Category: Security

  • Sophos antivirus vulnerabilities…

    SANS has the story on a security vulnerability involving specially crafted .cab files affecting a WIDE range of Sophos antivirus products (from desktop to server).

    The main result of the vulnerability is arbitrary code execution, which is a bad thing…. PureMessage and MailMonitor users may be more at risk because, of course, it requires scanning of .cab files to be enabled.

    (more…)

  • Oracle’s April patches late….

    Oracle released 36 patches in mid-April as part of their quarterly patch cycle…. unfortunately, not all of the patches were released. Apparently they hadn’t finished testing and users were advised to look for the updates around the first of May. Well, guess what – they’re not out yet and the word is that they won’t be until May 15th. This is one example of why I think it’s unwise to say that patches will be released on X date on a regular schedule. They should be releasing them as soon as they have the patch tested and ready.

    (more…)

  • Top 10 things to do when throwing out a computer

    This is going to sound familiar to those that have been here before, but I’ve just had a once over of a batch of machines that are going to get thrown away tomorrow and felt compelled to make a list of the top ten things to do before you throw away, give away, pitch or otherwise dispose of your computer…..

    (more…)

  • Here’s a bookmark for your NOC (Network Operations Center)… Talisker Computer Network Defense Operational Picture

    Sometime during the winter, I recall President Bush visited the NSA headquarters if I’m not mistaken and there was some press footage of him shaking hands in a very important looking techy monitoring room. A network operations center of some sort. I think they called it the Threat Operations Center. There was one backdrop that was quite impressive and made the rounds in some of the photos of the visit. There was the ISC threat meter, dshield, a square showing updates of exploit tools and vulnerabilities, viruses, intrusion detection signature updates, etc… all packed into a nice size screen.

    (more…)

  • Microsoft May 2006 patch Tuesday updates

    Now that the April patches have been patched…. it’s time to look forward to what updates we’ll be seeing from Microsoft this coming Tuesday May 9th… There are 3 expected updates for May, 2 for Windows and one for Exchange Server. The Exchange update is listed as critical as is AT LEAST one of the two Windows patches.

    (more…)

  • Clamav and Firefox updates

    In the last couple days there have been new security releases of both clamantivirus (0.88.2 is now the current) and Mozilla-Firefox (1.0.3 is the current release over there). If you use either of these programs you should be looking to update. I’ve been busy looking at getting src.rpm’s recompiled here for various Mandr-ake/iva’s and if time allows I’ll even upload the latest. It sure feels like firefox has been getting rebuilt about every week or two lately though.

    (more…)

  • 3 Critical Microsoft Updates, 1 Important, 1 Moderate and 1 re-released

    Looks like an interesting patch day. Looks like there are several bugs covered by the cumulative IE patch… SANS has a good writeup (7 CVE issues addressed by this 1 patch….) Also the Eolas ActiveX settlement (“Eolas Patent Patch”) solution seems to be included in this bundle. Also an MDAC and a Windows Explorer (not to be confused with the Internet Explorer) patch. (The Windows Explorer AND MDAC bugs are remote code execution vulnerabilities…)

    (more…)

  • Clamav 0.88.1 for Mandrake 10.0

    Since I’ve still got a few older Mandrake 10 installs that I’m maintaining as mailservers, there aren’t supported security fixes for various things anymore… Friday there was news of a new clamantivirus to fix some security flaws with 0.88; the new version is 0.88.1. I’ve taken the cooker srpm and recompiled for 10.0, so… for my convenience (and that of anyone with an older Mandrake box…) the links will be below.

    (more…)

  • IE phishing exploit..

    There is ANOTHER IE vulnerability that’s come across the news in the last week. It seems that this is currently only a Proof of Concept, I’ll have to check and see if anyone’s reported seeing this in the wild…, but essentially a race condition between a Macromedia flash file and web content can allow a forged address bar location… in other words it might say www.google.com in the address bar, but you’re actually looking at www.evilhackerplayground.org….

    (more…)

  • Multi-OS virus?

    The multi-OS virus may be a proof of concept, but it could be a sign of bad things to come. Let’s face it, there have been viruses that have taken advantage of multiple ways of spreading (email/open network shares/instant messengers…). It would almost make sense that even though it’s a POC…. it may be quickly incorporated into future virus strategies….

    (more…)