A dangerous easy-to-exploit vulnerability discovered 15 years ago has reared its head again, leaving server-side website software potentially open to hijackers.

The Apache Software Foundation, Red Hat, Nginx and others have rushed to fix the so-called httpoxy flaws, specifically: CVE-2016-5385 in PHP; CVE-2016-5386 in Go; CVE-2016-5387 in Apache HTTP server; CVE-2016-5388 in Apache Tomcat; CVE-2016-1000109 in PHP-engine HHVM; and CVE-2016-1000110 in Python.

These security holes can be exploited to seize control of a vulnerable web app. Basically, you abuse the Proxy HTTP header in a request to the application to set a common environment variable called HTTP_PROXY. The app then uses the proxy server defined by that variable for any of its outgoing connections.

So, if you point HTTP_PROXY at a malicious server, you can intercept the web app's connections to other systems and, depending on how the code works, potentially gain remote code execution. It hinges on whether or not the app makes outgoing connections as part of its operation, and if they can be usefully exploited.

"If you're running PHP or CGI, you should block the Proxy header now," said Vend infrastructure engineer Dominic Scheirlinck, who coordinated the disclosure of the security holes with software makers. The Register had an early look at the details prior to today's public announcement.
There are advisories available now from Apache, Red Hat, US CERT, Nginx, and Drupal with more details.
"httpoxy is extremely easy to exploit in basic form, and we expect security researchers to be able to scan for it quickly. If you're not deploying code, you don't need to worry," added Scheirlinck.

Code that makes outgoing HTTP connections while running in a server-side CGI context is open to easy attack, he said.

"So, for example, if you are using a Drupal plugin that uses Guzzle 6 and makes an outgoing HTTP request (for example, to check a weather API), you are vulnerable to the request that plugin makes being 'httpoxied'," Scheirlinck explained.
The New Zealander says attackers can direct vulnerable servers to open connections to an evil machine's IP address, and waste server resources by running traffic through malicious proxies.
Scheirlinck said the vulnerability is down to a basic namespace conflict:
• RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY.
• HTTP_PROXY is a popular environment variable used to configure an outgoing proxy.
Exploitation is possible if just one vulnerable library is used, such as Guzzle or Artax, while processing incoming HTTP requests. "Probably many, many libraries" are affected, Scheirlinck said. Here's how he described the flaw in a PHP script:
PHP has a method called getenv().

There is a common vulnerability in many PHP libraries and applications, introduced by confusing getenv for a method that only returns environment variables. In fact, getenv() is closer to the $_SERVER superglobal: it contains both environment variables and user-controlled data.
Specifically, when PHP is running under a CGI-like server, the HTTP request headers (data supplied by the client) are merged into the $_SERVER superglobal under keys beginning with HTTP_. This is the same information that getenv reads from.

When a user sends a request with a proxy header, the header appears to the PHP application as getenv('HTTP_PROXY'). Some common PHP libraries have been trusting this value, even when run in a CGI/SAPI environment.
Reading and trusting $_SERVER['HTTP_PROXY'] is exactly the same vulnerability, but tends to happen much less often (perhaps because of getenv's name, perhaps because the semantics of the $_SERVER superglobal are better understood among the community).

Quick and easy mitigations are available, with the best being to block Proxy request headers before they hit applications.
A longer-term fix is to not trust HTTP_PROXY under CGI. Developers of software that is insecure and in need of patching should obtain a Distributed Weakness Filing Project number or apply for a CVE number from MITRE.
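Added example, not code from the article or from any of the affected projects, written in Python because Python's urllib was among the affected components: it emulates the RFC 3875 header-to-environment mapping behind the namespace conflict above, shows the trusting lookup beside a CGI-aware lookup that implements the longer-term fix, and includes the check a front end can use to block the Proxy header. The request headers, hostnames and addresses are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample request headers (not from the article). A client can send
# any header name it likes, including "Proxy".
SAMPLE_REQUEST_HEADERS: Dict[str, str] = {
    "Host": "app.example",
    "User-Agent": "curl/7.47.0",
    "Proxy": "http://203.0.113.7:8080",  # client-chosen proxy address
}

def cgi_meta_variables(headers: Dict[str, str], method: str = "GET") -> Dict[str, str]:
    """Emulate the RFC 3875 rule that maps each request header to an HTTP_<NAME>
    environment variable (name upper-cased, non-alphanumerics replaced by '_').
    This is the step that turns a client's "Proxy" header into HTTP_PROXY."""
    env = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method}
    for name, value in headers.items():
        env["HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())] = value
    return env

def outbound_proxy_vulnerable(env: Dict[str, str]) -> Optional[str]:
    """The httpoxy confusion: HTTP_PROXY is treated as operator configuration
    no matter where the process is running."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")

def outbound_proxy_hardened(env: Dict[str, str]) -> Optional[str]:
    """Longer-term fix from the article: never trust HTTP_PROXY under CGI.
    REQUEST_METHOD is set by every CGI gateway but not by a normal shell, so its
    presence means HTTP_PROXY may have come from the client; drop the proxy
    entirely in that case, as the Python urllib fix does. HTTPS_PROXY is not
    affected: a "Https-Proxy" header becomes HTTP_HTTPS_PROXY, a different name."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or env.get("http_proxy")

def has_proxy_header(headers: Dict[str, str]) -> bool:
    """Quick mitigation from the article: spot a Proxy request header so the
    front-end server or app can strip it or reject the request before it reaches
    CGI code. Header names are case-insensitive."""
    return any(name.lower() == "proxy" for name in headers)

if __name__ == "__main__":
    env = cgi_meta_variables(SAMPLE_REQUEST_HEADERS)
    print("HTTP_PROXY seen by the app:", env.get("HTTP_PROXY"))
    print("vulnerable lookup uses    :", outbound_proxy_vulnerable(env))
    print("hardened lookup uses      :", outbound_proxy_hardened(env))
    print("block at the edge?        :", has_proxy_header(SAMPLE_REQUEST_HEADERS))
```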

"We suspect there may be more CVEs coming for httpoxy, as less common software is checked over," said Scheirlinck.
The Proxy / HTTP_PROXY confusion was first spotted in March 2001 in libwww-perl, and was fixed at the time. This month, researchers at Vend found libraries and tools still making the same namespace screw-up, leaving them open to hijacking. ®

Apple announced one huge change at WWDC 2016: The company is replacing the HFS+ file system on MacOS, iOS, tvOS and WatchOS with a new file system.

The company has introduced its brand new file system called The Apple File System — or APFS for short — for iOS, OS X, tvOS, and WatchOS, making security its centerpiece.

    "The Apple File System (APFS) is the next-generation file system designed to scale from an Apple Watch to a Mac Pro. APFS is optimized for Flash/SSD storage, and engineered with encryption as a primary feature," according to an entry in the WWDC 2016 schedule.

Yes, the Apple File System is optimized for Flash and SSD-based storage solutions that are used in iPhones, iPads, MacBooks, Apple TV set-top boxes, and other Apple gadgets.

APFS supports "nearly" all features the HFS+ file system provides while offering improvements over the previous system in the process.

Apple describes APFS as a modern file system that includes "strong encryption, copy-on-write metadata, space sharing, cloning for files and directories, snapshots, fast directory sizing, atomic safe-save primitives, and improved file system fundamentals."

Here’s what will definitely bother the FBI:

Security and Privacy are fundamental in Apple File System, as APFS supports encryption natively instead of through Apple’s previous full-disk encryption File Vault application.

There are three modes of operation in APFS: no encryption, single-key encryption, and multi-key encryption with per-file keys and a separate key for sensitive metadata.

These modes allow you to apply sufficient encryption depending on your security needs. APFS supports both AES-XTS as well as AES-CBC cipher variants, depending on the actual device.

Multi-key encryption makes it tough to crack even if one has physical access to the storage. Therefore, with APFS, encryption is now a core part of the operating system, which will definitely bother the FBI as well as other government intelligence agencies.

Besides security and privacy features, APFS also includes Snapshots, Clones, and Fast Directory Sizing.

Snapshots are read-only instances of the file system at any given point in time. If the state of the file system diverges away from the snapshot, the changed blocks are saved as part of the snapshot.

Clones are writable instead of read-only. APFS can create file or directory clones instantly, rather than having to wait for data to be copied. It is an easy way to create document revisions and do versioning of anything you might want to track.

Fast directory sizing is a feature in APFS that has been designed to give MacOS a fast way to query the size of a directory and all its child objects, rather than having to wait while a bunch of stat calls complete.

The Apple File System is available to developers in preview form right now and is expected to be launched in earnest in 2017.

The pre-release APFS cannot be used to boot a device and, for now, does not support many Mac staples, including Fusion Drives and Time Machine. It is also uncertain whether the data you put on a drive today will be readable by later versions of APFS.

For more information on the Apple File System, you can refer to the preliminary version of the developer documentation.

Microsoft has released 16 security bulletins on Tuesday resolving a total of 44 security holes in its software, including Windows, Office, Exchange Server, Internet Explorer and Edge.

Five bulletins are rated “critical”, covering flaws that could be used to carry out remote code execution and affecting Windows, Internet Explorer (IE), Edge (the new, improved IE), Microsoft Office and Office services; the remaining 11 are marked important.

One of the critical issues, MS16-071, which set alarm bells ringing for many security experts, involves a use-after-free bug (CVE-2016-3227) affecting Microsoft Windows Domain Name System (DNS) servers on Windows Server 2012 and 2012 R2.

The vulnerability resides in the way the servers handle requests. Attackers could send a specially crafted request to a DNS server and convince it to run arbitrary code in the context of the Local System account, Microsoft’s advisory warns.

Another critical vulnerability is addressed in MS16-070, which patches some security holes in Microsoft Office.

The crucial memory corruption vulnerability (CVE-2016-0025) resides in Microsoft Word’s handling of the RTF format and could allow an attacker to run arbitrary code and take control of the system if the user is logged on with administrator rights.

An attacker could trigger the exploit with a simple e-mail containing a Microsoft Word RTF file without user interaction.

The remaining two critical bulletins address multiple remote code execution vulnerabilities in Microsoft’s browsers Internet Explorer and Edge.

The rest of the bulletins address vulnerabilities in Windows SMB Server, Windows NetLogon, Web Proxy Auto-Discovery (WPAD), Microsoft Exchange, Active Directory, Windows PDF and more.

Meanwhile, Adobe also rolled out security patches for DNG Software Development Kit, Brackets, Creative Cloud Desktop App, and hotfixes for ColdFusion.

However, a patch for a zero-day vulnerability (CVE-2016-4171) in Adobe Flash Player that Adobe claims is being exploited in "limited, targeted attacks" was expected today but will arrive later this week.

Anton Ivanov and Costin Raiu of Kaspersky Labs discovered and reported the zero-day vulnerability in Flash Player version 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. The Flash zero-day exploit is being deployed in active espionage attacks.

Popular code repository site GitHub is warning that a number of users' accounts have been compromised by unknown hackers reusing email addresses and passwords obtained from other recent data breaches.

Yes, GitHub has become the latest target of a password reuse attack after Facebook CEO Mark Zuckerberg and Twitter.

According to a blog post published by Shawn Davenport, VP of Security at GitHub, an unknown attacker using a list of email addresses and passwords obtained from the data breach of "other online services" made a significant number of login attempts to GitHub's repository on June 14.

After reviewing the logins, administrators at GitHub found that the attacker had gained illicit access to a number of its users’ accounts and to those accounts’ data.


Although the initial source of the leaked credentials isn't clear, the recent widespread "megabreaches" of LinkedIn, MySpace, Tumblr, and the dating site Fling, that have dumped more than 642 Million passwords over the past month could be the cause.

GitHub didn't reveal the number of compromised accounts, though it does not appear that any data was lost; so your source code repos are safe. As Davenport wrote:
"For some accounts, other personal information including listings of accessible repositories and organizations may have been exposed."
GitHub informed users that it has already reset the passwords of an unspecified number of accounts accessed successfully by the hacker and has begun contacting all affected users to instruct them how to get back into their account.


The company advised its users to "practice good password hygiene" and to enable two-factor authentication for its service.

Since the leaked credentials from the recent widespread megabreaches date back more than 3 years, there is still a possibility that those credentials were being reused by many online users for other services.

So, it's high time you changed your passwords for all social media sites as well as other online services, especially if you use the same password for different websites.
