Tue, May 03, 2016 11:18 pm

ImageMagick Vulnerability

ImageMagick is a free and open-source software suite widely used on Linux systems for displaying, converting and editing images. It is also available for many other platforms, including Apple's OS X and iOS operating systems and Microsoft Windows. A code execution bug was recently found in the software by Nikolay Ermishkin. Another security researcher, Ryan Huber, reports that the bug would allow a malefactor to create a malformed image file that, when uploaded to a web server that processes images with ImageMagick, e.g., to resize an image uploaded by a website visitor, can cause the server to execute code embedded in the image by the malefactor. Huber stated that the exploit is trivial to implement, so one should expect that many malicious individuals will soon attempt to exploit the vulnerability to compromise websites. If such individuals can compromise a website, they may then be able to place code on it that could infect unsuspecting visitors with other malicious software.

Huber advised website owners using ImageMagick for image processing on their sites to check the magic number in uploaded image files to verify that an uploaded file really is an image file. Wikipedia provides a list of common magic numbers at List of file signatures. One reason for ImageMagick's popularity is the large number of file formats it supports, over 200 in all. You can find a list of the supported file formats at ImageMagick: Formats. If you have ImageMagick installed, you can check which formats it supports on that system by issuing the command identify -list format.
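The magic-number check Huber recommends, as an added example that is not part of the original post or of ImageMagick itself: it sniffs the leading bytes of an upload against a short allow-list of signatures (PNG, JPEG and GIF here, an assumption about what a site accepts) and rejects files whose content does not match an accepted signature or disagrees with their extension, before ImageMagick ever sees them.

```python
"""Magic-number validation for uploads handed to an image processor.

Added example, not code from the original post or from ImageMagick.
ImageMagick picks its decoder from the file contents, not the file name,
so checking the extension alone does not limit which of its 200+ decoders
an upload can reach; checking the leading bytes against a short allow-list
does. Sample inputs below are constructed.
"""
from __future__ import annotations

# Signatures from the "List of file signatures" page referenced above.
SIGNATURES: dict[str, tuple[bytes, ...]] = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Extensions the (hypothetical) upload handler accepts -> sniffed format name.
ALLOWED_EXTENSIONS = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif"}


def sniff_format(data: bytes) -> str | None:
    """Return the allow-listed format whose signature starts `data`, else None."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return None


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be passed to the image processor.

    Rejects a disallowed extension, content with no accepted signature, and
    content that disagrees with the extension (e.g. text renamed to .jpg).
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXTENSIONS.get(ext)
    if expected is None:
        return False, f"extension {ext!r} not allowed"
    actual = sniff_format(data)
    if actual is None:
        return False, "no recognised image signature"
    if actual != expected:
        return False, f"content is {actual} but extension says {expected}"
    return True, actual


# Constructed samples: a genuine PNG header, and a non-image payload named .jpg.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_FAKE_JPG = b"this is not an image at all\n"

if __name__ == "__main__":
    print(validate_upload("photo.png", SAMPLE_PNG))       # (True, 'png')
    print(validate_upload("photo.jpg", SAMPLE_FAKE_JPG))  # (False, 'no recognised image signature')
```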

References:

  1. Huge number of sites imperiled by critical image-processing vulnerability
    By: Dan Goodin
    Date: May 3, 2016
    Ars Technica

[/security/vulnerabilities] permanent link

Sat, Apr 16, 2016 3:55 pm

Security Advisory Posted for Adobe Flash Player

On April 5, 2016, Adobe released security advisory APSA16-01 (CVE number: CVE-2016-1019) for a vulnerability in the Adobe Flash Player. The vulnerability affects the player on Microsoft Windows, Apple OS X, Linux, and Google's Chrome OS. The vulnerability affects all versions of Windows from Windows 10 backwards through Windows XP. The vulnerability exists in Adobe Flash Player 21.0.0.197 and earlier versions. The vulnerability is currently being exploited "in the wild", i.e., malefactors are already taking advantage of the vulnerability to compromise vulnerable systems. The vulnerability allows malefactors to crash a system and even potentially gain remote control of the system. The vulnerability is being used by the Magnitude Exploit Kit to spread Locky ransomware - see Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player.

A software change Adobe made in version 21.0.0.182 will prevent the exploit from being successful, so users who have at least that version should be safe from the exploit allowing their systems to be compromised, since on versions 21.0.0.182 and 21.0.0.197 it will only cause a crash [1]. But I would advise users to upgrade to the current version of the Adobe Flash Player, which is version 21.0.0.213. If you use multiple web browsers on a system, you should ensure that each of them has the latest version of the Adobe Flash Player plug-in, if you have Adobe Flash Player support installed for the browser. You can check the version of the Flash Player being used by a browser by visiting Adobe's www.adobe.com/software/flash/about/ page. Alternate methods for checking the version of the Flash Player on Apple OS X systems can be found at Determining the version of Adobe Flash on an OS X system.

References:

  1. Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player
    Posted: April 7, 2016
    Simply Security News, Views and Opinions from Trend Micro, Inc
  2. A Look Into Adobe Flash Player CVE-2016-1019 Zero-Day Attack
    Posted: April 8, 2016
    Simply Security News, Views and Opinions from Trend Micro, Inc

[/security/vulnerabilities/multios] permanent link

Tue, Feb 16, 2016 11:48 pm

glibc getaddrinfo stack-based buffer overflow vulnerability on Linux systems

A serious vulnerability in the GNU C Library, commonly known as glibc, was widely reported today. The GNU C Library is widely used on Linux systems and is used within routers that rely on Linux for their firmware. The vulnerability is within the getaddrinfo function, which converts domain names, hostnames, and IP addresses between human-readable text and the structured binary formats used by the operating system. The vulnerability permits a buffer overflow attack that could potentially allow an attacker to execute arbitrary code on an affected system.

An attacker could take advantage of the vulnerability through a lookup of an attacker-controlled domain name, through compromised Domain Name System (DNS) servers, or via a man-in-the-middle attack where the attacker has the capability to alter DNS data flowing between the vulnerable system and DNS servers.

The vulnerability has been given the Common Vulnerabilities and Exposures (CVE) designation CVE-2015-7547. The issue was detected by Google researchers investigating a segmentation fault they encountered with a Secure Shell (SSH) application. The researchers traced the issue to a buffer overflow inside glibc. When they reported the issue to the glibc maintainers, they found that the maintainers had been informed of the vulnerability in July and that individuals involved with the Red Hat distribution of Linux had also discovered the vulnerability and were working on a fix for it. The Google researchers disclosed the vulnerability today.

If you are responsible for a Linux system or other equipment that uses glibc, you should update the software as soon as feasible. If you have a system that uses the RPM Package Manager, you can see what version of glibc is installed and the build date for the package with rpm -qi glibc. On systems that use the open-source command-line package-management utility yum, you can issue the command yum update glibc from the root account. The currently available version for CentOS Linux systems is glibc 2.17. CentOS is functionally compatible with its upstream source, Red Hat Enterprise Linux (RHEL).

References:

  1. Extremely severe bug leaves dizzying number of software and devices vulnerable
    By: Dan Goodin
    Date: February 16, 2016
    Ars Technica
  2. CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
    Posted By: Fermin J. Serna, Staff Security Engineer and Kevin Stadmeyer, Technical Program Manager for Google
    Date Posted: February 16, 2016
    Google Online Security Blog

[/security/vulnerabilities/linux] permanent link

Tue, Dec 02, 2014 9:45 pm

Shellshock Vulnerability on OS X Systems

You can test a system to determine if it may be vulnerable to being exploited through the shellshock, aka bashdoor, vulnerability using the command env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'. If it is vulnerable, you will see the commands executed that appear after the semicolon. On vulnerable systems, Bash is executing commands that are concatenated at the end of function definitions stored in the contents of environment variables.

When I checked a MacBook Pro running OS X 10.8.4, I saw output indicating it was vulnerable, i.e., I saw "vulnerable" displayed when the command was run. The check can be performed by opening a Terminal window and entering the command. The Terminal application is in Applications/Utilities.

$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
vulnerable
this is a test

A bash shell prompt could be obtained by a malicious remote user if Remote Login was enabled and Guest Access was also enabled, though, hopefully, if Remote Login was enabled, Guest Access would not be enabled. Of course, a malicious person could also gain access to the system remotely if Remote Login is enabled and a weak password is present for an account on the system that is allowed remote access.

An OS X system could also be vulnerable if it is functioning as a web server and there are scripts present on the server that would allow an attacker to provide arbitrary input that could be executed as code by the script.

Apple released a fix for the vulnerability for OS X systems on September 29, 2014.

After the laptop was upgraded to OS X 10.8.5 and security updates were applied, I didn't see "vulnerable" displayed when the code was executed.

$ env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'
this is a test

And when I tested the related vulnerability CVE-2014-7169, the date was no longer displayed.

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
date
cat: echo: No such file or directory

A system that has been patched for both CVE-2014-6271 and CVE-2014-7169 will simply echo the word "date" and the file "echo" will not be created, as shown above.
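The two probes above wrapped as a local check, added here as an example that is not part of the original post: each function runs the post's command through the bash found on PATH and returns a verdict, and the CVE-2014-7169 probe runs in a throwaway directory so a stray "echo" file from a vulnerable bash cannot be left behind.

```python
"""Local Shellshock check for CVE-2014-6271 and CVE-2014-7169.

Added example, not code from the original post. Each probe is the same
command shown in the post, run via subprocess against whichever bash is on
PATH, and returns 'vulnerable', 'patched' or 'no bash'.
"""
from __future__ import annotations

import os
import shutil
import subprocess
import tempfile


def _run_bash(command: str, extra_env: dict, cwd: str | None = None) -> str | None:
    """Run `bash -c command` with extra_env added to the environment; None if no bash."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = dict(os.environ, **extra_env)
    result = subprocess.run([bash, "-c", command], env=env, cwd=cwd,
                            capture_output=True, text=True)
    return result.stdout


def probe_cve_2014_6271() -> str:
    """A vulnerable bash runs the 'echo vulnerable' trailing the function body in $x."""
    out = _run_bash("echo this is a test", {"x": "() { :;}; echo vulnerable"})
    if out is None:
        return "no bash"
    return "vulnerable" if "vulnerable" in out.splitlines() else "patched"


def probe_cve_2014_7169() -> str:
    """A vulnerable bash turns 'echo date' into a 'date' run redirected to a file named echo."""
    with tempfile.TemporaryDirectory() as workdir:
        out = _run_bash("echo date", {"X": "() { (a)=>\\"}, cwd=workdir)
        if out is None:
            return "no bash"
        leaked_file = os.path.exists(os.path.join(workdir, "echo"))
    # A patched bash simply prints the word "date" and creates no file.
    return "vulnerable" if leaked_file or out.strip() != "date" else "patched"


if __name__ == "__main__":
    print("CVE-2014-6271:", probe_cve_2014_6271())
    print("CVE-2014-7169:", probe_cve_2014_7169())
```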

References:

  1. Shellshock Vulnerability: What Mac OS X users Need to Know | The Mac Security Blog
    By Derek Erwin
    Date: September 26, 2014
    Intego - Mac Antivirus & Security
  2. Shellshock (software bug)
    Wikipedia

[/security/vulnerabilities/multios] permanent link

Tue, Sep 05, 2006 12:01 pm

OpenSSL Vulnerabilities up to Version 0.9.7c

OpenSSL is an Open Source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols and provides a full-strength general purpose cryptography library. Versions of OpenSSL prior to 0.9.6k and 0.9.7c are vulnerable to Denial of Service (DoS) attacks or could theoretically allow remote execution of arbitrary code.

OpenSSL version       Applicable advisories      Effect
--------------------  -------------------------  ----------------------------------------------------------------------------------
0.9.6d and earlier    30-Jul-2002                Practical to run arbitrary code remotely
0.9.6e-h and 0.9.7    19-Feb-2003                Practical (LAN) attack to recover frequently repeated plaintext such as passwords
0.9.6i and 0.9.7a     17-Mar-2003, 19-Mar-2003   Practical (LAN) attacks to obtain or use secret key
0.9.6j and 0.9.7b     30-Sep-2003                Denial of Service, and theoretically possible to run arbitrary code remotely
0.9.6k and 0.9.7c     (none)                     Clean at present

Some attacks may not be feasible except from systems on the same LAN as the attacked system, since a very fast connection between the attacker and target may be needed to make the attack practicable. However, if a webserver is in a datacenter with perhaps dozens or even hundreds of other systems, a compromised system within that datacenter could be used by an attacker to exploit these vulnerabilities on other servers in the same datacenter.

If you need to determine which version of OpenSSL you are running, you can use the command openssl version. You may need to specify the full path to the command if it isn't in your default path. For a Solaris 10 system, you can use the following path:

# /usr/sfw/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004

For Solaris 7, use /usr/local/ssl/bin/openssl version.

References:

  1. Vulnerable versions of OpenSSL apparently still widely deployed on commerce sites
    Netcraft
    November 3, 2003
  2. ESB-2003.0871 -- Sun Alert Notification -- OpenSSL Vulnerabilities in Sun Grid Engine 5.3
    Australian Computer Emergency Response Team (AusCERT)
    December 24, 2003

[/security/vulnerabilities/multios] permanent link

Tue, Jan 10, 2006 10:56 pm

Windows Vulnerability in Embedded Web Fonts

Microsoft released a patch today, which is January's "Patch Tuesday", for a vulnerability in the way Windows handles fonts embedded in a webpage. The vulnerability could allow a malicious webpage developer, or someone who has compromised a website, to install an embedded font on a webpage such that when a user views the webpage the user's system could be compromised, potentially even allowing a remote attacker to take complete control of the user's PC.


[/security/vulnerabilities/windows] permanent link

Mon, Jan 02, 2006 11:45 pm

WMF Vulnerability Could Allow Remote Code Execution

Code that will allow attackers to compromise a Windows-based PC using a vulnerability in the way such systems handle images has been posted online over the holidays. Exploitation of this vulnerability by attackers could allow them to install spyware on a system or take complete control of it.

The vulnerability is within software that is part of the Windows operating system distribution. The affected software processes Windows MetaFile (WMF) images, but an attacker need only rename an infected WMF file with a JPG, GIF, PNG, or other common graphic file format extension to evade a block on files with the WMF extension, since a Windows system examines the contents of files with those extensions and, if they are really WMF files, will still process them and execute the code in them.

An attacker can send infected images by email or put them on a website. The mere presence of an infected file on a system can lead to the system's infection if file indexing software, such as Google's desktop search utility, is present. When the file is indexed, the exploit is triggered.


[/security/vulnerabilities/windows] permanent link
