Category Archives: Security

aka infosec

Updates for Flash

Version 11.8.800.94 of Flash was announced today. As always, “[t]hese updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.” For a more complete change list for this version, see the Flash Player 11.8 Release Announcement on the Flash Runtime Announcements page.

A patch for Internet Explorer 10 that includes a new version of Flash (also 11.8.800.94) was released by Microsoft today as well.

An update for Flash in Chrome should also become available from Google in the near future. The new version of Flash in Chrome will be 11.8.800.97.

Serious Cryptocat security flaw fixed

Even before the recent NSA revelations, increasing interest in online privacy led Nadim Kobeissi to develop Cryptocat, an easy to use, secure, web-based chat client.

Unfortunately, Cryptocat – until recently – had a serious flaw. A programming error limited the total possible secure keys to a number small enough to make cracking them trivially easy. The person who discovered the flaw created a demonstration program, and the flaw was quickly fixed, but Cryptocat had been running in this flawed state for at least seven months, possibly longer.

Anyone using Cryptocat versions earlier than 2.0.42 should upgrade immediately. Cryptocat typically runs as a web browser add-on or plugin.

Update: the Duo Security blog has an interesting take on this.

Visa and Mastercard don’t want you to use VPN services

The big credit card companies are once again trying to use their influence to make the world more to their liking. Their previous ban on payments to Wikileaks was finally overturned by the Supreme Court of Iceland only weeks ago, but it seems their lawyers are eager to get beaten up again.

It remains unclear exactly what the credit card companies have against VPN services. Virtual Private Networking has many legitimate uses, and VPN solutions are commonplace in the business world. Anywhere remote access to corporate systems is necessary, VPN is just good security. No doubt Visa’s and Mastercard’s true motives will be revealed in the coming days.

Latest Ouch! newsletter: all about ‘spearphishing’

The latest installment (warning: PDF) of the user-focused Ouch! newsletter from SANS discusses ‘spearphishing’. As in regular phishing, the goal of the attacker is to gain access to computers, systems and services. The difference is that while phishing is targeted very broadly, spearphishing targets specific companies, organizations or even individuals. Attackers typically use this technique to gain access to valuable targets like banks.

Firefox 22 now available

Version 22 of Mozilla’s web browser was released yesterday, with the usual utter lack of anything approaching a proper announcement. The closest we got was a post on the Mozilla blog entitled “Firefox Delivers 3D Gaming, Video Calls and File Sharing to the Web“. That post discusses some of the new features of Firefox 22, but never actually mentions the new version number. I understand that Mozilla is trying to place less importance on version numbers, but in my opinion this is going too far.

Making things even more confusing, the main download page for Firefox never mentions the current version, although all the download links point to version 22 URLs, which you can see by hovering your mouse over them.

The release notes page is still a confusing mess. The first text you read on that page is “Firefox Notes (First offered to release channel users on June 25, 2013)”. It sounds like they’re saying that Firefox was released on June 25, 2013. What they really mean is that Firefox version 22 was released on June 25, 2013, but the version isn’t mentioned in the title. In fact, the only reference to the version is in a contributor “thank you” note below the title. Below that, the “What’s New” section lists changes made to Firefox, which we can only assume are specific to version 22 because the page’s URL includes the text “22.0”.

A link on the release notes page for version 22 titled “complete list of changes” now points to a list of bugs in Mozilla’s bug tracking system, Bugzilla. The list of bugs shown is huge, and although each of the 510 entries supposedly represents a bug fixed in version 22, the information is highly technical and not really intended for regular users. A proper change list is nowhere to be found.

Somewhat more useful are the confusingly-named and well hidden “known vulnerabilities” and “security advisories” pages for Firefox. The first of those pages lists security vulnerabilities and the versions of Firefox in which they were fixed, including version 22. The second page lists Firefox security vulnerabilities by the date on which they were first reported by Mozilla, with no indication of which vulnerabilities have been fixed, or when they were fixed.

I’ve been pointing out the lack of proper version announcement resources for Firefox here and in other online forums for a while now, but have yet to see any significant progress.

WordPress 3.5.2 released

WordPress 3.5.2 fixes several security vulnerabilities. Given the recent worldwide attacks against WordPress-based web sites, all WordPress sites should be upgraded to the new version as soon as possible.

One of the vulnerabilities fixed in version 3.5.2 is CVE-2013-2173, a Denial-of-Service (DoS) vulnerability recently disclosed on the VND blog. The vulnerability and a Proof of Concept were disclosed on that site one week after the author reported the issue to the WordPress security team. Concerned that a single email might have been caught in a spam filter, I posted a link to the report in two of the WordPress IRC channels (#wordpress and #wordpress-dev), and soon after that I was told that the security team had been notified. It was later disclosed that the original report had indeed been caught by a spam filter, even though the reporter had received a ‘we received your report’ auto-response. The lessons here are: 1) security email inboxes should not have spam filters; 2) don’t use an auto-responder on security email inboxes; and 3) don’t stop reporting a security issue until you’ve heard back from a human being, confirming receipt of your report.