Posts

Patch Tuesday February 2016

Yet another patch Tuesday has come upon us.
Microsoft released 13 updates, some of which fix critical issues, to address vulnerabilities in their product line. Adobe on the other hand has released patches which address 22 vulnerabilities for their Adobe Flash and Adobe Acrobat/Reader products.
Oracle also pushed out a new update – Java SE 8, Update 73.

Microsoft
Adobe

Oracle fixes vulnerabilities

Oracle have released fixes for fifty-one vulnerabilities, of which twelve are critical.

Oracle Java SE: 51
Oracle Database Server: 4
Oracle Fusion Middleware: 17
Oracle Enterprise Manager Grid Control: 4
Oracle E-Business Suite: 1
Oracle Supply Chain Products Suite: 2
Oracle PeopleSoft Products: 8
Oracle Siebel CRM: 9
Oracle iLearning: 2
Oracle Industry Applications: 6
Oracle Financial Services Software: 1
Oracle Primavera Products Suite: 2
Oracle and Sun Systems Products Suite: 12
Oracle Virtualization: 2
Oracle MySQL: 12

More information: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

Oracle Patches JDK/JRE

Oracle have released information about multiple critical Java vulnerabilities which affect JDK/JRE.

Affected product releases and versions
JDK and JRE 7 Update 21 and earlier
JDK and JRE 6 Update 45 and earlier
JDK and JRE 5.0 Update 45 and earlier
JavaFX 2.2.21 and earlier

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 40 new security fixes across Java SE products of which 4 are applicable to server deployments of Java.

More information: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
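The affected-release list above can be turned into a quick triage over collected `java -version` output. This is an added example, not code from Oracle or the original post; the host names and sample output are constructed, and the legacy `1.<major>.0_<update>` version-string format is assumed.

```python
import re

# Highest affected update per release line, taken from the list in this post.
AFFECTED_MAX_UPDATE = {7: 21, 6: 45, 5: 45}

# Legacy version strings look like 1.7.0_21 or 1.6.0_45-b06.
# An initial release has no "_NN" suffix and is treated as update 0.
_VERSION_RE = re.compile(r"\b1\.(\d+)\.0(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, update) found in `java -version` output, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2) or 0)


def is_affected(text):
    """True if in the affected range, False if newer, None if it cannot be judged."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None  # Java missing or output not recognised
    major, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(major)
    if limit is None:
        return None  # release line not covered by this advisory
    return update <= limit


# Constructed sample: output gathered from hypothetical hosts.
SAMPLE_INVENTORY = {
    "web01": 'java version "1.7.0_21"\nJava(TM) SE Runtime Environment (build 1.7.0_21-b11)',
    "web02": 'java version "1.7.0_25"',
    "app01": 'java version "1.6.0_45"',
    "db01": "bash: java: command not found",
}


def triage(inventory):
    """Map each host to its is_affected() verdict."""
    return {host: is_affected(output) for host, output in inventory.items()}


if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "newer than affected range", None: "unknown"}
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {labels[verdict]}")
```

Hosts that come back as unknown still need a manual look, since a missing `java` on the PATH does not prove that no JRE or browser plugin is installed.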

Apple OS X – Java 2013-003 1.0 and Safari 6.0.4

Apple have released updates for Java and Safari. These are security updates, so users are advised to update as soon as possible by going to “Software Update”.

More information:
http://support.apple.com/kb/HT5682
http://support.apple.com/kb/HT5678

Java 7 update 17 / Java 6 update 43

Oracle has released updates to fix the latest zero-day vulnerabilities in Java that are being exploited in the wild.

We do, however, suggest that users follow the guidelines in this post before installing said update: http://blog.basefarm.com/blog/2013/02/02/java-1-7-0_13-update-fixes-50-security-vulnerabilities/

You can find the download here:
http://www.java.com/

More information:
https://blogs.oracle.com/security/entry/security_alert_cve_2013_1493

Java, the gift that keeps on giving

Security researchers have released information about two exploits affecting Java 7 that, when combined, allow an attacker to completely bypass the Java sandbox to install malware etc.
There is at this time no fix from Oracle for this issue.
We suggest that users follow the guidelines in this post: http://blog.basefarm.com/blog/2013/02/02/java-1-7-0_13-update-fixes-50-security-vulnerabilities/

More information:
http://news.softpedia.com/news/Zero-Day-Vulnerability-Affecting-Java-7-Update-15-and-Earlier-Versions-Identified-332157.shtml
http://www.security-explorations.com/en/SE-2012-01-status.html

Basefarm SIRT Newsletter #4

BF-SIRT NEWSLETTER #4
Year – Week: 2013 – 08
https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Weekly Summary
This week, a lot of high-profile companies have come forward about being victims of attacks. Companies like Apple and Facebook fell victim to Java exploits when browsing a well-known iOS developer forum, causing their computers to be taken over by attackers. This once again goes to show the importance of keeping your systems updated as much as you can and removing software you don’t need. If there’s a need for a browser plugin such as Java or Adobe Acrobat Reader, then don’t have it activated in your primary browser but simply keep it enabled in a secondary browser for those specific Java websites.

NBC.com was also compromised this week, causing everyone visiting the site (many tens of thousands) to be redirected to a site serving malware. The malware exploited previously known Java and Adobe Acrobat Reader vulnerabilities to take control of the victims’ computers.

The New York Times has also reported that a unit within the Chinese Army is seen as tied to hacking against the U.S. China in turn denied this accusation.

On the good side of things, Google have released information that they have reduced the number of compromised accounts by 99.7% since their peak in 2011.

We have also launched a website for those interested in reading up on Basefarm SIRT. You can find the page here: https://www.basefarm.com/en/technical-support/Basefarm-SIRT/

Sources:

http://threatpost.com/en_us/blogs/nbc-website-hacked-leading-visitors-citadel-banking-malware-022113

http://threatpost.com/en_us/blogs/ios-developer-site-core-facebook-apple-watering-hole-attack-022013
https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766
http://googleblog.blogspot.com/2013/02/an-update-on-our-war-against-account.html
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html

Important Software Security updates
Java 7 / Java 6: http://blog.basefarm.com/?p=1085
Mozilla updates (Firefox, Thunderbird, Seamonkey): http://blog.basefarm.com/?p=1084
Google Chrome: http://blog.basefarm.com/?p=1098
Adobe Acrobat Reader: http://blog.basefarm.com/?p=1100

Security tips
In light of the latest breaches, we’d like to suggest that you have a look at the software and browser plugins you have installed on your system(s).
Unfortunately, depending on an antivirus alone just doesn’t cut it: malware keeps transforming and mutating, which means your antivirus won’t match the reported malware signature. Attackers are also exploiting vulnerabilities faster and faster, which means that the time between the disclosure of a vulnerability and its exploitation through ad networks or hijacked sites is much shorter these days.

The first step is to simply check which software you have installed, and uninstall whatever you don’t have an explicit need for.
Once you have uninstalled the applications and browser plugins you don’t need, it’s time to update the ones that remain.

You can check your browser plugins up-to-date status on the following page: https://browsercheck.qualys.com/

As for your software, it’s a matter of visiting the developer’s webpage and verifying that you’re using the latest version of their software.
Keeping your OS automatically patched through Windows Update or Mac’s Software Update goes without saying.

Security news
Chinese Army unit is seen as tied to hacking against U.S.
http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html

China says U.S. hacking accusations lack proof
http://www.reuters.com/article/2013/02/20/us-china-hacking-idUSBRE91I06120130220

DDoS attack on bank hid $900,000 Cyberheist
http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/

Freezing Android devices break disk encryption
http://www.net-security.org/secworld.php?id=14433

February 1st – 16th cyber attacks timeline
http://hackmageddon.com/2013/02/18/1-16-february-2013-cyber-attacks-timeline/

Java 7 update 15 / Java 6 update 41

A new version of Java has been released (version 7 update 15 and version 6 update 41), fixing four “Highly Critical” security vulnerabilities.
You can download the latest version here: http://www.java.com
Those running Windows can choose to turn on automatic updates to be sure to always have the latest version: http://www.java.com/en/download/help/java_update.xml
Remember to delete any previously installed Java versions from your system when you update. See http://java.com/en/download/faq/remove_olderversions.xml for assistance with this.
This is the final public release of Java 1.6.0, and Oracle will not provide more free security fixes for version 6.

We also suggest that users follow the guidelines in this post: http://blog.basefarm.com/blog/2013/02/02/java-1-7-0_13-update-fixes-50-security-vulnerabilities/

More information:
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

Java (1.7.0_13) update fixes 50 security vulnerabilities

Oracle has released another update of Java (1.7.0_13). For those who need Java, it is strongly advised to update as soon as you can.
You can download the latest version here: http://www.java.com
Those running Windows can choose to turn on automatic updates to be sure to always have the latest version: http://www.java.com/en/download/help/java_update.xml
Remember to delete any previously installed Java versions from your system when you update. See http://java.com/en/download/faq/remove_olderversions.xml for assistance with this.

We’d like to remind everyone about these three points though:
If you don’t need Java at all – uninstall it: http://www.java.com/en/download/uninstall.jsp www.java.com/en/download/help/mac_uninstall_java.xml

If you need Java for stand-alone applications such as Minecraft, disable Java in your browsers: http://www.java.com/en/download/help/disable_browser.xml

If you need Java in your browser, disable it in your primary browser and keep it active in a secondary browser. This way, you will only have Java activated in the secondary browser, which you use when you need to visit your banking site or such:

If you need it for stand-alone applications such as Minecraft, disable Java in browsers
In Firefox, select “Tools” from the main menu, then “Add-ons,” then click the “Disable” button next to any Java plug-ins.
In Safari, click “Safari” in the main menu bar, then “Preferences,” then select the “Security” tab and uncheck the button next to “Enable Java.”
In Chrome, type or copy “Chrome://Plugins” into your browser’s address bar, then click the “Disable” button below any Java plug-ins.
In Internet Explorer, follow these instructions for disabling Java in all browsers via the Control Panel. There is no way to completely disable Java specifically in IE.

More info:
https://blogs.oracle.com/security/entry/february_2013_critical_patch_update

High Risk Java Vulnerability

A new year has arrived, as has a new Java 0-day vulnerability. The vulnerability is present in all Java versions up to version 7 update 10. There is currently no patch available for this, and it has already been integrated into the BlackHole exploit kit. As many of you know, Java runs on all platforms, so it doesn’t matter if you run Windows, Mac or Linux: you’re all at risk. Last time this happened, we advised you to uninstall or disable Java in your browser if you don’t have a specific need. I want to reiterate this once more. You can click on this link to see if you have Java installed: http://www.java.com/sv/download/installed.jsp

We suggest that you either uninstall Java if you have no need whatsoever for it, disable it in your main browser (so you use a secondary browser only for your Java activity), or disable it fully in all your browsers. Information on how to do this can be found below:
Uninstalling Java on Windows 7: http://www.java.com/en/download/uninstall.jsp
Uninstalling Java on Mac: http://osxdaily.com/2012/04/07/tips-secure-mac-from-virus-trojan/

Disabling Java in browsers:
In Firefox, select “Tools” from the main menu, then “Add-ons,” then click the “Disable” button next to any Java plug-ins.
In Safari, click “Safari” in the main menu bar, then “Preferences,” then select the “Security” tab and uncheck the button next to “Enable Java.”
In Chrome, type or copy “Chrome://Plugins” into your browser’s address bar, then click the “Disable” button below any Java plug-ins.
In Internet Explorer, follow these instructions for disabling Java in all browsers via the Control Panel. There is no way to completely disable Java specifically in IE.

More information can be found here: http://www.kb.cert.org/vuls/id/625617

Update: Oracle have now released a patch for Java (version 7 update 11), so anyone using Java should immediately update to this version. You can do this either by updating through Java Update or by going to http://www.java.com/en/download/index.jsp
You should, however, only install this update if you have a need for Java, and those who do should still follow the guidance in our last mail regarding only allowing it for stand-alone applications and/or multiple browsers.