Posts Tagged “security”

Malicious Office Documents Cause Security Woes

Exposure:

Today, Microsoft released two security bulletins describing seven vulnerabilities found in components that ship with Microsoft Office XP and 2003 for Windows, and Office 2004 for Mac. These bulletins do not affect the more current versions of Office, such as 2007 Microsoft Office System or Microsoft Office 2008 for Mac.

The vulnerabilities affect different versions of Office to varying degrees. Though the seven vulnerabilities differ technically, and affect two different Office components, they share the same scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents. In one bulletin, Microsoft specifically states PowerPoint documents are vulnerable. However, they also mention any "Office file" in their other alert. Therefore, we recommend you beware of all unexpected Office documents.

If you’d like to learn more about each individual flaw, drill into the "Vulnerability Details" section of the security bulletins listed below:

  •  MS10-003: Multiple PowerPoint Code Execution Vulnerabilities, rated Important
  •  MS10-004: Microsoft Office MSO.DLL Code Execution Vulnerability, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.

MS10-003:

MS10-004:

PowerPoint update for:


Adobe Corrects At Least Seven Vulnerabilities in Flash Player and AIR

They also warn of a zero-day flaw in Illustrator CS3 and CS4

Severity: High

9 December, 2009

Summary:

§ This vulnerability affects: Adobe Flash Player 10.0.32.18 and earlier, running on all platforms. Some flaws also affect Adobe AIR 1.5.2

§ How an attacker exploits it: By enticing your users to visit a website containing malicious Flash content

§ Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it

§ What to do: Download and install the latest version of Adobe Flash Player and AIR

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash, often formatted as a Shockwave (.SWF) file. Adobe’s Flash Player ships by default with many web browsers, including Internet Explorer (IE). It also runs on many operating systems.

In a security bulletin released on the same day as Microsoft Patch Day, Adobe warned of at least seven critical vulnerabilities that affect Adobe Flash Player 10.0.32.18 for Windows and Macintosh (as well as all earlier versions). Some of the flaws also affect Adobe AIR 1.5.2. Adobe’s bulletin refers to seven CVE numbers, which suggests that their update fixes seven security vulnerabilities. The bulletin doesn’t describe the flaws in much technical detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these unspecified vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit these flaws to gain full control of their PCs. If you use Adobe Flash Player in your network, we recommend you download and deploy the latest version throughout your network as soon as possible.

On a related note, the day before releasing the Flash update, Adobe also released an advisory about a critical buffer overflow vulnerability in Illustrator CS3 and CS4. The flaw stems from Illustrator’s failure to properly parse specially crafted .EPS files. If an attacker can entice one of your Illustrator users into opening a malicious .EPS file, he can exploit this flaw to execute code on that user’s computer, with the user’s privileges. There is no patch for this flaw yet; Adobe plans to release one in January.

Solution Path

Adobe has released a new version of Flash Player and AIR. Specifically:

§ Flash Player 10.0.42.34

§ AIR 1.5.3

If you use these products in your network, we recommend you download and deploy their updates as soon as possible.


Severity: High

5 November, 2009

Summary:

§ This vulnerability affects: Adobe Shockwave Player 11.5.1.601 and earlier, running on Windows and Macintosh computers

§ How an attacker exploits it: By enticing your users to visit a website containing a malicious Flash file

§ Impact: An attacker can execute code on your computer, potentially gaining control of it

§ What to do: Download and install the latest version of Adobe Shockwave Player

Exposure:

Adobe Shockwave Player displays interactive, animated web content called Shockwave (.SWF) files. According to Adobe, Shockwave Player is installed on some 450 million PCs.

In a security bulletin released late Tuesday, Adobe warned of critical vulnerabilities that affect Adobe Shockwave Player 11.5.1.601 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin refers to five CVE numbers, which suggests that their update fixes five security vulnerabilities. The bulletin doesn’t describe the flaws in much technical detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Shockwave (SWF) content, he could exploit one of these unspecified vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit these flaws to gain full control of their PCs.

If you deploy Adobe Shockwave throughout your network, we recommend you download and install the latest version as soon as you can.

Solution Path

Adobe has released a new version of Shockwave Player, version 11.5.2.602. If you use Adobe Shockwave Player in your network, we recommend you download and deploy this updated player as soon as possible.

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

§ Adobe Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP.


As we all know, Carbonite is dirt cheap, and although I have issues with it and would not recommend it, there are clearly a large number of people who do. Recently, however, a growing chorus of concern about statements in Carbonite’s Terms of Service and Privacy Policy has reached the general public.

“Carbonite may disclose your Personal Information to third parties if we believe that such action is necessary to (1) comply with a law, regulation, or governmental or judicial warrant, rule, or order; (2) protect and defend the rights or property of Carbonite; (3) enforce the Carbonite Terms and Conditions of Use and/or this Privacy Policy. Carbonite may also provide access to your Backup Data to government authorities if Carbonite suspects or believes that the data contain child pornography or other prohibited data, or that the data or the Carbonite Products or Services are being used for illegal purposes. Carbonite will provide access to your Backup Data to your surviving spouse and/or your executor upon presentation of a death certificate and identification which Carbonite reasonably believes to be valid and sufficient, or in response to a court order, warrant, subpoena or other judicial or administrative legal process.”

http://www.carbonite.com/privacy/

The above statement that Carbonite can and will provide access to stored, encrypted data is an obvious concern, but it could also violate Federal regulations on data security. For example, the only way I can see a medical office storing data with an online service is if they can show there is no possible path to that data becoming compromised. With eSecureBackups we are secure in the belief that all data is encrypted locally with a key that only the local computer (keyfile) or the user knows.

Your pass phrase is encrypted twice before it is stored on the server to prevent anyone but you from recovering the stored pass phrase. The system is designed so that recovering a pass phrase requires action from two people: the person who created the key and a senior-level server technician. Neither person can recover the pass phrase without the cooperation of the other. The system is also designed so that only the creator of the pass phrase can view it once it is recovered. Data blocks are compressed, encrypted with 256-bit AES using your private pass phrase, digitally signed for integrity verification upon restore, and tagged with multiple strong checksums to provide data integrity assurance. The encrypted data is then encrypted again in transit over the Internet, until it reaches one of the secure data centers.

Per the Carbonite paragraph, they are clearly saying they have the ability to bypass encryption. If data can be accessed by a third party, whether through a legal warrant or a nefarious act, then the requirements of HIPAA or PCI would prevent most businesses from using such services. With eSecureBackups the pass phrase is wrapped twice, using only data known to the end user as one of those protections. Because the wrapping relies on specific questions and answers known only to the end user, the pass phrase cannot be recovered by anyone else, and without the pass phrase the data cannot be decrypted.

Bottom line: just because a service says your data is secure or encrypted, it is still up to the end user to do some basic checking of how the process is designed to work, whether it actually works that way, and how any regulatory requirements may apply. Also, for the true security geek or the totally paranoid, nothing prevents you from encrypting your data manually with a third-party application such as TrueCrypt before using an online service.


SMBs often do not see the big picture, and many tend to ignore the five immutable laws of SMB security, which are:

  • Small is not invisible
    Many SMB owners believe they are safe because they’re too small to be interesting to cybercriminal organizations. Nothing could be further from the truth. Cybercriminals target SMBs because they are easier to penetrate than large businesses. Some intruders successfully penetrate SMBs for years at a time before being detected, quietly siphoning off valuable information.
  • It’s not about threats. It’s about security
    Too often, SMBs focus on specific threats and not the "big picture" about protecting their businesses. There’s more to security than firewalls and intrusion protection devices. Too often SMBs can fall into a classic trap by responding to individual threats with knee-jerk reactions rather than examining their entire security stance.
  • Know what you need to protect
    Every SMB has a unique environment and, with that, unique security vulnerabilities. SMBs must understand the risks in their environment before they can effectively protect against them. The best way to do this is to work with a professional risk assessment team. This assessment will tell SMBs exactly what their risks are and how they can take steps to mitigate them.
  • To collaborate, you must mitigate
    Today, as the price of doing business, many SMBs open their networks to partners and customers to achieve efficiencies and value-add through electronic collaboration. But these external partnerships introduce new security and compliance risks. SMBs must understand and mitigate these risks as part of their collaboration strategy.
  • You don’t have to go it alone
    Most SMBs cannot afford to pay a team of round-the-clock security experts. Partnering with an expert security outsourcing company can deliver big-company protection at a small-company price. However, every business market has unique security and compliance challenges, so it is critical to partner with a security outsourcing company that also understands the SMB’s business model.


If you haven’t caught the news, it appears the Cash For Clunkers website has what must be the strangest, or maybe scariest, User Agreement statement I’ve ever seen on a site. Below is a screen capture as well as the text from the site:


Today, Microsoft released a security advisory warning of a serious unpatched DirectX vulnerability, which attackers have already begun exploiting on the Internet. The vulnerability affects DirectX 9.0 (and earlier versions) running on Windows 2000, XP and Server 2003 computers. It does not seem to affect DirectX 10 running on Windows Vista or Server 2008 computers.


Well, did you know that many network printers have the ability to hold print jobs and only release them when a security code is entered on the printer itself? This means you just print to the network printer, enter a code to hold the document, and then, when you’re ready, go to the printer, enter the security code, and out come your print jobs.
