Software Critical Patches September 2013

Unless you wrote the programming language interpreter or the software itself, you never fully know the flaws in the software you run; you are part of the anarchy of the computer age. “The Internet is the first thing that humanity has built that humanity doesn’t understand, the largest experiment in anarchy that we have ever had.” Eric Schmidt, Chairman, Google.

Being part of the anarchy, IT should develop strategies for patch management.  “Patch and vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected result is to reduce the time and money spent dealing with vulnerabilities and exploitation of those vulnerabilities. Proactively managing vulnerabilities of systems will reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after exploitation has occurred. Patches are additional pieces of code developed to address problems (commonly called “bugs”) in software. Patches enable additional functionality or address security flaws within a program. Vulnerabilities are flaws that can be exploited by a malicious entity to gain greater access or privileges than it is authorized to have on a computer system. Not all vulnerabilities have related patches; thus, system administrators must not only be aware of applicable vulnerabilities and available patches, but also other methods of remediation (e.g., device or network configuration changes, employee training) that limit the exposure of systems to vulnerabilities.” (NIST Special Publication 800-40 Version 2.0, 2005, p. ES-1)

Schmidt points to an important fact: the software and programs we run are not foolproof. They are still at a trial stage, and they keep changing as technological knowledge matures and new technology is discovered.

No organization can be called fully secure, because malicious users are constantly searching for vulnerabilities to exploit. “Attackers are able to take advantage of newly discovered vulnerabilities in less time than ever. It has been shown that the amount of time between the discovery of a software vulnerability and corresponding attacks has been steadily decreasing. There is also an increasing trend towards attack tools that exploit newly discovered vulnerabilities appearing well before any corresponding patch is released by the software vendor to fix a problem. This situation is generally known as a “zero day attack”. A large percentage of the incidents reported are caused by successful exploitation of a relatively small number of vulnerabilities in systems and applications. To avoid attacks through known issues or vulnerabilities, organizations should make sure all IT system administrators are fully up to date with the latest security patch/hot-fix releases from their software vendors. Patches and updates should be reviewed regularly and applied to the operating system and/or applications that make up the organization’s information systems. The patch management process should be timely and responsive. To accomplish this, the patching process should be managed in a systematic and controlled way.” (Patch Management, 2008, p. 3)

“Successful Patch Management requires a robust and systematic process. This process, the Patch Management Lifecycle, involves a number of key steps: preparation, vulnerability identification and patch acquisition, risk assessment and prioritisation, patch testing, patch deployment and verification.” (Patch Management, 2008, p. 4)

2. Vulnerability Identification and Patch Acquisition

“There are a number of information resources available to system administrators in order to monitor vulnerabilities and patches that may be applicable to their installed hardware and software systems. As each type of resource has its own specialised area, system administrators need to be able to refer to more than one source for accurate and timely information on new vulnerabilities and patch releases.

Some common resources are:

a) Product vendor websites and mailing lists – Product vendor websites are probably the most direct and reliable resources for system administrators on vulnerability and patch related information for specific products. Many large vendors also maintain support mailing lists that enable them to broadcast notifications of vulnerabilities, patches and updates to subscribers via email. However, it should be noted that vendors sometimes do not report new vulnerabilities straight away, as they may not wish to report a specific vulnerability until a patch is available. It is therefore necessary to track other IT security resources for timely vulnerability and patch information.

b) Third-party security advisory websites – A third-party security advisory website is one that is not affiliated with any one vendor, and may sometimes provide more detailed information about vulnerabilities that have been discovered. These websites may cover a large number of products and report new vulnerabilities.

c) Security advisory websites run by CERTs – One of the most popular vulnerability advisory websites is the US CERT/CC site. It provides technical information about any newly uncovered vulnerability that can assist system administrators and security professionals in assessing the threat from the vulnerability. These advisories are updated as soon as new information is available from the product vendors.

d) Security advisory websites / resources run by security vendors – A number of third party mailing lists, such as NTBugTraq maintained by CyberTrust, and BugTraq maintained by SecurityFocus, are popular with IT professionals. However, system administrators should verify the information released in these websites with product vendors to confirm the accuracy of any newly discovered vulnerabilities. These websites may also offer newsgroups that system administrators can use to communicate with other users in the same field. System administrators should be careful not to release sensitive information through joining and using these mailing lists and newsgroups.” (Patch Management, 2008, pp. 5-6)

3. Patch Management Governance

Every organization should have an identified group of people, called the patch and vulnerability group (PVG). The duties and responsibilities of this group are:

a) “Inventory the organization’s IT resources to determine which hardware equipment, operating systems, and software applications are used within the organization;

b) Monitor security sources for vulnerability announcements, patch and non-patch remediations, and emerging threats that correspond to the software within the PVG’s system inventory;

c) Prioritize the order in which the organization addresses remediating vulnerabilities; create a database of remediations that need to be applied to the organization;

d) Conduct testing of patches and non-patch remediations on IT devices that use standardized configurations;

e) Oversee vulnerability remediation;

f) Distribute vulnerability and remediation information to local administrators;

g) Perform automated deployment of patches to IT devices using enterprise patch management tools;

h) Configure automatic update of applications whenever possible and appropriate;

i) Verify vulnerability remediation through network and host vulnerability scanning;

j) Train administrators on how to apply vulnerability remediations;”

4. Critical Updates Released

4.1. Microsoft Updates for Multiple Vulnerabilities (refer to Appendix 1 – Microsoft Security Bulletin Summary for September 2013)

Systems Affected

a) Windows Operating System and Components

b) Microsoft Server Software

c) Microsoft Office

d) Internet Explorer

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Affected Systems

a) Windows Operating System and Components

b) Microsoft Office Suites and Software

c) Microsoft Server Software

d) Microsoft Office Services and Web Apps

e) Productivity Software

Impact

These vulnerabilities could allow remote code execution, elevation of privilege, denial of service, or information disclosure.

Solution

Apply Updates

4.2. Security update available for Adobe Shockwave Player

Release date: September 10, 2013

Vulnerability identifier: APSB13-23

SUMMARY

Adobe has released a security update for Adobe Shockwave Player 12.0.3.133 and earlier versions on the Windows and Macintosh operating systems.  This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.  Adobe recommends users of Adobe Shockwave Player 12.0.3.133 and earlier versions update to Adobe Shockwave Player 12.0.4.144 using the instructions provided in the “Solution” section below.

AFFECTED SOFTWARE VERSIONS

Adobe Shockwave Player 12.0.3.133 and earlier versions for Windows and Macintosh

SOLUTION

Adobe recommends users of Adobe Shockwave Player 12.0.3.133 and earlier versions update to the newest version 12.0.4.144.

PRIORITY AND SEVERITY RATINGS

Adobe categorizes this update with the following priority rating and recommends users update their installation to the newest version:

Product                  Updated version   Platform                 Priority rating
Adobe Shockwave Player   12.0.4.144        Windows and Macintosh    1

DETAILS

Adobe has released a security update for Adobe Shockwave Player 12.0.3.133 and earlier versions on the Windows and Macintosh operating systems.  This update addresses vulnerabilities that could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.  Adobe recommends users of Adobe Shockwave Player 12.0.3.133 and earlier versions update to Adobe Shockwave Player 12.0.4.144 using the instructions provided in the “Solution” section above.

This update resolves memory corruption vulnerabilities that could lead to code execution (CVE-2013-3359, CVE-2013-3360).


4.3. Vulnerability Note VU#826463 – Oracle E-Business Suite password disclosure vulnerability

Original Release date: 04 Sep 2013 | Last revised: 04 Sep 2013

Overview

Oracle E-Business Suite 12.0-12.1, when used with the native login pages or single sign-on (SSO) / Oracle Access Management (OAM) with the native login pages, contains a credential exposure vulnerability.

Description

Oracle E-Business Suite administrators who have applied CPU patches for July 2012, October 2012, January 2013, or April 2013 and use the native login pages are affected by a credential exposure vulnerability (CWE-200). Credentials are exposed to the FND_LOG_MESSAGES database table or a log file. The credentials in the logs will be viewable by an attacker with privileged database or privileged operating system access.

Impact

An authenticated attacker with privileged access may be able to read Oracle E-Business Suite credentials from the database logs.

Solution

Apply an Update

Oracle E-Business Suite administrators are advised to apply Oracle CPU July 2013 to address this vulnerability.

Steps

Purge credentials from the database logs

Oracle E-Business Suite administrators that are affected by this vulnerability should purge the database logs of any credentials that were exposed. My Oracle Support (MOS) Note 1579709.1 states the following mitigation steps:

MITIGATION STEP Prevent Logging of Passwords

For customers that have applied E-Business Suite CPU patches JUL 2012, OCT 2012, JAN 2013, or APR 2013, and have not yet applied the JUL 2013 CPU, the following trigger will prevent any additional logging of passwords within FND_LOG_MESSAGES.

In SQL*Plus, login as APPS, and do the following:

    CREATE OR REPLACE TRIGGER FND_LOG_MESSAGES_BI
    BEFORE INSERT ON APPLSYS.FND_LOG_MESSAGES
    REFERENCING NEW AS NEW OLD AS OLD FOR EACH ROW
    WHEN (NEW.module like 'fnd.sso.SecureHttpRequest%')
    BEGIN
      :NEW.message_text := 'Ignored';
    END;
    /

Once the JUL 2013 CPU has been applied, the trigger is no longer required and should be dropped for performance reasons.

In SQL*Plus, login as APPS, and do the following:

    DROP TRIGGER FND_LOG_MESSAGES_BI;

MITIGATION STEP Cleanup Old Log Entries

Customers that have applied E-Business Suite CPU patches JUL 2012, OCT 2012, JAN 2013, or APR 2013 will have log entries that need to be purged.

Customers that have applied one of the patches with the vulnerability listed above will likely have log entries that need to be purged. By default, E-Business Suite logs to FND_LOG_MESSAGES. Customers can optionally configure the system to log to a file on the applications tier by setting the AFLOG_FILENAME profile (this parameter can also be set as a java system property or environment variable). See Oracle E-Business Suite System Administrator’s Guide – Configuration: Logging for more information on logging configuration.

For log entries in the database, remove entries in FND_LOG_MESSAGES by either truncating the table or by selectively deleting the problematic rows.

In SQL*Plus, login as APPS, and do one of the following:

    TRUNCATE TABLE FND_LOG_MESSAGES;

or

    DELETE FND_LOG_MESSAGES
     WHERE MODULE like 'fnd.sso.SecureHttpRequest%.secureParse';
    COMMIT;

For log files in the file system purge the log files, or you can run the following commands to remove the specific problematic entries:

For a single file:

    sed -i -e '/fnd.sso.SecureHttpRequest/d' file_name

or for multiple files:

    find /some/dir -name '*.log' -exec \
      sed -i -e '/fnd.sso.SecureHttpRequest/d' {} \;
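The script below is an added, defender-side example; it is not part of the MOS note or the CERT vulnerability note. It wraps the find/sed purge shown above with a count before and after, so an administrator can record how many log lines referenced the fnd.sso.SecureHttpRequest module and confirm that none remain once the purge has run (the “verify vulnerability remediation” duty of the PVG). It assumes GNU sed (for in-place -i, as in the advisory’s own command) and plain-text log files named *.log; the sample log lines it writes are constructed for the demonstration and are not real E-Business Suite output.

```shell
#!/bin/sh
# Added example, not part of the Oracle MOS note: count, purge, and verify
# log lines that reference the module named in the advisory.
# Assumes GNU sed (in-place -i, as in the advisory's own command) and
# plain-text log files named *.log.
set -eu

# Same substring the advisory's sed expression deletes on.
PATTERN='fnd.sso.SecureHttpRequest'

# Number of lines in one file that still reference the module.
# grep -c exits 1 when the count is 0, which would trip set -e, hence || true.
count_exposed() {
    grep -c "$PATTERN" "$1" || true
}

# Number of such lines across every *.log file under a directory.
count_exposed_tree() {
    find "$1" -name '*.log' -exec cat {} + | grep -c "$PATTERN" || true
}

# Delete the lines in place (the advisory's own find/sed command) and
# print how many remain, so the caller can check that the answer is 0.
purge_tree() {
    find "$1" -name '*.log' -exec sed -i -e "/$PATTERN/d" {} \;
    count_exposed_tree "$1"
}

# Build a throwaway log tree with constructed sample lines (not real
# E-Business Suite output) so the functions can be exercised offline.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/sub"
    cat > "$dir/a.log" <<'EOF'
2013-09-04 10:00:01 fnd.framework.Startup: node started (constructed sample)
2013-09-04 10:00:05 fnd.sso.SecureHttpRequest.secureParse: <constructed sample>
2013-09-04 10:00:09 fnd.framework.Request: GET /OA_HTML/AppsLogin (constructed sample)
EOF
    cat > "$dir/sub/b.log" <<'EOF'
2013-09-04 10:01:00 fnd.sso.SecureHttpRequest.secureParse: <constructed sample>
2013-09-04 10:01:02 fnd.sso.SecureHttpRequest.secureParse: <constructed sample>
EOF
    echo "$dir"
}

# Demonstration on the constructed tree: 3 exposed lines before the purge,
# 0 after, and the two unrelated lines in a.log survive.
sample=$(make_sample_tree)
echo "exposed lines before purge: $(count_exposed_tree "$sample")"
echo "exposed lines after purge:  $(purge_tree "$sample")"
echo "lines left in a.log:        $(grep -c '' "$sample/a.log")"
rm -rf "$sample"
```

On a real applications tier, run count_exposed_tree against the log directory first and keep the number with the change record; run purge_tree only after the log files have been backed up, and treat any non-zero count it prints as a sign that a file was skipped (for example, a log that does not end in .log).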

Change passwords for affected accounts

Oracle E-Business Suite administrators that feel this exposure may have compromised the credentials should force the passwords to be changed for the affected accounts. My Oracle Support (MOS) Note 1579709.1 states the following mitigation steps:

MITIGATION STEP Force a password change for all E-Business Suite accounts (optional)

If you suspect that logs with passwords have been compromised via the production instance, cloned database copies, or database backups, you should force a password change for all E-Business Suite accounts. For passwords that are managed through OID, passwords should be expired via OID. For passwords managed by E-Business Suite you can force a password change by performing the following steps:

1. Login to database as the APPS user, and run the following SQL:

    UPDATE FND_USER set PASSWORD_DATE = NULL
     where nvl(END_DATE, sysdate+1) > sysdate
       and USER_NAME not in ('GUEST','AUTOINSTALL','ASADMIN',
           'ORACLE12.0.0','ORACLE12.1.0','ORACLE12.2.0','ORACLE12.3.0',
           'ORACLE12.4.0','ORACLE12.5.0','ORACLE12.6.0','ORACLE12.7.0',
           'ORACLE12.8.0','ORACLE12.9.0');
    COMMIT;

2. Login to E-Business Suite as the SYSADMIN user. You will be prompted to change the SYSADMIN password. Change the SYSADMIN password.

3. To change the GUEST password, follow MOS note: 443353.1 – How To Successfully Change The Guest Password In E-Business Suite 11.5.10 and R12

4. To change the ASADMIN password, follow MOS note: 556540.1 – Installing Oracle E-Business Suite Integrated SOA Gateway, Release 12 – Section: 3.3, Steps: (8 – 11)

For any additional clarification please contact Oracle Support.

References

[1] NIST Special Publication 800-40 Version 2.0 (2005), Creating a Patch and Vulnerability Management Program, National Institute of Standards and Technology. Retrieved 13 September 2013 from http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf

[2] The Government of the Hong Kong Special Administrative Region (2008), Patch Management. Retrieved 13 September 2013 from http://www.infosec.gov.hk/english/technical/files/patch.pdf

[3] Fortinet’s FortiGuard Labs (CVE-2013-3359) and aniway.anyway@gmail.com via the iDefense Vulnerability Contributor Program (CVE-2013-3360).

[4] United States Computer Emergency Readiness Team (2013), Vulnerability Note VU#826463 – Oracle E-Business Suite password disclosure vulnerability, Department of Homeland Security. Retrieved 13 September 2013 from http://www.kb.cert.org/vuls/id/826463

[5] Adobe Systems Incorporated (2013), Security bulletin: Security update available for Adobe Shockwave Player. Retrieved 13 September 2013 from http://www.adobe.com/support/security/bulletins/apsb13-23.html

Appendix 1 – Table 1 – Microsoft Security Bulletin Summary for September 2013

Columns: Bulletin ID; Bulletin Title and Executive Summary; Maximum Severity Rating and Vulnerability Impact; Restart Requirement; Affected Software.

MS13-067 – Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
Executive summary: This security update resolves one publicly disclosed vulnerability and nine privately reported vulnerabilities in Microsoft Office Server software. The most severe vulnerability could allow remote code execution in the context of the W3WP service account if an attacker sends specially crafted content to the affected server.
Maximum severity / impact: Critical / Remote Code Execution
Restart requirement: May require restart
Affected software: Microsoft Office, Microsoft Server Software

MS13-068 – Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)
Executive summary: This security update resolves a privately reported vulnerability in Microsoft Outlook. The vulnerability could allow remote code execution if a user opens or previews a specially crafted email message using an affected edition of Microsoft Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum severity / impact: Critical / Remote Code Execution
Restart requirement: May require restart
Affected software: Microsoft Office

MS13-069 – Cumulative Security Update for Internet Explorer (2870699)
Executive summary: This security update resolves ten privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum severity / impact: Critical / Remote Code Execution
Restart requirement: Requires restart
Affected software: Microsoft Windows, Internet Explorer

MS13-070 – Vulnerability in OLE Could Allow Remote Code Execution (2876217)
Executive summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum severity / impact: Critical / Remote Code Execution
Restart requirement: May require restart
Affected software: Microsoft Windows

MS13-071 – Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)
Executive summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user applies a specially crafted Windows theme on their system. In all cases, a user cannot be forced to open the file or apply the theme; for an attack to be successful, a user must be convinced to do so.
Maximum severity / impact: Important / Remote Code Execution
Restart requirement: May require restart
Affected software: Microsoft Windows

MS13-072 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
Executive summary: This security update resolves 13 privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum severity / impact: Important / Remote Code Execution
Restart requirement: May require restart
Affected software: Microsoft Office

MS13-073 – Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)
Executive summary: This security update resolves three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum severity / impact: Important / Remote Code Execution
Restart requirement: May require restart
Affected software: Microsoft Office

MS13-074 – Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)
Executive summary: This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Access file with an affected version of Microsoft Access. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum severity / impact: Important / Remote Code Execution
Restart requirement: May require restart
Affected software: Microsoft Office

MS13-075 – Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)
Executive summary: This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged on attacker launches Internet Explorer from the toolbar in Microsoft Pinyin IME for Simplified Chinese. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.
Maximum severity / impact: Important / Elevation of Privilege
Restart requirement: May require restart
Affected software: Microsoft Office

MS13-076 – Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315)
Executive summary: This security update resolves seven privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs onto the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Maximum severity / impact: Important / Elevation of Privilege
Restart requirement: Requires restart
Affected software: Microsoft Windows

MS13-077 – Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)
Executive summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker convinces an authenticated user to execute a specially crafted application. To exploit this vulnerability, an attacker either must have valid logon credentials and be able to log on locally or must convince a user to run the attacker’s specially crafted application.
Maximum severity / impact: Important / Elevation of Privilege
Restart requirement: Requires restart
Affected software: Microsoft Windows

MS13-078 – Vulnerability in FrontPage Could Allow Information Disclosure (2825621)
Executive summary: This security update resolves a privately reported vulnerability in Microsoft FrontPage. The vulnerability could allow information disclosure if a user opens a specially crafted FrontPage document. The vulnerability cannot be exploited automatically; for an attack to be successful a user must be convinced to open the specially crafted document.
Maximum severity / impact: Important / Information Disclosure
Restart requirement: May require restart
Affected software: Microsoft Office

MS13-079 – Vulnerability in Active Directory Could Allow Denial of Service (2853587)
Executive summary: This security update resolves a privately reported vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sends a specially crafted query to the Lightweight Directory Access Protocol (LDAP) service.
Maximum severity / impact: Important / Denial of Service
Restart requirement: May require restart
Affected software: Microsoft Windows