MVEL as an attack vector

Java-based expression languages provide significant flexibility when used in middleware products such as a Business Rules Management System (BRMS). This flexibility comes at a price, as there are significant security concerns in their use. In this article MVEL, as used in JBoss BRMS, is taken to demonstrate some of the problems. Other products might be exposed to the same risk.

MVEL is an expression language, mostly used for making basic logic available in application-specific languages and configuration files, such as XML. It’s not intended for serious object-oriented programming, just simple expressions such as “data.value == 1”. On the surface it doesn’t look like something inherently dangerous.

JBoss BRMS is a middleware product designed to implement business rules. The open source counterpart of JBoss BRMS is called Drools. The product is intended to allow businesses (especially financial ones) to implement the decision logic used in their organization’s operations. The product contains a rules repository, an execution engine, and some authoring tools. The business rules themselves are written in the Drools rule language. An interesting approach has been chosen for the implementation of that language: it is compiled into MVEL for execution, and it allows the use of MVEL expressions directly wherever expressions are applicable.

There is, however, an implementation detail that makes MVEL usage in middleware products a security concern. MVEL is compiled into plain Java and, as such, allows access to any Java objects and methods that are available to the hosting application. It was initially intended as an expression language that allowed simple programmatic expressions in otherwise non-programmatic configuration files, so this was never a concern: configuration files are usually editable only by the site admins anyway, so from a security perspective adding an expression to a config file is not much different from adding a call in a Java class of an application and deploying it. The same was true for BRMS up to version 5: any Drools rule would be deployed as a separate file in the repository, so any code in Drools rules could only be deployed by authorized personnel, usually as part of the company workflow following code review and other such procedures.

This changed in BRMS (and BPMS) 6. A new WYSIWYG tool was introduced that allowed constructing rules graphically in a browser session and testing them right away, so any person with rule authoring permissions (a role known as “analyst” rather than “admin”) would be able to do this. Drools rules allow writing arbitrary MVEL expressions, which in turn allow calls to any Java class deployed on the application server without restriction, including the system ones. This means an analyst would be able to write System.exit() in a rule, and testing this rule would shut down the server! Basically, the graphical rule editor allowed authenticated arbitrary code execution for non-admin users.

A similar problem existed in JBoss Fuse Service Works 6. While the Drools engine that ships with it does not come with any graphical tool to author rules, so the rules must be deployed on the server as before, it comes with the RTGov component, which has some MVEL interfaces exposed. Sending an RTGov request with an MVEL expression in it would again allow authenticated arbitrary code execution for any user with RTGov permissions.

This behaviour was caught early in the development cycle for BxMS/FSW version 6, and a fix was implemented. The fix involves running the application server with the Java Security Manager (JSM) turned on, and adding extra configuration files with MVEL-only security policies. With the fix applied, only a limited set of Java classes, those safe for use in legitimate Drools rules and RTGov interfaces, could be used inside MVEL expressions, and the specific RCE vulnerability was considered solved.
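As an added illustration of the mechanism behind that fix (this is not BRMS or RTGov code; the GuardedMvelEval and RuleSandbox classes, the deny-list it enforces and the sample fact are assumptions), the following Java program evaluates MVEL expressions with a Security Manager installed, so that the kind of call described above is refused instead of reaching the JVM. It assumes the org.mvel:mvel2 library on the classpath and Java 8 to 17 semantics; from Java 18 the JVM must be started with -Djava.security.manager=allow, and newer JDKs have removed the Security Manager altogether.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.util.HashMap;
import java.util.Map;
import org.mvel2.MVEL;

/* Added illustration, not product code: run an analyst-supplied MVEL
 * expression under a Security Manager. The product fix went further and
 * used an allow-list of classes in dedicated policy files; the simple
 * deny-list below only shows why the Security Manager is the hook. */
public class GuardedMvelEval {

    /* Hypothetical manager: refuses the permissions behind System.exit,
     * Runtime.exec, file writes and disabling the manager itself, and
     * allows everything else so MVEL's own reflection keeps working. */
    static final class RuleSandbox extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            String name = perm.getName();
            if (perm instanceof RuntimePermission
                    && (name.startsWith("exitVM") || name.equals("setSecurityManager"))) {
                throw new SecurityException("rule sandbox: " + name + " is not allowed");
            }
            if (perm instanceof FilePermission) {
                String actions = perm.getActions();
                if (actions.contains("write") || actions.contains("delete")
                        || actions.contains("execute")) {
                    throw new SecurityException("rule sandbox: " + actions + " on " + name);
                }
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /* MVEL may wrap the SecurityException in its own RuntimeException,
     * so walk the cause chain to find out whether the sandbox fired. */
    static SecurityException blockedBy(RuntimeException e) {
        for (Throwable t = e; t != null; t = t.getCause()) {
            if (t instanceof SecurityException) {
                return (SecurityException) t;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Installed once and never removed, as an app server under JSM would do.
        System.setSecurityManager(new RuleSandbox());

        Map<String, Object> facts = new HashMap<>();
        facts.put("amount", 1500);   // constructed sample fact

        // A legitimate rule condition still evaluates normally (prints true).
        System.out.println("amount > 1000 -> " + MVEL.eval("amount > 1000", facts));

        // The call the article warns about now fails instead of stopping the JVM.
        try {
            MVEL.eval("System.exit(0)", facts);
            System.out.println("not reached: the expression was not blocked");
        } catch (RuntimeException e) {
            SecurityException blocked = blockedBy(e);
            System.out.println(blocked != null
                    ? "refused: " + blocked.getMessage()
                    : "other failure: " + e);
        }
    }
}
```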

Further problems arose when the products went into testing with the fix applied and regressions were run. It was discovered that making the JSM-enabled fix the default setup for production servers was not a good idea, as it caused the servers to run slow. Very slow. Resource consumption was excessive and performance suffered dramatically. It became obvious that making the MVEL/JSM fix the default for high-performance production environments was not an option.

A solution was found after considerable consultation between Development, QE and Project Management. The following proposals were made for any company running BRMS:

  • When deploying BRMS/BPMS on a high-performance production server, it is suggested to disable JSM, but at the same time not to allow any “analyst”-role users to use these systems for rule development. It is recommended to use these servers for running rules and applications developed elsewhere, achieving maximum performance while eliminating the vulnerability by removing the whole attack vector: rule development is disallowed altogether.
  • When BRMS is deployed on development servers used by rule developers and analysts, it is suggested to run these servers with JSM enabled. Since these are not production servers, they do not require mission-critical performance in processing real-time customer data; they are only used for application and rule development. As such, a small sacrifice in performance on a non-mission-critical server is a fair trade-off for a tighter security model.
  • The toughest situation arises when a server is deployed in a “BRMS-as-a-service” configuration, in other words when rule development is exposed to customers over the Web (even through a VPN-protected extranet). In this case no other choice is available but to enable complete JSM protection and accept all the consequences of the performance hit. Without it, any customer with minimal “rule writing and testing” privileges can completely take over the server (and any other co-hosted customers’ data as well), a very undesirable result.

Similar solutions are recommended for FSW. Since only RTGov exposes the weakness, it is recommended to run RTGov as a separate server with JSM enabled. For high-performance production servers, it is recommended not to install or enable the RTGov component; this eliminates the MVEL-based attack vector and makes it possible to run them without JSM at full speed.

Other approaches are being considered by the development team for a new implementation of the MVEL fix in future BRMS versions. One such idea was to run a dedicated MVEL-only app server under JSM, separate from the main app server that runs all other parts of the applications, but other proposals were discussed as well. Stay tuned for more information once the decisions are made.

USN-2677-1: Oxide vulnerabilities

Ubuntu Security Notice USN-2677-1

4th August, 2015

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 15.04
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

  • oxide-qt
    – Web browser engine library for Qt (QML plugin)

Details

An uninitialized value issue was discovered in ICU. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service. (CVE-2015-1270)

A use-after-free was discovered in the GPU process implementation in
Chromium. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1272)

A use-after-free was discovered in the IndexedDB implementation in
Chromium. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1276)

A use-after-free was discovered in the accessibility implementation in
Chromium. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via application crash, or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1277)

A memory corruption issue was discovered in Skia. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via renderer crash, or execute
arbitrary code with the privileges of the sandboxed render process.
(CVE-2015-1280)

It was discovered that Blink did not properly determine the V8 context of
a microtask in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this to
bypass Content Security Policy (CSP) restrictions. (CVE-2015-1281)

Multiple integer overflows were discovered in Expat. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code with the privileges of the user invoking
the program. (CVE-2015-1283)

It was discovered that Blink did not enforce a page’s maximum number of
frames in some circumstances, resulting in a use-after-free. If a user
were tricked into opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via renderer crash,
or execute arbitrary code with the privileges of the sandboxed render
process. (CVE-2015-1284)

It was discovered that the XSS auditor in Blink did not properly choose a
truncation point. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to obtain sensitive
information. (CVE-2015-1285)

An issue was discovered in the CSS implementation in Blink. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit this to bypass same-origin restrictions.
(CVE-2015-1287)

Multiple security issues were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1289)

A use-after-free was discovered in oxide::qt::URLRequestDelegatedJob in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code with
the privileges of the user invoking the program. (CVE-2015-1329)

A crash was discovered in the regular expression implementation in V8 in
some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to cause a
denial of service. (CVE-2015-5605)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 15.04:
  liboxideqtcore0  1.8.4-0ubuntu0.15.04.1

Ubuntu 14.04 LTS:
  liboxideqtcore0  1.8.4-0ubuntu0.14.04.2

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1270, CVE-2015-1272, CVE-2015-1276, CVE-2015-1277, CVE-2015-1280,
CVE-2015-1281, CVE-2015-1283, CVE-2015-1284, CVE-2015-1285, CVE-2015-1287,
CVE-2015-1289, CVE-2015-1329, CVE-2015-5605, LP: 1466208

Thunderstrike 2 – the first virus for Mac

It seemed like this moment would never come, and many times we were assured that there was no threat of a virus for Mac users… but Thunderstrike 2 has arrived and swiftly refuted those claims.

This worm was designed by two IT security experts, Xeno Kovah and Trammell Hudson, after noticing a security breach a few months ago. As reported in Wired, they found that various known weaknesses affecting the firmware of all the main PC manufacturers could also be used against Macs.

The infection can be transmitted through email phishing, by USB or via an Ethernet port, without being detected.

According to its creators, this is how Thunderstrike 2 works:

The post Thunderstrike 2 – the first virus for Mac appeared first on MediaCenter Panda Security.

AVG Announces Second Quarter 2015 Financial Results

AMSTERDAM, August 5, 2015 /PRNewswire/ – AVG Technologies N.V. (NYSE: AVG), the provider of Internet and mobile security, privacy and optimization to more than 200 million active users, today reported results for the second quarter ended June 30, 2015.


Second quarter 2015 highlights

  • Revenue grew 23 percent over the same period last year to $107.8 million
  • Subscription-based revenue continued to accelerate, growing 29 percent over the same period last year and comprising 81 percent of total revenue
  • Mobile revenue increased 10x when compared to same period last year
  • Security and privacy portfolio expanded through the acquisition of Privax, a leading provider of desktop and mobile services for consumers


“The record revenue we are reporting today marks the 4th quarter of consistent sequential growth since we launched a major repositioning of the company at the end of 2013,” said Gary Kovacs, chief executive officer of AVG. “Further, it demonstrates that our strategy is working, as we optimize our core businesses and invest in consumer, mobile and SMB to satisfy the growing and broadening demand for simple, integrated solutions to deliver online security. We continue to execute well and I am particularly pleased to see that mobile revenue has grown 10 times compared to the same period last year. Increases in subscription-based revenue across all our solutions, including mobile, drove topline growth, setting us up nicely for the future.”


Second quarter 2015 financial results

Revenue for the second quarter of 2015 was $107.8 million, compared with $88.0 million in the second quarter of 2014, an increase of 23% compared to the prior year. Non-GAAP net income for the second quarter was $24.6 million, or $0.47 per diluted ordinary share. This compares with non-GAAP adjusted net income of $24.7 million, or $0.47 per diluted ordinary share for the same period of the prior year.(1) GAAP net income for the second quarter was $8.5 million, or $0.15 per diluted ordinary share. This compares with net income of $13.7 million, or $0.26 per diluted ordinary share in the prior year’s second quarter.


Operating income was $13.8 million, compared with $20.4 million for the second quarter of 2014. Operating cash flow was $15.5 million for the quarter, compared with $22.3 million for the second quarter last year. Non-GAAP free cash flow was $11.8 million for the quarter, compared with $19.1 million for the same period in the prior year. The decline in free cash flow was primarily driven by an additional $6 million in interest paid associated with strategic acquisitions and a $2 million increase in taxes paid.

(1) Non-GAAP results for the second quarter of 2015 exclude $3.7 million in share based compensation expense, $7.2 million in acquisition amortization and $0.1 million in charges associated with litigation settlements, $2.3 million in acquisition-related charges, $0.5 million in charges related to the unwinding of discounts and changes in fair value and $0.6 million in charges associated with the rationalization of the Company’s global operations, and $2.9 million in charges associated with the Company’s reassessment of the useful life of internally developed software, as described in the Reconciliation of GAAP measures to non-GAAP measures.


Financial Outlook

Based on information available as of August 5, 2015, AVG is maintaining the following outlook for fiscal year 2015:

  • Revenue is expected to be in the range of $420 million to $440 million.
  • Non-GAAP adjusted net income is expected to be in the range of $94.2 million to $99.2 million; non-GAAP adjusted net income per diluted ordinary share is expected to be in the range of $1.80 to $1.90.
  • GAAP net income is expected to be in the range of $48.9 million to $53.9 million; GAAP net income per diluted ordinary share is expected to be in the range of $0.93 to $1.03.


AVG’s expectation of non-GAAP adjusted net income for fiscal year 2015 excludes share-based compensation expense, acquisition amortization and certain other adjustments, and assumes a normalized tax rate of 12.5%.  For the purpose of calculating GAAP net income per diluted ordinary share and non-GAAP net income per diluted ordinary share, the Company assumes approximately 53 million weighted-average diluted ordinary shares outstanding for the full year.


The financial information presented in this press release is neither audited nor reviewed.


Conference Call Information

AVG will hold its quarterly conference call today at 5:00 p.m. ET/2:00 p.m. PT/11 PM CET to discuss its second quarter 2015 financial results, business highlights and outlook.  The conference call may be accessed via webcast at http://investors.avg.com or using the following phone numbers and conference ID: +1 913 312 6668 (USA and Canada); +44 20 8150 0795 (UK); Conference ID: 7703757.


Live and replay versions of the webcast can be accessed via http://investors.avg.com.


Use of Non-GAAP Financial Information

This press release contains supplemental non-GAAP financial measures that are not calculated in accordance with U.S. GAAP.  These non-GAAP measures provide additional information on the performance or liquidity of our business that we believe are useful for investors.


Adjusted net income, free cash flow and their related ratios are non-GAAP measures and should not be considered alternatives to the applicable U.S. GAAP measures.  In particular, adjusted net income and free cash flow, and their related ratios, should not be considered as measurements of our financial performance or liquidity under U.S. GAAP, as alternatives to income, operating income or any other performance measures derived in accordance with U.S. GAAP or as alternatives to cash flow from operating activities as a measure of our liquidity.


Adjusted net income and free cash flow are measures of financial performance and liquidity, respectively, and have limitations as analytical tools, and should not be considered in isolation from, or as substitutes for, analysis of our results of operations, including our operating income and cash flows, as reported under U.S. GAAP. We provide these non-GAAP financial measures because we believe that such measures provide important supplemental information to management and investors about the Company’s core operating results and liquidity, primarily because the non-GAAP financial measures exclude certain expenses and other amounts that management does not consider to be indicative of the Company’s core operating results or business outlook or liquidity. Management uses these non-GAAP financial measures, in addition to the corresponding U.S. GAAP financial measures, in evaluating the Company’s operating performance, in planning and forecasting future periods, in making decisions regarding business operations and allocation of resources, and in comparing the Company’s performance against its historical performance. Some of the limitations of adjusted net income and free cash flow and their related ratios as measures are:


  • they do not reflect our cash expenditure or future requirements for capital expenditure or contractual commitments, nor do they reflect the actual cash contributions received from customers;
  • they do not reflect changes in, or cash requirements for, our working capital needs;
  • although amortization and share-based compensation are non-cash charges, the assets being amortized will often have to be replaced in the future and such measures do not reflect any cash requirements for such replacements; and
  • other companies in our industry may calculate these measures differently than we do, limiting their usefulness as comparative measures.


Because of these limitations, investors should rely on AVG’s consolidated financial statements prepared in accordance with U.S. GAAP and treat the Company’s non-GAAP financial measures as supplemental information only.


For a reconciliation of these non-GAAP financial measures to the most directly comparable financial measures prepared in accordance with U.S. GAAP, please see “Reconciliation of GAAP to non-GAAP financial measures.”  All non-GAAP financial measures should be read in conjunction with the comparable information presented in accordance with U.S. GAAP.


Forward-Looking Statements

This press release contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995, including those relating to an expected range of revenue, net income, EPS, non-GAAP adjusted net income and non-GAAP EPS for the fiscal year ending December 31, 2015 and/or future periods, as well as those relating to the future prospects of AVG. Words such as “expects,” “expectation,” “intends,” “assumes,” “believes” and “estimates,” variations of such words and similar expressions are also intended to identify forward-looking statements. These forward-looking statements involve risks and uncertainties that could cause actual results to differ materially from those contemplated herein. Factors that could cause or contribute to such differences include but are not limited to: changes in our growth strategies; changes in our future prospects, business development, results of operations and financial condition; the anticipated costs and benefits of our other acquisitions; our ability to remediate the material weaknesses and other deficiencies identified in our internal controls or IT systems; our ability to comply with our credit agreements; changes to the online and computer threat environment and the endpoint security industry; competition from local and international companies, new entrants in the market and changes to the competitive landscape; the adoption of new, or changes to existing, laws and regulations; changes in international or national tax regulations and related proposals; the assumptions underlying the calculation of our key metrics, including the number of our active users, mobile users, revenue per average active user, subscription revenue per subscriber and platform-derived revenue per thousand searches; potential effects of changes in the applicable search guidelines of our search partners; the status of, or changes to, our relationships with our partners, including Yahoo!, Google and other third parties; changes in our and our partners’ responses to privacy concerns; our ability to successfully exit the third party search distribution business; our plans to launch new products and online services and monetize our full user base; the performance of our products, including AVG Zen; our ability to attract and retain active and subscription users; our ability to retain key personnel and attract new talent; our ability to adequately protect our intellectual property; our geographic expansion plans; the outcome of ongoing or any future litigation or arbitration, including litigation or arbitration relating to intellectual property rights; our legal and regulatory compliance efforts, including with respect to PCI compliance; and worldwide economic conditions and their impact on demand for our products and services. Given these risks and uncertainties, you should not place undue reliance on these forward-looking statements.


Further information on these factors and other risks that may affect the Company’s business is included in filings AVG makes with the U.S. Securities and Exchange Commission (SEC) from time to time, including its Annual Report on Form 20-F, particularly under the heading “Risk Factors”.


The financial information contained in this press release should be read in conjunction with the consolidated financial statements and notes thereto to be included in the Company’s reports on Form 6-K and Form 20-F.  The Company’s results of operations for the second quarter, ended June 30, 2015 are not necessarily indicative of the Company’s operating results for any future periods.


These documents are available online from the SEC or in the Investor Relations section of the Company’s website at http://investors.avg.com.  Information on the AVG website is not part of this release.  All forward-looking statements in this press release are based on information currently available to the Company, and AVG assumes no obligation to update these forward-looking statements in light of new information or future events.


About AVG

AVG is the online security company providing leading software and services to secure devices, data and people. AVG’s award-winning technology is delivered to over 200 million monthly active users worldwide. AVG’s Consumer portfolio includes internet security, performance optimization, and personal privacy and identity protection for mobile devices and desktops. The AVG Business portfolio – delivered by managed service providers, VARs and resellers – offers IT administration, control and reporting, integrated security, and mobile device management that simplify and protect businesses.

All trademarks are the property of their respective owners.

CVE-2015-3439 (wordpress)

Cross-site scripting (XSS) vulnerability in the Ephox (formerly Moxiecode) plupload.flash.swf shim 2.1.2 in Plupload, as used in WordPress 3.9.x, 4.0.x, and 4.1.x before 4.1.2 and other products, allows remote attackers to execute same-origin JavaScript functions via the target parameter, as demonstrated by executing a certain click function, related to _init.as and _fireEvent.as.