Microsoft has quite a big pile of patches in its November 2014 Patch Tuesday, which will deliver almost 60 non-security updates for its Windows OS along with 16 security updates. The software giant released an Advance Notification for 16 security bulletins, the most in more than three years, which will be addressed as of tomorrow, 11 November 2014. Five of the bulletins have been marked as "critical", nine are "important" in severity, and two were labeled "moderate."
The updates will patch vulnerabilities in Microsoft’s various software
including Internet Explorer (IE), Windows, Office, Exchange Server,
SharePoint Server and the .NET framework as well.
Five critical vulnerabilities affect specific versions of Microsoft Windows, including Windows 7, Windows 8, Windows RT, and Windows Server. One of them also affects Internet Explorer versions 7 through 11.
Four of the five critical bugs are said to allow remote code execution, meaning that a successful attacker could hijack a system and install malicious software on the victim's machine, while the fifth could allow an attacker to gain administrative privileges on a vulnerable machine.
"A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email," is how Microsoft describes a critical patch.
Another nine patches are rated as "important": not as severe as the critical ones, but they should still be installed to keep your systems safe. These affect Microsoft Windows, Office and Microsoft Exchange.
Five of the nine important updates patch elevation-of-privilege vulnerabilities, two fix security feature bypass vulnerabilities in the OS, one addresses a remote code execution bug, and the last one plugs an information leak.
The last two patches are rated as "moderate", which indicates a much lower risk, but they should still be installed. One addresses a denial of service flaw in Microsoft Windows, while the other patches an elevation of privilege bug.
If you have Automatic Updates enabled on your machine, these fixes will all be made available via Windows Update and applied automatically for most users. Users who have not enabled it are encouraged by Microsoft to apply the updates promptly. Some of the patches may require a restart as well.
Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development.
Brakeman now supports loading checks that are not run by default. These “nondefault” checks may have high false positive rates or introduce significant slowdowns. Optional checks should be treated as experimental and may experience more breaking changes than default checks.
To run all checks, use -A. To list only the optional checks, use --optional-checks. Optional checks are also listed by --checks. As usual, individual checks may be selected using -t or --test. At this time there is no easy way to run the default checks plus some optional checks.
On the code side, optional checks are written the same way as default checks, except that Brakeman::Checks.add self becomes Brakeman::Checks.add_optional self.
It works with Rails 2.x, 3.x, and 4.x.
Advantages
No Configuration Necessary
Brakeman requires zero setup or configuration once it is installed. Just run it.
Run It Anytime
Because all Brakeman needs is source code, Brakeman can be run at any stage of development: you can generate a new application with rails new and immediately check it with Brakeman.
Better Coverage
Since Brakeman does not rely on spidering sites to determine all their pages, it can provide more complete coverage of an application. This includes pages which may not be ‘live’ yet. In theory, Brakeman can find security vulnerabilities before they become exploitable.
Best Practices
Brakeman is specifically built for Ruby on Rails applications, so it can easily check configuration settings for best practices.
Flexible Testing
Each check performed by Brakeman is independent, so testing can be limited to a subset of all the checks Brakeman comes with.
Speed
While Brakeman may not be exceptionally speedy, it is much faster than “black box” website scanners. Even large applications should not take more than a few minutes to scan.
Installation
Using RubyGems:
gem install brakeman
Using Bundler, add it to the development group in the Gemfile and set it to not be required automatically:
group :development do
gem 'brakeman', :require => false
end
From source:
gem build brakeman.gemspec
gem install brakeman*.gem
Usage
brakeman [app_path]
It is simplest to run Brakeman from the root directory of the Rails application. A path may also be supplied.
Basic Options
For a full list of options, use brakeman --help or see the OPTIONS.md file.
To specify an output file for the results:
brakeman -o output_file
The output format is determined by the file extension or by using the -f option. Current options are: text, html, tabs, json, markdown, and csv.
Multiple output files can be specified:
brakeman -o output.html -o output.json
To suppress informational warnings and just output the report:
brakeman -q
Note that all Brakeman output except reports is sent to stderr, making it simple to redirect stdout to a file and get just the report.
To see all kinds of debugging information:
brakeman -d
Specific checks can be skipped, if desired. The name needs to be the correct case. For example, to skip looking for default routes (DefaultRoutes):
brakeman -x DefaultRoutes
Multiple checks should be separated by a comma:
brakeman -x DefaultRoutes,Redirect
To do the opposite and only run a certain set of tests:
brakeman -t SQL,ValidationRegex
If Brakeman is running a bit slowly, try
brakeman --faster
This will disable some features, but will probably be much faster (currently it is the same as --skip-libs --no-branching). WARNING: This may cause Brakeman to miss some vulnerabilities.
By default, Brakeman will return 0 as an exit code unless something went very wrong. To return an error code when warnings were found:
brakeman -z
To skip certain files that Brakeman may have trouble parsing, use:
brakeman --skip-files file1,file2,etc
To compare results of a scan with a previous scan, use the JSON output option and then:
brakeman --compare old_report.json
This will output JSON with two lists: one of fixed warnings and one of new warnings.
Brakeman will ignore warnings if configured to do so. By default, it looks for a configuration file in config/brakeman.ignore. To create and manage this file, use:
brakeman -I
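The two operations just described, --compare between JSON reports and config/brakeman.ignore, both hinge on the warning fingerprint. The script below is an added example (not Brakeman's own code) that reimplements them over constructed sample JSON so the report and ignore-file layouts are visible; it is useful as a CI gate that consumes a report written with -o report.json. The field names follow Brakeman's JSON output; the fingerprints, paths and ignore note are made up.

```ruby
require 'json'

# Constructed sample reports in the layout of Brakeman's JSON output (only the
# fields this script reads); they are not real scan results.
OLD_REPORT = <<~JSON
  {"warnings": [
    {"warning_type": "SQL Injection", "check_name": "SQL", "fingerprint": "fp-sql-1", "confidence": "High", "file": "app/models/user.rb", "line": 12},
    {"warning_type": "Redirect", "check_name": "Redirect", "fingerprint": "fp-redir-1", "confidence": "Weak", "file": "app/controllers/sessions_controller.rb", "line": 30}
  ]}
JSON
NEW_REPORT = <<~JSON
  {"warnings": [
    {"warning_type": "Redirect", "check_name": "Redirect", "fingerprint": "fp-redir-1", "confidence": "Weak", "file": "app/controllers/sessions_controller.rb", "line": 31},
    {"warning_type": "Cross-Site Scripting", "check_name": "CrossSiteScripting", "fingerprint": "fp-xss-1", "confidence": "High", "file": "app/views/posts/show.html.erb", "line": 4}
  ]}
JSON
# Constructed config/brakeman.ignore in the layout that `brakeman -I` writes.
IGNORE_FILE = <<~JSON
  {"ignored_warnings": [{"fingerprint": "fp-redir-1", "note": "target checked against an allow-list"}],
   "updated": "2014-11-11 00:00:00 +0000"}
JSON

CONFIDENCE_RANK = { 'High' => 0, 'Medium' => 1, 'Weak' => 2 }.freeze

def load_warnings(report_json)
  JSON.parse(report_json).fetch('warnings')
end

# Same idea as `brakeman --compare old.json`: key on the fingerprint, which
# survives the line-number change on the redirect warning, not on file/line.
def compare_reports(old_json, new_json)
  old_fps = load_warnings(old_json).map { |w| w['fingerprint'] }
  new_fps = load_warnings(new_json).map { |w| w['fingerprint'] }
  { fixed: old_fps - new_fps, new: new_fps - old_fps }
end

# Warnings the ignore file does not cover, at or above the given confidence.
def unignored_warnings(report_json, ignore_json, min_confidence: 'Weak')
  ignored = JSON.parse(ignore_json).fetch('ignored_warnings').map { |i| i['fingerprint'] }
  load_warnings(report_json).reject do |w|
    ignored.include?(w['fingerprint']) ||
      CONFIDENCE_RANK.fetch(w['confidence']) > CONFIDENCE_RANK.fetch(min_confidence)
  end
end

# CI gate: like `brakeman -z`, but after the ignore file and a confidence floor.
def build_should_fail?(report_json, ignore_json, min_confidence: 'Weak')
  !unignored_warnings(report_json, ignore_json, min_confidence: min_confidence).empty?
end
```

Because the comparison is keyed on fingerprints, the redirect warning moving from line 30 to 31 is reported as neither fixed nor new.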
Download Brakeman - See more at: http://blog.hackersonlineclub.com/2014/11/brakeman-rails-security-scanner-latest.html