November 21, 2014

Microsoft fixes Windows Live identity theft flaw

(LiveHacking.Com) – Microsoft has fixed a recently discovered vulnerability in Microsoft’s Windows Live service that allowed an attacker to steal victims’ online identities. Abdeljalil S’hit and Yasser Aboukir reported the flaw to Microsoft after they discovered that, by using Cross-Site Scripting (XSS), they could execute a malicious script. To exploit the vulnerability the attacker needed to create an error on the Windows Live login page, which (due to the XSS problem) would then execute the malicious script.

As a result of the flaw an attacker could impersonate a Windows Live user by gaining full control of the victim’s cookies. Combined with social engineering, this technique could be used to steal a victim’s Windows Live identity. The researchers were asked by the Microsoft Security Research Center to not disclose the flaw while it looked into a fix. The pair duly kept quiet and Microsoft did come up with a fix, but it took three months!

“We have created a code change to address the issue and are now testing the changes,” a Microsoft spokesperson told the duo according to ZDNet. “Because changes to the site may affect a large number of users the testing requirements prior to production release are lengthy. Based on the testing schedule and barring any significant regressions the team expects to release an update into production in early May.”

Abdeljalil S’hit and Yasser Aboukir are to be applauded for the way they disclosed the issue, but questions remain over Microsoft’s delay in addressing the problem. To Microsoft’s credit, however, it did feature the pair on its list of June 2012 Security Researchers for their proper disclosure.


Maintenance and Security Update for WordPress

(LiveHacking.com) – The WordPress team has released WordPress 3.4.1 to fix an important information disclosure vulnerability, in addition to Cross-Site Scripting (XSS) and privilege escalation vulnerabilities.

According to the WordPress blog, this release also addresses 18 bugs with version 3.4, including:

  • Fixes an issue where a theme’s page templates were sometimes not detected.
  • Addresses problems with some category permalink structures.
  • Better handling for plugins or themes loading JavaScript incorrectly.
  • Adds early support for uploading images on iOS 6 devices.
  • Allows for a technique commonly used by plugins to detect a network-wide activation.
  • Better compatibility with servers running certain versions of PHP (5.2.4, 5.4) or with uncommon setups (safe mode, open_basedir), which had caused warnings or in some cases prevented emails from being sent.

WordPress 3.4.1 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

Security Update for WordPress 3.3

(LiveHacking.Com) – The WordPress team has released WordPress 3.3.2 to fix 6 security vulnerabilities including two cross-site scripting vulnerabilities and a privilege escalation. The fixed vulnerabilities come in two distinct parts. First, three external libraries included in WordPress received security updates and second, the WordPress core security team have fixed three further vulnerabilities.

The external libraries are all connected with the way WordPress uploads files. Plupload, which WordPress currently uses for uploading media, has been updated to version 1.5.4. Plupload, which gives WordPress the ability to upload files using HTML5, Gears, Silverlight, Flash, BrowserPlus or normal forms, changed the way the Flash part of the library worked to avoid CSRF issues.

Two other Flash-related libraries were also updated: SWFUpload, which WordPress previously used for uploading media and which may still be in use by plugins, and SWFObject, which WordPress previously used to embed Flash content and which may still be in use by plugins and themes.

The other three vulnerabilities, which the WordPress core security team fixed, are:

  • Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
  • Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
  • Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

WordPress 3.3.2 can be downloaded from here or you can update from the Dashboard → Updates menu in your site’s admin area.

New Version of Opera Released to Fix Cross-site Scripting Vulnerability

(LiveHacking.Com) – Opera 11.61 has been released and it is recommended that all users upgrade to the latest version to benefit from the security and stability changes. With regards to security, Opera 11.61 fixes two security issues:

  • An issue where manipulation of framed content can allow cross-site scripting.
  • An issue where script events could be used to reveal the presence of local files.

The cross-site scripting issue is the worse of the two and has been given a “High” vulnerability rating. According to the advisory, “pages from unrelated sites should not be able to interact with the contents of each other – known as the same-origin policy. Certain manipulations of framed content, made before loading a target site in a frame, can cause Opera not to correctly apply this restriction. This allows malicious sites to perform cross-site scripting attacks against arbitrary target sites, executing scripts in the context of that target site.”

The other fix, which has a “Low” rating, addresses an issue where remote web pages could detect what types of files a user has on their local machine. The advisory reports that “certain types of HTML elements may behave differently when they attempt to reference local files that exist. The attempt to load the local file will be blocked, but different JavaScript events may fire, allowing the presence of the local file to be detected. The contents of the local file will not be exposed, and the attacker will need to be able to guess the path to the local file in order to check for its existence.”

Other non-security related changes include an update to the default Speed Dials as well as fixes for the built-in email client along with stability (crashing) fixes. More details about the update can be found in the Windows, Mac and UNIX change logs. Opera 11.61 is available to download now.

WordPress 3.3 Patched to Fix Cross-Site Scripting Vulnerability

(LiveHacking.Com) – WordPress 3.3.1 has been released to fix a Cross-Site Scripting (XSS) vulnerability discovered by security researchers Aditya Modha & Samir Shah. As well as fixing the XSS problem, 3.3.1 fixes 15 issues with WordPress 3.3. Once the vulnerability was made public other researchers tried to test the vulnerability but without success. It transpires that if WordPress is installed using an IP address the vulnerability is exploitable. If, however, like many people, WordPress is installed via a domain name, the site isn’t vulnerable. This is because of some logic in the WordPress codebase which treats URLs differently depending on whether WP_SITEURL is set or unset.

The WordPress team mentioned thanks to Joshua H., Hoang T., Stefan Zimmerman, Chris K. and the Go Daddy security team for responsibly disclosing the bug to the WordPress security team.

WordPress 3.3.1 can be downloaded from here or use Dashboard → Updates in your site admin.

phpMyAdmin Releases Version 3.4.9 to Fix XSS Vulnerabilities

(LiveHacking.Com) – phpMyAdmin’s development team has released version 3.4.9 of this open source database administration tool. This new version fixes two critical cross-site scripting (XSS) vulnerabilities in the setup interface and in the export panels of the server, database and table sections.

All previous 3.4.x versions of phpMyAdmin, up to and including version 3.4.8, are affected. It is highly recommended to upgrade to version 3.4.9 to correct these security issues.

The new fixes are:

  • bug #3442028 [edit] Inline editing enum fields with null shows no dropdown
  • bug #3442004 [interface] DB suggestion not correct for user with underscore
  • bug #3438420 [core] Magic quotes removed in PHP 5.4
  • bug #3398788 [session] No feedback when result is empty (signon auth_type)
  • bug #3384035 [display] Problems regarding ShowTooltipAliasTB
  • bug #3306875 [edit] Can’t rename a database that contains views
  • bug #3452506 [edit] Unable to move tables with triggers
  • bug #3449659 [navi] Fast filter broken with table tree
  • bug #3448485 [GUI] Firefox favicon frameset regression
  • [core] Better compatibility with mysql extension
  • [security] Self-XSS on export options (export server/database/table), see PMASA-2011-20
  • [security] Self-XSS in setup (host parameter), see PMASA-2011-19

The new versions of phpMyAdmin are available to download from the project website. phpMyAdmin is licensed under version 2 of the GNU General Public License.

Adobe Fixes Cross-site Scripting Vulnerability in Flex SDK

(LiveHacking.Com) – Adobe has published a security advisory about an “important” vulnerability in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on Windows, OS X and Linux. As a result of this vulnerability, applications built with the Flex SDK could be open to cross-site scripting attacks.

Adobe are recommending that developers using Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using these instructions.

Which applications are vulnerable?

  • All web-based (not AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A, and 3.6) are vulnerable.
  • Web-based (not AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5, and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable, except in certain cases that involve the use of embedded fonts.
  • Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) will not be vulnerable, but there are rare cases in which they may be vulnerable.
  • Flex applications built using any release of Flex prior to 3.0 are not vulnerable.
  • Flex applications that are AIR-based (not web-based) are not vulnerable.
  • SWF files that were created without using Flex (such as files created in Adobe Flash Professional) are not vulnerable.

Ruby on Rails Updated to Fix XSS Vulnerability

(LiveHacking.Com) – The open source web framework Ruby on Rails has been updated to fix a cross-site scripting vulnerability in the translate helper method.

The vulnerability, which could allow an attacker to insert arbitrary code into a page, affects versions 3.0.0 and later as well as version 2.3.X in combination with the rails_xss plugin. It has been fixed in version 3.0.11 and version 3.1.2.

The bug in the translate helper method meant that when using interpolation in combination with HTML-safe translations, the interpolated input would not get HTML escaped.

The release notes give the following example. Before:

translate('foo_html', :something => '<script>') # => "...<script>..."

After:

translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."

Shortly after the release of 3.1.2, the Ruby on Rails team released 3.1.3 to fix a number of regressions that found their way into 3.1.2, including a fix to the translate helper with an HTML translation which uses the :count option for pluralization.
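To show why the before/after output above differs, here is an added, self-contained Ruby model of the helper (not Rails’ own code): a translation whose key ends in `_html` is trusted markup, so the vulnerable version drops interpolated values in verbatim, while the fixed version escapes each value before substitution unless the caller explicitly marked it safe. The translation table, the `SafeString` marker class and both function names are assumptions made for this example.

```ruby
require 'cgi'

# Constructed translation table standing in for a Rails locale file.
# Keys ending in _html are treated as trusted markup, as the Rails helper does.
TRANSLATIONS = {
  'foo_html' => 'Hello <b>%{something}</b>, welcome back',
  'foo'      => 'Hello %{something}',
}.freeze

# Minimal stand-in for Rails' html_safe marking: a String subclass that the
# helpers treat as already-escaped markup (assumption for this example).
class SafeString < String; end

def html_escape(value)
  CGI.escapeHTML(value.to_s)
end

# Pre-fix behaviour: the whole _html translation is marked safe after
# interpolation, so untrusted values like '<script>' land in the page unescaped.
# Non-_html keys return a plain String, which the view layer escapes on output.
def translate_vulnerable(key, interpolations = {})
  template = TRANSLATIONS.fetch(key)
  result = template.gsub(/%\{(\w+)\}/) { interpolations.fetch($1.to_sym).to_s }
  key.end_with?('_html') ? SafeString.new(result) : result
end

# Fixed behaviour (as in 3.0.11 / 3.1.2): every interpolated value is escaped
# before it is substituted into the trusted template, unless the caller passed
# a value already marked safe.
def translate_fixed(key, interpolations = {})
  template = TRANSLATIONS.fetch(key)
  result = template.gsub(/%\{(\w+)\}/) do
    value = interpolations.fetch($1.to_sym)
    value.is_a?(SafeString) ? value : html_escape(value)
  end
  key.end_with?('_html') ? SafeString.new(result) : result
end

if __FILE__ == $PROGRAM_NAME
  puts translate_vulnerable('foo_html', something: '<script>')
  puts translate_fixed('foo_html', something: '<script>')
end
```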

Skype for iOS Vulnerability Allows Attacker to Steal Address Book Just By Sending a Chat Message

(LiveHacking.Com) – A Cross-Site Scripting vulnerability has been found in the “Chat Message” window of Skype for iOS. The vulnerability can be exploited by simply sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users, but it doesn’t properly encode the incoming user’s “Full Name”. The result is that an attacker can create malicious JavaScript code that runs when the victim views the message.

Because of the way Skype uses the built-in WebKit browser, any JavaScript run via the Chat Message exploit can access the local user file system. Access to files on iOS devices is restricted by the underlying operating system, but every iOS application has access to the user’s address book. This has allowed Phil Purviance to create a proof-of-concept injection and attack that downloads a user’s address book to a remote server just by sending a Skype Chat Message.

Phil told Skype about the issue almost a month ago and was told that an update would be released early this month.

Skype says it is aware of the security issue, and has issued the following statement:

“We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense internet security as always.”

Phil also created a video showing the exploit in action:

phpMyAdmin 3.4.4 and 3.3.10.4 Fix XSS Vulnerability

(LiveHacking.Com) – Norman Hippert from The-Wildcat.de has discovered a vulnerability in phpMyAdmin, the open source database administration tool. As a result the phpMyAdmin developers have announced the release of versions 3.4.4 and 3.3.10.4. These new versions close the hole, discovered by Norman, in the Tracking feature that can lead to multiple cross-site scripting (XSS) vulnerabilities.

The vulnerability exists due to improper sanitisation of input passed as table, column and index names. Although an attacker must be logged into phpMyAdmin to exploit this vulnerability, the development team nevertheless “consider this vulnerability to be serious.”

phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Further information about the updates can be found in the 3.4.4 and 3.3.10.4 release announcements and in the project’s security advisories.