Archive

Archive for the ‘Patch’ Category

Java Runtime Environment 1.6 Update 29

October 23, 2011 1 comment

Version 1.6 of the Java platform has been updated to version 29. If you’re not prompted to update automatically, visit Java.com and click the download button.
It patches 20 vulnerabilities including protection against BEAST.

“BEAST” (Browser Exploit Against SSL/TLS) can potentially provide a malicious hacker the ability to bypass SSL/TLS encryption and ultimately decrypt potentially sensitive web traffic.  This exploit was recently demonstrated at a security conference.  The vulnerability related to this exploit is CVE-2011-3389.

http://blogs.oracle.com/security/entry/october_2011_critical_patch_updates

You might have read my previous article, Java 7 released, but it’s still not out of RC.

Java 6 SE - Update 29

Download

You can directly download the whole install package for both 32 and 64 bit windows versions from FileHippo, or visit the Java website directly to be offered an installation suitable for your OS and language.

Firefox 7.01 on Release Channel

October 1, 2011 1 comment

So a new version of Firefox has landed on the Release channel, and already we see the first dot release,  to 7.0.1 – to resolve a bug with Add-On visibility.

We’ve identified an issue in which some users may have one or more of their add-ons hidden after upgrading to the latest Firefox version, affecting both desktop and mobile. These add-ons and their data are still intact and haven’t actually been removed.

blog.mozilla.com/addons

If you’ve had this problem, the upgrade should resolve it. The Add-Ons blog has a link to a tool to resolve the issue if the upgrade doesn’t.

Beta, Aurora, Nightly

So Beta Channel is now at 8.b1, Alpha Aurora Channel is offering 9.0a2 and strange versioning continues over at Firefox Nightly, offering up 9.0a1 – a depreciated build?

Read the official Release Notes for yourself here.

Adobe Flash Player 10.3 Advisory

September 18, 2011 Leave a comment

Flash Player by Adobe, consistently plagued with vulnerabilities, has under gone yet another minor version upgrade on the Release channel – to 10.3.183.7 10.3.183.10

Adobe recommends users of Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.183.5.
Users of Adobe Flash Player for Android 10.3.185.25 and earlier versions should update to Adobe Flash Player for Android 10.3.186.3.

http://www.adobe.com/support/security/bulletins/apsb11-21.html

Google Security

A Google Security researcher who fuzzed over 400 bugs in Flash Player was denied attribution by Adobe, because of the way CVE numbers are allocated.
He blogged about it in this post, and Adobe responded with their own snark..

So, what’s the right number of CVEs to allocate? In this particular case, some of the code changes we made were closely related within a single component, which would argue for consolidating them with a single CVE, while others were clearly distinct. At this point, we’d rather invest our time in continuing the hardening work that will make Flash Player more robust against attack than reviewing change logs. We’ve updated the security bulletin to include CVE-2011-2424 to describe this batch of bugs.

http://blogs.adobe.com/asset/2011/08/how-did-you-get-to-that-number.html

And the updated text of the advisory now attributes the CVE to the Google team.

This update resolves multiple memory corruption vulnerabilities that could lead to code execution (CVE-2011-2424).

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
Tavis Ormandy of the Google Security Team (CVE-2011-2424)

http://www.adobe.com/support/security/bulletins/apsb11-21.html

Downloads

Android users can get the latest release version from the market here, Internet Explorer users can direct download from FileHippo.com and those running Firefox can grab it from FileHippo.com too..

Those looking for the official Adobe Flash Player download site can click here.

Insecure Data Request/Response from Quidco RPC

September 13, 2011 Leave a comment

I recently reported some Data Protection and Privacy issues with the Quidco app for Android, and wanted to have an in-depth look at the Client/Server data sent by the app.

Packet Capture

With the newly installed tcpdump facility, I was able to capture the network traffic from my handset and watch the Quidco app for Android send a request to the remote server and receive data back. This happens when you log-in, when you check-in, when the app wants to load your personal details and display your cash-back history.

Pretty standard stuff, nothing out of the ordinary, nothing unexpected.

The problem is not what’s being sent, but how. The communication between the server and the handset is not secured – the data is sent by the server over the internet as plain-text, and includes your email, postcode, real name, date of birth and IMEI.

JSON-RPC

JSON or JavaScript Object Notation, is a lightweight text-based open standard designed for human-readable data interchange.
The JSON format is often used for serializing and transmitting structured data over a network connection. It is used primarily to transmit data between a server and web application.

http://en.wikipedia.org/wiki/JSON

JSON allows the Quidco app to makes requests to the remote server in a defined way, through procedure calls. Such procedures observed in the analysis of the packet capture include getNearbyDeals and getUserDetails.

Wireshark Analysis

The capture file is loaded into Wireshark where it can be displayed and reconstructed.
One function has the ability to reorder and display in ASCII the request and response of a specific TCP stream.

Reconstruct A TCP Stream

Reconstruct A TCP stream with Wireshark

getNearbyDeals

getNearbyDeals

The function takes several arguments, including the users latitude and longitude, and returns data on the deals close-by.

getUserDetails

getUserDetails

Evil Twin Attack

Being a mobile app, designed to be used out and about, it’s a possibility the end user will connect to a WIFI hotspot, for example Openzone, when they want to check-in at a store or search for near-by deals.

An ‘Evil Twin’ is a hotspot with the same name as a legitimate one, but which is set-up by criminal entities to harvest personal data, log-in or banking details. The Guardian ran a story about it. It’s all to do with the way your handset will automatically connect to a WIFI network based on it’s SSID or name.

Firesheep was a proof of concept plug-in for the Firefox browser, which allowed trivial Facebook session hijacking on insecure networks. Now there is a native Android app, FaceNiff which claims to do a similar job.

Disclosure

The developers of the app were contacted regarding the insecure client/server communication and now the app has been updated to v1.0.4 to address this issue.

Wireshark analysis of traffic captured for version 1.0.4 shows all request/response traffic is made over https.

The main idea of HTTPS is to create a secure channel over an insecure network. This ensures reasonable protection from eavesdroppers and man-in-the-middle attacks

http://en.wikipedia.org/wiki/HTTP_Secure

Wireshark Analysis

v1.0.4 Application Traffic Secured with HTTPS

Quidco App for Android is out of Beta!

September 8, 2011 Leave a comment

The Quidco App for Android has finally lost it’s Beta status, and version 1.1.0 is now available from the Android Market or visit Quidco.com/app.
If you’re not already a Quidco member, read my post and sign up!

v1.1.0

Quidco app for Android is released!

So the Quidco app moves from this early Beta, to full release version, and quickly to v1.0.2 – although the Whats New tab on the web based android market says nothing has changed, the Recently Changed section on the mobile version of the market shows crash fixes.

Using The Quidco App

Sign Up Or Sign In

Load the app, and you will be asked to sign-in with your Quidco details, or to join the Quidco service.
The first time you sign-in, you will be asked to enable Location Sources –  both Network and GPS are required for full functionality.

Location

If you choose not to enable your location, you can still choose from a general list of places.

Device Association

Again, the very first time you run the app you will be asked to associate your device with your Quidco account.
You have to enter the code exactly – if you enter it incorrectly, you will be given several more attempts. If you appear to be stuck, make sure your keyboard doesn’t automatically capitalise the first letter.

If you sign out, it will not ask you to associate again when you sign-in.

Nearby Deals

Click Nearby to be shown a list of deals and in-store cashback offers ordered by distance from location.

At the top, select Map to be taken to a fully interactive Google map with each deal a pin in the map. Click one of the deals to be given it’s name, and again to view the full details.

The Pizza Hut deal for example is a discount voucher, which gives clear instructions for use, and T&C in the details tab.

Account Settings

Under the central option in the bottom bar, My Quidco allows you to view your most recent activity and change your account settings.

You can choose to hide Gambling offers, Hide 18+ offers, and modify your in-store cashback settings, and even register a card if you’re not yet set up.

 

Smart Shopping

With digital vouchers, and  in-store cashback, the Quidco mobile app is a convenient way to earn and to save money in the real world.
Download the app, try it out today!

 

Quidco App for Android Updated – v1.0.8

September 3, 2011 Leave a comment

A new version of the Quidco App for Android has been released to the Android market.

v1.0.8

Quidco App Updated

This update resolves the following issues.

  1. fixed crash when map location shown on Motorola devices
  2. fixed category icons not displaying on some devices
  3. fixed gender toggle style on settings page
  4. fixed gambling/adult style on settings page
  5. fixed error feedback messages on settings page
  6. fixed filters not retaining previously set state
  7. potential fix for crash when loading maps on some devices
  8. potential fix for crash when viewing vouchers on some devices
  9. added greyed out checkbox to filter page to make filters more clear
Categories: Android, Beta, Patch, Quidco, Software Tags: , , ,

Java Runtime Environment 7 – JRE 1.7 – Updated

August 31, 2011 Leave a comment

A new version of the Java platform is out, 1.6 update 27 has been superceded by a minor version increment to 1.7
These Release Notes detail why you need Java.

The Java SE Runtime Environment contains the Java virtual machine,
runtime class libraries, and Java application launcher that are
necessary to run programs written in the Java programming language.

However, if you check your current Java version, you will not see the option to install this latest update.

Java 7

Incorrect Java Version

A notice on the site informs you why.

Why is Java SE 7 not yet available on java.com?

The new release of Java is first made available to the developers to ensure no major problems are found before we make it available on the java.com website for end users to download the latest version. If you are interested in trying Java SE 7 it can be downloaded from Oracle.com

Keep an eye out for the general release and update as soon as you can.