Threatpost for B2B
VMware announced today it has patched a privilege escalation vulnerability in VMware Workstation.
Workstation is the hypervisor software connecting multiple virtual machines on host hardware. Compromising a hypervisor would give an attacker remote control over a number of guest machines; the risk is especially elevated in hosting or service provider environments.
This particular vulnerability is limited to the Linux version of VMware Workstation, prior to version 9.0.3.
VMware also patched VMware Player for Linux prior to version 5.0.3.
The vulnerability, VMware said, is a shared library privilege escalation bug. Both Workstation and Player contain the same vulnerability, which could allow a local attacker to escalate privileges all the way to root on the host operating system.
VMplayer is packaged alongside Workstation and runs the OS image without the need for additional hardware.
“The vulnerability does not allow for privilege escalation from the guest operating system to the host or vice-versa,” the advisory said.
Just about a month ago, VMware patched most of its product line, fixing authentication bypass and denial-of-service bugs in vCenter Server, vCenter Server Appliance, vSphere Update Manager, ESX and ESXi.
The most serious vulnerability was one in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order for the vulnerability to be exploitable, the affected product must be deployed in an Active Directory environment, VMware said.
Security people like to call themselves a community, but until June some might say its greatest community achievement is turning Twitter into its own private and contentious echo chamber.
But since the Snowden leaks, there’s been a palpable change and a marked swell in stand-taking. Tweeters have become activists. Companies have shut down services, or shut their doors. People are mad—and to risk a cliché–don’t want to take it anymore.
Words such as transparency are part of the security lexicon, and the long-neglected and apparently subverted protocols, algorithms and standards supporting encryption technologies are no longer skeletons in the closet.
The NSA has done Americans—and “non-Americans”—wrong by collecting the metadata from our phone calls, tapping data center fiber links to monitor our Google searches and email messages, and trampling all over the First Amendment in the name of national security.
And in the process, they’ve stepped on the toes of the security community. They’ve trampled too into your backyard by crippling NIST standards development from the get-go, legally or otherwise coercing companies into giving up encryption keys, and hinting that they can hack their way into companies to steal them if necessary.
The response has been admirable. Google, Facebook, Microsoft, Twitter, LinkedIn and others have all petitioned the government to allow those foundational Internet companies to be more forthcoming about the national security requests for customer data they receive. By law they’re not allowed to provide specific data about National Security Letters, but they’re arguing to the highest courts that they should be able to, if for no other reason than to demonstrate that they’re not complicit with the NSA or FBI in providing user data without a warrant.
Other technology companies, security firms such as Lavabit and Silent Circle, have made their own stands. Lavabit, allegedly Edward Snowden’s secure email provider, shut its doors overnight after being forced to turn over the SSL keys for its service. Silent Circle, seeing the writing on the wall, did the same with its Silent Mail service.
And then you have grassroots movements such as the TrueCrypt audit which raised more money than it anticipated in order to look at oddities in the Windows binaries of the popular open source encryption product. It just might keep the movement going to peer inside other ubiquitous open source security software.
“One of the lasting impacts of the Summer of Snowden is that it’s radicalized members of the security community,” Chris Soghoian told Threatpost last month. “Some of these systems, we’ve long known weren’t good, but no one was incentivized to do something. Now they’re asking tough questions and realizing that [the government saying] ‘Just trust us,’ doesn’t work. It’s funny watching peers who are more conservative and scientists who believe their only job is to publish papers—it’s funny watching them become active too.”
But is it helping? Are you tweeters-turned-activists just spitting into the wind?
Every time NSA Director Gen. Keith Alexander, or Director of National Intelligence James Clapper, sits before a Congressional committee to explain the agency’s surveillance activities, they’re quick to point out there is a legal basis for this activity. And by the letter of the law, they’re probably correct. There’s always a loophole. There’s always a crack to slither through unscathed. There’s always a way—and there’s certainly a will.
And not only are lawyers working against you, but powerful lobbies and perhaps misinformed lawmakers. For every USA FREEDOM Act that’s submitted for consideration, you have something such as the FISA Improvements Bill from Sen. Dianne Feinstein, the powerful chair of the Senate Intelligence Committee who supports NSA surveillance. While the Feinstein bill contemplates ratcheting back some of the NSA’s powers with regard to surveillance, it tacitly approves of metadata collection, for example, and would allow it to continue. This contrasts with the FREEDOM Act, which calls for the immediate and permanent suspension of bulk data collection.
NSA reform will be difficult to come by, rest assured of that. It’s probably fair to say most Americans still stand by that old chestnut that “I have nothing to hide, so what do I care if they monitor what I’m doing.” But the security community—yes you’ve become a community—knows better. There’s finally a call to action that has awakened passion in people who suddenly understand why it’s important to stand up and try to make a difference.
Apple has released a new fix for iOS 7–no, it doesn’t roll your phone back to iOS 6–that patches a vulnerability that enabled a user to make app or in-app purchases without needing to enter a password.
The release of iOS 7.04 marks the third update of the iPhone operating system in the short time since Apple pushed out iOS 7 in September. The new OS represented a major change from the older operating systems, both in the look and feel of the software and in its functionality. There’s much zooming in and out and all about in iOS 7, as well as a blurry background that has drawn quite a bit of criticism.
iOS 7 also was a major security release, fixing issues with the iPhone’s certificate trust policy as well as remote code-execution vulnerabilities in the CoreGraphics and CoreMedia components. Quickly following the release of iOS 7, researchers discovered two different methods for bypassing the passcode lock on the iPhone. Apple ended up fixing those in point releases in October.
Now, the company has pushed out another patch for iOS 7, this one with a single security fix.
“A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization,” the Apple advisory says.
To update, iPhone users can go to their Settings and install the software update.
Buried underneath the ever-growing pile of information about the mass surveillance methods of the NSA is a small but significant undercurrent of change that’s being driven by the anger and resentment of the large tech companies that the agency has used as tools in its collection programs.
The changes have been happening since almost the minute the first documents began leaking out of Fort Meade in June. When the NSA’s PRISM program was revealed this summer, it implicated some of the larger companies in the industry as apparently willing partners in a system that gave the agency “direct access” to their servers. Officials at Google, Yahoo and others quickly denied that this was the case, saying they knew of no such program and didn’t provide access to their servers to anyone and only complied with court orders. More recent revelations have shown that the NSA has been tapping the links between the data centers run by Google and Yahoo, links that were unencrypted.
That revelation led a pair of Google security engineers to post some rather emphatic thoughts on the NSA’s infiltration of their networks. It also spurred Google to accelerate projects to encrypt the data flowing between its data centers. These are some of the clearer signs yet that these companies have reached a point where they’re no longer willing to be participants, witting or otherwise, in the NSA’s surveillance programs. Bruce Schneier, the cryptographer and security expert who has seen some of the NSA documents leaked by Edward Snowden, wrote in a new analysis of the current climate that there appears to be a “fraying” of the surveillance partnerships that have existed for years.
“The Snowden documents made it clear how much the NSA relies on corporations to eavesdrop on the Internet. The NSA didn’t build a massive Internet eavesdropping system from scratch. It noticed that the corporate world was already eavesdropping on every Internet user — surveillance is the business model of the Internet, after all — and simply got copies for itself,” Schneier wrote in his essay.
“Now, that secret ecosystem is breaking down. Supreme Court Justice Louis Brandeis wrote about transparency, saying ‘Sunlight is said to be the best of disinfectants.’ In this case, it seems to be working.”
A partnership requires at least two parties, however, and the disinfectant that has helped bring the anger and disappointment of tech companies out into the open has so far not made its way into the NSA. There are several bills making their way through Congress at the moment, and surely more to come, and some of them are designed to require more transparency of the NSA’s activities. Transparency is one thing; reform is quite another.
The surveillance programs that the NSA and other intelligence agencies have been conducting for years now have relied on weaknesses in the Internet infrastructure, ones that they have taken advantage of in order to gobble massive amounts of data. As many security experts have pointed out, those same weaknesses can be exploited by any other kind of attacker, and their presence makes the Internet itself weaker. Fixing those weaknesses will take some doing, as many of them lie in the basic infrastructure of the network, but as Schneier points out, the job needs doing.
“It’s impossible to build an Internet where the good guys can eavesdrop, and the bad guys cannot. We have a choice between an Internet that is vulnerable to all attackers, or an Internet that is safe from all attackers. And a safe and secure Internet is in everyone’s best interests, including the US’s,” he wrote.