Qualys Blog

www.qualys.com
wkandek

Additional September Security Advisories – Update

Update

  • Twitter today fixed an XSS vulnerability that was triggered by hovering over a link on their website. The vulnerability had been fixed some time ago, but was unintentionally reintroduced in a recent update. Today it was disclosed again and spread quite quickly. Twitter has more info in their post here.
    Minded Security has an interesting analysis of an additional issue in the JavaScript code used and shows that finding a valid fix that works across all browsers requires experience and structured QA testing. Mikko Hypponen suggests that Twitter implement a bounty-based program, but it seems that the problems lie much lower in the dev/testing stack.

Original
After last week’s patch Tuesday a few high profile vulnerabilities and patches have appeared this week:

  • Adobe accelerated their patch for the Flash 0-day vulnerability by one week and came out with it yesterday, Monday September 20. Google Chrome users got the patch through Chrome’s update mechanism and received it even earlier, on Friday, September 17. Google Chrome users can also use the Chrome-embedded PDF reader for most of their PDF needs, at least simpler document viewing and printing, and so sidestep the still unpatched Adobe Reader 0-day.
  • Samba, the popular file sharing server, issued a patch for a critical vulnerability. The vulnerability allows external users to cause a DoS condition and potentially take control of the Samba server. Most users run a version of Samba supplied by their vendor and should contact them for the updates, e.g. Red Hat, IBM, Apple etc.
  • An exploit for a vulnerability in the 64-bit Linux kernel was published. The vulnerability allows a local user to take full control of the targeted machine. Limited reports of use of the exploit are coming in. A tool has been made available to detect infection. Engage your vendor for a patch.
  • Web applications that use Microsoft’s ASP.NET are vulnerable to a "padding oracle" attack against application cookies which allows the attacker to gain access to private information. There is a demo video online on YouTube. Microsoft issued security advisory KB2416728 and has acknowledged a limited number of attacks seen in the wild. The advisory contains workarounds that mitigate the information leak. Web application firewalls with the technology to protect application cookies can also help with the issue.
  • Apple published an update to Mac OS X 10.6 (Snow Leopard) fixing a single issue, which is quite uncommon as they normally bundle many security updates together. Earlier versions of Mac OS X are not affected. QuickTime for Windows was updated as well to address a known 0-day vulnerability.
  • Twitter today fixed an XSS vulnerability that was triggered by hovering over a link on their website. The vulnerability had been fixed some time ago, but was unintentionally reintroduced in a recent update. Today it was disclosed again and spread quite quickly. Twitter has more info in their post here.
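To make the ASP.NET cookie item above concrete from the defender's side, here is an added example written for this post (it is not Microsoft's code and not taken from the advisory). It puts a cookie reader that decrypts CBC-encrypted cookies and then checks padding next to a hardened reader that verifies an HMAC in constant time before decrypting and collapses every failure into one error. The keys and cookie fields are constructed for the demo, and a toy Feistel cipher stands in for AES so the script runs with the standard library only; the behaviour being shown depends on CBC and the padding check, not on the cipher.

```python
import hashlib
import hmac
import os

BLOCK, TAG_LEN, ROUNDS = 16, 32, 4

class PaddingError(Exception): pass   # padding check failed (leaks in the vulnerable reader)
class FormatError(Exception): pass    # padding fine, but the decrypted content did not parse
class InvalidToken(Exception): pass   # the only failure the hardened reader ever reports

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte Feistel cipher (HMAC-SHA256 round function) standing in for AES so the
# example needs no third-party library. It is NOT secure; the oracle comes from CBC
# plus an unauthenticated padding check, not from the block cipher.
def _block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return l + r

def _block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, hmac.new(key, bytes([i]) + l, hashlib.sha256).digest()[:8]), l
    return l + r

def _cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = _block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def _cbc_decrypt(key, iv, data):      # each block is XORed with the previous ciphertext block
    chain = iv + data
    return b"".join(_xor(_block_decrypt(key, data[i:i + BLOCK]), chain[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def _unpad(data):                     # PKCS#7
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad PKCS#7 padding")
    return data[:-n]

def _parse(plaintext):                # "k=v;k=v" -> dict
    try:
        return dict(item.split("=", 1) for item in plaintext.decode("utf-8").split(";"))
    except (UnicodeDecodeError, ValueError):
        raise FormatError("cookie body does not parse") from None

def make_cookie_vulnerable(enc_key, fields):
    body = ";".join(f"{k}={v}" for k, v in fields.items()).encode()
    n = BLOCK - len(body) % BLOCK      # PKCS#7 padding
    iv = os.urandom(BLOCK)
    return iv + _cbc_encrypt(enc_key, iv, body + bytes([n]) * n)

def read_cookie_vulnerable(enc_key, token):
    # Decrypt-then-parse with no integrity check: success, PaddingError and
    # FormatError are three distinguishable answers, i.e. a padding oracle.
    iv, ct = token[:BLOCK], token[BLOCK:]
    if not ct or len(ct) % BLOCK:
        raise FormatError("bad token length")
    return _parse(_unpad(_cbc_decrypt(enc_key, iv, ct)))

def make_cookie_hardened(enc_key, mac_key, fields):
    body = make_cookie_vulnerable(enc_key, fields)   # same CBC layout, plus a MAC over IV||ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def read_cookie_hardened(enc_key, mac_key, token):
    # Verify the MAC in constant time before decrypting anything, and report every
    # failure (bad tag, bad padding, bad format) as one and the same error.
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise InvalidToken
    try:
        return read_cookie_vulnerable(enc_key, body)
    except (PaddingError, FormatError):
        raise InvalidToken from None

def _outcome(reader, token):          # what a client can observe for one token
    try:
        reader(token)
        return "ok"
    except (PaddingError, FormatError, InvalidToken) as e:
        return type(e).__name__

def oracle_demo():
    # Constructed keys and cookie fields; the same single-bit flips go to both readers.
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    fields = {"user": "alice", "role": "user"}      # 20 bytes -> 12 bytes of 0x0c padding
    vuln = make_cookie_vulnerable(enc_key, fields)
    hard = make_cookie_hardened(enc_key, mac_key, fields)
    results = {}
    for name, idx in {"untouched": None, "iv byte 0": 0, "iv byte 4": 4, "ciphertext byte 15": 31}.items():
        v, h = bytearray(vuln), bytearray(hard)
        if idx is not None:
            v[idx] ^= 1; h[idx] ^= 1
        results[name] = (_outcome(lambda t: read_cookie_vulnerable(enc_key, t), bytes(v)),
                         _outcome(lambda t: read_cookie_hardened(enc_key, mac_key, t), bytes(h)))
    return results
```

Running `oracle_demo()` shows the gap the advisory is about: the vulnerable reader answers the three tampered tokens with "ok", `FormatError` and `PaddingError` respectively, so a client can tell whether the padding of a modified ciphertext was accepted, while the hardened reader answers every tampered token with the same `InvalidToken`. The two layers are independent: the uniform error matches the spirit of the advisory's workarounds (stop leaking which check failed), and the MAC-before-decrypt check is the proper fix, since a ciphertext that is not authenticated never reaches the padding check at all.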
