Entries with tag computer security.

Security Researchers: Don’t Compare Every Vulnerability to Heartbleed, Shellshock

Some security researchers are berating the media and others in the security field for using Heartbleed or Shellshock as the yardstick whenever a new software flaw is discovered. In early November, Microsoft patched a serious bug in SChannel (Secure Channel) that was present in every version of the Windows operating system since Windows 95. An IBM researcher reported the bug to Microsoft in May, and it was recently fixed. According to a recent article on securitywatch.pcmag.com, a security researcher from Tripwire referenced Heartbleed and Shellshock when discussing the Microsoft patch. The article argues that if sensationalism is needed for information security to be taken seriously, that indicates “a problem, and it’s not the bug itself.” Each vulnerability should be assessed on its own merits. Josh Feinblum, vice president of information security at Rapid7, noted that the SChannel vulnerability wasn’t like Heartbleed. “This vulnerability poses serious theoretical risk to organizations and should be patched as soon as possible, but it does not have the same release-time impact as many of the other recently highly-publicized vulnerabilities,” he wrote. “Microsoft customers can take a deep breath before they dive head first into patching, but should make sure patching is treated at the highest priority given the potential risk if/when an exploit is successfully developed.” (PC Mag)(Rapid7 Blog)

OpenVPN Might Be Vulnerable to Shellshock Bug

New information shows that virtual-private-network servers based on the popular open source OpenVPN may be vulnerable to attacks exploiting Shellshock and related flaws. Fredrik Strömberg, cofounder of the commercial VPN service Mullvad, noted, “OpenVPN has a number of configuration options that can call custom commands during different stages of the [VPN] tunnel session.” “Many of these commands are called with environmental variables set, some of which can be controlled by the client.” Shellshock is triggered when Bash imports a function definition from an environment variable and executes the commands that follow it, so any program that passes client-controlled environment variables to a Bash-run script is exposed. Hackers exploiting Shellshock could use this to infect systems with malware. The Shellshock vulnerability is in versions 1.14 through 4.3 of the GNU Bourne Again Shell, known as Bash, the command-line shell used in many Linux and Unix operating systems as well as in Mac OS X Mavericks and some Windows and IBM products. Numerous Internet-connected devices, Web servers, and online services run on Linux distributions that use Bash. If a system has a vulnerable Bash version as its default shell, hackers could attack it via malicious Web requests, telnet communications, or other programs that use Bash to execute scripts. They could then run deep-level shell commands on target devices. Researchers say hackers could exploit many possible remote attack vectors, including the OpenVPN server’s authentication capabilities. Vendors continue issuing Shellshock patches for their vulnerable products. (PC World)(ZDNet)(Threatpost)

Google Responds to Heartbleed Flaw with BoringSSL

Problems associated with the Heartbleed Internet-security vulnerability discovered earlier this year continue, with hundreds of thousands of servers still running unpatched versions of the open-source OpenSSL cryptographic library. To address these concerns, Google announced it is developing BoringSSL, a fork of OpenSSL, which is an open source implementation of the Secure Sockets Layer and Transport Layer Security protocols. Researchers discovered a flaw in OpenSSL that attackers could exploit to read an application’s memory, including sensitive data and private encryption keys. Google is developing BoringSSL, rather than just patching OpenSSL, because it can no longer keep up with maintaining its own set of patches. “As Android, Chrome, and other products have started to need some subset of these patches, things have grown very complex,” said Google software engineer Adam Langley. “The effort involved in keeping all these patches straight across multiple code bases is getting to be too much.” The company is now importing changes from OpenSSL into BoringSSL. Google plans to contribute its BoringSSL code to the OpenSSL open-source project. The new SSL fork should appear in Google’s Chromium repository soon and in the Android OS after that. (eWeek)(PC World)(Naked Security)(BoringSSL)

New Service Charts Websites’ Security Issues

A new online service offers a public index of websites with known security issues, enabling users to see whether a site they visit has a security flaw. Project Un1c0rn (http://un1c0rn.net), developed by a group of independent developers, is currently a searchable index of 59,000 websites, with more to come. It focuses on problems caused by the Heartbleed OpenSSL vulnerability as well as on openly exposed MongoDB and MySQL databases, which are the sources of the most widespread vulnerabilities because they rely on common tools. The developers are working to make Project Un1c0rn the first peer-to-peer decentralized exploit system, which they say would enable individuals to host their own scanning nodes and let security researchers offer to help with fixes. (SlashDot)(Motherboard)(Project Un1c0rn)

Bug Leaves Linux, Open Source Users at Risk

Security researchers have discovered a new vulnerability in open source software that attackers could exploit to launch malware attacks. Developers have since released a patch for the bug in the GnuTLS cryptographic code library, which could place Linux and other open source software users at risk of problems such as buffer overflow attacks. GnuTLS is an open-source implementation of Internet encryption protocols, including Secure Sockets Layer, Transport Layer Security, and Datagram Transport Layer Security, and is used in various Linux distributions. A compromised server could exploit the vulnerability during the SSL/TLS handshake, crashing vulnerable clients. It could also allow attackers to execute code on the client system. The vulnerability was reported by Joonas Kuorilehto, a principal systems engineer at Codenomicon, the same vendor of vulnerability-testing tools responsible for finding the Heartbleed flaw in the OpenSSL Internet-security library earlier this year. (Ars Technica)(PC World)(Red Hat Bug Tracker)

Microsoft Issues Internet Explorer Patch for Windows XP Users

Despite ending support for Windows XP on 8 April, Microsoft has released a patch for an Internet Explorer (IE) flaw that will work for users of Windows XP, 7, and 8. The fix addresses a security issue in IE versions 6 through 11. According to Microsoft, the vulnerability lies in the way IE accesses an object in memory that has been deleted or that has not been properly allocated. It could corrupt memory in a way that lets an attacker remotely execute arbitrary code in a user’s browser. Microsoft continues to ask customers using XP to upgrade to a newer Windows version and those using Internet Explorer to move to the latest release. (The Associated Press)(GeekWire)(Microsoft Security Response Center)

Microsoft Extends XP Support in China

Microsoft announced it will continue providing security for Windows XP in China after support for the operating system ends elsewhere on 8 April. In a post on its account on the Sina Weibo microblogging website, Microsoft also asked users to upgrade to the latest Windows version. Windows XP has roughly 57 percent of China’s operating system market, but part of that is attributable to piracy, according to PC World. (PC World)(Computerworld)

Home-Based Wireless Routers Notoriously Insecure

Security experts conclude there are so many potential vulnerabilities in home-based wireless routers that it is best to consider them insecure. The issues came to light following the discovery of problems with Linksys routers, which enabled TheMoon worm to infect and thrive on the home hardware. Security researchers found these types of products are shipped with several other bugs that make them open to infection, according to SANS Institute Internet Storm Center researchers Kyle Lovett and Matt Claunch. This includes home routers from Linksys, Cisco, and Netgear. Compounding the problem, most consumers do not know how to properly protect these networks, through which personal and financial information can be sent. In addition to wireless routers, security experts say home networking devices are particularly vulnerable through the Universal Plug and Play protocol. Independent Security Evaluators, a security firm, identified 55 new and undisclosed vulnerabilities in home routers, which led its analysts to conclude that few, if any, home routers could be properly secured. (SlashDot)(Symantec Security Focus)(SANS Institute Internet Storm Center)