Security News #0x50
- Ars Technica has a nice summary of the Apple sudo vulnerability that has been the talk of the town this past week. This is a significant flaw, as it allows privilege escalation to root on Apple systems, and it is currently unpatched for OSX from 10.7 through 10.8.4. On the other hand, exploiting the issue is constrained, as a number of preconditions need to be met before the exploit can be used. The core issue is a problem (CVE-2013-1775) with sudo reported earlier in the year that also affects Linux systems. The catch on Apple systems is that, unlike Linux systems, root access is not required to update the system time, and this modification of the system time is used in the current attack. As might be expected, the folks at Metasploit now have a module, although that may be overkill, as the entire exploit fits in a tweet.
- PacketStorm has another Java vulnerability, similar to the one announced on August 19. This one affects ByteComponentRaster.verify(), rather than BytePackedRaster.verify(). As before, PoC code is available.
- What would a list of exploits be without something affecting a fun consumer product? Core Labs has a proof of concept attack on DVRs from AVTech.
- If you have (Windows) password hashes on a network, and want to know how to leverage them for additional access, you may wish to take a look at the recent post from Chris Truncer.
- I am a big fan of the use of ModSecurity to protect web sites. The folks over at the SpiderLabs blog have a cool demonstration of a novel way to use ModSecurity by creating a honeytrap. In particular, they show how ModSecurity can add fictitious entries to a robots.txt file, and then check to see if attackers try to access these nonexistent web pages.
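The honeytrap idea above works without ModSecurity too: publish decoy Disallow entries in robots.txt and treat any request for those paths as a signal, since no legitimate user or well-behaved crawler has a reason to visit a directory that does not exist. The following is an added example, not the SpiderLabs code or ModSecurity configuration; the decoy paths, the client IPs and the log lines are all constructed for the demonstration, and the log format is assumed to be the common Apache/nginx combined format.

```python
"""Robots.txt honeytrap detector (added example, not the SpiderLabs code)."""
import re
from typing import Dict, List, Optional

# Constructed decoy entries: none of these paths exist on the site, so any
# request for them can only come from a client that read robots.txt (or a
# wordlist) and chose to probe the "forbidden" directories.
DECOY_PATHS = ["/admin-backup", "/db_dump", "/old-site"]


def build_robots_txt(real_disallow: List[str], decoys: List[str]) -> str:
    """Render a robots.txt whose Disallow list mixes real and decoy paths."""
    lines = ["User-agent: *"]
    lines += [f"Disallow: {p}/" for p in real_disallow + decoys]
    return "\n".join(lines) + "\n"


# Combined-log style line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the captured fields, or None for a line that is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _normalize(path: str) -> str:
    """Drop the query string and trailing slash so /db_dump/?x=1 and /db_dump compare equal."""
    path = path.split("?", 1)[0]
    return path.rstrip("/") or "/"


def find_honeytrap_hits(log_lines: List[str], decoys: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and report every request that lands on a decoy path.

    Each hit records whether the same client fetched robots.txt earlier in the
    log, which is the strongest sign that the path was harvested from it.
    """
    decoys = [_normalize(d) for d in decoys]
    fetched_robots = set()
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        path = _normalize(rec["path"])
        if path == "/robots.txt":
            fetched_robots.add(rec["ip"])
            continue
        for d in decoys:
            # Match the decoy directory itself or anything below it.
            if path == d or path.startswith(d + "/"):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "path": path,
                    "decoy": d,
                    "read_robots_first": rec["ip"] in fetched_robots,
                })
                break
    return hits


# Constructed sample log: one client reads robots.txt and then probes a decoy,
# a second client probes a decoy without reading robots.txt, a third requests
# a similarly named but non-decoy path, and one line is unparseable noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2013:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.5 - - [03/Sep/2013:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 120',
    '203.0.113.5 - - [03/Sep/2013:10:00:05 +0000] "GET /admin-backup/ HTTP/1.1" 404 210',
    '198.51.100.7 - - [03/Sep/2013:10:01:00 +0000] "GET /db_dump/dump.sql?x=1 HTTP/1.1" 404 210',
    '198.51.100.9 - - [03/Sep/2013:10:02:00 +0000] "GET /old-sites/ HTTP/1.1" 404 210',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(build_robots_txt(["/private"], DECOY_PATHS))
    for hit in find_honeytrap_hits(SAMPLE_LOG, DECOY_PATHS):
        print(hit)
```

Running the script prints the generated robots.txt and two hits: the first client, which read robots.txt before requesting `/admin-backup/`, and the second, which went straight for `/db_dump/dump.sql`. The request for `/old-sites/` is not reported because prefix matching is anchored on a directory boundary, which keeps a decoy such as `/old-site` from firing on unrelated paths that merely share its spelling.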
- Ars Technica discusses how password cracking attacks are expanding to attack passphrases.
- The Carnal0wnage blog has a list of hackme challenges and the like for Android applications.
- Threatpost has a nice summary of the attack last week against the New York Times. One interesting angle mentioned in the piece was the fact that the attackers could have used the same technique to redirect email rather than the web site.
- It looks like someone has been able to reverse engineer the DropBox client. You may also want to take a look at Threatpost’s take.
- BuzzFeed reports that there is a security flaw in army computers that allows unauthenticated logons after logoffs.
- Let’s end as we began, by discussing more Apple Awesomesauce. It turns out that apps on both OSX and iOS will crash hard if they read a particular string of Arabic text.