Hello and welcome to the CERTStation Podcast for the 33rd week of 2010. I am Jay Johnson and these are the headlines:

Microsoft's latest Patch Tuesday takes care of 35 security holes (pause)
Apple's website hit by a massive hack attempt while
ColdFusion's vulnerability proves to be a bigger threat than thought earlier (pause)
Your game for Android could be a spy application in disguise and finally
RIM offers surveillance tools for the Indian government

And now for this week's newswire details
The final total for this month's record flood of patches is 15 bulletins to fix 35 security holes in Microsoft products. While, last Friday, Microsoft had announced it would be issuing 14 bulletins and closing 34 holes, this doesn't seem to have included the LNK hole that was closed out-of-schedule in MS10-046. Critical updates were provided for all Windows versions on all platforms, for Microsoft Office for Windows and Mac, and for .NET and Silverlight. Among the affected components are the Windows Shell, the XML Core Services, the MP3 and Cinepak codecs, IIS, IE 7 and 8, Word, and the Windows SMB network service. Most of the related vulnerabilities allow attackers to remotely inject malicious code and gain control of vulnerable systems. Updates with the second-highest rating, important, were provided for all Windows kernels and various drivers, Movie Maker, Excel, the TCP/IP network stack, and the Windows tracing feature. Most of the programming flaws in these components allow local attackers to elevate their access privileges. Microsoft has also released new signatures for the Malicious Software Removal Tool. The vendor is deploying the updates via the usual mechanisms and users are advised to install them immediately. As an added surprise, Microsoft also released an advisory about security holes in the Windows Service Isolation feature that allow non-privileged processes to access privileged system functions. According to the advisory, a successful attacker could, in very special circumstances, elevate a non-privileged NetworkService process to system privilege level.

(pause)
A hack attack that can expose users to malware exploits has infected more than 1 million webpages, at least two of which belong to Apple. The SQL injection attacks bombard the websites of legitimate companies with database commands that attempt to add hidden links that lead to malware exploits. While most of the sites that fell prey appear to belong to mom-and-pop operations, two of the infections hit pages Apple uses to promote iTunes podcasts. The malicious links appear to have been removed since Google last indexed the pages in early August. These attacks have been ongoing and are changing pretty often, said Mary Landesman, a senior researcher with ScanSafe, a Cisco-owned service that provides customers with real-time intelligence about malicious sites. Interestingly, many of the sites compromised have been involved in repeated compromises over the past few months. It's not clear whether these are the work of the same attackers or are competing attacks. SQL injection attacks succeed because web applications don't properly filter search queries and other user-supplied input for malicious text. When the data is processed, commands are passed to a website's backend server, causing it to add links or cough up sensitive information. The attacks that hit Apple used highly encoded text strings to sneak past web-application filters.
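The point in the last few sentences, that filtering user input for "malicious text" is the wrong defence because the database cannot tell data from code once they are concatenated, is easiest to see with a runnable comparison. The example below is added here and is not code from the podcast or from any of the sites it mentions; the table, the search function and the sample rows are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table of site pages standing in
    # for a real backend database (hypothetical schema, not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [
            ("Podcast week 33", "Security headlines"),
            ("Podcast week 32", "More headlines"),
            ("About", "Site information"),
        ],
    )
    return conn


def search_vulnerable(conn, term):
    # The user's search term is spliced into the statement text. A quote
    # character in `term` ends the string literal early, so the rest of the
    # input becomes part of the query's logic instead of its data. This is
    # the pattern the attacks in the story rely on; no blocklist of "bad
    # words" can fix it, because the attacker controls the encoding.
    sql = f"SELECT title FROM pages WHERE title LIKE '%{term}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # The statement text is fixed; the search term travels separately as a
    # bound parameter, so the driver treats it as a literal value whatever
    # quotes, comments or encodings it contains.
    sql = "SELECT title FROM pages WHERE title LIKE '%' || ? || '%' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    # A normal search behaves identically in both versions.
    print(search_vulnerable(db, "Podcast"))
    print(search_parameterized(db, "Podcast"))
    # Constructed input that closes the quoted LIKE pattern and appends an
    # always-true condition: the concatenated query returns every row, the
    # parameterized query returns none because no title contains the text.
    tainted = "zzz%' OR '1%'='1"
    print(search_vulnerable(db, tainted))
    print(search_parameterized(db, tainted))
```

The tainted search term returns all three rows from `search_vulnerable` and nothing from `search_parameterized`. The design point is that parameterization removes the whole class of bug rather than trying to recognise attack strings; input validation still has a place (length limits, character sets) but as defence in depth, not as the primary control.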

(pause)
Several security experts are claiming that the vulnerability in ColdFusion disclosed last week is more critical than Adobe is reporting. Adobe has classified the issue as 'important', probably because it's not a problem under the default configuration, but in practice there appear to be many non-default installations on which the vulnerability is exploitable. The vulnerability allows arbitrary files on the server, including the password file password.properties, to be accessed via directory traversal. A Python exploit for accessing files on a vulnerable server has already been posted to several sites. ColdFusion versions 8.0, 8.0.1, 9.0, 9.0.1 and earlier for Windows, Mac and UNIX are affected. The password file contains the CF admin password, in either plain text, or hashed form, depending on the configuration. By determining the password, an attacker can gain access to the ColdFusion server's administration interface and may be able to take complete control of the server. Users should attach the highest priority to installing the security update.
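The ColdFusion issue is a directory traversal: a file name taken from the request is joined to a directory on disk without checking that the result stays inside it. The defensive check below is an added example, not ColdFusion's code or Adobe's fix; the web-root layout, the `safe_resolve` helper and the placeholder contents of `password.properties` are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the served root."""


def safe_resolve(base_dir, user_path):
    # Decode the request the way the server would, and treat backslashes as
    # separators too since the affected platforms include Windows. The check
    # itself works on the canonical absolute path, so it does not depend on
    # spotting ".." in the raw input (which encoding tricks can hide).
    decoded = unquote(user_path).replace("\\", "/")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # realpath collapses "..", symlinks and duplicate separators; after that,
    # the only acceptable result is a path that is still under `base`.
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalError(f"path escapes served root: {user_path!r}")
    return candidate


def read_public_file(base_dir, user_path):
    # Only paths that pass safe_resolve are ever opened.
    with open(safe_resolve(base_dir, user_path), "r", encoding="utf-8") as fh:
        return fh.read()


def make_demo_tree():
    # Constructed layout: a public web root next to a config directory that
    # holds the kind of file that must never be served. The file name comes
    # from the story; its contents here are a placeholder.
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    config = os.path.join(root, "config")
    os.makedirs(public)
    os.makedirs(config)
    with open(os.path.join(public, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>hello</h1>")
    with open(os.path.join(config, "password.properties"), "w", encoding="utf-8") as fh:
        fh.write("password=PLACEHOLDER-NOT-A-REAL-SECRET")
    return public


if __name__ == "__main__":
    public = make_demo_tree()
    print(read_public_file(public, "index.html"))
    for bad in ("../config/password.properties",
                "..%2Fconfig%2Fpassword.properties",
                "..\\config\\password.properties",
                "/etc/passwd"):
        try:
            safe_resolve(public, bad)
            print("ALLOWED (bug):", bad)
        except TraversalError as exc:
            print("blocked:", exc)
```

Canonicalizing first and comparing the result to the root is the robust form of the check: a blocklist on the raw string has to anticipate every encoding and separator variant, whereas the canonical path has only one spelling. The same check is also what an administrator can use to review an existing handler for this bug class.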

(pause)
Researchers with F-Secure discovered an Android app that is a spy app disguised as a Snake game. The Snake spy app is for use with GPS Spy, an Android spy app. The idea is that you'd download and install the Snake spy app onto the Android phones that you'll want to spy on; from there, the Snake app will run in the background and keep tabs on that phone. F-Secure speculate that Google will remove the app from the Android Market, or hit the app kill switch. This isn't malware in the truest sense (you need to have physical access to the phone, according to F-Secure), but it's still best classified as a Trojan horse. And while there are some practical purposes for spying apps (for example, monitoring your kids), there are countless ways that this sort of thing could be abused, such as spying on co-workers or a spouse. Also, this does serve as a reminder that, while there are advantages to Google's more open app store policies, that openness does have its drawbacks, so the onus is on you to stay alert. If you didn't knowingly download an app to your phone, you'll want to question it before you run it.

(pause)
According to the Wall Street Journal, during secret negotiations, BlackBerry vendor Research in Motion (RIM) offered to provide the Indian government with information and a number of tools for monitoring email and text messages sent using BlackBerry mobile devices. However, this does not mean that in future Indian government agencies will be able to read all messages. The BlackBerry Enterprise Service (BES) encrypts all sent messages and RIM stresses that not even RIM itself can decipher them. Government agencies will reportedly have to make do with metadata, such as the sender and recipient. The company's BlackBerry Internet Service (BIS), on the other hand, is designed for non-business users. BlackBerrys using BIS instead communicate with a server hosted by their mobile provider. These messages are compressed, but not encrypted (unless the individual users have done so with their own software), and it appears that RIM may be helping the Indian government to unpack them. India requires mobile phone providers to provide the government with access to customer communications. It plans to block 3G networks until a system to allow full line tapping is in place. It's not yet clear whether or not India is satisfied with the concessions made to date and negotiations are ongoing. India has been threatening to ban the BlackBerry service outright. The BlackBerry vendor is also under pressure in Saudi Arabia and the United Arab Emirates, both of which are also demanding access to BlackBerry messages. The Wall Street Journal says that, although RIM wants to help mobile phone providers to meet national requirements, it's not prepared to rewrite its security architecture or to give governments better access to messages than its competitors.
Although it is likely to remain impossible to eavesdrop on encrypted communications via the BlackBerry Enterprise Server, the German interior minister is nonetheless advising the German government and government departments not to use BlackBerrys.

If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.