
AusCERT Week in Review for 8th March 2013

Date: 08 March 2013


Greetings,

Welcome to the Week in Review for the week ending Friday 8th of March 2013. As usual, it has been an interesting week in IT Security.

The three main news items of the week that will be covered in this post are:
1) Successful attacks on all major browsers at Pwn2Own,
2) Evernote security breach, and
3) Using multiple moving cursors to hide a password.

At the end of this post the most notable security bulletins of the week will also be covered in brief.

Firstly, at this year's Pwn2Own the major browsers Chrome, Firefox and Internet Explorer have all been successfully attacked! The Java plug-in for Internet Explorer was also compromised (yes, again) at the contest by three separate contestants. Some of the prizes of the competition that are yet to be claimed include Adobe's Flash Player and Adobe Reader on Windows 7. On an interesting note, none of the entrants has scheduled an attempt to compromise Safari on Mac OS X. Only time will tell if more exploits will be discovered and more of the prizes claimed. One thing is for sure, however: we should start seeing these products receive security patches in the next few days because, unlike last year's contest, this year's rules require full disclosure of the exploits used for compromise. If past releases are anything to go by, Chrome patches from Google will be the first to be pushed out.

Evernote, the makers of the cross-platform note-taking application, set a great example this week of how to deal effectively and efficiently with a possible breach. On its blog Evernote says: "Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service." [6] Evernote noted that user information including usernames, emails and encrypted (hashed and salted) passwords had been accessed. Despite the robust encryption of the passwords, Evernote, in "an abundance of caution", sent out an email to all its users informing them of the situation and mandating a password change on next login.

In research developments, interesting work is being done by the Japan Science and Technology Agency (JST) on hiding your password from spyware and peepers. To combat keyloggers, some companies employ virtual keyboards on their login pages to increase security. A number of techniques can still be used by malware to capture the passwords. To overcome this security weakness, the JST is experimenting with introducing multiple cursors on the screen while a user types a password using a virtual keyboard. In their research, while a user types a password, up to 20 cursors move around randomly on the screen using a system they've created called SymmetricCursors. Despite what intuition might suggest, Keita Watanabe at the JST explains: "At first sight, it looks as if the user, too, will get confused which cursor is real. But when you try this system, it's surprisingly easy to understand which one is your cursor." A video is included to show how such a system might work. The research is still in its early stages. The researchers next plan to use eye-tracking technology to figure out why the user doesn't get confused by the multiple cursors. This is definitely an interesting security feature to keep an eye out for.

Finally, here are this week's top notable security bulletins:

1) ASB-2013.0034 - ALERT [Win][UNIX/Linux] Oracle Java: Execute arbitrary code/commands - Remote with user interaction

Even more exploits for Java were discovered and patched by Oracle. Oracle noted that some of them were reported to have been observed in the wild. Later in the week Apple released a bulletin specifying that they would start blocking all the older web-plugins of Java on OS X.

2) ASB-2013.0035 - [Win][Linux][OSX] Google Chrome: Multiple vulnerabilities

Google pushed out an update to patch 10 vulnerabilities in Chrome just a day before Pwn2Own. As usual, most of the actual exploits are kept private until users have a chance to update.

3) ESB-2013.0334 - [UNIX/Linux][RedHat] xen: Root compromise - Existing account

A vulnerability in a specific type of network interface emulation in Xen virtualisation allowed root privileges in guest operating systems running in Xen.

4) ESB-2013.0326.2 - UPDATE [RedHat] kernel: Root compromise - Console/physical

A buffer overflow in the implementation of Universal Disk Format (UDF) in the Linux kernel allowed an attacker with physical access to the system to gain root privileges.

5) ESB-2013.0315 - [Debian] apache2: Multiple vulnerabilities

Multiple vulnerabilities were discovered in apache2 modules which allowed privilege escalation and cross-site scripting.

That ends our week in review. Stay patched and have a great weekend.

Regards,
Parth Shukla
Information Security Analyst