Yet Another Yahoo! Security Issue

[Image: Yahoo! logo (2013 design, purple lettering)]

Yahoo! has fixed a major security flaw. This one was in their Yahoo! Mail service: it allowed an attacker to embed JavaScript in an email and have it execute when the message was viewed. That would give the attacker access to all of a person’s email and their Yahoo! account just by that person opening the malicious email.

How was it done? Yahoo!, like many other email services, strips HTML tags and most attributes from emails it receives. Not all attributes are filtered, though, and normally that would not matter even if JavaScript were embedded in one: the attribute value is entity-encoded, so it will not execute. However, thanks to the video and image previews added in recent years (the ones that show YouTube or Vimeo video preview icons, or previews of images attached to an email), some data-x attributes are passed through so that the JavaScript Yahoo! wrote can generate a preview block:

Yahoo! Mail XSS Bug

So a security researcher wondered: what would happen if I embedded a script inside the element’s data attribute? He tried it:

What happened when he sent himself the infected email to his Yahoo! account?

Yahoo! Mail showing a popup generated from a received email

Uh oh…

But that is just some script embedded in an attribute; why is it being converted into actual HTML? He began digging through Yahoo!’s JavaScript, the part that generates those video and image previews, and found a piece of code that simply took the contents of a couple of those attributes and embedded them in the page as HTML:

Oops…

With that kind of power an attacker could read all of the email of anyone who opened an infected message, send email as that user, or perform other actions with their account.
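The pattern described above, as an added example that is not Yahoo!’s code: a small Node.js model of a preview builder that reads data attributes back out of a sanitized email body and either concatenates them into HTML (the bug) or encodes them first (the fix). The attribute names data-preview-title and data-preview-url, the sample email and the helper functions are all constructed for illustration.

```javascript
// Added example (not Yahoo!'s code). Models the bug class: attribute values
// survive the email sanitizer entity-encoded and harmless, but the preview
// builder reads them back and drops them into the page as raw HTML.

// Decode the entities a browser decodes when reading an attribute value
// (what Element.getAttribute() returns for an encoded attribute).
function decodeEntities(value) {
  return String(value)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Encode a value so it is inert in both text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Read a data-* attribute out of the sanitized email body. Returns the
// decoded value, exactly as preview code would see it via getAttribute().
function readDataAttr(emailHtml, name) {
  const match = emailHtml.match(new RegExp(`${name}="([^"]*)"`, 'i'));
  return match ? decodeEntities(match[1]) : null;
}

// Vulnerable preview builder: attribute values are concatenated into markup
// destined for innerHTML. Anything encoded in the email is now live HTML.
function renderPreviewVulnerable(emailHtml) {
  const title = readDataAttr(emailHtml, 'data-preview-title') || '';
  const url = readDataAttr(emailHtml, 'data-preview-url') || '';
  return `<div class="preview"><a href="${url}">${title}</a></div>`;
}

// Hardened preview builder: the URL is restricted to http(s) and every value
// is re-encoded before it is placed in the markup (in a real page, prefer
// textContent / setAttribute over innerHTML for the same effect).
function renderPreviewSafe(emailHtml) {
  const title = readDataAttr(emailHtml, 'data-preview-title') || '';
  const url = readDataAttr(emailHtml, 'data-preview-url') || '';
  const safeUrl = /^https?:\/\//i.test(url) ? url : '#';
  return `<div class="preview"><a href="${escapeHtml(safeUrl)}">${escapeHtml(title)}</a></div>`;
}

// Check a sanitizer test suite could run over generated preview markup:
// does it contain a script element, an inline event handler or a javascript: URL?
function containsActiveContent(html) {
  return /<script\b|\bon[a-z]+\s*=|javascript:/i.test(html);
}

// Constructed sample: a sanitized email body after the mail service has
// entity-encoded the attribute value. Attribute names are hypothetical.
const CONSTRUCTED_EMAIL =
  '<div data-preview-title="Holiday video&lt;script&gt;alert(1)&lt;/script&gt;" ' +
  'data-preview-url="https://video.example/watch?v=123">Check this out</div>';

console.log('vulnerable:', renderPreviewVulnerable(CONSTRUCTED_EMAIL));
console.log('hardened:  ', renderPreviewSafe(CONSTRUCTED_EMAIL));
```

Running it shows the vulnerable output carrying a live script element while the hardened output keeps the same text visible but encoded; the containsActiveContent check is the kind of assertion a sanitizer’s regression tests should make on every template that takes attacker-influenced input.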

The researcher reported the flaw before publishing the details, and Yahoo! has fixed the issue.

Chrome Security Update: 45.0.2454.101

[Image: Google Chrome browser logo]

Google has released a security update for its Chrome web browser. The new version, 45.0.2454.101, includes fixes for a reported cross-origin bypass that affects both the document object model (DOM) parser and the V8 JavaScript/ECMAScript engine.

It is recommended that you update your browser to this version to prevent possible exploitation. You can do so by clicking the main menu icon (three horizontal bars in the top right) and going to Help / About Google Chrome, or by downloading from:

http://www.google.com/chrome/

Firefox: Stolen and Fixed

[Image: Mozilla Firefox browser logo]

Mozilla, the open-source software community run by the non-profit organization Mozilla Corporation and developer of the Firefox web browser, has announced that its bug tracking system, Bugzilla, was hacked. The organization’s blog post states that the compromised account had access to privately listed bugs representing zero-day security flaws in the browser. If you keep your browser up-to-date, however, you are protected: the zero-day flaws that were stolen were all patched in version 40.0.3, released August 27, 2015. The post does not state the date on which the account was compromised.

[Image: green bug being swept up by a broom (clip-art). By Poznaniak and other authors listed in the source files, via Wikimedia Commons]

This should definitely be a wake-up call for you to keep the software you use up-to-date. Many applications today will automatically update (including the more recent versions of Firefox) but some do not. In addition to keeping you safe from security flaws, the latest versions of programs also deliver features that make using the software more enjoyable and sometimes easier. In the case of web browsers, it also delivers new tools for web developers to use to make better web applications and websites that are more visually appealing and interactive.

More Information

A more detailed explanation of why you should take the time to ensure the software you use is up-to-date will follow in an upcoming post; I will link it here.

WordPress Security Release 4.2.4

[Image: WordPress logo, a "W" in a dark gray circle with "WordPress" written below]

WordPress has released version 4.2.4. This security release fixes three cross-site scripting (XSS) vulnerabilities and a possible SQL injection vulnerability.

In addition, the update fixes a few general bugs in the software:

  • A fix for characters not being saved correctly when a non-standard database collation is used
  • A fix for the core not type-checking directory listings using glob()
  • A fix for shortcodes not working when they are added at the beginning of an HTML element (e.g. <[my-shortcode ...] >)
  • A fix for shortcodes removing line returns inside of CDATA content blocks

WordPress is open-source blogging and publishing software originally developed by Automattic, which handed off the software and copyrights to the WordPress Foundation, a charitable organization that supports WordPress and related plugins.

https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/