Information Security Blog

U.S. enables Chinese hacking of Google
(CNN) — Google made headlines when it went public with the fact that Chinese hackers had penetrated some of its services, such as Gmail, in a politically motivated attempt at intelligence gathering. The news here isn’t that Chinese hackers engage in these activities or that their attempts are technically sophisticated — we knew that already — it’s that the U.S. government inadvertently aided the hackers.

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html?hpt=T2

Twitter cuts feature on site over security flaw
BOSTON (Reuters) – Twitter has temporarily disabled one of the features on its website after a security researcher warned of a programing flaw that left the login credentials of its users vulnerable to hackers.
Twitter co-founder Biz Stone said in an email that the company had temporarily cut off access to a feature that lets users display Twitter updates on their websites by using Flash technology.

“Our team has disabled the Flash widget while we look into the problem,” Stone said.

Mike Bailey, a senior security analyst with Foreground Security of Orlando, Florida, said that the problem exploits a widely known vulnerability in Adobe Systems Inc’s Flash programing language.

Adobe has told programmers how to address the vulnerability, which was first discovered in 2006, Bailey added, but noted the operators of many websites have failed to respond to those warnings.

The microblogging site’s huge popularity has made it a prime target for hackers looking to spread malicious software to Twitter’s millions of users.

http://www.reuters.com/article/idUSTRE60L4AD20100122?type=technologyNews

RealPlayer haunted by 11 critical vulnerabilities
A quick heads-up to any computer users out with RealPlayer installed: There are at least 11 critical vulnerabilities that expose Windows, Mac and Linux users to malicious hacker attacks.

RealNetworks released an advisory to warn of the vulnerabilities, which could be exploited via rigged image and media files to launch remote code execution attacks.

The vulnerabilities also affect some versions of the Helix Player for Linux.
Here are the details from the RealNetworks alert:

1. A heap overflow error when processing a malformed ASM Rulebook, which could be exploited to execute arbitrary code.
2. A heap overflow error when processing a malformed GIF file, which could be exploited to execute arbitrary code.
3. A buffer overflow error when processing a malformed media file, which could be exploited to execute arbitrary code.
4. A buffer overflow error when processing a malformed IVR file, which could be exploited to execute arbitrary code.
5. A heap overflow error when processing a malformed IVR file, which could be exploited to execute arbitrary code.

http://blogs.zdnet.com/security/?p=5344&tag=col1;post-5344

Microsoft confirms 17-year-old Windows vulnerability

Posted by Ryan Naraine @ 8:05 am
One day after a Google security researcher released code to expose a flaw that affects every release of the Windows NT kernel — from Windows NT 3.1 (1993) up to and including Windows 7 (2009) — Microsoft dropped a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks.

Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode. For an attack to be successful, the attacker must have valid logon credentials.

The flaw does not affect Windows operating systems for x64-based and Itanium-based computers, Microsoft said.

http://blogs.zdnet.com/security/?p=5307&tag=content;col1

As far as vulnerabilities go, being able to run arbitrary code in kernal mode is about as serious as it comes.  To me, this gives another good reason to go to the 64 bit version if you haven’t already.  While it may seem surprising to some that the same bug that existed in NT still exists in Windows 7, but you have to remember that users are funny creatures that expect all the programs they bought twenty years ago to still work.  Do you really think Microsoft coders redo every module with each new release? Of course not.

Many point out that MS knew about the bug for several months and acted slowly.  I would have to agree that an advisory was in order and a patch as soon as possible.

There does come a time when MS needs to drop support entirely for legacy applications or at a minimum, make the administrator install legacy support only if needed rather than having it turned on by default.  I really don’t imagine many folks require 16 bit application support in 2010.  Maybe I am wrong?