Thanksgiving should be a time for rest and relaxation; there’s good food, better company and the chance to take a break before the holiday season gets into full swing. For companies LinkedIn, Zen Cart and Lenovo, however, the weekend wasn’t a walk in the park: All three patched critical vulnerabilities in their software to address problems with style sheets, PHP and automatic update security. Here’s a quick look at what was addressed.
Big Link, Big Trouble
First up is LinkedIn. As reported by SecurityWeek, security firm BitSensor recently discovered a potential flaw in the cascading style sheets (CSS) used by LinkedIn’s publishing platform. The social site had good intentions — to allow users to customize the look and feel of their blog posts — but CSS security was apparently overlooked. While HTML tags used by the platform are deliberately limited to lower the chance of a cross-site scripting (XSS) attack, Ruben van Vreeland of BitSensor discovered modifying trusted CSS class selectors could allow malicious actors to significantly alter the user interface to permit clickjacking.
Here’s how it works: By using the li_style CSS to force a link to stretch across the entire width and length of page, attackers could covert the entire visible surface into a single, massive redirect. However, no instances of this attack were detected in the wild, and LinkedIn has already patched the problem to prevent this kind of clickjacking.
Not So Peaceful
E-commerce software Zen Cart, meanwhile, had its own problems with a PHP bug that would allow attackers “unlimited access to the files and entire database of the vulnerable application,” SecurityWeek stated. The problem only affected the newest version — Zen Cart 1.5.4 — and stemmed from a PHP file inclusion vulnerability in the /ajax.php file.
Security firm High-Tech Bridge found the flaw on Nov. 25. It reported that the PHP problem was not difficult to abuse and was possible even on hardened Web servers. Within 24 hours, Zen Cart said it patched the problem, and High-Tech Bridge has reported it will release the full details of the vulnerability on Dec. 16.
Computer manufacturer Lenovo also patched two critical issues over the weekend that could have allowed malicious actors to easily guess admin passwords or elevate privileges on a Windows device. Security company IOActive reported the problems in October, and Lenovo fixed both issues on Nov. 19. The vulnerabilities stemmed from Lenovo System Update version 5.07.0013, which automatically looks for support updates. By taking advantage of weaknesses in the password-generation algorithm, however, it’s possible for attackers to guess the username and password of a temporarily generated admin account.
According to Threatpost, the vulnerability only exists when the update’s first effort at strong password generation fails and forces the program to use an easier, reproducible algorithm. If attackers know the algorithm and when the admin account was created, it’s possible to gain full access. In addition, a function intended to let lower-level users initiate system updates permitted an easy privilege escalation attack using a browser instance created by links to Lenovo support and help topics, which could then be used to gain admin privileges and save or run malicious code.
Not everyone had a restful Thanksgiving. Users of LinkedIn, Zen Cart and Lenovo machines have something to be thankful for, however: Speedy patches plugged a number of serious software holes.