AusCERT Week in Review - Week Ending 12/10/2012
Date: 12 October 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16461
With as many twists as an episode of Rake, this week has been anything but dull in the world of information security.
Significant patch releases from major vendors abounded, but most notable were not one or two but four security releases published for web browsers, with both the Mozilla and Google Chrome developers heroically responding to identified vulnerabilities.
The Mozilla team, on the back of releasing Firefox & Thunderbird 16, identified a regression and a new vulnerability and patched both within hours. Thanks to their efforts, enjoy version 16.0.1.
At the Pwnium 2 competition at Hack in the Box 2012 in Kuala Lumpur, Pinkie Pie identified a WebKit Scalable Vector Graphics (SVG) vulnerability (CVE-2012-5112) and exploit and received a $60,000 prize from Google for his efforts. Despite having just released Chrome 22.0.1229.92, within 10 hours after Pwnium 2 concluded the vulnerability was patched in Chrome 22.0.1229.94. Nice work!
CVE-2012-5112 received a CVSS v2 Base Score of 10.0. It's rather nasty and very exploitable.
Google Chrome is one of a number of browsers that use WebKit as their rendering engine; others include Apple's Safari browser and mobile platforms such as iOS, Android, BlackBerry Tablet OS, webOS and the Amazon Kindle ebook reader. WebKit has significant market share and some expect it to become the primary web rendering engine.
With mobile devices receiving much attention from the purveyors of malicious software, CVE-2012-5112 would represent a clear threat that will be exploited.
With this in mind, how soon can we expect a patch from Apple for Safari and their iDevices? How soon until other vendors using WebKit patch their products? Time will tell.
The popular and attractive Samsung Galaxy S3 phone running Android 4.0.4 was compromised in the Mobile Pwn2Own competition by Tyrone and Jacques from South Africa and Jon and Nils in the UK. Using a new vulnerability via NFC, they were able to upload a malicious file which allowed code execution on the phone. Complete control of the device was then achieved using a second vulnerability for privilege escalation. Let's hope this bug is patched as quickly as Chrome was :)
So if you've not already attended to them, here are my top 5 patches/actions for the week:
1) ESB-2012.0974 - ALERT [Win][UNIX/Linux] BIND: Denial of service - Remote/unauthenticated
If you don't have a reliable DNS server, you don't have much. If you have BIND,
make applying this patch a priority.
2) ESB-2012.0963.2 - ALERT [Win] Microsoft Office, SharePoint Server, Word Viewer: Execute arbitrary code/commands - Remote with user interaction
With active exploits in the wild for Microsoft Word, I sure hope you've applied
this update already. No? Go do it now.
3) ASB-2012.0138 - ALERT [Win][UNIX/Linux] Google Chrome: Multiple vulnerabilities
With all the effort to get a patch out for CVE-2012-5112 so quickly, it would
be a shame not to take advantage of it quickly too.
4) ASB-2012.0139 - ALERT [Win][UNIX/Linux][Mobile] Mozilla Firefox, Thunderbird & SeaMonkey: Multiple vulnerabilities
Web browsers are often the last line of defence between the badness of the
Internet and users. Care for your browsers and keep them patched.
5) ESB-2012.0962 - [Win][Linux][Apple iOS][Mac][OSX] Adobe Flash Player: Multiple vulnerabilities
This is almost always an urgent patch, as Flash is a favourite for abuse.