Patch Tuesday, Financial Cyber-Crime, APT Lead Week's Security News
Updates dominated the week, with system administrators having to work through Microsoft's monthly Patch Tuesday release, Adobe's quarterly update for Reader and Acrobat, and Oracle's out-of-band update to fix a denial-of-service vulnerability.
Microsoft's Patch Tuesday did not have any surprises since the company had accidentally released the details the week before. All five bulletins had been rated "important." However, the Internet Storm Center at the SANS Institute cautioned that Microsoft may be under-reporting the severity of three of the patches. The difference lies in the fact that Microsoft rates vulnerabilities that require the targeted user to do something before it can compromise the system, such as opening a file, as "important," Wolfgang Kandek, CTO of Qualys, told eWEEK. Qualys considers that opening an Excel or Word file is considered a normal activity, and has given the bulletins higher priority.
Adobe released a much larger update, with 13 patches fixing critical vulnerabilities in Reader and Adobe. The updates repaired a number of remote code execution flaws in Reader and Acrobat X, 9.x and 8.x. Adobe's quarterly patch update also included a fix to the Adobe Approved Trust List to remove the DigiNotar Qualified Certificate Authority certificate.
A few weeks after Apache developers rolled out a fix to patch the security bug in how the Apache Web server handled HTTP headers, Oracle released its own out-of-band update for its application servers that are based on Apache software. When exploited, attackers could cause denial of service on servers by consuming memory and CPU resources. Oracle patched the flaw in Oracle Fusion Middleware, Oracle Application Server and Oracle Enterprise Manager.
Cyber-criminals targeting financial institutions were a popular topic this week. Federal law-enforcement officials testified at a Congressional hearing that criminals were increasingly targeting financial institutions. Online account takeovers were on the rise, even though organizations were getting better at stopping the money from being transferred out of the institution. Criminals are getting better at coming up with new tactics, and organizations needed to step up their security defenses, the officials said.
Financial cyber-criminals are relying on social-engineering tactics to compromise accounts, whether it's by tricking users into clicking on a phishing or spear-phishing email, opening an attachment containing a malicious Adobe document or opening a link posted on the social-networking sites, according to a presentation at the New York InfraGard Cyber-Defense Summit this week.
Insider threats were also a big concern this week, as the financial world was rocked by the admission from Swiss bank UBS that a rogue trader had executed unauthorized trades that could cost the company $2 billion in losses. Organizations are often overlooking their employees, especially highly "trusted" ones when assessing risk and implementing security policies. Senior executives may not be subject to the same checks as the rest of the organization, when they should be subject to more because they have "extraordinary access to assets," according to John Rostern, managing director at Coalfire.
RSA Security revealed some findings from its closed-door summit in July on advanced persistent threats. Security professionals from government agencies and the private sector acknowledged that APTs were more prevalent than publicly assumed.