April 12 will be a record Patch Tuesday with 17 security issues fixed
April 8, 2011
Microsoft said earlier this morning that it is preparing a new Patch Tuesday record of no fewer than 17 security bulletins, nine rated critical and eight classified as important, as part of the April edition of its regular monthly updates, which are always released on a Tuesday.
Next Tuesday's security update batch for Windows computers and servers will collectively address a total of 64 security vulnerabilities. Security holes in Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, .NET Framework, Windows Server 2003 and Windows Server 2008 will all be patched.
Among next Tuesday's fixes is a critical SMB Browser flaw that affects all versions of Windows. Vulnerability scanning firm Qualys warns that all supported versions of Office and Windows will need updating, a task likely to mean plenty of overtime for sysadmins.
"This is a huge update and system administrators should plan for deployment as all Windows systems including Server 2003 and 2008 and Windows 7 are all affected by critical security bulletins," said Amol Sarwate, manager of the Vulnerability Research Lab at Qualys.
Frequently used office software such as Excel 2003 through 2010 and PowerPoint 2002 through 2010 is also critically affected.
Microsoft also released 17 bulletins in December 2010, but those addressed a total of 40 flaws, fewer than the 64 due to be fixed next Tuesday, and only two of the end-of-year bulletins were deemed critical.
The April edition is therefore a much bigger concern than the December batch, and far in excess of the standard Patch Tuesday fare, which probably averages three to four bulletins a month.
In other security news...
RSA has provided more data on the high-profile attack last October against its servers behind the EMC division's flagship SecurID two-factor authentication product.
RSA was highly criticised by the Internet security community two weeks ago for its refusal to discuss the attack, aside from warning that the security of SecurID might be reduced. The security company finally broke its silence a few days later and provided a fair amount of detail on how it was attacked in the first place.
What it didn't say is what was taken, a topic that still remains the subject of a lot of concern and speculation.
The attack itself involved a targeted phishing campaign that used a Flash object embedded in an Excel file. The recipients were probably selected after reconnaissance on social networking sites, and the assault was ultimately aimed at planting back-door malware on RSA's servers, according to a blog post by Uri Rivner, head of new technologies, identity protection and verification at RSA.
In this incident, the attacker sent two different phishing emails over a two-day period to two small groups of employees. These users would not normally be considered particularly high-profile or high-value targets. The email subject line read "2011 Recruitment Plan".
The email was convincing enough to fool at least one employee, who retrieved it from his junk mail folder and opened the attached Excel file, a spreadsheet titled "2011 Recruitment plan.xls".
The spreadsheet contained a zero-day exploit for an Adobe Flash vulnerability (CVE-2011-0609) that installed a backdoor. Adobe has since released a security patch for the flaw, so it can no longer be used to inject malware on patched machines.
Rivner compared the attack to stealth bombers getting past RSA's perimeter defences. He said many other high-profile targets, such as those in the Operation Aurora attacks, had already been hit by such "Advanced Persistent Threats", an Internet security industry buzzword that often boils down to a combination of targeted phishing and malware.
In the case of the RSA attack on its servers, the assault involved a variant of the Poison Ivy Trojan. Once inside the network, the attacker carried out privilege elevation attacks to gain further access to higher value administrator accounts.
So-called 'stepping stone attacks' allow hackers to move from a compromised low-interest account to accounts with far more privileges before carrying out the end purpose of a multi-stage assault, normally the extraction of commercially or financially sensitive information.
Even though RSA detected the attack in progress, hackers still managed to make off with quite a bit of sensitive information, Rivner has confirmed.
In this incident, the attacker first gained access to staging servers at key aggregation points, most likely in preparation for data extraction at a planned later date. The attacker then went into the servers of interest, removed the data and moved it to internal staging servers, where it was aggregated, compressed and encrypted for extraction and delivery outside the RSA network.
The attacker then used FTP to transfer many password-protected RAR files from the RSA file server to an external staging server, a compromised machine at a hosting provider. The files were subsequently pulled down by the attacker and deleted from the compromised host to remove traces of the attack.
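A defender-side illustration of the exfiltration pattern described above (archives bulk-uploaded from an internal staging host to an external server over FTP), as an added example that is not from the article or from RSA. The log format, host addresses, file names and thresholds are all constructed for the example; password protection of the archives is not visible in transfer logs, so the heuristic keys on archive type, destination and volume.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed FTP-proxy log lines (not from the article or RSA); one STOR per line.
SAMPLE_LOG = """\
2011-03-15T02:11:09 src=10.20.1.15 dst=10.20.5.2 cmd=STOR file=q1_budget.xls bytes=48211
2011-03-15T02:14:41 src=10.20.5.2 dst=203.0.113.77 cmd=STOR file=part01.rar bytes=52428800
2011-03-15T02:19:05 src=10.20.5.2 dst=203.0.113.77 cmd=STOR file=part02.rar bytes=52428800
2011-03-15T02:23:52 src=10.20.5.2 dst=203.0.113.77 cmd=STOR file=part03.rar bytes=31457280
2011-03-15T09:02:17 src=10.20.1.40 dst=198.51.100.9 cmd=STOR file=press_release.pdf bytes=210332
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) cmd=(?P<cmd>\S+) "
    r"file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)
ARCHIVE_EXT = (".rar", ".7z", ".zip")
# Internal space is listed explicitly (RFC 1918) because ipaddress.is_private also covers doc ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_log(text):
    """Parse log lines into dicts, skipping lines that do not match the format."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    for ev in events:
        ev["bytes"] = int(ev["bytes"])
    return events

def find_staged_exfil(events, min_archives=2, min_bytes=50 * 2**20):
    """Return {src: summary} for internal hosts that upload several archive files
    to external addresses with a combined size at or above min_bytes."""
    per_host = defaultdict(lambda: {"archives": 0, "bytes": 0, "dsts": set()})
    for ev in events:
        if (ev["cmd"] != "STOR" or not is_internal(ev["src"]) or is_internal(ev["dst"])
                or not ev["file"].lower().endswith(ARCHIVE_EXT)):
            continue  # keep only archive uploads that leave the internal network
        h = per_host[ev["src"]]
        h["archives"] += 1
        h["bytes"] += ev["bytes"]
        h["dsts"].add(ev["dst"])
    return {src: h for src, h in per_host.items()
            if h["archives"] >= min_archives and h["bytes"] >= min_bytes}

if __name__ == "__main__":
    print(find_staged_exfil(parse_log(SAMPLE_LOG)))
```

Run against real proxy or firewall logs, the same check should also be keyed on off-hours timing and on hosts that normally never initiate outbound FTP.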
So exactly what kind of data was extracted? Nobody seems to know for now. The concern is that SecurID seeds have been lifted, along with the mechanism that links an individual token's serial number to its seed.
It could also be that RSA's database of serial numbers has been compromised as well.
According to RSA, SecurID's two-factor authentication has not been broken in either of these ways, but until RSA explains what was taken and how it affected customers, users will not unnaturally assume the worst.
RSA may well have provided an anatomy of the attack, but it hasn't said what was stolen, akin to a bank describing how the robbers got into the vault without saying what was taken or how much money went missing.