Windows system admins will be busy again tomorrow, Patch Tuesday
August 13, 2012
Tomorrow is Patch Tuesday again, and as always, Windows system admins will be busy as Microsoft rolls out its latest security and bug fixes for no fewer than five very critical security vulnerabilities across all its PC and server operating systems, as well as Internet Explorer.
And as if all that wasn't enough, Adobe will also issue its own security patches tomorrow for similar bugs in its Reader and Acrobat programs.
As part of its monthly Patch Tuesday update, Microsoft plans to release no less than nine security bulletins on August 14, 2012. Five of those nine bulletins have been designated as "very critical", Microsoft's highest security rating for its OSs.
Those five critical bulletins address serious security vulnerabilities in several different Microsoft operating systems and their related software, including Windows, Internet Explorer, Microsoft SQL Server and Microsoft Exchange Server.
"August is a mixed bag of critical bulletins, which affects workstations, browsers, servers and productivity products," said Rapid Seven security analyst, Marcus Casey.
"Bulletin one is rated critical and will address Internet Explorer versions 6, 7 and 8. Browser bulletins always deserve some important attention since client-side browser attacks are the de facto standard way to compromise corporate networks," added Casey.
The most significant vulnerability affects Microsoft Exchange Server 2007 and Exchange Server 2010. The issue, which involves the way various files are analyzed in the software, could allow a hacker to gain full remote control of a targeted system.
This would give the hacker the power to install all kinds of viruses and malware, and then spread them across a whole corporate network. When hackers learn of an opportunity to remotely infiltrate a network in that manner, "it's music to their ears," Casey said.
"They could see a potential for remote discovery, remote exploitation and propagation of attacks since Microsoft Exchange Server is used quite a bit in some organizations' communications," Casey said.
"And make no mistake-- email servers are prime targets for exploitation in the hacking community," added Casey.
For its part, Adobe's various fixes for its Acrobat and Reader software will also be released tomorrow, affecting both Mac OS X and Windows versions of its software.
The company reports that its security patches this time around should be considered "critical" as well.
Some observers in the internet security community have reported that a hacker exploiting certain vulnerabilities in Acrobat or Reader could execute malicious native code.
But Adobe claims that there have been no reports indicating that hackers have successfully exploited those bugs, which the company refuses to identify publicly.
In other internet security news
National Security Agency chief General Keith Alexander's first-ever direct appeal to hackers to assist the secretive spy agency was greeted with polite applause at the DefCon Conference in Las Vegas on Friday. But afterwards, it was a different story...
"You're going to have to come in and help us," Alexander told DefCon attendees. The NSA boss, dressed down in jeans and a t-shirt for the occasion, also denied that his agency kept files on "millions of Americans."
"The people who would say we are doing that should know better. That is absolute nonsense," Alexander said, referring to former NSA employees who have told the media that the agency does just that.
DefCon founder Jeff Moss told the crowd that he asked Alexander to speak at the conference to educate conference guests about the NSA, which he described as one of the "spookiest, least known" organizations in the world.
After reports of Alexander's appearance started making the rounds, skeptics took to online forums to express their doubts about helping the NSA make the Internet more secure "from exploitation, disruption, and destruction."
On Wired's Threat Level blog, for example, commenters questioned Alexander's playing down of the information the agency keeps on Americans; one advised potential NSA recruits that if they "have any sense at all they will run a mile from this guy."
The NSA also had a booth at DefCon for the first time. There was no small irony in its location next to one run by the Electronic Frontier Foundation (EFF), a non-profit concerned with Internet freedom and privacy issues that is currently suing the U.S. government spy agency over allegedly illegal wire taps of phone calls by American citizens.
As could be expected, representatives for the NSA and the EFF declined to discuss that litigation.
Alexander's appeal to hackers focused on protecting the free flow of information on the Web from attacks by international hackers like the denial-of-service (DoS) attacks by Anonymous and other groups that have temporarily knocked prominent websites and even Sony's entire PlayStation Network offline in recent years.
Alexander is actually calling for more than just an early warning system provided by the hacker community, however. At DefCon, Alexander pushed for a complete overhaul of the Internet's U.S. infrastructure to enable the NSA to "know instantly when overseas hackers might be attacking public or private infrastructure and computer networks," according to MIT's Technology Review.
Alexander said the NSA is pushing as hard as it can for new legislation in Congress that would enable the private sector to more easily alert the NSA and law enforcement agencies about cyberattacks. The NSA is also collaborating with more than a dozen U.S. defense contractors to test early-warning technology in a program called the Defense Industrial Base (DIB) Cyber Pilot that sends alerts to the agency the instant one of the security systems run by the private companies is breached.
That's all part of an effort to get around restrictions on monitoring Internet activity that the NSA, the FBI, and other U.S. law enforcement agencies must abide by.
"We do not sit around our country and look in. We have no idea if Wall Street is about to be attacked," Alexander told the DefCon crowd, according to Technology Review.
In other internet security news
Prosecutors in the U.K. today said they will charge eight journalists with illegally eavesdropping on voice mail, a decision that could have strong implications for media mogul Rupert Murdoch.
British Prime Minister David Cameron's former director of communications Andy Coulson is among eight journalists facing charges, as is Rebekah Brooks, the former chief executive of Murdoch's News International.
The names of the hacking victims announced by the Crown Prosecution Service include some of the world's biggest celebrities, including Angelina Jolie, Brad Pitt, Paul McCartney, soccer star Wayne Rooney, and actor Jude Law.
Coulson and Brooks are former editors of the defunct Murdoch tabloid the News of the World, which was shut down in late 2011 in the face of public outrage at the hacking scandal.
Six other journalists were also charged, Alison Levitt of the Crown Prosecution Service announced, while three will not be prosecuted. The CPS is still waiting to decide about two other cases, she said.
Coulson resigned as editor after an earlier round of the phone-hacking scandal involving the paper's royal correspondent Clive Goodman and private investigator Glenn Mulcaire.
They were sent to prison for hacking into the voice mails of staffers working for Prince William and Prince Harry. Coulson said he knew nothing about the hacking but resigned because he was editor of the paper at the time.
He was later hired to be communications director for David Cameron, a move which Cameron's critics say was bad judgment on his part.
Coulson quit the post in Cameron's office last year when police opened a new investigation into phone hacking after accusations that it went far beyond Goodman and Mulcaire.
Brooks went on to become chief executive of News International after her time at News of the World and is seen as personally close to Rupert Murdoch. She quit News International, the British newspaper publishing arm of News Corp., amid the scandal last summer.
Murdoch recently resigned from a number of positions within News Corp., his global media empire, as the company began moves to separate its entertainment and publishing arms following the scandal.
British police have been investigating phone-hacking by people working for Murdoch since January 2011 and have arrested dozens on suspicion of phone hacking, computer hacking and corruption.
The scandal exploded with the revelation that one of the hacking victims was Milly Dowler, a 13-year-old British girl whose phone was hacked after she disappeared in 2002. She was later found murdered.
The Met Police continues its investigation into claims of phone hacking, known as Operation Weeting. A parallel police operation is investigating claims of inappropriate payments to police and public officials. Those crimes were also committed in 2011.
Prime Minister David Cameron established a separate independent judge-led inquiry into media ethics, the Leveson Inquiry, following the news of the hacking of Milly Dowler's voice messages.
Cameron and other senior present and ex-government figures have been called to testify before the inquiry, as have News Corp. media baron Rupert Murdoch and his former UK deputy, Rebekah Brooks.
Milly Dowler's parents told the inquiry in November how phone hacking on behalf of News of the World had given them false hope their missing daughter was still alive.
In fact, the messages had been accessed by a private investigator working for News of the World, Dowler's father, Bob, told the inquiry panel. Milly Dowler had already been murdered by then.