AusCERT Week in Review for 2nd November 2012
Date: 02 November 2012
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=16543
About a month ago, in the Week in Review for the 12th of October, you may recall I made note of the impressive response from Google to a nasty WebKit (SVG) vulnerability, CVE-2012-5112, which carries a CVSS v2 base score of 10.0. Discovered by security researcher Pinkie Pie at the Pwnium 2 competition, it was patched in Google Chrome within 10 hours of discovery.
At the time I wondered: "How soon can we expect a patch from Apple for Safari and their iDevices? How soon until other vendors using WebKit patch their products? Time will tell." Well, time did tell.
Apple has today released security updates for iOS and Safari to mitigate CVE-2012-5112, about a month after the Google Chrome team. Going by this behaviour, those running Chrome on OS X will likely get vulnerability fixes sooner than their WebKit cousins running Safari.
I'm curious now to know how many other vendors shipping WebKit-based browsers are yet to patch CVE-2012-5112. No wonder 'zero-day' vulnerabilities are exploited for months before they're attended to.
No one likes to have their stuff stolen. Consider then the 3.6 million social security numbers and 387,000 credit card numbers that were stolen from the US state of South Carolina this past week. It has been estimated that this affects 75% of that state's residents. While the criminal(s) responsible would likely have exploited some vulnerabilities to access the relevant database, it appears the system's design was also a contributing factor.
This sad event should loom large as a cautionary tale for governments anywhere in the world, and for any organisation that collects and maintains the personal details of people. How safe is your infrastructure?
Related to this, the Australian federal Attorney-General Nicola Roxon has released a discussion paper, "Australian Privacy Breach Notification". Given the importance of this matter, and that it relates to individuals and organisations alike, I'd recommend that all voting Australian citizens read and consider this discussion paper. It directly affects your future.
Buggy software, described as a "lurking epidemic", afflicts medical devices too. In the case of the Symbiq drug infusion system, however, the result could be a wrong dose being given to patients, with the related health ramifications. No patches for this bug are currently available.
What can be done about all the buggy software in our lives? Respected computing elder Dr Peter G. Neumann suggests we need to take Albert Einstein's aphorism to heart, "Everything should be made as simple as possible, but no simpler", because "complex systems break in complex ways". If you care about information security, take the time to read this insightful article.
So if you've not already attended to them, here are my top 5 patches/actions for the week:
1) ESB-2012.1038 - ALERT [Appliance] 3S CoDeSys: Execute arbitrary code/commands - Remote/unauthenticated
Industrial control systems are used all over the place: factories, power plants, military and maritime applications too. Via the vulnerabilities in CoDeSys, anyone with the appropriate network access to the controller can execute ladder logic on the PLC without authenticating. Ouch! This is worthy of urgent attention.
2) ESB-2012.1030 - [UNIX/Linux][Debian] exim4: Execute arbitrary code/commands - Remote/unauthenticated
Mail servers are critical infrastructure. While there are a few hoops that need to be jumped through, having your mail server execute arbitrary code because an incoming email triggered a lookup that returned a crafted response from a malicious DNS server is not nice. Priority patch!
3) ESB-2012.1049.2 - ALERT [Apple iOS] iOS: Multiple vulnerabilities
For about a month you've been vulnerable to CVE-2012-5112. Do something about it now; the Safari update below closes the same hole on the desktop.
4) ESB-2012.1050 - ALERT [Win][Mac][OSX] Safari: Multiple vulnerabilities
5) ASB-2012.0148 - [Win][UNIX/Linux][Mobile] Mozilla Firefox, Thunderbird & SeaMonkey: Multiple vulnerabilities
Web browsers are often the last line of defence between the badness of the Internet and users. Care for your browsers and keep them patched.