
This week we’ll tell you the story about Agent Double 0-Java, the exploit with a license to kill. Plus Google’s creative solution to securing user content.
Then it’s a big batch of your questions, and our answers.
All that and much more, in this week’s TechSNAP.
Show Notes:
Java 0-day exploit in the wild
- Two critical vulnerabilities in Java 7 are being combined to create a 0-day exploit that can compromise all major browsers (Firefox, Chrome, Safari, Opera, IE)
- The vulnerability can be exploited in a ‘drive-by’ fashion, meaning it does not require any interaction from the user
- This means that attackers could purchase advertising on legitimate sites and inject the exploit code into the adverts
- This exploit will likely also be heavily used on compromised websites (like Bryan’s wordpress blog)
- Java 6 is not susceptible to this exploit, but contains a number of older unpatched vulnerabilities, and should not be used
- Oracle reportedly knew of critical Java bugs under attack for 4 months
- The two vulnerabilities were reported to Oracle in April, along with a total of 29 other flaws
- Security Explorations furnished the bug reports, with working Proof of Concept code to Oracle
- Oracle patched 3 of the issues in the Jun 12 2012 Java Critical Patch Update, issues 10, 13 and 21. There was also some mitigation in the code that broke the original PoC exploit of issue 26
- According to a status report received by Security Explorations from Oracle on August 23rd, Oracle was planning to fix the two vulnerabilities in its October Critical Patch Update (CPU), along with 17 of the other Java 7 flaws reported
- Adam Gowdiak, CEO of Security Explorations, remarks that the exploit in the wild combines the 2 vulnerabilities in an entirely different way than their proof of concept furnished to Oracle
- Owing to the difference in implementation, Security Explorations assumes that someone else independently discovered the same exploit, rather than discovering it via some leak in the vulnerability report handling process
- Gowdiak adds: “We don’t know with whom and in what form or detail Oracle is sharing vulnerability information.”
- A 3rd party patch for the vulnerability has been developed, but is only available from the author to IT Administrators, and is not designed for end users
- Additional Coverage
- Java 7 Update 7 has been released to resolve this exploit
Google publishes important information about hosting user generated content
- Google loads all user generated content from an isolated domain, googleusercontent.com
- Google uses subdomains to separate different bits of UGC
- One of the reasons for this is attacks such as GIFAR, in which an attacker takes a valid .gif file and concatenates a Java exploit .jar onto the end of it (a .jar is just a zip file containing the compiled code, and zip readers locate the archive from the end of the file, so the result is both a valid GIF and a valid archive)
- The attacker can then embed on their own site an HTML applet tag with a src pointing at the image on a Google domain (such as Picasa)
- By shifting the content from official google.com domains to googleusercontent.com, the browser’s ‘same origin’ policy should prevent malicious UGC from accessing the user’s google.com authentication cookie
- Google goes on to detail their solutions for content that requires authentication (private documents, google apps for enterprise), where not being able to access the google authentication cookie would pose a problem
- Google uses a number of solutions (temporary cookies on googleusercontent.com, URL-passed authorization tokens, URLs bound to a specific user) to trade off usability against the risk of accidental disclosure (if access to a private image is controlled by a URL parameter, what happens when the user copies the link to the picture and pastes it elsewhere?)
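The GIFAR bullet above describes the file-format trick that domain isolation is defending against. As an added example (not from the show and not Google's code), here is a Python check an upload service could run to flag a file that passes a naive GIF magic-byte check yet is also a readable zip archive. The samples it builds are constructed for the test: a 1x1 GIF and a zip holding a plain text file, not a Java archive.

```python
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")


def looks_like_gif(data: bytes) -> bool:
    """Naive magic-byte check of the kind an upload filter typically performs.
    A GIF+zip polyglot passes this check, which is the whole problem."""
    return data[:6] in GIF_MAGICS


def contains_zip_archive(data: bytes) -> bool:
    """True if a zip reader would accept the blob. zipfile looks for the
    End Of Central Directory record from the tail of the file, so a GIF
    prefix does not stop it from finding the archive."""
    return zipfile.is_zipfile(io.BytesIO(data))


def archive_members(data: bytes) -> list:
    """Names stored in the embedded archive (empty if there is none)."""
    if not contains_zip_archive(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def classify_upload(data: bytes) -> str:
    """Reject-or-accept decision for an image upload endpoint: anything that is
    both an image and an archive is treated as a polyglot, never as an image."""
    is_gif = looks_like_gif(data)
    is_zip = contains_zip_archive(data)
    if is_gif and is_zip:
        return "gif+zip polyglot"
    if is_gif:
        return "gif"
    if is_zip:
        return "zip"
    return "unknown"


def build_constructed_samples() -> dict:
    """Constructed test inputs (not real-world files): a minimal 1x1 GIF, a
    harmless zip containing one text file, and the two concatenated."""
    gif = (
        b"GIF89a"                      # header
        + b"\x01\x00\x01\x00\x80\x00\x00"  # 1x1 screen, global colour table of 2
        + b"\x00\x00\x00\xff\xff\xff"  # colour table: black, white
        + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
        + b"\x02\x02\x44\x01\x00"      # LZW min code size 2, one data sub-block
        + b"\x3b"                      # trailer
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed sample, not a Java archive")
    archive = buf.getvalue()
    return {"gif": gif, "zip": archive, "polyglot": gif + archive}


if __name__ == "__main__":
    for name, blob in build_constructed_samples().items():
        print(f"{name:9s} -> {classify_upload(blob):18s} members={archive_members(blob)}")
```

The point the check makes is that validating the head of a file says nothing about its tail: the polyglot sample is accepted by both the GIF check and the zip reader, and the zip reader even lists the member file. Serving such uploads from a separate origin, as the notes describe, limits what the embedded archive can reach even when a filter misses it.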
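For the authenticated-content trade-off in the last bullet, the following is an added Python sketch (not Google's implementation; the content host name, signing key and query parameter names are assumptions) of a URL that is bound to a specific user and to an expiry time with an HMAC. The requesting user's identity on the content host is assumed to come from a short-lived cookie set on that isolated domain, which is one of the mechanisms the notes list.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed server-side secret and host; both are placeholders for the example.
SIGNING_KEY = b"constructed-secret-key-not-for-production"
CONTENT_HOST = "https://example-usercontent.invalid"  # stand-in for an isolated UGC origin


def _mac(path: str, user_id: str, expires: int) -> str:
    """MAC over the path, the user the link is bound to, and the expiry, so that
    none of the three can be altered without invalidating the signature."""
    msg = f"{path}\n{user_id}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def mint_url(path: str, user_id: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Main-site side: issue a link to private content for one user, valid for ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"uid": user_id, "exp": expires, "sig": _mac(path, user_id, expires)})
    return f"{CONTENT_HOST}{path}?{query}"


def authorize(url: str, requesting_user: str, now: Optional[int] = None) -> bool:
    """Content-host side: the token must be unexpired, unmodified, and presented
    by the same user it was minted for (identity from the content domain's own
    short-lived cookie, assumed here)."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        uid, exp, sig = q["uid"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= exp:
        return False
    if not hmac.compare_digest(sig, _mac(parsed.path, uid, exp)):
        return False
    # Binding to a user is what defeats the "copied the link somewhere else" case.
    return hmac.compare_digest(uid, requesting_user)


if __name__ == "__main__":
    link = mint_url("/private/photo123.jpg", "alice", ttl_seconds=300, now=1_000_000)
    print(link)
    print("owner, in time :", authorize(link, "alice", now=1_000_100))
    print("copied by other:", authorize(link, "bob", now=1_000_100))
    print("owner, expired :", authorize(link, "alice", now=1_000_300))
```

The expiry alone already limits how long a pasted link stays useful; adding the user binding means a copied link is worthless to anyone else even before it expires, at the usability cost that the content host must be able to recognise the user, which is exactly the cookie-on-the-isolated-domain problem the notes describe.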
Feedback:
- Tool for provisioning new servers
FreeBSD’s install can be scripted in a few different ways; the easiest is likely to start from the 225-line shell script that is the current FreeBSD installer:
/usr/src/usr.sbin/bsdinstall/scripts/auto
Set a few environment variables and remove the dialogs, and you’ll have a fully automated install tuned just the way you like; then PXE boot it, or make your own CD
There are also some nice tutorials out there:
Scripting a FreeBSD 9.x Install
HOWTO: Modern FreeBSD Install RELOADED
I generally do not script the installs of my BSD boxes; it takes only 5–10 minutes to do the install, and since each machine tends to have a different disk layout, it wouldn’t save much time
Also, many of my servers are in foreign data centers, and they do the FreeBSD install for me, then just provide me with my SSH credentials. (Although a great many now provide IPMI/KVMoIP and allow me to install the OS myself)
- Thoughts on OpenID
OpenID moves the trust from a number of separate sites to a single site, your ‘identity provider’
This is likely more secure, since OpenID providers are built on strong practices, but it also concentrates the risk: the provider becomes a more tempting target, and compromising it compromises every site you log in to with it
The advantage is that you can be your own OpenID provider, and then you only have to trust yourself
- Daniel writes in with a note that he uses Puppet to manage over 2000 nodes from a pair of redundant Puppetmasters running via Apache/mod_passenger without issue.
- Shlomi writes in with a question about moving an LVM to ZFS.
Your best bet is to do something like I did when I moved from a number of separate UFS drives to a ZFS array (note: there is some performance penalty for doing it this way, more on that below)
Use these instructions to remove one of the disks from your LVM volume (the biggest one you have enough free space to remove).
Now create your ZFS pool, and add this now empty disk
Start filling the ZFS pool from the LVM until you have enough free space in the LVM to remove another disk, then add that disk to the ZFS pool
Repeat as necessary
ZFS will do write-biasing to try to ensure the drives reach ‘full’ at the same rate, so the emptier drives will receive a higher portion of the new writes. If you can create the pool from scratch, you will get better write performance, since all disks will be used to their maximum bandwidth
ZFS had a planned feature called ‘block pointer rewriting’ that would allow for re-balancing the disk space across devices and for defragmenting files (fragmentation gets excessive due to copy-on-write)
Personally, I am going to build a fresh array with 4x3TB disks in RAID Z1, and then recycle my 1.5TB disks for other purposes
- I want to hear more about Scale Engine and what it does and some of the services. How about a segment on just Scale
We provide a few main services:
- Origin Web Cluster – Accelerated PHP/MySQL platform (hosts JB’s site and forums)
- Edge Side Cache – an extremely fast memory-backed, geographically distributed MRU cache. Stores frequently accessed content in memory close to the users for the fastest delivery. Great for images, CSS and JavaScript, but can also cache entire pages (hosts JB’s images, CSS and JS)
- Content Distribution Network – Disk-backed, geographically distributed MFU cache; stores static content close to the user for faster delivery. Works great for static content, especially larger content like audio and video podcasts (hosts JB episode downloads)
- Video Streaming Network – Hosting Live, On-Demand, Pay-Per-View and Fake-Live video streaming. Provides multi-bitrate streaming to ‘any screen’ via RTMP (Flash), HLS (iOS, Safari, Android, Roku, VLC), or RTSP (Android, Blackberry, QuickTime, VLC). ScaleEngine’s SEVU API allows extensive content control for Geo-Blocking and Pay-Per-View/Subscription based viewing (hosts JB’s live stream)
Have some fun:
What I wish the new hires “knew”
Round-Up:
- ‘Lulzsec hacker’ latest to be arrested in US
- Researchers at the Usenix Security conference have demonstrated a zero-day vulnerability in your brain: by attaching a $200 EEG to your head, they can extract your bank card PIN
- Windows 8 Tells Microsoft About Everything You Install, Not Very Securely | Nadim Kobeissi
- VMware Joins OpenStack, Embraces Its ‘Ugly Sister’
- Want a Windows 8 Start Button? Open source to the rescue!
- FreeBSD Struggles To Gain UEFI Boot Support
- Dropbox finally adds 2 factor authentication
- Top-Level Universal XSS
- Team GhostShell posts database and information dumps from a number of sites, totalling over 1 million records; a number of the dumps contain usernames, passwords, email addresses and phone numbers