AusCERT Week in Review - Week Ending 19/10/2012

Date: 19 October 2012

Greetings,

For many, this week has been rather eventful in infosec-land.

Oracle dropped another mega-massive patch upon us, and then followed up with a Java SE Critical Patch. Between them, some very significant vulnerabilities, many with a CVSS score of 10, were mitigated.

Despite the fixes in Java, according to heise Security, the security researcher Adam Gowdiak, who identified many of the recently patched Java vulnerabilities, confirmed that a critical security hole that allows attackers to break out of the Java sandbox continues to exist in Java. "According to the researcher, Oracle told him that the October CPU was already in its final testing phase when he reported the vulnerability. Therefore, this vulnerability and another, less critical hole will be closed at the next scheduled Java patch day on 19 February 2013."

With that in mind, and given that Java is likely to remain brittle for some time to come, mitigating the risk makes sense. Respected security researcher Brian Krebs has suggested that an approach to Java should be "unplugging it from the browser and adopting a two-browser approach. For example, if you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it."

Just in case you have colleagues who are reluctant to test and push patches when they become available, feel free to direct them to an article by Andy Greenberg at Forbes. In a nutshell, Greenberg describes data from real-world workstations and explains that 'zero-day' vulnerabilities are exploited for about 10 months on average before they are identified and patched. So when patches are made available for the various parts of your enterprise, think of them as already being 10 months late, and don't waste another month before letting them do their intended job of fixing a vulnerability.

Let's pretend for argument's sake that you have a vendor that prevents you from applying operating system and other patches because they are unsure how it may impact their complete product. What could possibly go wrong? Lots, really, especially if the products are medical devices in hospitals. Compromised and infected hosts are apparently "rampant" in hospitals, and there are concerns that they may harm patients. On one occasion, malware-infected fetal monitors used on women with high-risk pregnancies were unable to record or track patient data. [4]

Patch early, patch often :)

So if you've not already attended to them, here are my top 5 patches/actions for the week:

1) ASB-2012.0143 - ALERT [Win][UNIX/Linux] Oracle Products: Multiple vulnerabilities

Bigger than Ben-Hur, this patch has something for everyone. It's massive and provides fixes to 109 CVEs. Take the time and read it as it will most likely impact on you.

2) ASB-2012.0144 - ALERT [Win][UNIX/Linux] Oracle JDK, JRE, SDK, and JavaFX: Multiple vulnerabilities

With vulnerabilities that have publicly documented ways of exploiting them, this patch needs to be applied urgently.

3) ESB-2012.0998 - [Mac][OSX] Java for OS X: Multiple vulnerabilities

Apple need to have Java patched too :)

4) ESB-2012.1006 - [Win] CA ARCserve Backup: Multiple vulnerabilities

Remote code execution is not a nice thing to have happen to you. If you use this, patch it.

5) ESB-2012.0989 - [Win] Symantec Ghost Solution Suite: Multiple vulnerabilities

Ditto :)

Happy patching,
Marco