Monthly Archives: August 2013

Mac OS X Sudo Password Bypass

An unaddressed five-month-old flaw in Apple’s Mac OS X gives hackers near-unlimited access to files by altering the clock and user timestamp settings. As reported by Ars Technica, a bug discovered five months ago has received renewed interest due to the creation of a new module in the testing software Metasploit, which can make life easier for hackers looking to exploit the Mac vulnerability. The bug revolves around a Unix component called sudo. The program is designed to require a password before “super user” privileges are granted to an account — giving access to other users’ files.

Facebook bug report posted on Mark Zuckerberg’s wall

Khalil Shreateh, a Palestinian IT researcher, found a big Facebook security vulnerability, but Facebook ignored him. So he used the exploit to write on Mark Zuckerberg’s wall. The hack violated a fundamental rule about how Facebook works: if you’re not friends with someone, you can’t write or post links on their wall. At least in theory. While the vulnerability seems like a severe one, Shreateh says that Facebook didn’t take it seriously. After ignoring Shreateh’s messages twice, Facebook finally gave him a reply: “I am sorry this is not a bug,” the company said. So, Shreateh says, he had no choice but to take the vulnerability all the way to the top by posting a message directly on Facebook CEO Mark Zuckerberg’s personal Facebook page. That, as you might expect, really got Facebook’s attention.

Microsoft fixes flaws in IE, Exchange Server & Windows

Microsoft released its Patch Tuesday updates for August, addressing multiple vulnerabilities in Microsoft Windows, Internet Explorer and Exchange Server. The first update is MS13-059, a cumulative update for Internet Explorer; it patches 11 separate vulnerabilities, 9 of which are rated critical on one or more platforms. The 9 critical vulnerabilities are all memory corruption vulnerabilities. The other 2 are only rated as Moderate severity on some platforms, for privilege escalation or information disclosure. MS13-060 (Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution) affects only Windows XP and Server 2003. “The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts.” MS13-061 describes 3 critical vulnerabilities in all currently supported versions of Exchange Server. The actual vulnerability is in a set of Oracle libraries, called Outside In, which assist in document viewing for users of Outlook Web Access in a web browser. The update installs fixed versions of the Oracle libraries. These vulnerabilities have already been publicly disclosed, but Microsoft states that “Exploit code would be difficult to build”.

Google patches Bitcoin-theft vulnerability in Android

Google is distributing patches for a cryptography flaw in Android that may affect hundreds of thousands of applications. The patches have been passed to partners belonging to the Open Handset Alliance, a trade group dedicated to the development of Android, wrote Alex Klyubin, an Android security engineer. Affected applications are those that rely on the pseudo-random number generator (PRNG) within the Java Cryptography Architecture or “directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android,” Klyubin wrote. Random numbers are used in part to generate secure encryption keys and for other cryptographic processes. In some cases, the numbers were not “cryptographically strong values,” Klyubin said.

Multi-service authentication via palm vein images

Fujitsu Laboratories Ltd. has developed the world’s first technology for extracting and matching 2,048-bit feature codes from biometric data (palm vein images). In contrast to the existing matching process of comparing vein feature patterns, the new method employs feature codes extracted from vein images that represent the features of the images in binary format. This, in turn, allows for simple comparison calculations and rapid authentication. As multiple feature codes can be generated from a single piece of biometric data, different codes can be used for different biometric authentication services. As a result, even in the case of leaked registered data, a new feature code can be generated and registered to give users peace of mind and uninterrupted service.

Stealing data through JavaScript and Timing attacks

At the Black Hat security conference in Las Vegas, researcher Paul Stone demonstrated how cybercriminals could gain access to an Internet user’s information by leveraging various security issues. According to ThreatPost, Stone has come up with a new technique that allows hackers to gain access to the source code of web pages that users are logged into by exploiting browser and JavaScript flaws. By using Scalable Vector Graphics filters, the expert has been able to determine which pixels are white and which are black in a browser window. By using JavaScript, he could reconstruct the content of an iframe and gain access to a page’s source code. The researcher warns that this code could contain sensitive data. In a demonstration at Black Hat, Stone showed that the source code of a Google+ page contained a phone number, a Google ID and other information that might be valuable to an attacker.

IPv6 attack against Windows 8 machines

Security firm NeoHapsis is warning that the protocol, which has been undergoing a rollout over the last several years, could be subject to a unique attack that redirects users to unwanted, potentially malicious pages. Dubbed a “SLAAC” attack, the operation takes advantage of the client-side rollout of IPv6 and the built-in preference such systems have for the new protocol. “Modern operating systems, such as Windows 8 and Mac OS X, come out of the box ready and willing to use IPv6, but most networks still have only IPv4,” explained Neohapsis researchers. The researchers went on to describe an attack in which the attacker finds an IPv4 network and sets up a server or network impersonating an IPv6 alternative. When users attempt to load the intended site, their systems could, by default, select the imposter network instead, sending their traffic through the attacker’s systems.