This week's security events include news of the release of OpenOffice 2.4.2 to address critical vulnerabilities in its 2.4.x branch, a finding that corporate security policies are ineffective, exploits for a just-patched Microsoft vulnerability already out in the wild, and release of programming tools for cracking Mifare Classic.
OpenOffice 2.4.2 released in response to critical vulnerabilities
For those who have yet to switch over to OpenOffice 3.0, two critical security vulnerabilities have been discovered in the popular alternative to Microsoft's Office suite. All versions prior to 2.4.2 are affected, though the bug is not present in the just-released version 3.0 of OpenOffice.
According to the security advisories, the culprit appears to be heap overflows when processing EMF and WMF files, which can lead to the arbitrary execution of code via a specially crafted StarOffice/StarSuite document.
Whereas there are no known exploits at this point, affected users are encouraged to download and install OpenOffice 2.4.2; or just bite the bullet and jump straight to OpenOffice 3.0. You can access the security advisories here and here.
Study finds corporate security policies ineffective
A study has found that many employees simply do not adhere to security policies, which really should not surprise anyone. The Cisco-commissioned study surveyed 2,000 employees and IT professionals in over 10 countries in an attempt to understand more about the prevalence and effectiveness of corporate security policies.
What is interesting is the conclusion of the study, which linked the failure to comply with security policy as often stemming from a lack of communication and awareness, as well as a "failure to align policy with employee job objectives." I take the last part to mean that employees are ignoring security policies because they simply cannot be bothered, and there is no whip behind non-compliance.
Notable quote from Cisco senior security adviser Christopher Burgess:
"Technology does not equal security. If the individual understand the value of that which they are touching, they will protect it appropriately."
Of course, the fact that the workplace is now a lot more mobile and collaborative in nature does not help where the old security paradigm of defence-in-depth and communication is concerned. You can read the CRN write-up over here.
What strategies do you employ to secure laptops in your organization?
Exploits target Microsoft vulnerability days after release of patch
Microsoft has warned users that exploits targeting the MS08-067 vulnerability - which was mentioned in last week's Security News Roundup, has been spotted circulating in the wild. The exploit code demonstrates code execution to exploit programming flaws on Windows 2000, Windows XP, as well as Windows Server 2003, though no self-replicating attacks have yet to surface.
Indeed, one of the exploits detected by PandaLabs had a particular strain taking control of compromised system, as well as collecting private information such as user name and passwords from applications such as MSN Messenger and Outlook Express to be submitted to a remote server.
The risk is considerable, and all users are strongly advised to update their systems as soon as possible if they have not already done so.
Programming tools for cracking Mifare published
An open source tooled called "Crapto1" has been released by a hacker going by the pseudonym of "Bla." The Crapto1 tool implements the vulnerable Cryto1 algorithm in C, significantly lowering the barrier of entry from the domain of security specialists to those with some programming knowledge. A hardware reader will still be needed to intercept the encrypted radio traffic of course, such as the Proxmark III or the OpenPCD.
Using the tool it is said to be possible to calculate the access code of a Mifare Classic card within around two seconds. All an attacker requires is a live recording of an encrypted radio communication between the card and a legitimate reader, as well as a little programming knowledge. The access code then allows him not only to decode the encrypted data, but also to manipulate the card's content virtually without limit and to clone it to obtain services fraudulently.
So if you're thinking of following some of Chad's advice about what to do with the RFID chips in your wallet, now might be the time to implement them. Alternatively, you might want to give your money to ThinkGeek, and get an RFID blocking wallet or passport billfold.