
Did someone hear a thud? Something big just dropped.
Oh, Oracle patches again. Gotcha.
From PC World:
Oracle on Tuesday will release a patch update that includes 24 security fixes for its database, application server and other products.
Ten of the patches affect Oracle’s database, and two of the vulnerabilities addressed can be remotely exploited over a network without the need for a username and password, Oracle said.
Now, riddle me this. How many companies will roll out the aforementioned patches before the summer?
(Image used under CC from poyang Flickr feed)

There are a couple of problems with the Android phone in the news this evening. The first concerns how Android processes SMS messages.
Hmm. Why does this one ring a bell?
From oCERT:
a specific malformed SMS message can be crafted to trigger a condition that disconnects the mobile phone from the cellular network. The malformed SMS message consists of a badly formatted WAP Push message which causes a Java ArrayIndexOutOfBoundsException in the phone application (android.com.phone).
The other problem involves a denial of service problem with the Dalvik API.
A specific malicious application can be crafted so that if it is downloaded and executed by the user, it would trigger the vulnerable API function and restart the system process. The same condition could occur if a developer unintentionally places the vulnerable function in a place where the execution path leads to that function call. Triggering this bug is considered a DoS condition.
Congrats to researchers Charlie Miller, Collin Mulliner and Emmanouel Kellinis. Patches have been released by the vendor for both of these issues.
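The defensive pattern behind the SMS fix above, as an added example that is neither oCERT's nor Android's code: a WSP Push PDU parser (the payload a WAP Push SMS carries) that checks every attacker-supplied length against the bytes actually present, so a truncated or oversized message is rejected with a descriptive exception instead of an ArrayIndexOutOfBoundsException escaping from the phone process. The PDU layout follows my reading of the WSP spec and is simplified (value-length-prefixed Content-Type forms are rejected); the page does not say which index the real Android bug tripped on, so this illustrates the class of check, not the actual patch.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
/** Length-checked parser for a WSP Push PDU, the payload carried by a WAP Push SMS. */
public final class WapPushPdu {
    public final int transactionId, pduType;
    public final String contentType;
    public final byte[] headers, body;
    private WapPushPdu(int tid, int type, String ct, byte[] hdr, byte[] body) {
        transactionId = tid; pduType = type; contentType = ct; headers = hdr; this.body = body;
    }
    /** Parses a PDU; malformed input raises IllegalArgumentException instead of an index error. */
    public static WapPushPdu parse(byte[] pdu) {
        if (pdu == null || pdu.length < 3) throw new IllegalArgumentException("PDU too short");
        int pos = 0;
        int tid = pdu[pos++] & 0xFF;
        int type = pdu[pos++] & 0xFF;            // 0x06 = Push, 0x07 = ConfirmedPush
        if (type != 0x06 && type != 0x07) throw new IllegalArgumentException("not a Push PDU");
        // HeadersLen is a uintvar: 7 data bits per byte, high bit set means another byte follows.
        long headersLen = 0;
        for (int n = 0; ; n++) {
            if (pos >= pdu.length) throw new IllegalArgumentException("truncated HeadersLen");
            if (n == 5) throw new IllegalArgumentException("HeadersLen uintvar too long");
            int b = pdu[pos++] & 0xFF;
            headersLen = (headersLen << 7) | (b & 0x7F);
            if ((b & 0x80) == 0) break;
        }
        // The declared length is sender-controlled: verify it fits the buffer before indexing with it.
        if (headersLen == 0 || headersLen > pdu.length - pos)
            throw new IllegalArgumentException("HeadersLen " + headersLen + " does not fit the PDU");
        int headersEnd = pos + (int) headersLen;
        // Content-Type: well-known short integer (>= 0x80) or NUL-terminated text (first byte 0x20..0x7F).
        // Value-length-prefixed forms (first byte < 0x20) are rejected here to keep the example small.
        int first = pdu[pos] & 0xFF;
        String ct;
        if (first >= 0x80) {
            ct = "well-known/0x" + Integer.toHexString(first & 0x7F); pos++;
        } else if (first >= 0x20) {
            int end = pos;
            while (end < headersEnd && pdu[end] != 0) end++;   // bounded by headersEnd, never by luck
            if (end == headersEnd) throw new IllegalArgumentException("unterminated Content-Type");
            ct = new String(pdu, pos, end - pos, StandardCharsets.US_ASCII);
            pos = end + 1;
        } else {
            throw new IllegalArgumentException("unsupported Content-Type encoding");
        }
        return new WapPushPdu(tid, type, ct, Arrays.copyOfRange(pdu, pos, headersEnd),
                              Arrays.copyOfRange(pdu, headersEnd, pdu.length));
    }
}
```

Feeding it a constructed PDU such as `{0x01, 0x06, 0x7F, 0xAE}` (HeadersLen claims 127 bytes, one is present) yields an IllegalArgumentException the caller can log and drop, which is the behaviour a message handler wants from untrusted input.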

Hmm. So, rather than affect attendance for their conference Oracle has opted to hold off releasing security patches? Um, yeah.
From Computer World:
Oracle database administrators who are worried they might have to skip Oracle’s user conference next month to fiddle with security updates can relax. Oracle is cutting them a break and releasing its next set of patches a week later than planned.
The updates, which are released on a set schedule every three months, had been due for release on Oct. 13, slap in the middle of Oracle’s OpenWorld conference in San Francisco. But after thinking things over, Oracle has decided to delay the patches. They’re now due on Oct. 20.
Now, does this mean that we can expect to see a metric pantload of zerodays hit in early October? The thought occurred.
Here is a copy of the email from Oracle Security on the topic.
Critical Patch Update – October 2009
There is a change in the previously announced release date of the October 2009 Critical Patch Update.
Since many Oracle customers with responsibility for deploying the Critical Patch Update within their respective organizations will be attending Oracle OpenWorld October 11-15, 2009, the October 2009 Critical Patch Update originally scheduled to be published on Tuesday, October 13th 2009, will be released on October 20th 2009.
Please note: This date change only impacts the October 2009 Critical Patch Update. As usual, Oracle will issue a pre-release announcement on the Thursday before the publication of the Critical Patch Update (Thursday, October 15th). All other aspects of the Critical Patch Update (where to find the documentation, how to download the patches, etc.) remain the same.
The next four Critical Patch Update release dates are:
* October 20, 2009
* January 12, 2010
* April 13, 2010
* July 13, 2010
You will be notified via email once the Critical Patch Update for October 2009 has been released.
Sincerely,
Oracle Security Alerts

This is starting to wear on my nerves. This non-stop parade of patches is really tiresome. It would be rather lovely if code could be written well. Then again it makes for job security.
Ugh.
From The Register:
Microsoft plans to issue two emergency patches next week that fix vulnerabilities in the Internet Explorer browser and Visual Studio developer suite that allow attackers to remotely execute malware.
The patches, which will be delivered on Tuesday, will be only the third time Microsoft has issued an out-of-band security patch in the past 25 months. That suggests the updates are serious enough to warrant the extra fuss. Typically, the company issues patches on the second Tuesday of each month to allow administrators time to plan for and test the updates.
According to the bulletin, one is for a “moderate” problem with Visual Studio and the other a “critical” one in Internet Exploder Explorer, both of which result in remote access. For the advance notification from Microsoft read on.

Just in case you might have missed it, Oracle released a major security update yesterday. The patch contains 43 fixes.
I’m wondering, how many people diligently apply these patches? Frequently I see environments where the database is long overdue for a patch set. How about your environment?
From Network World:
Sixteen of the patches are for various database versions. The most severe vulnerability, which affects versions 9.2.0.8 and 9.2.0.8DV, “can potentially allow an attacker to gain full control of a vulnerable server,” according to a post on Oracle’s global product security blog. Other patches are for various 10g and 11g versions.
For a rundown of the problems addressed, here is a list of the advisories from Secunia.
Oracle Products Multiple Vulnerabilities | Secunia
Oracle BEA WebLogic Products Multiple Vulnerabilities | Secunia
Oracle BEA WebLogic Portal Privilege Escalation | Secunia
For the full CPU posting from Oracle you can find that here.

Tuesday March 10th and it’s once again Patch Tuesday for all you Microsoft users. Yesterday’s release was a very straightforward and light load of fixes but spanned all supported versions of Windows. Some specific updates pushed out are MS09-006, MS09-007, and MS09-008. MS09-006 is an update for the Windows kernel vulnerability that is labeled critical for Windows 2000 SP4 all the way up to Vista SP1. The other two updates fix vulnerabilities in SChannel and the DNS/WINS Server respectively and are rated important for Windows 2000 SP4 up to XP SP3 and Server 2003. Other than that the only things to look out for are the ordinary Malicious Software Removal Tool and Windows Mail spam filter. Full write-up.
Possibly more interesting than that is the fact that Symantec and Adobe released updates on the same day under unusual circumstances. George Hulme has a good write-up of the situation that he posted this afternoon. To sum it up, Adobe had been working on a fix for their recent zero-day and announced it would be released March 11th. They decided to release it yesterday, March 10th, which happened to be Patch Tuesday. They can be commended for getting it out early, but for most of those working in the operations trenches it probably wasn’t appreciated.
On top of that Symantec released a patch with the filename PIFTS.exe, which looks up the Symantec product and version on a system and reports it back. Well, this report-back happened not to be signed because of human error and sent up some firewall flares for most users. This must have been a Help Desk nightmare along with the Adobe issue on Patch Tuesday. Not only a Help Desk problem: if the users decided to search what PIFTS.exe was on their own, it is reported that malicious sites recognized this and made their sites appear at the top of those searches. Good write-up on the PIFTS.exe and malicious site issue on SC Magazine found here.
This onslaught of patches and patch mishaps must have really affected a lot of companies big and small as they had their time allotted for the Microsoft patches to be pushed. Anybody who works in operations and is part of the team responsible for patch management knows the trials of Patch Tuesday when that is the only issue to deal with. The fact that Adobe pushed their release up and Symantec had an inexcusable mistake all on the same day can really bring things down. Not only can this cause a headache for the people on the team responsible for pushing these patches, but if the team had to push three separate patches on the same day you are going to have some angry users who aren’t going to restart their machines for you. Heat will be felt all along the food chain and $DEITY forbid if somebody clicked on a site taking advantage of the PIFTS.exe curiosity. Productivity won’t be the only issue that companies will have to deal with this Patch Tuesday or for the rest of the week for that matter.
Tags: microsoft, security, patch tuesday, ms09-006, ms09-007, ms09-008, symantec, adobe, pifts.exe, patch hell

Adobe pulls it out ahead of their March 11th “by when” date. The patch for Adobe Flash Player is…wait, what? Adobe is having a bad month, it appears. Today they released a patch for Flash Player, NOT Acrobat Reader (yet).
From Adobe:
A potential vulnerability has been identified in Adobe Flash Player 10.0.12.36 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit this potential vulnerability. Additional vulnerabilities have been addressed in this update. Adobe recommends users update to the most current version of Flash Player available for their platform.
The Belgian security site (great reading by the way) Security4all pointed out this interesting tidbit.
Additionally, there is an iDefense report on this issue. What interested me was the Disclosure Timeline:
08/25/2008 – Initial Contact
09/22/2008 – PoC Requested
11/05/2008 – PoC Sent
11/06/2008 – Clarification requested
12/05/2008 – Clarification Sent
12/07/2008 – Additional Clarification Sent
02/19/2009 – Draft bulletin received
02/24/2009 – Coordinated Public Disclosure
Odd timeline.
Adobe Security Advisory
Get yer patch on. NOW!
UPDATE: And yes, thx mubix, one of the affected pieces of software mentioned in the advisory was AIR 1.5.

SCADA, there is a term that tends to scare the crap out of little children and small furry animals these days thanks to the FUD factories. The disconnect is often painful to read about. I have read that SCADA systems are easily hacked into, and the perception that one gets from reading these stories is that all hell has broken loose and that Nero is halfway through his solo. Rather frustrating, to a fault. We hear talking heads say that the “cyberterrorists” are gunning for critical infrastructure. When they attack it will be catastrophic.
Well, piss on that.
Why? Simple. That’s the least of the problems that face critical infrastructure. We hear news reports about how insecure control systems are and how SCADA is so “hackable”, but has anyone stopped to wonder why that might be? The press has set upon critical infrastructure of late for the low hanging fruit. “If it bleeds, it leads”. Well, that much is true. The sector is bleeding, but not for the lack of a responsible crew manning the battlements. No, much more dire than that. Critical infrastructure has been taken hostage by its vendors. Often a patch set will come out for Windows, Linux et cetera and, being diligent folks, they try to roll out the security patches only to be thwarted by the vendors.
Why?
Because the vendors have not “certified” the patches with regards to their software. A process that can often take an exceptional amount of time. The end result being that without that nebulous “certification” they will refuse to support their customers if they forge ahead with the application of said security patches.
A sad state of affairs.
Critical Infrastructure needs to get the attention it requires. The highest levels of government need to start paying close attention to these vendors that, through negligence, indifference or apathy, are jeopardizing the security of their national infrastructures. They need to have their feet held to the fire.

A batch of security issues have been addressed by Sun for the Java JDK/JRE. Please update your instances.
From Secunia:
Description:
Some vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of service), or compromise a vulnerable system.
1) Java Runtime Environment (JRE) creates temporary files with insufficiently random names. This can be exploited to write arbitrary JAR files and perform restricted actions on the affected system.
2) Multiple errors in the JRE image processing implementation can be exploited to cause buffer overflows.
3) Multiple errors in the JRE when processing GIF images can be exploited to cause buffer overflows.
4) Multiple errors in the JRE when processing fonts can be exploited to cause buffer overflows.
5) An error in the JRE can be exploited to establish network connections to arbitrary hosts.
6) An error when launching Java Web Start applications can be exploited by an untrusted application to e.g. read, write, or execute local files with the privileges of the user running the application.
7) An error can be exploited by an untrusted Java Web Start application to obtain the current username and the location of the Java Web Start cache.
8) An error in Java Web Start can be exploited to perform restricted actions (e.g. modify system properties).
9) An error in Java Web Start and Java Plug-in can be exploited to hijack HTTP sessions.
10) An error in the JRE applet class loading functionality can be exploited to read arbitrary files and establish network connections to arbitrary hosts.
…and it goes on like this. For the full listing please check out the advisory over on Secunia.

To the bloggers out there using WordPress as their platform of choice, it’s time to upgrade. This release addresses a couple of security issues.
From Wordpress:
WordPress 2.6.5 is immediately available and fixes one security problem and three bugs. We recommend everyone upgrade to this release.
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
Please note that the jump from 2.6.3 to revision 2.6.5 is intentional. There is not, nor will ever be, a version of WordPress at 2.6.4 due to a fake code release.
Right, on yer bike.