A take on the security news, week 50
Yosemite Apple CoreGraphics are logging to /tmp
It is discovered that CoreGraphics on osx 10.10 have logging turned "on" by default (it was "off" in earlier versions of osx). These log files contain a record of all inputs into Mozilla programs during their operation.
If you are affected, go to your /tmp folder and delete occurences of CGLog_mozilla product, i.e CGLog_firefox.
Updating Firefox (FF34, FF ESR 31.3) and Thunderbird (TB 31.3) will fix the problem by turning CoreGraphics logging "off" again.
Cylance release operation Cleaver report
The cybersecurity firm claims that they have evidence to prove that Iranian hackers have infiltrated over 50 companies over the past two years.
The poodle bites again
Its discovered that despite the removal of SSL3, there is still sites that are vulnerable to the Poodle attack. This comes from the fact that the TLS's padding is a subset of SSL3's padding and its therefore a technical possibility that you can use a SSL3 decoding function with TLS. It was found that a number of major sites had this problem and the hosting of the sites are contacted.
Details and mitigations are available in the links below:
Reading local files from Facebook servers
A writeup on a Facebook vulnerability. Short story on how the writer tested some functions and discovered a vulnerability. The vulnerability is now fixed. It turned out that the vulnerability was in a 3rd party product, so you can not use it to steal someone's Facebook pictures.
Microsoft patch tuesday
Exchange, Internet Explorer, MS Word, MS Excel, Office Webapps and MS Office are all "Critical - patch now".
Adobe december patches
Coldfusion, Adobe Reader, Adobe Acrobat and Adobe Flash player needs updating this month.
iOS security updates
iOS 8.12 is now available.
Protocol handling issues in X servers
The vulnerability can be exploited to access uninitialized memory, or overwrite arbitrary memory, leading to denial of service or arbitrary code execution.
Mitigation is prohibiting x-connections from the network by setting "-nolisten tcp" and/or disable GLX indirect contexts.
InfiniteWP SQL Injection
A missing escaping of user-input allow for a sql-injection attack in the Wordpress administration tool InfiniteWP. There is also another issue related to improper hashing of passwords, which can lead to passwords be cracked. The password are stored as unsalted SHA1 hashes.
Upgrade to version 2.7.5 if possible.
Puttyrider, a tool for hicjacking putty sessions
This is a tool that let let you sniff and insert commands into an existing putty session. The idea is that an attacker can attack the sysadmin's Windows machine and then wait for putty sessions from the sysadmin's machine to the server. When this happens he can hicjack the session and inject shell commands with the priviligies of the sysadmin.
Wordpress XSS Exploitation
A realworld example of how easy it is to steal a username and password from an exploitable website. The writer state that he: "find the usual pop-up alert(1) window inadequate to demonstrate the potential consequences of XSS to non-security people.".