A take on the security news, week 38

Sat 20 September 2014

A take on the security news, week 38 / 2014. I summarize the information security news I considered noteworthy this week.

Monday:

Are public credential dumps worth reviewing

Is there anything to learn by reading dumps from breached databases or other sources? This post gives a few suggestions on how you can learn and act upon those massive breaches we see too often nowadays.

https://isc.sans.edu/forums/diary/Are+credential+dumps+are+worth+reviewing/18641

http://en.blog.wordpress.com/2014/09/12/gmail-password-leak-update/

Password managers, attacks and defenses

A paper released by Stanford researchers looks at popular password managers and their policies for automatically filling in web passwords.

The paper covers the password managers built into the major browsers, along with a range of third-party solutions.

https://crypto.stanford.edu/~dabo/pubs/papers/pwdmgrBrowser.pdf

Slider Revolution plugin critical vulnerability being exploited

The exploit allows attackers to download any file from the server. This means that an attacker could download, for example, wp-config.php and thus obtain the credentials to the database and other resources on the system.

The affected plugin is one of the more popular ones, and it is bundled with many WordPress themes (so you can have the affected plugin without knowing it). Check your plugin list and update if needed.

http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
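As an added example (not from the post or from Sucuri), a small scan over web server access logs that flags requests whose query parameters traverse directories or name wp-config.php, which is what an arbitrary-file-download bug like this one ends up being used for. The log lines, the plugin path and the parameter name are constructed for illustration; the vulnerable plugin's actual request format is not reproduced here.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format log lines (illustration only, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2014:10:12:01 +0000] "GET /wp-content/plugins/example-plugin/?file=../../wp-config.php HTTP/1.1" 200 2411 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Sep/2014:10:12:09 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Sep/2014:10:13:40 +0000] "GET /wp-admin/admin-ajax.php?action=show&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2411 "-" "curl/7.30"
192.0.2.9 - - [15/Sep/2014:10:14:02 +0000] "GET /?s=wp-config HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Files that an arbitrary-download bug on a WordPress host is typically used to fetch.
SENSITIVE_FILES = ("wp-config.php", "/etc/passwd")


def suspicious_params(url):
    """Return (name, decoded value) for query parameters that traverse directories
    or point at a sensitive file. parse_qsl already percent-decodes; unquote again
    catches double-encoded values."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote(value).replace("\\", "/")
        if "../" in decoded or any(decoded.endswith(f) for f in SENSITIVE_FILES):
            hits.append((key, decoded))
    return hits


def scan_log(text):
    """Return (ip, status, url, hits) for every request that looks like a file download
    attempt. A 200 status on such a request means the server most likely served the file."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("url"))
        if hits:
            findings.append((m.group("ip"), int(m.group("status")), m.group("url"), hits))
    return findings


if __name__ == "__main__":
    for ip, status, url, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {url} -> {hits}")
```

A plain search for the string wp-config in the URL would also flag the harmless site search on the last line; keying on the decoded parameter value avoids that.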

Tuesday:

Same origin bypass in Android browser

One of the fundamental security mechanisms, the same-origin policy, has been shown to be broken in the Android browser. The same-origin policy ensures that sites from different origins cannot read or act on each other's resources (location, responses, cookies, etc.).

It looks like Android 4.3 and earlier are affected, and there is an exploit for this vulnerability in the Metasploit framework. So the advice is: switch to another browser if you are on an affected Android version that does not receive updates.

http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html

Wednesday:

Adobe releases the delayed Acrobat and Reader bulletins

Rated as priority 1 on Windows and Mac, so there may already be exploits running in the wild. This bulletin fixes 8 issues, some of which can lead to remote code execution (RCE) and a full sandbox escape.

http://helpx.adobe.com/security/products/reader/apsb14-20.html

Denial of Service in FreeBSD TCP packet processing

This attack is similar to the "slipping in the TCP window" attack from 2004, but with SYN packets instead of RST. It affects all supported versions of FreeBSD, and therefore a lot of products not necessarily thought of as FreeBSD-based (Blue Coat, Juniper Junos, OS X, NetApp, etc.).

https://www.freebsd.org/security/advisories/FreeBSD-SA-14:19.tcp.asc

New TLD, a scammers dream come true

Top-level domains such as .support and .club are now actively being misused by scammers. Since the domains are up for grabs (the scammers simply buy them), they can also protect them with a valid SSL certificate, and thus get the green padlock in the victim's browser.

https://isc.sans.edu/forums/diary/https+yourfakebank+support+--+TLD+confusion+starts+/18651

Thursday:

iOS 8 update

This week's big operating system release, iOS 8, brings more than 50 security/privacy fixes (and potentially new bugs). One of the changes is a randomized MAC address as long as the device is not associated with an AP. Another is that the weather application now encrypts the user's location when transmitting data.

http://support.apple.com/kb/HT6441?viewlocale=en_US&locale=en_US

OWASP Releases new Web App Testing Guide (Version 4.0)

A lot of good advice on how to test your web application. This guide lists all of the common web application vulnerabilities and how to test for them. The guide also contains screenshots and code snippets. The document spans 220 pages and is available for free download.

https://www.owasp.org/images/1/19/OTGv4.pdf

Friday:

PHP 5.4 and 5.5 updates fix several bugs

Ten bugs were fixed in version 5.4.33 and 15 bugs were fixed in version 5.5.17. As usual the advice is to update as soon as possible.

The latest version can be downloaded from: http://windows.php.net/download/

Home Depot releases scope of the breach

56 million credit cards were compromised in the attack, making it bigger than the Target breach (40 million credit cards compromised).

http://media.corporate-ir.net/media_files/IROL/63/63646/HD_Data_Update_II_9-18-14.pdf

Apple phishing email

Fake emails claiming to be from Apple support are circulating. The phishing email states that "your account is about to expire in 48 hours" and "just click the link below".

As always, don't click that link!

https://isc.sans.edu/forums/diary/Apple+Phishing+emails/18669

eBay suffers XSS attack

Malicious code in eBay ads redirects the user to a fake eBay login site, asking them to provide their login details.

Be aware, and check the address you are redirected to.

http://www.bbc.com/news/technology-29241563