[SecurityRatty] tag: fixed

Apple releases another mega-patch for Mac OS X

Fri, 10 Oct 2008 00:00:00 +0000

Apple on Thursday patched 40 vulnerabilities in Mac OS X -- more than half of them labeled with the company's equivalent of "critical" -- meaning it has fixed more than 250 flaws so far this year.

40 Security Flaws Fixed In Mac OS X Security Update 2008-007

Thu, 09 Oct 2008 20:56:07 +0000

Apple has released another pack of patches that cover a total of 40 documented vulnerabilities affecting the Mac OS X. The Security Update 2008-007, available for Tiger and Leopard, covers a range of third-party components and Mac OS X flaws that could users at risk of remote code executions attacks. The more serious vulnerabilities include: Apache: CVE-2007-6420, [...]

Gdiplus.dll Vulnerability In WinZip Fixed In Version 11.2 SR-1

Tue, 30 Sep 2008 19:09:57 +0000

WinZip Computing released WinZip 11.2 SR-1 on September 25 with a critical update to all installations of WinZip 11. The release addresses a security vulnerability that exists in one of the modules shipped with WinZip 11. This component is not a WinZip module but rather a Microsoft module that WinZip Computing shipped for the convenience [...]

Password Bug Fixed Sooner Than Expected in Firefox 3.0.3

Sat, 27 Sep 2008 08:51:07 +0000

Mozilla released Firefox 3.0.3 with fix for a problem where users were unable to retrieve saved passwords or save new passwords. For some users, ever since upgrading, the new Firefox did not remember passwords or asked if passwords should be saved, even with preferences set to “Remember passwords for sites” and without exceptions in the [...]

Apple patches months-old Java bugs

Fri, 26 Sep 2008 20:00:00 +0000

Apple patched nearly 30 Java vulnerabilities in Mac OS X Wednesday, months after Sun, Java's developer, fixed most of the same flaws for other operating systems.

XSF & XSS: Double your pleasure, double your fun

Sun, 21 Sep 2008 17:00:00 +0000

If you've read this blog, or those of my peers, you're likely quite familiar with cross-site scripting, and the problems associated with open redirect vulnerabilities. A vulnerability you may be less familiar with is cross-site framing, which largely couples the best of both above-mentioned vulnerabilities.
What then, if there's a cross-site framing vulnerability coupled with cross-site scripting in the content offered by the frame? All sorts of problems come to mind: phishing, malware, credential theft; all arguably twice removed from the attacker's source, tucked away in the context of two victim sites.
First, I'll discuss the original XSS issue that led to this finding.
Recently, I was investigating a flawed parameter in Openhire, a career posting vendor used by major companies like Crate&Barrel, Eileen Fisher, Enterprise, Benjamin Moore, Scottrade, and Getty Images.
Most of these sites simply link to the Openhire offering that hosts job postings on their behalf which, in turn, has been crafted to look like the referring site.
As an example, here's Scottrade's employment page hosted by Openhire.

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?version=1&company_id=15624

Standard stuff, looks nicely like the Scottrade site, so everything's cool, right?
Wrong? What if someone hosting a service on your behalf suffers a security gap?
You're only as strong as your weakest link!
Here's the posting for an Application Security Engineer (funny, eh?) at Scottrade as hosted on their behalf by Openhire:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=976367&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters%3B%3B%3BInformation%20Technology%3B%3B%3BSecurity&startflag=3&CFID=66851845&CFTOKEN=29a95-d12594d4-47d9-49e8-9067-1091bdf68e80

Now here the same job posting spewing massive cookie data:

http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3

Screen shot offered below, as the code above will likely be repaired very soon by Openhire. I notified them this past Thursday.

It's bad enough when there's an application security hole in code someone else is hosting on your behalf, but what if your method of displaying said code is also at risk? Enter the Getty Images Jobs page.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=careeropps&startflag=0&company_id=15531&version=2&CFID=12265212&CFTOKEN=60213778

Watch what happens when you pull the Openhire code. Can you say self-replicating frame loop from hell (in Firefox)? Trust me your browser will crash if you leave this running too long. This will likely be fixed soon, so if the URL doesn't work, the screen shot exemplifies the issue.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html

What if, instead of Openhire's Getty Images page, or nothing at all (which obviously creates its own issue), we drop in an arbitrary URL?
Yep, you guessed it.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://www.xssed.com/news/26/Cross-site_framed/

Now, bringing it all home for double the pleasure, double the fun, what if we coupled the original Openhire cross-site scripting vuln with Getty Images cross-site frame vuln?

It hurts twice as much, in my book.

http://www.gettyimagesjobs.com/gettyImagesJobsDisplay.html?http://hostedjobs.openhire.com/epostings/jobs/submit.cfm?fuseaction=dspjob&id=23&jobid=130527&company_id=15624&version=1&source=ONLINE&JobOwner=%22%3E%3CSCRIPT%3Ealert(document.cookie)%3C/SCRIPT%3E&level=levelid3&levelid3=18247&parent=St.%20Louis%20Corporate%20Headquarters;;;Information%20Technology;;;Security&startflag=3

The lessons learned:
1) Ensure your partners are writing secure code on you behalf.
2) Ensure that the code you utilize to incorporate said partner's code is also well written. ;-)

Double the headache, double the dumb.

del.icio.us | digg

AT&T Extends Free Wi-Fi to Cheapest DSL Plans

Tue, 16 Sep 2008 09:30:32 +0000

AT&T seems to have added free Wi-Fi for its lowest-priced DSL customers: The Atlanta Journal-Constitution is the only one with this story, and they've garbled a few of the details, but checking AT&T's public sites seems to confirm it. Previously, AT&T customers had to either have a fiber-optic U-Verse subscription, or a DSL line running at 1.5 Mbps downstream or faster to get free Wi-Fi Basic. The Basic pool covers most of the 17,000 U.S. hotspots, excluding some hotels and premium locations.

AT&T now says that any "FastConnect" subscription, even its DSL Lite offering of 768 Kbps down/128 Kbps up, qualifies for Wi-Fi Basic. The new statement reads: "AT&T Wi-Fi Basic service is FREE and already included if you subscribe to AT&T High Speed Internet, AT&T U-verseSM High Speed Internet, or AT&T FastAccess® DSL—all speed plans included.

There's still a $10 per month fee to upgrade to Wi-Fi Premier, which includes over 70,000 locations worldwide, along with the missing U.S. hotspots, but their Web site says that you have to have a 1.5 Mbps or faster connection to get the $10 per month upgrade. That may be out of date. That ordering page also says you need 1.5 Mbps or faster for free Wi-Fi, so that tends to confirm it hasn't been fixed. (It's even hosted at sbc.com, so perhaps that's part of the vestige of an older system, harder to update.)

Please note that iPhone subscribers still don't get free Wi-Fi on AT&T's Basic network.

Zune Owners Get Free Wi-Fi at McDonald's

Mon, 15 Sep 2008 23:01:01 +0000

Microsoft signs three-year deal with Wayport for old and new Zune owners alike: This is a nice win for Zune users, Wayport, and McDonald's, each in their own way, and it's something Microsoft can simply write off as useful marketing--and a way to get people to try the latest models of their music player, which are being released on 16-September.

The Zune doesn't include a Web browser or any Internet focused features; it's not an iPod touch. But you can use Wi-Fi to browse the Zune Marketplace for music and games, and download new songs in programmed channels, music selections created by a variety of artists and stations. Zune offers both music purchases and a subscription for unlimited music listening. The new models range from $149 for an 8 GB flash model to $249 for a 120 GB hard drive-based player.

The feature I'm most interested in is Buy from FM, which leverages the built-in FM tuner and very low-bandwidth data that's already pushed over analog AM/FM. (See my write-up of this feature from last week.) With Buy from FM, when you're listening to radio stations that participate, you'll be able to click a button and buy the song you're listening to if you're connected to a Wi-Fi network. Zune Pass subscribers can download the song at no additional charge. If there's no Wi-Fi network, the song download or purchase is queued.

Wayport's marketing head Dan Lowden said, "Obviously, it's cool because folks who already own a Zune device and just need to do an upgrade will be able to use this just as with any of the new Zune devices that they start selling as soon as possible." (Microsoft may have a little accounting work to do: Sarbanes-Oxley doesn't let you enhance a product in the market without a fee if you realize the revenue all at once.)

The benefit for Wayport is to have yet another hefty but undisclosed fixed sum underlying its fixed infrastructure costs. In the past, Wayport has done deals with Nintendo, ZipIt, and Eye-Fi to allow all devices in a category unlimited access at McDonald's locations. McDonald's obviously gets more customers, or existing customers who spend more time or visit more frequently.

A partnership with a hotspot operator means that Microsoft doesn't have to provide tools and their users endure frustration in joining a network. "We're experts enabling one click to get this network connected," Lowden said. He noted that Wayport has opened test labs to work with manufacturers in Japan, San Francisco, San Diego, and Seattle. "We're working with these guys from day 1 to make sure it's one click to get connected," he said. I'd also note that San Diego happens to be where Qualcomm's headquarters are located, not that Lowden gave me any tip-off there.

And I have to just say: burn, burn, burn on Apple. Despite Apple partnership with AT&T, which relies on Wayport to operate the AT&T-branded hotspot network and resells access to Wayport's own network, iPhone and iPod touch users have no inclusive Wi-Fi service. AT&T slipped a few times and ostensibly opened up their network or released details that iPhone users would gain free hotspot access--like all AT&T's fiber and all its standard and premium DSL customers.

As Wi-Fi becomes an expected part of any handheld gadget, the venues in which Wi-Fi is used multiply beyond cafes and hotels. Lifestyle locations--which could be clothing stores, nightclubs, ski resorts, and the tops of mountains suddenly become places where people want the same kind of access they have at home. Ultima thule is already unwired.

Feds Set to Take Over Airline Watch-List Checking, Again

Tue, 09 Sep 2008 20:00:00 +0000

The federal government is planning yet again to take over the job of comparing airline passengers to an ever-growing terrorism watch list ... six years after it was first proposed. The feds say this time they've fixed the privacy problems and can fix the name mismatches that have snagged children, nuns and senators.

Cisco 7600 OSR Backbone Router

Sat, 06 Sep 2008 07:25:02 +0000

For our confused CEO blogger over at StreamBase, who thinks an Internet backbone router is the small $30 device he set up in his home office, here is a photo of a the Cisco 7600 OSR which of course runs CISCO IOS.

The Cisco 7600 OSR consists of a 256 Gbps switching fabric and a 30 million packets per second (mpps) forwarding engine. Its breadth of IP services comes from Cisco IOS, which provides features such as security, enhanced QoS, and destination sensitive services. In addition, the Cisco 7600 OSR allows the migration of existing port adapters from Cisco 7500 series routers, via the Cisco FlexWAN module, giving service providers one the industry’s widest array of interface options in any single platform. This provides service providers great flexibility in deploying the Cisco 7600 OSR for a variety of applications, protects their investment in existing systems, and gives them a practical migration path to the New World Optical Internet.

A Revolutionary Platform For Evolving Networks

The Cisco 7600 OSR helps service providers break through service and bandwidth barriers today, while designing networks to scale for future growth. The Cisco 7600 OSR achieves this through “adaptive network processing,” or the ability to evolve the platform for new IP services without hardware upgrades. Unlike fixed, ASIC-based platforms, which are hardware encoded, the Cisco 7600 OSR relies on the highly flexible Parallel eXpress Forwarding (PXF) technology for scalable performance of services. PXF is a patented, Cisco-developed network processor capable of line-rate IP services delivery that can support new IP services through periodic software upgrades. Each OSM has two PXF processors capable of 12 mpps of IP services delivery per interface card.

“IP+Optical combines the dynamism of the Internet world with the foundation of the transport world, creating an infrastructure that can deliver the services that service providers need,” said Lele Nardin, vice president of the Internet Systems Business Unit at Cisco. “Cisco will continue to add innovative solutions on top of this solid foundation to make service providers better equipped to meet the constantly escalating and changing customer demands for new networking services.”

Pricing and Availability

The base Cisco 7600 OSR system is list priced at $73,000 and the entry level system, with interfaces, start at $100,000. The interfaces modules are priced between $27,000 to $180,000. The Cisco 7600 OSR is available now worldwide.