Update your Adobe Flash Player to stay safe


A few days after Microsoft published a security advisory about a new critical bug in IE that is being used in limited, targeted attacks, Adobe has issued an emergency security update to fix a critical vulnerability (CVE-2014-0515) in Flash Player.

Note that this is unrelated to the IE exploit: there the bug was in IE itself, and a Flash file (.swf) was only used to make the attack succeed. In this case, the bug is in the Flash Player plugin itself.

So anyone running a vulnerable version of Adobe Flash Player is exposed to this attack.

If you are using Windows or Mac, make sure you have the latest Flash Player version, 13.0.0.206.  If you are using Linux, update to the latest version, 11.2.202.356.

This new zero-day Flash exploit was spotted being used in watering-hole attacks by researchers at Kaspersky Lab in early April.

According to SecureList, the Flash exploit was served from a Syrian Justice Ministry website (jpic.gov.sy).  Researchers believe the attack was designed to compromise the computers of Syrian dissidents complaining about the government.

Joomla 3.2.2 is vulnerable to SQL Injection and XSS


If your website runs Joomla 3.2.2, you should upgrade your CMS to the latest version.

A new version, Joomla 3.2.3, has been released to address more than 40 bugs and four security vulnerabilities.

One of the patched security flaws is a SQL injection caused by inadequate escaping, rated as High severity.  It affects versions 3.1.0 through 3.2.2.

Two other security bugs are cross-site scripting vulnerabilities, rated as Medium severity.

The last one allows unauthorized logins via GMail authentication, caused by inadequate checking.  It affects versions 2.5.8 and earlier 2.5.x releases, and 3.2.2 and earlier 3.x releases.

Whether or not you care about the 40 bugs, you should always take the security fixes.  So update your CMS immediately, before attackers inform you of the problem by hacking your site.

CVE-2013-5065: Windows XP Kernel Privilege escalation vulnerability exploited in the wild


Microsoft has issued a warning about a new zero-day vulnerability affecting the Windows XP and Windows Server 2003 operating systems.

The bug, tracked as CVE-2013-5065, is a local privilege escalation vulnerability and is reportedly being exploited in the wild.

Successful exploitation allows an attacker to run arbitrary code in kernel mode (user mode --> kernel mode), and thereby install software, modify data or create accounts with administrative privileges.

However, the vulnerability is not exploitable by a remote attacker.

"It does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003," Microsoft's security advisory reads.

Although Microsoft has issued workarounds for this vulnerability, it is better to move to a current version of Windows (7 or 8), since Microsoft will stop supporting Windows XP in April 2014.

OpenSSH fixes a critical code execution vulnerability


OpenSSH, a tool that provides encrypted communication sessions over a computer network using the SSH protocol, has patched a critical code execution vulnerability.

"A memory corruption vulnerability exists in the post-authentication sshd process when an AES-GCM cipher (aes128-gcm@openssh.com or aes256-gcm@openssh.com) is selected during kex exchange," the security advisory reads.

"If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations."

The vulnerability was identified by OpenSSH developer Markus Friedl on November 7th.  The fix was issued immediately.

The flaw is fixed in OpenSSH 6.4.  A security patch is also available for users who prefer to keep using OpenSSH 6.2 or 6.3.

WordPress 3.7 released for lazy admins: automatic security updates


WordPress has finally come up with a way to end the security risk of failing to update the CMS.  Yes, you heard it correctly: they have added a new "Automatic update" feature.

The new version 3.7 has no special security bug fixes, but it enables a useful feature that will keep your CMS from being hacked because of an outdated version.

Besides the "Updates while you sleep" feature, they have also added a password strength meter and "support for automatically installing the right language files and keeping them up to date".

This is quite an impressive move from WordPress.  From now on, lazy admins no longer need to worry about updating WordPress whenever there is a security release; it will be done automatically.

It just comes to mind: how many of the lazy admins are actually going to update to the latest version, 3.7?

Update your Firefox to fix four critical security holes

Mozilla has released Firefox 22, which addresses more than 10 security vulnerabilities.

Four critical security bugs, including "Execution of unmapped memory through onreadystatechange event", "Privileged content access and execution via XBL", "Memory corruption found using Address Sanitizer" and "Miscellaneous memory safety hazards", have been fixed in the latest version.

Six high-severity bugs, including "Inaccessible updater can lead to local privilege escalation", "XrayWrappers can be bypassed to run user defined methods in a privileged context" and "Data in the body of XHR HEAD requests leads to CSRF attacks", have also been fixed.

Users are recommended to update Firefox to the latest version.

Mozilla Firefox 21 closes three critical security holes


Mozilla has released Firefox 21, which closes eight security vulnerabilities, including four high-severity and three critical flaws.

Critical vulnerabilities:
  • Memory corruption found using Address Sanitizer (MFSA 2013-48)
  • Use-after-free with video and onresize event (MFSA 2013-46)
  • Miscellaneous memory safety hazards (MFSA 2013-41)

High-severity vulnerabilities:
  • Uninitialized functions in DOMSVGZoomEvent (MFSA 2013-47)
  • Mozilla Updater fails to update some Windows Registry entries (MFSA 2013-45)
  • Local privilege escalation through Mozilla Maintenance Service (MFSA 2013-44)
  • Privileged access for content level constructor (MFSA 2013-42)

Firefox 21 introduces a new feature, the Social API, which "makes it easy for your favorite social providers to add a sidebar with your content to Firefox or notification buttons directly on the Firefox toolbar."

It also introduces the Health Report, which "logs basic health information about your browser and then give you tools to understand that information and fix any problems you encounter".

Users are advised to upgrade Firefox as soon as possible; you can check your version and update the browser via Help -> About Firefox.

Temporary fix for new zero-day IE vulnerability (CVE-2013-1347)

Microsoft has issued a temporary fix for the recently uncovered Internet Explorer 8 vulnerability that was exploited in the US Department of Labor hack to serve malware.

The vulnerability affects only IE8, so users running Internet Explorer versions 6, 7, 9 and 10 do not need to take any action.

Microsoft is working on a permanent fix.  In the meantime, users are urged to apply the temporary fix to protect themselves from the attack.

To do this, visit http://support.microsoft.com/kb/2847140 and click the Fix it button or link under the Enable heading.

If you are a pentester, the technical analysis and Metasploit module can be found here:
https://community.rapid7.com/community/metasploit/blog/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit

Vulnerability in Adobe ColdFusion allows hackers to access files stored on the server


A critical vulnerability (CVE-2013-3336) has been identified in Adobe ColdFusion, a commercial rapid web application development platform.  The flaw allows attackers to remotely retrieve files stored on the server.

ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and UNIX are affected.

Adobe's security advisory warns that the vulnerability is already being exploited in the wild.

The company is in the process of finalizing a fix for this bug and expects it to be available on May 14, 2013.

In the meantime, the company has offered a mitigation: users can protect themselves by restricting public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories.

Update your Ubuntu 12.10 to fix the Linux Kernel vulnerabilities


On May 2, Canonical released a security advisory fixing ten Linux kernel vulnerabilities that affect Ubuntu 12.10.

The vulnerabilities are:
  • Information leak in the Linux kernel's UDF file system implementation (CVE-2012-6548)
  • Information leak in the Linux kernel's ISO9660 CDROM file system driver (CVE-2012-6549)
  • Integer overflow in the Direct Rendering Manager (DRM) subsystem for the i915 video driver in the Linux kernel (CVE-2013-0913)
  • Denial of service flaw in guest OS time updates in the Linux kernel's KVM (CVE-2013-1796)
  • Use-after-free error in guest OS time updates in the Linux kernel's KVM (CVE-2013-1797)
  • Flaw in the way KVM emulated the IOAPIC (CVE-2013-1798)
  • Privilege escalation vulnerability in the Linux kernel's ext3 filesystem (CVE-2013-1848)
  • Buffer overflow in the Linux kernel's USB subsystem for devices reporting the cdc-wdm class (CVE-2013-1860)
  • Information leak in the Linux kernel's dcb netlink interface (CVE-2013-2634)
  • Kernel stack information leak in the RTNETLINK component (CVE-2013-2635)

To patch these vulnerabilities, Ubuntu users are urged to update their systems to the following package version: linux-image-3.5.0-28-generic 3.5.0-28.48.

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades. 

Update your Apache Tomcat to avoid hash collision denial-of-service (DoS)

Update Apache Tomcat 7.0.x, 6.0.x and 5.5.x to the latest released versions 7.0.23, 6.0.35 and 5.5.35 respectively; these releases avoid the hash collision DoS vulnerability.

Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service. The issue was addressed by modifying the Tomcat parameter handling code to efficiently process large numbers of parameters and parameter values.

Get the updates from here:
http://tomcat.apache.org
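The advisory text above describes the defensive idea behind the Tomcat fix: bound the work a single request can force on the parameter parser. The following is an added example, not Tomcat's code or anything from the advisory, of a form-body parser that applies two such bounds (a body size cap and a parameter count cap) before any parameter is inserted into a hash table. The limit values and the helper names are chosen for this example only.

```python
import urllib.parse

# Illustrative caps (hypothetical values chosen for this example, not Tomcat's defaults).
MAX_PARAMETER_COUNT = 1000
MAX_BODY_BYTES = 64 * 1024


class ParameterLimitExceeded(ValueError):
    """Raised before any expensive work is done on an oversized request."""


def parse_form_body(body, max_params=MAX_PARAMETER_COUNT, max_bytes=MAX_BODY_BYTES):
    """Parse an application/x-www-form-urlencoded body into {name: [values]}.

    Both guards run *before* parameters go into the dict, so a request
    carrying far more keys than any legitimate form would is rejected
    without doing the hashing work that makes a collision flood expensive.
    """
    if len(body) > max_bytes:
        raise ParameterLimitExceeded(
            f"body of {len(body)} bytes exceeds limit of {max_bytes}")

    # Split at most max_params times: if more than max_params pieces come
    # back, the request has more parameters than allowed and the remainder
    # of the body is never examined.
    pieces = body.split(b"&", max_params)
    if len(pieces) > max_params:
        raise ParameterLimitExceeded(
            f"more than {max_params} parameters in request")

    params = {}
    for piece in pieces:
        if not piece:
            continue  # tolerate "a=1&&b=2"
        name, _, value = piece.partition(b"=")
        key = urllib.parse.unquote_plus(name.decode("latin-1"))
        params.setdefault(key, []).append(
            urllib.parse.unquote_plus(value.decode("latin-1")))
    return params


def exceeds_limits(body, max_params=MAX_PARAMETER_COUNT, max_bytes=MAX_BODY_BYTES):
    """True if the body would be rejected by the caps, False if it parses."""
    try:
        parse_form_body(body, max_params, max_bytes)
    except ParameterLimitExceeded:
        return True
    return False


def demo():
    """Constructed inputs: a normal login form and an oversized parameter list."""
    benign = b"user=alice&action=login&lang=en"
    oversized = b"&".join(b"k%d=1" % i for i in range(MAX_PARAMETER_COUNT + 1))
    return parse_form_body(benign), exceeds_limits(oversized)


if __name__ == "__main__":
    parsed, rejected = demo()
    print("benign request parsed:", parsed)
    print("oversized request rejected:", rejected)
```

The order of the checks is the point: the count limit is enforced while splitting, so the cost of handling a hostile request is proportional to the limit rather than to the attacker's body size. The patched Tomcat releases expose the equivalent cap as the `maxParameterCount` attribute on the Connector.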

OpenSSL Security Advisory for fixing Six vulnerabilities [04 Jan 2012]

An updated version of OpenSSL has been released that fixes six vulnerabilities.  Users of previous versions should upgrade to OpenSSL 1.0.0f or 0.9.8s.

Vulnerability Details:
  • DTLS Plaintext Recovery Attack (CVE-2011-4108)
  • Double-free in Policy Checks (CVE-2011-4109)
  • Uninitialized SSL 3.0 Padding (CVE-2011-4576)
  • Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
  • SGC Restart DoS Attack (CVE-2011-4619)
  • Invalid GOST parameters DoS Attack (CVE-2012-0027)
The Security advisory can be found here:
http://openssl.org/news/secadv_20120104.txt

Apache Struts version 2.3.1.1 fixes critical vulnerabilities


The Apache Struts developers have released version 2.3.1.1 of their open source framework for Java-based web applications.  The update fixes critical vulnerabilities in earlier versions (2.1.0 to 2.3.1).

The vulnerabilities could be exploited by an attacker to circumvent restrictions by using dynamic method invocation (DMI) to inject and execute malicious Java code.

Updating to v2.3.1.1 fixes the vulnerabilities.  Alternatively, the security advisory provides instructions for changing a configuration file to mitigate the problem.

Here you can find more details about the latest release:
http://struts.apache.org/2.x/docs/version-notes-2311.html

Ubuntu security advisory fixes critical vulnerabilities in Ghostscript


Ubuntu has released a security advisory to fix critical vulnerabilities in Ghostscript.
Ghostscript could be made to crash or run programs with your login's privileges if it opened a specially crafted file.

Affected versions:

Ubuntu 10.10
Ubuntu 10.04 LTS
Ubuntu 8.04 LTS

Vulnerability Details:

It was discovered that Ghostscript did not correctly handle memory
allocation when parsing certain malformed JPEG-2000 images. If a user or
automated system were tricked into opening a specially crafted image, an
attacker could cause a denial of service and possibly execute arbitrary
code with user privileges. (CVE-2008-3520)

It was discovered that Ghostscript did not correctly handle certain
formatting operations when parsing JPEG-2000 images. If a user or automated
system were tricked into opening a specially crafted image, an attacker
could cause a denial of service and possibly execute arbitrary code with
user privileges. (CVE-2008-3522)

It was discovered that Ghostscript incorrectly handled certain malformed
TrueType fonts. If a user or automated system were tricked into opening a
document containing a specially crafted font, an attacker could cause a
denial of service and possibly execute arbitrary code with user privileges.
This issue only affected Ubuntu 8.04 LTS. (CVE-2009-3743)

It was discovered that Ghostscript incorrectly handled certain malformed
Type 2 fonts. If a user or automated system were tricked into opening a
document containing a specially crafted font, an attacker could cause a
denial of service and possibly execute arbitrary code with user privileges.
This issue only affected Ubuntu 8.04 LTS. (CVE-2010-4054)

Jonathan Foote discovered that Ghostscript incorrectly handled certain
malformed JPEG-2000 image files. If a user or automated system were tricked
into opening a specially crafted JPEG-2000 image file, an attacker could
cause Ghostscript to crash or possibly execute arbitrary code with user
privileges. (CVE-2011-4516, CVE-2011-4517)

Solution:
The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10:
libgs8 8.71.dfsg.2-0ubuntu7.1
Ubuntu 10.04 LTS:
libgs8 8.71.dfsg.1-0ubuntu5.4
Ubuntu 8.04 LTS:
libgs8 8.61.dfsg.1-1ubuntu3.4

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

Microsoft releases temporary fix for kernel 0-day security flaw


A few days ago, Symantec and the Laboratory of Cryptography and System Security (CrySyS) discovered a zero-day security flaw in the Windows kernel while analyzing the Duqu malware.  Microsoft has released a temporary fix for the problem.  Microsoft determined that the flaw is in the Win32k TrueType font (TTF) parsing engine.

An attacker can exploit this vulnerability and install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft is working to fix this vulnerability with its partners in the Microsoft Active Protections Program (MAPP).  In the meantime, Microsoft has released a "Fix this problem" tool as a temporary solution.

This tool disables system access to the T2embed.dll file.  The problem is that this prevents any application that relies on embedded TTFs from rendering them properly, and embedded TTFs are common in Microsoft Office documents, browsers and document viewers.