Security Alerts & News
by Tymoteusz A. Góral

History
#2018 OpenSSL update fixes high-severity DoS vulnerability
The OpenSSL Software Foundation released an update to the OpenSSL crypto library that patches a vulnerability rated high severity that could allow a remote attacker to cause a denial-of-service condition.

OpenSSL released the version 1.1.0e update that fixes flaws found in OpenSSL 1.1.0, according to the OpenSSL Security Advisory issued last week. The United States Computer Emergency Response Team also alerted system admins of the issue last week.

According to OpenSSL, the vulnerability occurs during a renegotiation handshake procedure. “If the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” according to the advisory.
#2017 Firefox users fingerprinted via cached intermediate HTTPS certificates
The way in which Firefox caches intermediate CA certificates allows a third party to deduce various details about website visitors and also link advertising profiles to private browsing sessions.

Before we go on, it is important that non-technical users understand what an intermediate CA certificate is.

At the top of the entire HTTPS infrastructure we have root CAs (Certificate Authorities), which are companies such as Comodo, Symantec, DigiSign, and others.

For security reasons, root CAs generate intermediate certificates, instead of using the main root certificate. This way, when an intermediate CA certificate gets compromised, the root CA continues to operate and doesn't have to revoke and replace certificates for all its clients, but only a few.
#2016 The attack of the alerts and the zombie script
In our previous post we found a way to UXSS (bypass the SOP policy) using the htmlFile/ActiveXObject, however, I mentioned that there were other interesting things to do using that same object. Have you tried anything? If yes, congratulations. The only way to find bugs is by trying, and today we are going to explore another interesting thing that can be done with the same ActiveXObject.
#2015 Hacks all the time. Engineers recently found Yahoo systems remained compromised
Some five months after Yahoo disclosed a security breach that exposed sensitive data for 500 million accounts, some of its systems remained compromised, according to a report published Tuesday. The report said that in light of the hacks, Verizon would knock $350 million off the price it would pay to acquire Yahoo's Internet business.

"A recent meeting between technical staff of the two companies revealed that some of Yahoo’s systems were compromised and might be difficult to integrate with Verizon’s AOL unit," The Wall Street Journal reported, citing unnamed people. Verizon remains concerned that the breaches may hamper user engagement and in the process make the assets less valuable. Yahoo responded by cutting $350 million from the original $4.83 billion price tag, bringing the deal value to about $4.48 billion. It wasn't clear precisely when the meeting occurred.
#2014 CryptoMix: Avast adds a new free decryption tool to its collection
Avast now provides a decryption tool for ransomware CryptoMix (offline only)

In cooperation with researchers from CERT.PL, we are happy to announce the release of another decryptor tool, for the ransomware CryptoMix. CryptoMix has multiple aliases, including CryptFile2, Zeta, or the most recent alias CryptoShield.
#2013 Microsoft Security Bulletin MS17-005 - Critical
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. For more information, see the Affected Software section.
#2012 Java and Python FTP attacks can punch holes through firewalls
The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks.

On Saturday, security researcher Alexander Klink disclosed an interesting attack where exploiting an XXE (XML External Entity) vulnerability in a Java application can be used to send emails.

XXE vulnerabilities can be exploited by tricking applications into parsing specially crafted XML files that force the XML parser to disclose sensitive information such as files, directory listings, or even information about processes running on the server.