A take on the security news, week 05 2015

Mon 26 January 2015

A take on the security news, week 05 / 2015. I summarize some of the information security news that I considered noteworthy this week.
Topics: the Flash vulnerability, the glibc buffer overflow, the McAfee secure browser and the Yosemite 10.10.2 update.

Monday

Adobe Flash Stealth Update

Adobe has patched Flash to fix a zero-day vulnerability (CVE-2015-0311). If you have auto-update enabled you are already patched; manual downloads are coming later this week.

The exploit has already been detected in the wild, so please update as soon as possible.

http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2015-0311-flash-zero-day-vulnerability/

http://helpx.adobe.com/security/products/flash-player/apsa15-01.html

http://blogs.adobe.com/psirt/?p=1160

Critical Vulnerability in Symantec

The server component used to manage Symantec's products suffers from several vulnerabilities, including SQL injection, XSS and information leakage.

The vulnerabilities were responsibly disclosed to Symantec, and patches are now available.

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00

PHP Unserialize fixed again

PHP's unserialize() function has been fixed again (bug #68710).

https://bugs.php.net/bug.php?id=68710

Tuesday

Thunderstrike patched in OS X 10.10.2

The attack, which targets Apple hardware through the Thunderbolt port, appears to be blocked by the upcoming 10.10.2 release. The release has been seeded to developers and will be available to everyone soon.

No use of Thunderstrike in the wild has been reported, and the attack requires physical access to the target machine.

Thunderstrike is an attack that allows the attacker to modify the boot ROM through the Thunderbolt port.

Yosemite 10.10.2 also closes three other vulnerabilities reported by Project Zero.

http://www.imore.com/thunderstrike-attack-also-fixed-os-x-10102

http://www.imore.com/latest-os-x-10102-beta-kills-google-disclosed-vulnerabilities-dead

Finding local IP addresses with JavaScript

This technique leverages WebRTC to obtain local IP addresses. By making requests to a STUN server it is possible to learn a user's local IP addresses behind the NAT. STUN requests are made outside the normal XMLHttpRequest procedure, so they do not show up in the developer console and cannot be blocked by AdBlock and similar extensions.

The WebRTC API is available in newer versions of Firefox and Chrome.

https://github.com/diafygi/webrtc-ips

Free McAfee secure web browser

Aimed at users who want to open new accounts securely, this new browser from McAfee includes a password manager, form autofill, automatic login, enterprise-level encryption and more.

https://www.mcafeesecure.com/get-connect/

Wednesday

glibc vulnerability (GHOST)

A critical buffer overflow vulnerability has been found in the gethostbyname() and gethostbyname2() functions of the glibc library.

glibc versions before 2.18 (August 2014) are vulnerable. You can check your version with:

$ ldd --version

Patch as soon as possible. The major Linux distributions are already shipping patches through their package systems. Start with your mail servers, then web servers, and then the rest.

The vulnerability has been proven to affect Exim, Postfix and PPTP, but many more services are probably affected.
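As an added example (not from the original post), here is a small POSIX shell check that parses the version line printed by ldd --version and compares it with 2.18; the function names are my own. Keep in mind that distributions backport the fix without bumping the version number, so an old version means "check your distribution's advisory", not "certainly vulnerable".

```shell
#!/bin/sh
# Added example: compare the glibc version reported by `ldd --version`
# with 2.18, the first upstream release containing the gethostbyname() fix.

# Print the glibc version (e.g. "2.17") from the full output of `ldd --version`.
# Prints nothing if the first line does not look like GNU libc (e.g. musl).
# First-line formats this handles (constructed samples in the distros' style):
#   "ldd (GNU libc) 2.17"
#   "ldd (Debian GLIBC 2.13-38+deb7u6) 2.13"
#   "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.10) 2.15"
glibc_version_from_ldd() {
    printf '%s\n' "$1" | awk 'NR == 1 && tolower($0) ~ /glibc|gnu libc/ { print $NF }'
}

# Return 0 (true) when the version string is older than 2.18, else 1.
glibc_version_is_pre_fix() {
    ver=$1
    major=${ver%%.*}
    case $ver in
        *.*) minor=${ver#*.}; minor=${minor%%[!0-9]*} ;;   # "2.13-38" -> 13
        *)   minor=0 ;;
    esac
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 18 ]; then return 0; fi
    return 1
}

# Run the check against the glibc the current system uses.
check_running_glibc() {
    ver=$(glibc_version_from_ldd "$(ldd --version 2>/dev/null)")
    if [ -z "$ver" ]; then
        echo "could not determine a glibc version from ldd --version"
        return 2
    fi
    if glibc_version_is_pre_fix "$ver"; then
        # Distributions backport the fix without changing this number, so an old
        # version means "check your distribution's advisory", not "certainly vulnerable".
        echo "glibc $ver is older than 2.18: verify that your distribution's GHOST fix is installed"
    else
        echo "glibc $ver contains the upstream fix"
    fi
}

# Keep going even when no glibc is found, so the functions above stay usable.
check_running_glibc || echo "check incomplete (exit status $?)"
```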

http://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679

https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability

OS X 10.10.2 and iOS 8.1.3

Apple released security updates for OS X, Safari, iOS and Apple TV.

The 10.10.2 update fixes some reported problems with Wi-Fi connectivity, patches the Thunderbolt vulnerability and the Spotlight privacy issue that I wrote about last year. It also patches two vulnerabilities reported by Project Zero.

Android WiFi-Direct Denial of Service

Some Android devices are vulnerable to a DoS when scanning for WiFi-Direct services. An attacker could craft a malicious response packet that causes the Dalvik subsystem to reboot.

Avoid using WiFi-Direct or update to a non-vulnerable version of Android.

http://www.coresecurity.com/advisories/android-wifi-direct-denial-service

Thursday

Blackphone Text Messaging Flaw

A memory corruption vulnerability has been found in the Blackphone messaging app. The vulnerability can be triggered remotely if the attacker knows the victim's Silent Circle ID or phone number, because the flaw is in the decoding of text messages and the phone starts parsing a message as soon as it is retrieved.

If exploited, the attacker gets the privileges of the messaging app, which allow them to decrypt messages, write to external storage, read contacts, read location information and more.

The vulnerability has been patched, and the fix is available as a software update.

http://blog.azimuthsecurity.com/2015/01/blackpwn-blackphone-silenttext-type.html

Large malvertising campaign targeting xhamster

Malwarebytes is reporting a growth in exploit attempts using the recent Flash vulnerability. The exploit is spread through malvertising campaigns in which the attacker simply buys advertising space on the site. One site targeted is the popular adult website xHamster.

https://blog.malwarebytes.org/exploits-2/2015/01/top-adult-site-xhamster-involved-in-large-malvertising-campaign/

Friday

RansomWeb encrypts a website's database

RansomWeb encrypts your database with a key, then waits silently for some time to ensure that all backups have been overwritten with the encrypted database. When ready, the attacker removes the key, leaving the database unreadable, and an email demanding money is sent to the victim.

This follows the same pattern we have seen for files (CryptoLocker) and storage devices (SynoLocker), now extended to websites.

It is special because the attacker inserts himself between your application and the database, encrypting data going into the database and decrypting it on the way out, so the site keeps working normally while the backups are silently overwritten. The key is stored on a remote server and fetched via an HTTP request.

https://www.htbridge.com/blog/ransomweb_emerging_website_threat.html

ZeroAccess botnet resumes activity

ZeroAccess (also known as Sirefef) is a peer-to-peer botnet used for advertising click fraud. It was disrupted in December 2013 but was active again from March until July last year. After being silent for over six months, it has now started distributing click-fraud templates again.

http://www.secureworks.com/resources/blog/zeroaccess-botnet-resumes-click-fraud-activity-after-six-month-break/