Last week Qualys was at Infosecurity Europe meeting customers and demoing the new QualysGuard Malware Detection service. We also gave a presentation on integrating Vulnerability and Patch data, which you can download from here.
Recently in Apple Category
The SANS Institute just published the Top Cyber Security Risks Report for the first half of 2009. In this report TippingPoint, SANS and Qualys collaborated using attack, vulnerability and forensics data to provide the latest trends in the security field.
Enterprise IT administrators and tech savvy computer end users alike will find interesting information that will help them secure their computers against current threats in the typical software installed on their machines, such as Adobe Reader and Flash, Apple QuickTime, Microsoft Office and Sun Java. The report clearly demonstrates a lag in installing security patches to these productivity applications, despite the attention they get in the press and from the security community. Since all of them are widely installed in businesses, we advise organizations to treat them with the same attention as OS and network vulnerabilities patches and to include them in their regular patching process.
Enterprise IT administrators and tech savvy computer end users alike will find interesting information that will help them secure their computers against current threats in the typical software installed on their machines, such as Adobe Reader and Flash, Apple QuickTime, Microsoft Office and Sun Java. The report clearly demonstrates a lag in installing security patches to these productivity applications, despite the attention they get in the press and from the security community. Since all of them are widely installed in businesses, we advise organizations to treat them with the same attention as OS and network vulnerabilities patches and to include them in their regular patching process.
June's Patch Tuesday is generating major workload for IT administrators. Microsoft released their biggest number of patches in recent memory, not only for Windows systems, but also for their Mac Office suite. Adobe has patches for their Reader product for Windows, Mac and Unixes and Apple released a production version of Safari 4 for Mac OS X and Windows.
Microsoft's 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of their products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (Consistent exploit code likely) in the Microsoft exploitability index. MS09-022 - Windows Print Spooler is rated critical as well, affects both servers and workstations and so has a higher exposure potential than the other server based vulnerabilities. MS09-25 brings 4 updates for the Windows base operating system kernels and even the new Vista and 2008 versions are affected by 3 of them.
On the workstation side, beyond MS09-022 and MS09-025 we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities for all versions from IE5 to IE8 - however it is interesting to note that IE8 is only affected by a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint's ZDI.
As expected we did not see a patch for DirectShow vulnerability, acknowledged by Microsoft 10 days ago in KB971778. While they have the patch it is still undergoing Quality Assurance and Stability testing. For Macintosh users, Microsoft provided the patch for last month's disclosed vulnerabilities - MS09-017 for PowerPoint. Both users of Office 2004 and Office 2008 are advised to upgrade to fix a Remote Code execution issue.
As Adobe had announced previously they also published their quarterly patches this 2nd Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available as to the vulnerabilities covered.
Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.
References:
Microsoft's 10 bulletins patch a total of 31 vulnerabilities, extending to almost all of their products on both servers and workstations. Most urgent on the server side are MS09-018 for the Active Directory vulnerabilities and MS09-020 for the IIS/WebDAV vulnerabilities, as both are categorized as critical and have the highest rating (Consistent exploit code likely) in the Microsoft exploitability index. MS09-022 - Windows Print Spooler is rated critical as well, affects both servers and workstations and so has a higher exposure potential than the other server based vulnerabilities. MS09-25 brings 4 updates for the Windows base operating system kernels and even the new Vista and 2008 versions are affected by 3 of them.
On the workstation side, beyond MS09-022 and MS09-025 we have the updates for Internet Explorer, Word, Excel and Windows Search. MS09-019 has patches for 8 IE vulnerabilities for all versions from IE5 to IE8 - however it is interesting to note that IE8 is only affected by a single vulnerability, which was recently disclosed at the CanSecWest conference in the Pwn2Own contest sponsored by TippingPoint's ZDI.
As expected we did not see a patch for DirectShow vulnerability, acknowledged by Microsoft 10 days ago in KB971778. While they have the patch it is still undergoing Quality Assurance and Stability testing. For Macintosh users, Microsoft provided the patch for last month's disclosed vulnerabilities - MS09-017 for PowerPoint. Both users of Office 2004 and Office 2008 are advised to upgrade to fix a Remote Code execution issue.
As Adobe had announced previously they also published their quarterly patches this 2nd Tuesday of the month. Currently we see that a patch has been released, but there is no further detail available as to the vulnerabilities covered.
Update: The Adobe advisory is out and it shows a total of 14 vulnerabilities. The patch covers Adobe Reader on Windows and Macintosh. Unix users will have to wait until June 16th to get their fixes.
References:
Microsoft just published their advance notice for June's Patch Tuesday. After the rather light weight release of last month, which only addressed PowerPoint on Windows, this month's release covers all major areas with 10 updates. Two are critical updates for Windows (out of a total of 6), there is one critical update for Internet Explorer and three critical updates for Microsoft Office.
Mac OS X users, which have seen their fair share of action recently on the OS side and with QuickTime need to pay attention as well, Microsoft will release an update for the Powerpoint vulnerabilities that they disclosed last month for both Windows and Mac platforms, but at the time only provided patches for Windows.
We will not see a fix for the DirectShow vulnerability KB971778 disclosed last week. While they have a fix it is still undergoing Quality Assurance and Stability testing.
Mac OS X users, which have seen their fair share of action recently on the OS side and with QuickTime need to pay attention as well, Microsoft will release an update for the Powerpoint vulnerabilities that they disclosed last month for both Windows and Mac platforms, but at the time only provided patches for Windows.
We will not see a fix for the DirectShow vulnerability KB971778 disclosed last week. While they have a fix it is still undergoing Quality Assurance and Stability testing.
Microsoft's May Security Bulletin contains a single advisory for PowerPoint in Microsoft Office (MS09-017). It addresses 14 distinct vulnerabilities, including the 0-day vulnerability that was identified in the beginning of April 2009. While the vulnerabilities rank only as important on most versions of Microsoft Office, they all categorized as "remote code execution" and have a low exploitability index, meaning exploits are relatively easy to write and can be expected to be used soon in attacks.
One of the mentioned workarounds for CVE-2009-0556 , the 0-day vulnerability patched in this advisory is installing MOICE (KB937696). MOICE stands for "Microsoft Office Isolated Conversion Environment," a toolset that sanitizes Office documents when opened through browsing and email by removing potentially dangerous code. It has been available since May 2007 and is cited as a work-around in eight of Microsoft's 78 advisories in 2008. MOICE is an interesting tool, used to reduce the risk produced by the increasing number of file format vulnerabilities. Its limitation is that it only works with Office 2003 and 2007; Office 2000 and Office XP are not supported.
In addition to the Microsoft patches both Adobe and Apple released their equivalent of "Patch Tuesday" advisories. Adobe fixed a recent critical 0-day vulnerability in their Acrobat and Reader product lines. Compared to their February patch for a known 0-day, this time around they reacted much faster and published patches for Windows, Mac OS X and Unix simultaneously. Adobe software is widely installed and according to statistics from F-Secure PDF based file exploits are on the rise - 49% for the first 4 months of 2009 compared to 28% in 2008.
Apple's patches address a variety of critical issues in OS X and the Safari browser. The advisory for OS X addresses over 40 vulnerabilities and the Safari advisory applies to both OS X and Windows.
References:
One of the mentioned workarounds for CVE-2009-0556 , the 0-day vulnerability patched in this advisory is installing MOICE (KB937696). MOICE stands for "Microsoft Office Isolated Conversion Environment," a toolset that sanitizes Office documents when opened through browsing and email by removing potentially dangerous code. It has been available since May 2007 and is cited as a work-around in eight of Microsoft's 78 advisories in 2008. MOICE is an interesting tool, used to reduce the risk produced by the increasing number of file format vulnerabilities. Its limitation is that it only works with Office 2003 and 2007; Office 2000 and Office XP are not supported.
In addition to the Microsoft patches both Adobe and Apple released their equivalent of "Patch Tuesday" advisories. Adobe fixed a recent critical 0-day vulnerability in their Acrobat and Reader product lines. Compared to their February patch for a known 0-day, this time around they reacted much faster and published patches for Windows, Mac OS X and Unix simultaneously. Adobe software is widely installed and according to statistics from F-Secure PDF based file exploits are on the rise - 49% for the first 4 months of 2009 compared to 28% in 2008.
Apple's patches address a variety of critical issues in OS X and the Safari browser. The advisory for OS X addresses over 40 vulnerabilities and the Safari advisory applies to both OS X and Windows.
References:
Download Laws 2.0
