A take on the security news, week 16 2015

Mon 13 April 2015

A take on the security news, week 16 / 2015. I summarize some of the information security news that I considered noteworthy this week:
the massive DDoS attack against GitHub and GreatFire.org, Patch Tuesday, the IIS HTTP.sys vulnerability and Chrome pulling the plug on NPAPI.

Monday

China's Great Cannon

Citizen Lab has taken a closer look at how Chinese network infrastructure was turned into a DDoS tool against GitHub and GreatFire.org. They have labeled it the Great Cannon and describe it as a distinct system that sits alongside the Great Firewall rather than being part of it. Where the firewall inspects traffic and drops what it dislikes, the Great Cannon sits in-path and rewrites it: it intercepted unencrypted requests for Baidu's JavaScript and substituted a script that made the visitors' browsers hammer the targets with requests. The attack only works against plaintext HTTP, which is one more argument for serving everything over TLS.

https://citizenlab.org/2015/04/chinas-great-cannon/#4

Reversing Belkin's WPS PIN algorithm

One recurring shortcoming of WPS has been that the vendor algorithms used to generate the default PIN produce predictable PINs.

The problem is which data is used to seed the PIN. In the Belkin case the algorithm uses the last four characters of the serial number combined with the MAC address. The catch is that the device broadcasts both the serial number and the MAC address as part of the WPS exchange, so every input to the algorithm is known to an attacker within radio range, who can then compute the PIN instead of guessing it.

The advice is to avoid WPS if you can. Even on devices where the PIN algorithm is not flawed, PINs are easy to brute-force: the protocol confirms each half of the 8-digit PIN separately, and the last digit is a checksum over the other seven, so an attacker needs at most 10,000 + 1,000 = 11,000 attempts rather than 10^8.

http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/
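To make the brute-force argument concrete, here is an added example (my code, not the linked post's and not Belkin's algorithm): the WPS checksum digit, and a toy registrar that, like the real protocol, rejects the two halves of the PIN separately, so the attacker recovers the PIN in at most 11,000 attempts. The `ToyRegistrar` class and the PIN 8675309 are invented for the demonstration.

```ruby
# Added example: WPS PIN checksum and the split-half brute force it enables.
# This is illustrative code, not the Belkin algorithm from the linked post.

# A WPS PIN is 8 digits; the 8th is a checksum over the first 7, computed
# with alternating weights 3,1,3,1,... starting from the rightmost digit.
def wps_checksum(pin7)
  accum = 0
  pin = pin7
  while pin > 0
    accum += 3 * (pin % 10)
    pin /= 10
    accum += pin % 10
    pin /= 10
  end
  (10 - accum % 10) % 10
end

# Build the full 8-digit PIN string from its 7 significant digits.
def wps_pin_from_7(pin7)
  format('%07d%d', pin7, wps_checksum(pin7))
end

# Hypothetical registrar (the access point side). Like the real protocol it
# answers the first half of the PIN (after M4) and the second half (after M6)
# separately, which is the root of the brute-force weakness.
class ToyRegistrar
  attr_reader :attempts

  def initialize(pin)
    @pin = pin
    @attempts = 0
  end

  def first_half_ok?(half)
    @attempts += 1
    @pin[0, 4] == half
  end

  def second_half_ok?(half)
    @attempts += 1
    @pin[4, 4] == half
  end
end

# Brute force: up to 10^4 guesses for the first half, then up to 10^3 for the
# second half, because the checksum digit is determined by the other seven.
def crack_wps_pin(registrar)
  first = (0...10_000).map { |i| format('%04d', i) }
                      .find { |h| registrar.first_half_ok?(h) }
  return nil unless first

  (0...1000).each do |i|
    candidate = wps_pin_from_7((first + format('%03d', i)).to_i)
    return candidate if registrar.second_half_ok?(candidate[4, 4])
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  target = wps_pin_from_7(8675309) # constructed sample PIN
  reg = ToyRegistrar.new(target)
  puts "recovered #{crack_wps_pin(reg)} in #{reg.attempts} attempts (max 11000)"
end
```

Real attacks are slowed only by the access point's rate limiting and lockout behaviour, not by the size of the PIN space, which is why the advice remains to turn WPS off.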

Tuesday

Ruby wildcard certificate verification fix

A review of how Ruby's OpenSSL extension checks hostnames against wildcard certificates found that it matched them too permissively (CVE-2015-1855). The wildcard '*' was accepted in any label of the name rather than only as the leftmost label, so a certificate could be accepted for hosts it was never issued for. A similar problem was found in Python a while ago.

It is strongly recommended to upgrade Ruby.

https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
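To show what "too permissive" means in practice, here is an added example in Ruby (my code, not the Ruby OpenSSL extension's): a loose matcher that treats '*' as "anything, anywhere", which is the shape of bug the advisory describes, next to a strict matcher that follows the RFC 6125 rules (wildcard only as the entire leftmost label, matching exactly one label, case-insensitive comparison). The hostnames used are constructed examples.

```ruby
# Added example: permissive vs. strict wildcard hostname matching.
# Not the Ruby stdlib implementation; written to illustrate the bug class.

# Permissive matcher: converts the certificate name into a regex where every
# '*' becomes '.*'. A wildcard in any label, or a partial wildcard, matches far
# more than intended.
def permissive_match?(pattern, hostname)
  re = '\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z'
  Regexp.new(re, Regexp::IGNORECASE).match?(hostname)
end

# Strict matcher following RFC 6125 section 6.4.3:
#  - same number of labels on both sides, no empty labels
#  - '*' only as the whole leftmost label, matching exactly one label
#  - no partial wildcards such as 'w*.example.com'
#  - a wildcard name needs at least three labels ('*.com' is rejected)
#  - comparison is case-insensitive; the hostname itself may not contain '*'
def strict_match?(pattern, hostname)
  return false if hostname.include?('*')

  p_labels = pattern.downcase.split('.', -1)
  h_labels = hostname.downcase.split('.', -1)
  return false if p_labels.size != h_labels.size
  return false if p_labels.any?(&:empty?) || h_labels.any?(&:empty?)
  return false if p_labels.first == '*' && p_labels.size < 3

  p_labels.each_with_index.all? do |pl, i|
    hl = h_labels[i]
    if pl == '*'
      i.zero?                 # a full-label wildcard is only legal leftmost
    elsif pl.include?('*')
      false                   # partial wildcards are rejected outright
    else
      pl == hl
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  cases = [
    ['*.example.com',     'www.example.com'],
    ['*.example.com',     'a.b.example.com'],
    ['www.*.example.com', 'www.evil.example.com'],
    ['w*.example.com',    'www.example.com'],
  ]
  cases.each do |pat, host|
    puts format('%-22s %-24s permissive=%-5s strict=%s',
                pat, host, permissive_match?(pat, host), strict_match?(pat, host))
  end
end
```

The two cases where the matchers disagree are exactly the ones that matter for a certificate: a multi-label match for '*.example.com' and a wildcard in a non-leftmost label both let a certificate holder impersonate hosts the CA never vetted.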

Wednesday

Microsoft Patch Tuesday

In total 11 bulletins this month, 4 of which are rated critical.

  • MS15-032: cumulative update for Internet Explorer, fixing a list of privately reported vulnerabilities. None of them has been seen exploited in the wild yet.
  • MS15-033: Microsoft Office, fixing several vulnerabilities, one of which allows remote code execution and one of which has been publicly disclosed.
  • MS15-034: HTTP.sys, allows remote code execution if a crafted HTTP request is sent to a server running HTTP.sys (which includes IIS).
  • MS15-035: Microsoft graphics component, rated critical because exploitation requires no user interaction. You don't have to open a file or take any other deliberate action to get exploited.

https://technet.microsoft.com/library/security/ms15-apr

Adobe updates

Adobe released an update to Flash Player for Windows, Mac and Linux. Exploits have been seen in the wild, so update as soon as possible.

https://helpx.adobe.com/security/products/flash-player/apsb15-06.html

Chrome drops NPAPI

NPAPI is disabled by default from Chrome version 42. If you still need NPAPI support it can be re-enabled through a browser flag or through Chrome enterprise policies. In September the support will be removed entirely.

If you still want to run Java in Chrome you first have to re-enable NPAPI support in the browser and then install Java. This makes it much harder to use Java in the Chrome browser, which from a security standpoint is a good thing.

https://developer.chrome.com/extensions/npapi

http://blog.chromium.org/2013/09/saying-goodbye-to-our-old-friend-npapi.html

Thursday

MS15-034

This vulnerability in HTTP.sys, the kernel-mode HTTP driver that IIS is built on, was patched yesterday and is now being exploited in the wild. It can be used for denial of service and possibly remote code execution, and it is easy to trigger: a single crafted HTTP request is enough. If you have vulnerable servers, update as soon as possible.

Vulnerable systems are:

  • Windows 7
  • Windows Server 2008 R2
  • Windows 8
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2

HTTP.sys is used by any version of IIS running on one of these operating systems, and by anything else that registers URLs with it, so the exposure is not limited to IIS.

HTTP.sys was introduced with IIS 6.

https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583

http://blog.didierstevens.com/2015/04/17/ms15-034-detection-some-observations/

Oracle critical updates

Oracle released its quarterly Critical Patch Update with fixes for 90 vulnerabilities across a range of products.

14 of the vulnerabilities are in Java, 3 of which could lead to remote code execution.

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Friday

MS15-034 update

This vulnerability is now actively used to knock servers over with denial-of-service requests. There are also more proof-of-concept write-ups showing how it can be leveraged for other classes of attack (i.e. information leakage or remote code execution).

https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/

Insecure voting machines

The Virginia Information Technologies Agency has examined the WINVote machines used for electronic voting. The machines communicated over WiFi, so anyone within WiFi range (i.e. in a parking lot outside) could attempt to break into them. The WiFi encryption (WEP) and the passwords used on the machines were trivially breakable, and the machines did not log events, so if an attack had happened no one would ever know.

The machines also lack physical security and expose USB ports, so an attacker with physical access can load malware onto them.

The machines, in use since 2002, are now decertified.

https://threatpost.com/virginia-voting-machines-exposed-to-simple-potentially-election-altering-hacks-since-2004/112297