Guest post from Rodrigo Branco, Director of Vulnerability and Malware Research at Qualys

Apple just released an advisory addressing 17 security flaws in QuickTime Media Player. The update is rated critical as several of the fixed vulnerabilities can be used to achieve "Remote Code Execution". One of the critical vulnerabilities addressed is CVE-2012-0671, which I discovered and reported to Apple earlier this year.

How was the vulnerability discovered?

I found the vulnerability by manually investigating and reverse engineering the binary code of QuickTime and by creating a fuzzer to cover specific portions of the Apple media formats. In this particular vulnerability, QuickTime does not parse .pct media files properly, which causes a corruption in the module DllMain through a malformed file with an invalid value located at offset 0x20E. In my testing I used QuickTime Player version 7.7.1 (1680.42) on Windows XP SP 3 - PT_BR, but most likely other versions on Windows are affected as well.

A PoC repro01.pct is available for interested parties and was shared with Apple on February 22, 2012 to help them locate and fix the problem.

What does this vulnerability mean?

If you use QuickTime, attackers can take total control of your machine through this vulnerability, which is triggered by playing a malicious media file that uses overly large values in the PCT image format. A typical attack would embed such a file into a webpage and use social engineering to drive users into viewing the page. So far, there have been no reports of attackers exploiting this vulnerability.

To put this into context, QuickTime is used by 61% of all internet enabled PCs, including 49% of all Windows PCs and 98% of all Apple computers (numbers courtesy of Qualys BrowserCheck). Even if you don't use QuickTime by default to play movies and videos, it can be used as the media player for the PCT format on all web browsers, including Chrome, Safari, Internet Explorer and Firefox.

All users, consumers and businesses alike, should download the security update as soon as possible since simply browsing to a malicious web page on any web browser can activate this vulnerability. If you're not sure whether your QuickTime plug-in is updated, you can use Qualys BrowserCheck, a free service, to check if you need to download the update.

Throughout the whole process, Apple was very professional in handling this issue and provided constant status updates upon my request. It was great to see a company of Apple's size taking a proactive role to ensure that their software and their users are protected from major vulnerabilities like this one.

A detailed advisory can be accessed at https://community.qualys.com/docs/DOC-3511

Apple just published three new software releases for Safari, OS X and iOS:

Safari 5.1.7 is described by Apple as an update that enhances performance in low memory conditions. In terms of security, Apple has made the Safari installation process plug-in aware and now disables outdated versions of the Adobe Flash plugin when they are found. After Apple's recent auto-disabling Java release, this is Apple's second action reaching across normal vendor boundaries and experimenting with common sense, best practice guidelines. Adobe's Brad Arkin agrees in his blog post, and I believe this is a good and refreshing initiative.


Mac OS X 10.7.4 is the newest version of Apple's Lion operating system. This release fixes more than 30 vulnerabilities in the core OS, Apple applications such as QuickTime and some included software such as Samba, Ruby and PHP. It also addresses the legacy FileVault password issue introduced in Lion 10.7.3, where an inadvertent debug flag was causing the user's password to be logged in cleartext. An update for Snow Leopard 10.6.8 that carries its applicable fixes is available as Security Update 2012-0002.

iOS 5.1.1 is a new version of the Apple Operating system for iPad, iPhones, and iPods. It addresses three vulnerabilities, updating Safari and WebKit. One of the vulnerabilities in WebKit was found during Google's PWNIUM contest in March of 2012.

We recommend installing the updates as quickly as possible.

This month, Microsoft released seven bulletins, three critical and four important, that addressed a total of 23 vulnerabilities. MS12-029 is the bulletin that should be highest on the list for most organizations, as it can be used to gain control of an end-user's machine without requiring user interaction. The bulletin provides a patch for a vulnerability in the RTF file format that can be exploited through Microsoft Office 2003 and 2007. It is rated critical because simply viewing an attached file in the preview pane of Microsoft Outlook is sufficient to trigger the exploit.

MS12-034 -- addressing 10 vulnerabilities -- is the second critical bulletin, and it applies to the broadest selection of Microsoft software this month. Here's some background to help to understand why: In December of 2011 Microsoft issued bulletin MS11-087, which patched a vulnerability in the TrueType Font handling in win32k.sys DLL that had actively been exploited by the Duqu malware. After the fix was delivered, Microsoft's internal security team started an effort to identify further occurrences of the vulnerable code in Microsoft's other software packages and found multiple products that contained the flawed code. MS12-034 now provides the patches necessary to address these "Sons of Duqu vulnerabilities," together with a number of other security fixes (9 CVEs) that were bundled into the same files. Please note that we are not aware of any malware currently exploiting this issue. See Microsoft's SRD blog for a good summary of their internal engineering process.

MS12-035 is the third critical bulletin and addresses a flaw in XBAP, a Microsoft browser based application delivery format. It is probably the least urgent bulletin to install, as it can only be exploited without user interaction by an attacker that sits in the Intranet zone of the target. Since June 2011, with the MS11-044 bulletin, Windows has changed its behavior from simply running an XBAP application to asking the user (via a popup window) whether it is ok to execute the application, which provides an additional layer of security. However, similar to our recommendation for Java, we advise users to completely disable XBAP to improve the overall robustness of your installation.

Of the remaining four important bulletins, we recommend focusing on MS12-030 for Excel and MS12-031 for Visio. Both are file-format vulnerabilities that allow an attacker to take control of the targeted machine if its user opens a specially crafted file. As we have seen in some of last year's data breaches, the need for user interaction lowers the success rate only slightly, as attackers are capable of drafting a convincing e-mail that tricks a percentage of the recipients into opening such a file.

Adobe also released its monthly patches today, addressing five vulnerabilities in its Shockwave player. Three of the vulnerabilities were discovered by Rodrigo Branco, Qualys' Director of Vulnerability and Malware Research. You can find the detailed advisories published at http://www.qualys.com/research/security-advisories/. If you have any questions about the Adobe patches, you can discuss the advisories at community.qualys.com, which Rodrigo will be actively monitoring, or simply drop him an e-mail at rbranco@qualys.com

Earlier today, Adobe released an update for Adobe Flash Player. The patch addresses one critical vulnerability (CVE-2012-0779) that allows an attacker to either crash or take control of the targeted system and is made available for Windows, Mac OS X and Linux.

The patch is of highest urgency as there are attacks in the wild against the vulnerability. Adobe's security bulletin APSB12-09 states that the current exploit arrives in an e-mail as a file attachment that users have to click on in order to get infected. At the moment, the exploit only runs successfully under the combination of Windows and Internet Explorer.

Users who have opted-in to participate in the newly introduced "silent update" feature (currently only available on Windows), will have the update applied automatically on all browsers present on their system. Users of other operating systems and users that have opted-out of "silent update" need to manually install on all browsers.

An update for Android will be made available later today through Google Play.

Today, Microsoft released its Advanced Notification for May which contains seven bulletins fixing a total of 23 vulnerabilities. Three of the bulletins are critical, and four are rated important. The bulletins affect all versions of Windows, and Microsoft Office (including for Mac OS X), plus Microsoft Silverlight.

The three critical bulletins provide fixes for Microsoft Office, Silverlight and .NET, with Bulletin 2 actually impacting all three products. These bulletins will be highest priority for IT admins, especially Bulletin 1, which has critical rating for Office 2003 and 2007 which we do not see all that often. Bulletin 1 also affects Office for the Macintosh, but is rated only important on that platform.

Bulletins 4 and 5 cover Microsoft Office as well and, while they are ranked only "important", provide fixes for Remote Code Execution (RCE) vulnerabilities. They should be considered high priority. Bulletin 4 affects the free Excel viewer and Bulletin 5 the free Visio viewer, giving us a clue as to which file formats contain the weaknesses.

If we include this month, Microsoft will have released 35 bulletins this year, roughly on par with last year's 36, but we received them at a much steadier rate fluctuating between 6 and 9 so far. Last year, and in prior years we have seen much stronger differences ranging from 2 to 17. We are not sure this is intended, but it makes the workload much more predictable and is preferable to the more bursty release mode.

In related news, Microsoft seems to have found the leak in their MAPP program, where the originally submitted proof of concept code for the RDP vulnerability was seen in attacks in the wild. They have terminated the relationship with the offending company - Hangzhou DPTech Technologies.

Update: edited to reflect that Oracle has released a configuration workaround, not a patch.

This week Oracle released an out-of-band Security Alert for the CVE-2012-1675 vulnerability in the Oracle Database Server V10 and V11, addressing a 0-day vulnerability that was recently published on the full-disclosure mailing list under the name "TNS Poison" by Joxean Koret. Apparently Joxean discovered the vulnerability in 2008, then sold it to iSightPartners, and was under the mistaken impression that the vulnerability had been fixed in last month's CPU when he released his advisory. More details can be found in a follow-up post on the full-disclosure list, and a video of the vulnerability being exploited can be seen here.

The vulnerability is in the TNS listener part of the Oracle database server and allows an attacker to perform a man-in-the-middle attack by registering an additional database instance in the TNS listener. The listener will then start load-balancing traffic to the new instance. This allows the attacker to receive the database transactions, record them and forward them to the original database. The attacker can potentially modify the transactions and execute commands on the original database server.

While Oracle recommends addressing the vulnerability as soon as possible, we believe that the position of the Oracle databases in your network plays an important role in determining your modification roll-out. Production Oracle database installations typically do not expose their TNS listener to the Internet or even the enterprise network. A good map of your network environment will be helpful in determining where to act first.

This week Microsoft published its 12th edition of the Security Intelligence Report (SIR) covering the second half of 2011. Every six months Microsoft combines data from its Hotmail service on spam, the Microsoft Malware Protection Center (MMPC) on malware and the Microsoft Security Response Center (MSRC) on vulnerabilities, and reports on the state of Internet and Windows security.

This 12th edition contains a special case study that brings new numbers on an older, but still active threat: the Conficker Worm. Conficker first became active in 2008 and attacked a remote code execution vulnerability in Windows, addressed by Microsoft in MS08-067. At its height, it infected roughly 7 million computers and led to the founding of the Conficker Working Group that to this day is in charge of the Command and Control neutralizing mechanism developed to keep Conficker under control. Take a look at the recent book "Worm" by Mark Bowden, for a captivating and enjoyable story about the people and actions involved in investigating and combating Conficker.

In 2011 Conficker continued to be active and Microsoft collected data on 1.7 million infection attempts, both successful and unsuccessful. As we have detailed knowledge of the artifacts that Conficker leaves behind for each of its infection mechanisms, Microsoft was able to categorize the method that each attack employed to infect the systems monitored for the report. The results are quite surprising: they show that 43% of all Windows XP machines were infected through the original vulnerability, indicating that they do not have the three-year-old patch applied.

Figure 1: Conficker attack categorization

But the biggest infection vector turns out to be the credential-based attacks, which account for between 54% and 89% of all infections. Conficker has a small dictionary of passwords that is used in a brute force attack against other machines in the network and it continues to be surprisingly effective.

Reading through the report, it is clear that we have the means to block each and every attempt by Conficker to infect other machines:

  • The dictionary attack is very basic and is prevented even by enforcing simple password composition policies, i.e. adding numbers and special characters to alphabetic-only passwords.
  • The patch MS08-067 has been available for the last three years. It is well tested, and its efficiency can actually be seen in the above numbers for Windows 7, which has had the patch integrated in all of its versions since its release date.
  • Autorun functionality can be controlled by system administrators at the Registry level, and Microsoft has recently published patches that change the default value to safer settings, prompting users before running programs from USB drives, network shares or CD-ROMs rather than blindly executing the specified program.

In all fairness, the overall numbers are dragged down by the consumer side of Windows. Enterprise installations have better values, almost completely eliminating the Autorun vector and bringing the vulnerability-based attacks down to 12% on Windows XP. Nevertheless, credential attacks continue to be effective, accounting for over 90% of all successful attempts, clearly showing that while patching has gained good acceptance, secure configurations are still a challenge.

Figure 2: Conficker in the Enterprise

The ease with which Conficker continues to propagate in our networks shows that we continue to neglect basic OS hardening techniques. Improving the definition and enforcement of password policies, prompt patching and secure configuration of OS parameters such as Autorun will prove beneficial in combating not only Conficker but malware as a whole.
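As an added example that is not part of the SIR or of this post, the following PowerShell script audits the three controls discussed above (the MS08-067 patch, the Autorun Registry policy and the local password policy) on a single Windows host and disables Autorun where it is still on. The KB number of MS08-067 is left as a placeholder to fill in from the bulletin, and the password thresholds are assumed values.

```powershell
# Added example, not from the SIR or the original post: audit the three
# Conficker controls on one Windows host and disable AutoRun if needed.
# Run from an elevated shell; placeholders and assumed values are marked.

$Ms08067Kb   = 'KB<number from MS08-067>'   # placeholder: fill in from the bulletin
$MinPwLength = 8                             # assumed threshold for the length check
$MaxLockout  = 10                            # assumed: lock out after at most 10 bad attempts

function Test-Ms08067Installed {
    # Get-HotFix lists installed updates by KB id; no match means the patch is missing.
    return [bool](Get-HotFix -Id $Ms08067Kb -ErrorAction SilentlyContinue)
}

# NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is suppressed;
# 0xFF covers every type (unknown, removable, fixed, network, CD-ROM, RAM disk).
$AutoRunPolicy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunMask {
    param([string]$Hive)   # 'HKLM:' (machine policy) or 'HKCU:' (per-user policy)
    $p = Get-ItemProperty -Path "$Hive\$AutoRunPolicy" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.NoDriveTypeAutoRun
}

function Test-AutoRunDisabled {
    # Either hive disabling all drive types blocks the autorun.inf vector.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $mask = Get-AutoRunMask -Hive $hive
        if ($null -ne $mask -and ($mask -band 0xFF) -eq 0xFF) { return $true }
    }
    return $false
}

function Disable-AutoRun {
    $path = "HKLM:\$AutoRunPolicy"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# Local account policy exported with secedit; its [System Access] section carries
# MinimumPasswordLength, PasswordComplexity (1 = composition rules enforced) and
# LockoutBadCount (0 = no lockout, which lets a dictionary attack run unhindered).
function Get-LocalPasswordPolicy {
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $text = (Get-Content $inf) -join "`n"
    Remove-Item $inf -ErrorAction SilentlyContinue
    $policy = @{}
    foreach ($key in 'MinimumPasswordLength', 'PasswordComplexity', 'LockoutBadCount') {
        if ($text -match "(?m)^$key\s*=\s*(\d+)") { $policy[$key] = [int]$Matches[1] }
        else { $policy[$key] = $null }
    }
    return $policy
}

$pw = Get-LocalPasswordPolicy
$checks = @(
    @('MS08-067 installed',      (Test-Ms08067Installed)),
    @('AutoRun disabled (0xFF)', (Test-AutoRunDisabled)),
    @('Password length >= min',  ($pw.MinimumPasswordLength -ge $MinPwLength)),
    @('Password complexity on',  ($pw.PasswordComplexity -eq 1)),
    @('Lockout threshold set',   ($pw.LockoutBadCount -gt 0 -and $pw.LockoutBadCount -le $MaxLockout))
)
foreach ($c in $checks) { '{0,-26} {1}' -f $c[0], $c[1] }

# Secure configuration, not just patching: close the Autorun vector if it is still open.
if (-not (Test-AutoRunDisabled)) { Disable-AutoRun }
```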

I hope that this quick summary on Microsoft SIR has piqued your interest sufficiently to give the whole report a read. You can access the latest edition at its page at Microsoft.

Oracle releases its Critical Patch Updates (CPUs) on a quarterly schedule and today made public its April edition with patches for many of its product lines. Oracle patches are usually so massive (88 this quarter) and contain fixes for so many products (over 35 this quarter) that a good software inventory system becomes absolutely crucial to see where to act first and where to apply several patches in concert.

  • Oracle Solaris: eight vulnerabilities in Solaris itself, including the remote CVE-2012-1694 with the highest CVSS score for Solaris of 6.4 in the advisory, plus two issues in the Glassfish application server and one in the iPlanet web server.
  • MySQL Server: a total of six vulnerabilities in all versions, but no Remote Code Execution vulnerabilities. Highest CVSS score: 6.8.
  • Oracle Database Server: both version 10 and 11 are affected by three remote code execution vulnerabilities, all of them in the core RDBMS server (CVE-2012-0519, CVE-2012-0510 and CVE-2012-0534). Highest CVSS score: 7.1.
  • Oracle PeopleSoft: a total of 15 vulnerabilities.
  • Oracle Middleware: 12 vulnerabilities, including a patch for JRockit, which addresses the hash-overflow DoS vulnerability that was disclosed around last Christmas at the CCC Congress in Germany.

A large update for Oracle software users, but with a good map to the installed software, one can find the best way to update those software packages. We recommend addressing vulnerabilities on systems that are Internet accessible first. Most likely this will mean fixing Glassfish/iPlanet and Solaris vulnerabilities first, followed by MySQL. Oracle RDBMS can probably be addressed last as these systems tend to be installed in internal networks or well firewalled if they are connected to the Internet at all.

BTW, both Oracle Enterprise Linux and Oracle Java are not covered in this quarterly CPU process and receive updates on their own distinct schedules.

Oracle has pre-released its quarterly Critical Patch Update (CPU) coming on April 17. There will be 88 security patches covering over 30 product lines, including its Oracle database servers and the products acquired through Sun, the Solaris OS and the MySQL database.

A large number, 33, of the 88 patches are for the most critical class of vulnerabilities, Remote Code Execution (RCE) vulnerabilities, which are software flaws that allow a remote attacker to exploit the targeted software without prior authentication. Compare this to last quarter's release, which had 16 RCEs in 78 patches. Of the mainstream software lines, only MySQL and the Siebel Clinic product are not affected by the RCE type vulnerabilities; system administrators and users of all other software lines should be prepared to review the release with care next Tuesday.

Oracle Java will not be updated next Tuesday. Oracle releases it on a separate schedule and last updated it in February 2012. The February release closed a number of critical flaws, one of which was much discussed in the recent weeks due to its use in the attacks against Mac OS X.

Apple released today a new, quite innovative version of Java for Mac OS X 10.7 and 10.6. Innovative, because the new version does not fix any vulnerabilities, but instead addresses two of the current Java on Mac landscape problems:

  1. It erases the known variants of the Flashback Trojan.
  2. It automatically disables Java when it has not been used for the last 35 days. Users then have to re-enable it manually (in Java Preferences) when they need it.

This is exciting, and to my knowledge nobody has done something like this before. It makes total sense to me: we have been telling users to disable or uninstall Java if they do not need it, but we know very well that only very security-conscious users will do so. Giving the task of monitoring Java use to the computer itself is a great idea and an excellent experiment in computer security. It will be interesting to see how user acceptance of such a measure works out.

This month Microsoft issued six bulletins, four critical and two important, addressing 11 distinct vulnerabilities. Organizations should focus most of their attention on MS12-027. What makes this bulletin stand out is that Microsoft is aware of attacks in the wild against it and that it affects an unusually wide range of Microsoft products, including Office 2003 through 2010 on Windows, SQL Server 2000 through 2008 R2, BizTalk Server 2002, Commerce Server 2002 through 2009 R2, Visual FoxPro 8 and the Visual Basic 6 Runtime. Attackers have been embedding the exploit for the underlying vulnerability CVE-2012-0158 into an RTF document and enticing the target into opening the file, most commonly by attaching it to an e-mail. Another possible vector is through web browsing, but the component can potentially be attacked through any of the mentioned applications.

Next is MS12-023, an update to Internet Explorer. It addresses four critical vulnerabilities and affects all versions of Microsoft's browser. Attackers can exploit the vulnerabilities by setting up a malicious webpage. MS12-023 has an Exploitability Index of 1, meaning that Microsoft believes that an exploit can be crafted within the next 30 days. By the way, this update does not include the fix for the vulnerability found during last month's PWN2OWN contest at CanSecWest 2012, which will probably be fixed by another IE update next month. This month's IE update also brings a more robust way of handling JavaScript self-XSS in the browser's address bar. Late last year there were several Facebook scams that used that mechanism to plant undesired content on users' walls.

MS12-024 and MS12-025 are the remaining critical vulnerabilities and address a flaw in Authenticode in Windows and a vulnerability in .NET's XBAP, the browser based application module. The flaw in MS12-024 allows malware to hitch a ride inside a legitimate software package and silently infiltrate the system as the user proceeds with the installation of the legitimate package. MS12-025 fixes a flaw in Microsoft's .NET XBAP mechanism that would allow an attacker to run arbitrary code on the machine. Similar to the situation with Java we recommend turning off XBAP in the Internet zone of Internet Explorer, since we typically associate XBAP as being used for internal application delivery only. For details on how to roll out this type of change, see this blog post by Eric Law that shows how IE9 implements this restriction already in its default configuration.

Also today Adobe released an update to Adobe Reader (APSB12-08). The update addresses both Adobe Reader 9 and 10 and contains fixes for critical vulnerabilities. Adobe assigned a "Priority Rating" of "1" to the update, which recommends installation within the next three days. In a design change, Adobe Reader 9 is now using the system-provided Flash component, rather than bringing its own. This decoupling will benefit security because it avoids the all too common situation where Adobe Reader's Flash gets out of sync with the latest updates. A similar change for Adobe Reader X is in the works.

One more thing to note: this month starts the two-year countdown to obsolescence for Windows XP. In April 2014 Microsoft will stop supporting XP. Nevertheless, Windows XP still has an installed base of 35% worldwide, with especially high rates of over 70% in some Asian countries. Organizations and end users need to start planning their migration to a more recent version of the OS before Microsoft stops issuing security updates.

Today Microsoft released its Advanced Notification for April 2012 with six bulletins addressing 11 vulnerabilities. Four of the bulletins are rated critical, two are rated important. The bulletins affect all versions of Windows, Internet Explorer and Microsoft Office, plus some of Microsoft's developer tools.

Bulletin 1 will be the highest priority. It is a critical vulnerability affecting all versions of Internet Explorer (6,7,8,9) on their respective platforms XP, 2003, Win7 and 2008 both 32 and 64 bit. Bulletin 2 is the second most critical and updates the Windows operating system, again encompassing all versions, both 64- and 32-bit. Bulletin 3 is a critical update to the .NET framework. Bulletin 4 will be challenging as it addresses a wide variety of applications including server side software. It is critical and applies to all versions of Microsoft Office, but also to SQL Server and other Microsoft server products.

One of the important bulletins also deserves attention, at least for Office 2007 SP2 users. Bulletin 6 is rated important, but allows Remote Code Execution on that platform, probably using a maliciously crafted input file as the attack vector.

Google also released a new version of its Chrome Browser today. It fixes multiple vulnerabilities and includes the updates made to Adobe Flash last week in the wake of the PWN2OWN contest at CanSecWest. If you are using Chrome you should check in the "About Chrome" page to see whether you have received the automatic update already - there should be a green checkbox.

Apple just released a critical update for the Java implementation on Mac OS X, for both Lion and Snow Leopard. This update comes almost two months after the release of the corresponding Java version by Oracle, and only a couple of days after evidence surfaced that malware authors have been using an included Java flaw (CVE-2012-0507) to attack Mac computers.

Our recommendation: apply the update as quickly as possible.

In addition, Mac users and IT admins for Macs should review whether Java is actually needed for their usage. If not, Java can be disabled through the Java Preferences program: just uncheck both the 64-bit and 32-bit versions.


Alternatively you can use Google Chrome which has a dialog each time you use a site that uses Java plugins. With the right discipline this can be a very effective measure to avoid attacks.


Yesterday Mozilla included Java in its "blocklisting" approach for Firefox. "Blocklisting" forbids running outdated plug-ins, unless specific approval is given. Unfortunately, this is exclusive to Windows at the moment and is not available on the Mac yet.

This week Brian Krebs posted some important news - according to his sources, the BlackHole exploit kit has been equipped with an exploit for the Java vulnerability CVE-2012-0570, which Oracle patched a mere month ago on Feb. 14. BlackHole is a widely disseminated exploit kit, commercially available in the underground. It allows interested groups with basic computer knowledge to implement an operation to attack target machines through their web browsers by setting up malicious web sites. Used in conjunction with a malware kit such as Zeus or SpyEye, these groups can build botnets that can then be used to harvest personal information for sale, rented out for SPAM or DDoS operations or handed over to pay-per-install operators.

The quality of the exploit kit plays an important role in such a setup, as it concentrates the rather sophisticated attack knowledge. The kit has to select the correct exploit based on the user's configuration and the detected vulnerabilities. Most included exploits focus on older and well-known vulnerabilities (such as CVE-2010-1885 in Internet Explorer or CVE-2011-2110 in Adobe Flash), because they are the most stable and well-researched. A well-maintained target machine can usually not be penetrated with one of these off-the-shelf toolkits, as all software components are at the latest level. However, Java is difficult to update, and the addition of an exploit for such a new vulnerability in Java sharply increases the risk of an attack for the Internet population at large.

Our recommendation: update your Java installation to the latest version available. There are a number of tools available to help you to find out the version of Java you are running, including Oracle's own version checker. I recommend our own tool, BrowserCheck. Just point your browser to https://browsercheck.qualys.com and get a precise diagnostic on the state of your browser and its plugins, including Java and other attacker favorites such as Adobe Flash and Adobe Reader.

If you cannot update Java (or you want to make your machine, or the ones you are responsible for, more resilient to future attacks), there is a configuration setting in Windows that can be used to limit Java to a few selected and trusted sites. This requires a simple modification of the Windows Registry: setting Registry value 1C00 to 0 in Zone 3 (subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3), which prohibits Java from running in the Internet Zone.

Sites that need Java can be whitelisted under Internet Options/Security/Trusted Sites. This works across all versions of IE and is non-overridable. Google Chrome has a similar mechanism, but I like the Internet Explorer approach better than Google's implementation, which prompts the user for a decision on whether to run the plugin. Unfortunately most users will opt in just to get rid of the prompt and continue to load the site, which has the potential to increase their security exposure.
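As an added example that is not part of the original post, this PowerShell script applies and verifies the Zone 3 Registry change described above and then whitelists one site in the Trusted Sites zone. The host name is a constructed placeholder, and the way the script splits a host name into ZoneMap\Domains keys is an assumption about how IE stores Trusted Sites entries.

```powershell
# Added example, not from the original post: disable Java in the Internet zone
# (value 1C00 under Zones\3), report the setting before and after, and whitelist
# one site in the Trusted Sites zone. The host name is a constructed placeholder.

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZonePath     = "$InetSettings\Zones\3"   # zone 3 = Internet zone
$ValueName    = '1C00'                     # "Java permissions" action of a zone

function Get-InternetZoneJavaSetting {
    $v = Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'not set (zone default applies)' }
    switch ($v.$ValueName) {
        0       { 'Disabled' }
        0x10000 { 'High safety' }
        0x20000 { 'Medium safety' }
        0x30000 { 'Low safety' }
        default { 'Unknown (0x{0:X})' -f $v.$ValueName }
    }
}

function Disable-InternetZoneJava {
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    Set-ItemProperty -Path $ZonePath -Name $ValueName -Value 0 -Type DWord
}

function Test-HklmZonesEnforced {
    # When Security_HKLM_only is set, IE reads zone settings from HKLM and ignores
    # the per-user value written above; the same change is then needed under HKLM.
    $p = Get-ItemProperty -Path $InetSettings -Name Security_HKLM_only -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.Security_HKLM_only -eq 1)
}

function Add-TrustedSite {
    # Trusted Sites entries live under ZoneMap\Domains\<domain>\<sub>, with a value
    # named after the scheme whose data is the zone number (2 = Trusted Sites).
    # Splitting the host name into <domain> and <sub> keys is an assumption.
    param([string]$HostName, [string]$Scheme = 'https')
    $labels = $HostName.Split('.')
    $path = "$InetSettings\ZoneMap\Domains\" + (($labels | Select-Object -Last 2) -join '.')
    if ($labels.Count -gt 2) {
        $path += '\' + (($labels | Select-Object -First ($labels.Count - 2)) -join '.')
    }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Scheme -Value 2 -Type DWord
}

'Java in Internet zone before: ' + (Get-InternetZoneJavaSetting)
Disable-InternetZoneJava
'Java in Internet zone after:  ' + (Get-InternetZoneJavaSetting)
if (Test-HklmZonesEnforced) { 'Security_HKLM_only is set: repeat the 1C00 change under HKLM.' }

# Constructed placeholder for an internal application that genuinely needs Java.
Add-TrustedSite -HostName 'intranet-app.example.com' -Scheme 'https'
```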

Adobe released today an update, APSB12-17, for its Flash Player. The update addresses two vulnerabilities in the supported versions 10 and 11. The update applies to all operating systems, Windows, Mac OS X, Linux and Solaris, and is rated "priority 2", meaning Adobe is not aware of exploit code in the wild and suggests installation within the next 30 days.

The most interesting addition to this version of Flash is that Adobe has included an automatic update feature. If the user opts in (the default, see picture below), the player will in the future silently update all (this is new!) browsers on the system to the most current version of Flash. We highly recommend opting in; running the latest version of Flash adds considerable resilience to one's setup, plus it avoids the chore of updating all of your installed browsers by hand. Adobe explains in a blog post the technical details of the "background updater", which at the moment is implemented only for the Windows operating system family.

Picture: Flash Player automatic update opt-in dialog

Verizon released yesterday its 2012 Data Breach Investigations Report (DBIR), full of interesting data. For the first time, Verizon distinguished between small and large organizations in the data and we see a clear difference in the maturity of their security implementations. That distinction alone offers quite a number of hints on where to focus our attention as security professionals.

The main lessons for security professionals from this report: 1) the overall results represent a continuation on the trends from the reports of previous years; and 2) many of the problems documented are within the security industry's ability to address - for both smaller and larger organizations. That's really good news.

Here's a recap of what I consider to be the most important findings for security professionals:
  • 97 percent of breaches (96 percent for both preceding years) could have been avoided with simple controls.
  • The types of beneficial controls cover the same areas for both small and larger organizations, but vary in their details.
  • Small organizations' biggest issues are default passwords on their remote access applications (think RDP, VNC, pcAnywhere).
  • Large organizations seem to have overcome the default password problem on their remote access applications but are faced with stolen login credentials and brute forcing.
  • Both small and large organizations are victims of malware that criminals install to maintain access to the breached network and to send the stolen data to their servers. In small organizations, the malware is installed largely by hand, whereas large organizations face more advanced infection mechanisms: close to 50 percent were infected through e-mail attachments, drive-by-downloads and web-borne malware.

Fortunately, we have the technical solutions available today for both small and large organizations to resolve all of these issues. The challenge to the solution often lies in the lack of knowledge, rather than complexity or cost. As a security community, it's up to all of us to make successful implementations more visible and effectively promote the architects and operators who are doing it right. For an example see the work done at the US Department of State in recent years.

You can find the full DBIR report here.

We have a total of six bulletins from Microsoft this month, addressing seven distinct vulnerabilities. It is a fairly light month, but all of your attention should go to MS12-020, a critical vulnerability in Microsoft's Remote Desktop Protocol (RDP) implementation. RDP is a popular way of controlling Windows machines remotely, but it is not enabled by default on a standard Windows installation; the system's owner has to configure and start it, and only then does the vulnerability become reachable. Consequently we expect only a relatively small percentage of machines to have RDP running. The vulnerability itself is reachable over the network, requires no authentication and allows code execution on the targeted machine, a combination highly prized by attackers. Microsoft has given it an exploitability index of 1, meaning that it expects consistent, working exploit code to appear within 30 days.

Here are our recommendations for the RDP vulnerability to stay ahead of expected attacks:

  1. Within the week, apply the patch on the Windows machines that run the RDP service and are Internet facing (if you do not have an up-to-date inventory, scan your perimeter for TCP port 3389). Note that the patch requires a reboot to become active. If you cannot patch or reboot right away, apply the following countermeasures in the meantime:
    • Configure the host firewalls so that only trusted IP addresses can reach TCP port 3389.
    • Enable Network Level Authentication (NLA), which requires the client to authenticate before a session is created, so the vulnerable code cannot be reached without valid credentials. NLA is available on Vista and later on both the server and the client side, and a Windows XP client can be made NLA capable by installing a software package from Microsoft.
  2. Within the month, patch the rest of your systems, external and internal. While the main attack vector is directly over the Internet, it is likely that malware will be equipped with an exploit for this vulnerability and use it to propagate internally.
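The checks and the two workarounds from the list above, as an added example written for this page (it is not Microsoft's or Qualys' code): it reports whether RDP is enabled, whether NLA is enforced and whether the MS12-020 update is installed, offers a TCP/3389 probe you can point at your perimeter list, and applies the NLA and firewall workarounds only when asked. Assumptions: an elevated PowerShell on Vista/Server 2008 or later (netsh advfirewall and Get-HotFix are not available on XP); the trusted ranges are placeholders; the default KB number is the one listed in the bulletin for the RDP flaw on most platforms, and you should confirm it against the bulletin for your OS.

```powershell
# Added example: audit a host for MS12-020 exposure and apply the workarounds.
param(
    [string[]] $TrustedNets = @('10.0.0.0/8', '192.168.1.0/24'),  # hypothetical management ranges
    [string]   $KbId        = 'KB2621440',  # update for the RDP flaw in MS12-020; confirm against the bulletin
    [switch]   $Remediate                   # only change anything when explicitly asked
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# Probe TCP/3389 on a host with a timeout; run it over your Internet-facing address list.
function Test-RdpPort([string] $Target, [int] $TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, 3389, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # no answer in time
        $client.EndConnect($ar)                                                # throws if refused
        return $true
    } catch { return $false } finally { $client.Close() }
}

# Local state: is RDP on, is NLA enforced, is the fix installed?
$rdpOn   = (Get-ItemProperty $tsKey).fDenyTSConnections -eq 0     # 1 = RDP disabled
$nla     = (Get-ItemProperty $rdpKey).UserAuthentication -eq 1    # 1 = NLA required
$patched = [bool] (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

"RDP enabled       : $rdpOn"
"NLA required      : $nla"
"$KbId installed  : $patched"
"3389 open locally : $(Test-RdpPort 'localhost')"

if ($rdpOn -and -not $patched -and $Remediate) {
    # Workaround 1: require NLA so an unauthenticated client never reaches the vulnerable code.
    Set-ItemProperty $rdpKey -Name UserAuthentication -Value 1 -Type DWord

    # Workaround 2: replace the built-in any-source Remote Desktop rule with one limited to
    # trusted ranges. This relies on the profile's default inbound action being Block (the
    # Windows default); an explicit block rule on 3389 would take precedence over the allow.
    $ips = $TrustedNets -join ','
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=no | Out-Null
    netsh advfirewall firewall add rule name="RDP from trusted nets only" dir=in action=allow `
        protocol=TCP localport=3389 remoteip=$ips | Out-Null
    "Workarounds applied; still schedule the patch and the reboot."
}
```

Run it once without -Remediate to see where each host stands, and keep the output: the "NLA required" and "installed" columns are exactly what you will want to show when the month-two internal patching deadline comes around.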
Microsoft's five other bulletins are less severe and should be applied within your normal patch cycle where the affected software is installed. For example, MS12-017 fixes a denial of service (DoS) vulnerability in the Microsoft DNS server; MS12-022 fixes a DLL preloading vulnerability in Expression Design; and MS12-021 addresses an add-in weakness in Visual Studio. The only publicly known vulnerability is in MS12-019, which affects DirectWrite in the Windows font system and can cause a DoS condition.

Microsoft today released its Advance Notification for March 2012: six bulletins that affect all versions of Windows and two Microsoft applications, Visual Studio and Expression Design.

Bulletin 1 will be the most important; it is a critical-rated Remote Code Execution (RCE) vulnerability and applies to all versions of Windows from XP to the latest Windows 7 and Server 2008 R2. The other RCE vulnerability is in Bulletin 5, rated important because the victim has to open a malicious file; it affects Expression Design, an application that competes with Adobe's graphics tools.

Speaking of Adobe: earlier this week they released a new version of the Flash Player that addresses two vulnerabilities found by Google security engineers Fermin Serna and Tavis Ormandy. In this release they used their new "Priority" mechanism for the first time, which gives users guidance on the urgency of applying patches: Priority 1 patches should be applied within 72 hours, Priority 2 within 30 days, and Priority 3 is left to the user's discretion. This Flash release is rated Priority 2, fix within 30 days, but I would suggest updating as quickly as possible, as detailed information on the vulnerabilities will become available soon.

Google showed remarkable agility this week and released a new version of its Chrome browser that addresses the vulnerability exploited on Tuesday at the Pwnium contest at CanSecWest, where security researcher Sergey Glazunov was awarded a US$60,000 prize.

Yesterday was not only Microsoft's Patch Tuesday; Oracle also released a new version of its Java software that addresses a total of 14 vulnerabilities. Five of the vulnerabilities in Java's currently most common version (Java 6) are critical: each has a CVSS score above 9, which means it can be exploited over the network without authentication and gives the attacker remote control of the machine.

We recommend installing this update as quickly as possible, as Java is frequently used as an initial access method in web-borne attacks.

Also yesterday, Adobe released a new version of its Shockwave Player that addresses nine vulnerabilities. While not quite as popular as Adobe Flash, it has a large installed base and has seen its share of use in web-based attacks. The new player is available for both Windows and Mac OS X.

Both enterprise and home users can use Qualys' BrowserCheck tool for a quick verification to see if their version of Java or Shockwave is outdated.

It turns out that this February Patch Tuesday is lighter than we had anticipated. Some of the nine bulletins should be less worrisome to IT admins: the Office vulnerability (MS12-015) is in the relatively rare Visio Viewer program, MS12-011 fixes an XSS vulnerability in SharePoint, and MS12-014 and MS12-012 cover DLL preloading vulnerabilities, one in the now-deprecated Indeo codec and the other in the Color Control Panel. Both of the latter are prevented by the recommended workaround for DLL preloading attacks (KB2264107), released in June 2010, which you should have installed already.
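"Which you should have installed already" is easy to verify. The script below is an added example for this page, not Microsoft's or Qualys' code: it checks whether KB2264107 is present, reads the CWDIllegalInDllSearch value that the update introduces (system-wide and any per-application overrides), explains what the current value means, and optionally sets it. It assumes an elevated PowerShell on Vista/Server 2008 or later; the level names are my own labels for the documented values, not Microsoft's.

```powershell
# Added example: verify and optionally enforce the KB2264107 DLL preloading hardening.
param(
    [switch] $Enforce,                                                 # write the system-wide value
    [ValidateSet('BlockWebDav', 'BlockRemote', 'BlockAll')]
    [string] $Level = 'BlockRemote'                                    # assumed label names, see $levels
)

$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name  = 'CWDIllegalInDllSearch'

# Meaning of the DWORD the update introduces. Get-ItemProperty returns DWORDs as signed
# Int32, so 0xFFFFFFFF reads back as -1 and is written as -1.
$levels = @{
    BlockWebDav = 1     # skip the current working directory only when it is a WebDAV folder
    BlockRemote = 2     # skip it when it is any remote folder (WebDAV or UNC share)
    BlockAll    = -1    # 0xFFFFFFFF: never load DLLs from the current working directory
}

function Describe-Cwd([object] $v) {
    if ($v -eq $null) { return 'not set: Windows still searches the current working directory' }
    switch ($v) {
        0       { return '0: explicitly default, current working directory still searched' }
        1       { return '1: current working directory skipped only when it is a WebDAV folder' }
        2       { return '2: current working directory skipped when it is a remote (WebDAV/UNC) folder' }
        -1      { return '0xFFFFFFFF: current working directory never searched' }
        default { return "unexpected value $v" }
    }
}

$hotfix = [bool] (Get-HotFix -Id KB2264107 -ErrorAction SilentlyContinue)
$cur    = (Get-ItemProperty $smKey -ErrorAction SilentlyContinue).$name

"KB2264107 installed : $hotfix"
"System-wide setting : $(Describe-Cwd $cur)"

# Per-application overrides live under Image File Execution Options and use the same values;
# list them so you know which programs deviate from the system-wide policy.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $v = (Get-ItemProperty $_.PSPath).$name
    if ($v -ne $null) { "  override {0,-30} {1}" -f $_.PSChildName, (Describe-Cwd $v) }
}

if ($Enforce) {
    if (-not $hotfix) {
        Write-Warning 'KB2264107 was not found; the value only takes effect on systems that have the update.'
    }
    Set-ItemProperty $smKey -Name $name -Type DWord -Value $levels[$Level]
    "Set $name to $Level ($($levels[$Level]))"
}
```

BlockRemote (2) is the setting that stops the WebDAV and network-share variants of these attacks while leaving local workflows alone; BlockAll is stricter but breaks the occasional application that genuinely loads helpers from its working directory, which is why the per-application overrides exist.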

Not all of the bulletins are quite so harmless, though: MS12-010 fixes four vulnerabilities in Internet Explorer that have the potential to be used for drive-by-download exploits on IE 7, 8 and 9. Last month we saw how quickly attackers can react to new vulnerabilities when exploits for MS12-004 appeared on attack sites within two weeks of its release. So while none of the vulnerabilities in MS12-010 were publicly known, you should install this fix as quickly as possible.

MS12-013 is equally dangerous: attackers can exploit a flaw in the Windows C runtime library (msvcrt.dll) through a maliciously crafted media file played in Windows Media Player. Include this bulletin in your list of high priorities.

MS12-016 should be considered broadly. It applies to workstations, servers and even Macs, as all instances of the .NET Framework and Silverlight are vulnerable. Users browsing to a malicious web page can be affected, allowing remote code execution. Server administrators need to take a look as well: if users are allowed to upload their own ASP.NET pages to run on the machine, an attacker could break out of the ASP.NET sandbox and take control of the server.

Lastly, MS12-008 addresses a vulnerability in 64-bit Windows 7 that was first blogged about in December 2011. A security researcher with the handle w3bd3vil found the flaw through Apple's Safari browser, where an overly large IFRAME height attribute causes a crash in the kernel driver win32k.sys. Microsoft believes it is difficult to engineer the code to achieve remote code execution and gives it an exploitability index of 2. Nevertheless, you should address it if you are running that configuration.

Microsoft published its Patch Tuesday preview for February 2012 and, as expected, we are getting a larger batch: nine bulletins addressing a total of 21 vulnerabilities. Four bulletins are classified as "critical" and the remaining five as "important". There is the expected critical update to Internet Explorer, which should be the highest priority. After all, we saw last month how quickly attackers incorporate browser-based attacks into their toolkits: an exploit for MS12-004 was detected a mere 15 days after Patch Tuesday.

There are also two critical fixes for Windows itself, plus one for the .NET Framework, that should be prioritized.

In the "important" category there are three Remote Code Execution vulnerabilities, one of them in Office. Most likely we are looking at file-based attacks, and at least the Office vulnerability should be included in your first tier of patching.