Rogue Certification Authority certificates a reality
A team of researchers presenting yesterday at the 25th Annual Chaos Communication Congress, held in Berlin, has successfully demonstrated an attack against X.509 digital certificates signed by a trusted Certification Authority (CA) using the MD5 hashing algorithm. The attack makes use of MD5 collision techniques, which have been known to exist since 2004 but were demonstrated in practice here for the first time.
Read more about the details here.
The discovery, however, does not pose a serious security risk, as the technique has not been disclosed. Furthermore, most CAs are already using at least SHA-1 for the hashing function instead of MD5. The slow mover, VeriSign, acknowledged the attack today and confirmed that all certificates issued are not vulnerable to the new attack.
If you are still paranoid, get hold of an Extended Validation Certificate.
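An added example, not from the original post: a standard-library Python check that reads the signatureAlgorithm OID of a DER-encoded certificate and reports whether it is MD5-based, the property the attack above depends on. The `sample_cert` helper is hypothetical and builds a constructed skeleton, not a real certificate.

```python
# RSA signature algorithm OIDs from PKCS #1; the flag marks the MD5-based one.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs; a set high bit means more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, is_md5) for a DER-encoded certificate."""
    tag, body, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)          # skip tbsCertificate
    # Outer signatureAlgorithm; RFC 5280 requires it to match tbsCertificate.signature.
    _, alg, _ = read_tlv(body, pos)
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    name, is_md5 = SIG_ALGS.get(dotted, ("unknown", False))
    return dotted, name, is_md5

def sample_cert(alg_arc):
    """Constructed skeleton (not a real certificate) with the given final OID arc."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([alg_arc])) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x01")) + alg + tlv(0x03, b"\x00" + b"\xaa" * 8))
```

Calling `signature_algorithm(sample_cert(4))` returns the MD5 entry with the flag set; arcs 5 and 11 return the SHA-1 and SHA-256 entries.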
Happy New Year 2009!
Yahoo! fixes cross-site scripting vulnerability
Yahoo! has fixed a cross-site scripting vulnerability affecting the HotJobs website. The vulnerability, first reported by Netcraft, allowed injection of malicious code that stole the session authentication cookies of Yahoo! users and submitted them to a US-based web server. Yahoo!’s statement, found on Netcraft, states:
The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue.
As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.
The session authentication cookies could have been used for accessing Yahoo! services such as Yahoo! Mail and Yahoo! HotJobs amongst others.
Google’s Chrome under fire
The new JavaScript speed king, the Google Chrome web browser, is getting hammered by security researchers over security vulnerabilities ranging from crashing the browser to potentially running malicious code on the user’s computer. Here’s a quick round-up of what I have come across so far:
1. “Carpet bomb” - September 3, 2008. Security researcher Aviv Raff managed to discover this vulnerability hours after the browser was released. The vulnerability, when exploited, could litter the user’s download directory with numerous irrelevant files or could potentially be used to exploit other vulnerabilities that may exist on the user’s machine.
Raff describes on his site how a specially crafted Java archive (JAR) file, combined with a social engineering ploy, could trick a user into downloading and executing the file without any warning from the browser.
The vulnerability comes from Google’s use of an outdated version of WebKit, the open source browser engine toolkit used also by Apple’s Safari browser. The WebKit version used in Chrome is the same used in Safari 3.1, which had its own set of vulnerabilities.
2. URL Handler Crash - September 3, 2008. Rishi Narang discovered an issue in Chrome that can crash Chrome altogether when the user visits a specially-crafted URL, throwing the following (G)message:
Whoa! Google Chrome has crashed. Restart now?

