October 11, 2007

From SANS NewsBites Oct. 9, 07 re: Patching

Ed Skoudis, John Pescatore and Dr. Johannes Ullrich comment on patching beyond the typical Microsoft Patch Tuesday. Please remember to patch all applications on your endpoints; the OS is just one piece of the puzzle. Browsers, office productivity apps, media players and other applications all have multiple critical vulnerabilities that we must address to properly mitigate risk. Even security products (GASP!) have flaws, so don't let your anti-virus, personal firewalls, backup software and other such apps be the weak link.



Adobe Publishes Workaround for PDF Flaw (October 5 & 8, 2007)
Adobe has acknowledged a flaw in its products that could allow an attacker to use maliciously crafted PDF files to take control of vulnerable computers. The problem affects Adobe Reader version 8.2 and earlier; Adobe Acrobat Standard, Professional and Elements 8.1 and earlier; and Adobe Acrobat 3D on systems running Microsoft Windows XP and Internet Explorer 7 (IE 7). Adobe is reportedly developing a fix for the problem in Adobe Reader and Acrobat versions 8.1 and earlier and plans to make it available by the end of October.
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202400027
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9041338&source=rss_topic17
-http://www.adobe.com/support/security/advisories/apsa07-04.html
[Editor's Note (Skoudis): With this significant flaw, as well as the JRE flaws described elsewhere in this NewsBites, it is very clear that we need to be serious about patching third-party applications on our Windows machines. Whenever we perform a penetration test, we almost always get in via unpatched third-party software. Please, make sure you have a solid process and technical support for testing and deploying patches to non-Microsoft software on Windows machines such as PDF readers, Java Runtime Environments, iTunes, Quicktime, Flash Player, Real Player, Firefox, and others. Leverage tools such as Microsoft's SMS or third-party patch management systems. ]

Sun Patches JRE Flaws (October 3 & 5, 2007)
Sun Microsystems has released patches for 11 critical vulnerabilities in its Java Runtime Environment (JRE). The flaws affect JRE versions 1.3.1, 1.4.2, 5.0 and 6.0 on Windows, Linux and Solaris systems. The flaws could be exploited to circumvent security measures, read and manipulate data, and compromise computers.
-http://www.theregister.co.uk/2007/10/05/sun_patches_java/print.html
-http://www.pcworld.com/article/id,138087-c,softwarebugs/article.html
-http://blogs.zdnet.com/security/?p=562
-http://secunia.com/advisories/27009/
-http://blogs.sun.com/security/
[Editor's Note (Pescatore): The Adobe and Sun items point out that patching is not just something that has to be done after Microsoft's Vulnerability Tuesday each month. There have been many reports of active exploits against flaws in Solaris in recent months.
(Ullrich): We all know how much fun it is to patch Java. If you don't need it, remove it. If you do need it, make sure you have a good inventory of installed versions and a fool-proof method of keeping them patched. ]
