This week saw three of the major web companies issue patches just to make life especially easy for administrators.
As well as Microsoft’s Patch Tuesday, which included eight security bulletins, three of which were rated as critical and addressed 19 distinct vulnerabilities, there were also patches from Adobe and Google. Possibly the most notable of the Microsoft patches was for the Internet Explorer zero-day, which implements a simple kill-bit setting that disables the affected ActiveX control “Information Card Signin Helper”. This was patched with MS13-090.
Tyler Reguly, technical manager of security research and development at Tripwire, said: “IT pros everywhere will have a little less weight on their shoulders because Microsoft shipped a fix for the current IE zero-day. It’s important to note, however, that the fix is not in the traditional IE Cumulative Update (MS13-088) but rather in a separate ActiveX fix (MS13-090).”
In other words, thanks for the patch but it is not the patch we wanted. Ross Barrett, senior manager of security engineering at Rapid7, said that there would be “mixed feelings” of relief and frustration for Windows and security administrators alike: while there were no complicated patches, there was also no fix for the exploited Office vulnerability, which was described in advisory 2896666.
“The reality is it’s in very limited, targeted exploitation in a specific region AND it requires user interaction to exploit, so I would not worry about it too much. At risk and high value systems should have the mitigations in place already, and if not, I suggest you investigate EMET. If you fear that you are at risk of being targeted, apply the fix it,” Barrett said.
Elsewhere, Adobe released just two Flash updates this week that it said “address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system”.
Finally, Google fixed 12 flaws in Chrome, including six high-risk bugs, of which two of the more serious vulnerabilities included use-after-free bugs in various elements of the browser; there are also two out-of-bounds reads in the browser. So no quiet weekend watching sport for the administrators.
Going back to Adobe, it seems that the stories about the October breach will not stop spiralling: not only has it emerged that 234,979 of the breached credentials belonged to military and government users, but this has led to Facebook having to warn users about passwords, as it is likely that many users share passwords across both applications.
In other password-stealing news, the user forum Macrumors was hacked with a potential 860,000 usernames, email addresses and encrypted passwords snatched, while the loyalty card scheme LoyaltyBuild was also attacked and saw 1.5 million details breached. So what is the answer: is it a case of don’t put your details into any website on the grounds that they may one day be attacked, or take the risk? It seems that a risk management strategy could be for more than just businesses.
Finally, it seems that no news digest is complete without a reference to the US government of some sort, and this time it is in regard to reported attacks against the Obamacare website, after CNN reported that hackers had attempted more than a dozen cyber attacks against the website.
A top Homeland Security Department official said that the attacks failed, but a DDoS tool called “Destroy Obama Care” was recently spotted on a file-sharing site. Arbor Networks, which detected it, said there was no evidence that the program had been launched to attack the troubled federal portal for consumers to shop for health coverage, but its capability had been noted. Once again it seems that a central repository of data is an easy target, and kudos to Obamacare for holding the attackers off, for now.