From alertmailinglist at skiifwrald.com Thu Jun 10 16:06:36 2010
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Thu, 10 Jun 2010 15:36:36 +0930
Subject: [Sunnet Alert] Advisory #279 - Microsoft (Multiple), Multiple News
Message-ID:

Sûnnet Beskerming Alert List Advisory #279

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates available online - (http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question. Did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 2 Days

=======================================
/*
- Remote or Local - Can it be achieved through a network or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Microsoft to Share Vulnerability Information with Governments Early
2.2 Snake Oil Salesmen in Identity Theft Protection
2.3 Symantec Purchasing VeriSign's Authentication Business
2.4 Steam Hardware Survey Shows Surprising Number of OS X Gamers

=====================================
1. SECURITY

1.1 Microsoft Windows - Remote Hacker Automatic Control

-- Products Affected --
Windows, Office, Internet Explorer, .NET, IIS

-- Technical Description --
MS10-032 - Windows. Privilege Elevation. Replaces MS09-065. Important.
MS10-033 - Windows. Remote Code Execution. Replaces MS09-028, MS09-047, MS08-033. Critical.
MS10-034 - ActiveX. Remote Code Execution. Replaces MS10-008. Critical.
MS10-035 - Internet Explorer. Remote Code Execution. Replaces MS10-018. Critical.
MS10-036 - Office. Remote Code Execution. Replaces MS08-055, MS10-017, MS10-028, MS09-068, MS09-017, MS10-023, MS10-004, MS09-027. Important.
MS10-037 - Windows. Privilege Elevation. Important.
MS10-038 - Excel. Remote Code Execution. Replaces MS10-017. Important.
MS10-039 - SharePoint. Privilege Elevation. Replaces MS08-077. Important.
MS10-040 - IIS. Remote Code Execution. Important.
MS10-041 - .NET. Information Disclosure. Replaces MS09-061, MS09-036. Important.

-- Description --
As expected from their Advance Notification, Microsoft have released ten Security Bulletins as part of June's Security Bulletin release. Eighteen earlier bulletins have been replaced, making this month's release one of the largest for some time in terms of vulnerabilities patched. Microsoft assess that most of the vulnerabilities patched will have exploit code available within a month, if it isn't already available.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms10-jun.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-033.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-034.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-035.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-036.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-037.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-038.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-039.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-040.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-041.mspx

-- External Tracking Data --
CVE-ID: CVE-2010-0484 (MS10-032)
CVE-ID: CVE-2010-0485 (MS10-032)
CVE-ID: CVE-2010-1255 (MS10-032)
CVE-ID: CVE-2010-1879 (MS10-033)
CVE-ID: CVE-2010-1880 (MS10-033)
CVE-ID: CVE-2010-0252 (MS10-034)
CVE-ID: CVE-2010-0811 (MS10-034)
CVE-ID: CVE-2010-0255 (MS10-035)
CVE-ID: CVE-2010-1257 (MS10-035)
CVE-ID: CVE-2010-1259 (MS10-035)
CVE-ID: CVE-2010-1260 (MS10-035)
CVE-ID: CVE-2010-1261 (MS10-035)
CVE-ID: CVE-2010-1262 (MS10-035)
CVE-ID: CVE-2010-1263 (MS10-036)
CVE-ID: CVE-2010-0819 (MS10-037)
CVE-ID: CVE-2010-0821 (MS10-038)
CVE-ID: CVE-2010-0822 (MS10-038)
CVE-ID: CVE-2010-0823 (MS10-038)
CVE-ID: CVE-2010-0824 (MS10-038)
CVE-ID: CVE-2010-1245 (MS10-038)
CVE-ID: CVE-2010-1246 (MS10-038)
CVE-ID: CVE-2010-1247 (MS10-038)
CVE-ID: CVE-2010-1248 (MS10-038)
CVE-ID: CVE-2010-1249 (MS10-038)
CVE-ID: CVE-2010-1250 (MS10-038)
CVE-ID: CVE-2010-1251 (MS10-038)
CVE-ID: CVE-2010-1252 (MS10-038)
CVE-ID: CVE-2010-1253 (MS10-038)
CVE-ID: CVE-2010-1254 (MS10-038)
CVE-ID: CVE-2010-0817 (MS10-039)
CVE-ID: CVE-2010-1257 (MS10-039)
CVE-ID: CVE-2010-1264 (MS10-039)
CVE-ID: CVE-2010-1256 (MS10-040)
CVE-ID: CVE-2009-0217 (MS10-041)

-- Threat Matrix --
             U    O
Home User   10   10 (Highly Critical)
Corporate   10   10 (Highly Critical)

=======================================
/* Threat Matrix:
U - User
O - Operator
Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2. NEWS

2.1 Microsoft to Share Vulnerability Information with Governments Early

Microsoft recently announced that they would be providing pre-patch vulnerability information to key "government entities". Citing examples such as Critical Infrastructure, the MSRC post asserts that governments are the key linchpin between private and public sectors for protection against electronic attacks, and provide liaison between those sectors.

On the surface this seems to be a strange assertion. Most information flow seems to be from the private sector (Information Security vendors, mainly) to both the public and private sector at approximately the same time. Government-level co-ordination and response has rarely been at the forefront of this information dissemination and management, and rapid response to time-sensitive critical information isn't something that government agencies are well known for being capable of.

This will bring some value to the organisations that are able to participate in this program (no doubt for a fee), but what can they do about it pre-patch? Valid and effective security practices would limit most common attack routes, and those that remain would have some business case for being kept open. Microsoft's own Advance Notification gives a heads-up as to the likely impact of the patches and vulnerabilities in the week before patches are released, but unless the government agencies are changing their patch deployment to same-day as release, there isn't much else that can be gained from having advance notification.
The sort of vulnerabilities that are of greatest concern to people are those that are likely to have been publicly disclosed, or are already being used for targeted attacks, quite likely against government agencies. Being told that there is a new remote code execution vulnerability against Word, and that the effective non-patch mitigation is to avoid Word documents, isn't going to help at all.

It is another step forward for Microsoft, but it might have been better delivered several years ago, when they made the move to monthly patch cycles and when they made their large push towards a secure development cycle. It may be that the Defensive Information Sharing Program (DISP) will evolve into a significant aspect of future Information Security management at the national level, but that will rely upon a lot of changes being made by all participants.

Might this program have helped with the current Windows Canonical Display Driver issue that has been highlighted through the Security Response Center? Or would the information flow have been about what the Microsoft Active Protections Program (MAPP) partners already receive, just with the requirement to actually provide a security product removed?

2.2 Snake Oil Salesmen in Identity Theft Protection

As the importance of Information Security has gained public awareness over the last several years, one of the aspects that has attracted the most awareness and attention is the issue of Identity Theft and the many different ways that it can take place. Predictably, companies began to emerge that claimed to assist consumers and businesses not only with protecting them against identity theft, but also with helping people once a theft had been identified and perpetrated. Aside from a few basic precautions, there isn't much that can be done to mitigate against such theft.
With almost all of these basic precautions being free, the companies set up to sell these services to consumers are tapping into a lack of awareness among consumers as to how simple it is to defend against theft. With monitoring for cases of identity theft and the processes for addressing recovery, again there is only a limited set of options available to people - mostly free or low cost. Identity theft protection and monitoring companies tap into the same resources, so there is little value being added other than having someone else take responsibility for your identity.

These companies are selling peace of mind for processes that are cheaper and often easier to do yourself, so they need to find some way to differentiate themselves from their competitors, attract customers, and give the impression that the services they offer actually work and are much better than what you can already do yourself (they're not). One of the most public examples of this attempted differentiation, probably closer to hubris, is the example provided by LifeLock, which included their CEO's social security number in their advertising material as part of their claim that their processes were enough to protect people against identity theft. Only, it didn't quite work, and now another company is stepping forward to offer their own identity theft services to the CEO after there were numerous examples of successful identity theft perpetrated against him.

Information Technology companies in general, and Information Security companies in particular, are often regarded as nothing more than snake oil salesmen, pushing software and services that rarely live up to the marketing hype and promises. If the US Federal Trade Commission has taken enough notice of your business practices to slap you with a $12 million fine (as happened with LifeLock), then this sort of perception is only reinforced.
Identity theft (really nothing more than personal fraud) is a problem, and it is a concern for all consumers given the ease with which financial services and commitments can be arranged without accurate identity verification. The most effective and most secure means to protect against it remains personal vigilance over your financial activity (real and reported) and care with sensitive personal documentation.

2.3 Symantec Purchasing VeriSign's Authentication Business

Symantec have recently moved to add to their service offerings with the purchase of VeriSign's authentication business, following on from the GuardianEdge and PGP purchases announced last month. This acquisition covers VeriSign's SSL certification services and PKI platform. The move consolidates Symantec's position as an Information Security giant and gives them more of an ability to provide complete Information Security services to end users.

A good move for Symantec, it may not be seen as such a good move by the people who have to support and manage systems with Symantec tools installed on them. Symantec has a reputation for slowing system performance and degrading system capability once its tools are installed, and for those tools to be almost impossible to uninstall due to the deep hooks they place into the operating system.

The deal is pending regulatory approval, but once that is through, it is expected that VeriSign's authentication services will become part of Symantec within a month.

2.4 Steam Hardware Survey Shows Surprising Number of OS X Gamers

It's often difficult to work out just how much market share various platforms and applications actually have. One method is to count the number of hits coming from various platforms to popular services. Valve's Steam Hardware Survey has always been a fairly interesting cross section of the sort of systems people are using for gaming, from the very top of the line systems to what would pass as an average gaming system.
Like a lot of surveys, it is based on voluntary input from users, so some caution is always urged with the results. What is interesting to note from the most recent hardware survey (May 2010) is that Mac OS X versions make up almost 8.5% of systems reporting an OS version in use. This is quite a surprising and revealing statistic. It has been less than a month since Steam for OS X was released, and in that timeframe, market share has already risen to almost 8.5%.

For a platform that has drawn the ire of gamers for its apparently non-gamer-friendly list of available titles and late ports, to have such a large percentage so quickly on Steam shows that the hidden reality of OS X gamers may be larger than many people gave credence to. With Steam's service not seemingly directed at the casual gamer (despite the many casual games available on the service), there is a fairly hidden segment of gamers who have been silently waiting for the ability to game natively on their systems.

With other alternatives for OS X gamers including VMware, Parallels, Wine, CrossOver, CrossOver Games, Cider ports, Boot Camp, and a fairly healthy porting scene, there is an ever-increasing list of options for gamers who don't want to boot out of OS X in order to get their gaming fix. Perhaps the OS X market share is heading towards the point where more game developers will target the platform, if not necessarily for simultaneous release, perhaps still for a native release at a later stage.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.