Posts tagged ‘chrome’

SANS Internet Storm Center, InfoCON: yellow: Reverse Heartbleed Testing, (Sun, Apr 13th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: yellow and was written by: SANS Internet Storm Center, InfoCON: yellow. Original post: at SANS Internet Storm Center, InfoCON: yellow

I wanted to know if the tools/software I execute regularly are vulnerable to scraping my system memory. Now the reverse Heartbleed scenario is very possible, but the likelihood seems to be much more of a non-issue.

Seeing is still believing in my book. So I set out to see what the interweb world was doing to test this out. There are some very reputable services/organizations out there offering up a fresh URL to the reverse Heartbleed and others offering to 'test' a given URL. These are a black box. Trust is hard to earn at times, especially when you are dealing with an exploit like this one. I wanted to see source code, or at least pseudocode, so I could craft my own. I found a script out there called Pacemaker [1] that was written and provided by Peter Wu. I liked it because it was transparent, simple, and it can be used exclusively under my control (the ultimate first step of developing trust).

It is so simple that I was able to review it for harm and function, and cut and paste it into vi. Escape, write, quit, and I was off and running. Basically it works like a simple web server, very simple. The script is executed and listens on port 4433. You point your client software at it with a localhost URL and the server script reports on STDOUT what it finds.

I did not have any vulnerable client software readily available to give a whirl, but I did try all my curl and wget installs that I use regularly. I also hit it with Chrome and Safari to see the error messages.

Here is what I tested with it.

wget 1.11.4:

Connection from: 10.0.0.11:60401
Unable to check for vulnerability: SSL 2.0 clients cannot be tested

curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5:

Connection from: 10.0.0.11:60418
Got Alert, level=Fatal, description=40
Not vulnerable! (Heartbeats disabled or not OpenSSL)

curl 7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5:

Connection from: 127.0.0.1:59451
Possibly not vulnerable

Chrome 34.0.1847.116:

Connection from: 127.0.0.1:59490
Got Alert, level=Fatal, description=47
Not vulnerable! (Heartbeats disabled or not OpenSSL)

I am interested in seeing more output from known vulnerable client software.  Feel free to give this a ride and share your results.  If I get a chance to spin out a new VM with some vulnerable OpenSSL on it today, then I will share my experiences too.
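
As an added example (not code from the diary or from Pacemaker), here is the length check that separates a vulnerable heartbeat implementation from a fixed one: a parser that discards any heartbeat record whose claimed payload_length does not fit inside the record, and a responder that therefore can only echo bytes it actually received. The well-formed request and the malformed one (of the kind a test server like Pacemaker sends) are constructed inline.

```python
import struct

# Constants from RFC 6520 (TLS/DTLS Heartbeat Extension)
TLS_HEARTBEAT = 24        # ContentType for heartbeat records
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16          # a HeartbeatMessage carries at least 16 bytes of padding


class HeartbeatError(ValueError):
    """Raised for any heartbeat record that must be discarded."""


def parse_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record carrying a HeartbeatMessage, enforcing the RFC 6520
    rule that vulnerable OpenSSL skipped: the claimed payload_length (plus the
    3-byte message header and the minimum padding) must fit inside the record."""
    if len(record) < 5:
        raise HeartbeatError("truncated record header")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        raise HeartbeatError(f"not a heartbeat record (content type {content_type})")
    body = record[5:5 + length]
    if len(body) != length:
        raise HeartbeatError("record body shorter than its declared length")
    if length < 1 + 2 + MIN_PADDING:
        raise HeartbeatError("heartbeat body too short to hold header and padding")
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise HeartbeatError(f"unknown heartbeat type {hb_type}")
    # The Heartbleed check: payload_length is attacker-controlled, so it is
    # validated against the length of the record that actually arrived.
    if 1 + 2 + payload_length + MIN_PADDING > length:
        raise HeartbeatError(
            f"payload_length {payload_length} does not fit in a {length}-byte record; discard")
    return {"type": hb_type, "version": version, "payload": body[3:3 + payload_length]}


def is_well_formed_heartbeat(record: bytes) -> bool:
    """True if the record passes every check above, False if it would be discarded."""
    try:
        parse_heartbeat_record(record)
        return True
    except HeartbeatError:
        return False


def make_heartbeat_record(hb_type: int, version: int, payload: bytes) -> bytes:
    """Build a correctly sized heartbeat record (payload_length matches the payload)."""
    body = struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


def build_heartbeat_response(request_record: bytes) -> bytes:
    """Answer a request by echoing only the bytes that were actually received.
    Because the request is validated first, the echo can never over-read memory."""
    msg = parse_heartbeat_record(request_record)
    if msg["type"] != HEARTBEAT_REQUEST:
        raise HeartbeatError("only heartbeat requests are answered")
    return make_heartbeat_record(HEARTBEAT_RESPONSE, msg["version"], msg["payload"])


# Constructed sample records (TLS 1.1 version bytes 0x0302).
GOOD_REQUEST = make_heartbeat_record(HEARTBEAT_REQUEST, 0x0302, b"abc")
# Constructed malformed request: the header claims 0x4000 payload bytes, but only
# three follow. A fixed implementation discards it; a vulnerable one echoes memory.
MALFORMED_REQUEST = (struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, 3 + 3 + MIN_PADDING)
                     + struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000) + b"abc"
                     + b"\x00" * MIN_PADDING)

if __name__ == "__main__":
    print("well-formed request accepted:", is_well_formed_heartbeat(GOOD_REQUEST))
    print("malformed request accepted:", is_well_formed_heartbeat(MALFORMED_REQUEST))
```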

 

[1]   https://github.com/Lekensteyn/pacemaker


-Kevin

ISC Handler on Duty

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Adobe, Microsoft Push Critical Fixes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft each issued updates to fix critical security vulnerabilities in their software today. Adobe patched its Flash Player software and Adobe AIR. Microsoft issued four updates to address at least 11 unique security flaws, including its final batch of fixes for Office 2003 and for systems powered by Windows XP.

Two of the four patches that Microsoft issued come with Redmond’s “critical” rating (its most severe), meaning attackers or malware can exploit the flaws to break into vulnerable systems without any help from users. One of the critical patches is a cumulative update for Internet Explorer (MS14-018); the other addresses serious issues with Microsoft Word and Office Web Apps (MS14-017), including a fix for a zero-day vulnerability that is already being actively exploited. More information on these and other patches is available here.

As expected, Microsoft also used today’s patch release to pitch XP users on upgrading to a newer version of Windows, warning that attackers will begin to zero in on XP users even more now that Microsoft will no longer be issuing security updates for the 13-year-old operating system. From Microsoft’s Technet blog:

“From the year that Windows XP was built, cyber attacks have increased in sophistication. Systems receiving regular updates get the protections they need based on the latest cyber threats. But at some point an older model of any product will lack the capability to keep up and becomes antiquated. Obsolescence for Windows XP is just around the corner.

Cybercriminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues. Over time, attackers will evolve their malicious software, malicious websites, and phishing attacks to take advantage of any newly discovered vulnerabilities in Windows XP, which post April 8th, will no longer be fixed.”

Microsoft offers a free Windows XP data transfer tool to ease the hassle of upgrading to a newer version of Windows. I would submit that if your PC runs XP and came with XP installed, it might be time to upgrade the computer hardware itself in addition to the software. In any case, running XP beyond this month is not the greatest idea, and it’s time for XP users to consider other options. Don’t forget that there are many flavors of Linux that will run quite happily on older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of the dozens of flavors of Linux available via Live CD.

ADOBE

Adobe fixed at least four vulnerabilities in Flash, all of them critical. The company says it is not aware of any exploits in the wild against the flaws. The latest version is v. 13.0.0.182 for Windows, Mac and Linux systems. The Adobe advisory for the Flash update is here.

This link will tell you which version of Flash your browser has installed. IE10/IE11 for Windows 8.0/8.1 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 34.0.1847.116 for Windows, Mac, and Linux (to learn what version of Chrome you have, click the stacked bars to the right of the address bar, and select “About Google Chrome” from the drop-down menu).

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox or Opera, for example).

If you use Adobe AIR (required by some desktop software products, such as Pandora), you’ll need to make sure that’s updated as well. AIR usually does a good job of checking for new versions on startup. If you’re not sure whether you have AIR installed or what version it’s at, see these directions. The latest version is 13.0.0.83, and is available for manual download here.


Linux How-Tos and Linux Tutorials: Replace the Retiring Windows XP with Linux

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Carla Schroder. Original post: at Linux How-Tos and Linux Tutorials

Windows XP is officially retired as of April 8, 2014. Microsoft has tried to retire XP several times before, but due to enterprise customer demand had to continue supporting it. But this time they really really mean it, for reals.

If you’re using Windows XP, it won’t stop working. All this means is you won’t get security patches or technical support anymore. So what should you do? You can continue using it, as you always have. Or, you can upgrade to Windows 8.1, the newest Windows, or Windows 7. Or switch to Linux. Let’s look at the pros and cons of upgrading to a newer Windows.


Windows 8.1 has a completely re-designed interface that looks a lot like an over-excited automated teller machine. It adds support for touchscreens, and is supposed to be less obese and peppier than 7. Windows 7 does not support touchscreens, and doesn’t look much different from XP. If you buy a new computer that comes with 8.1 and decide you don’t like it, you can “downgrade” to Windows 7. Downgrading is a huge hassle that requires having the proper “license rights”, the purchase of Windows 7 Professional at $139 for the OEM version, or $209 for the full retail version, phoning home to Microsoft for permission to do what you want with your own computer, and then installing it. The OEM version comes with no technical support; otherwise it’s pretty much the same as the full retail version. Microsoft considers this a temporary downgrade, until you come to your senses and learn to love 8.1.

Another option is to purchase Windows 8.1 or 7 and install it on your XP computer. If your XP machine is more than six years old, chances are it won’t support the newer Windows releases, because they need considerably more power and storage. Your favorite XP applications may or may not work on the newer Windowses, if you even still have the original installation media, and peripherals such as scanners and printers may not be supported. So the most likely scenario is buying a whole new computer, and possibly new applications and peripherals. You can still get Win 7 PCs, though that option is slowly evaporating.

Try Linux

Any option other than keeping your existing Windows XP system is going to cost money, hassles, or both. So why not give Linux a try? It is a mature, rock-solid professional computing platform you can rely on. You can download it for free, copy it to a USB stick or DVD, and try it without installing it to your hard drive. If there is enough room on your hard drive, you can install Linux alongside XP and choose the one you want to run at boot. If your XP computer is powerful enough and you have your original installation media, you can run XP inside a virtual machine on Linux. Yes, you can have it all.

Let’s run through the pros and cons of switching to Linux. First the good parts:

  • Immune to Windows malware, and you don’t need anti-malware software
  • Offers both free of cost and supported options
  • Runs great on older, less-powerful hardware
  • No insane license restrictions
  • No artificially crippled versions to justify multiple price points
  • No phoning home to the mothership for permission to use your own computer the way you want to
  • Flexible and configurable
  • Easy one-click software installation and removal, from secure sources
  • Great hardware support, without having to hunt down drivers
  • A giant world of great software for free, and lots of great commercial software
  • Maintained by an open, global community of first-rate developers and contributors
  • All Linux software is available on the Internet, so you never lose it.

There are also some downsides you must take into account. Your Windows applications won’t run on Linux, unless they also have Linux versions. For example, Web browsers such as Firefox, Opera, and Chrome run on Windows and Linux. Productivity apps like Moneydance (personal finance), LibreOffice (office suite), Thunderbird (email) and a lot of games run on Windows and Linux. Windows apps like Outlook, Internet Explorer and MS Office do not run on Linux. So you’ll need to make an inventory of the apps you need and see if they have Linux versions, or if there is an equivalent you can use. I’ll be surprised if you can’t find equivalent or better alternatives.

You can make Linux look like Windows. You’re still going to have to learn some new ways of doing things, but as it’s all just pointy-clicky it’s no big deal. Windows 7 is different from XP, and Windows 8.1 is radically different, so any change means you’ll have to learn some new things.

Buying a Linux Computer

Installing Linux is pretty easy, but if you’d rather buy a good computer with Linux already installed there are a lot of great independent Linux computer vendors. They are skilled specialists, and you’ll get good hardware and great service. The typical low-budget Windows PC is specced to the micro-penny, and built with the cheapest possible components. Linux shops like System76 and ZaReason engineer their computers with reliable, good-quality components, and they stand behind their products.

Which Linux?

Another Linux advantage is hundreds of variants called distributions, or distros for short. Every one is tailored a little bit differently. Ubuntu Linux is very popular, and offers both free-of-cost downloads, and commercial support options. Linux Mint is a popular Ubuntu variant. openSUSE and Fedora Linux are great distros for advanced users who like to stay on top of new technologies. Mageia Linux is a wonderful desktop Linux for beginners to advanced users. Please visit the Resources section (below) for pointers to all kinds of helpful information.

The Myth That Must Die

I am not a Windows fan. I’ve worked exclusively in Linux since the early 2000s, except for occasional forays into Windows to keep up with new developments. I’ve written books, hundreds of how-to articles, done Web development, and all of my multimedia production on Linux. You’d think the richest software company on the planet would be able to make a bulletproof, secure, easy-to-use operating system. They have failed at this, and are still failing. One of my biggest peeves is that Microsoft’s marketing created the false illusion that personal computers are easy to use, and require no special training. This is not true. It has never been true. A personal computer is an extremely complex and sophisticated power tool. Just owning a computer does not magically bestow all manner of skills on you. It does not make you into an accountant, publisher, artist, musician, big data analyst, security expert, writer, scientist, or anything at all. Except perhaps befuddled a lot. Windows is not easy. Linux is many times easier to operate and maintain, and many times less restrictive.

You Might Want Android

If all you really need is a nice little portable device for Web surfing, social media, email, reading books, listening to music, playing games, and watching movies then get an Android tablet. Android is a Linux variant, but stripped-down and simplified. You literally poke it with a finger to operate it. ZaReason has a really nice 9.7″ tablet, the ZaTab, that is completely open, and not locked down like so many Android devices. Android is also coming to laptops and desktops, so keep an eye on the market to watch for something that might work for you.

The bottom line is that any change away from Windows XP is going to involve expense and a learning curve, so why not consider leaving Windows-land, and investing your time and money in the solid, reliable Linux world?

Resources

Weekend Project: Linux For Beginners
Ubuntu Unleashed is the best Linux book for beginners
Ubuntu Linux
Linux Mint
Mageia Linux
Fedora Linux
openSUSE
Cynthia Harvey has a large and excellent body of articles on Linux and open source replacements for Windows applications.

lcamtuf's blog: Messing around with <a download>

This post was syndicated from: lcamtuf's blog and was written by: Michal Zalewski. Original post: at lcamtuf's blog

Not long ago, the HTML5 specification extended the semantics of <a href=…> links by adding the download attribute. In a nutshell, the markup lets you specify that an outgoing link should always be treated as a download, even if the hosting site does not serve the file with Content-Disposition: attachment:

<a href="http://i.imgur.com/b7sajuK.jpg" download>What a cute kitty!</a>

I am unconvinced that this feature scratches any real itch for HTTP links, but it’s already supported in Firefox, Chrome, and Opera.

Of course, there are some kinks: in absence of the Content-Disposition header, the browser needs to figure out the correct file name for the download. In practice, this is always done based on the path seen in the URL. That’s not great, because a good majority of web frameworks will tolerate trailing garbage in the path segment; indeed, so does imgur.com. Let’s try it out:

<a href="http://i.imgur.com/b7sajuK.jpg/KittyViewer.exe" download>What a cute kitty!</a>

But we shouldn’t dwell on this, because the download syntax makes it easy for the originating page to simply override that logic and pick any file name and extension it likes:

<a href="http://i.imgur.com/b7sajuK.jpg" download="KittyViewer.exe">What a cute kitty!</a>

That’s odd – and keep in mind that the image we are seeing is at least partly user-controlled. A location like this can be found on any major destination on the Internet: if not an image, you can always find a JSON API or a HTML page that echoes something back.

It also helps to remember that it’s usually pretty trivial to build files that are semantically valid to more than one parser, and have a different meaning to each one of them. Let’s put it all together for a trivial PoC:

<a href="http://api.bing.com/qsonhs.aspx?q=%22%26notepad%26"
  download="AltavistaToolbar.bat">Download Bing toolbar from bing.com</a>

That’s pretty creepy: if you download the file on Windows and click “open”, the payload will execute and invoke notepad.exe. Still, is it a security bug? Well… the answer to that is not very clear.

For one, there is a temptation to trust the tooltip you see when you hover over a download link. But if you do that, you are in serious trouble, even in absence of that whole download bit: JavaScript code can intercept the onclick event and take you somewhere else. Luckily, most browsers provide you with a real security indicator later on: the download UI in Internet Explorer, Firefox, and Safari prominently shows the origin from which the document is being retrieved. And that’s where the problem becomes fairly evident: bing.com never really meant to serve you with an attacker-controlled AltavistaToolbar.bat, but the browser says otherwise.

The story gets even more complicated when you consider that some browsers don’t show the origin of the download in the UI at all; this is the case for Chrome and Opera. In such a design, you simply have to put all your faith in the origin from which you initiated the download. In principle, it’s not a completely unreasonable notion, although I am not sure it aligns with user expectations particularly well. Sadly, there are other idiosyncrasies of the browser environment that mean the download you are seeing on a trusted page might have been initiated from another, unrelated document. Oops.

So, yes, browsers are messy. Over the past few years, I have repeatedly argued against <a download> on the standards mailing lists (most recently in 2013), simply because I think that nothing good comes out of suddenly taking the control over how documents are interpreted by the browser away from the hosting site. I don’t think that my arguments were particularly persuasive, in part because nobody seemed to have a clear vision for the overall trust model around downloads on the Web.

PS. Interestingly, Firefox decided against the added exposure and implemented the semantics in a constrained way: the download attribute is honored only if the final download location is same-origin with the referring URL.
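
As an added example (not code from the post), here is a small audit of a page's <a download> links using only Python's standard library. It applies the two policies the post contrasts: the permissive one, where the attribute is always honored, and the same-origin rule the PS attributes to Firefox, and flags cross-origin forced downloads that carry an executable name. The example.test page origin, the risky-extension list and the policy names are assumptions of the example; the sample page reuses the post's imgur links and adds one same-origin link.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, unquote

# Extensions Windows will execute when the user clicks "open"; illustrative, not exhaustive.
RISKY_EXTENSIONS = {"exe", "bat", "cmd", "com", "scr", "pif", "vbs", "js", "hta", "msi"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """(scheme, host, port) as used for a same-origin comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def filename_from_url(url: str) -> str:
    """The name a browser derives from the URL path when no Content-Disposition is
    sent: the last path segment, which is why trailing garbage in the path matters."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    return unquote(segments[-1]) if segments else ""


def evaluate_download_link(page_url: str, href: str, download_attr, policy: str) -> dict:
    """Decide what an <a download> link does under one of two policies:
    'permissive'  - the attribute is always honored (Chrome/Opera, per the post)
    'same-origin' - honored only when the target is same-origin (Firefox, per the PS)
    download_attr is None when absent and "" for a bare `download` attribute."""
    target = urljoin(page_url, href)
    same_origin = origin(page_url) == origin(target)
    honored = download_attr is not None and (policy == "permissive" or same_origin)
    url_name = filename_from_url(target)
    name = (download_attr or url_name) if honored else url_name
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return {
        "target": target,
        "same_origin": same_origin,
        "forced_download": honored,
        "suggested_name": name,
        # Cross-origin forced download with an executable name: the pattern the post describes.
        "risky": honored and not same_origin and ext in RISKY_EXTENSIONS,
    }


class DownloadLinkAuditor(HTMLParser):
    """Collects every <a href download> in a page and evaluates it."""

    def __init__(self, page_url: str, policy: str = "permissive"):
        super().__init__()
        self.page_url, self.policy, self.findings = page_url, policy, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        href = attrs.get("href")
        if tag != "a" or not href or "download" not in attrs:
            return
        # html.parser reports a bare `download` attribute with value None.
        download_attr = attrs["download"] if attrs["download"] is not None else ""
        self.findings.append(
            evaluate_download_link(self.page_url, href, download_attr, self.policy))


def audit_html(page_url: str, html: str, policy: str = "permissive") -> list:
    auditor = DownloadLinkAuditor(page_url, policy)
    auditor.feed(html)
    return auditor.findings


# Constructed sample page, assumed to be served from https://example.test/.
SAMPLE_PAGE = """
<a href="http://i.imgur.com/b7sajuK.jpg" download="KittyViewer.exe">What a cute kitty!</a>
<a href="http://i.imgur.com/b7sajuK.jpg/KittyViewer.exe" download>What a cute kitty!</a>
<a href="/reports/q1.pdf" download>Quarterly report</a>
"""

if __name__ == "__main__":
    for policy in ("permissive", "same-origin"):
        for finding in audit_html("https://example.test/news.html", SAMPLE_PAGE, policy):
            verdict = "forced download" if finding["forced_download"] else "plain navigation"
            print(f"{policy:>12}: {finding['suggested_name']:<16} {verdict}"
                  f"{'  RISKY' if finding['risky'] else ''}")
```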

SANS Internet Storm Center, InfoCON: green: Identification and authentication are hard … finding out intention is even harder, (Thu, Mar 13th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

While the drama about the lost airplane in Malaysia is still continuing, our hearts of course go out to the families of the missing. This ISC diary though is not about airplanes, or terrorism, it is rather about the related discovery that at least two passengers on the plane were using fake passports. Equally startling was the comment by Interpol that this is "common". What is the point of maintaining, for example, a no-fly list, if those listed on it travel with stolen documents anyway, and if the security checkpoint apparently fails to determine that a 19-year-old doesn't look like a 40-year-old, and that Italians who don't speak at least rudimentary Italian are, well, somewhat rare?

If we translate this to the virtual world, it turns into an everyday problem. How do we know that Joe using Joe's password is actually Joe, and not Jane? I probably should call them "Bob" and "Alice" to make this worthy of a scientific paper :), but the problem still stands: identification and authentication are hard, and finding out intentions is even harder. If we take from the airport physical security playbook, then it is "behavior" that makes the difference. The security checkpoint guys are (supposedly) trained to look for "clues" like nervousness, and carry-on baggage that is leaking 1,2,3-trinitroxypropane. Inevitably, there are numerous software products that claim to identify the "unusual" as well. Joe connecting from Connecticut, even though he lives in Idaho? Alert! Joe using Chrome even though he used Firefox last time? Alert! Joe typing his password faster than usual? Alert!

But as in the physical world, this kind of profiling only works well if you have a fairly homogeneous and static "good guy" population and a well-defined adversary. The real world, unfortunately, tends to be more diverse and complex than that. This is why login fraud detection, just like airport security, often drowns in false positives and, as a result, de-tunes its sensitivity to the point where real fraud has stellar odds of simply slipping by. This is a fundamental issue with many security measures; statisticians call it the "base rate fallacy". If there are many, many more good guys than bad guys, finding the bad guys with a test that has a high error rate is pretty much moot.
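
The base-rate argument above, worked through as an added example (not part of the diary) with constructed figures: the precision of a login-fraud detector when fraud is rare, the daily alert load that implies, and the false-positive rate the detector would have to reach before half of its alerts were real fraud. The prevalence, sensitivity and false-positive values are assumptions chosen for illustration.

```python
def alert_precision(prevalence: float, sensitivity: float, false_positive_rate: float) -> float:
    """P(fraud | alert) by Bayes' rule: true positives over all positives."""
    true_pos = prevalence * sensitivity
    false_pos = (1.0 - prevalence) * false_positive_rate
    total = true_pos + false_pos
    return true_pos / total if total else 0.0


def daily_alert_budget(logins_per_day: int, prevalence: float,
                       sensitivity: float, false_positive_rate: float) -> dict:
    """Expected daily outcomes for a login-fraud detector with these rates."""
    fraud = logins_per_day * prevalence
    return {
        "fraud_caught": fraud * sensitivity,
        "fraud_missed": fraud * (1.0 - sensitivity),
        "good_users_challenged": (logins_per_day - fraud) * false_positive_rate,
        "precision": alert_precision(prevalence, sensitivity, false_positive_rate),
    }


def max_false_positive_rate(prevalence: float, sensitivity: float,
                            target_precision: float) -> float:
    """False-positive rate at which P(fraud | alert) reaches target_precision,
    solved from precision = tp / (tp + fp) with fp = (1 - prevalence) * fpr."""
    true_pos = prevalence * sensitivity
    return true_pos * (1.0 - target_precision) / (target_precision * (1.0 - prevalence))


if __name__ == "__main__":
    # Constructed figures: 1 fraudulent login in 10,000; the detector catches 99 %
    # of them and wrongly challenges 1 % of legitimate logins.
    budget = daily_alert_budget(1_000_000, 1e-4, 0.99, 0.01)
    for key, value in budget.items():
        print(f"{key:>22}: {value:,.4f}")
    # The de-tuning the diary describes: how low the false-positive rate must go
    # before an analyst can expect half the alerts to be real.
    print("FPR needed for 50 % precision:", max_false_positive_rate(1e-4, 0.99, 0.5))
```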

Checking the passports against the Interpol list of stolen passports wouldn't hurt, though. Not doing this is akin to letting someone log in to an account that is suspended, or log in with a password that was valid two years ago.

Krebs on Security: Adobe, Microsoft Push Security Updates

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe and Microsoft today each released software updates to fix serious security flaws in their products. Adobe pushed an update that plugs a pair of holes in its Flash Player software. Microsoft issued five updates, including one that addresses a zero-day vulnerability in Internet Explorer that attackers have been exploiting of late.

Microsoft’s five bulletins address 23 distinct security weaknesses in Microsoft Windows, Internet Explorer and Silverlight. The Internet Explorer patch is rated critical for virtually all supported versions of IE, and plugs at least 18 security holes, including a severe weakness in IE 9 and 10 that is already being exploited in targeted attacks.

Microsoft notes that the exploits targeting the IE bug seen so far appear to perform a check for the presence of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET); according to Microsoft, the exploits fail to proceed if EMET is detected. I’ve recommended EMET on several occasions, and would encourage any Windows users who haven’t yet deployed this tool to spend a few minutes reading this post and consider taking advantage of it to further harden their systems. The latest version — 4.1 — is available at this link and requires Microsoft’s .NET Framework 4 platform. For those of you who don’t mind beta-testing software, Microsoft has released a preview version of the next generation of EMET — EMET 5.0 Technical Preview.

This month’s updates include a fix for another dangerous bug – deep within the operating system on just about every major version of Windows – that also was publicly disclosed prior to today’s patches. Microsoft’s Technet Blog has more details on these and other bulletins released today.

Readers still using Windows XP should remember that after next month, Microsoft will stop releasing security updates for that version of Windows. Microsoft recently announced that it will make available for free a Windows XP data transfer tool to ease the hassle of upgrading to a newer version of Windows. I would submit that if your PC runs XP and came with XP installed, it might be time to upgrade the computer hardware itself.

In any case, using Windows XP beyond next month is not the greatest idea, and it’s time for XP users to consider other options. Don’t forget that there are many flavors of Linux that will run quite happily on older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of dozens of flavors of Linux available via Live CD.

FLASH UPDATE

Adobe’s Flash update brings the media player to v. 12.0.0.77 on Windows and Mac OS X. This link will tell you which version of Flash your browser has installed. IE10 and Chrome should auto-update their versions of Flash. If your version of Chrome (on either Windows, Mac or Linux) is not yet updated to v. 12.0.0.77, you may just need to close and restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (Firefox or Opera, for example). Adobe does not appear to have released any updates for AIR as it often does when pushing new Flash patches.

As always, please drop a note in the comments section if you experience any issues with the updates released today.


SANS Internet Storm Center, InfoCON: green: Adobe Updates: Flash Player, (Tue, Mar 11th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe released a new version of Flash Player as part of today's Patch Tuesday. No details are available yet. We will update this diary once the details become available. Note that this will also affect browsers like Chrome that include an embedded version of Flash.

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

SANS Internet Storm Center, InfoCON: green: Apple iOS 7.1, (Mon, Mar 10th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Here is detailed information on today's Apple releases. Both iOS and Apple TV were updated.

APPLE-SA-2014-03-10-1 iOS 7.1

iOS 7.1 is now available and addresses the following:

Backup
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A maliciously crafted backup can alter the filesystem
Description:  A symbolic link in a backup would be restored, allowing
subsequent operations during the restore to write to the rest of the
filesystem. This issue was addressed by checking for symbolic links
during the restore process.
CVE-ID
CVE-2013-5133 : evad3rs

Certificate Trust Policy
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Root certificates have been updated
Description:  Several certificates were added to or removed from the
list of system roots.

Configuration Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Profile expiration dates were not honored
Description:  Expiration dates of mobile configuration profiles were
not evaluated correctly. The issue was resolved through improved
handling of configuration profiles.
CVE-ID
CVE-2014-1267

CoreCapture
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application can cause an unexpected system
termination
Description:  A reachable assertion issue existed in CoreCapture's
handling of IOKit API calls. The issue was addressed through
additional validation of input from IOKit.
CVE-ID
CVE-2014-1271 : Filippo Bigarella

Crash Reporting
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to change permissions on arbitrary
files
Description:  CrashHouseKeeping followed symbolic links while
changing permissions on files. This issue was addressed by not
following symbolic links when changing permissions on files.
CVE-ID
CVE-2014-1272 : evad3rs
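
The Backup (CVE-2013-5133) and Crash Reporting (CVE-2014-1272) entries describe the same defect class: a privileged operation that follows a symbolic link placed in its path. As an added example (not Apple's code), here is a restore routine that rejects symlink entries and refuses to write through a link already present in the destination, together with a permission change that never follows a link. It assumes a Unix host and constructs its own sample backup entries.

```python
import os
import stat
import tempfile
from pathlib import Path


class UnsafeEntry(ValueError):
    """An entry the restore must refuse."""


def safe_restore(root, entries):
    """Restore (relative_path, kind, data) entries below root; kind is 'dir',
    'file' or 'symlink'. Symlink entries, paths that leave root, and writes that
    would pass through a link already present in the destination are refused."""
    root = Path(root).resolve()
    written = []
    for rel, kind, data in entries:
        parts = Path(rel).parts
        if not parts or Path(rel).is_absolute() or ".." in parts:
            raise UnsafeEntry(f"path leaves the restore root: {rel}")
        if kind == "symlink":
            raise UnsafeEntry(f"symbolic link entry rejected: {rel}")
        current = root
        for part in parts[:-1]:            # every parent must be a real directory
            current = current / part
            if current.is_symlink():
                raise UnsafeEntry(f"refusing to traverse symlink: {current}")
            current.mkdir(exist_ok=True)
        dest = current / parts[-1]
        if dest.is_symlink():
            raise UnsafeEntry(f"destination is a symlink: {dest}")
        if kind == "dir":
            dest.mkdir(exist_ok=True)
        elif kind == "file":
            # O_NOFOLLOW closes the race between the is_symlink check and the open.
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
            with os.fdopen(os.open(dest, flags, 0o600), "wb") as fh:
                fh.write(data)
        else:
            raise UnsafeEntry(f"unknown entry kind {kind!r} for {rel}")
        written.append(dest)
    return written


def chmod_nofollow(path, mode):
    """Change permissions on the object itself, never on a symlink's target."""
    if stat.S_ISLNK(os.lstat(path).st_mode):
        raise UnsafeEntry(f"refusing to chmod through symlink: {path}")
    # Re-open with O_NOFOLLOW and chmod the descriptor, so a link swapped in after
    # the lstat above cannot redirect the change.
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        os.fchmod(fd, mode)
    finally:
        os.close(fd)


# Constructed backup contents for the demonstration.
GOOD_BACKUP = [("Documents", "dir", None), ("Documents/notes.txt", "file", b"hello")]
BAD_BACKUPS = {
    "traversal": [("../outside/pwned", "file", b"x")],
    "symlink_entry": [("Documents/link", "symlink", "/private/etc")],
    "through_planted_link": [("Library/Preferences/evil.plist", "file", b"x")],
}


def demo() -> dict:
    """Exercise the checks in a temporary tree (Unix assumed) and report outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = Path(tmp) / "restore", Path(tmp) / "outside"
        root.mkdir()
        outside.mkdir()
        # A link planted in the destination that points outside the restore root.
        (root / "Library").symlink_to(outside, target_is_directory=True)
        results["restored"] = len(safe_restore(root, GOOD_BACKUP))
        notes = root / "Documents" / "notes.txt"
        results["content"] = notes.read_bytes()
        for name, entries in BAD_BACKUPS.items():
            try:
                safe_restore(root, entries)
                results[name] = "accepted"
            except UnsafeEntry:
                results[name] = "rejected"
        results["outside_untouched"] = not any(outside.iterdir())
        chmod_nofollow(notes, 0o640)
        results["mode"] = stat.S_IMODE(notes.stat().st_mode)
        try:
            chmod_nofollow(root / "Library", 0o777)
            results["chmod_link"] = "followed"
        except UnsafeEntry:
            results["chmod_link"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```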

dyld
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Code signing requirements may be bypassed
Description:  Text relocation instructions in dynamic libraries may
be loaded by dyld without code signature validation. This issue was
addressed by ignoring text relocation instructions.
CVE-ID
CVE-2014-1273 : evad3rs

FaceTime
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
access FaceTime contacts from the lock screen
Description:  FaceTime contacts on a locked device could be exposed
by making a failed FaceTime call from the lock screen. This issue was
addressed through improved handling of FaceTime calls.
CVE-ID
CVE-2014-1274

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of JPEG2000
images in PDF files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1275 : Felix Groebert of the Google Security Team

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in libtiff's handling of TIFF
images. This issue was addressed through additional validation of
TIFF images.
CVE-ID
CVE-2012-2088

ImageIO
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted JPEG file may lead to the
disclosure of memory contents
Description:  An uninitialized memory access issue existed in
libjpeg's handling of JPEG markers, resulting in the disclosure of
memory contents. This issue was addressed through additional
validation of JPEG files.
CVE-ID
CVE-2013-6629 : Michal Zalewski

IOKit HID Event
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may monitor on user actions in other
apps
Description:  An interface in IOKit framework allowed malicious apps
to monitor on user actions in other apps. This issue was addressed
through improved access control policies in the framework.
CVE-ID
CVE-2014-1276 : Min Zheng, Hui Xue, and Dr. Tao (Lenx) Wei of FireEye

iTunes Store
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A man-in-the-middle attacker may entice a user into
downloading a malicious app via Enterprise App Download
Description:  An attacker with a privileged network position could
spoof network communications to entice a user into downloading a
malicious app. This issue was mitigated by using SSL and prompting
the user during URL redirects.
CVE-ID
CVE-2014-1277 : Stefan Esser

Kernel
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to cause an unexpected system
termination or arbitrary code execution in the kernel
Description:  An out of bounds memory access issue existed in the ARM
ptmx_get_ioctl function. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1278 : evad3rs

Office Viewer
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Opening a maliciously crafted Microsoft Word document may
lead to an unexpected application termination or arbitrary code
execution
Description:  A double free issue existed in the handling of
Microsoft Word documents. This issue was addressed through improved
memory management.
CVE-ID
CVE-2014-1252 : Felix Groebert of the Google Security Team

Photos Backend
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Deleted images may still appear in the Photos app underneath
transparent images
Description:  Deleting an image from the asset library did not delete
cached versions of the image. This issue was addressed through
improved cache management.
CVE-ID
CVE-2014-1281 : Walter Hoelblinger of Hoelblinger.com, Morgan Adams,
Tom Pennington

Profiles
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A configuration profile may be hidden from the user
Description:  A configuration profile with a long name could be
loaded onto the device but was not displayed in the profile UI. The
issue was addressed through improved handling of profile names.
CVE-ID
CVE-2014-1282 : Assaf Hefetz, Yair Amit and Adi Sharabani of Skycure

Safari
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  User credentials may be disclosed to an unexpected site via
autofill
Description:  Safari may have autofilled user names and passwords
into a subframe from a different domain than the main frame. This
issue was addressed through improved origin tracking.
CVE-ID
CVE-2013-5227 : Niklas Malmgren of Klarna AB

Settings – Accounts
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
disable Find My iPhone without entering an iCloud password
Description:  A state management issue existed in the handling of the
Find My iPhone state. This issue was addressed through improved
handling of Find My iPhone state.
CVE-ID
CVE-2014-1284

Springboard
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
see the home screen of the device even if the device has not been
activated
Description:  An unexpected application termination during activation
could cause the phone to show the home screen. The issue was
addressed through improved error handling during activation.
CVE-ID
CVE-2014-1285 : Roboboi99

SpringBoard Lock Screen
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A remote attacker may be able to cause the lock screen to
become unresponsive
Description:  A state management issue existed in the lock screen.
This issue was addressed through improved state management.
CVE-ID
CVE-2014-1286 : Bogdan Alecu of M-sec.net

TelephonyUI Framework
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A webpage could trigger a FaceTime audio call without user
interaction
Description:  Safari did not consult the user before launching
facetime-audio:// URLs. This issue was addressed with the addition of
a confirmation prompt.
CVE-ID
CVE-2013-6835 : Guillaume Ross

USB Host
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A person with physical access to the device may be able to
cause arbitrary code execution in kernel mode
Description:  A memory corruption issue existed in the handling of
USB messages. This issue was addressed through additional validation
of USB messages.
CVE-ID
CVE-2014-1287 : Andy Davis of NCC Group

Video Driver
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Playing a maliciously crafted video could lead to the device
becoming unresponsive
Description:  A null dereference issue existed in the handling of
MPEG-4 encoded files. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2014-1280 : rg0rd

WebKit
Available for:  iPhone 4 and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-2909 : Atte Kettunen of OUSPG
CVE-2013-2926 : cloudfuzzer
CVE-2013-2928 : Google Chrome Security Team
CVE-2013-5196 : Google Chrome Security Team
CVE-2013-5197 : Google Chrome Security Team
CVE-2013-5198 : Apple
CVE-2013-5199 : Apple
CVE-2013-5225 : Google Chrome Security Team
CVE-2013-5228 : Keen Team (@K33nTeam) working with HP's Zero Day
Initiative
CVE-2013-6625 : cloudfuzzer
CVE-2013-6635 : cloudfuzzer
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple
CVE-2014-1289 : Apple
CVE-2014-1290 : ant4g0nist (SegFault) working with HP's Zero Day
Initiative, Google Chrome Security Team
CVE-2014-1291 : Google Chrome Security Team
CVE-2014-1292 : Google Chrome Security Team
CVE-2014-1293 : Google Chrome Security Team
CVE-2014-1294 : Google Chrome Security Team

Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: SeriesGuide Turns Chrome Browser Into a TV Torrent TiVo

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

It’s no secret that many people catch up with their favorite TV-shows via BitTorrent. Popular shows such as Game of Thrones and The Walking Dead are downloaded millions of times by people from all over the world.

While downloading and/or sharing copyrighted material is against the law in many countries, there are plenty of tools around to help people’s TV-torrenting habits. The new Chrome extension ‘SeriesGuide’ falls into this category.

SeriesGuide keeps track of people’s favorite TV-shows, which are then displayed in a calendar format, so users know when to tune in. In addition, it offers Pirate Bay download links for each episode, ranked by the number of seeders and leechers.

SeriesGuide Overview

TF caught up with SeriesGuide’s developer who goes by the nickname SchizoDuckie. The developer says he coded the extension to fix a recurring problem he faced.

“I’m developing this mostly because it’s a solution to a problem I have myself. I’m following loads of series that air at separate intervals and you keep having to take the same steps manually: Figure out when something has aired, wait for a download to appear, go to The Pirate Bay, search for a torrent, sort it by most seeds, weed out the crap, and download.”

While he has a Netflix account, SchizoDuckie says most TV-shows take weeks or months to become available in Europe where he’s located.

“We don’t even have the final half of Breaking Bad yet. So then you resort back to piracy,” he says, adding that many other people are probably facing a similar problem.

Right now SeriesGuide is in beta stage, but SchizoDuckie says that many more features will be added in the near future. This will include automatic notifications when new episodes are released, automatic downloads, plus support for seedboxes and remote downloading.

SeriesGuide Downloads

SeriesGuide is free of charge and available in the Chrome Store. It currently comes in two flavors: one that opens the extension in the same tab, and one that launches it in a separate tab.

There’s very little doubt that the TV companies won’t be amused by SeriesGuide. However, SchizoDuckie believes that the extension is perfectly legal and there’s no lawsuit on the horizon.

“I’m not really worried. First off, I’m in Europe, I don’t have to worry about gazillions of dollars of lawyer fees if I cough in the wrong direction. Secondly, I’m not distributing anything illegal, I’m merely connecting pieces of data that are freely available on the web and presenting them in another interface,” he says.

“This is exactly what Google and The Pirate Bay does too, and this is exactly what a human does if he operates this same procedure manually. If there’s a law against that somehow, then I don’t want to live on this planet anymore.”

That said, Google is known to boot torrent related extensions from the Chrome Store over “piracy concerns“, so there is a chance that SeriesGuide will not be available there forever. According to SchizoDuckie, this isn’t really a major problem.

“If somehow the whole thing does get taken down, then the source code is still out there, since it’s an open source project. The genie is out of the bottle,” he concludes.

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

SANS Internet Storm Center, InfoCON: green: iOS SSL vulnerability also present in OS X, (Sun, Feb 23rd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

On Friday Apple released an update to iOS, to versions 7.0.6 and 6.16, to fix an SSL authentication flaw.  Indications are that this flaw is easily exploitable, so the update should be applied as soon as practical.  Apple has also indicated that the flaw is present in OS X as well and that a patch is "coming soon".  In the meantime, be careful where you browse with your OS X based machines.

Adam Langley at the ImperialViolet blog has created a test page to help you determine whether your browser is vulnerable to this attack.  If you can load content from the test page you are at risk; an error indicates you should be OK.

On my two OS X based machines with current versions of Firefox, Chrome and Safari, only Safari displayed the vulnerability. Both Chrome and Firefox appeared to be OK. Below is the Firefox output.

Chrome just displayed its "This webpage is not available" error.

Researchers have determined that the flaw is caused by an errant goto statement.  I realize that, although progress has been made, effective code review, code coverage, and regression-testing processes and tools continue to challenge software development, but this seems like an easy one to catch.
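The bug class described above, reduced to a constructed C illustration (added here; this is not Apple's code, and the step and function names are hypothetical): an accidentally duplicated, unconditional goto skips the signature check, and the still-zero error code is returned as "verified".

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-ins for the TLS hashing and signature-verification
 * steps (hypothetical, not Apple's code). They follow the convention the
 * bug depends on: 0 means success, non-zero is an error code.
 */
static int hash_update(const char *data)
{
    return data != NULL ? 0 : -1;
}

/* The check that actually decides whether the server's signature is genuine. */
static int raw_verify(const char *signature)
{
    return strcmp(signature, "VALID-SIGNATURE") == 0 ? 0 : -50;
}

/*
 * Vulnerable pattern. The second "goto fail;" has no if() guarding it, so
 * whenever the preceding hash_update() succeeds, err is still 0 and control
 * jumps straight to fail. raw_verify() is never reached, and the function
 * returns 0 ("signature OK") for any signature at all.
 */
int verify_signed_params_vulnerable(const char *server_params, const char *signature)
{
    int err;

    if ((err = hash_update("client-random")) != 0)
        goto fail;
    if ((err = hash_update(server_params)) != 0)
        goto fail;
        goto fail;          /* the errant, unconditional goto */
    if ((err = raw_verify(signature)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed version: identical, minus the duplicated line, so raw_verify() runs. */
int verify_signed_params_fixed(const char *server_params, const char *signature)
{
    int err;

    if ((err = hash_update("client-random")) != 0)
        goto fail;
    if ((err = hash_update(server_params)) != 0)
        goto fail;
    if ((err = raw_verify(signature)) != 0)
        goto fail;

fail:
    return err;
}

int main(void)
{
    const char *forged = "FORGED-SIGNATURE";   /* constructed sample input */

    printf("vulnerable, forged signature: %d (0 = accepted)\n",
           verify_signed_params_vulnerable("dh-params", forged));
    printf("fixed,      forged signature: %d (0 = accepted)\n",
           verify_signed_params_fixed("dh-params", forged));
    printf("fixed,      valid signature:  %d (0 = accepted)\n",
           verify_signed_params_fixed("dh-params", "VALID-SIGNATURE"));
    return 0;
}
```

Mandatory braces around every conditional body, or a compiler unreachable-code warning such as clang's -Wunreachable-code, turns this silent skip into a compile-time complaint.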


– Rick Wanner – rwanner at isc dot sans dot edu – http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)


Krebs on Security: iOS Update Quashes Dangerous SSL Bug

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Apple on Friday released a software update to fix a serious security weakness in its iOS mobile operating system that allows attackers to read and modify encrypted communications on iPhones, iPads and other iOS devices. The company says it is working to produce a patch for the same flaw in desktop and laptop computers powered by its OS X operating system.

The update — iOS 7.0.6 — addresses a glaring vulnerability in the way Apple devices handle encrypted communications. The flaw allows an attacker to intercept, read or modify encrypted email, Web browsing, Tweets and other transmitted data, provided the attacker has control over the WiFi or cellular network used by the vulnerable device.

There has been a great deal of speculation and hand-waving about whether this flaw was truly a mistake or if it was somehow introduced intentionally as a backdoor. And it’s not yet clear how long this bug has been included in Apple’s software. In any case, if you have an iPhone or iPad or other iOS device, please take a moment to apply this fix.

Generally, I advise users to avoid downloading and installing security updates when they are using public WiFi or other untrusted networks. On the surface at least, it would seem that the irony of this situation for most users is that iOS devices will download updates automatically as long as users are connected to a WiFi network. But as several folks have already pointed out on Twitter, Apple uses code-signing on iOS and app updates to ensure that rogue code can’t be pushed to devices.

I will update this post when Apple ships the patch for OS X systems. For now, it may be wise to avoid using Safari on OS X systems. As Dan Goodin at Ars Technica writes, “because the Google Chrome and Mozilla Firefox browsers appear to be unaffected by the flaw, people should also consider using those browsers when possible, although they shouldn’t be considered a panacea.”

For a deeper dive on this vulnerability and its implications, check out this piece by Larry Seltzer at ZDNet, and this analysis by Google’s Adam Langley.

Update: Apple has fixed this and a number of other important issues with OS X, in this release.

Krebs on Security: Adobe, Microsoft Push Fixes For 0-Day Threats

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

For the second time this month, Adobe has issued an emergency software update to fix a critical security flaw in its Flash Player software that attackers are already exploiting. Separately, Microsoft released a stopgap fix to address a critical bug in Internet Explorer versions 9 and 10 that is actively being exploited in the wild.

The vulnerabilities in both Flash and IE are critical, meaning users could get hacked just by visiting a compromised or booby-trapped Web site. The Flash patch comes just a little over two weeks after Adobe released a rush fix for another zero-day attack against Flash.

Adobe said in an advisory today that it is aware of an exploit that exists for one of three security holes that the company is plugging with this new release, which brings Flash Player to v. 12.0.0.70 for Linux, Mac and Windows systems.

This link will tell you which version of Flash your browser has installed. IE10/IE11 and Chrome should auto-update their versions of Flash, although IE users may need to check with the Windows Update feature built into the operating system.

If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is v. 33.0.1750.117 for Windows, Mac, and Linux. To learn what version of Chrome you have, click the stacked bars to the right of the address bar, and select “About Google Chrome” from the drop down menu (the option to apply any pending updates should appear here as well).

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox, Opera).


As I noted in my Tools for a Safer PC primer, blocking Javascript by default in your Web browser is the best way to block browser-based attacks — including these Flash zero-day flaws. Several Mac users have written in recently to ask about the whereabouts of a Tools for a Safer Mac post, and while that’s a good idea (and a post that may soon be coming), script-blocking via extensions/add-ons like NoScript and NotScripts is an approach that works across multiple OSes.

Another great cross-platform approach to blocking Flash (and Java) content by default is Click-to-Play, a feature built into Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari) that blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside of them. Check out this post for more details on deploying Click-to-Play.

MICROSOFT FIX-IT TOOL

Microsoft has released a security advisory and a FixIt shim tool for a previously unknown zero-day vulnerability in Internet Explorer versions 9 and 10. Microsoft says it is aware of “limited, targeted attacks” that attempt to exploit a vulnerability in Internet Explorer 10. Only Internet Explorer 9 and Internet Explorer 10 are affected by this vulnerability. Other supported versions of Internet Explorer are not affected.

Microsoft says it is working on an official patch, but that in the meantime IE users should consider taking advantage of a new FixIt solution. According to Microsoft, applying the Microsoft Fix it solution here prevents the exploitation of this issue.

Microsoft warns that IE users should make sure they have the latest version of IE before applying this FixIt solution (that means a visit to Windows Update). Also, the company says that after you install this Fix it solution, you may experience increased memory usage when you use Internet Explorer to browse the web. This behavior apparently occurs until you restart Internet Explorer.

Errata Security: FirstLook.org fails at security so far

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The new venture from Glenn Greenwald and Pierre Omidyar, “FirstLook.org“, has launched with their first news articles. It has technical flaws in its security.

To start with, the website violates your privacy and tracks your behavior — even when you have DoNotTrack set in your web browser. This is sort of an unforgivable lapse for a website set up to report on the violation of privacy by the NSA. In my browser, they send the cookie contents of “initial_referrer: http://t.co/241PQdNjwr“, which tracks the fact that I came to their website by following a link from this tweet by Pierre Omidyar. (If you haven’t yet gone to their site, please click on the link above so that they’ll track you coming from this blogpost — for the lulz).

Some are praising them for being the first news site based on SSL, meaning that whatever you do on their site is safe from the prying eyes of the NSA. This praise is undeserved, as the SSL is not quite working yet.

The most noticeable flaw is that when you visit the homepage you get a warning: “this page contains other resources that are not secure”. Sometimes this warning means you can be hacked. In other cases it doesn’t. Here it looks relatively safe, as it’s just the video downloaded from the Vimeo player. But no matter how safe, it’s breaking the promise of an encrypted connection, and teaches users to ignore crypto warnings.

The Qualys “ssllabs.com” site has a great tool for assessing a site’s SSL security. The results for FirstLook.org are a failing grade, at least in light of the adversary (the NSA). The site supports TLS_RSA_EXPORT_WITH_RC4_40_MD5, meaning the NSA can downgrade the connection into something they can crack. The site fails to support forward secrecy for many browsers, meaning the NSA can either get a court order demanding encryption keys, or crack eavesdropped data over many years. They don’t support SNI for some browsers, meaning that some browsers will get nasty warning messages about the domain name being wrong.

The site has scalability problems. People are already reporting getting 503 error codes and the site has only been live for a few hours. One problem may be that they use Apache, which is well-known to be hard to scale (competing software like lighttpd and nginx are easier to scale). The Chrome “audit” tool also gives a poor grade, showing that many resources on the site are not cached, and thus must be re-requested. These scalability issues aren’t necessarily an SSL concern, but they exacerbate problems with SSL.

I don’t know if the site is just “security washing” (just giving the appearance of security) or is really committed to the idea. Assuming they are committed, and that these are transient problems, I would hope that they document their efforts. Security is a tradeoff — there are good reasons why competing media sites don’t go to this level of effort. A commitment to SSL means a guy in Yemen can’t access the website, both because of his export-controlled 40-bit browser and his satellite connection causing SSL problems. A commitment to “do not track” disrupts how the business earns money and prevents some otherwise cool features you’d get with tracking the reader. Documenting all these issues, both the good and bad, would be a great boon to security for everyone.

For your reading pleasure, here is the full HTTP request headers from one of my queries. As you can see, DNT:1 is enabled, and the cookie is tracking me nonetheless:
GET /assets/javascripts/underscore-min.js HTTP/1.1
Host: firstlook.org
Connection: keep-alive
Cache-Control: no-cache
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36
DNT: 1
Referer: https://firstlook.org/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: mp_ce2f59c033d995c677576fc3e9758d98_mixpanel=%7B%22distinct_id%22%3A%20%221441a8fb2157f0-0eb4ceedf-404c0028-3e8000-1441a8fb216a3e%22%2C%22%24initial_referrer%22%3A%20%22http%3A%2F%2Ft.co%2F241PQdNjwr%22%2C%22%24initial_referring_domain%22%3A%20%22t.co%22%7D; __utma=238902935.1222969571.1392015029.1392015029.1392015029.1; __utmc=238902935; __utmz=238902935.1392015029.1.1.utmcsr=t.co|utmccn=(referral)|utmcmd=referral|utmcct=/241PQdNjwr; _ga=GA1.2.1222969571.1392015029

SANS Internet Storm Center, InfoCON: green: Adobe Flash Player Emergency Patch, (Tue, Feb 4th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe today released an emergency patch for a vulnerability that is currently actively exploited. The patch addresses CVE-2014-0497. [1]

The update affects Windows, OS X and Linux. For Windows/OS X, the current version is now 12.0.0.44 and for Linux 11.2.202.336. Google Chrome users need to update Google Chrome to fix the included version of Flash, as do users of Internet Explorer 10 and 11. [2]

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
[2] http://technet.microsoft.com/en-us/security/advisory/2755801

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Krebs on Security: Adobe Pushes Fix for Flash Zero-Day Attack

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe Systems Inc. is urging users of its Flash Player software to upgrade to a newer version released today. The company warns that an exploit targeting a previously unknown and critical Flash security vulnerability exists in the wild, and that this flaw allows attackers to take complete control over affected systems.

The latest versions that include the fix for this flaw (CVE-2014-0497) are listed by operating system in the chart below.

[Chart: Flash Player versions including the fix, by operating system]

The Flash update brings the media player to version 12.0.0.44 for a majority of users on Windows and Mac OS X. This link will tell you which version of Flash your browser has installed. IE10/IE11 and Chrome should auto-update their versions of Flash to v. 12.0.0.44. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser. The version of Chrome that includes this fix is 32.0.1700.107 for Windows, Mac, and Linux (to learn what version of Chrome you have, click the stacked bars to the right of the address bar, and select “About Google Chrome” from the drop down menu).

The most recent versions of Flash are available from the Adobe download center, but beware potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox, Opera).

Adobe did not include many details in its advisory about the nature of the attack that prompted this update, other than to credit two researchers from Kaspersky Lab for reporting the vulnerability. As such, this flaw may be related to this Feb. 3 blog post by Kaspersky, which references Adobe Flash in the context of a long-running cyber espionage campaign that Kaspersky has dubbed “The Mask”; the security firm says it plans to release more details about this campaign at its analyst summit next week.

TorrentFreak: BitTorrent Sync Used to Create Decentralized Web Browser

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The Pirate Bay is one of the most censored file-sharing websites around, with blockades in place across dozens of Internet service providers around the world.

With that in mind it will come as no surprise that one of the biggest torrent-related stories of recent times was the news that The Pirate Bay team is working on a new system, one designed to cut through Internet censorship.

While the debut of that software is a while off, others have been working on similar projects with the same goal in mind. Harvard research fellow Jack Minardi has been building a censorship-busting web browser, one that’s running BitTorrent under the hood.

Called SyncNet, Minardi’s tool is built on BitTorrent Sync, the powerful Dropbox-like software launched last year by BitTorrent Inc. While in its basic form Sync is generally used for syncing files and folders between machines, friends and co-workers, in its SyncNet application it is used to store and distribute HTML, images and other web content.

“To add your own content to SyncNet you just need to add a directory of HTML files to BitTorrent Sync,” Minardi explains.

By self-publishing websites locally, everyone with access to a machine through BitTorrent Sync/SyncNet can view it peer-to-peer without the need to access a traditional server-based website. Any changes to the website are automatically pushed to users and since BitTorrent Sync has a feature to grant users read-only access, there’s no risk of unauthorized modification of content.

The decision to use BitTorrent Sync under the SyncNet hood is both brilliant and at the same time incredibly obvious when one considers the former’s distribution skills.

Further playing to BitTorrent Sync’s strengths, the idea is that future updates will allow SyncNet to browse regular websites and store them locally, ready to be synced between other users of SyncNet. In theory only one user in the sharing network will need access to ‘outside’ websites in order to view them and in common with regular BitTorrent, transfer speeds will increase as the sharing network grows.

While SyncNet is a very exciting proposition, it is still under development and comes with certain limitations. Firstly, it currently works only with static content.

“This means no social networks or other dynamic content,” Minardi explains. “However many sites today do not need to be dynamic and would benefit from converting to only static resources. Most blogs or news sites could be served with SyncNet with little to no modifications.”

Another difficulty arises when a website’s content changes. Currently SyncNet has to pull down fresh files for an entire site, not just for a single modified page. However, Minardi notes that selective syncing should be possible since BitTorrent Sync already has that capability.

Perhaps the largest issue to overcome is that of domain resolution, but Minardi says that will be tackled by the use of Colored Coins, a new mechanism built on top of the Bitcoin protocol.

“Colored Coins essentially allow you to color a certain coin and mark that it represents ownership of something else. In SyncNet a colored coin will represent ownership of a domain name. Anyone with access to the Bitcoin blockchain (which is public data) will be able to see who owns a domain name and what secret it resolves to,” Minardi explains.

For those who like to get their hands dirty with experimental tools, the SyncNet GitHub project page can be found here, with further reading here. Those looking for a simpler route will have to wait for the Chrome and Firefox plugins currently under consideration.


The Hacker Factor Blog: Resistance is Futile

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I feel dirty. I even confessed to my friends during lunch this week about my transgression. I have sinned. I must repent.

This week, I installed a Windows computer in my office.

I gave up on Windows back in 2009. After 19 years of fighting with desktop and stability issues, I completely stopped using Windows. For the last five years I have been 100% Linux and Mac. There are still Microsoft programs that I need, but I can run real Microsoft Word and PowerPoint on my Mac. OpenOffice has become better over the years, but it is still far behind Word on functionality and features. (In contrast, the open-source PowerPoint clone called “Impress” seems to have taken some serious steps backwards.)

However, one of my clients allowed me to see how they were using some web software that I created for them. It works great on Firefox and Chrome and Safari and Opera and iPhones and Androids… but did not function correctly under Internet Explorer. This means that I need a real version of IE to debug the problem, and that means running Windows.

Standing Room Only

I recently rearranged my office. I turned part of my bookshelf into a stand-up workstation with a 13-inch high monitor. I jokingly call it my “Borg Alcove” (even though Star Trek fans will say that I’m facing the wrong direction when I stand at it). Since it’s a new workstation area, I installed a new computer. And since the new computer came with Windows8 installed, that’s what I’m using.

Wow. Having come from the Linux and Mac and Android world, Windows8 really sucks. Over the last five years I have barely seen any version of Windows. I didn’t care when Windows8 was released and I paid little mind to the reviews about this version of the Microsoft operating system. This is literally my first close inspection of the latest-greatest operating system that Microsoft has to offer. And I am thoroughly underwhelmed.

The Good

I believe that I went in with an open mind. Microsoft has had 3 major releases since I paid attention to them. I completely ignored Microsoft Vista, 7, and 8. Microsoft has had a lot of time to improve the system. I actually expected this to be a fun experience.

Let me start with the positives.

#1: It hasn’t crashed. No hangs, no spontaneous reboots, no problems. It just works. Granted, I haven’t installed much onto the base system, but this is already a notable difference compared to XP and Win2000. With the previous versions, I would have rebooted the computer a dozen times by now and it would have crashed at least once. This is a huge improvement. This is the type of stability that would have kept me using Windows if it existed five years ago.

#2: Very little bloatware. I bought the computer from Dell. I expected it to be full of sample software, links to services I don’t use, and try-before-you-buy crap. With older versions of Windows, there was so much bloat that the computer would take forever to start up, and you’d need a very powerful system just to do basic tasks since bloat was competing for resources. Removing bloatware had a serious risk of making the system unstable. But this computer? It has a few Dell apps that I removed without rebooting or crashing. Otherwise, it’s as empty as I had hoped for.

#3: Easy configuration. Starting the computer for the first time prompted me for some basic information and allowed me to skip some personal information. It had none of the mandatory strip-down cavity search that we had with some versions of Windows. I even found this to be more direct and less intrusive than configuring a new Mac. I mean, Apple is so intent on getting you onto iTunes and their cloud, that I want to hide my wallet before configuring one of their computers. Ubuntu is also trying to make their cloud service mandatory. Being able to easily bypass the Microsoft cloud service and easily change the update schedule to match my needs was a pleasant surprise.

The Bad

I had heard that Windows8 had removed the “Start” menu, but I never expected them to hide my list of applications! Just finding something like “Notepad” should not require clicks through menus and full-desktop windows! We have computers to run programs; getting to those programs should not be a hassle. This is nothing shy of a massive usability failure. As far as I can tell, there are now three separate desktops that are difficult to switch between — some require a mouse click and others require a keyboard to “ESC” to a different desktop. (If I’m doing it wrong, then it’s a design issue — don’t blame the user.)

One of these desktops shows a bunch of big rectangles that mean nothing to me. A second screen shows the actual desktop where I do work. There’s a hidden menu on the side of the screen that allows me to click on a button to bring up the first screen, and then I can click on a button to bring up the App screen with all of the applications. This is unnecessary indirection. It’s as if Microsoft tried to get rid of the desktop metaphor, failed to completely get rid of it, and couldn’t decide on a different metaphor for replacing it.

I also don’t like how the desktop is not very configurable. For example, in previous versions of Windows (and on Linux, Mac, and other operating systems), I can easily change the thickness of the window borders. But with Windows8, you need to use regedit and change some internal parameters, and then logout and log back in to see the changes. (Even Gnome’s desktop updates immediately when parameters are adjusted.) Also, the square corners on everything really reminds me of Windows 3.1 and the GEM desktop. I cannot believe that there is no obvious option for changing the skins on the desktop. Even Windows XP had better options for customizing the aesthetics.

Finally, I find Internet Explorer’s user interface to be confusing. The address bar is next to the tabs — a very bad idea. I cannot see the entire URL that I’m visiting and I keep confusing the address bar with the tabs. As a result, I keep clicking on the wrong items. (Don’t blame the user for a poor interface.) It’s as if Microsoft fired their entire usability lab and left the design up to a new intern.

The Ugly

However, the worst part is how Internet Explorer processes HTML. I found out why my web sites don’t work with Internet Explorer. IE10 was interpreting my web pages as “must be seen under IE8 emulation mode”. The emulation modes are great for developers since they really act like older versions of IE. The problem is, it dumbs down to an older browser that doesn’t support HTML5 or modern JavaScript features. Who was the idiot that decided a consumer browser should start up in developer mode?!?

I ended up finding a piece of poorly documented HTML that can be included in the header to force IE to use the highest mode available. This code should be in the <head> section:

<meta http-equiv="X-UA-Compatible" content="IE=edge" />

Using this meta directive, IE will use the highest supported IE version. IE10 will act like IE10 and not IE8.

The second issue I have is that the developer’s “do you want to debug” query keeps popping up. If IE notices that you’re on a local network, then it assumes that you are a developer. This is a really bad assumption when you’re using a corporate network and most of your web pages are local. Chrome and Firefox have developer tools that can be toggled, but they default to “off”. IE has a toggle, but it defaults to “on”.

Finally, there’s the interpretation of HTML. Microsoft seems to have looked over the HTML standard very closely. There are a few places where there is ambiguity. In these corner cases, Chrome, Firefox, Safari, Android, Mobile Safari, Dolphin, and every other browser has gone one way, and Microsoft has taken a different route. This really shows up with self-closing tags and tags that are not properly closed. For example, I had a form in a table. One of the inputs didn’t have a close. Setting the input to “disabled” would ignore the scope of the table and span multiple cells. With other browsers, the scope ends when a higher-level scope ends.

Dirty Windows

I actually had expected better from Microsoft. They have disappointed me again. This experience has made me not regret my decision to abandon Windows five years ago. If it wasn’t for my need to support IE as a browser, this computer would be running Ubuntu.

The only real good news is that I was able to make a few minor adjustments to my web pages. They now work correctly with Internet Explorer. Even FotoForensics should be working better now.

Now for my other problem… For the last few years I’ve been pressuring one of my friends to upgrade from XP to something current. XP is an old, unsupported operating system and it’s time for him to re-enter the modern world and use a browser that supports HTML5. However, I don’t think he’ll like a Mac since he only knows Windows, and Linux is not user-friendly enough for him. But now that I have seen Windows8, I think he is better off with his old and unsupported version of XP.

Update 2014-02-21:
At the suggestion of everyone who wrote in, my friend installed Windows 7. It is much more like XP than Windows 8 and his learning curve has not been as painful as I expected.

Meanwhile, I have updated to Windows 8.1 (free update! just download!). Windows 8 was a mistake. Windows 8.1 is worse. First, it really wants you to register with Microsoft’s cloud service and provide your personal information. (There goes one of the positives from Windows 8.) The workaround (so you do not need to register) is to click on “Create a new account” and then select “use my existing account” at the bottom.

Second, the initial preferences want to send far too much personal information to Microsoft. I strongly recommend doing ‘Custom’ settings and disabling anything that you do not want to send to Microsoft. (Microsoft does not need to know every site that I browse and every application that I use.)

Third, they added in some store and shopping applets to the Start page. Watching the network traffic, those applets seem to be spying on my computer activities — be sure to uninstall them.

LWN.net: Fedora Workstation proposal: ease installation of non-free software

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

The Fedora Workstation working group has come out with a proposal to ease Fedora’s traditional “see no evil” approach to non-free software in the hope of making the distribution appealing to a wider group of users.

In order to keep with the Fedora policy of only shipping free software we will only make available 3rd party software that offers their own repository for their software. Examples here include Google Chrome and Adobe Acrobat.

Schneier on Security: Adware Vendors Buy and Abuse Chrome Extensions

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is not a good development:

To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome’s update service, which sends the adware out to every user of that extension.

[...]

When malicious apps don’t follow Google’s disclosure policy, diagnosing something like this is extremely difficult. When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently — I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook — if I didn’t notice that, the next step would have probably been a full wipe of my computer.

Krebs on Security: Security Updates for Windows, Java, Flash & Reader

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Adobe, Microsoft and Oracle today each issued security updates to fix serious vulnerabilities in their products. Adobe released patches for AIR, Acrobat, Flash and Reader, while Microsoft pushed out fixes to shore up at least a half dozen security weaknesses in Windows and Office. Oracle released an update for Java that fixes at least three dozen security holes in the widely-used program.

All of the vulnerabilities that Microsoft fixed this month earned “important” ratings; not quite as dire as those labeled “critical,” which involve flaws so dangerous that they can be exploited by bad guys or malware to break into systems with no user interaction. Nevertheless, flaws marked “important” can be quite dangerous, particularly when used in tandem with other attack techniques.

By way of illustration, this month’s MS14-002 patch addresses an important zero-day flaw that was first found to be exploited in targeted attacks late last year. In one version of this attack, documented quite nicely in this fascinating yet somewhat technical writeup from Trustwave Spiderlabs, attackers used this Windows flaw in combination with a bug in Adobe Reader. According to Trustwave, the bad guys in that attack included the Windows flaw as a means of bypassing Adobe Reader’s security sandbox, a technology designed to ensure that any malicious code embedded in documents only runs under limited privileges (i.e., isn’t allowed to invoke other programs or alter core system settings).

In short, don’t put off applying this month’s patches from Microsoft. They are available via Windows Update or Automatic Update. Also, Microsoft took this opportunity to remind Windows XP users that the company will no longer be supporting Windows XP after April 2014 (guess I will have to retire the above broken Windows graphic as well). The lack of ongoing security updates for XP means it will likely become an even bigger target for attackers; if you rely on XP, please consider transitioning to a newer operating system sometime soon. Who knows, it might be a great excuse to try Linux, which tends to be very light on resources and ideal for older hardware. If you’ve been considering the switch for a while, take a few distributions for a spin using one of dozens of flavors of Linux available via Live CD.

Speaking of Adobe Reader, the company today released updates to fix at least three vulnerabilities in the widely-used program. Users of Adobe Reader XI (11.0.05) for Windows and Mac should update to Adobe Reader XI (11.0.06). Obligatory note: There are other options.

Adobe also pushed out patches for its Flash Player and AIR products. The Flash update brings the media player to version 12.0.0.38 on Windows and Mac OS X. This link will tell you which version of Flash your browser has installed. IE10 and Chrome should auto-update their versions of Flash. If your version of Chrome (on either Windows, Mac or Linux) is not yet updated to v. 12.0.0.41, you may just need to close and restart the browser.

The most recent versions of Flash are available from the Adobe download center, but beware of potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g., Firefox or Opera).

In addition, Adobe AIR (required by some applications like Pandora Desktop, for example) was updated to v. 4.0.0.1390 for Windows, Mac and Android devices. Adobe AIR checks for and prompts you to install any available updates anytime you launch an application that uses AIR; in any case, the download link is here. See the chart below for the updated version numbers for your operating system.

[Chart: updated Adobe AIR version numbers by operating system]

Separately, Oracle issued its critical patch update, which includes some 36 security fixes for Java. This update brings Java to Java 7 Update 51, and is available via the built-in Java updater or from Java downloads.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Updates are available from Java.com or via the Java Control Panel. Keep in mind that updating via the control panel will auto-select the installation of the Ask Toolbar, so de-select that if you don’t want the added crapware.

Otherwise, seriously consider removing Java altogether. I’ve long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have an affirmative use or need for Java, unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play). Java 7 lets users disable Java content in web browsers through the Java Control Panel. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

There are a couple of ways to find out if you have Java installed and what version may be running. Windows users can click Start, then Run, then type “cmd” without the quotes. At the command prompt, type “java -version” (again, no quotes). Users also can visit Java.com and click the “Do I have Java?” link on the homepage. Updates also should be available via the Java Control Panel or from Java.com.

Update, 5:33 p.m. ET: Included information about Java patches.

SANS Internet Storm Center, InfoCON: green: Adobe Patch Tuesday January 2014, (Tue, Jan 14th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Adobe released two bulletins today:

1 – Reader/Acrobat

This bulletin fixes three vulnerabilities. Adobe rates this one "Priority 1" meaning that these vulnerabilities are already exploited in targeted attacks and administrators should patch ASAP.

After the patch is applied, you should be running Acrobat/Reader 11.0.06 or 10.1.9.

2 – Flash Player and Air

The Flash Player patch fixes two vulnerabilities. The Flash Player problem is rated "Priority 1" for Windows and OS X. The AIR vulnerability is rated "3" for all operating systems. For Linux, either patch is rated "3".

Patching flash is a bit more complex in that it is included with some browsers, in which case you will need to update the browser. For example Internet Explorer 11 and Chrome include Flash.


http://helpx.adobe.com/security/products/flash-player/apsb14-01.html

http://helpx.adobe.com/security/products/flash-player/apsb14-02.html

——
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

The Hacker Factor Blog: JPEG Patches

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I am very particular about the image libraries I use. The libgif and libpng libraries are nice and solid, but they didn’t have all of the features I wanted. I ended up writing my own libraries. I also wrote my own TIFF library because libtiff has too many security holes. Frankly, if you see source code that uses incremental pointers without boundary checking, like b1 = *pb++;, then you’re looking at a serious exploit potential. (Just because C permits it does not mean it is a good coding practice.)

For JPEGs, I do rely on libjpeg. Specifically, libjpeg6b (sometimes called libjpeg6-b, libjpeg6-2, or libjpeg62). The Independent JPEG Group (IJG) stopped supporting this version back in 2006, but most applications still use this version. IJG had wanted people to migrate to libjpeg8, but that didn’t happen. Between version 6 and version 8, the entire API changed — nobody wanted to go back and rewrite their code. Version 8 also has a more complicated API, so developers who don’t know better would use version 6 because it was available and easier to program.

Personally, I have a different reason for sticking with version 6. Version 8 does not render JPEGs the same way as version 6. V6 follows the JPEG standard to the letter, while V8 does a few enhancements that can impact some sensitive analysis algorithms. For digital image analysis, standard is better than better.

Unfortunately, libjpeg6b really isn’t maintained anymore, and I’ve found dozens of ways to crash the library. One of these days I’ll write my own complete JPEG decoder and just move away from the IJG code. But for now, I have a pre-parser that sanitizes JPEGs prior to calling libjpeg, just so they won’t crash.

Patches!

Since I am dependent on libjpeg, I am very sensitive to anytime the library wants to be patched. Last month, my Ubuntu system identified that libjpeg62 wanted to be patched. “Hell no!” I don’t know what the patch does, but I’m not installing anything until I make sure it isn’t going to negatively impact my analysis tools.

The first thing I did was download the source code for the new libjpeg62 (apt-get source libjpeg62). I looked at the list of changes as well as compared code against the original libjpeg6b (the one from IJG, not the one from apt-get). The update added support for a cropping transform and better compiler support. Nothing that impacts rendering, so it’s safe for me to install. In addition, these patches are from 2010… nothing looks new.

Then I looked for ‘why’ it was updated…

Exploits!

Last November, the Full Disclosure mailing list posted a warning about a specific type of corrupted JPEG. It is possible to construct a specialized JPEG that results in an information leak from uninitialized memory. These exploits were given Common Vulnerabilities and Exposures (CVE) identifiers: CVE-2013-6629 and CVE-2013-6630. The posting to Full Disclosure even includes links to some fun sample images.

Warning for non-programmers: If really low-level programming details go over your head, then skip to the next section.

Here’s a technical description regarding how the exploit works…

JPEG is a horrible format that was clearly created by a committee. There’s one section that defines the type of JPEG and the components involved. The common ones are baseline, progressive, and lossless, but there’s a dozen others that nobody ever uses. So that everyone with a hex editor can follow along from home, let’s all use the same picture. This JPEG is one of the most popular images uploaded to FotoForensics. (We’ve seen over 200 variants of this picture. I think the guy may be from One Direction, but I’m not sure. I don’t follow boy-bands.)

wget -O image.jpg 'http://fotoforensics.com/analysis.php?id=fe81eaebc6c294bc8af1d1e9412f1af94d19c455.101587&fmt=orig'

JPEG uses 0xff to denote tags. The tag “ffc0” (found at offset 0xf8 in the JPEG) denotes a baseline JPEG “Start of Frame” tag (SOF). This is where the components are defined.

000000F0   0B 0B 0B 0B  0B 0B 0B 0B  FF C0 00 11  08 01 E5 01  ................
00000100   F4 03 01 22  00 02 11 01  03 11 01 FF  C4 00 1F 00  ..."............

The SOF is followed by a two-byte length (00 11 = 17 bytes, including the 2 bytes that specify the length). The “08” identifies the precision — this is an 8-bit deep JPEG. (Most JPEGs are 8 bits deep.) Then comes the image size (01 E5 and 01 F4 = 500×485). Finally, we have the component definitions; each component is a color channel. In this picture, there are 3 (03) components. Each component has three bytes: the first defines the identifier (because you can never have enough indirection), the second identifies the subsampling, and the third identifies the quantization table for decoding. In this case, we have “01 22 00”, “02 11 01”, and “03 11 01”. So what does this mean?

The first component (array position [0] with values “01 22 00”) will use the identifier “01”. It will have 2×2 definitions per minimum coding unit (MCU). (The MCU is the JPEG grid size, so the grid for this element will be four 8×8 grids in one 16×16 grid.) Anything that references component id “01” will be decoded with quantization table 00.

A little earlier in the file (offset 0x6E) is the quantization table definition (FFDB). I’m not going to dive into that structure because it is not relevant to CVE-2013-6629 or CVE-2013-6630. The structure defines table 00 as being the luminance definition. So component[0] with id “01” is the luminance. The subsampling identifies that this picture will use 16×16 chrominance subsampling, also called “4:2:0”.

The second component uses identifier “02”, has 1×1 records per MCU (i.e., 1 instance per grid) and uses quantization table 01 (chrominance). The third identifier “03” also defines 1 chrominance record.

Different JPEG libraries use different component identifiers. Usually the identifiers are either 00, 01, 02 or 01, 02, 03. However, I’ve also seen them named (A,B,C), (Y,U,V), and (R,G,B). The byte value doesn’t really matter; it’s just an identifier.

In this file, we have a couple of Huffman table definitions (FFC4) and then the really key part: the start of stream (SOS), denoted by the FFDA tag at file offset 0x2BB.

000002B0   E9 EA F2 F3  F4 F5 F6 F7  F8 F9 FA FF  DA 00 0C 03  ................
000002C0   01 00 02 11  03 11 00 3F  00 EE B4 DF  D9 47 C3 9F  .......?.....G..

The SOS works with the SOF to define the binary data stream. It is followed by a 2-byte length (000C = 12 bytes), number of components per MCU (3 in this example), and two bytes per component. (I know, 3 components × 2 bytes + 2 byte length + 1 byte number of components ≠ 12 bytes. The SOS header contains other junk that doesn’t impact CVE-2013-6629 and CVE-2013-6630.)

Each two-byte component in the SOS header contains the component identifier and the Huffman table identifier (from all of those FFC4 tags). In this case, the first entry says “01 00”. That means identifier “01” will use DC table 0 (upper nibble of 00) and AC table 0 (lower nibble). The “02 11” means identifier “02” will use DC table 1 and AC table 1. And identifier “03” looks just like identifier 02. Putting the SOF and SOS definitions together, we now know:

  • The JPEG uses 16×16 chrominance subsampling because the luminance defines four 8×8 entries per MCU.
  • Identifier 01 is the luminance, and it uses quantization table 0 with Huffman tables DC[0] and AC[0].
  • Identifier 02 is the first chrominance (chrominance-blue or U), and it uses quantization table 1 with Huffman tables DC[1] and AC[1]. There is one U entry per MCU.
  • Identifier 03 is the other chrominance (chrominance-red or V), and it uses quantization table 1 with Huffman tables DC[1] and AC[1]. There is one V entry per MCU.

This means the binary data stream that comes after the SOS header will define a series of MCU elements. Each MCU will be in the format “YYYYUV”. The series of MCU elements in the data stream looks like YYYYUVYYYYUVYYYYUV…

I surrender! Show me the exploit!
The JPEG library has some idiot checking for corruptions. An invalid identifier in the SOS header will lead to a corrupt component abort. Similarly, an invalid Huffman table definition will lead to an abort. But… what if we have a valid definition but an undefined component? For example, rather than defining identifiers (1,2,3), what if we defined (1,2,1) and left 3 as undefined? Now we have two problems: we have one component defined twice (CVE-2013-6629), and an undefined component (CVE-2013-6630).

Now we can test this condition. Simply change the component identifier definition. In this example, I changed the definition from (1,2,3) to (3,2,3). My bad header looks like FF DA 00 0C 03 03 00 02 11 03 11.

If you’re using a vulnerable version of libjpeg, then you should see colorful garbage right above this line. (And the 16×16 blocks are likely very visible.) If you’re not vulnerable, then you should see a blank space or a broken image icon (because your browser would not render a corrupted JPEG).

For real fun, save the JPEG and view it under different programs, like OpenOffice, Gimp, Image Viewer, ImageMagick (display), and Gnome’s nautilus on Linux, or Safari and Preview on a Mac, or other programs… Every program should show a different colorful picture.

wget -O image-bad.jpg 'http://fotoforensics.com/analysis.php?id=d9eb122455e9b02959deffb55e15f9e1384cc0dc.101587&fmt=orig'

Even if you patched your system, lots of applications include their own copy of libjpeg (or an alternate JPEG library) rather than rely on the system library. Even if one application won’t render the image, other programs will.

The real fun with this picture happens when you reload it. (NOTE: FotoForensics forces your browser to cache the picture, so just reloading this page in your browser will not show you anything different with these pictures.) To see it change, save the corrupt JPEG and open it in various programs, then ‘revert’ or ‘reload’ the picture. Watch the picture and see if it changes. The changes may be minor (different noise patterns) or major (cool new colors!). This happens because one of the components defined in the SOF is undefined in the SOS.

So… what happens when it is undefined? The JPEG library ends up with uninitialized memory. It’s allocated, but it’s not set. You end up with random data. The unset data can change with each reload because you have new uninitialized memory.

NOTE: Some programs cache the rendered image. Loading the corrupted JPEG in Microsoft Word or PowerPoint will render it once. Deleting and inserting the picture won’t change the rendering. However, closing the program and restarting it will render a different colorful pattern.

In the Hello Kitty example that was posted to Full Disclosure, he forces the browser to reload the picture a dozen times. First he loads a good picture, then he loads the corrupted version. He’s hoping that the uninitialized memory will align with a previous deallocation of the good picture. When this happens, the corruption shows part of the previous picture. (Try his example. If you don’t see the duplication corruption, then reload the page or hold down shift to force a reload.)

How bad is it?

As vulnerabilities go, this is a featherweight. The worst that can happen? The library will allocate uninitialized memory. Let’s say the dirty memory happens to include a plain-text password. Those bytes are passed through the inverse-DCT function and the results are converted from YUV to RGB. Both of these steps include lossy and non-reversible calculations. With the best of luck, I might be able to narrow it down to a couple of dozen potential values per character in the password.

On a more realistic attack vector, this could be used to profile the computer’s memory management structure and potentially identify the back-end operating system. However, there are other profiling methods that would be easier and more reliable.

As threats go, this is really a low risk.

Patching vs Fixing

As cool as this bug is, it is not new. It actually dates back to at least June 2004. Yet, CVE did not release an advisory until late 2013. That’s 9 years! While I’ve complained about the slow academic publication cycle, even academic journals publish faster than this. Compared to CVE, Congress’s ability to pass a budget seems streamlined.

There’s a couple of ways to fix this issue…

  • One option is to load the SOS header and then check for invalid or omitted entries prior to use and set a reasonable default. The June 2004 advisory included a patch that attempts to repair the JPEG. Since the SOF and SOS usually list identifiers in the same order, the patch replaces the corrupt SOS record with the same order entry from the SOF.

  • Libraries can be modified to detect and abort if this condition is detected. For example, Chrome implemented a detector that aborts if the corruption is identified.

    Adobe implemented a similar abort years ago. Photoshop CS5 pops up an error message that says, “Could not complete your request because no JPEG frame component ID was found equal to an already read scan component ID.” While overly technical for your average Photoshop user, it is completely correct.

  • Another option is to detect the duplicate identifier and change it to match the next unused identifier. (I chose this option for my own code.) While this will probably render a lot of garbage, junk is better than aborting when doing forensics on digital pictures. (You cannot analyze anything, including metadata, if the library aborts or the picture won’t load.)
  • In every JPEG I have seen, standard libraries use the same ordering as the components definition. Here’s a thought: if you detect this situation, ignore the SOS ordering and use the component ordering from the SOF block instead. (This is similar to the 2004 patch, but it replaces all entries rather than just the one that was detected.)
  • Probably the best option is to use a smarter initialization sequence. Replace every malloc() with calloc() so the memory is zeroed, and give pointers default values before loading the pointer settings. This way, even if the memory pointers are invalid, they still point to allocated memory that has been initialized. This gets rid of the uninitialized memory leak and ensures that reloading the image will not change the image.
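The mismatch these options guard against can be checked outside libjpeg. The following Python is an added example, not code from the post or from libjpeg: it walks a JPEG's marker segments, compares the component ids declared in the SOF frame header against those referenced by the SOS scan header, reports the bad entries (what a Chrome-style detector would abort on), and applies the "use the SOF ordering" repair from the list above. The sample bytes and all function names are constructed for this example; they are not from the post.

```python
import struct

# Markers this check cares about (constructed example; not libjpeg code).
SOF_MARKERS = {0xC0, 0xC1, 0xC2}   # baseline, extended sequential, progressive
SOS_MARKER = 0xDA


def parse_components(data: bytes):
    """Walk marker segments up to the first SOS.

    Returns (sof_ids, sos_ids, sos_id_offsets): the component ids declared in
    the frame header, the ids referenced by the scan header, and the byte
    offset of each scan-header id so a repair can patch it in place.
    Raises ValueError on truncated or malformed input rather than guessing.
    """
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    sof_ids = None
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        (seglen,) = struct.unpack(">H", data[i + 2:i + 4])   # includes the 2 length bytes
        if seglen < 2 or i + 2 + seglen > len(data):
            raise ValueError(f"bad segment length at offset {i}")
        payload = i + 4
        if marker in SOF_MARKERS:
            # SOF payload: P(1) Y(2) X(2) Nf(1), then Nf x {Ci, HiVi, Tqi}
            if seglen < 8:
                raise ValueError("SOF segment too short")
            nf = data[payload + 5]
            if seglen < 8 + 3 * nf:
                raise ValueError("SOF segment shorter than its component count implies")
            sof_ids = [data[payload + 6 + 3 * c] for c in range(nf)]
        elif marker == SOS_MARKER:
            # SOS payload: Ns(1), then Ns x {Csj, TdjTaj}, then Ss, Se, AhAl
            if seglen < 6:
                raise ValueError("SOS segment too short")
            ns = data[payload]
            if seglen < 6 + 2 * ns:
                raise ValueError("SOS segment shorter than its component count implies")
            if sof_ids is None:
                raise ValueError("SOS appears before any SOF")
            offsets = [payload + 1 + 2 * c for c in range(ns)]
            return sof_ids, [data[o] for o in offsets], offsets
        i += 2 + seglen
    raise ValueError("no SOS segment found")


def find_bad_sos_ids(sof_ids, sos_ids):
    """Indices of scan entries that name no frame component, or that repeat an
    earlier scan entry. This is the condition the post describes: the lookup
    fails and the decoder ends up using a component slot it never set up."""
    bad, seen = [], set()
    for idx, cid in enumerate(sos_ids):
        if cid not in sof_ids or cid in seen:
            bad.append(idx)
        seen.add(cid)
    return bad


def repair_sos_from_sof(data: bytes) -> bytes:
    """The post's "use the SOF ordering" option: when the scan lists every
    frame component, overwrite all scan ids with the frame ids in order.
    Scans covering only some components (progressive JPEGs) are left alone,
    since the right mapping is not knowable from the ordering."""
    sof_ids, sos_ids, offsets = parse_components(data)
    if not find_bad_sos_ids(sof_ids, sos_ids) or len(sos_ids) != len(sof_ids):
        return data
    fixed = bytearray(data)
    for off, cid in zip(offsets, sof_ids):
        fixed[off] = cid
    return bytes(fixed)


# Constructed 35-byte stand-in for a corrupt file: SOF0 declares components
# 1, 2, 3 but the SOS references 1, 1, 3 (2 missing, 1 duplicated). No DQT/DHT
# segments are included because the check never needs them.
SAMPLE_CORRUPT = bytes.fromhex(
    "FFD8"
    "FFC0 0011 08 0008 0008 03 01 2200 02 1101 03 1101"
    "FFDA 000C 03 01 00 01 11 03 11 00 3F 00"
)

if __name__ == "__main__":
    sof, sos, _ = parse_components(SAMPLE_CORRUPT)
    print("SOF ids:", sof, "SOS ids:", sos, "bad SOS entries:", find_bad_sos_ids(sof, sos))
    _, sos_fixed, _ = parse_components(repair_sos_from_sof(SAMPLE_CORRUPT))
    print("after repair:", sos_fixed)
```

The parser deliberately raises on anything truncated instead of reading past a segment boundary, which is the same discipline the calloc() option is after: never let a malformed header steer the decoder into memory it has not set up. For forensic use, call find_bad_sos_ids() first and only then decide between aborting and repairing.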

Although there are many solutions, Canonical’s approach is definitely the wrong answer. The Ubuntu security forums decided to not fix it because libjpeg6b is “ancient”.

sarnold> Michal suggests libjpeg6b will not be updated from upstream
mdeslaur> upstream bug and proposed patch is ancient. Chromium contains
mdeslaur> a patch.

I guess the Ubuntu community missed the part about libjpeg6b being used EVERYWHERE. It may be old, it may have been ignored by IJG since 2006, but it is widely used.

Speaking of 2006… The official code released by IJG back in 2006 does not include any patches for this 2004 exploit. Call it oversight or incompetence, your choice.

There are other variations of this bug. For example, rather than changing the component IDs, change the Huffman table IDs. In the SOS header, changing the second byte for any of the components (e.g., changing the luminance from "00" to "01", "10", or "11") will create a different type of corruption that still accesses uninitialized memory. However, there is no CVE for this bug. (And don’t expect one for the next few years; CVE assignments are not fast.)

Patched?

There are a couple of things that bother me about this latest update to libjpeg. First, the source code from apt-get says that nothing changed since 2010… so why was a patch pushed out?

Second, nothing in this patch addresses the recent CVE exploits. The description for this latest libjpeg62 update explicitly says it is for CVE-2013-6629 and CVE-2013-6630, but I don’t see that in the source code. I see the code changes that should be there, but they are not in the patch that was pushed out. After applying the patch, I checked every libjpeg on the system (find /usr -name 'libjpeg*') and none of them had recent timestamps. While I applied the patched version to my system, applications that still use the system-wide libjpeg6b act as if there is no patch.

More problematic to these bugs is the lack of ownership. For example, CVE-2013-6629 says that there are patches for Chromium, Thunderbird, and a few other packages, but not for libjpeg in general. And even though libjpeg6b is included on virtually every Linux distribution as well as many widely-used open source projects, there does not appear to be any maintainer who has taken ownership of this library. I can see who the Ubuntu maintainer is. I can find the RedHat maintainer. I can even find the maintainers for SuSE and Debian and other Linux versions. They all report that they applied the same patch, but I don’t see who provided the initial solution to all of these vendors.

Maybe I’m just missing something… (Shouldn’t apt-get update and apt-get upgrade be enough to patch this?) Or maybe there are bigger problems than uninitialized memory in libjpeg.

TorrentFreak: How The Pirate Bay Plans to Beat Censorship For Good

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Over the past few years The Pirate Bay has had to deal with its fair share of censorship, mostly through court-ordered blockades.

In response to these efforts the site launched the PirateBrowser last summer, and not without success. The tool, which allows users to circumvent ISP blockades, clocked its 2.5 millionth download a week ago.

However, there’s a much bigger project in the pipeline, one that will make The Pirate Bay and other sites more resilient than ever before. Instead of bypassing external censors, the new tool will create its own P2P network through which sites can be accessed without restrictions.

“The goal is to create a browser-like client to circumvent censorship, including domain blocking, domain confiscation, IP-blocking. This will be accomplished by sharing all of a site’s indexed data as P2P downloadable packages, that are then browsed/rendered locally,” a Pirate Bay insider explains.

In other words, when users load The Pirate Bay or any other site that joins the new platform, the site’s data will be shared among users and stored locally. The website doesn’t require a public facing portal and only needs minimal resources to “seed” the site’s files to the rest of the world.

“It’s basically a browser-like app that uses webkit to render pages, BitTorrent to download the content while storing everything locally,” the Pirate Bay insider says.

All further site updates are incremental, so people don’t end up downloading the entire site day after day. The disk space users need for the locally stored sites ranges from a few dozen megabytes for a small site, to several gigabytes for a larger torrent index.

The new software will be released as a standalone application as well as Firefox and Chrome plugins.

Since the site data comes from other peers, there is no central IP-address that can be blocked by Internet providers. Site owners will still offer webseeds to speed up loading, but sites are fully accessible when these are blocked.

Another important change is that the new software will not use standard domain names. Instead, it will use its own fake DNS system that will link the site’s name to a unique and verified public key. For example, within the application bt://mysite.p2p/ will load 929548249111abadfjab29347282374.p2p.

“Site owners will be able to register their own names, which will serve as an alias for the curve25519 pub-key that will identify the site,” the Pirate Bay insider notes.

“The “domain” registrations will be Bitcoin authenticated, on a first come first served basis. After a year the name will expire unless it’s re-verified.”

The entire project will be open source and built using existing code such as Libtorrent, Webkit, SQLite v3 and node-js. The Pirate Bay team is still looking for coders to assist, mainly on the Windows side, but thus far the development has been going steady.

It may take a few months before the first version is released in public, but it already promises to be a game changer in the ongoing censorship Whack-a-Mole.

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

SANS Internet Storm Center, InfoCON: green: Monitoring Windows Networks Using Syslog (Part One), (Sat, Jan 4th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

As an incident responder, I love high-value logs. We all know Windows event logs can be super chatty, but with the right tuning they can be very useful. I’ve tried out several utilities for syslogging Windows event logs, but I’ve found eventlog-to-syslog (code.google.com/p/eventlog-to-syslog) to be my favorite due to the simple config and install.

If you are not logging anything from your Windows clients and you suddenly turn on everything, you will be overwhelmed. I’m going to cover a couple of logs to start looking at in this post and go into more detail in my next post. AppLocker, EMET (http://support.microsoft.com/kb/2458544/en-US), Windows Defender and application error logs are some of the most valuable logs when looking for compromised systems. These are what we are going to cover today.

AppLocker Setup

If you haven’t set up AppLocker in your environment, now would be a great time to get started. Microsoft has a great document that covers it in complete detail (http://download.microsoft.com/download/B/F/0/BF0FC8F8-178E-4866-BBC3-178884A09E18/AppLocker-Design-Guide.pdf). For most, using the Path Rules will get you what you need. The pros and cons of each ruleset are covered in section 2.4.4, pp. 17-22.

The MS doc is quite extensive, but for a quick-start guide try the NCSC Guide (http://ncsc.govt.nz/sites/default/files/articles/NCSC%20Applocker-public%20v1.0.5.pdf).

The basic idea of the path rules is to allow things to run from normal folders (e.g. the Program Files and Windows folders) and block everything else. The NSA SRP guide (YEA YEA, I know) gives a good list of rules to use with AppLocker (www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf). You will run into some issues with Chrome and other apps (Spotify) that run from the user’s AppData folder, but that is where the syslog auditing comes into play. First deploy this in audit mode and then, once you are comfortable, move to prevent mode. If you already have a software inventory product, you will be able to leverage that information to feed into your policy. Much has been written about this, but I wanted to cover the basics.

EventLog-to-Syslog Installation

Download the software from (https://code.google.com/p/eventlog-to-syslog/)

1. To install it as a service, simply run:

c:>evtsys.exe -i -h <Syslog Server IP>

2. Copy evtsys.cfg to the C:\windows\system32\ directory. (More on this below.)

3. Restart the service.

c:>Net stop evtsys

c:>Net start evtsys

That’s it, you should be ready to get logs.

Evtsys.cfg Setup

A basic version of the evtsys.cfg can be found on my GitHub (http://goo.gl/79spGK). This config file is for Windows 7 and up. Please rename the file to Evtsys.cfg before using. This file uses XPath for the filters, which makes creating new ones easy. Here is a quick way to create your own.

1. In the Windows Event Viewer, select the Event logs you wish to create a rule from.

2. Click the Details Tab and Select XML View.

3. Determine the Channel for the Event along with any specific Event ID you want from that channel.

In this case the Windows Defender Channel is:

<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>

The event IDs we want are: 1005, 1006, 1010, 1012, 1014, 2001, 2003, 2004, 3002, 5008

4. Putting it all together. The format for a rule is XPath:<PathtoChannel>:<Select statement>, and the rule must be on one line. It’s OK to have spaces in the channel name, but the Select statement has to have double quotes.

5. Click the Filter Current Log button on the side of the Event Viewer and enter the additional data you want to use to filter. Then click on the XML tab at the top. You can cut and paste the entire <Select Path portion into your filter.

XPath:Microsoft-Windows-Windows Defender/Operational:<Select Path="Microsoft-Windows-Windows Defender/Operational\">*[System[(EventID=1005 or EventID=1006 or EventID=1010 or EventID=1012 or EventID=1014 or EventID=2001 or EventID=2003 or EventID=2004 or EventID=3002 or EventID=5008)]]</Select>


Other Items that will be syslogged are:

  • Application Crashes

  • EMET

  • Windows Defender

  • Account Lockouts

  • User Added to Privileged Group

Finished Product

The raw syslog for a blocked AppLocker event looks like this:

Jan  3 12:59:35 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.


Raw syslog for an allowed program:

Jan  3 14:37:51 WIN-CC AppLocker: 8002: %SYSTEM32%\SEARCHPROTOCOLHOST.EXE was allowed to run.


Simple Stats

To get a list of all applications that have been blocked, use the following command:

$ cat /var/log/syslog | fgrep AppLocker | fgrep prevent | awk '{print $7}' | sort | uniq -c

1 %OSDRIVE%\TEMP\bob\X64\AGENT.EXE
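The awk one-liner above takes the seventh whitespace-separated field, which breaks as soon as a blocked path contains a space (common for anything under AppData), and it does not distinguish audit-mode events from real blocks. The following Python is an added example, not code from the post or from eventlog-to-syslog: it parses the evtsys line shape shown above, captures the path up to the verdict phrase, and counts blocked executables the way the grep/awk pipeline does. The sample log lines are constructed; the use of AppLocker event id 8003 for audit-mode "would have been blocked" events is a known AppLocker id and not something the post covers.

```python
import re
from collections import Counter

# Line shape produced by eventlog-to-syslog for AppLocker events, as shown in the post:
#   "<syslog timestamp> <host> AppLocker: <EventID>: <path> <verdict>."
# The path is captured lazily up to the verdict phrase, so paths containing
# spaces survive, which a whitespace-split awk field does not.
APPLOCKER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) AppLocker: (?P<eid>\d+):\s+"
    r"(?P<path>.+?) "
    r"(?P<verdict>was prevented from running"
    r"|was allowed to run but would have been prevented from running if the AppLocker policy were enforced"
    r"|was allowed to run)\.$"
)

# AppLocker EXE/DLL event ids: 8002 allowed, 8003 audit-mode "would have been blocked", 8004 blocked.
EVENT_ALLOWED, EVENT_AUDIT, EVENT_BLOCKED = "8002", "8003", "8004"


def parse_applocker(lines):
    """Return one dict (ts, host, eid, path, verdict) per AppLocker line.
    Lines for other sources are skipped rather than treated as errors."""
    events = []
    for line in lines:
        m = APPLOCKER_RE.match(line.rstrip("\r\n"))
        if m:
            events.append(m.groupdict())
    return events


def blocked_counts(lines, include_audit=False):
    """Count executables AppLocker stopped (8004), optionally also those it
    would have stopped in enforce mode (8003). Mirrors the post's
    grep/awk/sort/uniq pipeline but keys on the full path."""
    wanted = {EVENT_BLOCKED} | ({EVENT_AUDIT} if include_audit else set())
    return Counter(e["path"] for e in parse_applocker(lines) if e["eid"] in wanted)


# Constructed sample in the evtsys format from the post (not real log data).
# The last line is a made-up non-AppLocker record to show it is ignored.
SAMPLE_SYSLOG = r"""
Jan  3 12:59:35 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.
Jan  3 14:37:51 WIN-CC AppLocker: 8002: %SYSTEM32%\SEARCHPROTOCOLHOST.EXE was allowed to run.
Jan  3 14:38:02 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.
Jan 12 09:01:10 WIN-D AppLocker: 8004:  %OSDRIVE%\Users\alice\AppData\Local\My App\app.exe was prevented from running.
Jan 12 09:05:44 WIN-D AppLocker: 8003:  %OSDRIVE%\Users\alice\AppData\Local\tool.exe was allowed to run but would have been prevented from running if the AppLocker policy were enforced.
Jan 12 09:06:00 WIN-D Windows Defender: 1006: (constructed unrelated line, ignored)
""".strip().splitlines()

if __name__ == "__main__":
    # Same shape as "sort | uniq -c": count, then path.
    for path, n in blocked_counts(SAMPLE_SYSLOG, include_audit=True).most_common():
        print(f"{n:7d} {path}")
```

Running it against a real /var/log/syslog is a matter of passing the open file object in place of SAMPLE_SYSLOG. Keeping the audit-mode events separate matters during the "deploy in audit mode first" phase the post recommends: those 8003 entries are exactly the list of things that will break when you flip to prevent mode.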


Next Time on ISC..

In the next post I’ll cover a more comprehensive config file to detect attackers and integrate logs for reporting.

Tom Webb

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Errata Security: Snakeoil vs. bounties

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

A “bounty” is what trustworthy companies offer hackers who break their stuff. This is not to be confused with “prizes”, where companies create absurd challenges for hackers to break their stuff, but with rules that mean hackers will never win. Trustworthy companies are those who regularly have to pay out on the bounties, untrustworthy companies selling snakeoil don’t pay out.

I mention this because of this press release saying:

“A challenge was issued to top hackers a week ago to break into secure cloud service, [XXXXX] for $25,000. 700 hackers from 49 countries already took up the hacking challenge, hailing from top universities like MIT, Stanford and Princeton and corporations like Vodafone and Tata Consulting.”

This is nonsense. The contest isn’t for their cloud service. Instead, the contest is for a separate, contest-specific network. It’s a trick. It narrows the challenge to focus on the most secure part of their system only — the part they know is secure. But hackers don’t exploit the strongest part of any system, that would be stupid. Instead, hackers target the weakest link in the network, the part which isn’t included in the contest.

In contrast, the bounty system of other companies puts everything under the microscope. It’s totally out of their control what the hackers might hack. Since security is so hard, they often have to pay out. For example, Google Chrome is the most trusted, secure browser precisely because it’s had to pay out the most in bounties — not because they constructed an invalid contest so they would never have to pay out.

A company that offers a $25k vulnerability bounty is trustworthy — a company offering a $25k prize for some weird challenge isn’t trustworthy at all. Either they are knowingly deceiving you, or they are too stupid to understand that their challenge has no merit. Either answer means you should not trust them. They are not a security company that has won the respect of security professionals, they are a marketing company trying to hoodwink you.