Hackin9
Apple modders can rejoice: The latest jailbreak software for iOS 6 was released on Monday.
 
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
0day full - Free Monthly Websites v2.0 - Multiple Web Vulnerabilities
 
Free Monthly Websites v2.0 - Multiple Web Vulnerabilities
 
Multiple Vulnerabilities in D'Link DIR-600 and DIR-300 (rev B)
 
[IMF 2013] Call for Participation
 
Oracle has issued an update to Java two weeks ahead of the normal schedule.

 
 
The U.S. Department of Energy said Monday that personal information about several hundred employees and contractors was stolen in a mid-January hack, but that no classified information was compromised.
 
[SECURITY] [DSA 2616-1] nagios3 security update
 
Oracle Java SE CVE-2012-4301 JavaFX Remote Security Vulnerability
 
Oracle Java SE CVE-2013-1482 JavaFX Remote Security Vulnerability
 
Oracle Java SE CVE-2013-1477 JavaFX Remote Security Vulnerability
 
NGS00315 Patch Notification: Symantec Enterprise Security Management Agent Privilege Escalation
 
NGS00336 Patch Notification: Symantec Network Access Control Privilege Escalation
 
Internet use fell in U.S. homes but soared inside the Superdome during this year's Super Bowl.
 
Oracle Java SE CVE-2013-1472 JavaFX Remote Security Vulnerability
 
Oracle Java SE CVE-2013-0447 JavaFX Remote Security Vulnerability
 
Directory Traversal - EasyITSP <= 2.0.7
 
[SECURITY] [DSA 2614-1] libupnp security update
 
APPLE-SA-2013-02-01-1 Java for Mac OS X v10.6 Update 12
 
DC++ 0.802 and below incorrectly registers URI schemes in Windows
 
The scary stories from the Web are getting worse. First there were a few stolen credit card numbers. Then there were a few thousand. Now we hear about millions of financial records being exposed by security breaches, and we grow numb to the potential threat. Credit card numbers barely scratch the surface of what the bad guys are after, and there are more dangerous stories that come out of the labs studying cyber war.
 
Developers now can create audio and video communications applications that work across the Chrome and Firefox browsers without the need for plug-ins.
 
Thirty-one years ago, Massachusetts-based software developers Mitch Kapor and Jonathan Sachs created a program -- an electronic spreadsheet -- that would change the world. A year later, on Jan. 26, 1983, Lotus Development Corp. released Lotus 1-2-3 for the IBM PC and grossed $53 million in sales. The following year, sales tripled to more than $150 million.
 
 

Australia in talks to declassify infosec data
CRN Australia
This is because cyber weaponry like Stuxnet will likely -- inevitably, Schmidt said -- be discovered by the infosec research community. In recent years, security researchers have discovered and extensively detailed malware thought to have been ...

 
Booming sales of tablets, smartphones and solid-state drives (SSDs) are taking a toll on hard-disk drive sales, revenue from which is expected to drop by about 12% this year.
 
Apple on Friday shipped an update to Java 6 for Mac users running OS X Snow Leopard, matching Oracle's cadence for Java 7, which was patched the same day.
 
Sony has started shipping two new Vaio ultrabooks with large screens starting at US$699 as the company expands its lineup of thin and light laptops.
 
SAP is planning to impose a higher price on its Standard Support software maintenance offering later this year, with the increase applying only to new contracts.
 
Oracle Java SE CVE-2013-0437 Remote Java Runtime Environment Vulnerability
 
[ MDVSA-2013:006 ] freetype2
 
FreeBSD 9.1 ftpd Remote Denial of Service
 
Oracle Automated Service Manager 1.3 & Auto Service Request 4.3 local root during install
 
[HITB-Announce] #HITB2013AMS FINAL CALL for Paper Submissions
 
Dell reportedly is closing in on finalizing a deal to take the company private, and all the speculation is shining a renewed spotlight on the PC maker, say analysts.
 
The Super Bowl drove more than 24 million tweets about the game and halftime show, but the night's biggest social networking winners were the companies quick-witted enough to take advantage of the blackout that stopped play.
 
Increased sales of electronics and new forms of computing devices will drive the worldwide semiconductor market to growth this year after a slowdown in 2012, the nonprofit organization World Semiconductor Trade Statistics said on Monday.
 
Even as the release of Internet Explorer 10 (IE10) looms for Windows 7, enterprises are standardizing on the four-year-old IE8 instead, a developer of browser management software said today. Insider (registration required)
 
"Superclean" and "DroidCleaner" offered to clean up your Android phone, but while doing a dreadful job of that, they also turned the phone into an infected USB stick ready to load audio snooping software onto Windows PCs.


 
ESA-2013-002: RSA Archer® GRC Multiple Vulnerabilities
 
Going on the offense doesn’t mean actively targeting cybercriminals, experts say. Deceptive tactics, phony documents can help trip up attackers.

 
University information assurance programs are varied, but they are beginning to provide technology disciplines a level of security knowledge.

 
Allowing employee-owned mobile devices doesn’t have to mean accepting all BYOD risks. Infosec pros share their BYOD security strategies.

 
2013 IT security trends reveal mobile device security tops the list of priorities for security pros this year.

 
A government report denounces Chinese IT Telecom giants Huawei and ZTE but should the security risks prompt action?

 
No ultimate test can give third-party software a clean bill of health, but careful assessment can help organizations gain more control over vendors.

 
The Mega file-sharing service has launched a vulnerability reward program that will pay up to €10,000 (around US$13,600) for every serious security flaw found in the platform and reported responsibly. The rules of the program were laid out in a blog post published Saturday.
 

Last week (30 JAN) Attrition.org (@SecurityErrata) tweeted that the SANS GIAC site was susceptible to cross-site scripting (XSS) via the search field.

XSS is, without question, a vulnerability almost every web application has suffered or will suffer at some point. One need only read Attrition's OSVDB, Secunia Advisories, or WhiteHat's website statistics reports to get a feel for how prevalent the issue is. There are many reasons why the vulnerability is #2 on OWASP's Top 10, and SANS, like so many others, is no stranger to the issue, as Johannes Ullrich (Dr. J) points out in his ISC Diary entry from 12 JUN 2012.



The particular vector reported last week regarding SANS/GIAC was quite interesting, as it was reported as a simple XSS. However, upon closer inspection it turns out it was actually quite complicated to exploit and far from simple. Initial reports indicated that the search boxes were vulnerable to simple attacks such as onmouseover=alert(document.cookie) x=, but the truth was much more complicated. Operating from a place of complete transparency, Brian C from the SANS Web team provided us with explicit details regarding this vulnerability so as to help readers protect themselves from similar issues.

According to Brian, when the web team received the report of the issue they tried all the basic XSS attacks and couldn't immediately reproduce the issue. After further research and communication with the reporter, Ryan F figured out how to duplicate the problem, and once verified, the team immediately shut down the search page while they worked on the investigation. It turns out that, while the attack string used by the original reporter triggered an alert, it was not the same alert they were trying to trigger. The attacker's string was actually dealt with properly by the code; thus, the issue was not the simple attack that the original reporter thought it was.

Brian stated that the root cause was attributed to PHP's strip_tags() functionality. This function is used in PHP to remove HTML tags from strings in order to render them safe for display in the browser. When using this function in certain areas of the application the team selectively allows safe tags through, an example being the tags used to indicate a paragraph of text (<p> and </p>). The team discovered that while the function does strip tags as it should, if any safe tags are let through it does not check the attributes of those tags. As a result, every area of the application where strip_tags() is in use was reviewed. The good news was that in most of the places where the function was in use, no tags were allowed through. In the other parts of the application the function was not used in conjunction with user input, so again the risk was quite low. In addition to reviewing the use of strip_tags(), the team focused on expanding their core validation libraries. These enable whitelisting of attributes, which will be used in areas where safe tags are allowed through in order to prevent such issues in the future.

To summarize actions taken, the team:


Reviewed all uses of the strip_tags() function

Expanded validation library to check tag attributes when needed


The unfortunate series of events that caused the issue included:


The underlying strip_tags() issue above

A paper on the site with an example of a simple XSS

Google indexing the site and converting papers to text for indexing

Search string used by the original reporter

Section of the paper returned for the search preview


This combination of events allowed a JavaScript alert box to display but the alert box was not the simple reflected XSS attack the original reporter thought it was. Instead, the issue essentially resembled a stored or persistent attack. This is indeed unfortunate, yet at the same time exploitation would have been nontrivial. Regardless, the SANS Web team will be reviewing logs to ensure no related activity ensues.



Dr. J followed up with the SANS Web team's Ryan C for further technical exploration of the issue. This was indeed a compound problem, not caused by the simple lack of attribute filtering alone. As the application was NOT double-encoding the input, data being sent by Google, which Google had escaped for literal display as part of the search results, was decoded when it should not have been.

As an example:

<div class="description">
Nov 17, 2011 <b>...</b> such as SCRIPT and <b>alert</b> in the uniform resource identifier (URI). <b>...</b> injecting <br> the script into other places, such as a <b>cookie</b> field. <b>...</b> Jscript onsubmit <br> copyparentfolder <b>document</b> javascript meta onchange onmove onerror onselect <br> <b>onmouseover</b> <b>.....</b> &lt;img src=<b>x</b>:gif onerror=window[al\u0065rt](0)&gt;&lt;/img&gt; <b>...</b>
</div>

The above is what was returned by Google and, after running through HTML sanitation, should have been returned to the browser.

According to Ryan C, using the model-view-controller (MVC) architecture pattern, the controller should encode the output before making it available to the view. The view in turn uses an HTML sanitizer to decode and display it as actual HTML. However, because double-encoding was disabled in the controller, an entity that Google had already escaped remained single-escaped rather than being escaped a second time. The HTML sanitizer re-constituting the HTML in the view then decoded that entity back to its literal character, when it should only have been reducing the double-escaped form to the single-escaped one.

In summary, as ISC Handler Swa pointed out, the difficulty lay in the fact that snippets of GIAC Gold papers were being sent back, and that trying to maintain the formatting by preserving some of the strict HTML created the issue. While the whitelist allowed certain HTML tags, certain attributes, such as onmouseover= on a div, were not removed.
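The two defects described above, strip_tags() keeping every attribute of an allow-listed tag and a controller that does not double-encode, reproduced in PHP and then corrected. This is an added example, not the ISC diary's or the SANS web team's code; the snippet text, the allow-lists and the function names are constructed for illustration, while htmlspecialchars(), html_entity_decode(), strip_tags() and DOMDocument are PHP's own.

```php
<?php
// Added example (not the ISC diary's or the SANS web team's code). It
// reproduces the two defects described above with PHP's own functions,
// then shows one corrected path. All input strings are constructed.

// Constructed stand-in for a search-result snippet from an upstream search
// provider: the highlight tags are real HTML, while the indexed paper's own
// markup has already been escaped for literal display.
const SNIPPET = 'Nov 17, 2011 <b>...</b> for example '
    . '&lt;p onmouseover=alert(1)&gt;x&lt;/p&gt; in a <b>cookie</b> field.';

// Step 1 (controller): encode the snippet for the view. The flaw was that
// double-encoding was disabled, so entities already present in the input
// survived unchanged instead of becoming &amp;lt; and so on.
function controllerEncode(string $s, bool $doubleEncode): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

// Step 2 (view): decode the controller's encoding back to HTML, then strip
// tags. strip_tags() keeps allow-listed tags together with ALL of their
// attributes, which is the second defect.
function viewRenderWithStripTags(string $encoded): string
{
    $html = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8');
    return strip_tags($html, '<b><p>');
}

// Corrected sanitizer: allow-list of tags AND of attributes per tag.
// Disallowed elements are unwrapped (their text is kept, as strip_tags
// does) and disallowed attributes on allowed elements are removed.
function sanitizeWithAttributeWhitelist(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8" ?><body>' . $html . '</body>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $body  = $doc->getElementsByTagName('body')->item(0);
    $xpath = new DOMXPath($doc);
    // Snapshot the element list first: the tree is mutated while walking it.
    $elements = iterator_to_array($xpath->query('//body//*'));
    foreach ($elements as $el) {
        $tag = strtolower($el->tagName);
        if (!array_key_exists($tag, $allowed)) {
            // Unwrap: move the children up, then drop the element itself.
            while ($el->firstChild !== null) {
                $el->parentNode->insertBefore($el->firstChild, $el);
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            if (!in_array(strtolower($name), $allowed[$tag], true)) {
                $el->removeAttribute($name);
            }
        }
    }

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// --- Broken chain, as described in the diary ---------------------------
$broken = viewRenderWithStripTags(controllerEncode(SNIPPET, false));
echo "broken: $broken\n";
// The escaped <p onmouseover=...> in the snippet came back as live markup,
// and strip_tags() kept the event handler because <p> is allow-listed.

// --- Fixed chain -------------------------------------------------------
$encoded = controllerEncode(SNIPPET, true);                   // &lt; -> &amp;lt;
$html    = html_entity_decode($encoded, ENT_QUOTES, 'UTF-8'); // back to &lt;
$fixed   = sanitizeWithAttributeWhitelist($html, ['b' => [], 'p' => []]);
echo "fixed:  $fixed\n";
// The paper's markup stays literal text; only the highlight tags render.

// The attribute allow-list on its own, against constructed input:
echo sanitizeWithAttributeWhitelist(
    '<p onmouseover=alert(1)>hi</p><a href="/x" onclick="y()">link</a><i>t</i>',
    ['p' => [], 'a' => ['href']]
), "\n";
// prints: <p>hi</p><a href="/x">link</a>t
```

Run it with `php example.php` and compare the two lines: the broken path ends with a live `<p onmouseover=alert(1)>`, the fixed path with the same text still escaped. The DOM-based allow-list is the minimal form of what the diary's next section recommends; a library such as HTML Purifier additionally repairs malformed markup before filtering, which this short function does not attempt.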



Now that we're fully up to speed on the issue, what are some solutions?

Swa reminded us that HTML Purifier is a decent standard library with which to accomplish our mitigation goals above. HTML Purifier is reasonably configurable: it first cleans up the HTML to make sure it is standards compliant to avoid issues with browsers that try to interpret broken HTML, then it removes disallowed tags/attributes.

Dr. J mentioned OWASP ESAPI which is current for Java but is beginning to fall behind in maintenance for the likes of PHP.

Without question, refer to the Top 10 2010-A2-Cross-Site Scripting (XSS) overview, which includes the OWASP XSS Prevention Cheat Sheet. Jim Manico's discussion on the Future of XSS Defense is also a great read.

I've long been an advocate for utilizing web application firewall options where possible or applicable. During my years of heavy web application vulnerability research, when developers struggled to repair code in a timely or effective manner, I was always quick to mention the likes of ModSecurity as a short-term mitigation that can remain in place after the code fix to allow for defense-in-depth. While a WAF may not have been fully effective in mitigating this oddly chained issue, it can go a long way in blocking the majority of attacks with the likes of the OWASP Core Rule Set (CRS). Note: ModSecurity for IIS was just voted the 2012 Toolsmith Tool of the Year.

As always, we're interested in your tactics and preventative measures, and look forward to hearing from you.

Russ McRee|@holisticinfosec
 
Premier 100 IT Leader Michael Capone also answers questions on getting an MBA and the single most important issue that IT departments face.
 
Oracle has agreed to pay US$1.7 billion for Acme Packet, a network equipment vendor specializing in session delivery.
 
German newspaper and magazine publishers said Monday that they won't give Google the same copyright deal as it struck with French publishers to settle a dispute over revenue lost when news article snippets appear in search results.
 
 

Post suggestions or comments in the section below or send us any questions or comments in the contact form on https://isc.sans.edu/contact.html#contact-form

--

Adam Swanger, Web Developer (GWEB, GWAPT)

Internet Storm Center https://isc.sans.edu
 
Tor Multiple Security Vulnerabilities
 
Symfony YAML Component Multiple Remote PHP Code Execution Vulnerabilities
 
The US Federal Trade Commission has published a package of recommendations to improve the privacy of user data on smartphones and tablets. Among other things, the FTC's document demands that a Do Not Track feature be implemented.


 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0753 Remote Code Execution Vulnerability
 
U.S tech companies lead all other industries in patent production, a new study finds. But when patent activity is measured on a per capita basis globally, the U.S. ranks ninth.
 
A 22-year-old Dutch man who sold credit card details online was sentenced to 12 years in a U.S. prison in a fraud prosecutors alleged caused more than $63 million in damages, according to the Department of Justice.
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0747 Security Bypass Vulnerability
 
Microsoft has released tools to block Internet Explorer 10 from automatically reaching corporate PCs running Windows 7, a sign that the new browser will not release for at least several weeks.
 
Security delivered as a cloud service has several benefits, including costs and flexibility, but there are some cautions, too, adopters say.
 
Taiwanese smartphone maker HTC will release phones with screens larger than 5 inches, and develop more budget-friendly handsets for the Chinese market, its CFO said Monday.
 
Hewlett-Packard has announced the availability of its latest Pavilion laptop with Google's Chrome OS as the PC maker tries to improve laptop sales by offering an alternative to the Windows OS.
 
Samba SWAT Cross Site Request Forgery and Clickjacking Vulnerabilities
 
Internet Storm Center Infocon Status