Australia's Leading Computer Emergency Response Team

AusCERT Week in Review for 21st September 2012
Date: 21 September 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16369


Greetings,

Well, it's been a fairly eventful week this week, with the most prominent item being the disclosure of a serious unpatched Microsoft Internet Explorer zero-day vulnerability early in the week. The vulnerability was first disclosed by security researcher Eric Romang via his blog, who stated that he had discovered the exploit code while investigating a compromised web server which had been used by Chinese hackers utilising the Java exploits from August. Romang also passed the information over to the Rapid7 folks, who have since incorporated it into a Metasploit module. Microsoft were reasonably quick to respond with the release of a security advisory which recommended the use of EMET (Enhanced Mitigation Experience Toolkit) as a workaround, and shortly afterwards provided a Microsoft 'Fix it' solution, which is to be followed up this Friday (US time) with an out-of-band update. The whole incident sparked a lot of conversation and thinking over here in the AusCERT CC Team, and as a result we've released a blog post which highlights some of the considerations organisations should make to help prepare for these kinds of eventualities.

Just a couple of days later (and in light of the IE zero-day, particularly bad timing for those organisations using a combination of Internet Explorer and Sophos Anti-Virus), Sophos appears to have accidentally identified some of its own binaries as malware, which has caused all kinds of headaches for numerous organisations. The binaries were being falsely flagged and quarantined as 'Shh/Updater-B'. According to the comments on Sophos' nakedsecurity blog, it appears that Sophos technical support has been inundated with phone calls and their support forum has also taken a beating.

On Thursday at the ekoparty Security Conference in Argentina, security researcher Esteban Martinez Fayo, of Appsec Inc., announced a serious flaw in the logon protocol used by Oracle Database 11g releases 1 and 2 which could allow for "easy" cracking of passwords. Fayo provided the following description of the vulnerability: "This Session Key is a random value that the server generates and sends as the initial step in the authentication process, before the authentication has been completed. This is the reason why this attack can be done remotely without the need of authentication and also, as the attacker can close the connection once the Session Key has been sent, there is no failed login attempt recorded in the server because the authentication is never completed." According to Fayo, the vulnerability is corrected in version 12 of the authentication protocol; however, he believes that Oracle has no plans to correct the issue in version 11.1 of the protocol.

And finally, here are my picks for the week's top 5 bulletins (in no particular order):

1) ESB-2012.0898 - ALERT [Apple iOS] iOS: Multiple vulnerabilities

In conjunction with the release of the iPhone 5, Apple has released iOS 6 which corrects a staggering 192 vulnerabilities in iOS 5 for iPhones, iPads and iPod Touch devices!

2) ESB-2012.0899 - [OSX] OS X: Multiple vulnerabilities

Apple also released a major update for OS X, correcting 33 vulnerabilities in various packages such as Apache, BIND, PHP and more.

3) ASB-2012.0130 - [Win] Sophos Anti-Virus: Reduced security

Sophos accidentally released updates for Sophos Anti-virus which identified some of its own binaries as malware.

4) ASB-2012.0128.2 - UPDATED ALERT [Win] Internet Explorer: Execute arbitrary code/commands - Remote with user interaction

A serious unpatched vulnerability was identified in versions 6, 7, 8 and 9 of Internet Explorer on all supported versions of Windows.

5) ASB-2012.0129 - [Appliance] Siemens SIMATIC S7-1200 PLC: Provide misleading information - Remote with user interaction

And last but not least, it's not a normal week unless a vulnerability has been identified in a SCADA product. It was found that it was possible to obtain the private key of the Siemens SIMATIC S7-1200 PLC. Nasty.

Have a great weekend!
Jonathan