Author Archive

Internet Explorer 8 Vulnerability Exposed
Thursday, September 09th, 2010 | Author: JB

A new vulnerability has been discovered in Internet Explorer that takes advantage of Cascading Style Sheets (CSS) in order to steal data from the browser.

This past Friday, Google security researcher Chris Evans posted on the Full Disclosure mailing list (see that post here) describing a CSS vulnerability he discovered. He also posted a harmless example of what that vulnerability could do. In the example, you go to a site in IE and click a button (which supposedly could be automated), and your Twitter account automatically sends out a tweet. Barely two hours later, Microsoft tweeted that they were aware of a problem and would “investigate” the issue.

This CSS vulnerability is not exclusive to Internet Explorer. The other four major browsers are also affected: Firefox, Safari, Opera, and Chrome. The only difference is that the vendors of those browsers have issued patches and plugged the holes that created the problem. As of yet, Internet Explorer is the only major browser that has not been fixed. Not that there hasn’t been enough time to work on a patch: according to Evans in the posting mentioned above, “[t]here’s evidence to suggest that Microsoft has been aware of this since at least 2008.” Whether or not they have known about the vulnerability that long is irrelevant, considering that it has been fixed by everyone else.

This vulnerability takes advantage of CSS standards to steal browser data. According to those standards, cookies are sent from the browser when a stylesheet is requested, even if it is a cross-domain request. Combining this with a CSS injection attack using background-image:url(), the browser’s cookies will be sent to the given URL. These cookies can contain the keys needed to break into web applications such as Twitter accounts and webmail sites. Even worse, this happens even when JavaScript is disabled, making this a threat even to those who think they are relatively safe.
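As an added example (not code from the original post or from Chris Evans), here is a simplified model of the check the patched browsers apply to cross-origin stylesheet loads: a response fetched from another origin is only treated as CSS when it is served with the text/css media type. It models the strict-mode policy only; the quirks-mode relaxations real browsers kept are omitted, and the URLs and headers are constructed for the demo.

```javascript
// Added example (not code from the original post or from Chris Evans):
// a simplified model of the mitigation the patched browsers apply to
// cross-origin stylesheet loads, strict Content-Type checking. The attack
// described above depends on a cross-domain response (fetched with the
// user's cookies) being treated as CSS; refusing to apply a cross-origin
// response unless it is served as text/css removes that behaviour.
// Strict-mode policy only; the quirks-mode relaxations real browsers kept
// are omitted. URLs and headers below are constructed for the demo.

const CSS_MIME = 'text/css';

// Origin = scheme + host (+ port), the same tuple the same-origin policy uses.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Normalise a Content-Type header to its bare media type, e.g.
// "text/css; charset=utf-8" -> "text/css". A missing header -> "".
function mediaTypeOf(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Decide whether a fetched stylesheet response may be applied to the page.
//   pageUrl     - URL of the document that issued the <link> or @import
//   sheetUrl    - URL the stylesheet was fetched from
//   contentType - Content-Type header of the response, possibly undefined
function shouldApplyStylesheet(pageUrl, sheetUrl, contentType) {
  // Same-origin sheets are applied regardless of type: the page could read
  // that response anyway, so there is nothing cross-domain to protect.
  if (originOf(pageUrl) === originOf(sheetUrl)) {
    return { apply: true, reason: 'same-origin' };
  }
  const type = mediaTypeOf(contentType);
  if (type === CSS_MIME) {
    return { apply: true, reason: 'cross-origin, served as text/css' };
  }
  return {
    apply: false,
    reason: `cross-origin response is ${type || 'untyped'}, not ${CSS_MIME}`,
  };
}

// Constructed stylesheet loads, as a browser would see them.
const sampleLoads = [
  { page: 'https://site-a.example/', sheet: 'https://site-a.example/style.css', type: 'text/css' },
  { page: 'https://site-a.example/', sheet: 'https://cdn.example/theme.css', type: 'text/css; charset=utf-8' },
  // A cookie-bearing page from another site, pulled in as if it were CSS:
  { page: 'https://site-a.example/', sheet: 'https://webmail.example/inbox', type: 'text/html; charset=utf-8' },
  { page: 'https://site-a.example/', sheet: 'https://api.example/profile', type: undefined },
];

function evaluateLoads(loads) {
  return loads.map((l) => ({ sheet: l.sheet, ...shouldApplyStylesheet(l.page, l.sheet, l.type) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateLoads(sampleLoads)) {
    console.log(r.apply ? 'APPLY ' : 'REJECT', r.sheet, '-', r.reason);
  }
}
```

Running it with node applies the two text/css loads and rejects the HTML page and the untyped response; the same-origin rule is what keeps ordinary sites working, and the media-type rule is what stops another site's cookie-bearing response from ever being parsed as a stylesheet.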

Read the original post: 
Internet Explorer 8 Vulnerability Exposed

Apple and Adobe Both Roll Out Large Security Updates
Friday, August 27th, 2010 | Author: JB

Both Apple and Adobe have shipped relatively large collections of security patches this past week, Apple fixing up OS X and Adobe locking down its Shockwave Player. Both sets of patches have been given a security rating of ‘critical,’ which means that there is the possibility of malicious code execution on an unprotected system.

Apple’s update this week fixes code execution attacks when viewing maliciously crafted PDF or PNG files, or even just viewing a document with a maliciously crafted font installed. There is also the possibility for network administrators to abuse their positions by intercepting sensitive data through the use of an anonymous TLS/SSL connection, or to use a similarly named web address to impersonate a legitimate site and steal information that way. For instance, if they are in possession of the domain name www.example.com, they are able to impersonate www.example.com due to the lack of checking the final letter in the certificates. There are also updates for the newest versions of PHP and ClamAV, which both claim to include necessary security updates. These updates can be applied via the “Software Update” option in OS X or downloaded from Apple’s support site.

Adobe has updated its Shockwave Player to fix several security holes, including 16 memory corruption vulnerabilities which could lead to code execution. These vulnerabilities affect version 11.5.7.609 and earlier, and it is recommended that anyone running these versions immediately upgrade to the most recent version (11.5.8.612) of the software found on Adobe’s website. The memory corruption vulnerabilities and four more issues are all labeled as ‘critical’ in the Severity Rating System. The other issues include two denial of service attacks, one of which could potentially lead to code execution. There is also a pointer offset vulnerability and an integer overflow vulnerability, which can grant someone with malicious intent the ability to plant code in a user’s memory.

Go here to see the original:
Apple and Adobe Both Roll Out Large Security Updates

Mozilla Rolls Out Security Update for Firefox
Sunday, July 25th, 2010 | Author: JB

This week, Mozilla released a security update for its popular Firefox web browser. Firefox 3.6.7 fixes several security issues that were found in version 3.6.6. Over half of the vulnerabilities fixed were listed as “Critical,” which is the highest danger level that Mozilla associates with security issues.

Of the 14 vulnerabilities listed on the Firefox update site, eight are listed as critical. Mozilla defines a critical issue as a “vulnerability [that] can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.” Basically, a hacker can run their code on your computer to access your information and install malware on your system. For instance, they list an issue with PNG images: if you browse a site with a maliciously crafted image on it, without clicking on anything, you can get a computer virus.

The way that most of these vulnerabilities are able to execute code on your machine is by taking advantage of pointers to unallocated memory. These pointers are caused by array overflows or by de-allocating objects that still have multiple pointers pointing to them. By using these dangling pointers, attackers are able to put their code into sections of memory that your computer doesn’t realize are being used, and therefore doesn’t know to protect. Once the malicious code is in memory, it is easy to execute.

The best way to protect yourself is to make sure that your browser is always up to date with the most current software. In Firefox, this is as easy as clicking the “Check for updates…” link in the Help menu, or going to mozilla.com and clicking the big green button in the middle of the screen. This will update your browser to ensure that you have the best protection for your web browsing pleasure.

Excerpt from:
Mozilla Rolls Out Security Update for Firefox

Windows XP Security Patch
Monday, July 19th, 2010 | Author: JB

This week, Microsoft released a new security patch for issues affecting the XP and Server 2003 operating systems. The vulnerabilities were all related to remote code execution, though only the XP patches were listed as critical by the Microsoft Security Bulletin.

On June 5, Tavis Ormandy, a Google security researcher, discovered a zero-day vulnerability in Windows Help that he reported to Microsoft. When Microsoft and Ormandy could not agree on the terms of creating a fix, he published the vulnerability four days later, creating a huge media storm. There were people on both sides: some argued that Ormandy acted irresponsibly by spoon-feeding a security exploit to hackers who would use it to cause harm; others argued that without full disclosure, Microsoft would not have taken this threat seriously and wouldn’t have acted towards fixing the issue.

Whether or not Ormandy was right in his actions, the outcome speaks in his favor. This past Tuesday, Microsoft released Microsoft Security Bulletin MS10-042, which addresses these vulnerabilities. This is an amazingly quick turnaround. The normal time frame for “responsible disclosure” is to allow the software manufacturer a 60-day window to fix the problem before public release. To have a fix only five weeks after the bug was brought to Microsoft’s attention makes a strong argument for the proponents of full disclosure.

On the other hand, since the release of this particular bug, Microsoft has reported that over 10,000 computers have been affected by hackers using this security hole. This is a significant number of people being affected by a previously unpublished issue. The fact that it was unpublished does not necessarily mean that it was unknown to the people who could exploit it. It is unlikely that Ormandy was the only person who would ever discover this problem. Thanks to his actions, we now have a solution to what could have become a serious problem for more than just the 10,000 people who were unfortunately targeted.

Original post: 
Windows XP Security Patch

The History Of NSA Computers, Up Until 1964. Part III.
Tuesday, June 22nd, 2010 | Author: JB

Recently a formerly classified document was declassified describing how the NSA used computers to crack codes. In Part II, we covered the ATLAS II, the second type of computer used by the NSA for code cracking. The next computer built, ABNER, was very different from its predecessors.

After the Pendergrass Report was published in December of 1946, the Army Security Agency made plans to acquire a computer similar to the Navy’s proposed ATLAS. In 1948, ASA analysts visited the three major computer installations then in existence. The analysts performed experiments using different programming order codes. They concluded that four-address logic (RAYDAC and EDVAC) was preferred over one-address logic (ATLAS and UNIVAC). The ability to use binary notation was found to be a necessary requirement (this disqualified UNIVAC).

The Reeves Instrument Corporation provided the design of ABNER. Mercury delay lines with access times between 48 and 348 microseconds were used to compose a 1024-word memory bank. Basic logic was based on the EDVAC design of 16 four-address instructions and 45-bit words. ABNER’s memory was based on the idea that electric pulses would be converted to an analog acoustic signal that could travel through tubes of mercury, with amplifiers at the opposite end to reconstruct the analog wave into an electrical signal. This digital-to-analog conversion and subsequent analog-to-digital conversion allowed the storage of data, as the signals moving through the mercury could only move at the speed of sound, much slower than electrical signals. A tank of mercury was a glass tube around two feet long. Two cabinets containing 64 mercury delay lines each made up the memory bank. Each tube held eight words of 48 bits at one megacycle per second, with the aforementioned delay time of 384 microseconds.

ASA engineers worked closely with programmers to build ABNER. This allowed the ASA to incorporate new feature improvements as ABNER was constructed, which was preferred to waiting for the next successor computer. Paired stream comparison, data stream manipulation, and character transformations as modular additions were a few of the logic features added. Besides the new logic features, ABNER had several input-output features, including a console with status lights, an input-output typewriter, a data conversion unit, punched card and punched paper-tape readers and punches, and it could utilize up to six magnetic tape drives.

The construction of ABNER took about two years. The first ABNER was delivered in 1951, followed by a second ABNER in 1955 using quartz instead of mercury for its memory banks. NSA engineers also constructed a clone of ABNER’s logical design, but with parallel circuits, called BAKER. BAKER was a slow-speed analog of ABNER, based on the design of ATLAS I. Unfortunately, BAKER was never reliable enough to really use in training or debugging, but BAKER was a great achievement. It is thought, however, that BAKER’s use of parallel circuits to simulate a powerful serial computer should not have been attempted.

Next time, we’ll cover more NSA computers of the past, the successors to ABNER and BAKER. For more in-depth reading see: http://www.governmentattic.org/3docs/NSA-HGPEDC_1964.pdf.

More here:
The History Of NSA Computers, Up Until 1964. Part III.

114,000 iPad 3G Owners’ Email Addresses Exposed by AT&T

A group called Goatse Security was able to grab 114,067 personal email addresses of iPad buyers from AT&T’s website. Some of the email addresses leaked include those of White House Chief of Staff Rahm Emanuel, New York City Mayor Michael Bloomberg, Diane Sawyer of ABC News, and many CEOs, CFOs, and CTOs. A number of the email addresses exposed were even those of DARPA researchers and high-ranking military officials.

Each iPad comes with an ICC-ID, or “integrated circuit card identifier.” The subscriber’s SIM card and ICC-ID are linked to uniquely identify them. Normally this data would not be publicly accessible. AT&T goofed big time and left a script on their website that allowed anyone to query it. If an ICC-ID was provided to the script, it responded with the subscriber’s email address. This script was intended to be used with AJAX apps, but obviously had no protections built in. This lack of security allowed researchers to write a simple PHP script that used the iPad browser agent string to grab potentially millions of addresses. This would not have been possible without all the pictures of iPads online that helped them to guess the ICC-IDs. Like any exploit group that wants fame, these guys shared the script and corresponding info with many others like them before reporting the gaping security hole to AT&T.

So now Steve Jobs has a bit of a problem. Hundreds of thousands of customers’ and potentially millions of email addresses have been made available to groups that could use them for malicious purposes. Not only that, but the iPad 3G looks rather unappealing now, even if it was not Apple that was responsible for the breach.

If you bought an iPad 3G and have an email address that doesn’t reveal your identity and a strong password for it, you might be safe. However, now is as good a time as any to change your email password to something stronger. Also, if your email is firstname.lastname@mysite.com or something similar, just be very cautious about who you open PDFs from and the links you click in emails. It’s easier than you might think for criminals to target a victim with a specially crafted, convincing email that appears to be from co-workers or friends.

References: http://security.goatse.fr/

See more here:
114,000 iPad 3G Owners’ Email Addresses Exposed by AT&T