As attacks escalate, MS readies emergency IE patch

Microsoft is planning to ship an emergency Internet Explorer update tomorrow (December 17) to counter an escalating wave of malware attacks targeting a zero-day browser vulnerability.

[ SEE: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks ]

The out-of-band update, which will be rated critical, follows the public discovery of password-stealing Trojans exploiting the bug on Chinese-language Web sites. Over the past week, the attacks have expanded with hackers using SQL injection techniques to seed exploits on legitimate Web sites.

[ GALLERY: How to configure Internet Explorer to run securely ]

This will be the second out-of-band update from the MSRC (Microsoft Security Response Center) in the last two months. Back in October, the company shipped MS08-067 to plug an extremely critical worm hole that affected Windows 2000, Windows XP and Windows Server 2003.

The IE patch will be available for all supported versions of the browser. According to this pre-patch advisory from Microsoft, the in-the-wild attacks have targeted IE 7 on Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista (including SP1) and Windows Server 2008.

The actual flaw exists in the way IE handles DHTML Data Bindings:

Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data (“heap spray”) before the invalid pointer dereference.

* Image source: jmv’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Google downplays Chrome’s carpet-bombing flaw

In a recent Q&A with Google’s Brian Rakowski, Philipp Lenssen asked him a question about Chrome’s carpet-bombing flaw. Not surprisingly, considering that Apple refused to admit Safari’s carpet-bombing flaw in the first place, Google is downplaying it too:

Lenssen: There are ways to make Chrome automatically download a file without the user confirming this (at least using Chrome’s default options). Don’t you consider that a potential problem?

Rakowski: On its own, downloading a file isn’t dangerous. It can be annoying if a site tries to download a bunch of files to fill up your hard drive, but there are other ways to do things like that and it hasn’t become a problem. The danger arises when an automatically downloaded file can be automatically executed. We’ve taken steps to prevent this in Google Chrome and will continue to make sure that this is the case.

In reality, the danger arises from an automatically downloaded malicious file with a changed icon and a descriptive title, or from backdoored but otherwise legitimate Office files downloaded without any notice, not from dumping hundreds of files on a particular desktop. A denial of service attack alongside a piece of dropped crimeware isn’t really going to do much for a malicious attacker who wants your e-banking data.

The level of exploitability of any of Chrome’s vulnerabilities is proportional to its market share, and whereas there are no currently active malware attacks taking advantage of this particular flaw to dump a file on a visitor’s desktop, leaving this opportunity open won’t go unnoticed. As it appears, a simple script that fills up someone’s hard drive upon visiting a specific site is the way to raise awareness of the potential for old school malware attacks relying on changed icons and binaries spread across the desktop, and hopefully to attract Google’s attention to the possibilities for abuse.

Chrome’s been receiving lots of criticism internationally, with Germany’s Federal Office for Information Security urging users not to use the browser, and the Dutch Computer Emergency Response Team (Govcert.nl) recommending its use only in test environments due to the BETA release. For the time being, it’s clearly a wait-and-see situation as to how they treat security issues.

[Source: zdnet]

Google patches ‘critical’ Chrome code execution flaws

The first security patch for Google’s new Chrome browser is out, fixing at least two “critical” vulnerabilities that put Windows users at risk of code execution attacks.

[ SEE: Google Chrome vulnerable to carpet-bombing flaw ]

The patch, which is rolled out automatically via Chrome’s auto-update feature, also addresses two additional security vulnerabilities — the carpet-bombing issue and a denial-of-service flaw that could lead to browser crashes and data loss.

From the release notes:

  • Fixes a buffer overflow vulnerability in handling long filenames that display in the “Save As” dialog. This is a critical risk that could lead to execution of arbitrary code. See here for fix details.
  • Fixes a buffer overflow vulnerability in handling link targets displayed in the status area when the user hovers over a link. This is a critical risk that could lead to execution of arbitrary code. The issue was reported privately to Google. Fix details here.
  • Fixes an out of bounds memory read when parsing URLs ending with :%. This is a low risk that can be used to crash the entire browser, possibly causing loss of data in the current session. Fix information here.
  • The update also changes the default Downloads directory if it is set to Desktop to ensure that Desktop cannot be the default. This mitigates the risk of malicious cluttering of the desktop (aka carpet bombing) with unwanted downloads, which can lead to executing unwanted files.

[ SEE: Google Chrome vulnerabilities starting to pile up ]

Curiously, the user agent for the fully patched version of Chrome (version 0.2.149.29) is still showing WebKit 525.13 (Safari 3.1), meaning that Aviv Raff’s two-click PC takeover vulnerability is still unpatched.


I just tested Raff’s proof-of-concept that combines two flaws — one in Safari and one in Java — and was still able to execute code without warning. Strange.

[Source: zdnet]

Clickjacking: Researchers raise alert for scary new cross-browser exploit

Robert (RSnake) Hansen

[ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible mitigation ]

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery — Robert Hansen (left) and Jeremiah Grossman — have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking?

Clickjacking details emerge

According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:

  • In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

If that’s not scary enough, consider that the average end user would have no idea what’s going on during a Clickjack attack.

  • Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this. “It makes it easier in many ways, but you do not need it.” Use lynx to protect yourself and don’t do dynamic anything. You can “sort of” fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page. Each click by the user equals a clickjacking click so something like a flash game is perfect bait.

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

  • In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn’t give people much technical detail to go on, but it’s the best we can do right now.

[Source: zdnet]

Firefox rushes out fix for password manager bug

Just days after shipping a patch for a dozen serious security holes in Firefox, Mozilla has rushed out another version to fix an annoying password manager bug.

The newest Firefox 3.0.3 basically fixes a problem where users were unable to retrieve saved passwords or save new passwords.

Firefox’s Mike Beltzner explains:

  • The symptom is that users who have password data stores with non-ASCII data saved as something other than UTF-8 (more common for people who have saved passwords on IDN domains or non en-US domains) will not be able to access their saved passwords or create any new saved passwords. There is no permanent data loss, the saved data is just inaccessible.

Also see Bug 454708.

[Source: zdnet]

Google readying fix for Chrome file download flaw

Just hours after the release of the Google Chrome browser last month, researcher Aviv Raff discovered that he could combine two vulnerabilities — a flaw in Apple Safari (WebKit) and a Java bug — to trick users into launching executables directly from the new browser. (Here’s a demo showing how a Google Chrome user can be lured into downloading and launching a JAR (Java Archive) file that gets executed without warning.)

Now, it looks like Google is finally taking the threat seriously with the release of a new Chrome version to developers that changes the download behavior for files that could execute code.

From the changelog:

  • This [version] adds prompting for dangerous types of files (executable) when they are automatically downloaded.
  • The file is saved with a temporary name (dangerous_download_xxxx.download) in the download directory and the user is presented (in the download shelf and the download tab if opened) with a warning message and buttons to save/discard the download.
  • If discarded the download is removed (and its file deleted). If saved, download goes as usual.
  • Dangerous downloads not confirmed by the user are deleted on shutdown.

ALSO SEE:
Google Chrome vulnerable to carpet-bombing flaw

Google Chrome, the security tidbits

[Source: zdnet]

Memory exhaustion DoS vulnerability hits Google’s Chrome

Aditya K Sood from the EvilFingers community, which disclosed the first Chrome DoS vulnerability at the beginning of the month, has released a proof of concept demonstrating a memory exhaustion DoS vulnerability affecting Google’s Chrome versions Chrome/0.2.149.30 and Chrome/0.2.149.29:

“The Google Chrome browser is vulnerable to a memory exhaustion based denial of service which can be triggered remotely. The vulnerability triggers when a Carriage Return (\r\n\r\n) is passed as an argument to the window.open() function. It makes Google Chrome generate a number of windows at the same time, thereby leading to memory exhaustion. The behavior can be easily checked by looking at the task manager, as in no time the memory usage rises high. The problem lies in the handling of the object and its value returned by the JavaScript function. Once it is triggered the pop-ups start generating. The Google Chrome browser generates object windows continuously, thereby affecting the memory of the resultant system. Probably it can be crashed within no time. User interaction is required in this.”

What’s Google’s take on this flaw, and have they acknowledged it already? Zero Day asked the researchers.

Q: This is the second DoS vulnerability that members from EvilFingers disclose. How is the second one different than the first one, and how would a remote attacker take advantage of it?

A: Ideally, both are Denial of Service attacks. But the second one is different for the matter that it does a memory exhaustion, or I would say “performance” peaks with the pop-ups. By default, all the pop-ups are blocked by Chrome, but still the CPU usage jumps up to 98% and so does the memory consumption, therefore other processes will surely be affected. And then the PoC for the first one crashes Chrome right away without any reaction time for the user or any way for the user to prevent the loss of work. But with the second one, an experienced user can prevent the same and can save the work of other tabs before resulting in a browser restart. Or put another way, the first one is a crash of all tabs, the second one is a hang of tabs.

Q: Since you’re responsibly disclosing the vulnerabilities that you find to Google, what is your opinion on their current response time and overall attitude towards the vulnerabilities that you’ve reported?

A: Response time with the first one was well appreciable, as it was fixed within 24hrs though it took some days to roll out next 0.2.149.29 ‘patched’ version. For this newer DoS, the patch is yet to roll out and they have acknowledged the bug for now.

Has Chrome’s level of exploitability changed since the first DoS vulnerability? It may well be declining, considering some recently published browser market-share statistics clearly indicating that a lot of users seem to have given Chrome a try and gone back to their default browsers. According to Chrome stats published by Net Applications:

“At the end of its third week of availability, Google Inc.’s Chrome accounted for 0.77% of the browsers that visited the 40,000 sites tracked by Net Applications, down from a 0.85% share the week before. “The trend line on Chrome still has a slight downward angle, and these weekly numbers reflect that,” said Vince Vizzaccaro, Net Applications’ executive vice president of marketing. Although Chrome popped above 1% within hours of its release, the new browser now reaches that mark only in the middle of the night, U.S. time, Vizzaccaro added.”

StatCounter’s latest Chrome stats, covering over 450M page views globally, also show the introduction period and the slight decline afterwards. Chrome’s popularity is proportional to its level of exploitability, so how many users stick with the (BETA) browser will either increase or decrease it.

[Source: zdnet]

Google Chrome vulnerable to data theft flaw

Google has seeded a new version of its Chrome browser to developers with fixes for a pair of security issues that could expose users to data theft.

The issue, rated as a “moderate” risk, could allow hackers to use HTML files to steal arbitrary files from a victim’s machine.

Details below:

  • r4188 and r4827 Address an issue with downloaded HTML files being able to read other files on your computer and send them to sites on the Internet. We now prevent local files from connecting to the network using XMLHttpRequest() and also prompt you to confirm a download if it is an HTML file.
    • Severity: Moderate. If a user could be enticed to open a downloaded HTML file, this flaw could be exploited to send arbitrary files to an attacker.

The patch, which will eventually be rolled out via Chrome’s automatic update feature, also adds new features around bookmarking and pop-up blocking.

[Source: zdnet]

Four XSS flaws hit Facebook

Project XSSed, the clearing house for cross-site scripting flaws, has just released details on four flaws affecting Facebook’s developers page, iPhone login page and the new user registration page, potentially assisting malicious attackers in adding more legitimacy to their campaigns. With yet another critical XSS flaw hitting Facebook in May earlier this year, what’s the potential exploitability of such flaws, if any, in the wake of the ongoing Koobface worm’s rounds across the social networking site?

It’s worth pointing out that in both of these cases there were no known cases of active exploitation, perhaps due to Facebook’s quick reaction upon being notified of them. The very same lack of active exploitation was also present in several other cases throughout the year, namely, the recent XSS affecting Google’s login page, and the multiple HSBC sites (still) vulnerable to XSS flaws. And if we are to exclude the XSS worm at Justin.tv which infected 2,525 profiles in July, active exploitation of such flaws is no longer favored compared to the less noisy social engineering tricks exploiting the weakest link - the Internet user social networking with a false feeling of security.

Take Koobface for instance. It scaled so efficiently without exploiting any social networking site specific flaw, only through social engineering tactics that forward the entire spreading process to the already infected user, which in a trusted environment of friends proved to be a successful form of spreading. Despite the possibility for active exploitation of such flaws in phishing and malware campaigns, cybercriminals appear to be no longer interested in such noisy approaches, at least not while attempting to spread malware across social networking sites. Among the main reasons for this is the fact that their entire campaign would be based on a single propagation vector, which, when taken care of through technical means, would render their campaign useless. Instead, just like the Koobface gang continues to do, they mix the social engineering vectors by abusing legitimate brands as redirectors to the malware infected hosts serving the fake YouTube videos.

The Web in general is an entirely different topic, since I can easily argue that the long tail of SQL injected sites can outpace the traffic that could come from a single high-page ranked site that’s participating in a malware campaign. Case in point - the recent Internet Explorer zero day flaw is currently being served through SQL injections affecting vulnerable sites across the Web, a pretty logical move on which I speculated given the fact that it was originally used on Chinese forums and sites only.

For the record, the Facebook security team has been notified of the recently published flaws.

[Source: zdnet]

Major Web browsers fail password protection tests

That nifty password management feature in your favorite Web browser could be helping identity thieves pilfer your personal data.

That’s the biggest takeaway from the results of this test which shows that all the major Web browsers — including IE, Firefox, Opera, Safari and Chrome — are vulnerable to a total of 20 vulnerabilities that could expose password-related information. Among the problems are three in particular that, when combined, allow password thieves to take passwords without the user’s knowledge. They are:

  1. The destination where passwords are sent is not checked.
  2. The location where passwords are requested is not checked.
  3. Invisible form elements can trigger password management.

Google’s shiny new Chrome browser was among the worst offenders. According to the study, Chrome’s password manager contains multiple unpatched issues that “form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity.”
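The three problems listed above are, from a browser’s point of view, three checks that a password manager should run before it autofills anything. The following is an added example, not code from the article or from Chapin Information Services’ test suite, of a minimal autofill policy that performs those checks; the data classes and function names are hypothetical, and `bank.example` / `evil.example` are constructed hosts.

```python
"""Added example (hypothetical names): the three autofill checks the article
says the tested browsers skipped, expressed as a small decision function."""
from dataclasses import dataclass
from urllib.parse import urlparse, urljoin


@dataclass
class SavedLogin:
    origin: str      # scheme://host[:port] the credential was saved on
    action: str      # absolute URL the original login form submitted to
    username: str
    password: str


@dataclass
class FormContext:
    page_url: str                 # URL of the document containing the form
    action: str                   # the form's action attribute (may be relative or empty)
    password_field_visible: bool  # False for display:none / zero-size / off-screen fields


def origin_of(url):
    """Normalise a URL to scheme://host:port so two URLs can be compared by origin."""
    p = urlparse(url)
    if not p.scheme or not p.hostname:
        return None
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return f"{p.scheme}://{p.hostname.lower()}:{port}"


def autofill_decision(saved, form):
    """Return (allowed, reason).

    Check 2 (location): the page asking for the password must belong to the
    origin the credential was saved on, so a downgrade to http:// or another
    host never receives it.
    Check 1 (destination): the form must submit to the same origin as the form
    the password was originally saved from; an injected form pointing at a
    third-party collector is refused even though it sits on the right page.
    Check 3 (visibility): a hidden password field must not trigger autofill,
    since the user cannot see what is being filled in.
    """
    if origin_of(form.page_url) != origin_of(saved.origin):
        return False, "page origin differs from saved origin"

    # Resolve a relative, protocol-relative or empty action against the page URL,
    # exactly as the browser would when submitting the form.
    resolved_action = urljoin(form.page_url, form.action) if form.action else form.page_url
    if origin_of(resolved_action) != origin_of(saved.action):
        return False, "form submits to a different origin than the saved form"

    if not form.password_field_visible:
        return False, "password field is hidden"

    return True, "ok"


if __name__ == "__main__":
    # Constructed credential and a few constructed form contexts.
    saved = SavedLogin("https://bank.example", "https://bank.example/login", "alice", "hunter2")
    cases = {
        "genuine form": FormContext("https://bank.example/login", "/login", True),
        "injected collector": FormContext("https://bank.example/login", "https://evil.example/collect", True),
        "protocol-relative collector": FormContext("https://bank.example/login", "//evil.example/x", True),
        "hidden field": FormContext("https://bank.example/login", "/login", False),
        "http downgrade": FormContext("http://bank.example/login", "/login", True),
    }
    for label, ctx in cases.items():
        print(f"{label:28s} -> {autofill_decision(saved, ctx)}")
```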

Apple’s Safari for Windows browser also failed a majority of the tests:


Technical details of the test, which was conducted by Chapin Information Services, can be found here.

[Source: zdnet]

Apple plugs 21 Mac OS X security holes

Apple has released a peck of patches to cover at least 21 documented security vulnerabilities affecting Mac OS X users.

With its eighth security update for 2008, the company shipped fixes for flaws that could lead to remote code execution and denial-of-service attacks. The patch batch also covers a range of serious vulnerabilities in the Adobe Flash Player plug-in.

Here’s the raw skinny on Security Update 2008-008/Mac OS X v10.5.6:

  • CVE-2008-4236: An infinite loop may occur in the Apple Type Services server’s handling of embedded fonts in PDF files. Viewing or downloading a PDF file containing a maliciously crafted embedded font may lead to a denial of service. This update addresses the issue by performing additional validation of embedded fonts. This issue does not affect systems prior to Mac OS X v10.5.
  • CVE-2008-4217: A signedness issue exists in BOM’s handling of CPIO headers which may result in a stack buffer overflow. Downloading or viewing a maliciously crafted CPIO archive may lead to arbitrary code execution or unexpected application termination. This update addresses the issue by performing additional validation of CPIO headers.
  • CVE-2008-3623: A heap buffer overflow exists in the handling of color spaces within CoreGraphics. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.
  • CVE-2008-317: Safari allows web sites to set cookies for country-specific top-level domains, which may allow a remote attacker to perform a session fixation attack and hijack a user’s credentials. This update addresses the issue by performing additional validation of domain names.
  • CVE-2008-4234: Mac OS X provides the Download Validation capability to indicate potentially unsafe files. Applications such as Safari and others use Download Validation to help warn users prior to launching files marked as potentially unsafe. This update adds to the list of potentially unsafe types. It adds the content type for files that have executable permissions and no specific application association. These files are potentially unsafe as they will launch in Terminal and their content will be executed as commands. While these files are not automatically launched, if manually opened they could lead to the execution of arbitrary code. This issue does not affect systems prior to Mac OS X v10.5.
  • CVE-2008-4818, CVE-2008-4819, CVE-2008-4820, CVE-2008-4821, CVE-2008-4822, CVE-2008-4823, CVE-2008-4824: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 9.0.151.0. Further information is available via the Adobe web site.
  • CVE-2008-4218: Integer overflow issues exist within the i386_set_ldt and i386_get_ldt system calls, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issues through improved bounds checking. These issues do not affect PowerPC systems.
  • CVE-2008-4219: An infinite loop may occur when a program located on an NFS share receives an exception. This may lead to an unexpected system shutdown. This update addresses the issue through improved handling of exceptions.
  • CVE-2008-4220: An integer overflow exists in Libsystem’s inet_net_pton API, which may lead to arbitrary code execution or the unexpected termination of the application using the API. This update addresses the issue through improved bounds checking. This API is not normally called with untrusted data, and no exploitable cases of this issue are known. This update is provided to help mitigate potential attacks against any application using this API.
  • CVE-2008-4221: A memory corruption issue exists in Libsystem’s strptime API. Parsing a maliciously crafted date string may lead to arbitrary code execution or unexpected application termination. This update addresses the issue through improved memory allocation.
  • CVE-2008-1391: Multiple integer overflows exist in Libsystem’s strfmon implementation. An application calling strfmon with large values of certain integer fields in the format string argument may unexpectedly terminate or lead to arbitrary code execution. This update addresses the issues through improved bounds checking.
  • CVE-2008-4237: The method by which the software on a managed client system installs per-host configuration information does not always correctly identify the system. On a misidentified system, per-host settings are not applied, including the screen saver lock. This update addresses the issue by having Managed Client use the correct system identification. This issue does not affect systems with built-in Ethernet.
  • CVE-2008-4222: An infinite loop may occur in the handling of TCP packets in natd. By sending a maliciously crafted TCP packet, a remote attacker may be able to cause a denial of service if Internet Sharing is enabled. This update addresses the issue by performing additional validation of TCP packets.
  • CVE-2008-4223: An authentication bypass issue exists in the Podcast Producer server, which may allow an unauthorized user to access administrative functions in the server. This update addresses the issue through improved handling of access restrictions. Podcast Producer was introduced in Mac OS X Server v10.5.
  • CVE-2008-4224: An input validation issue exists in the handling of malformed UDF volumes. Opening a maliciously crafted ISO file may lead to an unexpected system shutdown. This update addresses the issue through improved input validation.

[Source: zdnet]

Firefox joins security patch day treadmill

Mozilla is joining Microsoft and Opera on the browser patching treadmill.

The open-source group has rolled out the final security fix for the Firefox 2 branch and a new version of Firefox 3 to plug about a dozen security holes that could lead to remote code execution attacks, browser crashes and information disclosure issues.

[ SEE: ‘End of life’ beckons for Firefox 2 ]

In all, Mozilla released eight different bulletins with details on the security flaws. Three of the bulletins carry a “critical” label, meaning they can be exploited “to run attacker code and install software, requiring no user interaction beyond normal browsing.”

One of the bulletins carries a “high severity” rating, meaning it can be used by hackers “to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.”

[ SEE: ‘Extremely severe’ vulnerabilities in Opera browser ]

The details:

  • MFSA 2008-69 XSS vulnerabilities in SessionStore
  • MFSA 2008-68 XSS and JavaScript privilege escalation
  • MFSA 2008-67 Escaped null characters ignored by CSS parser
  • MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
  • MFSA 2008-65 Cross-domain data theft via script redirect error message
  • MFSA 2008-64 XMLHttpRequest 302 response disclosure
  • MFSA 2008-63 User tracking via XUL persist attribute
  • MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

Some of the bugs only affect Firefox 3 so it is important for all Firefox users to apply the update that’s released via the browser’s automatic patching mechanism.

As I previously reported, Mozilla is not planning any more security and stability updates for Firefox 2. If you are still on the old version, also note that the Google-powered anti-phishing protection will no longer be available for Firefox 2 users.

ALSO SEE: As attacks escalate, MS readies emergency IE patch

* Image source: _sarchi’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Google sponsored links spreading (scareware) rogue AV

Malware hunters at Websense Security Labs have discovered legitimate Google sponsored links being used to plant scareware programs (rogue anti-virus applications) on the computers of Windows users.

In a blow-by-blow description of the rogueware attack, Websense researcher Elad Sharf shows how an innocent Google search for the Winrar file archiver and data compression utility can lead to a fake C|Net downloads.com page hosting a legitimate version of Winrar, with a nefarious twist:


According to Sharf, the installer also drops a malicious file named explore.exe in the Windows system32 folder, and then runs the executable. The malicious file is associated with the icon used by Winrar SFX archives, and it binds to the system’s start-up.

The malicious explore.exe file proceeds to change the hosts file to point popular home page sites to a fake Microsoft Security Center site and displays a message box at one minute intervals.

This is how the scam works: after installing the infected program, users are interrupted with message boxes at one minute intervals. Thinking that the system has been infected, and irritated at the constant interruption, they might next search for information about the infection using the text that appears in the pop-up message. Finding legitimate forums discussing this infection, they will find confirmation that they are infected. The malware itself offers a fake remedy in the form of a pointer to a fake site. Users with any of the sites in the modified hosts file as their home page, or users who try to access any of those sites, are redirected to a site that pretends to be a Microsoft security center alert.
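The hosts-file modification is the part of this scheme that is easiest to check for from the defender’s side. The following is an added example, not part of the Websense write-up, that parses a Windows-style hosts file and flags entries which redirect well-known home page or update hosts away from their real addresses; the sample file content is constructed, and the `192.0.2.0/24` addresses are the RFC 5737 documentation range, not an indicator from the article.

```python
"""Added example (hypothetical names): detect hosts-file hijacks of popular sites.
The article describes malware rewriting the hosts file so that popular home pages
resolve to a fake security-center site; this scanner flags exactly that pattern."""
import ipaddress

# Constructed sample hosts file, in the format Windows ships in %SystemRoot%\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com
192.0.2.10      www.yahoo.com    # added by malware (constructed)
192.0.2.10      update.microsoft.com
"""

CLEAN_HOSTS = """\
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.local
"""

# Domains whose redirection is suspicious: popular home pages plus vendor update/AV hosts.
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "msn.com", "live.com", "microsoft.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_local(ip):
    """True for loopback/unspecified addresses, which legitimately appear in hosts files."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return a list of (ip, names, reason) findings.

    Two signals are reported: a watched host mapped to any non-loopback address,
    and a single non-loopback address reused for three or more different names,
    which is what a redirect sink for a fake alert page looks like.
    """
    findings = []
    sinks = {}
    for ip, name in parse_hosts(text):
        if is_local(ip):
            continue
        sinks.setdefault(ip, set()).add(name)
        if is_watched(name):
            findings.append((ip, name, "watched host redirected"))
    for ip, names in sinks.items():
        if len(names) >= 3:
            findings.append((ip, ",".join(sorted(names)), "shared redirect sink"))
    return findings


if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_HOSTS):
        print(*finding)
```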

The end result is the user is tricked into running a security scan using this rogueware and receiving confirmation that the machine is indeed infected. The criminals then attempt to sell a disinfection tool to remove the malware they installed on the victim’s machine.

Ugly stuff.

[Source: zdnet]

‘Extremely severe’ vulnerabilities in Opera browser

Opera has released version 9.63 of its browser as a “recommended security upgrade” that fixes at least seven security vulnerabilities, some with serious risk implications.

The most serious of the flaws could lead to remote code execution if an Opera user is tricked into surfing to a maliciously rigged Web page. Two of the bugs are rated “extremely severe” while three others are rated “highly severe.”

Details on the Opera 9.63 vulnerabilities:

  • Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code. Rated extremely severe.
  • Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional techniques will have to be employed. Rated extremely severe.
  • Exceptionally long host names in file: URLs can cause a buffer overflow, which may be exploited to execute arbitrary code. Remote Web pages cannot refer to file: URLs, so successful exploitation involves tricking users into manually opening the exploit URL, or a local file that refers to it. Rated highly severe.
  • When Opera is previewing a news feed, some scripted URLs are not correctly blocked. These can execute scripts which are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information. Rated highly severe.
  • Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untrusted users, which it then displays using XSLT as escaped strings, this can allow scripted markup to be injected. The scripts will then be executed in the security context of that site. Rated highly severe.
  • Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas. Details will be disclosed at a later date.
  • SVG images embedded using tags can no longer execute Java or plugin content, suggested by Chris Evans.

Opera users are strongly encouraged to download and apply the newest version.

[Source: zdnet]

New worm exploiting MS08-067 flaw spotted in the wild

Microsoft’s Security Response Center and McAfee are warning of increased network scanning activity during the last couple of days, courtesy of the very latest W32/Conficker.worm exploiting the already patched MS08-067 vulnerability. What’s particularly interesting in the latest wave of copycat worms is that W32/Conficker.worm is patching the infected host in order to ensure that competing malicious parties wouldn’t be able to get in using it. How nice of them.

“This malware mostly spreads within corporations but also was reported by several hundred home users. It opens a random port between port 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too.”

The public release of the proof of concept code in September prompted an immediate reaction by international underground communities, which released several different modifications of the exploit, with the Chinese being the first to release a do-it-yourself tool allowing subnet scanning and automatic exposure to malware hosted on a third-party server. At first, the tool was released with commercial intentions, with its authors charging $37.80; however, just like the majority of proprietary web malware exploitation kits, several days later the tool leaked to the general public. From a strategic perspective, whereas such DIY tools indeed empower low-profile cybercriminals, the real danger comes from scanning modules introduced within larger botnets.

[Source: zdnet]