Security Week In Review, April 23-27

By Stefanie Hoffman | April 30, 2012

Infections and exploits plagued this week in security, affecting everything from Mac OS X to Oracle database servers. High-profile leaks and the passage of a controversial information sharing bill also marked the security landscape. Here's a look at April 23-27.

VMware Source Code Leaked: Last week, VMware confirmed an attack that led to the online publication of source code for its ESX hypervisor and said that more could be on the way.

The individual stepping up to take credit for the attack was a hacker going by the handle of Hardcore Charlie, who also claimed responsibility for another hack on military contractor China National Import & Export Corp earlier this month.

“The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today,” said Iain Mulholland, director of the VMware Security Response Center, in a blog post.

Hardcore Charlie also tweeted that he possessed EMC source code, which he said he also planned to post.

Microsoft Fixes Hotmail Password Flaw: Redmond patched a password reset vulnerability in its Hotmail Web mail service last week that potentially exposed its more than 360 million users to account compromises.

Specifically, the glitch enabled attackers using a Firefox add-on to circumvent security restrictions and remotely reset the password of a Hotmail account by modifying the submitted data, while also enabling them to decode the CAPTCHA and send automated values over the MSL Live Hotmail module. When the reset button was hit, attackers could then manipulate the requests and put in their own reset information.

Luckily for Hotmail’s 360 million users, the bug was discovered and repaired in a relatively short window of time. Microsoft got wind of the vulnerability April 20 and issued a fix the following day. The fix went public at the end of last week.

House Passes CISPA Bill: The controversial Cyber Information Sharing and Protection Act passed in the House of Representatives by a vote of 248 to 168 at the end of last week, despite a strong public backlash from privacy advocates and academia who asserted that the move violated privacy rights.

Specifically, the bill, supported by firms such as Facebook, financial trade associations, AT&T, utilities, Intel, and several other tech companies, gives the federal government considerable leeway to share classified cyber threat information with U.S. companies. The bill also eliminates many restrictions on information sharing between organizations.

The bill’s chief supporter and architect Mike Rogers applauded the legislation as a move in the right direction toward the comprehensive protection of U.S. networks against cyber spies and thieves from Russia and China.

However, CISPA’s opponents, including the Center for Democracy and Technology, as well as the ACLU, called the bill ‘overly broad’ and contended that it would serve to erode users’ Internet freedoms and privacy.

Oracle Suffers Critical Glitch: A critical vulnerability enabling remote code execution in all versions of the Oracle database server remains unpatched even after Oracle attempted to fix the flaw with its April Critical Patch Update, according to reports circulating last week.

Specifically, the vulnerability occurs in the TNS Listener service, the component that routes connection requests from clients to the database server, and allows attackers to intercept server traffic and execute malicious commands on the system.

The vulnerability exists in all Oracle versions, affecting customers using 8i, 9i, 10g, and 11g (11g R2). If exploited, a remote attacker has complete control of the data exchanged between the server database and the client machines, which paves the way for miscreants to hijack users’ sessions and inject code to do their malicious bidding.

Oracle recently patched the TNS Listener flaw in its April update. However, it turns out that the fix did not apply to current versions of the Oracle database, leaving many customers exposed to attacks that exploit the vulnerability.

New Flashback Variant Attacks Macs: Yet another Flashback variant was discovered sweeping through users' Mac OS X machines last week. This time, Mac security firm Intego reported that the malware installs itself on users' computers without requiring a password.

The latest Flashback version, known as Flashback.S, installs itself under the user's home folder, in ~/Library/LaunchAgents/ or as ~/.jupdate.

Once it has completely installed itself, the malware then deletes all files and folders in ~/Library/Caches/Java/cache in order to eliminate the applet from the infected Mac, and avoid detection or sample recovery, according to Intego.
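As an added example (not code from the article or from Intego), the following Python triage script checks one user's home directory for the per-user indicators this section describes: a LaunchAgent that launches a hidden ~/.jupdate payload, the payload itself, and an emptied Java applet cache. The dotfile heuristic, the label com.example.jupdate and the fixture that demo() builds are assumptions constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Indicators taken from the article: Flashback.S drops a hidden ~/.jupdate payload,
# persists via ~/Library/LaunchAgents/, then empties ~/Library/Caches/Java/cache.
SUSPECT_PAYLOAD = ".jupdate"
JAVA_CACHE = Path("Library/Caches/Java/cache")

def launch_agent_targets(plist_path):
    """Return the executable paths a LaunchAgent plist would run (empty if unparsable)."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
    except (plistlib.InvalidFileException, ValueError):
        return []
    targets = [data["Program"]] if isinstance(data.get("Program"), str) else []
    args = data.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        targets.append(args[0])
    return targets

def scan_home(home):
    """Report Flashback.S indicators under one user's home directory (a Path)."""
    findings = []
    for plist in sorted((home / "Library" / "LaunchAgents").glob("*.plist")):
        for target in launch_agent_targets(plist):
            # Heuristic (assumption): legitimate agents rarely launch a dotfile like ~/.jupdate.
            if Path(target).name.startswith("."):
                findings.append(f"{plist.name} launches hidden payload {target}")
    if (home / SUSPECT_PAYLOAD).exists():
        findings.append(f"hidden payload present: {home / SUSPECT_PAYLOAD}")
    cache = home / JAVA_CACHE
    if cache.is_dir() and not any(cache.iterdir()):
        findings.append("Java applet cache is empty (Flashback.S wipes it after install)")
    return findings

def demo():
    """Constructed fixture, not a real sample: one infected home and one clean home."""
    root = Path(tempfile.mkdtemp())
    infected, clean = root / "infected", root / "clean"
    for home in (infected, clean):
        (home / "Library" / "LaunchAgents").mkdir(parents=True)
        (home / JAVA_CACHE).mkdir(parents=True)
    (clean / JAVA_CACHE / "applet.jar").write_bytes(b"placeholder")
    (infected / SUSPECT_PAYLOAD).write_bytes(b"placeholder")
    agent = {"Label": "com.example.jupdate", "ProgramArguments": [str(infected / SUSPECT_PAYLOAD)]}
    with open(infected / "Library" / "LaunchAgents" / "com.example.jupdate.plist", "wb") as fh:
        plistlib.dump(agent, fh)
    return scan_home(infected), scan_home(clean)
```

On a real machine, call scan_home(Path.home()) instead of demo(); an empty Java cache alone is weak evidence, so treat it as corroboration for the other two findings rather than a verdict on its own.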

The Mac-focused Flashback Trojan was first discovered in September 2011, impersonating a bogus Adobe Flash Player installer. The malware has since gone on a rampage against the Mac OS X platform with numerous variants that have exploited a slew of Java vulnerabilities, ultimately infecting as many as 650,000 machines, according to reports.
