A take on the security news, week 40

Fri 03 October 2014

A take on the security news, week 40 / 2014. I summarize some of the news that I considered noteworthy related to information security this week.

  • Monday

Shellshock update

Scans and bots are now looking for unpatched servers. The attackers are looking for scripts that are deployed by common used packages.

https://isc.sans.edu/forums/diary/Why+We+Have+Moved+to+InfoCon+Yellow/18715

https://isc.sans.edu/forums/diary/What+has+Bash+and+Heartbleed+Taught+Us+/18717

iOS 8 MAC randomization ususally disabled

The MAC randomization feature does not work if the location services is turned on (which is true in most cases). The feature only works on iPhone 5s. It also seems that you have to turn of the cellular data connection to get randomized MAC address.

With this presumption it looks like you can hava random MAC addresses, but not a useful phone, or a useful phone, but not MAC randomization.

http://blog.airtightnetworks.com/ios8-mac-randomization-analyzed/

  • Tuesday

Shellshock Bash code injection update

A lot of live checking after shellshock vulnerability. There is now a total of 6 vulnerabilities discovered in bash, so keep up the patching.

https://isc.sans.edu/forums/diary/Shellshock+Updated+Webcast+Now+6+bash+related+CVEs+/18727
https://isc.sans.edu/forums/diary/Shellshock+A+Collection+of+Exploits+seen+in+the+wild/18725

Apple releases Bash update

There is now an update available for Lion, MountainLion and Mavericks. The Mavericks update requires 10.9.5 or greater. The updates are not delivered via AppStore (at the time of writing), but as a separate download.

http://lists.apple.com/archives/security-announce/2014/Sep/msg00001.html

iOS 8 undocumented APIs leak phone call data

An evaluation of how third-part applications can affect the users privacy on iOS 8. The article creators investigated the sandboxing feature, looking for weaknesses.

http://www.andreas-kurtz.de/2014/09/malicious-apps-ios8.html

WordPress Vulnerability Database

Many of WordPress vulnerability is in themes and plugins, making it hard for administrators to have overview. The "Wordpress Vulnerability Database" is an initiative to help with this issue. And probably a good source for the bad guys too :/

https://wpvulndb.com/

  • Wednesday

Securing the Human october newsletter is out

http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201410_en.pdf

FBI open malware investigator portal for the public

For people who are analyzing a lot of malware it is now possible to upload it to FBI's analyzing tool and get an report back, indicating what it is, what it is targeting and the impact.

At the time of writing the portal is open for law enforcements only, but probablt it will be open for more people in a short time.

http://malwareinvestigator.gov/index.html

Cloudflare offers free SSL for everybody

Cloudflare is rolling out SSL certificates for all it users. They are stating that this will double the number of SSL enabled sites from 2 million to 4 million.

They are using what they call Universal SSL which encrypt data from outside to the Cloudflare network, but not inside their network. This is due to the fact that there are more customer's sites than IP-addresses.

This setup will provide security from attacks that are happening close to the browser (between browser and Cloudflare), but will not help against man-in-the-middle attack or eavesdropping between Cloudflare and the site's origin.

https://blog.cloudflare.com/introducing-universal-ssl/

  • Thursday

Shellshock update

It seems that SIP is vulnerable to shellshock, and there is an exploit "SIP Shock" that attacks vulnerable modem.

It seems that OpenVPN is vulnerable to shellshock attack, but only if you are authenticating using username and passwords.

There is also published bulletins from VMWare, HP & Cisco.

XEN Vulnerability

There is a bug in Xen version 4.1 and onward that can be lead to dataleakage. One HVM guest can crash or read the memory of another HVM guest. Only x86 systems are vulnerable.

http://xenbits.xen.org/xsa/advisory-108.html

Apple starts require app-specific password

Starting on October 1, 2014, app-specific passwords will be required to sign in to iCloud using any third party apps.

This will mostly affect third-party calendars and mail clients.

http://support.apple.com/kb/HT6186

  • Friday

Mac Adware (Free Internet Explorer on Mac)

If you search for Internet Explorer on Mac you might stumble upon an dmg from Trovi which offers this. If you read the EULA carefully you find that it behaves as Adware. It collect the following:

  • IP Address and device identifiers like UDID
  • web pages you visit and the content you see, access and utilize...
  • interactions on social networks
  • registration information you provide like name, address, e-mail, phone number, gender birthday

The application is signed by an Apple Developer (thus passing Gatekeeper) and provides you with a legitim version of IE5. But this is software that do more harm than good.

https://isc.sans.edu/forums/diary/Why+is+your+Mac+all+for+sudden+using+Bing+as+a+search+engine+/18753

Bad USB malware is now public

https://github.com/adamcaudill/Psychson

2nd Same Origin Flaw in Android Browser

Another "same-origin-policy" flaw is found in the Android browser. I wrote about the first one a couple of weeks ago. It seems that its time to move away from the default Android browser. This "same-origin-policy" bypass is present in versions prior to Android 4.4.

http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-android-browser/108653

Comments