
Apple fixed 27 security vulnerabilities in its Safari browser

April 3, 2014

Apple said earlier this morning that it has fixed no less than 27 security vulnerabilities in its Safari browser for OS X computers, eighteen of which were uncovered by Google's Chrome Security Team.

All but one of the flaws allow potential attackers to execute arbitrary code on victims' computers. Apple said its Safari 7.0.3 and 6.1.3 update will close the security flaws, which were found in its WebKit-derived browser engine.

The company has released the update for Safari on Macs running OS X Mountain Lion and Mavericks. Users are advised to fire up Apple's Software Update tool as soon as possible.

March's iOS 7.1 update for iPhones, iPads and iPod Touches fixed several of the same vulnerabilities in mobile Safari. As for Safari on Windows, Apple dropped support for that long ago.

All but one of the security vulnerabilities killed today involve memory corruption bugs which, if exploited by a specially crafted website, could allow an attacker to crash the software, or execute arbitrary code on the victim's machine – which is a great starting point for injecting malware on the computer.

The remaining security bug allows a hacker running code in the browser's secure sandbox to bypass restrictions and read arbitrary files on the system. Its discovery was credited to researcher Ian Beer, who worked with the Google Project Zero campaign.

If you're wondering why Google takes such an interest in Apple's software, the Blink engine used by Google Chrome is a fork of the WebCore component of the open-source WebKit, and Safari also uses WebKit.

Even though Blink has veered off on its own development path, security bugs found in Blink's WebCore may also exist in Safari's WebCore.

For example, one Safari flaw patched today, CVE-2013-2871, is a WebCore use-after-free bug previously discovered in Chrome before 28.0.1500.71. Another, CVE-2013-2926, is a use-after-free vulnerability that was found in Chrome before 30.0.1599.101.

Readers will note that a lot of the security flaws date back to last year when Google fixed them in Chrome, revealing the delay in Safari picking up Chromium's updates.

One security hole in Safari, now patched, was exploited by Google just last month to run an arbitrary app as root at the Pwn2Own hacking contest at CanSecWest 2014; Google revealed the flaw to bag $32,000 for charity.

The ID for that flaw, CVE-2014-1300, was reserved on January 8, 2014, although a Google engineer said the company shared the details of the flaw with Apple before the event.

The other security flaws closed today were found by VUPEN and other researchers working with HP's Zero Day Initiative, by Apple staff, and by independent researchers.

In other internet security news

A serious security vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been repaired, according to the researcher who says he found the flaw.

Mark Litchfield, a security technician at Securatary, says he discovered the flaw in eBay-owned ProStores that not only opened the door to store account hijackers, but also leaked "full access to all their customers' PII [Personally identifiable information] as well as their full credit information in clear text."

eBay's ProStores hosts online shops for eBay resellers and provides a wizard for creating the traders' websites.

"Similar to the gostorego security vulnerability also on the eBay website, we could shop for free by giving ourselves store credits or gift cards or we could have created our own orders for free," Litchfield said.

After he reported the security flaw in February, it was fixed correctly, clearing the way for Litchfield to go public on March 20.

For its part, eBay has yet to respond to repeated requests for comment. Litchfield characterizes the vulnerability as a serious string of issues that took far too long to fix.

According to the researcher, in order to gain control of a victim's eBay ProStores site, the attacker must first create his own ProStores account; a 30-day free trial is available. He would then use that account as a springboard to infiltrate the victim's website(s).

"In a nutshell, it was possible to change the password of another admin, then you could log in as that user with full administrative rights to the stores," Litchfield added.

"With this attack, I was more shocked than anything to find the credit card information being displayed back in clear text. If people are buying things online, why would the full card information need to be returned in clear text to the administrator? That's a *major* security flaw of gigantic proportions," he added.

ProStores is aimed at small to medium businesses, and was acquired by eBay nine years ago. The system offers inventory management, supplier communication and integration with Quickbooks, Dreamweaver and other tools.

Litchfield also said there was an XML external entity vulnerability in ProStores. Securatary said it had reported the issue to eBay on February 11 but it was only fixed on March 20.

"The Magento issue I reported earlier was fixed extremely quickly but this attack didn't expose any credit cards," Litchfield said.

"The ProStores attack was as bad as the GoStoreGo one but for some reason took weeks to fix and this one exposed full credit card information in clear text. Go figure," he added.

Over the past three days, we have asked eBay several times for comment and will update if and when we hear from the company.

In other internet security news

The numbers were compiled last week and confirm what many system admins had already suspected. DDoS (distributed denial of service) attacks have more than tripled since the start of 2014, according to a new study released on Thursday that identifies zombie networks as the primary source of the junk traffic used to flood websites and other internet properties.

Overall, about 29 percent of all botnets are located in India, China or Iran, while some are located in the U.S.

The study, by DDoS mitigation firm Incapsula, ranks the United States as number five in the list of “Top 10” attacking countries.

Several zombie networks have been deployed in multiple attacks. More than a quarter of botnets hit more than 50 targets a month, according to Incapsula, and the trend appears to be increasing.

Traffic volumes are growing and 20 Gbps attacks are rapidly becoming normal. About 32.4 percent of all DDoS attacks exceed 20 Gbps, and 81.7 percent of assaults feature multiple attack vectors.

A normal SYN flood combined with a large SYN flood is the most popular multi-vector attack, a one-two punch that crops up in 75 percent of all attacks. NTP reflection was the most common large-scale attack method in January and February 2014.

The Incapsula study is based on hundreds of attacks on websites and other internet properties that use the company’s DDoS Mitigation service.

In other internet security news

Oracle is warning its Australian enterprise customers to get ready for extra patches in the coming months.

Recent changes to Australia's federal laws mean that Oracle has warned its customers that one patch will be needed to handle a new gender equity reporting requirement, while changes to superannuation (retirement pension) rules will require another two.

Then there's a fourth patch that can be expected to handle other general changes in the Federal budget, which is delivered in the first week of May and comes into effect on July 1st.

Australia's financial management software vendors are briefed in advance of the Budget, so vendors generally know what they need to start working on.

Their software is also tuned to cope with the need for rapid adjustment. We understand that financial management packages have modular designs to make it easy for vendors' outposts in different nations to encode local regulations into their wares.

We're aware that at least one top tier ERP vendor outsources the creation of these hyper-local patches, in part because the local office is more concerned with (and competent at) sales and marketing than actual coding.

Even if outposts of multinational vendors have to scramble to get the job done, the work is probably welcome if Oracle's missive is anything to go on: only users of version 12.0 or higher of Oracle Payroll can put the patches to work.

Government therefore keeps users on the upgrade treadmill, along the way creating just the kind of red tape Australia's rulers will this week decry with a “repeal day” dedicated to “cutting administrative overhead.”

In other internet security news

Farid Essebar, aka Diablo, has finally been arrested by Bangkok police after more than 3 years on the run, on suspicion of causing no less than $4 billion worth of damage to Swiss banking systems and various other institutions in Europe.

The 27-year-old Moroccan, who has a Russian passport, was caught by police from the Department of Special Investigation (DSI), as well as officials from the Immigration Bureau and the Office of the Attorney-General.

"We arrested the suspect at a condominium on Rama Road. Thailand will then send him to Switzerland within 90 days in accordance with the extradition agreement," police chief Songsak Raksaksakul said.

Swiss authorities are said to have alerted the Thai police through their embassy in Bangkok that the hacker and three associates had come to the south-east Asian country.

Why it took so long to track him down is still a mystery, although the report claims that law enforcers wanted to make sure they had a positive identification of the suspect before swooping in for an arrest.

Over the past three years, Essebar and the three other men apparently spent their time moving between various Thai tourist destinations and also made trips to nearby territories such as Hong Kong.

It’s still unclear exactly how long the Moroccan is facing in a Swiss jail, but if the prosecution is successful it won’t be the first time he’s gone behind bars.

Essebar was arrested back in August 2005 and jailed by a Moroccan court a year later for spreading the infamous Zotob worm which infected systems across the globe including those of CNN, ABC, the Financial Times and the New York Times.

It even managed to crash the Department of Homeland Security's (DHS) US-VISIT border screening system, much to the embarrassment of the George Bush administration.

In other internet security news

European police agency Europol is again warning internet users that using free Wi-Fi hotspots poses a data risk, and that sensitive information can be lost or stolen by attackers connected to the same hotspot.

Troels Oerting, head of Europol's cybercrime centre, told BBC News that a growing number of attacks are being carried out via public Wi-Fi service and that people should send personal data only across trusted networks.

"We have seen a growing increase in the misuse of Wi-Fi hotspots and the issue is getting worse, in order to steal information, identity or passwords and money from the users who use public or insecure Wi-Fi connections," he added.

The problems posed by insecure Wi-Fi have been known for many years, and they underscore the need to use a VPN connection when accessing the internet from public places such as cafes, transport hubs and conference venues.

But consumers often ignore these best practices, putting themselves at increased risk of getting hacked as a result. Sean Sullivan, security advisor at anti-virus firm F-Secure, commented: "This has been a concern for many years, and that's why sensible companies force employees to use VPN connections. A Firefox plugin called 'Firesheep' definitively demonstrated just how utterly insecure Wi-Fi hotspots can be back in 2010."

Sullivan added that he used open hotspots all the time but always took basic security precautions when he did. "If you want to use an open Wi-Fi hotspot to search for the latest sports scores, then go for it. But if you want to check your bank balance, read your email, have a private chat with your friends, then get yourself a VPN service," he concluded.

According to a recent Kaspersky Lab survey, 34 percent of people using a PC admitted to taking no special measures to protect their online activity when using a Wi-Fi hotspot.

Only about 12.6 percent of internet users take the time to actively check the encryption settings of an access point before they use it, an extremely low number considering the risks involved.

The Kaspersky Lab survey does offer some comfort to those concerned about consumer attitudes to internet security. Only one in seven of those quizzed were comfortable banking or shopping online while connected to an untrusted Wi-Fi hotspot.

And in a related development, privacy groups such as the EFF (Electronic Frontier Foundation) have teamed up with technology firms such as Twitter and privacy-focused search service DuckDuckGo to create a new campaign to improve data security for consumers in a post-Snowden world of dragnet surveillance.

The 'Encrypt all Things' campaign has drawn up a seven point Data Security Action Plan for 2014 specifically designed to promote better data protection practices by websites and the technology industry, as well as promoting greater security awareness about privacy-enhancing technologies among consumers.

In other internet security news

Internet security consultants are suggesting that Canadian businesses and the federal government should adopt a just-released U.S. government framework for tightening the IT security of critical infrastructure, and add further layers of security to improve the confidentiality of all stored data.

"I honestly don't think that we should re-invent the wheel," said Kevvie Fowler, a partner in forensic advisory services at KPMG Canada.

Fowler said that the guidelines were released February 12 by the federal National Information Technology Laboratory (NIST). “If you look at what has been done, it already leverages several concepts from internationally-adopted standards like ISO 27001/2 and a few others,” he added.

In 2010, the Harper government announced a national strategy to better protect critical infrastructure calling for the public and private sectors to work on addressing risks. But two years later, the Auditor General released a report complaining the strategy still didn’t have an action plan. That plan has since been completed.

Public Safety Canada has released a guideline of best practices for incident response. But Fowler said the NIST document goes further. Meanwhile, as part of its effort to work on an infrastructure security plan, the Canadian government is holding an invitation-only conference in New York next week.

Called a "Framework for Improving Critical Infrastructure Cybersecurity", it's aimed at organizations, regulators and consumers looking to create or improve cybersecurity programs.

The document provides a common language to address and manage cyber risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses, NIST says.

“The framework provides a consensus description of what’s needed for a comprehensive cybersecurity program,” said under secretary of commerce for Standards and Technology and NIST director Patrick Gallagher.

“Additionally, it reflects the efforts of a broad range of industries that see the value and need for improving cybersecurity and lowering overall risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business.”

Source: Apple.