POC PwnFest - Safari Compromised →
News from the Past (the recent past, that is) - Apple Inc. (NasdaqGS: AAPL) Safari drops the drawbridge, and is summarily PWND at POC PwnFest 2016. The exploit took twenty seconds to work its magic... Cruft, the gift that keeps on giving; hearty congratulations to PANGU for their outstanding effort.
Redmond's PAW →
Microsoft Corporation (NasdaqGS: MSFT) has released the Redmond, Washington software leviathan's Privileged Access Workstations.
Essentially, PAWS provisions a workstation to perform high risk-determined activities (SysAdmin work, for example), and permits a user VM on the machine to perform less sensitive, mundane tasks such as normal office tasks.
Seems a might crufty, eh?
'In simplest terms, a PAW is a hardened and locked down workstation designed to provide high security assurances for sensitive accounts and tasks. PAWs are recommended for administration of identity systems, cloud services, and private cloud fabric as well as sensitive business functions.' - via Microsoft Technet
Seven Xen Itch
News, via Dan Goodin, writing at Ars Technica, details a seven year old, pernicious bug in Xen virtualiztion wares. In which, users can exploit the bug to breakout of their local machines, thence into the underlying hypervisor layer. FYI - One high profile customer of the Xen Hypervisor is Amazon Web Services. Time to Patch, eh?
"Admittedly this is subtle bug, because there is no buggy code that could be spotted immediately. The bug emerges only if one looks at a bigger picture of logic flows (compare also QSB #09 for a somehow similar situation). On the other hand, it is really shocking that such a bug has been lurking in the core of the hypervisor for so many years. In our opinion the Xen project should rethink their coding guidelines and try to come up with practices and perhaps additional mechanisms that would not let similar flaws to plague the hypervisor ever again (assert-like mechanisms perhaps?). Otherwise the whole project makes no sense, at least to those who would like to use Xen for security-sensitive work." - via Dan Goodin, writing at Ars Technica.
Top Ten List of Most Exposed Software →
via Anthony M. Freed, writing at InfosecIsland comes this unfortunate, and unsurprising story of the top ten exposed applications currently on a majority of computational devices hereabouts, and the ramifications thereof.
Harbortouch'ed →
via the inimitable Brian Krebs, writing at Krebs On Security, comes the latest sorry tale of attacked, and successfully breached, Point of Sale (POS) terminals manufactured by POS system purveyor Harbortouch.
XKCD, Code Quality →
Good News for TrueCrypt →
Good news for TrueCrypt, via the inimitable Dan Goodin, writing at Ars Technica, of the apparent clean bill of cryptographic health, as it were...
"The TL;DR is that based on this audit, TrueCrypt appears to be a relatively well-designed piece of crypto software," Matt Green, a Johns Hopkins University professor specializing in cryptography and an audit organizer, wrote in a blog post accompanying Thursday's report. "The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances." via Dan Goodin at Ars Technica
iOS FREAKING →
News, via Ars Technica's inimitable Dan Goodin, detailing the FireEye discovery of remnant iOS application FREAK HTTPS vulnerabilities, regardless of host device patching.
'Security researchers from FireEye recently examined the most popular apps on Google Play and the Apple App Store and found 1,999 titles that left users wide open to the encryption downgrade attack. Specifically, 1,228 Android apps with one million or more downloads were vulnerable, while 771 out of the top 14,079 iOS apps were susceptible. Vulnerable apps were those that used—or in the case of iOS, could use—an affected crypto library and connected to servers that offered weak, 512-bit encryption keys. The number of vulnerable apps would no doubt mushroom when analyzing slightly less popular titles.' - via Ars Technica's Dan Goodin
Bad Decisions At Oracle
Meanwhile, in idiotic-decisions-made-by-a-Fortune-500-Company news... Quite likely one of the world's largest software publishers - Oracle Corporation (NYSE: ORCL) has been installing adware along with the JAVA SE Runtime and other JAVA applications on user machines. Evidence of Greed or just Bad Decisions, you be the judge. In this case, when installing the JAVA bits, the ASK.com toolbar is loaded onto the unfortunate victims machine (users can opt-out, but it is not an easy choice to make).
"Tests on a Mac running the latest OS X release proved Oracle's newest Java installer will tack on the Ask extension to both Google's Chrome browser and Apple's Safari, using what some may consider deceptive practices. The option to install Ask is selected by default, meaning users proceeding through installer pop-ups are unlikely to notice the adware until they open a new browser window. Once installed, Ask's extension points the browser's homepage to Ask.com and inserts the Ask toolbar just below the address bar." - via AppleInsider
Wait, What..., Again?
In not-unsurprising-cruft-news, additional, vulnerability-laden, Unix and Unix-like (read Linux) utilities have been detected, requiring updates. The list, enumerated by HD Moore, the CTO of Rapid7 (and of Metasploit fame) includes wget, tnftp, symlink issues and others. Questions have arisen, as to why these utilities have not been scrutinized earlier...
' “wget versions prior to 1.16 are vulnerable to a symlink attack (CVE-2014-4877) when running in recursive mode with a FTP target,” said HD Moore, the chief research officer at Rapid7 who found the vulnerability, in a blog post Tuesday...' - via PCWorld's Lucian Constantin
Input Validation, du Jour →
Not to be undone by the well reported Bourne Again Shell vulnerability of two weeks past, now, via, Robert Lemos, writing at ArsTechnica, comes this sordid tale of poor punctuation coupled with input validation issues. In which, the vulnerability at hand, opens up a logical path within the Microsoft Corporation (NasdaqGS: MSFT) Windows in-built shell, where all the badness is vectored...
Flaws of iOS
No pun intended...
Shellshock Bequeathed →
Much ado about something, nearly a quarter century in the offing, and further evidence to support our Theory of Cruft, or the Things that are Left Over, and Getting in the Way...
Virtue of Patience
Cogitate thrice upon updating newly released software with newly released patches to fix newly discovered bugs, as evidence of cruft...
Infographica, The Timeline
via the erudite Rapid7 blog