Date: 08 June 2012
The calm feeling of the past few weeks has given way to back-to-back action.
As analysis of the Flame malware reveals more of its 'features' to the world,
those impacted have taken appropriate action, including Microsoft this week.
Infosec researchers have long dreaded the theoretical scenario in which
Microsoft's Windows Update is used to deliver malware. This week we've
discovered it's no longer a theory: Flame includes forged MS Terminal Server certificates.
I tip my hat to whomever is responsible for Flame, as they've just opened
Pandora's box and let loose a collection of new malware technologies that
garden-variety malware writers will soon copy. Thanks a lot... (not)
So if you've not already attended to them, here are my top 5 patches/actions
for the week:
1) ESB-2012.0516 - ALERT [Win] Microsoft Windows: Access confidential data - Remote/unauthenticated
If you run Windows on anything, then you should have already applied
Microsoft's out of band patch mentioned in MS Security Advisory (2718704). A
2) ESB-2012.0518 - ALERT [Win][UNIX/Linux] BIND: Denial of service - Remote/unauthenticated
Given that Berkeley Internet Name Domain (BIND) servers provide much of the
translation between humans using URLs all over the place and the computers and
devices chatting away via IP addresses, a remote denial of service against
BIND could spoil things for many. Updated packages already exist for Debian and
RedHat. A high priority.
3) ASB-2012.0082 - [Win][UNIX/Linux] Firefox, Thunderbird, and SeaMonkey: Multiple vulnerabilities
Mozilla Firefox & Thunderbird must be feeling lucky at version 13, with a
collection of important bugs squashed. If you use Firefox or Thunderbird, then
patching is a must. Updated packages have been released for RedHat and
Debian. Enterprise Windows users should consider using their favourite delivery
method to update Mozilla products on their client machines.
4) ESB-2012.0514 - [Debian] nut: Denial of service - Remote/unauthenticated
Network UPS Tools is a suite of software used across various *nix flavours and
Linux distributions, and is also available for OS X and Windows. It can
talk to solar controllers, but is more likely to be communicating with an
Uninterruptible Power Supply. This update fixes CVE-2012-2944, which is quite
desirable, as a remote denial of service resulting in a power outage on
devices connected to your UPS is best avoided. A high priority.
5) ASB-2012.0083 - [Win][UNIX/Linux][Mobile] LinkedIn: Access privileged data - Existing account
The breach of 6.5 million unsalted LinkedIn passwords was well publicised and
it's likely that most of them have been cracked by now. Resist the temptation to
type your LinkedIn password on a site that offers to tell you if it's been
stolen or not. Instead, take this as a good opportunity to change your LinkedIn
password to something new and unrelated to previous ones. While you're at it,
if you have a Last.fm or eHarmony account they've also been breached and will
need new passwords.
The moral of the story is: don't store password hashes as salt-free SHA1. Are
you doing this on any of the applications you develop or manage? Some salt is
necessary for the health of your users.
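To make the point concrete, here is an added example (mine, not AusCERT's, and not code from any of the products above) that contrasts the unsalted SHA1 store the post warns about with a per-user salted, iterated hash, and includes a small audit helper for spotting bare SHA1 records in a password table. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: two users who happen to share the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}

def unsalted_sha1(password):
    """The scheme the post warns about: same password, same digest, for every user,
    so one precomputed table cracks every matching account at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_hash(password, salt=None, iterations=100_000):
    """Per-user random salt plus iterated PBKDF2-HMAC-SHA256. The stored record
    carries its own parameters: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password, stored):
    """Recompute with the salt and iteration count from the record; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # malformed or bare-digest record: never accept it
    recomputed = salted_hash(password, bytes.fromhex(parts[2]), int(parts[1]))
    return hmac.compare_digest(recomputed, stored)

_BARE_SHA1 = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

def find_unsalted_sha1(records):
    """Audit helper: usernames whose stored value looks like a bare SHA1 digest
    (40 hex characters, no salt or parameters), i.e. a LinkedIn-style store."""
    return sorted(user for user, stored in records.items() if _BARE_SHA1.match(stored))

def demo():
    weak = {u: unsalted_sha1(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: salted_hash(p) for u, p in SAMPLE_USERS.items()}
    return {
        "weak_collide": weak["alice"] == weak["bob"],      # True: identical digests
        "strong_collide": strong["alice"] == strong["bob"],  # False: salts differ
        "flagged": find_unsalted_sha1(weak),               # ['alice', 'bob']
        "verify_ok": verify("correct horse", strong["alice"]),
        "verify_bad": verify("wrong", strong["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```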