Security Weekly News 11 March 2011 – Full List

Category Index

Hacking Incidents / Cybercrime

 
Backup tapes stolen from employee's car contained unencrypted data
The Cord Blood Registry earlier this week began notifying some 300,000 registrants that their personal data might be at risk.
According to a Feb. 14 disclosure letter (PDF) from the CBR, members of the registry could be in danger of identity theft.
The letter does not say how the breach occurred, but a report on the Office of Inadequate Security website indicates that the breach was the result of the theft of data backup tapes from an employee's car.
 
François Baroin confirms the cyber attacks on his ministry in an interview with radio station Europe 1. The French Budget Minister, François Baroin, has confirmed a report by Paris Match magazine which said that his ministry fell victim to a cyber attack in December 2010. During the attack, 150 PCs were reportedly infected with spyware. The as yet unknown attackers appear to have targeted documents in connection with the French G20 presidency. The report said that although no official traces have been confirmed, there is evidence that the documents found their way to the unknown attackers via Chinese computers.
 
Spammers love to use hidden Facebook 'Like' buttons to spread their spam quickly, a technique called Likejacking. Recently, I was forwarded a few German Likejacking pages:

Software Updates

 
Overview of the March 2011 Microsoft Patches and their status.
 
Service Location Protocol daemon (SLPD) denial of service issue and
ESX 4.0 Service Console OS (COS) updates for bind, pam, and rpm.
 
Firefox v.3.6.15, released  [www.mozilla.com]
Check out what's new, the known issues and frequently asked questions about the latest version of Firefox. As always, you're encouraged to tell us what you think, either using this feedback form or by filing a bug in Bugzilla.
 
Chrome Stable Release  [googlechromereleases.blogspot.com]
The Google Chrome team is excited to announce the arrival of Chrome 10.0.648.127 to the Stable Channel for Windows, Mac, Linux, and Chrome Frame. Chrome 10 contains some really great improvements including:
New version of V8 – Crankshaft – which greatly improves javascript performance
New settings pages that open in a tab, rather than a dialog box
Improved security with malware reporting and disabling outdated plugins by default
Sandboxed Adobe Flash on Windows
Password sync as part of Chrome Sync now enabled by default
GPU Accelerated Video
Background WebApps
webNavigation extension API (experimental but ready for testing)
 
Apple released a new version of iOS for iPhone, iPad and iPod Touch devices. Besides some new features that are being introduced with this release of iOS, Apple also patched a number of security vulnerabilities.
You can see the whole list at http://support.apple.com/kb/HT4564 – some of these are really low risk but if you scroll down to Webkit fixes, you can see that Apple patched 49 (!!!) security vulnerabilities that, according to Apple "may lead to an unexpected application termination or arbitrary code execution" (in other words: having your device pwned).
 
About Safari 5.0.4  [support.apple.com]
Safari 5.0.4 for Mac
This update contains improvements to stability, compatibility, accessibility and security, including the following:
Improved stability for webpages with multiple instances of plug-in content
Improved compatibility with webpages with image reflections and transition effects
 
Java for Mac OS X 10.6 Update 4  [support.apple.com]
Available for: Mac OS X v10.6.6, Mac OS X Server v10.6.6
Impact: Multiple vulnerabilities in Java 1.6.0_22
Description: Multiple vulnerabilities exist in Java 1.6.0_22, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_24
 
Java for Mac OS X 10.5 Update 9  [support.apple.com]
Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
Impact: Multiple vulnerabilities in Java 1.6.0_22
Description: Multiple vulnerabilities exist in Java 1.6.0_22, the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating to Java version 1.6.0_24
 
The Subversion developers have released version 1.6.16 which includes, in addition to a selection of bug fixes and stability enhancements, a fix that prevents the exploitation of a remotely triggerable denial of service. The DoS problem affects Subversion servers up to and including version 1.5.9 and 1.6.15. They are vulnerable to a null pointer being dereferenced when an unauthenticated user attempts to lock a file.
 
Thunderbird v.3.1.9, released  [www.mozillamessaging.com]
Check out what's new, the known issues and frequently asked questions about the latest version of Thunderbird. As always, you're encouraged to tell us what you think, either using this feedback form or by filing a bug in Bugzilla.

Business Case for Security

 
Average site is exposed about 270 days of the year, according to report
The average website has serious vulnerabilities more than nine months of the year, according to a new report issued yesterday.
According to a study issued by researchers at WhiteHat Security, the average site is exposed about 270 days of the year. 'Information Leakage' has replaced cross-site scripting (XSS) as the most common website vulnerability, the report says.
The report examined data from more than 3,000 websites across 400 organizations that are continually tested for vulnerabilities by WhiteHat Security's Sentinel service. The study offers a look at sites' 'Window of Exposure,' which measures not only the vulnerabilities found in sites, but the length of time it takes those vulnerabilities to be remediated.
 
IT and security professionals routinely use USBs, smartphones, and tablets to move and back up confidential files, yet their organizations haven't made changes in the wake of the WikiLeaks leaks
Maybe the massive disclosure of diplomatic memos from the U.S. State Department by WikiLeaks didn't serve as much of a cautionary tale for preventing the leak of sensitive data after all: Most IT and security professionals say they use USBs, smartphones, and tablets to move and back up confidential files, and 65 percent say they don't have a handle on what files and data leave the enterprise, a new survey says.

Web Technologies

 
Nir Goldshlager Web Security Blog  [www.nirgoldshlager.com]
Gaining Administrative Privileges on any Blogger.com Account, 1337$ (Google Reward Program)
Hi,
This is my first post in my blog and also my first post regarding my security vulnerability findings in the Google Reward Program.
In the last 2 months, I participated in the Google reward program and found some High and Serious vulnerabilities.
 
OWASP AntiSamy v.1.4.4 Released  [security-sh3ll.blogspot.com]
The OWASP AntiSamy project is an API for safely allowing users to supply their own HTML and CSS without exposure to XSS vulnerabilities.
The biggest move of this release is to officially change the default parser/serializer from the DOM engine to the SAX engine. We've had two engines for the past few versions, but maintaining two engines concurrently is kinda crazy. The SAX version is twice as fast and much better on memory. Even though all of our test cases pass for both engines, I still anticipate some growing pains in the SAX version, which is why I think most critical applications should stick to 1.4.3 for now.
 
JavaScript sorting algorithms  [www.sorting-algorithms.com]
 
How I Almost Won Pwn2Own via XSS  [jon.oberheide.org]
No, seriously.
The good: Google has patched a serious vulnerability I discovered in the Android web market.
The bad: Since the Android web market was launched earlier this year, it was possible to remotely install arbitrary applications with arbitrary permissions onto a victim's phone simply by tricking them into clicking a malicious link (either on their desktop OR phone). The exploit works universally across all Android devices, versions, and architectures.
 
This article briefly introduces an emerging open-protocol technology, OAuth, and presents scenarios and examples of how insecure implementations of OAuth can be abused maliciously. We examine the characteristics of some of these attack vectors, and discuss ideas on countermeasures against possible attacks on users or applications that have implemented this protocol.
An Introduction to the Protocol
OAuth is an emerging authorization standard that is being adopted by a growing number of sites such as Twitter, Facebook, Google, Yahoo!, Netflix, Flickr, and several other Resource Providers and social networking sites. It is an open-web specification for organizations to access protected resources on each other's web sites. This is achieved by allowing users to grant a third-party application access to their protected content without having to provide that application with their credentials.
 
Spot the Vuln – Flag  [software-security.sans.org]
 
 
Vulnerabilities in implementations of the STARTTLS protocol for establishing an encrypted TLS connection could allow commands to be injected into a connection. According to a description by the discoverer of the problem, Postfix developer Wietse Venema, the key point is that commands are injected into the connection before it has been secured/encrypted, but are only executed once the secure connection has been established.
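The following is an added example, not code from the original page or from Postfix: a small model of the STARTTLS plaintext injection described above, with a constructed pipelined input. TLS is only simulated by a flag; the point is what happens to bytes the server has already read from the socket when it accepts STARTTLS, and how discarding that unread plaintext at the handshake closes the gap.

```python
# Added example (not from the page or from Postfix): minimal model of the
# STARTTLS plaintext-injection flaw and its remedy.  "TLS" is simulated by a
# flag; what matters is the server's input buffer across the handshake.

from dataclasses import dataclass, field


@dataclass
class Session:
    buffer: bytes = b""       # bytes received but not yet consumed as commands
    tls: bool = False         # True once the (simulated) TLS handshake completes
    executed: list = field(default_factory=list)  # (command, executed_under_tls)


def next_line(sess: Session):
    """Pop one CRLF-terminated line from the session buffer, or None."""
    line, sep, rest = sess.buffer.partition(b"\r\n")
    if not sep:
        return None
    sess.buffer = rest
    return line.decode("ascii", errors="replace")


def run_server(plaintext_segment: bytes, tls_segment: bytes, flush_on_starttls: bool):
    """Process one plaintext segment, then one segment that arrives over TLS.

    flush_on_starttls=False reproduces the flaw: whatever was pipelined after
    STARTTLS in the same plaintext segment survives the handshake and is
    executed as though it had arrived over TLS.  flush_on_starttls=True is
    the remedy: discard unread plaintext at the moment STARTTLS is accepted.
    """
    sess = Session(buffer=plaintext_segment)
    while (line := next_line(sess)) is not None:
        if line.upper() == "STARTTLS" and not sess.tls:
            sess.executed.append((line, False))
            if flush_on_starttls:
                sess.buffer = b""        # drop pipelined plaintext
            sess.tls = True              # handshake "completes"
            sess.buffer += tls_segment   # data the real client sends over TLS
            continue
        sess.executed.append((line, sess.tls))
    return sess.executed


# Constructed sample traffic: attacker-controlled plaintext pipelines a
# command behind STARTTLS; the legitimate client then speaks over TLS.
PLAINTEXT = b"EHLO mitm.example\r\nSTARTTLS\r\nMAIL FROM:<injected@example.com>\r\n"
OVER_TLS = b"EHLO client.example\r\n"


def vulnerable_trace():
    return run_server(PLAINTEXT, OVER_TLS, flush_on_starttls=False)


def fixed_trace():
    return run_server(PLAINTEXT, OVER_TLS, flush_on_starttls=True)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_trace())
    print("fixed:     ", fixed_trace())
```

In the vulnerable trace the injected MAIL FROM is executed with the TLS flag set, which is exactly the property a server-side log review should treat as impossible for a well-behaved client.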
 
Hacking crappy password resets (part 1)  [www.skullsecurity.org]
This is part one of a two-part blog on password resets. For anybody who saw my talk (or watched the video) from Winnipeg Code Camp, some of this will be old news (but hopefully still interesting!)
For this first part, I'm going to take a closer look at some very common (and very flawed) code that I've seen in on a major "snippit" site and contained in at least 5-6 different applications (out of 20 or so that I reviewed). The second blog will focus on a single application that does something much worse.
 
Multi-browser heap address leak in XSLT  [scarybeastsecurity.blogspot.com]
It's not often that I find a bug that affects multiple different codebases in the same way, but here is an interesting info-leak bug that is currently unpatched in Firefox, Internet Explorer and Safari.

Network Security

 
Using three different vulnerabilities and clever exploitation techniques, Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) machine running Internet Explorer 8 to win this year's CanSecWest hacker challenge.
Fewer, a Metasploit developer who specializes in writing Windows exploits, used two different zero-day bugs in IE to get reliable code execution and then chained a third vulnerability to jump out of the IE Protected Mode sandbox.
The attack successfully bypassed DEP (data execution prevention) and ASLR (address space layout randomization), two key protection mechanisms built into the newest versions of Windows.
 
"Botnets: Measurement, Detection, Disinfection and Defence" is a comprehensive report on how to assess botnet threats and how to neutralise them. It is survey and analysis of methods for measuring botnet size and how best to assess the threat posed by botnets to different stakeholders. It includes a comprehensive set of 25 different types of best-practices to measure, detect and defend against botnets from all angles. The countermeasures are divided into 3 main areas: neutralising existing botnets, preventing new infections and minimising the profitability of cybercrime using botnets. The recommendations cover legal, policy and technical aspects of the fight against botnets and give targeted recommendations for different groups.
 
FCS v1 March 2011 update  [blogs.technet.com]
We have received reports that in some cases the FCS update fails to install correctly. We are reviewing these reports now, and will update this blog when we have details we can share. If you are a WSUS administrator you may want to hold off approving this update for the moment.
 
MultiRelay was the main script I presented last week at RootedCON.
The script relies on two other scripts I wrote to perform the network discovery and scanning we discussed yesterday, and once it knows the services on the network it maps them.
First, it creates virtual interfaces on the machine running Metasploit (the attacker) that correspond to the IPs discovered on the compromised machine's internal network.
 
The best option is to stop the packets from reaching you in the first place, as far away from your environment as possible, especially if link saturation is the problem. This will likely need the cooperation of your ISP; you will find some are more willing to help you deal with an attack than others.
If you manage to identify a particular characteristic of the packets being sent, then you might be able to get a firewall, router, IDS, or IPS to deal with the traffic. These types of devices will be better at coping with this than your web or mail server. Check your firewalls; many have the capability to drop traffic based on certain thresholds or characteristics and they may be enough to
 
Rafael Dominguez Vega of MRW InfoSecurity has reported a bug in the Caiaq USB driver which could be used to gain control of a Linux system via a USB device.
The bug is caused by the device name being copied into a memory area with a size of 80 bytes using strcpy() without its length being tested. A crafted device with a long device name could thus write beyond the limits of this buffer, allowing it to inject and execute code.

Database Security

 
As in the previous blog post, we'll talk about methods which need only non-privileged rights, because there are already too many ways to do SMB Relay with privileged accounts; much depends on the current situation and our rights.
Intro
Our next target is Oracle. Oracle is one of the most widespread RDBMSs and many enterprises use it as a backend. We can find versions from 8i to 11g in real life, and the following information applies to each of them.
Runs as…
The Oracle server service runs as 'System' by default. But as with MS SQL, it very often happens that the service runs as a domain/local user account for various reasons, for example when it is used as the backend for SAP and other ERP systems.

Mobile Security

 
Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.
Miller, renowned for his work breaking into MacBook machines with Safari vulnerabilities and exploits, took aim at Apple's iPhone device here, using a MobileSafari flaw to swipe the phone's address book.
 
Research in Motion's recent decision to add a WebKit browser to BlackBerry has immediately backfired.
A trio of security researchers used the spotlight of the CanSecWest Pwn2Own contest here to exploit multiple WebKit vulnerabilities in an impressive drive-by-download attack against a BlackBerry Torch 9800 smart phone.
 
On March 6, 2011, Google published the application "Android Market Security Tool", a tool designed to undo the side effects caused by Android.Rootcager. This application was automatically pushed to devices of users who had downloaded and installed infected applications.
Symantec has identified suspicious code within a repackaged version of the "Android Market Security Tool". This package was found on an unregulated third-party Chinese marketplace. This threat seems to be able to send SMS messages if instructed by a command-and-control server located at the following address:
 
If you paid attention to the news this week, you'll know that there were a bunch of Android apps pulled from the Android Market because they contained malware. There were over 50 infected applications – these apps were copies of 'legitimate' apps from legitimate publishers that were modified to include two root exploits and a rogue application downloader. This isn't the first example of malware on Android, but it may be the first to affect Google's own Android Market – other malware samples have been seen on third party app markets. This new malware has been referred to as DroidDream, RootCager, and myournet by various researchers and media outlets.
So how does this malware work? First of all, we can start with the basics of how Android apps work. Android applications are mostly written in Java and use XML files for configuration.
 
According to the blog, Google will initiate its remote-removal process by pushing the installation of a new app called "Android Market Security Tool March 2011." We've had a look at this app, and it does not fix the vulnerability, it simply removes the applications known to be malicious. Google further promises changes to the market to deal with this type of issue and claims to be "working with our partners to provide the fix for the underlying security issues."

Physical Security

 
Clever hounds  [www.economist.com]
In the early 20th century, a horse named Clever Hans was believed capable of counting and other impressive mental tasks. After years of great performance, psychologists put the ruse to rest by demonstrating that though Hans was certainly clever, he was not clever in the way that everyone expected. The horse was cunningly picking up on tiny, unintentional bodily and facial cues given out not only by his trainer, but also by the audience. Aware of the "Clever Hans" effect, Lisa Lit at the University of California, Davis, and her colleagues, wondered whether the beliefs of professional dog handlers might similarly affect the outcomes of searches for drugs and explosives. Remarkably, Dr Lit found, they do.
 
10-Year-Old Cars Only Need Bill Of Sale, ID To Be Towed
Stealing cars has apparently never been easier. Criminals aren't using fancy tools or new technology; they're just calling the tow truck and having cars towed away.
They weren't asked for proof they owned the car.
The law does little to protect a car's owner when the vehicle is at least 10 years old. Thieves can call in a wrecker service and have it towed right out of an owner's yard; they don't even need a title.

Tools

 
Metasploit Framework 3.6.0 Released!  [blog.metasploit.com]
In coordination with Metasploit Express and Metasploit Pro, version 3.6 of the Metasploit Framework is now available. Hot on the heels of 3.5.2, this release comes with 8 new exploits and 12 new auxiliaries. A whopping 10 of those new auxiliary modules are Chris John Riley's foray into SAP, giving you the ability to extract a range of information from servers' management consoles via the SOAP interface. This release fixes an annoying installer bug on Linux where Postgres would not automatically start on reboot.
 
BeEF 0.4.2.3-alpha  [code.google.com]
 
– Fixed race condition importing manual list of hosts (sometimes the file would get deleted). Grr.
– Added a lock to prevent multiple Armitage clients from trying to determine what OS a box has. This should help in CTF situations.

Funny

 
Offensive Security … Try harder  [www.offensive-security.com]
 
Another problem solved  [www.nakedpassword.com]
 
If you don't want spam-bots or bad guys breaking into your site, make them do calculus.
That's the approach the folks at Croatia's Ruder Boškovic Institute are taking. Before you can log in to the research institute's Quantum Random Bit Generator service, you have to enter your name, password and affiliated organization, and then solve a math problem that would make most people run for the hills: