Monday, March 29, 2010

Huge Mac OS X Security Patch set released Monday, 28 March

If you run a Mac, it's time to get patching.

Apple plugs 88 Mac OS X security holes | Zero Day | ZDNet.com
Apple today released one of its biggest Mac OS X security updates in recent memory, covering a whopping 88 documented vulnerabilities.

The Mac OS X v10.6.3 update, which is considered “critical,” covers flaws that could lead to remote code execution, information disclosure and denial-of-service attacks.

In some scenarios, a malicious hacker could take complete control of a Mac-powered machine if a user simply views a malicious image or movie file.

In another case, a Mac user running spell-check could have his/her machine hijacked by hackers.

The update covers critical vulnerabilities in AppKit, QuickTime, CoreMedia, CoreTypes, DiskImages, ImageIO and Image RAW.

It also covers holes in several open-source components, including Apache, ClamAV, MySQL and PHP.

Here’s the full list of the patched vulnerabilities.

US-CERT Current Activity
Apple Releases Security Update 2010-002 and Mac OS X v10.6.3
added March 29, 2010 at 02:37 pm

Apple has released Security Update 2010-002 and Mac OS X v10.6.3 to address multiple vulnerabilities that affect a number of applications. These vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, cause a denial-of-service condition, bypass security restrictions, or operate with elevated privileges.

US-CERT encourages users and administrators to review Apple Article HT4077 and apply any necessary updates to help mitigate the risks.

Scores of flaws fixed in mammoth Apple security update - SC Magazine US
Apple on Monday issued updates to Mac OS X Snow Leopard and Leopard to correct scores of security vulnerabilities that could allow an attacker to access user data, execute arbitrary code, obtain system privileges, or cause a denial-of-service condition, Apple said in its advisory.

More technical details here: APPLE-SA-2010-03-29-1 Security Update 2010-002 / Mac OS X v10.6.3

Special IE Patch due tomorrow

Rafts of stories about this one. More info after I test it out, but it should not affect anyone using Firefox or Google Chrome.

US-CERT Current Activity
Microsoft Releases Advance Notification for Out-of-Band Security Bulletin
added March 29, 2010 at 07:16 pm

Microsoft has issued a Security Bulletin Advance Notification indicating that it will be releasing an out-of-band security bulletin. This bulletin will address a vulnerability in Microsoft Internet Explorer 6 and Internet Explorer 7. The notification states that release of this bulletin is scheduled for March 30, 2010. Additional information can be found in Microsoft Security Advisory 981374 and in the Vulnerability Notes Database.

US-CERT will provide additional information as it becomes available.

Microsoft to Issue Emergency IE Fix — Krebs on Security
Microsoft Corp. said today it plans to break from its regularly scheduled monthly software update cycle to issue a patch on Tuesday for a security hole in its Internet Explorer Web browser that hackers have been exploiting lately.

Microsoft normally releases security updates on “Patch Tuesday,” the second Tuesday of each month. But this Tuesday, Mar. 30, Microsoft will release a cumulative update for Internet Explorer that fixes a critical software flaw in IE 6 and IE 7. The browser flaw lets hackers break into vulnerable systems remotely, with little help from users.

Sunbelt Blog: Microsoft out-of-band patch tomorrow
Microsoft said today it will issue an out-of-band patch tomorrow for a vulnerability in Internet Explorer 6 and 7 that is being actively exploited.

Internet Explorer - Special Security Update on March 30, 2010 - Harry Waldron - IT Security
Microsoft will be releasing a special security update tomorrow for versions 6 and 7 of Internet Explorer. This early release will better protect IE users from current threats circulating in the wild. Please apply these changes as prompted tomorrow to protect your PC. Better yet, move to IE8 if you use Windows XP or Vista.

Internet Explorer - Out of Band Security Update on March 30, 2010
http://blogs.technet.com/msrc/archive/2010/03/29/internet-explorer-cumulative-update-releasing-out-of-band.aspx

Internet Explorer - Out of Band Security Update Details
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx

Key vulnerability patched, as described in Microsoft Security Advisory 981374
http://www.microsoft.com/technet/security/advisory/981374.mspx

Microsoft: Emergency IE patch coming tomorrow | Zero Day | ZDNet.com
The IE patch will also include fixes for several other vulnerabilities:
The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on all versions of Internet Explorer that are not related to this attack.

From the MSRC blog:

Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version to benefit from the improved security protection it offers.

We recommend that customers install the update as soon as it is available. Once applied, customers are protected against the known attacks related to Security Advisory 981374. We have been monitoring this issue and have determined an out-of-band release is needed to protect customers. For customers using automatic updates, this update will automatically be applied once it is released. Additionally, because Security Bulletin MS10-18 is a cumulative update, it will also address nine other vulnerabilities in Internet Explorer that were planned for release on April 13.

Tuesday, March 23, 2010

Firefox 3.6.2 released to fix critical security issue

I have patched my copy and have no issues other than having to tweak a couple of add-ons to make them work with 3.6.2. All of the stories below have links to more info.

US-CERT Current Activity
The Mozilla Foundation has released Firefox 3.6.2 to address multiple security issues, including a critical vulnerability that may allow a remote attacker to execute arbitrary code.

US-CERT encourages users and administrators to do the following to help mitigate the risks:

* Review the Firefox 3.6.2 release notes.
* Review Mozilla Foundation Security Advisory 2010-08.
* Upgrade to Firefox 3.6.2.

Additional information regarding this vulnerability, including a workaround for users who cannot upgrade, can be found in the Vulnerability Notes Database.

Official Mozilla blog entry:
Firefox 3.6.2 Released at Mozilla Security Blog
Mozilla has accelerated its timetable and released Firefox 3.6.2 ahead of schedule. This release contains a number of security fixes, including a fix to Secunia Advisory SA38608 which was previously discussed on this blog when we were first made aware of and were then able to confirm the issue.

For additional information please see Mozilla Foundation’s Security Advisory MFSA-10-08 as well as the Firefox 3.6.2 Release Notes. We urge users to promptly update to this release by selecting “Check for Updates…” from the “Help” menu, or by visiting https://www.mozilla.com/ for a free download.

Other reports:

Tuesday, March 16, 2010

Follow-up to Patch Tuesday: Problems with Excel Patch, MS hustles on new IE Patch

If you held off on patching Excel as I advised in my last post, you did the right thing. Check your list of installed Excel patches -- if it looks like Chinese to you, that's because it is. I got caught by this one. Follow the procedure in the article linked to here:
Microsoft admits Office patch gaffes
Microsoft confirmed today that a security update for its Excel spreadsheet had turned English text in an important Windows tool into Chinese.

The admission was the second in the past two days from Microsoft's Office team of a gaffe involving a recent security update.

Friday's announcement involved the seven-patch update Microsoft shipped on Tuesday for Excel. "We have received reports from some of our Excel 2003 and Excel 2002 customers that after installing update KB978471 or KB978474, they are seeing non-English text in the 'Add or Remove Programs' tool (Win[dows] XP) or the 'Programs and Features' --> 'Installed Updates' view (Vista, Win[dows] 7)," Microsoft said in an entry published early today on the "Office Sustained Engineering" blog.

The two updates Microsoft referenced, KB978471 and KB978474, were the patch collections for Excel 2002 and Excel 2003, respectively.

According to Microsoft, the patches are displayed in "Add or Remove Programs" in simplified Chinese rather than the intended English. "If English text ... is a requirement, there is a two-part workaround available," said Microsoft as it told users to first uninstall Tuesday's Excel update, then download and install a revamped version.

Today's snafu wasn't as serious as the one Microsoft acknowledged Thursday, also on the Office blog.
The article continues with more information about potential problems which won't affect any of my clients or users. The article also says
... a Feb. 9 non-security hotfix that added support for .Net 4.0 to Office 2007 caused the suite's programs to crash when they were run on Windows Server 2008 R2 or Windows Server 2008 with Terminal Services.

Some users claimed that the update also made Internet Explorer 8 (IE8) crash when working with SharePoint 2007.
If you do follow this procedure (remove the patch using Add/Remove Programs, then download it and install it manually), your Add/Remove Programs list will be correct, but the "Installed Patches" information inside Microsoft Update will still show the old patch, as installed by Microsoft Update, rather than the correct patch as installed manually.

In other Microsoft security-related news, if you must run IE, upgrade to IE8. Your better bet is to replace IE with Mozilla Firefox (with the NoScript and Adblock Plus add-ons) for anything but Microsoft Updates.

Microsoft hustles on IE patch, tests fix
Yesterday, Microsoft offered an automated "Fix it" tool to disable the component in the "iepeers.dll" file that contains the vulnerability. The free tool works on machines powered by Windows XP or Windows Server 2003. That workaround was an addition to those that Microsoft recommended last Tuesday, which included disabling scripting, enabling DEP (data execution prevention) and upgrading to IE8.

Rival browsers, including Mozilla's Firefox, Google's Chrome and Opera Software's Opera, are also safe from the in-the-wild attacks aimed at IE6 and IE7.

The newest zero-day is the second this year that Microsoft has admitted hackers have exploited before a patch was ready. In mid-January, Microsoft said that a flaw in IE had been used to attack several companies' networks, including Google's and Adobe's. Microsoft patched the vulnerability on Jan. 21 in an out-of-band update.

Microsoft's next scheduled Patch Tuesday is April 13, more than four weeks away.

More articles:
Stopgap IE Fix, Safari Update Available — Krebs on Security
Microsoft has issued a stopgap fix to shore up a critical security hole in older versions of its Internet Explorer browser. Meanwhile, exploit code showing would-be attackers how to use the flaw to break into vulnerable systems is being circulated online.

Microsoft offers 'fix-it' workaround for IE zero-day | Zero Day | ZDNet.com
Microsoft has released a one-click “fix-it” workaround to help Web surfers block malware attacks against an unpatched vulnerability in its flagship Internet Explorer browser.

The workaround effectively disables peer factory in the iepeers.dll binary in affected versions of Internet Explorer.

The workaround, available here, comes on the heels of the public release of exploit code into the freely available Metasploit pen-testing framework.

Microsoft confirmed the availability of exploit code for the issue and again urged users to upgrade to Internet Explorer 8, which is not vulnerable to this issue.

The company urged IE users to test the Fix-It workaround thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of web folders, may be affected.

In light of all the recent security issues with IE (all versions), it escapes me why anyone responsible for security on their networks would continue to run IE for day-to-day Internet work. Even if you have legacy applications or websites which require IE, you should run another browser for everything else.

Tuesday, March 9, 2010

Patch Tuesday, and a Zero-Day attack against IE6/7

Today is Patch Tuesday. I patched my main XP workstation and it did not require a reboot. The SANS page March 2010 - Microsoft Patch Tuesday Diary is rating one of the two patches CRITICAL but not PATCH NOW. The CRITICAL patch affects Excel, so if you don't use Excel much, wait a few days before patching.

ZDNet's Zero Day blog has details of a recent Microsoft Security Advisory. If you use IE to browse the Internet (Mozilla's Firefox web browser is much safer) and can upgrade to IE8 (Windows 2000 users cannot), do so. If you don't use IE except to do Windows Updates, don't bother.

New Microsoft IE zero-day flaw under attack | Zero Day | ZDNet.com
A zero-day (unpatched) vulnerability in Microsoft’s Internet Explorer is being exploited in the wild, the company warned in an advisory issued today.

On the same day it issued software fixes as part of its Patch Tuesday schedule, Microsoft released a pre-patch advisory to warn of the risk of remote code execution attacks against users of IE 6 and IE 7.

From the advisory:
Our investigation so far has shown that Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

Microsoft said it was aware of targeted attacks attempting to use this vulnerability. No other details on the attacks were offered.

Update Thu 11 Mar 2010 10:18 MST: The exploit is not only in the wild, it has now been built into the hacker/security toolkit Metasploit, which means we can expect many more malicious websites to start using it.

IE zero-day flaw leaks out; Exploit code published | Zero Day | ZDNet.com
Using obvious clues from a McAfee blog post, an Israeli hacker was able to pinpoint the latest Internet Explorer zero-day vulnerability and create working exploit code. The exploit code, which provides a clear roadmap to launch drive-by download attacks against IE 6 and IE 7 users, is being fitted into the Metasploit point-and-click tool.

... the availability of public exploit code is sure to light a fire and raise the likelihood of an emergency update before next month’s Patch Tuesday.

Monday, March 8, 2010

Strange but true: Energizer Bunny software can infect your computer

I've seen this reported several places this morning:

Energizer battery charger contains backdoor | Zero Day | ZDNet.com
The United States Computer Emergency Response Team (US-CERT) has warned that the software included in the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.

In an advisory, the US-CERT warned that the installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory.

Also reported here: Energizer Bunny's software infects PCs
US-CERT urged users who had installed the Energizer software to uninstall it, which disables the automatic execution of the Trojan. Alternately, users can remove the Arucer.dll from Windows' "system32" directory, then reboot the machine.

Both US-CERT and Symantec have published advisories about the Trojan.

Energizer said it has removed the software from its download site, and added that although it had offered similar software for Mac OS X, only the Windows version had been infected.