Posts Tagged ‘open source’
Tuesday, August 27, 2013 @ 03:08 PM gHale
A zero-day vulnerability in Java 6 is being actively exploited, and although Oracle is aware of the hole, the company will not patch it because Java 6 is no longer supported.
F-Secure’s Timo Hirvonen first spotted the exploit a few days after the proof-of-concept for the Java 6 flaw (CVE-2013-2463) became public. Hirvonen added that the Java zero-day exploit is now part of the Neutrino exploit kit.
That means widespread adoption of the exploit is likely.
“In addition, we still see very high rates of Java 6 installed (a bit over 50 percent), which means many organizations are vulnerable. We attribute this to the lock-in that organizations experience when they run software applications that require the use of Java 6,” said Wolfgang Kandek, CTO of Qualys.
Users should update their Java installations to the latest revision of version 7, which does not suffer from the issue. Users who don’t need Java in their everyday tasks should uninstall the software altogether.
Avira Security Expert and Product Manager Sorin Mustaca said this just follows along the path of the “sad state of Java security.”
Mustaca said, while it most likely won’t happen, Oracle should make the software open source to address current security problems.
“Making it open source would create an entirely new ecosystem with companies that can take care of the legacy Java versions like Java older than v6,” Mustaca said.
Other experts argue this might not be the best option, considering there already are open source versions of Java, and they haven’t led to any major improvements.
“Comprehensive security review of the platform is what Java needs in the first place,” noted Adam Gowdiak, chief executive of Security Explorations, a company that focuses on Java vulnerabilities.
Monday, May 20, 2013 @ 04:05 PM gHale
The developers of the open source cloud storage and collaboration suite ownCloud released an update to their software that closes critical vulnerabilities.
Version 5.0.6 of ownCloud closes holes that allowed authenticated users to inject SQL commands and execute PHP code on the server or allowed them to download other users’ calendars.
Another flaw allows unauthenticated attackers to execute API commands with admin privileges by making use of cross-site request forgery (CSRF).
The ownCloud server could also be misused as a spam source by turning it into an open email redirector, a problem the developers fixed with the update. The update also fixes a number of additional, non-security-related bugs; a complete list of all improvements is available on ownCloud’s Change Log web page.
Because of the serious nature of the vulnerabilities, users should upgrade to ownCloud 5.0.6 as soon as possible.
Some of the security vulnerabilities also affect ownCloud 4.0.x and 4.5.x; for these versions the developers released ownCloud 4.0.15 and 4.5.11, which fix only the security problems and include no further bug fixes. Users can download the updated versions of ownCloud from the project’s web site.
Monday, April 23, 2012 @ 10:04 AM gHale
The Ruby development team issued an update to the 1.9.3 series of its open source programming language to fix a vulnerability found in the RubyGems package management framework.
The maintenance release of the scripting language, labelled 1.9.3-p194, updates RubyGems to close a security hole that caused SSL server verification to fail for remote repositories.
The update fixes it by disallowing redirects from https to http connections and by enabling the verification of server SSL certificates in an updated version of RubyGems, 1.8.23; more details on these issues are in the latest RubyGems History file. The developers encourage those who use https source in .gemrc or /etc/gemrc to upgrade as soon as possible.
For further information about the update, including a full list of bug fixes, see the official release announcement and the change log. Ruby 1.9.3-p194 is available to download from the project’s site.
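As an added example (my code, not RubyGems’ own), the two rules the update is described as introducing, implemented for a plain Net::HTTP client in Ruby: a redirect that starts on https may never land on http, and https connections verify the server certificate chain. The fetch: hook, the MAX_REDIRECTS limit and the gems.example hostnames are assumptions for illustration.

```ruby
require 'uri'
require 'net/http'
require 'openssl'

# Added example, not RubyGems or Ruby project code. Shows the two checks the
# RubyGems 1.8.23 update is described as adding: refuse a redirect that steps
# down from https to http, and verify the server certificate on https.

MAX_REDIRECTS = 5  # assumed limit, not a RubyGems value

# Returns true only if following +location+ from +current+ keeps the transport
# at least as strong as it was. Relative Locations inherit the current scheme.
def redirect_allowed?(current, location)
  return false if location.nil? || location.empty?
  current = URI(current)
  target = current.merge(location)  # resolves relative Location headers
  return false unless %w[http https].include?(target.scheme)
  # Once the connection is https, it must stay https.
  !(current.scheme == 'https' && target.scheme != 'https')
end

# Builds a Net::HTTP client that verifies the server certificate chain
# against the system CA store whenever the URI is https.
def build_client(uri)
  uri = URI(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  end
  http
end

# Follows redirects manually (Net::HTTP does not follow them itself), applying
# the downgrade rule at every hop. +fetch+ is injectable so the logic can be
# exercised offline; by default it performs a real GET with build_client.
def fetch_with_redirects(uri, limit: MAX_REDIRECTS, fetch: nil)
  fetch ||= ->(u) { build_client(u).request(Net::HTTP::Get.new(u)) }
  uri = URI(uri)
  limit.times do
    response = fetch.call(uri)
    return response unless response.is_a?(Net::HTTPRedirection)
    location = response['location']
    unless redirect_allowed?(uri, location)
      raise SecurityError, "refusing insecure redirect from #{uri} to #{location}"
    end
    uri = uri.merge(location)
  end
  raise "too many redirects starting from #{uri}"
end
```

The check is applied per hop rather than once on the final URL, because a chain of redirects can pass through a plaintext hop and return to https; the downgrade would otherwise go unnoticed.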
Thursday, April 12, 2012 @ 05:04 PM gHale
Samba developers have patched a critical security vulnerability that affects all versions of the open source, cross-platform file sharing solution from Samba 3.0.x up to version 3.6.3, which was released in January.
The hole allows an attacker to gain complete access to a Samba server from an unauthenticated connection. The GPLv3 licensed Samba works on Unix and Linux systems with the ability to share files with Windows systems by implementing the SMB, SMB2 and CIFS protocols.
Security researcher Brian Gorenc and an unnamed colleague, working for the Zero Day Initiative, discovered the vulnerability. The flaw, located in the code generator for Samba’s remote procedure call (RPC) interface, makes it possible for clients on the network to force the Samba server to execute arbitrary code. The attack works over an unauthenticated connection, granting the attacker root privileges and thus complete access to the Samba server.
The fact the problem was in the Perl-based DCE/RPC compiler Samba uses to generate code for handling remote requests has, presumably, made it very hard to detect with automated code auditing methods and caused it to stay hidden for such a long time.
Due to the seriousness of the exploit, all users of Samba should update their installations as soon as possible, officials said. As a temporary workaround, the developers suggest using the hosts allow parameter in the smb.conf file to restrict access to the server to trusted users only. They do point out, however, that “this can be used to help mitigate the problem caused by this bug but it is by no means a real fix, as client addresses can be easily faked.”
Wednesday, March 7, 2012 @ 11:03 AM gHale
The open source web application framework Ruby on Rails has been updated to version 3.2.2 to fix two important security issues and several other bugs.
Because of the serious nature of the security issues, users should upgrade their installations as quickly as possible. Users of Rails 3.0 and 3.1 will find new versions, 3.0.12 and 3.1.4, that also address the vulnerabilities.
The two cross-site scripting vulnerabilities fixed allowed attackers to take advantage of improperly sanitized options tag fields and of direct manipulation of a SafeBuffer to execute arbitrary HTML in the browser of users visiting a Rails site. Further details of the options tag issue and the SafeBuffer issue are available.
The Rails 3.2.2 update also includes fixes that ensure log files are flushed and that failing tests exit with non-zero status codes. It also removes calls to some deprecated methods and includes various Ruby 2.0 compatibility fixes.
More information on the changes since version 3.2.1 is available on GitHub. Users can download Rails 3.2.2 using RubyGems.
Thursday, February 2, 2012 @ 06:02 PM gHale
Following the release of new versions of its open source Firefox web browser, Thunderbird email client and SeaMonkey suite, Mozilla detailed the security fixes included in each of the updates.
Version 10.0 of Firefox closes 8 security holes in the browser, 5 of which Mozilla rates as “Critical,” according to the project’s Security Center page.
The critical issues include an exploitable crash when processing a malformed embedded XSLT stylesheet, potential memory corruption when decoding Ogg Vorbis files, XPConnect security checks bypassed by frame scripts, a use after free error in child nodes from nsDOMAttribute and various memory safety hazards. An attacker could exploit these vulnerabilities remotely to execute arbitrary code on a victim’s system.
Additionally, Firefox 10 closes two “High” impact issues that could lead to information disclosure or allow an attacker to violate the HTML5 frame navigation policy by replacing a sub-frame for phishing attacks. Mozilla also fixed a moderate-severity bug that caused a user’s Firefox Sync key, when exported to a “Firefox Recovery Key.html” file, to be saved with incorrect permissions.
Based on the same Mozilla Gecko platform as Firefox 10, version 2.7 of the SeaMonkey “all-in-one Internet application suite” fixes all of the same vulnerabilities, while Thunderbird 10 addresses all but the moderate incorrect permissions bug because it does not use Firefox Sync.
An update to the 3.6.x legacy branch of Firefox, version 3.6.23, fixes four of the above critical issues and a low impact bug related to an overly permissive IPv6 literal syntax previously repaired in Firefox 7.0, Thunderbird 7.0 and SeaMonkey 2.4. The developers note that Firefox 3.6.26 “now enforces RFC 3986 IPv6 literal syntax”, adding the change “may break links written using the non-standard Firefox-only forms that were previously accepted”. The 3.1.18 update to the 3.1.x branch of Thunderbird also corrects these issues.
All users should upgrade to the current stable versions, the developers said.
Thursday, September 1, 2011 @ 03:09 PM gHale
The Apache web server project has closed a vulnerability that attackers are exploiting to crash websites.
Flaws in the open-source Apache’s HTTP daemon made it easy to crash servers using publicly available software. The bugs in the way the HTTPD processed multiple web requests that involved overlapping byte ranges allowed attackers to overwhelm servers by sending them a modest amount of traffic.
An advisory on Apache’s website said the bug, known as CVE-2011-3192, is gone in version 2.2.20.
“We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade,” the advisory stated. The advisory also notes the vulnerability is in “active use.”
One of the bugs fixed in the update was specific to Apache, while a second flaw has been out there since 2007, and possibly involves all webservers, an Apache bulletin said. The Internet Engineering Task Force is considering changing the underlying protocol responsible for the problem, Apache said.
Versions 1.3.x and 2.0.x through 2.0.64 contain the denial-of-service vulnerabilities. A single web request that contains overlapping byte ranges for a specific page can trigger the vulnerabilities.
“The problem is that currently such requests internally explode into 100’s of large fetches, all of which are kept in memory in an inefficient way,” Apache’s advisory said. “This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy.”
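An added example (my code, not Apache httpd’s) of the second approach the advisory describes, written in Ruby: parse the byte-range set of a Range header before anything is fetched, reject a request that asks for an unwieldy number of ranges, and coalesce overlapping or adjacent ranges into the minimal set so that they cannot multiply into hundreds of in-memory fetches. The MAX_RANGES ceiling and the :reject / :coalesce / :serve policy values are assumptions for illustration, not httpd’s own thresholds.

```ruby
# Added example, not Apache httpd code. A front-end check for HTTP Range
# headers: parse the byte-range set, flag overlap, coalesce, and apply a
# simple policy. MAX_RANGES is an assumed ceiling, not an httpd setting.

MAX_RANGES = 32

# Inclusive byte bounds of one range.
ByteRange = Struct.new(:lo, :hi)

# Parses "bytes=a-b,c-d,-n,e-" against a resource of +size+ bytes.
# Returns an array of ByteRange, or nil when the header is not a valid
# byte-range set (in which case a server ignores Range and serves the body).
def parse_range(header, size)
  return nil unless header && header.start_with?('bytes=')
  specs = header.delete_prefix('bytes=').split(',').map(&:strip)
  return nil if specs.empty?
  ranges = specs.map do |spec|
    case spec
    when /\A(\d+)-(\d+)\z/          # a-b
      lo, hi = $1.to_i, $2.to_i
      return nil if lo > hi
      ByteRange.new(lo, [hi, size - 1].min)
    when /\A(\d+)-\z/               # a-   (from a to end of resource)
      ByteRange.new($1.to_i, size - 1)
    when /\A-(\d+)\z/               # -n   (last n bytes)
      n = $1.to_i
      return nil if n.zero?
      ByteRange.new([size - n, 0].max, size - 1)
    else
      return nil
    end
  end
  ranges.reject { |r| r.lo >= size }  # unsatisfiable ranges are dropped
end

# True when any two ranges share at least one byte.
def overlapping?(ranges)
  sorted = ranges.sort_by(&:lo)
  sorted.each_cons(2).any? { |a, b| b.lo <= a.hi }
end

# Merges overlapping or directly adjacent ranges into the minimal set.
def coalesce(ranges)
  ranges.sort_by(&:lo).each_with_object([]) do |r, out|
    if out.any? && r.lo <= out.last.hi + 1
      out.last.hi = [out.last.hi, r.hi].max
    else
      out << ByteRange.new(r.lo, r.hi)
    end
  end
end

# Policy decision for one request: :reject (too many ranges), :coalesce
# (overlap present, serve the merged set) or :serve (nothing unusual).
def range_policy(header, size)
  ranges = parse_range(header, size)
  return :serve if ranges.nil?             # malformed: treat Range as absent
  return :reject if ranges.size > MAX_RANGES
  return :coalesce if overlapping?(ranges)
  :serve
end
```

The count check runs before the overlap check on purpose: counting is O(n) on the raw list, while sorting to detect overlap is the more expensive step, and a request with thousands of ranges should be refused without paying for it.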