VMware Security Update: Accelerated Release of Patches

VMware Security has posted an announcement that patches are being made available immediately.

VMware has accelerated the delivery of a set of software patches for specific product releases that may be exposed to increased risk. We encourage all customers to view the following links to determine if appropriate patches are available for products in their environment: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html.

For example, the KB lists ESXi 5.0 P3 as "Security Patch Needed."

Apply security patch available at http://www.vmware.com/patchmgr/download.portal under Bulletin ESXi500-201205401-SG.

That patch has the following explanations:

Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.

[…]

Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

[…]

Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

Their announcement also has a FAQ with reference to recent events:

In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products.

500px Terms of Service

500px is a photo sharing site with an interesting approach to a terms of service (TOS) page. On the left side they have a bunch of legal language.

Content Submitted Or Made Available For Inclusion On The Service

Please read this section carefully before posting, uploading, or otherwise submitting any Content to the site. By submitting content to the site you are granting 500px a worldwide, non-exclusive license to use the content and are representing and warranting to 500px that the content is owned or duly licensed by you, and that 500px is free to publish, distribute and use the content as hereinafter provided for without obtaining permission or license from any third party…

Yada, yada, and then on the right they say this:

Basically, your photos will preserve whatever copyright they had before uploading to this site. We will protect the copyright and will not sell your photos without your permission.

Under the store section they give this concluding sentence:

Your photos will be kept safe.

Safe? That is bold. I would understand if they said they would do their best or practice diligence but this statement is absolute. Then again, note their summary under Release and Indemnity.

Basically, we are not liable if something goes really wrong.

Uh, ok, really safe.

Survey: 70% Still See Security Barrier to Cloud

A new social network company by Sarah Gates called Wisegate, which bills itself as “a private invitation-only community of senior information technology professionals,” has released survey results that suggest security and compliance remain a barrier to cloud adoption for IT across industries.

When asked if they were moving protected class data into the public cloud, 53% of senior IT practitioners from leading companies in financial services, healthcare, consumer products, automotive, and government agencies said that the “cloud was too risky and they have no near term plans” to adopt cloud for such applications. Quite a few members reported that government or industry regulations (such as HIPAA or Sarbanes-Oxley) prevent them from adopting cloud-based applications.

Quite a few? What percentage is that?

A survey brief is available online from Wisegate but it has few of the usual details like sample size. It also shows some inconsistencies with the press release.

When it comes to moving to cloud-based applications and services, Wisegate members are most concerned about security. Scott’s first poll shows that 73% of Wisegate members have security as their biggest reservation about moving to cloud-based applications. A second poll from Scott shows that 53% of Wisegate members are addressing this security concern by requiring data classification, virtualization security, and encryption as a key control for moving to cloud.

Encryption as a key control? Funny. That pun was probably unintentional.

The paper from Wisegate emphasises using information from peers to move into cloud. That's positive. Yet the press coverage, even without the 73% data point, seems to spin the story the opposite way. I'd like to see more detail on the 73% breakdown and how the questions were asked. Virtualization security is not mutually exclusive from data classification and encryption. Maybe the obfuscation of data is a sales tactic to get people to join Wisegate.

PCI DSS v2.0 Change in Requirements 6.2 and 6.5.6

The PCI SSC is reminding QSAs that we're just one month away from an important change to PCI DSS reporting requirements. June 30, 2012 is the day when aspects of Requirements 6.2 and 6.5.6 will shift from a best practice to required. The Council has mentioned a couple of simple and common-sense guidelines that will help organisations meet the new requirements.

  • Risk rankings should be based on standards or best practices
  • Risks should be classified to facilitate remediation and by priority (e.g. high, moderate, low)

The requirements read as follows:

6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
Notes:

  • Risk rankings should be based on industry best practices. For example, criteria for ranking “High” risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as “critical,” and/or a vulnerability affecting a critical system component.
  • The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.

[…]
6.5.6 [Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, to include the following:] All “High” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.2).
Note:

  • This requirement is considered a best practice until June 30, 2012, after which it becomes a requirement.

The change in Requirement 6.2 is linked into other requirements:

2.2.b Verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.2.
[…]
10.4.a Verify that time-synchronization technology is implemented and kept current per PCI DSS Requirements 6.1 and 6.2.
[…]
11.2.1.b Review the scan reports and verify that the scan process includes rescans until passing results are obtained, or all “High” vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.
[…]
11.2.3.b Review scan reports and verify that the scan process includes rescans until:

  • For external scans, no vulnerabilities exist that are scored greater than a 4.0 by the CVSS,
  • For internal scans, a passing result is obtained or all “High” vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.

In addition, the Council says that when 6.5.6 is applicable (pun not intended) due to application development, there now must be a test phase to find vulnerabilities classified as "high" risk.
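To make the ranking rule and the rescan criteria concrete, here is an added Python example (mine, not the Council's and not part of any PCI SSC guidance) that encodes the "High" criteria quoted in the 6.2 note and the two pass conditions in 11.2.3.b. The Finding class, the sample findings and the cut-off between "Moderate" and "Low" (CVSS 2.0) are my own assumptions; the requirement only defines "High". It also surfaces an edge the quoted text leaves open: a CVSS 4.0 finding is "High" under the 6.2 note ("4.0 or above") but is not "greater than a 4.0" for the external scan test in 11.2.3.b, so it passes the external check while still blocking the internal one.

```python
"""Risk ranking per the PCI DSS v2.0 Requirement 6.2 note and rescan pass
criteria per 11.2.3.b. Added example; the thresholds follow the quoted
requirement text, everything else (classes, tiers below High, sample data)
is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional

# From the 6.2 note ("4.0 or above" is High) and 11.2.3.b ("greater than a 4.0").
CVSS_HIGH_THRESHOLD = 4.0
# Assumption: where the Moderate/Low boundary sits is left to the organisation.
CVSS_MODERATE_THRESHOLD = 2.0


@dataclass
class Finding:
    """One vulnerability from a scan report or vendor advisory (constructed type)."""
    id: str
    cvss_base: float
    vendor_severity: Optional[str] = None  # vendor's own patch classification, e.g. "critical"
    critical_component: bool = False       # affects a critical system component
    resolved: bool = False


def rank(f: Finding) -> str:
    """Return 'High', 'Moderate' or 'Low'.

    'High' is any of the three criteria the 6.2 note gives: CVSS base score
    4.0 or above, a vendor-supplied patch the vendor calls critical, or a
    vulnerability on a critical system component. The lower tiers are an
    assumption for this example."""
    vendor_critical = (f.vendor_severity or "").strip().lower() == "critical"
    if f.cvss_base >= CVSS_HIGH_THRESHOLD or vendor_critical or f.critical_component:
        return "High"
    if f.cvss_base >= CVSS_MODERATE_THRESHOLD:
        return "Moderate"
    return "Low"


def external_scan_passes(findings: List[Finding]) -> bool:
    """11.2.3.b, external: no unresolved vulnerability scored greater than 4.0 by CVSS."""
    return all(f.resolved or f.cvss_base <= CVSS_HIGH_THRESHOLD for f in findings)


def internal_scan_passes(findings: List[Finding]) -> bool:
    """11.2.3.b, internal: every 'High' vulnerability (as defined in 6.2) is resolved."""
    return all(f.resolved for f in findings if rank(f) == "High")


def remediation_order(findings: List[Finding]) -> List[Finding]:
    """Unresolved findings sorted for remediation: High first, then by CVSS descending."""
    tier = {"High": 0, "Moderate": 1, "Low": 2}
    return sorted(
        (f for f in findings if not f.resolved),
        key=lambda f: (tier[rank(f)], -f.cvss_base),
    )


# Constructed sample report; the ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("v1", 7.5),                                        # High by CVSS
    Finding("v2", 3.1, vendor_severity="Critical", resolved=True),  # High by vendor, already fixed
    Finding("v3", 3.9, critical_component=True),               # High by component
    Finding("v4", 3.9),                                        # Moderate
    Finding("v5", 1.0),                                        # Low
    Finding("v6", 4.0),                                        # High for 6.2, but not "> 4.0" for 11.2.3.b external
]


def report(findings: List[Finding]) -> dict:
    """Summary a QSA could check against: ranking per finding plus both pass flags."""
    return {
        "ranks": {f.id: rank(f) for f in findings},
        "external_pass": external_scan_passes(findings),
        "internal_pass": internal_scan_passes(findings),
        "remediate_next": [f.id for f in remediation_order(findings)],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```

Run it and the sample report fails both scan checks while v1 is open; resolve v1, v3 and v6 and the internal check passes, but an open 4.0 finding alone would still pass the external check, which is exactly the kind of wording gap worth settling in your own risk-ranking procedure before June 30.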