SECURITY WARNINGS & Notices - Please post them here

[mchain]

Update on IE use-after-free vulnerability

Tech blog Microsoft Security Response Center announces new Fix-it and out-of-band release Windows Update patch for all versions of IE:  http://blogs.technet.com/b/msrc/archive/2012/09/19/internet-explorer-fix-it-available-now-security-update-scheduled-for-friday.aspx

[Asyn]

Threat Level Yellow: Protection recommendations regarding Internet Explorer exploits in the wild
https://isc.sans.edu/forums/diary/Threat+Level+Yellow+Protection+recommendations+regarding+Internet+Explorer+exploits+in+the+wild/16634
http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx

[bob3160]

Threat Level Yellow: Protection recommendations regarding Internet Explorer exploits in the wild
https://isc.sans.edu/forums/diary/Threat+Level+Yellow+Protection+recommendations+regarding+Internet+Explorer+exploits+in+the+wild/16634
http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx

Simple remedy is to use a different browser till the fix is available.

[mchain]

More information about IE, all versions, exploits, attacks:

http://www.pcadvisor.co.uk/news/security/3470426/internet-explorer-zero-day-attackers-linked-to-bit9-hackers/

Some published reports state that this attack team uses a weaponized version and so far has been used to attack only enterprise/commercial users using IE 8 and IE 9.

[Asyn]

Data Broker Giants Hacked by ID Theft Service
http://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/

[polonus]

Starting next year: https://cabforum.org/pipermail/public/2013-September/002233.html
Google Weaker SSL-Certificate alerts
This also seen to these developments: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
Also Bruce Schneier warned about these issues leaving everyone less secure.
In the meantime I check with Calomel SSL Validation in firefox: https://addons.mozilla.org/En-us/firefox/addon/calomel-ssl-validation/

polonus

[Secondmineboy]

So Google is going to implement their own certificate verification system like in Firefox.

[polonus]

Hi Steven Winderlich,

Seems so,

Well I like a check like this example from DigiCert® SSL Installation Diagnostics Tool:
DNS resolves 'www.security.nl' to 213.156.0.246
HTTP Server Header: Apache

SSL certificate
Common Name = www.security.nl

Subject Alternative Names = www.security.nl

Issuer = Thawte DV SSL CA

Or Why no padlock?
Domain Name: www.security.nl
URL Tested: https://www.security.nl
Number of items downloaded on page: 24
   Valid Certificate found.
   Certificate valid through: Dec 13 23:59:59 2013 GMT
Certificate Issuer: Thawte, Inc.
   All 24 items called securely!

Serial Number = 67ED771B1120A17564A4685737F1D84A

SHA1 Thumbprint = 3C6925620CBFBE09098886F4306F32DE0A363E29

Key Length = 2048 bit

Signature algorithm = SHA1 + RSA (good)

Secure Renegotiation: Supported

SSL ciphers supported by the server
TLS_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_RC4_128_SHA

TLS_RSA_WITH_3DES_EDE_CBC_SHA

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_CAMELLIA_128_CBC_SHA

TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA

TLS_RSA_WITH_SEED_CBC_SHA

TLS_DHE_RSA_WITH_SEED_CBC_SHA

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

This certificate does not use a vulnerable Debian key (this is good)
SSL Certificate expiration
The certificate expires December 13, 2013 (78 days from today)

Certificate Name matches www.security.nl
 
Subject www.security.nl
Valid from 13/Dec/2012 to 13/Dec/2013 
Issuer Thawte DV SSL CA
   
 
Subject Thawte DV SSL CA
Valid from 18/Feb/2010 to 17/Feb/2020 
Issuer thawte Primary Root CA
   
 
Subject thawte Primary Root CA
Valid from 17/Nov/2006 to 30/Dec/2020 
Issuer Thawte Premium Server CA

SSL Certificate is correctly installed

or this examplke  from Why No Padlock?
Domain Name: www.security.nl
URL Tested: https://www.security.nl
Number of items downloaded on page: 24
   Valid Certificate found.
   Certificate valid through: Dec 13 23:59:59 2013 GMT
Certificate Issuer: Thawte, Inc.
   All 24 items called securely!

polonus

[Pondus]

Duh, iOS 7 Does Not Make Your iPhone, iPad Waterproof   
http://www.pcmag.com/article2/0,2817,2424780,00.asp

http://news.sky.com/story/1145439/waterproof-iphone-advert-owners-fooled

[polonus]

Unpatched IE-hole abused in cyber-espionage: http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/hand-me-downs-exploit-and-infrastructure-reuse-among-apt-campaigns.html      link article authors  Ned Moran and Nart Villeneuve
A MS-Fix-it is available, but no patch has been issues yet,

pol

[Asyn]

Illegal Access to Adobe Source Code
http://blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html

[polonus]

Hi Asyn,

And this as a reaction on this data breach: http://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
What gonna be the implications?

polonus

[Asyn]

What gonna be the implications?

Well, we'll see over the next few days/weeks...
As you understand German: http://www.heise.de/security/meldung/Einbruch-bei-Adobe-Millionen-Kundendaten-sowie-Sourcecode-von-ColdFusion-und-Acrobat-geklaut-1972175.html

[Asyn]

Microsoft Security Bulletin Advance Notification for October 2013
http://technet.microsoft.com/en-us/security/bulletin/ms13-oct

[polonus]

Hi Asyn,

Thanks for that article link.
Others here could google translate that articlke txt  into UK English or American English.

Couldn't we or shouldn't we further advise users to at least use another reader,
 like for instance FoxIt for the time being until the security position of Adobe's been clarified.
Users should also explicitly allow the use of these readers in the browser
as is the rule with a lot of browsers now.
They should rfeally pre-scan document links or re-check these particular software executables and update uri's for malcode.
Through these latest hacks Adobe has manoevered itself into the ranks of Java and likewise security-problematic codes.

polonus