High risk Ruby on Rails vulnerability

Most users run Ruby on Rails 3.2 these days, but some still run Rails 3.0 or 2.3.
Those who cannot update their application to Rails 3.2 and need to stay on Rails 3.0 or 2.3 are strongly advised to update to Rails 3.0.20 or 2.3.16.

To quote the authors of Rails:
“I’d like to announce that 3.0.20, and 2.3.16 have been released. These releases contain one extremely critical security fix so please update IMMEDIATELY.”

“Impact
The JSON parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML.”

More information:
http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo

High Risk WordPress vulnerability

WordPress pushed out version 3.5.1 of its open source blogging platform yesterday, fixing 37 bugs including several cross-site scripting (XSS) errors and a vulnerability that could have allowed an attacker to expose information and compromise an unpatched site.

Until yesterday, the aforementioned vulnerability, discovered by security researchers Gennady Kovshenin and Ryan Dewhurst, affected all versions of the platform. It could be exploited for server-side request forgery (SSRF) and remote port scanning using pingbacks. Essentially, if left unpatched, an attacker could force the WordPress server into sending requests on the attacker’s behalf to another server, even one behind a firewall.
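The pingback problem described above is a server-side request forgery: the server fetches a URL chosen by an anonymous caller, so it can be pointed at internal hosts or arbitrary ports. The Ruby below is an added example, not WordPress code, showing the kind of target validation such a handler needs before it fetches anything: only http/https, only the standard web ports, and no address in a loopback, private or link-local range (checking every address the name resolves to, including IPv4-mapped IPv6 forms). `pingback_target_allowed?`, `blocked_address?`, the `SAMPLE_DNS` table and the injected resolver hook are constructed for this example.

```ruby
require 'ipaddr'
require 'uri'

# Address ranges a server should never be made to contact on behalf of an
# anonymous caller: loopback, RFC 1918, link-local, CGNAT and their IPv6 kin.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Pingbacks only ever need plain web ports; allowing any port turns the
# server into a port scanner for the caller.
ALLOWED_PORTS = [80, 443].freeze

# Constructed DNS data so the example runs offline (hypothetical hosts;
# 203.0.113.0/24 is the documentation range, never routed on the internet).
SAMPLE_DNS = {
  'blog.example'     => ['203.0.113.10'],
  'dual.example'     => ['203.0.113.11', '10.0.0.5'], # public and internal
  'loopback.example' => ['127.0.0.1'],
  'mapped.example'   => ['::ffff:127.0.0.1']         # IPv4-mapped IPv6 form
}.freeze
SAMPLE_RESOLVER = ->(host) { SAMPLE_DNS[host] }

# True when the address must not be contacted; unparseable input is refused.
def blocked_address?(addr)
  ip = IPAddr.new(addr)
  ip = ip.native if ip.ipv4_mapped? # compare ::ffff:a.b.c.d as a.b.c.d
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::Error
  true
end

# Returns [allowed, reason]. `resolver` maps a hostname to its address list and
# is an injected hook (assumption) so that every address a name resolves to is
# checked, not just the first one.
def pingback_target_allowed?(url, resolver: SAMPLE_RESOLVER)
  begin
    uri = URI.parse(url)
  rescue URI::InvalidURIError
    return [false, 'unparseable URL']
  end
  return [false, "scheme #{uri.scheme.inspect} not allowed"] unless %w[http https].include?(uri.scheme)
  host = uri.hostname
  return [false, 'missing host'] if host.nil? || host.empty?
  return [false, "port #{uri.port} not allowed"] unless ALLOWED_PORTS.include?(uri.port)

  # An IP literal in the URL needs no lookup; otherwise resolve the name.
  literal = (IPAddr.new(host) rescue nil)
  addresses = literal ? [host] : resolver.call(host)
  return [false, 'host does not resolve'] if addresses.nil? || addresses.empty?

  bad = addresses.find { |addr| blocked_address?(addr) }
  return [false, "#{host} resolves to non-public address #{bad}"] if bad
  [true, 'ok']
end

if __FILE__ == $PROGRAM_NAME
  ['http://blog.example/post/1', 'http://dual.example/',
   'http://blog.example:8080/', 'http://[::1]/'].each do |u|
    puts "#{u} => #{pingback_target_allowed?(u).inspect}"
  end
end
```

In a real handler the resolver would be the system DNS lookup, and the check must be applied to every hop if redirects are followed, since a public host can simply redirect the fetch to an internal address.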

The update also fixes the following XSS errors:
Two instances of cross-site scripting via shortcodes and post content.
An XSS vulnerability in the external library Plupload.

Due to the nature of this release, anyone running WordPress is advised to update their installations.

Further information can be found here:
http://wordpress.org/news/2013/01/wordpress-3-5-1/
http://core.trac.wordpress.org/query?milestone=3.5.1
http://threatpost.com/en_us/blogs/wordpress-fixes-37-bugs-latest-update-012513

LinkedIn Phishing mails

There have been a couple of reports this week about a mail arriving that looks like it’s from LinkedIn. It’s quite a good fake; unless you mouse over the links inside it and look at where they go before clicking, you might very well fall victim.
If you do click, you’ll be redirected to a malicious webpage attempting to run Java and (presumably) take over your computer. It’s possible that it also attempts to use Flash and/or other exploits for the same purpose.

If you’ve clicked on this link your computer may be compromised, so please have your computer thoroughly scanned for malware by multiple scanners.

More information: http://blog.webroot.com/2013/01/24/fake-linkedin-invitation-notifications-themed-emails-lead-to-client-side-exploits-and-malware/

High Risk Drupal Vulnerability

New vulnerabilities have been disclosed for Drupal versions lower than 6.28 and 7.19. If you run any Drupal installations, you are strongly advised to update them, as unpatched sites are exposed to (amongst other things) XSS attacks.

More information:
http://drupal.org/SA-CORE-2013-001

Ruby on Rails Vulnerability

On January 8th, Aaron Patterson announced CVE-2013-0156, multiple vulnerabilities in parameter parsing in Action Pack allowing attackers to:
Bypass authentication systems
Inject arbitrary SQL
Perform a Denial of Service (DoS)
Execute arbitrary code

That means that anyone running Ruby on Rails is advised to update to the latest version, as not doing so could lead to a compromise.

More information:
http://weblog.rubyonrails.org/
http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
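Both Rails advisories on this page come down to the same mistake: a parser for one format (the JSON backend in the 3.0.20/2.3.16 advisory, XML request parameters in CVE-2013-0156) hands untrusted input to a YAML loader that honours type tags and will instantiate whatever class a tag names. The Ruby below is an added example, not code from Rails or from the advisories; it shows the defensive pattern of parsing JSON with the JSON gem alone (no YAML detour, and `create_additions: false` so the gem’s own `json_class` tags are ignored) and, where YAML input is unavoidable, using `YAML.safe_load`, which refuses any tag it was not explicitly told to permit. `guarded_parse` and the sample inputs are constructed for this example.

```ruby
require 'json'
require 'yaml'

# Constructed sample inputs (not from the advisories).
PLAIN_JSON = '{"user": {"name": "alice", "roles": ["reader"]}}'
# A YAML document carrying a Ruby-specific type tag. A loader that honours
# such tags tries to instantiate the named class instead of returning data.
TAGGED_YAML = "--- !ruby/object:Object {}\n"
# JSON with a json_class member, the JSON gem's own type-tag mechanism.
TAGGED_JSON = '{"json_class": "Object"}'

# Parse JSON with the JSON gem only: no YAML backend, and json_class members
# stay plain strings (create_additions: false). Returns data or raises.
def parse_untrusted_json(text)
  JSON.parse(text, create_additions: false)
end

# For input that genuinely has to be YAML, use safe_load, which rejects every
# type tag not passed in via permitted_classes (none here).
def parse_untrusted_yaml(text)
  YAML.safe_load(text)
end

# Wraps either parser so callers get a tagged result instead of an exception;
# for rejected input the second element names the exception that blocked it.
def guarded_parse(text, format)
  value = format == :json ? parse_untrusted_json(text) : parse_untrusted_yaml(text)
  [:ok, value]
rescue JSON::ParserError, Psych::Exception => e
  [:rejected, e.class.name]
end

if __FILE__ == $PROGRAM_NAME
  [[PLAIN_JSON, :json], [TAGGED_JSON, :json], [TAGGED_YAML, :json],
   [PLAIN_JSON, :yaml], [TAGGED_YAML, :yaml]].each do |text, format|
    puts "#{format} #{text.strip.inspect} => #{guarded_parse(text, format).inspect}"
  end
end
```

The point of the two rejections is that a YAML type tag never reaches a class loader: the JSON gem fails on it as a syntax error, and `safe_load` raises `Psych::DisallowedClass` rather than instantiating `Object`.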

High Risk Java Vulnerability

A new year has arrived, and so has a new Java 0-day vulnerability. The vulnerability is present in all Java versions up to version 7 Update 10. There is currently no patch available for it, and it has already been integrated into the BlackHole exploit kit. As many of you know, Java runs on all platforms, so it doesn’t matter whether you run Windows, Mac or Linux: you are all at risk. Last time this happened, we advised you to uninstall or disable Java in your browser if you don’t have a specific need for it. I want to reiterate that advice. You can click on this link to see if you have Java installed: http://www.java.com/sv/download/installed.jsp

We suggest that you either uninstall Java if you have no need whatsoever for it, disable it in your main browser (and use a secondary browser only for the sites that need Java), or disable it fully in all your browsers. Information on how to do this can be found below:
Uninstalling Java on Windows 7: http://www.java.com/en/download/uninstall.jsp
Uninstalling Java on Mac: http://osxdaily.com/2012/04/07/tips-secure-mac-from-virus-trojan/

Disabling Java in browsers:
In Firefox, select “Tools” from the main menu, then “Add-ons,” then click the “Disable” button next to any Java plug-ins.
In Safari, click “Safari” in the main menu bar, then “Preferences,” then select the “Security” tab and uncheck the button next to “Enable Java.”
In Chrome, type or copy “Chrome://Plugins” into your browser’s address bar, then click the “Disable” button below any Java plug-ins.
In Internet Explorer, follow these instructions for disabling Java in all browsers via the Control Panel. There is no way to completely disable Java specifically in IE.

More information can be found here: http://www.kb.cert.org/vuls/id/625617

Update: Oracle have now released a patch for Java (version 7 update 11), so anyone using Java should immediately update to this version. You can do this by either updating through the Java Update or by going to http://www.java.com/en/download/index.jsp
You should however only install this update if you have a need for Java, and those who do should still follow the guidance in our last mail regarding only allowing it for stand-alone applications and/or in a secondary browser.

Mobile Security

As most of you are aware, the Christmas holiday is quickly coming up! 🙂
This means that a lot of us will be traveling on trains, buses and flights to get to our families to maybe relax, drink glögg and eat sill.
Thieves take advantage of the extra number of people traveling at this time of year, though, so there is a spike in thefts during the holidays.

A lot of sensitive and confidential information is stored on mobile devices these days, and losing that data could potentially be devastating. Because of that, it’s important to remember to secure your mobile devices as well as you can.

Included are two guides on how to secure the Samsung Galaxy S3 (Android) and the iPhone, which are two of the most commonly used phones.

iPhone (verified on iPhone 4): At a minimum, set a PIN code and enable wiping the device after 10 incorrect PIN attempts. You can find these settings under: Settings, General, Passcode Lock (Erase Data, Simple Passcode).

Android (verified on Samsung Galaxy S3): Please turn on encryption of the device (and the external SD card). You can find these settings under: Settings, Security, Encrypt Device. Be aware that you can’t use a PIN code once encryption is enabled, so you will need to choose a password to unlock your phone instead. It’s also advised that you install an anti-virus application on your Android phone.

Skype Vulnerability

Please note that there appears to be a security vulnerability in Skype allowing an attacker to gain access to Skype accounts:

Here’s how it works:
> Sign up for a new Skype account. Use the victim’s email. A warning will come up that an account with that email already exists, but you can still proceed with filling out the form and account creation.
> Log in to the Skype client with your new account.
> https://login.skype.com/account/password-reset-request – request a password reset using the victim’s email.
> You will get a password reset notification and token in your Skype client. Follow the link to pick the victim’s account and reset the password.
> It appears the only way to safeguard yourself for now is to change your main Skype account email to one that’s not publicly known.

Source:
http://www.reddit.com/r/netsec/comments/13664q/skype_vulnerability_allowing_hijacking_of_any/

Update 12:27 CET: This was quickly remedied by Skype.

Zero-day Microsoft Internet Explorer

A new high-risk Internet Explorer zero-day exploit is currently active in the wild.

That means that anyone using Internet Explorer 7, 8 or 9 to browse the internet can be infected simply by visiting a webpage that carries the malicious code. The code then downloads an exploit pack to your computer and can give unauthorized people access to the infrastructure.

There is currently no patch or workaround for the issue from Microsoft, so the only viable option is to switch to another browser. Thinking “I won’t click any links from unknown people” is unfortunately not enough, as it’s getting more and more common for these kinds of attackers to either hack known sites and add the code, or to purchase banner space on well-known sites, which then launches the code without you noticing anything at all.

Two browsers you could use are:
Firefox: http://www.getfirefox.com
Chrome: http://www.google.com/chrome/

For more information: http://www.kb.cert.org/vuls/id/480095

Update: Microsoft has since released a patch. Run Windows Update to get the latest versions available.

High Risk Java vulnerability

There is currently an extremely high-risk Java vulnerability out in the wild that can potentially cause havoc for a lot of users and systems. All someone has to do is get you to visit a site with the malicious code, which can then run an exploit kit on your system under the same user as the Java process, which means they will most likely be able to take over your entire system.

This is not only relevant for sysadmins, but for anyone being connected to the internet. A website you open could potentially have the code on it, and the person would then have access to your PC to install key loggers, or whatever they want – which could be used to breach not only your own PC but your corporate network.

There is currently no fix for this issue, which is why it’s highly recommended to disable the Java plugin in your browsers. If you need to use Java Applets, then it’s suggested to use NoScript with Firefox as you can then whitelist sites you wish to use Java on, and block it on the rest.

You can find more information here:
https://www.us-cert.gov/cas/techalerts/TA12-240A.html
http://www.kb.cert.org/vuls/id/636312