19. September 2010 · How risky is the ‘Padding Oracle’ Crypto Attack? · Categories: Security-Compliance, Vulnerabilities

ThreatPost reported that a pair of security researchers announced that they have implemented an attack that exploits the way ASP.NET Web applications handle encrypted session cookies: ‘Padding Oracle’ Crypto Attack Affects Millions of ASP.NET Apps | threatpost.

Microsoft acknowledged the vulnerability in Microsoft Security Advisory 2416728.

The question is, how likely is it that this vulnerability will be exploited across the millions of ASP.NET web sites? According to a post on Slashdot.org:

…this attack requires fairly verbose error messages be sent back to the user of a web application. While I’m sure there do exist some ASP sites where this is the case, I don’t think it has been in any of the non-intranet sites I’ve seen in my career.

It just is not standard in any exposed web site, especially the kind of web site where you would care about customer information getting out, to allow useful error messages to reach the end user. It is by far the standard to catch the exceptions, log them on the server, and show the end user a generic error message which would not be helpful in the case of this exploit.

So it appears that the risk of exploitation of this vulnerability depends on the coding practices of the web site developers. Good coding practices, not so risky.

15. September 2010 · Microsoft addresses one of the Stuxnet related zero-day vulnerabilities · Categories: Malware, Vulnerabilities, Zero-day

Today’s round of Microsoft patches addresses a variety of issues including one of the Stuxnet-related zero-day vulnerabilities. Stuxnet actually leverages four different zero-day vulnerabilities! For more details go here, here and here. Computerworld has a more detailed article about Stuxnet: Siemens: Stuxnet worm hit industrial systems.

02. August 2010 · Is SSL safe? · Categories: Security-Compliance, Vulnerabilities

Via DarkReading, if you are using the latest version of SSL and it’s configured properly, the answer still may be no, based on two presentations at BlackHat last week.

First, according to Ivan Ristic, the Director of Engineering at Qualys, the main problems with SSL are running old versions of SSL and poor configuration management. Ivan said that half the sites running SSL are still using SSLv2, which has known vulnerabilities. In addition, a statistically large number have invalid certificates.

On the other hand, Robert “RSnake” Hansen and Josh Sokol believe that SSL is broken. They presented some 24 HTTPS/SSL exploitation techniques. Their assessment is that “HTTPS simply cannot guarantee confidentiality and integrity in the browser.”

Ristic countered with, “While the state of SSL websites is ‘average’ in terms of security, SSL is rarely targeted by attackers today. ‘I have a disclaimer: SSL is not a common attack vector today because there’s so much low-hanging fruit out there. I think it’s the time to start fixing things, and they can be fixed.’”

28. July 2010 · Apple fixes Safari auto-fill vulnerability · Categories: Vulnerabilities

It looks like Apple was working on a fix for the Safari auto-fill vulnerability after all. According to MacRumors, “As noted in the security documentation accompanying today’s release, Safari 5.0.1 and 4.1.1 address an AutoFill security flaw disclosed last week that could allow a malicious site to obtain a user’s Address Book information, including name, company affiliation, city/state/country, and email address.”

25. July 2010 · Apple leads in software vulnerabilities · Categories: Security-Compliance, Vulnerabilities

More news from Secunia via ars technica. Apple has surpassed Oracle as the software company leader in security vulnerabilities. Microsoft is third. You can read the details here.

Also of note in the Secunia report: in the world of Windows, third-party application vulnerabilities far exceed those found in Windows itself. And unfortunately, many third-party applications do not have automated patch updating services as well developed as Microsoft’s.

25. July 2010 · Adobe Reader improved security coming · Categories: Security-Compliance, Vulnerabilities

ars technica reported that, “Microsoft has been helping Adobe develop a sandbox similar to the Protected View in Office 2010.” Considering that Adobe Reader is #5 on Secunia’s list of third-party products ranked by number of vulnerabilities, this is welcome news. More on Protected View in Office 2010 here.

The question is, why wouldn’t you want all your applications sandboxed this way?

How does Microsoft’s sandboxing technology compare to Suse Linux Enterprise Desktop’s AppArmor?

22. July 2010 · Safari privacy vulnerability – Apple unresponsive · Categories: Security-Compliance, Vulnerabilities

Jeremiah Grossman posted information on a very serious Safari privacy vulnerability which Apple has not yet patched. Here is the lead paragraph of Jeremiah’s post:

Right at the moment a Safari user visits a website, even if they’ve never been there before or entered any personal information, a malicious website can uncover their first name, last name, work place, city, state, and email address. Safari v4 & v5, with a combined market browser share of 4% (~83 million users), has a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.

Jeremiah says he notified Apple on June 17th. Other than what appears to be an automated email reply, there has been no response. Since Apple had not responded in a meaningful way, Jeremiah decided to go public, as the 83+ million Safari v4 and v5 users have a right to know so they can change the Autofill configuration to protect themselves.


04. June 2010 · Massive iPhone Security Issue · Categories: Security-Compliance, Vulnerabilities

ReadWriteEnterprise is reporting that:

Content stored on an iPhone 3GS with passcode protection can be accessed without the passcode simply by attaching the device to a computer running the latest version of Ubuntu or a Windows or OSX system running off the shelf software such as iPhone Explorer. This flaw was discovered by Bernd Marienfeld, an information security professional and blogger, last week. Recently, the enterprise has seen a steep increase in the adoption of the iPhone and iPad. But Apple will need to aggressively address security concerns such as these in order to gain and hold market share.

Read the whole article here.