SANS Internet Storm Center, InfoCON: green

SANS Internet Storm Center, InfoCON: green http://isc.sans.edu en-us Sat, 04 Feb 2012 01:48:03 +0000 Sat, 04 Feb 2012 00:58:01 GMT (C) SANS Institute 2012 isc rss feed maker 30 handlers@sans.org (ISC Handlers) SANS Internet Storm Center, InfoCON: green http://isc.sans.org/images/status.gif http://isc.sans.org Apple Security Advisory 2012-001 v1.1, (Sat, Feb 4th) http://isc.sans.edu/diary.html?storyid=12532&rss http://isc.sans.edu/diary.html?storyid=12532&rss Below is the security advisory and we will link to the advisory once it is available on Apple's website.

APPLE-SA-2012-02-03-1 Security Update 2012-001 v1.1

Security Update 2012-001 v1.1 is now available

for Mac OS X v10.6.8 systems to address a compatibility

issue.

Version 1.1 of this update removes the ImageIO security

fixes released in Security Update 2012-001.

OS X Lion systems are not affected by this change.

Update #1:
Apple Support shows there were 3 different issues which were corrected in ImageIO in the original Security Update information located at http://support.apple.com/kb/HT5130.
Elsewhere, it appears that there are a number of users of OS XLion which had problems after applying the original update as reported in Apple Support forums, 9to5Mac, and thevarguy.com. The Security Advisory only mentions OS X Snow Leopard, so I am not sure that the two issues are related or just coincidental. Stay tuned for more information.
----
Guy Bruneau Scott Fendley (ISC Handler On Duty) (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Sat, 04 Feb 2012 00:58:01 GMT Sophos 2012 Security Threat Report, (Fri, Feb 3rd) http://isc.sans.edu/diary.html?storyid=12526&rss http://isc.sans.edu/diary.html?storyid=12526&rss - Smartphones and tablets causing significant security challenges

- Major data breaches and targeted attacks on high-profile companies and agencies

- Hacktivism - A shift from hacking for money to hacking as a form of protest or to prove a point

- Conficker worm is still the most commonly encountered pieces of malicious software seen is Sophos customers

- Fake antivirus software is still the most common type of malware but in second half of the year appears to be on the decline

- Spearphishing attacks on the rise
Despite all this, some successes On March 16, 2011 a coordinated effort known as Operation b107 between Microsoft, FireEye, U.S. federal law enforcement agents and the University of Washington knocked Rustock offline. [1] The entire report available here.
Handler Mark published a diary on some of the things to take in consideration When your service provider has a breach. [3]
[1] http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-07.aspx

[2] http://www.sophos.com/en-us/security-news-trends/reports/security-threat-report/html-01.aspx

[3] https://isc.sans.edu/diary.html?storyid=10651

[4] http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf
Data breach diaries reported by ISC in 2011:
[1] Wordpress.com https://isc.sans.edu/diary.html?storyid=10729

[2] RSA Breach https://isc.sans.edu/diary.html?storyid=10609

[3] Lockheed Marting https://isc.sans.edu/diary.html?storyid=10939

[4] Sega Pass https://isc.sans.edu/diary.html?storyid=11065

[5] SonyPictures https://isc.sans.edu/diary.html?storyid=10996

[6] DigiNotar SSL Breach (result = bankruptcy) https://isc.sans.edu/diary.html?storyid=11479

[7] GlobalSign https://isc.sans.edu/diary.html?storyid=12205

[8] Stratfor Global Intelligence https://isc.sans.edu/diary.html?storyid=12271
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Fri, 03 Feb 2012 22:34:15 GMT ISC StormCast for Friday, February 3rd 2012 http://isc.sans.edu/podcastdetail.html?id=2302, (Fri, Feb 3rd) http://isc.sans.edu/podcastdetail.html?id=2302 http://isc.sans.edu/podcastdetail.html?id=2302 Fri, 03 Feb 2012 06:25:05 GMT Critical PHP bug patched, (Fri, Feb 3rd) http://isc.sans.edu/diary.html?storyid=12520&rss http://isc.sans.edu/diary.html?storyid=12520&rss PHP fixed the issue not by introducing a new hash function, but instead it limited the number of input parameters. Just like the php hardening patch suhosin did all along, PHP now supported a max_input_var parameter to limit the number of input parameters a request may send. The default limit was set to 1,000, plenty for most web applications.
Sadly, the fix was implemented incorrectly, and introduced a more severe vulnerability, a remote code execution vulnerability. Thats right: An attacker could craft a request, that will execute code on a web server running PHP 5.3.9.
Today, the PHP team released PHP 5.3.10 to address the issue.
If you are running PHP 5.3.9: PATCH NOW! This is a very critical bug
If you are running PHP 5.3.8: DO NOT UPGRADE TO 5.3.9. I would actually recommend that you wait.
Additionally, try to enable Suhosin if at all possible. There is a slight performance hit, but it is unlikely to break your web application unless you are already tight in resources. Many Linux distributions include Suhosin, so it may be pretty easy to set up.
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

Twitter (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Fri, 03 Feb 2012 05:40:36 GMT New Poll - What security issue concerns you the most this year?, (Fri, Feb 3rd) http://isc.sans.edu/diary.html?storyid=12517&rss http://isc.sans.edu/diary.html?storyid=12517&rss Fri, 03 Feb 2012 01:19:27 GMT PHP 5.3.10 Released, Fixes CVE-2012-0830 available for download http://www.php.net/archive/2012.php#id2012-02-02-1, (Fri, Feb 3rd) http://isc.sans.edu/diary.html?storyid=12514&rss http://isc.sans.edu/diary.html?storyid=12514&rss Fri, 03 Feb 2012 00:56:37 GMT ISC StormCast for Thursday, February 2nd 2012 http://isc.sans.edu/podcastdetail.html?id=2299, (Thu, Feb 2nd) http://isc.sans.edu/podcastdetail.html?id=2299 http://isc.sans.edu/podcastdetail.html?id=2299 Thu, 02 Feb 2012 05:06:11 GMT Apple and Apache security fixes and releases, (Wed, Feb 1st) http://isc.sans.edu/diary.html?storyid=12502&rss http://isc.sans.edu/diary.html?storyid=12502&rss
security update 2012-001 for Snow Leopard (Mac OS X 10.6) and Snow Leopard server
update for Lion and Lion server (Mac OS X 10.7.2 - 10.7.3)
remote desktop 3.5.2 client
server admin tools 10.7.3

http://support.apple.com/kb/HT1222

10.7.3:http://support.apple.com/kb/HT5048

server admin tools:http://support.apple.com/kb/HT5050

Apache HTTP Server 2.2.22 Released

This version of Apache is principally a security and bug fix release, including significant security fixes:
http://httpd.apache.org/security/vulnerabilities_22.html
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.]]> Wed, 01 Feb 2012 22:02:51 GMT Oracle Security Alert: http://www.oracle.com/technetwork/topics/security/alert-cve-2011-5035-1506603.html, (Wed, Feb 1st) http://isc.sans.edu/diary.html?storyid=12499&rss http://isc.sans.edu/diary.html?storyid=12499&rss Wed, 01 Feb 2012 21:40:25 GMT