Security Watch
Dreading Patch Tuesday
IT staff are getting overwhelmed as companies co-opt Microsoft's day for releasing patches.
Governance
The second Tuesday of each month is rapidly becoming the most dreaded day of the month for IT staffers. More and more companies are using Microsoft's Patch Tuesday as their own day to release patches as well. Microsoft's original intent was to deliver all of its patches on a single day so IT staffers could better coordinate their efforts with respect to patching their machines. With these additional vendor patches, the day is becoming too full to properly analyze the severity and prioritization of all of the patches. Currently, in addition to Microsoft, Oracle, Apple, Mozilla, Sun and Cisco, among others, use the same day.
Is more government interference in the Internet coming? A report by the U.N.'s
Working Group on Internet Governance (WGIG) last month made a number
of recommendations relating to the future of Internet governance, including
a reduced role for the U.S. Dept. of Commerce and ICANN.
The report proposes four models for how the U.N. or international community
could become involved with the management of the Internet. The gist of all four
models called for more international input so that one country didn't have complete
control of the 'Net.
Question: Since when has the Internet been controlled by a single body, and
just what additional control does the U.N. or international community think
it can exert over the evolution of the Internet? With the exception of laws
and regulations governing content traversing the Internet (as it's exposed to
a system in a given country), there's very little additional input required,
in my opinion.
A Nigerian woman received two and a half years of prison time for helping steal
$242 million from a Brazilian bank. This is a landmark victory for Nigeria's
Economic and Financial Crime Commission (EFCC). Most of the stolen money
was recovered, and properties in various countries, including the U.K. and U.S.,
will be sold to replace the rest. The EFCC currently is prosecuting 200 cases
against "419" (the relevant section of the Nigerian criminal code)
scammers.
Although that translates to roughly $100 million per year of jail time, consideration
should be made for just how rough it would be to do time in a Nigerian jail.
While it is true that the EFCC has made major progress in cracking down on 419 scammers (more than 200 cases have now been prosecuted by that office), it isn't strictly a Nigerian problem, either. For example, many of the 419 scam emails originate in Holland, where the scammers operate largely unmolested.
Hacking/Denial of Service
Oracle Reports versions 6.0, 6i, 9i and 10g contain multiple vulnerabilities
that can allow a remote attacker to access sensitive information, overwrite
arbitrary files or conduct cross-site scripting attacks.
Oracle Forms versions 6i through 10g, and Reports versions 6.0 through
10g, contain a vulnerability that could allow a remote attacker to run arbitrary
system commands on the affected system.
It's doubtful that there are many production environments where these Oracle
features are deployed and exposed directly to the Internet, but there are a
couple of scenarios to look out for:
Development or prototype servers. Such servers should never be exposed to the Internet, but developers may request that such servers be exposed for third-party testing or troubleshooting.
SQL Injection attacks. Improper or incomplete parsing of input by visitors
may lead to attack code being injected via a Web front-end, which is then passed
on to the Oracle applications.
This column was originally published in our weekly Security Watch newsletter.
In Sun Management Console (SunMC), unprivileged local or remote users may be able to execute arbitrary code. The SunMC server software uses the Oracle listener, which is affected by the multiple Oracle vulnerabilities described in Oracle Security Alert No. 68.
This vulnerability was fixed in Oracle back in August 2004, so it has taken quite some time for Sun to get around to discovering and/or fixing it in SunMC.
Another survey, the CSI/FBI 10th Annual Survey, has indicated that costs
due to computer attacks have dropped again. The CSI/FBI survey states that 2004
losses per company surveyed are 61 percent lower than 2003, down to $204,000
from $526,000. While these losses are down, the losses due to "information
theft" and "proprietary information theft" are up.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.