From alertmailinglist at skiifwrald.com Sun Jan 17 22:24:03 2010
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Sun, 17 Jan 2010 22:54:03 +1030
Subject: [Sunnet Alert] Advisory #274 - Microsoft Windows, Multiple News
Message-ID:

Sûnnet Beskerming Alert List Advisory #274

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question. Did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Manual Control - Time Since Discovery - 5 Days

=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Critical Acrobat and Reader Vulnerability - a Month to Patch
2.2 SQL Injections Strike Again

=====================================
1. SECURITY

1.1 Microsoft Windows - Remote Hacker Manual Control

-- Products Affected --
Windows

-- Technical Description --
MS10-001 - Windows. Remote code execution. Replaces MS09-029. Critical

-- Description --
Microsoft's first Security Bulletin release for 2010 has seen a single bulletin released, addressing a single flaw in the OpenType Font Engine. Although the patch is only rated Critical for Windows 2000 systems, it is applicable to all supported Windows versions and can lead to remote code execution on all of them. There was no public awareness of the vulnerability or of exploit attempts ahead of the patch release.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.

-- Source --
http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms10-001.mspx

-- External Tracking Data --
CVE-ID: CVE-2010-0018 (MS10-001)

-- Threat Matrix --
                U   O
Home User       8   8 (Critical)
Corporate       8   8 (Critical)

=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================
2. NEWS

2.1 Critical Acrobat and Reader Vulnerability - a Month to Patch

In a little over a week from now, Adobe are planning to release a security patch for a vulnerability affecting Adobe Reader and Acrobat 9.2 and earlier versions on Windows, OS X and Unix systems.
The extent of the vulnerability is that it can allow an attacker to take over a vulnerable system when a victim is tricked into opening a malicious file, and it was reportedly being attacked in the wild prior to Adobe's security advisory release on December 15.

Like many of the Adobe Acrobat and Reader vulnerabilities that have come before, this one lies in how the applications process JavaScript content within affected files. Prior advice, given for earlier vulnerabilities, to disable the processing of JavaScript in Reader and Acrobat still stands. Doing so mitigates this style of PDF vulnerability, but still leaves users exposed to other embedded attacks. The catch with this hardening step is that whenever Reader detects that a file contains JavaScript while JavaScript support is disabled, it prompts the user to re-enable it. In practice this means users need to be on their toes when their systems prompt them to reverse an action they previously took to improve their system's security.

Adobe has come a long way with its vulnerability handling and security response, something it should be commended for. However, leaving a critical vulnerability that can lead to system compromise unpatched for a month, especially one that is already being attacked in the wild, is a gutsy call, more so when information about the vulnerability has not been updated since December 15. Given that user apathy is considered responsible for a significant percentage of vulnerable situations (and ultimately successful attacks), the delay between vulnerability discovery and patch release seems almost excessive, but it is still an improvement over not acknowledging the presence of the vulnerability and keeping the intended patch release date obscure.
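Because the mitigation above depends on knowing which PDFs carry JavaScript before Reader sees them, here is an added Python example (not code from Adobe or from this newsletter) of a lightweight pre-screen that flags the PDF name tokens that carry or trigger scripts; both PDF skeletons are constructed for the demonstration.

```python
import re

# Constructed, hand-built PDF skeletons for illustration; neither is a real-world file.
# The first has an OpenAction that runs JavaScript, the second carries no script at all.
SAMPLE_PDF_WITH_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hello');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SAMPLE_PDF_CLEAN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name tokens worth flagging before a file reaches Reader: the script carriers themselves
# plus the dictionary keys that run them automatically on open or on page events.
RISKY_NAMES = {b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch"}

# PDF name objects may hex-escape any character (/J#53 is /JS), so decode before matching.
_NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")

def _decode_name(raw: bytes) -> bytes:
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def pdf_risky_names(data: bytes) -> set:
    """Return the risky name tokens visible in the uncompressed parts of a PDF.

    Names inside FlateDecode streams or object streams are not visible to this
    scan; decompress those first (or use a full PDF parser) for complete coverage.
    """
    return {_decode_name(m.group(1)) for m in _NAME_RE.finditer(data)} & RISKY_NAMES

def pdf_has_javascript(data: bytes) -> bool:
    return bool(pdf_risky_names(data) & {b"JavaScript", b"JS"})

if __name__ == "__main__":
    for label, blob in (("with_js", SAMPLE_PDF_WITH_JS), ("clean", SAMPLE_PDF_CLEAN)):
        print(label, sorted(pdf_risky_names(blob)), pdf_has_javascript(blob))
```

A hit is a reason to quarantine or open the file with JavaScript disabled, not proof of malice, since legitimate forms also use JavaScript.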
2.2 SQL Injections Strike Again

One of the golden rules of developing websites is that any time users are able to enter data of any sort on the site, that data should be validated before anything is done with it in the site's back end. This validation is designed not only to provide the site with usable input, but also to ensure that weaknesses in the site's code aren't inadvertently exposed by misplaced punctuation. Correctly validated input is also an essential element of a secure site, whether those probing your security are doing so for malicious reasons or not. Getting it right can be difficult, even for companies that are in the business of Information Security.

Of the various forms of website vulnerabilities that result from improperly validated user input, SQL injection (SQLi) is one of the more dangerous. Improperly validated input that is passed directly to a database can allow an attacker to pass SQL commands as part of their input. Because that input reaches the database directly, the attacker can retrieve data or, in the worst case, take control of the database.

Just how bad a problem SQLi is depends on the level of permissions granted to the website's account when it interacts with the database server. A tightly restricted database user account limits an SQLi to data extraction from the databases and tables that the site normally interacts with. On the other hand, a fully privileged database account (sadly all too common for many sites) can allow an attacker to add, read and delete data, manipulate the database setup, or even gain full access to every other database on the server. All this through nothing more than text entered on a website.

It is still a major problem, with recent reports identifying more than 100,000 sites that have been compromised since November as a result of a single coordinated attack. It isn't just everyday sites that come under attack either, with Kaspersky coming under renewed attack.
Although the attack wasn't against the main Kaspersky site, a successful attack against branded partner sites is still an embarrassing result for the Information Security software developer.

=======================================
Sincerely,
Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.