This week’s “on the road” edition of WatchGuard Security Week in Review comes to you from the sunny Gold Coast of Australia, where I’ve spent the week learning about the latest mobile attacks, cloud threats, and SCADA security issues with the vibrant Australian security community. In this week’s video podcast, I quickly summarize a few of the presentations I saw at AusCERT this year.

Of course, normal security news continued marching along despite my little jaunt to the land down under. So I also cover this week’s important software updates, some new malware variants, and a potentially catastrophic antivirus update mistake. If you’re ready to catch up on the week’s most interesting security stories, check out the video below.

If you’d like to read the original sources for many of these stories, be sure to check out the Reference section. Also, make sure to post any feedback or questions in the comments section below, and share this podcast with your friends if you like it. Cheers!

(Episode Runtime: 5:35)

Direct YouTube Link: http://www.youtube.com/watch?v=KI9astTaRjU

Episode References:

• Paul Vixie talks DNSChanger at AusCERT - The Register
• Mark Fo on SCADA forensics - AusCERT
• Quicktime security update - Apple
  • Also a Leopard security update- Apple
• Chrome 19 security update – The Register
• Fake Google Chrome Installer Malware - Information Week
• New Zeus variant targets Facebook, Gmail, and Hotmail -eWeek
• Avira update kills windows computers - ZDNet

— Corey Nachreiner, CISSP (@SecAdept)

Though the primary theme for this week was, “patch, patch, patch,” I saw many other interesting, non-update related security stories in the news as well. This week’s vlog packs all those stories into a brisk eight and a half minutes. Topics include:

• Highlights on Microsoft, Adobe, and Apple security updates
• FBI lobbying for online wiretaps
• Warnings of Gas Pipeline Cyber Attacks
• Some new Geo-aware malware
• A seemingly big Twitter breach
• Some hacker arrests

For details on all these stories, and a few security tips along the way, check out the latest WatchGuard Security Week in Review video below.

As always, if you don’t have time for a video but want to check out individual stories later, you can find links to all the issues I cover in the ”Reference” section at the end of this post. You can also let us know what you think about this video series in the comments section.

Finally, I’m attending AusCERT next week; a security conference in Australia. Though I plan to release an episode next week, I will either post it significantly earlier or later than normal, due to the time zone difference. So keep your eyes peeled for next week’s episode, but don’t expect it at the regular time.

(Episode Runtime: 8:31)

Direct YouTube Link: http://www.youtube.com/watch?v=guqTuUatEwc

Episode References:

• Software Updates
  • Microsoft Patch Day
    • Consolidated Office alert - WatchGuard Security Center
    • Consolidated Windows+ alert - WatchGuard Security Center
  • Adobe
    • Consolidated Adobe alert - WatchGuard Security Center
    • Last week’s Flash alert - WatchGuard Security Center
  • Apple
    • OS X and Safari alert - WatchGuard Security Center
• FBI wants backdoors in products - CNET
• DHS warns of gas pipeline cyber attacks - CNN
• Geo-aware malware leverages 4square - The Register
• Attackers steal 55,000 Twitter credentials – Airdemon
  • Twitter debunks attack – Mashable
• Scotland Yard arrests Team Poison hackers - BBC News

— Corey Nachreiner, CISSP (@SecAdept)

Summary:

• These vulnerabilities affect: All current versions of OS X 10.6.x (Snow Leopard) and OS X 10.7.x (Lion).
• How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a malicious web site, or into downloading and viewing various images or media files.
• Impact: Various results; in the worst case, an attacker executes code on your user’s computer. Attackers could combine these issues to gain full control of your Mac.
• What to do: OS X administrators should download, test and install OS X 10.7.4 or Security Update 2012-002 as soon as possible, or let Apple’s Software updater do it for you.

Exposure:

Late Yesterday, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes around 36 (number based on CVE-IDs) security issues in 19  components that ship as part of OS X or OS X Server, including QuickTime, the Kernel, Time Machine, and many others. Some of the corrected vulnerabilities include:

• Local File Vault Password Disclosure Vulnerability. File Vault is an OS X component that encrypts files on a Mac, while Login Window is the component that allows you to log in to your Mac. Earlier this week, researchers disclosed a flaw in Apple’s File Vault that potentially exposes your password locally. The researcher found that when you upgrade OS X Snow Leopard to OS X Lion, the upgrade process sets a debug flag, which results in your passwords being stored to a local log file, in clear text. This means anyone with local access to that Mac can see the passwords for everyone that logged into that system.  Today’s Login Window update corrects this issue, preventing your passwords from being stored in this file. However, it does not clear out any existing passwords already in the log. To learn how to manually clear these logs, see this article.

• Multiple ImageIO Buffer Overflow Vulnerability. ImageIO is one of the components that helps OS X handle and display various images. It suffers from four security vulnerabilities (two being buffer overflow vulnerabilities) involving the way it handles TIFF image files. Though these vulnerabilities differ technically, most of them share the same general scope and impact. If an attacker can trick you into viewing a specially crafted image file (perhaps hosted on a malicious website), he could exploit the worst of these flaws to either crash an image application or to execute attack code on your Mac, with your privileges. The attacker could also exploit other vulnerabilities described in Apple’s alert to gain full control of your Mac.

• Several QuickTime Vulnerabilities. QuickTime is the popular video and media player that ships with OS X (and iTunes). QuickTime suffers from four security issues (number based on CVE-IDs) involving how it handles certain  video files and streaming media. While the vulnerabilities differ technically, they share the same basic scope and impact. If an attacker can trick one of your users into viewing a maliciously crafted content in QuickTime, she could exploit any of these flaws to execute code on that user’s computer, with that user’s privileges. Again, attackers could then leverage other flaws described in Apple’s alert to gain complete control of your Mac.

Apple’s alert also describes many other code execution vulnerabilities, as well as some Denial of Service (DoS) flaws, elevation of privilege vulnerabilities, and information disclosure flaws. Components patched by this security update include:

Please refer to Apple’s OS X 10.6.x and 10.7.x alert for more details.

Note: Apple also released a Safari alert and update, which fixes four vulnerabilities in the Mac and Windows version of Apple’s web browser. Attackers could leverage at least one of these flaws in a drive-by download attack. If you use Safari on a Mac or PC, you should update it to version 5.1.7, or let Apple’s automatic updater do it for you.

Solution Path:

Apple has released OS X Security Update 2012-002 and OS X 10.7.4 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can, or let Apple’s automatic Software Update utility do it for you.

• OS X Lion Update 10.7.4 (Client)
• OS X Lion Update 10.7.4 (Client Combo)
• OS X Lion Update 10.7.4 (Server)
• OS X Lion Update 10.7.4 (Server) Combo
• Security Update 2012-002 Server (Snow Leopard)
• Security Update 2012-002 (Snow Leopard)

Mac or PC Safari users should also update it to version 5.1.7.

For All Users:

These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack. Therefore, installing these updates is the most secure course of action.

Status:

Apple has released updates to fix these flaws.

References:

• May 2012 OS X  Security Update
• May 2012 Safari  Security Update

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Summary:

• These vulnerabilities affect: Adobe Shockwave Player, Flash Professional, Photoshop, and Illustrator
• How an attacker exploits them: Multiple vectors of attack, including enticing your users to open malicious files or visit specially crafted web sites
• Impact: Various results; in the worst case, an attacker can gain complete control of your computer
• What to do: Install the appropriate Adobe patches immediately, or let Adobe’s updater do it for you.

Exposure:

Today, Adobe released four security bulletins describing vulnerabilities in many of their popular software packages, including Shockwave Player, Flash Professional, Photoshop, and Illustrator.

A remote attacker could exploit the worst of these flaws to gain complete control of your computer. The summary below details some of the vulnerabilities in these popular software packages.

• APSB12-13: Five Shockwave Code Execution Vulnerabilities

• APSB12-12: Flash Professional Buffer Overflow Vulnerability

• APSB12-11: Photoshop TIFF Handling Vulnerability

Photoshop is a popular image editing program. Photoshop CS5.5 (for Windows and Mac) suffers from two vulnerabilities; a vulnerability involving its inability to properly handle specially crafted TIFF images, and an unspecified buffer overflow vulnerability. By tricking you into downloading and opening a malicious image in Photoshop, an attacker can exploit the TIFF flaw to execute code on your machine, with your privileges. If you have local admin privileges, the attacker gains complete control of your computer. Adobe doesn’t describe how an attacker might leverage the second buffer overflow vulnerability.

Adobe Priority Rating: 3 (Patch at your discretion)

• APSB12-10:  Five Illustrator Code Execution Vulnerabilities

Illustrator is Adobe’s vector drawing software. It suffers from five unspecified memory corruption vulnerabilities. Adobe doesn’t describe these flaws in any other detail, other than calling them code execution vulnerabilities. If forced to guess, we assume that if you handle specially crafted, Illustrator-compatible files (perhaps an image), an attacker could exploit this flaw to execute code on your computer with your privileges. Again, if you are an administrator, the attacker gains full control.

Adobe Priority Rating: 3 (Patch at your discretion)

While we’re on Adobe updates, if you haven’t installed the early Flash Player update that Adobe released last week, we recommend you do so immediately. That update is much more severe than the ones released today.

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you.

NOTE: Adobe has chosen to only release some of these fixes as paid updates (CS6). If you didn’t already plan to pay for these updates, you will have to decide if these security issues change your mind. On a positive note, attackers don’t often target the products in question (Photoshop, Illustrator, Flash Professional). Nonetheless, it’s difficult for us not to recommend the latest security updates, and we wish that Adobe had extended these security updates to previous versions as well.

• APSB12-13: Upgrade to Shockwave 11.6.5.635
• APSB12-12: Your only recourse is upgrading to Flash Professional CS6, which is a paid update.
• APSB12-11: Your only recourse is upgrading to Photoshop CS6, which is a paid update.
• APSB12-10: Your only recourse is upgrading to Illustrator CS6, which is a paid update.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods. A properly configured UTM device may mitigate the risk of some of these issues. That said, it cannot protect you from local attacks, nor can it prevent attacks that leverage normal HTTP traffic. Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches correcting these issues.

References:

• Adobe Security Update APSB12-10
• Adobe Security Update APSB12-11
• Adobe Security Update APSB12-12
• Adobe Security Update APSB12-13

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Summary:

• These vulnerabilities affect: All current versions of Windows and its optional .NET Framework component. One bulletin also affects Office and Silverlight
• How an attacker exploits them: Multiple vectors of attack, including enticing your users into running specially crafted documents or into visiting web sites with malicious content
• Impact: In the worst case, an attacker can gain complete control of your Windows computer
• What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released four security bulletins describing 15 vulnerabilities that primarily affect Windows and its optional .NET Framework component. However, one of the bulletins also affects Office and Silverlight. Each vulnerability affects different versions of these products to varying degrees. However, a remote attacker could exploit the worst of them to gain complete control of your Windows PC. We recommend you download, test, and deploy these updates – especially the critical ones — as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

• MS12-034: Various Vulnerabilities in Windows, Office, .NET Framework, and Silverlight

This unusual Microsoft bulletin fixes ten seemingly dissimilar vulnerabilities in four different Microsoft products; Windows, Office, the .NET Framework, and Silverlight. Microsoft combined them into one bulletin since the flaws affect related files found in all of these products.

The ten vulnerabilities differ quite widely, and include various code execution vulnerabilities, drive-by download type issues, local privilege elevation flaws, and even a Denial of Service (DoS) vulnerability. According to the bulletin, researchers or attackers have publicly disclosed three of these vulnerabilities before they were patched, and attackers have leveraged at least one in limited targeted attacks.

We suspect the font and image handling vulnerabilities pose the most risk to typical users. The components Windows uses to handle TrueType fonts and EMF images both suffer from multiple code execution flaws. If an attacker can lure one of your users into interacting with a specially crafted image or TrueType font, he can exploit these flaws to gain access to that user’s computer, with that user’s privileges. If your user has local administrator privileges, the attacker gains full control of the user’s computer. Attackers could embed these malicious fonts and images in web sites, documents, or emails, but some of these attack vectors require more user interaction than others to succeed. Since this bulletin fixes many serious vulnerabilities in many products — one of which attackers have already started exploiting in the wild — we recommend you download, test, deploy the updates as quickly as possible. Note, this update fixes flaws related to the advanced Duqu attack we’ve talked about in previous posts.

Microsoft rating: Critical

• MS12-035: Two .NET Framework Remote Code Execution Vulnerabilities

The .NET Framework is software framework used by developers to create new Windows and web applications. In computing, serialization is the process of converting a data structure or object to a state that allows for digital storage or transmission. Unfortunately, the .NET Framework suffers from two code execution vulnerabilities involving its serialization process. If an attacker can entice a user who’s installed the .NET Framework to a specially crafted web site, he can exploit these flaws to execute code on that user’s computer, with that user’s privileges. As always, if your users have local administrator privileges, attackers can leverage these flaws to gain full control of their computers. This flaw can also affect custom .NET Framework-based programs, which you might develop and run in-house. If you use the .NET Framework in your network, you should apply this update as quickly as you can.

Microsoft rating: Critical

• MS12-032: TCP/IP Elevation of Privilege Flaw and Firewall Bypass

Two of Windows’ networking components suffer from security flaws. The Windows TCP/IP stack suffers from a local elevation of privilege flaw involving the way it binds IPv6 addresses to local network interfaces. By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials.

Also, the Windows host-based Firewall suffers from a firewall bypass vulnerability. Apparently, the Windows firewall doesn’t properly apply outbound firewall policies to broadcast packets. Attackers with access to your Windows computers could exploit this issue to get past outbound firewall policies you may have applied to your Windows computer. While this flaw doesn’t allow external attackers to gain access to your system, it could make it easier for malware that infects your system to make its command and control (C&C) connection back to the attacker.

Microsoft rating: Important

• MS12-033: Partition Manager Elevation of Privilege Flaw

In computing, disk partitioning is the act of dividing your hard drive into more than one logical storage unit. Windows ships with the Partition Manager component to allow you to partition your hard drive. Unfortunately, the Partition Manager suffers from an elevation of privilege vulnerability having to do with how it interacts with another Windows component (specifically, the Plug and Play Configuration Manager). By running a specially crafted program, a local attacker could leverage this flaw to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials, which significantly lowers the severity of this issue.

Microsoft rating: Important

Solution Path:

Microsoft has released Windows patches that correct all of these vulnerabilities. You should download, test, and deploy the appropriate Windows patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these updates for you.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find the various updates:

• MS12-034
• MS12-035
• MS12-032
• MS12-033

For All WatchGuard Users:

Attackers can exploit these flaws in many ways, including by convincing users to run an executable file locally. Since your gateway WatchGuard appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.

That said, WatchGuard’s firewalls and XTM security appliances can mitigate the risk of many of these flaws. For instance, though attackers may leverage the Windows Firewall flaw to bypass host-based firewall policies, that attack will not trick our gateway firewall. Furthermore, if you use our Gateway Antivirus our appliance may block the malware attackers try to deliver to your computer when leveraging these vulnerabilities.

Status:

Microsoft has released patches correcting these issues.

References:

• Microsoft Security Bulletin MS12-032
• Microsoft Security Bulletin MS12-033
• Microsoft Security Bulletin MS12-034
• Microsoft Security Bulletin MS12-035

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

Summary:

• These vulnerabilities affect: Most current versions of Microsoft Office for Windows and Mac, and related products like Visio Viewer and the Office Compatibility Packs
• How an attacker exploits them: Typically, by enticing you to open maliciously crafted Office documents
• Impact: An attacker can execute code, potentially gaining complete control of your computer
• What to do: Install the appropriate Office patches as soon as possible, or let Windows Update do it for you.

Exposure:

Today, Microsoft released three security bulletins describing eight vulnerabilities specifically affecting Microsoft Office and its related components. Some of these issues affect Office running on either Windows or Mac computers, while others also affect components like the Office Compatibility Pack and Visio Viewer.

Microsoft also released a fourth Office-related bulletin (MS12-034), which affects many other Microsoft products as well. Since this fourth bulletin also affects Windows users, we will detail it in our upcoming Windows alert. If you use Office, you should also refer to this Windows bulletin, and apply its update as well.

Microsoft’s three Office-specific bulletins describe eight code execution vulnerabilities, all of which involve the way Office (and its related applications) handle different types of documents. These document-handling flaws differ technically, but share the same general scope and impact. If an attacker can entice one of your users to download and open a maliciously crafted Office document, she can exploit any of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

The only difference of note between these flaws is which type of Office document attackers use to trigger them. The affected Office documents include Rich Text Files (RTF) opened in Word, Excel (XLS) documents, and Visio (VSD, VSS, etc.) files.

If you’d like to learn more about each individual flaw, drill into the “Vulnerability Details” section of the security bulletins listed below:

• MS12-029: Word RTF Code Execution Vulnerability, rated Critical
• MS12-030: Multiple Excel Code Execution Vulnerabilities, rated Important
• MS12-031: Visio Viewer Code Execution Vulnerability, rated Important

Solution Path

For All WatchGuard Users:

Many WatchGuard appliances can block incoming Office documents. However, most administrators prefer to allow these file types for business purposes. Nonetheless, if Office documents are not absolutely necessary to your business, you may consider blocking them using our proxies, at least until you install these patches.

If you would like to use our XTM and Firebox appliance’s proxy policies to block the affected documents, follow the links below for general proxy instructions:

• XTM Appliance with WSM 11.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP Proxy?

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy

• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Microsoft has released Office updates to fix these vulnerabilities.

References:

• MS Security Bulletin MS12-029
• MS Security Bulletin MS12-030
• MS Security Bulletin MS12-031

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

In their May security bulletin summary, Microsoft highlights seven security bulletins that fix 23 vulnerabilities in four primary products, including:

• Windows
• Office
•  .NET Framework
• Silverlight

They rate three of these bulletins as Critical, which typically means remote attackers can exploit them to gain control of affected computers.

The two most serious flaws appear to be a vulnerability in Word (MS12-029) involving the way it handles Rich Text Files (RTF), and ten flaws that affect Office, Windows, the .NET Framework, and Silverlight (MS12-034); many of which also have to do with how these products handle documents or fonts. I would apply these updates in the same order Microsoft recommends in their summary post.

I’ll share more details about these issues, and how to fix them, in consolidated alerts I’ll post here shortly.

[UPDATE] I mistakenly published an unfinished version of this post as I was writing it. This may have resulted in you receiving an email containing the incomplete post. I apologize for the confusion this may have caused, and the extra email.  — Corey Nachreiner, CISSP (@SecAdept)

• This vulnerability affects: Adobe Flash Player  11.2.202.233 and earlier, running on all platforms (including Android)
• How an attacker exploits it: By enticing users to visit a website containing malicious Flash content
• Impact: In the worst case, an attacker can execute code on the user’s computer, potentially gaining control of it
• What to do: Download and install the latest version of Adobe Flash Player (version 11.2.202.235 for computers)

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash. Although Flash is optional, 99% of PC users download and install it to view multimedia web content. It runs on many operating systems, including mobile operating systems like Android.

In a security bulletin released today, Adobe announced a patch that fixes a critical vulnerability in Adobe Flash Player 11.2.202.233 and earlier, running on all platforms (including Android platforms).

Adobe’s bulletin describes the serious flaw as an “object confusion” vulnerability (CVE-2012-0779), and warns that attackers are currently exploiting it in the wild. They don’t describe the object confusion issue in detail, but they do describe its impact. If an attacker can entice one of your users to visit a malicious website, or into handling specially crafted Flash content, he could exploit this flaw to execute code on that user’s computer, with that user’s privileges. If your users have administrator privileges, the attacker could gain full control of their computers.

So far, Adobe has only seen attackers exploiting this vulnerability against Windows computers, which is why they rate this a “Priority 1” issue for Windows, and recommend you apply the updates as soon as possible (within 72 hours).   However, the vulnerability technically affects other platforms as well, so I recommend you update any Flash capable device as soon as you can.

Solution Path

Adobe has released new versions of Flash Player (11.2.202.235 for computers and the latest 11.1.11x.x for Android) to fix these issues. If you allow Adobe Flash in your network, you should download and install the new versions immediately. If you’ve enabled Flash Player’s recent “silent update” option, you will receive this update automatically.

• Download Flash Player for your computer:

• Download the latest Android Flash Player from Google Play [Visit from your Android device]

For All WatchGuard Users:

If you choose, you can configure the HTTP proxy on your XTM appliance to block Flash content. Keep in mind, doing so blocks all Flash content, whether legitimate or malicious.

Our proxies offer many ways for you to block files and content, including by file extension, MIME type, or by using very specific hexidecimal patterns found in the body of a message – a technique sometimes referred to as Magic Byte detection. Below I list the various ways you can identify various Flash files:

File Extension:

• .flv –  Adobe Flash file (file typically used on websites)
• .fla – Flash movie file
• .f4v – Flash video file
• .f4p - Protected Flash video file
• .f4a – Flash audio file
• .f4b – Flash audiobook file

MIME types:

• video/x-flv
• video/mp4 (used for more than just Flash)
• audio/mp4 (used for more than just Flash)

FILExt.com reported Magic Byte Pattern:

• Hex FLV: 46 4C 56 01
• ASCII FLV: FLV
• Hex FLA:  D0 CF 11 E0 A1 B1 1A E1 00

(Keep in mind, not all the Hex and ASCII patterns shared here are appropriate for content blocking. If the pattern is too short, or not unique enough, blocking with them could result in many false positives) 

If you decide you want to block Flash files, the links below contain instructions that will help you configure your Firebox proxy’s content blocking features using the file and MIME information listed above.

• XTM Appliance with WSM 11.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP Proxy?

• Firebox X Edge running 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy

• Firebox X Core and X Peak running Fireware 10.x
  • How do I block files with the FTP proxy?
  • How do I block files with the HTTP proxy?
  • How do I block files with the POP3 proxy?
  • How do I block files with the SMTP proxy?

Status:

Adobe has released updates to fix these Flash vulnerabilities.

References:

• April 2012 Adobe Flash Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept)

This week’s security summary podcast includes information about Microsoft’s upcoming Patch Day, stories about three interesting new malware variants, and updates to a few stories from previous episodes. Watch the video below for the details.

If you’d prefer to read, see the “Reference” section for links to all these security stories. I’ve seen a few late-breaking stories since I shot this week’s video, so be sure to check out those updates below. Also, don’t forget to share your thoughts or feedback in the comments section. (Episode Runtime: 8:37)

Direct YouTube Link: http://www.youtube.com/watch?v=guqTuUatEwc

Episode References:

• Microsoft’s May Patch Day notification – WatchGuard Security Center
• Interesting Malware:
  • Cross-platform Java malware - ZDNET
  • U.S. Dept. of Justice ransomware - ThreatPost
  • Android drive-by download malware (NotCompatible) - Ars Technica
    • Lookout’s analysis of NotCompatible – Lookout Blog
• Updates to Past Stories:
  • VMware source code
    • Attacker plans to release VMware source Saturday - Computing.co.uk
    • UPDATE: VMware releases emergency patches related to source leak – VMware
  • Flashback Updates
    • Flashback variant uses Twitter C&C - Security Week
    • Oxford University’s OxCERT talks about Flashback - OxCERT
  • Oracle Patch Day update fixes zero day exploit - Oracle
• LATE BREAKING UPDATE
  • Adobe releases critical Flash patch for zero day exploit – Adobe

— Corey Nachreiner, CISSP (@SecAdept)

According to May’s advanced notification post, Microsoft plans to release several security bulletins next Tuesday, fixing 23 flaws affecting Windows, Office, the .NET Framework, and Silverlight. Microsoft rates three of these bulletins as Critical.

In a nutshell, this month’s Patch Day looks fairly average. If forced to pick a theme, I’d say next week’s update leans towards Office-centric patches. At least two of the bulletins will probably fix Word and Excel document parsing flaws, which attackers could leverage to hijack your computer. While this month’s Patch Day won’t break any records, you’ll still want to download test and deploy Microsoft’s Critical updates as soon as you can, since they often allow remote attackers to gain full control or your machine.

I’ll know more about Microsoft’s May Update, and will post detailed information here on Tuesday, May 8th. — Corey Nachreiner, CISSP (@SecAdept)