Earlier this month, the online edition of the Telegraph published an article under the title “50 things that are being killed by the Internet.” Some of the items listed cannot be attributed solely to the Internet, although the Internet has contributed to them and brought them to light (e.g., not paying for music, or wanting free but authoritative reference works), and other items are signs of progress (e.g., moving from printed fanzines to online ones). But all that aside, the Internet and the World Wide Web do have tremendous influence on the way we live, work, play and learn.
Today we announced the September 2009 bundle of Cisco IOS Software Security Advisories. In line with our previous announcements, this grouping of advisories discloses security vulnerabilities in Cisco IOS Software.
Information on the vulnerabilities disclosed today can be found at the Cisco Security Advisory listing page. Additionally, we create an Event Response Page (ERP) for our advisory bundles as we’ve done for Microsoft vulnerabilities since June 2007. These Event Response Pages are designed to be a starting point for your vulnerability triage needs. The pages contain links to important documents as well as the assigned CVEs and CVSS scores. The ERP for the IOS vulnerabilities disclosed today can be found over at our Security Intelligence Operations portal.
The bundling concept was implemented in response to feedback that the lack of an announced schedule for Cisco IOS Software vulnerability disclosure was not allowing customers to appropriately plan for and integrate security advisories into their management processes. As a general rule, our advisory bundle timelines are limited to Cisco IOS Software and do not include any other Cisco products or operating systems. However, if the same vulnerability exists in Cisco IOS Software and another product—for example Cisco IOS-XE or Unified Communications Manager—we will work to release the corresponding advisories simultaneously. In fact, this was done today and in September 2008 when we disclosed SIP-related vulnerabilities that affected both Cisco Unified Communications Manager and Cisco IOS Software.
Independent security researchers announced a new vulnerability in Microsoft Windows Vista and Windows Server 2008 on the day of the September Microsoft security bulletin announcement. Although first publicized as a denial of service vulnerability, a security advisory from Microsoft later confirmed that attackers could leverage the vulnerability to execute arbitrary code. Although exploit code in some private vulnerability testing tools has been reported, no public examples of exploit code exist.
The vulnerability relates to flaws in the Windows Server Message Block 2 (SMB2) networking component included in Windows Vista and Windows 2008. Although SMB2 is also included in Windows 7 and Windows 2008 R2, changes in the component have rendered these systems unaffected. No current updates are available that correct the vulnerability on affected platforms.
Paul Ohm’s recent paper about the failures of anonymization brought to light some very compelling arguments against the practice. The goal of anonymization is to remove personally identifying details without removing other usefulness from a dataset. As an example, a company might take out names, social security numbers, day and month of birth, street address and credit card information from their customer dataset, but leave purchase history. Such an anonymized dataset might be useful to a marketing partner to identify trends in some generalized demographics that could help them to make more effective decisions in marketing products to future and returning customers.
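The anonymization described above, worked through as an added example (not code from Ohm’s paper or from Cisco) on a constructed customer table: direct identifiers are dropped and the date of birth is reduced to a year, then the k-anonymity of what remains is measured. The `zip` field is an assumed retained demographic column; the result shows that the retained purchase history, the very data that makes the set useful, is what makes individual rows unique again.

```python
from collections import Counter

# Constructed sample customer records (not real data).
CUSTOMERS = [
    {"name": "A. Smith", "ssn": "000-00-0001", "dob": "1975-03-14",
     "street": "1 Elm St", "zip": "02139", "card": "4111 1111 1111 1111",
     "purchases": ["router", "cable"]},
    {"name": "B. Jones", "ssn": "000-00-0002", "dob": "1975-11-02",
     "street": "9 Oak Ave", "zip": "02139", "card": "4111 1111 1111 2222",
     "purchases": ["switch"]},
    {"name": "C. Lee", "ssn": "000-00-0003", "dob": "1980-06-30",
     "street": "4 Pine Rd", "zip": "10001", "card": "4111 1111 1111 3333",
     "purchases": ["router"]},
    {"name": "D. Kim", "ssn": "000-00-0004", "dob": "1980-01-09",
     "street": "7 Birch Ln", "zip": "10001", "card": "4111 1111 1111 4444",
     "purchases": ["router"]},
]

# Fields the post lists as removed; "zip" is an assumed retained demographic field.
DIRECT_IDENTIFIERS = {"name", "ssn", "street", "card"}

def anonymize(records):
    """Drop direct identifiers and keep only the year from the date of birth."""
    result = []
    for rec in records:
        anon = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        anon["birth_year"] = anon.pop("dob")[:4]
        result.append(anon)
    return result

def _key(rec, fields):
    # List-valued fields (purchase history) become sorted tuples so they are hashable.
    return tuple(tuple(sorted(rec[f])) if isinstance(rec[f], list) else rec[f]
                 for f in fields)

def k_anonymity(records, fields):
    """Size of the smallest group of records sharing the same values for `fields`.
    k == 1 means at least one record is unique: anyone who knows those values
    about a person can single out that person's row in the 'anonymized' data."""
    groups = Counter(_key(rec, fields) for rec in records)
    return min(groups.values())

if __name__ == "__main__":
    anon = anonymize(CUSTOMERS)
    print(k_anonymity(anon, ("birth_year", "zip")))                # 2
    print(k_anonymity(anon, ("birth_year", "zip", "purchases")))   # 1
```

The demographics alone leave every customer hidden in a group of two, but adding the purchase history drops k to 1, which is the mechanism of the failures Ohm describes.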
It is almost that time of year again. Our Product Security Incident Response Team (PSIRT) is readying the release of the next bundle of security advisories for Cisco IOS. As stated in the original announcement, bundles are released on the fourth Wednesday in March and September; the next bundle is scheduled for September 23rd. With that in mind, I wanted to take the opportunity to explain some of the wording that is used in advisories.
I can assure you that there is a large effort applied to every security advisory by our technical, legal, and public relations teams to make sure the advisory is both clear and concise. At the same time though, I think reinforcing some key phrases will help you do the important work—assessing your risk due to an advisory—instead of working to understand the words themselves.
Unless you live and breathe security, you might find phrases such as “the improper handling of a crafted packet may allow an unauthenticated attacker to perform remote code execution” to be confusing. Along the same lines, what are mitigations and how are they different from workarounds? What in the world are CoPP and iACLs, and can they buy time before an upgrade is required?