May Updates and Patch Report
It’s been a little while since I’ve written one of these posts. I had, in recent months, gotten overwhelmed by the amount of updates out there and the fact the advice really hadn’t changed. If you’re not going to read the entire post, just follow these two rules of thumb:
1) Apply patches to all applications on all systems as soon as you possibly can.
2) If you skip rule 1, be prepared to reinstall the OS and all apps on any system at any time.
That’s it. Now, let’s get into some recent happenings:
Last week, Microsoft released several updates with many of them being critical. Workstations, once again, are affected by Office updates. If abused, a special file could cause these applications to take over your system.
But wait, there’s more!
Two sets of patches focus on the .NET framework and patch against code execution as well … so you don’t actually have to download a file to be placed at risk. However, unlike the Office problem, this flaw affects both workstations and servers. Getting even better, if you install the server in “server core” mode, this flaw also allows for elevation of privilege. This means that a successful attack can not only remotely take over a system, but it can break out of the permissions you set to lock things down.
Of course, given how nice these flaws are for attackers, it is not surprising that they are being exploited.
Apple has also released updates for many aspects of their operating system. The first set of patches focuses on Java. Over the last few weeks, an OSX+Java-focused attack called Flashback has run amok. This attack leveraged a flaw in Java that was fixed on February 14th… but not patched by Apple until April 3rd. Lucky for us, this malware was good at spreading, but not so good at being evil.
In the set of patches that came out, there were also several that focus on Safari and the disk encryption subsystem. The disk encryption problem basically exposed the encryption password (in certain cases) to people that look for it. Of course, a disk encryption solution that leaks the password is like keeping your house locked by leaving the key on the window sill. It’s just my opinion, but that’s perhaps not the best security solution.
Several Adobe updates came out to address specific issues. The patched products include Flash Player, Illustrator, Photoshop, Shockwave Player and Flash Pro. Sounds good, right? Well…
As it turns out, the Flash Player and Shockwave Player updates are free and fix the problems. The patches for Illustrator, Photoshop and Flash Pro are free… but fix the problems by informing you that CS6 is available and that CS5 is no longer supported. Now, while it is within the rights of any company to stop supporting their products, one might argue that releasing a “security patch” that asks you to pay money and upgrade to fix the problem (assuming your hardware will run CS6) crosses the line.
There is a rumor in the industry that Adobe is backpedaling and will release updates to CS5, but they’re not out yet.
You can get the Flash player update here. Odds are that you don’t need Shockwave, so just uninstall it. Then, cross your fingers and hope that the patches for CS5 come out before your system is completely taken over and your bank account emptied to Eastern Europe. :)
This might also be a good time to check that your anti-malware software is updating and provides decent application hardening. Here’s a tip… if your anti-malware software came with your workstation, it’s probably not sufficient protection for modern attacks.
PHP has been updated to fix a problem in php-CGI. The php-CGI mode is available to provide better isolation for sites that run multiple virtual hosts. In this case, however, it did introduce a potential flaw. If you host multiple PHP sites on a server, please read this vulnerability report and test your system. If you’re vulnerable, apply the patches available here.
If you were playing with the “new online currency” bitcoin and storing them in Bitconica, you probably lost money this week. A compromise of their production servers resulted in a loss of $90,000. Two months ago, a similar theft resulted in a loss of $225,000. Some details are here.
Here’s the thing. If you are using a traditional currency, there is significant oversight on the part of the government that backs it and the banks that use it to make sure that bad things don’t happen. In a peer-to-peer currency like Bitcoin (even ignoring the lack of cryptographic analysis), there is no central governing body. Without this sort of body, the currency has no externalities and is 100% market driven. Thus, the currency will be protected by the least-accessible effort and breaches like these will continue to occur. Basically, the cost of acceptable losses is built into the currency itself and not dictated by a government. There’s nothing wrong with this, but it is a different model. Think on this before you hop on the Bitcoin train.
That’s it for now. I am going to do these more often for you, so they should be a bit shorter from here on out. If I don’t cover something that you think is important, please leave us a comment and I’ll get to it on the next cycle.