Intel ships BIOS fix for Rutkowska’s Black Hat flaw

Intel ships BIOS fix for Rutkowska’s Black Hat flawIntel has shipped a BIOS update with a fix for a privilege escalation vulnerability that was used by rootkit researcher Joanna Rutkowska to bluepill the Xen hypervisor.

The vulnerability was discussed by Rutkowska at the Black Hat briefings earlier this month but details on the exploit were withheld until Intel could release its patch.

That patch is now available (you can download a new firmware for your motherboard here) with a severity rating of “important.”

According to Intel’s advisory, software running administrative (ring 0) privilege can under certain circumstances change code running in System Management Mode.

  • A new BIOS update is available for select Intel desktop motherboards to ensure proper configuration settings. This change would prevent a malicious user from modifying software that is run in System Management Mode (SMM). SMM is a privileged operating environment running outside of OS control. Malicious software running in this environment could therefore perform any number of operations. Administrative level privileges are required to exploit this issue. BIOS updates to correct this issue are available for all affected Intel branded motherboards.

In a blog entry following Intel’s patch release, Rutkowska warns that an attacker could also use this bug to “directly modify the hypervisor memory, without jumping into the SMM first, just as we did it with our exploit.”

  • Also, in case of e.g. Linux systems, the Ring 0 access is not strictly required to perform the attack, as it’s just enough for the attacker to get access to the PCI config space of the device 0:0:0, which e.g. on Linux can be granted to usermode applications via the iopl() system call.

Affected Intel motherboards: DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, DX38BT and MGM965TW (Mobile).

In its advisory, Intel provides a step-by-step walk-through to help identify systems at risk and detailed instructions on updating your BIOS.

[Source: zdnet]

MSN Norway serving Flash exploits through malvertising

Morten Krakvik from the Norwegian Honeynet Project is reporting that MSN Norway is among the latest victims ofMSN Norway malvertising, a practice where a bogus advertising provider tricks leading portals into accepting advertisements from its network, which often end up redirecting to live exploit URLs. The recent wave of malvertising that also targeted Digg, MSNBC and Newsweek, is very similar to the malvertising campaigns that took place in February which were targeting popular sites as Expedia, Excite, Rhapsody and MySpace. The only thing the malvertisers keep changing are the fake security software domains that they push through their campaigns.

Flash player versions susceptible to exploitation are :

Adobe Flash 9.0.16
Adobe Flash 9.0.28
Adobe Flash 9.0.45
Adobe Flash 9.0.47
Adobe Flash 9.0.115

According to Krakvik’s analysis, the malicious ad came from bannersrotator DOT com which is still active, and servingbannersrotator the malicious ad (tunnel28.swf) currently detected by 9 out of 36 antivirus scanners as SWF:CVE-2007-0071, or SWF.Exploit.

Who’s to blame anyway? The end users for not bothering to patch their browsers and third-party applications at the first place, the portals for doing business with such obviously rogue advertising providers like bannersrotator DOT com, or the advertising networks sacrificing security for efficiency and not screening the ads and newly joining advertisers like bannersrotator DOT com?

It’s the lack of decent situational awareness demonstrated by all parties. For instance, the end user thinking that patching their browser is where it all ends, the portals for not taking advantage of publicly obtainable tools aimed at analyzing malicious flash files, and the advertising networks themselves, for choosing efficiency next to security and helping rogue security software providers have their ads syndicated across legitimate sites.

[Source: zdnet]

iPhone passcode lock rendered useless

iPhone passcode lock rendered uselessDo not trust that passcode lock on Apple’s iPhone.

The feature, which lets users set a four-digit pincode to limit access to the device, can be easily bypassed with a few finger taps on the iPhone to give an intruder access to sensitive information.

Here are a few steps to reproduce this vulnerability (requires physical access to a passcode-protected device) to access the phone, e-mail and SMS messages, Google Maps and the full Safari browser:

  • Set up a passcode lock (Settings > General > Passcode Lock and enter a 4-digit passcode. iPhone then requires you to enter the passcode to unlock it).
  • Set up contacts in address book with e-mail address, phone numbers and Web sites.
  • Turn off/on iPhone and move slider to get to “Enter Passcode” screen.
  • Tap “Emergency Call” button (buttom left).
  • Double tap home button.
  • This pulls up all contacts in the Favorites list.
  • Tap on the blue arrow next to contact’s name to get full access to e-mail, SMS, Safari, etc.

Here’s the most troubling thing about this vulnerability: It was fixed by Apple (see advisory) for iPhone v1.1.3 and iPod touch v1.1.3 back in January this year.

  • Passcode Lock
    CVE-ID: CVE-2008-0034
    Available for: iPhone v1.0 through v1.1.2
    Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
    Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

I have confirmed this issue affects iPhone and iPod Touch 2.0, which means the January fix never made it into the newer versions of the software.

The obvious workaround: Remove all Favorites until Apple ships a proper fix.

UPDATE: In the TalkBack section, reader zrds comes up with a better workaround:

  • I’d like to point out that a good workaround is setting your home button “Settings->General->Home Button” to “Home” will effectively negate the issue.

This does work much better as a mitigation.

[Source: zdnet]

Feel like taunting an identity thief? Don’t.

Phishers bite backThe next time you get the urge to enter angry messages to phishers on fake (malicious) Web sites, stop and consider this discovery by researcher Joe Stewart.

The identity thieves behind the Asprox botnet have built extra logic into phishing sites to detect taunts and subject those computer users to drive-by malware exploits.

“If you are running Windows and haven’t recently installed your security updates and patched all your browser plugins/ActiveX controls, you might find yourself infected with your very own copy of Asprox,” Stewart warns.

Not only do you then get the opportunity to unknowingly send phishing emails on behalf of the botnet, you will likely get some extra goodies, since Asprox is also a downloader trojan. You won’t notice it running, but you might notice some of the things it downloads and installs.

For instance, you might find your desktop wallpaper changed to a “spyware alert” type of message, and now all your screen saver shows is scary blue-screens-of-death.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

Stewart posts screen shots with evidence that the Asprox botnet operators are linked to the attackers behind the rogue security software (scareware) attacks.

And at any time, Asprox might deliver another malicious payload and install it for you - and it could be much worse: we’ve seen the Zbot banking trojan installed by Asprox in the past. So instead of a dealing with a nuisance program, you might be silently sending your banking and credit card information to the botnet owners. Something to think about before venting your frustrations on the bad guys. Sometimes phish bite back.

* Image source: David Locke’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Malware detected at the International Space Station

Malware is reaching new heights, and going into Space through a removable media carrying the W32.Gammima.AGISS Malware password stealing malware to the International Space Station. According to :

W32.Gammima.AG worm is a level 0 gaming virus intended to gather personal information. Virus was never a threat to any of the computers used for cmd and cntl and no adverse effect on ISS Ops. Theory is virus either in initial software load or possibly transferred from personal compact flash card. Working with Russians (and other partners) regarding ground procedures to protect flown equipment in the future. It was noted that most of the IP laptops and some of the payload laptops do NOT provide virus protection/detection software .”

Going through some of the daily reports from the ISS, it appears that the folks above us may in fact be doing more antivirus signature updates and scanning of arriving removable media then the average Internet users here on Earth. Trouble is, this approach only mitigates the risk of infection from known threats. How long before the ISS’s laptops start phoning back to a botnet command and control here on Earth upon having their laptops infected with an undetectable by their AV scanner malware?

Wired’s Ryan Singel quotes NASA spokesman Kelly Humphries that “This is not the first time we have had a worm or a virus, it’s not a frequent occurrence, but this isn’t the first time :

“NASA downplayed the news, calling the virus mainly a “nuisance” that was on non-critical space station laptops used for things like e-mail and nutritional experiments. NASA and its partners in the space station are now trying to figure out how the virus made it onboard and how to prevent that in the future, according to Humphries.”

Moreover, according to the 2007’s Final Report of the International Space Station Independent Safety Report, someone needs to tip NASA on why quarterly scanning for vulnerabilities leaves a wide open window of opportunity for exploitation through client-side exploits executed against the crew’s laptops :

“The software and workstations that perform communications and commanding functions also have several security measures. Security for the MCC workstations is governed by and consistent with the National Information Assurance Policy for U.S. Space Systems. All work-stations for command and telemetry are continuously monitored by standard anti-virus and spy-ware protection software and are scanned quarterly for vulnerabilities using the latest industry standard security software. Password protection is in place on all workstations and only certain users/accounts can access ISS commanding servers, which require an additional password. Access to ISS commanding is further limited by partitioning available commands by user groups, and users only have access to the commands necessary to perform that discipline’s function. To provide a quality check of commands, two people are required to perform a command. Finally, all commands to the vehicle are encrypted and must pass through a series of validity and authentications checks.”

Wonder which antivirus software they’re running at the ISS? The daily reports detailing the activities of the crew members provide some interesting details :

  • ISS On-Orbit Status 08/14/08 - Working on the Russian RSS-2 laptop, Sergey Volkov ran digital photo flash cards from stowage through a virus check with the Norton AntiVirus application
  • ISS On-Orbit Status 11/14/07 - Yuri also had about an hour set aside for inspecting RS onboard computer & OpsLAN/Ethernet systems, including verifying laptop equipment, familiarizing himself with cabling functions and laptop assignments, checking anti-virus signature updates on the RSS2 laptop, and checking computer spares & accessories kits
  • ISS On-Orbit Status 08/21/08 - Sergey checked another Russian laptop, today RSK-1, for software virus by scanning its hard drives and a photo disk with the Norton AntiVirus application
  • ISS On-Orbit Status 08/22/08 - CDR Volkov began his day by downlinking yesterday’s Norton AntiVirus (NAV) data from the RSK-1 laptop scan

Since it’s fairly logical to assume that the ISS is heavily networked using protocols that malware can easily spread through despite not being originally written and intended to reach the ISS, NASA should definitely take this repeating situation more seriously next to calling a “nuisance”.

Image courtesy of NASA.

[Source: zdnet]

Microsoft confirms ‘InPrivate’ IE 8

Microsoft confirms IE 8 private browsing modeWhen Microsoft’s Internet Explorer 8 browser makeover ships later this year, it will feature several nifty privacy features aimed at giving surfers control over their Web footprints.

One week after bloggers discovered clues that IE 8 will include a private browsing (ahem, porn mode), Microsoft used the official IE blog to discuss four new granular controls in the browser.

They include:

  • InPrivate Browsing: This lets you control whether or not IE saves your browsing history, cookies, and other data.
  • Delete Browsing History: This helps you control your browsing history after you’ve visited Web sites.
  • InPrivate Blocking: This informs you about content that is in a position to observe your browsing history, and allows you to block it.
  • InPrivate Subscriptions: This feature allow you to augment the capability of InPrivate Blocking by subscribing to lists of Web sites to block or allow.

[ SEE: Anti-malware blocker, cross-site scripting protections coming in IE 8 ]

Microsoft program manager Andy Zeigler provides all the details on the new features and my colleague Mary Jo Foley has some additional commentary.

The new beta refresh will also include support for safer Web 2.0-type mashups, DEP (data execution protection) turned on by default in Windows Vista SP 1, domain highlighting to help flag phishing attacks and changes to the way ActiveX controls are handled.

[Source: zdnet]

Linux under attack: Compromised SSH keys lead to rootkit

Compromised SSH keys leads to rootkitThe U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2″ is installed, US-CERT said in a note on its current activity site.

From the advisory:

  • Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

Phalanx, which dates back to 2005, is a self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.

Details on the attacks — and targets — remain scarce but it’s a safe bet this is linked to the Debian random number generator flaw that surfaced earlier this year. A working exploit for that vulnerability is publicly available.

To mitigate the risk from this attack, US-CERT recommends:

  • Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
  • Encourage users to use the keys with passphrase or passwords to reduce the risk if a key is compromised.
  • Review access paths to internet facing systems and ensure that systems are fully patched.

If a compromise is confirmed, US-CERT recommends:

  • Disable key-based SSH authentication on the affected systems, where possible.
  • Perform an audit of all SSH keys on the affected systems.
  • Notify all key owners of the potential compromise of their keys.

* Image source: wili_hybrid’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Twitter’s “me too” anti-spam strategy

With Twitter’s continuing growth, its popularity is logically starting to attract the attention of malicious parties, likeTwitter Blacklisting spammers, phishers, and malware authors who wouldn’t mind the fact that nobody is following them when they’re actively updating several hundred users with their latest propositions.

Last’ week’s Twitter announcement that it’s “Turning Up The Heat On Spam” clearly indicates that they are not just aware of the problem, but also, admitting their current inability to deal with it the way they want to. So what is the Twitter team up to? Suspending accounts, community powered feedback on spammers accounts, and hiring dedicated personnel to look for, and shut down spammer’s accounts. Will these measures work? It’s all a matter of implementation, breaking out of the “me too” anti-spam strategies mentality, and listening to what the community has been saying for months.

Twitter is at least being realistic to the situation, and is not offering the Moon with these approaches :

Suspending a spam account only works after it’s already caused some damage. We have enhanced our admin tools to more accurately factor your feedback for a more timely diagnosis. When you block a spam account, we take note—when more people start blocking a spam account, we go to red alert. Blocking also puts that account out of sight and out of mind so you don’t have to see it anymore.

It’s unfortunate that this has to be done but we’re going to hire people whose full time job will be the systematic identification and removal of spam on Twitter. These folks will work together with our support team, and our automatic spam tools. Our first “spam marshal” is starting at Twitter next week.

As always, fighting spam is a sustained activity. There is no magic wand we can wave or switch we can flip to make it all go away. Spammers will keep finding inventive new ways to advance their motives and harm user experience and we’ll keep shutting them down and slowing their progress. We just wanted to make sure everyone knows that we are taking spam seriously.”

Spammers, phishers and malware authors are becoming harder to differentiate, with each and everyone of these getting involved in areas that used to be exclusively the other party’s territory a while ago. Consequently, what looks like a typical phishing link, may in fact be redirecting to a live exploits page, where the typical exploits set taking advantage of the most common client-side vulnerabilities is waiting for the gullible Twitter-er. Despite it’s recent limiting of followers of a particular account to 2000 in order to prevent malicious users from causing more damage than they could, if Twitter really want some creative thinking applied in the process, it should consider researching what the community has already come up with in the form of tools, strategies and recommendations for Twitter to implement.

For instance, the success of the now down Twitter Blacklist was based on the simple categorization of Twitter users inTwitter Spam order to increase the probability of detecting a spammers account using a simple logic based on the followers and following ratio - 1:5 = twittercaster, 1:2 = notable, 1:1 socially healthy, 2:1 newbie or social climber, 5:1 twitter spammer.

Another highly successful self-auditing service, again courtesy of the community is called Twitter Twerp Scan which “checks the number of followers of everyone on your contact list, the number of people they are following, and the ratio between those. If the person is following more than (n) people (can be customised), and has a Following-to-Followers ratio higher than 1:(m) (can be customised), you’ll be notified by a link.

There’s also never been a shortage of pragmatic solutions to at least make it harder to spammers to efficiently spam the network, with tips and recommendations made by Twitter users a couple of months ago :

Twitter’s successful anti-spam strategy lies within whether or not they will consider the know-how and experience offered by the community, which as always finds its ways to adapt to a specific situation long before a service has come to introduce its own solution.

Add spam button courtesy of chadspacey’s photostream.

[Source: zdnet]

Hackers "Pwned" at DefCon

Two speakers proved that they hacked into the attendees' computers

Participants at the DefCon hacking conference, focusing on the latest methods of taking over end users' computers and corporate machines, found out that they had been subjects to a hijack themselves. According to an AFP report, the attendees at the conference were startled by the statements of Tony Kapela and Alex Pilosov, two "lecturers" at the conference, who said that they had silently intercepted data belonging to their colleagues.
Hackers at DefCon learned that their computers had also been hijacked
Enlarge picture

The method used by the two consisted in the exploitation of the paths on which data traveled along the network. Routing can be manipulated in such ways that owners of the affected computers can't tell that their online traffic is being tracked or that they receive other information than what they were waiting for. Instead of trying to break passwords or other security systems, hijackers who choose to use this type of approach only have to "convince" websites that the numbers corresponding to their computer defines the best path for these sites to deliver their data through.

The data traffic across the network is automatic, so websites choose, without verifying, the best path according to the numerical Internet address of the routes. The longer the address is, the higher the chances to be chosen. The hackers' job consists of adding some characters to the array to ensure that their computers are chosen as intermediaries between websites and other users. "Someone can passively intercept traffic," Kapela said. "We can store, drop, filter, mutilate, grope, or modify data heading to you."

And, in fact, this happened during DefCon, when some of the colleagues of the two hackers learned that their computers were not as safe as they thought. The two disclosed some email and search information intercepted while using the aforementioned method. In hackers' slang, some of the attendees, although also well-established hijackers, had been "pwned" by the two, meaning they were completely subdued to the actions of Kapela and Pilosov.

[Source: softpedia]

Russian Hacking Web Affects Hundreds of Thousands of Computers

Joe Stewart, Director of Malware Research at SecureWorks, discovered that a group of Russian hackers used a type of trojan that affected over 378,000 computers. The computers, all part of the same network, were infected via a genuine Microsoft application. Coreflood is the name of the trojan used to steal data from the affected machines, in ways that have never been employed before.

Russian hijackers spread their trojan to hundreds of thousands computers

The targeted companies reported a precise interval during which they felt the effects of the attack. SecureWorks observed some "infection events," with hundred of thousands of computers becoming infected on the same day. As trojans cannot spread all by themselves through a network, specialists took into account all the possibilities for that to happen. The team noticed that a Windows administration tool, PsExec, was used to infect all the computers in a network whose owners had domain administrator privileges. ie1823en.exe was then launched on every affected system.

The hackers, who were identified as being Russians, mostly used Coreflood to get information on bank accounts. They also had access to computers from major institutions, which means they could have gotten their hands on even more important data than previously estimated. Also, the hijackers had another advantage over the people and the institutions they attacked: Coreflood allowed them to get account details without having to log in, because the malicious software has the ability to read screen information. This is one of the reasons that make Coreflood so dangerous. Because of the free access to all data stored on a computer, investigators don't know yet the exact extent of incurred damages.

One of the most affected people was Joe Lopez, a businessman who lost $20,000 when this amount was withdrawn by an unauthorized person. After discovering that the money was missing, he also learned that his computer was infected with the trojan. Joe Stewart stated for the New York Times that the situation was under investigation and that, for this very reason, he could not give explicit details about the case.

Stewart also revealed that, while translating some blog posts that allegedly belonged to one of the members of the group of hackers, he found out that another one of them was dead. However, he also emphasized that, no matter the difficulties these hackers might come across, their illicit activity is still being carried on.

[Source: softpedia]

New StopBadware guidelines take aim at software update bundling

StopBadware draft guidelines take aim at software update bundling

If the StopBadware coalition has its way, software updaters from Sun Microsystems (see screenshot above) and Apple will carry the embarrassing “badware” label.

According to a draft of revamped guidelines (.pdf) from the Google-backed computer security consortium, the badware label will expand to include products that:

  • Install a new application through unattended automatic updates.
  • Introduce new potentially unwanted behaviors to an application through unattended automatic updates.

Under these new guidelines, Apple’s WASU (Windows Automatic Sofware Update) utility will be considered badware because it bundles new products like Safari, iTunes and QuickTime alongside security patches without the end user’s explicit consent.

[ SEE: How does Apple get away with this badware behavior ]

The StopBadware alliance is currently seeking feedback on the new guidelines.

The non-profit group said it would not use the badware label for installation of new applications alongside updates if there is separate disclosure and consent.

[Source: zdnet]

Facebook refuses to fix obvious security flaw

Facebook refuses to fix obvious security flaw

[ UPDATE: Facebook has reversed itself and fixed this vulnerability ]

The Register’s Dan Goodin has the scoop on an obvious security vulnerability that’s being ignored by the powers at Facebook.

The issue, as demonstrated by this proof-of-concept, shows how a social network application can be rigged to hijack a Facebook user’s session identification cookies, deliver pop-up messages or change the color of Facebook pages.

“With a little extra work, an attacker could probably do much more, including send and read messages from a user’s account, change privacy settings and add or delete Facebook friends,” according to the report.

When I tested the code while logged in to Facebook, it worked as advertised and proves conclusively that Facebook fails to sanitize the content of third-party applications. This exposes Facebook’s massive user base to a variety of hacker attacks.

[ SEE: Web worms squirm through Facebook, MySpace ]

Worse, the developer who reported the flaw to Facebook says the company has refused to acknowledge the risk.

  • Wachelka said he filed a bug report with Facebook on Friday and promptly received a message saying the matter had been closed. “Our FBML tags are written not to run Javascript,” Facebook asserted.

A weakness in Facebook’s filtering recently exposed users to a malicious worm attack via the site’s commenting system.

* Image source: We Blog Cartoons.

[Source: zdnet]

Hundreds of Dutch web sites hacked by Islamic hackers

In what appears to be a mass defacement, where several hundred domains take advantage of a shared hosting provider,Net Devilz Netherlands starting as of this Friday, an Islamic hacker known as nEt^DeViL — this is not the NetDevilz team that hijacked the DNS records of the ICANN and Photobucket in June — managed to successfully hack a couple of hundred Dutch web sites as a hacktivist response to the release of the Fitna film, a controversial film released by Geert Wilders, a member of the Dutch parliament in March, 2008.

How did they do it? Since all of the sites are parked on a single IP ( owned by the hosting company, compromising it means having the ability to compromise the content on all the domains hosted there, which is exactly what happened in this case.

The message they left is still active at most of the sites :

“Anti-Fitna ( Response to the Fitna Movie by ‘Geert Wilders’ Cow ! ) This hax0ring is to defend ISLAM - The Religion of [ Abraham, Moses, Jesus & Muhammad ( Peace Be Upon Them All ) ] that Insulted by a Cow ! from Netherlands ! Show Some Respect ! so , I can Leave you in Peace ! [ You’ve Started it ! ] , I don’t have problems with your site but, that what Geert Wilders Cow! chose for you ;) If you think that ” Insulting GOD Religion is a Freedom of Speech as your country did , then allow me to show you my Freedom knowledge of Hacking ;) ”

[ by the way, nothing was deleted relax ^_^ only your index renamed ] [ NOAnti Fitna Defacements WAR ] … [ NO HATING ] … [ NO Lammers ! ] … [ NO Subdirs ;) ] Can Break Your Lame Security ! [ Love Coding than Hacking ;) ‘ Perl , Python , PHP, JavaScript , HTML, VB , Borland Delphi, a Little of C/C++ & Assembly ‘ ]

aB0 m0h4mMed .. for the Old Times Greets & Peace to my Brothers. Abu_Zahra[My Best friend ] ○ Saudia_Hacker ○ Abu Lafy ○ DeadLine , DosMan & b0hAjEr [ Q8Crackers Crew ] ○ Yanis ○ Broken-Proxy ○ Eddy_BAck0o ○ Mianwalian & ZeRo from [#WHACKERZ ] ○ SaveChanges[ PHA ] ○ FBH Crew ○ Apocalypse ○ PaKBrain ○ DaVenjah! ○ BrEakerS ○ Red Devils Crew[ Saudi|x ] ○ by_emR3 , Kerem125 , Gsy & Alemin Krali [ Gr347 7urk15h |3ro7h3r5 ] ○ sys-worm(turkish) ○ F10 ○ ZombiE_KsA ○ xOOmxOOm”

Naturally, this isn’t the first time Islamic hacking groups attacked web sites belonging to a particular country that somehow offended their beliefs. For instance, in 2006, the same mass defacements took place on over 600 Danish web sites in response to the Mohammed’s cartoons released in local newspapers. This hacktivist approach of spreading propaganda isn’t necessarily a full-scale cyber war, it’s an example of information warfare aiming to reach as many Dutch Internet users as possible due to the apparently insecure web hosting provider that they are all using.

Pure hacktivism isn’t dead, as compared to previous web site defacement analysis where the people behind them were hacktivismmultitasking by also hosting malware, phishing and blackhat SEO junk pages on the compromised servers, in this case they only defaced the main pages. However, what pure hacktivism turned into today, consciously of subconsciously, is the propaganda division of an information warfare unit, where given the hundreds of thousands of easily detectable insecure sites within a particular country’s Web, this political propaganda can easily turn into a large scale malware attack.

As in real life through, the real cyber conflicts usually start due to such provocations where a single group or a script kiddie’s actions can cause a lot of damage if that’s what they want to achieve at the first place.

[Source: zdnet]

DEFCON 16: List of tools and stuff released

Defcon 16 tools and utilities

DEFCON, the 9000+ attendee hacker conference in Vegas has become a sort of hydra conference. It has become more like a global fair than what most people think of conferences; even the badge is highly unique.

I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!”, so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse, it’s hard to find all of the “stuff” they release.

Before anyone has a chance to post “it’s all on the DEFCON CD dummy,” I want to challenge them to try. After a weekend of googling (which came back with few results) and making contact with some of the speakers, I provide you with a mostly accurate list of “stuff” that was released at DEFCON this year. If any of the information is inaccurate, or a tool is missing, please contact me and I will update this post.

Beholder – by Nelson Murilo and Luis Eduardo

  • Description: An open source wireless IDS program
  • Homepage Link:
  • Email Address:
  • The Middler – by Jay Beale

  • Description: The end-all be-all of MITM tools
  • Homepage Link: (Online?)
  • Preface Link:
  • ClientIPS – by Jay Beale

  • Description: An open source inline “transparent” client-side IPS
  • Homepage Link: (Online?)
  • Marathon Tool – by Daniel Kachakill

  • Description: A Blind SQL Injection tool based on heavy queries
  • Download Link: DEFCON 16 CD. No online link found.
  • Email Address:
  • The Phantom Protocol – by Magnus Brading

  • Description: A Tor-like protocol that fixes some of Tor’s major attack vectors
  • Homepage Link:
  • Email Address:
  • ModScan – by Mark Bristow

  • Description: A SCADA Modbus Network Scanner
  • Homepage Link:
  • Email Address:
  • Grendel Scan – by David Byrne

  • Description: Web Application scanner that searches for logic and design flaws as well as the standard flaw seen in the wild today (SQL Injection, XSS, CSRF)
  • Homepage Link:
  • iKat – interactive Kiosk Attack Tool (This site has an image as a banner that is definitely not safe for work! – You have been warned) by Paul Craig

  • Description: A web site that is dedicated to helping you break out of Kiosk jails
  • Homepage Link:
  • Email Address:
  • DAVIX – by Jan P. Monsch and Raffael Marty

  • Description: A SLAX based Linux Distro that is geared toward data/log visualization
  • Homepage Link:
  • Download Link:
  • Email Addresses: and
  • CollabREate – by Chris Eagle and Tim Vidas

  • Description: An IDA Pro plugin with a server backend that allows multiple people to collaborate on a single RE (reverse engineering) project.
  • Homepage Link:
  • Email Addresses: and
  • Dradis – by John Fitzpatrick

  • Description: A tool for organizing and sharing information during a penetration test
  • Homepage:
  • Email Address:
  • Squirtle – by Kurt Grutzmacher

  • Description: A Rouge Server with Controlling Desires that steals NTLM hashes.
  • Homepage: (Live?)
  • Email Address:
  • WhiteSpace – by Kolisar

  • Description: A script that can hide other scripts such as CSRF and iframes in spaces and tabs
  • Download Link: DEFCON 16 CD
  • VoIPer – by nnp

  • Description: VoIP automated fuzzing tool with support for a large number of VoIP applications and protocols
  • Homepage Link:
  • Barrier – by Errata Security

  • Description: A browser plugin that pen-tests every site that you visit.
  • Homepage Link:
  • Email Address:
  • Psyche – by Ponte Technologies

  • Description: An advanced network flow visualization tool that is not soley based on time.
  • Homepage Link:
  • * Rob Fuller is a security researcher and pen-tester. He can be found on Twitter and in Room 362.

    [Source: zdnet]

    OpenVAS emerges as free alternative to Nessus

    OpenVAS emerges as Nessus alternativeA new open-source project called OpenVAS has emerged to take the place of Nessus, the popular vulnerability assessment system that closed its source a few years ago.

    The first stable version of OpenVAS, which is a fork of Nessus 2.2, was released this week featuring a server, a client and an NVT (network vulnerability tests) feed.

    Installation packages are available for OpenSUSE, Fedora, Mandrake, FreeBSD and Gentoo. Packages for Debian and Ubuntu are in the works, the group said. An OpenVAS-Client is available for Microsoft Windows.

    The nitty gritty of the new project:

    [ SEE: Questions swirl as Sourcefire buys ClamAV ]

    • OpenVAS Server — This is a scanner that runs many network vulnerability tests against many target hosts and delivers the results. It uses a communication protocol to have client tools (graphical end-user or batched) connect to it, configure and execute a scan and finally receive the results for reporting. Tests are implemented in the form of plugins which need to be updated to cover recently identified security issues. The server consists of 4 modules: openvas-libraries, openvas-libnasl, openvas-server and openvas-plugins. All need to be installed for a fully functional server.
    • OpenVAS-Client — This is a terminal and GUI client application for both OpenVAS and Nessus. It implements the Nessus Transfer Protocol (NTP). The GUI is implemented using GTK+ 2.4 and allows for managing network vulnerability scan sessions. OpenVAS-Client is a successor of NessusClient 1.X.
    • OpenVAS NVT Feed – This is a public feed of Network Vulnerability Tests (NVTS). It contains only signed files and only the supported NVT families and their dependencies. This feed is configured as default for OpenVAS Server.

    The OpenVAS development team plans to extend the range of the vulnerability tests for present and upcoming security issues, especially for those reported as CVEs, BIDs etc.

    [Source: zdnet]

    Fedora infrastructure breach?

    Fedora server compromised?Has there been a security breach in Red Hat Fedora’s infrastucture systems?

    According to a cryptic announcement posted to the Fedora-Announce mailing list, the open-source group is investigating an unspecified “issue in the infrastructure systems” that has resulted in widespread service outages.

    In the note, Fedora maintainers recommend that end users avoid downloading packages on Fedora systems, which strongly hints at a security-related problem:

    • The Fedora Infrastructure team is currently investigating an issue in the infrastructure systems. That process may result in service outages, for which we apologize in advance. We’re still assessing the end-user impact of the situation, but as a precaution, we recommend you not download or update any additional packages on your Fedora systems.

    A follow-up message posted over the weekend said the investigations were continuing but there are no details available on the cause of the problem.

    Efforts to contact Red Hat Fedora maintainers have so far been unsuccessful. I will update this post as necessary.

    * Image credit: jgbrl’s Flickr photostream (Creative Commons 2.0)

    [Source: zdnet]

    Microsoft investigating NSlookup.exe flaw, reported attacks

    Microsoft investigating new Windows zero-day attackMicrosoft is investigating new public reports of a zero-day Windows vulnerability that’s being exploited in the wild.

    According to a this SecurityFocus alert, the attacks are exploiting a remote code-execution vulnerability due to an unspecified error in NSlookup.exe, the command-line administrative tool used for testing and troubleshooting DNS servers.

    • Successfully exploiting this issue would allow the attacker to execute arbitrary code on an affected computer. Failed attacks will cause denial-of-service conditions. Microsoft Windows XP Professional SP2 is vulnerable; other versions and products may also be affected.

    According to the alert, the issue is reportedly “being actively exploited” in the wild but details on the attacks are scarce.

    A video of a proof-of-concept exploit in action was released by Argentinian researcher Ivan Sanchez.

    On its monthly Patch Tuesday Webcast (see transcript), Microsoft’s security response team said it was aware of the flaw report and had started an investigation. The company has not yet issued a security advisory with workarounds or mitigations.

    Some other highlights from the Webcast:

    • The Microsoft Access Snapshot Viewer ActiveX control vulnerability was only partially fixed with MS08-041. The standalone Access Snapshot Viewer is still vulnerable and unpatched. There are confirmed in-the-wild exploits for this vulnerability.
    • The reason the massive IE killbit update was done as an advisory instead of a bulletin was because it only included killbits for third-party (Aurigma and HP) ActiveX controls. Microsoft does not provide a security rating for these controls and the company never releases bulletins without severity ratings. “Since there is no severity associated with this release, we decided to release this update via an advisory.”
    [Source: zdnet]

    Intel proactively fixes security flaws in its chips

    Despite the skepticism surrounding Kris Kaspersky’s upcoming “Remote code execution through Intel CPU bugsIntel chip presentation to be held at this year’s Hack in the Box con, it appears that he’s been on the right track, as Intel has proactively taken care of the problem by fixing two of the critical flaws according to Kaspersky :

    “On Friday, Kaspersky told Computerworld that he has been communicating with Intel about the flaws for nearly a month and the company has told him that it fixed the two critical flaws he brought to Intel’s attention. Both of the flaws — one in the cache controller and one in the Arithmetic logic unit — could be used by a remote attacker to execute arbitrary code, according to Kaspersky.”

    And whereas he’s been asked not to release proof of concept code at at the conference due to the potential implications given Intel’s leading market share, and the fact that the flaw is OS independent, he’ll be releasing technical details on the vulnerability. Was Intel caught off guard at the first place?

    Depends on the perspective. Intel has been actively investing in R&D of security technologies to make their chips moreTrusted Execution Technology secure. An example of such a successful effort is Intel’s Trusted Execution Technology already introduced in several of their chip families :

    “Intel® Trusted Execution Technology for safer computing, formerly code named LaGrande Technology, is a versatile set of hardware extensions to Intel® processors and chipsets that enhance the digital office platform with security capabilities such as measured launch and protected execution. Intel Trusted Execution Technology provides hardware-based mechanisms that help protect against software-based attacks and protects the confidentiality and integrity of data stored or created on the client PC. It does this by enabling an environment where applications can run within their own space, protected from all other software on the system. These capabilities provide the protection mechanisms, rooted in hardware, that are necessary to provide trust in the application’s execution environment. In turn, this can help to protect vital data and processes from being compromised by malicious software running on the platform”

    The question based on Kaspersky’s modest details ahead of the presentation is, whether or not he’ll be demonstrating direct Java bytecode execution, and which chip families is he going to target. One thing’s for sure, when a vendor is proactively fixing vulnerabilities you were speculating about based on off the record discussions with you, you knew what you were looking for.

    [Source: zdnet]

    Adobe Flash ads launching clipboard hijack attack

    Clipboard hijackMalicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

    In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.

    According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and

    Here is a Mac OS X user explaining the attack:

    This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:

    [ malicious URL deleted ]

    And once it’s in the clipboard, I can’t copy anything else over it until I’ve restarted the machine.

    I’m only going to websites that are directly linked off the main page of, so they’re not obscure, and I’m surfing in firefox, though the system wide clipboard is getting taken over, so I can’t even copy something over that from a program like TextEdit.

    The 5th post on this forum shows what happens when a victim is tricked into pasting — and spamming — the malicious link to help spread the rogue security software.

    Security researcher Aviv Raff has created a proof-of-concept demo to show how easy it is to use Flash with ActionScript code to load (persistently) a malicious URL into a target clipboard. (BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed).

    [Source: zdnet]

    China busts hacking ring, managed to penetrate 10 gov’t databases

    If you needed a university certificate in China during the last couple of months, there’s a big chance that a group of tenChinese Net Police people could have supplied with you such, going a step further and adding your details in more than ten government databases across different provinces in the country, making $300k in the process.

    Shanghai Daily is reporting on this sophisticated group of local hackers who were selling “valid” educational certificates by modifying government databases. How they got caught? Apparently, by cross-checking the validity of the certificate, and since they couldn’t hack each and every database in order to add a reference to it, their business model was quickly detected and shut down.

    “The suspects sold fake certificates to make money. Since authentic certificates can be checked on government Websites, they allegedly attacked databases and added false information, the report said. The scheme was discovered after someone purchased a fake doctor’s certificate to apply for a business license in Zhejiang Province in June. Zhejiang authorities found the certificate was faked even though the information on the Jiangxi Public Health Department’s Website matched it, the report said. The Jiangxi Public Health Department checked the database and found it was attacked several months and that many statistics were distorted. It reported the case to police.”

    Whereas China has a very strong reputation on dealing with local cybercrime attacks in a very short time frame, it has perhaps one of the worst reputations across the globe when in comes to the big picture, with Chinese networks topping each and every chart on malicious Internet activity. Is there a double standard on fighting cybercrime in China? Depends. There’s no shortage or organizational bodies fighting cybercrime in the country, however, as in many other countries there seems to be a lack of political awareness on how severe the situation has gotten while they were trying to assess its severity, a situation which when combined with the lack of right priorities set, speaks for itself.

    As far as this hacking ring is concerned, once the people behind it could add authentic entries into the database, they could have also taken a peek at others, which in the context of China’s overall bureaucratic mentality for anything related to cybercrime, could easily turn into a major espionage case — or they can easily make it look like one. Moreover, when there’s demand for a particular good or a service, there’s also supply :

    “Li said demand for fake certificates was strong, according to the report. He contacted his friend surnamed Wang to attack the government databases and validate his false certificates, the report said. The investigation showed Wang attacked more than 10 government databases in Jiangxi, Hubei, Guizhou, Sichuan, Jiangsu and Liaoning provinces from March this year. Wang sold the user rights of every database to Li for 5,000 yuan to 8,000 yuan, the report said.”

    From a security perspective, detecting the fake certificate seems to have worked since these provinces are either not syndicating their databases and trusting a single database as a central point which when once hacked and modified could distribute false data across the rest of the provinces, or the data was cross-checked via offline sources or historical copies of the database. If bureaucracy can help fighting cybercrime by ensuring that a clerk doesn’t trust everything he sees on his monitor, and prompts him to cross-check with different databases “just for the record”, then that’s one of those rare cases.

    [Source: zdnet]

    Can Adobe mitigate ‘clipboard hijack’ issue?

    Adobe investigating clipboard hijack attackAdobe’s product security incident response team (PSIRT) says it is investigating possible solutions to the clipboard hijack attacks spotted on Flash-based advertisements on high-profile Web sites.

    A barebones note on the PSIRT blog simply acknowledges the issue and promised more information after the investigation but, by mentioning “possible solutions,” it is clear that that Adobe is looking for ways to mitigate the threat.

    Here’s an interesting bit from the Flash documentation:

    • The System.setClipboard() method allows a SWF file to replace the contents of the clipboard with a plain-text string of characters. This poses no security risk. To protect against the risk posed by passwords and other sensitive data being cut or copied to clipboards, there is no corresponding “getClipboard” (read) method.

    [ SEE: Adobe Flash ads launching clipboard hijack attack ]

    I’m not entirely sure why a SWF file would need the ability to write to the clipboard but, now that we know it does present a security risk (see harmless clipboard-takeover demo), Adobe might want to nuke that functionality altogether or at least rewrite the documentation to discuss this threat.

    Or, the company can put up a roadblock/warning mechanism whenever a Flash file tries to use the System.setClipboard() method.

    [ SEE: Adobe: Beware of fake Flash downloads ]

    Adobe already does this when a SWF file attempts to access a user’s camera or microphone using the Camera.get() or Microphone.get() methods — via a Privacy dialog box, in which the user can allow or deny access to their camera and microphone:

    Can Adobe mitigate ‘clipboard hijack’ issue?

    While Adobe works on a fix (they should, at the very least, provide a warning screen!), end users should start looking for mitigations elsewhere. I’d start with Firefox and NoScript, a combination that blocks this attack by default.

    * Image source: annia316’s Flickr photostream (Creative Commons 2.0)

    [Source: zdnet]

    From Metasploit to Microsoft: Skape goes to Redmond

    Skape goes to RedmondMetasploit developer Matt Miller, who for years frustrated Microsoft officials with the public release of Windows exploits, is heading to Redmond to join Microsoft’s Security Science team.

    Miller, who uses the hacker moniker Skape,will work on improved ways to find security vulnerabilities and better software defenses through mitigations, according to an announcement by SDL guru Michael Howard.

    “Matt brings a massive amount of real-world exploit and defense experience to our team,” Howard said, nothing that Miller has been focused on design review for Windows 7, the next major revision of the operating system.

    [ SEE: Hacking with Metasploit on a Nokia N800 ]

    Miller’s work around exploiting — and attempting to secure — the Windows ecosystem is legendary. In tandem with HD Moore, he has been one of the core developers on Metasploit, a free point-and-click pentest/attack tool, specializing in exploitation techniques/mitigations, reverse engineering, program analysis and modeling, rootkits and virtualization.

    Over IM this morning, HD Moore said Miller designed a large chunk of the Metasploit 3 architecture, built the meterpreter payload system, and generally led the entire win32 shellcode improvement efforts.

    “He has done some exploit work as well, but his focus was mostly on encoders, shellcode, and payloads,” Moore said. Miller was the third ‘full-time’ developer at Metasploit, having joined the volunteer group in mid-2004.

    He is the author of several groundbreaking research papers, including techniques to bypass Windows Hardware-enforced DEP, improving software security analysis using exploitation properties and exploring the history of exploitation techniques (.pdf) and mitigations on Windows.

    Miller is also an editor for the Uninformed Journal, a free online journal that focuses on encouraging the sharing of technical knowledge.

    UPDATE: Over on Twitter, Dan Guido points out that Miller just open-sourced his WehnTrust HIPS project, which adds anti-exploit mechanisms/mitigations to Windows 2000, Windows XP and Windows Server 2003 systems.

    [Source: zdnet]

    Fortune 500 companies use of email spoofing countermeasures declining

    Here’s a paradox - a technology originally meant to verify the sender of an email message for the sake of preventingSPF System spoofed messages from reaching the network, still hasn’t been embraced by the world’s biggest companies despite being around for years, but is actively used by adaptive spammers increasingly abusing legitimate services in order to take advantage of their identifiable email reputations.

    A recently conducted study by Secure Computing’s TrustedSource reveals that, not only a mere 40% of the Fortune 500 companies use Sender Policy Framework and DomainKeys Identified mail, but also, that the ones who’ve implemented the countermeasures aren’t fully taking advantage of protection mechanisms offered at the first place.

    “Out of the 2008 roster of Fortune 500 companies, a mere 202 appear to be using any of the forgery countermeasures provided by SPF, DKIM, or similar implementations. This poses a stark contrast to Sendmail’s Survey, claiming some 90% of Fortune 1000 companies, suggesting a sharp decline from Sendmail’s reported 282 companies. To make sure our results were accurate, we decided against using a random sampling and instead put together a list of all 500 primary domains used by the Fortune 500 and query them.

    A mere 202 companies, when you account for the companies running both technologies - 40% of the Fortune 500. To make matters worse, only 65 of the 167 companies using SPF included the -all policy, which causes a fail result to be sent if the IP address is not found explicitly in the policy.”

    And while the majority of Fortune 500 companies need to perhaps strategize better on how to built more authenticity in their communications and in fact prevent malicious attacks from reaching their mailboxes, spammers have been reportedly publishing SPF records since 2004, with MX Logic conducting a study into the tactic back then indicating that :

    “In its preliminary study, MX Logic found that some spammers have embraced SPF in the hope that their unsolicited email messages will be viewed as more legitimate because the messages have an SPF email authentication record associated with them. In a sample of more than 400,000 unique spam email messages that passed through the MX Logic Threat Center from Aug. 29 through Sept. 3, 16 percent had published SPF records.”

    Things are a bit different today, with spammers as active participants in the cybercrime ecosystem constantly demandingPayPal SPF fresh malware infected hosts, and having embraced outsourcing as a concept a long time ago, they seem to have stopped investing resources into building legitimate infrastructure themselves, but have started to either renting such on behalf of someone else who build it, or abuse that of legitimate email providers by bypassing their authentication in place allowing them to easily take advantage of the provider’s trusted reputation.

    Here’s an example of spammers sending DomainKeys Identified Mail from Yahoo’s SMTP servers in April, 2008, found in a report issued by MessageLabs, a practice made possible due to the successful breaking of these services CAPTCHA based authentication, either automatically or through human based CAPTCHA breakers :

    “The spam mails are sent via SMTP using Yahoo!’s servers, ensuring the message is signed correctly using Yahoo! DomainKeys Identified Mail (DKIM). This is a sender authentication technique that uses a digital signature in the headers to indicate that the message is genuinely from Yahoo! and not spoofed as such. This approach further helps to ensure that mail generated in this way is harder to block using anti-spam methods based on the source IP address; as if it had been sent from genuine Yahoo! mail servers. In most cases the spam messages are routed through the premium Yahoo! “Plus” servers which are not listed in the Yahoo! webmail interface options page.

    The Yahoo! accounts appear to have been generated programmatically, presumably defeating the Yahoo! CAPTCHA mechanism, because of the consistent format in all cases and all have from-domain of currently. At the time of writing around 1,127 unique Yahoo! User IDs were used in the distribution of this latest type of spam over 28 days, with around 40 new IDs per day being generated.”

    As always, it’s never been about the lack of technological solutions to eradicate all the junk and malicious emails hitting an organization’s mailboxes and its customers. It’s always been about the lack of implementation of these solutions, and ensuring that abusing the now trusted services isn’t done as efficiently as it is for the time being.

    [Source: zdnet]

    uTorrent silently patches critical vulnerability

    Code execution hole in uTorrentIf uTorrent is the client you use to download files, now might be a good time to hit that “check for updates” button.

    According to security alerts aggregator Secunia, there’s a “highly critical” uTorrent vulnerability that could allow remote code execution attacks with rigged .torrent files.

    From the advisory:

    • The vulnerability is caused due to a boundary error in the processing of “.torrent” files. This can be exploited to cause a stack-based buffer overflow by tricking the user into opening a “.torrent” file containing an overly long “created by” field.
    • Successful exploitation may allow execution of arbitrary code.
    • The vulnerability is confirmed in version 1.7.7 (build 8179). Prior versions may also be affected.

    The issue was silently patched by the vendor in version 1.8 RC7. Rhys Kidd says the flaw is at least two years old.

    [Source: zdnet]

    Android security team appeals to hackers

    Android security team appeals to hackersAlready burned by the discovery of serious security vulnerabilities in its SDK, the Android Security Team emerged from the shadows this week with an appeal to the security community for help fixing flaws in the Linux-based mobile platform.

    In a note posted to several public mailing lists, the open-source group published a detailed FAQ covering its security philosophy and process and made a direct request for hackers to use responsible disclosure (.pdf) ethics when vulnerabilities are discovered.

    [ SEE: Google Android SDK has multiple vulnerabilities ]

    • As you may expect, building and maintaining a secure mobile platform is a difficult task. The Android platform team has put a great deal of work into trying to design a platform that balances our goal of open development and user choice with the unique challenges of securing a consumer-focused mobile system.
    • While we have found and fixed many of our own bugs as well as flaws in other open source projects, we realize that the discovery of additional security issues in a system this large and complex is inevitable. That is why we would like to introduce ourselves today and let the security research community know how they can reach out and work with us.

    The group provided an e-mail address for reporting bugs in Android ( and a promise to respond to bug reports and keep reporters informed of the progress of an investigation.

    • We do appreciate and encourage responsible disclosure, especially since Android will be deployed on many different devices that will require a large amount of coordination to patch. Help from security researchers in the form of usable bug reports and responsible time lines will greatly assist us in securing the ecosystem of Android devices as quickly as possible. Our vulnerability bulletins will credit responsible reporters of any flaws.

    The Android security team, which is part of the Open Handset Alliance, plans to release more details of the security features of the Android platform over the next several months.

    [Source: zdnet]

    Opera patches 7 vulnerabilities but keeps one a secret

    Opera patches 7 flaws, keeps one a secretOpera Software has shipped a new version of its flagship Web browser with fixes for at least seven documented security problems but details on one vulnerability — a cross-site scripting issue reported by Chris Weber– is being kept under wraps.

    Opera warned that one of the seven flaws is rated “extremely severe” because of the risk of arbitrary code execution.

    The skinny on what’s included in Opera 9.52:

    • Advisory #1 (extremely severe): When Opera is registered as a handler for a given protocol, it can be started by external applications. In some cases, being started in this way can cause Opera to crash. To inject code, additional techniques will have to be employed. This bug affects Opera for Windows.
    • Advisory #2 (highly severe): Scripts are able to change the addresses of framed pages that come from the same site. Due to a flaw in the way that Opera checks what frames can be changed, a site can change the address of frames on other sites inside any window that it has opened. This allows sites to open pages from other sites, and display misleading information on them.
    • Advisory 3# (currently a secret): Fixed an issue that could allow cross-site scripting, as reported by Chris Weber of Casaba Security: details will be disclosed at a later date.
    • Advisory #4 (moderately severe): Custom shortcut and menu commands can be used to activate external applications. In some cases, the parameters passed to these applications are not prepared correctly, and may be created from uninitialized memory. These may be misinterpreted as additional parameters, and depending on the application, this could allow execution of arbitrary code. Successful exploitation requires convincing the user to modify their shortcuts or menu files appropriately, pointing to an appropriate target application, then to activate that shortcut at an appropriate time. To inject code, additional means will have to be employed. This flaw affects Opera for Microsoft Windows, Linux, FreeBSD and Solaris.
    • Advisory #5 (less severe): When insecure pages load content from secure sites into a frame, they can cause Opera to incorrectly report the insecure site as being secure. The padlock icon will incorrectly be shown, and the security information dialog will state that the connection is secure, but without any certificate information.
    • Advisory #6: (less severe): As a security precaution, Opera does not allow Web pages to link to files on the user’s local disk. However, a flaw exists that allows Web pages to link to feed source files on the user’s computer. Suitable detection of JavaScript events and appropriate manipulation can unreliably allow a script to detect the difference between successful and unsuccessful subscriptions to these files, to allow it to discover if the file exists or not. In most cases the attempt will fail.
    • Advisory #7 (not severe): It has been reported that when a user subscribes to a news feed using the feed subscription button, the page address can be changed. This causes the address field not to update correctly. Although this can mean that that misleading information can be displayed in the address field, it can only leave the attacking page’s address in the address bar, not a trusted third party address.
    [Source: zdnet]

    More security holes appear in Microsoft Office

    More security holes appear in Microsoft OfficeIn addition to this long list of missing Microsoft patches, there are at least three serious (unpatched) vulnerabilities in the Microsoft Office productivity suite.

    On August 12, the same day Microsoft released a slew of Office patches, TippingPoint’s DV Labs published a bare-bones advisory warning about a new high-risk Office flaw that allows code execution attacks.

    From the DVLabs pre-patch alert:

    • This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

    [ SEE: Where on earth are these Microsoft patches? ]

    The company also has two additional unpatched Office bugs on its list:

    • July 8, 2008: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
    • May 5, 2008: This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

    Vulnerability discoveries made by TippingPoints DV Labs are different from those purchased by the company’s ZDI (Zero Day Initiative).

    [Source: zdnet]

    Nokia and Sun confirm S40, Java ME vulnerabilities

    Nokia and Sun confirm S40, J2ME vulnerabilitiesAccording to published reports, Nokia and Sun have both confirmed the existence of serious security problems in the Series 40 and Java Platform Micro Edition (Java ME) , giving instant credibility to the claims by Polish hacker Adam Gowdiak.

    Gowdiak (left), one of the four LSD researchers who discovered the MS03-026 flaw that was later exploited in the Blaster worm attacks, triggered widespread controversy earlier this month demanding 20,000 Euros each from Nokia and Sun for access to his full research but it now appears that he handed over enough information for the companies to reproduce/confirm the issues.

    [ SEE: Researcher discovers Nokia S40 vulnerabilities, demands payment ]

    Here’s Nokia’s response:

    • Nokia has been a week or two getting back to us, but this morning admitted that they have “been investigating the allegations made, using our normal processes and comprehensive testing… We can confirm that both claims are valid in some of our products.”

    From a Sun Micrososystems spokesperson:

    • According to Sun, most of the “security explorations” carried out by Gowdiak were specific to the Nokia phone stack’s implementation of J2ME, rather than J2ME itself. “Sun can confirm that there are a couple of potential vulnerabilities outlined in [Gowdiak’s] post that are specific to [J2ME] but those are limited to older versions of [J2ME],” Sun’s spokesperson said. “In addition, these vulnerabilities would be extremely difficult to exploit because they would require device-specific information that is not readily available.”

    It it not yet known if either company paid for Gowdiak’s research.

    [Source: zdnet]

    Exploit code published for Apache Tomcat flaw

    Exploit code published for Apache Tomcat flawThe United States Computer Emergency Response Team (US-CERT) has raised an alarm for a serious vulnerability in Apache Tomcat, warning that a proof-of-concept exploit is publicly available.

    The code, posted to, exploits a directory traversal vulnerability vulnerability in the way Apache Tomcat handles malformed requests.

    From the advisory:

    • If a context is configured with allowLinking=”true” and the connector is configured with URIEncoding=”UTF-8″ then a malformed request may be used to access arbitrary files on the server.

    The vulnerability (CVE-2008-2938) affects Apache Tomcat versions 4.1.0-4.1.37, 5.5.0-5.5.26, and 6.0.0-6.0.16.

    The open-source group has shipped a fix in Apache Tomcat 6.0.18, an update that also fixes three additional security issues:

    CVE-2008-1232 (cross-site scripting): The message argument of HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user supplied data must be included in the message argument. This affects 6.0.0 - 6.0.16

    CVE-2008-1947 (cross-site scripting): The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack. This application now filters the data before use. This issue may be mitigated by logging out (closing the browser) of the application once the management tasks have been completed.

    CVE-2008-2370 (information disclosure): When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. This affects: 6.0.0 - 6.0.16.

    [Source: zdnet]