The Intel Security Advanced Threat Research Team has discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library that could allow malicious parties to set up fraudulent sites masquerading as legitimate businesses and other organizations.
The Mozilla NSS library, commonly used in the Firefox web browser, is also found in Thunderbird, SeaMonkey and other Mozilla products. Dubbed “BERserk”, the vulnerability allows attackers to forge RSA signatures: NSS was too lenient when parsing the BER-encoded DigestInfo structure inside PKCS#1 v1.5 signature padding (hence the name), so a signature value that does not decode to the exact expected padding can still be accepted. This allows the certificate-based authentication of websites using SSL/TLS to be bypassed. Given that certificates can be forged for any domain, this issue raises serious concerns for the integrity and confidentiality of connections to sites that users perceive to be secure.
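The forgery itself is worth seeing once, because the fix is so simple. The block below is an added example and is not code from Intel Security, Mozilla or NSS: it contrasts a strict PKCS#1 v1.5 verifier (rebuild the whole encoded message and compare byte for byte) with a lenient one that parses the DigestInfo and ignores what follows the hash, then shows Bleichenbacher's 2006 low-exponent forgery passing the lenient check with nothing but the public key. NSS's actual leniency was in its BER length decoding, which let attacker-controlled bytes sit inside the DigestInfo rather than only after it; this example uses the simpler trailing-garbage form to show the same class of bug. The modulus `N`, the message, and the function names are assumptions made for the demonstration.

```python
# Added example (not Intel Security's, Mozilla's or NSS's code): why a lenient
# PKCS#1 v1.5 verifier lets an attacker forge RSA signatures under e=3.
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
E = 3
# Constructed 2048-bit modulus. Any value of this size works here: the forged
# signature is chosen so that s^3 < N, so no reduction modulo N ever happens
# and a real RSA public key of this size would accept it just the same.
N = (1 << 2047) | 1


def icbrt(x):
    """Floor of the integer cube root of x (Newton iteration on ints)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)      # starts above the true root
    while True:
        nxt = (2 * r + x // (r * r)) // 3
        if nxt >= r:
            break
        r = nxt
    while r * r * r > x:                      # defensive final adjustment
        r -= 1
    while (r + 1) ** 3 <= x:
        r += 1
    return r


def emsa_pkcs1_v15(msg, k):
    """EM = 00 01 FF..FF 00 || DigestInfo(SHA-256(msg)), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this hash")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def verify_strict(n, e, msg, sig):
    """Correct check: rebuild the whole EM and compare it byte for byte."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))


def verify_lenient(n, e, msg, sig):
    """Flawed check: walks the padding, parses the DigestInfo and never looks
    at the bytes after the digest. This is the bug class BERserk belongs to."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    t = em[i + 1:]
    if not t.startswith(SHA256_DIGESTINFO):
        return False
    digest = t[len(SHA256_DIGESTINFO):len(SHA256_DIGESTINFO) + 32]
    return digest == hashlib.sha256(msg).digest()   # trailing bytes ignored


def forge_signature_e3(n, msg):
    """Bleichenbacher's forgery: shortest legal padding first, the tail left
    free, then the smallest s whose cube lands in that free region."""
    k = (n.bit_length() + 7) // 8
    head = (b"\x00\x01" + b"\xff" * 8 + b"\x00"
            + SHA256_DIGESTINFO + hashlib.sha256(msg).digest())
    free = k - len(head)                      # bytes the verifier ignores
    low = int.from_bytes(head + b"\x00" * free, "big")
    s = icbrt(low)
    if s ** 3 < low:
        s += 1                                # smallest cube at or above low
    # The free tail must absorb the gap to that cube (roughly 3*s^2 bits).
    if s ** 3 >= low + (1 << (8 * free)) or s ** 3 >= n:
        raise ValueError("free region too small: key too short for this hash")
    return s.to_bytes(k, "big")


MSG = b"constructed message: signed without ever holding a private key"
FORGED = forge_signature_e3(N, MSG)
```

The gap between consecutive cubes near the root is about 3·s², so the tail the verifier ignores must be at least that many bits wide. With SHA-256 that holds for a 2048-bit key (about 1552 free bits against a gap near 2^674) but not for a 1024-bit one (only 528 free bits), which is why `forge_signature_e3` refuses a 1024-bit modulus in the simple trailing-garbage form and why a parser that also tolerates junk inside the DigestInfo is so much more dangerous. The strict verifier is immune regardless of key size because it never parses the attacker's bytes at all.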
What users can do immediately
Individual Firefox browser users can take immediate action by updating their browsers with the latest patches from Mozilla.
Google has also released updates for Google Chrome and ChromeOS, as these products also utilize the vulnerable library.
Ensuring that privacy and integrity be maintained is core to what we do at Intel Security. As this issue unfolds we will continue to provide updates on effective countermeasures and proper mitigation strategies.
Rich Notifications are another new Chrome feature. Chrome already supported basic notifications, but with the new notifications users can be shown, and can interact with, tips and information outside of the browser. For example, a pop-up window in the Windows task bar can inform users when a new email arrives. Notifications can contain pictures, buttons and URLs as well as text. The notifications are handled by a notification center outside the browser, which not only allows the information to be displayed without a running browser but also serves as somewhere a user can consult to see what notifications they have missed.
Rich Notifications replace HTML-based notifications in the Chrome extensions: HTML-based notifications are no longer supported in version 28. Comprehensive instructions for developers are available. At the moment, Rich Notifications only work in Chrome OS and Windows – support for Mac OS X and Linux is said to be coming.
Version 28 also closes various security holes, including a richly rewarded use-after-free issue with network sockets and a well-rewarded fix for an HTTP/SSL man-in-the-middle attack. Other rewarded bugs included two use-after-free issues in input handling and resource loading, plus an out-of-bounds read in SVG, all found by Chrome bounty regular miaubiz, a screen data leak through GL textures with Windows and NVIDIA cards, and a lack of entropy in renderers.
The updated browser is available to download for Windows, Linux and Mac OS X or, for existing users, will arrive automatically. Chrome has also seen its Flash player updated to version 11.8.800.97 as noted in Adobe’s patch day.
With the second security and maintenance release of WordPress 3.5, the developers of the popular open source blogging software have closed 12 bugs, seven of them security issues. In their announcement, the developers “strongly encourage” all users to update all their installations of the software to version 3.5.2 immediately. In addition to the fixed vulnerabilities, the new release also includes some proactive changes intended to harden the platform against attacks.
Security fixes in this release include measures to prevent server-side request forgery (SSRF) attacks, in which the server is tricked into making HTTP requests on an attacker's behalf, for example to hosts on its internal network. The TinyMCE editor, the external SWFUpload library and other components have been updated to fix cross-site scripting (XSS) holes; WordPress's own SWFUpload fork is used by the blogging platform to transfer files to the server, while TinyMCE is used as the software's content editor. A problem that could be exploited by attackers to perform denial-of-service (DoS) attacks on sites that use WordPress's password protection for posts has also been fixed.
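An SSRF guard of the kind a release like this adds has a few non-obvious requirements: reject the literal address forms, resolve hostnames and check every address they map to, and then connect to exactly the addresses that were checked. The block below is an added example written for this page, not WordPress's own code; the resolver table, hostnames and addresses in it are constructed, and the resolver is injectable so the check runs offline.

```python
# Added example (not WordPress's code): validating a user-supplied URL before
# a server-side HTTP client fetches it, to block SSRF against internal hosts.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}

# Constructed lookup table standing in for DNS during the demonstration.
CONSTRUCTED_DNS = {
    "feeds.example":    ["93.184.216.34"],
    "localhost":        ["127.0.0.1"],
    "rebind.example":   ["93.184.216.34", "10.0.0.5"],   # one bad answer is enough
    "meta.example":     ["169.254.169.254"],             # cloud metadata service
}


def table_resolver(host):
    """Offline stand-in for resolve_all(); raises like getaddrinfo on NXDOMAIN."""
    if host not in CONSTRUCTED_DNS:
        raise OSError("name not found: " + host)
    return list(CONSTRUCTED_DNS[host])


def resolve_all(host):
    """Real resolver: every address the name maps to, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(ip):
    """True for any address the server must never contact on a user's behalf."""
    a = ipaddress.ip_address(ip)
    mapped = getattr(a, "ipv4_mapped", None)       # ::ffff:127.0.0.1 style
    if mapped is not None:
        a = mapped
    return (a.is_private or a.is_loopback or a.is_link_local
            or a.is_multicast or a.is_reserved or a.is_unspecified)


def validate_outbound_url(url, resolver=resolve_all):
    """Return the list of vetted IPs to connect to, or None if the URL is rejected.

    The caller must connect to one of the returned addresses rather than
    resolving the name again; otherwise a second lookup (DNS rebinding) can
    return an internal address the check never saw.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    if parts.username or parts.password:           # http://trusted@10.0.0.1/
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                              # non-numeric port
        return None
    if port not in ALLOWED_PORTS:
        return None
    host = parts.hostname                           # lower-cased, brackets stripped
    try:
        ips = [str(ipaddress.ip_address(host))]     # literal IPv4/IPv6 address
    except ValueError:
        try:
            ips = resolver(host)                    # "127.1", "2130706433" and
        except OSError:                             # friends end up here and are
            return None                             # judged by what they resolve to
    if not ips or any(_is_internal(ip) for ip in ips):
        return None
    return ips
```

The check deliberately judges the resolved addresses rather than the hostname string, which is what defeats shorthand and numeric spellings of loopback addresses, and it rejects a name outright if any of its answers is internal.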
WordPress 3.5.2 is available for download from the project’s web site. Alternatively, existing users can update automatically via Dashboard → Updates in the WordPress admin interface. The source code for WordPress is licensed under the GPLv2 or later.
Symantec has updated its suite of Windows security products with the release of Norton Antivirus 2013 v20.4, Norton Internet Security 2013 v20.4 and Norton 360 2013 v20.4.
Version 20.4 is primarily a bug-fix release, with some notable fixes, but also tweaks the user interface.
One visible change for users who also have Malwarebytes Anti-Malware Free installed as additional protection is a fix that prevents Norton from blocking or flagging up MBAM as incompatible.
The latest update also resolves an issue where the Safe Web annotations for checking search results for safety and privacy were not appearing in the US version of Google.com. Also corrected is an issue whereby Intrusion Prevention was incorrectly flagged as switched off when Norton AntiSpam was being opened from Microsoft Outlook.
English users will find a new widget – Backup – has been added to the main product page, while the Norton Safe Web widget has been removed, although it continues to function and appear within all compatible web browsers. The Backup widget refers to Symantec’s cloud backup, sync and sharing solution, currently called Norton Zone.
Two other fixes include making buttons in high-contrast mode more visible and ensuring the Scan Items tab scroll bar always appears.
Apple has released a security update for its QuickTime media framework for Windows. Version 7.7.4 of the software closes 12 critical security holes causing memory corruption and buffer overflows when processing a number of media formats. The vulnerabilities affect Windows 7, Vista and XP SP2 or later and could be exploited to cause arbitrary code execution and application crashes.
The vulnerabilities affected the playback of MP3, H.263, H.264, TeXML, JPEG, QTIF, Sorenson Video and FPX files as well as the handling of dref, enof and mvhd atoms within the program. All of the problems were reported by researchers working with HP’s Zero Day Initiative, five of them by Tom Gallagher and Paul Bates from Microsoft.
At the time of writing, Apple is not yet listing details about the fixed bugs on its security web site, but has announced that it will do so soon. The 40MB update for the free product can be downloaded from Apple’s Support Downloads web site.
Canonical has released Ubuntu 13.04 Raring Ringtail, most likely the last release of Ubuntu that will primarily cater for laptop and desktop users. For Ubuntu 13.04, Canonical focused on tightening up the core of the OS and polishing the Unity interface in preparation for Ubuntu’s smartphone and tablet debut, which is slated to occur in October with the release of version 13.10. There’s also the usual slew of package updates, a new Linux kernel, and a couple of new features, too.
The first thing you’ll notice upon booting Raring Ringtail is that Unity, and the PC in general, is faster and more responsive. This is down to Canonical putting a lot of time and effort into tweaking Ubuntu’s core libraries to reduce the CPU and memory usage of system processes, resulting in a snappier interface (Unity) and installed apps. This tightening of Ubuntu’s core should also reduce power consumption, which is good news for laptop users. While these changes will obviously help laptop and desktop users, their primary purpose is to prepare Ubuntu for its debut on smartphones and tablets, which generally have less RAM and weaker processors. While we’re discussing core changes, Ubuntu 13.04 now uses the Linux 3.8 kernel, a sizable upgrade from Ubuntu 12.10’s Linux 3.5 kernel (which had a nasty security vulnerability, incidentally).
Moving from the core into userland, Ubuntu 13.04 features updated versions of Firefox, LibreOffice, and Python. The workspace switcher has been removed from the Unity launcher by default, and Ubuntu One (Canonical’s cloud storage service) can now be controlled from the system tray. If you add some social media accounts, such as Twitter or Facebook, there’s also a new “Friends” lens, which is a lot like the People app in Windows 8: you can browse your friends’ latest updates, like, retweet, and so on. Overall, though, not a whole lot has outwardly changed in Ubuntu 13.04; it’s definitely more of a tweak-and-polish release.
Looking ahead, Canonical now has its work cut out with Ubuntu 13.10, which will introduce the Ubuntu Touch interface for smartphones and tablets. Details are fairly scarce at the moment, in accordance with Canonical’s move to a closed-door development process, but it seems like Canonical is attempting to create a single version of Ubuntu that works across PCs, smartphones, tablets, and even TVs (See: Canonical outs Ubuntu TV: Brave or stupid?) Ever since the Unity interface was first introduced, we have presumed that Ubuntu was heading in the direction of mobile devices — and now we’re just six months away from it actually happening. It’s definitely a savvy move for Canonical, with the PC market slowly dying, but whether it can actually carve out a section of the mobile market from Apple, Google, and Microsoft remains to be seen.
Microsoft is making another attempt to close the privilege elevation hole in the NTFS filesystem’s kernel driver for Windows 7 and Server 2008, including R2. The new patch, 2840149, supersedes security update 2823324, which Microsoft released on its April Patch Tuesday.
However, shortly after releasing it, the software giant had to recall the first update because it caused problems with various third-party programs; it crippled computers and triggered error messages. Kaspersky’s anti-virus programs also started acting up once the update was installed, erroneously assuming that they no longer had a valid licence and discontinuing operation. When re-releasing the update, Microsoft didn’t clarify whether this was the reason for the system malfunctioning.
The new patch is already being deployed via Windows Update. Microsoft is offering a bootable recovery disk as an ISO image to customers whose computers have failed to boot since the first patch was installed.
Microsoft’s Patch Tuesday on 9 April will be an important spring cleaning day; the company plans to implement nine security bulletins. One of the bulletins deals with vulnerabilities in Windows Defender for Windows 8 and RT; the hole is rated as important and can be exploited to achieve elevated privileges.
The headline bulletins will be the two critical security holes, one of which affects all versions of Windows and Windows Server, and another critical vulnerability which can be found in all versions of Internet Explorer. Whether the Internet Explorer fix will be addressing the IE vulnerability revealed at the recent Pwn2Own contest is unclear though. Both critical holes allow for remote code execution.
The remaining bulletins have been rated as important and aim to close holes in Windows, Office InfoPath 2010, and Web Apps 2010 Service Pack 1, as well as in server software such as Groove Server and SharePoint. Microsoft says that most of these vulnerabilities allow attackers to elevate their privileges and launch denial-of-service attacks. The patches for Microsoft Office and for the server software will close holes that allow potential attackers to harvest data.
h-online: Google has updated the Stable, Beta and Developer Channels of the desktop version of its Chrome browser with a number of bug fixes and improvements. The Stable Channel update closes seven security vulnerabilities, three of them rated High, and includes bug fixes. New stable Chrome versions for iOS and Android have also been released and include minor improvements. The iOS version of the browser now supports Apple’s Passbook application.
The update to the Stable version of Chrome for Windows, Mac OS X, Linux and Chrome Frame (for running Chrome inside of Internet Explorer) brings it to version 23.0.1271.91. The update closes a security vulnerability in the Mac OS X version of the browser that is caused by a severe rendering bug with the operating system’s driver for Intel graphics cards. This problem was rated by Google as High priority, as was a buffer underflow problem in libxml and a use-after-free bug in the browser’s SVG filters, which have also been fixed.
The Beta Channel of Chrome for Windows, Mac OS X, Linux and Chrome Frame has been updated to version 24.0.1312.25, which includes a number of bug fixes for running applications within the browser, fixes stability issues, and solves two problems with the taskbar in Windows 8. The Beta version of Chrome for Chrome OS is now 23.0.1271.94; the update improves network stability and updates the included Pepper Flash plugin.
In the Developer Channel, Chrome for Windows, Mac OS X and Chrome Frame has been updated to version 25.0.1337.0 which includes a number of fixes and improvements, most noticeably improvements to the Live Tiles functionality for Windows 8 and bug fixes for Flash on Mac OS X. Chrome for the Chrome OS Developer Channel is now at version 25.0.1324.1, which includes a firmware update.
Chrome for iOS has been updated to version 23.0.1271.91 which has introduced the ability to open PDFs in other applications and enables users to save their airline boarding passes and tickets in Apple’s Passbook. The update also brings some security and stability improvements. Chrome for Android is now at version 18.0.1025469 on ARM and version 18.0.1026322 on x86 devices; both updates fix stability issues.
An overview of the different desktop Chrome release channels and platforms is available from the Chromium Project, the open source upstream of Chrome. The listing includes download links for the different versions of the browser. All versions of Chrome should update themselves automatically; on some mobile platforms the user will be prompted to perform the update.
The H-Online: The latest version of Firefox, version 16, has returned to Mozilla’s servers with the release of Firefox 16.0.1, after the discovery of vulnerabilities had led the organization to withdraw the just-released open source web browser from circulation. Mozilla’s security blog post had described the problem only as a malicious web site potentially being able to determine the URLs and parameters a user had visited, and had suggested downgrading to Firefox 15.0.1, despite the numerous critical bugs fixed in Firefox 16.
But on Wednesday, Gareth Heyes, an independent security researcher, posted a proof of concept (PoC) which demonstrated that Firefox 16 mishandled the window.location object of a window belonging to another origin: an attacker could open a window pointing at some part of another site (in the PoC, twitter.com), wait for that site to redirect the window to a “logged in” page (a twitter.com profile page) and then read the new location and any data it carried (in the PoC, the user’s Twitter handle). Reading the location of a cross-origin window should be prevented by the browser’s same-origin policy.
According to Mozilla’s advisory, though, a similar but separate critical flaw had been found in Firefox 16, Firefox ESR 10.0.8, SeaMonkey 2.13, Thunderbird 16 and Thunderbird ESR 10.0.8 and earlier, which not only disclosed the location object but, in Firefox 15 and earlier, had the potential for arbitrary code execution. Firefox 16.0.1 closes both of these holes. The presence of the flaw in Firefox 15 does, though, raise questions over the previous advice given by Mozilla to downgrade from 16 to 15.
But these were not the only holes fixed in 16.0.1; another security advisory says developers also identified two of the top crashing bugs in the browser engine and that these bugs showed signs of having corrupted memory. Mozilla concludes that it could be possible to exploit these holes to execute code. One of the bugs only affected FreeType on mobile devices and is therefore fixed in Firefox 16.0.1 for Android, while the other is a WebSockets bug in Firefox 16 only and is not present in Firefox ESR.