What is happening in the security world this month and how does it affect you? Let’s take a look at important September security updates from around the globe.
Microsoft
This month, Microsoft’s patches came out early. While this sounds like a good thing, it was actually a mistake on Microsoft’s part. They “fixed” it by unpublishing the patches for a few days and then re-releasing them at the scheduled time. The problem with this is that attackers had advance notice of what was being fixed and could prepare and launch their attacks before the patches were available again.
The patches covered various issues in Windows and Office, but the one that has been causing the largest concern is MS11-071. Problems occur when a user opens a legitimate .rtf, .txt or .doc file that is in the same directory as a malicious dynamic link library (DLL). Though it is a trifle difficult to exploit – requiring a two-stage attack – attackers still utilize this hole, so patching is a priority.
If you have to prioritize, patch workstations first, with emphasis on those workstations that are running with local administrator rights.
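One way to get ahead of the MS11-071 issue described above while patching is underway is to look for the precondition it needs: a DLL sitting in the same folder as document files. The script below is an added example, not Microsoft's or this post's own code; it walks a directory tree and reports every directory that contains both a .rtf/.txt/.doc file and a .dll, so the unexpected DLLs can be reviewed. The sample tree it scans (a "Reports" folder and a "Downloads" folder with a stray helper.dll) is constructed in a temporary directory.

```python
"""Report directories where a .rtf/.txt/.doc file sits beside a .dll.

Added example for the MS11-071 discussion; the directory tree scanned here
is constructed in a temporary directory, not taken from a real system.
"""
import os
import tempfile
from pathlib import Path

DOC_EXTENSIONS = {".rtf", ".txt", ".doc"}
DLL_EXTENSION = ".dll"


def find_dll_beside_documents(root):
    """Return a sorted list of (directory, dll_name, doc_names) tuples, one per
    DLL found in a directory under `root` that also holds at least one document.

    A DLL next to documents is not proof of anything by itself (some installers
    drop DLLs in odd places), so the output is a review list, not a verdict."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in DOC_EXTENSIONS)
        dlls = sorted(f for f in filenames if Path(f).suffix.lower() == DLL_EXTENSION)
        if docs and dlls:
            for dll in dlls:
                findings.append((os.path.relpath(dirpath, root), dll, docs))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample data: a clean folder and a folder with a stray DLL."""
    root = tempfile.mkdtemp(prefix="dllscan_")
    clean = Path(root, "Reports")
    clean.mkdir()
    (clean / "q3.doc").write_bytes(b"")          # document, no DLL beside it
    suspicious = Path(root, "Downloads")
    suspicious.mkdir()
    (suspicious / "invoice.rtf").write_bytes(b"")
    (suspicious / "notes.txt").write_bytes(b"")
    (suspicious / "helper.dll").write_bytes(b"")  # constructed stand-in for an unexpected DLL
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for directory, dll, docs in find_dll_beside_documents(sample_root):
        print(f"{directory}: {dll} sits beside {', '.join(docs)}")
```

On a real workstation you would point `find_dll_beside_documents` at the user profile, shared drives and download locations rather than at the sample tree, and treat any hit in a user-writable folder as something to look at before the documents there are opened.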
Adobe
As you may have heard, Adobe took the “most attacked” badge away from Microsoft in early 2010. Adobe’s September update applies to both Reader and Acrobat, so if you read PDFs, it’s update time! Failure to apply the updates will put your system at risk of malware, and since this sort of malware is often used to steal money out of your bank account, updating is well worth the effort.
The latest Adobe Reader, version X, is designed to be much more secure than earlier versions. If you are able to upgrade, you should do so. Be aware that by November, Adobe will officially stop supporting version 8 of their Reader and Acrobat software. This means if you’re not on versions 9 or X by the end of the year, you’re asking for trouble.
Oracle
Like Adobe, Oracle likes to release updates on a regular, quarterly schedule. Unlike Adobe, Oracle just violated their planned schedule with their CVE-2011-3192 patch. This is the same problem that affected Apache last month, but since Oracle embeds Apache into their products, it took a while longer to patch.
In short, the patching is easy and free. Your Oracle site will be down briefly and then quickly come back up. If you choose NOT to patch this one, an attacker can bring your site down any time they like. At this point, we don’t think they can steal data from an unpatched system; however, being able to remotely kill your site is a form of power that many won’t be able to pass up.
Cisco
If you run Cisco Unified Service Monitor, Cisco Unified Operations Manager or CiscoWorks LAN Management, be aware that attackers can run whatever they like on your unpatched systems. There is no workaround for this issue other than applying the patches… so apply them, please.
DigiNotar
In case you hadn’t heard, the company DigiNotar was recently* broken into. This company issues SSL certificates, and due to the compromise, sites like Yahoo, Facebook, Twitter and Google are believed to be at risk. Sadly, the industry is at a point where there are few good solutions to this sort of problem. All major browsers released updates that blocked the DigiNotar certificates, on the principle that if we don’t know the certificates are good, they’re bad. However, that means you have to apply the browser updates for the blocks to take effect.
The report by Fox-IT, the company that investigated the breach, shows some basic security precautions were missing:
- No centralized logging, thus breaches are difficult to identify and investigate
- Weak passwords, so attackers could get in more easily
- Unpatched servers, so attackers could get in more easily
- No antivirus protection, so even basic malware would assist in an attack
The big takeaway here is that the Internet is a shared infrastructure. If one big player falls down on the job like DigiNotar did, it puts us all at risk. The best we can do is keep our systems updated and use web filtering technologies that are SSL-aware so they can alert us if something changes. This is an area to watch, as these sorts of attacks are on the rise.
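The two defences mentioned in this section, the browser blocklist and SSL-aware filtering that alerts when something changes, can both be expressed as small checks over a certificate chain. The script below is an added example, not code from this post, from Fox-IT or from any browser vendor: `validate_chain` rejects any chain that passes through a distrusted CA (the set holds the DigiNotar root name because the page names the CA, but it is a stand-in for the real vendor blocklists), and `detect_change` compares the leaf certificate seen now against a record saved on an earlier visit, flagging a changed issuer separately from a routine renewal. The chains, CA names other than DigiNotar's, dates and "DER" bytes are all constructed placeholders, not real certificates.

```python
"""Distrust-list and certificate-change checks, modelled on the DigiNotar response.

Added example; every certificate below is a constructed placeholder.
"""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass
class CertInfo:
    """The few certificate fields these checks need. `der` stands in for the
    raw encoded certificate; the bytes used here are constructed placeholders."""
    subject: str
    issuer: str
    der: bytes
    not_after: date


def fingerprint(cert):
    """SHA-256 over the encoded certificate, as browsers display it."""
    return hashlib.sha256(cert.der).hexdigest()


# Stand-in for the blocklist the browser vendors shipped (assumption: the real
# lists are longer and keyed on the certificates themselves, not on names).
DISTRUSTED_CAS = {"DigiNotar Root CA"}

# Fixed "today" so the expiry check behaves the same every run.
CHECK_DATE = date(2011, 9, 15)


def validate_chain(chain, distrusted=DISTRUSTED_CAS, today=CHECK_DATE):
    """Return a list of problems with a leaf-first chain; [] means it passes.

    Rules: no certificate may be, or be issued by, a distrusted CA; every
    certificate must be unexpired; and each certificate's issuer must be the
    subject of the next certificate up the chain."""
    problems = []
    for cert in chain:
        if cert.subject in distrusted or cert.issuer in distrusted:
            problems.append(f"{cert.subject}: chains through distrusted CA {cert.issuer}")
        if cert.not_after < today:
            problems.append(f"{cert.subject}: expired on {cert.not_after}")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append(f"{child.subject}: issuer {child.issuer!r} != {parent.subject!r}")
    return problems


def detect_change(leaf, pinned):
    """Compare the leaf seen now with {'fingerprint', 'issuer'} saved earlier.

    A changed fingerprint alone may be a normal renewal; a changed issuer is
    the signal worth alerting on, since that is what a rogue CA produces."""
    alerts = []
    if fingerprint(leaf) != pinned["fingerprint"]:
        alerts.append("leaf certificate changed since last visit")
    if leaf.issuer != pinned["issuer"]:
        alerts.append(f"issuer changed from {pinned['issuer']!r} to {leaf.issuer!r}")
    return alerts


# Constructed sample data: the chain a site normally presents, and a rogue
# leaf for the same name issued by the distrusted CA.
EXPIRY = date(2012, 9, 1)
GOOD_CHAIN = [
    CertInfo("www.example.com", "Example Intermediate CA", b"leaf-v1", EXPIRY),
    CertInfo("Example Intermediate CA", "Example Root CA", b"intermediate", EXPIRY),
    CertInfo("Example Root CA", "Example Root CA", b"root", EXPIRY),
]
ROGUE_CHAIN = [
    CertInfo("www.example.com", "DigiNotar Root CA", b"leaf-rogue", EXPIRY),
    CertInfo("DigiNotar Root CA", "DigiNotar Root CA", b"diginotar-root", EXPIRY),
]
# Record saved on a previous visit to the site.
PINNED = {"fingerprint": fingerprint(GOOD_CHAIN[0]), "issuer": "Example Intermediate CA"}

if __name__ == "__main__":
    print("good chain:", validate_chain(GOOD_CHAIN) or "ok")
    print("rogue chain:", validate_chain(ROGUE_CHAIN))
    print("change alerts:", detect_change(ROGUE_CHAIN[0], PINNED))
```

The split between the two functions is deliberate: the blocklist only helps once a CA is known to be bad and the browser update has been applied, whereas the change detector notices the first time a familiar site shows up with an unfamiliar issuer, which is the earliest signal a filtering proxy or monitoring job can act on.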
* Reports vary as to whether the attacker got into DigiNotar in July 2011 or in May 2009… so things may have been bad for a long, long time.
UPDATE: Due to this attack, the Dutch government has ordered DigiNotar to stop business and the company has declared bankruptcy.
PCI
If you accept credit cards, you probably fall under PCI requirements. The big news this month is there are now standards for point-to-point encryption. There is a rumor that there will be a certification program soon, but as of right now, no product is certified. However, this is a good time to look at your network and consider whether everything is as protected as it should be.
With luck, we’ll have certified devices to recommend in a few months. Until then, we’ll do our best to keep you informed.
FROGS
Despite the fact that attackers sometimes appear to move more quickly than we as defenders, I don’t like to end on a down note. Thus, enjoy a recently-discovered frog that meows like a cat!