Just two updates for October’s Patch Tuesday

System administrators still reeling from last month’s bumper Patch Tuesday will be glad to know that they can rest easier this month. For the month of October, Microsoft will be releasing only two updates, with one rated as “critical” and the other as “important.”

Organizations are advised to exercise vigilance in patching the critical flaw, as it involves a vulnerability in Windows XML Core Services 3.0, used extensively by Windows to manipulate XML data. Consequently, affected versions of the operating system include Windows 2000, XP, Server 2003, Vista, and Server 2008. This flaw is also present in XML Core Services 4.0 and 6.0, although this is viewed as less critical.

In a written statement, Don Leatham of Lumension Security (formerly PatchLink) urged IT administrators to patch this vulnerability. Leatham noted that, left unaddressed, the flaw could compromise the integrity of a company’s sensitive information, because this vulnerability impacts a broad range of Microsoft platforms.

The second bulletin is related to the same XML issue, though specific to Office 2003 and Office SharePoint Server. Even so, it could still result in remote code execution, and hence should not be taken lightly.

Flaws targeting Acrobat spotted in the wild

Days after initial announcements of a serious Adobe Reader flaw, working exploits were spotted in the wild. The exploit in this case leverages CVE-2008-2992 by means of a crafted format string argument to execute arbitrary code. The delivery mechanism is a malformed PDF file.

Bojan Zdrnja over at SANS Internet Storm Center highlighted a sample that was sent to him by one of his readers:

Unfortunately, Wayne [the reader] is right – these PDF documents exploit the JavaScript buffer overflow vulnerability. This is not surprising, though, as a fully working PoC has been recently published as well, but it’s interesting to see that the attackers modified the PoC a little bit, probably in order to evade anti-virus detection.

Zdrnja also noted that none of the AV products detected his malicious PDF sample — not really surprising given how new it is.

At this point, Adobe has updated Adobe Reader 8.1.2 and Acrobat 8.1.2 to address the vulnerabilities. Given the popularity of the PDF file format, and the ease of delivery via e-mail, it is more important than ever to ensure that patching and upgrading are promptly executed.

Adobe eliminates ColdFusion vulnerability

Adobe has issued a security fix for ColdFusion. The patch eliminates a vulnerability that allows attackers to circumvent existing restrictions on a server operating in a shared hosting environment.

According to Adobe, ColdFusion 8.0, 8.0.1 as well as ColdFusion MX 7.0.2 are affected. You can check out the Adobe security bulletin here for patch instructions.

Security researchers to demonstrate WPA packet injection

German security researcher Erik Tews and co-researcher Martin Beck have found a way to break the Temporal Key Integrity Protocol (TKIP) key used by the Wi-Fi Protected Access (WPA) encryption standard. At next week’s PacSec 2008 security conference in Tokyo, the duo will give a presentation on this titled, “Gone in 900 Seconds: Some Crypto Issues with WPA.” They will also leverage their findings to demonstrate data injection into the WPA traffic between a router and a laptop.

The precise method to achieve the data injection has yet to be made public, though it is known that it involves breaking the Temporal Key Integrity Protocol (TKIP) key of the Wi-Fi Protected Access (WPA). This was achieved by tricking a WPA router into disgorging a large amount of data, coupled with a “mathematical breakthrough” to crack TKIP without using a dictionary attack. To be clear, the team has not managed to crack the actual encryption keys used to secure data in WPA, so WPA appears to remain secure at this juncture.

Moving ahead, the obvious solution at this point would be to change to the WPA2 encryption scheme, which uses the more robust Advanced Encryption Standard (AES) instead of TKIP.
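The following added example (not from the original article or the researchers) audits the cipher suites an access point advertises in its beacon, since a network configured for WPA2 can still offer TKIP in its RSN element alongside AES-CCMP. The function names and the sample bytes are constructed for illustration, and the parser assumes each element carries its group and pairwise cipher fields.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11 suite OUI used by the RSN (WPA2) element
WPA_OUI = bytes.fromhex("0050f2")  # Microsoft OUI used by the original WPA element
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}

def _name(suite, oui):
    """Map a 4-byte suite selector (OUI + type) to a cipher name."""
    if suite[:3] != oui:
        return "vendor-" + suite.hex()
    return CIPHERS.get(suite[3], "type-%d" % suite[3])

def _suites(body, oui):
    """Return (group cipher, [pairwise ciphers]) from a WPA/RSN element body."""
    if len(body) < 8:  # assumption: group and pairwise fields are present
        raise ValueError("truncated security element")
    version = struct.unpack_from("<H", body, 0)[0]
    count = struct.unpack_from("<H", body, 6)[0]
    if version != 1 or len(body) < 8 + 4 * count:
        raise ValueError("unsupported version or truncated pairwise list")
    pairwise = [_name(body[8 + 4 * i:12 + 4 * i], oui) for i in range(count)]
    return _name(body[2:6], oui), pairwise

def audit_ies(ies):
    """Walk the tagged elements of a beacon and report WPA/RSN cipher suites."""
    findings, off = [], 0
    while off + 2 <= len(ies):
        eid, length = ies[off], ies[off + 1]
        body = ies[off + 2:off + 2 + length]
        if len(body) < length:
            raise ValueError("element runs past end of buffer")
        off += 2 + length
        if eid == 48:  # RSN element (WPA2)
            proto, (group, pairwise) = "WPA2/RSN", _suites(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":  # vendor WPA element
            proto, (group, pairwise) = "WPA", _suites(body[4:], WPA_OUI)
        else:
            continue
        findings.append({"proto": proto, "group": group, "pairwise": pairwise,
                         "tkip": "TKIP" in [group] + pairwise})
    return findings

# Constructed sample: SSID "lab", then an RSN element in mixed mode
# (group TKIP, pairwise CCMP and TKIP, AKM PSK, empty capabilities).
SAMPLE = bytes.fromhex("00036c6162" "3018" "0100" "000fac02" "0200"
                       "000fac04" "000fac02" "0100" "000fac02" "0000")

if __name__ == "__main__":
    for f in audit_ies(SAMPLE):
        print(f["proto"], f["group"], f["pairwise"], "TKIP offered" if f["tkip"] else "ok")
```

An element reported with `tkip` set means clients can still negotiate TKIP on that network, whatever the protocol label says.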

Are you using wireless in your organization? Are you using WPA or WPA2 at this point?

Feel free to discuss the various security events here.