Date: 22 June 2012
It has been a mixed bag this week.
Apple will most likely cop flak for that pesky Flashback incident for some time. A possible flow-on effect is the recent removal of "It doesn't get PC viruses" from the Apple website. This may or may not be an admission that OS X is not immune to malware; however, advertising suggesting otherwise is probably not a great idea.
Last Tuesday was Microsoft Black Tuesday and AusCERT published Microsoft bulletin MS12-037 as an alert due to at least one of the vulnerabilities being actively exploited. This week it was reported that a trojan was using CVE-2012-1875 to compromise human rights and foreign policy websites.
Following on from the LinkedIn compromise a couple of weeks ago, LinkedIn have since stepped up their security by salting user passwords. Too little, too late, says one LinkedIn user, who is pursuing a $5 million class action suit.
To conclude this week's review, here are my picks for the top 5 bulletins, in no particular order:
1) ASB-2012.0093 - ALERT [Appliance] BIG-IP: Multiple vulnerabilities
This bulletin relates to previously disclosed serious vulnerabilities, including a remote unauthenticated root compromise. However, those using version 9.4.8 of BIG-IP previously had to either upgrade or implement workarounds, as advised by F5. This bulletin provides a fix for those unable to upgrade from 9.4.8.
2) ESB-2012.0568 - ALERT [Win] Symantec LiveUpdate Administrator: Administrator compromise - Existing account
This little baby requires an existing account; however, do not discount the possibility of malicious internal users or the existence of default local accounts! In addition, there is proof of concept code available publicly, as well as reports that the Symantec-provided update does not fully address the bug. If successfully exploited, an attacker would have full control over the host on which the LiveUpdate Administrator software is installed.
3) ESB-2012.0598 - [Cisco] Cisco ASA 5500 Series & Catalyst 6500 Series ASASM: Denial of service - Remote/unauthenticated
A denial of service vulnerability was identified in Cisco ASA 5500 Series and Cisco Catalyst 6500 Series ASASM. This is a serious vulnerability because the devices are used to protect networks and because repeated attacks could result in sustained unavailability. Please note that the devices must be configured as follows in order to be vulnerable, as per the full advisory from the Cisco website:
Cisco ASA or Cisco ASASM is running in transparent firewall mode
Cisco ASA or Cisco ASASM has IPv6 enabled
Cisco ASA or Cisco ASASM has system logging enabled and the system is configured to log message ID 110003
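As an added illustration (not part of the Cisco advisory or of this bulletin), here is a small Python check that scans an exported ASA/ASASM running-config for the three conditions listed above and reports whether all of them are present. The config excerpts are constructed samples. The script assumes the ASA default that a syslog message is emitted whenever logging is enabled unless it has been explicitly disabled with `no logging message <id>`, and it treats `firewall transparent`, `ipv6 enable` / `ipv6 address` and `logging enable` as the configuration lines that express the three conditions.

```python
"""Audit an ASA/ASASM running-config for the three conditions that, per the
Cisco advisory summarised above, must all hold for the device to be exposed.

Constructed sample configs; assumptions are marked in comments.
"""

# Constructed sample: transparent mode, IPv6 on an interface, logging on,
# message 110003 left at its default (enabled) -> all three conditions hold.
VULNERABLE_CONFIG = """\
hostname asa-edge
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 ipv6 enable
 ipv6 address 2001:db8::1/64
!
logging enable
logging trap informational
"""

# Constructed sample: same device after the message has been disabled.
MITIGATED_CONFIG = """\
hostname asa-edge
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 ipv6 enable
!
logging enable
no logging message 110003
"""

# Constructed sample: routed (non-transparent) firewall, so not exposed.
ROUTED_CONFIG = """\
hostname asa-core
!
interface GigabitEthernet0/1
 nameif inside
 ipv6 address 2001:db8:1::1/64
!
logging enable
"""

MESSAGE_ID = "110003"


def check_asa_exposure(config_text):
    """Return a dict with one boolean per advisory condition plus 'exposed'.

    'exposed' is True only when all three conditions are met.
    """
    # Interface sub-commands are indented; strip so they compare cleanly.
    lines = [ln.strip() for ln in config_text.splitlines()]

    # Condition 1: device runs in transparent firewall mode.
    transparent_mode = "firewall transparent" in lines

    # Condition 2: IPv6 enabled on at least one interface, either by an
    # explicit "ipv6 enable" or by assigning an IPv6 address.
    ipv6_enabled = any(
        ln == "ipv6 enable" or ln.startswith("ipv6 address ") for ln in lines
    )

    # Condition 3: system logging enabled and message 110003 being logged.
    # Assumption: ASA emits every syslog message by default, so 110003 is
    # logged unless the config carries "no logging message 110003".
    logging_enabled = "logging enable" in lines
    message_disabled = f"no logging message {MESSAGE_ID}" in lines
    logs_message = logging_enabled and not message_disabled

    return {
        "transparent_mode": transparent_mode,
        "ipv6_enabled": ipv6_enabled,
        "logs_message_110003": logs_message,
        "exposed": transparent_mode and ipv6_enabled and logs_message,
    }


def describe(name, config_text):
    """Produce a one-line human-readable verdict for a config."""
    result = check_asa_exposure(config_text)
    met = [k for k, v in result.items() if k != "exposed" and v]
    verdict = "EXPOSED" if result["exposed"] else "not exposed"
    return f"{name}: {verdict} (conditions met: {', '.join(met) or 'none'})"


if __name__ == "__main__":
    for label, cfg in (
        ("vulnerable", VULNERABLE_CONFIG),
        ("mitigated", MITIGATED_CONFIG),
        ("routed", ROUTED_CONFIG),
    ):
        print(describe(label, cfg))
```

Run it against a saved `show running-config` and only devices that meet all three conditions are flagged; the per-condition flags tell you which single setting (for example disabling message 110003, as the mitigated sample does) would take the device out of the exposed state.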
4) ASB-2012.0089 - [Win][UNIX/Linux] Mozilla Firefox, Thunderbird, & SeaMonkey: Execute arbitrary code/commands - Remote with user interaction
If you cannot upgrade to the most recent versions of these products, you should at least upgrade to Firefox 9.0, Thunderbird 9.0 and SeaMonkey 2.6, due to a code execution vulnerability in older versions of these Mozilla products.
5) ESB-2012.0594 - [RedHat] java-1.7.0-oracle: Multiple vulnerabilities
Last but not least, Red Hat was very enthusiastic with bulletins this week, particularly yesterday. Some of these were only rated low in priority; however, ESB-2012.0594 was rated as critical.
Be smart and stay safe,
The AusCERT Week in Review is a roundup of the week's notable security advisories, events and AusCERT activities - brought to you from the AusCERT Coordination Centre team. For an extra perspective, follow @AusCERT on Twitter and stay connected to events as they happen.