June Updates and Patch Report

It’s “Patch Tuesday” week again, so let’s summarize several of the more important updates and patches.

Microsoft

Did you know there were two sets up updates this month? The normal Tuesday updates came out as expected, but before that, there was a special update to make sure this week’s updates were trustworthy. What happened is that Flame made the news and a part of the malware was designed to take advantage of a flaw with Microsoft certificates. So, to fix it, Microsoft had to release an update… but since that certificate was part of the update process, it had to be released early.

If you did not apply the update when it first came out, you’ll probably be okay. However, this is yet another example of why it’s important to stay on top of these. If you fall behind, not only are you unprotected against current threats, but you also cannot trust the updates that are waiting in the wings. If you are worried about falling behind, it may be time to consider patch management software.

The second round included updates for Remote Desktop, Internet Explorer and .Net. The IE one is being exploited, so update your workstations and laptops ASAP. Also, if you are one of the many companies exposing Remote Desktop to the internet, this is a very good example as to why that isn’t the best strategy. The flaw made public this week allows people to access those systems without logging in. If you are accessing RDP directly over the internet, it’s time to stop. There are some extremely simple and cost effective (some even free) VPN solutions out there. Please use them.

More details are here and here.

The Always-Expanding Hack List

If you regularly use LinkedIn, Last.fm, Twitter and/or eHarmony, it’s time to change your passwords. It’s also time to trust the users of those sites a little bit less. When a password breach occurs, not only is your data at risk, but so are all of your social connections. If one of your friends had a weak password, someone could log into their account and view all the information you share with them. While there’s nothing we can do directly in response to these attacks other than change our passwords, we really need to start putting more pressure on these sites to ensure they are protecting our data with better than minimal standards. If you are in the position of storing customer data, you might want to review your own processes, too. It’d be better to do that before a breach.

Adobe

Adobe has released an update for … ColdFusion. If you’re not using ColdFusion, you don’t have to worry about Adobe patches this month. Also, if you’re running ColdFusion 10, you’re good. Kind of a shocker, I know.

If you’re running an older version of ColdFusion, read the details here.

VMware

It’s out … it’s finally out!  If you’re running vSphere 5, you can read the hardening guide.  This is a guide to both hardening AND assessing VMware infrastructures. Basically, all the auditors now have guidance, so expect them to get more annoying about it. Also, expect your assessors to have more documentation backing up why certain changes should be made. A good plan would be to actually make them! It’s usually going to make sense for you and the time you spend arguing would be better spent fixing issues.

I know that making some changes to a virtual environment can affect a lot of servers, but guess what happens if a flaw in your system is abused? I am firmly of the mind that a planned outage is much better than an unplanned one. Please harden your infrastructure.

Apple

Sadly, Apple did not release an IOS hardening guide. Instead, they just lifted the curtain a little bit and gave us a peek inside with the IOS security specs. If you are writing policies around mobile devices and have to support Apple, you should probably read this. It will also help you assess MDM solutions.

PHP

If you’re running PHP, you should know it’s being attacked.  Keep it updated and if you can, seriously consider layering PHP-Suhosin, Mod_Security2 and AppArmor around it. PHP is good for developers, but it’s also good for attackers. If you want to use it for the former, you have to accept the risk from the latter.

MySQL

Please excuse the tech speak here. If you are running MySQL and it was compiled with GCC using SSE, people can likely log into your system with the wrong password. Details are here. This issue is known to affect Ubuntu 64bit, OpenSUSE 64bit, Debian Unstable 64bit, Fedora and Arch Linux. Luckily, the more commonly used Ubuntu 32bit, Red Hat Enterprise Linux and the official binaries from MySQL are not affected.

In general, you should apply the patch immediately when available. You should also only expose your MySQL interface to the applications that need them and to the DBA’s network. Most real world problems involving this vulnerability involve people who chose to make MySQL accessible over the internet. Like RDP, there are almost no good reasons to do this … so don’t.

Last.fm leaks passwords

LinkedIn wasn’t the only major web presence with a security breach last week. Popular streaming music service, Last.fm, sent out emails this weekend to their 40+ million subscribers regarding a password breach and were quick to point out the breach only affected a “small fraction” of users and that “this follows recent password leaks on other sites …” I suppose if everyone else is doing it, you might as well join in on the fun!

As a Last.fm user, I received one of their customer emails. Unfortunately, it went straight to my Spam box and I didn’t see it until this morning. Here’s what it said:

Much like the LinkedIn breach, the same rules for changing your password that Josh outlined last week apply with Last.fm. In case you missed his post, read it here. Otherwise, here are Josh’s tips for creating a strong password:

  • Change your password to something random, long and complex… at least 20 characters.
  • Do not use this password anywhere else.
  • If you don’t remember these sorts of passwords easily, use a tool like KeePassLastPass or1Password.
  • If you are responsible for the security of others, get them to change their passwords too.

Isn’t that easy? Now go and change your Last.fm password and your LinkedIn one, too, if you haven’t already done so. And if you’re looking for love via eHarmony (data breach last Wednesday), change that password, as well!