OneLogin confirmed this week an attacker took advantage of a bug in its system and was able to view sensitive notes, thought to be secure, posted by users.
Tag Archives: bug
Major vulnerability found in GNU C Library
Security researchers have identified a serious vulnerability in an open-source library of code that is known as GNU C Library (glibc).
The post Major vulnerability found in GNU C Library appeared first on We Live Security.
Mozillas Bugzilla: Hacker Gained Access To Privileged Account
Bugzilla is the Mozilla bug database. Its purpose is to allow users to search for reported bugs and report new ones, according to its page. But what if it was compromised itself?
The post Mozillas Bugzilla: Hacker Gained Access To Privileged Account appeared first on Avira Blog.
Revolutionary Windows 95 turns 20
1995 was a landmark year for technology, the internet and home computing. We can thank Windows 95 for a lot of the perks we find ourselves with today.
The post Revolutionary Windows 95 turns 20 appeared first on We Live Security.
Patch now: Microsoft Emergency Fix
Yesterday Microsoft released an emergency security update for all of the supported Windows version (this means Windows 7, Windows 8/8.1, Windows RT and apparently even the unreleased Windows 10). The patch is supposed to fix an exploit that would allow hackers to access another computer easily. According to the company the flaw lies in the way the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts.
“An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft says in their security bulletin. “There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.“
Microsoft also says that while they had information that indicates that the issue was public there is no evidence that the vulnerability was used in any actual attack on customers.
The vulnerability itself was apparently found after going through loads of data from the Hacking Team email breach.
The post Patch now: Microsoft Emergency Fix appeared first on Avira Blog.
433,000 Ford cars to be recalled because of software bug – would you have preferred an internet update?
Cars which are capable of receiving instructions via the internet (such as software updates) are potentially more at risk of being hacked or meddled with than those which don’t.
The post 433,000 Ford cars to be recalled because of software bug – would you have preferred an internet update? appeared first on We Live Security.
“Unicode of Death†Crashes Your iPhone
The newly discovered security flaw on iOS crashes different messaging apps (like iMessage and your SMS app – basically all apps that use Apple’s CoreText library) on your iPhone and possibly your Apple watch when being sent a specific string of text. In addition to that it causes your mobile to reboot immediately. The bug was first reported on Reddit.com where some people were complaining about it.
According to TheRegister, this is what happens once your mobile receives the message containing the “Unicode of Death”, a string of text including Arabic characters and different symbols: “The bug causes CoreText to access memory that is invalid, which forces the operating system to kill off the currently running program: which could be your text message app, your terminal, or in the case of the notification screen, a core part of the OS.”
And sickestdancer98 from Reddit explains: “I can tell you it is due to how the banner notifications process the Unicode text. The banner briefly attempts to present the incoming text and then “gives up” thus the crash. On a jailbroken device, this ultimately leads to safe mode. However, on a stock iOS device, there is no safe mode hence the respring after the crash. That is why this only happens when you are not in the message because the banner is what truly crashes the entire system. Is this a possible vulnerability? Maybe. Has this been around already? Roughly since iOS 6. Can it be fixed/patched? That, my friends, is up to Apple. I hope I cleared things up a little bit if it did help in anyway, shape, or form.“
Apple is already working on fix which they’ll make available in an upcoming software update. Until then there are a couple of workarounds floating around online, one if them being to just turn off the lock screen notifications for now.
The post “Unicode of Death” Crashes Your iPhone appeared first on Avira Blog.
LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers
What it’s all about
The weaknesses that allow the so called LogJam Attack apparently have to do with how Diffie-Hellman key exchange has been deployed. Said key is a popular cryptographic algorithm that allows internet protocols to agree on a shared key and negotiate a secure connection. Since it is fundamental to many protocols like HTTPS, SSH, IPsec and SMTPS it is relatively wide spread: about 8.4% of the top one million websites and an even bigger part of servers using IPv4 are affected by LogJam.
“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections”, the team state.
According to the researchers LogJam can be used to downgrade connections to 80% of TLS DHE EXPORT servers. They also estimates that a skilled team can break a 768-bit prime and that – due to the available resources – a state-sponsored campaign could break the common 1024-bit prime.
This is especially scary since they estimate that a successful 1024-bit prime attack would allow for eavesdropping on up to 18% of the top one million HTTPS domains.
Their research paper goes even further: “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” How about that! It definitely opens up room for a lot of discussions.
As with FREAK, the vulnerability is actually quite old already. “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the released paper reads.
What you can do
Luckily the team has already been in touch with most of the browser developers which means that there are either already fixes available (namely for the Internet Explorer) or will be very very soon.
Make sure you have the most recent version of your web browser installed: Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack. If you run a web or mail server you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group.
More information on LogJam can be found on the dedicated page.
The post LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers appeared first on Avira Blog.
LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers
What it’s all about
The weaknesses that allow the so called LogJam Attack apparently have to do with how Diffie-Hellman key exchange has been deployed. Said key is a popular cryptographic algorithm that allows internet protocols to agree on a shared key and negotiate a secure connection. Since it is fundamental to many protocols like HTTPS, SSH, IPsec and SMTPS it is relatively wide spread: about 8.4% of the top one million websites and an even bigger part of servers using IPv4 are affected by LogJam.
“Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections”, the team state.
According to the researchers LogJam can be used to downgrade connections to 80% of TLS DHE EXPORT servers. They also estimates that a skilled team can break a 768-bit prime and that – due to the available resources – a state-sponsored campaign could break the common 1024-bit prime.
This is especially scary since they estimate that a successful 1024-bit prime attack would allow for eavesdropping on up to 18% of the top one million HTTPS domains.
Their research paper goes even further: “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?” How about that! It definitely opens up room for a lot of discussions.
As with FREAK, the vulnerability is actually quite old already. “To comply with 1990s-era U.S. export restrictions on cryptography, SSL 3.0 and TLS 1.0 supported reduced-strength DHE_EXPORT ciphersuites that were restricted to primes no longer than 512 bits”, the released paper reads.
What you can do
Luckily the team has already been in touch with most of the browser developers which means that there are either already fixes available (namely for the Internet Explorer) or will be very very soon.
Make sure you have the most recent version of your web browser installed: Google Chrome (including Android Browser), Mozilla Firefox, Microsoft Internet Explorer, and Apple Safari are all deploying fixes for the Logjam attack. If you run a web or mail server you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group.
More information on LogJam can be found on the dedicated page.
The post LogJam Vulnerability Threatens Thousands of HTTPS Websites & Mail Servers appeared first on Avira Blog.