Attachments of Mass Destruction | TechSNAP 163
Posted on: May 22, 2014

Microsoft and Adobe have a boatload of emergency fixes, the Replicant project finds a nasty backdoor in popular Android devices & the exploit that weaponizes your webcam is only one attachment away.
Plus a great big batch of your questions, and our answers. All that and much, much more!
— Show Notes: —
Microsoft and Adobe release flood of critical patches
- “Microsoft: eight bulletins, two critical – addressing 13 issues in Internet Explorer and Sharepoint Server, along with Windows, Office and its .NET Framework”
- The first critical bulletin, MS14-029 for Internet Explorer, is being disclosed for the first time today. Researchers on Google’s Security Team have already spotted limited instances of one of its vulnerabilities (CVE-2014-1815) being targeted, which means this should probably be No. 1 on users’ patching agendas.
- The batch of patches also includes a second critical security update for IE, MS14-021, that addresses a previously disclosed vulnerability in versions 6 through 11 of the browser.
- “Missing from the updates are patches for vulnerabilities dug up at March’s Pwn2Own hacking competition, including three IE vulnerabilities that bypassed sandboxes and compromised the underlying system”
- “In a blog entry yesterday the company pointed out that it has extended its requirement for consumer customers to update to 8.1 from today until June 10 but that after that date, like it promised, those who haven’t updated will not receive security updates.”
- “Adobe: released two updates today, fixing critical issues in Reader and Acrobat XI (11.0.06). Strung together the wrong way, they could cause a crash and potentially let an attacker take control of an affected system.”
- “Along with a surprise Flash issue. The Flash Player update involves version 13.0.0.206 of the software and earlier versions for Windows, Macintosh and Linux. The issues were not previously made clear in a security bulletin but address vulnerabilities discovered by Keen Team and other researchers that could result in arbitrary code execution and ultimately let an attacker take control of the affected system.”
- Adobe also released a minor security hotfix for Adobe Illustrator CS6 today, fixing a stack overflow vulnerability – something also marked critical by the company – that could lead to remote code execution.
Open Source Android fork Replicant finds and closes backdoor
- While working on Replicant, a fully free/libre version of Android, the Replicant developers discovered that the proprietary program running on the applications processor, which handles the communication protocol with the modem, actually implements a backdoor that lets the modem perform remote file I/O operations on the file system.
- This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone’s storage. On several phone models, this program runs with sufficient rights to access and modify the user’s personal data.
- Today’s phones come with two separate processors: one is a general-purpose applications processor that runs the main operating system, e.g. Android; the other, known as the modem, baseband, or radio, is in charge of communications with the mobile telephony network.
- These systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device. The spying can involve activating the device’s microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator’s network, making the backdoors nearly always accessible.
- A technical description of the issue, as well as the list of known affected devices is available at the Replicant wiki.
Heartbleed certificate regeneration done wrong in large number of cases
- Netcraft surveyed SSL certificates to see how sites had responded to Heartbleed
- There are 3 required steps to properly replace a possibly compromised SSL certificate:
  - Generate a new private key
  - Get a new certificate issued for the new key
  - Revoke the old certificate so it can no longer be used
- They found that 43% of certificates had been reissued
- However, only 20% of certificates had been revoked (meaning 23% replaced their certificate but did not revoke the old one, so an attacker holding the old private key can still use the old certificate to perform a man-in-the-middle attack)
- Worse, 7% of certificates had been reissued with the SAME private key, meaning that if the private key was stolen, the new certificate is compromised as well
- So in total, only 14% of sites had taken all three steps required to replace their possibly compromised certificates
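The three Netcraft checks above, as an added example (not Netcraft’s tooling and not from the show), using only Go’s standard library: a reissued certificate that still carries the old public key has the same SubjectPublicKeyInfo hash, and an old certificate is only out of play once its serial shows up as revoked. The self-signed test certificates and their serials are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// ReplacementStatus records the three checks Netcraft applied to each certificate.
type ReplacementStatus struct{ Reissued, NewKey, OldRevoked bool }
// Complete is true only when all three replacement steps were taken.
func (s ReplacementStatus) Complete() bool { return s.Reissued && s.NewKey && s.OldRevoked }

// SPKIFingerprint hashes the SubjectPublicKeyInfo; equal values mean the same key pair.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}
// AuditReplacement compares the old certificate with its replacement and looks the
// old serial up in a set of revoked serials (e.g. taken from the issuing CA's CRL).
func AuditReplacement(oldCert, newCert *x509.Certificate, revoked map[string]bool) ReplacementStatus {
	return ReplacementStatus{
		Reissued:   oldCert.SerialNumber.Cmp(newCert.SerialNumber) != 0,
		NewKey:     SPKIFingerprint(oldCert) != SPKIFingerprint(newCert),
		OldRevoked: revoked[oldCert.SerialNumber.String()],
	}
}

// Issue builds a constructed self-signed test certificate. A nil key generates a fresh
// P-256 key (step one done right); passing the old key reproduces the same-key mistake.
func Issue(key *ecdsa.PrivateKey, serial int64) (*ecdsa.PrivateKey, *x509.Certificate) {
	var err error
	if key == nil {
		if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			panic(err)
		}
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER straight from CreateCertificate always parses
	return key, cert
}
```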
Feedback:
Round Up:
- ‘Blackshades’ Trojan Users Had It Coming — Krebs on Security: 97 arrested, linked to malware used to capture nude pictures of Miss Teen USA
- Malware Hunting with Mark Russinovich; Troubleshooting with Mark Russinovich
- Another Internet Explorer Zero Day Surfaces
- How to properly use traceroute to troubleshoot the internet
- CVE-2014-1761 – Flaw in MS Office RTF parser allows attackers to execute arbitrary code, exploited in the wild since March 2014
- EXE2DOC tool turns any executable into a MS Word Doc exploit
- Emory Accidentally Sends Reformat Request to All Windows PCs
- Sailor hacked 30 public and private organizations, including the US Navy, the Department of Homeland Security, AT&T, and Harvard University while aboard aircraft carrier USS Harry S. Truman
- Why You Should Ditch Adobe Shockwave — Krebs on Security
- James Mickens at Monitorama 2014
- Who owns the media?
- Facebook and CMU design system to detect fake SSL certificates. Of 3.5 million SSL connections made to Facebook during a four-month period starting last December, the team determined that 6,845, or 0.2 percent, used a phony certificate.
- eBay compromised, forcing password reset on all accounts
- Do they mean “hashed” when they say “encrypted”?
- BSDCan: LibreSSL – the first 30 days – slides
- BSDCan: LibreSSL – the first 30 days – video