The CanSecWest security conference in Vancouver in currently under way. In addition to their normal presentation lineup CanSecWest also hosts the PWN2OWN competition organized by ZDI where researcher’s bring their exploits and try them against the latest software versions. The competition is both technically challenging and politically loaded – two years ago research company VUPEN made it into the headlines when they said they would not sell their Chrome exploit to Google for even 1 Million US Dollars.
Oracle published two critical security updates today. First, a new version of Java has been released that addresses 42 distinct vulnerabilities, with 19 having the highest possible CVSS score of “10” allowing an attacker to take full control of the machine. This update also addresses the vulnerabilities found during the PWN2OWN competition at CanSecWest in Vancouver in March, where Java was exploited by three different security researchers. Oracle also changed the alerts that come up when one runs a Java applet, introducing distinct states giving overall more information on the nature of the applet. The new versions are update 21 for Java v7 and update 45 for Java v6.
Also today, the Oracle Critical Patch Update (CPU) came out that addresses all other Oracle products. Overall, the April 2013 CPU fixes over 120 vulnerabilities in 13 product groups. An accurate map of installed software will be crucial in applying these patches due to the large number of products covered. We recommend starting with Internet exposed services first, and then moving by the CVSS scores attached to the vulnerability.
It is the beginning of March and Microsoft just published the Advance Notice for this month’s Patch Tuesday.
We will get seven bulletins next week, affecting all versions of Windows, some Office components and also Mac OS X, through Silverlight and Office. Four of the bulletins carry the highest severity rating of “critical”.
Bulletin 1 will be on the top of our list next week. It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT. Bulletin 2 addresses critical vulnerabilities in Microsoft Silverlight, both on Windows and Mac OS X, and is widely installed at least on end-user workstations to run media applications, for example Netflix. Bulletin 3 is a vulnerability in Visio and the Microsoft Office Filter Pack. It is puzzling to see such a high rating for this software that typically requires opening of an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the “critical” rating. The last critical bulletin is for Sharepoint server.
The three remaining bulletins are all rated “important” and apply to OneNote, Office 2010 for Mac and Windows itself.
In other security news, the ZDI’s PWN2OWN competition is currently going on at the CanSecWest security conference in Vancouver. PWN2OWN awards prizes ranging from US$ 20,000 to US$ 100,000 to security researchers who can demonstrate vulnerabilities in the following products: Adobe Flash, Adobe Reader, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Oracle Java. In yesterday’s run, prizes have been claimed for Oracle Java by James Forshaw, Oracle Java again by Joshua Drake, IE10 on Windows 8 by VUPEN, Google Chrome on Windows 7 by a team from MWR Labs, John and Nils and finally Mozilla Firefox and finally Oracle Java, both by the team at VUPEN. Today the competition continues with attacks on Adobe Reader, Adobe Flash and IE10, and is then followed by Google’s Pwnium3, which awards prizes of over US$ 100,000 for vulnerabilities in Google’s ChromeOS.
You can expect patches for these vulnerabilities to be released over the coming weeks. We will keep you updated here, so stay tuned.