Synology & “Shellshock” bash Vulnerability

Synology has released an announcement about the Shellshock vulnerability. Not all DiskStations are vulnerable, and on the ones that are, the Bash shell isn’t available to public users.

Synology released a statement about the “Shellshock” vulnerability.

From the statement:

A vulnerability of a commonly used UNIX command shell, Bash, has been discovered allowing unauthorized users to remotely gain control of vulnerable UNIX-like systems. A thorough investigation by Synology shows the majority of Synology NAS servers are not concerned. The design of Synology NAS operating system, DiskStation Manager (DSM), is safe by default. The bash command shell built-in in DSM is reserved for system service use (HA Manager) only and not available to public users. For preventive purposes, Synology is working on the patches addressing this bash vulnerability and will provide them as soon as possible.

Only one of my three DiskStations is on the vulnerable list (the 1511+). That particular NAS always gets updated last. It’s used for all my backups and file storage. While recovery would be possible it would take a long time. My test NAS (the 212J) isn’t on the vulnerable list so I can’t test the updated firmware. My main NAS, the DS212+, isn’t on the list either.

Since I can’t test the update I’m not applying it to my 1511+. The 1511+ isn’t accessible from the internet; it isn’t even set up for QuickConnect, and my router wouldn’t send any Internet traffic to it. So the risk to me seems nearly non-existent and the risk of problems is higher than normal. I’ll wait until others beat on the update for a while and apply it sometime in the future, maybe just with the next update. As I write this the update for the DS1511+ isn’t available from the download center or through automatic update.

Security: DLL Search order Vulnerability

This is a little old, reported about a month ago, but I’m just getting around to patching it and Microsoft isn’t. The “Insecure Library Loading Could Allow Remote Code Execution” vulnerability was announced by Microsoft back in late August in bulletin 2269637. Unfortunately Microsoft has not rolled out a patch with their normal patch rollouts, probably because of the potential to break apps. They did publish knowledge base article 2264107, which has a workaround to the problem.

In short, because the working directory is included in the DLL search path and could be a remote directory, it was possible for an attacker to compromise a system with a remote DLL. Applications could avoid this by not relying on the default search order.

I ran through the steps and haven’t had an issue. Since I don’t expect any of my applications to run a remote DLL (WebDAV or SMB file share) I’m not expecting any problems. I’ve installed the patch and changed the settings on Windows 7 64-bit only, but the patch is available for other OS’s and the process seems the same for them.

To patch the PC:

  1. Download and install the appropriate OS patch from the KB article. I needed to reboot and I suspect the other OS’s will also need a reboot.
  2. The patch doesn’t change anything by itself; it just enables the use of the registry keys described in the article. You can create the registry key(s) manually or do like I did, and click the “Fix It” link in the article.
  3. The Fix It link creates the global registry key with a value of “2”, which prevents searching the working directory for DLLs if that location is WebDAV or SMB (remote).
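A PowerShell version of steps 2 and 3, added here as an example (it is neither Microsoft’s Fix It nor code from the original post): it checks that KB2264107 is installed, reads the global CWDIllegalInDllSearch value, and writes the value 2 that the Fix It link sets. The registry path, value name and value meanings are the ones documented in KB2264107; that the update shows up in Get-HotFix under the same KB number is my assumption.

```powershell
# Added example, not from the KB article or the original post: audit and apply the
# global CWDIllegalInDllSearch mitigation described in KB2264107.
# Assumes an elevated prompt and that the update is installed (the value is ignored without it).
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'CWDIllegalInDllSearch'

# Meanings of the DWORD values as documented in KB2264107
function Get-CwdDllSearchMeaning([uint32]$Value) {
    switch ($Value) {
        0          { 'current working directory (CWD) is searched: no mitigation' }
        1          { 'CWD skipped only when it is a WebDAV folder' }
        2          { 'CWD skipped when it is a WebDAV or remote SMB folder (what Fix It sets)' }
        4294967295 { 'CWD never searched (0xFFFFFFFF): strictest, most likely to break apps' }
        default    { "unrecognised value $Value" }
    }
}

function Get-CwdDllSearchSetting {
    $item = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: default search order applies
    # A DWORD of 0xFFFFFFFF reads back as Int32 -1; mask it back to an unsigned value
    return [uint32]($item.$valueName -band 0xFFFFFFFF)
}

function Set-CwdDllSearchSetting([uint32]$Value = 2) {
    # The registry provider stores DWORDs as Int32, so reinterpret the bits (handles 0xFFFFFFFF too)
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    Set-ItemProperty -Path $regPath -Name $valueName -Value $dword -Type DWord
}

# 1. The registry value does nothing until the KB update is installed (assumed KB id)
if (-not (Get-HotFix -Id 'KB2264107' -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB2264107 not found; install it (and reboot) before relying on this value.'
}

# 2. Report the current state
$current = Get-CwdDllSearchSetting
if ($null -eq $current) {
    Write-Output "$valueName is not set ($(Get-CwdDllSearchMeaning 0))"
} else {
    Write-Output "$valueName = $current ($(Get-CwdDllSearchMeaning $current))"
}

# 3. Apply the same setting the Fix It link applies, then re-read it to confirm
if ($current -ne 2) {
    Set-CwdDllSearchSetting -Value 2
    Write-Output "Now: $(Get-CwdDllSearchMeaning (Get-CwdDllSearchSetting))"
}
```

Running it a second time should report the value as 2 and make no further change; set the value to 0xFFFFFFFF only if you are prepared to retest every application that loads DLLs from its working directory.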

The working directory isn’t the directory the application is installed in (I suppose it can be, but that would be coincidence). This patch also affects the search order (based on the article) so if the app is installed remotely, and properly written to not rely on the remote working directory for a DLL, I would expect the app to continue to work. But, I don’t have any remotely installed apps to test this out.

This is the first time I tried one of those “Fix It” links. It’s a little scary but worked well. I’ll post an update if I have any app issues, but so far so good.

Microsoft Security Updates for July 2008

Microsoft has released four security bulletins for July 2008, two of which are for desktops.

MS08-038 addresses a vulnerability in Windows Explorer and is for Windows Vista and carries an “important” rating. The update includes the original Vista, Vista SP1 and Vista x64.

MS08-037 addresses a vulnerability in DNS and is for Windows 2000 SP4, Windows XP SP2 & SP3, and Windows XP x64 original release & SP2. It’s rated as “important”. [Updated: This patch is part of a coordinated, multi-vendor DNS patch.]

These patches, and the others, also affect server OS’s. There’s no Internet Explorer update this month.

Also, Microsoft will begin rolling out an update to Windows Update later this month. Last time they did this they caught grief for updating PCs that were set to “do not update”. This time around they’ll be doing things differently and won’t update PCs set to not update.

Safari 3.1.1 Released

Apple has released Safari 3.1.1 for both OS X and Windows. I installed it on my two Leopard Macs without a problem through Apple’s Software Update and a reboot was required. It’s also available as a standalone download.

The update includes four security fixes (two are Windows only). One of the patches plugs the vulnerability that won the PWN to OWN contest at CanSecWest.

There’s also the standard

…improvements to stability, compatibility…

The reboot displayed a blank blue screen for a nerve-racking length of time but was otherwise uneventful.

[Updated April 17th:] Well, I may have spoken too soon. My iMac was stable until the first reboot after the patch. At that point it wouldn’t finish loading and would lock up shortly after logon. Starting in Safe Boot mode would allow the logon but instability would ensue after running an app or two. The update itself doesn’t seem to be the problem as a new user profile runs Safari and other apps just fine. Also, my MacBook is running fine.

Microsoft Security Bulletins for April 2008

Another “Super Tuesday” patched this week but I just got around to firing up my Windows VM’s today (actually it’s been about 12 days since I’ve been in Windows). There were ten updates waiting for me on Windows Vista and eight on Windows XP Home, although not all were security related.

This month’s updates included:

KB945553 (MS08-020) – Vulnerability in DNS client could allow spoofing. This is rated as “Important” for all supported desktop OS’s except Windows Vista SP1, which doesn’t need the update.

KB948590 (MS08-021) – Vulnerability in GDI could allow remote code execution. This is rated as “Critical” for all supported desktop OS’s.

KB944338 (MS08-022) – Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution. This is rated as “Critical” for all desktop OS’s except Windows Vista, which doesn’t need the update.

KB948881 (MS08-023) – Critical security update for ActiveX killbits. This is required for all supported desktop OS’s, although the severity ranges from “Important” to “Critical”.

KB947864 (MS08-024) – Cumulative security update for Internet Explorer. As expected, all supported versions of IE get the update and all are rated “Critical”.

KB941693 (MS08-025) – Vulnerability in Windows Kernel could allow elevation of privileges. This one has an “Important” rating for all supported desktop OS’s.

There were also some security patches for applications. MS08-018 patches a Project vulnerability while MS08-019 patches a vulnerability in Visio. I don’t run either Project or Visio so I didn’t install the updates.

The Malicious Software Removal Tool, Junk Email Filter update (Vista only, in my case at least) and Windows Defender definition updates were also included.

I also received KB938371 (on my Vista SP1 VM), which is an update needed to add or remove Vista SP1. Since I installed Vista SP1 successfully I already had some of the components. According to the bulletin, Vista SP1 install “will only install the new components in this rereleased update.”

Non-security related patches included an update to Live Writer and an optional Group Policy patch. For some reason my Windows XP Home installation also received .NET 2.0 SP1, although it appears that it was released back in December and I installed the base .NET 2.0 in early January, two Patch Tuesdays ago.

As expected, a reboot was required. So far I haven’t encountered any differences or problems since applying the updates.

Windows Home Server Security Updates

I don’t have my Windows Home Server set to automatically install updates from Microsoft. Today was the day I went into the console and told it to pull down the updates. Even though I tell it not to automatically install the updates, the process is unstoppable once I click the Update Now button. I don’t get a preview of the updates that will be installed.

Today’s updates included:

KB941693 (MS08-025) – Vulnerability in Windows Kernel could allow elevation of privilege.

KB945553 (MS08-020) – Vulnerability in DNS client could allow spoofing.

KB948590 (MS08-021) – Vulnerability in GDI could allow remote code execution.

KB948881 (MS08-023) – Critical security update for ActiveX killbits.

KB947864 (MS08-024) – Cumulative security update for IE7.

The Malicious Software Removal Tool also ran.

As expected, a reboot was required.

So far I haven’t encountered any differences or problems since applying the update.

Apple Releases Security Update 2008-002 V1.1

Apple released an updated copy of Security Update 2008-002. The re-release is Leopard only. Apple is typically tight-lipped and doesn’t say what’s changed. Others have reported that it fixes an Aperture printing problem that was introduced in the first update attempt. This makes sense with what I’ve seen: I have three Macs with Leopard but only the two with Aperture were offered the new version of the update through Apple’s Software Update.

Apple OS X Security Update 2008-002

Apple released security update 2008-002 for all versions of OS X. It’s available through Software Update or as a direct download. The list of fixes is extensive, and others who have counted them say they number over 40; I’ll take their word for it.

I installed the update yesterday without a problem on my two Intel Macs running Leopard. A restart is required. I haven’t encountered any problems, but with the wide range of fixes there are probably pieces I haven’t touched yet. There are three different versions of the update: Leopard, PPC and Universal. There are three more patches for the same three flavors of OS X Server.

Microsoft Security Bulletins for March 2008

Microsoft has released 4 security bulletins for March. All are for Office products and all are rated critical for one or more of the affected products. There weren’t any OS or IE updates this month. Since I don’t run any Office products I didn’t install any Microsoft updates this month, but these were the updates:

MS08-014 is a security update that patches several vulnerabilities in Microsoft Excel. Microsoft Excel 2003 Service Pack 3 and Microsoft Excel 2007 Service Pack 1 are not affected but other versions of Excel are vulnerable. Vulnerable versions include Office 2004 and Office 2008 for the Mac. The Office 2007 Compatibility pack is also vulnerable as is the Excel 2003 viewer.

MS08-015 is a critical update for Microsoft Outlook. Microsoft Outlook 2007 Service Pack 1 is not vulnerable but all other versions are vulnerable.

MS08-016 is a security update for Microsoft Office. Vulnerable versions include Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 2, Microsoft Office Excel 2003 Viewer (base version & Service pack 3), and Microsoft Office 2004 for Mac.

MS08-017 is a critical update for Microsoft Office Web Components. Client vulnerabilities include Microsoft Office 2000 Service Pack 3, Microsoft Office XP Service Pack 3, Visual Studio .NET 2002 Service Pack 1, and Visual Studio .NET 2003 Service Pack 1.

While none of these patches apply to me, my Windows Vista Home Premium and Windows Vista Ultimate installations did have three updates waiting in Windows Update: the Windows Malicious Software Removal Tool, the March update for the Windows Mail Junk E-Mail filter, and a generic “Update for Windows Vista” described as:

Update for Windows Vista (KB946041)

Download size: 581 KB

You may need to restart your computer for this update to take effect.

Update type: Recommended

This is a reliability update. This update resolves some performance and reliability issues in Windows Vista. By applying this update, you can achieve better performance and responsiveness in various scenarios. After you install this item, you may have to restart your computer.

More information:
http://support.microsoft.com/kb/946041

Windows Update also includes Microsoft Silverlight 1.0 as an optional installation. I decided to go ahead and install it. The updates installed without any issues; a restart was required. The first time I went to a Microsoft website I had to accept the Silverlight license agreement and enable Silverlight itself.

Microsoft Security Bulletins for February 2008

Microsoft released 11 security bulletins for February 2008, six are rated critical and five are important. My Windows XP Pro SP2 installation received the following updates through Windows Update:

MS08-010 – Cumulative Update for Internet Explorer (critical)

MS08-007 – Vulnerability in WebDAV Mini-Redirector Could Allow Remote Code Execution (critical)

MS08-008 – Vulnerability in OLE Automation Could Allow Remote Code Execution (critical)

A reboot was required.

I’m running the Windows Vista SP1 Release Candidate so I didn’t get any updates on that machine. I don’t run MS Office apps so I avoided those updates too. I’m all updated out so I’m not going to cover the other updates. Suffice it to say that any copies of Windows or Office you have will get updated. For more information you can read CNet’s article which has the Cliff Notes version of the MS Bulletins.