USN-2702-2: Ubufox update

Ubuntu Security Notice USN-2702-2

11th August, 2015

ubufox update

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

This update provides compatible packages for Firefox 40.

Software description

  • ubufox
    – Ubuntu modifications for Firefox

Details

USN-2702-1 fixed vulnerabilities in Firefox. This update provides the
corresponding updates for Ubufox.

Original advisory details:

Gary Kwong, Christian Holler, Byron Campen, Tyson Smith, Bobby Holley,
Chris Coulson, and Eric Rahm discovered multiple memory safety issues in
Firefox. If a user were tricked into opening a specially crafted website,
an attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges of
the user invoking Firefox. (CVE-2015-4473, CVE-2015-4474)

Aki Helin discovered an out-of-bounds read when playing malformed MP3
content in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this to
obtain sensitive information, cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-4475)

A use-after-free was discovered during MediaStream playback in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash or execute arbitrary code with the
privileges of the user invoking Firefox. (CVE-2015-4477)

André Bargull discovered that non-configurable properties on JavaScript
objects could be redefined when parsing JSON. If a user were tricked into
opening a specially crafted website, an attacker could potentially exploit
this to bypass same-origin restrictions. (CVE-2015-4478)

Multiple integer overflows were discovered in libstagefright. If a user
were tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493)

Jukka Jylänki discovered a crash that occurs because JavaScript does not
properly gate access to Atomics or SharedArrayBuffers in some
circumstances. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service. (CVE-2015-4484)

Abhishek Arya discovered 2 buffer overflows in libvpx when decoding
malformed WebM content in some circumstances. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit these to cause a denial of service via application crash, or
execute arbitrary code with the privileges of the user invoking Firefox.
(CVE-2015-4485, CVE-2015-4486)

Ronald Crane reported 3 security issues. If a user were tricked into
opening a specially crafted website, an attacker could potentially
exploit these, in combination with another security vulnerability, to
cause a denial of service via application crash, or execute arbitrary
code with the privileges of the user invoking Firefox. (CVE-2015-4487,
CVE-2015-4488, CVE-2015-4489)

Christoph Kerschbaumer discovered an issue with Mozilla’s implementation
of Content Security Policy (CSP), which could allow for a more permissive
usage in some circumstances. An attacker could potentially exploit this
to conduct cross-site scripting (XSS) attacks. (CVE-2015-4490)

Gustavo Grieco discovered a heap overflow in gdk-pixbuf. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
Firefox. (CVE-2015-4491)

Looben Yang discovered a use-after-free when using XMLHttpRequest with
shared workers in some circumstances. If a user were tricked into opening
a specially crafted website, an attacker could potentially exploit this to
cause a denial of service via application crash or execute arbitrary code
with the privileges of the user invoking Firefox. (CVE-2015-4492)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  xul-ext-ubufox    3.1-0ubuntu0.15.04.1

Ubuntu 14.04 LTS:
  xul-ext-ubufox    3.1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  xul-ext-ubufox    3.1-0ubuntu0.12.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Firefox to make
all the necessary changes.

References

LP: 1483858

CEEA-2015:1600 CentOS 6 mac80211_dup EnhancementUpdate

CentOS Errata and Enhancement Advisory 2015:1600

Upstream details at: https://rhn.redhat.com/errata/RHEA-2015-1600.html

The following updated files have been uploaded and are currently
syncing to the mirrors: (sha256sum Filename)

i386:
d49f85c2013498475e53ac5270c7e582e603eb4ed4d653946aa0143126e8c610  kmod-mac80211_dup-0.1_rh1-1.el6_6.i686.rpm

x86_64:
3285e98c5797bef7fc06d20850fc7f3766d2fdec0348a95085d8780794fb3c7d  kmod-mac80211_dup-0.1_rh1-1.el6_6.x86_64.rpm

Source:
07fdfe64fab5291f1bd3d79ed1a9019670364fb4bdd43d9c2184054fa5a8ab89  mac80211_dup-0.1_rh1-1.el6_6.src.rpm



CEEA-2015:1600 CentOS 6 cfg80211_dup EnhancementUpdate

CentOS Errata and Enhancement Advisory 2015:1600

Upstream details at: https://rhn.redhat.com/errata/RHEA-2015-1600.html

The following updated files have been uploaded and are currently
syncing to the mirrors: (sha256sum Filename)

i386:
6901cdee5ee315b81904f3883eff2aad14b0da4533097c566816e97ae64e8773  kmod-cfg80211_dup-0.1_rh1-1.el6_6.i686.rpm

x86_64:
067549365623676b6b63b781a43203fa24ff9e50f134f1ffce7bdeeb8ec048f7  kmod-cfg80211_dup-0.1_rh1-1.el6_6.x86_64.rpm

Source:
6043001ba4f5d6b8ebf4629495b7b2a5aff150800c8642190f52c1715d1d1e06  cfg80211_dup-0.1_rh1-1.el6_6.src.rpm



CEEA-2015:1600 CentOS 6 iwlwifi_dup EnhancementUpdate

CentOS Errata and Enhancement Advisory 2015:1600

Upstream details at: https://rhn.redhat.com/errata/RHEA-2015-1600.html

The following updated files have been uploaded and are currently
syncing to the mirrors: (sha256sum Filename)

i386:
c3d93d0fd54c593609e5993911c7823941600cb620758117f49dcb454aa75ed5  kmod-iwlwifi_dup-0.1_rh1-1.el6_6.i686.rpm
e444efaf101ddcb1fc26eb28646420fa26f42b41466f811cf889db718420c12c  kmod-iwlwifi_dup-firmware-0.1_rh1-1.el6_6.i686.rpm

x86_64:
bf0db204c599967070d41209240eea643e2e03131f730be92a79db20a76b2b1d  kmod-iwlwifi_dup-0.1_rh1-1.el6_6.x86_64.rpm
e03a1f36e1a367558bc59ba7e0072dc0dc919b23ac761d456827489446aa4fc6  kmod-iwlwifi_dup-firmware-0.1_rh1-1.el6_6.x86_64.rpm

Source:
c2d2378c6fc32cf978c3597fd5c2d3f87fffffde0eb305685e7423eae643a337  iwlwifi_dup-0.1_rh1-1.el6_6.src.rpm
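The checksum lines in these notices use the two-column layout `sha256sum` itself emits (hash, two spaces, filename), which is what lets an administrator confirm that the RPMs fetched from a mirror are the ones the project published before installing them. The script below is an added example, not part of the CentOS notices or any CentOS tooling: it parses lines in that layout and checks a download directory, reporting every listed file as ok, mismatched or missing. The embedded errata lines are copied from the mac80211_dup notice above; the two sample `.rpm` files are constructed in a temporary directory for the demonstration, and the real packages are not downloaded, so they come back as missing.

```python
"""Verify downloaded files against 'sha256  filename' lines from an errata notice (added example)."""
import hashlib
import hmac
import os
import re
import tempfile

# Checksum lines copied from the CEEA-2015:1600 mac80211_dup notice (x86_64 and source).
ERRATA_TEXT = """
x86_64:
3285e98c5797bef7fc06d20850fc7f3766d2fdec0348a95085d8780794fb3c7d  kmod-mac80211_dup-0.1_rh1-1.el6_6.x86_64.rpm

Source:
07fdfe64fab5291f1bd3d79ed1a9019670364fb4bdd43d9c2184054fa5a8ab89  mac80211_dup-0.1_rh1-1.el6_6.src.rpm
"""

# A 64-hex-digit SHA-256 followed by whitespace and a filename; arch headers do not match.
CHECKSUM_LINE = re.compile(r"^([0-9a-f]{64})\s+(\S+)$")


def parse_manifest(text):
    """Return {filename: expected_sha256} for every checksum line in the notice text."""
    manifest = {}
    for line in text.splitlines():
        match = CHECKSUM_LINE.match(line.strip())
        if match:
            manifest[match.group(2)] = match.group(1)
    return manifest


def sha256_of(path):
    """Stream the file so large RPMs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(manifest, directory):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every file named in the manifest."""
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(sha256_of(path), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed demonstration: one intact sample file, one altered one, plus the real errata lines."""
    with tempfile.TemporaryDirectory() as directory:
        good = b"constructed sample rpm bytes"
        with open(os.path.join(directory, "good.rpm"), "wb") as handle:
            handle.write(good)
        with open(os.path.join(directory, "tampered.rpm"), "wb") as handle:
            handle.write(good + b"!")  # one extra byte changes the digest
        manifest = {
            "good.rpm": hashlib.sha256(good).hexdigest(),
            "tampered.rpm": hashlib.sha256(good).hexdigest(),  # expected hash is of the intact file
        }
        manifest.update(parse_manifest(ERRATA_TEXT))  # real RPMs are not present locally
        return verify(manifest, directory)


if __name__ == "__main__":
    for filename, status in sorted(demo().items()):
        print(f"{status:9} {filename}")
```

On a real download directory, `sha256sum -c` fed the same lines performs the equivalent check; the scripted form is useful where a mismatch or a missing file should fail an update pipeline rather than appear as one line of terminal output.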



Creating Smart Homes for Today – and Tomorrow

Need some help imagining what a smart connected home could look like? American retail giant Target recently installed and opened its own version in downtown San Francisco’s Metreon center. The 3,500-square-foot model home is a transparent acrylic house, its rooms decorated with acrylic furniture and outfitted with the latest smart connected home products. Target’s “Open House”, as the installation and its accompanying store are called, offers both consumers and the curious a way to view and experience smart living.

Interestingly enough, you can’t really call the installation a “home of the future”, because all of the products on display, with the exception of one, are available today!

Walking through the rooms, guests experience vignettes that demonstrate the ways these multiple smart connected devices can work together to create helpful real-life solutions today. Here are a few sample scenarios:

  • The baby wakes up early crying in the nursery: The Mimo baby monitor ($199.99) alerts your phone and soothing music automatically begins piping in from Sonos speakers until you can get there. Soft Hue lights ($199.99 three-pack) gently go on. The Nest Cam ($199) gives you a good view of Junior in distress. The Nest thermostat adjusts for the morning temp. Meanwhile Wemo turns off the humidifier and turns on your coffee pot in the kitchen.
  • In the kitchen: Coffee Smart Optimal Brew ($149.99) is ready and you prepare for a long day by putting on a CrockPot Smart Slow Cooker ($129.99) meal that you can monitor from the office. Your Drop app and kitchen scale ($99.95) gives you the recipe and measures the exact ingredients needed. Meanwhile, your Petnet ($149.99) pet feeder is set to automatically feed the dog just the right amount of food for lunch.
  • In the master bedroom that evening: After weighing in and taking your blood pressure with Withings devices, you’re ready for sleep. Your Jawbone Up3 ($149.99) wearable, after monitoring your activity all day, is now ready to track your ZZZs. Once the Hue lights go off, August Smart Lock ($249.99) automatically locks up. All is well… until a midnight storm rolls through and Quirky alerts you to a leak in the garage…

Most of us are familiar with Nest, which is one of 50 vendors on display. But it is truly pretty amazing to see just how many other smart products are out there – and capable of working together to provide useful solutions in the home today.

Still, the smart home of today is pretty much in the domain of early adopters. While this is changing, for most of us (even in Silicon Valley) it is happening one device at a time. This was reinforced at a recent panel discussion on “The Connected & Smart Home: What It Can Be and How Will We Get There” hosted by the Churchill Club in San Jose, California.

Target Smart Home

So, Target’s idea is really a smart one (no pun intended), because the model helps to demystify connected home products and inspire guests just like me to explore the world of connected home living. Target says it also plans to learn from Open House. Both Target and its partners are getting real-time feedback from the real consumers interacting with their products.

To be sure, there is still a lot that needs to be figured out about the future of the smart connected home by the industry and consumers alike. The industry vision is that all our smart connected devices (where that makes sense) can be controlled remotely, easily talk to each other (in industry speak, “are interoperable”), and provide data that can be analyzed, acted upon and protected, for the betterment of our lives.

That there is a lot of work to be done, particularly on interoperability and the data analysis and security front, was also reinforced by the Churchill Club panel that featured some of the top experts in the field from Nest, Intel, Qualcomm, Forrester Research and Accenture.

Today, security is a chief concern to people adopting smart home technology. That’s security as in “home security.” But as we all see more smart connected devices coming into our homes and realize that the data is flowing not only within our homes but outside of them, data security is only going to become increasingly important to all of us.

Target’s Open House underscores just how fast the future is coming and the need to be ready for it. Hopefully, this will not only be a great starting point to get more consumers interested in the concept of the smart home, but will also get them engaged and thinking ahead about the need to secure all that data being generated in our smart connected homes now and in the future.

Understanding tech companies’ privacy policies and their effect on users

Tech companies’ privacy policies have the ability to help or hinder users.

When was the last time you sat down and read through the entirety of a tech company’s privacy policy, even if you visit the site every day?

In an article recently published by TIME in collaboration with the Center for Plain Language, a selection of the world’s leading and regularly visited tech websites were ranked in a list in relation to their privacy policies. In short, they rated the companies based on the manner in which they communicated with the public while walking them through their privacy policies. In this case, it wasn’t the actual data that these companies collect from current and potential new users that was being analyzed. Instead, this study looked at the way in which that information is brought to the attention of these users.

When picking apart a company’s policy, it’s important to think about how users can actually benefit from taking the time to read it. While that may sound obvious, we’ve all come across our fair share of unfortunate company pages (such as T&Cs, FAQs, or even About Us sections) that add up to a bunch of unintelligible language that we ultimately digest as gibberish. Regarding the level of clarity in a company’s policy, TIME writes:

Does the policy, for instance, make it easy for people to limit the ways in which the company collects their personal information? Or are instructions about opting out obscured in the policy’s hinterlands with no hyperlinks?

In addition to Google, within the list are three social media platforms that many of us use on a regular (if not daily) basis: Facebook, LinkedIn and Twitter. When taking a closer look at these four websites’ policies, it becomes clear that they approach the issue of individuals’ privacy and personal information in very different ways:

1. Google: Unsurprisingly, Google does a great job of spelling out their policies using language that users can easily understand – hence, it came in first place in this study. The Center for Plain Language concluded that by reading through Google’s privacy policy, users’ trust in the company can actually increase. Impressive, considering that most people’s trust in Google is already considerably high to begin with.

2. Facebook: While certain policies simply acknowledge that they store and analyze user information, Facebook’s “What kinds of information” section takes it a step further, breaking down each kind of interaction users have while using the site and clearly explaining which information is collected and stored while those interactions are being executed.

Photo via TIME

3. LinkedIn: Coming in at number three on the Center’s list, LinkedIn is an example of a company with a privacy policy that is mediocre in its clarity and messaging. However, LinkedIn does claim to have crafted “the policy to be as clear and straightforward as possible”, so the company’s third place rating could be a bit of a subjective judgement call.

Photo via TIME

4. Twitter: Jump down to the second to last place on the list, and that’s where you’ll find Twitter. In a series of long and hard-to-read paragraphs, users are left wondering what it was that they just read when trying to pick apart Twitter’s privacy policy. This social media channel is a good example of what not to write when attempting to be transparent with audience members.

This study goes to show that it’s not only privacy policies that are crucial – it’s also important to pay attention to the way in which these policies are written and shared with users. Users should always be able to feel that they understand how and why their personal information is stored, analyzed, and/or shared on websites that they frequently use. Read the full report from the Center for Plain Language for a complete privacy policy analysis.
