Wednesday, 16 April 2014

Oracle's got 104 MORE fixes for you

Oracle has released a hefty load of security updates that address a total of 104 different vulnerabilities across its product lines.
The database giant said its latest Critical Patch Update includes fixes for its middleware and database platforms, as well as the Hyperion, Siebel, and PeopleSoft platforms and a number of former Sun packages.
The issues addressed range from elevation of privilege and data disclosure flaws to easily targeted remote code execution vulnerabilities rated as high as 10.0 in Oracle's CVSS risk matrix.
Because the update includes a number of fixes for issues rated as "critical," Oracle is advising administrators to test and deploy the patches as soon as possible in order to protect users from attack.
Of the 104 issues addressed in the update, 41 lie within various Sun products. Java SE will receive fixes for nine CVE-listed flaws that the company rates at 9 or 10 on its risk matrix. The flaws have been classified as being remotely exploitable, meaning they can allow an attacker to take complete control of the target system without user notification or authentication.
In total, the Java update addresses 37 security flaws in the platform and it is considered to be a critical fix and top deployment priority. An additional Sun patch addresses four flaws in the Solaris platform which are considered to be lower risks.
Also in the April update are 20 fixes for flaws in Oracle Fusion Middleware. That patch is also considered to be a critical update as it addresses 13 vulnerabilities that can be remotely exploited without user authentication.
Oracle noted that Fusion Middleware customers should also pay close attention to the Database update, as vulnerabilities in shared components could also affect the middleware platform. That Database update addresses two flaws, neither of which are remotely exploitable.
Other fixes in the update include 14 vulnerabilities for MySQL Server, two of which can be remotely targeted, and eight vulnerabilities in PeopleSoft, with five remotely exploitable flaws. Oracle Virtualization, Supply Chain Products Suite, and Siebel CRM also received updates.

Canadian Heartbleed hacker nabbed

Authorities in Canada have announced the arrest of the man they believe to be behind an attack on the country's tax system using the Heartbleed vulnerability.
The Royal Canadian Mounted Police (RCMP) said that 19 year-old Stephen Arthuro Solis-Reyes of London, Ontario has been arrested on charges of unauthorized use of a computer and criminal mischief in relation to data for stealing taxpayer information from the Canada Revenue Agency (CRA).
"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," assistant commissioner Gilles Michaud said in a statement.
"Investigators from National Division, along with our counterparts in [Ontario] Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners."
Solis-Reyes is said to have used data gathered by exploiting the Heartbleed vulnerability on the CRA's servers in the attack, which reportedly resulted in the loss of 900 social insurance numbers. The CRA believes that the hacker gathered the information over a six-hour window of time which occurred on April 9 between the first public reports of the flaw and the implementation of security measures.
The attack marked one of the first known instances of hackers actively exploiting the Heartbleed condition in the wild to steal user data. Though if reports are to be believed, the NSA and (likely) other government organizations have been exploiting the flaw for years in order to gather intelligence info.
The RCMP reported that it arrested Solis-Reyes without incident on April 15. The Mounties also seized computer equipment from the home. He is scheduled to appear before a court in Ottawa on July 17 to begin trial.
The investigation is still ongoing, although the Mounties did not report of any other persons involved in the attack.

Heartbleed shrinks Tor by an eighth

Tor, the sometimes-controversial internet-traffic-anonymising service, is bleeding thanks to Heartbleed.
Roger Dingledine, one of Tor's three original co-developers and now the project's leader, director and researcerh, has posted to the Tor relays mailing lists with his assessment that “we'll lose about 12% of the exit capacity and 12% of the guard capacity.”
The reason for the degradation is that some Tor nodes are running compromised versions of OpenSSL. Tor's overlords , sensibly, appear to be looking at the service's participants to check whether they are likely to Heartbleed out if attacked. As they find problems, they exclude the nodes from the network.
“I/we should add to this list as we discover other relays that come online with vulnerable openssl versions,” Dingledine writes. He also adds that there are plenty of places for Tor's operators to look, as to date they have only considered “... the relays with Guard and/or Exit flags, so we should add the other 1000+ at some point soon.”
Tor's overseers are doubtless not alone in having a lot of Heartbleed-related work to do. That they have that work to do, and that Tor is degraded by the vulnerability, is more evidence of the very significant impact the problem is causing.