September 22, 2014

Microsoft, Adobe release security patches plus high profile domains rush to fix XSS vulnerability

(LiveHacking.Com) – The last few days have seen lots of security related activity from some of the world’s leading software vendors. Both Microsoft and Adobe have released patches for some of their key software while almost simultaneously a Google engineer has released details of an obscure cross-scripting request forgery bug that left several high profile domains scrambling to protect themselves over the weekend.

Microsoft

microsoft logoMicrosoft has released six new security bulletins, to tackle 29 different vulnerabilities in Microsoft Windows and Internet Explorer. Two of these security bulletins are rated Critical, while the rest are either rated as Important or Moderate.

The first of the two Critical level bulletins (MS14-037) is a cumulative security update for Internet Explorer. The update fixes one publicly disclosed vulnerability and twenty-three privately reported vulnerabilities in Microsoft’s web browser. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using IE. This security update is rated Critical for IE 6 through to IE 11 on Microsoft Windows desktop operating systems. For the server versions of Windows the update is rated as Moderate.

The other Critical level update (MS14-038) fixes a remote code execution vulnerability that exists because of the way that Windows Journal parses specially crafted files. The vulnerability could be exploited if a user opens a specially crafted Journal file. The fix is rated Critical for all supported editions of Windows Vista, Windows Server 2008 (excluding Itanium), Windows 7, Windows Server 2008 R2 (excluding Itanium), Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

The other bulletins release by Microsoft are:

  • MS14-039 – Vulnerability in On-Screen Keyboard Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker uses a vulnerability in a low integrity process to execute the On-Screen Keyboard (OSK) and upload a specially crafted program to the target system.
  • MS14-040 – Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker logs onto a system and runs a specially crafted application.
  • MS14-041 – Vulnerability in DirectShow Could Allow Elevation of Privilege. The vulnerability could allow elevation of privilege if an attacker first exploits another vulnerability in a low integrity process and then uses this vulnerability to execute specially crafted code in the context of the logged on user.
  • MS14-042Vulnerability in Microsoft Service Bus Could Allow Denial of Service. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system.

Adobe

adobe-logoAdobe has released security updates for Adobe Flash Player on Windows, OS X and Linux. The updates patch vulnerabilities that could potentially allow a remote attacker to take control of the affected system. The affected software versions are:

  • Adobe Flash Player 14.0.0.125 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.378 and earlier versions for Linux
  • Adobe AIR 14.0.0.110 SDK and earlier versions
  • Adobe AIR 14.0.0.110 SDK & Compiler and earlier versions
  • Adobe AIR 14.0.0.110 and earlier versions for Android

As well as fixing two, as yet undisclosed, security bypass vulnerabilities (CVE-2014-0537, CVE-2014-0539), the update also includes additional validation checks to ensure that Flash Player rejects malicious content from vulnerable JSONP callback APIs (CVE-2014-4671).

XSS

rosettaflash_convertAs mentioned above, the update to Adobe Flasher Player includes additional validation checks for an obscure cross-scripting request forgery bug that was disclosed by Google’s information security engineer Michele Spagnuolo over the weekend. In his blog “Abusing JSONP with Rosetta Flash,” Michele details how his tool Rosetta Flash can convert Adobe SFW files from binary to text. Attackers can then upload the “weaponised” SWF file to a domain where they will be loaded by a victim’s browser and executed by Adobe Flash Player.

Several high-profile websites were vulnerable, including most Google domains, Instagram, Tumblr and eBay. Many of these sites have worked over the weekend to protect themselves against the vulnerability.

Because of the sensitivity of this vulnerability, Spagnuolo first disclosed it internally to Google, and then privately to Adobe. He also told Twitter, eBay, Tumblr and Instagram before going public with his findings.

phpMyAdmin Released Versing 3.4.9 to Fix XSS Vulnerabilities

(LiveHacking.Com) – phpMyAdmin’s development team has released version 3.4.9 of this open source database administration tool. This new version fixes two critical cross-site scripting (XSS) vulnerabilities in setup interface and the export panels in the server, database and table sections.

All previous versions of phpMyAdmin (3.4.x) and including version 3.4.8 are affected. It is highly recommended to upgrade to version 3.4.9 to correct these security issues.

The new fixes are:

  • bug #3442028 [edit] Inline editing enum fields with null shows no dropdown
  • bug #3442004 [interface] DB suggestion not correct for user with underscore
  • bug #3438420 [core] Magic quotes removed in PHP 5.4
  • bug #3398788 [session] No feedback when result is empty (signon auth_type)
  • bug #3384035 [display] Problems regarding ShowTooltipAliasTB
  • bug #3306875 [edit] Can’t rename a database that contains views
  • bug #3452506 [edit] Unable to move tables with triggers
  • bug #3449659 [navi] Fast filter broken with table tree
  • bug #3448485 [GUI] Firefox favicon frameset regression
  • [core] Better compatibility with mysql extension
  • [security] Self-XSS on export options (export server/database/table), see PMASA-2011-20
  • [security] Self-XSS in setup (host parameter), see PMASA-2011-19

The new versions of phpMyAdmin are available to download from the project website. phpMyAdmin is licensed under version 2 of the GNU General Public License.

Adobe Fixes Cross-site Scripting Vulnerability in Flex SDK

(LiveHacking.Com) – Adobe has published a security advisory about an “important” vulnerability in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, OS X and Linux. As a result of this vulnerability applications built with the Flex SDK could be open to cross-site scripting attacks.

Adobe are recommending that developers using Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using these instructions.

Which applications are vulnerable?

  • All web-based (not AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A, and 3.6) are vulnerable.
  • Web-based (not AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5, and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable, except in certain cases that involve the use of embedded fonts.
  • Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) will not be vulnerable, but there are rare cases in which they may be vulnerable.
  • Flex applications built using any release of Flex prior to 3.0 are not vulnerable.
  • Flex applications that are AIR-based (not web-based) are not vulnerable.
  • SWF files that were created without using Flex (such as files created in Adobe Flash Professional) are not vulnerable.

Cross-Site Scripting (XSS) Vulnerability in phpMyAdmin

phpMyAdmin is prone to a cross-site scripting vulnerability due to insufficient user-supplied data sanitization.

According to the vulnerability disclosure, an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. The attacker must entice an unsuspecting user to follow a malicious URI. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

All versions prior to phpMyAdmin 3.3.8.1 and 2.11.11.1 are vulnerable. Updates are available to fix this issue.

Critical Security Update for WordPress

Version 3.0.4 of WordPress has released. This version is available from the update page in the WordPress dashboard or for download here. This is a critical update to fixes a core security bug in WordPress HTML sanitation library, called KSES. This security issue has been discovered by Mauro Gentile and Jon Cave (duck_).

More technical information is available here.

Security Issue in Google Website Optimizer

Google has informed its users directly about a security issue in Google Website Optimizer.

Google has warned the Website Optimizer users about a vulnerability in the Website Optimizer Control Script. According to the Google email, an attacker might be able to execute malicious code on a user site using a Cross-Site Scripting (XSS) attack. This attack can only take place if a website or browser has already been compromised by a separate attack.

[Read more...]

OnMouseOver XSS plagues Twitter

A new wave of Twitter attacks which make use of an XSS vulnerability in Twitter’s web client is causing trouble for users of the micro-blogging service. The injected script code is able to read the user’s Twitter cookie and authentication data. First assessments indicate that the vulnerability can be used to create a worm that spreads automatically.

Read the full story here.

Source:[TheHSecurity]