE-2010-1903 (MS10-056)
CVE-ID: CVE-2010-2562 (MS10-057)
CVE-ID: CVE-2010-1892 (MS10-058)
CVE-ID: CVE-2010-1893 (MS10-058)
CVE-ID: CVE-2010-2554 (MS10-059)
CVE-ID: CVE-2010-2555 (MS10-059)
CVE-ID: CVE-2010-0019 (MS10-060)
CVE-ID: CVE-2010-1898 (MS10-060)

-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Early Reports Point to Dismal Result for Times Paywall

It has been less than a month since The Times and The Sunday Times disappeared behind a paywall, and the only available information about the relative success or failure of the move has been what third party web traffic monitors are claiming. Traffic monitors such as Alexa are showing decreases of more than 60% in just a month, and time on the site decreasing by a third. While this doesn't provide a detailed breakdown of just where on the site users are headed or end up, the reduction in time spent on the website is more likely to be a better indicator of users hitting the paywall and then leaving soon afterwards, rather than paying and continuing to browse and get some value from their payment. Coverage from a competing newspaper, The Guardian, suggests that the figure is closer to 90%, and other coverage suggests that the damage is even greater than that.
As some have pointed out, if the move was a success, then it would have been trumpeted loudly from the other, still freely accessible online, News Corporation assets, something which has been conspicuously absent. Until audited figures can be obtained from News Corporation, the full extent of any increase or decrease of readership will only be an educated guess at best.

2.2 Australian Government [REDACTED] Public [REDACTED] Retaining Internet Traffic

In less than a month Australians will be going to the polls to elect a new Federal Government. In the run up to the last federal election, there were promises and counter promises from both major parties to enact some form of Internet filtering, something that moved forward post-election, but has attracted criticism along the way. This time around, the arguments being put forward sound very similar to last time, with both parties expected to support some form of Internet filtering.

What has surprised, and shocked, many is the release of a heavily redacted document detailing plans to require ISPs to retain traffic for law enforcement access, irrespective of whether a user is suspected of any wrongdoing. With so much information redacted, the document almost appears to be a parody of itself. With the government pushing for the ability to retain and peruse Internet traffic at will, the hiding of the content of a consultation paper mocks the idea of the Australian public having a transparent government and the ability to observe the machinations of policymaking.

There is no evidence that the document has any security information on it whatsoever, despite the name of the file. The only handling limitation that can be seen is "Not for further distribution". Claims that parties involved have been sworn to secrecy don't make sense off the released document alone.
Either there are further documents that are classified appropriately that provide the guidance and establish the primacy for secrecy, or the government needs to revisit how to use established procedure to handle and control the flow of information and not make it up as they go along. If it's secret, then make it so. If it isn't sensitive, then don't hide it.

Rationale given for redacting so much information is that the government wants to avoid "premature unnecessary debate" which, combined with the unredacted data "could potentially prejudice and impede government decision making". It is hard to avoid considering

Even more baffling is the redaction of terminology in the definitions section of the document. What possible sensitivity could there be in acronyms or Information Security specific terminology that isn't already alluded to by the plan to store all Internet traffic?

The unredacted questions that were passed to industry members make it seem like a requirement to store all network traffic is nothing more than a formality. The question will be a matter of when, not if. With the similar schools of thought on Internet filtering on both sides of parliament, even a change of power is unlikely to see this plan go away in its entirety.

At least the Australian Government gets the idea of redacting information correct, physically blacking out information, then scanning it back into electronic form, but it's disturbing that this is the most positive aspect of the release of this document.

The EU's Data Retention Directive is cited at the start of the redacted document, so this may give an insight into what the government may be planning. Article six of the Directive directs member states of the EU to retain data for no less than six months, and no more than two years, from the time of communication.
Normally known for its strong stance on the rights to privacy of its citizens, and to have their data protected, the EU's retention policy has good intentions but doesn't seem to meld well with these extant concepts. There is push back beginning to take place, but this has so far only targeted national implementations and not the overarching EU directive.

The road to hell is paved with good intentions. The more reactionary reader might argue that the road to a totalitarian state is also paved with good intentions and that free is becoming a dirty four letter word. Perhaps Hayek's The Road to Serfdom should be on more political reading lists.

Perhaps the best comment comes from several years ago, with similar arguments for similar filtering attempts in Australia: "The fact of the matter is that no Australian family today need be exposed to the type of material that (the Australia Institute report) highlighted," ... "No other countries in the world, other than a few totalitarian regimes, have subjected their populations to mandatory filtering".

2.3 Critical Windows Flaw Gets Out of Cycle Patch From Microsoft

It might have started slow, but reports of a major vulnerability in Windows systems that surfaced following July's security bulletin release by Microsoft have been deemed important enough for Microsoft to release an out-of-cycle bulletin, a week ahead of the scheduled August Security Bulletin release. Initial detection of the vulnerability was a result of it being discovered in malware that was targeting Windows-based SCADA systems, and as more information came to light over subsequent days, the vulnerability took on worse and worse proportions.

Microsoft's current advisory on the issue highlights that it affects all currently supported versions of Windows (XP SP3, 2003, Vista, 2008, 7), as well as the recently unsupported Windows 2000 and XP SP2. At fault is the way that the Windows Shell handles processing of shortcuts, in particular rendering the icons of shortcuts.
This can be triggered via USB drives, remote shares, WebDAV, or even embedded in otherwise safe documents. From Microsoft's current advisory, it is even possible to trigger this through a normal website, provided that the icon file is present for the browser to attempt to render (or at least pass off to the system for processing). The at-risk file extensions are currently reported as .lnk and .pif, which makes filtering against them very difficult to achieve without causing issues for wider system usefulness and stability. Microsoft's non-patch mitigation recommendation is to disable the displaying of shortcut icons via the Registry, and to disable the WebClient service, though this will impact applications relying upon the WebClient service for functionality.

To trigger the vulnerability, a user has to open or browse to a folder that has a malicious .lnk or .pif file in it, irrespective of the folder's location. If autorun is enabled, any external media (USB devices, for example) can trigger the vulnerability just by being attached to a Windows system. Interacting with the file itself is not required, merely browsing the folder containing it. While the .lnk or .pif file can be located anywhere, the executed code has to be positioned in a known location in order to be properly targeted and launched.

Unless the at-fault code is a piece of code that has survived from Windows XP, through the various iterations of Microsoft's secure development initiatives, and made its way into all other versions of Windows without a problem being noticed, it would imply that the underlying vulnerability is a design error. Either way, flawed initial implementation that was then re-used, or design fault, the entire Windows line is at risk of arbitrary code execution through some very simple actions.
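For administrators who want to confirm that the non-patch mitigations described above are actually in place on a host, the following PowerShell script is an added example and is not part of the advisory. It assumes Microsoft's published workaround locations for this issue (the lnkfile and piffile IconHandler default values, the WebClient service and the NoDriveTypeAutoRun policy value) and PowerShell 3.0 or later; confirm the locations against the bulletin before relying on the result.

```powershell
# Added example, not from the advisory: report whether the MS10-046 non-patch
# mitigations are in place on this host. Run from an elevated PowerShell
# prompt. Assumes Microsoft's published workaround locations (IconHandler
# default values, WebClient service, NoDriveTypeAutoRun policy value).

function Get-ShortcutIconExposure {
    $report = [ordered]@{}

    # 1. Shortcut icon handlers. The workaround clears the default value of
    #    HKCR\<type>\shellex\IconHandler so Explorer no longer loads the
    #    handler when a folder containing a .lnk or .pif file is browsed.
    foreach ($type in 'lnkfile', 'piffile') {
        $key   = "Registry::HKEY_CLASSES_ROOT\$type\shellex\IconHandler"
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $report["$type IconHandler"] =
            if ([string]::IsNullOrEmpty($value)) { 'cleared (mitigated)' }
            else { "present: $value (icons still rendered)" }
    }

    # 2. WebClient service. Disabling it removes the WebDAV delivery vector,
    #    at the cost of applications that depend on the service.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    $report['WebClient service'] =
        if ($null -eq $svc) { 'not installed' }
        elseif ($svc.StartMode -eq 'Disabled') { 'disabled (mitigated)' }
        else { "$($svc.State), start mode $($svc.StartMode)" }

    # 3. AutoRun policy. 0xFF disables AutoRun for every drive type, so
    #    attaching removable media does not open its folder automatically.
    $pol  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $auto = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun `
             -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $report['NoDriveTypeAutoRun'] =
        if ($null -eq $auto) { 'not set (AutoRun enabled)' }
        elseif ($auto -eq 0xFF) { '0xFF (all drive types disabled)' }
        else { 'partial: 0x{0:X2}' -f $auto }

    [pscustomobject]$report
}

Get-ShortcutIconExposure | Format-List
```

Once the bulletin itself has been applied, the workarounds can be reversed and the script serves only as a record of which hosts still carry them.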
About the only redeeming factor for the moment is the very targeted usage that the malware has had, and that it has not yet been able to target the vulnerability automatically across networks, though it can be triggered through different vectors. Windows administrators are strongly urged to apply the bulletin as soon as it is released this week. With the late notice of the release, it is likely the first that many will know about it is when it appears ready for installation. With its applicability across all Windows systems and its seemingly simple method of execution, this vulnerability is sure to be an attack vector for many years to come.

The use of legitimate digital certificates to sign the current malware has some researchers scratching their heads as to just how well connected the malware writers may be. On the positive side, Microsoft has opened the specification for .lnk files, so perhaps many eyes will make for shallow bugs. The other side of that is the release date for the specification is only a couple of days before the malware was reported as being detected, so there's always the possibility that someone discovered their own vulnerability in the specification and targeted it as a result of that. There is always the Security - None section, which is somewhat telling.

2.4 Australian Opposition Will Block ISP-level Internet Filtering

Polls in Australia's Federal election are only two weeks away, and there has been some interesting movement from one of the main parties on the subject of Internet filtering. While both major parties have strongly been in favour of national filtering of Internet connections, there has been little to suggest that the current plan of action would change no matter which party is elected into power in two weeks' time.
Suddenly that has changed, with the current opposition announcing to the national broadcaster's youth radio network that they will not support the current government's push for mandated ISP-level filtering of all user connections. This stance has been welcomed by Internet advocacy groups, but the statement only amounts to what they will do if returned to Opposition, not what they will do if they are voted into power. It is reassuring to see that the complaints from ISPs and user groups, that the current plan for filtering is not feasible, have been heard.

It would seem, from the comments made, that the Coalition's preferred method of filtering implementation would be to place the power to filter in the user's hands, allowing them to decide for themselves if they and their family will use filtering software to restrict their Internet access, without adversely affecting the experience of other users, who do not want restrictions on their access. The opposition spokesman indicated that a more in depth comment on Internet filtering will be coming in the future, but with only two weeks before the election they are running out of time to put forward something that is either similar to the current government's plan (and a fairly restrictive extension of what they themselves put forward when last in power) or something that gives the decision to filter to the actual users and provides a fairer and more balanced approach than previously suggested.

Although the national broadcaster has traditionally been seen as slightly left-leaning in its bias (i.e. slightly in support of the Labor party, the current government, with an even stronger left-leaning bias on its youth network - more in support of Democrats and Greens), and the comments on stories posted tend to support this slight bias (though each side claims the network is biased in favour of their opponents), the comments posted to coverage of this news are almost overwhelmingly in support of the Coalition. Many go so far as to say that this particular announcement is enough to have swung their vote in favour of the Opposition. For others it has been enough to introduce significant uncertainty into their vote, but not enough to swing it across to the Opposition.

=======================================

Sincerely,
Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.