Security Advisor

Microsoft Confirms Advanced Security Update Leak

Microsoft has not found any issues since the update info was leaked and pulled offline on Friday. Plus: EU creates new anti-hacking agency; Apple next in line to discredit Dutch Internet certificate company for breach.

The Windows IT security community is buzzing as the week begins: details of September's monthly security updates leaked last Friday, just a day after the advance notification.

On Monday Microsoft admitted that it inadvertently put the patch details out too soon.

"Microsoft inadvertently displayed draft text of September's bulletin summary, five bulletins, and a security advisory update intended for release on Tuesday, Sept. 13," wrote Dave Forstrom, director of Trustworthy Computing, in a prepared statement. "The draft text was removed as soon as the issue was discovered. We are not aware of any customer impact and are monitoring the issue."

The issue surfaced on Friday, when this blog received word from sources that the leak had occurred; later in the day, the Internet Storm Center flagged the details of four of the five bulletins.

Security-wise, none of the updates is rated "critical," so the leak shouldn't cause big problems, experts say.

"It's usually a combination of the bulletin and the actual patches that many exploit writers rely on," said Marcus Carey, security researcher from Rapid7. "Hence, while the security bulletins were apparently exposed early, they won't provide that much opportunity for exploit developers that usually rely (on software) to enable them to see differences between the vulnerable software and the new patches Microsoft releases."

Carey added that the differences between the vulnerable code and the patched code reveal "which functions or other code would be vulnerable for users that haven't rolled out the patches yet."

Still, the early disclosure is problematic in an era of fast-moving exploits and of attackers who track patch information in search of an entry point or angle.

For instance, at least two of the 15 vulnerabilities slated for patching on Tuesday are, according to the leaked information, related to dynamic link library (DLL) load hijacking, which has been a thorn in the side of Windows IT security experts since it first popped up as a problem in August of last year. To that end, Redmond has been shipping fixes for DLL loading issues since November 2010.
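As an added example for Windows administrators (it is not code from the column or from Microsoft), the script below audits, and with -Mode Harden sets, the system-wide CWDIllegalInDllSearch registry value that Microsoft introduced in hotfix KB2264107 as a mitigation for exactly this class of DLL preloading bug. The registry key, value name and the meaning of the settings are Microsoft's; the script structure, the -Mode and -DesiredValue parameters and the helper names are my own.

```powershell
# Added example, not code from the column or from Microsoft: audit (and
# optionally set) the system-wide CWDIllegalInDllSearch mitigation that
# Microsoft shipped in hotfix KB2264107 for DLL preloading / load hijacking.
# Run from an elevated PowerShell prompt when using -Mode Harden.
param(
    [ValidateSet('Audit', 'Harden')]
    [string]$Mode = 'Audit',
    # 4294967295 (0xFFFFFFFF) is the strictest setting; 2 is the usual
    # compromise where legacy apps must still load DLLs from their own folder.
    # Written as decimal because PowerShell parses 0xFFFFFFFF as the Int32 -1.
    [uint32]$DesiredValue = 4294967295
)

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Name = 'CWDIllegalInDllSearch'

# The registry provider hands DWORDs back as signed Int32, so 0xFFFFFFFF
# arrives as -1; reinterpret the bits instead of converting the value.
function ConvertTo-UInt32Bits([int32]$Value) {
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($Value), 0)
}
function ConvertTo-Int32Bits([uint32]$Value) {
    [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
}

function Get-CwdDllPolicy {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    ConvertTo-UInt32Bits $item.$Name
}

# Meaning of each value as documented in KB2264107.
function Describe-CwdDllPolicy([uint32]$Value) {
    if ($Value -eq [uint32]::MaxValue) {
        return 'current working directory removed from the DLL search order (strict)'
    }
    switch ($Value) {
        2       { return 'CWD blocked only when it is a WebDAV folder or a remote share' }
        1       { return 'CWD blocked only when it is a WebDAV folder' }
        default { return 'default search order: a DLL planted in the CWD can still be loaded' }
    }
}

$current = Get-CwdDllPolicy
if ($null -eq $current) {
    Write-Output "$Name is not set -> default search order (exposed to CWD-based DLL hijacking)"
} else {
    Write-Output ('{0} = 0x{1:X8} -> {2}' -f $Name, $current, (Describe-CwdDllPolicy $current))
}

if ($Mode -eq 'Harden' -and $current -ne $DesiredValue) {
    # The value only takes effect on systems where the KB2264107 loader
    # update is installed; running processes keep their old search order.
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord `
        -Value (ConvertTo-Int32Bits $DesiredValue) -Force | Out-Null
    Write-Output ('Set {0} to 0x{1:X8}; restart applications to pick it up' -f $Name, $DesiredValue)
}
```

The same value name can be set per application under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<binary name>, which is the usual way to keep a single legacy program working while the rest of the system runs with the strict setting. The registry switch only addresses the current-working-directory case; an application that calls LoadLibrary with a bare file name from a writable directory earlier in the search path still needs a code fix, which is what the bulletins the column describes deliver.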

While security experts from nCircle's Andrew Storms to Rapid7's Marcus Carey aren't freaking out about the issue, this unprecedented early disclosure is still something to take note of.

All told, Carey said, "there are some people that are talented enough to develop exploits based only on the leaked bulletins, so organizations need to be vigilant, as always."

Carey notes that multiple people often find the same flaw independently, so he and other security observers always assume that if an independent researcher or Microsoft discovers a flaw, "the odds are that someone else has identified that flaw in the wild."

EU In Plan To Take Broad Security Steps
The European Union's General Affairs Council on Monday signaled that it's about to go continental on hackers, revealing an initiative that would deploy a unified security framework and a new "pan-European" agency to address the bloc's large cross-border IT infrastructure.

At present there are scant details about how such a pervasive organization would work or how cyber security efforts with the U.S. would be coordinated. Plus, establishing such an entity would require discussion and later ratification of a formal measure by both the European Council and the European Parliament.

Early proposed sites for the group include Tallinn, Estonia; Strasbourg, France; and Sankt Johann im Pongau, Austria.

Apple Responds to Dutch Digital Incursion
This past summer DigiNotar, a Dutch subsidiary of VASCO Data Security International Inc., had its certificate-issuing systems hacked into. Last week it announced that it was hit harder than it had previously suspected.

This week Apple became the latest tech giant to distrust any and all certificates issued by DigiNotar. Its update will stop the Safari browser on Mac OS X from trusting sites secured by DigiNotar certificates; DigiNotar has admitted that its servers were breached and that unauthorized SSL (Secure Sockets Layer) certificates were obtained by hackers.

The hacker's identity is not yet officially known -- aside from a hacker calling himself "Comodohacker" taking credit for the digital smash and grab at DigiNotar.

Apple joins Microsoft, Google and Mozilla in making similar moves. A fraudulent certificate does not let hackers break into the networks of the organizations named on it; what it enables is impersonation of their sites to users, for instance in a man-in-the-middle attack. The rogue certificates obtained include ones for domains belonging to MI6, the Central Intelligence Agency, Mossad, Twitter and Facebook.
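Apple's, Microsoft's and Mozilla's fixes all amount to the same thing: removing the DigiNotar roots from the trust store, or moving them into a distrust list. For a Windows administrator who wants to confirm that the distrust has actually reached a machine, the following added example (not code from the column or from any vendor) walks the standard Windows certificate stores. The store paths under Cert:\ are the standard Windows ones and "DigiNotar" is the real CA name; the -CertPath option, the output wording and the helper names are my own assumptions. Safari on Mac OS X is outside its scope.

```powershell
# Added example, not code from the column or from any vendor: on a Windows
# host, report DigiNotar certificates that are still trusted, confirm that the
# distrust entries are present, and optionally verify that a certificate file
# does not chain through DigiNotar.
param(
    # Subject/issuer substring to hunt for.
    [string]$Pattern = 'DigiNotar',
    # Optional DER or base64 certificate file to chain-check (e.g. exported
    # from a browser); the parameter itself is an assumption of this example.
    [string]$CertPath
)

# Root, Third-Party Root, Intermediate CA and per-user Root stores are where
# a certificate can still confer trust; Disallowed is "Untrusted Certificates".
$TrustedStores  = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
                  'Cert:\LocalMachine\CA',   'Cert:\CurrentUser\Root'
$DistrustStores = 'Cert:\LocalMachine\Disallowed', 'Cert:\CurrentUser\Disallowed'

function Get-CertsMatching {
    param([string]$Store, [string]$Match)
    Get-ChildItem -Path $Store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $Match -or $_.Issuer -match $Match }
}

function Format-Cert {
    param($Cert, [string]$Store)
    '{0}: {1} (thumbprint {2}, valid to {3:yyyy-MM-dd})' -f $Store, $Cert.Subject, $Cert.Thumbprint, $Cert.NotAfter
}

# 1. Anything matching in a trusted store is a finding.
$stillTrusted = foreach ($s in $TrustedStores) {
    Get-CertsMatching $s $Pattern | ForEach-Object { Format-Cert $_ $s }
}
if ($stillTrusted) {
    Write-Output "FINDING: certificates matching '$Pattern' are still in a trusted store:"
    $stillTrusted | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "OK: no certificate matching '$Pattern' in the trusted stores"
}

# 2. The distrust update puts the roots into the Untrusted Certificates store.
$distrusted = foreach ($s in $DistrustStores) {
    Get-CertsMatching $s $Pattern | ForEach-Object { Format-Cert $_ $s }
}
if ($distrusted) {
    Write-Output 'Distrust entries present:'
    $distrusted | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "WARNING: no '$Pattern' entries in the Untrusted Certificates store; the distrust update may not be installed"
}

# 3. Build the chain for a certificate file and refuse it if any element in
#    the chain matches, even when the platform would otherwise accept it.
function Test-CertChainAgainst {
    param([string]$Path, [string]$Match)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $built   = $chain.Build($cert)
    $tainted = @($chain.ChainElements | Where-Object { $_.Certificate.Subject -match $Match })
    [pscustomobject]@{
        Subject        = $cert.Subject
        ChainBuilt     = $built
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        MatchesInChain = $tainted.Count
        Accept         = ($built -and $tainted.Count -eq 0)
    }
}

if ($CertPath) {
    Test-CertChainAgainst -Path $CertPath -Match $Pattern | Format-List
}
```

The chain check in step 3 is deliberately stricter than the platform: a certificate can build a valid chain on a machine that has not yet received the distrust update, so the script rejects any chain that merely passes through a matching issuer rather than trusting the Build() result alone. Run the audit on a sample of workstations after the vendor updates roll out; a hit in step 1 or a warning in step 2 means that host would still accept the rogue certificates the column lists.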

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
