It has uncovered an Adobe Flash exploit that allows web sites to hijack users’ webcams with just a few clicks.
Feross Aboukhadijeh, a student at Stanford University, happened across the security loophole when searching for popular websites to employ clickjacking on. He discovered a previously reported exploit that uses an iframe of the Adobe Flash Settings Manager to secretly authorise changes to settings, but Adobe quickly addressed this by adding framebusting code to prevent the page being loaded in an iframe.
However, Aboukhadijeh discovered that Adobe had ignored the possibility that the settings .SWF file could still be loaded in an iframe, allowing him to completely bypass the framebusting code that Adobe had added to prevent this exploit.
The result is that users who click on certain links, or even just hover over them, will in fact be authorising the web site to turn on and access the user’s webcam. The user does not see the settings file hidden in the iframe and does not know that what might seem like a normal button or link on a web site is actually a guise for the real button on the invisible settings page beneath, and they certainly won’t know that their webcam has been turned on and someone might now be watching them.
Aboukhadijeh has so far only been able to get this exploit to work on the Firefox and Safari web browsers on Mac computers, primarily due to the ease with which the iframed files can be made transparent. He believes, however, that this attack could still be carried out on other web browsers and operating systems using a more complicated technique of layering iframes.
Aboukhadijeh informed Adobe about the exploit several weeks ago through the Stanford Security Lab, but received no response, so he decided to post it publicly. As expected, Adobe issued a response to media queries immediately, saying it was working on a fix. Since then Adobe has said it released a behind-the-scenes fix to the Settings Manager, probably involving more framebusting code to stop the file from being loaded in an iframe.
While this might fix this exploit, we have to wonder how long it will be before someone else finds another workaround that effectively taps the same vulnerability, and whether Flash really poses the kind of security risk that many people have long thought.
Nevertheless, users who upgrade to Firefox 7 will also benefit from improved security, as this release fixes six critical and two moderate severity security vulnerabilities.
Four of the critical patches are shared with Thunderbird 7 and address a use-after-free condition with OGG headers, an exploitable crash in the YARR regular expression library, a code installation quirk involving the Enter key and multiple memory hazards.
A moderate severity patch that provides defence against multiple Location headers caused by CRLF injection attacks is also common to both products.
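As an added illustration, not taken from the article, of how the "multiple Location headers" condition arises and how a server avoids it: a redirect built by pasting an unvalidated target into the header, beside a version that rejects CR/LF before emitting the header. All function names and the sample input are constructed for this example.

```python
"""Added example (not from the original article): how a CR/LF in an
unvalidated redirect target splits an HTTP response into two Location
headers, and the server-side check that prevents it."""

CRLF_CHARS = ("\r", "\n")


def build_redirect_vulnerable(target: str) -> bytes:
    """Builds a 302 by string-concatenating the target (weak pattern).
    A CR/LF inside `target` terminates the Location header early and the
    remainder of the value is emitted as further header lines."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            "Content-Length: 0\r\n\r\n").encode()


def build_redirect_hardened(target: str) -> bytes:
    """Same response, but a target containing CR or LF is rejected, so at
    most one Location line can ever be produced from it."""
    if any(c in target for c in CRLF_CHARS):
        raise ValueError("header value must not contain CR or LF")
    return (f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n"
            "Content-Length: 0\r\n\r\n").encode()


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Splits a raw response into (name, value) pairs the way a client
    would, so we can see how many Location headers it actually received."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def location_headers(raw: bytes) -> list[str]:
    """Returns every Location value present in the response."""
    return [v for n, v in parse_headers(raw) if n == "location"]


# Constructed input: a redirect parameter carrying an embedded CRLF.
SAMPLE_TARGET = "https://example.com/home\r\nLocation: https://attacker.example/"

if __name__ == "__main__":
    print(location_headers(build_redirect_vulnerable(SAMPLE_TARGET)))
    try:
        build_redirect_hardened(SAMPLE_TARGET)
    except ValueError as err:
        print("rejected:", err)
```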
In addition to these patches Firefox 7 also contains fixes for two critical and one moderate severity vulnerabilities, with one of them resulting in a potentially exploitable WebGL crash.
It’s worth pointing out that Microsoft previously justified its decision not to include support for WebGL in Internet Explorer by saying that the 3D graphics library opens a large attack surface.
So far several serious vulnerabilities have been identified and patched in WebGL, which partially supports Microsoft’s assessment, but the library’s supporters claim this is no different from any other technology.
Firefox 7 also updates WebSocket, a protocol disabled in the past because of security issues, to version 8, which is no longer vulnerable to known attacks.
Unfortunately, Mozilla has not yet developed a fix for a recently disclosed attack against SSL/TLS, despite having worked on the problem since June. Developers are still trying to find a resolution that will break as few websites as possible, but at this point it’s not even certain that a fix will be included in Firefox 8.
Flash Player 10.3.183.10 for Windows, Mac and Linux, and Flash Player 10.3.186.7 for Android, contain patches for six security flaws.
One of them is a cross-site scripting (XSS) weakness that can be exploited to execute rogue actions on behalf of web sites or webmail providers if victims click on maliciously-crafted links.
“There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message,” Adobe warns in its security advisory.
XSS vulnerabilities are the result of improper user input validation and allow attackers to execute rogue code in the context of the current web site. For example, they can be leveraged to extract session cookies or load rogue forms into legitimate pages, which makes for very credible phishing attacks.
Adobe credits Google for reporting this cross-site scripting vulnerability, which is identified as CVE-2011-2444. This suggests it might have been detected in attacks against Gmail users.
Two other patched vulnerabilities allow for arbitrary code execution and are located in the AVM stack. One of them can also lead to a denial of service condition. Two remote code execution logic errors and a Flash Player security control bypass have also been addressed.
Users should deploy the new update as soon as possible because browser plug-ins like Java, Adobe Reader or Flash Player are amongst the most attacked pieces of software one can have on a computer. However, unlike Adobe Reader X (10.0) which features sandboxing technology, Flash Player doesn’t have any anti-exploitation mechanism built-in.
Adobe is working on a sandbox-like technology for Flash, but that could still be one year away from a public release. In the meantime, the company has improved its update mechanism so that users are prompted to install new versions more quickly.
Chrome users have it the easiest because Google bundles a special Flash plug-in version with its browser and handles the update in a silent manner. In addition, Flash Player already runs in a sandbox under Chrome, so it is much harder to attack.
A Java tool for Facebook allows potential attackers to get personal details about users of the social networking web site.
According to H-Online, Facebook Pwn uses social engineering to obtain personal details that are not publicly accessible from Facebook users.
The tool starts its attack by setting up a fake account that tries to befriend all of its target’s contacts. Then, the attacker chooses one of the victim’s friends and adopts their identity by copying their name and profile picture into another fake account.
The fake account submits a friend request to the Facebook user, who is none the wiser as the attacker has the same name and mutual friend list as the person whose identity they stole.
After the friend request is accepted, the tool downloads the victim’s personal data and photographs so that even if the victim detects and unfriends the fake account, the attacker will still have the details. It can then be used for other targeted attacks such as spear phishing or stalking.
People can get the GPL3-licensed “proof of concept” code from the project at Google code.
The affected part of the site has been taken down, and instead delivers a statement from the company about the intrusion.
Nokia said that during its ongoing investigation of the incident, it discovered that a database table containing e-mail addresses of developer forum members was accessed, by exploiting a vulnerability in the bulletin board software that allowed an SQL injection attack.
“Initially we believed that only a small number of these forum member records had been accessed, but further investigation has identified that the number is significantly larger,” the statement said.
Nokia did not specify when the site was hacked, though it is likely to have happened last week, according to some reports.
The database table records include members’ e-mail addresses and, for the fewer than 7% who chose to include them in their public profile, either birth dates, homepage URL (uniform resource locator) or usernames for AIM, ICQ, MSN, Skype or Yahoo services. Sensitive information such as passwords and credit card details was not compromised, and the potential fallout of the hack is likely to be limited to unsolicited mail, Nokia said.
After addressing the initial vulnerability, Nokia said it took the developer community website offline as a precautionary measure, while it conducts further investigations and security assessments. The developer community section was still down on Tuesday.
Soon after the hack, visitors to the community pages were taken to a third-party web page containing an image of Homer Simpson, the character from the TV series The Simpsons, and a message, warning the company to patch its security holes, according to reports.
The company is following Google and Mozilla in creating a Web “Bug Bounty” program. For security-related bugs — cross-site scripting flaws, for example — the company will pay a base rate of $500. If they’re truly significant bugs Facebook will pay more, though company executives won’t say how much.
“In the past we’ve focused on name recognition by putting their name up on our page, sending schwag out and using this as an avenue for interviews and the recruiting process,” said Alex Rice, Facebook’s product security lead. “We’re extending that now to start paying out monetary rewards.”
On Friday, Facebook will unveil a new Whitehat hacking portal where researchers can sign up for the program and report bugs.
Many hackers go public with the software and website flaws they find to gain prestige. Finding an important bug on a widely used website such as Facebook can help make a journeyman hacker’s career, and going to the press with the issue can make him — or her — famous.
But talking about the issue before Facebook has had a chance to patch it can be risky for Facebook users. In recent years, other companies have started these bug bounty programs to encourage hackers to keep quiet about the problems they find until they are patched.
Google pays between $500 and $3,133.70, depending on the severity of the flaw.
Facebook’s security team already engages in a lot of dialogue between security researchers and its own programmers. The company is contacted between 30 and 50 times each week by hackers. Their information leads to an average of about one to three “actionable bugs,” per week, Rice said.
Company executives say that keeping good relationships with the hacker community is very important. Facebook has sponsored high-profile parties at the Defcon hacking conference for the past two years and Facebook Chief Security Officer Joe Sullivan sees that meeting as a key place to recruit new talent and educate security staffers.
Apple’s iOS and Google’s Android smartphone platforms are more secure than traditional desktop-based operating systems, but are still vulnerable to many existing categories of attacks, according to a detailed report from security software vendor Symantec.
Apple and Google designed their mobile operating systems with security in mind. But keeping up with a constantly changing threat landscape is challenging. In the report, “A window into mobile device security,” Symantec evaluated the two operating systems for how they measured up to Web-based and network-based attacks, social engineering attacks, attacks on the integrity of the device’s data, and malware.
Users of both Android and iOS smartphones and tablets regularly synchronize their devices with cloud services and with their home desktop computers. This can potentially expose sensitive enterprise data to systems outside the control of the enterprise, according to Symantec.
When it comes to protecting against traditional malware, Apple’s certification of applications and developers protects users, according to Symantec. On the other hand, Google’s less rigorous certification model has arguably led to today’s increasing volume of Android-specific malware, the company said. Earlier this month Google had to remove yet more malware-infected apps offered in its Android Market.
Google’s more open approach has been one of the reasons for its success, according to Ben Wood, director of research at CCS Insight. It has helped Google to quickly increase the number of available applications. So far, the offending apps haven’t had a major effect on users, but user sentiment could change quickly if they are hit by more severe attacks, Wood said.
Symantec also has a word of warning for users with jailbroken smartphones. They are an attractive target for attackers since they are every bit as vulnerable as traditional PCs, it said.
Symantec concluded that iOS offers better access control, application provenance and encryption. Google’s Android offers better application isolation, and the permission-based access control category is a tie, according to Symantec. Apple also offers better protection against malware attacks, service attacks, data loss and data integrity attacks. Both offer full protection against Web attacks, and no protection technologies to address social engineering attacks such as phishing or spam.