Gotham Security Daily Threat Alerts

April 15, Softpedia – (International) Expert finds SQL injection, RCE vulnerabilities in Flickr Photo Books. A security researcher identified and reported a SQL injection vulnerability and a remote code execution vulnerability in Flickr’s Photo Books Web site that could allow an attacker to gain access to Flickr’s databases. Yahoo closed the vulnerabilities after a second report by the researcher. Source: http://news.softpedia.com/news/Expert-Finds-SQL-Injection-RCE-Vulnerabilities-in-Flickr-Photo-Books-Video-437724.shtml

April 15, Help Net Security – (International) Hardware manufacturer LaCie suffered year-long data breach. Computer storage manufacturer LaCie stated that the FBI informed the company of a data breach where malware was used to gain access to customer transactions carried out on the company’s Web site. LaCie temporarily disabled the e-commerce portion of its Web site and will be resetting users’ passwords in response. Source: http://www.net-security.org/secworld.php?id=16693

April 15, Help Net Security – (International) Heartbleed: VMware starts delivering patches. VMware announced that it began issuing patches for its products affected by the Heartbleed OpenSSL vulnerability, with patches for all affected products expected by April 19. Source: http://www.net-security.org/secworld.php?id=16692

April 14, Softpedia – (International) Flash SMS flaw in iOS can be exploited to make the lock screen unresponsive. A security researcher identified a Flash SMS flaw in iOS that can be used to make a device’s lock screen unresponsive, which could be used for ransom attacks. The flaw was fixed with the release of iOS 7.1 but devices running previous versions of the mobile operating system are vulnerable. Source: http://news.softpedia.com/news/Flash-SMS-Flaw-in-iOS-Can-Be-Exploited-to-Make-the-Lock-Screen-Unresponsive-437566.shtml

Gotham Security Daily Threat Alerts

April 14, IDG News Service – (International) Akamai admits issuing faulty OpenSSL patch, reissues keys. Akamai Technologies stated April 13 that a patch issued by the company designed to protect its customers from the Heartbleed vulnerability contained a fault, making it ineffective. The company then began reissuing all Secure Sockets Layer (SSL) certificates and security keys for affected sites. Source

April 14, Help Net Security – (International) Jetpack pushes update to close critical security hole. The creators of the Jetpack plugin for WordPress published an update for the popular plugin that closes a vulnerability discovered during a security audit that could allow an attacker to bypass a site’s access controls. Source

April 12, Softpedia – (International) Google rewards experts for XXE vulnerability in Toolbar Button Gallery. Google awarded two Detectify researchers $10,000 after they identified and reported an XML External Entity (XXE) vulnerability in the Google Toolbar Button Gallery that could have allowed an attacker to gain access to data on the company’s production servers. The vulnerability was closed soon after being reported. Source

April 12, Softpedia – (International) Nine people accused of stealing millions of dollars with Zeus malware. The U.S. Department of Justice unsealed an indictment against nine individuals for allegedly being involved in a criminal organization that used the Zeus banking trojan to steal millions of dollars. The alleged scheme used Zeus to steal account information and then transfer stolen money to accounts belonging to ‘mules’ who withdrew and transferred the money. Source

Gotham Security Daily Threat Alerts

April 11, SC Magazine – (International) Cyber attacks are targeting Heartbleed flaw, says US CERT. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning April 10 stating that attackers have begun exploiting the Heartbleed vulnerability in OpenSSL and advised affected entities to report any incidents involving the vulnerability. Source: http://www.scmagazineuk.com/cyber-attacks-are-targeting-heartbleed-flaw-says-us-cert/article/342274/

April 11, Softpedia – (International) Expert shows that hackers can abuse Chrome speech recognition API flaw. A security researcher identified a vulnerability in an older version of Chrome’s speech recognition API that could be leveraged to obtain the transcript generated by the browser. The API was introduced in Chrome 11 but may still be used by some Web sites. Source: http://news.softpedia.com/news/Expert-Shows-That-Hackers-Can-Abuse-Chrome-Speech-Recognition-API-Flaw-437237.shtml

April 11, Threatpost – (International) BlackBerry, Cisco products vulnerable to OpenSSL bug. BlackBerry reported that several of its software products are vulnerable to the Heartbleed OpenSSL vulnerability, though its phones were unaffected. Cisco also reported that many of its products, including video communications and phone systems, were also vulnerable. Source: http://threatpost.com/blackberry-cisco-products-vulnerable-to-openssl-bug/105406

April 10, Seattle Times – (Washington) Audit: State sold computers with Social Security numbers, tax info still on them. Washington officials quarantined computers, stopped sales, and established new guidelines after an audit released April 10 determined several State agencies likely gave away or sold roughly 1,800 computers out of 20,000 over the last 2 years containing confidential information, including Social Security numbers, medical records, and tax reforms. The auditors noted about 9 percent of all computers given away or sold held confidential information. Source: http://blogs.seattletimes.com/today/2014/04/audit-state-sold-computers-with-social-security-numbers-tax-info-still-on-them/

Gotham Security Daily Threat Alerts

April 9, Softpedia – (International) Companies advise users to change passwords due to possible Heartbleed attacks. Several private companies and government organizations advised users to change their passwords in the wake of the Heartbleed vulnerability in OpenSSL that could expose usernames, passwords, and other secure communications. Security researchers also began posting analyses of the vulnerability as organizations worked to close the vulnerability on their systems. Source: http://news.softpedia.com/news/Companies-Advise-Users-to-Change-Passwords-Due-to-Possible-Heartbleed-Attacks-436704.shtml

April 9, Softpedia – (International) Four vulnerabilities fixed with the release of Adobe Flash Player 13.0.0.182. Adobe issued an update for its Flash Player, closing four security issues. Source: http://news.softpedia.com/news/Four-Vulnerabilities-Fixed-With-the-Release-of-Adobe-Flash-Player-13-0-0-182-436600.shtml

April 9, Softpedia – (International) WordPress 3.8.2 addresses 2 vulnerabilities, includes 3 security hardening changes. A new version of WordPress was released for download containing fixes for two security vulnerabilities and three changes that enhance security. Source: http://news.softpedia.com/news/WordPress-3-8-2-Addresses-2-Vulnerabilities-Includes-3-Security-Hardening-Changes-436613.shtml

April 8, Threatpost – (International) Last call for XP, Office 2003 updates: April Patch Tuesday fixes 11 vulnerabilities. Microsoft released its monthly Patch Tuesday round of updates April 8, including the final updates for Windows XP and Office 2003, with 4 bulletins closing 11 vulnerabilities. Source: http://threatpost.com/last-call-for-xp-office-2003-updates-april-patch-tuesday-fixes-11-vulnerabilities/105329

April 8, IDG News Service – (International) Cybercriminals use sophisticated PowerShell-based malware. Researchers at Symantec identified a new malicious PowerShell script that contains several ways to hide itself and can inject malicious code into rundll32.exe. The finding follows the discovery of another malicious PowerShell script by Trend Micro researchers known as CRIGENT or Power Worm during March. Source: http://www.networkworld.com/news/2014/040814-cybercriminals-use-sophisticated-powershell-based-280521.html

April 8, Threatpost – (International) Google patches 31 flaws in Chrome. Google released a new version of its Chrome browser, closing 31 vulnerabilities, 19 of which were rated as high priority. Source: http://threatpost.com/google-patches-31-flaws-in-chrome/105326

April 8, Softpedia – (International) 2013 threat report: 8 mega data breaches, 552 million identities exposed. Symantec published its Internet Security Threat Report for 2013, showing a 62 percent increase in data breaches from organizations during the year, with 552 million identities exposed, among other findings. Source: http://news.softpedia.com/news/2013-Threat-Report-8-Mega-Data-Breaches-552-Million-Identities-Exposed-436508.shtml

April 8, IDG News Service – (International) Yahoo email anti-spoofing policy breaks mailing lists. Security researchers reported encountering an issue with mailing lists after Yahoo introduced a new Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy to prevent email spoofing. Source: http://www.networkworld.com/news/2014/040914-yahoo-email-anti-spoofing-policy-breaks-280500.html

April 10, Softpedia – (International) Deltek suffers data breach, hackers gain access to credit card information. Deltek reported that attackers breached the company’s GovWin IQ Web site, exposing personal and financial details of around 80,000 employees of federal contractors and about 25,000 payment card details belonging to customers of the site’s eCommerce platform. The breach was first discovered March 13 but occurred sometime between July 3, 2013 and November 2, 2013. Source: http://news.softpedia.com/news/Deltek-Suffers-Data-Breach-Hackers-Gain-Access-to-Credit-Card-Information-436861.shtml

April 10, The Register – (International) Not just websites hit by OpenSSL’s Heartbleed – your PC, phone and more may be in peril. A researcher from the SANS Institute reported in a presentation that the Heartbleed vulnerability in OpenSSL could also affect devices and applications on the client side as well as the server side, potentially allowing attackers to obtain passwords and cryptographic keys from PCs, phones, routers, and other devices. Source: http://www.theregister.co.uk/2014/04/10/many_clientside_vulns_in_heartbleed_says_sans/

April 10, Softpedia – (International) SQL injection vulnerability fixed in Orbit Open Ad Server. High-Tech Bridge researchers identified and reported a SQL injection vulnerability in the popular open-source ads server Orbit Open Ad Server that could have allowed attackers to compromise Web sites running vulnerable installations. OrbitScripts fixed the vulnerability after being notified by the researchers. Source: http://news.softpedia.com/news/SQL-Injection-Vulnerability-Fixed-in-Orbit-Open-Ad-Server-436925.shtml

April 9, Threatpost – (International) BlackBerry patches remote code execution vulnerability. BlackBerry released an update April 9 which closes a remote code execution vulnerability in BlackBerry 10 that could be exploited in a limited number of scenarios. Source: http://threatpost.com/blackberry-patches-remote-code-execution-vulnerability/105373

April 9, The Register – (International) Uh oh! Here comes the first bug in the Windows 8.1 Update. Microsoft suspended distribution of the Windows 8.1 Update for April after some enterprise customers using Windows Server Update Services (WSUS) 3.0 Service Pack 2 reported that the update prevented machines’ abilities to receive future updates. Source: http://www.theregister.co.uk/2014/04/09/windows_81_update_bug/

VMware Published Applications

On April 9, VMware announced Horizon 6, which includes multiple feature updates to the Horizon suite. The biggest item to note is the release of Horizon View 6, which will now offer published applications accessible via PCoIP.

As noted in the announcement, VMware is going right at Citrix, specifically with the various issues involved with upgrading Citrix XenApp 6.5 to 7.5. Citrix XenApp 7.5 requires a completely new build in parallel to the existing Citrix XenApp 6.5 environment. As of now there is no upgrade path. VMware is seizing this opportunity with the release of Horizon View 6, and their timing is on point.

There has been chatter of VMware offering a published application feature for many years now. VMware’s only play in the past was Horizon View, which was specific to VDI, which not all customers required. VDI in general is much more pricey from a CAPEX standpoint than hosted shared desktops/applications (i.e., XenApp). Obviously this was always used against VMware simply from a cost standpoint.

Will this mean all Citrix XenApp customers will now jump ship to VMware Horizon View? No; however, it does provide an alternative. Citrix XenApp is a very mature product, but with the release of XenApp 7.5, Citrix is now using the FlexCast Management Architecture (FMA), which is completely new to XenApp (initially released May of 2013 as XenDesktop App Edition). Take a look at the blog I wrote last month about some of the shortcomings with XenApp 7.5.

There will be much more information related to Horizon View 6 once it is released, and of course tested. Right now it is just VMware telling us how good the product will be. Just like any other new product I am sure there will be bugs, etc. Stay tuned for future blogs on Horizon View 6.

OpenSSL Vulnerability – Heartbleed Bug

The OpenSSL organization posted Vulnerability Note VU#720951 on April 7, 2014 titled OpenSSL Heartbeat Information Disclosure. This vulnerability is commonly referred to as “heartbleed” and can disclose sensitive information to attackers.

The following is an excerpt of the vulnerability note – please click the link above for additional information, including vendors who may be affected by this vulnerability.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality (RFC 6520, https://tools.ietf.org/html/rfc6520). This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Please see the Heartbleed website for more details. Exploit code for this vulnerability is publicly available. Any service that supports STARTTLS (IMAP, SMTP, HTTP, POP) may also be affected.

Impact

By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.
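The description above comes down to one missing length check in the heartbeat handler. The following is an added example, not code from the vulnerability note or from OpenSSL itself: a minimal parser for an RFC 6520 HeartbeatMessage that performs the check, written so the relationship between the advertised payload_length and the bytes actually received is explicit. The record layout (type, two-byte payload_length, payload, at least 16 bytes of padding) is from RFC 6520; the function names and the sample records are constructed for the example.

```c
/*
 * Added example, not code from the page or from OpenSSL: a minimal parser
 * for an RFC 6520 HeartbeatMessage that performs the length check whose
 * absence was the Heartbleed defect. Record layout per RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

enum hb_status { HB_ERR_SHORT = -1, HB_ERR_TYPE = -2, HB_ERR_LENGTH = -3, HB_ERR_SPACE = -4 };

/*
 * Validate one received heartbeat record and build the response into out.
 * Returns the response length on success or a negative hb_status; a
 * rejected record produces no response at all, matching the "silently
 * discard" behaviour of the 1.0.1g fix.
 */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    /* Header plus minimum padding must be present before reading anything. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return HB_ERR_SHORT;
    if (rec[0] != HB_REQUEST)
        return HB_ERR_TYPE;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /*
     * The bounds check: the advertised payload, plus header and minimum
     * padding, must fit inside the bytes actually received. Vulnerable
     * builds trusted payload_len and copied that many bytes out of the
     * record buffer, so a short record with a large payload_len echoed
     * back up to 64 KiB of whatever heap memory followed it.
     */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return HB_ERR_LENGTH;

    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return HB_ERR_SPACE;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* echo exactly the bytes the peer sent */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING);  /* padding (random in a real implementation) */
    return (int)resp_len;
}

/* Constructed sample: a well-formed 23-byte request carrying the payload "ping". */
int demo_valid_request(void)
{
    uint8_t rec[1 + 2 + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[sizeof rec];
    int n = build_heartbeat_response(rec, sizeof rec, out, sizeof out);
    if (n != (int)sizeof rec || out[0] != HB_RESPONSE || memcmp(out + 3, "ping", 4) != 0)
        return -1;
    return n;
}

/* Constructed sample: the same 23 bytes on the wire, but advertising a 65535-byte payload. */
int demo_oversized_length(void)
{
    uint8_t rec[1 + 2 + 4 + HB_MIN_PADDING] = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    uint8_t out[sizeof rec];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("valid request    -> %d bytes echoed\n", demo_valid_request());
    printf("oversized length -> status %d (rejected, nothing echoed)\n", demo_oversized_length());
    return 0;
}
```

The second sample is the shape of record the note describes: a few bytes of real payload with a payload_length field claiming 64k. With the check in place it is discarded; without it, memcpy would have copied 65535 bytes starting at the record, which is the "private memory ... in chunks of 64k" the note refers to.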

Solution

Apply an update

This issue is addressed in OpenSSL 1.0.1g.

Please contact your software vendor to check for availability of updates. Any system that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items.

Reports indicate that the use of mod_spdy can prevent the updated OpenSSL library from being utilized, as mod_spdy uses its own copy of OpenSSL. Please see https://code.google.com/p/mod-spdy/issues/detail?id=85 for more detail.

Disable OpenSSL heartbeat support

This issue can be addressed by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx, would need to be restarted for the changes to take effect.

Use Perfect Forward Secrecy (PFS)

PFS can help minimize the damage in the case of a secret key leak by making it more difficult to decrypt already-captured network traffic. However, if a ticket key is leaked, then any sessions that use that ticket could be compromised. Ticket keys may only be regenerated when a web server is restarted.

Gotham Security Daily Threat Alerts

April 5, Softpedia – (International) DDoS attack enabled by persistent XSS vulnerability on top video content provider’s site. Incapsula reported that they mitigated an application layer distributed denial of service (DDoS) attack against a client which utilized a cross-site scripting (XSS) vulnerability in a popular video content provider’s Web site. Malicious JavaScript code was injected into a tag associated with users’ profiles, which executed whenever a legitimate user accessed the page. Source: http://news.softpedia.com/news/DDOS-Attack-Enabled-by-Persistent-XSS-Vulnerability-on-Top-Video-Content-Provider-s-Site-436029.shtml

April 4, Softpedia – (International) Upatre downloader distributed via banking-themed spam campaign. Researchers at Trend Micro detected a spam campaign using banking-themed emails to distribute the Upatre downloader, which in a sample downloaded the Zeus trojan and the Necurs security-disabling malware. Source: http://news.softpedia.com/news/Upatre-Downloader-Distributed-via-Banking-Themed-Spam-Campaign-435975.shtml

April 4, The Register – (International) Five-year-old discovers Xbox password bug, hacks dad’s Live account. A San Diego boy identified and reported a vulnerability in Microsoft’s Xbox Live service that can allow access to a user’s account by repeatedly entering ‘space’ characters and then hitting ‘submit’ when prompted for a password. Microsoft closed the vulnerability after it was reported. Source: http://www.theregister.co.uk/2014/04/04/five_year_olds_xbox_live_password_hack/

April 4, Softpedia – (International) 85% of links spotted in cyberattacks in 2013 led to compromised legitimate sites. Websense Security Labs released their 2014 Threat Report, detailing threats and trends during the past year. The report found that 85 percent of malicious links in email and Web attacks were directed at legitimate sites that were compromised by attackers, among other findings. Source: http://news.softpedia.com/news/85-of-Links-Spotted-in-Cyberattacks-in-2013-Led-to-Compromised-Legitimate-Sites-435939.shtml

April 7, OpenSSL Security Advisory – TLS heartbeat read overrun (CVE-2014-0160)

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Source: http://www.kb.cert.org/vuls/id/720951
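The advisory, together with the "Apply an update" section above, gives the exact affected range: 1.0.1 through 1.0.1f and 1.0.2-beta1, with the fix in 1.0.1g and 1.0.2-beta2. The following is an added example, not code from the advisory or from OpenSSL: a small classifier that takes the text `openssl version` prints (for example "OpenSSL 1.0.1f 6 Jan 2014") and returns where it falls in that range, useful when working through an inventory of hosts. The function and enum names, and the inventory lines in main, are constructed for the example.

```c
/*
 * Added example, not code from the page or from OpenSSL: classify the text
 * printed by `openssl version` against the affected range given in the
 * advisory. 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and
 * 1.0.2-beta2 carry the fix; other branches (0.9.8, 1.0.0) never shipped
 * the heartbeat bug.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum hb_verdict { HB_UNKNOWN = -1, HB_NOT_AFFECTED = 0, HB_AFFECTED = 1, HB_FIXED = 2 };

/* Parse "[OpenSSL ]MAJOR.MINOR.FIX[letter][-betaN][...]" and classify it. */
enum hb_verdict heartbleed_verdict(const char *version_line)
{
    const char *p = version_line;
    int major, minor, fix, consumed;
    char letter = 0;            /* 0 means no patch letter present */
    int beta = 0;               /* 0 means no -betaN tag present */

    if (strncmp(p, "OpenSSL ", 8) == 0)
        p += 8;
    if (sscanf(p, "%d.%d.%d%n", &major, &minor, &fix, &consumed) != 3)
        return HB_UNKNOWN;
    p += consumed;

    if (islower((unsigned char)*p))
        letter = *p++;                          /* patch letter, e.g. the 'f' in 1.0.1f */
    if (strncmp(p, "-beta", 5) == 0 && sscanf(p + 5, "%d", &beta) != 1)
        return HB_UNKNOWN;
    /* Anything else that follows (build date, "-fips", distro suffix) is ignored. */

    if (major != 1 || minor != 0)
        return HB_NOT_AFFECTED;                 /* 0.9.8 and later 1.1.x never had the bug */
    if (fix == 0)
        return HB_NOT_AFFECTED;                 /* 1.0.0 branch */
    if (fix == 1)
        return (letter == 0 || letter <= 'f') ? HB_AFFECTED : HB_FIXED;
    if (fix == 2)
        return (beta == 1) ? HB_AFFECTED : HB_FIXED; /* beta2 onward carries the fix */
    return HB_UNKNOWN;                          /* no such 1.0.x release existed */
}

int main(void)
{
    /* Constructed inventory lines in the format `openssl version` prints. */
    const char *inventory[] = {
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
    };
    static const char *names[] = { "unknown", "not affected", "AFFECTED", "fixed" };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        enum hb_verdict v = heartbleed_verdict(inventory[i]);
        printf("%-34s %s\n", inventory[i], names[v + 1]);
    }
    return 0;
}
```

Two caveats the page itself raises apply to any verdict this produces. Vendors frequently backport security fixes without changing the upstream version letter, so an "AFFECTED" result on a vendor-packaged 1.0.1e means "check the vendor's advisory", which is why the note says to contact your software vendor. And, as the mod_spdy item shows, software that bundles its own OpenSSL copy is not covered by the system binary's version string at all.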
