11.5 C
Sunday, October 22, 2017

Two-year-old Java flaw re-emerges due to broken patch

A patch for a critical Java flaw released by Oracle in 2013 is ineffective and can be easily bypassed, security researchers warn.

This makes the vulnerability exploitable again, paving the way for attacks against PCs and servers running the latest versions of Java. The flaw, tracked as CVE-2013-5838 in the Common Vulnerabilities and Exposures (CVE) database, was rated by Oracle 9.3 out of 10 using the Common Vulnerability Scoring System (CVSS).
It can be exploited remotely, without authentication, to completely compromise a system's confidentiality, integrity and availability. According to researchers from Polish security firm Security Explorations who originally reported the flaw to Oracle, attackers can exploit it to escape from the Java security sandbox. Under normal conditions, the Java Runtime Environment (JRE) executes Java code inside a virtual machine that is subject to security restrictions. On Thursday, Security Explorations revealed that the Oracle patch for the vulnerability is broken.

The fix can be trivially bypassed by making a four-character change to the proof-of-concept exploit code released in 2013, Security Explorations CEO Adam Gowdiak wrote in a message sent to the Full Disclosure security mailing list. Gowdiak's company published a new technical report that explains how the bypass works in more detail. The company's researchers claim that their new exploit was successfully tested on the latest available versions of Java: Java SE 7 Update 97, Java SE 8 Update 74 and Java SE 9 Early Access Build 108. In its original advisory in October 2013, Oracle noted that CVE-2013-5838 only affects client deployments of Java and can be exploited through "sandboxed Java Web Start applications and sandboxed Java applets." According to Security Explorations, this is incorrect. "We verified that it could be successfully exploited in a server environment as well as in Google App Engine for Java," Gowdiak said in the Full Disclosure message. On the client side, Java's default security level -- which allows only signed Java applets to run -- and its click-to-play behavior can act as mitigating factors.

These security restrictions can prevent automated silent attacks. In order to exploit the vulnerability on an up-to-date Java installation, attackers would need to find a separate flaw that allows them to bypass the security prompts or to convince users to approve the execution of their malicious applet.

The latter route is more likely. Security Explorations has not notified Oracle about the CVE-2013-5838 bypass before disclosing it.

According to Gowdiak the company's new policy is to inform the public immediately when broken fixes are found for vulnerabilities that the company has already reported to vendors. "We do not tolerate broken fixes any more," he said. It's not clear whether Oracle will push out an emergency Java update just to patch this vulnerability, or if it will wait until the next quarterly Critical Patch Update, which is scheduled for April 19.

Tech industry must secure against ‘unintended consequences’: Elop

Intentionality, creativity, and leadership is the only way the tech industry can protect the world against the 'perils of unintended consequences', Telstra head of Innovation Stephen Elop has said.

Microsoft Ends Free Public Advance Security Notification Service

The general public will have to wait until Patch Tuesday as Microsoft ends its early public warning of upcoming patching. For the last decade, every Microsoft Patch Tuesday was preceded by a Microsoft Advance Notification Service (ANS) update. In an unexpected move, Microsoft announced on Jan. 8 that it is ending the free general public availability of ANS, which will only be available to Microsoft premier customers and members of its security programs. ANS provided a brief preview of the patches set to debut on Patch Tuesday. The public release, however, never provided full details of the specific flaw but, rather, was a general overview of patched items to help provide some initial guidance. In many cases, whenever Microsoft is set to make a change to any of its software or security products or policies, the change is announced in advance. Ironically, there was no advance notification for the end of the Advance Notification Service. "We believe announcing a few days prior to an Update Tuesday cycle calls attention to this change more effectively than repeating it for a few months," a Microsoft spokesperson told eWEEK via email. "The vast majority of customers don't use ANS to prepare for security updates; and for those that do, it isn't coming to an end." Back in 2008, the Microsoft Active Protections Program (MAPP) debuted, providing the company's partners with a program that gives details of vulnerabilities before the official patches are released. Though public availability of ANS is now changing, Microsoft's spokesperson noted that there are no changes to MAPP. "Premier customers and current organizations that are part of our security programs, such as the Microsoft Active Protections Program, will continue to receive the ANS," the spokesperson stated. Qualys, a MAPP partner, is working with Microsoft to get early access to security notifications, according to Wolfgang Kandek, Qualys CTO. He believes the ANS still matters and there is value in that IT administrators can read about specifics, exploits and priorities. "On one hand, I am certain that many IT admins wait until the bulletins are released and go directly to the technical details and form their own opinions; on the other hand, there are IT admins that appreciate the guidance," Kandek told eWEEK. "Taking that guidance away is a step backward." Marc Maiffret, CTO of BeyondTrust, also a MAPP partner, said the ANS is helpful in that it allows IT to plan better. While larger enterprises might have dedicated teams and partnerships with Microsoft, small and midsize businesses (SMBs) are likely to be impacted by the end of the public ANS. With the ANS changes, those SMBs will now have to wait until the morning of Patch Tuesday to know how their next few nights will be spent. For Rapid 7, which is not a MAPP partner, the publicly available advanced notification was valuable, said Ross Barrett, senior manager, security engineering at Rapid7. "It broadly informed the public about all affected platforms and products," Barrett told eWEEK. "The new approach assumes that customers have comprehensive knowledge and understanding of what is in their environments so that they can seek out what patches to prepare for." People don't fully know what is in their environments, and making it harder for them to get relevant security warnings could be harmful, Barrett said. "On a personal note, as a security professional who works with coverage of Microsoft platforms, this just makes it harder for us to get ready for Patch Tuesday every month," Barrett said. "Instead of generally knowing something about all the things that will be patched, though never exactly what, we now have to hunt down a list that we can never know is comprehensive." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.  

Juniper starts waving fixes for DROWN vuln

Turn off SSL, install patches, block traffic at firewalls Juniper Networks has identified products it says are vulnerable to the DROWN attack. DROWN turned up at the end of February, and is a relic of enduring but pointless support for the long-deprecated SSLv2 protocol. The most prominent exposure to DROWN is in web sites that weren't configured to refuse attempts at SSLv2 connection. However, hardware vendors use HTTPS to secure access to management consoles, which means the vulnerability sent the whole industry scrambling to identify and patch vulnerable systems. In Juniper's advisory, the company says its ScreenOS (the operating system for NetScreen firewalls), Security Threat Response Manager (STRM), its JSA virtual appliance, and its WLC Wireless LAN Controller had the DROWN vulnerability. For ScreenOS later than version 6.3.0r19, the fix is straightforward: disable SSLv2 and SSLv3 at the CLI with the <ttl>unset sll ssl3 command. The company promises a fix for the STRM and JSA Series products in versions 2014.6.r4 and 2013.2.r14, and fixes are promised for other products. Listed as not vulnerable are Junos OS, Junos Space, JunosE, QFabric Director, Standalone IDP (intrusion detection and prevention), NSM, WLAN RingMaster and WLAN SmartPass. If you have vulnerable products that don't yet have a fix, Juniper notes that SSL traffic can be blocked at the firewall. ® Sponsored: 2016 global cybersecurity assurance report card

India’s transport minister vows to ban self-driving cars to save jobs

"We wonrsquo;t allow driverless cars in India," said Nitin Gadkari.

Apple has art tips for a budding Ansel Adams or Pablo...

Enlarge Image Bernhard Lang uses an iPhone 6S Plus and a helicopter to capture stunning images thousands of feet in the air. Bernhard Lang via Apple Smartphone cameras have advanced so much in recent years that many shutterbugs have largely abandon...

Will the iPhone 5S’s fingerprint technology help enterprise security?

A fingerprint sensor has been built into Apple's latest iPhones, but what will this mean for enterprise security? Apple’s influence on the smartphone market is undeniable, and this technology addition may lead to a revolution in smartphone security as others adopt similar technologies. But what does fingerprint security mean for the enterprise? Dave Birch, director of Consult Hyperion, believes the feature is less about security and more about convenience.

He said the fingerprint sensor will save users time, as they will no longer need to swipe their home screen and enter a four-digit pin to access their phone. Apple’s new flagship device, the iPhone 5S, features a 500ppi fingerprint sensor in the home button of the device, which scans sub-epidermal skin layers.

The addition is not particularly surprising, after Apple's July 2012 acquisition of Authentec, a mobile security company which specialises in fingerprint sensors. The iPhone 5S is not the first smartphone to include fingerprint sensor technology – Motorola’s Atrix was, in 2011. But while the fingerprint technology is not new, Apple’s brand name and dedicated following could take the technology mainstream and inspire other manufacturers to add it to upcoming devices. If successful, it is likely to move the industry away from passwords to biometric user authentication methods, but some argue that it is a sales tactic, rather than a robust addition to security. Biometrics just one layer of security   Two-factor authentication experts argue that biometrics should just be part of the way a user is identified.  Apple’s brand name and dedicated following could take fingerprint sensor technology mainstream and inspire other manufacturers to add it to upcoming devices "A single factor, whether it’s a Pin (something you know), a smartphone (something you have), or a fingerprint (who you are), is not enough on its own.

The iPhone’s fingerprint sensor is a significant step, but not a silver bullet,” said Thomas Bostrøm Jørgensen, CEO of Encap. “Hacking a fingerprint may sound as if it’s only possible through rather gruesome means, but it is very possible to steal fingerprints through more social methods – lifting a print from a discarded coffee cup is no more science fiction than the fingerprint scanner itself,” he said. But the technology does represent another step towards better smartphone security.

This has become a growing concern as the devices become more regularly used to access data in the enterprise. Richard Moulds, vice-president of product strategy at Thales e-Security, said the introduction of biometrics has raised the bar for personal security.  “The potential exists to not only protect access to the phone and the apps directly associated with it, but also to open up the prospect of strong authentication to a plethora of third-party services accessed from the phone, such as home banking and e-commerce,” he said. Closing the door on developers But Apple said it has no plans to allow the Touch ID sensor to be used for more than unlocking phones or verifying iTunes purchases.

This is because the tech giant has not given the developer community access to the technology. Apple chief Tim Cook indicated that the company may look for other uses for the sensor first, before opening it up to the developer community. Given the history of fingerprint scanners on laptops and successful attempts by security researchers to bypass such systems, Apple is likely to wait until the technology is proven and widely accepted before opening it up to the wider developer community. Enterprise security Tony Cripps, principal device analyst at Ovum, said that while the additional security at the authentication layer may provide some additional comfort level to enterprises, they will have very little control over how it is used. “If Apple was to supply the APIs, then presumably at that point it does become possible to incorporate that into a device management suite,” he said. Alex Mesguich, vice-president of enterprise research at Context, said the technology could facilitate the bring your own device (BYOD) trend in the workplace.

He added that further down the line, if Apple allows developers to program external applications – organisations could use this feature to identify their employees before sending important information to the device. Over time, if Apple opens up the technology and provides an application programming interface (API), third-party developers will be able to build in hooks that can integrate the device with corporate security.

In the meantime, however, it seems that the fingerprint sensors will be seen as an additional security layer for devices.  Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners.

If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com

GitHub Improves Two-Factor Security With U2F

GitHub embraces the FIDO standard and aims to get Yubico U2F keys into as many developer hands as it can. GitHub has emerged in recent years to become the de facto standard location for developers to launch new code projects and engage with potential contributors. With all that code in one place, GitHub is also an attractive target for attackers, with password security often being the weak link. In an effort to secure itself and its users, GitHub today is announcing its support of the FIDO (Fast Identity Online) Universal 2nd Factor standard and is engaging with U2F hardware vendor Yubico to help make keys more easily accessible and available. The FIDO Alliance is a multi-stakeholder effort with more than 150 member companies, including Bank of America, MasterCard and Visa, as well as Google and Qualcomm. The goal of the U2F standard, which officially hit the 1.0 milestone in December 2014, is to enable a hardware-secured mechanism for two-factor authentication. The U2F hardware is typically available in the form of a USB device that includes the secure hardware token. One such device is the YubiKey built and sold by Yubico. GitHub has had two-factor authentication in place for several years, supporting Google Authenticator and SMS-based deployments, said Shawn Davenport, GitHub's vice president of security. With Google Authenticator, a one-time password is generated on the user's device; with SMS, the user is sent a one-time password via SMS on their mobile device. Although GitHub provides two-factor authentication, Davenport admitted that usage of existing two-factor systems is relatively low among GitHub users. "We have approximately 300,000 users with some form of two-factor authentication today, either Google Authenticator or SMS-based," Davenport told eWEEK. "We have over 11 million users, so adoption of any form of two-factor authentication is low." With the new U2F support, Davenport is optimistic that it will act as a catalyst to grow adoption for two-factor adoption overall. To help further spur adoption, GitHub and Yubico will be giving free YubiKey U2F keys to 1,000 attendees of the GitHub Universe conference today in San Francisco. The partnership with GitHub and Yubico is also offering a YubiKey to an initial 5,000 developers for only $5 per key, which is a substantial discount from the retail price of $18 per key. An additional 95,000 GitHub users will be able to get a YubiKey for a 20 percent discount. "Unlike Google Authenticator or SMS, which is essentially free, there is a cost here," Davenport said. "Once we get widespread adoption of U2F across all major sites and services, at that point it will make even more sense for users to make the small investment in a U2F-compatible device." For its part, Yubico has been trying to help organizations easily deploy U2F. Stina Ehrensvard, CEO and founder of Yubico, said her company already has millions of users around the world that recognize the value of purchasing a security key. Among the organizations that Yubico has helped deploy two-factor authentication technology are the Linux Foundation and CERN. "It's not a major cost, and it's not a reoccurring cost," Ehrensvard told eWEEK. "I'm not seeing that cost is a major barrier. The challenge is about getting U2F to work across as many sites as possible, and that's what we're working on now." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Cyber security – what does the future hold?

Each year there are at least 50 million cyber attacks in the UK alone and this number is rising. Cyber security is a high profile agenda item; from warnings this month by Vince Cable of the vulnerability of essential services, to the recent request by...

US appeals court rejects challenge to National Security Letter gag orders

A panel of the 9th US Circuit Court of Appeals rejected a challenge from CloudFlare and CREDO Mobile.

Turkey’s constitutional court rules against YouTube block

Turkey’s constitutional court has ruled that a government block on access to Google’s YouTube service violates laws governing freedom of expression. Access to the video-sharing site is expected to be restored after the court’s ruling is communicated to the country’s telecommunication authorities. The block was imposed in March after anonymous users uploaded audio recordings of what sounded like Turkish officials discussing Syria. At the time, Turkish prime minister Tayyip Erdogan denounced the leak as "villainous" and foreign minister Ahmet Davutoglu called the posting a "declaration of war”. The constitutional court’s ruling is widely seen as a snub to Erdogan’s government, reports the BBC. Erdogan criticised social media sites such as Twitter and YouTube in the run-up to elections on 30 March. Twitter was banned after a user posted damaging allegations of corruption implicating those close to Erdogan, who vowed to "wipe out Twitter". Social media sites such as Twitter and Facebook were heavily used by protesters during anti-government demonstrations last year. The block on Twitter was lifted in April after a constitutional court ruling, but the block on YouTube has remained in place despite decisions from lower courts calling on the government for them to be lifted. Despite the block, however, many people in Turkey have found various ways of circumventing government-imposed controls. YouTube was blocked previously in Turkey in 2007 but that ban was lifted in 2010. Turkish authorities have a long history of monitoring and filtering web content, even intermittently blocking access to online services Read more on Turkey Turkey attempts to increase block on Twitter Turkey blocks access to Twitter Turkey seeks tighter internet control Blogspot shut down in Turkey following football broadcast spat Turkey, Russia top Internet risk charts Turkey bans YouTube Anonymous attacks Turkish government websites in Antisec campaign protest Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com RELATED CONTENT FROM THE TECHTARGET NETWORK

Donate your Lego for art: Ai Weiwei fills cars with Lego...

Artist Ai Weiwei's Lego installation at Alcatraz Prison in San Francisco Bay. Beck Diefenbach/Corbis Frustrated parents around the world are used to finding stray pieces of Lego abandoned in their cars. But now Chinese artist Ai Weiwei is calling on...