[SECURITY] [DSA 3021-1] file security update

Two significant vulnerabilities affecting a wide range of systems that couldn't be patch fast enough were released in the past few months. The simple solution for both issues was to find and to patch. However, if the site audit policy is inadequate, finding these systems became a daunting task. It became clear that regularly auditing a network is a necessity, having a baseline you can rely on and an accurate software inventory is critical when dealing with issues like; how many systems are using Bash or might have OpenSSL embedded in them is paramount.

Ways that can be used to address and fix known vulnerabilities; and help detect suspicious activity:

1- Identify the risks, if software patch it. If it is the enterprise's "crown jewels", make sure they are well protected. Remember, this a repetitive process that need to be reviewed at regular interval.
2- Defense-in-depth from the perimeter to the host and regularly test and verify its accuracy
3- If you own an IDS/IPS, turn off old signatures that fire on old software. They just "fatigue" the analysts and detract them from the real attacks
4- Set up a SIEM to centralize logging and alert on events that have been identified as serious risks and/or unusual activity

Dealing with Bash will eventually be coming to an end. If you already have a simple and easy method for auditing and keeping an accurate host software inventory, we would like to hear from you. Using your method, how quickly were you able to identify all the vulnerable network devices?

[1] http://heartbleed.com/
[2] https://isc.sans.edu/forums/diary/Attention+NIX+admins+time+to+patch/18703
[3] http://nmap.org/
[4] http://www.open-audit.org/
[5] http://www.openvas.org/


Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Despite Apple's recent missteps in patching iOS 8, iPhone and iPad users may want to upgrade to the Apple's latest available mobile operating system to fix some serious security issues.

Among the most critical is a vulnerability — CVE-2014-4377 — in how iOS processes PDF files as images. An attacker who exploits the flaw could use a malicious Web page viewed by the user in Safari to run code on the victim's device, according to a description of the problem posted this week by Argentinian security consultancy Binamuse.

A proof-of-concept attack is "a complete 100% reliable and portable exploit for MobileSafari on IOS7.1.x," Felipe Andres Manzano, principal consultant at Binamuse, stated in the company's analysis.

Read 7 remaining paragraphs | Comments

Internet Storm Center Infocon Status