Google drops three OS X 0days on Apple

Don't look now, but Google's Project Zero vulnerability research program may have dropped more zero-day vulnerabilities—this time on Apple's OS X platform.

In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What's more, the first vulnerability, the one involving the "networkd 'effective_audit_token' XPC," may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn't make this explicit and Apple doesn't publicly discuss security matters with reporters.

Still, the exploits could be combined with a separate attack to elevate lower-level privileges and gain control over vulnerable Macs. And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities. The security flaws were privately reported to Apple on October 20, October 21, and October 23, 2014. All three advisories appear to have been published after the expiration of the 90-day grace period Project Zero gives developers before making reports public.

Read 1 remaining paragraphs | Comments

Internet attack could shut down US gasoline stations

A device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel, according to research to be published on Thursday.

The security weakness—identified by Jack Chadowitz, a former process control engineer and founder of control-system monitoring service BostonBase—could theoretically affect the devices at many of the approximately 115,000 fueling stations in the United States, but only a small fraction of those systems—about 5,300—appear to be vulnerable to an Internet attack, according to security firm Rapid7, which conducted a scan for such devices on January 10. While automated tank gauges are typically accessed to monitor fuel inventories, so as to know when to order gasoline, attackers could also access the settings, Chadowitz said.

“One could change the calibration and make the tank report full or empty,” he told Ars. “If you report the tank is full, no one is going to order fuel.”

Read 10 remaining paragraphs | Comments

The Upgrade From Joomla 2.5 to 3.x Often Isn’t A One-Click Update

With support for Joomla 2.5 having concluded at the end of December more people are trying to upgrade to Joomla 3.x. With that more people are also realizing that the process isn’t quite as easy it might sound in many cases. While the Joomla documentation describes the upgrade type as “One-click to 3.x“, a number of issues can make the process more complicated. Before we get in to those issues, let’s get to the best piece advice we can provide after having done numerous upgrades from Joomla 2.5 to 3.0.x-3.3.x for clients over several years: make a copy of the website and test the upgrade on it first. This allows you to work through any issues that come up before you upgrade your production website, which makes the process easier and less stressful.

In most cases this is most easily accomplished by creating a copy the website in a new directory on the website, which you can then you would access by adding the directories  name to your websites address (for example if you website was www.example.com and the new directory was “joomla3″ then the copy would be accessible at http://www.example.com/joomla3/). You can do that through the following steps:

  1. Make a copy of your websites file and put them in the new directory on the website.
  2. Create new database and import the contents of your production websites database in to that.
  3. Update your configuration.php with the credentials for the new database and if you have the $live_site variable set, update that as well.

With that running you can then move on to doing the upgrade in that.

Extension Problems

The biggest problems when upgrading from Joomla 2.5 to 3.x comes from extensions. In the worst case a problem with an extension can cause the upgrade to fail and the website to completely be broken. This issue unfortunately is all too common occurrence and it is big part of why we suggest doing the test of the upgrade first as restoring the website after a failed upgrade is not something you want to have to do if you don’t absolutely have to. With a test copy you can just remove the broken test copy, make a new copy, and then retry the upgrade, this time making changes to make sure the extension that caused the problem does not cause the problem again by disabling it or removing it first.

While making sure that you have all of the extensions up to date and removing any that are not listed as being compatible with 3.x before the upgrade starts can help to limit problems with extensions it won’t handle everything. In one case an extension had been removed some time in the past but a plugin that was part of got left behind, the plugin then caused the Joomla search functionality to be broken in the newer version.

For some more complicated extensions you need to do multiple upgrades of the extension, some before and after the upgrade of Joomla from 2.5, which is also something you want test before doing on the production website.

Extensions Not Compatible With Your Version of 3.x

Another problem we have found is that just because an extension is listed as being compatible with Joomla 3.x, that doesn’t mean that it will work in the latest version of 3.x. For example in one case during an upgrade we dealt with an extension that was not functioning properly and traced the issue to something caused by a change in JavaScript libraries made in Joomla 3.2.x. Unfortunately the Extension Directory only lists if an extension is compatible with 3.x, so for extensions that haven’t been updated in a while you won’t know for sure if it is going to work properly until actually are trying to use it with the new version of Joomla.

Template Changes

We often find that existing templates require some minor tweaks to keep their existing styling when running on Joomla 3.x. That is much easy to do if you can see the way it looks in Joomla 2.5 while making the changes.

In small number of cases there have been more serious problems due to coding in the templates that causes broken pages to be shown when running in Joomla 3.x. It is much better to find and fix this in the test copy then having trying to fix it while customers are trying to access it.

As 0days get meaner, Google defenses increasingly outpace Microsoft

It's the type of bug that could have visited a world of hurt on a sizable number of people using Google Apps to manage business e-mail and calendars. A cross-site scripting (XSS) flaw in https://admin.google.com/ made it possible for attackers to force Google Apps admins to execute just about any request on that subdomain. Forced actions included creating new users with "super admin" rights, removing two-factor authentication and other security controls from existing accounts and modifying domain settings so e-mail is redirected to addresses controlled by the attacker.

But instead of causing disaster for businesses using Google Apps or generating headlines of an alarming new zero-day vulnerability, the bug was privately reported to Google on September 1 and fixed 17 days later. In exchange for the report, Google paid application security engineer Brett Buerhaus $5,000.

The speed and lack of fuss contrasts sharply with vulnerability travails that have recently visited Microsoft. Twice this month, the software company has been shamed when Project Zero, the vulnerability research team sponsored by Google, has publicly reported unfixed bugs that threaten the security of Windows users.

Read 4 remaining paragraphs | Comments