July Updates and Patch Report

After a lovely week off, I am now back in the country and reviewing what happened in the security world while I was gone. To my shock, the answer is… not much. This is probably the first vacation I’ve had in years when the bad guys took a break too.

Did interesting things happen last week? Of course they did. For example, I got to pet two otter cubs, take photos of venomous reptiles without protective glass and hold a grey fox in my lap. However on the security front, we’ve got a few updates here and there, and that’s about it. Sure, there’s news that various attackers have gotten incrementally better at this or that, but that’s not really news. That’s just what they do. Of course, since that’s what they do, it really should be what you do as well. However, that’s well off topic for this post.

Microsoft

We finally have an update to the MSXML problem. That is unless you run version 5.0, but who’d do a silly thing like that? The problem affecting Visual Basic DLLs is also addressed. Both of these issues are being actively exploited, so you should apply those patches immediately.

The patches also include critical issues on servers and workstations that involve Internet Explorer, TLS encryption flaws and file and directory name handling. Luckily, it doesn’t look like any of these patches are likely to cause problems, so you should probably just apply them.

Unless of course you’re running MSXML 5.0 … then you should probably replace with version 6.0.

More on these issues can be found at the SANS ISC Blog

Bonus Time

We gained an extra second last week. How did you spend yours?

If you were like some of our software/service vendors out there, you spent it crashing. This shows, yet again, that time is hard to deal with. There’s not much you can do about that, other than be aware that time isn’t as linear as we’d like, and things like leap seconds, leap years, time zone changes and such can wreak havoc on our systems.

Your best protection is to understand your extended business network better. Use a time management system internally and set it to alert you if systems start to drift. Map out how your service vendors affect your business so you can easily identify when being down is on their side as opposed to yours (I test off my cell phone, so all traffic follows an isolated path).

Basically, the more you understand how information flows through your business, the better you can identify what causes that flow to fail.

Android

Turns out Android has malware. This is probably news if your last phone was a Motorola DynaTAC. So, for those of you just now catching up, here’s the deal: phones are computers now. If you don’t treat your phone like a computer, bad things are going to happen. Use encryption, strong passwords, anti-malware and don’t go installing stupid stuff on it.

In fact, phones are bad computers! Much of the malware that runs on phones comes from applications that are, shall we say, somewhat adult in nature. Perhaps it would be better if, instead of viewing such material on a screen smaller than a mouse, people use that mouse and view it on real computer running real protections.

If you do that, you can ignore all the “OMG! Android has Malwares!!!!11!!” articles that come out over the next year.

WordPress

There is a new WordPress update out. If you’re running WordPress, install it ASAP. You can get it here, or just update it from within your dashboard. However, a caveat first. WordPress, as a platform, is great. You can post things quickly and easily. I use it all the time, myself.

But … and it’s a big but … the risk to using WordPress grows with each plugin that you install. It grows with the number of people who have the ability to post. Many site compromises occur because people host multiple sites with a large hosting company and if any one of them gets compromised, the attackers can bounce to other sites and take those over as well. Thus, if you’re running WordPress, keep all sites up-to-date, make sure all users have decent passwords and use a plugin like Exploit Scanner to check that things are set up right.

If you need help reading the results of Exploit Scanner, we’d be glad to lend a hand. Really, it’s pretty easy to secure WordPress, so it’s not that expensive to get a bit of professional help.

For your reading pleasure …

We update our security blog a couple times a week, however, we simply cannot cover every data breach or malware attack. Luckily, there are several really good blogs we read that help fill in the gaps. If you scan down the right-side of our blog, you’ll see our “blogroll” which includes nine sites we read on a near-daily basis.

Our Senior Security Engineer, Josh More, is a big fan of SANS’ Internet Storm Center and WiKIDBlog. The SANS Internet Storm Center is a collective of security professionals who provide “ a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.” The writers at WiKIDBlog tend to think outside of the box and often have some unique solutions to common security problems. They also champion two-factor authentication “without the hassle factor!”

Our blogroll also contains some of our partners, including Bit9, Barrier1, Smoothwall, Sourcefire, Sophos and Zix. Bit9, Sourcefire and Sophos update their blogs quite often and have very informative posts. And if you’re not reading Sophos’ Naked Security on a daily basis, you are really missing out. Graham Cluley and Chester Wisniewski do a phenomenal job of keeping tabs on virtually every major threat wreaking havoc in cyberspace. Their blog is oftentimes rather humorous, contains insightful videos and has won numerous awards. For your money’s worth, you won’t find a better security blog.

Our blogroll contains just a few of our favorites, but there’s room to grow. Do you have any recommendations for us?

May Updates and Patch Report

It’s been a little while since I’ve written one of these posts. I had, in recent months, gotten overwhelmed by the amount of updates out there and the fact the advice really hadn’t changed. If you’re not going to read the entire post, just follow these two rules of thumb:

1) Apply patches to all applications on all systems as soon as you possibly can.

2) If you skip rule 1, be prepared to reinstall the OS and all apps on any system at any time.

That’s it.  Now, let’s get into some recent happenings:

 

Microsoft

Last week, Microsoft released several updates with many of them being critical. Workstations, once again, are affected by Office updates. If abused, a special file could cause these applications to take over your system.

But wait, there’s more!

Two sets of patches focus on the .NET framework and patch against code execution as well … so you don’t actually have to download a file to be placed at risk. However, unlike the Office problem, this flaw affects both workstations and servers. Getting even better, if you install the server in “server core” mode, this flaw also allows for elevation of privilege. This means that a successful attack can not only remotely take over a system, but it can break out of the permissions you set to lock things down.

Of course, given how nice these flaws are for attackers, it is not surprising that they are being exploited.

For more details, please see the reports from Sophos and SANS.

 

Apple

Apple has also released updates for many aspects of their operating system. The first set of patches focuses on Java. Over the last few weeks, an OSX+Java-focused attack called Flashback has run amok. This attack leveraged a flaw in Java that was fixed on February 14th… but not patched by Apple until April 3rd. Lucky for us, this malware was good at spreading, but not so good at being evil.

In the set of patches that came out, there were also several that focus on Safari and the disk encryption subsystem. The disk encryption problem basically exposed the encryption password (in certain cases) to people that look for it. Of course, a disk encryption solution that leaks the password is like keeping your house locked by leaving the key on the window sill. It’s just my opinion, but that’s perhaps not the best security solution.

More details on the Apple patches can be seen at ComputerWorld and Sophos.

 

Adobe

Several Adobe updates came out to address specific issues. The patched products include Flash Player, Illustrator, Photoshop, Shockwave Player and Flash Pro. Sounds good, right?  Well…

As it turns out, the Flash Player and Shockwave Player updates are free and fix the problems.  The patches for Illustrator, Photoshop and Flash Pro are free… but fix the problems by informing you that CS6 is available and that CS5 is no longer supported. Now, while it is within the rights of any company to stop supporting their products, one might argue that releasing a “security patch” that asks you to pay money and upgrade to fix the problem (assuming your hardware will run CS6) crosses the line.

There is a rumor in the industry that Adobe is backpedaling and will release updates to CS5, but they’re not out yet.

You can get the Flash player update here. Odds are that you don’t need Shockwave, so just uninstall it. Then, cross your fingers and hope that the patches for CS5 come out before your system is completely taken over and your bank account emptied to Eastern Europe. :)

This might also be a good time to check that your anti-malware software is updating and provides decent application hardening. Here’s a tip… if your anti-malware software came with your workstation, it’s probably not sufficient protection for modern attacks.

 

PHP

PHP has been updated to fix a problem in php-CGI. The php-CGI mode is available to provide better isolation for sites that run multiple virtual hosts. In this case, however, it did introduce a potential flaw. If you host multiple PHP sites on a server, please read this vulnerability report and test your system. If you’re vulnerable, apply the patches available here.

 

Bitcoin

If you were playing with the “new online currency” bitcoin and storing them in Bitconica, you probably lost money this week. A compromise of their production servers resulted in a loss of $90,000. Two months ago, a similar theft resulted in a loss of $225,000.  Some details are here.

Here’s the thing. If you are using a traditional currency, there is significant oversight on the part of the government that backs it and the banks that use it to make sure that bad things don’t happen. In a peer-to-peer currency like Bitcoin (even ignoring the lack of cryptographic analysis), there is no central governing body. Without this sort of body, the currency has no externalities and is 100% market driven. Thus, the currency will be protected by the least-accessible effort and breaches like these will continue to occur. Basically, the cost of acceptable losses is built into the currency itself and not dictated by a government. There’s nothing wrong with this, but it is a different model. Think on this before you hop on the Bitcoin train.

 

That’s it for now. I am going to do these more often for you, so they should be a bit shorter from here on out.  If I don’t cover something that you think is important, please leave us a comment and I’ll get to it on the next cycle.