|Wednesday, 25 August 2010, 10:14 am
Tags: Podcasts, show notes, sn
Live now: Security Now 263 with Steve Gibson, our 99th Q&A episode. Watch live at http://live.twit.tv, chat at http://irc.twit.tv, or comment here!
Adobe forced to release out-of-cycle updates after BlackHat & Defcon:
- The next quarterly update was not scheduled until October 12th, but this one couldn’t wait.
- Upgrade Adobe Reader to v9.3.4 for Windows/Mac/Unix
- Adobe Acrobat to v9.3.4 for Windows/Mac
- Adobe Reader & Acrobat to v8.2.4 (cross-platform).
Google Chrome: v5.0.375.127
- Fixes 10 vulnerabilities, two of which are considered critical and six of which are considered high risk. Google did not release any details about the vulnerabilities. It blocked public access to its bug-tracking database to prevent the flaws from being exploited before most people were upgraded to the latest version of the browser. One of the critical flaws could be exploited to cause memory corruption; the other could cause a crash on shutdown.
Apple: Security Update 2010-005
84 MB security update
- Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
- Description: A stack buffer overflow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking.
CFNetwork (Core Services Networking Framework):
- Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information
- Description: CFNetwork permits anonymous TLS/SSL connections. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue does not affect the Mail application. This issue is addressed by disabling anonymous TLS/SSL connections.
- Impact: Multiple vulnerabilities in ClamAV
- Description: Multiple vulnerabilities exist in ClamAV, the most serious of which may lead to arbitrary code execution. This update addresses the issues by updating ClamAV to version 0.96.1. ClamAV is distributed only with Mac OS X Server systems. Further information is available via the ClamAV website at http://www.clamav.net/
- Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
- Description: A heap buffer overflow exists in CoreGraphics’ handling of PDF files. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.
- Impact: An attacker in a privileged network position who can obtain a domain name that differs only in the last characters from the name of a legitimate domain may impersonate hosts in that domain
- Description: An issue exists in the handling of certificate host names. For host names containing three or more components, the last characters are not properly compared. In the case of a name containing exactly three components, only the last character is not checked. For example, if an attacker in a privileged network position could obtain a certificate for www.example.con, the attacker can impersonate www.example.com. This issue is addressed through improved handling of certificate host names.
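The host-name bug above is a good illustration of why certificate name checking has to compare whole labels, every character included. The following is an added example (not Apple’s code and not from the show): `buggy_match_as_described` is a hypothetical reconstruction of just the behaviour the advisory spells out for three-component names, placed next to a correct label-by-label matcher with the usual wildcard rules. All host names are constructed.

```python
# Added example: a model of the described name-comparison flaw beside a correct matcher.
# buggy_match_as_described() is a hypothetical reconstruction, NOT Apple's actual code.

def buggy_match_as_described(hostname, cert_name):
    """Reconstruction covering only the case the advisory states explicitly:
    for names of exactly three components the final character is never compared."""
    h, c = hostname.lower(), cert_name.lower()
    if h.count(".") == 2 and c.count(".") == 2:
        return h[:-1] == c[:-1]          # "www.example.co?" matches "www.example.co?"
    return h == c


def hostname_matches(hostname, cert_name):
    """Correct comparison: split into labels, compare case-insensitively, count every character.
    A wildcard is honoured only as the entire left-most label and only when at least two
    more labels follow, so "*.com" never matches anything."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern) or any(not label for label in host):
        return False
    if pattern[0] == "*":
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def certificate_matches(hostname, subject_cn, san_dns_names):
    """Check a certificate the way a client should: dNSName subjectAltName entries first,
    falling back to the subject CN only when the certificate carries no dNSName at all."""
    names = list(san_dns_names) if san_dns_names else [subject_cn]
    return any(hostname_matches(hostname, n) for n in names)


if __name__ == "__main__":
    print("buggy  :", buggy_match_as_described("www.example.com", "www.example.con"))
    print("correct:", hostname_matches("www.example.com", "www.example.con"))
```

The reconstruction accepts `www.example.con` for `www.example.com`, exactly the impersonation the advisory warns about; the correct matcher rejects it because the third labels differ. Note also that the correct matcher refuses wildcard matches across more than one label and refuses a bare `*.com`.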
- Impact: Loading a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution.
- Description: A buffer overflow exists in PHP’s libpng library. Loading a maliciously crafted PNG image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed by updating libpng within PHP to version 1.4.3.
- Impact: Multiple vulnerabilities in PHP 5.3.1
- Description: PHP is updated to version 5.3.2 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/
- Impact: An unauthenticated remote attacker may cause a denial of service or arbitrary code execution.
- Description: A buffer overflow exists in Samba. An unauthenticated remote attacker may cause a denial of service or arbitrary code execution by sending a maliciously crafted packet. This issue is addressed by performing additional validation of packets in Samba.
Microsoft/Windows: New Problem: “Binary Planting” / Application DLL Load Hijacking
Acros, a Slovenian security firm, last Thursday published an advisory identifying what they call a “binary planting” flaw in iTunes. If a file type associated with iTunes is opened from a remote network share, iTunes will *ALSO* try to load one or more specifically named DLLs from that share. Even if the file the user opened is completely safe, a malicious DLL with the expected name can be placed alongside it, leading to code execution.
DLL search order used by LoadLibrary / LoadLibraryEx for a DLL requested by bare name (with SafeDllSearchMode enabled, the default since Windows XP SP2):
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current working directory (CWD)
6. The directories that are listed in the PATH environment variable
With SafeDllSearchMode disabled, the CWD moves up to second place, right after the application directory. Either way, opening a document from a remote share makes that share the CWD, so any DLL name the application asks for that is not found in the earlier directories is taken from the share.
Apple patched the problem in Windows iTunes last March with v9.1. From my own cursory examination using HD Moore’s DLLHijackAuditKit, these are also affected:
CorelDraw, Windows cscript & wscript scripting engines, Firefox, WinRAR, Wireshark.
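To make the search-order walk concrete, here is an added example (not code from Acros, Microsoft or the show): a small model of the loader’s directory walk, run against a constructed fake file system in which an attacker has planted two DLLs on a share next to a harmless document. The application, file and DLL names (`victim.exe`, `private.dll`, `somehelper.dll`, `\\attacker\share`) are made up; `ws2_32.dll` is a real Windows system DLL used only as a stand-in. The model shows the default (SafeDllSearchMode on) order, the legacy order, and the effect of dropping the CWD from the walk, which is what calling `SetDllDirectory("")` does.

```python
# Added example: a model of the LoadLibrary directory walk over a constructed file system.
# Names below are hypothetical except ws2_32.dll, a real system DLL used as a stand-in.

APP_DIR = r"C:\Program Files\Victim App"
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
SHARE = r"\\attacker\share"            # remote share holding the document; opening it makes this the CWD
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]

# Constructed fake file system: every file that exists, as a lower-cased full path.
FILES = {p.lower() for p in [
    APP_DIR + r"\victim.exe",
    APP_DIR + r"\private.dll",         # DLL the application ships itself
    SYSTEM_DIR + r"\ws2_32.dll",       # real system DLL, present locally
    SHARE + r"\playlist.m3u",          # the harmless file the victim double-clicked
    SHARE + r"\ws2_32.dll",            # attacker's planted copy of a system DLL
    SHARE + r"\somehelper.dll",        # planted DLL for a name the app asks for but never ships
]}


def search_order(cwd, safe_search=True, cwd_removed=False):
    """Directories the loader walks, in order, for a bare DLL name.

    safe_search  - SafeDllSearchMode (default since XP SP2): CWD comes after the system dirs.
    cwd_removed  - the effect of SetDllDirectory(""): the CWD is dropped from the walk entirely.
    """
    order = [APP_DIR]
    if not safe_search and not cwd_removed:
        order.append(cwd)                   # legacy order: CWD right after the application directory
    order += [SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR]
    if safe_search and not cwd_removed:
        order.append(cwd)
    order += PATH_DIRS
    return order


def resolve_dll(name, cwd, **options):
    """Return the path the loader would pick for `name`, or None if it is found nowhere.
    (Real Windows short-circuits this walk for DLLs already mapped into the process and
    for KnownDLLs, which always come from System32; this model ignores both.)"""
    for directory in search_order(cwd, **options):
        candidate = directory + "\\" + name
        if candidate.lower() in FILES:
            return candidate
    return None


if __name__ == "__main__":
    for name in ("private.dll", "ws2_32.dll", "somehelper.dll"):
        print(f"{name:16} default  -> {resolve_dll(name, SHARE)}")
        print(f"{name:16} legacy   -> {resolve_dll(name, SHARE, safe_search=False)}")
        print(f"{name:16} hardened -> {resolve_dll(name, SHARE, cwd_removed=True)}")
```

Two things fall out of the walk. First, under the default order a planted copy of a DLL that exists in System32 is never reached, so the realistic targets are names the application asks for that are not installed anywhere locally; that is why a missing optional DLL is the classic hijack. Second, with SafeDllSearchMode off even `ws2_32.dll` is taken from the share. Removing the CWD from the walk (`SetDllDirectory("")`, or Microsoft’s `CWDIllegalInDllSearch` registry mitigation) closes the share-based case; loading by fully qualified path closes it per call.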
MSFT: Microsoft Security Advisory 2269637, “Insecure Library Loading Could Allow Remote Code Execution”
Microsoft told a UC Davis Ph.D. candidate/researcher that it will not issue patches to fix the critical DLL (dynamic link library) flaw in multiple applications, but will instead address the issue in future Windows and Office service packs.
Google Street View Wi-Fi data collection:
In the US, the eight privacy-breach class action lawsuits have been consolidated into one, and that may be joined by five others. Google has been sued in Spain over the data collection; the NYT reports that a judge in Spain has ordered a Google representative to appear before her. Meanwhile, for Germany, Google is offering an “opt-out tool” for Street View, available for eight weeks.
Spanair’s 2008 crash, which killed 154 of the 172 people aboard because the take-off flaps and slats failed to extend as they should have, may have malware implications:
Spanair’s maintenance system was infected with malware, believed to have been spread through a flash drive, which might have prevented it from alarming about the problem; had it done so, the plane would have been grounded pending investigation. Internal Spanair documents pointed to “Trojans” causing its central computer, designed to monitor fault messages transmitted from the aircraft, to fail.
Windows 7 graphics-related kernel problems found (grumble)
Question [ 01 ] – Nick in New Brunswick, CANADA wonders about “The Math
behind Password Strength”
Hi Steve, love the show, and love the way you explain complex
issues. I was wondering if you could explain the math behind password
strength sometime and how bit-entropy relates. I have been doing a lot of
research and discovering more questions that need answering.
For example, when someone says, the NIST recommends a 128 bit
password… how is that calculated. I understand that bit entropy is
calculated by LOG2 of a base (where the base is number of possible
characters), and by multiplying that result with the number of characters in
the password you achieve a bit entropy length for the password. But is that
the same as stating “my password is x Bits long” ?
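The arithmetic behind the question above is short enough to write down and run. This is an added example, not Steve’s answer and not from the show: it computes the random-password entropy the listener describes, the length needed to reach a target such as 128 bits for several alphabets, and, for contrast, the much lower figure NIST SP 800-63 (2006, Appendix A) assigns to a human-chosen password of the same length. The alphabet sizes and the crack rate in the demo are constructed inputs.

```python
# Added example: password entropy arithmetic (not code from the show).
import math


def random_password_bits(alphabet_size, length):
    """Entropy of a password whose every character is chosen uniformly at random:
    length * log2(alphabet size).  This is the figure the listener's formula gives."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size, target_bits):
    """Shortest uniformly random password from this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def nist_user_chosen_bits(length, composition_rule=False):
    """Rough entropy of a HUMAN-chosen password per the NIST SP 800-63 (2006) Appendix A
    heuristic: 4 bits for the first character, 2 for each of the next seven, 1.5 for the
    9th through 20th, 1 per character beyond that, plus 6 if the policy forces upper-case
    and non-alphabetic characters.  (The appendix also grants up to 6 more bits for an
    extensive dictionary check; that bonus is omitted here.)"""
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4
        elif position <= 8:
            bits += 2
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1
    return bits + (6 if composition_rule else 0)


def storage_bits(length, bits_per_char=8):
    """What "my password is x bits long" literally measures: characters times encoding
    width.  It says nothing about how hard the password is to guess."""
    return length * bits_per_char


def expected_seconds_to_crack(bits, guesses_per_second):
    """Average brute-force time: half the keyspace at the given guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    alphabets = {"digits": 10, "lower-case": 26, "alphanumeric": 62, "printable ASCII": 94}
    for name, size in alphabets.items():
        print(f"{name:16} {length_for_bits(size, 128):3d} random chars for 128 bits; "
              f"8 random chars = {random_password_bits(size, 8):5.1f} bits")
    print("8 human-chosen chars (NIST heuristic):", nist_user_chosen_bits(8, composition_rule=True), "bits")
    print("8 chars of storage:", storage_bits(8), "bits")
    print("52-bit password at 1e12 guesses/s:", round(expected_seconds_to_crack(52, 1e12)), "seconds")
```

The gap between the two entropy figures is the practical point: eight random printable-ASCII characters carry about 52 bits, while the same length chosen by a person is credited with 18 to 24 bits, and a 128-bit target needs 20 random printable characters or 39 random digits. Neither number has anything to do with the 64 bits of storage an 8-character string occupies.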
Question [ 02 ] – Joshua Backes in Shreveport, LA believes that he got “rebound”…
I believe that our Netgear router at my job, where I am the computer
tech, had fallen victim to this new type of attack! A few weeks ago our
computers started randomly redirecting to a few different websites as well
as a google-analytical.com/… and would not load the page intended. After
reinstalling Windows on two machines, we discovered they began
redirecting within a couple of minutes. Our final resolution was to reset the
router to default … then the rest of the computers began working fine.
Question [ 03 ] – Thorarin Bjarnason in Vancouver, BC, Canada is concerned that:
“Michael McCollum’s Wikipedia page is being considered for deletion”
You pointed me towards the Gibraltar Series. I downloaded Gibraltar
Stars today and did a wiki search on the author, only to find his wiki page
being considered for deletion.
I think that Michael’s page should be kept, not only because I think
his Gibraltar series is great Sci Fi and worth note, but also because I think
his business model is interesting. He sells easily copyable PDFs directly to
consumers who can choose, rightly or wrongly, to distribute the digital
content immediately, and widely.
I think his trail-blazing methods of selling his wares are of potentially
more note than his literature, and this alone should justify his existence on
Perhaps you can help summon the security now army to keep his page
on wikipedia, and maybe the more literate among us can contribute to his
Question [ 04 ] – Harold Kravatsky in Florida found a Windows LNK-Checker that
works with Windows 2000:
I have w2k and I wanted protection from the .lnk exploit. Sophos had
a program but it only works with xp, Vista and win 7. I tried it and it would
not let me install on win2k.
I searched further and found a program from G Data that runs under
Windows 2000. After installing it I had to restart Windows 2000 to
complete the installation. The icons still look normal. Below is more info
from G Data.
Harold Kravatsky, Happy SpinRite customer
Question [ 05 ] – Toby Wilkins in Wales, United Kingdom rightly worries about the
new “Contactless Payment Systems”
I have some information you and security now listeners may be
interested in regarding a new “feature” my Bank in the United Kingdom is
rolling out to all its customers. Wireless credit card payments! (Barclays
bank is a very large bank chain in the UK.)
Today I received my new Barclays bank debit card. I Opened the
letter to find a small booklet boasting Barclays new “contactless” wireless
payment feature built in to the card. UH OH *Alarm Bells*.
The booklet claims payments of up to £15 (~$25) can be made from
any new “contact-less” enabled debit (credit?) card by simply holding it
close to a newly released reading device. NO PIN IS REQUIRED!
I called up the information number (freephone 0800 009 4220). The
polite lady confirmed the above and stated this feature is being rolled out
with all new Barclay cards.
I asked what was to stop a thief walking around a busy railway station
with a reader. Her defense was these devices are physically big, but
admitted she had never been asked this question before. We know that
readers are only going to get smaller and I’m sure it’s only a matter of time
before hackers rustle up a nifty little reading device to take advantage of
this. When asked, she did not know if the technology used RFID. (blackhat
& defcon spring to mind)
Okay, so only £15 will get taken. This adds up to a lot of money
when taken from hundreds of passers by in a public location. What happens
if a card is “pinged” or “virtually swiped” a number of times under the
counter while you pay? Even with manual swiping of cards, Signatures and
PIN numbers; card fraud and “skimming” earns thieves big bucks. Adding a
wireless, no pin “feature” is only going to make this game much easier for
the bad guys.
In the UK nearly all credit/debit card transactions take place by
inserting the card into a physical reader and typing your personal PIN
number into the device. When I visit the United States, this does not seem
to be the system used. I have never understood why the US has not adopted
this system like we have in the UK.
I hope you found this information interesting. I’m a great fan of the
show. I recently graduated from university with a computer security degree
with a first-class honours result. I am sure that listening to Security Now
was the reason for this great result.
Question [ 06 ] – Antonio Lorusso in Swindon, UK has a thought about “Strict
Hello Steve & Leo,
You spoke of one small problem with STS in that if a computer
connects to a fraudulent site, say a site trying to imitate PayPal.com before
it has connected to the real PayPal.com to receive the STS token the user
will not be protected. Here is one solution.
If I were operating an STS site I would ask for browsers that support
STS to come pre-installed with an STS token with a large expiry date for
my site. This would not even require browser manufacturers to take the
burden of verifying the validity of the request for a pre-installed STS token
simply by insisting that the request is digitally signed for the site requesting
the pre-installation of the STS token. Pre-installed STS tokens could also
be added or updated by browser updates.
The only theoretical fly in the ointment for pre-installed STS tokens
that I can see is that this requires that the provision of browser software and
browser updates be secure. However, if browser software is not being
provided in a secure manner we have more serious problems than the STS
system being compromised, but it would be something to bear in mind with
this pre-install system.
Question [ 07 ] – Thomas Crowe in Virginia Beach, VA worries about a “Self Denial
of Service attack on STS”
First of all I want to say that I’ve been listening to Security Now since
the very beginning, well maybe since episode 10 and quickly caught up.
Thanks for the great podcast!
After listening to your latest podcast number 262, Strict Transport
Security a second time, I started to think about enabling this on my own
web site. But I realized that I could easily shoot myself in the foot if I were
ever to decide not to keep up with my site’s SSL certificate.
Another troubling scenario in general would be: what if a domain
name changes ownership at some point? That domain would not be
accessible by someone who sells it unless they use SSL for the next 40
years or so (whatever the last STS token was set to).
It would make sense to somehow tie this to DNS, where the
ownership of control of the domain is actually implemented. It doesn’t
make nearly as much sense to put this in at the HTTP level — where it is
I think the browser should somehow check against the DNS
expiration date or see if it was renewed. As it is now, it just seems to be a
temporary fix and not a real solution to the problem. Any thoughts to this?
Anyways, thanks for the show. I really enjoy listening every week!
Question [ 08 ] – Matt Bender in Madison, WI wonders about “Adoption Delay”…
Every now and again when listening to Security Now! you make
(usually proud) reference to the fact that you’re still on XP, and not too long
ago we know that you were still using Windows 2000. So, like you, I’m
cautious about adopting new technology the minute it comes out so it can
get the bugs worked out. For example, I would never buy a new model line
of car the first year it comes out. From what I can remember, your
reasoning in not adopting the latest technology/OS is just that very reason,
it’s too new and the bugs need to be ironed out as well as possible security
But based upon your reasoning, if you’re still using XP, why have you
adopted the iPad? It’s a new technology running a relatively infant OS that
has some proven security flaws… I’m not bashing the iPad (or any
technology for that matter), in fact I really like it (I don’t have one
though…). I’m just wondering what your thought process is on adopting
new technology both for you personally and for use at “GRC”.
Take care and keep providing quality work!
Question [ 09 ] – Steve in Florida worries that “STS will block the administration of
his router due to Linksys cert mismatch!”
Steve, great show on STS. I’ve been using it in NoScript for a long
time. BUT … whenever I log on to my router’s administration page, I get a
certificate mismatch error, essentially: “You are trying to connect to
192.168.1.1. However, the name on this certificate is Linksys… (etc.)” I
click past it, but from what you said, I wouldn’t be able to do that when
STS is fully implemented.
I have configured the router’s admin page to accept secure
connections only, to help prevent my wireless network being used by a bad
guy to mess with the router. It seems I’d have to disable that, allowing
insecure connections to the router, or else I’d never get past the certificate
Of course, the default password has been changed, but I’d still hate to
change the security settings on the router admin. Any thoughts?
Question [ 10 ] – David Jaundrew (pronounced John-Drew) in Victoria, BC, Canada
came up with an STS-based Denial of Service Scenario:
Great discussion on Strict Transport Security! I was very excited to
hear about this new security feature, though I thought of a scenario that
could allow STS to be incorrectly enabled for non-HTTPS sites using a
man in the middle attack:
– A Starbucks WIFI hacker sets up a man in the middle attack for a
user connecting to the open access point.
– The user attempts to connect to a site that does NOT have HTTPS
support (i.e. http://randomblog.example/) MANY don’t!
– The hacker intercepts the HTTP: request, returning a page that
redirects the user’s browser to httpS://randomblog.example/
– The user’s browser then attempts to connect via the HTTPS URL,
which is AGAIN intercepted by the man in the middle attack (likely using
on-the-fly self-signed certificates). The hacker now sends back an HTTPS
page with the STS header, thus enforcing and requiring the use of HTTPS
– The user clicks through the certificate warning, and the browser
reads the STS header, adding the site to its list of STS-enabled sites.
– The user is now no longer able to connect to
http://randomblog.example/ from ANY internet connection, as their
browser now requires an HTTPS connection, to which the server does not
Now granted, the application for this is strictly a Denial of Service attack
on the individual user, as once STS is enabled, the browser would then be
forced to require proper certificate authentication for the intercepted site.
I suppose my two questions are:
– are the STS headers able to be initially sent when the site is using a
– where has my logic failed me?
Thanks for the podcast, and congratulations on five years!
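Questions 6, 7, 9 and 10 all turn on how a browser’s Strict Transport Security policy store behaves: where a policy can come from (a header or a list shipped with the browser), how long it lasts, which hosts it can attach to, and whether a man in the middle can plant one. The following is an added example, not code from the show or from any browser, modelling the rules in the STS specification (the 2010 draft, later RFC 6797): the header counts only on an HTTPS response with no certificate errors, max-age sets the lifetime and max-age=0 retires a policy, includeSubDomains extends it downwards, IP-address hosts never get a policy, and a preloaded entry is known before any visit. All host names, the clock and the header values are constructed.

```python
# Added example: a minimal model of a browser's Strict Transport Security policy store.
# Not code from the show or from any browser; host names and URLs are constructed.
import ipaddress
import re
import time

MAX_AGE_RE = re.compile(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', re.I)
INCLUDE_SUB_RE = re.compile(r'(?:^|;)\s*includeSubDomains\s*(?:;|$)', re.I)


def is_ip_literal(host):
    """True for 192.168.1.1 or [::1]; a policy attaches to domain names only."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class StsStore:
    def __init__(self, preload=None, clock=time.time):
        self.clock = clock                      # callable returning "now" in seconds
        self.preload = dict(preload or {})      # host -> includeSubDomains; shipped with the browser, never expires
        self.dynamic = {}                       # host -> (expires_at, includeSubDomains), learnt from headers

    def process_response(self, host, scheme, tls_errors, sts_header):
        """Apply the STS rules to one response. Returns True if the store changed."""
        host = host.lower().rstrip(".")
        # Rule 1: the header only counts on a TLS connection with no certificate errors.
        # Over plain HTTP, or on a page the user clicked through a warning to reach, it is ignored.
        if scheme != "https" or tls_errors or sts_header is None:
            return False
        # Rule 2: policies attach to domain names, never to IP addresses.
        if is_ip_literal(host):
            return False
        m = MAX_AGE_RE.search(sts_header)
        if not m:
            return False                        # malformed header: ignored rather than guessed at
        max_age = int(m.group(1))
        if max_age == 0:                        # max-age=0 retires the policy (e.g. before a site drops TLS)
            return self.dynamic.pop(host, None) is not None
        self.dynamic[host] = (self.clock() + max_age, bool(INCLUDE_SUB_RE.search(sts_header)))
        return True

    def is_known(self, host):
        """Is `host` covered by an unexpired policy, directly or via a parent with includeSubDomains?"""
        host = host.lower().rstrip(".")
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            exact = (i == 0)
            if parent in self.preload and (exact or self.preload[parent]):
                return True
            entry = self.dynamic.get(parent)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self.clock():
                del self.dynamic[parent]        # expired: forgotten, which is what bounds a stale policy
                continue
            if exact or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; any other URL passes through unchanged."""
        m = re.match(r'^http://([^/:]+)(:80)?(/.*)?$', url, re.I)
        if m and self.is_known(m.group(1)):
            return "https://" + m.group(1) + (m.group(3) or "/")
        return url

    def may_click_through_cert_error(self, host):
        """For a known host a certificate error is fatal: there is no "proceed anyway" button."""
        return not self.is_known(host)


if __name__ == "__main__":
    store = StsStore(preload={"preloaded.example": True})
    print(store.process_response("randomblog.example", "https", True, "max-age=31536000"))   # False: warned-through
    print(store.process_response("paypal.example", "https", False, "max-age=600; includeSubDomains"))
    print(store.rewrite("http://www.paypal.example/login"), store.is_known("preloaded.example"))
```

Run against the four scenarios: the Starbucks attacker of question 10 gets nothing stored, because the victim reached the forged page through a certificate warning and the header on a warned-through connection is discarded; the router of question 9 is untouched, because 192.168.1.1 can neither receive a policy nor be covered by one; the expiry worry of question 7 is bounded by max-age, which a site can also set to 0 to retire its policy while it still serves HTTPS; and the pre-installed token of question 6 is the preload dictionary, which is known before the first visit and cannot be cleared by a header.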