A take on the security news, week 50

Wed 10 December 2014

A take on the security news, week 50 / 2014. I summarize some of the news that I considered noteworthy related to information security this week.

Yosemite logging input to /tmp, Patch Tuesday, POODLE bites again, hijacking PuTTY sessions and a WordPress XSS attack.

  • Monday

Yosemite: Apple CoreGraphics is logging to /tmp

It has been discovered that CoreGraphics on OS X 10.10 has logging turned "on" by default (it was "off" in earlier versions of OS X). These log files contain a record of all input to Mozilla programs during their operation.

If you are affected, go to your /tmp folder and delete the CGLog_ files for each Mozilla product, e.g. CGLog_firefox.

Updating Firefox (FF 34, FF ESR 31.3) and Thunderbird (TB 31.3) fixes the problem by turning CoreGraphics logging "off" again.

https://www.mozilla.org/en-US/security/advisories/mfsa2014-90/

Cylance releases Operation Cleaver report

The cybersecurity firm claims to have evidence that Iranian hackers have infiltrated over 50 companies over the past two years.

http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf

http://www.engadget.com/2014/12/03/operation-cleaver-iran-hackers/

  • Tuesday

The POODLE bites again

It has been discovered that, despite the removal of SSL3, there are still sites vulnerable to the POODLE attack. The reason is that TLS's padding is a subset of what SSL3 accepts, so it is technically possible to reuse an SSL3 decoding function for TLS, and implementations that do so bring the weakness back. A number of major sites were found to have this problem, and the operators of those sites have been contacted.

Details and mitigations are available in the links below:

https://www.imperialviolet.org/2014/12/08/poodleagain.html

https://vivaldi.net/blogs/entry/not-out-of-the-woods-yet-there-are-more-poodles
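As an added illustration (not code from the linked posts), the two padding checks side by side: the SSL3-style check inspects only the padding-length byte, while the TLS check verifies every padding byte. Every TLS-padded record is therefore accepted by the SSL3 routine, but the SSL3 routine also accepts records whose filler bytes have been altered. A 16-byte block size and the sample records are assumptions for the demonstration.

```python
import os

BLOCK = 16  # assumed block size (e.g. AES-CBC) for the demonstration


def ssl3_padding_ok(plaintext: bytes, block_size: int = BLOCK) -> bool:
    """SSL 3.0 check: only the final byte (the padding length) is inspected.
    The filler bytes before it may hold any value."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < block_size and len(plaintext) > pad_len


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0+ check: the length byte and every filler byte must all carry
    the same value, so the padding is not malleable."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if len(plaintext) <= pad_len:
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def pad_tls(data: bytes, block_size: int = BLOCK) -> bytes:
    """Minimal TLS-style padding: pad_len + 1 bytes, each equal to pad_len."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size
    return data + bytes([pad_len]) * (pad_len + 1)


def pad_ssl3(data: bytes, block_size: int = BLOCK) -> bytes:
    """SSL 3.0 padding: same length, but the filler bytes are arbitrary."""
    pad_len = (block_size - (len(data) + 1) % block_size) % block_size
    return data + os.urandom(pad_len) + bytes([pad_len])


def tls_padding_is_subset_of_ssl3(block_size: int = BLOCK) -> bool:
    """The claim above: every minimal TLS padding is also valid SSL3 padding,
    so an SSL3 decoding routine accepts TLS records without complaint."""
    return all(ssl3_padding_ok(pad_tls(b"x" * n, block_size), block_size)
               for n in range(1, 4 * block_size))


def ssl3_check_accepts_malleable_padding() -> bool:
    """Why reusing the SSL3 check for TLS is dangerous: a record whose filler
    bytes were changed still passes the SSL3 check but fails the TLS one."""
    rec = pad_tls(b"GET / HTTP/1.1")  # constructed sample record
    pad_len = rec[-1]
    if pad_len == 0:
        return False  # no filler bytes to alter in this record
    tampered = rec[:-(pad_len + 1)] + bytes(pad_len) + rec[-1:]  # zero the filler
    return ssl3_padding_ok(tampered) and not tls_padding_ok(tampered)
```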

Reading local files from Facebook servers

A write-up of a Facebook vulnerability: a short story of how the writer tested some functions and discovered a vulnerability, which has since been fixed. It turned out that the vulnerability was in a third-party product, so it could not be used to steal someone's Facebook pictures.

http://josipfranjkovic.blogspot.no/2014/12/reading-local-files-from-facebooks.html

  • Wednesday

Microsoft Patch Tuesday

Exchange, Internet Explorer, MS Word, MS Excel, Office Webapps and MS Office are all "Critical - patch now".

https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+-+December+2014/19043

Adobe December patches

ColdFusion, Adobe Reader, Adobe Acrobat and Adobe Flash Player need updating this month.

http://helpx.adobe.com/security.html

iOS security updates

iOS 8.12 is now available.

http://support.apple.com/en-us/HT1222

  • Thursday

Protocol handling issues in X servers

These vulnerabilities can be exploited to access uninitialized memory or overwrite arbitrary memory, leading to denial of service or arbitrary code execution.

Mitigation: prohibit X connections from the network by starting the X server with "-nolisten tcp", and/or disable GLX indirect contexts.

http://lists.x.org/archives/xorg-announce/2014-December/002500.html

InfiniteWP SQL Injection

Missing escaping of user input allows an SQL injection attack in the WordPress administration tool InfiniteWP. There is also another issue related to improper hashing of passwords, which can lead to passwords being cracked: the passwords are stored as unsalted SHA1 hashes.

Upgrade to version 2.7.5 if possible.

https://www.securityweek.com/sql-injection-other-vulnerabilities-found-infinitewp-admin-panel

  • Friday

PuttyRider, a tool for hijacking PuTTY sessions

This is a tool that lets you sniff and insert commands into an existing PuTTY session. The idea is that an attacker compromises the sysadmin's Windows machine and then waits for PuTTY sessions from that machine to the server. When one is opened, he can hijack the session and inject shell commands with the privileges of the sysadmin.

https://github.com/seastorm/PuttyRider

WordPress XSS exploitation

A real-world example of how easy it is to steal a username and password from an exploitable website. In the writer's words, he wrote it because he finds "the usual pop-up alert(1) window inadequate to demonstrate the potential consequences of XSS to non-security people."

https://blog.gaborszathmari.me/2014/12/10/wordpress-exploitation-with-xss/