Australia's Leading Computer Emergency Response Team
 
AusCERT Week in Review for 4th January 2013

Date: 04 January 2013

Greetings and Happy New Year to All,

This may have been a half-week for many of us but there was no shortage of security issues. A Turkish Registrar is believed to have accidentally issued two intermediate CA certificates instead of regular SSL certificates during 2011, and subsequently an unauthorised digital certificate created by one of those intermediate CAs was found for *.google.com during the Christmas break. Google’s Chrome browser was responsible for discovering the unauthorised certificate and had already provided protection since December 24, 2012.

Other browser vendors have revoked or are in the process of revoking the rogue certificates, with Microsoft issuing an advisory on Thursday 3 January. Similarly, Mozilla will follow with an update on Tuesday 8 January. Until a user’s browser is updated, he or she is vulnerable to spoofing, phishing, man-in-the-middle and similar attacks.

This breach may serve as a reminder to us all of the fragile nature of public key infrastructure, should an element in the chain of trust be compromised. Without wanting to dwell on the unfortunate events of the now-defunct DigiNotar following their CA infrastructure intrusion in 2011, perhaps it’s sufficient to suggest that any organisation in a position of trust should take advantage of this potentially quieter time of the year to review policy and procedure for security flaws. Whether it’s digital certificates, personal data, financial data or intellectual property, there are those with malicious intentions actively dreaming up clever ways to compromise that data!

Speaking of which, a vulnerability in Microsoft’s Internet Explorer versions 6, 7 and 8 is being actively exploited through drive-by downloads. The seriousness of this prompted Microsoft to issue a temporary fix whilst preparing a permanent patch. Internet Explorer versions 9 and 10 are not vulnerable; however, if you’re locked into a managed operating environment and cannot upgrade, you can at least apply the temporary fix.

Our top security bulletins this week include the Microsoft advisories mentioned above, as well as an update to the MoinMoin wiki engine to fix a remotely exploitable code execution vulnerability that is being actively exploited:

1) ESB-2013.0001 - ALERT [Win] Internet Explorer: Execute arbitrary code/commands - Remote with user interaction

2) ESB-2013.0011 - ALERT [Win] Microsoft Windows: Provide misleading information - Remote/unauthenticated

3) ESB-2013.0005 - ALERT [Win][UNIX/Linux][Debian] moin: Execute arbitrary code/commands - Existing account

Have a great weekend!
Mike.