Shared posts

13 Jun 14:23

[remote] - MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow

MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow
13 Jun 13:52

Elmu fun

by synapse
Nice error page #1


Nice error page #2




Dat cert (btw I'm on https://elmu.hu)


Here's our friend again. Yay




13 Jun 07:32

Linux Kernel Exploit Targeting Android Platform Discovered

13 Jun 07:21

Keeping Your Data Private From the NSA (And Everyone Else)

by Unknown Lamer
Nerval's Lobster writes "If those newspaper reports are accurate, the NSA's surveillance programs are enormous and sophisticated, and rely on the latest in analytics software. In the face of that, is there any way to keep your communications truly private? Or should you resign yourself to saying or typing, 'Hi, NSA!' every time you make a phone call or send an email? Fortunately there are ways to gain a measure of security: HTTPS, Tor, SCP, SFTP, and the vendors who build software on top of those protocols. But those host-proof solutions offer security in exchange for some measure of inconvenience. If you lose your access credentials, you're likely toast: few highly secure services include a 'Forgot Your Password?' link, which can be easily engineered to reset a password and username without the account owner's knowledge. And while 'big' providers like Google provide some degree of encryption, they may give up user data in response to a court order. Also, all the privacy software in the world can't prevent the NSA (or other entities) from capturing metadata and other information. What do you think is the best way to keep your data locked down? Or do you think it's all a lost cause?"

Read more of this story at Slashdot.



13 Jun 07:20

Testing OAuth APIs with Burp Suite

by dnet

Two months ago I tried testing a REST API that used OAuth 1.0 for authentication and I prefer to use Burp Suite for such tasks. My only problem was that OAuth 1.0 requires signing each request with a different nonce, so using the built-in scanner of Burp would've been impossible without Burp learning how to do it.

I tried solving the problem by setting an oauth-proxy as an upstream proxy in Burp, and I even sent a patch to make it work with Burp, but I had some problems with it, and since I wanted to try Burp Extender since the day it was announced, I decided to write a Burp plugin. Although it's possible to write such plugins in Python and Ruby as well, I found that they required Jython and JRuby, which I consider worst of both worlds, so in the end, I did it using Java, the lesser of two (three) evils.

I searched the web for sensible Java OAuth implementations, and chose Signpost since it had a pretty straightforward API and depended only on the Apache Commons Codec library. To meet the deadlines, I hand-crafted the HTTP parsing and generator class called BurpHttpRequestWrapper that wraps an object that implements the IHttpRequestResponse interface of Burp, and itself implements the HttpRequest interface that Signpost uses to read and manipulate HTTP requests. I also created a simple test suite using JUnit 4 that makes sure that my code doesn't break HTTP requests in any unexpected ways. Later I found out about the IRequestInfo interface that would've made it possible to use the internals of Burp to do at least the parsing part, so I started a branch with a matching name to do experimentation, although as of 12th June 2013, it doesn't work.

The working version can be found in my GitHub repo, the instructions for building and configuring can be found in the README. Below is an example demonstrating the verify_credentials method of the Twitter API 1.1 using the repeater module of Burp. Although the request at the top doesn't have an Authorization header, Twitter responded with 200 OK, so the plugin inserted the appropriate headers correctly. The actual header can be seen if the logging of HTTP requests is enabled in the Options > Misc tab.

Burp Suite Repeater requests Twitter API

======================================================
19:52:27  https://api.twitter.com:443  [199.16.156.40]
======================================================
GET /1.1/account/verify_credentials.json HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_consumer_key="xxx",
    oauth_nonce="-181747806056868046",
    oauth_signature="QZDwnam9I%2FrCdXzj4l3mnPSgRlY%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1371059545",
    oauth_token="xxx", oauth_version="1.0"
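The per-request signing that the plugin had to teach Burp, worked through as an added Python example (this is not dnet's Java code and not Signpost): it builds the RFC 5849 signature base string, signs it with HMAC-SHA1, serializes an Authorization header in the format shown in the Repeater output above, and on the server side recomputes the signature and rejects stale timestamps and replayed nonces. The function names (sign_request, verify_request, and so on) are this example's own; the request, keys and secrets in the constants are the worked example from RFC 5849 section 3.4.1, and the Twitter credentials in main() are placeholders.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and verification (RFC 5849).

Added example; not code from dnet's Burp plugin or from Signpost.
Function names are assumptions made for this illustration.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Worked example from RFC 5849 section 3.4.1 (not constructed here).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_CONSUMER_KEY, RFC_CONSUMER_SECRET = "9djdj82h48djs9d2", "j49sk3j29djd"
RFC_TOKEN, RFC_TOKEN_SECRET = "kkk9d7dh3k39sjv7", "dh893hdasih9"
RFC_NONCE, RFC_TIMESTAMP = "7d8f3e4a", "137131201"


def pct_encode(value):
    """Section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' are left unencoded; hex is uppercase."""
    return quote(value, safe="-._~")


def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme and host, default port dropped, no query or fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, parts.path)


def collect_parameters(url, oauth_params, body):
    """Section 3.4.1.3: query string + oauth_* header params (minus signature/realm) + form body."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def signature_base_string(method, url, params):
    """Section 3.4.1.1: METHOD & enc(base URI) & enc(params sorted by encoded name, then value)."""
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    normalized = "&".join("%s=%s" % kv for kv in encoded)
    return "&".join([method.upper(), pct_encode(base_string_uri(url)), pct_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """Section 3.4.2: key = enc(consumer secret) '&' enc(token secret); base64 of the HMAC-SHA1 digest."""
    key = ("%s&%s" % (pct_encode(consumer_secret), pct_encode(token_secret))).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 body=None, nonce=None, timestamp=None):
    """Produce the oauth_* parameters for one request. A fresh nonce per request is what
    forces a proxy (or Burp) to re-sign rather than replay a captured Authorization header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    base = signature_base_string(method, url, collect_parameters(url, oauth, body))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth):
    """Serialize the parameters as an 'OAuth ...' header; values are percent-encoded (section 3.5.1)."""
    return "OAuth " + ", ".join('%s="%s"' % (k, pct_encode(v)) for k, v in oauth.items())


def parse_authorization_header(header):
    """Inverse of authorization_header(); tolerates the line-wrapped form Burp logs."""
    if not header.startswith("OAuth "):
        return {}
    parsed = {}
    for item in header[len("OAuth "):].split(","):
        k, _, v = item.strip().partition("=")
        parsed[k] = unquote(v.strip().strip('"'))
    return parsed


def verify_request(method, url, header, body, consumer_secret, token_secret,
                   seen_nonces, now, max_skew=300):
    """Server-side check: recompute the signature in constant time, then reject stale
    timestamps and any (consumer key, timestamp, nonce) triple already accepted."""
    oauth = parse_authorization_header(header)
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    base = signature_base_string(method, url, collect_parameters(url, oauth, body))
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode()):
        return False
    ts = oauth.get("oauth_timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > max_skew:
        return False
    replay_key = (oauth.get("oauth_consumer_key"), ts, oauth.get("oauth_nonce"))
    if replay_key in seen_nonces:
        return False
    seen_nonces.add(replay_key)
    return True


if __name__ == "__main__":
    # Placeholder credentials; sign the same Twitter endpoint the Repeater output above uses.
    oauth = sign_request("GET", "https://api.twitter.com/1.1/account/verify_credentials.json",
                         "CONSUMER_KEY_PLACEHOLDER", "CONSUMER_SECRET_PLACEHOLDER",
                         "TOKEN_PLACEHOLDER", "TOKEN_SECRET_PLACEHOLDER")
    print("Authorization:", authorization_header(oauth))
```

The server-side verify_request is the part the plugin does not need, but it is the reason the nonce matters: with the signature recomputed over method, URL, query, body and oauth_* parameters, a captured header can neither be replayed (nonce cache) nor reused for a different request (base string changes), which is exactly why Burp's scanner could not send modified requests without re-signing each one.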
13 Jun 07:19

Updated 64-bit Linux Tor Browser Bundles (crash fix)

by erinn

After numerous reports that the 64-bit Tor Browser Bundle was crashing frequently, we've updated all of them. If you were having problems with the last ones, please try these instead and let us know if you have any further problems. Only the 64-bit Linux Tor Browser Bundles have been updated; the other Tor Browser Bundles are still 2.3.25-8.

https://www.torproject.org/download/download-easy

Tor Browser Bundle (2.3.25-9)

  • Rebuild 64-bit bundles with Firefox optimizations disabled in order to prevent browser crashes. (closes: #8970)
  • Update HTTPS Everywhere to 3.2.2
  • Update NoScript to 2.6.6.2
11 Jun 22:35

zPanel vulnerability permits root access to server

Work on a patch is ongoing, but a hotfix which can be applied manually is already circulating on forums. Until a patch is available, the vulnerable module should be deactivated as soon as possible.


11 Jun 20:40

[remote] - Java Applet Driver Manager Privileged toString() Remote Code Execution

Java Applet Driver Manager Privileged toString() Remote Code Execution
11 Jun 20:40

[remote] - Java Web Start Double Quote Injection Remote Code Execution

Java Web Start Double Quote Injection Remote Code Execution
10 Jun 20:19

Hacker Faces More Jail Time Than The Rapists He Exposed

10 Jun 13:47

USA Calling For the Extradition of Snowden

by samzenpus
Taco Cowboy writes "Edward Snowden, the leaker who gave us the evidence of US government spying on its people, is under threat of being extradited back to the U.S. to face prosecution. Some people in Congress, including Republican Peter King (R-NY), are calling for his extradition from Hong Kong to face trial. From the article: 'A spokesman for the director of national intelligence, James Clapper, said Snowden's case had been referred to the justice department and US intelligence was assessing the damage caused by the disclosures. "Any person who has a security clearance knows that he or she has an obligation to protect classified information and abide by the law," the spokesman, Shawn Turner, said.'"




10 Jun 12:56

Ask Slashdot: How Do You Prove an IT Manager Is Incompetent?

by samzenpus
An anonymous reader writes "I have been asked by a medium-sized business to help them come to grips with why their IT group is ineffective, loathed by all other departments, and runs at roughly twice the budget of what the CFO has deemed appropriate for the company's size and industry. After just a little scratching, it has become quite clear that the 'head of IT' has no modern technological skills, and has been parroting what his subordinates have told him without question. (This has led to countless projects that are overly complex, don't function as needed, and are incredibly expensive.) How can one objectively illustrate that a person doesn't have the knowledge sufficient to run a department? The head of IT doesn't necessarily need to know how to write code, so a coding test serves no purpose, but should be able to run a project. Are there objective methods for assessing this ability?"




10 Jun 05:53

NSA is wrong, not evil

by Robert Graham
My twitter feed has gotten this one-sided view of the NSA. Soon, they’ll be claiming the NSA practices witchcraft and eats babies, because, as everyone knows, the NSA is evil. In truth, the NSA is not evil, just wrong. I point this out because there are two sides to every story. The better we understand the NSA’s point of view, the better we can fight them. Power corrupts: understanding this from their point of view will teach us how this happens.

In this post, I describe my first-hand experiences dealing with the NSA, and what I understand of their point of view. I don't like the NSA, as you can tell from my other posts, but at the same time, I hate this "us vs. them" attitude that, just because we oppose them, we can impute all sorts of evil, untrue attributes onto them.


The highest priority at the NSA is avoiding infringing on citizens' rights. I know none of you will believe me, but it's true. I'm regularly astonished by the degree to which they bend over backwards to protect Americans' privacy. The more you delve into the phone metadata and PRISM details, the more you'll find these extreme measures the NSA takes to avoid infringing on the privacy of Americans.

Many claim the NSA is just another agency, and thus will share the same faults found in agencies like the IRS, which recently targeted people based on their political beliefs. This is a terribly wrong comparison. The IRS hires people with high-school diplomas, the NSA hires Ph.D.s with military service. If anybody at the NSA used their position to further their political party, their fellow employees would be the first to point that out, and stop them.

The testimony given by NSA leaders, such as Keith Alexander and James Clapper, is not really a lie. Consider this famous testimony from Clapper during a hearing on March 12, 2013:

Senator Wyden: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?”
James Clapper: “No, sir.”

Yet, as the June 5 story from the Guardian revealed, the NSA is collecting everybody's phone records. Isn't it obvious that Clapper is lying?

Maybe. The problem is more self-deception than lying before Congress. Consider the hypothetical case where somebody goes to the NSA and asks for all records associated with a person by name, such as "Robert Clayton Dean". Sure, the NSA has the phone records, but they aren't associated with a name. The NSA has the data in theory, but they can't get it in practice. Moreover, that database is largely inaccessible, controlled by the courts rather than the NSA. Even if the head of the NSA or the President himself demanded it, they would not be able to get those records without permission from the courts.

Clapper knows he’s being evasive, but he believes it’s the sort of evasion that is acceptable in politics. Because the NSA doesn’t have access to the data the way people imagine, he believes he’s telling the “truth” when answering that question. He deceives himself about the extent to which that surveillance endangers Americans. He's absolutely wrong, but I'm not sure how evil he is.

The lesson here is how power corrupts. Instead of arguing about how Clapper lies and replacing him with yet another politician, we should understand how this power corrupts all politicians in his position.

The rank and file of the NSA is not your enemy. They carry out the mission that politicians give them, and do not cross the line with an almost religious fervor. It’s the politicians who have moved that line. It’s every politician who voted to extend the Patriot Act and empower the FISA court that you have to fight. That doesn’t mean the NSA people are the good guys, it’s just that they aren’t the bad guys that you think they are.

09 Jun 22:09

NSA WhistleBlower Outs Himself

by samzenpus
An anonymous reader writes "The individual responsible for one of the most significant leaks in US political history is Edward Snowden, a 29-year-old former technical assistant for the CIA and current employee of the defense contractor Booz Allen Hamilton. Snowden has been working at the National Security Agency for the last four years as an employee of various outside contractors, including Booz Allen and Dell. The Guardian, after several days of interviews, is revealing his identity at his request. From the moment he decided to disclose numerous top-secret documents to the public, he was determined not to opt for the protection of anonymity. 'I have no intention of hiding who I am because I know I have done nothing wrong,' he said."




09 Jun 17:07

NSA Surveillance Heat Map: NSA Lied To Congress

by timothy
anagama writes "NSA officials have repeatedly denied under oath to Congress that even producing an estimate of the number of Americans caught up in its surveillance is impossible. Leaked screenshots of an NSA application that does exactly that prove that the NSA flat out lied (surprise). Glenn Greenwald continues his relentless attacks with another bombshell, this time exposing Boundless Informant. Interestingly, the NSA spies more on America than China, according to the heat map. Representative Wyden had sought amendments to the FISA reauthorization bill that would have required the NSA to provide information like this (hence the NSA's lies), but Obama and Feinstein demanded a pure reauthorization of FISA, which they got at the end of 2012." And if you don't mind that you might have your name on yet another special list, you might enjoy this Twitter-based take on the ongoing news.




09 Jun 17:01

[remote] - Novell Zenworks Mobile Device Management Local File Inclusion Vulnerability

Novell Zenworks Mobile Device Management Local File Inclusion Vulnerability
09 Jun 17:00

[remote] - Microsoft Internet Explorer textNode Use-After-Free

Microsoft Internet Explorer textNode Use-After-Free
07 Jun 07:28

The second edition of Security Engineering is freely downloadable

by Höltzl Péter
Ross Anderson has made the 2nd edition of his famous book Security Engineering available for download as a PDF. Huge respect to him for it. You can find the blog post about it here and download the book here. I ask everyone who can to buy it. (I already have!) Thanks also to Kincses Zoli, who brought the good news.
07 Jun 07:26

Increased rewards for Google’s Web Vulnerability Reward Program

by Jay
Posted by Adam Mein and Michal Zalewski, Security Team

Our vulnerability reward programs have been very successful in helping us fix more bugs and better protect our users, while also strengthening our relationships with security researchers. Since introducing our reward program for web properties in November 2010, we’ve received over 1,500 qualifying vulnerability reports that span across Google’s services, as well as software written by companies we have acquired. We’ve paid $828,000 to more than 250 individuals, some of whom have doubled their total by donating their rewards to charity. For example, one of our bug finders decided to support a school project in East Africa.

In recognition of the difficulty involved in finding bugs in our most critical applications, we’re once again rolling out updated rules and significant reward increases for another group of bug categories:
  • Cross-site scripting (XSS) bugs on https://accounts.google.com now receive a reward of $7,500 (previously $3,133.7). Rewards for XSS bugs in other highly sensitive services such as Gmail and Google Wallet have been bumped up to $5,000 (previously $1,337), with normal Google properties increasing to $3,133.70 (previously $500).
  • The top reward for significant authentication bypasses / information leaks is now $7,500 (previously $5,000).
As always, happy bug hunting! If you do find a security problem, please let us know.



06 Jun 14:04

Fake Mt. Gox Pages Aim To Infect Bitcoin Users

by timothy
An anonymous reader writes "Mt. Gox is the largest Bitcoin exchange in the world, and as such it and its users are being repeatedly targeted by attackers. Some two months ago, it battled a massive DDoS attack that was likely aimed at destabilizing the virtual currency and allowing the criminals to profit from the swings. Now, according to Symantec researchers, the criminals have turned to spoofing Mt. Gox's site and tricking its customers into downloading malware — the Ponik downloader Trojan, which is also able to steal passwords."




06 Jun 07:12

[remote] - Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution

Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution
06 Jun 07:11

[remote] - Apache Struts includeParams Remote Code Execution

Apache Struts includeParams Remote Code Execution
06 Jun 07:11

[remote] - Plesk Apache Zeroday Remote Exploit

Plesk Apache Zeroday Remote Exploit
06 Jun 07:10

Facebook Silently Removes Ability To Download Your Posts

by Unknown Lamer
dcollins writes "Facebook has a 'Download Info' capability that I've used regularly since 2010 to archive, backup, and search all the information that I've written and shared there (called 'wall posts'). But I've discovered that sometime in the last few months, Facebook silently removed this largest component from the Downloaded Info, locking up all of your posted information internally where it can no longer be exported or digitally searched. Will they reverse course if this is publicized and they're pressured on the matter?" It does appear that the archive of your wall posts is now only available through the not-very-useful Activity Log.




06 Jun 07:06

Verizon Ordered To Provide All Customer Data To NSA

by samzenpus
Rick Zeman writes "According to Wired, an order by the Foreign Intelligence Surveillance Court '...requires Verizon to give the NSA metadata on all calls within the U.S. and between the U.S. and foreign countries on an "ongoing, daily basis" for three months.' Unlike orders in years past, there's not even the pretense that one of the parties needed to be in a foreign country. It is unknown (but likely) that other carriers are under the same order."




05 Jun 09:42

Apple releases OS 10.8.4, (Wed, Jun 5th)

Apple released the next update for OS X, 10.8 ...(more)...

05 Jun 09:42

Windows Sysinternals Updated http://technet.microsoft.com/en-us/sysinternals/default.aspx, (Wed, Jun 5th)

...(more)...
05 Jun 07:10

Schneider Moves On Ancient SCADA Vuln

04 Jun 20:34

Google researcher discloses zero-day exploit for Windows

A vulnerability in all versions of Windows can be exploited by ordinary users to obtain system privileges. The vulnerability was discovered by Google's Tavis Ormandy, who posted his discovery online without first informing Microsoft.


03 Jun 15:15

[local] - Windows NT - Windows 8 EPATHOBJ Local Ring 0 Exploit

Windows NT - Windows 8 EPATHOBJ Local Ring 0 Exploit