Hello and welcome to the CERTStation Podcast for the 28th week of 2010. I am Jay Johnson and these are the headlines:
Oracle releases 59 patches for security flaws (pause)
Mozilla warns about password-stealing Firefox add-on while
Microsoft patches critical bugs in Windows and Office (pause)
A vulnerability has been found in FreeBSD's memory management and finally
Crypto tool predicts password cracking time
And now for this week's newswire details
Oracle Corp. released a set of 59 patches on Monday to fix security vulnerabilities across its entire range of database, application and middleware products. The patches include fixes for three critical flaws affecting virtually every supported version of the company's Database Server technology. They were released as part of the company's scheduled quarterly Critical Patch Updates, and included a total of 28 fixes for remotely exploitable vulnerabilities, a class Oracle considers critically important because it allows systems to be exploited over the network without the need for a username or password. Of the 59 patches announced today, 13 are for security problems in Oracle's suite of database technologies. Three are critical because they address particularly dangerous flaws in all Oracle database server versions. Oracle administrators have been notoriously slow at deploying security patches, especially in database environments. Previous studies have shown Oracle environments to often be months behind in deploying the company's security patches, even in instances where flaws might present considerable danger.
(pause)
Mozilla on Tuesday warned users that a password-stealing add-on slipped into Firefox's extension gallery more than a month ago had been downloaded nearly 2,000 times before it was detected. The malicious Mozilla Sniffer add-on was yanked from Mozilla's servers Monday, and added to the Firefox blocklist, a last-resort defense that uninstalls potentially-dangerous browser extensions from users' machines. Mozilla also notified users of a critical security vulnerability in another add-on, the popular CoolPreviews, which currently sits at No. 21 on the Firefox most-downloaded list, saying it had temporarily yanked that plug-in, too. The Mozilla Sniffer add-on was submitted to the Firefox Add-ons site June 6, Mozilla announced in a blog post on 13th of July. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location, Mozilla confirmed. Anybody who has installed this add-on should change their passwords as soon as possible. The situation with CoolPreviews was different. That add-on, which is downloaded about 77,000 times each week, contained a critical bug that could have been used by hackers to hijack computers.
(pause)
Microsoft patched five vulnerabilities in Windows and Office, including a bug hackers have been exploiting for almost a month. As expected, the Patch Tuesday slate was short: just four security updates that included fixes for five separate flaws. Of the four updates, three were rated critical, the highest threat ranking in Microsoft's four-step scoring system. All five of the specific vulnerabilities patched were also rated critical. Two of the bulletins affected Windows, while the remaining pair impacted Office. Four of the five vulnerabilities in the bulletin quartet were pegged by Microsoft with an exploitability index score of 1, meaning that the company expects attacks to materialize in the next 30 days. But there were few surprises. Last week Microsoft revealed that the two Windows updates would address already-acknowledged bugs in Windows XP and Windows 7. The most prominent of the pair was MS10-042, the update that addressed the vulnerability in Windows XP's Help and Support Center, a feature that lets users access and download Microsoft help files from the Web and can be used by support technicians to launch remote support tools on a local PC. Users and IT administrators should apply the MS10-042 patch as soon as possible; it is actively being exploited to target XP desktop systems.
(pause)
A vulnerability in the memory management of FreeBSD's network subsystem allows authenticated users to edit files for which they only have read privileges. The sendfile system call uses mbuf memory to buffer the content of the file to be transmitted. Although the mbuf object supports a read-only flag, this flag is not propagated correctly when mbuf buffer references are duplicated. An advisory by the FreeBSD developers states that users can consequently modify security-relevant system files and obtain permanent root-level privileges when data is transmitted via sendfile over the loopback interface. The problem affects FreeBSD version 7.x and later. The developers recommend that users update to the 7-STABLE or 8-STABLE production versions.
(pause)
Instead of indicating password quality via colored bars, the Windows crypto tool Thor's Godly Privacy (TGP) informs users about the estimated time required for a successful brute-force attack on the chosen password. TGP calculates the time from the number of iterations a brute-force tool would need to arrive at the correct character combination. The calculation is based on a Class F attack with a throughput of 1 billion passwords per second and a key space of 96 characters that contains all lower and upper case letters as well as all numbers and special characters, brackets etc. This way, the tool impressively demonstrates that the length of a password matters more for its resilience than its complexity, if we disregard simple long passwords such as "Hippopotomonstrosesquipedaliophobia" that can be cracked via dictionary attacks. Developer Timothy "Thor" Mullen thinks that the displayed information gives users a better idea than green and red bars or quality indicators such as good, medium or bad.
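The estimate the segment describes is a single formula: the number of candidates an exhaustive search must try is the key space raised to the password length, and dividing by the attacker's guess rate gives the worst-case time. The script below is an added illustration written for this page, not TGP's own code; it assumes the segment's figures (a 96-character key space, 1 billion guesses per second) and a constructed 26-character lowercase alphabet for the comparison, and it deliberately ignores dictionary attacks, so a long dictionary word still scores well here even though the segment rightly warns against it.

```python
# Added example (not from the podcast or from TGP): worst-case brute-force time
# the way the segment describes it -- a "Class F" attacker trying 1 billion
# candidates per second against a 96-character key space.

from fractions import Fraction

CLASS_F_RATE = 10**9       # guesses per second, as stated in the segment
FULL_KEYSPACE = 96         # upper, lower, digits, punctuation, brackets etc.
LOWERCASE_KEYSPACE = 26    # assumed alphabet for the length-vs-complexity comparison


def worst_case_guesses(length, keyspace=FULL_KEYSPACE):
    """Candidates an exhaustive search must try to cover the whole key space."""
    if length < 1 or keyspace < 2:
        raise ValueError("length must be >= 1 and keyspace must be >= 2")
    return keyspace ** length


def crack_seconds(length, keyspace=FULL_KEYSPACE, rate=CLASS_F_RATE):
    """Worst-case seconds to exhaust the space at `rate` guesses per second.

    Returned as an exact Fraction so very large spaces do not lose precision.
    """
    return Fraction(worst_case_guesses(length, keyspace), rate)


def humanize(seconds):
    """Render a duration in the largest unit that fits (years, days, hours, ...)."""
    units = [
        ("years", 365 * 24 * 3600),
        ("days", 24 * 3600),
        ("hours", 3600),
        ("minutes", 60),
    ]
    for name, size in units:
        if seconds >= size:
            return f"{float(seconds / size):.1f} {name}"
    return f"{float(seconds):.3g} seconds"


def length_beats_complexity(short_len=8, long_len=12):
    """True when a longer lowercase-only password outlasts a shorter full-charset one.

    This is the point the segment makes: adding characters grows the search
    space exponentially, while widening the alphabet only grows the base.
    """
    return crack_seconds(long_len, LOWERCASE_KEYSPACE) > crack_seconds(short_len, FULL_KEYSPACE)


if __name__ == "__main__":
    # Constructed comparison: 8 chars from the full set vs 12 lowercase letters.
    for label, length, space in (("8 x full charset", 8, FULL_KEYSPACE),
                                 ("12 x lowercase", 12, LOWERCASE_KEYSPACE)):
        print(f"{label:18s} -> {humanize(crack_seconds(length, space))}")
    print("length beats complexity:", length_beats_complexity())
```

Run as a script it prints the two estimates side by side: eight characters drawn from the full 96-symbol set fall in under three months at this rate, while twelve lowercase letters take about three years. The model is an upper bound on effort, not a promise: a real attacker runs dictionary and rule-based attacks first, which is exactly why the segment's caveat about long common words stands.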
If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.