AusCERT Week in Review for 31st of August 2012
Date: 31 August 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16276
This was the week dominated by vulnerabilities in Java, with much attention being given to CVE-2012-4681, although two other related vulnerabilities were also part of the mix.
When the post "Let's start the week with a new Java 0-day in Metasploit" went public, it received plenty of attention, demonstrating that this vulnerability was not only very reliable, but could also be exploited on Windows, OS X, Linux, mobile devices - most anything that ran Java.
AusCERT published bulletin "ESB-2012.0819 Oracle Java 7 Security Manager Bypass Vulnerability" to notify people of the seriousness of CVE-2012-4681, and that no patch was available.
Esteban Guillardoy of Immunity Products posted to their blog an in-depth analysis of CVE-2012-4681, describing its history and suggesting that it "will shortly become the penetration test Swiss knife for the next couple of years". They also identified the presence of more than one vulnerability. Various exploits were described in detail.
Quite soon after these postings, exploits for CVE-2012-4681 appeared in the Blackhole, Redkit, Sakura and likely other exploit kits, multiplying their capacity for reliable badness.
Finally, Oracle came to the rescue with "Oracle Security Alert for CVE-2012-4681", patching four vulnerabilities including CVE-2012-4681 in Java SE products, JDK and JRE 6 & 7.
Mozilla blessed the world with new releases of Firefox, Thunderbird and SeaMonkey. A good number of security bugs were fixed and a few features added, like an instant messaging chat client now included in Thunderbird, for those with Facebook, Twitter, Gtalk, IRC or Jabber accounts.
Also of interest, just in case you were sceptical about malware targeting mobile devices, mobile variants of the FinFisher trojan were identified in circulation. At the University of Toronto's Citizen Lab, researchers reported sighting mobile variants of FinSpy for Android, BlackBerry, iOS, Symbian and Windows Mobile.
So if you've not already attended to them, here are my top 5 patches/actions for the week:
1) ASB-2012.0120 - ALERT [Win][UNIX/Linux][Mobile] Oracle JDK and JRE 6 & 7: Execute arbitrary code/commands - Remote with user interaction
Urgent is an understatement for this. Patch early, patch often - if you've not patched Java yet and are reading this, stop and patch it now.
2) ASB-2012.0119 - [Win][UNIX/Linux][Mobile] Mozilla Firefox, Thunderbird & SeaMonkey: Multiple vulnerabilities
Web browsers are often the last line of defence between the badness of the Internet and users. Care for your browsers and keep them patched.
3) ESB-2012.0820 - ALERT [Appliance] Cloud Tiering Appliance: Administrator compromise - Remote/unauthenticated
Administrator compromise by providing a specially crafted malicious file during the authentication process is most undesirable, especially on this kind of appliance. If you have one, patch it now.
4) ESB-2012.0826 - [Win] Novell iPrint: Execute arbitrary code/commands - Remote with user interaction
Novell iPrint on Windows can be a common combination for some. If it's a combination in your enterprise, avoid some grief and patch it now.
5) ESB-2012.0827 - ALERT [Win] HP iNode Management Center: Execute arbitrary code/commands - Remote/unauthenticated
If your organisation doesn't filter TCP/9090 on the border, and you use this product, then take the time to apply the patch.