Tuesday, February 12, 2013

Vulnerable Browser Plug-ins: I'm looking at you, Java

It's been about a month now, and the talk of the Java exploit has largely subsided.  Thank you, five-minute attention span.  (Don't worry, I'm accusing myself too).  When the Java exploit received such a critical warning from the Department of Homeland Security's, U.S. Computer Emergency Readiness Team (DHS US-CERT, for short), on January 10, 2013 the news spread like wildfire.  The reason more attention was paid to this than the other 20 alerts for significant risk published in 2012 is that it's very rare for the CERT to advise the general public, consumers and businesses alike, to completely disable a software component - in this case, a browser plug-in.

A complete breakdown of the exploit is available at Mitre's Database of Common Vulnerabilities and Exposures, but in essence the exploit payload, once executed, escalates privileges to allow an attacker control of the system.  A key factor in this exploit receiving so much attention is that all versions of Java are vulnerable across all operating systems, and a package to deliver this exploit was built for metasploit - the free, open-source penetration testing software suite.  Here's a video demonstrating how easy it is to exploit a Windows 8 virtual machine running Internet Explorer 10:

The exploit delivery is all hinged upon whether or not the user accesses a page and auto-loads Java, which will make a request for the .jar file.  What does this mean?  Key dangers come from compromised websites hosting this malware and phishing attempts.

It took Oracle about four days to patch the vulnerability.  If you haven't already done so, it's highly recommended that you update your version of Java.  Most of those concerned will just patch Java and get on with browsing the web, but I think this exploit brings to attention interesting browser behavior.

Running the Browser Gauntlet

When I was first alerted to the exploit, I wanted to test the three big ones to see how they'd inform me of a website wanting to load the Java plug-in.

  1. First up, Internet Explorer.  As in the video above, when I visited a website hosting Java, IE didn't prompt me for action and immediately loaded the Java plug-in.  FAIL
  2. Next in line, Firefox.  FAIL
  3. Okay, Chrome...here we...wait, what?  Chrome alerts me that individual websites want to run Java?  I can still see the rest of the page and just choose not to let Java run?  And this is a default browser behavior?  Well done, sir.  Well done.
I know, I know.  Both IE and Firefox both have browser add-ons that will perform the Java block, but those features aren't baked into the browser by default, whereas Chrome's is!  Here's a screen capture of what you can expect:

So, it would appear the easiest way to protect yourself in regard to this exploit is to use Chrome.  Aside from that, disable Java, or update it to the latest patched version.  Be safe out there!

Read More

Thursday, February 7, 2013

Windows 8: VLC Blu-Ray playback


When I first purchased my Sony laptop, it came with PowerDVD or something similar installed in Win7 allowing Blu-Ray playback.  Any time I travel, I always take this laptop so I can play my Blu-Rays for shows not available through streaming methods.  When I upgraded to Windows 8, Sony doesn't offer the Blu-Ray playback software in the list of software available for download for my laptop model, so I basically lost my ability to play Blu-Rays.

I've used VLC before, and it's a great open-source, multi-platform video player.  I encourage everyone to check it out if you haven't had the privilege to use it.  Since it was free, I installed it and tried to play a Blu-Ray - no luck.  I used the 32-bit version, which is the default download version for Windows.  When I inserted the disc, I just pointed VLC to my disc drive and clicked "Play."  Since that didn't work, I opened the menu: Media > Open Disc, and on the Disc tab I selected BluRay and tried to play it.  Still no luck, but this time I received a more informative error, which was that VLC was missing libaacs.

The Fix
I Googled how to add libaacs capability to VLC, and came across an older guide.  Here's my specific steps:

  1. Install VLC
  2. Visit http://vlc-aacs.whoknowsmy.name/
  3. Copy the libaacs.dll to the root VLC installation directory:
    • C:\Program Files\VideoLAN\VLC (x64)
    • C:\Program Files (x86)\VideoLAN\VLC (x86)
  4. Open your appdata folder
    • Start > Run (or Windows key + R)
    • Type %appdata%; on Windows 8 the qualified path is: C:\Users\username\AppData\Roaming\
    • Look for an aacs folder, and if there isn't one, create it
    • Inside the aacs folder place the KEYDB.cfg file
  5. Insert a Blu-Ray disc, open VLC, and try to play it.
Once I completed that process, I can play Blu-Ray discs again!  Hope it works for you.  Feel free to leave feedback if your steps differed from mine.

P.S. alternatively, you could just fork over the $50 to $100 for a Blu-Ray playback software suite and save yourself the time/trouble.

Read More