As summer comes to an end there is nothing better than some security researchers who see fit to disclose a new zero-day vulnerability every day for a month. That is in fact what the guys over at Abysssec have decided to do to ensure that the criminals (and pen testers) have plenty of ways to compromise our computers.
The good news is that it would appear that the vulnerabilities being disclosed are already patched. All that is new is detailed analysis of the flaws and proof of concept exploits to attack users who have not patched their software. The bad news is that almost no one has a fully patched environment and these disclosures are so detailed that we can expect a flurry of new malware to take advantage of these flaws.
The first two flaws are in cPanel and in Adobe Flash and Reader. It appears the current “STABLE” version of cPanel is affected, yet the “CURRENT” and “BETA” releases have been fixed. The Adobe flaws were fixed in 9.3.3, which was released on June 29th, 2010.
While I understand the importance to penetration testers of having working proof of concept and exploit code, I still think I am going to chalk this one up in the “bad idea” column. The typical argument of pressuring vendors to release fixes does not apply, as most already have, which means the press this is receiving is the likely motivation.
Sophos Security Chet Chat episode 24 is now live on http://podcasts.sophos.com. This week Tony Ross, our Global Sales Trainer, and I discussed this week's news as well as a detailed exploration of why testing malware on your own might not be such a good idea.
You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 24.