Tag Archives: Security

Opera Browser Vulnerable to Memory Corruption Exploit

In the raging browser wars, features, security and stability are paramount to competing. Opera might want to get a serious handle on things with the next release they push.

There is a memory corruption bug that has been present in Opera 10, 11 and the pre-release of 12 on Windows XP SP3. The vulnerability exists within SVG (Scalable Vector Graphics) layout handling. By nesting SVG functions within XML calls, an attacker is able to crash Opera. While crashing a browser might not seem like a huge deal to some, couple it with code injection and you have an exploit that can lead to complete remote code execution, and then it’s game over.

The exploit, which was discovered over a year ago, was reported to Opera but never fixed. Jose Vasquez, the original author, has published full details on the vulnerability as well as written and released a complete Metasploit module. Metasploit is a security framework for penetration testing, allowing a large number of security professionals to collaborate on software and service vulnerabilities.

What might seem like a benign crash of your browser might turn out to be an attacker positioning themselves to take control of your computer and network. Although it’s been previously broken, Jose also indicates it may be possible to bypass DEP, which is an active security feature provided by Microsoft, specifically made to prevent unwanted code execution.

In an interview, Opera’s co-founder Jon Stephenson von Tetzchner indicated their number of users grew from 50 million in 2009 to over 150 million in just one year. There are a lot of users who are potentially vulnerable to exploitation of this bug. When Opera 11.51 was released, major security and minor stability issues were the reason for the update. If we consider that this bug has been present since 10.50, was disclosed to Opera over a year ago, and is still unfixed, many users may want to look at switching to the very popular Chrome or Firefox 7 until Opera fixes this issue.

Computer Virus Infects US Drones Predator and Reaper Cockpits

It has been discovered that the cockpits of two US drone fleets, Predator and Reaper, have been infected with a virus. The infection was discovered two weeks ago at Creech Air Force Base in Nevada. Since then, officials have been trying to remove the infection, but the virus keeps coming back, reports WIRED.

The virus consists of a Trojan payload that logs the keystrokes of the pilot controlling the drones remotely. As you might know, these drones have been used extensively in spying as well as targeting enemy territory remotely and have been a great asset to the US Army.

It isn’t clear whether the infection is the result of a cyber-attack or whether it was just an accidental infection. Whatever the case may be, the virus has infected both unclassified and classified machines, and it is speculated that some confidential data might have gone outside of the military network.

Interestingly, this is not the first time that the Predator and Reaper fleet has come under security scrutiny. It was well known that these drones send video to their stations unencrypted. The US Army had previously found hours of drone video recording on computers seized from Iraqi insurgents.

Reuters has quoted an unnamed source saying that this infection hasn’t impacted overseas missions.

iPhone Users Vulnerable To Address Book Snarfing Via Skype XSS

Skype users on iOS devices should be on the lookout for malicious users intent on stealing their address book.

A vulnerability affecting Skype 3.01 on iOS devices, including the iPod Touch and iPhone, gives an attacker the ability to secretly upload the entire contents of your address book. The hole is due to a non-validated input field in the client: instead of the contents being displayed to the user, they are executed. Coupling XSS with sandbox permissions that do not allow for fine-tuned access control within apps provides a way for an attacker to steal the contents of an unsuspecting user’s address book.

Skype has been criticised numerous times over identical vulnerabilities in their desktop software that allowed for remote code to be executed on a victim’s computer. The flaw is one that Skype has had reported numerous times and fixed numerous times, yet they have not completely audited the applications before release.

Phil has detailed the attack performed against an iPhone 4 running iOS 4.3.5 and has indicated that the vulnerability was reported to Skype over a month ago. Hopefully a fix is in the works, but more importantly, hopefully Skype will perform a full check instead of simply throwing input sanitising on the vulnerable text field.

DigiNotar Hack: Adobe set to patch Acrobat and Reader tomorrow

Tomorrow, Adobe will be releasing an Adobe Reader and Acrobat security update which will remove DigiNotar certificates from its trusted list. The update will be available for both Windows and Mac. Once installed, it will remove DigiNotar certificates from the Adobe Approved Trust List program, or AATL. AATL is a program that allows users to create digital signatures so that a PDF signed with it is trusted whenever it is opened using Acrobat or Reader version 9 and above.

This update is a result of the DigiNotar security breach in which a hacker supposedly generated hundreds of rogue SSL certificates. These certificates were used to spoof content, perform phishing attacks and, more notably, carry out man-in-the-middle attacks. All of the major browser vendors have now removed DigiNotar certificates from their trusted lists. Both Microsoft (Security Advisory 2607712) and Apple (Security Update 2011-005) have also released updates revoking trust of the DigiNotar certificates.

The Adobe update is rated as critical and it is recommended that all users of the aforementioned software install this update as soon as possible. The update can be downloaded from here once it is released. Adobe has also indicated that they will be enabling dynamic updates of AATL with a future update so that a user doesn’t have to manually install a patch to update the trusted list in scenarios like this.

In case you want to manually remove the DigiNotar certificates from AATL, instructions for both Adobe Reader and Acrobat can be found here.

Certificate Authority GlobalSign Loses Critical Data to ComodoHacker

Over the last few months, we have seen sophisticated and well-organized attacks on various websites and web-services. While some of these attacks were aimed at proving vulnerabilities, others were carried out to raise concerns against policies and actions taken by these agencies, organizations and at times, Governments. Whatever the case, in all these situations it was always the end-user who suffered the most. The recent course that this hack and breach fest has taken (not necessarily by the same hacker groups) is towards certificate authorities.
Certificate Authorities are the bodies who issue certificates to certify a website or a web-service as genuine. Whenever we visit a website with an SSL or TLS authentication, a certificate is issued which validates the site in the browser. This is used to verify the website as well as the integrity of it.

On July 10 2011, ComodoHacker attacked the Certificate Authority DigiNotar. This attack led to the creation of fake Gmail certificates that were used for man-in-the-middle attacks. This time, the same hacker, ComodoHacker, claims to have hacked another Certificate Authority: GlobalSign. The hacker claims that he has large amounts of data from the Certificate Authority, including emails, database backups, customer data and other sensitive information, all of which he plans to release in the near future.

The Pastebin message announcing this says,

I have ALL emails, database backups, customer data which I’ll publish all via cryptome in near future), GlobalSign (I have access to their entire server, got DB backups, their linux / tar gzipped and downloaded, I even have private key of their OWN globalsign.com domain

Following this breach, GlobalSign has stopped issuing security certificates after internal investigations proved that the breach was indeed genuine.

Gmail Users in Iran Hit by MITM Attacks

Gmail users in Iran might have been affected today, based on several reports suggesting that Gmail.com connections were being hit by Man In The Middle (MITM) attacks.

I first spotted this notice on Hacker News where the submission had a link to pastebin.com containing details of the affected root server certificate. Google has since then confirmed the attempted attack on their blog.

Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran.

MITM or Man-In-The-Middle attacks are among the most sophisticated attacks, where a third party can effectively eavesdrop on and monitor all communication between two parties, without either of the parties knowing that they are being eavesdropped upon. In the case of sites using SSL, such as Gmail, the attacker was able to get hold of a fraudulent certificate which is used for encrypting.

The certificate was issued by DigiNotar. Chrome users (on version 13 and above) were alerted to the fraudulent certificate by a built-in security feature called certificate pinning. Certificate pinning maintains a whitelist of verified root Certificate Authorities which are trusted by Chrome in creating a connection to Gmail.com and Google accounts in general. Since DigiNotar was not in the whitelist of verified CAs, Chrome displayed an error message about the certificate being invalid.

Chrome shows Invalid Certificate message
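The pinning check described above can be sketched as follows. This is an added example, not Chrome's code or anything from the original article: the CA names, host names, key bytes and the `PINS` table are constructed, and signature verification is assumed to have been done already by the TLS stack.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for the DER-encoded public key (constructed value)

def pin(cert: Cert) -> str:
    """Pin = SHA-256 over the certificate's public key bytes."""
    return hashlib.sha256(cert.spki).hexdigest()

# Constructed CAs: both sit in the general trust store, only one is pinned.
PINNED_ROOT = Cert("Pinned Example Root", "Pinned Example Root", b"key-pinned-root")
OTHER_ROOT = Cert("Other Example Root", "Other Example Root", b"key-other-root")
TRUST_STORE = {pin(PINNED_ROOT), pin(OTHER_ROOT)}

# Hypothetical pin list: domain -> CA keys allowed to appear in its chain.
PINS = {"example.com": {pin(PINNED_ROOT)}}

def pins_for(host: str) -> set:
    """Find the pin set for host or for its nearest pinned parent domain."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in PINS:
            return PINS[candidate]
    return set()

def evaluate(host: str, chain: list) -> str:
    """chain is leaf-first. Returns 'ok', 'untrusted' or 'pin_mismatch'."""
    linked = all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
    if not chain or not linked or pin(chain[-1]) not in TRUST_STORE:
        return "untrusted"
    required = pins_for(host)
    if required and not any(pin(c) in required for c in chain):
        return "pin_mismatch"  # publicly trusted CA, but not allowed for this host
    return "ok"

def leaf(host: str, root: Cert, key: bytes) -> Cert:
    """Build a constructed end-entity certificate issued directly by root."""
    return Cert(host, root.subject, key)

GOOD_CHAIN = [leaf("mail.example.com", PINNED_ROOT, b"key-leaf-1"), PINNED_ROOT]
ROGUE_CHAIN = [leaf("mail.example.com", OTHER_ROOT, b"key-leaf-2"), OTHER_ROOT]
```

`evaluate("mail.example.com", ROGUE_CHAIN)` returns `pin_mismatch` even though the issuing CA is in the trust store, which is the situation the DigiNotar-issued certificate was in.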

Mozilla has responded by pushing an update to Firefox which revokes the certificate’s trust. As a result, if a user visits a site presenting the fraudulent certificate, the user will be informed that the connection is not secure. Mozilla has also updated their knowledge base with an article showing the steps involved in revoking the certificate.

Motorola Droid 3 Reaches Root Status

The Motorola Milestone 3, known stateside as the Droid 3, has been rooted! The well-known kernel hacker and security researcher Dan Rosenberg has posted the details of a simple vulnerability that provides superuser access to the device by using a configuration value that prevents the Android Debugging Bridge from de-escalating its root privileges.

The Droid 3 is the successor to the very popular Droid 2. It launched on Verizon back in July, with a locked bootloader preventing customized kernels and ROM cooking. The original Motorola Droid implemented security measures that required signed images for flashing. It took almost a year before it was rooted and Motorola stuck with their choice to alienate power users by enforcing signature checks on their Droid series of devices.

Featuring a spacious 5-row hardware QWERTY keyboard, qHD screen and all the methods of connectivity you can handle, the Droid 3 is a powerhouse of a device. Although none of the Droids are included in the guide to the Best Android Phones in India, the original Droid pushed Android launch sales over the iPhone and beat the Nexus One.

Now that Google and Motorola have joined forces, the Android community can expect more top-tier hardware built by Motorola and powered by unskinned, unmolested and bloatware-free Android, receiving timely updates directly from Google.

Nokia Developer Database Compromised by SQL Injection

Nokia’s Developer site is home to an app submission launchpad, documentation on developing for S40, Windows Phone and MeeGo, as well as the official place to be for conversation on the platforms with their development teams.

Unfortunately, the developer page has been the target and victim of a simple SQL injection attack. Part of the internal administration database has been compromised. A portion of the database containing user names and password hashes (along with their respective salts) has been circulated and posted online.

Thankfully, Nokia employs hashing algorithms in their security policy and no plain-text passwords are stored. According to the above image, the vulnerable page is their search form, which allows for unsanitized/unfiltered input. An attacker enters a query that is processed by the back-end as an SQL statement, and any information stored within the tables the attacker requests is provided as output. This can be information containing simple notes or links, but an attacker will often craft a query to return stored credentials, credit card or other personal information.
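The difference between a search form that concatenates input into SQL and one that binds it as a parameter, as an added example that is not from the original article and is not Nokia's code. The schema, rows and sample input are constructed for illustration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: two public documents and one internal one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (title TEXT, internal INTEGER)")
    db.executemany("INSERT INTO docs VALUES (?, ?)", [
        ("Getting started guide", 0),
        ("Porting notes", 0),
        ("Admin runbook", 1),
    ])
    return db

def search_vulnerable(db: sqlite3.Connection, term: str) -> list:
    # Weak: the search term becomes part of the SQL text, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT title FROM docs WHERE internal = 0 "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db: sqlite3.Connection, term: str) -> list:
    # Hardened: the term is bound as data and can never change the statement.
    # LIKE wildcards in the input are escaped so they match literally.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT title FROM docs WHERE internal = 0 "
           "AND title LIKE ? ESCAPE '\\'")
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]

# Constructed input that rewrites the WHERE clause in the vulnerable version.
CRAFTED = "' OR 1=1 --"
```

With the constructed input, `search_vulnerable` returns every row including the internal one, while `search_parameterized` treats the same input as literal text and returns nothing.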

Exactly how much information was taken from the database is unknown, but at least 11 accounts have had their password hashes posted online.

The folks who head the Nokia Developer page have been notified of the breach and hopefully they are scrambling to close the current known hole and then tasking a team to search through all of their public facing pages and lock them down.

Android Malware Trend Continues, GingerMaster Targeting Gingerbread

The first piece of malware for Android 2.3 ‘Gingerbread’ has been spotted. Working alongside NetQin, a mobile security firm, security researcher Xuxian Jiang has located and detailed the inner workings of GingerMaster, the first piece of malware that attacks Android Gingerbread.

Using Gingerbreak, which is the latest exploit for gaining root access to Gingerbread, the malware gathers information about the infected device and sends it to a remote server. In addition to exfiltrating the IMEI, phone number and SIM serial, GingerMaster creates a backdoor root shell, stored in the system partition in an attempt to survive software upgrades, to allow an attacker to access the device at will.

The malware also acts as a trojan horse. Registering on a remote server, the application will sit and wait for instructions on a ‘command and control’ channel. This allows for an attacker to remotely trigger events, such as downloading and installing more malware without the user knowing or reading personal information saved on the phone.

With more and more malware for Android popping up, looking to mobile security software as a means to protect your device is a good choice, but using common sense when downloading applications from official stores and understanding the risks of giving permissions to apps is a better way to protect yourself from these threats. While both Google and Apple are looking for ways to implement a “kill switch” for unauthorized devices or applications, this is a reactive measure to an inherent problem with all security implementations: they rely on the user.

Microsoft Products Steer Clear of Vulnerability Leaderboard

In its latest quarterly malware report, Kaspersky Labs has released key trends after analysing vast numbers of IT threats during the second quarter of 2011.

Software Makers

The top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (by virtue of Java vulnerabilities). With great improvements in the Windows update mechanism and several Windows XP users moving to a more secure Windows 7 experience, Microsoft no longer features in the list. Incidentally, seven of the top 10 vulnerabilities were found in Adobe Flash Player alone!

Web-surfing

Navigating the web remains the riskiest activity on the Internet. 87 per cent of the websites used to spread malicious programs were concentrated in just 10 countries, with the US based websites leading the pack.

Local infection

The number of fake antivirus programs detected globally by Kaspersky Lab has increased, and the number of users whose computers blocked attempts to install counterfeit software increased 300 per cent in just three months of the last quarter.

India was among the top 10 countries with highest risk of local infection on computers. Every second computer in the country was at risk of local infection at least once in the past three months.

Botnet controllers see India as a place with millions of unprotected and un-patched computers which can remain active on zombie networks for extended periods of time.

– Yury Namestnikov, Senior Virus Analyst at Kaspersky Lab

Hacking

Interestingly, 2011 can go down in technology history as the year of hacking, since services from several major organizations like Sony, Honda, Fox News, Epsilon, and Citibank were hacked and disrupted.

Mobile

The number of mobile threats targeting different mobile platforms has increased exponentially. In the second quarter of 2011, the detected threats running on J2ME doubled while those on Android nearly tripled. Malicious programs continue to be detected in the official Android Market.