Channel: BOT24

The Wolves of Vuln Street - The First System Dynamics Model of the 0day Market

I’ve been working with economics and policy researchers from MIT and Harvard to study the economic forces behind the 0day market. Here’s what we found:

The vulnerability market is not controlled by price alone — many levers exist that tip the scales between offense and defense.
Bug bounties are still effective to help find vulnerabilities faster, especially for less mature software.
Creating incentives for tools and techniques that support vulnerability discovery is a more efficient way for defenders to drain the offense stockpile of 0day vulnerabilities.

Find this surprising? Want to know how to compete as a defender in a market not entirely defined by price? Read on here.........https://hackerone.com/news/the-wolves-of-vuln-street

Statistics Will Crack Your Password

Think like a hacker and ask yourself how quickly your passwords could be cracked based on their structure.

When hackers or penetration testers compromise a system and want access to clear text passwords from a database dump, they must first crack the password hashes that are stored. Many attackers approach this concept headfirst: They try any arbitrary password attack they feel like trying with little reasoning. This discussion will demonstrate some effective methodologies for password cracking and how statistical analysis of passwords can be used in conjunction with tools to create a time boxed approach to efficient and successful cracking.
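The mask analysis the article refers to, as an added example that is not the article's own code: derive the character-class mask of each password, rank masks by passwords covered per candidate tried, and see which masks fit a fixed time budget at an assumed hash rate. The password list and the hash rate are constructed values for a sanctioned audit of one's own user base.

```python
"""Mask-structure statistics for a password set.

Added example; not code from the Praetorian article. Given passwords
recovered in a sanctioned audit of your own users, it derives each
password's character-class mask (hashcat-style ?l ?u ?d ?s), ranks
masks by how many passwords they cover per unit of keyspace, and
works out which masks fit into a fixed time budget at an assumed hash
rate. The result shows a defender which structures the password
policy permits that are cheap to exhaust. The password list and the
hash rate are constructed values.
"""
from collections import Counter
import string

# Alphabet size for each character class; ?s covers the 33 printable
# ASCII symbols (space included), matching hashcat's ?s.
CLASS_SIZE = {"?l": 26, "?u": 26, "?d": 10, "?s": 33}


def char_class(ch):
    if ch in string.ascii_lowercase:
        return "?l"
    if ch in string.ascii_uppercase:
        return "?u"
    if ch in string.digits:
        return "?d"
    return "?s"  # anything else is counted as a symbol


def mask_of(password):
    """'P@ssw0rd' -> '?u?s?l?l?l?d?l?l'"""
    return "".join(char_class(c) for c in password)


def keyspace(mask):
    """Number of candidates a mask expands to."""
    size = 1
    for i in range(0, len(mask), 2):
        size *= CLASS_SIZE[mask[i:i + 2]]
    return size


def mask_stats(passwords, hashes_per_second):
    """One row per distinct mask, sorted by passwords covered per candidate."""
    counts = Counter(mask_of(p) for p in passwords)
    total = len(passwords)
    rows = []
    for mask, n in counts.items():
        ks = keyspace(mask)
        rows.append({
            "mask": mask,
            "count": n,
            "coverage": n / total,          # share of the set with this structure
            "keyspace": ks,
            "seconds": ks / hashes_per_second,
            "efficiency": n / ks,           # passwords recovered per candidate tried
        })
    rows.sort(key=lambda r: r["efficiency"], reverse=True)
    return rows


def time_boxed_plan(rows, budget_seconds):
    """Greedily take masks in efficiency order while they fit the budget.

    Returns (masks chosen, seconds used, share of the set those masks cover).
    """
    chosen, spent, covered = [], 0.0, 0.0
    for r in rows:
        if spent + r["seconds"] > budget_seconds:
            continue  # too expensive for what is left; cheaper masks may still fit
        chosen.append(r["mask"])
        spent += r["seconds"]
        covered += r["coverage"]
    return chosen, spent, covered


# Constructed sample: the kind of passwords an eight-character,
# "one uppercase and one digit" policy tends to produce.
SAMPLE_PASSWORDS = [
    "password1", "Summer2015", "Welcome1", "Qwerty12", "Dragon99",
    "Monkey11", "P@ssw0rd", "letmein", "Football1!", "Hunter22",
    "abc123", "Winter2014",
]
ASSUMED_RATE = 1e9  # hashes per second, a constructed figure for the report


def report(passwords=SAMPLE_PASSWORDS, rate=ASSUMED_RATE, budget_seconds=60):
    rows = mask_stats(passwords, rate)
    chosen, spent, covered = time_boxed_plan(rows, budget_seconds)
    for r in rows:
        print(f"{r['mask']:<24} n={r['count']:<2} keyspace={r['keyspace']:<16,d} "
              f"{r['seconds']:>10.1f}s")
    print(f"{len(chosen)} masks fit in {budget_seconds}s and cover "
          f"{covered:.0%} of the set ({spent:.1f}s)")
    return rows, chosen, covered


if __name__ == "__main__":
    report()
```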

more here........http://www.praetorian.com/blog/statistics-will-crack-your-password-mask-structure

Protecting infrastructure secrets with Keywhiz

At Square, our number one priority is security. We needed something to protect secrets, especially as their number increased with our adoption of a service-oriented microservice architecture. Although protecting infrastructure secrets is a common need, we weren’t able to find an adequate secret management system. (More on this under “Existing Practices.”) So, we built Keywhiz.

Keywhiz is a secret management and distribution service that is now available for everyone. Keywhiz helps us with infrastructure secrets, including TLS certificates and keys, GPG keyrings, symmetric keys, database credentials, API tokens, and SSH keys for external services — and even some non-secrets like TLS trust stores. Automation with Keywhiz allows us to seamlessly distribute and generate the necessary secrets for our services, which provides a consistent and secure environment, and ultimately helps us ship faster.

more here........https://corner.squareup.com/2015/04/keywhiz.html

Don't Just Rely on Tor: Security Advice from an Alleged Dark Web Veteran

Being a cybercriminal is hard. Once you reach a level of notoriety, any number of well-funded agencies may be hot on your tail. Some people might think that the power of encryption and anonymity technology like Tor could be enough to hold the cops off. But they would be wrong.

The real “professionals” also rely on a high standard of operational security, or “OPSEC” for short. This is essentially the practice of keeping your sensitive work safe, and often boils down to having smarts and being disciplined, rather than anything specifically technological.

more here.....http://motherboard.vice.com/read/dont-just-rely-on-tor-security-advice-from-an-alleged-dark-web-veteran

REVERSE ENGINEERING WIPEOUT (PSX)

In 1995 one of my all time favorite video games was released: the original WipEout for PlayStation. The brand new PlayStation produced 3D graphics previously unseen on living room TVs and WipEout exploited its capabilities like no other game at the time. It was one of the pioneering titles of the fifth generation console era.

WipEout's art style was distinctively different from other games too. With the help of the UK based design studio The Designers Republic the game achieved a mature look that was in stark contrast to the comic style found in most other games.

I remember poking around on the CD of the PC Version of WipEout back in the day, looking for ways to modify the game. I was thrilled to find .pcx images of all textures and tried to change one of the in-game billboard graphics to show my name. I wasn't able to get it working.

Now, almost 20 years later, I thought I'd give it another shot.

more here........http://phoboslab.org/log/2015/04/reverse-engineering-wipeout-psx

Shellshock - Not a Can of Worms if You Patch

In information security, 2014 will undoubtedly remain infamous for at least two vulnerabilities that affected the vast majority of the Internet infrastructure and users: Heartbleed and Shellshock. While most system administrators scrambled to apply patches to mitigate these issues as soon as possible, unfortunately, despite the fact that a year has passed by since Heartbleed was revealed and about seven months since Shellshock, there are still a large number of systems that remain vulnerable. Websense® Security Labs™ has discovered, via one of our honeypots, that a simple, yet aggressive worm in the wild exploits the Shellshock vulnerability for reconnaissance purposes.

more here.......http://community.websense.com/blogs/securitylabs/archive/2015/04/14/shellshock-not-a-can-of-worms-if-you-patch.aspx

Hostapd-wpe for OpenWrt Barrier Breaker

Hostapd-wpe (Wireless Pwnage Edition) is a patch for hostapd v2.2 created by the OpenSecurity Research group, aiming to replace FreeRadius-WPE. The WPE patch implements 802.1X authentication-server impersonation attacks in order to obtain client credentials, and also implements the Cupid attack, which exploits the Heartbleed vulnerability (CVE-2014-0160) on client connections over EAP-PEAP/TLS/TTLS.


This article arose from the need for a portable device for testing the security of wireless infrastructures (802.11b/g/n and 802.11ac).

more here.......https://www.acrylicwifi.com/en/blog/hostapd-wpe-openwrt-barrier-breaker/

Link time and inter-procedural optimization improvements in GCC 5


Several issues in SQLite (+ catching up on several other bugs) & Article on Finding bugs in SQLite, the easy way

SQLite is probably the most popular embedded database in use today; it
is also known for being very well-tested and robust.

Because of its versatility, SQLite sometimes finds use as the
mechanism behind SQL-style query APIs that are exposed between
privileged execution contexts and less-trusted code. One example of
this is the WebDB / WebSQL mechanism available in some browsers; in
this setting, vulnerabilities in the SQLite parser can open up the
platform to attacks.

Anyway, long story short, I recently reported around 22 bugs in the
query parser, including the use of uninitialized memory when parsing
collation sequences:

https://www.sqlite.org/src/info/eddc05e7bb31fae7

...and bad free():

https://www.sqlite.org/src/info/02e3c88fbf6abdcf

...and a stack buffer overflow:

http://www.sqlite.org/src/info/c494171f77dc2e5e

Since all the fixes are already public and the issues are fixed in
3.8.9, but there's no upstream advisory, I figured I'd drop a note
here; if you're relying on SQLite in a way mentioned earlier on, you
may want to upgrade. There are no CVEs assigned for any of the above.

The aforementioned three bugs aside, the remaining 19 issues are
probably less interesting. They depend on "privileged" commands (e.g.,
ATTACH), only have DoS potential, or corrupt nominally boring areas of
memory (say, http://www.sqlite.org/src/info/0cdf502885ea7e58). Some of
them may matter for escalating SQL injection to RCE. If you are
curious, you can check out docs/vuln_samples/sqlite_* shipping with
afl-fuzz for a complete set.

All of the above bugs were found with http://lcamtuf.coredump.cx/afl/
after spending around 30 minutes to set up the job.

...

Here's another, unrelated bug that may not have had a CVE. It
affects browser <video> handling (H.264):

https://github.com/FFmpeg/FFmpeg/commit/e8714f6f93d1a32f4e4655209960afcf4c185214

PPS. I haven't posted about this before, but here are three
recently-fixed issues affecting PNG, JXR, and TIFF handling in MSIE,
leaking values from browser memory:

http://lcamtuf.blogspot.com/2015/03/another-round-of-image-bugs-png-and.html
http://lcamtuf.blogspot.com/2015/02/bi-level-tiffs-and-tale-of-unexpectedly.html

PPPS. Since we're on the topic of catching up, I would strongly advise
against using jxrlib, a Microsoft-developed open source library for
parsing JXR / HDP / WDP files (JPEG XR), a new image format supported
in Internet Explorer and Adobe Flash. It appears to have many
exploitable memory corruption errors that are discoverable with AFL. I
pinged them in December, but the maintainers weren't very responsive.
The bugs do not affect MSIE, since the OSS implementation appears to
be completely separate (huh). That said, they will affect ImageMagick
and similar programs if they are built with jxrlib support compiled
in. Since the library has fairly minimal install base, this note is
about as much effort as I think it warrants.

Additional link here titled "Finding bugs in SQLite, the easy way" ......http://lcamtuf.blogspot.fr/2015/04/finding-bugs-in-sqlite-easy-way.html

/mz
Author:
Michal Zalewski 
lcamtuf@coredump.cx

Paper: Just A Little Bit More

Abstract. We extend the FLUSH+RELOAD side-channel attack of Benger et al. to extract a significantly larger number of bits of information per observed signature when using OpenSSL. This means that by observing only 25 signatures, we can recover secret keys of the secp256k1 curve, used in the Bitcoin protocol, with a probability greater than 50 percent. This is an order of magnitude improvement over the previously best known result. The new method of attack exploits two points: Unlike previous partial disclosure attacks, we utilize all information obtained and not just that in the least significant or most significant bits; this is enabled by a property of the “standard” curves' choice of group order, which enables extra bits of information to be extracted. Furthermore, whereas previous works require direct information on ephemeral key bits, our attack utilizes the indirect information from the wNAF double and add chain.

more here..........http://eprint.iacr.org/2014/434.pdf

White Paper: Identifier based XSSI attacks

Cross Site Script Inclusion (XSSI) is an attack technique (or a vulnerability) that enables
attackers to steal data of certain types across origin boundaries, by including target data
using SCRIPT tag in an attacker's Web page as below:
<!-- attacker's page loads external data with SCRIPT tag -->
<SCRIPT src="http://target.example.jp/secret"></SCRIPT>

For years, it has been known among Web security researchers that JavaScript files,
JSONP and, in certain old browsers, JSON data are subject to this type of information theft
attack. In addition, some browser vulnerabilities that allow attackers to gain information
via JavaScript error messages have been discovered and fixed in the past.

In 2014, we conducted research on this old topic and discovered some new attack techniques
and browser vulnerabilities that allow attackers to steal simple text strings such as CSV,
and more complex data under certain circumstances. In the research, we mainly focused on
a method of stealing data as a client side script's identifier (variable or function name).

In this paper, we first describe these attack techniques / browser vulnerabilities in the next
section and then discuss countermeasures for these issues.

more here........http://www.mbsd.jp/Whitepaper/xssi.pdf

CVE-2015-1864: Multiple HTML and Javascript injections

We have recently discovered a security issue in Kallithea [0].

Synopsis
========

Several vulnerabilities have been found in Kallithea, allowing
attackers to inject malicious code into the administration pages.

Description
===========

HTML and Javascript injection was possible in several places in the
Kallithea UI, allowing attackers to run malicious code.

User details (first name, last name) as well as repository, repository
group and user group descriptions were pasted unfiltered into the HTML
code, so an attacker could inject code by setting their first name
to, for example:

<img src="/images/kallithea-logo.svg" onload="alert('Hello,
World!');">

This would display an alert every time the users administration page
is opened. Used against a user with administrator access, this can
expose sensitive information:

<img src="/images/kallithea-logo.svg"
onload="$.ajax({url:'/_admin/my_account/api_keys'}).done(function(data){
a=new RegExp('[0-9a-z]{40}','g');alert('Your API key is:'+
data.substr(data.search(a), 40));});">

Impact
======

As the vulnerability allows an attacker to execute arbitrary code in the
user's browser, it can be used to gain access to the user's account by
stealing the user's credentials, such as API keys. If the user also has
administrator rights, the attacker can gain full administrator access
to the Kallithea instance.
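The unfiltered rendering described above beside its escaped form, as an added example that is not Kallithea's code; the user and repository records are constructed, and audit_fields() is a hypothetical check for payloads stored before an upgrade.

```python
"""Stored HTML injection through profile fields, and the escaping fix.

Added example, not Kallithea's code. render_user_row_unsafe() splices
user-controlled fields straight into the markup of an admin page, as
the advisory describes; render_user_row() HTML-escapes them first.
audit_fields() is a check an administrator can run over existing
records after upgrading, since a payload stored in a first name or
description before the fix is still live data. The user and
repository records are constructed; the payload is the first one
quoted in the advisory.
"""
import html
import re

ADVISORY_PAYLOAD = (
    '<img src="/images/kallithea-logo.svg" onload="alert(\'Hello, World!\');">'
)

ROW = "<tr><td>{username}</td><td>{firstname} {lastname}</td></tr>"


def render_user_row_unsafe(user):
    """Vulnerable: values are pasted unfiltered into the HTML."""
    return ROW.format(**user)


def render_user_row(user):
    """Fixed: every user-controlled value is escaped, quotes included, so
    the browser can only ever treat it as text."""
    safe = {k: html.escape(str(v), quote=True) for k, v in user.items()}
    return ROW.format(**safe)


# A tag, or an inline event handler such as onload=, inside a free-text field.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)


def audit_fields(records, fields, key):
    """Return (record key, field) for every stored value that contains markup.
    A constructed check, not a Kallithea feature: it finds payloads planted
    before the upgrade so they can be reviewed and cleaned."""
    findings = []
    for rec in records:
        for f in fields:
            value = rec.get(f)
            if value and MARKUP_RE.search(str(value)):
                findings.append((rec[key], f))
    return findings


# Constructed records standing in for the users and repositories tables.
USERS = [
    {"username": "alice", "firstname": "Alice", "lastname": "Liddell"},
    {"username": "mallory", "firstname": ADVISORY_PAYLOAD, "lastname": "M"},
]
REPOS = [
    {"name": "docs", "description": "Project documentation"},
    {"name": "tools", "description": "Build <b>tools</b> for the team"},
]

if __name__ == "__main__":
    for u in USERS:
        print("unsafe:", render_user_row_unsafe(u))
        print("fixed: ", render_user_row(u))
    print("users to review:", audit_fields(USERS, ("firstname", "lastname"), "username"))
    print("repos to review:", audit_fields(REPOS, ("description",), "name"))
```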

Resolution
==========

The Kallithea project has fixed this issue and has issued a patch and a
bugfix release.

Users are recommended to apply the patch or to upgrade to the latest
0.2.1 release.

Affected versions
=================

The issue is currently present in Kallithea versions before 0.2.1.

Acknowledgments
===============

Thanks to Nick High for reporting this issue.

References
==========

[0] Kallithea Project
<https://kallithea-scm.org/>

[1] CVE-2015-1864
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1864>

[2] Kallithea: Security Notice CVE-2015-1864
<https://kallithea-scm.org/security/cve-2015-1864.html>

[3] Patch for the issue
<https://kallithea-scm.org/security/cve-2015-1864.patch>

[4] Mercurial changeset fixing the issue
<https://kallithea-scm.org/repos/kallithea/changeset/a8f2986afc18c9221bf99f88b06e60ab83c86c55>

--
Cheers,
Andrew Shadura
on behalf of Kallithea Security Team

[CVE-2015-1866] Ember.js XSS Vulnerability With {{view "select"}} Options

Data passed as the label of select options may not be escaped before being passed to the browser.
* Versions Affected: 1.10.0, 1.11.0, 1.11.1, 1.12.0 beta
* Not affected: Versions prior to 1.10.0
* Fixed Versions: 1.10.1, 1.11.2

Impact
-------

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the select view means that any user-supplied data bound to an option's label will not be escaped correctly.
In applications that use Ember's select view and pass user-supplied content to the label, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS").
All users running an affected release and binding user-supplied data to the select options should either upgrade or use one of the workarounds immediately.
Releases
--------

Releases are available on emberjs.com/builds/#/tagged

Workarounds
-----------

Ensure that you escape any user-supplied value that you bind to an option label. For example, if you bind a label:

    {{view 'select' content=people optionLabelPath='content.name'}}

ensure that you escape the `name` value of each item in `people` using Ember.Handlebars.Utils.escapeExpression:

    var people = this.get('people');
    var peopleForSelect = people.map(function(person) {
      // Copy the record and replace the label with its HTML-escaped form,
      // so the select view receives text that cannot be rendered as markup.
      var newPerson = Object.create(person);
      newPerson.name = Ember.Handlebars.Utils.escapeExpression(person.name);
      return newPerson;
    });
    this.set('peopleForSelect', peopleForSelect);

Credits
-------

This vulnerability was reported to us by Phillip Haines of Zestia. Many thanks for working with us on identifying the issue and on the advisory process.
Best,

-Matthew (Ember.js Core Team member)

http://madhatted.com :: @mixonic

diff --git a/packages/ember-htmlbars/lib/templates/select-option.hbs b/pa=
ckages/ember-htmlbars/lib/templates/select-option.hbs
new file mode 100644
index 0000000..6471e4e
--- /dev/null
+++ b/packages/ember-htmlbars/lib/templates/select-option.hbs
@@ -0,0 +1 @@
+{{~view.label~}}
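Review bot: the double-stash `{{~view.label~}}` is what restores escaping here, since HTMLBars escapes a `{{ }}` expression unless it is a SafeString; a one-line comment in select-option.hbs saying this must stay a double-stash (never `{{{ }}}`) would keep a later formatting change from quietly reopening the issue. The `~` markers only trim whitespace and have no bearing on escaping.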
diff --git a/packages/ember-views/lib/views/select.js b/packages/ember-vi=
ews/lib/views/select.js
index a68b58b..6a203ac 100644
--- a/packages/ember-views/lib/views/select.js
+++ b/packages/ember-views/lib/views/select.js
@@ -20,25 +20,12 @@ import { computed } from "ember-metal/computed";
import { A as emberA } from "ember-runtime/system/native_array";
import { observer } from "ember-metal/mixin";
import { defineProperty } from "ember-metal/properties";
-import run from "ember-metal/run_loop";
=

import htmlbarsTemplate from "ember-htmlbars/templates/select";
+import selectOptionDefaultTemplate from "ember-htmlbars/templates/select=
-option";
=

var defaultTemplate =3D htmlbarsTemplate;
=

-var selectOptionDefaultTemplate =3D {
- isHTMLBars: true,
- render: function(context, env, contextualElement) {
- var lazyValue =3D context.getStream('view.label');
-
- lazyValue.subscribe(context._wrapAsScheduled(function() {
- run.scheduleOnce('render', context, 'rerender');
- }));
-
- return lazyValue.value();
- }
-};
-
var SelectOption =3D View.extend({
instrumentDisplay: 'Ember.SelectOption',
=
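Review bot: the removed `render` returned `lazyValue.value()` straight to the DOM with no escaping, which is the root cause, and routing the label through a compiled template is the right fix; since the hunk also drops the `run` import, confirm nothing else in select.js still references `run` before merging. Keeping the identifier `selectOptionDefaultTemplate` for the import means any reference further down the file keeps working unchanged, which is worth a sentence in the commit message.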

diff --git a/packages/ember-views/tests/views/select_test.js b/packages/e=
mber-views/tests/views/select_test.js
index 0452770..53762db 100644
--- a/packages/ember-views/tests/views/select_test.js
+++ b/packages/ember-views/tests/views/select_test.js
@@ -4,6 +4,7 @@ import run from "ember-metal/run_loop";
import jQuery from "ember-views/system/jquery";
import { map } from "ember-metal/enumerable_utils";
import EventDispatcher from "ember-views/system/event_dispatcher";
+import SafeString from 'htmlbars-util/safe-string';
=

var trim =3D jQuery.trim;
=
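Review bot: style nit on the added import: `'htmlbars-util/safe-string'` uses single quotes while the neighbouring imports in this file use double quotes; match the file's convention.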

@@ -133,6 +134,44 @@ test("can specify the property path for an option's =
label and value", function()
deepEqual(map(select.$('option').toArray(), function(el) { return jQue=
ry(el).attr('value'); }), ["1", "2"], "Options should have values");
});
=

+QUnit.test("XSS: does not escape label value when it is a SafeString", f=
unction() {
+ select.set('content', Ember.A([
+ { id: 1, firstName: new SafeString('<p>Yehuda</p>') },
+ { id: 2, firstName: new SafeString('<p>Tom</p>') }
+ ]));
+
+ select.set('optionLabelPath', 'content.firstName');
+ select.set('optionValuePath', 'content.id');
+
+ append();
+
+ equal(select.$('option').length, 2, "Should have two options");
+ equal(select.$('option[value=3D1] b').length, 1, "Should have child el=
ements");
+
+ // IE 8 adds whitespace
+ equal(trim(select.$().text()), "YehudaTom", "Options should have conte=
nt");
+ deepEqual(map(select.$('option').toArray(), function(el) { return jQue=
ry(el).attr('value'); }), ["1", "2"], "Options should have values");
+});
+
+QUnit.test("XSS: escapes label value content", function() {
+ select.set('content', Ember.A([
+ { id: 1, firstName: '<p>Yehuda</p>' },
+ { id: 2, firstName: '<p>Tom</p>' }
+ ]));
+
+ select.set('optionLabelPath', 'content.firstName');
+ select.set('optionValuePath', 'content.id');
+
+ append();
+
+ equal(select.$('option').length, 2, "Should have two options");
+ equal(select.$('option[value=3D1] b').length, 0, "Should have no child=
elements");
+
+ // IE 8 adds whitespace
+ equal(trim(select.$().text()), "<p>Yehuda</p><p>Tom</p>", "Options sho=
uld have content");
+ deepEqual(map(select.$('option').toArray(), function(el) { return jQue=
ry(el).attr('value'); }), ["1", "2"], "Options should have values");
+});
+
test("can retrieve the current selected option when multiple=3Dfalse", f=
unction() {
var yehuda =3D { id: 1, firstName: 'Yehuda' };
var tom =3D { id: 2, firstName: 'Tom' };
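Review bot: in both new tests the selector `option[value=1] b` looks for a `<b>` child while the label content is `<p>Yehuda</p>`, so the `length, 1` expectation in the SafeString test does not follow from the payload and the `length, 0` expectation in the escaping test would hold for the vulnerable code too; use the same tag in payload and selector or drop that assertion. The `trim(select.$().text())` comparison against `"<p>Yehuda</p><p>Tom</p>"` is the assertion that actually distinguishes escaped text from rendered markup, so it is the one the regression test should hinge on.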


diff --git a/packages/ember-htmlbars/lib/templates/select-option.hbs b/pa=
ckages/ember-htmlbars/lib/templates/select-option.hbs
new file mode 100644
index 0000000..6471e4e
--- /dev/null
+++ b/packages/ember-htmlbars/lib/templates/select-option.hbs
@@ -0,0 +1 @@
+{{~view.label~}}
diff --git a/packages/ember-views/lib/views/select.js b/packages/ember-vi=
ews/lib/views/select.js
index 721da86..3583904 100644
--- a/packages/ember-views/lib/views/select.js
+++ b/packages/ember-views/lib/views/select.js
@@ -21,26 +21,12 @@ import { computed } from "ember-metal/computed";
import { A as emberA } from "ember-runtime/system/native_array";
import { observer } from "ember-metal/mixin";
import { defineProperty } from "ember-metal/properties";
-import run from "ember-metal/run_loop";
=

import htmlbarsTemplate from "ember-htmlbars/templates/select";
+import selectOptionDefaultTemplate from "ember-htmlbars/templates/select=
-option";
=

var defaultTemplate =3D htmlbarsTemplate;
=

-var selectOptionDefaultTemplate =3D {
- isHTMLBars: true,
- revision: 'Ember () VERSION_STRING_PLACEHOLDER',
- render: function(context, env, contextualElement) {
- var lazyValue =3D context.getStream('view.label');
-
- lazyValue.subscribe(context._wrapAsScheduled(function() {
- run.scheduleOnce('render', context, 'rerender');
- }));
-
- return lazyValue.value();
- }
-};
-
var SelectOption =3D View.extend({
instrumentDisplay: 'Ember.SelectOption',
=

diff --git a/packages/ember-views/tests/views/select_test.js b/packages/e=
mber-views/tests/views/select_test.js
index eda11bd..8150e31 100644
--- a/packages/ember-views/tests/views/select_test.js
+++ b/packages/ember-views/tests/views/select_test.js
@@ -4,6 +4,7 @@ import run from "ember-metal/run_loop";
import jQuery from "ember-views/system/jquery";
import { map } from "ember-metal/enumerable_utils";
import EventDispatcher from "ember-views/system/event_dispatcher";
+import SafeString from 'htmlbars-util/safe-string';
=

var trim =3D jQuery.trim;
=

@@ -133,6 +134,44 @@ QUnit.test("can specify the property path for an opt=
ion's label and value", func
deepEqual(map(select.$('option').toArray(), function(el) { return jQue=
ry(el).attr('value'); }), ["1", "2"], "Options should have values");
});
=

+QUnit.test("XSS: does not escape label value when it is a SafeString", f=
unction() {
+ select.set('content', Ember.A([
+ { id: 1, firstName: new SafeString('<p>Yehuda</p>') },
+ { id: 2, firstName: new SafeString('<p>Tom</p>') }
+ ]));
+
+ select.set('optionLabelPath', 'content.firstName');
+ select.set('optionValuePath', 'content.id');
+
+ append();
+
+ equal(select.$('option').length, 2, "Should have two options");
+ equal(select.$('option[value=3D1] b').length, 1, "Should have child el=
ements");
+
+ // IE 8 adds whitespace
+ equal(trim(select.$().text()), "YehudaTom", "Options should have conte=
nt");
+ deepEqual(map(select.$('option').toArray(), function(el) { return jQue=
ry(el).attr('value'); }), ["1", "2"], "Options should have values");
+});
+
+QUnit.test("XSS: escapes label value content", function() {
+ select.set('content', Ember.A([
+ { id: 1, firstName: '<p>Yehuda</p>' },
+ { id: 2, firstName: '<p>Tom</p>' }
+ ]));
+
+ select.set('optionLabelPath', 'content.firstName');
+ select.set('optionValuePath', 'content.id');
+
+ append();
+
+ equal(select.$('option').length, 2, "Should have two options");
+ equal(select.$('option[value=3D1] b').length, 0, "Should have no child=
elements");
+
+ // IE 8 adds whitespace
+ equal(trim(select.$().text()), "<p>Yehuda</p><p>Tom</p>", "Options sho=
uld have content");
+ deepEqual(map(select.$('option').toArray(), function(el) { return jQue=
ry(el).attr('value'); }), ["1", "2"], "Options should have values");
+});
+
QUnit.test("can retrieve the current selected option when multiple=3Dfal=
se", function() {
var yehuda =3D { id: 1, firstName: 'Yehuda' };
var tom =3D { id: 2, firstName: 'Tom' };


diff --git a/packages/ember-htmlbars/lib/templates/select-option.hbs b/pa=
ckages/ember-htmlbars/lib/templates/select-option.hbs
new file mode 100644
index 0000000..6471e4e
--- /dev/null
+++ b/packages/ember-htmlbars/lib/templates/select-option.hbs
@@ -0,0 +1 @@
+{{~view.label~}}
diff --git a/packages/ember-views/lib/views/select.js b/packages/ember-vi=
ews/lib/views/select.js
index f5de69d..191e813 100644
--- a/packages/ember-views/lib/views/select.js
+++ b/packages/ember-views/lib/views/select.js
@@ -21,26 +21,12 @@ import { computed } from "ember-metal/computed";
import { A as emberA } from "ember-runtime/system/native_array";
import { observer } from "ember-metal/mixin";
import { defineProperty } from "ember-metal/properties";
-import run from "ember-metal/run_loop";
=

import htmlbarsTemplate from "ember-htmlbars/templates/select";
+import selectOptionDefaultTemplate from "ember-htmlbars/templates/select=
-option";
=

var defaultTemplate =3D htmlbarsTemplate;
=

-var selectOptionDefaultTemplate =3D {
- isHTMLBars: true,
- revision: 'Ember () VERSION_STRING_PLACEHOLDER',
- render(context, env, contextualElement) {
- var lazyValue =3D context.getStream('view.label');
-
- lazyValue.subscribe(context._wrapAsScheduled(function() {
- run.scheduleOnce('render', context, 'rerender');
- }));
-
- return lazyValue.value();
- }
-};
-
var SelectOption =3D View.extend({
instrumentDisplay: 'Ember.SelectOption',
=

diff --git a/packages/ember-views/tests/views/select_test.js b/packages/e=
mber-views/tests/views/select_test.js
index d9fb500..af50933 100644
--- a/packages/ember-views/tests/views/select_test.js
+++ b/packages/ember-views/tests/views/select_test.js
@@ -4,6 +4,7 @@ import run from "ember-metal/run_loop";
import jQuery from "ember-views/system/jquery";
import { map } from "ember-metal/enumerable_utils";
import EventDispatcher from "ember-views/system/event_dispatcher";
+import SafeString from 'htmlbars-util/safe-string';
=

var trim =3D jQuery.trim;
=

@@ -133,6 +134,44 @@ QUnit.test("can specify the property path for an opt=
ion's label and value", func
deepEqual(map(select.$('option').toArray(), function(el) { return jQue=
ry(el).attr('value'); }), ["1", "2"], "Options should have values");
});
=

+QUnit.test("XSS: does not escape label value when it is a SafeString", f=
unction() {
+ select.set('content', Ember.A([
+ { id: 1, firstName: new SafeString('<p>Yehuda</p>') },
+ { id: 2, firstName: new SafeString('<p>Tom</p>') }
+ ]));
+
+ select.set('optionLabelPath', 'content.firstName');
+ select.set('optionValuePath', 'content.id');
+
+ append();
+
+ equal(select.$('option').length, 2, "Should have two options");
+ equal(select.$('option[value=3D1] b').length, 1, "Should have child el=
ements");
+
+ // IE 8 adds whitespace
+ equal(trim(select.$().text()), "YehudaTom", "Options should have conte=
nt");
+ deepEqual(map(select.$('option').toArray(), function(el) { return jQue=
ry(el).attr('value'); }), ["1", "2"], "Options should have values");
+});
+
+QUnit.test("XSS: escapes label value content", function() {
+ select.set('content', Ember.A([
+ { id: 1, firstName: '<p>Yehuda</p>' },
+ { id: 2, firstName: '<p>Tom</p>' }
+ ]));
+
+ select.set('optionLabelPath', 'content.firstName');
+ select.set('optionValuePath', 'content.id');
+
+ append();
+
+ equal(select.$('option').length, 2, "Should have two options");
+ equal(select.$('option[value=3D1] b').length, 0, "Should have no child=
elements");
+
+ // IE 8 adds whitespace
+ equal(trim(select.$().text()), "<p>Yehuda</p><p>Tom</p>", "Options sho=
uld have content");
+ deepEqual(map(select.$('option').toArray(), function(el) { return jQue=
ry(el).attr('value'); }), ["1", "2"], "Options should have values");
+});
+
QUnit.test("can retrieve the current selected option when multiple=3Dfal=
se", function() {
var yehuda =3D { id: 1, firstName: 'Yehuda' };
var tom =3D { id: 2, firstName: 'Tom' };

Phantom Cyber Lands $2.7M Seed Round To Automate Cybersecurity

Phantom Cyber, a cybersecurity startup with an ambitious idea, announced a $2.7M seed round with backing from some of the biggest names in computer security.

Investors include John W. Thompson, former CEO of Symantec, Thomas E. Noonan, former CEO of Internet Security Systems (ISS) and John C. Becker, former CEO of Sourcefire. Zach Nelson, CEO of NetSuite Inc, Foundation Capital and Rein Capital also participated.

The trouble with today’s approach to cybersecurity is that it’s entirely too manual, postulates Phantom Cyber CEO Oliver Friedrichs.

more here.........http://techcrunch.com/2015/04/14/phantom-cyber-lands-2-7m-seed-round-to-automate-cybersecureity/

CVE-2015-3043 Adobe Flash player being exploited in the wild


What the Ridiculous Heck, D-Link?!

As mentioned in an update to my post on the HNAP bug in the DIR-890L, the same bug was reported earlier this year in the DIR-645, and a patch was released. D-Link has now released a patch for the DIR-890L as well.

The patches for both the DIR-645 and DIR-890L are identical, so I’ll only examine the DIR-890L here.........http://www.devttys0.com/2015/04/what-the-ridiculous-fuck-d-link/

Bro: what's it good for?

Google's UIforETW: Windows Profiling Made Easier

Microsoft’s Event Tracing for Windows (ETW, aka xperf) is an amazing tool for understanding the performance of Windows computers. ETW offers an incredibly deep view into the entire system and allows investigations of complex problems that would otherwise be intractable. It can even be used to record traces on a customer’s machine for later analysis on a developer’s machine, to investigate performance problems that cannot be reproduced locally.


However, the process of recording an ETW trace has always been challenging, so we’re pleased to share a new tool we’ve been developing: UIforETW.

more here.......http://google-opensource.blogspot.com/2015/04/uiforetw-windows-profiling-made-easier.html

DOM Attributes now on the prototype chain

The Chrome team recently announced that we are moving DOM attributes to the prototype chain. This change, implemented in Chrome 43 (Beta as of mid-April 2015), brings Chrome more in line with the Web IDL spec and other browsers’ implementations, such as IE and Firefox. WebKit-based browsers, such as Safari, are currently not compatible with the spec.

The new behavior is positive in many ways. It:

Improves compatibility across the web (IE and Firefox do this already) via compliance with the spec.
Allows you to consistently and efficiently create getters/setters on every DOM Object.
Increases the hackability of DOM programming. For example, it will enable you to implement polyfills that allow you to efficiently emulate functionality missing in some browsers and JavaScript libraries that override default DOM attribute behaviors.

more here........http://updates.html5rocks.com/2015/04/DOM-attributes-now-on-the-prototype

[SYSS-2015-013] Panda Antivirus Pro 2015 - Authentication Bypass

Advisory ID: SYSS-2015-013
Product: Panda Antivirus Pro 2015
Vendor: Panda Security
Affected Version(s): 15.1.0
Tested Version(s): 15.1.0
Vulnerability Type: Authentication Bypass Using an Alternate Path or
Channel (CWE-288)
Risk Level: Medium
Solution Status: Not fixed
Vendor Notification: 2015-02-27
Solution Date: -
Public Disclosure: 2015-04-14
CVE Reference: Not yet assigned
Author of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Panda Antivirus Pro 2015 is antivirus software with many features for
defending users against different threats.

The vendor Panda Security describes the product as follows (see [1]):

"Panda Antivirus Pro 2015 is truly 'install and forget'. Remove viruses
and any other threats or malware from your computer. Essential anti
virus that offers real-time protection for your PC."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The endpoint protection software Panda Antivirus Pro 2015 offers a
password protection in order to restrict access to the management
console. With an enabled password protection, changing settings or
deactivating the protection features requires the set password.

By analyzing the password-based authentication of the implemented
password protection, SySS GmbH found that the password comparison is
done within the process PSUAMain.exe (actually within the module
PSUNConsole.dll that it loads), which runs in the context of the current
Windows user, who can also be a standard, limited user.

This allows further analysis and manipulation of the password comparison
at runtime without administrative privileges, as every user is able to
debug and manipulate the processes running with her own user privileges.

In order to bypass the password-based authentication, for example to
deactivate the protection of Panda Antivirus Pro 2015 in an unauthorized
manner, an attacker only has to patch this password comparison so that
it always returns true, for example by comparing the correct unload
password with itself or by modifying the program control flow.

SySS GmbH also found that the password actually set for the password
protection can be extracted as cleartext at runtime from the process
PSUAMain.exe.

Thus, a limited Windows user or malware running in the context of such a
user is able to deactivate Panda Antivirus Pro 2015 in an unauthorized
manner and furthermore to extract the actual password as cleartext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH developed a proof-of-concept software tool named UnloadPanda
for deactivating the Panda protection in an unauthorized manner.

The following output shows an example of a successful bypass of the
password-based authentication and of the cleartext password extraction:

UnloadPanda.exe
SySS Unload Panda Protection v1.0 by Matthias Deeg - SySS GmbH (c) 2015

[+] The Panda process was patched successfully.
Now you can unload the Panda protection with an arbitrary password.
After entering an arbitrary password, the correct one will be shown.
[+] The correct password is: s3cret1!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The SySS GmbH is currently not aware of a solution for the reported
security vulnerability.

Please contact the vendor for further information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2015-02-27: Vulnerability reported to vendor
2015-03-06: Reported vulnerability again as the vendor did not reply to
the first e-mail with the SySS security advisory
2015-03-06: Vendor acknowledges e-mail with SySS security advisory and
opens a case
2015-04-14: Public release of security advisory according to the SySS
Responsible Disclosure Policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web site for Panda Antivirus Pro 2015
http://www.pandasecurity.com/usa/homeusers/solutions/antivirus/
[2] SySS Security Advisory SYSS-2015-013
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-013.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Deeg.

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = 5AE3 96EE A014 FB90 9D81 AF90 8C54 7E88 A34C CED8

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
