December 19, 2014

Microsoft fixes 24 security vulnerabilities in December’s Patch Tuesday

Windows-Vista-command-prompt(LiveHacking.Com) – As part of December’s Patch Tuesday, Microsoft has released seven security updates, three of which Microsoft has rated Critical, while the other four are rated Important in severity. These seven patches to address 24 security vulnerabilities in Microsoft Windows, Internet Explorer (IE), Office and Exchange.

The first of the Critical patches is a cumulative update for IE. The patch resolves fourteen privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. The update applies to IE 6 to IE 11, on Windows Server 2003 to Windows 81, depending on the version of IE.

The second Critical patch applies to Microsoft Word and Microsoft Office Web Apps, to fix two privately reported vulnerabilities. The vulnerabilities could allow remote code execution if a user opens or previews a specially crafted Microsoft Word file in an affected version of Microsoft Office software.

The Critical patch resolves a privately reported vulnerability in the VBScript scripting engine in Microsoft Windows. The vulnerability could allow remote code execution if a user visits a specially crafted website.

Microsoft has also re-released and updated two security bulletins related to Internet Explorer. The first, MS14-065, is a cumulative security update for Microsoft’s default browser, while the second relates to the browser’s built-in version of Flash. Adobe also released  a security update for Adobe Flash Player for Windows.

Apple patches security flaws in iOS 8, OS X 10.10 and Apple TV 7

Apple-logo(LiveHacking.Com) – Apple has released new versions of three of its major software products. The new versions of iOS, OS X and Apple TV address multiple security vulnerabilities. iOS 8.1.1, which is available for the iPhone 4s and later; the iPod touch (5th generation) and later; and the iPad 2 and later; addresses nine separate vulnerabilities. Apple TV 7.0.2, which is available for Apple TV 3rd generation and later, addresses four vulnerabilities, all of which are common with the iOS release. OS X 10.10.1 patches four flaws, two of which are common with the iOS release and two which are specific to OS X.

The common fixes are as follows:

  • iOS and OS X: A privacy issue existed where browsing data could remain in the cache after leaving private browsing. (CVE-2014-4460)
  • iOS and OS X: The initial connection made by Spotlight or Safari to the Spotlight Suggestions servers included a user’s approximate location before a user entered a query. (CVE-2014-4453)
  • iOS and Apple TV: A state management issue existed in the handling of Mach-O executable files with overlapping segments. (CVE-2014-4455)
  • iOS and Apple TV: A malicious application may be able to execute arbitrary code with system privileges due to a validation issue that existed in the handling of certain metadata fields in IOSharedDataQueue objects. (CVE-2014-4461)
  • iOS and Apple TV: Due to multiple memory corruption issues in WebKit, visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. (CVE-2014-4452 and CVE-2014-4462)

The iOS specific fixes are:

  • In some circumstances, the failed passcode attempt limit was not enforced. (CVE-2014-4451)
  • The Leave a Message option in FaceTime may have allowed viewing and sending photos from the device. (CVE-2014-4463)
  • A permissions issue existed with the debugging functionality for iOS that allowed the spawning of applications on trusted devices that were not being debugged. (CVE-2014-4457)

The OS X only patches are:

  • The request made by About This Mac to determine the model of the system and direct users to the correct help resources included unnecessary cookies. (CVE-2014-4458)
  • Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution due to a use after free issue existed in the handling of page objects. (CVE-2014-4459)

More information about all these patches can be found on Apple’s Security Updates web site: http://support.apple.com/kb/HT1222

Source code for BadUSB vulnerability posted on GitHub

usb-flash-drive(LiveHacking.Com) – Back in August, security researchers  Karsten Nohl and Jakob Lell demonstrated how a USB device can be reprogrammed and used to infect a computer without the user’s knowledge. Dubbed BadUSB, the pair published their findings during the Black Hat conference, however they did not publish the source code or the reversed engineered firmware needed to perform the attack. Nohl and Lell said they did not release code in order to give firms making USB-controller firmware time to work out how to combat the problem.

Now two other researchers, Adam Caudill and Brandon Wilson have done their own research on BadUSB and produced code that can be used to exploit it. The source-code can be found on Github. Unlike Nohl and Lell, Caudill and Wilson think it is in the public’s interest to release the source code for public consumption.

“We’re releasing everything we’ve done here, nothing is being held back,” said Mr Wilson during his presentation at DerbyCon. “We believe that this information should not be limited to a select few as others have treated it. It needs to be available to the public.”

The BBC contacted Karsten Nohl about the new release, he said that “full disclosure” can motivate USB device makers to improve the security on their devices. However he also noted that the problem with BadUSB is not one particular device but rather, “the standard itself is what enables the attack and no single vendor is in a position to change that.” He added that, “it is unclear who would feel pressured to improve their products by the recent release.”

According to the GitHub page for the new source-code the following devices can be reprogrammed and used as attack vectors:

  • Patriot 8GB Supersonic Xpress
  • Kingston DataTraveler 3.0 T111 8GB
  • Silicon power marvel M60 64GB
  • Toshiba TransMemory-MX™ Black 16 GB
  • Patriot Stellar 64 Gb Phison

Shellshock: Code injection vulnerability found in Bash

bash-man-page(LiveHacking.Com) – A code injection vulnerability in the Bourne again shell (Bash) has been disclosed on the internet. If exploited then arbitrary commands can be executed, and where Bash is used in relation to a network service, for example in CGI scripts on a web server, then the vulnerability will allow remote code execution.

The problem resolves about the way that Bash processes environment variables used to export shell functions to other bash instances. Bash uses environment variables named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the process environment. The problem is that Bash does not stop after processing the function definition; it continues to parse and execute any shell commands following the function definition.

This means that shell commands can be tagged onto the end of environment variables and they will be executed by the shell. The vulnerability is deemed as critical because Bash is used widely on many types of UNIX-like operating systems including Linux, BSD, and Mac OS X.

The most prominent attack vector is via HTTP requests sent to CGI scripts executed by Bash. Also, if SSH has been configured to allow remote users to run a set of restricted commands, like rsync or git, this bug means that an attacker can use SSH to execute any command and not just the restricted command.

The initial bug was designated as CVE-2014-6271, and a patch was subsequently issued. However it was later discovered that the patch had an issue in the parser and did not fully address the problem. As a result a second CVE was assigned, CVE-2014-7169, to cover the remaining problems after the application of the first patch.

To test your system to see if your version of bash is vulnerable, run these two commands:

env X="() { :;} ; echo vulnerable" /bin/sh -c "echo completed"
env X="() { :;} ; echo vulnerable" `which bash` -c "echo completed"

In either case, if the word “vulnerable” is displayed then your shell needs patching.

The United States Computer Emergency Readiness Team (US-CERT) has issued a statement: Bourne Again Shell (Bash) Remote Code Execution Vulnerability, along with the following alert: GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169).

Red Hat has posted a special report on its security blog: Bash specially-crafted environment variables code injection attack. Akamai, a provider of cloud services, has also posted a blog post called Environment Bashing.

 

Apple releases iOS 8 with 56 security patches

ios8-logo(LiveHacking.Com) – Along side the release of the iPhone 6 and iPhone 6 Plus Apple has also released a new version of its mobile operating system. iOS 8 includes improvements to Siri and the ability for third parties to add widgets to the notification area. Apple are calling it “huge for developers,  massive for everyone else.” iOS 8 also includes some important security fixes. Overall Apple addressed 56 unique CVEs in this release.

Among the changes are fixes for bugs which could allow an attacker with access to an iOS device to access sensitive user information from logs, allow a local attacker to escalate privileges and install unverified applications, and fixes for bugs that allow some kernel hardening measures may be bypassed.

Other fixes include a patch to stop maliciously crafted PDF files that can allow an attacker to run arbitrary code, and a patch to stop malicious applications executing arbitrary code with system privileges. Most of these issues revolve around NULL pointer dereferencing and bounds checking. For example an out-of-bounds read issue existed in the handling of an IOHIDFamily function. As a result, a malicious application may be able to read kernel pointers and then bypass kernel address space layout randomization. According to Apple’s release notes, “this issue was addressed through improved bounds checking.” A phrase that is found several times in Apple’s document that describes the security content of iOS 8.

Webkit, the open source HTML rendering engine used by Apple, also received a lot of patches (12 in total). According to Apple visiting a maliciously crafted website in previous versions of iOS may lead to an unexpected application termination or arbitrary code execution. This was because of multiple memory corruption issues in WebKit. These issues were addressed through improved memory handling.

As well as releasing iOS 8, Apple also released new versions of OS X, OS X Server, Safari, and Apple TV. These are all maintenance releases which fix bug and patch security vulnerabilities. The full list of updates including links to the relevant security information follows:

LinkedIn can be tricked into revealing personal email addresses

linkedin(LiveHacking.Com) – Benjamin Caudill and Bryan Seely, founders of Rhino Security, have discovered an unintentional side effect of LinkedIn’s obsession with making sure you are “linked” with just about everyone you have had contact with. According to the new research, which was published in part by Brian Krebs, it is possible to troll LinkedIn and discover the email addresses of public figures including leading CEOs, celebrities and company executives.

On a normal day LinkedIn will only let you connect with users that you claim to know professionally or personally. If you don’t know some you can get an introduction via a common third party. To ensure that you are linked to everyone you know LinkedIn will optionally trawl through your Google/Yahoo/Hotmail address book to see if anyone in your address book is already using LinkedIn. Sounds great, very helpful.

The problem is that if you start to create fake email addresses in your list of contacts then LinkedIn will helpfully show you the profiles of users with addresses that match your address book. This is because LinkedIn assumes that if you have their email address then you must know the person.

Now all you need to do is populate your address book with hundreds of combinations of email addresses based on people’s names, and then add @gmail.com or @yahoo.com etc on to the end.

When you import the list of names then LinkedIn will not only show you the profiles which match the addresses, it will also tell you which addresses don’t match any known profiles. If you got lucky and found the address of a high profile user then you just need to use a process of elimination to whittle down the list of emails that didn’t match a profile and you can discover the private email address of the target LinkedIn user.

To prove their point Cludill and Seely discovered the email address of Mark Cuban, the owner of the Dallas Mavericks. Seely said they found success in locating the email addresses of other celebrities using the same method about nine times out of ten.

“We created several hundred possible addresses for Cuban in a few seconds, using a Microsoft Excel macro,” Seely said. “It’s just a brute-force guessing game, but 90 percent of people are going to use an email address that includes components of their real name.”

According to LinkedIn the company will be implementing a couple of changes over the next few weeks to alter the way the service handles email addresses.

Researchers at Black Hat conference demo USB’s fatal flaw

usb-flash-drive(LiveHacking.Com) – Security experts Karsten Nohl and Jakob Lell have demonstrated how any USB device can be reprogrammed and used to infect a computer without the user’s knowledge.

During a presentation at the Black Hat Security conference, and in a subsequent interview with the BBC, the duo have raised the question about the future security of USB devices.

As part of the demo, a normal looking smartphone was connected to a laptop, maybe something a friend or colleague might ask you to do so they can charge the device. But the smartphone was modified to present itself as a network card and not a USB media device. The result was that the malicious software on the phone was able to redirect traffic from legitimate web sites to shadow servers, which fake and the look and feel of the genuine sites, but are actually designed just to steal login credentials.

According to a blog entry posted by the pair, USB’s great versatility is also its Achilles heel. “Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” wrote the researchers.

The experts, who work for Security Research Labs in Germany, gave a presentation at the Black Hat conference called “BadUSB — On accessories that turn evil.” Every USB device has a micro-controller that isn’t visible to the user. It is responsible for talking with the host device (e.g. a PC) and interfacing with the actual hardware. The firmware for these microcontrollers is different on every USB device and what the micro-controller software does is different on every device. Webcams, keyboards, network interfaces, smartphones and flash drives all perform different tasks and the software is developed accordingly.

However, the team managed to reverse engineer and hack the firmware on different devices in under two months. As a result they can re-program the devices and get them to act as something they are not.

During their Black Hat presentation, a standard USB drive was inserted into a computer. Malicious code implanted on the stick tricked the PC into thinking a keyboard had been plugged in. The fake keyboard then began typing in commands – and forced the computer to download malware from the internet.

Defending against this type of attack includes tactics like code-signing of the micro-controller firmware updates or the disabling of firmware changes in hardware. However these must all be implemented by the USB device makers and isn’t something that end users can enforce.

You can download the slides from the presentation here: https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf

Oracle fixes 113 security vulnerabilities, 20 just in Java

Oracle_ai(LiveHacking.Com) – Oracle has released a mammoth set of patches to address 113 security related problems across a wide range of its products. The patch release, which Oracle refers to as a Critical Patch Update (CPU), contains 113 new security fixes for a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.

Although all of the patches from Oracle should be considered important, the set that will get the most attention are the latest patches for Java. Oracle patched 20 vulnerabilities in Java. Eight of the 20 vulnerabilities could allow a hacker to completely compromise a target client. These vulnerabilities are described as being remote exploits which don’t require authentication. In total the CPU provides fixes for 17 Java SE client vulnerabilities, 1 for a JSSE vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle also points out that Windows XP users should upgrade to a new operating system. The security advisory says that “running unsupported operating systems, particularly one as prevalent as Windows XP, create a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider.”

This CPU also includes 5 fixes for the Oracle Database, 29 new security fixes for Oracle Fusion Middleware, 5 fixes for Oracle E-Business Suite, and 3 for the Oracle Sun Systems Products Suite. According to the United States Computer Emergency Readiness Team (US-CERT), the update also include 15 patches for Oracle Virtualization products, and 10 fixes for MySQL.

“Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” wrote Eric Maurice on Oracle’s security blog.

Oracle releases Critical Patch Updates the Tuesday closest to the 17th day of January, April, July and October. The next CPU is due on 14 October 2014.

Microsoft, Adobe release security patches plus high profile domains rush to fix XSS vulnerability

(LiveHacking.Com) – The last few days have seen lots of security related activity from some of the world’s leading software vendors. Both Microsoft and Adobe have released patches for some of their key software while almost simultaneously a Google engineer has released details of an obscure cross-scripting request forgery bug that left several high profile domains scrambling to protect themselves over the weekend.

Microsoft

microsoft logoMicrosoft has released six new security bulletins, to tackle 29 different vulnerabilities in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, while the rest are either rated as Important or Moderate.

The first of the two Critical level bulletins (MS14-037) is a cumulative security update for Internet Explorer. The update fixes one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Microsoft’s web browser. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using IE. This security update is rated Critical for IE 6 through to IE 11 on Microsoft Windows desktop operating systems. For the server versions of Windows the update is rated as Moderate.

The other Critical level update (MS14-038) fixes a remote code execution vulnerability that exists because of the way that Windows Journal parses specially crafted files. The vulnerability could be exploited if a user opens a specially crafted Journal file. The fix is rated Critical for all supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2 (excluding Itanium), Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

The other bulletins release by Microsoft are:

  • MS14-039 – Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.
  • MS14-040 – Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker logs onto a system and runs a specially crafted application.
  • MS14-041 – Vulnerability in DirectShow Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user.
  • MS14-042Vulnerability in Microsoft Service Bus Could Allow Denial of Service. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system.

Adobe

adobe-logoAdobe has released security updates for Adobe Flash Player on Windows, OS X and Linux. The updates patch vulnerabilities that could potentially allow a remote attacker to take control of the affected system. The affected software versions are:

  • Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.378 and earlier versions for Linux
  • Adobe AIR 14.0.0.110 SDK and earlier versions
  • Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions
  • Adobe AIR 14.0.0.110 and earlier versions for Android

As well as fixing two, as yet undisclosed, security bypass vulnerabilities (CVE-2014-0537, CVE-2014-0539), the update also includes additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).

XSS

rosettaflash_convertAs mentioned above, the update to Adobe Flasher Player includes additional validation checks for an obscure cross-scripting request forgery bug that was disclosed by Google’s information security engineer Michele Spagnuolo over the weekend. In his blog “Abusing JSONP with Rosetta Flash,” Michele details how his tool Rosetta Flash can convert Adobe SFW files from binary to text. Attackers can then upload the “weaponised” SWF file to a domain where they will be loaded by a victim’s browser and executed by Adobe Flash Player.

Several high-profile websites were vulnerable, including most Google domains, Instagram, Tumblr and eBay. Many of these sites have worked over the weekend to protect themselves against the vulnerability.

Because of the sensitivity of this vulnerability, Spagnuolo first disclosed it internally to Google, and then privately to Adobe. He also told Twitter, eBay, Tumblr and Instagram before going public with his findings.

Apple fixes 44 security bugs in iOS

Apple-logo(LiveHacking.Com) – Apple has released a new point release of iOS 7 to address 44 different security issues with Apple’s mobile operating system. Among the patches are bug fixes for vulnerabilities in the iOS kernel, and fixes for errors in “launchd,” which could allow a malicious application to execute arbitrary code with system privileges. There are also lots of fixes for WebKit, the HTML rendering engine used by Safari.

The kernel vulnerability, which could cause an iOS device to unexpectedly restart, exists because of a null pointer de-reference in the handling of IOKit API arguments. This problem was addressed through additional validation of IOKit API arguments.

launchd has been patched quite extensively in this release. The program is responsible for starting, stopping and managing back ground processes and apps on iOS. According to Apple’s security notice for iOS 7.1.2, launchd has several different vulnerabilities including a heap buffer overflow in the handling of IPC messages, a heap buffer overflow in the handling of log messages, and some unspecified integer overflow/underflow issues. All of these could possibly allow a malicious application to execute arbitrary code with system privileges.

The WebKit HTML rendering engine was also heavily patched with 28 unique bugs being squashed. Many of the bugs were discovered either by Google’s Chrome Security Team or by renowned security researchers like “miaubiz” who were participating in Google’s Vulnerability Rewards Program for Chromium. However Apple did find several bugs on its own. In total, the discovery of 12 of the 28 vulnerabilities is attributed (or co-attributed) to Apple. The result of the “multiple memory corruption issues” in WebKit was that a user visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution.

Two other WebKit vulnerabilities were also found by Erling Ellingsen of Facebook. The first was an encoding issue that existed in the handling of unicode characters in URLs. The result was that a malicious site could send messages to a connected frame or window in a way that might circumvent the receiver’s origin check. The other problem was a spoofing issue that existed in the handling of URLs.

Another interesting issue fixed in this version of iOS was a problem with Siri and lock codes. If a Siri request referred to one of several possible contacts, Siri displayed a list of choices and the option ‘More…’ for a complete contact list. When used at the lock screen, Siri did not require the passcode before viewing the complete contact list.

iOS 7.1.2 is available now for the iPhone 4 and later, the iPod touch (5th generation) and later, and the iPad 2 and later.