SECURITY WARNINGS & Notices - Please post them here

[Dwarden]

Hi Asyn,

There is a FixIT - http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx (link from social.s-msft.com - link source author: swiat)

polonus

i checked the manual edit, i must say it dont work because i can't do it myself due to 'line max character limit)
if i just copy the actual line and change the order, i'm missing approx 50 characters over 1024
jeez who in these days have character limit ...

[Asyn]

Mac trojan posing as a PDF file
http://www.f-secure.com/weblog/archives/00002241.html

Apple Updates Anti-Malware Tools to Address New Trojan Threat
http://www.macrumors.com/2011/09/26/apple-updates-anti-malware-tools-to-address-new-trojan-threat/

[Hermite15]

"Firefox devs mull dumping Java to stop BEAST attacks"

http://www.theregister.co.uk/2011/09/29/firefox_killing_java/

[Hermite15]

Mozilla discussion here (about Java)
https://bugzilla.mozilla.org/show_bug.cgi?id=689661

I recommend that we blocklist all versions of the Java Plugin.

As far as I understand the situation, If all of these apply:

(1) The attacker can control the user's network connection, and
(2) The attacker can perform DNS rebinding or similar
(3) The user loads any non-HTTPS page, or the user loads an HTTPS page controlled by the attacker
(4) The Java plugin is enabled

then, the attacker will be able to steal the user's *existing* session cookies for any website, including any *HTTPS* website that the user visits, even when the cookies are marked Secure and HttpOnly. So, for example, the attacker would be able to steal the uesr's Google mail cookie, Paypal cookie, bugzilla.mozilla.org cookie, mail.mozilla.com cookie, etc., allowing the attacker to log in as the user.

My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.

[DavidR]

Seems lunacy, for firefox to drop JAVA (when many may not have it anyway) when essentially the vulnerability is in the SSL/TLS version used by the browser for secure communication. The vulnerable versions being SSL V3.0 and TLS 1.0. Surely they should be working towards firefox using TLS 1.1 and 1.2 of TLS that aren't susceptible.

I also thought it was a specially crafted javascript and not JAVA that did the decryption, which is immaterial if version 1.1 and 1.2 of TLS aren't susceptible, gear firefox up to use those versions.

[Asyn]

For their chosen-plaintext attack on the Cipher-Block Chaining (CBC) mode that tends to be used with TLS, Rizzo and Duong have to bypass the browser's Same Origin Policy (SOP) so that they can communicate with servers outside of, for instance, the Java applet's domain.

Although the purpose of SOPs is to prevent exactly that, a previously undisclosed bug in Java appears to enable attackers to do so regardless. In the Firefox developers' opinion, the onus is therefore on Oracle to solve the Java problem first. However, Oracle has so far failed to respond, which has prompted the developers to consider releasing an update that disables all Java plug-ins for security reasons.

http://www.h-online.com/security/news/item/Mozilla-considers-disabling-Java-in-Firefox-1351590.html

[Hermite15]

Seems lunacy, for firefox to drop JAVA (when many may not have it anyway) when essentially the vulnerability is in the SSL/TLS version used by the browser for secure communication. The vulnerable versions being SSL V3.0 and TLS 1.0. Surely they should be working towards firefox using TLS 1.1 and 1.2 of TLS that aren't susceptible.

I also thought it was a specially crafted javascript and not JAVA that did the decryption, which is immaterial if version 1.1 and 1.2 of TLS aren't susceptible, gear firefox up to use those versions.

David, I already disabled TLS 1.0 in the past once in Firefox >>> end result? ... most secure sites don't use TLS 1.1 and later, you get an error message and the sites won't open.

[DavidR]

Yes sites have to play their part too and update vulnerable SSL/TLS versions. Problem being the chicken and the egg, if browsers don't give the option/work with the later TLS versions, then sites won't bother either.

Disabling TLS 1.0 in firefox is a bit of a waste of time right now, as it would then fall back to SSL 3.0 which is also vulnerable. FF7 and below only have SSL3 and TLS 1.0 as the encryption protocol options.

[Hermite15]

nope not here that's why I tried it a while ago, as I'm using FIPS settings as a basis in FF. SSL3 is disabled (not just from the advanced settings it's not enough). So when I disabled TLS 1.0, I made the mistake to believe that 1.1 and later were present in FF, well they're not. But they're available in Windows for IE (TLS 1.1 and later). That's were you can actually experiment and see that no site supports that, see screen shot with default settings.

[DavidR]

Which is why I'm saying Mozilla needs to concentrate some effort in firefox having TLS 1.1 and 1.2 as options. Then at least when sites start to catch up their users have it as an option.

So it could at least be a selection preference TLS 1.2, drop to 1.1 and then to 1.0 if the site doesn't have the higher level TLS support. Then if the user so chooses they can uncheck TLS 1.0 so they at least know that the site has a security weakness and choose if they want to enable 1.0 for that instance.

The problem is when they have no option at all when both versions in firefox are vulnerable.

However, all that said, I think that this really has had more headline grabbing attention when this isn't going to be a very common occurrence. Plus no mention of what the users own security applications can do to block the specially crafter script to do the decryption. Not to mention the time it takes.

[Dwarden]

the simple solution is use RS4 istead CBS, the problem here is ... i can't switch it manually in the policy editor because some idiot on Microsoft decided 1024 characters is maximum for that line
yet the DEFAULT value uses 1080 characters lol

[Asyn]

Chrome: Problems with Microsoft Security Essentials
http://chrome.blogspot.com/2011/09/problems-with-microsoft-security.html

Edit: Chrome updates to repair Microsoft false alarm damage
http://www.h-online.com/security/news/item/Chrome-updates-to-repair-Microsoft-false-alarm-damage-1353162.html

[Asyn]

Cisco patch day closes critical vulnerabilities
http://www.h-online.com/security/news/item/Cisco-patch-day-closes-critical-vulnerabilities-1354156.html
http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html

[Asyn]

Security Advisory for Adobe Photoshop Elements 8
http://www.adobe.com/support/security/advisories/apsa11-03.html

[Asyn]

Firefox and SeaMonkey users warned to disable McAfee ScriptScan
http://www.h-online.com/security/news/item/Firefox-and-SeaMonkey-users-warned-to-disable-McAfee-ScriptScan-1355098.html
https://addons.mozilla.org/en-US/firefox/blocked/i42/