Date: 15 June 2012
AusCERT Week in Review
15 June 2012
The AusCERT Week in Review is a roundup of the week's notable
security advisories, events and AusCERT activities - brought to you
from the AusCERT Coordination Centre team. For an extra perspective,
follow @AusCERT on Twitter and stay connected to events as they
happen.
Microsoft this week released an automatic updater for untrustworthy
certificates for Windows Vista, Windows Server 2008, Windows 7 and
Windows Server 2008 R2. Once installed, Windows periodically fetches a
Microsoft-published list of certificates that should no longer be
trusted and places them in the Untrusted Certificates store, without
waiting for a Microsoft Update release or for the issuing CA to publish
a CRL. This extraordinary step follows the unauthorized certificates,
chained to a Microsoft CA, that allowed the Flame malware to be signed
and installed as if it came from Microsoft (revoked last week under
Microsoft Security Advisory 2718704). Installing the updater ensures
that future revocations of this kind are applied automatically.
http://blogs.technet.com/b/pki/archive/2012/06/12/announcing-the-automated-updater-of-untrustworthy-certificates-and-keys.aspx
http://support.microsoft.com/kb/2677070
[http://auscert.org.au/15897] - Unauthorized Digital Certificates Could Allow Spoofing
[http://blogs.technet.com/b/msrc/archive/2012/06/03/microsoft-releases-security-advisory-2718704.aspx]
A number of 64-bit operating systems were updated this week to
correct a local privilege escalation vulnerability arising from the
way Intel CPUs implement the SYSRET instruction (an instruction that
originates in AMD's x86-64 design). If the kernel executes SYSRET
with a non-canonical return address in RCX, an Intel processor raises
a general protection fault while still in kernel mode, but with the
stack pointer already holding the user-supplied value; the fault
handler then runs on an attacker-chosen stack, which lets a local
attacker write to arbitrary addresses in the operating system's
memory. The result is privilege escalation or, on a hypervisor, a
guest-to-host VM escape. The flaw is not confined to one platform:
Microsoft Windows, FreeBSD, Red Hat and Xen were affected, among
others.
ESB-2012.0538 - [Win] Microsoft Windows (MS12-042)
[http://www.auscert.org.au/render.html?it=15924]
ESB-2012.0541 - [RedHat] kernel: Multiple vulnerabilities
[http://www.auscert.org.au/render.html?it=15927]
ESB-2012.0546 - [FreeBSD] kernel
[http://www.auscert.org.au/render.html?it=15932]
US-CERT Vulnerability Note VU#649219
[http://www.kb.cert.org/vuls/id/649219]
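As an added illustration (written for this review, not code from any of the affected vendors), the guard that the fixes put in front of SYSRET: if the user return address in RCX is not canonical, return to user mode with IRET instead, which faults before the stack switch and is therefore handled on the kernel's own stack. The canonical-address rule assumed is the 48-bit one of current x86-64 processors (bits 63..47 must all equal bit 47); the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 with 48-bit virtual addressing: an address is canonical when bits
 * 63..47 are all copies of bit 47.  Sign-extending from bit 47 and comparing
 * with the original value is the usual way to test this. */
static int is_canonical(uint64_t addr)
{
    int64_t sign_extended = (int64_t)(addr << 16) >> 16;   /* replicate bit 47 upward */
    return (uint64_t)sign_extended == addr;
}

/* Which instruction the kernel may use to return to user mode.  SYSRET with a
 * non-canonical RCX is the dangerous case on Intel parts: the #GP is raised in
 * ring 0 after RSP already holds the user-controlled stack pointer.  IRET checks
 * the return RIP before loading RSP, so it is the safe fallback. */
enum return_path { USE_SYSRET, USE_IRET };

static enum return_path pick_return_path(uint64_t user_rip)
{
    return is_canonical(user_rip) ? USE_SYSRET : USE_IRET;
}

int main(void)
{
    /* Constructed sample return addresses, not values from any real exploit. */
    uint64_t samples[] = {
        0x00007ffff7a5d000ULL,  /* ordinary user-space address: canonical */
        0x0000800000000000ULL,  /* first non-canonical value above user space */
        0xffff7fffffffffffULL,  /* non-canonical hole just below the kernel half */
        0xffff800000000000ULL,  /* lowest canonical address in the kernel half */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018llx -> %s\n", (unsigned long long)samples[i],
               pick_return_path(samples[i]) == USE_SYSRET ? "SYSRET" : "IRET (non-canonical RCX)");
    return 0;
}
```

The check costs a shift and a compare on the return path; the affected kernels and hypervisors accepted that cost rather than rely on SYSRET's behaviour being the same on every CPU vendor.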
F5 reported a vulnerability in its BIG-IP range of products that
permits unauthenticated root access to an affected device. The
compromise is possible because the SSH private key matching a public
key trusted for root logins on the device was unintentionally
published; anyone holding that key can log in as root. Upgrading the
device, or reconfiguring it to remove the affected key from root's
authorized keys, is the only effective mitigation, because the private
key itself is now public and cannot be withdrawn.
https://www.auscert.org.au/render.html?it=15936
https://www.trustmatta.com/advisories/MATTA-2012-002.txt
F5 also published advisories for the BIND zero-length RDATA
vulnerability as it affects BIG-IP, and for a SQL injection
vulnerability in FirePass.
[http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13660.html]
[http://support.f5.com/kb/en-us/solutions/public/13000/600/sol13656.html]
In other news, in what may be the first example of the direct
application of a financial penalty for using insecure software, the
online electronics retailer, Kogan.com, is charging its visitors
extra for using IE7. Spoiler: the actual reason for this is, in
fact, down to compatibility with site rendering on all browsers,
but let's not let a positive by-product of this initiative go without
some credit.
[http://www.news.com.au/technology/kogan-wages-war-on-internet-explorer-users-taxed/story-e6frfro0-1226395298505]
Marco Ostini from AusCERT will be speaking at the IT & Network
Security in Mining 2012 conference, next Wednesday:
[http://www.itsecurityinmining.com.au/Event.aspx?id=723454]
Important Security Bulletins
----------------------------
Title: ASB-2012.0085 - ALERT [Win][UNIX/Linux][Mobile] Oracle JDK, JRE 7 and
JavaFX: Execute arbitrary code/commands - Remote with user interaction
Date: 13 June 2012
URL: [http://www.auscert.org.au/15933]
Oracle released its Java SE Critical Patch Update for June 2012,
updating JDK, JRE 7 and JavaFX. Vulnerable systems may be targeted by
attackers via a malicious Java applet or application, resulting in
the execution of arbitrary code with the privileges of the currently
logged-on user, which on a Windows system is often an administrator.
Expect patches from major OS vendors: on the same day, Apple released
Java for OS X 2012-004 and Java for Mac OS X 10.6 Update 9 to correct
these vulnerabilities, with Red Hat following on Thursday.
Recommendation: patch immediately.
Title: ESB-2012.0551 - [RedHat] java-1.6.0-openjdk: Multiple vulnerabilities
URL: [http://www.auscert.org.au/15939]
Title: ESB-2012.0550 - [RedHat] java-1.6.0-sun: Multiple vulnerabilities
URL: [http://www.auscert.org.au/15938]
Title: ESB-2012.0549 - [RedHat] java-1.6.0-openjdk: Multiple vulnerabilities
URL: [http://www.auscert.org.au/15937]
--
ESB-2012.0533 - ALERT [Win] Remote Desktop (MS12-036)
[http://www.auscert.org.au/render.html?it=15919]
Microsoft Windows Remote Desktop was patched for a vulnerability
that permits execution of arbitrary code if an attacker sends a
sequence of crafted RDP packets to a vulnerable system, with no
authentication required. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights. Remote Desktop is not enabled by default on any Windows
system, but it is commonly enabled on servers and management hosts.
This advisory is rated Critical by Microsoft. Recommendation: patch
immediately.
Separately, the earlier RDP update MS12-020 was re-released this week
for Windows 7 and Windows Server 2008 R2, because installing Service
Pack 1 on a system that already had the update could undo the fix.
Systems previously patched for MS12-020 should have the update
reapplied.
--
Title: ASB-2012.0084 - ALERT [Win][UNIX/Linux] MySQL: Unauthorised access -
Remote/unauthenticated
Date: 12 June 2012
URL: [http://www.auscert.org.au/15913]
Certain builds of MySQL are vulnerable to a remote attack that can
give unauthenticated access to the database as any user, including
root. The cause is a narrowing conversion: the routine that compares
the client's password token with the stored hash returns memcmp()'s
int result through a one-byte (char) type. On builds where memcmp()
can return values outside -128..127 (for example Linux with an
SSE-optimised glibc), roughly 1 in every 256 login attempts has its
non-zero result truncated to 0 and is accepted regardless of the
password supplied, so repeating the same wrong password a few hundred
times is enough; a brute-force attack is trivial. The official MySQL
binaries are not vulnerable, but third-party distributions shipped
affected builds and have issued updates to correct the issue.
Recommendation: patch immediately.
AusCERT in the Media:
---------------------
From news.com.au: Olympian's photos of ... with wife stolen by staff at computer shop
"Senior security analyst Joel Hatton of AusCERT - an emergency computer
response team that provides computer incident prevention, response and
mitigation ..."
More:
[http://www.news.com.au/national/it-pirates-steal-olympians-sex-pics/story-e6frfkvr-1226390076239]
From Sophos: VIDEO: How to solve the AusCERT 2012 #sophospuzzle | Naked ... By Paul
Ducklin
"By popular demand, here is a video explaining how to solve the puzzle
we published on our AusCERT 2012 conference T-shirt. 44 solvers from 14
countries cracked it in the time allowed - find out how they did it!"
More:
[http://nakedsecurity.sophos.com/2012/06/13/video-how-to-solve-the-auscert-2012-sophospuzzle/]