From alertmailinglist at skiifwrald.com Wed Jul 14 15:45:32 2010
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Wed, 14 Jul 2010 15:15:32 +0930
Subject: [Sunnet Alert] Advisory #280 - Microsoft (Multiple), Multiple News
Message-ID:

Sûnnet Beskerming Alert List Advisory #280

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question. Did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 1 Day
=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Torrent Supersite User Database Compromised
2.2 The Times and The Sunday Times Disappear Behind Pay Wall
2.3 Pornographic Top Level Domain Approved by ICANN
2.4 AusCERT Replaced by CERT Australia for Government Services
2.5 As Adobe Contemplates Monthly Patch Cycle, Critical Vulnerability Threatens
=====================================

1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows, Office

-- Technical Description --
MS10-042 - Windows. Remote Code Execution. Critical
MS10-043 - Windows. Remote Code Execution. Critical
MS10-044 - Office. Remote Code Execution. Critical
MS10-045 - Office. Remote Code Execution. Replaces MS09-060. Important

-- Description --
As part of July's Security Bulletin release, Microsoft have released four bulletins: two Critical Windows updates, one Critical Office update, and one Important Office update. One of the bulletins (MS10-042) addresses a vulnerability that is being actively exploited, and applying it is considered highly critical. All four bulletins address remote code execution vulnerabilities.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms10-jul.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms10-042.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-043.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-044.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-045.mspx

-- External Tracking Data --
CVE-ID: CVE-2010-1885 (MS10-042)
CVE-ID: CVE-2009-3678 (MS10-043)
CVE-ID: CVE-2010-0814 (MS10-044)
CVE-ID: CVE-2010-1881 (MS10-044)
CVE-ID: CVE-2010-0266 (MS10-045)

-- Threat Matrix --
               U    O
Home User     10   10 (Highly Critical)
Corporate     10   10 (Highly Critical)
=======================================
/*
Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Torrent Supersite User Database Compromised

With all of the legal, semi-legal, and illegal uses for torrent files, the presence of specialised torrent search engines and trackers is bound to attract the attention of groups who would go to any length to find out the identities of users who frequent the sites. One of the largest such sites, Pirate Bay, has had more than 4 million of its user accounts compromised, after Argentinian attackers contacted KrebsonSecurity to provide evidence of having compromised the user database (with more information available from the attackers themselves). Despite the risks of SQL injection having been well understood for a number of years, it is reported that it was via a series of SQL injection attacks that the attackers gained the access needed to reach the user database.
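The attack path reported above, as an added example that is not part of this advisory and not code from the Pirate Bay site: a constructed in-memory SQLite database with a torrent index and a user table, a search function that splices the search term into its SQL text, and the UNION-based injection that turns a torrent search into a dump of email and IP addresses. Beside it is the hardened form, which passes the term as a bound parameter and escapes LIKE wildcards. Table names, column names and the sample rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data (invented for this demonstration): a torrent index
# and the user table that an attacker is actually after.
TORRENTS = [("ubuntu-10.04-desktop-i386.iso",), ("debian-505-amd64-DVD-1.iso",)]
USERS = [
    ("alice", "alice@example.org", "203.0.113.5"),
    ("bob", "bob@example.net", "198.51.100.23"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database resembling a torrent site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE torrents (name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, ip_address TEXT)")
    conn.executemany("INSERT INTO torrents VALUES (?)", TORRENTS)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Injectable form: the user-supplied term becomes part of the SQL text, so a
    single quote in the input closes the string literal and whatever follows is
    parsed as SQL rather than treated as data."""
    sql = "SELECT name FROM torrents WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn: sqlite3.Connection, term: str) -> list:
    """Fixed form: the term travels as a bound parameter and is only ever data.
    LIKE wildcards in the input are escaped so a user cannot match everything."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM torrents WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]


# A UNION injection: closes the LIKE literal, appends a second SELECT with the
# same column count over the users table, and comments out the trailing "%'".
PAYLOAD = "x%' UNION SELECT email || ' ' || ip_address FROM users --"


def demo() -> dict:
    """Run the payload through both search functions and a benign term through
    the hardened one; returns the rows each call produced."""
    conn = build_db()
    return {
        "vulnerable": search_vulnerable(conn, PAYLOAD),
        "hardened": search_hardened(conn, PAYLOAD),
        "normal": search_hardened(conn, "ubuntu"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable call returns the users' email and IP address pairs instead of torrent names; the hardened call returns nothing for the payload, because the whole string is matched literally against torrent names, while a normal term still works. The escaping matters on its own: without it a bound parameter is injection-proof but a bare "%" would still let anyone enumerate the whole torrent table.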
What exacerbates the immediate privacy concern about identities being linked to online accounts is the account activity: it includes not only the torrent activity (also searchable through the main Pirate Bay search interface), but also allows linking of email and IP addresses to these accounts, a virtual goldmine of information for groups seeking to identify and prosecute file sharers. With such a valuable lode of information, many of the groups seeking to prosecute file sharers would have a strong financial interest in gaining access to the data extracted from the database, but the Argentinians behind the attack have so far only sought to inform users that their information may be at risk.

As with any claim of information disclosure or capture, the concern is how viable and current the obtained data is. When tested by Brian Krebs, the Argentinians were able to provide him with the correct account details for a user account that he had set up, demonstrating that the information is, if not actually live, current enough to be most valuable.

There is a variety of responses from the file sharing community to this particular breach, but as has been pointed out, the key identifying element, the IP address of users, can already be extracted from the torrent swarms; in this case, however, it is all collected in a centralised manner, making the job of data mining that much simpler.

2.2 The Times and The Sunday Times Disappear Behind Pay Wall

After talking about it for some time, Rupert Murdoch has gone ahead with plans to make his online media offerings only available to fee-paying customers. As of this month, online users who want to view The Times and The Sunday Times content will have to pay to read anything more than the headlines and synopsis that is displayed on the site's front page. This isn't the first News Corporation holding to go behind a pay wall online, with the financial newspaper, the Wall Street Journal, having modest success with this business model.
The difficulty will be applying what works for a niche, specialist case to a general news provider, one where there are numerous other equivalent providers that are available for no cost, other than the advertising present on the sites. Other major news outlets that have tried and failed to implement pay per view for news and analysis online include The New York Times, which was forced to drop a controversial scheme after readers complained.

What might cause the most trouble for this most recent move is the pricing model. As explained in the Welcome Page at The Times, the pricing is £1 per day, or £2 per week, something which might be a little bit steep for daily access, and maybe even too steep for weekly access to a site which carries very similar news to other outlets.

Other news providers, who are also looking at implementing some form of fee-based news presentation online, will be looking with interest to see the outcome of this particular effort by News Corporation. If it is successful, other newspapers and organisations are sure to follow. If it isn't, it may be some time before another news organisation tries to implement something similar.

2.3 Pornographic Top Level Domain Approved by ICANN

As new top level domains go, the decision by ICANN to approve the establishment of the .xxx domain is sure to lead to a financial goldmine for the backers of the domain, ICM Registry, but isn't really going to do anything to reduce the amount of pornography on the rest of the Internet. Just because a pornography-specific top level domain has been created, there is no viable way to force non-.xxx sites onto this particular domain. While the backers point out easier filtering as one of the strong points, that conveniently ignores the fact that the problem of filtering the rest of the Internet remains. Modifying filters to incorporate this new domain is only going to take a couple of lines of code and isn't really a major issue.
The major issue remains reliably identifying pornographic content that exists everywhere else. It has previously been argued that it would be simpler to create a .kids domain and rigorously enforce the content and sites permitted, creating a safer area of the Internet, than to create the .xxx domain and mark it as adult material. That hasn't changed with the introduction of .xxx, but the future may still see .kids come into being, especially as one of the registrars promoting that domain is ICM Registry. With more than 100,000 domains already pre-registered before the top level domain is expected to launch in 2011, there will be a fair amount of activity on the domain, but it will take time to see if it becomes like .biz, .info, .name and many of the other infrequently utilised top level domains, or can gain the recognition of some of the better known top level domain stalwarts.

2.4 AusCERT Replaced by CERT Australia for Government Services

Confusing names aside, the Australian Government announced earlier this month that it would no longer be contracting services from AusCERT, the University of Queensland-based organisation; instead, CERT Australia, derived from its predecessor GovCERT, would be established by the government to provide those services. It appears somewhat strange that the Government has decided to establish what seems to be a parallel service provider, which is meant to be "the sole supplier of national CERT services to the community and the point of contact for international CERTs". There are several years of history behind AusCERT which will need to be overcome in order for this statement to become a reality. Comments from the current director of AusCERT suggest that the newly established CERT Australia would have a primary focus on critical infrastructure.
Based on the sort of issues that have been raised and managed through various global CERTs over the last few years, it would appear that AusCERT is still better placed to be the handler and processor of that information, even if CERT agencies don't really carry a high profile or much public awareness.

CERT Australia is just the latest step in the ongoing "Cybering" of Australian governmental agencies. In January, the Department of Defence established the Cyber Security Operations Centre (CSOC), and the CERT Australia announcement came at the launch of the National Cyber Security Information Exchange. With the Commonwealth government pushing to be seen as a central hub for collation and dissemination of "Cyber Security Information", becoming a "trusted broker of information" and integrating with "national security and intelligence agencies", there is a lot of ground to cover in order to make itself relevant.

Is it all just window dressing? According to the Attorney-General, the online "global cyber-security environment" is getting worse, not better. The fact that it's just Information Security dressed up in a fancy new name (one which sounds like it should have been forgotten about in the early 90s) can't be hidden. Unfortunately for the Government, it is highly probable that this new agency will have even less visibility and relevance than AusCERT and will go on to be a reactive bit-player in Information Security rather than the proactive leader they want it to be.

2.5 As Adobe Contemplates Monthly Patch Cycle, Critical Vulnerability Threatens

There has been talk recently of Adobe moving towards a monthly patch release cycle, after successfully introducing a quarterly patch cycle in the middle of 2009. If it were to be introduced, it would be another big step in Adobe's improving stance on security in its products. That isn't to say that Adobe always get it right.
Late last week, Adobe issued an advisory of a critical vulnerability in Adobe Flash Player, across all supported operating systems, as well as in a critical library associated with Adobe Reader and Acrobat 9.x. According to Adobe's bulletin, a successful attack against the vulnerability could lead to a crash of the application and possible remote code execution ("potentially allow an attacker to take control of the affected system", in Adobe's words). While such a vulnerability is Critical on its own, add in that it is apparently being targeted in the wild, with attacks against both Flash and PDF, and it becomes a much more serious problem.

Adobe haven't issued a date for release of the fix, but in the interim, updating to Flash Player 10.1 apparently mitigates the Flash Player vulnerability, and removing access to the authplay.dll file will mitigate the Adobe Reader and Acrobat issue (there is also the option of downgrading to 8.x versions, which are listed as "confirmed not vulnerable"). What the authplay.dll library does is allow PDF files to contain embedded Flash (SWF) content. Attempting to view a file with this embedded content after disabling the library can lead to a crash or error message, but does not result in an exploitable situation for the user.

With the widespread use of Flash for advertising and interactive content on the Internet, and the use of PDF files for greater control over document formatting and display than other document formats, this is a major problem that needs to be addressed by Adobe as quickly and securely as they can.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.