-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                               Application Patches

April 11, 2006 23:00 GMT                                          Number Q-169
______________________________________________________________________________
PROBLEM:       While most places are keeping operating systems up to date,
               application patches are often ignored. Because of this,
               intruders are targeting application vulnerabilities as a way
               to gain access to a system.
PLATFORM:      All
DAMAGE:        Intruders can gain user or root access to a system.
SOLUTION:      Apply security patches to high-visibility applications.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Intruders are gaining root access to some
ASSESSMENT:    systems.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-169.shtml
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
______________________________________________________________________________

Most sites are keeping their operating systems up to date to protect them
from breakins by intruders. Because of this, intruders are now using social
engineering and targeting application vulnerabilities to gain access to a
system. Depending on the vulnerability, an application vulnerability can give
an intruder access at the level of the logged-in user, root (administrator),
or system.

Application vulnerabilities occur in any application, but an intruder will
most likely target those applications that are known to exist on many
systems. For example, Microsoft Office is commonly found on Windows systems
and is a high-visibility target for intruders.
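The bulletin advises each site to determine which of its standard applications are high-visibility targets and to keep its own list of applications that need regular updating. As an added example that is not part of the CIAC bulletin, the following PowerShell script implements the inventory side of that advice on a Windows system: it reads the installed-application entries from the standard Windows uninstall registry keys, matches them against a site-maintained list of high-visibility applications, and flags any whose installed version is below the site's minimum patched version. The application name patterns, the minimum versions (set to the placeholder 0.0) and the function names are assumptions to be replaced with the site's own list and the vendors' current patch levels.

```powershell
# Added example, not part of CIAC bulletin Q-169.
# Inventories installed applications from the Windows uninstall registry keys
# and reports those matching a site-maintained list of high-visibility
# applications, flagging any whose installed version is below the site's
# minimum patched version.

# Site-maintained list (constructed placeholders): Match is a substring of the
# application's DisplayName; MinVersion is the lowest acceptable patch level.
$HighVisibility = @(
    @{ Match = 'Microsoft Office'; MinVersion = '0.0' }   # replace 0.0 with vendor patch level
    @{ Match = 'Mozilla Firefox';  MinVersion = '0.0' }
    @{ Match = 'Thunderbird';      MinVersion = '0.0' }
    @{ Match = 'Adobe Reader';     MinVersion = '0.0' }
)

# Standard uninstall keys: 64-bit, 32-bit (WOW6432Node) and per-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledApplications {
    # Entries without a DisplayName are updates or hidden components; skip them.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function ConvertTo-VersionSafe([string]$Text) {
    # Vendors ship strings like "2.0.0.3" or "7.0.5 (r123)"; keep the leading
    # dotted-numeric part so [version] can parse it, otherwise return $null.
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') {
        try { return [version]$Matches[1] } catch { return $null }
    }
    return $null
}

function Test-HighVisibilityPatchLevel {
    $installed = Get-InstalledApplications
    foreach ($target in $HighVisibility) {
        $hits = $installed | Where-Object { $_.DisplayName -like "*$($target.Match)*" }
        if (-not $hits) {
            # Record absence too: an application that is not present is not a channel.
            [pscustomobject]@{ Application = $target.Match; Installed = $null;
                               Minimum = $target.MinVersion; Status = 'not installed' }
            continue
        }
        foreach ($app in $hits) {
            $have = ConvertTo-VersionSafe $app.DisplayVersion
            $need = ConvertTo-VersionSafe $target.MinVersion
            $status = if ($null -eq $have -or $null -eq $need) { 'version unknown - check manually' }
                      elseif ($have -lt $need)                  { 'BELOW MINIMUM - patch required' }
                      else                                      { 'at or above minimum' }
            [pscustomobject]@{
                Application = $app.DisplayName
                Installed   = $app.DisplayVersion
                Minimum     = $target.MinVersion
                Status      = $status
            }
        }
    }
}

# Usage: run in an elevated PowerShell session so HKLM is readable.
Test-HighVisibilityPatchLevel | Sort-Object Status | Format-Table -AutoSize
```

Unparseable version strings are reported as "version unknown" rather than silently treated as current, so a site reviewing the output sees exactly which entries still need a manual check against the vendor's update site.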
Sites should consider rigorously patching the high-visibility applications on
their systems to prevent them from being used as channels for intrusions, and
should train users on how to avoid social engineering attacks.

High-visibility Targets
=======================

The table below is a non-inclusive list of high-visibility targets; it is an
example, not a complete inventory. Sites should determine which of their
standard applications are high-visibility and create their own list of
applications that need regular updating.

Some High-Visibility Targets
- ----------------------------
Application          Package              Updater
- ----------------------------
Word                 Microsoft Office     Office Update
Excel                Microsoft Office     Office Update
PowerPoint           Microsoft Office     Office Update
Access               Microsoft Office     Office Update
FrontPage            Microsoft Office     Office Update
Internet Explorer    Internet Explorer    Windows Update
Outlook              Internet Explorer    Windows Update
Outlook Express      Internet Explorer    Windows Update
Antivirus Scanner    Antivirus Package    Antivirus Update Site
                                          (Symantec, McAfee, etc.)
Eudora               Eudora               Eudora website
FireFox              Firefox              Firefox Updater
Thunderbird          Thunderbird          Thunderbird Updater
Mozilla              Mozilla              Mozilla Website
Netscape             Netscape             Netscape Website
Safari               Safari               Apple Updater
Adobe Reader         Adobe Reader         Adobe Update Notification

We are seeing more and more instances of application vulnerabilities targeted
as the path for intrusion into systems. These attacks are generally part of a
social engineering effort, such as provocative e-mails with malicious
attachments or web pages with malicious downloads. When the attachment is
double-clicked or the web page is visited, the malicious code is executed on
the system. That malicious code may install spyware, a Trojan backdoor, a
virus, or any other software.

Social Engineering
==================

In a recent event, twenty people received an e-mail with a malicious
attachment. Ten of those people double-clicked on the attachment. None of
these people knew the sender or were expecting an e-mail from them, but they
opened the attachment anyway.

Application vulnerabilities exploited by social engineering are more difficult
to protect against because they often involve file types that are normally
considered safe to view, such as image files, database files, and documents.
Files of these types are generally considered safe to open if the macro
capabilities of the opening application are turned off. Unfortunately, that
assumption does not hold: a vulnerability in the application's file parser
needs no macros. In a recent incident, a buffer overflow in Microsoft Word
allowed a malicious document to be created that would take control of a
system, drop files on that system, and execute them.

Application Patching
====================

Like operating system patching, application program patching for most
high-visibility applications can be done automatically, in the background, or
by periodically visiting an update site. For example, the Firefox web browser
has a small dot in the upper-right corner of the browser window. That dot
turns red when an update is available, and clicking on it takes you to the
update site. Microsoft Office has an Office Update site
(http://office.microsoft.com/en-us/officeupdate/default.aspx) similar to the
Windows Update site. Simply visit that site and click update to get a list of
available updates, then select the ones to install and install them. Other
applications, like Adobe Reader, check for updates whenever they start up.

Because of this increase in attacks using social engineering and application
vulnerabilities, sites should ensure that their high-visibility applications
are patched. Sites should also make sure their users are trained not to open
attachments to e-mail messages that are not from a known person and that were
not expected.

______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-159: Exposure of machine account credentials in winbind log files
Q-160: TWiki Rdiff and Preview Scripts Ignore Access Control Settings
Q-161: Security Vulnerabilities in Xorg(1) X11R6.9 and X11R7.0 Server
Q-162: OpenMotif Security Update
Q-163: storebackup -- several vulnerabilities
Q-164: HP Color LaserJet 2500 and 4600 Toolbox Running Microsoft Windows
Q-165: Cisco Networking and Controller Vulnerabilities
Q-166: RealNetworks Products
Q-167: Cisco 11500 Switch Vulnerability
Q-168: Local Unauthorized Access

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQCVAwUBRDxDNrnzJzdsy3QZAQHH4AP+Jb9Qb7/VRkE86rmBBLk2tsJjWsQtd/LR
t7FUCS5+T+NgZZX2gmfhLZ741yTxAjSsdmhsgQPs1jyzTn9WpyixmEi62cjDNtND
ZDHYkjOMFFFr+ZyteLKcxhj7lumnxlfHvpHjY06ll/U/e0qRlPqNZ4rX3VPZsChM
veh8t9tErhE=
=/I9w
-----END PGP SIGNATURE-----