Hello and welcome to the CERTStation Podcast for the 11th week of 2010. I am Jay Johnson and these are the headlines:
Apple patches 16 security flaws in its Safari web browser (pause)
The popular open-source spam application for email, SpamAssassin, has been found with a security vulnerability in its filter module, while
Symantec is saying that it will partially shut down SecurityFocus (pause)
A researcher says that they will expose 20 hackable Apple security flaws, and finally
New IE receives a new major threat
And now for this week's newswire details
Apple has released a security update for its Safari Web browser, fixing flaws for both Mac and Windows users. But a large number of the vulnerabilities it addresses are housed in the browser's WebKit rendering engine, which is also in use by rivals, including Google's Chrome. Safari 4.0.5 fixed 16 flaws, which computer security provider Secunia rated as "highly critical." The vulnerabilities could also be exploited by an attacker to bypass security restrictions or compromise a user's system. The update also includes a number of stability and performance improvements. Six of the flaws affect only Windows versions of Safari, with the remaining ten affecting both Mac OS X and Windows versions. Vulnerabilities in WebKit affect both Mac OS X and Windows versions of Safari. Most of these vulnerabilities can lead to crashing applications or arbitrary code execution. Use-after-free issues were found and addressed in the handling of the HTML object element, HTML elements with right-to-left text, parsing of XML documents, nested HTML tags, CSS rendering, and HTML callbacks. Memory corruption in CSS handling and errors in cross-origin handling were addressed. A bug which allowed cookies to be set, even if Safari was configured to block cookies, was also fixed.
(pause)
The SpamAssassin Milter plug-in, which plugs in to Milter and calls SpamAssassin, contains a security vulnerability which can be exploited by attackers using a crafted email to inject and execute code on a mail server. The SpamAssassin Milter plug-in is frequently used to run SpamAssassin on Postfix servers. In order to exploit the vulnerability, the plug-in must be called with the -x expand flag. For attackers to obtain root privileges, as the author of the security advisory proclaims, the plug-in has to be started as root – something which is anyway highly inadvisable. The attack occurs via a specially crafted recipient address and is therefore unable to succeed if the plug-in only receives emails addressed to defined addresses. The Internet Storm Center reports that the vulnerability is already being actively exploited online. To be on the safe side, Postfix administrators who use SpamAssassin should check their configurations. The developers are working on a patch.
(pause)
SecurityFocus.com, home to the well-known Bugtraq mailing list, will terminate its news portal section and will transfer its content to Symantec Connect. SecurityFocus has been a mainstay in the security community; its Bugtraq mailing list is where almost all new security-related vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them, etc. are discussed. Its news section provides original news content, detailed technical papers and guest columnists. This section and Infocus articles, whitepapers, and other SecurityFocus content will be moved to Symantec's main website starting 15 March 2010. According to SecurityFocus, mailing lists including Bugtraq and its Vulnerability Database will remain online at www.securityfocus.com. There will not be any changes to any of the list charters or policies and the same teams who have moderated list traffic will continue to do so. The vulnerability database will continue to be updated and made available as it is currently. DeepSight and other security intelligence related offerings will remain unchanged. SecurityFocus was founded in 1999 and then acquired by Symantec in August 2002.
(pause)
Charlie Miller is an NSA-trained hacker with an elite reputation for tracking down dangerous security flaws in software. But his latest work could be subtitled Apple Hacking for Dummies. Later this month at the CanSecWest security conference in Vancouver, Miller plans to unveil research that he says has turned up 30 previously unknown critical security vulnerabilities in common software, 20 of which are in Apple's Preview application. In other words, he says he's found 20 different ways that a cybercriminal could hijack the machine of any Mac user tricked into opening an infected PDF--or given that Safari uses the same code as Preview to render PDFs, simply visiting an infected Web page. That's a record haul of security bugs even for Miller, a researcher for Baltimore-based Internet Security Evaluators who has become one of the world's most prominent Mac hackers after revealing methods for hacking the iPhone via its Safari browser in 2007 and via text message last summer. He's also considering keeping the details of his bugs secret and watching to see how long it takes the software vendors to patch them after his Vancouver talk. While that would leave users vulnerable to the secret vulnerabilities he's found, Miller says it could also help reveal more about just what software companies are doing--or not doing--to patch their products' flaws.
(pause)
Software giant scrambles to deliver a workaround to protect against a zero-day exploit in its Internet Explorer browser, says it is developing a more permanent patch. Microsoft said on Friday it is testing a patch to fix a new hole in Internet Explorer 6 and IE 7 following the release of exploit code on the Internet. With the announcement it seems increasingly likely that the company will be issuing a patch for the hole before the next Patch Tuesday in about four weeks, if the testing of the patch goes quickly. Microsoft has released automated workarounds designed to immunize users against a critical vulnerability in earlier versions of Internet Explorer, which criminals are already exploiting online. The "Fix It" updates were released over the weekend for people who still use IE versions 6 and 7. The fixes are by no means foolproof. One of them disables the so-called peer factory functionality the browser may need to carry out certain tasks, such as printing. The other turns on a measure known as DEP, or data execution prevention, on more recent operating systems.
If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.