
20 January 2010

Apple releases OS X security update

Apple’s First 2010 OS X Security Update Not So Bad

SEVERITY: HIGH
19 January, 2010

SUMMARY:

  • These vulnerabilities affect: All current versions of OS X 10.5.x (Leopard) and OS X 10.6.x (Snow Leopard)
  • How an attacker exploits them: Multiple vectors of attack, including enticing one of your users into downloading and viewing various malicious media files
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, potentially gaining full control of it
  • What to do: OS X administrators should download, test and install Security Update 2010-001

EXPOSURE:

Today, Apple released a security update to fix vulnerabilities in all current versions of OS X. The update fixes a dozen (number based on CVE-IDs) security issues in six of the components that ship as part of OS X, including CoreAudio, OpenSSL, and the Flash Player plug-in. Some of these vulnerabilities allow attackers to execute code on your OS X machines, so we rate this update Critical. Apply it as soon as you can. Three of the fixed vulnerabilities include:

  • CoreAudio Buffer Overflow Vulnerability. CoreAudio is an OS X component that helps the operating system play various audio files. It suffers from a buffer overflow vulnerability involving the way it handles specially malformed mp4 audio files. If an attacker can get a victim to open a malicious mp4 file (perhaps hosted on a malicious web site), he could exploit this flaw to either crash the playing application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges.
  • Multiple Adobe Flash Player Plug-in Vulnerabilities. OS X ships with Adobe’s Flash Player so that it can play Flash content found on many web sites today. Apple’s OS X update fixes seven unspecified security vulnerabilities in the OS X Flash Player plug-in. Apple’s alert does not describe these vulnerabilities in any technical detail. However, it does describe the impact of the worst flaws. By enticing you to a malicious web site, an attacker could potentially exploit one of these flaws to execute code on your computer, with your privileges. We suspect the updates to the OS X Flash Player plug-in are related to the ones Adobe fixed in their stand-alone player recently.
  • Multiple Image-related Memory Corruption Vulnerabilities. ImageIO and Image RAW are both OS X components that help the operating system handle various types of image files. Both components suffer from memory-related vulnerabilities (specifically, a buffer overflow and a buffer underflow) involving the way they handle certain types of media files. Though the vulnerabilities differ technically, they share a very similar scope and impact. If an attacker can get a victim to view a specially crafted media file (perhaps hosted on a malicious web site), he could exploit these flaws to either crash the viewing application or to execute attack code on the victim’s computer. By default, the attacker would only execute code with that user’s privileges.

Apple’s alert also describes a less risky Denial of Service (DoS) flaw and an information disclosure issue. Components patched by this security update include:

  • CoreAudio
  • CUPS
  • Flash Player Plug-in
  • ImageIO
  • Image RAW
  • OpenSSL

Please refer to Apple’s OS X 10.5.x and 10.6.x alert for more details.

SOLUTION PATH:
Apple has released OS X Security Update 2010-001 to fix these security issues. OS X administrators should download, test, and deploy the corresponding update as soon as they can.

  • Security Update 2010-001 (Leopard)
  • Security Update 2010-001 (Leopard Server)
  • Security Update 2010-001 (Snow Leopard)

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend that you let OS X’s Software Update utility pick the correct updates for you automatically.

FOR ALL USERS:
These flaws enable many diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). Installing these updates, therefore, is the most secure course of action.

STATUS:
Apple has released updates to fix these issues.

17 December 2009

Mozilla Releases Firefox 3.5.6 and 3.0.16 to Fix 11 Vulnerabilities

Summary:

  • This vulnerability affects: Firefox 3.5.5 (and previous versions) for Windows, Linux, and Macintosh
  • How an attacker exploits it: Multiple vectors of attack, including enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.5.6 (or legacy Firefox 3.0.16)

Exposure:

The Mozilla Foundation released Firefox 3.5.6, fixing at least 11 vulnerabilities (we typically base our count on CVE-IDs) in their popular web browser. They also released Firefox 3.0.16 to fix security vulnerabilities in the legacy version of Firefox. Three of the vulnerabilities have been rated as critical, which they define as a vulnerability that can be used to run attacker code and install software, requiring no user interaction beyond normal browsing. We summarize the most critical Firefox 3.5.x vulnerabilities below:

  • Integer Overflow, Crash in Libtheora Video Library (2009-67). An attacker would first have to trick one of your users into visiting a malicious web page containing a specially crafted video. Processing that video writes data past the bounds of a buffer, causing a crash and potentially allowing the attacker to run arbitrary code on the victim’s computer. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Memory Safety Fixes in Liboggplay Media Library (2009-066). Again, the bugs which were fixed could potentially be used by an attacker to crash a victim’s browser and execute arbitrary code on their computer.
    Mozilla Impact rating: Critical
  • Buffer Overflow Vulnerability in GIF Parser (2009-065). This addresses several crashes in the browser engine used in Firefox and other Mozilla products. Mozilla warns that with enough effort at least some of these could be exploited to run arbitrary code. As usual, if your user has local administrative privileges, the attacker gains complete control of the user’s machine.
    Mozilla Impact rating: Critical

Mozilla’s alert describes several more vulnerabilities. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that the 3.5.6 update fixes. You can also visit the 3.0 Known Vulnerabilities page, to check out the fixes in 3.0.15.

Solution Path:

Mozilla has updated Firefox 3.5, correcting these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.5.6 as soon as possible. They have also released updates for the 3.0.x line of Firefox, which you can find here. However, we recommend 3.0.x users update to 3.5.x to keep current with the latest version of Firefox.

Note: The latest version of Firefox 3.5 automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.
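
When Firefox versions are collected in an inventory, the upgrade recommendation above can be checked per host. The following is an added example, not part of the original alert or of Mozilla's tooling; the host names and inventory are constructed, and the status labels are this example's own.

```python
import re

# Fixed release for each maintained branch, as stated in the alert.
FIXED = {(3, 5): (3, 5, 6), (3, 0): (3, 0, 16)}
FIRST_FIXED = (3, 5, 6)  # the alert covers "3.5.5 (and previous versions)"


def parse_version(text):
    """Return (major, minor, patch) from a dotted numeric version, else None."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*", text.strip())
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(version_text):
    """Classify one reported Firefox version against this alert."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # beta/nightly strings or bad data: check by hand
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        # Compare only within the host's own branch: 3.5.2 is numerically
        # above 3.0.16 but is still an unpatched 3.5.x build.
        return "patched" if v >= fixed else "vulnerable"
    # Any other branch: older builds fall under "previous versions";
    # newer ones are outside what this alert describes.
    return "vulnerable" if v < FIRST_FIXED else "not-covered"


def hosts_needing_action(inventory):
    """Return sorted (host, version, status) for hosts that need attention."""
    rows = []
    for host, version in inventory.items():
        status = classify(version)
        if status in ("vulnerable", "unknown"):
            rows.append((host, version, status))
    return sorted(rows)


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "3.5.6",
    "ws-02": "3.5.5",
    "ws-03": "3.0.16",
    "ws-04": "3.0.15",
    "ws-05": "3.5.2",
    "ws-06": "2.0.0.20",
    "ws-07": "3.6b4",
}

if __name__ == "__main__":
    for host, version, status in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{status}")
```

A single threshold such as "at least 3.0.16" would wrongly pass the 3.5.2 host, which is why the comparison is made per branch.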

For All Users:

Many of these attacks arrive as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.5.6, fixing these security issues.

16 December 2009

Urgent: Adobe Reader Vulnerability Affects 9.2 and Earlier

 

  • This vulnerability affects: Adobe Reader and Acrobat 9.2 and earlier, on Windows, Mac, and Unix computers
  • How an attacker exploits it: By enticing your users into viewing a maliciously crafted PDF document that uses JavaScript
  • Impact: An attacker can potentially gain control of your system
  • What to do: Implement the workarounds described in the Solution Path section of this alert

Exposure:

Adobe has confirmed a critical zero day vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe first referenced it in a blog posting on Monday and has since issued a security bulletin. Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue. Users running the Microsoft DEP (“Data Execution Prevention”) functionality, available in more recent versions of Microsoft Windows, are at reduced risk:

  • All versions of Adobe Reader 9 running on Windows Vista SP1 or Windows 7
  • Acrobat 9.2 running on Windows Vista SP1 or Windows 7
  • Acrobat and Adobe Reader 9.2 running on Windows XP SP3
  • Acrobat and Adobe Reader 8.1.7 running on Windows XP SP3, Windows Vista SP1, or Windows 7

With the DEP mitigation in place, the impact of this exploit has been reduced to a Denial of Service during Adobe’s testing.

Since attackers are actively exploiting this vulnerability in the wild and Adobe hasn’t had time to patch it yet, this flaw poses a serious risk to Adobe Reader users. Until a patch is available, we recommend you implement the workarounds described below to mitigate the risk of this attack.

Solution Path:

Adobe has not had time to release a patch for this zero day vulnerability. However, the workarounds described below should mitigate the risk of attacks currently circulating in the wild.

  • Inform your users of this vulnerability. Advise them to remain wary of unsolicited PDF documents arriving via email. If they don’t absolutely need the document, and don’t trust the entity it came from, they should avoid opening it until you patch Adobe Reader.
  • Disable JavaScript in Adobe Reader. According to Adobe, users can mitigate the issue by disabling JavaScript in Adobe Reader. To disable JavaScript in Adobe Reader, click Edit => Preferences => JavaScript and then uncheck Enable Acrobat JavaScript. Keep in mind, this prevents JavaScript from running in legitimate PDF documents as well.
  • Use a gateway device, like your Firebox, to block PDF files. If your users can’t download PDF files, these exploits won’t affect them. Unfortunately, doing this blocks legitimate PDF files as well. Nonetheless, depending on your business needs, you may still want to block PDF files until a patch is available.

06 December 2009

DIY Network Security

How to Secure Your Network

Networking makes it easy to share Internet access and data. But you don’t want to share your information with just anyone. With a wireless network, your information is traveling through the airwaves, not physical wires, so anyone within range can “listen in” on your network. There are five essential security measures you should take to secure your wireless network.

1. Change the default password

Access points and routers have a default password set by the factory. You will be asked for a password when you want to change their settings. (The Linksys by Cisco default password is admin). Hackers know these defaults and will try them to access your wireless device and change your network settings. To thwart any unauthorized changes, change the password so it will be hard to guess.

2. Change the default SSID

Your wireless devices have a default SSID (Service Set Identifier) set by the factory. The SSID is the name of your wireless network, and can be up to 32 characters. Linksys by Cisco wireless products use linksys as the default SSID. Hackers know these defaults and can use them to join your network. Change your network’s SSID to something unique, and make sure it doesn’t refer to the networking products you use. As an added precaution, be sure to change the SSID on a regular basis, so any hacker who may have figured out your network’s SSID in the past will have to figure out the SSID again and again. This will deter future intrusion attempts.

3. Enable WPA Encryption

Encryption protects data that is transmitted over a wireless network. Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) offer different levels of security for wireless communication. WPA is considered to be more secure than WEP, because it uses dynamic key encryption. To protect the information as it passes over the airwaves, you should enable the highest level of encryption that is supported by your network equipment.

4. Disable SSID broadcast

By default, most wireless networking devices are set to broadcast the SSID, so anyone can easily join the wireless network with just this information. But hackers will also be able to connect, so unless you’re running a public hotspot, it’s best to disable SSID broadcast. You may think it is more convenient to broadcast your SSID so that you can click on it to join your network, but you can configure the devices on your network to automatically connect to a specific SSID without broadcasting the SSID from your router.

You might ask, “If it’s easier for hackers, why broadcast SSID in the first place?” The reason is that setup is easier if you can see the SSID. After setup, you should disable SSID broadcast.

5. Enable MAC address filtering

Some routers, including Linksys by Cisco routers, give you the ability to enable MAC (Media Access Control) address filtering. This is not MAC as in Mac computers. With MAC address filtering, you specify which computers can access your network.

The MAC address is a unique series of numbers and letters assigned to every networking device. With MAC address filtering enabled, wireless network access is provided solely for wireless devices with specific MAC addresses. For example, you can specify that only the computers in your house may access your wireless network. It would be very difficult for a hacker to access your network using a random MAC address.

Purchase a new Linksys by Cisco device

If you do not already have a quality, easy to use wireless network security device, you can get great deals direct through Linksys. 

02 December 2009

What is HIPAA

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA mandates the privacy and security of protected health information (PHI).
The HIPAA security rule was published in May 2003 and subject to enforcement for all covered entities starting in April 2005. Given the productivity gains for healthcare professionals to communicate with patients and other doctors and health professionals via email, healthcare organizations need to leverage real-time electronic communications, but do so securely.
HIPAA places a number of requirements on the health care industry’s information handling practices, and has direct impact on the operation of messaging systems.

Who is impacted by HIPAA?
Covered entities consist of healthcare providers, health plans (insurance, etc.) and healthcare clearinghouses (claims and transaction processors). Service personnel (accountants, lawyers, etc.) working on behalf of the covered entities are also subject to HIPAA requirements.

HIPAA IT Security Requirements

HIPAA dictates that organizations must ensure that:

  • Email messages containing protected health information are secured, even when transmitted via unencrypted links.
  • Senders and recipients are properly verified via person or entity authentication.
  • Email servers and the messages they contain are protected.

NIST (National Institute of Science and Technology) has published an information security guide that many believe will meet the requirements of HIPAA. This guide (An Introduction to Computer Security: The NIST Handbook) provides the specifics an organization needs to understand the scope of their compliance efforts.
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

To better understand at a high level the outcomes that HIPAA requires, covered entities must:

  • Have a documented process to protect PHI and detect/correct security violations
  • Allow only authorized personnel to have access to PHI
  • Develop a process to respond in the event of a security breach
  • Periodically evaluate the organization’s ability to protect PHI

From a technology standpoint, strong cases can be made for organizations to implement:

  • Access controls: to ensure the wrong people do not get access to information
  • Detailed auditing of mail traffic: to track who is accessing data (and more importantly, prove it to the examiners)
  • Encryption: to authenticate sender and recipient, provide protection of the message contents and ensure a message hasn’t been tampered with

While HIPAA does not specify particular technologies that should be used to implement these rules, the regulation can be seen as an attempt to mandate best practices for information security, and, for the purposes of this paper, messaging security.

Penalties Associated With Non-Compliance to HIPAA
The general penalty for failure to comply with HIPAA regulations is:

  • Each violation: $100
  • Maximum penalty for all violations of an identical requirement: may not exceed $25,000

Penalties for Wrongful Disclosure of Individually Identifiable Health Information include:

  • Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both
  • Offense under false pretenses: $100,000, imprisonment of not more than five years, or both
  • Offense with intent to sell information: $250,000, imprisonment of not more than ten years, or both

If you need help with your HIPAA needs, please contact us. We have years of experience in getting people HIPAA compliant.