InfoSec News

Microsoft?s November 2011 Patch Tuesday security update features four bulletins, one critical, but no patch for the kernel-level vulnerability exploited by the Duqu Trojan.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Adobe will cut 750 jobs and reduce its investment in enterprise software as part of a broader plan to target the fast-growing markets for digital media and digital marketing products, the company said Tuesday.
New Relic is adding server monitoring to its Web application performance service, it announced Tuesday.
Online video advertising network ScanScout has agreed to settle U.S. Federal Trade Commission charges that it wrongly claimed that consumers could opt out of receiving targeted ads by changing their computer's browser settings to block cookies.
AT&T's assertions that its planned acquisition of T-Mobile USA will create up to 96,000 new U.S. jobs are "completely unfounded" and contrary to past evidence of similar mergers, one economist said Tuesday.
Yahoo, AOL and Microsoft have partnered to pool their display ad inventories and integrate their sales platforms so that they can offer each other's ads.
A new Citrix SDK helps Windows software developers solve a big problem: How to extend desktop apps to the iPad and iPhone in a way that doesn't turn off mobile users.
I was looking through the program for an upcoming cloud computing conference and noted a number of sessions devoted to negotiating contracts and service level agreements (SLAs) with cloud providers. Reading the session descriptions, one cannot help but draw the conclusion that carefully crafting an SLA is fundamental to successfully using cloud computing.
The Defense Advanced Research Projects Agency (DARPA) had a big hand in creating the Internet and now its wants to get serious about protecting it.
Joel pointed out that Apple had joined the black Tuesday update frenzy this month with an update for Java:
Snow Leopard gets Java for Mac OS X 10.6 Update 6, while Lion gets Java for Mac OS X 10.7 Update 1. Both essentially update to Java SE 6 to 1.6.0_29.
The CVE names that are fixed are:


More on the Apple security updates:http://support.apple.com/kb/HT1222

Swa Frantzen -- Section 66
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The National Initiative on Cybersecurity Education (NICE) has published for public comment a draft document that classifies the typical duties and skill requirements of cybersecurity workers. The document is meant to define professional ...
The National Institute of Standards and Technology (NIST) has released for public comment a draft 'roadmap' that is designed to foster federal agencies adoption of cloud computing, support the private sector, improve the information ...
The National Institute of Standards and Technology (NIST) has agreed to work with the Department of Education and a new organization, the National Cybersecurity Education Council (NCEC), to develop a strategic public-private partnership ...
Palo Alto Networks' data indicates polymorphic malware remains a favorite tool for attackers trying to avoid detection by signature-based antivirus software.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
T-Mobile USA will sell the 4G Samsung Galaxy Tab 7.0 Plus tablet using an unusual payment scheme: After a $250 down payment, buyers will make 20 monthly payments and be required to sign up for a two-year wireless plan.
A Google executive was quick to fire back at Facebook co-founder Mark Zuckerberg's description of Google+ as 'their own little version of Facebook.'
Microsoft today delivered four security updates that patched four vulnerabilities in Windows, most of them affecting the newer editions of Vista and Windows 7.
Despite some lingering technology issues, Hadoop is ready for enterprise use, IT executives said Tuesday at the Hadoop World conference here.
A group of GPS vendors and users has asked the U.S. Federal Communications Commission to permanently block LightSquared from using the upper band of its licensed radio spectrum for a cellular data network.
The lawsuit between Oracle and third-party support provider Rimini Street has heated up further, with new allegations that Oracle is "abusing" the pre-trial discovery process and using "scare tactics" against customers in order to hurt Rimini Street's business.
[SECURITY] CVE-2011-3376 Apache Tomcat - Privilege Escalation via Manager app
osCSS2 "_ID" parameter Local file inclusion
[security bulletin] HPSBHF02706 SSRT100613 rev.1 - HP Integrated Lights-Out iLO2 and iLO3 running SSL/TLS, Denial of Service (DoS), Unauthorized Modification
Adobe has released 1 bulletin today.
This updates Adobe products to the following versions:

Shockwave Player

Known Exploits
Adobe rating

Multiple memory corruption vulnerabilities in the shockwave player allow random code execution.

Shockwave player






Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Overview of the November 2011 Microsoft patches and their status.

Contra Indications - KB
Known Exploits
Microsoft rating(**)
ISC rating(*)


An integer overflow in the TCP/IPstack allows random code execution from a stream of UDPpackets sent to a closed port. Permission for the attacker are at kernel level.

Replaces MS11-064.

Windows TCP/IP

KB 2588516
No publicly known exploits.


An input validation vulnerability in the parsing of true type fonts allows a denial of service from users with valid credentials.

Replaces MS11-077.

Kernel mode drivers

KB 2617657

No publicly known exploits.


Less Urgent

Inappropriate path restriction allows Windows Mail and Windows Meeting Space to be exploited into executing random code with the rights of the logged on user.

Yet another vulnerability related to SA 2269637.

Windows Mail Windows Meeting Space

KB 2620704

No publicly known exploits



If Active Directory is configured to use LDAPover SSL, an attacker having a revoked certificate that is associated with a valid domain account, could get authenticated.

Replaces MS10-068.

Active Directory

KB 2630837

No publicly known exploits


rereleased MS11-037
Rereleased for XP and Server 2003. To quote Microsoft's FAQ: The new offering of this update provides systems running Windows XP or Windows Server 2003 with the same cumulative protection that is provided by this update for all other affected operating systems.

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.


Swa Frantzen -- Section 66 (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Rene wrote in to point out that Firefox 8 is released.

Release notes are at http://www.mozilla.org/en-US/firefox/8.0/releasenotes/
Security fixes are documented at http://www.mozilla.org/security/known-vulnerabilities/firefox.html#firefox8

Predictably, Thunderbird 8 got also released:

Release notes:https://www.mozilla.org/en-US/thunderbird/8.0/releasenotes/
Security fixes:http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html#thunderbird8


Swa Frantzen -- Section 66
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Apple's App Store can be stocked with malware-infected apps by exploiting a bug in iOS, a noted security researcher said Monday.
IPv6 security (slides and training)
Cisco CUCM - Multiple Vulnerabilities
New online security challenge - GotWurzel
[SECURITY] [DSA 2340-1] postgresql security update
After Facebook hit a wall and lost 6 million U.S. users last May, the social network has been slowly coming back.
On Wednesday at 2 p.m. ET, U.S. radio and television stations will break away from regular programming to broadcast emergency warnings, but it'll be a practice exercise.
Google has lost the man who has led its government relations efforts in the Americas for more than six years, at a time when the company's operations face intense scrutiny from legislators and regulators.
[SECURITY] [DSA 2339-1] nss security update
[SECURITY] [DSA 2338-1] moodle security update
foofus.net security advisory - Lexmark Multifunction Printer Information Leakage
Rackspace is making some updates to RackConnect, an offering designed to let businesses securely connect and run applications across private and public cloud services.
MediaTek, a designer of software and chipsets for low-end phones, will work with Facebook on a social networking application for feature phones, the chip company said on Tuesday.
Software AG's WebMethods middleware and ARIS process modeling tools are now certified for deployment on Amazon's Elastic Compute Cloud and VMware, the company announced Tuesday as part of an update on its overall cloud strategy.
Salesforce.com's reach is about to get wider both in terms of functionality and target audience with the arrival of Do, a project management application announced in public beta on Tuesday.
Thomson Reuters has said it made a mistake with the fast launch speed of a billion dollar desktop product for financial traders, called Eikon.
Monday's introduction of another low-priced rival to the iPad won't keep anyone at Apple's California HQ up nights, analysts said.
Your "clever" Twitter campaign has become a PR disaster and threatens to turn into an online firestorm. We offer some advice on how to recover from a social media mistake.
Cisco is acquiring a minority stake in a subsidiary of KT, a South Korean telecommunications services company, which will offer managed services for smart buildings and smart city projects from January.
Latest news, features and more on Hadoop.
Over the next two years, about 30% of midsize businesses will be using a recovery in the cloud service aimed at replicating and restoring virtual machine instances, according to Gartner.
Republic Wireless on Tuesday launched a limited beta program of its $19-a-month hybrid wireless service using, to start, the LG Optimus smartphone running Android 2.3.
NetApp today announced an addition to its Fabric-Attached Storage 2000 family of arrays: the FAS2240, which scales to 432TB of capacity and has a starting price of $7,500
Internet Storm Center Infocon Status