Google updates for Chrome
Google has released an update for Chrome, their own web browser. From their advisory here: "Google Chrome's Stable channel has been updated to version 2.0.172.31 to fix two security issues in WebKit." CVE-2009-1690 is a memory corruption issue that can lead to arbitrary code execution within the sandbox. CVE-2009-1718 is an information leak. Both CVEs name Apple Safari; however, they also affect Google Chrome.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Green Dam
China has mandated that software that can block certain sites and content be installed on all new computers. While this is certainly very interesting from a sociological and political point of view, the security implications are significant. Millions of computers must be running this particular piece of software. Even more significant is that the software appears to be buggy. User experiences indicate that it does not work very well and makes the computer sluggish. Analysis of the code has identified a number of vulnerabilities, at least one of which is exploitable. More than one remotely exploitable buffer overflow has been reported, with exploit code that is delivered via IIS or potentially any web site. It takes advantage of the Green Dam software as it interacts with Internet Explorer or other browsers. Think of the damage that can be done with a botnet or botnets with somewhere around 50 million systems! Another possible impact is the potential for other parties to monitor Internet activity, control, steal information from, or otherwise interrupt the majority of computers in a single country. The analysis by Scott Wolchok, Randy Yao, and J. Alex Halderman of the University of Michigan is available here. The exploit code certainly is not difficult to find.
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
From the mailbag: Sympatico hacked, TCP dead, SHA-1 out, Belarus DoS
In other news this week...
Sympatico may have been hacked, TCP might be dead, SHA-1 may be on its way out, and political hacktivism.
A major ISP in Canada, Sympatico, appears to have had a breach of their web site, according to Websense; malicious code appeared to have been inserted briefly. More info is here: http://securitylabs.websense.com/content/Alerts/3416.aspx
A major issue with the TCP protocol implementation may lead to Denial of Service (DoS) against virtually any web site. It was reported in Phrack issue 66.
The SHA-1 hashing algorithm is showing its age; researchers may be on their way to creating practical collisions. The paper is found here: http://eprint.iacr.org/2009/259.pdf
Arbor reports that Denial of Service attacks have been ongoing against a Belarus news site. The article is here: http://asert.arbornetworks.com/2009/06/ddos-floods-in-belarus-political-motivations/
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
DTV Flag Day
Today is transition day for digital television in the United States. This reminds me of "flag day" many years ago on January 1, 1983, the day when the ARPANET changed from NCP to the TCP/IP protocol suite. It wasn't the happiest day for many, but if we had not gone through that transition then there would be multiple protocols and many incompatible networks today. OK, maybe somewhere along the way we'd have done the conversion to TCP/IP, but the longer we waited, the harder it would have been to do. So while moving to DTV may be painful, at least it's being done, and we can soon take advantage of the new frequencies for things like wireless broadband and improved features available to over-the-air digital TV broadcasts.
Marcus H. Sachs
Director, SANS Internet Storm Center