Patch Tuesday patches FREAK, Universal XSS

Today's bumper crop of updates for Windows and other Microsoft products doesn't just fix a new version of the Stuxnet shortcut attack. It also provides fixes to two serious flaws, one in the operating system's handling of secure connections and the other in Internet Explorer.

First up is a fix for the FREAK attack that lets miscreants trick software into using crackable encryption. Windows was initially believed to be immune to the attack, but a couple of days after it was publicized, Microsoft announced that its software was vulnerable, though the company did not explain what it had learned or why Windows was initially believed to be safe.

Today the company issued a patch for SChannel, the Windows component that's responsible for handling the details of SSL and TLS connections. This sheds a little light on why Windows might have been overlooked at first; it suggests that Windows can be tricked into using weak encryption even after agreeing to use strong encryption. The update fixes the hole and, accordingly, software that uses SChannel. This category includes Internet Explorer and most built-in Windows features, but it excludes Chrome and Firefox, which have their own SSL and TLS code.

Read 2 remaining paragraphs | Comments

SiteLock Still Failing To Do Basic Security Check

Back in September we looked at the fact that a website we were doing an upgrade of Magento on had a security seal from SiteLock claiming that the website was secure, despite the fact that it wasn’t since the website was running outdated software with known security issues. Fast forward six months and SiteLock is still labeling websites as secure when they are running outdated and insecure software.

Today’s case involves a website that we are doing an upgrade from Zen Cart 1.3.8a. That version is nearly five years out of date and there have been numerous releases with security improvements since then (due to its age, it isn’t clear exactly how many of those fix issues that existed in 1.3.8a). Despite that the website is labeled as being secure by SiteLock:

Sitelock Security Seal

Not only does falsely claiming the website is secure mislead those visiting the website, but it also gives webmaster a false sense of security, which a security service shouldn’t do.

If SiteLock was actually interested in security it would quite easy for them to make sure the software on websites is up to date. Our Zen Cart Version Check extension for chrome is able to correctly detect the version in use from outside the website in this case:

Zen Cart Version Check

With access to the website’s file, as Sitelock does, it is even easier to do and more accurate. For Zen Cart the version number is listed in the file /includes/version.php, so all you would need to do is to check files matching that for the following lines and you would know whether an outdated version of Zen Cart is in use:

define(‘PROJECT_VERSION_NAME’, ‘Zen Cart’);
define(‘PROJECT_VERSION_MAJOR’, ‘1’);
define(‘PROJECT_VERSION_MINOR’, ‘3.8a’);

Patched Windows PC remained vulnerable to Stuxnet USB exploits since 2010

In August 2010, Microsoft patched a previously unknown USB vulnerability that state-sponsored attackers had secretly exploited for years, first to infect targets of the "omnipotent" Equation Group and shortly thereafter to spread the virulent Stuxnet worm inside Iranian nuclear facilities. Now, almost five years later, security researchers have warned that the patch designated as MS10-046 failed to fully repair the weakness and that Windows PCs have remained susceptible to similar attacks the entire time. On Tuesday, the software maker released MS-15-020, a patch it says fixes the vulnerability.

As has been extensively documented since July 2010, the vulnerability has been repeatedly exploited in the wild since at least 2008 to surreptitiously infect PCs, even when they weren't connected to the Internet, as was the case with computers inside Iran's Natanz uranium enrichment facility infected by Stuxnet. Besides Stuxnet creators, at least one other group with ties to the NSA has been known to have exploited the so-called .LNK vulnerability: the highly advanced Equation Group hackers. While the exploits developed by those highly advanced state-sponsored attackers would no longer work on a PC that received the MS10-046 patch, there's no way to know if these hacking groups revised their exploits to work around the update. It's also unknown if other groups discovered and exploited the vulnerability.

"Whether this is being used in the wild over time remains to be seen," said Brian Gorenc, the lead researcher with HP's Zero Day Initiative, which first reported the vulnerability to Microsoft. "It's hard to believe that somebody didn't know about this bug prior to it being patched today."

Read 7 remaining paragraphs | Comments