Oracle dropped a bomb today on DBAs everywhere: the January 2012 CPU addresses 79 vulnerabilities! Affected Oracle products range from the 10g and 11g releases of Oracle Database, to WebLogic, VirtualBox, and even MySQL. One of the Oracle Database patches fixes a vulnerability that is remotely exploitable without authentication. In other words, PATCH NOW! (After testing, of course.)Read more
Adobe has released updates for the Acrobat suite of products. The update fixes over two dozen vulnerabilities[adobe.com], at least one of which is being actively exploited. The version number of the fixed Acrobat and Acrobat Reader products are 9.2, 8.1.7, and 7.1.4.
What is more damning than the 29 vulnerabilities fixed is that it appears that many of the vulnerabilities have existed since the Acrobat 7.x and are just now being discovered and/or addressed. I have a suggestion for Adobe: Get your developers some secure coding training. Stop all coding at your company until all your developers have taken one month of secure coding classes.
Another Adobe Acrobat vulnerability is being exploited in the wild. All versions up to and including 9.1.3 are vulnerable. The current exploit targets Acrobat and Acrobat Reader on Windows specifically, but all Acrobat variants (those for Linux and Mac OS X) are vulnerable. Apparently, using DEP (Data Execution Prevention) in Windows may thwart the attack (at the moment). DEP is an optional setting. Here is the Microsoft KB article about DEP, but their server is saying it’s “too busy” at the moment (4:11p). More information from the ISC is here.
Adobe is set to release an update on October 13. Until then, keep on your toes!
TRUE Network Security Monitoring customers: rest easier: if your resources are successfully attacked, we should see the results.
You know it’s a bad week when circumstances warrant two Security Advisory posts. There is a zero-day vulnerability making the rounds that affects Adobe Acrobat and Acrobat Reader versions 9. The exploit arrives in a PDF file and exploits the ability of Acrobat to run JavaScript embedded in PDF files. The vulnerability can be completely mitigated by disabling the execution of JavaScript in PDF files (such a PDF is very rare, anyways).
Unfortunately, there is no easy way to affect this Acrobat configuration change across all of your corporate PCs at once. It does make me wish that Adobe provided a Active Directory Group Policy plug-in to enforce certain configuration settings on a domain-wide basis.
Suggestions:
By far the quickest, easiest and likely (at this point) most-effective action you can take is to notify your users via e-mail as I describe in
suggestion #2.
Microsoft recently released a patch for security issue MS09-002 which is a vulnerability in Internet Explorer 7 that allows remote code execution. There is now an exploit in the wild for this vulnerability. The current version of this exploit steals personal data and exfiltrates it to a remote site. I would expect that RBN and BotNet infection vectors would also appear in short order.
If you are one of our NSM customers, please be assured that our NSM processes will be looking for this exploit code and we will be alerting you as necessary; however, this is a new exploit and is likely to change quickly as different malicious entities obtain the exploit code and change it to fit their nefarious needs. As such, it will be difficult to detect all versions of the exploit for several days.
I want to encourage you to ensure that all workstations on your corporate network are patched against this vulnerability, if at all possible. This occasion is an excellent reminder that it is always a good idea to update workstations (not servers) within one or two days of Microsoft’s Patch Tuesday security releases.
If you have no method of pushing patches to machines, I would encourage you to send an e-mail to your users reminding them to refrain from visiting non-business-related websites as much as possible to reduce the risk of infection by this (and other) exploits.
The patch for MS09-002 is available via Windows Update and/or Windows Software Update Services (WSUS) if your organization distributes patches internally.
