Date: 09 November 2012
Greetings,
A lot can happen in 7 days within the world of information security, and over the past week, it has.
At the beginning of the week much ado was made about a post to the full disclosure mailing list, and the related paper [PDF] by Tavis Ormandy, regarding vulnerabilities in Sophos Antivirus. This posting quickly set off a flurry of alarmist messages and dire warnings on Twitter, some of which were justified, as a Metasploit module and some proof-of-concept code existed to exploit the vulnerabilities. What wasn't publicised quite as well was that patches for all but one of the vulnerabilities were already available, and that applying them promptly was a good idea.
While the excellently detailed paper by Tavis, titled "Sophail: Applied attacks against Sophos Antivirus", did a good job of articulating the vulnerabilities, it also seemed to express some bad vibes towards Sophos. This is the second such paper Tavis has directed at Sophos Antivirus.
Part of the problem is bigger than Sophos and is indeed shared by most anti-virus vendors. To be able to clobber a malicious process, anti-virus software tends to run with system-level privileges, which in turn makes it a great target for exploitation: compromise the anti-virus and you hold the 'crown jewels' of the host. Symantec, McAfee and other vendors have suffered this in the past.
Regarding a serious vulnerability similar in nature to those documented in Sophos products, Symantec has stated that it has no plans to provide an update for Symantec Endpoint Protection 11. Instead, Symantec's recommendation is to upgrade to Endpoint Protection 12.
While slightly tardy news, if you have even a passing interest in information security and the desire to avoid a breach of your own data, then I'd recommend you take the time to read the 2012 Data Breach Investigations Report from Verizon [PDF]. Try not to read it late in the evening, or you'll likely not enjoy a peaceful night's sleep. Disturbing but important content!
Last evening the news broke that the mandatory Internet filtering scheme proposed by the Australian Federal Government was going to be dropped. While this brought some rejoicing, ISPs are now required instead to block according to Interpol's "worst of the worst" list. This list contains domains that have been evaluated and found to be both online and distributing child sexual abuse material. Domains on the list have been checked and verified by at least two different countries and/or agencies.
So if you've not already attended to them, here are my top 5 patches/actions for the week:
1) ESB-2012.1063 - ALERT [Win] Symantec Antivirus products: Administrator compromise - Remote/unauthenticated
If you're using Symantec Endpoint Protection 11, you will not be receiving an update. Time to move to Endpoint Protection 12, or to mitigate as best you can.
2) ESB-2012.1071 - ALERT [Appliance] Cisco Ironport Appliances: Multiple vulnerabilities
The combination of the Sophos vulnerabilities documented in ASB-2012.0152 with an appliance that is always on and will likely inspect all the email for your enterprise results in high risk. Patch or mitigate this urgently.
3) ASB-2012.0152 - ALERT [Win][UNIX/Linux] Sophos products: Multiple vulnerabilities
As mentioned above, lots of nasty vulnerabilities with public exploits. This should have been patched before you started reading this. Remember that one denial-of-service vulnerability is still awaiting a patch.
4) ESB-2012.1062 - [Appliance] Fortigate UTM appliances: Multiple vulnerabilities
A private key that has been compromised and published in the wild is never a good thing, especially when it belongs to a security appliance that can be used to perform a man-in-the-middle inspection of SSL traffic. Mitigating this should be an urgent priority.
5) ESB-2012.1061 - [Win][Linux][Apple iOS][Mac][OSX] Adobe Flash Player: Multiple vulnerabilities
Flash on all platforms gets plenty of malicious attention. Patch it and avoid the pain.
Stay safe,
Marco