Mozilla released Firefox 3.52. today that patches two vulnerabilities related to how the browser uses SSL certificates.  Updating to this version via the auto update should protect against man-in-the-middle attacks that were discovered by Dan Kaminsky (Mr. DNS) and Moxie Marlinspike at last week’s Black Hat conference.

We recommend upgrading to Firefox 3.5.2 across the board to eliminate this vulnerability.

Tags: Black Hat, firefox, mozilla, Vulnerabilities

Author: Christopher

Tomorrow at 12pm EST Joanna Rutkowska and Loic Duflot are publishing a paper and actual exploit code that works against Intel cache mechanisms.  These attacks will allow privileged escalation in SMM (System Management Mode) space and capable of deploying a rootkit that can take complete control of the machine.   SMM space is out of reach of operating systems and this attack cannot be detected or protected with any current form of software anti-virus protection.  SMM space is available on all Intel CPUs from as far back as the Intel 386.

This exploit has been reported to Intel on numerous occasions over the last few years.  Loic reported it 3-4 months prior back in October and Intel’s own employees had made mentioned of it in documents as far back as 2005.  So far to date, Intel has not provided any resolution to this vulnerability and is this is the main reason behind Joanna and Loic going the full disclosure route.  Joanne mentions on her blog “If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later.”

Intel did alert CERT back in October when Loic reported his findings, this was tracked under Issue VU#127284.

You will find full details published at Joanna’s website Invisible Things Kernel Security Blog

Currently, there is no defense to this threat outside of using AMD or Virtualization, or is there Intel?

Tags: AMD, Black Hat, Exploit, hack, Hardware, Intel, Rootkit, SMM, Virtualization

Author: Christopher

As Dan Kaminsky recently demonstrated at the Black Hat conference in Las Vegas, the DNS security flaw presents a serious vulnerability.  In case there was previously any doubt, he showed just how dangerous to internal networks and the internet at large it is to run un-patched DNS servers.  Even with the patch, the exploit is still possible, just extremely difficult.

The vulnerabilities are not limited to the web, but affect every type of internet service and traffic, including IM, telnet, email, and usenet.  Every protocol uses DNS servers to locate and communicate with between servers and client computers.  Even HTTPS (web sites using SSL – Secure Sockets Layer) would be affected because the Certificate Authorities who authenticate the certificates rely on DNS.  Note that all major CAs have patched their DNS servers, but of course many sites use self-signed certificates.

Some services have already fallen prey to this exploit, with AT&T being the first publicized victim.  Actually, the victims were the people whose requests were directed to a bogus Google search site because of an un-patched AT&T DNS server.  Fortunately, the bogus site only hosted code to auto-click the adsense advertisements, creating extra revenue for the perpetrators.  It could have been worse, if for example the site had been created to infect visitors with drive-by infections or inducements to download crimeware.

The picture is not completely bleak.  Thanks in part to Kaminsky’s presentation, more organizations are taking the threat seriously and patching their servers.  Also, any SSH-based connections which had been made at least once prior to the exploit would warn users if new connection attempts were made to bogus sites, because of the way SSH keeps digital fingerprints of remote hosts.  So Secure Shell, sftp, scp, and SSH-based VPNs would at least warn users about the change in fingerprints, or deny the connection altogether, depending on the local configuration.

For anyone wishing to know whether or not the DNS server he or she is using has been patched, Dan has published an online DNS checker on his blog at http://www.doxpara.com/.

Tags: AT&T, Black Hat, DNS, Exploit, Information Security, Kaminsky, Vulnerability

Author: Christopher