Included in the patch are critical fixes for Java SE and the Oracle Sun Systems Products Suite.
All up this means that the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication, that is, over a network without the need for a username and password.
The worst of the bugs are in Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities.
Writing in the company blog, Oracle said that out of these 19 Java vulnerabilities, 15 affect client-only installations, two affect client and server installations, and two affect JSSE installations.
The blog says that the lower number of Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.
While that might be true, the ton of patches in the rest of the software suggests that while Java is being closely watched, other bits are not.
In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.
The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes.
There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualisation.
The attack consists of installing rogue software within Active Directory, and the malware then allows attackers to log in as any user on the domain without the need for further authentication.
It has weaknesses as an attack vector — installation requires administrator access or a flaw on the server that grants such access.
But Skeleton Key has some interesting coding which could point to something even nastier in the future. It does not actually install itself on the filesystem. Instead, it’s an in-memory patch of Active Directory which makes detection even more difficult.
Access is not logged and the malware is completely silent and, as a result, extremely hard to detect. Identifying the malware using traditional network monitoring also does not work, because Skeleton Key does not generate any network traffic.
In its current form, the malware does not survive a system reboot, which means that it has to be a continuous hack, but such things are possible, particularly if you have a disgruntled sysadmin.
Companies can also make the malware useless by requiring two-factor authentication to connect to servers, VPN, email and the like. So in other words, leaning on passwords alone is pretty much suicide.
Last month, Google angered Microsoft by releasing the details of a security vulnerability ahead of Microsoft’s Patch Tuesday. Microsoft said that the patch was set to be released two days after Google went live with the details and that Google refused to wait an extra 48 hours so that the patch would have been released along with the details of the exploit.
That would all be fine but Google does not have the same standards for itself. An exploit has been uncovered in Android 4.3 (Jelly Bean) – which covers roughly 60 per cent of Android’s install base, according to the Android Developer dashboard – and Google is saying that they will not patch the flaw.
The flaw, which exists in WebView, impacts nearly 1 billion users, using Google’s own numbers as a base along with Gartner figures.
To make matters worse Jelly Bean was first announced in June of 2012, which means that Google is dropping support for its mobile OS less than three years after it was released.
Google is clearly stating that legacy support for the OS is not on their agenda even while phones are still being flogged with Jelly Bean under the bonnet.
The question is: why, if Google is being such a bastard about its own operating system, is it so keen to throw Microsoft under the bus?
The Indian company, C-Cubed Solutions, is alleged to cold-call people, telling them they have had problems with their computers, and con them out of money.
The case alleges that the company’s representatives claim to represent Microsoft and then attempt to inveigle people into visiting websites which are infected with malware, according to the Times of India. The caller may also attempt to get remote access to a computer and ask for payment using a credit card under the pretext of providing technical support.
Microsoft says it never calls people cold and advises people who get such calls never to give any information to people who claim to represent it.
The scam doesn’t only affect people in the USA – cold calls have been made to other countries including the UK, Ireland, Australia, Canada and New Zealand.
The Korea Hydro & Nuclear Power Co was hit by a hack earlier this month and had data stolen from its systems.
But the South Korea energy ministry said today that the control systems for three nuclear reactors were unaffected by the hack, according to a Reuters report.
The energy minister told the South Korean parliament that the worm was most likely transmitted to the computer systems by an infected USB device – a claim that some have their doubts about.
The CEO of Korea Hydro and Nuclear Power told the parliament that all of the country’s reactors were invulnerable to viruses and worms. But nevertheless he said that the firm was hiring more IT security staff to be on the safe side.
Some people believe that North Korea is behind attacks on South Korean computer installations. The two countries are still technically at war with each other.
BT, Sky, and Virgin Media are struggling to get customers to say yes or no to the controversial adult content blocks, because unlike David Cameron, the majority of customers are happy with being able to see what they like.
BT, Sky, TalkTalk and Virgin Media are required to ask all their customers, when they try to access any website, whether they want web filters turned on or off, so that they never see anything that would offend Cameron and his blue rinse friends ever again.
According to Wired the measures being taken by ISPs have been described as “completely unnecessary” and “heavy handed” by Internet rights groups.
The hijacking works by intercepting requests for unencrypted websites and rerouting a user to a different page. ISPs are using the technique to communicate with all undecided customers.
If you click on an interesting Channeleye story you could be redirected to a page asking about web filtering. The only way you would be safe is if you only look at encrypted websites.
BT is blocking people’s browsers until they make a decision, making it impossible for customers to visit any websites once the in-browser notification has appeared.
A spokesperson for the UK’s biggest ISP said: “If customers do not make a decision, they are unable to continue browsing. The message will remain until the customer makes a decision.”
BT said that it is not forcing people to activate BT Parental Controls and if a user selects “No” they will be taken to a confirmation page and be able to continue browsing without the message reappearing.
The digital rights organization Open Rights Group (ORG) said that ISPs risked encouraging customers to trust hijacked sessions by displaying messages in this way.
“How can a customer tell the difference between an ISP hijack and a phishing site made to look the same? There are better ways for ISPs to contact their customers—particularly given that they have our phone numbers, email and actual addresses,” an ORG spokesperson said.
Sky is also hijacking browser sessions to ask customers if they want to turn on its Sky Broadband Shield web filter. Unlike BT, Sky said it would not disconnect or block customers if they refused to make a decision.
Virgin said it had no plans to disconnect or block customers who did not make a decision, adding that its in-browser message about its Web Filters system could be ignored. The ISP did not say how it planned to get any remaining undecided customers to make a decision if they continued to ignore prompts.
However, all this is playing directly into the Government’s hands by setting a precedent. ISPs for years have said that they are not responsible for what their customers see online. By forcing customers to say “yes” or “no” to the web filters they are placing themselves in a role which the government can use.
The next thing could be looking at emails at the request of whatever daft arse idea the government has about terrorism, or childcare.
They’ve just gone and invented a programming language called Ur/Web that they claim will let developers write web apps as a single self-contained program.
Adam Chlipala, a professor of software tech at MIT claimed Ur/Web makes web pages more secure.
But there’s still some pain for web developers, said Chlipala, because the compiler doesn’t auto-generate style sheets.
Once you’ve typed in your code the compiler takes a long hard look at it and gives a list of CSS classes.
He said that the last thing developers want is for apps to have the ability to read and overwrite passwords. Web frameworks generally speaking assume every little line of a program has complete access to a database. Ur/Web doesn’t, he claims.
MIT didn’t say how you’ll get your paws on the programming language.
Apple developed auto updates some time ago but this is the first time it’s taken advantage of the technique.
Microsoft has been auto-updating its operating systems for quite some time, as security threats come to light.
The update patches problems highlighted by Carnegie Mellon University and the US Department of Homeland Security, relating to the network time protocol component of Apple’s OS X operating system.
Apple is often perceived as having secure machines not subject to the type of threat Windows machines face.
Apple said the update doesn’t even need people to restart their machines, meaning that most people will have been unaware of the action taken.
A report by the German Federal Office for Information Security (BSI) said that a large German steel mill was shut down after hackers stole logins allowing them to compromise the industrial infrastructure.
The BSI did not name the company but said the hackers were sophisticated technically and hacked into software that administered the plant.
They forced the plant to shut down and also compromised a blast furnace.
The news underlines concerns about the extent to which key parts of a country’s infrastructure are open to compromise by hackers.
Over the weekend, hackers compromised some South Korean nuclear installations and published diagrams showing the layout of some installations. The hackers have threatened to damage the nuclear installations themselves if the reactors are not shut down before December 25th.
It’s not known if control systems are vulnerable to such attacks.
Devices into which vendors are building a Trusted Execution Environment (TEE) will reach 366 million as part of that figure.
The shipments are driven by governments, financial service companies and other enterprises largely to ensure secure ID and payments.
The market for TEE devices is still in its early stages, said ABI. But shipments are bound to increase for them and for Host Card Emulation (HCE).
ARM is integrating its TrustZone architecture into every Cortex-A family processor it licenses to vendors.
Unlike TEE devices, HCE depends on the cloud and lets banks introduce mobile NFC products without relying on smartphone SIMs. ABI said that HCE support in smartphones is growing exponentially, and will account for shipments of 252 million by the end of the year.
Players in the game include ARM, Nok Nok Labs, NXP Semi, Infineon, Trustonic and Oberthur Technologies.
Egress Software made the FOI request and the ICO revealed that only seven percent of breaches in the first three months of this year were because of technical glitches.
That means the vast majority were down to human error and carelessness. Fines levied because of technical errors amounted to zero, while the ICO levied £5.1 million on the companies that made the mistakes.
The data breaches are spread across many different sectors. In the public sector, healthcare organisations top the disgrace league, followed by local government and educational organisations.
The private sector also showed a rise in data breaches with the financial industry, the housing sector, telecoms and recruitment all showing big rises.
Tony Pepper, CEO of encryption company Egress Software, said: “It is concerning that such a high number of data breaches occur as a result of human error and poor processes. Confusion can often put confidential data at risk, with users unsure of when and how to encrypt.”