14 Patches Coming From Microsoft For February

Microsoft will release 14 bulletins for next Tuesday’s update.

3 items are rated “critical” and 11 are rated as “important”.

  • All three critical items deal with remote code execution vulnerabilities in Windows.
  • The important rated bulletins consist of vulnerabilities in Windows, Office, IE, Media Player and Publisher.
    • Seven remote code execution vulnerabilities
    • Three elevation of privileges issues
    • One information disclosure flaw

Get ready to drop some patches next week.  These remote code execution vulnerabilities will only remain “important” for as long as it takes to reverse engineer the patch code and identify the changes.  After that, they become critical.

Important SolarWinds & HP Vulnerabilities

Digital Defense has posted a couple of vulnerabilities in some pretty popular and common products that customers and colleagues may want to be aware of.  I would recommend assessing the relevance of these disclosures to your environments, and taking mitigating action where appropriate.  Consider the potential of insider as well as external attack.  The information and access that either of these two vulnerabilities offers is just too yummy for a malicious or driven attacker to pass up.

1) SolarWinds Storage Manager Server SQL Injection Authentication Bypass

Severity:  High

Vulnerability Description:  The ‘LoginServlet’ page on port 9000 of the SolarWinds Storage Manager Server is vulnerable to a SQL injection within the ‘loginName’ field.  An attacker can leverage this flaw to bypass authentication to the Storage Manager application or to execute arbitrary SQL commands and extract sensitive information from the backend database using standard SQL exploitation techniques.  Additionally, an attacker may be able to leverage this flaw to compromise the database server host operating system.

SolarWinds has not yet provided a patch to address the issue. Digital Defense, Inc. recommends restricting access to the affected port until an update has been produced by the vendor.
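To show why a login field like the one described above needs parameterized queries, here is an added example (not SolarWinds code) of a concatenated login check beside its fixed form; the table, the sample account and the probe input are constructed for the demo, and the real product's schema is not assumed.

```python
# Added illustration, not SolarWinds code: a login check that splices the
# login name into the SQL text, as the advisory describes, beside the
# parameterized form. Table and users are constructed for the example.
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (loginName TEXT, password TEXT)")
    # Constructed sample account (plaintext only to keep the demo short).
    conn.execute("INSERT INTO users VALUES ('admin', 'CorrectHorse')")
    return conn


def login_concat(conn, login_name, password):
    """Vulnerable: the input becomes part of the SQL statement itself."""
    sql = ("SELECT COUNT(*) FROM users WHERE loginName = '%s' "
           "AND password = '%s'" % (login_name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, login_name, password):
    """Fixed: placeholders keep the input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE loginName = ? AND password = ?"
    return conn.execute(sql, (login_name, password)).fetchone()[0] > 0


def demo():
    conn = setup_db()
    # Constructed probe: a tautology in the login name with a wrong password.
    # The concatenated WHERE clause becomes true for every row; the
    # parameterized query just looks for a user literally named this.
    probe = "x' OR 1=1 OR 'y"
    return {
        "concat_bypassed": login_concat(conn, probe, "wrong-password"),
        "param_bypassed": login_param(conn, probe, "wrong-password"),
        "param_valid_login": login_param(conn, "admin", "CorrectHorse"),
    }


if __name__ == "__main__":
    print(demo())
```

The same placeholder discipline applies to any field reachable from the login page, not only `loginName`; restricting the port, as recommended above, buys time but does not fix the query.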

2) HP JetDirect Device Page Directory Traversal (CVE-2011-4785)

Severity:  High

Vulnerability Description:  The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read only access to directories and files outside of the web root.  An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, etc.  Information obtained from an affected host may facilitate further attacks against the host.  Exploitation of this flaw is trivial using common web server directory traversal techniques.

Known Affected:

  • HP LaserJet 4650
  • HP LaserJet P3015
  • HP LaserJet 2430

At this time, HP has been notified of the vulnerability and has released a patch which addresses the issue for HP LaserJet P3015.

Oracle SCN Vulnerability

Over the past two months, InfoWorld has been researching a flaw in Oracle’s flagship database software that could have serious repercussions for their customers, potentially compromising the security and stability of Oracle database systems.  There is a very detailed article at the link provided above, and a follow-up from InfoWorld here.  The “boiled down” version:

The flaw could make any unpatched Oracle Database vulnerable to attack, and could pose a special risk to large Oracle customers with interconnected databases.  Both vulnerabilities stem from a mechanism that most Oracle DBAs seldom deal with.  At the core of this issue is the System Change Number (SCN) in Oracle.  This is a number that increments sequentially with every database commit and is crucial to normal Oracle database operation.  The SCN is also incremented through linked database activities.

The SCN “time stamp” is the key to maintaining data consistency in Oracle, allowing the database to respond to every query with the appropriate version of data at a given point in time.  It works like a clock for database transactions, and like time, cannot move backwards.

When Oracle databases link to each other, they synchronize to a common SCN to maintain data consistency.  This is the highest SCN carried by any participating Oracle database instance because the SCN clock runs forwards only.  Only very basic permissions are required to make a connection that can cause one database to increment the SCN on another.

Oracle’s architects knew the SCN needed to be a massive integer.  It is a 48-bit number (281,474,976,710,656).  It would take eons for an Oracle database to eclipse that number of transactions and cause problems, or so you might think…
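As an added illustration (not Oracle code) of the propagation described above: a toy model in which each database keeps a forwards-only counter, a link makes both sides adopt the higher value, and the value keeps spreading across existing links, so one instance with an inflated SCN drags every connected instance toward the 48-bit ceiling. The `Database` and `link` names are my own, and the model covers only what the text states, not Oracle's real implementation.

```python
# Added toy model, not Oracle code: SCN as a monotonic counter that
# synchronizes to the highest value across database links.
SCN_MAX = 2 ** 48           # 281,474,976,710,656, the 48-bit ceiling


class Database:
    def __init__(self, name, scn=0):
        self.name = name
        self.scn = scn
        self.links = set()

    def commit(self, n=1):
        """Every commit moves the clock forward."""
        self.scn += n

    def set_scn(self, value):
        # Forwards only: a lower SCN offered by a peer is ignored.
        if value > self.scn:
            self.scn = value

    def headroom(self):
        """Commits left before the 48-bit counter is exhausted."""
        return SCN_MAX - self.scn


def link(a, b):
    """Model a DB link: both sides adopt the highest SCN, and the new
    value keeps propagating along existing links until all agree."""
    a.links.add(b)
    b.links.add(a)
    frontier = [a, b]
    while frontier:
        db = frontier.pop()
        for peer in db.links:
            if peer.scn < db.scn:
                peer.set_scn(db.scn)
                frontier.append(peer)


def simulate():
    # Constructed instances: a busy HQ database and two quiet ones.
    hq = Database("hq", scn=1_000_000)
    branch = Database("branch", scn=500)
    lab = Database("lab", scn=7)
    link(branch, lab)        # lab climbs to 500
    link(hq, branch)         # hq's clock reaches lab transitively
    lab.commit()             # lab now sits above hq's old SCN
    return hq.scn, branch.scn, lab.scn, lab.headroom()


if __name__ == "__main__":
    print(simulate())
```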

78 Oracle Patches Coming

Here come some more patches for January.  Next Tuesday, Oracle will release 78 security fixes for vulnerabilities in its database, middleware and applications.

  • 27 of those are intended for the MySQL database product.
  • The highest CVSS Base Score among the MySQL bugs is 5.5, which falls into the “medium” range.
  • 1 of the vulnerabilities can be exploited over a network without log-in credentials.
  • 2 fixes are for Oracle’s database application.
  • 11 patches are for Fusion Middleware.
  • 5 Fusion Middleware bugs can be remotely exploited with no user authentication required.

On the application front:

  • E-Business Suite is getting 3 patches
  • Supply chain app suite will receive 1
  • PeopleSoft will get 6
  • JD Edwards will have 8

17 patches will be released for Sun products, including 6 that can be remotely exploited with no credentials. Affected products include GlassFish Enterprise Server and the Solaris OS.  Another 3 patches are for Oracle’s virtualization technology, including VirtualBox.

Sharpen up your deployment tools…

Security Technical Implementation Guide for Mobile Devices

It looks like 2012 is going to become the year of BYOD, or Bring Your Own Device.  Expect this trend to continue to heat up, and boil over as the year progresses.  Everyone wants to pare down the number of devices that hang off their belts, and at the same time, maximize their connectivity.  Work and personal communications are going to commingle if BYOD is permitted, and there are some issues that need to be considered by all.

If you don’t have a policy regarding personal devices, or even if you do, it should probably be reviewed with this trend in mind.  The largest concern that I see from the user end of the issue is that personal data may be lost if the corporate policy is to wipe devices that contain company information when they are lost or stolen, or when an employee leaves.  From the employer’s perspective, I see the largest concern to be that of data and malware control.  If it is not a corporate device, can it, should it, and will it be scanned, monitored, and patched against vulnerabilities or unlicensed / undesired software?  If not, it could pose a serious threat vector to the organization.

The US Department of Defense has released its latest draft STIG specs for Android, Windows Mobile, BlackBerry, and iOS based devices.  This STIG provides policy, training, and operating procedure security controls for the use of mobile devices (smartphones and tablets).  It is interesting reading for a gear-head whose significant other bought them an iPad for Christmas, and just as interesting for their boss.  It is worth reviewing the STIGs, even if you don’t apply the specs, just to be aware of the available options, findings, and recommendations.

HP Printer Vulnerabilities

Boing-Boing has an interesting article up, regarding a presentation at the recent Chaos Communications Congress, Ang Cui’s “Print Me If You Dare”.  Ang explained how he reverse-engineered the firmware-update process for HP printers.  He discovered that he could load arbitrary code into any printer by embedding it in a document.  As part of his presentation, he sent a document to a printer that contained malicious code that copied the documents it printed and posted them to the Internet.  In his second demo, he took over a remote printer with a malicious document, causing that printer to scan and compromise vulnerable PCs, turning the printer into a proxy that gave him access through the firewall.

Printers are everywhere.  We use them and ignore them daily.  They are sitting on our networks and are intended to be shared resources.  They contain some pretty powerful server components, a fairly substantial amount of RAM and disk space, and are virtually ignored when we consider patch and vulnerability management.  I have been involved in at least one incident that involved using a network connected printer as the hub of malicious operations.  Hiding in plain sight is a pretty clever strategy.

I would encourage anyone that has an HP printer to apply the latest firmware patch ASAP, because malware could be crafted to take over your printer, and then falsely report that it has already had the patch applied.  This is not just an HP problem though.  Got printers?  Get ’em up-to-date, and create a plan to keep them that way.

nCircle 360Suite Updated

Vulnerability Management vendor nCircle has announced new versions of every product in the Suite360 product line, enabling organizations to improve security, manage change and configuration, and measure and report on compliance.  The updates add new features, performance enhancements and increased coverage, allowing nCircle customers to scan their networks for over 48,000 information security risk conditions.

nCircle products have always focused on creating actionable security and compliance intelligence.  This release adds valuable features that make it even easier for customers to achieve continuous monitoring, improve security and prove compliance.  I highly recommend them.