Critical Bug in GnuTLS library affects Linux and hundreds of apps


A critical error-handling bug (CVE-2014-0092) in the GNU TLS library GnuTLS affects hundreds of software packages, including those shipped by the Red Hat, Debian and Ubuntu distributions.

According to the Red Hat security advisory, a coding error in GnuTLS causes it to mishandle certain errors that can occur during verification of an X.509 certificate, so that a failed verification is reported as successful.

"An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker," the advisory reads.

The bug lies in how the function in verify.c returns its result (https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b?diffmode=sidebyside). The error handling there is wrong in three ways. The variable "result" is not initialised. When issuer_version is less than zero (an error), the function returns issuer_version itself instead of zero. And when result is less than zero, control jumps to the 'cleanup' label instead of 'fail', so the negative error code becomes the function's return value. Because the callers treat any non-zero return as a successful check, a negative error code is read as success.
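To make the control-flow mistake concrete, here is an added illustration written for this page; it is not GnuTLS source. The helper functions, the negative error codes and the string "certificates" are stand-ins, but the shape of the two functions follows the three errors listed above: a negative issuer_version returned as-is, an error path that jumps to cleanup rather than fail, and a caller that only asks whether the return value is non-zero.

```c
/* Added illustration of the error-handling flaw behind CVE-2014-0092.
 * This is NOT GnuTLS source: the parse/version helpers, the negative
 * error codes and the "certificate" strings are assumptions that keep
 * the control-flow shape the article describes. */
#include <stddef.h>
#include <string.h>

#define ERR_BAD_DATA (-7)    /* assumed negative error codes */
#define ERR_NO_DATA  (-12)

/* Stand-in for reading the issuer certificate's version field. */
static int get_issuer_version(const char *issuer)
{
    if (issuer == NULL) return ERR_NO_DATA;
    if (strncmp(issuer, "BAD", 3) == 0) return ERR_BAD_DATA;
    return 3;
}

/* Stand-in for decoding basicConstraints: negative on malformed input,
 * 1 if the CA flag is set, 0 if it is not. */
static int parse_basic_constraints(const char *cert)
{
    if (cert == NULL) return ERR_NO_DATA;
    if (strncmp(cert, "BAD", 3) == 0) return ERR_BAD_DATA;
    return strstr(cert, "CA:TRUE") != NULL ? 1 : 0;
}

/* Vulnerable shape: both error paths leak a negative error code to a
 * caller that only tests for non-zero. */
int check_if_ca_vulnerable(const char *cert, const char *issuer)
{
    int result;
    int issuer_version = get_issuer_version(issuer);

    if (issuer_version < 0)
        return issuer_version;      /* bug: should return 0 */

    result = parse_basic_constraints(cert);
    if (result < 0)
        goto cleanup;               /* bug: should be goto fail */
    if (result == 0)
        goto fail;                  /* basicConstraints says: not a CA */

    result = 1;
    goto cleanup;

fail:
    result = 0;
cleanup:
    return result;
}

/* Fixed shape: every error path ends in "not a CA" (0). */
int check_if_ca_fixed(const char *cert, const char *issuer)
{
    int result = 0;
    int issuer_version = get_issuer_version(issuer);

    if (issuer_version < 0)
        return 0;

    result = parse_basic_constraints(cert);
    if (result < 0)
        goto fail;
    if (result == 0)
        goto fail;

    result = 1;
    goto cleanup;

fail:
    result = 0;
cleanup:
    return result;
}

/* The chain-verification caller: any non-zero return counts as "is a CA". */
int issuer_accepted(int (*check)(const char *, const char *),
                    const char *cert, const char *issuer)
{
    return check(cert, issuer) != 0;
}
```

With a malformed certificate ("BAD cert") or a malformed issuer, issuer_accepted() answers 1 for the vulnerable variant and 0 for the fixed one; for a well-formed CA:TRUE certificate both answer 1. Turning every error into 0 is what the fix linked above does.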

Nikos Mavrogiannopoulos of the Red Hat Security Technologies team discovered the flaw during an audit of GnuTLS for Red Hat.

Users are advised to upgrade to GnuTLS 3.2.12 or 3.1.22, or to apply the patch for GnuTLS 2.12.x.

Hackers can use Google Chrome to spy on your conversations


A security bug in Google Chrome lets an attacker use the computer's microphone to surreptitiously listen to your private conversations.

Normally, a website that uses speech recognition must ask the user for permission to access the microphone, Chrome shows an indicator while speech recognition is active, and Chrome stops listening once the user leaves the site.

Israeli developer Tal Ater found a flaw in this system while working on a speech recognition library.

The problem is that once you grant an HTTPS site permission to use your microphone, Chrome remembers the choice, and the site can start listening again later without asking for permission.

In a demo video he showed how an attacker could abuse this by opening a small hidden pop-up window that starts the speech recognition system.

Ater reported the bug to Google's security team in September 2013. The bug was nominated for Chromium's reward panel.



Security Bugs fixed: Wireshark 1.10.4 and 1.8.12 released

The latest Wireshark versions are available for download. Versions 1.10.4 and 1.8.12 add no new features over their predecessors; they are bug-fix releases.

Three security bugs are fixed. They lie in the SIP dissector, the BSSGP dissector and the NTLMSSP v2 dissector.

An attacker could crash Wireshark remotely by injecting a malformed packet onto the wire or by convincing someone to open a malformed packet trace file.

Besides the security bugs, several non-security bugs are fixed in these versions, such as "Tx MCS set is not interpreted properly in WLAN beacon frame" and "Wireshark fails to decode single-line, multiple Contact: URIs in SIP responses".

Download the latest version from here:
http://www.wireshark.org/download.html


Hacked Verizon Femtocell allows hackers to spy on Phone calls made with iPhone & Android


Two security experts from iSEC Partners have found a way to spy on Verizon Wireless customers by hacking into the devices the U.S. carrier sells to boost wireless signals indoors.

In a demonstration for Reuters, researchers Tom Ritter and Doug DePerry showed how they could intercept phone calls, messages and photos from iPhone and Android phones using a Verizon femtocell they had previously hacked.

"This is not about how the NSA would attack ordinary people. This is about how ordinary people would attack ordinary people," Reuters quoted Tom Ritter, a senior consultant with the security firm iSEC Partners, as saying.

Verizon reportedly updated the software on its signal-boosting devices, known as femtocells or network extenders, to stop others from copying the two researchers' technique.

"The Verizon Wireless Network Extender remains a very secure and effective solution for our customers," a Verizon spokesperson said in a statement after the fix.

However, the researchers say their technique still works because they modified their device before the company pushed out the software fix. They told Reuters that further details will be shared at the two upcoming hacking conferences, Black Hat and DefCon.

Security Flaw in Samsung allow hackers to bypass Android Lock screen

A security flaw in Samsung phones allows an attacker to bypass the lock screen and launch apps and dial phone numbers on a locked device. The vulnerability was discovered by mobile enthusiast Terence Eden.

To exploit the flaw, activate the screen and press Emergency Call. Then press the "ICE" button at the bottom left, hold down the physical home key for a few seconds and release it. The Home screen is now accessible and any app or widget can be launched.

The researcher tested this against a Galaxy Note II (N7100) running Android 4.1.2.

"This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed." Eden said in his blog post.

The researcher says he tried to contact Samsung about the vulnerability but received no proper response.




Reflected cross-site scripting vulnerability in MTS Mobile website


Information security researcher Narendra Bhati, from Sheoganj, India, has discovered a reflected cross-site scripting vulnerability in the official website of MTS India (mtsindia.com).

MTS is an Indian mobile network operator headquartered in New Delhi that provides wireless voice, messaging and data services in India.

The vulnerability is in the site's search field: script injected into the search box is reflected into the response page and executes.

For instance, injecting the following into the search box displays an alert box:

    "><script>alert("E Hacking News")</script>
Narendra also found that the field accepts iframe markup, so an attacker could inject a phishing page to scam visitors:

    "/><iframe src="http://www.google.com" width=1000 height=1000></iframe>
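As an added example (not code from mtsindia.com or from the researcher), the C fragment below shows the difference between a page that echoes the search term verbatim and one that HTML-escapes it first, plus a small check that tells the two apart using the probe quoted above. The page template and the escape set are assumptions made for this illustration.

```c
/* Added example for the reflected XSS described above. The template
 * string is an assumption; the probe is the one quoted in the article. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the five characters that matter in HTML text and attribute
 * context. Returns bytes written (excluding NUL), or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2];
        size_t r;
        one[0] = *in;
        one[1] = '\0';
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        r = strlen(rep);
        if (n + r + 1 > outlen) return -1;
        memcpy(out + n, rep, r);
        n += r;
    }
    out[n] = '\0';
    return (int)n;
}

/* Vulnerable renderer: the query lands inside the value attribute verbatim,
 * so a leading quote and angle bracket close the tag and start a new one. */
int render_search_vulnerable(const char *q, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "<input name=\"q\" value=\"%s\">", q);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Fixed renderer: escape before interpolating. */
int render_search_fixed(const char *q, char *out, size_t outlen)
{
    char esc[1024];
    int n;
    if (html_escape(q, esc, sizeof esc) < 0) return -1;
    n = snprintf(out, outlen, "<input name=\"q\" value=\"%s\">", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Detector: does the response contain the payload byte-for-byte, i.e.
 * with its quote and angle brackets still active as markup? */
int reflects_unescaped(const char *html, const char *payload)
{
    return strstr(html, payload) != NULL;
}

/* The probe quoted in the article; the iframe probe behaves the same way. */
const char XSS_PROBE[] = "\"><script>alert(\"E Hacking News\")</script>";

/* Render the probe with the given renderer and report whether it came back live. */
int probe_reflects(int (*render)(const char *, char *, size_t))
{
    char page[2048];
    if (render(XSS_PROBE, page, sizeof page) < 0) return -1;
    return reflects_unescaped(page, XSS_PROBE);
}
```

probe_reflects(render_search_vulnerable) returns 1 because the probe survives intact; probe_reflects(render_search_fixed) returns 0 because the quote and angle brackets come back as &quot;, &lt; and &gt;. Checking for the payload verbatim is the same test a scanner applies when it grades a reflection as exploitable rather than merely echoed.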

One of Twitter's "Sign in" forms sends the password in plain text


Zohar Alon, CEO of the cloud security company Dome9, discovered a design flaw in Twitter: one of its 'Sign in' forms did not use a secure connection and sent the password in plain text.

The main Twitter sign-in page uses HTTPS, so login credentials are encrypted in transit and cannot be read off the wire. But the drop-down sign-in menu on the tweet details page did not use HTTPS.

Vulnerable Twitter sign in form

This means an attacker who can sniff the victim's network traffic can capture the login credentials.

After being notified by The Next Web about the vulnerability, Twitter's security team fixed the issue; the form now submits over HTTPS.
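The Twitter case is easy to miss by eye because the main form is fine and only a secondary one is not. Below is an added audit helper, written for this page rather than taken from Twitter or Dome9, that walks a page's forms and counts those that carry a password field but would submit over plain http. The sample markup is constructed, and the helper assumes double-quoted action= and type= attributes.

```c
/* Added audit helper: count HTML forms that contain a password field but
 * submit over plain http. Example code for this page, not Twitter's or
 * Dome9's; SAMPLE_PAGE is constructed, and double-quoted attributes are
 * an assumption of this simple scanner. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* 1 if a password input occurs between form and end. */
static int has_password_field(const char *form, const char *end)
{
    const char *p = strstr(form, "type=\"password\"");
    return p != NULL && p < end;
}

/* Copy the form tag's action attribute into buf; 0 if there is none. */
static int get_action(const char *form, char *buf, size_t n)
{
    const char *tag_end = strchr(form, '>');
    const char *a = strstr(form, "action=\"");
    const char *q;
    if (a == NULL || tag_end == NULL || a > tag_end) return 0;
    a += strlen("action=\"");
    q = strchr(a, '"');
    if (q == NULL || (size_t)(q - a) >= n) return 0;
    memcpy(buf, a, (size_t)(q - a));
    buf[q - a] = '\0';
    return 1;
}

/* Does the action submit over TLS? Relative actions inherit the page's scheme. */
static int action_is_https(const char *action, int page_is_https)
{
    if (strncasecmp(action, "https://", 8) == 0) return 1;
    if (strncasecmp(action, "http://", 7) == 0) return 0;
    return page_is_https;
}

/* Number of forms in html that would send a password in clear text. */
int count_plaintext_login_forms(const char *html, int page_is_https)
{
    int bad = 0;
    const char *f = html;
    char action[256];

    while ((f = strstr(f, "<form")) != NULL) {
        const char *end = strstr(f, "</form>");
        if (end == NULL) end = f + strlen(f);
        if (has_password_field(f, end)) {
            int https = get_action(f, action, sizeof action)
                          ? action_is_https(action, page_is_https)
                          : page_is_https;
            if (!https) bad++;
        }
        f = end;
    }
    return bad;
}

/* Constructed sample: a main login form over https and a drop-down login
 * form that posts to http, mirroring the case reported against Twitter. */
const char SAMPLE_PAGE[] =
    "<html><body>"
    "<form action=\"https://example.test/sessions\" method=\"post\">"
    "<input name=\"user\"><input type=\"password\" name=\"pass\"></form>"
    "<div class=\"dropdown\">"
    "<form action=\"http://example.test/sessions\" method=\"post\">"
    "<input name=\"user\"><input type=\"password\" name=\"pass\"></form>"
    "</div>"
    "<form action=\"/search\"><input name=\"q\"></form>"
    "</body></html>";
```

count_plaintext_login_forms(SAMPLE_PAGE, 1) returns 1: the https form and the search form pass, the drop-down form is flagged. Note the second argument: a relative action on an http page is just as exposed as an absolute http:// one, which is why the page's own scheme has to be fed in.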

Google Webmaster Tools security flaw giving unauthorized access to old accounts

A security flaw in Google Webmaster Tools caused old user accounts to be automatically re-verified and given access to sites they should no longer have access to.

Google Webmaster Tools is a Google service that helps website owners manage how their site appears in Google, diagnose problems and optimize traffic.

According to the Search Engine Journal report, users found themselves with sudden access to accounts they once had access to but no longer should, e.g. ex-employees, contractors and the like.


"For those not aware of the seriousness of this apparent breach of security," the Search Engine Journal report reads, "the rub is, there's simply no guarantee those granted renewed access won't do something malicious. Not only could past access holders change key elements, but spying on the competition for larger entities is definitely a possibility."

"That bug is presumably giving a lot of power to individuals that shouldn't have it — power to deindex, disavow links, unverify the current/legitimate webmaster's access, and even redirect sites to other verified domains in the user's account. It also reveals a lot of link, search, index/crawl and other data to users that shouldn't be able to see those things," the Search Engine Land report says.

Google fixed the bug several hours after the issue surfaced.

CVE-2012-4953 : Critical Memory corruption vulnerability in Symantec Antivirus



CVE-2012-4953: A critical security flaw has been discovered in multiple Symantec antivirus products. Improper handling of malformed CAB files results in a memory corruption vulnerability. US-CERT announced the vulnerability on Nov 5.

According to the advisory, successful exploitation may result in arbitrary code execution as the result of a file being scanned.

"We have confirmed that Symantec Endpoint Protection 11, which uses dec_abi.dll, and Symantec Scan Engine 5.2, which uses Dec2CAB.dll, are affected," the researcher says.

A remote attacker can deliver a specially crafted CAB file that, when scanned, triggers memory corruption in 'dec_abi.dll' and executes arbitrary code with system privileges on the victim's machine. Because the scanner runs with high privileges and opens files automatically, the victim does not have to do anything beyond receiving the file.
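The advisory does not say which field of the CAB file is mishandled, so the added example below does not reconstruct the Symantec bug. Instead it shows the kind of checking a decomposer needs before it trusts offsets and counts read out of a cabinet: a small parser for the fixed CFHEADER and CFFOLDER table of the Microsoft Cabinet format, with a constructed sample cabinet so the rejection paths can be exercised offline. The error codes are this example's own.

```c
/* Added example: bounds-checked parsing of a Microsoft Cabinet header.
 * Not Symantec code and not the dec_abi.dll bug; the return codes are
 * this example's own and the sample cabinet is constructed in memory. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CFHEADER_SIZE 36   /* fixed part of CFHEADER, no reserve fields */
#define CFFOLDER_SIZE 8    /* coffCabStart(4) cCFData(2) typeCompress(2) */
#define CFFILE_MIN    16   /* CFFILE fixed part before the NUL-terminated name */

struct cab_header {
    uint32_t cb_cabinet;   /* total cabinet size the file claims */
    uint32_t coff_files;   /* offset of the first CFFILE entry */
    uint16_t c_folders;
    uint16_t c_files;
    uint16_t flags;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v & 0xff);         p[1] = (uint8_t)((v >> 8) & 0xff);
    p[2] = (uint8_t)((v >> 16) & 0xff); p[3] = (uint8_t)((v >> 24) & 0xff);
}

/* 0 on success, a distinct negative code per rejected condition. Every
 * length or offset taken from the file is checked against buf_len before
 * anything is read through it; arithmetic is done in 64 bits so a large
 * cFolders cannot wrap the folder-table bound. */
int parse_cab_header(const uint8_t *buf, size_t buf_len, struct cab_header *h)
{
    uint64_t folders_end;

    if (buf == NULL || buf_len < CFHEADER_SIZE) return -1;   /* truncated */
    if (memcmp(buf, "MSCF", 4) != 0) return -2;              /* bad signature */

    h->cb_cabinet = rd32(buf + 8);
    h->coff_files = rd32(buf + 16);
    h->c_folders  = rd16(buf + 26);
    h->c_files    = rd16(buf + 28);
    h->flags      = rd16(buf + 30);

    if (h->flags & 0x0004) return -3;          /* reserve fields: not handled here */
    if (h->cb_cabinet > buf_len) return -4;    /* claims more bytes than we hold */

    folders_end = (uint64_t)CFHEADER_SIZE + (uint64_t)h->c_folders * CFFOLDER_SIZE;
    if (folders_end > h->coff_files) return -5;                  /* folder table overlaps CFFILEs */
    if ((uint64_t)h->coff_files + CFFILE_MIN > buf_len) return -6; /* CFFILE outside buffer */
    return 0;
}

/* Build a constructed minimal cabinet in out: header, one CFFOLDER and one
 * CFFILE with an empty name. coff_files is taken as given so that a test
 * can forge the CFFILE offset. Returns the number of bytes written (61). */
size_t build_sample_cab(uint8_t *out, uint32_t coff_files)
{
    size_t total = CFHEADER_SIZE + CFFOLDER_SIZE + CFFILE_MIN + 1;
    memset(out, 0, total);
    memcpy(out, "MSCF", 4);
    wr32(out + 8, (uint32_t)total);   /* cbCabinet */
    wr32(out + 16, coff_files);       /* coffFiles */
    out[24] = 3; out[25] = 1;         /* versionMinor, versionMajor */
    wr16(out + 26, 1);                /* cFolders */
    wr16(out + 28, 1);                /* cFiles */
    /* CFFOLDER at offset 36 and CFFILE at 44 are left zeroed */
    return total;
}

/* Build a sample with the given CFFILE offset and parse it, returning the
 * parser's verdict; lets the checks be exercised without a file on disk. */
int verdict_for_coff_files(uint32_t coff_files)
{
    uint8_t buf[64];
    struct cab_header h;
    size_t n = build_sample_cab(buf, coff_files);
    return parse_cab_header(buf, n, &h);
}
```

verdict_for_coff_files(44) returns 0 (the CFFILE table begins right after the single 8-byte folder entry). Forging coffFiles to 0x7fffffff gives -6, since the first CFFILE would lie past the end of the data, and forging it to 40 gives -5, because the folder table would then run into it; both are the sort of inconsistency a decomposer has to refuse rather than follow.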

I'm still confused about the date of notification to the vendor. The report says the bug was reported on 8 Apr 2011?!

"The SEP product team has received the vulnerability report (VU#985625) from CERT and we are actively working on a response that will include all affected versions of Symantec products as well as mitigation plans. Please be assured that all versions of SEP 12.1 are unaffected by CERT VU#985625. We will provide an official advisory on Wednesday, November 7 PST." That was Symantec's response when a user asked for details of the vulnerability on its forum.

According to the US-CERT advisory, Symantec Endpoint Protection 11 is affected and upgrading to Symantec Endpoint Protection 12 fixes the problem.

"Symantec currently has no plans to update Symantec Endpoint Protection 11. We have verified that Symantec Scan Engine, now known as Symantec Protection Engine for Cloud Services, version 7 does not appear to be affected," the advisory reads.