A take on the security news, week 47

A take on the security news, week 47

Mon 17 November 2014

A take on the security news, week 47 / 2014. I summarize some of the news that I considered noteworthy related to information security this week.

This article is under development, one day at a time :)

  • Monday

Update on the Schannel announcement

The MS14-066 patch last week added some new ciphers to the system. It now seems that client that doesnt support the new ciphers fails to connect to the system at all. The quickfix is to disable the 4 new ciphers through the registry. What ciphers and how to modify the registry is described in the KB article below.

https://support.microsoft.com/kb/2992611

Exploit ready for the Windows OLE vulnerability

As expected last week, the announcement of an exploit of MS14-064 would been a short week away. Attack code is now available in the Metasploit framework and if you havent applied patches yet, its time to do so.

http://packetstormsecurity.com/files/129101/ms14_064_packager_run_as_admin.rb.txt

  • Tuesday

Updates for iOS, Apple TV and OSX Yosemite

Apple today released updates for iOS 8 and OS X 10.10 (Yosemite). There is at least one critical update for WebKit that affect all three platforms. The 10.10 Spotlight information leakage that I mentioned some weeks ago are also fixed in this update.

https://isc.sans.edu/forums/diary/Updates+for+OS+X+iOS+and+Apple+TV/18961

MS14-066 PoC/DoS exploit

There is now a proof of conecpt exploit that targets MS14-066. So far its a denial-of-service attack and you have to be a Rapid7 subscriber to be able to download the exploit. So far it seems that exploiting this vulnerability is far from trivial.

De-anonmyziation of Tor users

This paper looks into feasability and effectiveness of analyzing traffic inside the Tor network. If the attacker can insert enough nodes into the network he can use traffic analysis to determine the source of anonymous traffic.

https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545

  • Wednesday

Microsoft is patching out-of-band

A patch for MS14-068 was released and should be applied after you have tested it. This is the patch that was announced last monday, but didnt came on tuesday. The vulnerability let an attacker with the credentials of any domain user evalate priviliges to any other account, including domain administrators. This vulnerability allows for remote priviliege escalation and is therefore rated critical.

http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

Whatsapp is now encrypting

The popular messaging app Textsecure is now doing end-to-end ecryption. This new feature is available on Android devices, and is not available for group messages, photos and video messages. Whatsapp says that more platforms and coverage will be addedd.

http://www.wired.com/2014/11/whatsapp-encrypted-messaging/

New SSL authority offers free certificates

A group consisting of Mozilla, EFF, Cisco, Akamai and others are starting an initiative called letsencrypt. The goal is to make it easy and free for domain owners to acquire certificates. The process of ordering certificates should now be an easy task thanks to several scripts (management software) that is availble for different platforms. Letsencrypt launches in summer 2015 if everything goes according to plan.

https://www.letsencrypt.org

  • Thursday

NoSQL and security (or lack of it)

As a part of the Big Data hotness we get more and more NoSQL databases. This is databases that offers less feature in trade of higher speed. There is some security consideration that differs from NoSQL and the traditional SQL databases. So if you are deploying MongoDB, CouchDB, Elasticsearch or any of the other NoSQL it should be worth reading through.

So far the security had been caused by the obscurity, but we start seeing tools for scanning and exploitation of NoSQL databases, so its time for consider some real security now.

https://isc.sans.edu/forums/diary/+Big+Data+Needs+a+Trip+to+the+Security+Chiropracter+/18971

  • Friday

Critical XSS vulnerability in Wordpress

3.7.4, 3.8.4 and 3.9.2 is vulnerable and has to be upgraded. This specific XSS vulnerability is not prsent in 4.0, but if you upgrade to 4.0.1 you will be fixing several other issues. So upgrade as soon as possible, and maybe you should turn on autoupdate if you not already have done so.

https://wordpress.org/news/2014/11/wordpress-4-0-1/

Google release webapplication testbed

If you need to show off your pentester skills, or have a webapplication scanner that you need to test, Google has released "Firing Range" for you.

According to the github page: "Firing Range is a test bed for web application security scanners, providing synthetic, wide coverage for an array of vulnerabilities."

The tests are also available for download so you can play with them offline.

https://github.com/google/firing-range

CryptoPHP a new hidden threat to popular CMS

Fox IT has released a paper where they analyse what they call a new hidden threat found in several popular CMS. This threat start with website owners being social engineered to install a backdoor into their site. The backdoor is delivered through pirated themes and/or plugins for Wordpress, Drupal and Joomla CMS. When installed the backdoor is used to do Blackhat SEO.

https://foxitsecurity.files.wordpress.com/2014/11/cryptophp-whitepaper-foxsrt-v4.pdf

XSS vulnerability in jQuery

A vulnerability in jQuery's validation plugin was disclosed and patched this week. The problem was in a demo file that was included as a part of the captcha code and allowed for unchecked input from the user. I you have the jQuery valdiation plugin you should probably update or remove the problematic file.

http://sijmen.ruwhof.net/weblog/256-cross-site-scripting-in-millions-of-web-sites#more-256