XSS and Cookie Handling Vulnerabilities Identified on HTC Website, Allows Attacker to Hijack Account

16-year-old security researcher Thamatam Deepak has identified a number of three cross-site scripting (XSS) vulnerabilities and a cookie handling flaw on the website of world-renowned smartphone manufacturer HTC.

The expert said the vulnerabilities – which affected pages such as product security, account information, and smartphone presentation – have been addressed by HTC after he notified them, according to The Hacker News

If unfixed, the XSS vulnerabilities could have been leveraged by a remote attacker to inject arbitrary content, while the cookie handling flaw might have been exploited to hijack user accounts.

This isn’t the first time when security experts find XSS bugs on HTC’s website. Back in April, researcher Shadab Siddiqui identified similar flaws and reported them to the company.

However, at the time, they failed to respond to his notifications and the vulnerabilities remained unfixed for months.

Default Configuration Flaw in W3 Total Cache Exposes Tens of Thousands of Sites

W3 Total Cache, which boasts high-traffic sites like Mashable and Lockergnome among its users, has serious vulnerabilities, according to this post on the Full Disclosure list.

The default setup – that is, when users simply choose “add plugin” from the WordPress catalogue – left cache directory listings enabled, according to poster Jason Donenfield.

This, he said, allows database cache keys to be downloaded on vulnerable installations – and that could expose password hashes. “A simple google search of "inurl:wp-content/plugins/w3tc/dbcache" and maybe some other magic reveals this wasn't just an issue for me”, he writes.

Donenfield later amended the search term to “inurl:wp-content/w3tc”.

“Even with directory listings off,” he continues, “cache files are by default publicly downloadable, and the key values / file name of the database cache items are easily predictable.”

Donenfield says the developer of the plug-in intends to release a fix “soon”. In the meantime, he notes that “deny from all” should be set in the .htaccess file.

Unpatched Java Vulnerability Exploited – Macs Infected With Flashback Malware

A Java vulnerability that hasn't yet been patched by Apple is being exploited by cybercriminals to infect Mac computers with a new variant of the Flashback malware, according to security researchers from antivirus firm F-Secure.

Flashback is a computer Trojan horse for Mac OS that first appeared in September 2011. The first variant was distributed as a fake Flash Player installer, but the malware has been changed significantly since then, both in terms of functionality and distribution methods.

Back in February, several antivirus companies reported that a new Flashback version was being distributed through Java exploits, which meant that the infection process no longer required user interaction.

The Java vulnerabilities targeted by the February exploits dated back to 2009 and 2011, so users with up-to-date Java installations were protected.

However, that's no longer the case with the latest variant of the malware, Flashback.K, which is being distributed by exploiting an unpatched Java vulnerability, security researchers from F-Secure said in a blog post Monday.

Oracle released a fix for the targeted vulnerability, which is identified as CVE-2012-0507, back in February and it was included in an update for the Windows version of Java.

However, since Apple distributes a self-compiled version of Java for Macs, it ports Oracle's patches to it according to its own schedule, which can be months behind the one for Java on Windows.

Security experts have long warned that this delay in delivering Java patches on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms that they were right.

After being dropped and executed on the system via the CVE-2012-0507 exploit, the new Trojan horse prompts a dialog window that asks the user for their administrative password.

Regardless of whether the user inputs the password or not, the malware still infects the system, F-Secure said in its description of the malware. The Trojan's purpose is to inject itself into the Safari process and modify the contents of certain Web pages.

There are rumors that a new exploit for a different unpatched Java vulnerability is currently being sold on the underground market and could be used to target Mac users in a similar way in the future, the F-Secure researchers said.

"If you haven't already disabled your Java client, please do so before this thing really become an outbreak," they said. The antivirus company provides instructions on how to do this.

Apple stopped including Java by default in Mac OS X starting with version 10.7 (Lion). However, if Lion users encounter a Web page that requires Java, they are prompted to download and install the runtime and might later forget that they have it on their computers.

Android Bug Allows Hackers to Install Malicious Code Without Warning

It's been more than a month since researchers reported two serious security vulnerabilities in Android, but so far there's no indication when they will be purged from the Google-spawned operating system that's the world's most popular smartphone platform.

The first flaw allows apps to be installed without prompting users for permission. The permission-escalation vulnerability permits attackers to surreptitiously install malware in much the way a proof-of-concept exploit researcher Jon Oberheide published last year did. In that case, an app he planted in the Android Market and disguised as an expansion pack for the Angry Birds game secretly installed three additional apps that without warning monitored a phone's contacts, location information and text messages so data could transmitted to a remote server.

“The Android Market ecosystem continues to be a ripe area for bugs,” Oberheide wrote in an email. “There are some complex interactions between the device and Google's Market servers which has only been made more complex and dangerous by the Android Web Market.”

The second bug resides in the Linux kernel where Android originates and makes it possible for installed apps with limited privileges to gain full control over the device. The vulnerability is contained in code device manufacturer have put into some of Android's most popular handsets, including the Nexus S. The bug undermines the security model Google developers created to contain the damage any one application can do to the overall phone.

Oberheide and fellow researcher Zach Lanier plan to speak more about the vulnerabilities at a two-day training course at the SOURCE conference in Barcelona in November. In the meantime, they put together a brief video showing their exploits in action.



One of the hopes for Android a few years back was that it would be a viable alternative to Apple's iOS, both in terms of features and security. With the passage of time, the error of that view is becoming harder to ignore. And if i'm not wrong, Google developers have updated Android just 16 times since the OS debuted in September 2008. The number of iOS updates over the same period is 29.

It's a far cry from the approach Google takes with its Chrome browser, which is updated frequently, and has been known to release fixes for the Flash Player before they're even released by Adobe.

Even more telling, when a new version of iOS is released, it's available almost immediately to any iPhone user with the hardware to support the upgrade. Android users, by contrast, often wait years for their phone carriers to supply updates that fix code execution vulnerabilities and other serious flaws.

Owners of the Motorola Droid, for instance, are stuck running Android 2.2.2 even though that version was released in May 2010 and contains a variety of known bugs that allow attackers to steal confidential data and remotely execute code on handsets the run the outdated version.

Oberheide has more here.

21 reasons to uninstall Java by Oracle

Oracle this week pushed an updated version of its Java runtime environment that fixes 21 security vulnerabilities, 19 of which allow attackers to remotely install malicious software on end-user machines.

The company recommends users install Java 6 Update 24 as soon as possible, but before readers follow though, allow us to offer this modest proposal: Try uninstalling Java altogether. This will dramatically shrink the attack surface of your machine, and unless you use a handful of specific applications, you'll never notice the difference.

Once upon a time, Java, with its mantra of write once, run anywhere, was the white knight that was going to save the mankind from the predatory clutches of Microsoft Windows. It never quite worked out that way – at least on the desktop – but the prospect was enough to “scare the hell” out of Bill Gates (your reporter's byline used to accompany that CNET exclusive but it was removed years ago for reasons that are unknown).

Despite the hype about Java's superior security model, the framework by some accounts has surpassed Adobe applications as the most exploited software package, with millions of attacks logged each quarter. While the vast majority of the affected platforms are Windows, attacks, albeit lame ones for now, are beginning to target Mac OS X and . And given Steve Jobs' insistence of thinking differently, Apple doesn't typically release Java security updates until months after they come out of Oracle.

Even Java attacks against Linux are now being seen.

We won't spend much time complaining about Oracle's legal broadside on the Android operating system, but that's another reason you may want to avoid Java.

So go ahead, give it a try and uninstall Java completely. You can always reinstall it if you need to, although as we've already said, if you're like most people, there's little chance you'll need to.

Bootnote

No, OpenOffice does not require Java. Per the official OpenOffice Wiki, Java is required merely to complete OpenOffice. Most OpenOffice functions work just fine on machines that don't have Java installed.

IE, Windows server bugs is likely to be exploited soon

Microsoft has released 13 updates that patch security holes in a wide range of its software offerings, including vulnerabilities rated critical in its Internet Explorer browser and Windows server operating systems.

The bugs in IE make it possible for attackers to remotely execute malicious code when an end user does nothing more than visit a booby-trapped website. Although there's no evidence the vulnerabilities are being exploited in the wild now, members of Microsoft's security team said there was a high likelihood reliable exploit code would be developed by real-world attackers in the next 30 days.

The vulnerabilities affect all supported versions of the Microsoft browser, including versions 8 and 9, which were rebuilt from scratch to minimize the damage that can be done when hackers identify vulnerabilities.

The second critical update covers all versions of Windows Server 2003 and Windows Server 2008, including the most recent R2 iteration, which is regarded as one of Microsoft's most secure server operations systems ever. By setting up a malicious DNS server and getting a vulnerable system to query it from inside the victim's network, an attacker can take complete control of the underlying machine.

According to Microsoft's exploitability index for August, attackers aren't likely to exploit the DNS flaw in the next month.

The remaining 11 patches carry the lower-level ratings of important and moderate and affected products including Windows, Office, .Net, and Visual Studio. Vulnerable components include the Remote Desktop Web Access Login, Microsoft Chart Web Control, and the Report Viewer Web control. The vulnerabilities enable attacks involving information theft and and denial of service outages.

Roundups of this month's Patch Tuesday offerings from Microsoft and SANS are here and here. Commentary from Kaspersky Lab and Qualys is here and here.