Friday, October 28, 2011

QuickTime 7.7.1 available

Unpatched QuickTime is one of the primary ways by which Windows gets infected, so if you use QuickTime instead of my preferred media player VLC, you should patch. Apple's security bulletin is here:

About the security content of QuickTime 7.7.1

QuickTime 7.7.1

  • QuickTime

    Available for: Windows 7, Vista, XP SP2 or later

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Thursday, October 20, 2011

More info on why you should update Java JRE ASAP

If you have Java installed (XP users check "Add/Remove Programs", Vista/Windows 7 users check "Programs and Features") you either need to uninstall it or update it. Two articles which are 'less user-hostile' (most people say "more user-friendly") than the links I posted earlier are here:

Critical Java Update Fixes 20 Flaws — Krebs on Security

Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software. Nearly all of the Java vulnerabilities can be exploited remotely to compromise vulnerable systems with little or no help from users.

If you use Java, take some time to update the program now.

That, IMHO, should read "If you have Java installed, update the program now."

Java update plugs 20 critical security holes | ZDNet
Summary: The patch, which provides a fix for the SSL Beast attack, comes at a time when anti-malware vendors are reporting an “unprecedented wave” of exploits against vulnerabilities in Java.

Oracle has shipped a critical Java update to fix at least 20 security vulnerabilities, some serious enough to cause remote code execution attacks.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company warned in an advisory.

According to Oracle, 19 of the 20 vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Links to the Java downloads are in yesterday's blog entry Oracle releases BEAST-patched version of Java.

Wednesday, October 19, 2011

Oracle releases BEAST-patched version of Java

System admins have another patch to roll out. This one is IMHO not a critical, high-priority item for internal computers which do little on the Internet, but it should be rolled out to your heavier Internet-using computers, especially roaming laptops, as they would probably be more susceptible to the MITM attacks that BEAST requires.

Oracle updates Java to stop SSL-chewing BEAST • The Register
Firefox developers said Tuesday that they have no plans to keep the browser from working with the Java software framework now that Oracle has released a patch that prevents it from being used to decrypt sensitive web traffic.

In a blog post published in late September and updated on Tuesday, Mozilla recommends that Firefox users update their Java plug-in to lower their chances of falling victim to attacks that silently decrypt data protected by the SSL, or secure sockets layer, protocol used by millions of websites. Firefox developers had said previously that they were seriously considering disabling the Java plug-in as a way of preventing the exploit.

Short for Browser Exploit Against SSL/TLS, BEAST was first demonstrated late last month at a security conference in Argentina, where researchers Juliano Rizzo and Thai Duong used the attack to recover an encrypted authentication cookie used to access a PayPal user account in less than two minutes. Oracle has more about the Java update here.

Oracle's bulletin is here:
Oracle Java Critical Patch Update - October 2011
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 20 new security fixes across Java SE, of which 6 are applicable to JRockit.

Download Java from here: Java SE Downloads. You probably want Java JRE 6u29 as JRE 7u1 is primarily for developers.

Thursday, October 13, 2011

iTunes, Windows, iOS, OS X, and Safari all updated this week

It's going to be a busy week for sysadmins. On Tuesday Microsoft issued the monthly update set and Apple updated iTunes. Both patch sets fix critical flaws, and I haven't seen any reports of problems, so business admins should roll out the patch sets ASAP. Anyone who is still using IE needs to patch ASAP as all current versions of IE have a vulnerability which allows "drive-by" infection. See the last article below.

In addition, Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4 were also patched. I HAVE SEEN REPORTS OF BUGS WITH THE iOS 5 UPDATE SO HOLD OFF ON UPDATING YOUR iDevice.

Critical Security Updates from Microsoft, Apple — Krebs on Security
Microsoft and Apple today released security updates to fix a slew of critical security problems in their software. Microsoft’s patch batch fixes at least 23 vulnerabilities in Windows and other Microsoft products. Apple’s update addresses more than 75 security flaws in the Windows versions of iTunes.

Microsoft Fixes 23 Vulnerabilities Including Critical IE Flaws

Microsoft issued its monthly security bulletins today, which include two updates rated as “critical” and which could allow remote code execution. The first, MS11-078, is for a vulnerability in .NET Framework and Microsoft Silverlight. The second critical fix is for MS11-081, a cumulative security update for Internet Explorer. There were six other updates issued that were ranked as “important.”

Microsoft also issued guidance for prioritization of patching. Click on the image below for a full-size chart.

Assessing the risk of the October 2011 security updates - Security Research & Defense - Site Home - TechNet Blogs
Today we released eight security bulletins. Two have a maximum severity rating of Critical with the other six having a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Apple slaps another security band-aid on iTunes | ZDNet
Apple has shipped iTunes 10.5 to fix mountains of security problems that expose Windows users to dangerous hacker attacks.

The security patch, available for Windows 7, Windows Vista and Windows XP SP2, fixes a total of 79 documented vulnerabilities. The most serious of these flaws could allow remote code execution attacks via booby-trapped image or movie files.

US-CERT Current Activity: Apple Releases Multiple Security Updates
added October 12, 2011 at 04:11 pm

Apple has released security updates for Apple iOS, Safari 5.1.1, OS X Lion v10.7.2, iWork 09, and Apple TV 4.4 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, and bypass security restrictions.

ISC Diary | Apple iTunes 10.5

Apple released iTunes 10.5 for Windows and Mac OS X. For those following Apple this comes as no big surprise as there are functionality changes expected due to the imminent release of a new iPhone model. What is however a bit surprising is that they also released an impressive list of fixed vulnerabilities in the windows version of iTunes.

Even more interesting is that that list also mentions that e.g. "For Mac OS X v10.6 systems, this issue is addressed in Security Update 2011-006" or "For OS X Lion systems, this issue is addressed in OS X Lion v10.7.2". And those are respectively a security update and an OS update that are not yet released at the time of writing.

ISC Diary | Microsoft Black Tuesday Overview October 2011

Overview of the October 2011 Microsoft patches and their status.

Internet Explorer 9 haunted by 'critical' security vulnerabilities | ZDNet

By Ryan Naraine | October 11, 2011, 12:03pm PDT

Summary: Microsoft fixes drive-by download flaws in the latest version of its dominant Internet Explorer browser and warns that exploits could emerge within 30

Microsoft’s shiny new Internet Explorer 9 browser contains critical security vulnerabilities that expose users to drive-by download attacks, the company warned today.

The IE warning highlights this month’s batch of security patches from Microsoft where the company shipped eight security bulletins (two critical, six important) to cover gaping holes in Internet Explorer, .NET Framework & Silverlight, Microsoft Windows, Microsoft Forefront UAG and Microsoft Host Integration Server.

According to Microsoft, the IE vulnerabilities could be exploited if a user simply surfs to a maliciously rigged website.

The IE update (MS11-081), available for all users of Microsoft Windows and all versions of Internet Explorer, covers at least eight documented security holes in the world’s most widely used browser.

The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Monday, October 3, 2011

99.8% of Commercial Exploits caused by failure to patch

According to Danish security company CSIS, most Windows infections by commercial malware are the result of failure to patch a few vulnerable apps: Java JRE (37%), Adobe Reader/Acrobat (32%), Adobe Flash (16%), Internet Explorer (10%), Windows Help (3%), and Apple QuickTime (2%). MSIE and Windows Help are patched automatically by Windows Update (which home users should have enabled and which business sysadmins should be managing), but the other applications all need to be updated separately.

That said, I do NOT enable automatic patching of those applications on my business systems for several reasons. First, patches have been known to break things, and an automatically-applied patch that shuts down tens or hundreds of computers on a business network can be very expensive in downtime. Second, the malware authors have taken advantage of automatic-patching prompts by simulating them (see notes 1 and 2 below). Home and small-business users should use the Secunia Online Software Inspector to scan their systems to see what needs patching and then patch. Secunia also offers the Secunia Personal Software Inspector (PSI) (for home users only), but since this monitors your system and reports back to Secunia, for privacy reasons I do not recommend using it.

As of this blog post, Java JRE is at version 6.0.27 (a.k.a. 6u27), Adobe Reader at 9.4.6 or 10.1.1 (8.3.1 is also safe, but ARv8.x will not be patched after next month), Adobe Flash Player is at (both for IE and Firefox), and Apple QuickTime is at version 7.70.80. Subscribe to this blog page or check back here frequently as I will be posting the latest version numbers of these apps every time they're updated.
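For admins who would rather check the version numbers above across a fleet than click through "Programs and Features" on each box, here is an added PowerShell example (not code from this blog, from Secunia, or from any of the vendors named) that reads the same uninstall registry keys the Control Panel list is built from and compares what is installed against the versions listed above. The DisplayName patterns and the DisplayVersion formats it matches are assumptions about what each vendor's installer writes (for instance that Java 6u27 is recorded as "6.0.270"), so adjust them if your installs differ; Flash is listed for reporting only because the post does not give a version for it.

```powershell
# Added example, not code from this blog or from any vendor named in it.
# Inventories the separately-patched applications the post lists and compares
# installed versions with the versions the post gives as current.
# Assumptions (not stated in the post): the DisplayName patterns and the
# DisplayVersion formats below match what each vendor's installer writes.
# MSIE and Windows Help are left out on purpose: Windows Update covers those.

$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # absent on 32-bit Windows
)

# Minimum acceptable versions as stated in the post. Flash has no minimum because
# the post leaves that version blank, so it is reported but not judged.
$baseline = @(
    @{ App = 'Java JRE 6';      Pattern = '^Java\(TM\) 6 Update'; Minimum = '6.0.270' },
    @{ App = 'Adobe Reader 8';  Pattern = '^Adobe Reader 8';      Minimum = '8.3.1'   },
    @{ App = 'Adobe Reader 9';  Pattern = '^Adobe Reader 9';      Minimum = '9.4.6'   },
    @{ App = 'Adobe Reader X';  Pattern = '^Adobe Reader X';      Minimum = '10.1.1'  },
    @{ App = 'Adobe Flash';     Pattern = '^Adobe Flash Player';  Minimum = $null     },
    @{ App = 'Apple QuickTime'; Pattern = '^QuickTime';           Minimum = '7.70.80' }
)

function ConvertTo-VersionOrNull([string]$Text) {
    # DisplayVersion is free text; some installers write strings [version] cannot parse.
    try { [version]$Text } catch { $null }
}

# Read-only access to HKLM, so this does not need an elevated prompt.
$installed = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName }

$report = foreach ($entry in $baseline) {
    $hits = @($installed | Where-Object { $_.DisplayName -match $entry.Pattern })
    if ($hits.Count -eq 0) {
        New-Object PSObject -Property @{ App = $entry.App; DisplayName = ''; Installed = ''; Status = 'not installed' }
        continue
    }
    # Every matching entry gets its own row, so a stale copy left installed
    # alongside a current one is still flagged rather than hidden.
    foreach ($hit in $hits) {
        $have = ConvertTo-VersionOrNull $hit.DisplayVersion
        $status = if (-not $entry.Minimum) { 'report only' }
                  elseif (-not $have) { 'version not parsed' }
                  elseif ($have -ge [version]$entry.Minimum) { 'current' }
                  else { 'NEEDS PATCH' }
        New-Object PSObject -Property @{
            App = $entry.App; DisplayName = $hit.DisplayName
            Installed = $hit.DisplayVersion; Status = $status
        }
    }
}

$report | Format-Table App, DisplayName, Installed, Status -AutoSize
```

Run it as an ordinary user on each machine (or through whatever remote-execution you already use); a row marked NEEDS PATCH or version not parsed is the one to look at by hand. Because the baseline table is a plain list, the version numbers can be updated in one place when the post's "current" versions change, which is exactly what the post says it will track.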

Java, Adobe vulns blamed for Windows malware mayhem • The Register
"99.8 per cent of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages"
  1. Flashback Mac Trojan poses as Adobe Flash update, opens backdoor | Naked Security
  2. Fake Java Update uses your PC in DDoS Offensive - MalwareCity : Computer Security Blog
    Updated Mon 03 Oct 2011 09:46 MST: correct Adobe version from 10.0.1 to 10.1.1