A Watchful UI

Welcome to the June edition of A Watchful UI.

Vulnerabilities and Patches
1. Adobe Illustrator, Photoshop, Flash Player, and ColdFusion patched
2. Apple iTunes updated to 10.6.3
3. Google Chrome now at version 19
4. Microsoft Windows Black Tuesday overview
5. Microsoft Cert Update and WSUS update as a result of FLAME
6. Microsoft XML vulnerability makes IE unsafe and so far unpatched
7. Mozilla Firefox now at version 13 (and related applications updated)
8. MySQL and MariaDB trivial password bypass
9. Oracle Java updated to 6.0u33 and 7.0u5
10. PHP on Windows actively exploited, patch still pending
11. RealPlayer updated

News:
1. LinkedIn, eHarmony, and Last.FM passwords exposed
2. Beware of other forms of spear phishing, by mail

Adobe has released updates for Illustrator and Photoshop that patch vulnerabilities that could allow an attacker to take control of the system.

http://www.adobe.com/support/security/bulletins/apsb12-10.html
http://www.adobe.com/support/security/bulletins/apsb12-11.html

Adobe also released security updates for Flash Player (now at 11.3) and ColdFusion.
http://www.adobe.com/support/security/bulletins/apsb12-14.html
http://www.adobe.com/support/security/bulletins/apsb12-15.html

Apple has released iTunes 10.6.3.  This update fixes a buffer overflow in the handling of playlists and a vulnerability in WebKit that could allow arbitrary code execution when visiting a malicious website.
http://support.apple.com/kb/HT5318

Google has updated Chrome to version 19.0.1084.52.  This update covers numerous critical and high rated vulnerabilities.
http://googlechromereleases.blogspot.com/2012/05/stable-channel-update_23.html

Microsoft has released 7 bulletins for Patch Tuesday.  Three of them are rated as critical and four as important.  They deal with remote code execution (RCE) and elevation of privilege.  Pay particular attention to the new Remote Desktop vulnerability.

http://technet.microsoft.com/en-us/security/bulletin/ms12-jun
http://isc.sans.edu/diary/Microsoft+June+2012+Black+Tuesday+Update+-+Overview/13453

Microsoft also released an out-of-band emergency update on June 03 to block a man-in-the-middle attack that could allow an attacker to impersonate Microsoft Update.  This attack is associated with the Flame malware that was recently found in the wild.

http://technet.microsoft.com/en-us/security/advisory/2718704
http://arstechnica.com/security/2012/06/flames-god-mode-cheat-code-wielded-to-hijack-windows-7-server-2008/
A more technical description of Flame and how it utilized an MD5 collision can be found here: https://www.securelist.com/en/blog/208193566/Flame_Replication_via_Windows_Update_MITM_proxy_server

Microsoft released a critical advisory for a vulnerability in XML Core Services 3.0, 4.0, 5.0, and 6.0 that could allow remote code execution if a user views a malicious web page in Internet Explorer. No update has been released yet, but a Fix It has been released that blocks the attack vector.  Without the Fix It, IE is vulnerable. More information on the vulnerability can be found here:

https://technet.microsoft.com/en-us/security/advisory/2719615
Link to the Fix It: http://support.microsoft.com/kb/2719615

Mozilla has released updates for Firefox, SeaMonkey, and Thunderbird.  These updates cover a number of critical, high and moderate vulnerabilities.

http://www.mozilla.org/security/known-vulnerabilities/firefox.html
http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

A flaw in MySQL and MariaDB can allow access with any password.  All an attacker needs is a valid username. This was patched back in April, so be sure you are up to date if you are running this software.
http://arstechnica.com/information-technology/2012/06/security-flaw-in-mysql-mariadb-allows-access-with-any-password-just-keep-submitting-it/
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

Oracle has released their Java SE Critical Patch Update for June.  This update has 14 new security fixes across Java products.
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

A PHP vulnerability has been disclosed that results in a buffer overflow on Windows platforms and has been exploited in the wild.  It has not yet been patched, so if you are running PHP on Windows be sure to take the precautions described in the ISC Diary.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2376
http://isc.sans.edu/diary.html?storyid=13255

RealPlayer has been updated to fix a vulnerability that could allow a remote attacker to execute arbitrary code on the system.
http://service.real.com/realplayer/security/05152012_player/en/

LinkedIn, Last.fm, and eHarmony have all experienced major password leaks over the past week.  If you have an account on any of these sites, change your password there and on any other site where you use the same credentials. This is also a reminder that you should never use your UI password (or even a similar variant) on other sites.

http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
http://www.last.fm/passwordsecurity
http://advice.eharmony.com/blog/2012/06/06/update-on-compromised-passwords/

See also the UI Password/Passphrase management policy, section D-2 in APM 30.15:
http://www.uidaho.edu/apm/30/15

Beware of suspicious packages.

A different form of phishing attack has been brought to our attention by another institution.  In this type of attack, physical mail, not email, is received indicating a possible security issue the recipient should be aware of.  Details are supposedly included on an enclosed CD, DVD, or USB drive.  Individuals potentially targeted range from upper management to researchers and student assistants.

The DVD contains an executable you are directed to run to see the details.  In reality it is a trojan horse that takes a screenshot every few seconds and uploads it to a remote command-and-control site.  The malware runs as the user, and because it is custom-built it is unlikely to be detected by antivirus.

If you receive such an unexpected package, please get in contact with ITS Security as soon as possible.  DO NOT insert the media into your system.

Always let us know if we can make enhancements to A Watchful UI, or if you have any other feedback or contributions.

Mitch Parks
Desktop Security Analyst

Zack Preston
Desktop Security Assistant

ITS-Security@uidaho.edu
Twitter: @UIITSecurity
