Security Weekly News 11 March 2011 – Summary

Feedback and/or contributions to make this better are appreciated and welcome
Highlighted quotes of the week:
“Pwn2own breaking news: browsers still have vulnerabilities, and there still are people who know how to exploit them.” – Michal Zalewski
“Just reached a company CEO on his cell to tell him that his firm’s dbase & cust. CCs are pwnd. he said “bullshit,” hung up on me.” – Brian Krebs
“Impressed by potential new customer. He asks me for my GPG key.” – Stefan Esser
“Our security testing team has a suite of testing tools – WebInspect and AppScan included, but to date we have never seen one single tool that can do everything, understand everything and give reliable results.” – Tim Holman
“People have been saying black-box testing is dead for years (me included) but we still do it and find value in it.” – Chris Weber
“Other day I bypassed a well-known IPS with the simple evassion MySQL trick during a demo by vendor :). Are IPS really useful?” – Román Medina-Heigl

To view the full security news for this week please click here (Divided in categories, There is a category index at the top): The categories this week include (please click to go directly to what you care about): Hacking Incidents / Cybercrime, Software Updates, Business Case for Security, Web Technologies, Network Security, Database Security, Mobile Security, Physical Security, Tools, Funny

Highlighted news items of the week (No categories):
Not patched: Search for Pwn2Own in the Full List or Summary 🙂
Updated/Patched: March 2011 Microsoft Black Tuesday Summary, VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm., Firefox v.3.6.15, released, Chrome Stable Release, iOS 4.3 released, numerous security vulnerabilities patched, About Safari 5.0.4, Java for Mac OS X 10.6 Update 4, Java for Mac OS X 10.5 Update 9, Subversion 1.6.16 blocks a denial of service issue, Thunderbird v.3.1.9, released

Average site is exposed about 270 days of the year, according to report
The average website has serious vulnerabilities more than nine months of the year, according to a new report issued yesterday.
According to a study issued by researchers at WhiteHat Security, the average site is exposed about 270 days of the year. 'Information Leakage' has replaced cross-site scripting (XSS) as the most common website vulnerability, the report says.
The report examined data from more than 3,000 websites across 400 organizations that are continually tested for vulnerabilities by WhiteHat Security's Sentinel service. The study offers a look at sites' 'Window of Exposure,' which measures not only the vulnerabilities found in sites, but the length of time it takes those vulnerabilities to be remediated.
IT and security professionals routinely use USBs, smartphones, and tablets to move and back up confidential files, yet their organizations haven't made changes in the wake of the WikiLeaks leaks
Maybe the massive disclosure of diplomatic memos from the U.S. State Department by WikiLeaks didn't serve as much of a cautionary tale for preventing the leak of sensitive data after all: Most IT and security professionals say they use USBs, smartphones, and tablets to move and back up confidential files, and 65 percent say they don't have a handle on what files and data leave the enterprise, a new survey says.

Mobile Security highlights of the week

Charlie Miller kept his Pwn2Own winning streak intact with another successful hack of an Apple product.
Miller (right), renowned for his work breaking into MacBook machines with Safari vulnerabilities and exploits, took aim at Apple's iPhone device here, using a MobileSafari flaw to swipe the phone's address book.
Research in Motion's recent decision to add a WebKit browser to BlackBerry has immediately backfired.
A trio of security researchers used the spotlight of the CanSecWest Pwn2Own contest here to exploit multiple WebKit vulnerabilities in an impressive drive-by-download attack against a BlackBerry Torch 9800 smart phone.
How I Almost Won Pwn2Own via XSS  []
No, seriously.
The good: Google has patched a serious vulnerability I discovered in the Android web market.
The bad: Since the Android web market was launched earlier this year, it was possible to remotely install arbitrary applications with arbitrary permissions onto a victim's phone simply by tricking them into clicking a malicious link (either on their desktop OR phone). The exploit works universally across all Android devices, versions, and architectures.
On March 6,2011, Google published the application "Android Market Security Tool", a tool designed to undo the side effects caused by Android.Rootcager. This application was automatically pushed to devices of users who had downloaded and installed infected applications.
Symantec has identified suspicious code within a repackaged version of the "Android Market Security Tool". This package was found on an unregulated third-party Chinese marketplace. This threat seems to be able to send SMS messages if instructed by a command-and-control server located at the following address:
If you paid attention to the news this week, you'll know that there were a bunch of Android apps pulled from the Android Market because they contained malware. There were over 50 infected applications – these apps were copies of 'legitimate' apps from legitimate publishers that were modified to include two root exploits and a rogue application downloader. This isn't the first example of malware on Android, but it may be the first to affect Google's own Android Market – other malware samples have been seen on third party app markets. This new malware has been referred to as DroidDream, RootCager, and myournet by various researchers and media outlets.
So how does this malware work? First of all, we can start with the basics of how Android apps work. Android applications are mostly written in Java and use XML files for configuration.
According to the blog, Google will initiate its remote-removal process by pushing the installation of a new app called "Android Market Security Tool March 2011." We've had a look at this app, and it does not fix the vulnerability, it simply removes the applications known to be malicious. Google further promises changes to the market to deal with this type of issue and claims to be "working with our partners to provide the fix for the underlying security issues."

Secure Network Administration highlights of the week

Using three different vulnerabilities and clever exploitation techniques, Irish security researcher Stephen Fewer successfully hacked into a 64-bit Windows 7 (SP1) running Internet Explorer 8 to win this year's CanSecWest hacker challenge.s
Fewer (right), a Metasploit developer who specializes in writing Windows exploits, used two different zero-day bugs in IE to get reliable code execution and then chained a third vulnerability to jump out of the IE Protected Mode sandbox.
The attack successfully bypassed DEP (data execution prevention) and ASLR (address space layout randomization), two key protection mechanisms built into the newest versions of Windows.
"Botnets: Measurement, Detection, Disinfection and Defence" is a comprehensive report on how to assess botnet threats and how to neutralise them. It is survey and analysis of methods for measuring botnet size and how best to assess the threat posed by botnets to different stakeholders. It includes a comprehensive set of 25 different types of best-practices to measure, detect and defend against botnets from all angles. The countermeasures are divided into 3 main areas: neutralising existing botnets, preventing new infections and minimising the profitability of cybercrime using botnets. The recommendations cover legal, policy and technical aspects of the fight against botnets and give targeted recommendations for different groups.
FCS v1 March 2011 update  []
We have recieved reports that in some cases the FCS update fails to install correctly. We are reviewing these reports now, and will update this blog when we have details we can share. If you are a WSUS administrator you may want to hold off approving this update for the moment.
MultiRelay fue el script principal que presenté la pasada semana en la RootedCON.
El script se apoya en otros dos scripts que creé para realizar el descubrimiento y escaneo de red que ya comentamos ayer, y una vez que conoce los servicios de la red realiza el mapeo de los servicios.
En primer lugar crea interfaces virtuales en la máquina en la que se ejecuta Metasploit (el atacante) que se corresponden con las IPs descubiertas en la red interna de la máquina comprometida.
The best will be to stop the packets from reaching you in the first place. To stop them as far away from your environment as possible, especially if link saturation is the problem. This will likely need the cooperation of your ISP. You will find some are more willing to help you deal with an attack than others.
If you manage to identify a particular characteristic of the packets being sent, then you might be able to get a firewall, router, IDS, or IPS to deal with the traffic. These types of devices will be better at coping with this than your web or mail server. Check you firewalls, many have the capability to drop traffic based on certain thresholds or characteristics and they may be enough to
Rafael Dominguez Vega of MRW InfoSecurity has reported a bug in the Caiaq USB driver which could be used to gain control of a Linux system via a USB device.
The bug is caused by the device name being copied into a memory area with a size of 80 bytes using strcpy() without its length being tested. A crafted device with a long device name could thus write beyond the limits of this buffer, allowing it to inject and execute code.

Secure Development highlights of the week

Nir Goldshlager Web Security Blog  []
Gaining Administrative Privileges on any Account, 1337$ (Google Reward Program)
This is my first post in my blog and also my first post regarding my security vulnerabilities findings in Google Reward Program,
In the last 2 months, I participated in Google reward program and found some High, Serious vulnerabilities,
OWASP AntiSamy v.1.4.4 Released  []
The OWASP AntiSamy project is an API for safely allowing users to supply their own HTML and CSS without exposure to XSS vulnerabilities.
The biggest move of this release is to officially change the default parser/serializer from the DOM engine to the SAX engine. We've had two engines for the past few versions, but maintaining two engines concurrently is kinda crazy. The SAX version is twice as fast and much better on memory. Even though all of our test cases pass for both engines, I still anticipate some growing pains in the SAX version, which is why I think most critical applications should stick to 1.4.3 for now.
JavaScript sorting algorithms  []
How I Almost Won Pwn2Own via XSS  []
No, seriously.
The good: Google has patched a serious vulnerability I discovered in the Android web market.
The bad: Since the Android web market was launched earlier this year, it was possible to remotely install arbitrary applications with arbitrary permissions onto a victim's phone simply by tricking them into clicking a malicious link (either on their desktop OR phone). The exploit works universally across all Android devices, versions, and architectures.
This article briefly introduces an emerging open-protocol technology, OAuth, and presents scenarios and examples of how insecure implementations of OAuth can be abused maliciously. We examine the characteristics of some of these attack vectors, and discuss ideas on countermeasures against possible attacks on users or applications that have implemented this protocol.
An Introduction to the Protocol
OAuth is an emerging authorization standard that is being adopted by a growing number of sites such as Twitter, Facebook, Google, Yahoo!, Netflix, Flickr, and several other Resource Providers and social networking sites. It is an open-web specification for organizations to access protected resources on each other's web sites. This is achieved by allowing users to grant a third-party application access to their protected content without having to provide that application with their credentials.
Spot the Vuln – Flag  []
Vulnerabilities in implementations of the STARTTLS protocol for establishing an encrypted TLS connection could allow commands to be injected into a connection. According to a description by the discoverer of the problem, Postfix developer Wietse Venema, the key point is that commands are injected into the connection before it has been secured/encrypted, but are only executed once the secure connection has been established.
Hacking crappy password resets (part 1)  []
This is part one of a two-part blog on password resets. For anybody who saw my talk (or watched the video) from Winnipeg Code Camp, some of this will be old news (but hopefully still interesting!)
For this first part, I'm going to take a closer look at some very common (and very flawed) code that I've seen in on a major "snippit" site and contained in at least 5-6 different applications (out of 20 or so that I reviewed). The second blog will focus on a single application that does something much worse.
Multi-browser heap address leak in XSLT  []
It's not often that I find a bug that affects multiple different codebases in the same way, but here is an interesting info-leak bug that is currently unpatched in Firefox, Internet Explorer and Safari.

Finally, I leave you with the secure development featured article of the week courtesy of OWASP (Development Guide Series):

OWASP-0200 Authentication (continued)

Authenticating Value Transactions with Transaction Signing

Any system can benefit from the use of transaction signing. Transaction signing requires a user to interact with some out of bound device, such as a two factor token calculator or SMS message to complete a high value transaction. For example, if a bank wishes to establish an online credit card registration process, they could get the user to verify that this transaction is valid by completing a transaction verification. In the case of mobile phones, this could simply include sending a random value to the user’s phone or ringing them with a IVR system and digitally read a set of digits to be entered.

SMS Based Transaction Signing Sequence Diagram

For low end through to moderate high value systems, the use of a second factor such as a mobile phone is an excellent low cost alternative to two factor authentication fobs. This mechanism is actually stronger than most two factor authentication fobs as to attack it, the attacker would have to involve individual users to perform the same sort of attacks as they would do today.

There is a single weakness in this model – mobile phone registration and updating. If attackers can register their phone before the real user or update the user’s profile to become their number, the attacker can perform high value transactions with impunity. The application MUST enforce that any one number is only linked to a single account, and to ensure that appropriate safeguards are in place, for example if the same number is being used in multiple accounts at different times as these are signs of phishing.

Physically requiring proof of identity to register or update the mobile phone produces the strongest results.

Token Based Transaction Signing Sequence Diagram

For the highest value systems, the use of transaction signing calculators as sold by a number of token manufacturers would be the best alternative. These take a portion of the transaction’s details and combine it with a private key signing on the calculator. Attackers would have to get the user to log in, type in the values and then subsequently give them the result before fraud would occur. This is extremely unlikely and is not amenable to widespread phishing attacks.

Source: link

Have a great weekend.