Spyware, viruses, & security forum: NEWS - February 25, 2013

Zero-Day Vulnerability Affecting Java 7 Update 15 and Earlier Versions Identified

Researchers from Polish firm Security Explorations have identified another serious vulnerability in Java 7. The experts say Java SE 7 Update 15 and all earlier versions are affected.

Adam Gowdiak, the CEO of Security Explorations, has told Softpedia that they've uncovered two security issues, which they've dubbed "issue 54" and "issue 55."

When combined, the flaws can be leveraged to achieve a complete bypass of the Java security sandbox.

Oracle has been provided with the details of the newly uncovered bugs, but so far, it has only confirmed receiving the information. Most likely, the company will confirm the existence of the flaws in the upcoming days.

"Both new issues are specific to Java SE 7 only. They allow to abuse the Reflection API in a particularly interesting way," Gowdiak noted. "Without going into further details, everything indicates that the ball is in Oracle's court. Again."

The experts have tested their findings against the initial release of Java SE 7, Java SE 7 Update 11, and Java SE 7 Update 15, which is the version released a few days ago.

Continued : http://news.softpedia.com/news/Zero-Day-Vulnerability-Affecting-Java-7-Update-15-and-Earlier-Versions-Identified-332157.shtml

Related :
Zero-Day Flaws in Java Re-Emerge; No Exploitation in the Wild Yet
Researchers claim to have found more zero-day vulnerabilities in Java

Jonathan Mayer, a researcher at Stanford, has contributed a patch for Firefox that will block third-party cookies from installing on the user's browser. The patch is set to be incorporated into Firefox 22. For some sense of timing on the project, Firefox 19 was released on Tuesday.

With the patch, Firefox would allow all cookies from sites that a user actively visits, but would block cookies from third-party sites if a user has not visited that cookie's origin site. Advertisers generally place third-party cookies and can collect data about a user across several websites with them. This is used to serve more targeted ads or refine where an advertising firm should spend its money.

Blocking third-party cookies would not be new or unheard of among browsers; Apple's Safari already rejects cookies from third-parties. In a blog post on Friday, Mayer called the Firefox patch, "a slightly relaxed version of the Safari policy." Chrome allows all cookies, and Internet Explorer blocks some third-party cookies, although not all.

Continued : http://arstechnica.com/business/2013/02/firefox-22-will-block-third-party-cookies/

Also:
Mozilla to Block Third-Party Cookies in Firefox
Firefox to spit out third-party cookies

From the SANS ISC Diary:

Usually, we find that e-mail used to trick users to malicious or spam sites is either not customized at all, or manually tailored for a particular recipient. A couple years ago at our RSA panel with Alan Paller and Ed Skoudis, I eluded to "mass customized" malware. Malware that automatically harvests social networking accounts or other open source information to find out how to best target you. For example, the malware may see that you "Like" Star Trek on Facebook and then will send you a link to a new movie trailer.

For a while now, I am seeing simple e-mails that appear to be doing something like that. The emails follow the same pattern. The "Real Name" displayed is the name of a person I know. The from e-mail address however has no relation to the person, and is usually some kind of free email 'yahoo'/'gmail' style address. The body of the e-mail itself is just a one liner with a link.

I did suspect Facebook as the source of the information. For most of the "senders" I had gotten these e-mails from in the past, there are other ways then Facebook that link me to them. But wasn't sure about it until now, when I received the e-mail below.

Continued: https://isc.sans.edu/diary.html?storyid=15265

Two more major organisations have gone public about, what they claim, were attempts by Chinese hackers to infiltrate their networks and steal sensitive information.

EADS, the European Aeronautic Defense and Space company, and steelmaker ThyssenKrupp are said to have become the targets of hack attacks originating in China, according to Der Spiegel.

EADS - who makes the Eurofighter jet, as well as spy drones, surveillance satellites, and even rockets for French nuclear weapons - are said to have contacted the German government last year to warn them that the military contractor's computer network has been hacked.

Officially, EADS have described the attack as "standard" and insisted that no harm has been done.

Continued : http://nakedsecurity.sophos.com/2013/02/25/china-eads-thyssenkrupp-hack/

Also:
Chinese hackers attacked Eurofighter maker EADS, company confirms
European Space, Industrial Firms Breached in Cyber Attacks: Report

Duo Security researchers have found an easy way to bypass Google's two-step login verification by capturing a user's application-specific password.

"To make 2-step verification usable for all of their customers (and to bootstrap it into their rather expansive ecosystem without breaking everything), Google's engineers had to make a few compromises. In particular, with 2-step verification came a notion of 'Application-Specific Passwords' (ASPs)," explains Adam Goodman.

The user is required to create and use a separate ASP for every application that doesn't support 2-step verification logins - Adium, Apple Mail, Thunderbird, iCal, and so on.

But the problem with ASP is that, despite its name, it doesn't actually limit the users' access to only certain data or services in their accounts. "In fact, an ASP can be used to log into almost any of Google's web properties and access privileged account interfaces, in a way that bypasses 2-step verification," the researchers discovered.

Continued : http://www.net-security.org/secworld.php?id=14485

Also: Researchers Bypass Google Two-Factor Authentication