Archive for the ‘Uncategorized’ Category

Microsoft Updates for Multiple Vulnerabilities

Original release date: February 08, 2011
Last revised: –
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft Office

Overview

There are multiple vulnerabilities in Microsoft Windows, Microsoft
Office, and Internet Explorer. Microsoft has released updates to
address these vulnerabilities.

I. Description

The Microsoft Security Bulletin Summary for February 2011 describes
multiple vulnerabilities in Microsoft Windows, Microsoft Office,
and Internet Explorer. Microsoft has released updates to address
the vulnerabilities.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.

III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the
Microsoft Security Bulletin Summary for February 2011. That
bulletin describes any known issues related to the updates.
Administrators are encouraged to note these issues and test for any
potentially adverse effects. In addition, administrators should
consider using an automated update distribution system such as
Windows Server Update Services (WSUS).

IV. References

* Microsoft Security Bulletin Summary for February 2011 -
<http://www.microsoft.com/technet/security/bulletin/ms11-Feb.mspx>

* Microsoft Windows Server Update Services -
<http://technet.microsoft.com/en-us/wsus/default.aspx>

The popularity of social networking sites continues to increase, especially
among teenagers and young adults. The nature of these sites introduces
security risks, so you should take certain precautions.

What are social networking sites?

Social networking sites, sometimes referred to as “friend-of-a-friend”
sites, build upon the concept of traditional social networks where you are
connected to new people through people you already know. The purpose of some
networking sites may be purely social, allowing users to establish
friendships or romantic relationships, while others may focus on
establishing business connections.

Although the features of social networking sites differ, they all allow you
to provide information about yourself and offer some type of communication
mechanism (forums, chat rooms, email, instant messenger) that enables you to connect with other users. On some sites, you can browse for people based on certain criteria, while other sites require that you be “introduced” to new
people through a connection you share. Many of the sites have communities or subgroups that may be based on a particular interest.

What security implications do these sites present?

Social networking sites rely on connections and communication, so they
encourage you to provide a certain amount of personal information. When
deciding how much information to reveal, people may not exercise the same
amount of caution as they would when meeting someone in person because
* the internet provides a sense of anonymity
* the lack of physical interaction provides a false sense of security
* they tailor the information for their friends to read, forgetting that
others may see it
* they want to offer insights to impress potential friends or associates

While the majority of people using these sites do not pose a threat,
malicious people may be drawn to them because of the accessibility and
amount of personal information that’s available. The more information
malicious people have about you, the easier it is for them to take advantage
of you. Predators may form relationships online and then convince
unsuspecting individuals to meet them in person. That could lead to a
dangerous situation. The personal information can also be used to conduct a
social engineering attack (see Avoiding Social Engineering and Phishing
Attacks for more information). Using information that you provide about your
location, hobbies, interests, and friends, a malicious person could
impersonate a trusted friend or convince you that they have the authority to
access other personal or financial data.

Additionally, because of the popularity of these sites, attackers may use
them to distribute malicious code. Sites that offer applications developed
by third parties are particularly susceptible. Attackers may be able to
create customized applications that appear to be innocent while infecting
your computer or sharing your information without your knowledge.

How can you protect yourself?

* Limit the amount of personal information you post – Do not post
information that would make you vulnerable, such as your address or
information about your schedule or routine. If your connections post
information about you, make sure the combined information is not more
than you would be comfortable with strangers knowing. Also be
considerate when posting information, including photos, about your
connections.
* Remember that the internet is a public resource – Only post information
you are comfortable with anyone seeing. This includes information and
photos in your profile and in blogs and other forums. Also, once you
post information online, you can’t retract it. Even if you remove the
information from a site, saved or cached versions may still exist on
other people’s machines (see Guidelines for Publishing Information
Online for more information).
* Be wary of strangers – The internet makes it easy for people to
misrepresent their identities and motives (see Using Instant Messaging
and Chat Rooms Safely for more information). Consider limiting the
people who are allowed to contact you on these sites. If you interact
with people you do not know, be cautious about the amount of information
you reveal or agreeing to meet them in person.
* Be skeptical – Don’t believe everything you read online. People may post
false or misleading information about various topics, including their
own identities. This is not necessarily done with malicious intent; it
could be unintentional, an exaggeration, or a joke. Take appropriate
precautions, though, and try to verify the authenticity of any
information before taking any action.
* Evaluate your settings – Take advantage of a site’s privacy settings.
The default settings for some sites may allow anyone to see your
profile, but you can customize your settings to restrict access to only
certain people. There is still a risk that private information could be
exposed despite these restrictions, so don’t post anything that you
wouldn’t want the public to see. Sites may change their options
periodically, so review your security and privacy settings regularly to
make sure that your choices are still appropriate.
* Be wary of third-party applications – Third-party applications may
provide entertainment or functionality, but use caution when deciding
which applications to enable. Avoid applications that seem suspicious,
and modify your settings to limit the amount of information the
applications can access.
* Use strong passwords – Protect your account with passwords that cannot
easily be guessed (see Choosing and Protecting Passwords for more
information). If your password is compromised, someone else may be able
to access your account and pretend to be you.
* Check privacy policies – Some sites may share information such as email
addresses or user preferences with other companies. This may lead to an
increase in spam (see Reducing Spam for more information). Also, try to
locate the policy for handling referrals to make sure that you do not
unintentionally sign your friends up for spam. Some sites will continue
to send email messages to anyone you refer until they join.
* Keep software, particularly your web browser, up to date – Install
software updates so that attackers cannot take advantage of known
problems or vulnerabilities (see Understanding Patches for more
information). Many operating systems offer automatic updates. If this
option is available, you should enable it.
* Use and maintain anti-virus software – Anti-virus software helps protect
your computer against known viruses, so you may be able to detect and
remove the virus before it can do any damage (see Understanding
Anti-Virus Software for more information). Because attackers are
continually writing new viruses, it is important to keep your
definitions up to date.

Children are especially susceptible to the threats that social networking
sites present. Although many of these sites have age restrictions, children
may misrepresent their ages so that they can join. By teaching children
about internet safety, being aware of their online habits, and guiding them
to appropriate sites, parents can make sure that the children become safe
and responsible users (see Keeping Children Safe Online for more
information).

_________________________________________________________________

Author: Mindi McDowell

RealNetworks, Inc. has released an update for Windows RealPlayer
14.0.1 and prior to address a vulnerability. Exploitation of this
vulnerability may allow an attacker to execute arbitrary code.

VideoLAN has released a security advisory to address a vulnerability
in VLC Media Player. This vulnerability may allow an attacker to
execute arbitrary code.

US-CERT encourages users and administrators to review VideoLAN
security advisory VideoLAN-SA-1102 and apply any necessary updates or
workarounds to help mitigate the risks.

Some Windows applications may load external dynamic link libraries (DLLs).
When an application loads a DLL without specifying a fully qualified
path name, Windows will attempt to locate the DLL by searching a
defined set of directories. If an application does not securely load
DLL files, an attacker may be able to cause the affected application
to load an arbitrary library.

By convincing a user to open a file from a location that is under an
attacker’s control, such as a USB drive or network share, a remote
attacker may be able to exploit this vulnerability. Exploitation of
this vulnerability may result in the execution of arbitrary code.
Additional information regarding this vulnerability can be found in
US-CERT Vulnerability Note VU#707943. US-CERT encourages users and
administrators to review the vulnerability note and consider
implementing the following workarounds until fixes are released by
affected vendors:
* disable loading libraries from WebDAV and remote network shares
* disable the WebClient service
* block outgoing SMB traffic

Update 10/19/2010: The Mozilla Foundation has released Firefox 3.6.11
to address this issue. Users and administrators are encouraged to
review Mozilla Foundation Security Advisory MFSA 2010-71 and update to
Firefox 3.6.11 to help mitigate the risks. This issue is also
addressed in Firefox 3.5.14, Thunderbird 3.1.5 and 3.0.9, and
SeaMonkey 2.0.9.

Update 9/16/2010: Apple has released QuickTime 7.6.8 to address the
DLL issue in earlier versions of QuickTime for Windows. Users and
administrators are encouraged to review Apple article HT4339 and
update to QuickTime 7.6.8 to help mitigate the risks.

Update 09/10/10: Research In Motion has released security advisory
KB24242 to address the DLL issue in its BlackBerry Desktop Software
for Windows version 6.0. This issue impacts all versions of the
BlackBerry Desktop Software and may allow an attacker to convince the
user to execute arbitrary code. Users and administrators are
encouraged to review BlackBerry security advisory KB24242 and update
to version 6.0.0.47 to help mitigate the risks.

Update 09/01/10: Microsoft has released Fix it tool 50522 to assist
users in setting the registry key value introduced with Microsoft
support article 2264107 to help reduce the risks posed by the DLL
loading behavior described in VU#707943. Users and administrators are
encouraged to review Microsoft support article 2264107 and the
Microsoft Security Research & Defense TechNet blog entry, and to
consider using the Fix it tool to help reduce the risks. Users should
be aware that setting the registry key value as described in the
support article or via the Fix it tool may reduce the functionality of
some third-party applications.
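
The search behaviour described in this entry, as a simplified model (an added example, not part of the US-CERT text or of any vendor's code): it resolves an unqualified DLL name against the documented default Windows search order with safe DLL search mode enabled (application directory, system directories, current directory, PATH) and compares that with a search that skips the current directory and with a fully qualified path. The directory names and `codec.dll` are constructed for illustration.

```python
import os
import tempfile


def search_order(app_dir, system_dirs, cwd, path_dirs, cwd_allowed=True):
    """Directories consulted, in order, for a DLL requested by name only.

    cwd_allowed=False models a configuration in which the current
    directory is not searched (for example when it is a remote share and
    loading libraries from such locations has been disabled).
    """
    order = [app_dir, *system_dirs]
    if cwd_allowed:
        order.append(cwd)
    order.extend(path_dirs)
    return order


def resolve(dll_name, **dirs):
    """Return the file that would be loaded, or None if none is found."""
    if os.path.isabs(dll_name):
        # A fully qualified path is used as given: no directory search.
        return dll_name if os.path.isfile(dll_name) else None
    for directory in search_order(**dirs):
        candidate = os.path.join(directory, dll_name)
        if os.path.isfile(candidate):
            return candidate
    return None


def _winner(path):
    """Name of the directory the resolved file came from."""
    return os.path.basename(os.path.dirname(path)) if path else None


def demo():
    """Constructed layout: the user opened a document from 'share', so the
    process's current directory is the share. The application asks for
    codec.dll, an optional component absent from its own and the system
    directories; one copy sits on the share, the installed one on PATH."""
    with tempfile.TemporaryDirectory(prefix="dllsearch-") as root:
        layout = {}
        for name in ("app", "system32", "share", "pathdir"):
            layout[name] = os.path.join(root, name)
            os.makedirs(layout[name])

        untrusted = os.path.join(layout["share"], "codec.dll")
        installed = os.path.join(layout["pathdir"], "codec.dll")
        for path in (untrusted, installed):
            open(path, "wb").close()

        dirs = dict(app_dir=layout["app"],
                    system_dirs=[layout["system32"]],
                    cwd=layout["share"],
                    path_dirs=[layout["pathdir"]])

        return {
            # Name only, default order: the copy beside the document wins.
            "by_name": _winner(resolve("codec.dll", **dirs)),
            # Current directory removed from the search.
            "cwd_removed": _winner(
                resolve("codec.dll", **dict(dirs, cwd_allowed=False))),
            # Application supplies the full path to the installed copy.
            "full_path": _winner(resolve(installed, **dirs)),
        }


if __name__ == "__main__":
    for case, directory in demo().items():
        print(f"{case:12} -> loaded from {directory}")
```

The model only reproduces the ordering; it does not cover per-application search-path overrides.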

Many of the warning phrases you probably heard from your parents and
teachers are also applicable to using computers and the internet.

Why are these warnings important?

Like the real world, technology and the internet present dangers as well as
benefits. Equipment fails, attackers may target you, and mistakes and poor
judgment happen. Just as you take precautions to protect yourself in the
real world, you need to take precautions to protect yourself online. For
many users, computers and the internet are unfamiliar and intimidating, so
it is appropriate to approach them the same way we urge children to approach
the real world.

What are some warnings to remember?

* Don’t trust candy from strangers – Finding something on the internet
does not guarantee that it is true. Anyone can publish information
online, so before accepting a statement as fact or taking action, verify
that the source is reliable. It is also easy for attackers to “spoof”
email addresses, so verify that an email is legitimate before opening an
unexpected email attachment or responding to a request for personal
information (see Using Caution with Email Attachments and Avoiding
Social Engineering and Phishing Attacks for more information).
* If it sounds too good to be true, it probably is – You have probably
seen many emails promising fantastic rewards or monetary gifts. However,
regardless of what the email claims, there are not any wealthy strangers
desperate to send you money. Beware of grand promises—they are most
likely spam, hoaxes, or phishing schemes (see Reducing Spam, Identifying
Hoaxes and Urban Legends, and Avoiding Social Engineering and Phishing
Attacks for more information). Also be wary of pop-up windows and
advertisements for free downloadable software—they may be disguising
spyware (see Recognizing and Avoiding Spyware for more information).
* Don’t advertise that you are away from home – Some email accounts,
especially within an organization, offer a feature (called an
autoresponder) that allows you to create an “away” message if you are
going to be away from your email for an extended period of time. The
message is automatically sent to anyone who emails you while the
autoresponder is enabled. While this is a helpful feature for letting
your contacts know that you will not be able to respond right away, be
careful how you phrase your message. You do not want to let potential
attackers know that you are not home, or, worse, give specific details
about your location and itinerary. Safer options include phrases such as
“I will not have access to email between [date] and [date].” If
possible, also restrict the recipients of the message to people within
your organization or in your address book. If your away message replies
to spam, it only confirms that your email account is active. This may
increase the amount of spam you receive (see Reducing Spam for more
information).
* Lock up your valuables – If an attacker is able to access your personal
data, he or she may be able to compromise or steal the information. Take
steps to protect this information by following good security practices
(see the Cyber Security Tips index page for a list of relevant
documents). Some of the most basic precautions include locking your
computer when you step away; using firewalls, anti-virus software, and
strong passwords; installing appropriate software updates; and taking
precautions when browsing or using email.
* Have a backup plan – Since your information could be lost or compromised
(due to an equipment malfunction, an error, or an attack), make regular
backups of your information so that you still have clean, complete
copies (see Good Security Habits for more information). Backups also
help you identify what has been changed or lost. If your computer has
been infected, it is important to remove the infection before resuming
your work (see Recovering from Viruses, Worms, and Trojan Horses for
more information). Keep in mind that if you did not realize that your
computer was infected, your backups may also be compromised.
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle
_________________________________________________________________

Remember that the internet is a public resource. Avoid putting anything
online that you don’t want the public to see or that you may want to
retract.

Why is it important to remember that the internet is public?

Because the internet is so accessible and contains a wealth of information,
it has become a popular resource for communicating, for researching topics,
and for finding information about people. It may seem less intimidating than
actually interacting with other people because there is a sense of
anonymity. However, you are not really anonymous when you are online, and it
is just as easy for people to find information about you as it is for you to
find information about them. Unfortunately, many people have become so
familiar and comfortable with the internet that they may adopt practices
that make them vulnerable. For example, although people are typically wary
of sharing personal information with strangers they meet on the street, they
may not hesitate to post that same information online. Once it is online, it
can be accessed by a world of strangers, and you have no idea what they
might do with that information.

What guidelines can you follow when publishing information on the internet?

* View the internet as a novel, not a diary – Make sure you are
comfortable with anyone seeing the information you put online. Expect
that people you have never met will find your page; even if you are
keeping an online journal or blog, write it with the expectation that it
is available for public consumption. Some sites may use passwords or
other security restrictions to protect the information, but these
methods are not usually used for most websites. If you want the
information to be private or restricted to a small, select group of
people, the internet is probably not the best forum.
* Be careful what you advertise – In the past, it was difficult to find
information about people other than their phone numbers or address. Now,
an increasing amount of personal information is available online,
especially because people are creating personal web pages with
information about themselves. When deciding how much information to
reveal, realize that you are broadcasting it to the world. Supplying
your email address may increase the amount of spam you receive (see
Reducing Spam for more information). Providing details about your
hobbies, your job, your family and friends, and your past may give
attackers enough information to perform a successful social engineering
attack (see Avoiding Social Engineering and Phishing Attacks for more
information).
* Realize that you can’t take it back – Once you publish something online,
it is available to other people and to search engines. You can change or
remove information after something has been published, but it is
possible that someone has already seen the original version. Even if you
try to remove the page(s) from the internet, someone may have saved a
copy of the page or used excerpts in another source. Some search engines
“cache” copies of web pages; these cached copies may be available after
a web page has been deleted or altered. Some web browsers may also
maintain a cache of the web pages a user has visited, so the original
version may be stored in a temporary file on the user’s computer. Think
about these implications before publishing information—once something is
out there, you can’t guarantee that you can completely remove it.

As a general practice, let your common sense guide your decisions about what
to post online. Before you publish something on the internet, determine what
value it provides and consider the implications of having the information
available to the public. Identity theft is an increasing problem, and the
more information an attacker can gather about you, the easier it is to
pretend to be you. Behave online the way you would behave in your daily
life, especially when it involves taking precautions to protect yourself.
_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle, Jason Rafail
_________________________________________________________________

government organization.

Apple has released iOS 4.0.2 for the iPhone and iPod touch and iOS
3.2.2 for the iPad to address vulnerabilities in the FreeType and
IOSurface packages. Exploitation of these vulnerabilities may allow an
attacker to execute arbitrary code or gain system privileges.

iPhone and iPod touch users are encouraged to review Apple article
HT4291 and upgrade to iOS 4.0.2. iPad users are encouraged to review
Apple article HT4292 and upgrade to iOS 3.2.2. Additional information
regarding the vulnerability affecting the FreeType package can be
found in US-CERT Vulnerability Note VU#275247.

Relevant Url(s):
<http://support.apple.com/kb/HT4291>

<http://www.kb.cert.org/vuls/id/275247>

<http://support.apple.com/kb/HT4292>

Passwords are a common form of protecting information, but passwords alone may not provide adequate security. For the best protection, look for sites that have additional ways to verify your identity.

Why aren’t passwords sufficient?

Passwords are beneficial as a first layer of protection, but they are
susceptible to being guessed or intercepted by attackers. You can increase
the effectiveness of your passwords by using tactics such as avoiding
passwords that are based on personal information or words found in the
dictionary; using a combination of numbers, special characters, and
lowercase and capital letters; and not sharing your passwords with anyone
else (see Choosing and Protecting Passwords for more information). However, despite your best attempts, an attacker may be able to obtain your password. If there are no additional security measures in place, the attacker may be able to access your personal, financial, or medical information.

What additional levels of security are being used?

Many organizations are beginning to use other forms of verification in
addition to passwords. The following practices are becoming more and more common:
* two-factor authentication – With two-factor authentication, you use your
password in conjunction with an additional piece of information. An
attacker who has managed to obtain your password can’t do anything
without the second component. The theory is similar to requiring two
forms of identification or two keys to open a safe deposit box. However,
in this case, the second component is commonly a “one use” password that
is voided as soon as you use it. Even if an attacker is able to
intercept the exchange, he or she will still not be able to gain access
because that specific combination will not be valid again.
* personal web certificates – Unlike the certificates used to identify web
sites (see Understanding Web Site Certificates for more information),
personal web certificates are used to identify individual users. A web
site that uses personal web certificates relies on these certificates
and the authentication process of the corresponding public/private keys
to verify that you are who you claim to be (see Understanding Digital
Signatures and Understanding Encryption for more information). Because
information identifying you is embedded within the certificate, an
additional password is unnecessary. However, you should have a password
to protect your private key so that attackers can’t gain access to your
key and represent themselves as you. This process is similar to
two-factor authentication, but it differs because the password
protecting your private key is used to decrypt the information on your
computer and is never sent over the network.
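
The “one use” property described under two-factor authentication above, as an added example that is not part of the original tip: a counter-based one-time password (HOTP, RFC 4226) checked by a server that voids each code once it has been accepted. The tip does not name an algorithm; HOTP is chosen here as one common scheme, and the class name, look-ahead window and login sequence are assumptions for illustration. The secret is the published RFC 4226 test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, then dynamic
    truncation to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OneTimeVerifier:
    """Server side of the second factor (hypothetical class for this example).

    Both sides share a secret and a counter. A code is accepted only if it
    matches a counter value the server has not yet passed, and acceptance
    moves the counter forward, so the same code never validates twice.
    """

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self.secret = secret
        self.counter = 0              # next counter value still acceptable
        self.look_ahead = look_ahead  # tolerates codes generated but unused

    def verify(self, password_ok: bool, submitted: str) -> bool:
        # The one-time code is the second component; the password is still
        # required, and a failed password check must not consume a code.
        if not password_ok:
            return False
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, c).encode()
            if hmac.compare_digest(expected, submitted.encode()):
                self.counter = c + 1  # void this code and any skipped ones
                return True
        return False


def demo():
    """Constructed login sequence against the RFC 4226 test secret."""
    secret = b"12345678901234567890"
    server = OneTimeVerifier(secret)
    first = hotp(secret, 0)
    second = hotp(secret, 1)
    return [
        ("first login, fresh code", server.verify(True, first)),
        ("same code replayed after interception", server.verify(True, first)),
        ("next code, wrong password", server.verify(False, second)),
        ("next code, correct password", server.verify(True, second)),
    ]


if __name__ == "__main__":
    for step, accepted in demo():
        print(f"{step:40} -> {'accepted' if accepted else 'rejected'}")
```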

What if you lose your password or certificate?

You may find yourself in a situation where you’ve forgotten your password or you’ve reformatted your computer and lost your personal web certificate. Most organizations have specific procedures for giving you access to your information in these situations. In the case of certificates, you may need to request that the organization issue you a new one. In the case of passwords, you may just need a reminder. No matter what happened, the organization needs a way to verify your identity. To do this, many organizations rely on “secret questions.”

When you open a new account (email, credit card, etc.), some organizations
will prompt you to provide them with the answer to a question. They may ask you this question if you contact them about forgetting your password or you request information about your account over the phone. If your answer matches the answer they have on file, they will assume that they are actually communicating with you. While the theory behind the secret question has merit, the questions commonly used ask for personal information such as mother’s maiden name, social security number, date of birth, or pet’s name.
Because so much personal information is now available online or through
other public sources, attackers may be able to discover the answers to these
questions without much effort.

Realize that the secret question is really just an additional password—when
setting it up, you don’t have to supply the actual information as your
answer. In fact, when you are asked in advance to provide an answer to this
type of question that will be used to confirm your identity, dishonesty may
be the best policy. Choose your answer as you would choose any other good
password, store it in a secure location, and don’t share it with other
people (see Choosing and Protecting Passwords for more information).

While the additional security practices do offer you more protection than a
password alone, there is no guarantee that they are completely effective.
Attackers may still be able to access your information, but increasing the
level of security does make it more difficult. Be aware of these practices
when choosing a bank, credit card company, or other organization that will
have access to your personal information. Don’t be afraid to ask what kind
of security practices the organization uses.
_________________________________________________________________

Authors: Mindi McDowell, Chad Dougherty, Jason Rafail

Cisco has released a security advisory to address a vulnerability in
the Cisco Internet Streamer application that is part of the Cisco
Content Delivery System. Exploitation of this vulnerability may allow
a remote, unauthenticated attacker to obtain sensitive information,
including password files and system logs. This information could be
used to leverage subsequent attacks.

Relevant Url(s):
<http://www.cisco.com/warp/public/707/cisco-sa-20100721-spcdn.shtml>
