Caution With MS13-061 !!

Microsoft has pulled its MS13-061 Exchange patch.  After reports of content damage to Exchange Server 2013 after deployment, Microsoft has withdrawn the MS13-061 update for Exchange Server released this past Tuesday.  MS13-061 is very important because the vulnerability it fixes allows someone to send an email and get arbitrary code to run on the Exchange server itself.  It’s already publicly disclosed, so expect the bad guys to move on this quickly.

Problems do not affect Exchange Server 2007 or 2010 and Microsoft says that those versions can proceed with testing and deployment.  In the meantime, they have removed the patch from Windows Update and other distribution systems.

Knowledge Base article KB2874216 explains the problem in more detail and provides remediation guidance.

Problems:

  • The content index (CI) for mailbox databases shows “Failed” on the affected server.
  • The Microsoft Exchange Search Host Controller service is missing.
  • You see a new service that is named “Host Controller service for Exchange.”

The KB article describes 2 registry key changes to make.  After rebooting the server, the problem should be worked around.

That is 2 months in a row that MS has pulled a buggy patch back from distribution.

OpenX Ad Server Source Compromised

OpenX is a tool used by hosting providers and webpage developers to provide ads on webpages.  Rotating banner ads have been an attack vector that has been quite popular and effective in the recent past.  This is probably one reason why.

An announcement this week from the OpenX ad server team noted that a backdoor had recently been discovered in their official source code distributions, which had been present since November 2012.  This vulnerability only applies to the free downloadable open source product, OpenX Source.

Exploitation is occurring in the wild, with attacks consisting of simple POST requests to a specific file that allows for remote code execution on the affected server. Users are urged to follow instructions being provided by the community for checking their servers, and rebuilding any that are impacted immediately.

Busy Day For Patches

Happy Valentine’s Day everyone.  Our vendors are bringing us the gifts of security vulnerability patches.  Lots of them.  Yes, it’s extra work for our IT teams, but removing these vulnerabilities could mean that we all get to keep our jobs, and remain in business.  I was hearing on the news today that Nortel is now coming clean regarding the fact that hackers 0wn3d their network for roughly 10 years, with full and complete access to everything.

Wonder how they got that?

Where is Nortel today?  Something to think about…

Microsoft released the expected batch of 9 patches:

  • MS12-008: Critical Remote Code Execution Vulnerabilities in Windows Kernel-Mode Drivers
  • MS12-009: Important Elevation of Privilege Vulnerabilities in Ancillary Function Driver
  • MS12-010: Critical Cumulative Security Update for Internet Explorer
  • MS12-011: Important Elevation of Privilege Vulnerabilities in Microsoft SharePoint
  • MS12-012: Important Remote Code Execution Vulnerability in Color Control Panel
  • MS12-013: Critical Remote Code Execution Vulnerability in C Run-Time Library
  • MS12-014: Important Remote Code Execution Vulnerability in Indeo Codec
  • MS12-015: Important Remote Code Execution Vulnerabilities in Microsoft Visio Viewer 2010
  • MS12-016: Critical Remote Code Execution Vulnerabilities in .NET Framework and Silverlight  (This one I would recommend holding off on, as Microsoft is expected to re-release after identifying a “metadata (logic) error”.)

Microsoft has also released Update Rollup 1 for Exchange Server 2010 SP2 http://www.microsoft.com/download/en/details.aspx?id=28809 to the Download Center.

Adobe released 2 Security Bulletins:

  • APSB12-02: Critical Security update available for Adobe Shockwave Player.  This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems.  These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
  • APSB12-04: Important Security update available for RoboHelp for Word.  This update addresses an important vulnerability in RoboHelp 9 (or 8) for Word on Windows.  A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word.

There have also been vulnerabilities and patches announced for Mozilla Thunderbird and Firefox, and an as yet unpatched local exploit POC code release for Yahoo Instant Messenger 11.5.

UPDATE: Oracle also released patches fixing 14 vulnerabilities in:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 6 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

Start planning, testing, and patching, folks.

How Was FBI Call Compromised?

I am pretty sure that everybody knows that the FBI and Scotland Yard were embarrassed recently by the notorious hacking group, Anonymous, when they spilled the beans that they were now watching the watchers, listening in to a confidential phone call taking place between investigators across the pond.  If you haven’t heard it, find it here.  The New Statesman has an overheated article here that can provide additional details.

So how did this brazen and seemingly high tech hack take place?  A conference call was arranged two weeks earlier by FBI agent Timothy Lauster, who wanted to discuss ongoing investigations into Anonymous and other hacktivist groups.  In an email to Scotland Yard’s e-crimes unit, the time, date and phone number to call were provided, along with the pass code for entry.

Google Won’t Remove CounterClank Apps

Google will not remove the 13 apps reported by Symantec containing “software development tools” that enable the theft of data because they do not violate Google’s terms of service.  Lookout Mobile Security said in a blog post Friday that it doesn’t consider the applications malware, but it does appear to be an “aggressive form” of an ad networking scheme, and should be taken seriously.  I would agree with that assessment, simply because it is a new pin on an old tactic, however I would still consider this malware to the extent that spyware was once considered in a similar light.  It has proven to be a real problem with real impacts, and has been used in a multitude of nefarious endeavors.

See this SC Magazine article for more coverage and details.

Important SolarWinds & HP Vulnerabilities

Digital Defense has posted a couple of vulnerabilities in some pretty popular and common products that customers and colleagues may want to be aware of.  I would recommend assessing the relevance of these disclosures to your environments, and taking mitigating action where appropriate.  Consider the potential of insider as well as external attack.  The information and access that either of these two vulnerabilities offers is just too yummy for a malicious or driven attacker to pass up.

1) SolarWinds Storage Manager Server SQL Injection Authentication Bypass

Severity:  High

Vulnerability Description:  The ‘LoginServlet’ page on port 9000 of the SolarWinds Storage Manager Server is vulnerable to a SQL injection within the ‘loginName’ field.  An attacker can leverage this flaw to bypass authentication to the Storage Manager application or to execute arbitrary SQL commands and extract sensitive information from the backend database using standard SQL exploitation techniques.  Additionally, an attacker may be able to leverage this flaw to compromise the database server host operating system.

SolarWinds has not yet provided a patch to address the issue. Digital Defense, Inc. recommends restricting access to the affected port until an update has been produced by the vendor.
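The root cause described above, a login query built by gluing the ‘loginName’ field into SQL, is worth seeing next to its fix.  The following is an added illustration written for this post, not SolarWinds code: it assumes a hypothetical users table (loginName, password) in an in-memory SQLite database, and shows the concatenated query beside a parameterised one so that the same constructed input is treated as SQL by the first and as a plain value by the second.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the backend database (assumption: a simple
    users table; this is not the Storage Manager schema).  Passwords are kept
    in clear text only to keep the focus on query construction; a real
    application would store and compare a salted hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (loginName TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, login_name, password):
    """The defect: user input is spliced into the SQL text, so quotes and
    comment markers in the input change the query's structure."""
    query = (
        "SELECT loginName FROM users WHERE loginName = '" + login_name
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row is not None


def login_hardened(conn, login_name, password):
    """The fix: bound parameters.  The driver passes the values separately
    from the statement, so the input is compared as data and never parsed."""
    row = conn.execute(
        "SELECT loginName FROM users WHERE loginName = ? AND password = ?",
        (login_name, password),
    ).fetchone()
    return row is not None


def compare_on_crafted_input(conn):
    """Return (vulnerable_result, hardened_result) for the classic tautology
    input in the login field with an empty password.  The vulnerable path
    yields a match without credentials; the hardened path does not."""
    crafted = "' OR 1=1 --"  # constructed input for the demonstration
    return login_vulnerable(conn, crafted, ""), login_hardened(conn, crafted, "")


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, hardened:", compare_on_crafted_input(db))
```

Until the vendor ships a fix, the mitigation in the advisory (restricting reachability of port 9000) is the only control available; in your own code the parameterised form is the one that removes the flaw rather than hiding it.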

2) HP JetDirect Device Page Directory Traversal  (CVE-2011-4785)

Severity:  High

Vulnerability Description:  The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read only access to directories and files outside of the web root.  An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, etc.  Information obtained from an affected host may facilitate further attacks against the host.  Exploitation of this flaw is trivial using common web server directory traversal techniques.

Known Affected:

  • HP LaserJet 4650
  • HP LaserJet P3015
  • HP LaserJet 2430

At this time, HP has been notified of the vulnerability and has released a patch which addresses the issue for HP LaserJet P3015.

https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03140700
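The JetDirect issue is the textbook embedded-web-server mistake: a requested path is joined onto the web root without checking that the result still lies inside it.  As an added example for this post (not HP code), the function below shows the containment check such a server needs: it percent-decodes the request once, resolves the joined path, and refuses anything that lands outside the configured root.  The root directory /srv/www is an assumption for the demonstration.

```python
import os
from urllib.parse import unquote


def resolve_within_root(web_root, requested):
    """Map a request path onto the filesystem only if it stays under web_root.

    Returns the resolved absolute path, or None when the request escapes the
    root (via '..' segments, encoded or not) or names the root itself.
    """
    root = os.path.realpath(web_root)
    # Decode once so that %2e%2e is checked as '..' rather than slipping past
    # a check that only looks at the raw string.
    decoded = unquote(requested)
    # Strip the leading slash so the join is relative to the root, then
    # realpath collapses '..' components and follows symlinks.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if candidate == root:
        return None  # the root is a directory, not a servable file
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the web root: reject instead of serving
    return candidate


def classify(web_root, requests):
    """Constructed helper: label each request 'served' or 'rejected' so a
    batch of request paths can be reviewed at a glance."""
    return {r: ("served" if resolve_within_root(web_root, r) else "rejected")
            for r in requests}


if __name__ == "__main__":
    # Constructed request paths, one benign and three traversal attempts.
    sample = ["/index.html", "/css/../index.html",
              "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"]
    for path, verdict in classify("/srv/www", sample).items():
        print(f"{verdict:8} {path}")
```

Note that the check is done on the resolved path, after decoding and after symlinks are followed; comparing raw strings for a ".." substring is the kind of filter that directory traversal techniques routinely step around.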

Cisco IronPort Vulnerability

Advisory ID: cisco-sa-20120126-ironport

Cisco IronPort Email Security and IronPort Security Management Appliances contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges.  Fixed software versions or patches are not yet available.  Configuration workarounds that mitigate this vulnerability are available.

Cisco IronPort Email Security Appliance (C-Series and X-Series) versions prior to 7.6.0 and IronPort Security Management Appliance (M-Series) versions prior to 7.8.0 are affected by the FreeBSD telnetd remote code execution vulnerability documented by Common Vulnerabilities and Exposures (CVE) identifier CVE-2011-4862.  This one scores 19 out of 20 across the CVSS base and temporal scores, so you may want to exercise the workaround on this one.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport