Date: 11 January 2013
Greetings,
Security researchers, software developers and good old fashioned hackers have apparently returned to work following the end-of-year break, and gifted us all with a small mountain of vulnerabilities to conquer. Given there are over seventy-five AusCERT bulletins so far in 2013 to digest, we suggest utilising the tags within the subject line to assist you with prioritisation and relevance to your environment. The "impact" may be of significance for you, as it tells at a glance (for example) if the bulletin covers a vulnerability which is remotely exploitable, whether authentication is needed, or if a denial-of-service is possible.
AusCERT members can log in to their profile on the AusCERT website and select which categories of bulletins they wish to receive via email. If you found your inbox somewhat cluttered after this week's run of bulletins, log in and update your categories today by clicking "Your Profile" at the top right of the page.
For many, the priority will now be Oracle Java, considering exploit code has been made publicly available for the vulnerability discovered this week. Unfortunately, no patch is available from the vendor at this moment in time. In the absence of a patch, AusCERT recommends disabling Java or, if this is not possible, limiting Java users to a safe list of business-critical Internet sites. Interestingly, this latest Java vulnerability is apparently a "New Year's gift", neatly packaged within a crimeware kit produced by hackers known as Blackhole and Nuclear Pack.
Earlier in the week a serious vulnerability in Ruby on Rails was discovered, and a patch was released yesterday. This worried the Dutch government sufficiently to warrant taking offline their Rails-powered citizen digital identification site.
Updates were also released earlier in the week for Adobe Flash, Reader and Acrobat, addressing significant vulnerabilities. Combined with the Oracle Java 0-day exploit mentioned above, that's all three members of my "Three Amigos": the necessary-but-often-exploited desktop apps that represent a significant threat due to the pervasive use of their content on the Internet and the high degree of user interaction they involve. How can you defend your computer system against web-based threats that target common desktop apps? Make sure you have a defence-in-depth strategy: implement as many as you can of DSD's Top 35 mitigations.
Tuesday (or Wednesday in Australia's timezone) was Microsoft Patch Day, marked by the release of seven updates for Windows and other Microsoft products. If this wasn't enough patching for you, Mozilla also released updates for their products. By this time you may be feeling somewhat bewildered by this barrage of bulletins, so let me give you my personal pick of the lot:
1) ESB-2013.0067 - ALERT [Win][UNIX/Linux] Oracle Java: Execute arbitrary code/commands - Remote with user interaction
2) ESB-2013.0059 - ALERT [Win][UNIX/Linux][Debian] rails: Execute arbitrary code/commands - Remote/unauthenticated
3) ESB-2013.0031 - [Win][Linux][Apple iOS][Android][OSX] Adobe Flash Player: Execute arbitrary code/commands - Remote with user interaction
4) ESB-2013.0033 - [Win][Linux][OSX] Adobe Reader & Acrobat: Multiple vulnerabilities
5) ASB-2013.0003 - [Win][UNIX/Linux][Android] Mozilla Firefox, Thunderbird, & SeaMonkey: Multiple vulnerabilities
6) ESB-2013.0018 - ALERT [Win][UNIX/Linux] Adobe ColdFusion: Multiple vulnerabilities
Vulnerabilities in Java and ColdFusion are being actively exploited in the wild.
Happy patching and have a great weekend,
Mike.