EZSecurity Bulletin for September of 2011
After many years, it’s time for me to move on to face new challenges. This euphemism for “not going to work here at Tieto anymore” can mean a number of things depending on the situation. In this case, I felt I needed to focus more on building my security specialization. But I want to thank all of you for bearing with me and for being a good team and fine friends.
We will continue sending this bulletin to you every month, as we have for the last few years, but starting next month it will only contain the Word document. This is the last newsletter from me. It’s been a blast!
If you want to keep in touch, I’m on LinkedIn. Search for my name!
And my blog as always:
Back to business. Please note that Acrobat Reader has had a number of patches released recently, and after the DigiNotar fiasco I would recommend that you all make sure you update applicable HTTPS-capable software such as Firefox as well.
MICROSOFT SECURITY BULLETIN SUMMARY FOR SEPTEMBER OF 2011
As per usual, Microsoft releases its security bulletins on the second Tuesday of every month. This month brings 5 bulletins.
Important
MS11-070 Vulnerability in WINS Could Allow Elevation of Privilege (2571621)
MS11-071 Vulnerability in Windows Components Could Allow Remote Code Execution (2570947)
MS11-072 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2587505)
MS11-073 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2587634)
MS11-074 Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2451858)
Please note: some of these vulnerabilities are rated “Critical” on client operating systems.
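A quick way to check which of this month's five bulletins are still missing on a Windows machine, as an added example that is not part of the original newsletter: it queries the Windows Update Agent COM API for applicable-but-not-installed updates and matches them against the KB numbers above. It assumes the machine can reach Microsoft Update (plain Windows Update only reports OS patches such as MS11-070 and MS11-071, not the Office and SharePoint bulletins).

```powershell
# Added example (not from the newsletter). Map this month's KB numbers to their bulletins.
$bulletins = @{
    '2571621' = 'MS11-070 WINS (EoP)'
    '2570947' = 'MS11-071 Windows Components (RCE)'
    '2587505' = 'MS11-072 Excel (RCE)'
    '2587634' = 'MS11-073 Office (RCE)'
    '2451858' = 'MS11-074 SharePoint (EoP)'
}

# Ask the local Windows Update Agent for software updates that apply to this
# machine but are not installed yet. Assumes Microsoft Update is reachable,
# otherwise Office/SharePoint patches will not be reported at all.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

# Collect the pending updates whose KB article IDs match one of the bulletins
$pending = @{}
foreach ($update in $result.Updates) {
    foreach ($kb in $update.KBArticleIDs) {
        if ($bulletins.ContainsKey($kb)) { $pending[$kb] = $update.Title }
    }
}

# Report per bulletin. "ok/n.a." means either installed or not applicable
# (e.g. MS11-074 on a machine without SharePoint), so it is not proof of patching.
foreach ($kb in ($bulletins.Keys | Sort-Object)) {
    if ($pending.ContainsKey($kb)) {
        Write-Output ("MISSING  {0} (KB{1}): {2}" -f $bulletins[$kb], $kb, $pending[$kb])
    } else {
        Write-Output ("ok/n.a.  {0} (KB{1})" -f $bulletins[$kb], $kb)
    }
}
```

Run it in an elevated PowerShell session on each client; anything reported as MISSING should be installed before the “Critical” client-side issues noted above are considered closed.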
TEN YEARS OF SECURITY
A few days ago a milestone flew by: it was ten years since the World Trade Center attack. Much happens in ten years, but in the world of security so much has changed that I can’t help but wonder if a time traveler from 2001 would be able to recognize the world of 2011.
Back in 2001, we had Nimda knocking down our web servers while we were still recovering from the effect of the dot-com crash with no end in sight. Enron went under and MCI/WorldCom crashed. Then came the outbreak of worm attacks and the second coming of the Spamocalypse. The Internet became so common that even our grandmothers and grandfathers started using it for everything. When the worm attacks finally subsided, the web browsers became the target and the malicious code went from one-trick ponies to multi-vector attack-wielding one-man armies. Proving that we had learned nothing, we made more and more of our software reliant on an “always on” Internet connection. Playing a computer game without the proverbial intravenous connection to the big cloud simply wasn’t possible anymore.
The sheer volume of software security patches we had to apply went from scattered showers every now and then to flowing like Niagara Falls. Music and movies, both legal and illegal, also flowed to our computers through BitTorrent, iTunes and services too many to name.
EverQuest, World of Warcraft and the numerous clones of those games merged the idea of user communities with gaming and forever changed gaming from a solitary pastime to a social thing. Talking about communities: we went from IRC to forums to blogs, to MySpace, to Facebook to Twitter. Everything could be found with Google, and that included your house and maps of your neighborhood. And don’t forget that the Internet is for porn! Security-wise, porn sites have always been bad news and many careless users got viruses when searching for sex. Like in the real world. YouTube came from nowhere and suddenly you could find all those TV clips and obscure songs you thought were lost forever. RIAA and MPAA were none too amused.
The governments of the world woke up as from a nightmare of falling helplessly through the space of libertarian Internet-fueled direct democracy and acted in panic. In the name of fighting terrorism and child pornography, without any idea of how to actually make any difference in the matter, laws were enacted. Surveillance became ubiquitous and the corporate world followed suit as RIAA declared war on … everyone. Especially grandmothers and young girls who had downloaded the latest crappy boy band songs. Someone calculated that if RIAA were right about the value of pirated songs, a normal iPod full of copyrighted music would be the most valuable object in the entire world.
China grew larger. India became a preferred destination for businesses jumping on the offshoring bandwagon. Many other “low cost” countries followed suit and the global talent pool grew quickly. This and many other changes caused the software market to boom.
People met, fell in love and even “lived together” on the Internet. But the Internet also taught us to fear everyone we didn’t know or understand and to stick to places where people always agreed with us. The trend of publishing the identities of convicted criminals gained traction and then went so far as to publish the names of those merely suspected of something. The gossip and rumor machine had landed on the Internet. How many people were falsely accused of being criminals, psychopaths, pedophiles and such will probably never be known, but history will judge those spreading such rumors! Mark my words! But people also used their newly found soapbox to judge and criticize wars, injustices and other wrongdoings they felt had been done.
Apple reemerged like the Phoenix, complete with new, stylish feathers. Microsoft screwed the pooch and called the offspring Windows Vista. Eventually they saved face with Windows 7. The protests against the regulation and secrecy of governments and corporations changed form and suddenly we had entered the era of WikiLeaks. It was the logical next step from governments and corporations spying on people while people were spying on each other. Could authors such as Agatha Christie or Raymond Chandler have dreamed of a society where spy gear would be dirt cheap and everyone could spy on anyone? The Internet allowed people to be as infantile as they felt like, and behind the false security of “being anonymous” some of them made ruthless comments on blogs and in comment sections. But anonymity also helped those who were hindered from speaking freely, and thus started a war between those preferring anonymity and those demanding civility. Terms such as anonymizers, onion and garlic routing entered the common discussion. Hacking also grew another worrisome skill: targeted attacks. Remember the attacks against Iran’s nuclear program? At least that’s what I believe it was. Half-Life 2 was delayed because hackers were able to get hold of some of the source code, and Sony got whipped real hard as hackers broke into their gaming network, bringing the PS3 community to a grinding halt. Google in China… I could go on… But let’s continue.
The media landscape got its own overhaul when the emerging Internet-based media outlets forced the traditional media to step into the virtual realm. We saw the Internet giving power to everyone who was ready to grab it before anyone else did. Most of this came out rather well in my opinion, but we also had to contend with hackers, shady businesses, scams, criminals, Nazis and nationalists and of course everyone with the audacity to voice a different opinion than our own. The Internet didn’t collapse and neither did the e-businesses, proving the strength of human adaptability. We simply learned to be careful, and to survive when that wasn’t enough. Some of our experiences were hard earned.
If all this caused democracies to shake in their foundations, the dictatorships sometimes even fell. It wasn’t the Internet that brought them down, but empowered people feeling strength through hope. Hope was also in the air when the United States of America got its first black president, who appealed to the younger audience with his Blackberry and his Twitter feeds. Anyone here who wants to write new lyrics to the Billy Joel song “We didn’t start the fire”?
The release of Apple’s iPhone led to the rebirth of the PDA. Suddenly everyone had a portable computer and calendar that also doubled as a … phone… Google competed with their own operating system for mobiles called “Android” while Microsoft tried its best to keep up with them. Bronze is the second loser. Right now it’s all about the “apps”, you know, buying simple software commodities for cheap money to extend the usability of your cell phone or just to make it look even sillier. And it all integrates into the fluffy, furry critter known as the “cloud”. And now we have finally come to the present day and our journey ends for now. Ahead lies the future, but that’s a story for another day.
It pains me to realize that I probably forgot half of everything that has changed the world for better or worse since 2001. And I feel sorry for those innocent people that died in the Twin Towers as well as for the rest of us that had to feel the pain and fear afterwards. But all in all, it has been an interesting ten years that have also held a lot of positive changes. And there has never been any shortage of work for us in the IT-security corner of the IT world.
TTFN, Erik Zalitis
The official bulletins from Microsoft:
ISC SANS's monthly Microsoft analysis is always a good read:
All back-issues of this newsletter can be found here:
And on the EZSecurity blog at Tieto DF:
My private blog:
Bruce Schneier’s excellent newsletter:
A collection of useful security links:
A good site to check for known vulnerabilities for your favorite programs:
What's the general state of the Internet?:
OWASP Sweden's email list archive:
Recommended for you developers out there:
My own, random knowledge base:
Lead Infrastructure Architect
Certified Ethical Hacker
Citrix Certified Administrator for PS4.
VMware Certified Professional on VI3
Mobile: + 46 (0)70 673 07 54