ISSSource White Papers

Posts Tagged ‘open source’

Tuesday, August 27, 2013 @ 03:08 PM gHale

A zero-day vulnerability in Java 6 is under active exploitation. Oracle is aware of the hole but, since Java 6 is no longer supported, the company will not patch it.

F-Secure’s Timo Hirvonen first spotted the exploit a few days after a proof-of-concept for the Java 6 flaw (CVE-2013-2463) became public. Hirvonen added that the exploit is now part of the Neutrino exploit kit.

Inclusion in an exploit kit means the exploit will see widespread use.

“In addition, we still see very high rates of Java 6 installed (a bit over 50 percent), which means many organizations are vulnerable. We attribute this to the lock-in that organizations experience when they run software applications that require the use of Java 6,” said Wolfgang Kandek, CTO of Qualys.

Users should update their Java installations to the latest revision of version 7, which does not suffer from the issue. Users who don’t need Java in their everyday tasks should uninstall the software altogether.
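Finding the hosts that still run Java 6 is the first step in acting on that advice. The following Python script is an added example (not from the article, Oracle, or any of the vendors quoted): it classifies the banner that `java -version` prints to stderr, handling both the legacy "1.6.0_45" numbering and the "17.0.2" style used from Java 9 onward. The sample banners are constructed, and the threshold of major version 7 is the article's recommendation rather than a hard-coded Oracle policy.

```python
import re
import subprocess

# Both banner formats are handled: the legacy "1.6.0_45" form used up to
# Java 8 and the "11.0.2" / "17" form used from Java 9 onward.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_major(banner):
    """Return the major Java version named in a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    parts = m.group(1).split(".")
    # "1.6.0_45" -> 6 ; "1.7.0_25" -> 7 ; "11.0.2" -> 11 ; "17" -> 17
    field = parts[1] if parts[0] == "1" and len(parts) > 1 else parts[0]
    digits = re.match(r"\d+", field)
    return int(digits.group(0)) if digits else None


def classify(banner, minimum_major=7):
    """'unsupported' for anything below the version the article recommends."""
    major = parse_java_major(banner)
    if major is None:
        return "unknown"
    return "ok" if major >= minimum_major else "unsupported"


def local_java_banner(java="java"):
    """Run the real binary on this host; `java -version` writes to stderr.
    Returns "" when no Java is installed or the binary cannot be executed."""
    try:
        proc = subprocess.run([java, "-version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return proc.stderr or proc.stdout


# Constructed sample banners, not captured from real hosts.
SAMPLES = {
    "legacy-host": 'java version "1.6.0_45"\n'
                   'Java(TM) SE Runtime Environment (build 1.6.0_45-b06)\n',
    "patched-host": 'java version "1.7.0_25"\n'
                    'Java(TM) SE Runtime Environment (build 1.7.0_25-b15)\n',
    "modern-host": 'openjdk version "17.0.2" 2022-01-18\n'
                   'OpenJDK Runtime Environment (build 17.0.2+8)\n',
    "no-java": "java: command not found\n",
}

if __name__ == "__main__":
    for host, banner in SAMPLES.items():
        print(f"{host:13s} {classify(banner)}")
    banner = local_java_banner()
    if banner:
        print(f"{'this host':13s} {classify(banner)}")
```

Run it on each host (or feed it banners collected by your inventory tool); any result of "unsupported" is a machine that needs the Java 7 update or, if Java is not needed there, an uninstall.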

Avira Security Expert and Product Manager Sorin Mustaca said this just follows along the path of the “sad state of Java security.”

Mustaca said, while it most likely won’t happen, Oracle should make the software open source to address current security problems.

“Making it open source would create an entirely new ecosystem with companies that can take care of the legacy Java versions like Java older than v6,” Mustaca said.

Other experts argue this might not be the best option: open source implementations of Java already exist, and they haven’t led to any major security improvements.

“Comprehensive security review of the platform is what Java needs in the first place,” noted Adam Gowdiak, chief executive of Security Explorations, a company that focuses on Java vulnerabilities.

Monday, May 20, 2013 @ 04:05 PM gHale

The developers of the open source cloud storage and collaboration suite ownCloud released an update to their software that closes critical vulnerabilities.

Version 5.0.6 of ownCloud closes holes that allowed authenticated users to inject SQL commands, execute PHP code on the server, or download other users’ calendars.

Another flaw allows an attacker with no account of their own to execute API commands with admin privileges by way of cross-site request forgery (CSRF): a logged-in administrator who visits a page the attacker controls has their browser submit the requests on the attacker’s behalf.

The ownCloud server could also be misused as a spam source by turning it into an open email redirector, a problem the developers also fixed in this update. The update further fixes a number of non-security bugs; a complete list of improvements is available on ownCloud’s Change Log web page.

Because of the serious nature of the vulnerabilities, users should upgrade to ownCloud 5.0.6 as soon as possible.

Some of the security vulnerabilities also affect ownCloud 4.0.x and 4.5.x; for these versions the developers released ownCloud 4.0.15 and 4.5.11, which contain only the security fixes and no further bug fixes. Users can download the updated versions of ownCloud from the project’s web site.

Wednesday, January 23, 2013 @ 03:01 PM gHale

It is possible to silently install extensions for Mozilla’s open source Firefox web browser.

The process exploits the fact that Firefox uses a SQLite database to record which add-ons, or extensions, are installed and, of those, which ones the user has approved, said Zscaler security researcher Julien Sobrier.

The goal of this mechanism, introduced in Firefox 8, was to stop toolbars and other applications from adding their own add-ons without informing the user.

Sobrier’s technique shows the mechanism is relatively easy to overcome. Add-ons have privileged access to the browser, so a malicious add-on could do anything from stealing the user’s history to modifying page contents or disabling security features in the browser. The add-on doesn’t even have to be malicious, just unexpected: back in 2009 Mozilla found itself blocking a silently installed Microsoft extension that happened to expose Firefox users to a .NET Framework flaw. Without knowing what is on the system, a user cannot react to security threats when they appear.

An application first has to copy the extension into the Firefox extensions directory. It must then open the SQLite database and add a record for the new extension. Setting the field that records whether the user has approved the add-on is a simple task, and that is exactly what Sobrier’s code does. The add-on only begins running when Firefox restarts. Sobrier demonstrated the technique with a proof-of-concept extension and an installer written in C#, both available for download.

Mozilla has the capability to blacklist malicious add-ons, but only once they have been detected. There are reportedly other techniques too, such as modifying prefs.js to suppress the prompt Firefox shows before enabling an add-on. Although the technique requires code already running on the machine with write access to the user’s Firefox profile, it is easy to hide in installers and downloads, and if the purpose of the attack is not to cause immediate damage, it is a useful tool for an attacker, researchers said.
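As an added illustration (not Sobrier’s proof-of-concept and not Mozilla code), the following Python script replays the two steps described above against a throwaway profile and then shows the check that catches them: a snapshot of the add-on database taken while the profile is known-good, compared with its current contents and with what is on disk. The `addon` table it creates, its column names, the add-on IDs and the paths are all assumptions made for the example rather than Firefox’s real schema.

```python
import os
import sqlite3
import tempfile

# Simplified stand-in for extensions.sqlite (assumed columns, not Mozilla's).
SCHEMA = """CREATE TABLE addon (
    id TEXT PRIMARY KEY, location TEXT, version TEXT,
    active INTEGER, userDisabled INTEGER)"""


def make_profile(root):
    """Constructed profile with one add-on the user installed and approved."""
    profile = os.path.join(root, "profile")
    os.makedirs(os.path.join(profile, "extensions", "approved@example.test"))
    db = sqlite3.connect(os.path.join(profile, "extensions.sqlite"))
    db.execute(SCHEMA)
    db.execute("INSERT INTO addon VALUES (?,?,?,?,?)",
               ("approved@example.test", "app-profile", "1.0", 1, 0))
    db.commit()
    db.close()
    return profile


def silent_install(profile, addon_id):
    """The technique described above: drop the files into the extensions
    directory and add a DB row already marked active and user-approved, so
    the third-party-install prompt never fires on the next restart."""
    os.makedirs(os.path.join(profile, "extensions", addon_id))
    db = sqlite3.connect(os.path.join(profile, "extensions.sqlite"))
    db.execute("INSERT INTO addon VALUES (?,?,?,?,?)",
               (addon_id, "app-profile", "0.1", 1, 0))
    db.commit()
    db.close()


def enabled_addons(profile):
    """IDs of add-ons the DB says are active and not disabled by the user."""
    db = sqlite3.connect(os.path.join(profile, "extensions.sqlite"))
    rows = db.execute("SELECT id FROM addon WHERE active=1 AND userDisabled=0")
    ids = {r[0] for r in rows}
    db.close()
    return ids


def audit(profile, baseline):
    """Detection: anything now approved that the last known-good snapshot
    lacked, or present on disk without a DB row, deserves a look."""
    on_disk = set(os.listdir(os.path.join(profile, "extensions")))
    enabled = enabled_addons(profile)
    return {"new_enabled": sorted(enabled - baseline),
            "on_disk_no_db_row": sorted(on_disk - enabled)}


def demo():
    with tempfile.TemporaryDirectory() as root:
        profile = make_profile(root)
        baseline = enabled_addons(profile)      # snapshot taken while clean
        silent_install(profile, "sneaky@example.test")
        return audit(profile, baseline)


if __name__ == "__main__":
    print(demo())   # {'new_enabled': ['sneaky@example.test'], 'on_disk_no_db_row': []}
```

The point of the baseline is that the database alone cannot tell a user-approved add-on from one whose approval flag was written by an installer; only a comparison against an earlier trusted state, or against Mozilla’s blacklist once the add-on is known, exposes the difference.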

Monday, April 23, 2012 @ 10:04 AM gHale

The Ruby development team issued an update to the 1.9.3 series of its open source programming language to fix a vulnerability found in the RubyGems package management framework.

The maintenance release of the scripting language, labelled 1.9.3-p194, updates RubyGems to close a security hole: RubyGems did not verify the SSL certificates of remote repositories, and it followed redirects from https to plain http.

The update fixes this by disallowing redirects from https to http connections and by enabling verification of server SSL certificates in an updated version of RubyGems, 1.8.23; more details on these issues are in the RubyGems History file. The developers encourage anyone who uses an https source in .gemrc or /etc/gemrc to upgrade as soon as possible.
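Both fixes are easy to get wrong in any HTTP client, not just RubyGems. The block below is an added example, written for Python’s standard library rather than taken from RubyGems, that applies the same two rules: a redirect handler that refuses to step down from https to http, and a TLS context that requires a valid certificate chain and matching hostname. The host names are made up, and `follow_redirect` exercises the handler’s decision directly so that nothing here touches the network.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def is_downgrade(from_url, to_url):
    """True when a redirect would move a TLS-protected fetch to plain HTTP."""
    return urlsplit(from_url).scheme == "https" and urlsplit(to_url).scheme != "https"


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Replaces urllib's default redirect handling.  A server, or an on-path
    attacker who can tamper with the first response, can no longer bounce
    the client to an unauthenticated http:// mirror."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if is_downgrade(req.full_url, newurl):
            raise urllib.error.HTTPError(
                newurl, code, "refusing https -> http redirect", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def verifying_context():
    """Chain and hostname are both checked.  The pre-fix behaviour described
    above is what you get with verify_mode=CERT_NONE: any certificate passes."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_is_strict(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def build_opener():
    """Opener with both protections; use opener.open(url) for real fetches."""
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=verifying_context()),
        NoDowngradeRedirectHandler())


def follow_redirect(from_url, to_url, code=302):
    """Simulate one redirect decision offline: returns the URL the client
    would fetch next, or raises HTTPError when the hop is a downgrade."""
    req = urllib.request.Request(from_url)
    handler = NoDowngradeRedirectHandler()
    new_req = handler.redirect_request(req, None, code, "Found", {}, to_url)
    return new_req.full_url


if __name__ == "__main__":
    print(follow_redirect("https://gems.example.test/specs.gz",
                          "https://mirror.example.test/specs.gz"))
    try:
        follow_redirect("https://gems.example.test/specs.gz",
                        "http://mirror.example.test/specs.gz")
    except urllib.error.HTTPError as e:
        print("blocked:", e.reason)
```

Note that `ssl.create_default_context()` already enables both checks; the explicit assignments are there so that the policy survives if someone later swaps in a context built from `SSLContext()` directly, which defaults to no verification.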

Further information about the update, including a full list of bug fixes, is in the official release announcement and in the change log. Ruby 1.9.3-p194 is available for download from the project’s site.

Thursday, April 12, 2012 @ 05:04 PM gHale

Samba developers have patched a critical security vulnerability that affects all versions of the open source, cross-platform file sharing suite from Samba 3.0.x up to version 3.6.3, which was released in January.

The hole allows an attacker to gain complete access to a Samba server over an unauthenticated connection. The GPLv3-licensed Samba runs on Unix and Linux systems and shares files with Windows systems by implementing the SMB, SMB2 and CIFS protocols.

Security Researcher Brian Gorenc and an unnamed colleague, working for the Zero Day Initiative, discovered the vulnerability. The flaw, located in the code generator for Samba’s remote procedure call (RPC) interface, makes it possible for clients on the network to force the Samba server to execute arbitrary code. This attack can work over an unauthenticated connection, granting the attacker root user privileges and thus complete access to the Samba server.

Because the problem lay in the Perl-based DCE/RPC IDL compiler that Samba uses to generate the code for handling remote requests, it was presumably very hard to detect with automated code auditing methods, which is why it stayed hidden for so long.

Because of the seriousness of the vulnerability, all users of Samba should update their installations as soon as possible, officials said. As a temporary workaround, the developers suggest using the hosts allow parameter in smb.conf to restrict access to the server to trusted addresses only. They point out, however, that “this can be used to help mitigate the problem caused by this bug but it is by no means a real fix, as client addresses can be easily faked.”
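Applying that workaround across a fleet means checking every share, because a share-level `hosts allow` overrides the global one and a missing value means no restriction at all. The Python script below is an added example (not from the Samba project) that audits an smb.conf for shares left open. The sample configuration is constructed; the parser covers only the subset of smb.conf syntax needed here and, as a simplification, ignores `hosts deny` and interface binding.

```python
import configparser

# Constructed smb.conf: one share protected, one wide open, one wildcard.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   server string = file server (%h)
   ; no global hosts allow: every share inherits 'allow everything'

[public]
   path = /srv/public
   read only = yes

[finance]
   path = /srv/finance
   hosts allow = 192.168.10. 127.0.0.1
   valid users = @finance

[printers]
   path = /var/spool/samba
   hosts allow = ALL
"""


def load_smb_conf(text):
    """smb.conf is INI-like: '=' separators, '#'/';' comments, %-macros."""
    cp = configparser.ConfigParser(delimiters=("=",),
                                   comment_prefixes=("#", ";"),
                                   inline_comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def effective_hosts_allow(cp, section):
    """Share value wins over [global]; 'allow hosts' is Samba's synonym.
    Returns the list of address patterns, or None when nothing applies."""
    for sec in (section, "global"):
        if cp.has_section(sec):
            for key in ("hosts allow", "allow hosts"):
                if cp.has_option(sec, key):
                    return cp.get(sec, key).replace(",", " ").split()
    return None


def audit_hosts_allow(text):
    """Map each share that is reachable from any address to the reason."""
    cp = load_smb_conf(text)
    findings = {}
    for share in cp.sections():
        if share == "global":
            continue
        allowed = effective_hosts_allow(cp, share)
        if allowed is None:
            findings[share] = "unrestricted: no hosts allow in share or [global]"
        elif any(a.upper() == "ALL" or a == "0.0.0.0/0" for a in allowed):
            findings[share] = "unrestricted: hosts allow permits every address"
    return findings


if __name__ == "__main__":
    for share, why in audit_hosts_allow(SAMPLE_SMB_CONF).items():
        print(f"[{share}] {why}")
```

Point it at a real file with `audit_hosts_allow(open("/etc/samba/smb.conf").read())`. Keep the developers’ caveat in mind: this only narrows who can reach the vulnerable RPC code; an attacker who can spoof an allowed source address is not stopped, so the audit buys time for patching rather than replacing it.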

The Samba project posted patches for Samba 3.6.3/.4, 3.5.13/.14 and 3.4.15/.16. Red Hat has already released patches for RHEL5 and RHEL6.

Wednesday, March 7, 2012 @ 11:03 AM gHale

The open source web application framework Ruby on Rails has been updated to version 3.2.2 to fix two important security issues and several other bugs.

Because of the serious nature of the security issues, users should upgrade their installations as quickly as possible. Users of Rails 3.0 and 3.1 will find new versions, 3.0.12 and 3.1.4, that also address the vulnerabilities.

The two cross-site scripting vulnerabilities fixed in this release allowed attackers to execute arbitrary HTML in the browsers of users visiting a Rails site: one through improperly sanitized fields in the options tag helper, the other through direct manipulation of a SafeBuffer, the object Rails uses to mark strings as already escaped. Further details of the options tag issue and the SafeBuffer issue are available.
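The options tag bug belongs to a familiar class: a view helper that builds markup from values it did not escape. The snippet below is an added example in plain Python, not Rails code, showing a minimal `<option>` builder in its vulnerable and hardened forms; the attacker-controlled choice is constructed. The SafeBuffer issue is a separate bug and is not modelled here.

```python
import html


def unsafe_options(choices, selected=None):
    """Interpolates caller-supplied labels and values straight into markup;
    a value containing a quote closes the attribute and the tag."""
    tags = []
    for label, value in choices:
        sel = ' selected="selected"' if value == selected else ""
        tags.append(f'<option value="{value}"{sel}>{label}</option>')
    return "\n".join(tags)


def safe_options(choices, selected=None):
    """Same helper with every attribute value and label HTML-escaped."""
    tags = []
    for label, value in choices:
        sel = ' selected="selected"' if value == selected else ""
        tags.append(f'<option value="{html.escape(str(value), quote=True)}"{sel}>'
                    f'{html.escape(str(label))}</option>')
    return "\n".join(tags)


# Constructed attacker-controlled choice, e.g. a category name a user was
# allowed to create and that later lands in an administrator's drop-down.
EVIL = ("Books", '"><script>alert(1)</script><option value="')

if __name__ == "__main__":
    print(unsafe_options([EVIL]))
    print(safe_options([EVIL]))
```

The hardened version escapes the attribute value with `quote=True` so that `"` becomes `&quot;`; escaping only the label, as is easy to do when the value is assumed to come from a fixed list, leaves exactly the hole described above.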

The Rails 3.2.2 update also includes fixes that ensure log files are flushed and that failing tests exit with a non-zero status code. It also removes calls to some deprecated methods and includes various Ruby 2.0 compatibility fixes.

More information on the changes since version 3.2.1 is available on GitHub. Users can download Rails 3.2.2 using RubyGems.

Thursday, February 2, 2012 @ 06:02 PM gHale

Following the release of new versions of its open source Firefox web browser, Thunderbird email client and SeaMonkey suite, Mozilla detailed the security fixes included in each of the updates.

Version 10.0 of Firefox closes eight security holes in the browser, five of which Mozilla rates “Critical”, according to the project’s Security Center page.

The critical issues include an exploitable crash when processing a malformed embedded XSLT stylesheet, potential memory corruption when decoding Ogg Vorbis files, XPConnect security checks bypassed by frame scripts, a use after free error in child nodes from nsDOMAttribute and various memory safety hazards. An attacker could exploit these vulnerabilities remotely to execute arbitrary code on a victim’s system.

Additionally, Firefox 10 closes two “High” impact issues that could lead to information disclosure or allow an attacker to violate the HTML5 frame navigation policy by replacing a sub-frame for phishing attacks. A moderate-severity bug was also fixed: when a user exported the Firefox Sync key to a “Firefox Recovery Key.html” file, the file was saved with incorrect permissions.

Based on the same Mozilla Gecko platform as Firefox 10, version 2.7 of the SeaMonkey “all-in-one Internet application suite” fixes all of the same vulnerabilities, while Thunderbird 10 addresses all but the moderate incorrect permissions bug because it does not use Firefox Sync.

An update to the 3.6.x legacy branch of Firefox, version 3.6.26, fixes four of the above critical issues and a low-impact bug related to an overly permissive IPv6 literal syntax that was previously repaired in Firefox 7.0, Thunderbird 7.0 and SeaMonkey 2.4. The developers note that Firefox 3.6.26 “now enforces RFC 3986 IPv6 literal syntax”, adding that the change “may break links written using the non-standard Firefox-only forms that were previously accepted”. The 3.1.18 update to the 3.1.x branch of Thunderbird also corrects these issues.

All users should upgrade to the current stable versions, the developers said.

Monday, October 17, 2011 @ 03:10 PM gHale

A major open source project, WineHQ, suffered a breach.

WineHQ, which manages Wine, an open source technology that lets users install and run Windows applications on Linux, Mac, Solaris and other operating systems, found that someone had broken into one of its database systems and gained access to an open source PHP tool that allows remote management of databases.

Wine developer Jeremy White said it’s unclear how the intruder was able to gain unauthorized access to the PHP utility. “It was either by compromising an admin’s credentials, or by exploiting an unpatched vulnerability in phpmyadmin,” White said. White is the founder and chief executive of CodeWeavers, a company that sponsors the Wine project.

WineHQ had “reluctantly” decided to allow application developers to remotely access the PHP utility because it is “a very handy tool, and something they very much wanted,” he said. “But it is a prime target for hackers, and apparently our best efforts at obscuring it and patching it were not sufficient.”

There appears to be no immediate evidence of harm to any databases, though it would have been relatively easy for malicious hackers to cause damage, White said.

However, the attackers managed to harvest all the login information of users of the Wine Application Database (AppDB) and Bugzilla, the WineHQ bug tracking system, White said.

“This means that they have all of [the email addresses], as well as the passwords,” of AppDB and Bugzilla users, he said.

“The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked,” White said. “This, I’m afraid, is a serious threat; it means that anyone who uses the same email/password on other systems is now vulnerable to a malicious attacker using that information to access their account.”

WineHQ is resetting the passwords of all affected users, he added.
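White’s two warnings, that stored hashes can be cracked “with enough effort and depending on the quality of the password” and that reused passwords are then exposed elsewhere, are easy to quantify. The Python script below is an added example (not WineHQ or Bugzilla code) that runs a dictionary attack against a constructed user table stored two ways: unsalted SHA-1, where one hash per guess serves every user, and per-user salted PBKDF2, where every guess must be recomputed for every user. No real credentials are involved; the wordlist and user table are made up, and the round count is kept small so the demonstration runs quickly.

```python
import hashlib
import os

# Constructed wordlist and user table; nothing here comes from WineHQ.
WORDLIST = ["123456", "password", "letmein", "qwerty", "wine2011"]
USERS = {"alice": "letmein", "bob": "Tr0ub4dor&3!x", "carol": "123456"}


def sha1_hash(password):
    """Scheme 1: a single unsalted fast hash, common in web apps of the period."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stolen, wordlist):
    """One hash per dictionary word serves every user at once: precompute
    the table, then look each stolen hash up.  Returns (cracked, work)."""
    table = {sha1_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stolen.items() if h in table}
    return cracked, len(table)


def kdf_hash(password, salt, rounds):
    """Scheme 2: per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def crack_salted(stolen, wordlist, rounds):
    """Every guess has to be recomputed per user; no shared table exists,
    and each computation costs `rounds` HMAC invocations."""
    cracked, work = {}, 0
    for user, (salt, h) in stolen.items():
        for w in wordlist:
            work += 1
            if kdf_hash(w, salt, rounds) == h:
                cracked[user] = w
                break
    return cracked, work


def demo(rounds=1000):
    """Breach simulation: the attacker holds both tables, runs the wordlist."""
    stolen_sha1 = {u: sha1_hash(p) for u, p in USERS.items()}
    unsalted_cracked, unsalted_work = crack_unsalted(stolen_sha1, WORDLIST)

    stolen_kdf = {}
    for u, p in USERS.items():
        salt = os.urandom(16)
        stolen_kdf[u] = (salt, kdf_hash(p, salt, rounds))
    salted_cracked, salted_work = crack_salted(stolen_kdf, WORDLIST, rounds)

    return {"unsalted_cracked": unsalted_cracked, "unsalted_work": unsalted_work,
            "salted_cracked": salted_cracked, "salted_work": salted_work}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:17s} {value}")
```

Both schemes give up the two users whose passwords are in the wordlist; salting and a slow KDF only multiply the attacker’s cost (here, per-user work at 1000 rounds each instead of five cheap hashes in total), they do not rescue a weak password. That is why the reset White announced matters less than the second half of his warning: anyone who reused an AppDB or Bugzilla password elsewhere has to change it there too.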

WineHQ is the second open source project to suffer a breach in the past two months. In August, hackers broke into the home of the Linux kernel project and gained administrative access to several servers within its infrastructure.

That breach led to a subsequent breach that resulted in several related websites going offline in September.

SourceForge, an open source software development site that hosts more than 260,000 open source projects, hosts WineHQ. SourceForge itself suffered an attack in January, one that some believe may have been aimed at corrupting projects hosted on the site.

Thursday, September 1, 2011 @ 03:09 PM gHale

The Apache HTTP Server project has closed a vulnerability that attackers were exploiting to crash web servers.

Flaws in the open source Apache HTTP daemon made it easy to crash servers using publicly available attack tools. The bugs, in the way httpd processed requests containing many overlapping byte ranges, allowed attackers to exhaust a server’s memory by sending it a modest amount of traffic.

An advisory on Apache’s website said the bug, identified as CVE-2011-3192, is fixed in version 2.2.20.

“We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade,” the advisory stated. It also notes that the vulnerability is in “active use.”

One of the bugs fixed in the update was specific to Apache, while a second flaw has been known since 2007 and possibly affects all web servers, an Apache bulletin said. The Internet Engineering Task Force is considering changing the part of the underlying protocol responsible for the problem, Apache said.

Besides the 2.2.x branch, versions 1.3.x and 2.0.x through 2.0.64 contain the denial-of-service vulnerabilities. A single web request containing overlapping byte ranges for a specific page can trigger them.

“The problem is that currently such requests internally explode into 100’s of large fetches, all of which are kept in memory in an inefficient way,” Apache’s advisory said. “This is being addressed in two ways. By making things more efficient. And by weeding out or simplifying requests deemed too unwieldy.”
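The two strategies in that quote, handling ranges more efficiently and weeding out unwieldy requests, can be seen in a small Range header parser. The Python block below is an added example, not Apache’s code: it parses the `bytes=` forms from RFC 2616 section 14.35, coalesces overlapping and adjacent ranges instead of fetching each one separately, and declines requests whose range count or total requested bytes is out of proportion to the resource. The limit of 200 ranges and the attack header are constructed for the example; the actual checks in httpd 2.2.20 differ in detail.

```python
import re

MAX_RANGES = 200   # assumed limit; a normal client sends a handful at most

# Constructed attacker request in the shape described above: one range for
# the whole file plus well over a thousand overlapping ranges of bytes 5-n.
ATTACK_HEADER = "bytes=0-," + ",".join(f"5-{i}" for i in range(5, 1300))


def parse_range(header, length):
    """Parse 'bytes=a-b | a- | -n' specs against a resource of `length` bytes.
    Returns a list of inclusive (start, end) pairs in request order, an empty
    list if every range is unsatisfiable, or None if the header is malformed."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.*)", header)
    if not m:
        return None
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue
        mm = re.fullmatch(r"(\d*)-(\d*)", spec)
        if not mm:
            return None
        a, b = mm.groups()
        if a == "" and b == "":
            return None                       # bare "-" is malformed
        if a == "":                           # suffix range: the last n bytes
            n = int(b)
            if n == 0:
                continue
            start, end = max(0, length - n), length - 1
        else:
            start = int(a)
            if b != "" and int(b) < start:
                return None                   # "5-3" is malformed
            if start >= length:
                continue                      # unsatisfiable, ignore
            end = length - 1 if b == "" else min(int(b), length - 1)
        ranges.append((start, end))
    return ranges


def coalesce(ranges):
    """Merge overlapping and adjacent ranges so each byte is fetched once."""
    merged = []
    for s, e in sorted(ranges):
        if merged and s <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def total_bytes(ranges):
    return sum(e - s + 1 for s, e in ranges)


def triage(header, length, max_ranges=MAX_RANGES):
    """Decide how to answer: returns (decision, ranges_to_serve)."""
    ranges = parse_range(header, length)
    if ranges is None:
        return ("ignore-range", [])       # RFC 2616: ignore the header, send 200
    if not ranges:
        return ("unsatisfiable", [])      # 416 Requested Range Not Satisfiable
    if len(ranges) > max_ranges:
        return ("reject", [])             # the "weeding out" in the advisory
    merged = coalesce(ranges)
    if total_bytes(ranges) > length:
        return ("serve-whole", merged)    # overlap amplification: a 200 with the
    return ("serve-ranges", merged)       # whole body is cheaper than 206 parts


if __name__ == "__main__":
    for hdr in ("bytes=0-99,100-199", "bytes=0-4, 3-10", "bytes=0-,0-,0-", ATTACK_HEADER):
        decision, parts = triage(hdr, 10000)
        print(f"{decision:14s} ranges={len(parse_range(hdr, 10000))} serve={parts}")
```

The asymmetry the advisory describes is visible in the numbers: the attack header is under 12 KB on the wire, yet without coalescing it asks a 10 KB file to be assembled into roughly 850 KB of response fragments, each held in memory until the reply is written.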
