On Tuesday, as seems to be the custom, Microsoft released patches and announced a new zero day in Internet Explorer. MSKB 981374 is a remote code execution in IE6 and IE7. Who know that being on IE5 could ever be a good thing.
The KB says Microsoft released details to venders in their Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) programs in order to provide protection to customers.
Within one hour Zscaler had protection in place for its customers. Zscaler offers web security company in a SaaS model. I would see them competing with Scansafe, Purewire and MessageLabs as well as any company trying to get you to put security appliances on your network for web security (bluecoat). Strangely, I didn’t get email from any of those venders bragging they are protecting their customers against this zero day. If they were protecting their customers would there be any reason not to use it for PR? Its not like they are making a Oracle Unbreakable (or was that Apple Unbreakable) claim.
Posts tagged ‘Apple’
Unicorn sighting
A few weeks ago my officemate posted to Facebook,
I’ve just been told by two different Mac Geniuses that installing an antivirus software could actually make the Mac computer less secure. Unfortunately, both were phone conversations because I’m almost certain they were doing the Jedi mind trick hand motions.
I thought of this today as Graham Cluley tweeted links to a couple of video blogs from last year. Unicorns have been spotted, Malware for the Mac does exist. Now to be fair these examples are largely social engineering. Just because it’s not a zero day doesn’t mean the systems isn’t owned. Fake Codecs and Fake anti-maiware aren’t the exclusive providence of Microsoft Operating Systems.
January Patches
After a fairly light December patching load, January took no prisoners.
Microsoft’s patch Tuesday had just one patch, MS10-001. But they made up for that with an out of band update later in the month MS10-002. They also put out a bulletin warning about old flash installs.
Adobe and Oracle piggybacked on patch Tuesday to release updates as well. Vendors pretend its more convenient for people to get all their patches at once, but Its more about losing their own vulnerability announcements in the crowd. Adobe Reader is installed on most machines, so deploying Reader and Acrobat updates is kind of a big deal.
To keep admins on their toes, Adobe also released security updates for Shockwave and Illustrator.
Real Player kept its name in the news with a security update of its own. While it lacks its once ubiquitous presence, it is another thing to watch for.
Firefox released 3.6. Fortunately , this was about new features not security fixes.
Apple not wanting to feel left out released a mega security update rolling up multiple patches.
Wireshark 1.2.6 came out with a couple of security updates.
If you’re responsible for patching in the enterprise looks like you picked the wrong month to stop sniffing glue.
For home use, I use the Secunia Personal Software Inspector in advanced mode. They are now a bit better about prompting you to exclude directories like i386 to avoid nagging you about things that aren’t a problem.
iPhone (in)security in the enterprise
Just when you thought you’d successfully killed it off, its back. The email from management who is getting pressure from the c levels asking why the iPhone isn’t supported. It comes in on schedule every two month.
“iPhone version 3.1 has solved all the security problems, right?”
Um, no.
“There is now a Wolfram Alpha app for the iPhone. This would really help our business development”
Are you serious?
Who can blame them. Apple and their willing co-conspirators in the tech media have been repeating the mantra. “iPhone 3GS is secure for the enterprise.” Secure or not companies are adopting the iPhone, even to the point of allowing personal devices. Lets summarize what we know and what we dont know about the
Problem 1: Encryption
It is of critical importance to protect data privacy through encryption. iphoneinsecurity.com, a site dedicated to iphone forensics has posted video demonstrating the bypass of the iPhone 3GS encryption.
I suppose some would argue that the evil maid attack allows bypass of Full Disk Encryption on computers so I shouldn’t have my data there either. Of course using a smart card or bitlocker with TPM I could protect myself from this attack.
Problem 2: passcode bypass
The passcode on a iPhone is bypassable
Problem 3: Lack of Central Config Management
Enterprises are used to controlling phone configuration centrally a la through a Blackberry Enterprise Server. iPhones configuration is sort of voluntary. TrustDigital would say they solve that issue. I need to talk with them (again) because I think they can enforce a configuration at the time the iPhone connects to the server, but I dont think they have a permanent enforcement agent. Could be wrong.
Problem 4: patching
While patches can be pushed from the BES, iPhone users need to install each patch individually through iTunes
Problem 5: iTunes
Speaking of iTunes, that isn’t exactly a corporate type product. What if we dont want that on our computers. RIM has worked to make Blackberry work without installing any desktop software in a BES environment.
Problem 6: App Store
Whose account is used in iTunes? Do they use their personal account? In that case the end user really owns any applications purchased by the corporation on that account. When the employee terminates they would essentially walk out with the applications the company owns. If a corporate account is created then the opposite problem occurs.
Problem 7: Jailbroken phones
Jailbroken phones are susceptible to security problems. Besides the ikee worm, they allow unapproved applications to be run, bypassing Apple’s whitelisting security model. How can an enterprise prevent jail broken phones from being used?
Problem 8: Repeaters
Like a lot of company headquarters, ours is like a unintentional Faraday Cage. We’ve had to put up repeaters for Verizon and Nextel. Are we supposed to pony up and install AT&T repeaters?
While the iPhone remains exceedingly popular, it still has Apple’s consumer mindset at the core. (sorry bad pun) At least at our company I dont see it making headway until the encryption issue is solved. Then I’ll talk with TrustDigital again about their management solution.
update
The day I posted this I got emailed an announcement of Good Technology’s support for the iPhone. Good uses their own application and would keep the corporate email encrypted in that. However any other corporate data that made its way on to there wouldn’t be protected. In an era of cutbacks its hard to provide support for both Good and Blackberry.
Commenters have pointed out that the iPhone still does not support S/MIME or PGP. I had thought to check on that but it didn’t make the article. S/MIME support is mandatory for my company.
Apple Innovations
I usually skip over the Mac versus PC adds, but due to the hazards of watching football live I caught one today.
It was about the hardware innovations of the Mac. Kind of silly since last time I checked my hardware was from Dell not from Microsoft.
How about Macs software innovations. Apple went all out with XProtect in Snow Leopard.
Here is Sophos’ writeup
When files are downloaded through the following applications:
- Entourage
- Safari
- Firefox
- Thunderbird
- iChat
- and other programs that use LSQuarantine
XProtect is invoked.
Unfortunately, if variants of these threats find their way on to your system via an application that doesn’t set the com.apple.quarantine extended attribute, for example via:
Skype
Adium
BitTorrent
and Finder (via USB keys, network share, etc …)
Then you’re sort of out of luck.
- source: Sophos
But hey, you’re not missing that much anyway. This “feature” only scans for the hash of 2 Mac trojans according ZDnet’s Zero Day blog.
Now that is innovation.
iPhone and CIS Secure Config Guide
The Center for Internet Security released a secure configuration benchmark for the iPhone.
SCMag touts this as a good thing “For the first time, enterprises can apply security configuration best practices to Apple iPhones being used by their employees.” I would argue that there are a couple things wrong with this statement.
First it seems to admit that the iPhone isn’t secure and needs to be locked down. When Microsoft releases a hardening guide, Alan Paller of SANS goes ape and encourages the government to use their buying power to force Microsoft to apply a “secure” configuration prior to shipment. Second, reading the document, I’m not convinced that the CIS config allows enterprises to to enforce security best practices.
The first half of the CIS security guidelines are settings for the user to do on their phone. Fine for the individual, but not for a enterprise. The second half focuses on settings in the iPhone Configuration Utility. I’ve never used this utility and I dont own an iPhone, but it appears that this utility creates a config file you then mail to the user to apply or place on a website. Great way to distribute security policy. Doesn’t seem like a mandatory security policy either. There are a few mentions of ActiveSync which would enforce policy, but it is not explored enough for my tastes in this document.
Recommendation: Keep firmware up to date.
Doing this requires the installation of iTunes. My skin kind of crawls when someone wants that buggy bloated software installed in a business environment in order to load phone firmware. But hey, at least the user gets to sync their music at the same time. The CIS paper does not report a way that the enterprise could verify the installed versions on each deployed iPhone.
Recommendation: autolock at 5 minutes I wish we could enforce an autolock at five minutes. Ours is a bit longer.
With the Blackberry you can set it to lock when holstered. I dont believe the iPhone can do that.
If you needed someone to tell you to set a PIN and a password timeout on a device with, you probably need someone to tell you to come in out of the rain.
Quicktime 7.6.2
Apple has released Quicktime 7.6.2 to deal with multiple security vulnerabilities. Their writeup is posted here.
Hopefully they also fixed the issue in their MSI file that was preventing installs on a few computers. We extract Quicktime.msi from Apple’s installer in order to avoid having to deploy the Apple Software Updater to our computers.
Firefox Updates
For the third time in the past 30 days, there is a Firefox update including security fixes. Firefox 3.0.10 is out.
“And you want to be my latex salesman”
I dont mean to get all Jeff Jones here, but it seems to me there is a bit of tarnish on that “security king” crown that people give to Mozilla.
Software is going to have bugs. I’m glad Mozilla patches them but more than once a month is getting a bit annoying. Its highlighting a problem that Mozilla doesn’t seem to care about. Enterprise patch deployment.
Mozilla loves to brag that their users apply patches. That’s the problem, you’ve got to use it to get prompted to update it. Even then the end user may turn off checking for updates.
Currently to get Firefox/Thunderbird updates to occur, I can either pray or send out emails, or use NAC to block their access to the network until Firefox is patched.
I can’t believe I’m saying this, but Quicktime and JAVA may have the better idea. JAVA has an always running updater process. I believe Quicktime (via Apple Software Updater) is using Scheduled tasks .
I’d love to just be able to use a logon script or NAC to be able to run C:\program files\Mozilla Firefox\updater.exe which would then prompt the user if a Firefox update was necessary. I’ve searched the Internet to see if this is possible. So far no dice.
Share your thoughts on keeping Firefox updated in the enterprise in the comments.
More Mac Cheerleading from the Tech Media
eWeek has an article “Macs Rebound at RAND”. The funny thing is the article says that this big rebound is from Macs being 20% of all systems to 22% of all systems. In their 2000 user environment this means this article was written because of 40 new Macs.
The article doesn’t get into what software they are using to patch much less perform whole disk encryption.
Quicktime 7.6
I finally deployed Quicktime 7.55 two weeks ago. So right on schedule Quicktime 7.6 is out.
Release details here.
