Microsoft had a slight breather in September after it delivered a record 14 security bulletins on Patch Tuesday in August. The company was actually preserving its energy for an even more hectic Patch Tuesday in October, which, according to the Security Bulletin Advance Notification, will include 16 updates to patch 49 vulnerabilities – a new record. Out of the 16 security bulletins, four are labeled “critical,” ten “important,” and the remaining two “moderate.” Ten of the security updates address flaws that could allow remote code execution.
Security researcher HD Moore thought he had let the cat out of the bag when he referred to a widespread Windows vulnerability in a tweet on Wednesday. But as it turns out, Moore may have underestimated the scale of the issue, which he thought affected “about 40 different apps, including the Windows shell.” Mitja Kolsek, CEO of Slovenian security company ACROS Security, reckons that “most every Windows application has this vulnerability.” Moore had linked to a security advisory issued by ACROS in his tweet.
"We examined a bunch of applications, more than 220 from about 100 leading software vendors, and found that most every one had the vulnerability,” Kolsek told Computerworld. “These vulnerabilities' critical impact and relative ease of exploitation present a serious threat to basically all Windows machines.”
The “remote binary planting” vulnerability can be exploited quite easily using malicious files, according to Kolsek. “The main enabler for this attack is the fact that Windows includes the current working directory in the search order when loading executables." In practice, an application that loads a library or helper executable by bare file name, and does not find it in its own directory or the system directories first, can be made to load a copy planted alongside a document the user opened, for instance on a network share or a removable drive, because opening that document makes its location the process's working directory.
Both Kolsek and Moore fear that the affected applications might have to be patched individually, since changing the search order in Windows itself could break existing applications that rely on it.
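The search-order mechanics behind the attack, as an added example that is not part of the original article or of ACROS's advisory: a small C model of the documented Windows DLL search order, run against a constructed set of directories (the application directory, System32, an attacker-controlled share that has become the current working directory, and one PATH entry) and two hypothetical library names, `present.dll` (installed in System32) and `optional.dll` (probed for by the application but not installed anywhere). It shows that the default SafeDllSearchMode protects the installed library but not the missing one, which is the case binary planting relies on, and that removing the working directory from the search (what `SetDllDirectory("")` does) closes it.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the documented Windows DLL search order; not loader code.
 * With SafeDllSearchMode enabled (the default since Windows XP SP2):
 *   application dir, System32, 16-bit system dir, Windows dir, CWD, PATH.
 * With it disabled, the CWD is searched second, right after the application dir.
 * SetDllDirectory("") removes the CWD from the search entirely. */

enum dll_location {
    LOC_APP_DIR,       /* directory the executable was loaded from */
    LOC_SYSTEM_DIR,    /* %SystemRoot%\System32 */
    LOC_SYSTEM16_DIR,  /* %SystemRoot%\System */
    LOC_WINDOWS_DIR,   /* %SystemRoot% */
    LOC_CWD,           /* current working directory */
    LOC_PATH_DIR,      /* a directory on %PATH% */
    LOC_NOT_FOUND
};

typedef struct {
    enum dll_location location;
    const char *path;      /* display only */
    const char *files[4];  /* files present there, NULL-terminated */
} fake_dir;

/* Constructed sample (hypothetical names): the user opened a document on an
 * attacker-controlled share, so that share is now the process's CWD. It holds
 * copies of present.dll (also installed in System32) and optional.dll (which
 * the application probes for but which is not installed anywhere). */
const fake_dir demo_dirs[] = {
    { LOC_APP_DIR,    "C:\\Program Files\\App", { "app.exe", NULL } },
    { LOC_SYSTEM_DIR, "C:\\Windows\\System32",  { "present.dll", NULL } },
    { LOC_CWD,        "\\\\attacker\\share",    { "present.dll", "optional.dll", "report.doc", NULL } },
    { LOC_PATH_DIR,   "C:\\Tools",              { NULL } },
};
const size_t demo_ndirs = sizeof demo_dirs / sizeof demo_dirs[0];

static int dir_has(const fake_dir *d, const char *name) {
    for (int i = 0; d->files[i] != NULL; i++)
        if (strcmp(d->files[i], name) == 0) return 1;
    return 0;
}

/* Where LoadLibrary("name") would load from, given the search-mode settings. */
enum dll_location resolve_dll(const char *name, const fake_dir *dirs, size_t ndirs,
                              int safe_search_mode, int cwd_removed) {
    static const enum dll_location safe_order[] = {
        LOC_APP_DIR, LOC_SYSTEM_DIR, LOC_SYSTEM16_DIR, LOC_WINDOWS_DIR, LOC_CWD, LOC_PATH_DIR };
    static const enum dll_location unsafe_order[] = {
        LOC_APP_DIR, LOC_CWD, LOC_SYSTEM_DIR, LOC_SYSTEM16_DIR, LOC_WINDOWS_DIR, LOC_PATH_DIR };
    const enum dll_location *order = safe_search_mode ? safe_order : unsafe_order;

    for (size_t step = 0; step < 6; step++) {
        if (order[step] == LOC_CWD && cwd_removed) continue;   /* SetDllDirectory("") */
        for (size_t i = 0; i < ndirs; i++)
            if (dirs[i].location == order[step] && dir_has(&dirs[i], name))
                return order[step];
    }
    return LOC_NOT_FOUND;
}

static const char *loc_name(enum dll_location loc) {
    switch (loc) {
        case LOC_APP_DIR:    return "application directory";
        case LOC_SYSTEM_DIR: return "System32";
        case LOC_CWD:        return "current working directory (planted copy)";
        case LOC_PATH_DIR:   return "PATH";
        case LOC_NOT_FOUND:  return "not found (load fails)";
        default:             return "other system directory";
    }
}

int main(void) {
    printf("present.dll,  safe mode on:  %s\n", loc_name(resolve_dll("present.dll",  demo_dirs, demo_ndirs, 1, 0)));
    printf("present.dll,  safe mode off: %s\n", loc_name(resolve_dll("present.dll",  demo_dirs, demo_ndirs, 0, 0)));
    printf("optional.dll, safe mode on:  %s\n", loc_name(resolve_dll("optional.dll", demo_dirs, demo_ndirs, 1, 0)));
    printf("optional.dll, CWD removed:   %s\n", loc_name(resolve_dll("optional.dll", demo_dirs, demo_ndirs, 1, 1)));
    return 0;
}
```

The model never touches the real loader; it only encodes the order documented for `LoadLibrary`. The lesson is in the third case: the safe search mode only helps when a legitimate copy exists earlier in the order, so a library the application merely probes for is loaded from the working directory on every Windows version. Per-application fixes map onto the last case: call `SetDllDirectory("")` at startup, or load by full path so no search happens at all.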
The bug in question, which can be exploited with a specially crafted TrueType font, allows arbitrary code execution. According to security researcher Charlie Miller, Adobe first learnt of the vulnerability from Google security engineer Tavis Ormandy. "Apparently @taviso previously reported to Adobe the Reader 0-day I dropped at BH. Haha, ruined his effort at trying to be responsible," Miller quipped in a tweet on Tuesday.
Tavis Ormandy was recently in the crosshairs himself after he went public with a critical vulnerability in the Windows Help and Support Center's hcp:// protocol handler only a few days after notifying Microsoft about it.
Adobe is often maligned for the number of vulnerabilities in its software. Of course, one could argue that the prevalence of Adobe software has made it one of the most targeted third-party software vendors and there is little it can do to change that, but the fact is that the San Jose-based company has been leisurely in addressing security concerns.
Google wasted little time in patching a recently discovered flaw in the Audio CAPTCHA technology it employs to stave off abuse of its various online services. The flaw was disclosed in a post on the Full Disclosure mailing list on Monday. It made circumventing Google's Audio CAPTCHA ridiculously easy – as easy as inputting 10 random words. The company took only a few hours to come up with a fix. “We fixed a bug in our audio CAPTCHA validation last night within a few hours," said Google spokesman Jay Nancarrow on Tuesday in an e-mail message. "Audio CAPTCHAs continue to function normally."
The Black Hat security conference attracts the crème de la crème of the security industry. This year the organizers even offered a paid live stream for those unable to make the trip to Vegas. Called Black Hat Uplink, the service carried a $395 price tag. But as security expert Michael Coates found out, the price could be waived entirely, thanks to “a combination of logic flaws and misconfigured systems which provided access to a testing login page that could be used with user credentials that were not fully "registered" (e.g. no payment received).”
Coates, who oversees web security at Mozilla, wrote on his blog that he was unable to attend this year's event and so decided to closely monitor it online. “In this process I noticed the new "Black Hat Uplink" service that would allow remote individuals access to streaming Black Hat talks from two select tracks,” he wrote.
“I identified a series of flaws that would enable the creation of an account with only providing an email address (e.g. no name, address, phone etc) and I was never asked to enter any credit card data. Odd I thought, perhaps you enter the credit card info upon your first login.” Upon completing the registration, he was faced with a slight problem: he didn't have a registration email to direct him to the login page.
“A few select Google searches and I ended up on a relatively vanilla looking login page. I have a username and a key, let's give it a shot. To my surprise the login was accepted and I was now sitting in front of the live Black Hat video stream.”
He wasted little time in contacting the event's organizers, holding off the public disclosure until they had fixed the flaw. He also revealed that Black Hat used a third-party solution for the video feed. Can't see them using the same vendor for the next event, though.
Microsoft has no interest in joining the bug-bounty wars, according to ThreatPost.com. Mozilla recently increased the cash reward it offers to security researchers for nailing vulnerabilities in its software, only for Google to follow suit a few days later. All this was enough to fuel rumors of Microsoft, which doesn't have a bug-bounty program, finally getting sucked into the bug-bounty battle.
But such rumors have now been put to rest by MS. "We value the researcher ecosystem, and show that in a variety of ways, but we don’t think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren’t always financial. It is well-known that we acknowledge researchers' contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update," Microsoft's Jerry Bryant told ThreatPost in an email.
The company seems satisfied with its current practice of honoring talented security researchers by enlisting their services: “We’ve had several influential folks from the researcher community join our security teams as Microsoft employees. We’ve also entered into contracts directly with many vendors and sometimes individual researchers to test our products for vulnerabilities before they’re released. Many of these vendors and individuals first came to our attention based on the high-quality and unique approaches demonstrated by the vulnerabilities they reported to the MSRC.”
This will not go down well with the growing number of security researchers who discourage their peers from disclosing bugs for free and advocate more bug-buying programs. Don't be surprised, then, to see a spike in publicly disclosed critical bugs in Microsoft software, even though the company openly discourages public disclosure.
Mozilla’s six-year-old Security Bug Bounty Program, which rewards security researchers for reporting bugs in its software, just became more lucrative. The bounty payment has now been hiked from $500 to $3000 per eligible bug, Mozilla announced on its blog. This has been done “to make it economically sustainable for security researchers to do the right thing when disclosing information.”
The company has made some additions and subtractions to the list of products covered under the bounty program. It has also amended the eligibility terms to better elucidate its “right to disqualify bugs from the bounty payment if the reporter has been deemed to have acted against the best interests of our users.” However, Mozilla clarified that publicly disclosed bugs will continue to be eligible for the bounty program despite the amendments.
“We have also clarified the products covered under the bounty to better reflect the threats we are focused upon. We still include Firefox and Thunderbird obviously, but we also added Firefox Mobile and any Mozilla services that those products rely upon for safe operation,” Mozilla said. “Release and beta versions of those products are eligible. Mozilla Suite bugs, however, are no longer eligible, as it is not an officially released nor supported Mozilla product.”
A young Argentinian hacker, known only by his sobriquet Ch Russo, claims to have successfully slipped past The Pirate Bay's defenses, gaining access to the torrent site's administrative control panel. An SQL injection vulnerability discovered by Ch Russo and a couple of his chums exposed the site's user database, which is said to contain account information belonging to around 4 million users. However, the hacker denies altering or deleting information.
The trio also resisted the temptation of selling the data to the companies assisting the entertainment industry in its fight against piracy. “Probably these groups would be very interested in this information, but we are not [trying] to sell it,” Russo told security blog KrebsOnSecurity in a phone interview. “Instead we wanted to tell people that their information may not be so well protected.”
Everyone has different reasons for exposing Windows security flaws. Some do it to avenge an insult to a fellow security researcher, others to bring home the bacon. Unlike the Microsoft-Spurned Researcher Collective, which falls into the former category, Danish security firm Secunia's motivation is purely pecuniary.
“The vulnerability is caused due to a boundary error in the "UpdateFrameTitleForDocument()" function of the CFrameWnd class in mfc42.dll. This can be exploited to cause a stack-based buffer overflow by passing an overly long title string argument to the affected function,” Secunia said on its site.
According to Microsoft group manager Jerry Bryant, “Microsoft is investigating new public claims of a possible vulnerability in Windows 2000 and Windows XP.” However, he said he was unaware of any attacks based on the vulnerability.
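The bug class Secunia describes, as an added example in C that is not mfc42.dll's code and uses hypothetical names and a hypothetical 64-byte buffer: a fixed-size stack buffer receiving a caller-supplied title string with no length check, beside a bounded replacement that always terminates the string and reports truncation so the caller can reject the input. The vulnerable function is shown for contrast only and is never called with a long title.

```c
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 64  /* hypothetical size of the frame-title stack buffer */

/* Vulnerable pattern (for contrast only; never called with long input here):
 * the title's length is never compared with the buffer, so a title of
 * TITLE_MAX or more bytes runs past the buffer into the saved frame pointer
 * and return address on the stack. */
void set_frame_title_vulnerable(const char *doc_title) {
    char title[TITLE_MAX];
    strcpy(title, doc_title);  /* unbounded copy: stack-based buffer overflow */
    printf("%s\n", title);
}

/* Bytes strcpy would write past a TITLE_MAX buffer for a title of the given
 * length (the terminating NUL counts). 0 means the title fits. */
size_t bytes_past_buffer(size_t title_len) {
    return title_len + 1 > TITLE_MAX ? title_len + 1 - TITLE_MAX : 0;
}

/* Hardened replacement: copies at most out_len-1 bytes, always NUL-terminates
 * (unlike strncpy, which does not when the input is too long), and reports
 * truncation so the caller can refuse or log the input instead of silently
 * showing a clipped title. Returns 0 = fit, 1 = truncated, -1 = bad arguments. */
int set_frame_title_safe(const char *doc_title, char *out, size_t out_len) {
    if (doc_title == NULL || out == NULL || out_len == 0) return -1;
    size_t n = 0;
    while (n < out_len - 1 && doc_title[n] != '\0') n++;  /* bounded scan */
    memcpy(out, doc_title, n);
    out[n] = '\0';
    return doc_title[n] != '\0';  /* input remained unread: truncated */
}

/* A normal title round-trips unchanged. Returns 1 on success. */
int demo_short_title_fits(void) {
    char buf[TITLE_MAX];
    int rc = set_frame_title_safe("report.doc - Editor", buf, sizeof buf);
    return rc == 0 && strcmp(buf, "report.doc - Editor") == 0;
}

/* A 199-byte title (the "overly long title string" case) is clipped to 63
 * characters plus NUL instead of smashing the stack; the same input through
 * strcpy would have written 136 bytes past the buffer. Returns 1 on success. */
int demo_overlong_title_is_contained(void) {
    char attacker_title[200];                  /* constructed input */
    memset(attacker_title, 'A', sizeof attacker_title - 1);
    attacker_title[sizeof attacker_title - 1] = '\0';
    char buf[TITLE_MAX];
    int rc = set_frame_title_safe(attacker_title, buf, sizeof buf);
    return rc == 1 && strlen(buf) == TITLE_MAX - 1
        && bytes_past_buffer(strlen(attacker_title)) == 136;
}

int main(void) {
    set_frame_title_vulnerable("short title");  /* harmless with short input */
    printf("short title fits:        %s\n", demo_short_title_fits() ? "yes" : "no");
    printf("long title contained:    %s\n", demo_overlong_title_is_contained() ? "yes" : "no");
    printf("overflow for 199 bytes:  %zu bytes past the buffer\n", bytes_past_buffer(199));
    return 0;
}
```

The return-value convention matters as much as the bounded copy: a window title that had to be truncated is a signal that the input came from somewhere untrusted, and a caller that only ever sees a clipped string has lost that signal.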
July 4 turned out to be a field day for hackers and chance cyber-saboteurs as they converged on the world's most popular video streaming site to wreak havoc using a cross-site scripting (XSS) vulnerability. They inserted malicious code in the comments section of many YouTube videos to trigger a series of anomalous events, including redirects to porn sites and nasty pop-ups, whenever a user visited a targeted video. Justin Bieber fans were probably the worst hit, with hackers and pranksters concertedly targeting the Canadian singer's videos.
But Google wasted little time in plugging the hole. "We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com," a spokesperson for YouTube's parent company said. "Comments were temporarily hidden by default within an hour [of discovering the problem], and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future."
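Stored cross-site scripting of the kind described above is stopped on the server by encoding untrusted comment text for the HTML context it is placed in. As an added example, not YouTube's or Google's code, here is a bounded HTML escaper in C, run on a constructed comment payload in the style of the July 4 incident (an image tag whose error handler redirects the viewer; the host `attacker.example` is a placeholder).

```c
#include <stdio.h>
#include <string.h>

/* Entity for a character, or NULL if it needs no escaping. The five characters
 * cover text and quoted-attribute contexts; they are not sufficient for text
 * landing inside a <script> block, a URL or a style attribute. */
static const char *entity_for(char c) {
    switch (c) {
        case '&':  return "&amp;";
        case '<':  return "&lt;";
        case '>':  return "&gt;";
        case '"':  return "&quot;";
        case '\'': return "&#39;";
        default:   return NULL;
    }
}

/* Escapes `in` into `out` (capacity out_len, NUL-terminated). Returns the
 * number of bytes written excluding the NUL, or -1 if `out` is too small; on
 * -1 `out` is left empty so a caller cannot emit a half-escaped comment. */
int html_escape(const char *in, char *out, size_t out_len) {
    size_t used = 0;
    if (in == NULL || out == NULL || out_len == 0) return -1;
    for (const char *p = in; *p != '\0'; p++) {
        const char *ent = entity_for(*p);
        size_t need = ent ? strlen(ent) : 1;
        if (used + need + 1 > out_len) { out[0] = '\0'; return -1; }
        if (ent) memcpy(out + used, ent, need);
        else     out[used] = *p;
        used += need;
    }
    out[used] = '\0';
    return (int)used;
}

/* Post-condition check before text is placed into a page: any raw angle
 * bracket left means the encoding step was skipped or bypassed. */
int contains_raw_markup(const char *s) {
    return strchr(s, '<') != NULL || strchr(s, '>') != NULL;
}

/* Constructed sample comment: an image that cannot load, whose onerror
 * handler navigates the viewer elsewhere. No real host is used. */
const char *sample_comment =
    "<img src=x onerror=\"location='http://attacker.example/'\">";

/* Escapes the sample and checks it matches the expected entity-encoded form
 * and is free of raw markup. Returns 1 on success. */
int demo_sample_comment_is_neutralized(void) {
    char safe[256];
    const char *expected =
        "&lt;img src=x onerror=&quot;location=&#39;http://attacker.example/&#39;&quot;&gt;";
    int n = html_escape(sample_comment, safe, sizeof safe);
    return n == (int)strlen(expected) && strcmp(safe, expected) == 0
        && contains_raw_markup(sample_comment) && !contains_raw_markup(safe);
}

/* A buffer too small for the expansion is rejected and left empty. */
int demo_small_buffer_rejected(void) {
    char tiny[8];
    return html_escape("<<", tiny, sizeof tiny) == -1 && tiny[0] == '\0';
}

int main(void) {
    char safe[256];
    int n = html_escape(sample_comment, safe, sizeof safe);
    printf("raw:     %s\n", sample_comment);
    printf("escaped: %s (%d bytes)\n", safe, n);
    return 0;
}
```

Escaping at output time is the fix; filtering known-bad strings out of comments at input time is what attackers route around with alternate tags and event handlers. Note also the expansion factor: a comment made entirely of `<` grows fourfold, so the destination buffer or field must be sized for the encoded length, not the raw one.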