All the world’s a Stagefright


Here’s how security vulnerabilities are supposed to be handled. One, a researcher discovers an issue. Two, the people who make the software find a solution. And three, the solution is then made available, ideally by automatic update. That’s what Windows does, and what Apple does. It isn’t always as fast as it should be, but at least once the fix exists it’s available almost instantly.

Here’s how it works with Android.

  1. A researcher discovers a vulnerability.
  2. Google says “la la la can’t hear you” for a year or so.
  3. After lots of media coverage Google says it’ll fix the hole.
  4. Google creates a fix and promises to bring it to the Nexus range in two or three months.
  5. Google gives the fix to manufacturers who say they’ll roll it out at some point, maybe, when they get round to it.
  6. The manufacturers get round to it and submit their version to the phone networks, who say they’ll totally bring it out at some point, oh yes siree!
  7. The vulnerability that the fix will eventually fix evolves so that the fix doesn’t fix it any more.
  8. Google says “la la la can’t hear you”.

Read the whole story at: The Times of India

Apple closes QuickTime vulnerabilities on Windows

Apple has released a security update for its QuickTime media framework for Windows. Version 7.7.4 of the software closes 12 critical security holes causing memory corruption and buffer overflows when processing a number of media formats. The vulnerabilities affect Windows 7, Vista and XP SP2 or later and could be exploited to cause arbitrary code execution and application crashes.

The vulnerabilities affected the playback of MP3, H.263, H.264, TeXML, JPEG, QTIF, Sorenson Video and FPX files as well as the handling of dref, enof and mvhd atoms within the program. All of the problems were reported by researchers working with HP’s Zero Day Initiative, five of them by Tom Gallagher and Paul Bates from Microsoft.

At the time of writing, Apple is not yet listing details about the fixed bugs on its security web site, but has announced that it will do so soon. The 40MB update for the free product can be downloaded from Apple’s Support Downloads web site.

via h-online

New Adobe Vulnerabilities Being Exploited in the Wild

Adobe posted a vulnerability report warning that vulnerabilities in Adobe Reader and Acrobat XI (11.0.01) and earlier versions are being exploited in the wild. Adobe is currently investigating this issue.

According to the FireEye blog posted earlier today, the malicious file arrives as a PDF file. Upon successful exploitation of the vulnerabilities, two malicious DLL files are dropped.

Symantec detects the malicious PDF file as Trojan.Pidief and the two dropped DLL files as Trojan Horse.

We are currently investigating the possibility of further protections for these vulnerabilities and will provide an update to this blog when possible.

A subsequent advisory posted by Adobe indicates the following versions of Adobe Reader and Acrobat are vulnerable:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

Internet Explorer security hole: Use other browser

TheTelegraph: Internet Explorer users might want to consider upgrading or switching to another browser after a massive security hole was discovered in Windows’ native web browser.

According to security firm Rapid7, Internet Explorer 7, 8 and 9 running on Windows XP, Vista and 7 contain what is known as a “zero day exploit”, which allows attackers to gain access to your personal data while you browse.

Rapid7 said the exploit would give cyber criminals “the same privileges as the current user”.

It claimed that 41 per cent of US and 32 per cent of global Internet Explorer users could be affected.

Microsoft confirmed that it was aware of the targeted attacks “potentially affecting some versions of Internet Explorer”.

Yunsun Wee, Director of Microsoft Trustworthy Computing, told Fairfax that Internet Explorer 10 is not affected by the issue.

“We recommend customers deploy Microsoft’s Enhanced Mitigation Experience Toolkit 3.0, which provides effective protections without affecting the web browsing experience,” he said. “We will continue to investigate this issue and take further actions as appropriate.”

Adobe fixes ColdFusion security vulnerability

h-Online: On the same day as Microsoft’s September Patch Tuesday, Adobe released an update for ColdFusion to close a security hole in its rapid web application development software. The hotfix for ColdFusion addresses a vulnerability (CVE-2012-2048), which the company rates as important, that could be exploited by a remote attacker to cause a denial-of-service (DoS) condition.

According to Adobe, the unspecified error affects versions 8.0, 8.0.1, 9.0 to 9.0.2, and 10 of ColdFusion for Windows, Mac OS X and UNIX. Installing the provided hotfix corrects the problem; download links and installation instructions for each affected version are provided on the APSB12-21 technote page. All users are advised to download and apply the hotfix. Adobe credits UK developer David Boyer for finding and reporting the problem.

Oracle rushes out patch for critical 0-day Java exploit

TheRegister: In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits.

“Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” Eric Maurice, the company’s director of software security assurance, said in a blog post published on Thursday.

Maurice said that the vulnerabilities patched only affect Java running in browsers, and not standalone desktop Java applications or Java running on servers. According to Oracle’s official advisory on the flaws:

These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password. To be successfully exploited, an unsuspecting user running an affected release in a browser will need to visit a malicious web page that leverages this vulnerability. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system.

That certainly matches the description of the vulnerabilities first spotted on a rogue website by security firm FireEye on Sunday. Exploits for the flaws have since been incorporated into the notorious Blackhole malware toolkit and the Metasploit penetration testing tool.

On Wednesday, Adam Gowdiak of Polish startup Security Explorations revealed that his company had disclosed details of the vulnerabilities in question – along with 29 others – to Oracle in April of this year, but that the database giant still had not fixed the flaws as of its June Critical Patch Update (CPU).

Oracle told Security Explorations that it had developed fixes for most of the other vulnerabilities it had submitted and that they would be ready for the next Java CPU. Unfortunately, however, that patch kit wasn’t scheduled to be released until October 16.

Now, in an apparent capitulation to growing public concern over the exploits, Oracle has issued a rare out-of-band update for Java 7 that it says should ameliorate the threat.

According to Maurice, Java users who run Windows can use the Java Automatic Update feature to get the latest, patched version, which is officially dubbed Java SE 7 Update 7. Users on other platforms can visit the official Java website to download and install it.

Java zero day vulnerability actively used in targeted attacks

ZDNet: Security researchers from FireEye, AlienVault, and DeependResearch have intercepted targeted malware attacks utilizing the latest Java zero day exploit. The vulnerability affects Java 7 (1.7) Update 0 to 6. It does not affect Java 6 and below.

Based on related reports, researchers were able to reproduce the exploit on Windows 7 SP1 with Java 7 Update 6. There’s also a Metasploit module available.

Upon successful exploitation, the campaign drops MD5: 4a55bf1448262bf71707eef7fc168f7d – detected by 28 out of 42 antivirus scanners as Gen:Trojan.Heur.FU.bqW@a4uT4@bb; Backdoor:Win32/Poison.E

Users are advised to consider browsing the Web and interacting with email in an isolated environment, or to block Java in their Web browsers, until Oracle ships a patch for the security flaw.

Although this is a clear case of an ongoing attack using a zero day flaw, cybercriminals mostly do not rely on zero days to infect as many users as possible. Instead, they stick to outdated, already patched vulnerabilities, because end users and corporate users alike are not patching their third-party software and browser plugins.

Not so secure: Text messaging on iPhone can be hacked

FirstPost: A hacker Friday revealed a security flaw that he claimed could make Apple’s iPhone particularly vulnerable to text message spoofing.

The flaw has existed since the iPhone first launched in 2007 and is still present in the beta of iOS 6, the next operating system for the iPhone, the hacker known as “Pod2g” said in a blog post, Xinhua reported.

Under the protocols governing the exchange of SMS (Short Message Service) text between mobile phones, the sender of a message can set a reply-to phone number, carried in an optional header of the message separately from the originating number, that differs from the number the message actually came from, Pod2g explained.

In a good implementation, the receiver of the message would see both the original phone number and the reply-to one.

But on the iPhone, the message appears to come from the reply-to number, while the originating number of the sender is hidden.
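As an added illustration (not from Pod2g’s post, and not Apple or carrier code), the following Python builds an SMS-DELIVER PDU whose User Data Header carries a Reply Address Element (information element 0x22 in 3GPP TS 23.040), parses it back, and contrasts a renderer that shows only the reply address with one that shows both numbers. The SMSC, phone numbers (UK 07700 900xxx fiction range), timestamp and message text are all constructed; the user data is 8-bit (DCS 0x04) rather than GSM 7-bit so the example stays focused on the address fields.

```python
"""Constructed example: SMS-DELIVER PDU with a UDH Reply Address Element
(IEI 0x22, 3GPP TS 23.040). Not Apple's code; all numbers are fictional."""

IEI_REPLY_ADDRESS = 0x22   # UDH information element: Reply Address Element
TOA_INTERNATIONAL = 0x91   # Type-of-Address: international number, ISDN plan
DCS_8BIT = 0x04            # Data coding scheme: 8-bit data, no septet packing
# Constructed TP-SCTS (service centre timestamp): 2012-08-17 15:30:00 +00:00
SCTS = bytes.fromhex("21807151030000")


def encode_address(number):
    """Address-Length (digit count), Type-of-Address, swapped-nibble BCD digits."""
    digits = number.lstrip("+")
    padded = digits + ("F" if len(digits) % 2 else "")
    bcd = bytes(int(padded[i + 1] + padded[i], 16) for i in range(0, len(padded), 2))
    return bytes([len(digits), TOA_INTERNATIONAL]) + bcd


def decode_address(buf, pos):
    """Decode an address field at buf[pos]; return (number, position after it)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in buf[pos + 2:pos + 2 + nbytes])
    prefix = "+" if toa == TOA_INTERNATIONAL else ""
    return prefix + digits[:ndigits], pos + 2 + nbytes


def build_sms_deliver(smsc, originating, text, reply_to=None):
    """Return the hex PDU a handset receives; a UDH is added only when reply_to is set."""
    udh = b""
    if reply_to:
        ied = encode_address(reply_to)
        ie = bytes([IEI_REPLY_ADDRESS, len(ied)]) + ied
        udh = bytes([len(ie)]) + ie                 # UDHL, then the elements
    first_octet = 0x04 | (0x40 if udh else 0)       # SMS-DELIVER, TP-MMS, TP-UDHI if header
    smsc_addr = encode_address(smsc)
    smsc_field = bytes([len(smsc_addr) - 1]) + smsc_addr[1:]  # SMSC length counts octets
    user_data = udh + text.encode("ascii")
    pdu = (smsc_field + bytes([first_octet]) + encode_address(originating)
           + bytes([0x00, DCS_8BIT]) + SCTS + bytes([len(user_data)]) + user_data)
    return pdu.hex().upper()


def parse_sms_deliver(hex_pdu):
    """Extract the originating address, the UDH reply address (if any) and the text."""
    buf = bytes.fromhex(hex_pdu)
    pos = 1 + buf[0]                                # skip the SMSC field
    first = buf[pos]
    pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    originating, pos = decode_address(buf, pos)
    dcs = buf[pos + 1]                              # TP-PID, TP-DCS
    pos += 2
    pos += 7                                        # TP-SCTS, not needed here
    udl = buf[pos]
    pos += 1
    ud = buf[pos:pos + udl]
    if dcs != DCS_8BIT:
        raise ValueError("example handles 8-bit user data only")
    reply_to, body_start = None, 0
    if first & 0x40:                                # TP-UDHI: user data starts with a header
        body_start = 1 + ud[0]
        i = 1
        while i < body_start:
            iei, iedl = ud[i], ud[i + 1]
            if iei == IEI_REPLY_ADDRESS:
                reply_to, _ = decode_address(ud, i + 2)
            i += 2 + iedl
    return {"originating": originating, "reply_to": reply_to,
            "text": ud[body_start:].decode("ascii")}


def render_like_iphone(msg):
    """The behaviour described above: the reply address is shown as the sender."""
    return f"From: {msg['reply_to'] or msg['originating']}\n{msg['text']}"


def render_safely(msg):
    """Good implementation: always show the originating number, flag a differing reply-to."""
    header = f"From: {msg['originating']}"
    if msg["reply_to"] and msg["reply_to"] != msg["originating"]:
        header += f" (replies go to {msg['reply_to']})"
    return header + "\n" + msg["text"]


if __name__ == "__main__":
    pdu = build_sms_deliver("+447700900000", "+447700900123",
                            "Your card is blocked. Call this number now.",
                            reply_to="+447700900999")
    msg = parse_sms_deliver(pdu)
    print(render_like_iphone(msg))
    print("---")
    print(render_safely(msg))
```

The spoofed number lives entirely inside the user data header that the sender controls, which is why nothing on the network path stops it: the originating address is the only field the operator vouches for, and a handset that hides it in favour of the reply address gives the recipient no way to notice the mismatch.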

The loophole means that someone could send iPhone users messages that appear to come from their bank or another trusted source, asking for private information or luring them to a website built to harvest it.

Pod2g called the security flaw “severe” and urged Apple to fix it before the final release of the iOS 6 software.

“Now you are alerted. Never trust any SMS you received on your iPhone at first sight,” Pod2g wrote in the blog post.

Apple Inc could not be reached for comments.


PostgreSQL patches XML flaws

PostgreSQL_Logoh-online: A flaw in the built-in XML functionality of PostgreSQL (CVE-2012-3488) and another in its optional XSLT handling (CVE-2012-3489) have been patched, and the developers have released updated versions of the open source database with relevant fixes. The holes being patched are related to insecure use of the widely used libxml2 and libxslt open source libraries and the PostgreSQL developers advise anyone using those libraries to check their systems for similar problems.

Both problems in PostgreSQL allow authenticated users of the database to read arbitrary files on the system, and the XSLT flaw allows writing of files. Details are limited, but the release notes for 9.1.5 note how xml_parse() and xslt_process() could be used to access information about files or parts of those files.

To fix the problem, the PostgreSQL developers have released versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20 and urge users to “update their installations at the first available opportunity”. The updates do break some backward compatibility though: users who rely on the built-in XML functionality to validate external DTDs will have to implement a workaround and users who use xslt_process() to fetch documents from external URLs will no longer be able to do so. The developers say they regret having to disable this functionality, but have to do so “to maintain our security standards”.

They also note that these fixes are “substantially similar” to issues in WebKit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5 (CVE-2012-0057). Developers who use libxml2 and libxslt should probably take note of this and check to see if they are exposed to any issues through their use of the libraries.
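To make the bug class concrete, here is an added example (constructed; it uses Python’s xml.sax on top of expat rather than libxml2, and is not PostgreSQL’s code): a parser that fetches external entities on behalf of whoever supplied the document hands a local file back to them, shown beside a configuration that never fetches anything and rejects DTDs outright, the same trade-off PostgreSQL made when it stopped resolving external DTDs and URLs. The secret file and the attacker document are created in a temporary directory purely for the demonstration.

```python
"""Constructed example of the external-entity file read behind CVE-2012-3488,
reproduced with Python's xml.sax (expat), not libxml2 or PostgreSQL code."""

import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class RejectDoctype:
    """Lexical handler that refuses any DTD, so no entity can be declared at all."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE is not allowed in untrusted XML")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_text(xml_bytes, resolve_external_entities, reject_doctype):
    """Return the concatenated character data of the document."""
    parser = xml.sax.make_parser()
    # feature_external_ges decides whether SYSTEM entities are fetched and inlined
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def vulnerable_parse(xml_bytes):
    """Pre-fix behaviour: entity references are resolved, local files included."""
    return parse_text(xml_bytes, resolve_external_entities=True, reject_doctype=False)


def hardened_parse(xml_bytes):
    """Fixed behaviour: never fetch external entities, and reject DTDs outright."""
    return parse_text(xml_bytes, resolve_external_entities=False, reject_doctype=True)


def demo():
    """Return (what the vulnerable parser leaked, whether the hardened one refused)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("TOP-SECRET")
        # Constructed attacker document: an external general entity naming the file
        doc = (f'<!DOCTYPE x [<!ENTITY file SYSTEM "{secret_path}">]>'
               f'<x>&file;</x>').encode()
        leaked = vulnerable_parse(doc)
        try:
            hardened_parse(doc)
            refused = False
        except ValueError:
            refused = True
    return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser refused the document:", refused)
    print("benign document still parses:", hardened_parse(b"<x>hello</x>"))
```

The check this suggests for any libxml2 or libxslt caller is the same: find every place the parser is fed data a database user or web client controls, and confirm that entity and DTD resolution (and, for XSLT, document() and similar URL-fetching functions) are disabled there, not merely unused by your own stylesheets.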

The update to PostgreSQL also includes several fixes for version 9.1 of the open source database and a number of fixes for older versions. These include corrections to time zone data, documentation corrections, Python/Unicode fixes, a correction to log rotation and reduced data loss during replication failover, among others. As the update is a minor update, users need only shut down the database, install the new binaries and restart.

LibreOffice vulnerable to multiple buffer overflows

h-online: Three weeks after releasing LibreOffice 3.5.5, The Document Foundation has confirmed that security holes in earlier versions of the open source LibreOffice productivity suite can be exploited by attackers to compromise a victim’s system. According to the project’s security advisory, these include multiple heap-based buffer overflow vulnerabilities in the XML manifest encryption tag parsing code.

Successful exploitation of the vulnerabilities could lead to the execution of arbitrary code on a system with the privileges of a local user. For an attack to be successful, a victim must first open a specially crafted Open Document Format (ODF) file. Versions up to and including LibreOffice 3.5.4 are affected; upgrading to version 3.5.5 or later fixes these problems. All users are advised to upgrade.

The developers note that the 3.6.0 release of LibreOffice also closes these holes. However, at the time of writing, this version has yet to be released; only the fourth release candidate is available.