Aug 23

FlashPlayer 11.4 and AIR 3.4 available

Flash logoAlthough initially highlighted because it included a number of security fixes, Tuesday’s Flash Player updates from Adobe also included the release of FlashPlayer 11.4 and Air 3.4. Among the features in the new release of FlashPlayer are support for ActionScript workers, allowing processing to be carried out in the background without freezing the user interface, and support for bridges between sandboxes, allowing ActionScript objects to communicate across domains. Flash Player 11.4 also introduces licensing support in the form of Flash Player Premium for Gaming.

Flash Player 11.4 now uses the date of video cards drivers to work out how to use video acceleration in Stage3D. Previously, drivers before 2008 would not use hardware acceleration, but that date has been moved to 2006 for some modes. There is also a “constrained” profile, which allows for hardware acceleration on previously blacklisted Intel GMA chipsets. StageVideo can now also make use of the GPU to speed video stream processing from webcams.

The updates also include a number of fixes. The full details of the changes in Flash Player 11.4 and AIR 3.4 are available in the release notes. Downloads for Windows and Mac OS X are available for FlashPlayer 11.4 and AIR 3.4.

Permanent link to this article:

Aug 23

A $5,000 vulnerability in Facebook

A security researcher who goes by the name of AMol NAik has disclosed a security hole in Facebook’s web site. The cross-site request forgery (CSRF) flaw allows an attacker to execute actions as a logged-in user by accessing specific URLs. The researcher earned a bounty of $5,000 for responsible disclosure of the vulnerability before publishing it.

After Facebook introduced its App Center functionality, AMol NAik discovered that the anti-CSRF tokens in HTTP requests are apparently not validated on the server side and that an attacker is therefore able to add applications on the platform as another user. To execute this attack, the attacker merely needs the victim to visit a specially crafted web site, after which malicious applications can be planted on the App Center.

Anti-CSRF measures like the ones employed by Facebook are supposed to prevent this kind of attack by generating a token with every valid session that has to be sent by the client with every request. Scripts on other web sites have no access to this token and therefore can not generate valid requests. In Facebook’s case, the App Center pages did not actually check the token for validity, which allowed anyone to send bogus requests and have them accepted. The Facebook Security team fixed the vulnerability within one day of being contacted by AMol NAik.

Permanent link to this article:

Aug 23

McAfee upgrades Android privacy protection in new Mobile Security

A new version of McAfee Mobile Security helps Android device users keep control of their personal information.

Rather than simply reporting on app permissions, the new version of McAfee Mobile Security also uses a reputation database to check the possible destinations of data sent by apps.

This helps to prevent data being delivered to adware and spyware networks, according to company officials.

They also pointed out that comScore has found 33% of apps ask for more permissions than they need to perform the stated functions, and that according to the University of California Berkeley 97% of users do not understand the relationship between permissions and risks.

“Android apps can ask for 124 types of permissions – these apps could be invading your privacy and exposing your personal life,” said Luis Blando, vice president of engineering, McAfee.

 “With McAfee Mobile Security, consumers can now filter their App Alert notifications to just those apps that are using permissions of interest or concern to the user.”

Other features include malware detection, ‘safe surfing’, SMS filtering, and anti-theft measures.

The $29.95 McAfee Mobile Security is available from Google Play, and also from McAfee’s site which allows a free trial.

Permanent link to this article:

Aug 22

Microsoft says don’t use PPTP and MS-CHAP

Microsoft is warning of a serious security issue in MS-CHAP v2, an authentication system that is mainly used in Microsoft’s Point-to-Point Tunneling Protocol (PPTP) VPN technology. Three weeks ago at the Black Hat conference, encryption expert Moxie Marlinspike presented the CloudCracker web service, which can crack any PPTP connection within 24 hours for $200.

The basic problem has been known for many years: MS-CHAP v2 uses a strangely convoluted combination of three DES operations. This combination can reliably be cracked by trying out all 256 possible DES keys – no matter how complex the password is. A specially developed server can finish this task in less than a day using FPGAs.

Once a PPTP log-in process has been recorded using a network sniffer, the chapcrack open source tool can extract the required tokens, and the key can be cracked for $200 by CloudCracker; this key can then be used to decrypt all the network traffic. The same is also true for corporate Wi-Fi networks that are encrypted with WPA2 and MS-CHAP2. Their MS-CHAPv2 challenge-and-response traffic can be intercepted with FreeRADIUS-WPE and then fed to chapcrack as before.

Two basic strategies can provide more security: either the MS-CHAP authentication traffic is given its own, separately encrypted tunnel – Microsoft recommends the Protected Extensible Authentication Protocol (PEAP) for this purpose – or the system is migrated to a secure VPN technology. Microsoft’s suggested alternatives include L2TP/IPSec, IPSec with IKEv2 and SSTP. The OpenVPN open source protocol is not listed in the recommendation.

Permanent link to this article:

Aug 22

Multi-platform spyware penetrates smartphones and VMs

In late July, virus researchers discovered a trojan going by the names Crisis and Morcut that uses a number of techniques to spy on Windows and Mac OS X users. It installs a backdoor in the system and then uses rootkit functionality to conceal itself from the system. Crisis includes a wide range of espionage tools, allowing it to perform functions such as eavesdropping on Skype calls, keylogging and tapping into webcams.

Anti-virus company Symantec has now discovered that, when running under Windows, the malware has a number of other interesting tricks up its sleeve. Crisis searches for VMware images and infects them with a copy of itself. It also uses the Remote Application Programming Interface (RAPI) to install modules on any devices running Windows Mobile (the forerunner to Microsoft’s current Windows Phone operating system). What exactly these modules do there is not yet clear – Symantec’s virus lab has not managed to get hold of them.

With the help of a little social engineering, the malware appears to be being spread via a Java file named AdobeFlashPlayer.jar, which is signed using a self-signed VeriSign certificate. If a user opens the file and chooses to ignore the error message generated by the self-signed certificate, separate payloads for Windows or Mac OS X are executed depending on the operating system on which the file is opened.

It is notable that this piece of spyware has not yet been observed in the wild by any of the major anti-virus software companies. Samples were uploaded to anti-virus service VirusTotal, which passed them on to the virus labs. Its limited distribution suggests that Crisis is being used for targeted attacks, along the lines of those carried out using commercial trojan toolkit FinSpy, sold by Finfisher. According Russian AV company Dr Web, this is the latest specimen of Italian company HackingTeam’s Remote Control System, also known as Da Vinci.

The company sells its spyware as a “hacking suite for governmental interception” and, among other things, its product brochure promises the ability to eavesdrop on Skype calls. As well as Windows and Mac OS X, Da Vinci also supports iOS, Android, Blackberry, Symbian and Linux. Close inspection of the screenshots in the brochure suggests that Da Vinci also appears to be able to divulge the current location of the person under surveillance.

Permanent link to this article:

Page 30 of 53« First...1020...27282930313233...4050...Last »