July Updates and Patch Report

After a lovely week off, I am now back in the country and reviewing what happened in the security world while I was gone. To my shock, the answer is… not much. This is probably the first vacation I’ve had in years when the bad guys took a break too.

Did interesting things happen last week? Of course they did. For example, I got to pet two otter cubs, take photos of venomous reptiles without protective glass and hold a grey fox in my lap. However on the security front, we’ve got a few updates here and there, and that’s about it. Sure, there’s news that various attackers have gotten incrementally better at this or that, but that’s not really news. That’s just what they do. Of course, since that’s what they do, it really should be what you do as well. However, that’s well off topic for this post.

Microsoft

We finally have an update to the MSXML problem. That is unless you run version 5.0, but who’d do a silly thing like that? The problem affecting Visual Basic DLLs is also addressed. Both of these issues are being actively exploited, so you should apply those patches immediately.

The patches also include critical issues on servers and workstations that involve Internet Explorer, TLS encryption flaws and file and directory name handling. Luckily, it doesn’t look like any of these patches are likely to cause problems, so you should probably just apply them.

Unless of course you’re running MSXML 5.0 … then you should probably replace with version 6.0.

More on these issues can be found at the SANS ISC Blog

Bonus Time

We gained an extra second last week. How did you spend yours?

If you were like some of our software/service vendors out there, you spent it crashing. This shows, yet again, that time is hard to deal with. There’s not much you can do about that, other than be aware that time isn’t as linear as we’d like, and things like leap seconds, leap years, time zone changes and such can wreak havoc on our systems.

Your best protection is to understand your extended business network better. Use a time management system internally and set it to alert you if systems start to drift. Map out how your service vendors affect your business so you can easily identify when being down is on their side as opposed to yours (I test off my cell phone, so all traffic follows an isolated path).

Basically, the more you understand how information flows through your business, the better you can identify what causes that flow to fail.

Android

Turns out Android has malware. This is probably news if your last phone was a Motorola DynaTAC. So, for those of you just now catching up, here’s the deal: phones are computers now. If you don’t treat your phone like a computer, bad things are going to happen. Use encryption, strong passwords, anti-malware and don’t go installing stupid stuff on it.

In fact, phones are bad computers! Much of the malware that runs on phones comes from applications that are, shall we say, somewhat adult in nature. Perhaps it would be better if, instead of viewing such material on a screen smaller than a mouse, people use that mouse and view it on real computer running real protections.

If you do that, you can ignore all the “OMG! Android has Malwares!!!!11!!” articles that come out over the next year.

WordPress

There is a new WordPress update out. If you’re running WordPress, install it ASAP. You can get it here, or just update it from within your dashboard. However, a caveat first. WordPress, as a platform, is great. You can post things quickly and easily. I use it all the time, myself.

But … and it’s a big but … the risk to using WordPress grows with each plugin that you install. It grows with the number of people who have the ability to post. Many site compromises occur because people host multiple sites with a large hosting company and if any one of them gets compromised, the attackers can bounce to other sites and take those over as well. Thus, if you’re running WordPress, keep all sites up-to-date, make sure all users have decent passwords and use a plugin like Exploit Scanner to check that things are set up right.

If you need help reading the results of Exploit Scanner, we’d be glad to lend a hand. Really, it’s pretty easy to secure WordPress, so it’s not that expensive to get a bit of professional help.

June Updates and Patch Report

It’s “Patch Tuesday” week again, so let’s summarize several of the more important updates and patches.

Microsoft

Did you know there were two sets up updates this month? The normal Tuesday updates came out as expected, but before that, there was a special update to make sure this week’s updates were trustworthy. What happened is that Flame made the news and a part of the malware was designed to take advantage of a flaw with Microsoft certificates. So, to fix it, Microsoft had to release an update… but since that certificate was part of the update process, it had to be released early.

If you did not apply the update when it first came out, you’ll probably be okay. However, this is yet another example of why it’s important to stay on top of these. If you fall behind, not only are you unprotected against current threats, but you also cannot trust the updates that are waiting in the wings. If you are worried about falling behind, it may be time to consider patch management software.

The second round included updates for Remote Desktop, Internet Explorer and .Net. The IE one is being exploited, so update your workstations and laptops ASAP. Also, if you are one of the many companies exposing Remote Desktop to the internet, this is a very good example as to why that isn’t the best strategy. The flaw made public this week allows people to access those systems without logging in. If you are accessing RDP directly over the internet, it’s time to stop. There are some extremely simple and cost effective (some even free) VPN solutions out there. Please use them.

More details are here and here.

The Always-Expanding Hack List

If you regularly use LinkedIn, Last.fm, Twitter and/or eHarmony, it’s time to change your passwords. It’s also time to trust the users of those sites a little bit less. When a password breach occurs, not only is your data at risk, but so are all of your social connections. If one of your friends had a weak password, someone could log into their account and view all the information you share with them. While there’s nothing we can do directly in response to these attacks other than change our passwords, we really need to start putting more pressure on these sites to ensure they are protecting our data with better than minimal standards. If you are in the position of storing customer data, you might want to review your own processes, too. It’d be better to do that before a breach.

Adobe

Adobe has released an update for … ColdFusion. If you’re not using ColdFusion, you don’t have to worry about Adobe patches this month. Also, if you’re running ColdFusion 10, you’re good. Kind of a shocker, I know.

If you’re running an older version of ColdFusion, read the details here.

VMware

It’s out … it’s finally out!  If you’re running vSphere 5, you can read the hardening guide.  This is a guide to both hardening AND assessing VMware infrastructures. Basically, all the auditors now have guidance, so expect them to get more annoying about it. Also, expect your assessors to have more documentation backing up why certain changes should be made. A good plan would be to actually make them! It’s usually going to make sense for you and the time you spend arguing would be better spent fixing issues.

I know that making some changes to a virtual environment can affect a lot of servers, but guess what happens if a flaw in your system is abused? I am firmly of the mind that a planned outage is much better than an unplanned one. Please harden your infrastructure.

Apple

Sadly, Apple did not release an IOS hardening guide. Instead, they just lifted the curtain a little bit and gave us a peek inside with the IOS security specs. If you are writing policies around mobile devices and have to support Apple, you should probably read this. It will also help you assess MDM solutions.

PHP

If you’re running PHP, you should know it’s being attacked.  Keep it updated and if you can, seriously consider layering PHP-Suhosin, Mod_Security2 and AppArmor around it. PHP is good for developers, but it’s also good for attackers. If you want to use it for the former, you have to accept the risk from the latter.

MySQL

Please excuse the tech speak here. If you are running MySQL and it was compiled with GCC using SSE, people can likely log into your system with the wrong password. Details are here. This issue is known to affect Ubuntu 64bit, OpenSUSE 64bit, Debian Unstable 64bit, Fedora and Arch Linux. Luckily, the more commonly used Ubuntu 32bit, Red Hat Enterprise Linux and the official binaries from MySQL are not affected.

In general, you should apply the patch immediately when available. You should also only expose your MySQL interface to the applications that need them and to the DBA’s network. Most real world problems involving this vulnerability involve people who chose to make MySQL accessible over the internet. Like RDP, there are almost no good reasons to do this … so don’t.

May Updates and Patch Report

It’s been a little while since I’ve written one of these posts. I had, in recent months, gotten overwhelmed by the amount of updates out there and the fact the advice really hadn’t changed. If you’re not going to read the entire post, just follow these two rules of thumb:

1) Apply patches to all applications on all systems as soon as you possibly can.

2) If you skip rule 1, be prepared to reinstall the OS and all apps on any system at any time.

That’s it.  Now, let’s get into some recent happenings:

 

Microsoft

Last week, Microsoft released several updates with many of them being critical. Workstations, once again, are affected by Office updates. If abused, a special file could cause these applications to take over your system.

But wait, there’s more!

Two sets of patches focus on the .NET framework and patch against code execution as well … so you don’t actually have to download a file to be placed at risk. However, unlike the Office problem, this flaw affects both workstations and servers. Getting even better, if you install the server in “server core” mode, this flaw also allows for elevation of privilege. This means that a successful attack can not only remotely take over a system, but it can break out of the permissions you set to lock things down.

Of course, given how nice these flaws are for attackers, it is not surprising that they are being exploited.

For more details, please see the reports from Sophos and SANS.

 

Apple

Apple has also released updates for many aspects of their operating system. The first set of patches focuses on Java. Over the last few weeks, an OSX+Java-focused attack called Flashback has run amok. This attack leveraged a flaw in Java that was fixed on February 14th… but not patched by Apple until April 3rd. Lucky for us, this malware was good at spreading, but not so good at being evil.

In the set of patches that came out, there were also several that focus on Safari and the disk encryption subsystem. The disk encryption problem basically exposed the encryption password (in certain cases) to people that look for it. Of course, a disk encryption solution that leaks the password is like keeping your house locked by leaving the key on the window sill. It’s just my opinion, but that’s perhaps not the best security solution.

More details on the Apple patches can be seen at ComputerWorld and Sophos.

 

Adobe

Several Adobe updates came out to address specific issues. The patched products include Flash Player, Illustrator, Photoshop, Shockwave Player and Flash Pro. Sounds good, right?  Well…

As it turns out, the Flash Player and Shockwave Player updates are free and fix the problems.  The patches for Illustrator, Photoshop and Flash Pro are free… but fix the problems by informing you that CS6 is available and that CS5 is no longer supported. Now, while it is within the rights of any company to stop supporting their products, one might argue that releasing a “security patch” that asks you to pay money and upgrade to fix the problem (assuming your hardware will run CS6) crosses the line.

There is a rumor in the industry that Adobe is backpedaling and will release updates to CS5, but they’re not out yet.

You can get the Flash player update here. Odds are that you don’t need Shockwave, so just uninstall it. Then, cross your fingers and hope that the patches for CS5 come out before your system is completely taken over and your bank account emptied to Eastern Europe. :)

This might also be a good time to check that your anti-malware software is updating and provides decent application hardening. Here’s a tip… if your anti-malware software came with your workstation, it’s probably not sufficient protection for modern attacks.

 

PHP

PHP has been updated to fix a problem in php-CGI. The php-CGI mode is available to provide better isolation for sites that run multiple virtual hosts. In this case, however, it did introduce a potential flaw. If you host multiple PHP sites on a server, please read this vulnerability report and test your system. If you’re vulnerable, apply the patches available here.

 

Bitcoin

If you were playing with the “new online currency” bitcoin and storing them in Bitconica, you probably lost money this week. A compromise of their production servers resulted in a loss of $90,000. Two months ago, a similar theft resulted in a loss of $225,000.  Some details are here.

Here’s the thing. If you are using a traditional currency, there is significant oversight on the part of the government that backs it and the banks that use it to make sure that bad things don’t happen. In a peer-to-peer currency like Bitcoin (even ignoring the lack of cryptographic analysis), there is no central governing body. Without this sort of body, the currency has no externalities and is 100% market driven. Thus, the currency will be protected by the least-accessible effort and breaches like these will continue to occur. Basically, the cost of acceptable losses is built into the currency itself and not dictated by a government. There’s nothing wrong with this, but it is a different model. Think on this before you hop on the Bitcoin train.

 

That’s it for now. I am going to do these more often for you, so they should be a bit shorter from here on out.  If I don’t cover something that you think is important, please leave us a comment and I’ll get to it on the next cycle.