Hello and welcome to the CERTStation Podcast for the 19th week of 2010. I am Jay Johnson and these are the headlines:

Apple's popular web browser Safari gets targeted by a zero-day exploit (pause)
More than 20 vulnerabilities have been found in the latest PHP release, while
Microsoft pushes fixes for two bugs in this week's Patch Tuesday (pause)
The Facebook account of one of its own board members gets compromised, and finally
Drupal fixes an XSS vulnerability in one of its modules

And now for this week's newswire details
Security researchers are warning of a critical vulnerability in Apple's Safari browser. The current version 4.0.5 and possibly older versions are affected. If a user visits a website containing the exploit using the Windows version of Safari, the site can compromise the system and either crash the browser or execute malicious code. The problem is caused by an error in the way the browser deals with pop-ups. The demo exploit provided by a security researcher opens the calculator program in Windows XP Service Pack 3. No cases of the vulnerability being exploited in the wild have been reported to date. Users should nevertheless avoid clicking on links to untrusted websites.

(pause)
Information about more than 20 vulnerabilities has been disclosed as part of the "Month of PHP Security" (MOPS) held this May. Eight of the holes are contained in PHP applications, while 12 affect PHP itself. Four articles about PHP security have also been published. The main issues disclosed so far are a code injection hole in Xinha, a WYSIWYG editor that is also part of the Serendipity CMS, and SQL injection holes in the DeluxeBB forum software and in the ClanSphere CMS. In PHP itself, various functions contain vulnerabilities that, for instance, allow intruders to read out information or, through uninitialized memory access, execute code. Official patches have so far only been released for some of the applications, rather than for PHP itself. However, the descriptions of the individual vulnerabilities contain information about possible fixes.

(pause)
IT administrators were treated to a light security update from Microsoft on Tuesday when the software giant pushed out two patches for previously unknown issues, but remained working on a fix for a zero-day SharePoint vulnerability. Each of this month's patches addresses a "critical" vulnerability, but neither of the patches was delivered with much urgency from Microsoft. The company said the chances of exploitation were low. MS10-031 is for Microsoft Office and addresses a remote code execution vulnerability present in all versions, Office XP, 2003 and 2007. Microsoft's blog post at the SRD goes into further detail on the difficulties in writing a working exploit. While the bulletin only carries a severity of "important", we consider it to be the more urgent of today's releases. The second bulletin, MS10-030, fixes a vulnerability in Windows Outlook Express and Windows Mail, both mail clients for the POP/IMAP protocols. The vulnerability allows remote code execution and is classified as "critical". We don't see Outlook Express/Windows Mail being used in the enterprise, but smaller businesses could be affected.

(pause)
Even Facebook board members are not immune to phishing attacks. On Saturday, Jim Breyer of Accel Partners became the latest victim when his account was used to send a spam message to more than 2,300 friends. The message in question came in the form of an event invitation reading "Would You Like a Facebook Phone Number" and included an RSVP link. The phishing scam prompted individuals who clicked on the faulty link to enter their login credentials, which then caused their accounts to be hacked in the same manner. Breyer's compromised Facebook account is another blemish on the company's muddied reputation concerning user privacy and safety. There's currently a swell of negative Facebook sentiment concerning the opt-in settings of Instant Personalization. In addition, Facebook recently had to disable chat following a privacy blunder that exposed users' live Facebook chat sessions. Still, the majority of Facebook's more than 400 million members, many of whom are not all that concerned with their privacy, won't restrict their status update behavior following the hack. But it's certainly an embarrassing moment for the company, and one that does highlight the fallibility of the world's most popular social network.

(pause)
The development team behind the Drupal module Context has released a new version, 6.x-2.0-rc4, which fixes a cross-site scripting vulnerability when displaying block descriptions. If a user with the "administer blocks" permission clicks on a crafted link, JavaScript contained in the link is executed with the privileges of the Drupal page. Attackers can exploit this to gain access to a system. Just a few weeks ago, a simple XSS vulnerability in a bug-tracking system allowed root access to Apache Software Foundation servers, so XSS vulnerabilities are certainly not to be treated lightly. Although the Context module is a release candidate, it is nonetheless in use on many live sites, including the White House site, which uses the Context HTTP Headers module that in turn requires the Context module. Because the module is still a release candidate, in accordance with their security policy the Drupal developers have not released an official warning, despite the fact that they do otherwise warn of vulnerabilities in third party modules.
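The pattern behind this kind of hole, shown as an added illustration rather than the Context module's own code: a block description taken from the request is written into the page unescaped, and the fix is to pass it through Drupal 6's check_plain() before output. The render functions and the sample value are assumptions made for this example; check_plain() is reimplemented locally so the script runs without a Drupal install.

```php
<?php
// Added example, not code from the Context module or the original podcast.

// Drupal 6's check_plain() escapes text for safe insertion into HTML; this
// local copy uses the same htmlspecialchars() call so the script is standalone.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable pattern (hypothetical function): request-controlled text is
// concatenated straight into markup, so any tags it carries become live HTML.
function render_block_description_vulnerable($description) {
    return '<div class="description">' . $description . '</div>';
}

// Hardened pattern (hypothetical function): escape on output, so the same
// text is shown literally and never parsed as a tag or attribute.
function render_block_description_safe($description) {
    return '<div class="description">' . check_plain($description) . '</div>';
}

// Constructed sample value standing in for what a crafted link could pass
// to an administrator's browser through a block description parameter.
$crafted = 'Sidebar <script>/* injected */</script>';

echo "Vulnerable: " . render_block_description_vulnerable($crafted) . "\n";
echo "Hardened:   " . render_block_description_safe($crafted) . "\n";

// Quick check that the hardened output contains no raw angle brackets.
$safe = render_block_description_safe($crafted);
$inner = substr($safe, strlen('<div class="description">'), -strlen('</div>'));
assert(strpos($inner, '<') === false && strpos($inner, '>') === false);
```

The same rule applies to every place a module echoes user- or request-supplied text: escape at the point of output (check_plain() for plain text, filter_xss() where limited HTML is intended), and treat text arriving via a link an administrator clicks as untrusted even though the administrator is trusted.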

If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.