Hello and welcome to the CERTStation Podcast for the 33rd week of 2009. I am Jay Johnson and these are the headlines:
Twitter Continues to Battle DDoS Attack (pause)
Microsoft patches nine security vulnerabilities on last Patch Tuesday while
Java SE6 Update Fixes Exploit Linked to ActiveX Flaw (pause)
WordPress vulnerability allows remote admin password reset, and finally
Apple fixes six security holes in its Safari web browser
And now for this week's newswire details.
More than two days after experiencing a complete outage as a result of a distributed denial-of-service (DDoS) attack, Twitter and other social networking sites such as Facebook are still battling a surge in traffic related to the attack. Twitter has taken some steps to mitigate the spike in traffic and ensure that the site is not knocked offline again, but some of those steps are having an impact on third-party tools that link to Twitter through APIs (application programming interfaces). To defend itself against the ongoing DDoS attack, Twitter has implemented various defensive actions, some of which are blocking third-party Twitter applications from being able to connect to Twitter's APIs. The mitigating steps are also affecting the ability of many users to post to their Twitter accounts via SMS (short message service) text messages.
(pause)
Although August is the month of vacations, that is certainly not the case for Microsoft, which announced nine patches in total as part of its monthly Patch Tuesday release cycle for August 2009. There are five critical patches, all of which can be exploited remotely, and four important ones that require direct access to the system for exploitation. This release covers a variety of products, with Windows as the main focus. Although this is a big release, there are no surprises in it: it addresses an outstanding, publicly known zero-day vulnerability and includes an official patch for the issue covered by the out-of-band fix released in July. As always, users are urged to review these critical patches carefully against their environment and apply them as soon as possible. QualysGuard users are advised to scan the systems in their environment to identify affected Windows machines and patch them accordingly.
(pause)
Java SE6 is set to receive what is being called "significant security patches." The need for repair came after US-CERT (the United States Computer Emergency Readiness Team) warned that a number of vulnerabilities existed, allowing potential attackers to bypass authentication methods and execute arbitrary code. One flaw exposes Java's audio system; if left unpatched, it could give an attacker access to a computer system without authorization. Another exploit provides root access to a vulnerable machine. The most prominent flaw to be patched is directly related to the flaws experienced in Microsoft ActiveX. According to the public advisory released by Sun Microsystems, security vulnerabilities in the Active Template Library (ATL) in various releases of Microsoft Visual Studio, which is used by the Java Web Start ActiveX control, may allow the Java Web Start ActiveX control to be leveraged to execute arbitrary code.
(pause)
A vulnerability in the current 2.8.3 release of the popular WordPress blogging software can be exploited remotely via a web browser to temporarily lock out administrators. The cause of the issue is an error in the web-based password reset function. Normally, when a password reset is requested, the user is sent a link to their registered email address. Once the link is clicked, the old WordPress password is removed and a new one is generated, which is again sent by email. The password reset function in the wp-login.php PHP module can be abused to bypass the first step and then reset the admin password by submitting an array to the $key variable. This can be done remotely through any web browser, and no confirmation of the password reset will be sent to the admin. The WordPress developers have been advised of the issue and have corrected the problem in a development version of the blogging software, in which they prevent arrays from being passed in the $key variable. Administrators who have already been locked out of their systems should use the "Emergency Password Reset Script", which needs to be loaded into the root of the WordPress installation. The WordPress developers have now released WordPress 2.8.4 to address the password reset issue, and installation is "highly recommended" to fix the "very annoying" problem.
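To show why an array in $key matters, here is an added illustration (not WordPress code and not the project's own fix): a modelled reset-key lookup that assumes the request parameter is a string, beside a version that rejects anything other than a single string. The user table, the request values and the parameter-binding behaviour are constructed assumptions.

```php
<?php
// Added illustration, not WordPress code: a reset-key lookup that assumes the
// request parameter is a string, beside a version that rejects arrays.
// Constructed stand-in for the users table; an account with no pending reset
// request has an empty user_activation_key.
$users = [
    ['user_login' => 'admin',  'user_activation_key' => ''],
    ['user_login' => 'editor', 'user_activation_key' => 'a1b2c3d4'],
];
// Models the weak pattern (an assumption, not the project's exact code):
// preg_replace() on an array returns an array, a one-element array passes
// empty(), and a parameter binder handed an array uses its first element.
function lookup_vulnerable(array $users, $key) {
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if (empty($key)) {
        return null;                               // "invalid key"
    }
    $bound = is_array($key) ? reset($key) : $key;  // models array binding
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $bound) {
            return $u['user_login'];
        }
    }
    return null;
}
// Hardened version: the key must be one non-empty string; anything else,
// an array included, is refused before any lookup happens.
function lookup_fixed(array $users, $key) {
    if (!is_string($key) || $key === '') {
        return null;
    }
    $key = preg_replace('/[^a-z0-9]/i', '', $key);
    if ($key === '') {
        return null;
    }
    foreach ($users as $u) {
        if ($u['user_activation_key'] === $key) {
            return $u['user_login'];
        }
    }
    return null;
}
// Constructed request values: a genuine key, then an array as a ?key[]=
// query string would yield. Only the weak lookup matches the admin account.
foreach (['a1b2c3d4', ['']] as $request_key) {
    printf("vulnerable=%s fixed=%s\n",
        var_export(lookup_vulnerable($users, $request_key), true),
        var_export(lookup_fixed($users, $request_key), true));
}
```

The lesson for anyone reviewing similar code is that empty() and sanitising regexes are not type checks; a parameter that must be a token should be verified with is_string() before it reaches any query.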
(pause)
Apple has updated Safari to version 4.0.3, reportedly fixing some stability and compatibility issues but also, most importantly, plugging a number of security holes. Two of the security patches only apply to the version of Apple's browser that runs on Microsoft's operating system. Fixes in the new version include CoreGraphics and ImageIO, which only affect Windows XP and Windows Vista. A bug in Safari itself, which previously allowed a maliciously crafted website to be promoted into Safari's Top Sites view, has also been fixed, along with a couple of WebKit issues within the browser. Clearly it's very important that Safari users update their systems as soon as possible.
If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.