Tag: open source

DNS-Linked Flaw Leaves Many Systems Vulnerable

In-brief: Researchers at Google are warning about a previously undetected flaw in a widely used open source library could be exploited by attacks using overly long web domain names.

Survey: Security The Top Issue for IoT Developers

In-brief: A survey of more than 300 developers working on Internet of Things products reveals that security is their top concern, followed by interoperability.

Whack-A-Bash: New Vulnerabilities add to Patch Confusion

The good news about the rapid, industry response to the revelations about exploitable security holes in GNU Bash (Bourne Again Shell) (aka “Shellshock”) is that Linux users had a fix in hand almost as soon as they became aware of the problem those patches addressed. The bad news about the quick fixes for the two issues, CVE-2014-6271 and CVE-2014-7169, from the likes of Red Hat, Ubuntu, Debian and others is that – in being early- they fail to fix the problems we don’t yet know about. And that’s what we’re seeing in the wake of last week’s storm of patches: a steady drip-drip of disclosures that suggest that Bash may contain other problems worthy of new fixes. Within hours of the disclosure of the first holes, there were problems discovered by Red Hat Product Security researcher Todd Sabin, who found additional “off by one” errors in Bash that were assigned CVE-2014-7186 and CVE-2014-7187 and […]

shellshock

Update: ShellShock’s Long Tail in the Enterprise

The recently disclosed vulnerability in the Linux Bash function dubbed “ShellShock” is creating a firestorm of coverage – and rightly so. The 22 year-old security hole is remotely exploitable and affects Linux based web servers and an unknown number of other devices that might run on linux and contain vulnerable services. However, unlike the recent “Heartbleed” OpenSSL vulnerability, identifying systems vulnerable to Shellshock won’t be easy. Shellshocked first came to light on Wednesday, when Linux vendors including Red Hat began warning about the security hole. The vulnerability allows a malicious actor to take advantage of built in Bash functions, wrapping them in environmental variables and then appending malicious code to the end of function definitions within the variable. In a blog post, Redhat said that any application that runs a shell script using Bash as the command interpreter, or that is hooked onto a shell is vulnerable to attack. Paul Venezia, writing over at InfoWorld, gives one […]

FAKEID Logo

Old Apache Code at Root of Android FakeID Mess

A four year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave mobile devices that use it susceptible to attack, according to researchers at the firm Bluebox Security. The vulnerability was disclosed on Tuesday. It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. According to Bluebox, the vulnerability was introduced to Android by way of the open source Apache Harmony module. It affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications, according to Jeff Forristal, Bluebox’s CTO. He will be presenting details about the FakeID vulnerability at the Black Hat Briefings security conference in Las Vegas next week.