Category Archives: Security

aka infosec

Nasty Cloudflare bug leaked sensitive information for months

Cloudflare provides caching, proxy, and security services for thousands of web sites, including some very popular ones like digitalocean.com, patreon.com, bitpay.com, news.ycombinator.com, medium.com, 4chan.org, yelp.com, okcupid.com, zendesk.com, uber.com, 23andme.com, curse.com, and minecraftforum.net.

For about five months, starting in September 2016, a truly awful bug in Cloudflare’s services caused private information from sites hosted by Cloudflare to be leaked to unrelated systems. Since the leaked information was merrily crawled and stored by all the major search engines, all that data became available to the entire planet.

The leaked data includes just about everything you wouldn’t want leaked, such as encryption keys, cookies, passwords, private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, and hotel bookings.

My initial reaction to the news of this leak was relief, because I don’t use Cloudflare for any of my (or my clients’) web sites. But I use other web sites and services that use Cloudflare, so my private information may have been leaked. Almost anyone who uses the web actively could be affected by this bug, and its fallout.

The bug itself has been fixed by Cloudflare. The major search engines are working with Cloudflare to scrub related private information from their databases. But the damage has already been done.

What should you do?

If you run any web sites or services that use Cloudflare, you should take action immediately, by invalidating all user sessions (e.g. login cookies). How this is done depends on the platform you’re using (WordPress, Joomla, etc.). You should probably recommend to your members/subscribers that they change their passwords.
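What "invalidating all user sessions" looks like on the server side, as an added example (not Cloudflare's code, nor any particular platform's): a small session store with a global generation counter. Every cookie records the generation it was issued under; bumping the counter makes all outstanding cookies stale at once, which is the effect you want once cookies may have leaked. The store, key and user name are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not Cloudflare's or any platform's code): a minimal
# server-side session store with a global "generation" counter.  Bumping the
# counter is a single, cheap operation that logs every user out at once,
# which is what "invalidate all user sessions" amounts to after a leak.


class SessionStore:
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._generation = 1
        # session_id -> (user, generation at issue time, issue timestamp)
        self._sessions = {}

    def _sign(self, session_id: str) -> str:
        # HMAC over the random id so a forged or edited cookie is rejected
        # before any store lookup happens.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str) -> str:
        """Log a user in and return the cookie value to set."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (user, self._generation, time.time())
        return f"{session_id}.{self._sign(session_id)}"

    def validate(self, cookie: str):
        """Return the user behind a cookie, or None if it is invalid or stale."""
        session_id, sep, mac = cookie.rpartition(".")
        if not sep or not hmac.compare_digest(mac, self._sign(session_id)):
            return None
        record = self._sessions.get(session_id)
        if record is None:
            return None
        user, generation, _issued = record
        if generation < self._generation:
            # Issued before the last global invalidation: treat as logged out
            # and drop the record so it cannot be replayed.
            del self._sessions[session_id]
            return None
        return user

    def invalidate_all(self) -> int:
        """Invalidate every outstanding session; returns how many were live."""
        live = len(self._sessions)
        self._generation += 1
        return live


def demo():
    """Issue a session, invalidate everything, then show a fresh login works."""
    store = SessionStore(secrets.token_bytes(32))
    cookie = store.issue("alice")
    before = store.validate(cookie)               # "alice"
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    forged = store.validate(tampered)             # None: MAC check fails
    store.invalidate_all()
    after = store.validate(cookie)                # None: issued before the bump
    fresh = store.validate(store.issue("alice"))  # "alice"
    return before, forged, after, fresh


if __name__ == "__main__":
    print(demo())
```

Rotating the cookie signing key has the same effect (every existing MAC stops verifying), and that is how some platforms do it: in WordPress, changing the authentication keys and salts in wp-config.php logs every user out.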

If you use any of the affected sites or services, you should probably change the associated passwords. This may turn out to be overkill, but it’s difficult to know for certain.

The full extent of the damage caused by this bug remains to be seen. In the worst case scenario, malicious hackers noticed the bug when it first appeared, and proceeded to gather leaked information for months.

Shockwave 12.2.7.197

Another new Shockwave version was released this week by Adobe. Once again, the official release notes page for Shockwave 12 only shows 12.2.7.197 as the current version, and provides no details. There was no announcement.

A couple of years ago, Adobe changed the way Flash functionality is built into Shockwave, presumably to beef up Shockwave’s security, which up to that point included older, vulnerable versions of Flash. So it’s possible that these barely-documented Shockwave updates exist primarily to synchronize Shockwave’s security with the current version of Flash.

As usual, if you use a web browser with Shockwave enabled, you should install the new version as soon as possible.

Microsoft releases update for Flash

Normally, Microsoft releases updates for Flash in Edge and Internet Explorer along with everything else on the second Tuesday of each month.

This month, something went wrong with the Windows Update system, and Microsoft pushed all the February updates to March, including an expected fix for a serious SMB flaw.

Someone at Microsoft apparently realized that this decision would leave some Flash users (those using Flash in Edge and Internet Explorer) vulnerable for an extra month. Flash vulnerabilities are targeted aggressively by malicious hackers, so this is obviously a bad thing. As a result, Microsoft has released a Flash update, one week later than originally planned.

Anyone who uses Flash in Internet Explorer or Edge should visit Windows Update and install the Flash update as soon as possible.

So we do get a Microsoft Security Bulletin Summary for February 2017 after all, but it only includes a single bulletin.

Flash update fixes 13 vulnerabilities

A new version of Flash, released yesterday, addresses at least thirteen vulnerabilities in previous versions.

According to the security bulletin for Flash 24.0.0.221, the new version fixes “critical vulnerabilities that could potentially allow an attacker to take control of the affected system.”

The release notes for Flash 24.0.0.221 describe some new features that are likely only of interest to developers.

As usual, Internet Explorer and Edge will get new versions of their embedded Flash via Windows Update, while Chrome’s embedded Flash will be updated automatically.

Anyone who still uses a web browser with Flash enabled should update it as soon as possible.

Vivaldi 1.7

Apparently the people who develop Vivaldi believe that adding a screen capture feature to the browser is a good use of their time. Perhaps if you don’t use any other web browsers, and you only ever need to capture screenshots of web sites, and never of anything outside the browser, this would be a useful feature. The rest of us will use the much more powerful features of general-purpose screen capture tools like ShareX.

Aside from the arguably pointless addition of screen capture, Vivaldi 1.7 further improves audio handling, and includes tweaks for domain expansion in the address bar. More importantly, Vivaldi now warns users when they navigate to a non-encrypted page that prompts for a password.

You can see the complete list of changes for Vivaldi 1.7 in the official release announcement.

Microsoft will patch recently-discovered SMB flaw in February

The flaw itself is not particularly dangerous for most users: it can only be used to crash Windows computers with file shares that are exposed to the Internet. But when an exploit was published on Thursday, the vulnerability was initially assigned the highest risk rating by CERT. That rating has since been downgraded, as details of the flaw became more clear.

In any case, Microsoft’s reaction to the exploit announcement included statements that are demonstrably false, and seem to have been motivated by the company’s frantic efforts to get everyone on the planet to switch to Windows 10.

“Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”

This is simply false. The same work is done for Linux and MacOS. The unnamed Microsoft staffer who said this may have borrowed it from this TechNet blog post, without checking its veracity.

“We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

This is totally misleading. Windows 10 is arguably the safest version of Windows yet, but the vulnerability affects all versions of Windows. Worse, the vulnerability is completely unrelated to web browsing.

It looks like Microsoft has issued standing orders to its PR department to push Windows 10 at every opportunity, and not to worry too much about accuracy.

Microsoft is expected to issue an update for the vulnerability on February’s Patch Tuesday.

WordPress 4.7.2 – security update

Most WordPress sites are configured to automatically update themselves when a new version becomes available. Still, anyone who manages any WordPress sites should make sure they are up to date with version 4.7.2, released yesterday.

WordPress 4.7.2 addresses three serious security vulnerabilities. You can find all the details in the release announcement.

Update 2017Feb02: Apparently WordPress 4.7.2 included a fix for a fourth security vulnerability, which wasn’t announced until February 2. The vulnerability is so severe that the WordPress developers didn’t want to risk anyone knowing about it until the majority of WordPress sites were updated.

Chrome 56.0.2924.76

Chrome version 56.0.2924.76 includes fixes for fifty-one security vulnerabilities. But wait, that’s not all. If you want to see what happens when your web browser loads a really big web page, navigate to the change log for Chrome 56.0.2924.76. It’s a behemoth, documenting over ten thousand separate changes.

One change in particular deserves mention: starting with this version, Chrome will show ‘Secure’ at the left end of the address bar if a site is encrypted. When Chrome navigates to a web page that isn’t encrypted, but does include a password prompt, it will show ‘Not Secure’ in the address bar.

Chrome seems to update itself reliably, soon after a new version is released. Still, given the number of security fixes in this release, it’s not a bad idea to check.

Review: Heimdal Security Software

I’m always on the lookout for tools that simplify the task of keeping software up to date. I recently installed Heimdal Security Free on my Windows 8.1 PC, and took a close look at its software patching feature.

Note: the paid version of Heimdal Security includes network traffic-based malware detection. That feature appears in the free version, but it’s disabled.

The Good

The software basically does what it says. By default, it automatically checks for out of date software, and silently installs updates where needed. The software it checks includes the vulnerability-prone Flash and Java, as well as all the major browsers. It’s fast, relatively unobtrusive, and has a polished, professional user interface.

The patching system can be customized: you can tell it to only check for updates, but NOT install them automatically, and you can disable checking for anything in its software list, which currently includes forty-one items.

The Bad

  • If you disable the auto-update feature, there’s no obvious way to install new versions.
  • The ‘Recommended Software’ tab has Install buttons, which at first looks useful. But closer inspection reveals that this list only shows software that isn’t currently installed. In fact, it lists some software I’ve never even heard of, much less installed.
  • Heimdal detects software that is available in both 32- and 64-bit versions. But if you have the 32-bit version installed, the ‘Recommended Software’ tab will list the 64-bit version. And vice-versa. This is not useful.
  • There’s no obvious way to tell Heimdal to perform a re-scan. I eventually realized that disabling the feature and re-enabling it does that, but a ‘Scan’ button would be a real improvement.
  • The software list cuts off some important information: the software version number is often truncated, making definite confirmation of version changes difficult. And there’s no way to resize the column, or the dialog. Update: I discovered that the missing information can be revealed by hovering the mouse over a truncated field.
  • Heimdal shows some software as needing an update when in fact that software is up to date. For example, it continues to report an available update for 7-Zip 16.04: to version 16.04.0. It looks like Heimdal fails to match versions when there are extra zeros.
  • There’s no way to shut down Heimdal once it’s installed. There’s an icon in the notification area, but it doesn’t even have a right-click menu. Your only option is to uninstall Heimdal completely.
  • When Heimdal installs something from the ‘Recommended Software’ tab, it configures itself to automatically update that software. An option to override this behaviour would be helpful.
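The 7-Zip problem noted above (16.04 reported as needing an update to 16.04.0) is a version-matching bug, and it is worth seeing what a correct comparison looks like. The following is an added example, not Heimdal's code: a naive string comparison that reproduces the symptom, beside a numeric comparison that treats trailing zero components as equal. The handling of non-numeric suffixes is an assumption of the example.

```python
import re

# Added example (not Heimdal's code): version matching that treats
# "16.04" and "16.04.0" as the same release, the case the review found
# Heimdal getting wrong.


def naive_needs_update(installed: str, available: str) -> bool:
    """String inequality: the behaviour the review observed.  Reports an
    update for 7-Zip 16.04 -> 16.04.0 even though nothing changed."""
    return installed != available


def parse_version(text: str) -> tuple:
    """Split a dotted version into integer components and drop trailing
    zero components, so '16.04', '16.4' and '16.04.0' all parse to (16, 4).
    Leading zeros vanish through int(), and any non-numeric suffix
    (e.g. 'beta') is ignored; that is an assumption of this example."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def needs_update(installed: str, available: str) -> bool:
    """Numeric, component-wise comparison: an update is due only when the
    available version is strictly greater than the installed one."""
    return parse_version(installed) < parse_version(available)


if __name__ == "__main__":
    for installed, available in [("16.04", "16.04.0"),
                                 ("24.0.0.194", "24.0.0.221"),
                                 ("1.10", "1.9")]:
        print(installed, "->", available,
              "naive:", naive_needs_update(installed, available),
              "numeric:", needs_update(installed, available))
```

The numeric comparison also gets the other classic string-compare mistake right: "1.10" is newer than "1.9", which a lexical comparison reverses.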

It’s possible that some of these issues would not present themselves if I configured Heimdal to install updates automatically, but I prefer to have more control over software installation.

Conclusion

Despite its flaws, Heimdal may prove useful to some users. But I can’t recommend it.

Update 2017Feb01: Heimdal responded to my review, addressing my concerns:

For the moment, Heimdal does not have the option to install updates manually. We wanted to make software updates fast, secure and hassle-free for Heimdal users and adding a manual option would be the opposite of that.

My response: that’s just silly. Make it an option, but default to automatic. Most users would never even see the option. It wouldn’t make anything slower, or less secure, or increase hassle. And all the necessary functionality is already in place.

We called it “recommended software” because it is not installed on the system. These are apps you can install with one click, should you want to do it. If not, they don’t impede you in any way.

My response: Understood, but it’s kind of misleading, especially since in some cases they are recommending 32-bit versions of software already installed in 64-bit form.

Indeed, this is something we will work on improving, so we can match software versions to the type of system they’re recommended for.

The scan button is in Heimdal’s home screen, when you hover over the big white button with the green checkmark. We will try to make this more obvious in future versions.

My response: on the Overview tab, there’s a big white icon that’s either a checkmark (if everything is up to date) or an exclamation mark (if it isn’t). Nothing appears when you hover the mouse over this icon, and there’s no indication that clicking it will do anything. But it does work, so it would be nice to have this properly labeled.

Making windows resizable is not something customary to security applications (it would create an unnecessary burden on the system), but we will try to rearrange the elements so that they provide a clearer view in future updates.

My response: Making windows resizable is in fact standard for all Windows applications, and those that don’t allow this are probably not following Windows development guidelines. Further, the notion that adding this functionality would somehow place a ‘burden on the system’ is simply absurd. But the indicated fixes will be welcome in the absence of resize-ability.

Heimdal shows some software as needing an update when in fact that software is up to date.

I think that our support team can help you with that. If you can, send them an email at support@heimdalsecurity.com and they’ll be right on it!

My response: Done. After some back and forth, Heimdal support reproduced one of the problems on their end (7-Zip version detection), and is working on a fix.

We will add a right-click menu in the coming versions. There is no option to shut down Heimdal, because security software usually does not have this feature. If it had it, malware could easily switch it off and infect the system.

My response: if malware is present on a computer, it can kill a process as easily as it can stop a program from its system menu. I want to be able to run the update feature on-demand, and there’s simply no way to do that sensibly unless the program can be closed.

Firefox 51 fixes 24 security issues

The latest version of Firefox addresses at least twenty-four security vulnerabilities and changes the way non-encrypted sites appear in the address bar.

As usual, there’s nothing like a proper announcement for Firefox 51. What we get from Mozilla instead is a blog post that discusses some new features in Firefox, and mentions the new version number almost accidentally in the third paragraph. Once again, CERT does a better job of announcing the new version than Mozilla.

Starting with version 51, Firefox will flag sites that are not secured with HTTPS if they prompt for user passwords. Secure sites will show a green lock at the left end of the address bar as before, but sites that are not secure will show a grey lock with a red line through it. Previously, non-encrypted sites showed no lock icon at all. The idea is to draw the user’s attention to the fact that they are browsing without the security of encryption, which is risky when sensitive information (passwords, credit card numbers) is entered by the user.
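Chrome 56 and Firefox 51 both apply the same rule described above: a page that is not served over HTTPS but prompts for a password gets flagged. As an added example (not the browsers' code), here is that rule written as an audit check you can run over your own pages' HTML before a browser does it for your users. The sample pages, the function names and the ‘Neutral’ label for ordinary HTTP pages are constructed for the example; certificate validity and mixed content are outside its scope.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example (not Chrome's or Firefox's code): the address-bar rule as an
# audit check over page HTML.  Sample pages below are constructed.

LOGIN_PAGE = """
<html><body>
  <form method="post" action="/login">
    <input name="user" type="text">
    <input name="pass" TYPE="Password">
    <button>Sign in</button>
  </form>
</body></html>
"""

PLAIN_PAGE = "<html><body><h1>Welcome</h1><p>No login here.</p></body></html>"


class PasswordFieldFinder(HTMLParser):
    """Count <input type="password"> elements, matching the type value
    case-insensitively because browsers treat TYPE="Password" the same as
    type="password"."""

    def __init__(self):
        super().__init__()
        self.password_fields = 0

    def handle_starttag(self, tag, attrs):
        if tag != "input":          # HTMLParser lower-cases tag and attribute names
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "").strip().lower() == "password":
            self.password_fields += 1


def count_password_fields(html: str) -> int:
    finder = PasswordFieldFinder()
    finder.feed(html)
    finder.close()
    return finder.password_fields


def address_bar_label(url: str, html: str) -> str:
    """'Secure' for HTTPS; 'Not Secure' for an HTTP page that prompts for a
    password; 'Neutral' (a label chosen for this example) for other HTTP pages."""
    scheme = urlsplit(url).scheme.lower()
    if scheme == "https":
        return "Secure"
    if count_password_fields(html) > 0:
        return "Not Secure"
    return "Neutral"


if __name__ == "__main__":
    for url, html in [("http://example.com/login", LOGIN_PAGE),
                      ("https://example.com/login", LOGIN_PAGE),
                      ("http://example.com/", PLAIN_PAGE)]:
        print(url, "->", address_bar_label(url, html))
```

Run against your own site's login and account pages: any result of ‘Not Secure’ is a page that Chrome and Firefox will now warn your users about.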