Security update available for Adobe Flash Player

Adobe has released security updates for Adobe Flash Player 11.5.502.149 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.262 and earlier versions for Linux, Adobe Flash Player 11.1.115.37 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.32 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

The Adobe Flash version information page can be found here: http://www.adobe.com/software/flash/about/

More information:
http://www.adobe.com/support/security/bulletins/apsb13-05.html

Microsoft’s Patch Tuesday solves 57 (critical) security vulnerabilities

Today is Microsoft’s regular Patch Tuesday, and this month’s release fixes 57 vulnerabilities across 12 bulletins (which ones apply depends on the software you run).
Five of the bulletins are rated critical, so it is important that you run Windows Update on your clients and servers as soon as you can.
There is always the question of “should I update now, or should I wait until others have reported that the patch works okay?”. To me, testing the patches in a non-production environment and then deploying to production as quickly as possible goes without saying, but those who lack that ability need to assess the risk.

The risk of patching is that you may run into a bug in the patch, while the risk of not patching is that attackers will almost certainly be examining which issues were fixed and how they can be exploited, and then exploiting them on the systems that have not yet been patched. In my opinion, the risk of not patching outweighs the risk of patching.

More information:
http://technet.microsoft.com/en-us/security/bulletin/ms13-feb

Basefarm SIRT Newsletter #2

Basefarm SIRT weekly newsletter #2
Year – Week: 2013 – 06

Basefarm SIRT is the Security Incident Response Team of the Basefarm Group. We post weekly newsletters on the Basefarm Blog with the latest security information that we find interesting.

Preface
As you may remember from last week, The New York Times had been severely compromised for four months before anyone noticed (during which time their anti-virus software caught only 1 of the 55 pieces of malware installed on their systems). The New York Times believes the attackers got in through a spear-phishing attack, meaning that employees were sent emails containing malware attachments or links to sites serving malware. Since then, the Wall Street Journal, the Washington Post, the US Federal Reserve and Twitter (where the attackers appear to have accessed information on about 250,000 accounts) have also come forward to say that they were compromised.

So what does this show?
Among other things, that no matter what security systems are in place, no company can say with a straight face that it will never be compromised. There will always be some way in, so the goal is to keep those ways as few as possible, which is why we do as much proactive security work as we can.

The unfortunate reality is that the easiest way in is usually through you: a human who clicks on a phishing mail or receives a malware payload through an outdated plugin. Cisco’s 2013 Annual Security Report shows that most malware today reaches your system through ordinary news and business sites, typically because an ad network those sites use has been compromised.

Sources:
http://www.networkworld.com/news/2013/020113-lesson-learned-in-cyberattack-on-266335.html
http://www.nytimes.com/2013/02/02/technology/washington-posts-joins-list-of-media-hacked-by-the-chinese.html
http://blog.twitter.com/2013/02/keeping-our-users-secure.html
http://www.cisco.com/en/US/prod/vpndevc/annual_security_report.html


Important Software Security updates

Java 7 (Update 13) / Java 6 (Update 39)
http://www.java.com/en/download/index.jsp

Firefox (18.0.2)
http://www.getfirefox.com/

Adobe Flash (11.5.502.149 (Win and Mac), 11.3.379.14 (Windows 8) and 11.2.202.262 (Linux))
http://get.adobe.com/flashplayer/

For those using Firefox, you can go to the following page to see if your plugins are up-to-date:
https://www.mozilla.org/en-US/plugincheck/

Security tips
With the latest wave of plugin vulnerabilities (Java and Flash) causing havoc on the web, we suggest that those who are able to should enable click-to-play in their browsers. Doing this means that plugins such as Java (which should be fully disabled in your main browser anyway) or Adobe Flash will not load automatically in your browser unless you click on the object.

You can find information on click-to-play for your browser at these locations:
http://www.ghacks.net/2012/07/21/configuring-chromes-click-to-play-feature/
https://blog.mozilla.org/security/2012/10/11/click-to-play-plugins-blocklist-style/

Security news
Microsoft and Symantec hijack the “Bamital” Botnet
http://krebsonsecurity.com/2013/02/microsoft-symantec-hijack-bamital-botnet/

Canada Joins the DNSSEC Party
http://www.darkreading.com/blog/240147786/canada-joins-the-dnssec-party.html

China is world’s most malware-ridden nation
http://www.net-security.org/malware_news.php?id=2404

Where do you get malware from?
http://www.securitybistro.com/blog/?p=5384
http://www.net-security.org/secworld.php?id=14355

High Risk Flash Vulnerability

Unfortunately, multiple zero-day exploits have been released today for a couple of versions of Adobe Flash. This could mean that the news site you browse daily is serving ads from an ad network that has been compromised and now delivers malware to your system (this is actually one of the most common ways of getting compromised today; see “more information”). We advise everyone to update their Adobe Flash plugin as soon as possible to reduce the risk of being compromised.

You can download the latest version of Adobe Flash here: http://get.adobe.com/flashplayer/
You can verify which version of Adobe Flash you have installed, as well as see the latest version available, on this url: http://www.adobe.com/software/flash/about/

More information:
http://www.adobe.com/support/security/bulletins/apsb13-04.html
http://www.securitybistro.com/blog/?p=5384

Java (1.7.0_13) update fixes 50 security vulnerabilities

Oracle has released another update of Java (1.7.0_13). For those who need Java, it is strongly advised to update as soon as you can.
You can download the latest version here: http://www.java.com
Those running Windows can turn on automatic updates to make sure they always have the latest version: http://www.java.com/en/download/help/java_update.xml
Remember to remove any previously installed Java versions from your system when you update. See http://java.com/en/download/faq/remove_olderversions.xml for assistance with this.

We’d like to remind everyone about these three points though:
If you don’t need Java at all, uninstall it. Windows: http://www.java.com/en/download/uninstall.jsp Mac: http://www.java.com/en/download/help/mac_uninstall_java.xml

If you need Java only for stand-alone applications such as Minecraft, disable Java in your browsers: http://www.java.com/en/download/help/disable_browser.xml

If you need Java in your browser, disable it in your primary browser and keep it active in a secondary browser. That way Java is only active in the secondary browser, which you use only when you need to visit your banking site or the like.

To disable the Java plug-in in a specific browser:
In Firefox, select “Tools” from the main menu, then “Add-ons,” then click the “Disable” button next to any Java plug-ins.
In Safari, click “Safari” in the main menu bar, then “Preferences,” then select the “Security” tab and uncheck the box next to “Enable Java.”
In Chrome, type or copy “chrome://plugins” into your browser’s address bar, then click “Disable” below any Java plug-ins.
In Internet Explorer there is no way to disable Java for IE alone; disable it for all browsers via the Java Control Panel, using the disable_browser link above.

More info:
https://blogs.oracle.com/security/entry/february_2013_critical_patch_update

Basefarm SIRT Newsletter #1

Basefarm SIRT NEWSLETTER #1
Year – Week: 2013 – 05

Welcome to the first weekly security newsletter from your Basefarm SIRT team! In this newsletter we collect the week’s security news that we find worthwhile. As always, we continue sending out flash messages for critical issues that we find, but that does not make the information in the newsletter any less important for those who want safe and secure systems. We’d love to get feedback, so please send thoughts, suggestions, things we should add etc. to sirt@basefarm.com .

For those who aren’t familiar with what a SIRT team is, you can find information here:
http://www.cert.org/csirts/csirt_faq.html

Preface
It’s been quite a busy week, with WordPress and UPnP vulnerabilities affecting millions of servers and networks. The biggest worldwide news story of the week was of course that the New York Times found its network had been compromised by Chinese hackers, who obtained access to the email accounts of senior staff, stole the corporate network passwords of every New York Times employee and gained direct access to 53 personal computers of New York Times employees. This went on for four months before it was noticed. The latest report from Arbor also shows that DDoS attacks grew considerably during 2012 (+20% in bandwidth, +11% in packet rate and a 41% rise in complex, multi-vector DDoS attacks).

Important Software Security updates
iOS 6.1 for those with an iPhone.
http://support.apple.com/kb/HT5642

VLC Player 2.0.6 is available for those using VLC as their media player.
http://www.videolan.org/security/sa1302.html

Opera 12.13 is available for those using the Opera Browser.
http://my.opera.com/desktopteam/blog/2013/01/30/12-13-final-released

Security tips
Secure your passwords in Firefox
Setting a master password
Firefox: “Tools -> Options -> Security / Passwords -> Use a master password”
Thunderbird: “Tools -> Options -> Privacy -> Passwords -> Set Master Password”
Changing your master password
Firefox: “Tools -> Options -> Security / Passwords -> Change Master Password”
Thunderbird: “Tools -> Options -> Privacy -> Passwords -> Change Master Password” (not shown unless a master password is set)
http://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

Security news
Chinese hackers sat inside the New York Times network for months without being spotted.
http://www.wired.com/threatlevel/2013/01/new-york-times-hacked/

US Cyber Command Seeks to Quintuple Cybersecurity Force.
http://www.washingtonpost.com/world/national-security/pentagon-to-boost-cybersecurity-force/2013/01/19/d87d9dc2-5fec-11e2-b05a-605528f6b712_story.html

Israel Strengthening its Cyber Stance.
http://www.businessweek.com/news/2013-01-27/israeli-troops-swap-guns-for-computers-as-cyber-attacks-increase

FBI Investigating Leak of US Stuxnet Involvement.
http://www.washingtonpost.com/world/national-security/fbi-is-increasing-pressure-on-suspects-in-stuxnet-inquiry/2013/01/26/f475095e-6733-11e2-93e1-475791032daf_story.html

UPnP Vulnerability

On Tuesday, the security firm Rapid7 published research showing that approximately 23 million Internet-connected devices can be completely taken over by anyone with ill intent, and another 40 million can be shut down remotely by anyone who wants to. The vulnerabilities affect about 1,500 vendors (including Linksys, D-Link and Netgear) and almost 7,000 products, ranging from routers to TVs and media devices. So if you are, for example, running a Linksys WRT610N router at home and use it when connecting to the VPN at the office, someone could potentially take over that router and set up a man-in-the-middle attack to capture your credentials or do whatever else they want. Given the number of devices affected, the vendors’ advice is simply to disable UPnP in your router and other devices unless you explicitly need it. You can find instructions for doing so on your vendor’s support pages.

[Chart: Rapid7’s UPnP exposure figures. Chart courtesy of Rapid7]

More information:
http://www.kb.cert.org/vuls/id/922681
http://www.wired.com/threatlevel/2013/01/plug-n-play-security-flaws/
http://en.wikipedia.org/wiki/Man-in-the-middle_attack
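A practical check to go with the advice above, added here as an example and not part of the original post or of Rapid7’s tooling: a small Ruby script that sends the standard SSDP M-SEARCH discovery request and parses the replies, so you can see which devices on your LAN (or, run from an outside machine against your router’s public address, on the WAN side) still answer UPnP discovery. The SERVER header in a reply names the device’s UPnP stack and version, which is what you compare against your vendor’s advisory. The sample reply and the “ExampleRouter” string are constructed; the script makes no network contact unless you pass it a host on the command line.

```ruby
require 'socket'

SSDP_ADDR = '239.255.255.250'   # SSDP multicast group
SSDP_PORT = 1900

# Build the standard SSDP M-SEARCH discovery request. A UPnP device that honours
# it replies with the URL of its device description and a SERVER string naming
# its UPnP stack and version.
def build_msearch(target: 'upnp:rootdevice', mx: 2)
  [
    'M-SEARCH * HTTP/1.1',
    "HOST: #{SSDP_ADDR}:#{SSDP_PORT}",
    'MAN: "ssdp:discover"',
    "MX: #{mx}",
    "ST: #{target}",
    '', ''
  ].join("\r\n")
end

# Parse an SSDP reply (HTTP-style status line plus headers) into a Hash keyed by
# upper-cased header name. Returns nil for anything other than a 200 reply.
def parse_ssdp_response(text)
  lines = text.split(/\r?\n/)
  return nil unless lines.first =~ %r{\AHTTP/1\.[01] 200}
  headers = {}
  lines.drop(1).each do |line|
    name, value = line.split(':', 2)   # split on the first colon only; URLs contain more
    next if value.nil?
    headers[name.strip.upcase] = value.strip
  end
  headers
end

# Send one M-SEARCH to `host` (the multicast group on your LAN, or your router's
# public address from an outside machine) and collect replies for `wait` seconds.
def probe(host: SSDP_ADDR, wait: 3)
  sock = UDPSocket.new
  sock.send(build_msearch, 0, host, SSDP_PORT)
  replies = []
  deadline = Time.now + wait
  while (remaining = deadline - Time.now) > 0
    break unless IO.select([sock], nil, nil, remaining)
    data, addr = sock.recvfrom(4096)
    parsed = parse_ssdp_response(data)
    replies << { from: addr[3], server: parsed['SERVER'], location: parsed['LOCATION'] } if parsed
  end
  replies
ensure
  sock.close if sock
end

# Constructed sample reply in the shape a home router typically returns.
SAMPLE_REPLY = "HTTP/1.1 200 OK\r\n" \
               "CACHE-CONTROL: max-age=1800\r\n" \
               "LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n" \
               "SERVER: Linux/2.6 UPnP/1.0 ExampleRouter/1.0\r\n" \
               "ST: upnp:rootdevice\r\n" \
               "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n"

# Only touches the network when given a host on the command line.
if $PROGRAM_NAME == __FILE__ && ARGV[0]
  probe(host: ARGV[0]).each do |r|
    puts "#{r[:from]}  SERVER=#{r[:server]}  LOCATION=#{r[:location]}"
  end
end
```

Run it as `ruby ssdp_check.rb 239.255.255.250` on the LAN, or `ruby ssdp_check.rb <your public IP>` from a machine outside your network. No output means nothing answered within the wait period, which is exactly what you want on the WAN side: a device that answers discovery from the Internet is exposed regardless of what its SERVER string says, and disabling UPnP (or at least its WAN-facing half) is the fix.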

High risk Ruby on Rails vulnerability

Most users run Ruby on Rails 3.2 these days, but some still run Rails 3.0 or 2.3.
Those who cannot upgrade their application to Rails 3.2 and must stay on Rails 3.0 or 2.3 are strongly advised to update to 3.0.20 or 2.3.16 respectively.

To quote the Rails release announcement:
“I’d like to announce that 3.0.20, and 2.3.16 have been released. These releases contain one extremely critical security fix so please update IMMEDIATELY.”

“Impact
The JSON Parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML.”

More information:
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
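To make the mechanism in the quoted advisory concrete, here is an added Ruby example (not Rails’ code and not from the original post) that reproduces the shape of the vulnerable JSON backend: a converter that only inserts whitespace after unquoted `:` and `,` so the text parses as YAML flow syntax and then decodes `\uXXXX` escapes, followed by a call to the YAML parser. The converter, the `Gadget` class and the two payloads are constructed for the demo; the space-then-unescape order is my reading of the 2.3/3.0 backend (an assumption, not copied code) and is the detail that lets a colon be smuggled into a YAML tag such as `!ruby/object:Gadget`. `YAML.unsafe_load` is used where it exists to reproduce what `YAML.load` did in 2013.

```ruby
require 'yaml'
require 'json'

# Constructed stand-in for any class on the application's load path. In a real
# Rails app an attacker picks a class whose instances do something dangerous when
# revived; this one is inert, so the demo only proves that an arbitrary Ruby
# object gets instantiated from "JSON" input.
class Gadget
  attr_accessor :cmd
end

# Simplified model of the Rails 2.3/3.0 YAML JSON backend (assumption: modelled
# on it, not copied from it). It inserts a space after every unquoted ':' and ','
# so the document parses as YAML flow syntax, and only afterwards decodes \uXXXX
# escapes, so an escaped colon survives the spacing and lands inside a YAML tag.
def json_to_yaml_naive(json)
  out = +''
  quoting = nil
  json.each_char.with_index do |ch, i|
    out << ch
    if quoting
      quoting = nil if ch == quoting && json[i - 1] != '\\'
    elsif ch == '"' || ch == "'"
      quoting = ch
    elsif ch == ':' || ch == ','
      out << ' '
    end
  end
  out.gsub(/\\u([[:xdigit:]]{4})/) { [$1.hex].pack('U') }
end

# The vulnerable path: transform, then hand the result to the YAML parser.
# YAML.unsafe_load reproduces 2013-era YAML.load; older Psych has only YAML.load.
def decode_via_yaml(json)
  yaml = json_to_yaml_naive(json)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(yaml) : YAML.load(yaml)
end

# The fixed path: a real JSON parser, which has no notion of YAML tags.
def decode_via_json(json)
  JSON.parse(json)
end

# Constructed payloads. Neither is valid JSON; both are valid YAML once the
# backend has "helped" by spacing and unescaping them.
OBJECT_PAYLOAD = '{"run": !ruby/object\u003aGadget {cmd: id}}'
SYMBOL_PAYLOAD = '{"role": !ruby/sym admin}'

def demo
  obj = decode_via_yaml(OBJECT_PAYLOAD)['run']
  sym = decode_via_yaml(SYMBOL_PAYLOAD)['role']
  json_rejects = [OBJECT_PAYLOAD, SYMBOL_PAYLOAD].all? { |p|
    begin
      decode_via_json(p)
      false
    rescue JSON::ParserError
      true
    end
  }
  { object_class: obj.class, cmd: obj.cmd, symbol: sym, json_rejects: json_rejects }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point the advisory makes is the last entry of `demo`: a real JSON parser rejects both payloads outright, which is the approach the fixed releases took. Newer Psych versions make `YAML.load` safe by default (the object payload then raises instead of reviving a `Gadget`), but that does not help an application that hands attacker input to a YAML parser in the first place; the fix is to stop doing that, not to hope the parser is strict.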

High Risk WordPress vulnerability

WordPress pushed out version 3.5.1 of its open source blogging platform yesterday, fixing 37 bugs including several cross-site scripting (XSS) errors and a vulnerability that could have allowed an attacker to expose information and compromise an unpatched site.

Until yesterday, the aforementioned vulnerability, discovered by security researchers Gennady Kovshenin and Ryan Dewhurst, affected all versions of the platform. It could be exploited for server-side request forgery (SSRF) and remote port scanning via pingbacks: the attacker supplies a pingback source URL of their choosing, and the WordPress server fetches it on the attacker’s behalf. Left unpatched, this lets an attacker make the server send requests to other hosts, including hosts behind a firewall that the attacker could not reach directly, and learn from the server’s reply whether a given port is open.

The update also fixes the following XSS errors:
Two instances of cross-site scripting via shortcodes and post content.
An XSS vulnerability in the external library Plupload.

Due to the nature of this release, it’s advised that anyone running WordPress have their WordPress installations updated.

Further information can be found here:
http://wordpress.org/news/2013/01/wordpress-3-5-1/
http://core.trac.wordpress.org/query?milestone=3.5.1
http://threatpost.com/en_us/blogs/wordpress-fixes-37-bugs-latest-update-012513
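What the pingback abuse looks like on the wire, and the kind of check a fix needs, as an added Ruby example (not WordPress code and not from the original post): `pingback_request` builds the XML-RPC `pingback.ping` call, whose first parameter is the URL the WordPress server will go and fetch, and `safe_pingback_source?` is a validator that refuses to fetch anything but http(s) on ports 80 and 443 whose every resolved address is public. The DNS table, the resolver lambda and all hostnames are constructed; the validator is modelled on what such a fix has to do and is not copied from WordPress 3.5.1.

```ruby
require 'uri'
require 'ipaddr'

# Constructed XML-RPC body for pingback.ping, the call the vulnerability abuses.
# Parameter 1 (sourceURI) is the URL the server will fetch to verify the
# pingback; parameter 2 (targetURI) is a post on the victim blog. Pointing
# sourceURI at http://127.0.0.1:22/ asks the blog to connect to its own SSH port,
# and the difference in the reply tells the attacker whether that port is open.
def pingback_request(source_uri, target_uri)
  esc = ->(s) { s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;') }
  <<~XML
    <?xml version="1.0"?>
    <methodCall>
      <methodName>pingback.ping</methodName>
      <params>
        <param><value><string>#{esc.call(source_uri)}</string></value></param>
        <param><value><string>#{esc.call(target_uri)}</string></value></param>
      </params>
    </methodCall>
  XML
end

# Address ranges a server must never be asked to contact on a stranger's behalf:
# "this network", RFC 1918, carrier-grade NAT, loopback, link-local, multicast,
# and their IPv6 counterparts.
BLOCKED_RANGES = %w(
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 ::1/128 fc00::/7 fe80::/10
).map { |cidr| IPAddr.new(cidr) }

def blocked_ip?(ip)
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Is this sourceURI safe for the server to fetch? Only http(s), only the default
# web ports, and every address the host resolves to must be outside the blocked
# ranges. `resolver` maps a hostname to its addresses; it is injected so the
# example runs offline, and the fetcher should reuse the same answer rather than
# resolve again (a second lookup can return a different, internal address).
def safe_pingback_source?(url, resolver:)
  uri = URI.parse(url)
  return false unless %w(http https).include?(uri.scheme)
  return false if uri.hostname.nil? || uri.hostname.empty?
  return false unless [80, 443].include?(uri.port)
  addrs = begin
    [IPAddr.new(uri.hostname)]            # literal IP in the URL, IPv4 or IPv6
  rescue ArgumentError                    # IPAddr::InvalidAddressError is an ArgumentError
    resolver.call(uri.hostname).map { |a| IPAddr.new(a) }
  end
  !addrs.empty? && addrs.none? { |ip| blocked_ip?(ip) }
rescue URI::InvalidURIError, ArgumentError
  false
end

# Constructed stand-in for DNS.
FAKE_DNS = {
  'blog.example.org'      => ['203.0.113.10'],
  'intranet.corp.example' => ['10.0.0.5'],
  'rebind.example.net'    => ['203.0.113.20', '127.0.0.1'] # one public, one loopback answer
}.freeze
RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }

# Verdict for a set of candidate sourceURIs; only the first two should pass.
def demo
  %w(
    http://blog.example.org/post/1
    https://blog.example.org/
    http://127.0.0.1/
    http://127.0.0.1:22/
    http://[::1]/
    http://intranet.corp.example/
    http://rebind.example.net/
    http://blog.example.org:8080/
    ftp://blog.example.org/
    http://unknown.example/
  ).map { |u| [u, safe_pingback_source?(u, resolver: RESOLVER)] }.to_h
end

if $PROGRAM_NAME == __FILE__
  demo.each { |url, ok| puts "#{ok ? 'fetch ' : 'REFUSE'}  #{url}" }
end
```

Two details carry most of the weight. Resolving once and checking every returned address is what catches `rebind.example.net`, a name that answers with one public and one loopback address; a check that validated only the first answer, or resolved again when fetching, would be bypassable. And validating the literal URL is not enough on its own: an external host can redirect to an internal one, so the fetcher has to re-run the check on every redirect hop.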

LinkedIn Phishing mails

There have been a couple of reports this week about an email arriving that looks like it comes from LinkedIn. It is quite a good fake; unless you mouse over the links inside it and check where they actually go before clicking, you might very well fall victim.
If you do click, you are redirected to a malicious web page that attempts to run Java and (presumably) take over your computer. It may also try Flash and/or other exploits for the same purpose.

If you have clicked on the link, your computer may be compromised, so please have it thoroughly scanned for malware by multiple scanners.

More information: http://blog.webroot.com/2013/01/24/fake-linkedin-invitation-notifications-themed-emails-lead-to-client-side-exploits-and-malware/
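The “look where the link really goes” advice, turned into a check you can run over a saved message, as an added Ruby example (not from the original post or from Webroot): `suspicious_links` pulls every anchor out of an HTML mail body and flags links whose real host is not under the claimed sender’s domain, and links whose visible text is itself an address that disagrees with the `href`. The message body and all hosts are constructed; the anchor regex is deliberately simple and is no substitute for a real HTML parser on hostile input.

```ruby
require 'uri'

# Anchor tags in the mail body: capture the href and the visible inner HTML.
# Deliberately simple; fine for mail-client markup, not for adversarial HTML.
ANCHOR_RE = %r{<a\b[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>(.*?)</a>}im

def host_of(url)
  URI.parse(url.strip).host&.downcase
rescue URI::InvalidURIError
  nil
end

# Does the visible label itself look like a URL or a bare domain name?
def looks_like_address?(text)
  !!(text =~ %r{\A(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?\z}i)
end

# "www.linkedin.com" is under "linkedin.com"; "linkedin.com.example.net" is not.
def under_domain?(host, domain)
  host == domain || host.end_with?(".#{domain}")
end

# Return every link with at least one reason to distrust it.
def suspicious_links(html, claimed_domain:)
  html.scan(ANCHOR_RE).map do |href, inner|
    label  = inner.gsub(/<[^>]+>/, '').strip
    target = host_of(href)
    reasons = []
    if target.nil?
      reasons << 'href is not a parseable web link'
    elsif !under_domain?(target, claimed_domain)
      reasons << "points to #{target}, which is not under #{claimed_domain}"
    end
    if looks_like_address?(label)
      shown = host_of(label =~ %r{\Ahttps?://}i ? label : "http://#{label}")
      if shown && target && shown != target
        reasons << "displayed as #{shown} but actually goes to #{target}"
      end
    end
    { href: href, label: label, reasons: reasons }
  end.reject { |finding| finding[:reasons].empty? }
end

# Constructed invitation-style mail body with two good links and two bad ones.
SAMPLE_MAIL = <<~HTML
  <p>You have a new invitation.</p>
  <a href="http://www.linkedin.com/e/accept/123">Accept</a>
  <a href="http://203.0.113.77/ln/invite.php">http://www.linkedin.com/e/view/123</a>
  <a href="https://www.linkedin.com/unsubscribe">Unsubscribe</a>
  <a href="http://linkedin.com.example.net/login">Sign in</a>
HTML

if $PROGRAM_NAME == __FILE__
  suspicious_links(SAMPLE_MAIL, claimed_domain: 'linkedin.com').each do |f|
    puts "#{f[:href]} (shown as #{f[:label].inspect})"
    f[:reasons].each { |r| puts "  - #{r}" }
  end
end
```

The second sample link is the classic case the post warns about: the text you see is a LinkedIn URL, the address you would land on is not. The fourth shows the other common trick, a hostname that starts with the trusted domain but is registered somewhere else entirely, which `under_domain?` rejects because it compares from the right-hand end.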