A take on the security news, week 46

A take on the security news, week 46

Thu 13 November 2014

A take on the security news, week 46 / 2014. I summarize some of the news that I considered noteworthy related to information security this week.

  • Monday

Microsoft Patch Tuesday Pre-Announcement

16 bulletins are announced, 5 of them marked as critical. This past tuesday also include a patch to Exchange.


Chinese Routing Errors Redirect Russian Traffic

China Telecom had multiple occasions where traffic from and to Russia (Vimpelcom) was routed through China. This was caused by China Telecom start announcing routes from Vimpelcom to all of its peers.

The article also gives a background introduction to how BGP peering works between the big players.


New firmware available for Synology boxes

The new version of DSM adds a lot of security enhancement to your device. AppArmor is enabled and there is a new SecurityAdvisor that will help you configure your device in a safe manner. Support for 2-step verification and DSM Auto Update are also two new features that will come in handy.


Format string vulnerability in dpkg

A format string error is found in dpkg, the default package tool on Debian based Linux distributions. The attackvector is low, but it serves as a reminder about not installing packages from untrusted sources.


  • Tuesday

New potential iOS attack

Following last weeks Wirelurker attack Fireeye demonstrates a new potential attack against iOS. This attack depends on the ability to install additional software using enterprise profiles, just as Wirelurker did.

Enterprise profiles are certificates installed on the device that allows deployment of software directly to the device without goint through Appstore.

The attack starts with the user accepting a enterprise profile that then is installed to the device. Then the attacker sends an sms to the device with an link that must be clicked that then starts the software installation. The software installed can replace existing software, and if it do it will inherit all the access and data of the original application, i.e if the attacker install a malicious replacement of GMail they will have access to all your email.

To avoid this attack a user should not install unknown enterprise profiles and also not install software that does not come from the Appstore.

This attack, called an Masq attack, does not require the device to be jailbreaked.


Emet 5.1 available

The previous version Emet 5.0 is reported to have a problem with the patches today, so you probably want to upgrade Emet before applying todays patches.


Darkhotel report

Active for over 4 years, the Darkhotel APT has shown us a reason to not use hotel WiFi when travelling around. When interesting victims are connected to the hotell WiFi they are offered an maliciuos update to i.e Flash. When the update is installed the machine is infected and the attackers can get whatever data they want from the victims machine.

The Darkhotel APT has been targeted against business executives in several countries.


  • Wednesday

Adobe patches

The usual Adobe Air and Adobe Flash updates. This month there are 18 bulletins patched, some of them already being exploited.


Microsoft patches

Mondays prenotification mentioned 16 bulletins, but its actually just 14 released today. The two remaining bulletins will be released at a future date. Among whats patched is a critical vulnerability in Windows OLE, Internet Explorer, Schannel and XML Core services. All allows for remote code execution.

Remember to update Emet 5.0 to Emet 5.1 before applying the Internet Explorer patch, as mentioned earlier this week.

If you need to select patches start at the top and work down the list.


ISP downgrade customers mailsecurity

Researchers have discovered that ISPs are removing the STARTTLS flag from email traffic.

The STARTTLS flag is a indicator that the server can use to tell the client that we want to use encryption on the mail. When the STARTTLS flag is removed the email client will fail to encrypt mail and will default to plaintext.

This is possible due to the fact that the STARTTLS flag itself is not encrypted and thus can be modified. When STARTTLS Everywhere is implemented this downgrade attack will hopefully not be a problem anymore.


  • Thursday

A reading about ssh-agents

If you are not already familar with the concept of ssh-keys and ssh-agents this is must read for you.

The first article is an introduction to ssh-keys and ssh-agents

The second article gives some advices on what to do and not to do when using ssh-agents.



An update to the Schannel vulnerability

It seems that tuesday patch to schannel is affecting multiple vulnerabilities even if it was listed in just one CVE number. The Schannel is the standard SSL library on Windows and is therefor a critical component in the OS.

There is a couple of buffer-overrun flaws, and at least one fail to validate certification problem which allow connections that should not be allowed (allowing for at MITM attack). There is also a possibility for remote code execution.

So far there is no public exploit, but that will not last for long. This is probably this week's most important patch, so start patching your public servers, then internals.


  • Friday

Mobile Pwn2Own 2014

All phones tested were compromised thanks to webbrowser exploits and NFC bugs. Nine bugs were revealed and safely disclosed to the vendors.


Bypassing Microsoft's patch for Sandworm

Mcafee reveals how they bypass the MS patch from 17. October. The bypass no longer works after this week's patching so this reveal will not cause any harm, just more background information on the root of the problem.