Twitter still vulnerable to cross site scripting attacks

August 27th, 2009 2 Comments »

James Slater found a cross-site scripting (XSS) vulnerability on Twitter.com which Twitter claims is now fixed. According to James, it is not fixed. The vulnerability allows malicious JavaScript to be embedded in user tweets, which can result in user accounts being compromised and their owners losing control of them.

The vulnerability comes down to Twitter’s application programming interface (API), which allows developers to interface with Twitter through their own software. Popular clients such as Twhirl, TweetDeck, and HootSuite use this API to create and read posts on behalf of the user. The API does not filter the URL of the application posting through it, allowing malicious JavaScript to be sent along with the URL.

This threat is almost impossible for the average user to protect against, as merely viewing the tweet is enough to have your account taken over. Twitter’s response to this vulnerability was to filter out space characters from the application’s address field, but this only makes the attack slightly more difficult.
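To make the point concrete, here is an added example (not Twitter’s code) showing why stripping spaces from a client’s application URL is not a fix: only a scheme allowlist plus HTML attribute escaping stops an injected URL from turning into script. The function names and sample inputs are constructed for illustration.

```python
# Added example, not Twitter's code: two ways of rendering the "posted via"
# application link that accompanies a tweet. Inputs below are constructed.
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def render_source_weak(url: str) -> str:
    """Blacklist-style fix: strip spaces, then interpolate the raw string.
    Still unsafe: scheme, quotes and angle brackets are never checked."""
    return '<a href="%s">source</a>' % url.replace(" ", "")


def validate_source_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that name a host (allowlist)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.hostname)


def render_source_safe(url: str) -> str:
    """Allowlist the scheme, then HTML-escape before use in an attribute.
    A URL that fails validation is dropped rather than rendered as a link."""
    if not validate_source_url(url):
        return "<span>source</span>"
    return '<a href="%s">source</a>' % html.escape(url.strip(), quote=True)


if __name__ == "__main__":
    # Constructed inputs: a benign client URL, a script-scheme URL, an
    # attribute break-out, and a valid host carrying HTML metacharacters.
    samples = [
        "http://example.com/client",
        "javascript:void(0)",
        '"><script>x</script>',
        'http://evil.example/"><script>',
    ]
    for s in samples:
        print("weak:", render_source_weak(s))
        print("safe:", render_source_safe(s))
```

The last sample shows that the allowlist alone is not enough: the URL is legitimately http://, so attribute escaping is what keeps the markup intact.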

More information about this vulnerability can be found on David Naylor’s site. David Naylor is a well-known search marketing consultant who broke the news to Twitter.


Author: Christopher


WordPress Update 2.8.4

August 11th, 2009 No Comments »

Another update to the open-source WordPress blogging platform has been released. This update is primarily a security update for a password reset flaw that was introduced with version 2.8.3. It is recommended that all WordPress blog admins update to 2.8.4 immediately. If you do not use Subversion to manage your updates, we highly recommend you look into it, as it can dramatically speed up and simplify the process of updating your blog(s).

This flaw can compromise WordPress and WordPress MU installations using a simple browser-based exploit. The problem is best explained by Swa Frantzen at the SANS Internet Storm Center:

Wordpress unauthenticated administrator password reset


Author: Christopher


Twitter Fail Whale Back!

August 6th, 2009 No Comments »

Twitter has been down since 6am PST. They changed the IP of their website, and it has been confirmed that this is an ongoing Distributed Denial of Service (DDoS) attack. Twitter has partially recovered, but I haven’t been able to send a tweet all day, so I suspect many people are still having similar problems. Twitter has had ongoing performance problems during its amazing growth, as I have noticed over the year or so I have been using the service myself, although back in 2007 Twitter confirmed its ability to scale with the number of users joining on a daily basis.

DDoS attacks such as this one are extremely difficult to protect against, and doing so is a very expensive process that typically isn’t affordable to anyone but larger businesses. In the end you typically need more network bandwidth than the sum of all incoming attack traffic plus your normal bandwidth requirements. With residential services offering 5-50Mbit connections for $50 and less, it is easy to saturate even the largest networks. Although DDoS is very effective, it is very targeted and is the second most expensive cyber-crime (according to the FBI). Because of this, you will not see DDoS used on a global level, and it is generally something most businesses won’t experience.


Author: Christopher


Firefox patches SSL vulnerabilities

August 4th, 2009 No Comments »

Mozilla released Firefox 3.5.2 today, which patches two vulnerabilities related to how the browser uses SSL certificates. Updating to this version via the auto-update should protect against the man-in-the-middle attacks that were discovered by Dan Kaminsky (Mr. DNS) and Moxie Marlinspike and presented at last week’s Black Hat conference.

We recommend upgrading to Firefox 3.5.2 across the board to eliminate this vulnerability.


Author: Christopher


Adobe patches more bugs

August 2nd, 2009 No Comments »

Last Thursday Adobe patched 12 bugs in its Flash Player, three of which originated in Microsoft code. For at least a week, attackers have been exploiting at least one of these vulnerabilities. You can find the full details in the security bulletin on Adobe’s website under Security Advisories.

The bulletin describes ten vulnerabilities that could lead to compromised systems by allowing attackers to execute their own code. Windows, Mac, and Linux were addressed in this patch, although the Solaris fix is still set for a future update.

On July 10th, two weeks prior to the public announcement, Microsoft notified Adobe about vulnerabilities in Microsoft’s ATL (Active Template Library). Microsoft’s security team had been investigating the ATL for flaws since early 2008. “[Microsoft] was moving very fast to pull resources together to help us do triage on our products,” said Brad Arkin, Adobe’s director for product security and privacy.

“The hard part was determining what was vulnerable,” said Brad. “It’s easy to rebuild a test version, but then we had to make sure [that] works and make sure we didn’t break it.”

Patched versions of the Flash Player for Windows, Mac and Linux can be downloaded from Adobe’s Web site. Users can also use Flash’s built-in automatic update mechanism to grab the new versions.

It is a step in the right direction to see Adobe take vulnerabilities in their products more seriously and address these issues in a timely fashion.


Author: Christopher
