
In August 2011, multiple servers used to maintain and distribute the Linux operating system kernel were infected with malware that gave an unknown intruder almost unfettered access. Earlier this week, the five-year-old breach investigation got its first big break when federal prosecutors unsealed an indictment accusing a South Florida computer programmer of carrying out the attack.

Donald Ryan Austin, 27, of El Portal, Florida, used login credentials belonging to a Linux Kernel Organization system administrator to install a hard-to-detect backdoor on servers belonging to the organization, according to the document that was unsealed on Monday. The breach was significant because the group manages the network and the website that maintain and distribute the open source OS that's used by millions of corporate and government networks around the world. One of Austin's motives for the intrusion, prosecutors allege, was to "gain access to the software distributed through the www.kernel.org website."

The indictment refers to kernel.org officials P.A. and J.H., who are presumed to be Linux kernel developer H. Peter Anvin and kernel.org Chief System Administrator John "Warthog9" Hawley, respectively. It goes on to say that Austin used the credentials to install a rootkit, a class of extremely hard-to-detect malware, together with a Trojan that logs the credentials of authorized users who use the secure shell (SSH) protocol to access an infected computer.


RETIRED: Dnsmasq CVE-2015-1859 Information Disclosure Vulnerability

SAP Netweaver CVE-2016-1910 Information Disclosure Vulnerability

WordPress WassUp Plugin 'main.php' Cross Site Scripting Vulnerability

RETIRED: Adobe Flash Player and AIR CVE-2016-4121 Unspecified Remote Code Execution Vulnerability


OpenOffice, once the premier open source alternative to Microsoft Office, could be shut down because there aren't enough developers to update the office suite. Project leaders are particularly worried about their ability to fix security problems.

An e-mail thread titled "What would OpenOffice retirement involve?" was started yesterday by Dennis Hamilton, vice president of Apache OpenOffice, a volunteer position that reports to the Apache Software Foundation (ASF) board.

"It is my considered opinion that there is no ready supply of developers who have the capacity, capability, and will to supplement the roughly half-dozen volunteers holding the project together," Hamilton wrote.


 

If you haven't changed your password for Last.fm since 2012, it's long past time. The passwords are now easily grabbed from the Internet.

The contents of a March 2012 breach of the music tracking website Last.fm have surfaced on the Internet, joining a collection of other recently leaked "mega-breaches" from Tumblr, LinkedIn, and MySpace. The Last.fm breach differs from the Tumblr breach, however, in that Last.fm knew about the breach when it happened and informed users in June of 2012. But more than 43 million user accounts were exposed, including weakly hashed passwords, 96 percent of which were cracked within two hours by researchers associated with the data breach detection site LeakedSource.

Last.fm is a music-centered social media platform: it tracks the music its members play, aggregating the information to provide a worldwide "trending" board for music, letting users learn about new music and share playlists, among other things. The 2012 database breach contained usernames, passwords, the date each member joined the service, and internal data associated with the account. The passwords were not encrypted at all; they were stored as unsalted MD5 hashes, so every user who picked the same password has the identical hash, and a single precomputed table cracks all of them at once.

"This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords, a sizable increase from prior mega breaches," a member of LeakedSource wrote in a post about the data. Ars confirmed the LeakedSource data using our own Last.fm account information.
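The following is an added illustration, not code from Ars, LeakedSource or Last.fm, of why an unsalted MD5 dump falls in hours: the attacker hashes a wordlist once and then needs only a dictionary lookup per account, and accounts sharing a password share a hash. The same script shows the corrected design (a per-user random salt and an iterated KDF), where the shared table no longer exists and every account costs a full pass over the wordlist. The wordlist, the usernames, the passwords and the "leak" are all constructed for the example; `crack_unsalted`, `crack_salted` and the other function names are this example's own.

```python
import hashlib
import secrets

# All data below is constructed for this example; none of it is Last.fm's.
# A tiny stand-in for the multi-gigabyte wordlists crackers actually use.
WORDLIST = ["123456", "password", "lastfm", "music", "qwerty",
            "letmein", "iloveyou", "Tr0ub4dor&3"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the way the 2012 Last.fm database stored passwords."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed leak: username -> unsalted MD5 hex. alice and carol chose the
# same password, so their stored hashes are identical (no salt separates them).
LEAK = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("music"),
    "carol": md5_hex("letmein"),
    "dave": md5_hex("correct horse battery staple"),  # not in WORDLIST
}


def build_lookup(wordlist):
    """Hash every candidate once. The resulting table is reusable against
    every unsalted-MD5 dump ever leaked, which is why such dumps fall so fast."""
    return {md5_hex(w): w for w in wordlist}


def crack_unsalted(leak, lookup):
    """One dictionary lookup per account, zero hashing per account."""
    return {user: lookup.get(h) for user, h in leak.items()}


def crack_rate(results):
    """Fraction of accounts whose password was recovered."""
    return sum(1 for p in results.values() if p is not None) / len(results)


# The corrected design: per-user random salt plus an iterated, slow KDF.
# PBKDF2 is used here because it is in the standard library; Argon2 or bcrypt
# would be the usual choice in production.
ITERATIONS = 50_000


def salted_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_salted(credentials):
    """username -> (salt, digest); the same password yields different digests."""
    store = {}
    for user, password in credentials.items():
        salt = secrets.token_bytes(16)
        store[user] = (salt, salted_hash(password, salt))
    return store


def crack_salted(store, wordlist):
    """No shared table is possible: every (account, candidate) pair costs a
    full slow hash. Returns recovered passwords and the number of KDF calls."""
    results, kdf_calls = {}, 0
    for user, (salt, digest) in store.items():
        results[user] = None
        for candidate in wordlist:
            kdf_calls += 1
            if secrets.compare_digest(salted_hash(candidate, salt), digest):
                results[user] = candidate
                break
    return results, kdf_calls


if __name__ == "__main__":
    lookup = build_lookup(WORDLIST)
    cracked = crack_unsalted(LEAK, lookup)
    print("unsalted MD5:", cracked,
          f"{crack_rate(cracked):.0%} recovered; {len(WORDLIST)} hashes computed in total")
    store = store_salted({"alice": "letmein", "carol": "letmein"})
    recovered, calls = crack_salted(store, WORDLIST)
    print("salted PBKDF2:", recovered, f"{calls} slow KDF calls for 2 accounts")
```

Scale the numbers up and the article's figure stops being surprising: against unsalted MD5 the attacker pays for each wordlist entry once for all 43 million accounts, whereas with per-user salts the work multiplies by the account count and, with a slow KDF, by the iteration count as well.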


RETIRED: Linux Kernel CVE-2016-2062 Local Buffer Overflow Vulnerability

RETIRED: Moodle CVE-2016-3732 Access Bypass Vulnerability

RETIRED: OpenJPEG 'opj_free()' Function Remote Heap Based Buffer Overflow Vulnerability

RETIRED: Multiple EC-CUBE Plugins CVE-2016-1205 Unspecified Cross Site Scripting Vulnerability

FormatFactory 3.9.0 - (.task) Stack Overflow Vulnerability

About a week ago, Apple patched three vulnerabilities in iOS that had been used in a targeted exploit. This set of vulnerabilities, also known as Trident, affected WebKit and the iOS kernel. Given the substantial code overlap between iOS and OS X, and in particular the fact that one of the vulnerabilities affected WebKit, it is no surprise that OS X and Safari are vulnerable as well.

Yesterday, Apple released patches for OS X and Safari to address these issues.

The OS X update, which is only available for El Capitan and Yosemite, fixes the two kernel vulnerabilities. The Safari update, which is available for OS X Mavericks and Yosemite (not the latest version, El Capitan), fixes the WebKit vulnerability.

I recommend patching these quickly given that the same vulnerabilities have already been exploited for iOS.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Bitdefender Antivirus Plus avc3 Kernel Driver Local Privilege Escalation Vulnerability
 


Late last week, Apple released iOS 9.3.5 to patch three zero-day bugs that could be used to access personal data on an infected phone. Dubbed "Trident," the bugs were used to create spyware called Pegasus that was used to target at least one political dissident in the United Arab Emirates.

Today, Apple has released updates for Safari 9 and OS X El Capitan and Yosemite that collectively patch the three "Trident" bugs in its desktop operating system. It's not clear whether the bugs affect Mavericks or any older versions of OS X, but we've reached out to Apple for comment and will update the article if we receive a response.

We've also asked Apple why so many days elapsed between the release of iOS 9.3.5 and the release of the OS X versions of the same patches. iOS 9.3.5 was accompanied by disclosures from Citizen Lab and Lookout, the groups that discovered the bugs. In theory, patching iOS without also patching the equivalent bugs in OS X could leave Mac users more open to attack.

