Safari just got served. At this year’s Pwn2Own conference, security firms and enthusiasts are doing their very best to discover and deploy exploits to some of the world’s most popular browsers. Chrome, Firefox, Internet Explorer, and Safari, they’re all on the menu for conference attendees and some have definitely faired better than others. Google issued a challenge, promising $20,000 to any person or team that could crack Chrome on the conferences opening day, but the two teams scheduled to take a swing backed down. Firefox is, for the time being, still standing, and, per usual, Microsoft’s Internet Explorer was taken down without much fuss. But which browser faired the worst? That would be Apple’s Safari. A French security research firm named Vulpen managed to break into Safari running on a MacBook Air in a cool five seconds. The company noted that the Safari update issued by Apple yesterday — version 5.0.4 — fixes some of the vulnerabilities, but not all. The takedown of Safari 5.0.3 used exploits that are still available in the updated code base. Go ahead Apple detractors, have a little fun in the comments section. More →
The digital rights management (DRM) security used by Microsoft to protect apps in its Windows Phone 7 Marketplace has been cracked, enthusiast blog WPCentral reports. Though the technology needed to do so is not yet in the hands of the general public, the DRM protecting paid applications can now easily be stripped off of apps. If details of the vulnerability used to achieve the DRM crack are made available to the public, unscrupulous programers could use the exploit to develop software that allows users to steal applications and deploy them to Windows Phone 7 devices. Microsoft has not publicly responded to the security hole, though WPCentral claims the company has been made aware of the issue. Hit the break to see Microsoft’s Windows Phone 7 Marketplace security being manhandled in a proof-of-concept video demonstration. More →
Adobe released a security bulletin today warning of a critical, zero-day vulnerability in their Reader and Flash Player software. The bulletin notes that an unpactched system could “crash [your system] and potentially allow an attacker to take control of the affected system.” The vulnerability is affecting:
- Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.1.95.2 and earlier for Android
- Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX
- Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh
- Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Adobe Reader for Android is not affected by this issue.
Adobe is promising an update to fix the issue by November 9. Hit the read link to read more and for mitigation instructions for your specific platform. More →
UPDATE: Bob Lord, Twitter’s security chief, has put up an official blog post explaining exactly what happened this morning. You can read that article here. More →
Adobe has revealed a critical, zero day exploit in Adobe Flash that is affecting WIndows, Macintosh, Linux, Solaris, and Android systems. Adobe does not provide much detail about the issue, but does state that the vulnerability could “cause a crash and potentially allow an attacker to take control of the affected system.” The post states that at present, only Flash Player for Windows is being actively exploited. This is the second critical vulnerability being reported by Adobe in under 7 days. Updates on the zero day bug and forthcoming patch can be found on Adobe’s security bulletin website, found here. More →
Comex, the developer of the jailbreakme.com 2.0 website, has released the source code for the PDF exploit found in un-patched versions of Apple’s iOS mobile operating system. The code has been called “impressive” and “dangerous” by some security analysts. The exploit has the ability to install malicious code on a users iOS device by simply visiting a webpage crafted to run the code. If you do not plan on jailbreaking your iOS device, we recommend updating to iOS 4.0.2 to remove the vulnerability. If you are already jailbroken, we suggest installing the “PDF Fix” patch from Cydia.
[Via Macworld] More →
PSA: today is patch Tuesday, there are 34 vulnerabilities in your Windows system waiting to be plugged
Just a quick public service announcement and follow-up on a story we published last week. Today is Microsoft’s patch Tuesday, and on this patch Tuesday there are thirty-four vulnerabilities in your Windows system ready to be remedied by 14 bulletin updates. If you haven’t done so already, or your machine is not set to automatically update itself, we recommend that you launch Windows Update and let the magic happen. Stay safe out there, it’s a jungle. More →
This coming Tuesday — August 10 — Microsoft will release a company record fourteen security bulletins to plug thirty-four vulnerabilities. Angela Gunn, a member of Microsoft’s Response Communications team, wrote: “For those who keep track of such things, this will be the most bulletins we have ever released in a month; we have released 13 bulletins on a couple of occasions. However, in total CVE count, this release ties with June 2010, so there’s no new record there.” Of the fourteen bulletins, eight are listed as critical and six are rated as important. Make sure to run your Windows Updates next Tuesday to get all the goodies.
[Via CNET] More →
Today, Microsoft released an out-of-band patch for the Windows .lnk extension exploit that was announced several weeks ago. The exploit can allow unauthorized users to execute arbitrary code if an “icon of a specially crafted shortcut is displayed.” Microsoft said: “An attacker could disseminate a USB or other removable drive with a malicious shortcut file on it and when the target victim opens the drive in Windows Explorer or any other application that parses the icon of the shortcut, the malicious code would execute on the victim’s computer. An attacker could also embed malware in a malicious Web site, a remote network share, or in a Microsoft Word document.” Lately, the .lnk exploit, which is actually a vulnerability found in the Windows Shell, has been spreading via the Sality.AT virus, according to a Microsoft blog post. Regardless, the patch is out there and the bug is present in virtually all versions of Windows, if you’re a Windows user, we highly suggest you install it now. More →
Sunday, users of Google’s video service YouTube were exposed to a cross-site scripting vulnerability that put the cookies of those visiting affected video pages at risk. Those employing the scripting vulnerability targeted videos of popular teen singer Justin Bieber, as some visitors saw: “tasteless messages pop up about the teen star, and were also redirected to external sites with adult content,” according to blog NetworkWorld. Google released a statement saying: “Comments were temporarily hidden by default within an hour, and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future.” Google was also quick to point out that the compromised YouTube cookies did not provide unauthorized third-parties with access to users Google Accounts. More →
Goatse Security, the firm who blew the lid off of an exploit that allowed the names and email addresses of over 114,000 iPad owners to be farmed, is speaking out. In a blog post, Goastse team member Escher Auernheimer writes:
I released a semantic integer overflow exploit for Safari through Goatse Security in March– it was patched on Apple’s desktop Safari but has yet to be patched on the iPad. This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.
And it doesn’t stop there. Addressing some of the verbiage in AT&T’s apology letter, Auernheimer goes onto say:
AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate– within the hour. Days afterward is not acceptable. [...] AT&T says the person responsible for this went “to great efforts”. I’ll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it.
Auernheimer closes with: “We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. [...] We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.” Amen, Escher, Amen. Your move Apple/AT&T. More →
Whew. About a month ago, a German group by the name of Chaos Computer Club exposed a vulnerability in Nokia’s S60 handsets that allowed attackers to remotely disable messaging by simply sending a string of specifically formatted SMS messages. Dubbed the Curse of Silence, Chaos Computer Club responsibly contacted Nokia and carriers long before releasing details to the public and while some carriers responded immediately, Nokia apparently hung back for a while as it prepared a fix. S60 users whose carriers weren’t among the responsible few that addressed the issue need not worry as Nokia as finally released a cleanup tool, free of charge of course, that will repair any device affected by the exploit. While a preventative solution would have been preferable, something is better than nothing and the fix is confirmed to work. If you found yourself the victim of a CoS attack hit the read link, follow the simple instructions and you should be back in action in no time.