July 24, 2014

Tor users exposed due to vulnerability in Firefox 17

Users of the popular Tor anonymity tool have been exposed to malware which can reveal the user’s IP address. According to an announcement made on a Tor mailing list, the Tor Browser Bundle is susceptible to a Firefox JavaScript vulnerability, and this vulnerability has been exploited in the wild.

Although all Tor users are potentially vulnerable, it appears that the malware exploiting the bug targets only Windows users. The vulnerability allows arbitrary code execution, and the observed attack appears to collect the hostname and MAC address of the Tor user and send them to a remote web server. According to the Tor project, “it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”

While outlining what users can do, besides upgrading to the latest version of the Tor Browser Bundle, which contains a fixed version of Firefox, the email suggested that “switching away from Windows is probably a good security move for many reasons.”

The malware used to discover the identities of the Tor users is possibly linked to the FBI: on Friday a vast number of “hidden services” disappeared from Tor, and a man from Ireland was arrested on a warrant issued by the FBI in connection with child porn charges involving alleged use of the Tor network.

According to the Electronic Frontier Foundation, which issued a statement about the attack, the Tor anonymity tool is often used by human rights activists, journalists, political dissidents and whistleblowers since it allows them to use the web anonymously and avoid different surveillance and censorship techniques.

IE lets web pages track mouse movements, bad news for virtual keyboards, great news for unscrupulous ad companies

(LiveHacking.Com) – Details have emerged about how Microsoft Internet Explorer allows web pages with JavaScript to track the whereabouts of the mouse anywhere on the screen, even outside of the currently viewed web page. The ramifications of this are twofold. First, those using a virtual keyboard as a way to avoid possible keyloggers can no longer assume that the virtual keyboard is safe. Secondly, it appears that unscrupulous ad companies have been using this flaw for a while to measure the viewability of display ads.

Spider.io, a web analytics firm, told Microsoft about the flaw in October, but Redmond has done nothing about it. The issue affects all versions of Internet Explorer from version 6 to version 10, and only since the findings were made public has Microsoft commented on the vulnerability. At the moment Microsoft has no plans to patch the flaw.

The team at Spider.io have created a game to illustrate how easy it is to exploit IE and compromise the security of virtual keyboards. The game may be found at iedataleak.spider.io. There is also a demonstration showing how the flaw can be used to track the mouse over the Skype keypad despite the fact that the Internet Explorer window is not active.

According to Doug de Jager, chief executive of Spider.io, the vulnerability is already being exploited by at least two display ad analytics companies across billions of page impressions per month.

“The vulnerability is being exploited rather mischievously by these companies to measure the viewability of display ads – arguably the hot topic in display advertising at the moment,” de Jager told the Guardian. “Almost every US-based user of Internet Explorer will have their mouse cursor tracked via this exploit almost every day they browse the web.”

Microsoft’s lack of action is a little surprising and it is Redmond’s indifference that has caused Spider.io to disclose the details of the flaw. “We are currently investigating this issue, but to date there are no reports of active exploits or customers that have been adversely affected,” Microsoft said in a statement, adding that it would take “appropriate action to protect our customers”.

Details of the vulnerability

Due to a design flaw, Internet Explorer populates the global Event object with attributes relating to mouse events even when it shouldn’t. This means that a web page can use the fireEvent() method to poll for the mouse position anywhere on the screen, at any time. The flaw allows programs such as Skype to be tracked because the fireEvent() method and the mouse positions are processed even when the page isn’t active or focused.

Another day, another Firefox release

Mozilla released version 16 of its popular web browser only a few weeks ago, and since then it has had two point releases to fix security issues. The latest release, 16.0.2, adds fixes for problems with the JavaScript location object.

Three separate issues with the JavaScript Location object were reported to Mozilla and fixed in this release:

  1. Security researcher Mariusz Mlynski reported that the true value of window.location could be shadowed by user content through the use of the valueOf method, which can be combined with some plugins to perform a cross-site scripting (XSS) attack on users.
  2. Mozilla security researcher moz_bug_r_a4 discovered that the CheckURL function in window.location can be forced to return the wrong calling document and principal, allowing a cross-site scripting (XSS) attack. There is also the possibility of gaining arbitrary code execution if the attacker can take advantage of an add-on that interacts with the page content.
  3. Security researcher Antoine Delignat-Lavaud of the PROSECCO research team at INRIA Paris reported the ability to use property injection by prototype to bypass security wrapper protections on the Location object, allowing the cross-origin reading of the Location object.

Mozilla also released a new version of its Thunderbird email client but noted that Thunderbird is only affected by the window.location issues through RSS feeds and extensions that load web content.

The latest version can be downloaded from here while the release notes for 16.0.2 are available from http://www.mozilla.org/en-US/firefox/16.0.2/releasenotes/.

Yahoo! Mail Reinforces Javascript Filters to Defend Against Cross-site Scripting Attacks

(LiveHacking.Com) – Researchers at Trend Micro discovered a potential vulnerability in Yahoo! Mail. They discovered emails sent to Yahoo! addresses that contained JavaScript in the From: field which attempted to launch a Document Object Model (DOM)-based cross-site scripting attack. Although the Trend Micro researchers were unable to replicate the attack, they contacted Yahoo!, who in response have strengthened the filters that sanitize user emails in order to protect against these kinds of JavaScript attacks.

Such attacks are not uncommon, and in the past successful webmail attacks have targeted accounts owned by journalists and political activists. Normally when an account is compromised the victim is unaware, which is exactly what the attackers want, as they can steal the messages and launch further attacks against the victim’s contacts, all without detection.

Webmail is but one example of a cloud-based service which is potentially vulnerable to outside attack. As the use of cloud-based services (including free webmail, free cloud storage space and social networking) increases, so does their attraction to attackers.

Google Warns 20,000 Webmasters About Possible JavaScript Injections on their Sites

(LiveHacking.Com) – According to Matt Cutts, Google’s friendly face, the search giant has sent emails to 20,000 webmasters warning them about possible hacker activity on their sites. The “your site might be hacked” message was sent to websites which exhibited weird redirect behavior.

The message warns webmasters that their “website’s pages may be hacked.” Specifically, Google are worried about JavaScript that hackers have injected into sites to redirect users to malicious sites. Google are advising the webmasters to check their site’s source code for any unfamiliar JavaScript, and in particular for any files containing ‘eval(function(p,a,c,k,e,r)’. The malicious code may be placed in any HTML, JavaScript or PHP file, so Google are asking admins to be thorough in their search.

The JavaScript injection is relatively complex in that the .htaccess file may also have been changed, resulting in infected sites cloaking the hack and only showing the malicious content in certain situations.
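As an added illustration of the check Google describes (this is not Google’s tool), the following Python scanner walks a web root, flags HTML, JavaScript and PHP files containing the packed-eval signature from the notice, and lists every .htaccess file so its redirect rules can be reviewed by hand. The whitespace-insensitive match and the constructed sample site are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# The string Google's notice tells webmasters to search for.
SIGNATURE = b"eval(function(p,a,c,k,e,r)"
SCAN_SUFFIXES = {".html", ".htm", ".js", ".php"}


def has_signature(path: Path) -> bool:
    """Byte-level match; whitespace is stripped first so 'function (p, a, ...' also matches."""
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return SIGNATURE in re.sub(rb"\s+", b"", data)


def scan_webroot(root) -> dict:
    """Walk the web root; return injected files and .htaccess files needing manual review."""
    root = Path(root)
    report = {"injected": [], "htaccess": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == ".htaccess":
            report["htaccess"].append(rel)   # look for added redirect / cloaking rules
        elif path.suffix.lower() in SCAN_SUFFIXES and has_signature(path):
            report["injected"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_sample_webroot() -> str:
    """Constructed sample site: one clean page, one injected script, one .htaccess."""
    root = Path(tempfile.mkdtemp())
    (root / "index.html").write_text("<html><body>clean page</body></html>")
    (root / "js").mkdir()
    (root / "js" / "footer.js").write_text(
        "eval(function (p, a, c, k, e, r) { /* placeholder, not real packed code */ })")
    (root / ".htaccess").write_text("RewriteEngine On\n")
    return str(root)


if __name__ == "__main__":
    for section, files in scan_webroot(build_sample_webroot()).items():
        print(section, files)
```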

“We encourage you to investigate this matter in order to protect your visitors. If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but also to identify and fix the vulnerability. A good first step may be to contact your web host’s technical support for assistance. It’s also important to make sure that your website’s software is up-to-date with the latest security updates and patches,” wrote Google.

Google have taken proactive action in the past to protect their users. Last year they removed web sites hosted on the .co.cc free web hosting service from their search results because such a large percentage of the sites were low-quality or set up only for spam.

Microsoft First to Patch Universal Hash Table Collision Vulnerability with Out-of-band Update

(LiveHacking.Com) – Security researchers have exposed a flaw in the way popular web programming languages (such as PHP, ASP.NET and Python) handle hash table collisions, resulting in huge CPU usage and a subsequent denial of service. The discoveries were announced yesterday (Wednesday) at the Chaos Communication Congress event in Germany. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty and Glassfish, as well as Google’s open source JavaScript engine V8.

Although hash collision denial-of-service attacks have been discussed since 2003, Alexander Klink and Julian Wälde have now shown that many programming languages use hash tables while parsing POST forms to make the form fields easily accessible to application developers. It is therefore possible for an attacker to send a small number of specially crafted POST requests to a server, causing high CPU utilization and creating a denial of service condition.

“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request” write the pair in their advisory.
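To make the O(n**2) argument in the advisory concrete, here is an added Python model (not PHP’s, ASP.NET’s or any vendor’s implementation) of a chained hash table parsing form fields. The sum-of-bytes hash, the bucket count, the constructed anagram keys and the 1000-field cap are assumptions of this example; it counts key comparisons for colliding versus non-colliding input, then shows the two defences the vendors shipped, a per-process keyed hash and a bound on accepted fields.

```python
import hashlib
import itertools
import secrets

BUCKETS = 4096
MAX_FIELDS = 1000  # assumed cap on form fields accepted per request


def weak_hash(key: bytes) -> int:
    """Unkeyed toy hash (sum of bytes): every anagram of a key collides."""
    return sum(key) % BUCKETS


def keyed_hash(key: bytes, seed: bytes) -> int:
    """Keyed hash with a per-process secret: collisions cannot be precomputed."""
    digest = hashlib.blake2b(key, key=seed, digest_size=4).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def insert_all(keys, hash_fn) -> int:
    """Insert into a chained table; return key comparisons spent on duplicate checks."""
    buckets = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = buckets[hash_fn(key)]
        comparisons += len(chain)   # every existing entry in the chain is compared
        if key not in chain:
            chain.append(key)
    return comparisons


def colliding_keys(n: int) -> list:
    """Constructed sample: n distinct anagrams, all hashing alike under weak_hash."""
    perms = itertools.permutations(b"abcdefgh")   # 40320 available
    return [bytes(p) for p in itertools.islice(perms, n)]


def parse_form(keys, seed=None):
    """Toy POST parser returning (comparisons, rejected). seed=None reproduces the
    unkeyed behaviour the advisory describes; a seed models the randomised fix."""
    if len(keys) > MAX_FIELDS:
        return 0, True            # second defence: bound the work one request can cause
    hash_fn = weak_hash if seed is None else (lambda k: keyed_hash(k, seed))
    return insert_all(keys, hash_fn), False


if __name__ == "__main__":
    keys = colliding_keys(500)
    print("unkeyed, 500 colliding fields:", parse_form(keys)[0])   # 124750 = 500*499/2
    print("keyed, same fields:", parse_form(keys, secrets.token_bytes(16))[0])
    print("1001 fields rejected:", parse_form(colliding_keys(1001))[1])
```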

Microsoft have been one of the first to respond to this issue with several announcements, including Security Advisory 2659883 and an advance notification for an out-of-band security update to address the issue. The release is scheduled for today, December 29, at approximately 10 a.m. PST.

According to Microsoft’s security advisory, this vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 and 110 seconds. The .NET Framework is vulnerable from version 1.0 right through to version 4.0.

Microsoft are rating this out-of-band bulletin as “Critical” and it is likely they will release updates for:

  • Microsoft .NET Framework 1.0 Service Pack 3 (Media Center Edition 2005 and Tablet PC Edition 2005 only)
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4

These cover Windows XP, Server 2003, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 across Intel 32-bit, Intel 64-bit and Itanium where applicable.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the Ruby 1.8.7 patchlevel 357 release notes.

More information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#903934 and n.runs Security Advisory n.runs-SA-2011.004.

Google Releases Chrome 15.0.874.121

(LiveHacking.Com) - Google is continuing with its fast-paced development of the Chrome web browser, not only with the major point releases but also with bug and security fixes to the current stable version. To this end it has just released Chrome 15.0.874.121 for Windows, Mac and Linux. The new version updates the V8 JavaScript engine (to 3.5.10.24) and fixes an SVG regression bug that appeared in the last release.

However, most importantly, this release also fixes a “High” risk security bug in the V8 JavaScript engine which resulted in an out-of-bounds write. Such memory errors are a potential foothold for hackers to run arbitrary code in the browser and so install malware on a PC.

Christian Holler was rewarded $1000 for finding this V8 error under Google’s Chromium Security reward scheme.

Has Skype for iOS Vulnerability Been Fixed?

(LiveHacking.Com) - A new version of Skype (3.5.84) for the iPhone and iPad appeared in the App Store yesterday with lots of new features, like Bluetooth support and image stabilization. But the “What’s New” section also mentions “Bugfix for security vulnerability.” Currently Skype are keeping quiet about exactly which “security vulnerability” has been fixed; however, it is most likely to be the cross-site scripting vulnerability found in the “Chat Message” window which could allow an attacker to download a copy of the phone’s address book.

The vulnerability, which was found last week, can be exploited by simply sending a specially crafted chat message to a Skype user. Skype uses a locally stored HTML file to display chat messages from other users; however, it doesn’t properly encode the incoming user’s “Full Name”. The result is that an attacker can create malicious JavaScript code that runs when the victim views the message.

Skype has published a blog post about the new iOS version in which it explains the new anti-shake feature and the support for Bluetooth; however, it mentions nothing about the security fix.

It is recommended that every iPhone/iPad Skype user updates to this new version, but it is also worth noting that there have been reports of problems with the new version, including 1) Skype Credit not showing, 2) contacts slow to sync and 3) account settings (e.g. photo, name, profile) not appearing.

To remedy these, Skype suggest deleting your Skype app and starting a new installation from scratch. To delete the app, press and hold the app icon on your iPhone and click the ‘X’. To re-install, return to the App Store and install.

Skype Code Injection Vulnerability

(LiveHacking.Com) - Noptrix.net has published details of a new Skype HTML/JavaScript code injection vulnerability. Affecting Skype versions <= 5.5.0.113 on Windows (XP, Vista, 7), the advisory describes a persistent code injection vulnerability due to a lack of input validation and output sanitization of the home, office and mobile profile entries.

Using this vulnerability an attacker could inject HTML/JavaScript code. Noptrix.net has not verified whether it’s possible to hijack cookies or to attack the underlying operating system.
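Both Skype reports above come down to the same rendering mistake: profile fields supplied by another user (the “Full Name” in the iOS chat view, the home/office/mobile entries on Windows) are written into a locally rendered HTML view without output encoding. The following Python example is added here and is not Skype’s code; the template, the sample sender and its fields are constructed for illustration, and it shows the vulnerable form beside the hardened one, including the attribute-context caveat that `html.escape(..., quote=True)` addresses.

```python
import html

# Constructed local chat template: a profile field lands in an attribute (title)
# and another in element content, the two contexts that need different escaping.
TEMPLATE = ('<div class="msg"><span class="from" title="{mobile}">{name}</span>: '
            '{text}</div>')

# Constructed sample sender whose profile fields carry markup instead of a name.
SENDER = {
    "name": "Eve <script>document.title='injected'</script>",
    "mobile": '" onmouseover="document.title=\'injected\'',
}


def render_unsafe(sender: dict, text: str) -> str:
    """Vulnerable form: untrusted profile fields dropped into the template verbatim,
    so the browser parses them as markup and script."""
    return TEMPLATE.format(name=sender["name"], mobile=sender["mobile"], text=text)


def render_safe(sender: dict, text: str) -> str:
    """Hardened form: every untrusted value is HTML-encoded before interpolation.
    quote=True also encodes the double quote that would otherwise break out of
    the title attribute in the mobile field."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)

    return TEMPLATE.format(name=esc(sender["name"]), mobile=esc(sender["mobile"]),
                           text=esc(text))


def untrusted_markup_present(rendered: str) -> bool:
    """Crude check used by the tests: did a tag or an attribute break-out survive?"""
    return "<script" in rendered or '" onmouseover' in rendered


if __name__ == "__main__":
    print("unsafe:", render_unsafe(SENDER, "hello"))
    print("safe:  ", render_safe(SENDER, "hello"))
```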