Microsoft takes aim at Vista 'SoftMod' hack

Starting this week, Microsoft will ship an update to Windows Vista Ultimate users to ferret out cracked copies of its most expensive and feature-packed operating system.

The renewed anti-piracy campaign is aimed directly at the activation exploit known as the “SoftMod hack,” according to a post on Microsoft’s WGA blog.

This Knowledge Base article explains:

  • This update enables Windows Vista to detect activation exploits that bypass product activation and that interfere with usual Windows operation. An activation exploit is a form of software that replaces or modifies authentic Windows components. When activation exploits are present on a system, it indicates that a software or hardware vendor may have tampered with genuine Windows to enable the sale of counterfeit software. Therefore, the security and the privacy of the computer are put at risk. After this update is installed, you will know if activation exploits are present on the system.

According to Alex Kochis, director of Microsoft’s Windows Genuine group, this is what a user would see on a system that has detected the SoftMod activation exploit:

* Hat tip: Gregg Keizer.

[Source: zdnet]

Google wants to buy Native Client security flaws

Google is (indirectly) buying security vulnerabilities from white hat hackers.

Under the guise of a Native Client Security Contest, the search engine firm is offering big cash prizes to hackers who find bugs and other security flaws in the open-source research technology for running x86 native code in Web applications.

[ SEE: Android security team appeals to hackers ]

From the contest FAQ:

  • To participate, you will need to test the Native Client builds, identify security exploits which affect the current Native Client build at the time of submission and report them to our team. Our judges will review your entry. If you are one of the top five participants selected by the judges and satisfy the requirements for eligibility, then you will win a cash prize.

The judging will be led by Princeton University’s Ed Felten.

The first prize is $8,192, the second prize $4,096, the third prize is $2,048, the fourth prize is $1,024 and the fifth prize is $1,024. All amounts are in USD.

At least one exploitable defect is already publicly known.

[Source: zdnet]

Malware campaign at YouTube uses social engineering tricks

Remember last month’s Google Video search results poisoning attack which was hijacking legitimate YouTube titles in order to acquire potential traffic coming from Google Video? Or the massive comment-spam attack on Digg.com?

It appears that the cybercriminals behind both of these campaigns aren’t giving up just yet, and are currently experimenting with a catchy social engineering attack at YouTube which is once again attempting to serve rogue security software under the disguise of a required media codec.

Here’s how the new campaign looks.

This time their experiment relies on a new “visual social engineering vector”: a message such as “Click Here to Join the Club” or “Click Here for Free Porn” is embedded within the legitimate video itself, with a pointer enticing the user to click the PornTube link right next to it. This approach differs slightly from previous campaigns, which relied on fake YouTube sites or on posting the very same malware links within the comments of a video.

The campaign does suffer from a major weakness: its adult content, which YouTube has already, perhaps automatically, started removing. The fake codecs used in the campaign act as downloaders for rogue security software, with the cybercriminals earning revenue in the process. Moreover, not only were the Google Video, Digg.com and this latest campaign launched by the same attackers, but those attackers continue using highly toxic net blocks residing within the Latvian DATORU EXPRESS SERVISS Ltd (zlkon.lv) and the Dutch WORLDSTREAM DBM, which makes them fairly easy to keep track of - at least for now.

[Source: zdnet]

Apple catches up on Safari (browser) security

After years of lagging behind on important security features, Apple has finally added a malware-blocker, a phishing filter and support for EV (extended validation) certificates into the latest refresh of its Safari Web browser.

The malware roadblock headlines a list of Safari 4 security features that also includes cookie blocking, private browsing, secure encryption, safe downloads and parental controls.


[ SEE: PayPal: If a browser doesn't have anti-phishing technology (like Safari) ditch it ]

Apple has been heavily criticized in the past for neglecting basic security features in Safari. PayPal CIO Michael Barrett went so far as to suggest that end users should avoid the browser because of the missing protections.

Now, it looks like Apple has finally caught up. According to a source, the crucial malware block is powered by Google’s blacklist of malicious sites and will trigger a warning when a user lands at known malware sites.

Microsoft’s Internet Explorer, Mozilla’s Firefox and Opera all provide the ability to issue similar warnings.

The support for EV certificates is also important. This allows Web surfers to easily identify legitimate Web sites and businesses. For sites that have an EV certificate, Safari 4 will display the site’s name in green on the right side of the address field.

[Source: zdnet]

Heads-up: Critical Adobe Flash Player patch coming

[ UPDATE: Here's the official alert from Adobe with information on the patch. It covers a total of five vulnerabilities and affects Flash Player 10.0.12.36 and earlier ]

Sometime later today, Adobe will issue a patch for at least one critical vulnerability affecting its ubiquitous Flash Player. If you live on the Windows ecosystem, this is a heads-up to pay attention to Adobe’s security updates page and treat this as a high-priority issue.

According to an advisory from iDefense, the company that brokered the disclosure process, the patch will fix a Flash Player vulnerability that could allow an attacker to use rigged Shockwave Flash files to execute arbitrary code with the privileges of the current user.

From the iDefense alert:

  • During the processing of a Shockwave Flash file, a particular object can be created, along with multiple references that point to the object. The object can be destroyed and its associated references removed. However a reference can incorrectly remain pointing to the object. The invalid object resides in uninitialized memory, which the attacker may control to gain arbitrary execution control.

To exploit this vulnerability, iDefense said a targeted user must load a malicious Shockwave Flash file created by an attacker. This can be trivially done via social engineering techniques or injecting content into a compromised, trusted site or advertising network.

  • Utilizing various techniques, an attacker is able to re-allocate and control the memory used by the destroyed object. This allows the attacker to subvert execution when a virtual function is called via the invalid reference.
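The lifetime bug iDefense describes, shown here as an added illustration in plain C (not iDefense’s proof of concept and not Adobe’s code). A toy fixed-slot arena stands in for the player’s heap; the object, its two references, the “virtual method” (a function pointer in the object’s first word) and the generation-checked handle used in the hardened version are all assumptions made for the illustration. What it shows is why a reference left behind after destruction turns into attacker-controlled control flow once the freed memory is reallocated, and one way a handle scheme refuses the stale reference instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy fixed-size-slot arena standing in for the player's heap. A freed slot is
 * handed to the next allocation, which is the reuse an attacker arranges with
 * heap grooming. All storage is static, so the "stale" accesses below are
 * deterministic and well-defined, unlike on a real heap. */
#define SLOTS 4

typedef int (*vfn_t)(void);
typedef struct { vfn_t vfn; int payload; } object_t;   /* vtable modelled as one function pointer */

typedef struct {
    object_t obj;
    int in_use;
    uint32_t generation;    /* advanced on every free; checked by the hardened handle */
} slot_t;

static slot_t arena[SLOTS];

static void arena_reset(void) { memset(arena, 0, sizeof arena); }

static int arena_alloc(void) {                 /* returns the lowest free slot, or -1 */
    for (int i = 0; i < SLOTS; i++)
        if (!arena[i].in_use) {
            arena[i].in_use = 1;
            memset(&arena[i].obj, 0, sizeof arena[i].obj);
            return i;
        }
    return -1;
}
static void arena_free(int i) { arena[i].in_use = 0; arena[i].generation++; }

static int legit_method(void)    { return 1; }
static int attacker_method(void) { return 0xBAD; }   /* stands in for attacker-controlled code */

/* Vulnerable flow, as in the advisory: two references to one object, the object
 * is destroyed through one of them, the other is left dangling, the attacker
 * re-allocates the freed memory, and the next "virtual call" through the stale
 * reference lands in attacker-controlled code. */
int vulnerable_flow(void) {
    arena_reset();
    int a = arena_alloc();
    object_t *ref_a = &arena[a].obj;
    ref_a->vfn = legit_method;
    object_t *ref_b = ref_a;                   /* second reference, never cleared */
    arena_free(a);
    ref_a = NULL;                              /* only one reference is dropped */
    int s = arena_alloc();                     /* attacker's allocation gets slot a back */
    arena[s].obj.vfn = attacker_method;        /* first word is now attacker-controlled */
    return ref_b->vfn();                       /* virtual call via the dangling reference */
}

/* Hardened form: a reference is a (slot, generation) handle resolved on every
 * use. After the object is destroyed the slot's generation advances, so a
 * copied handle resolves to NULL instead of to whatever now occupies the slot. */
typedef struct { int slot; uint32_t generation; } handle_t;

static handle_t handle_alloc(void) {
    int i = arena_alloc();
    if (i < 0) return (handle_t){ -1, 0 };
    return (handle_t){ i, arena[i].generation };
}
static object_t *handle_get(handle_t h) {
    if (h.slot < 0 || !arena[h.slot].in_use || arena[h.slot].generation != h.generation)
        return NULL;
    return &arena[h.slot].obj;
}

int hardened_flow(void) {
    arena_reset();
    handle_t a = handle_alloc();
    handle_get(a)->vfn = legit_method;
    handle_t b = a;                            /* second reference, copied by value */
    arena_free(a.slot);                        /* destroy: generation of the slot advances */
    handle_t spray = handle_alloc();           /* attacker reuses the same slot */
    handle_get(spray)->vfn = attacker_method;
    object_t *stale = handle_get(b);           /* stale handle is refused */
    return stale ? stale->vfn() : -1;
}

int main(void) {
    printf("vulnerable: stale virtual call returned 0x%x\n", vulnerable_flow());
    printf("hardened:   %d (stale handle resolved to NULL)\n", hardened_flow());
    return 0;
}
```

The vulnerable flow returns the attacker’s value because the arena hands the freed slot straight back, exactly the reuse a real exploit arranges with heap grooming; the hardened flow returns -1 because the copied handle is checked against the slot’s generation on every use rather than trusted as a raw pointer.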

The flaw was confirmed in Flash Player 9.0.124.0, the latest version at the time iDefense tested; previous versions may also be affected. iDefense said it tested exploitation on Windows XP SP3 and Windows Vista SP1.

  • iDefense believe that all platforms supported by Flash Player are affected by this vulnerability, including Linux and MacOS.

Adobe was first notified of this issue last August. The company is currently in the midst of responding to zero-day attacks against bugs in its Adobe Reader and Acrobat products.

[Source: zdnet]

Chinese hackers deface the Russian Consulate in Shanghai

That was fast. Chinese hackers collaborating with the Chinese Hacking Union, a two-year-old training community for wannabe hackers, hacked and defaced the official web site of the General Consulate of the Russian Federation in Shanghai, PRC, in response to recent accusations that a Russian navy vessel sank a Chinese cargo ship.

The message left on the now “under maintenance” site translates as follows:

“Russia invaded our territory to kill people from the People’s Republic. Hack done for the Chinese crew of controversy! Russia must be punished! ! ! Hacked BY: Yu”

In a related interview profiling the hacker “Yu” after the Russian Consulate hack, he describes himself as a network security enthusiast who had been defacing Chinese, Japanese, Korean, Taiwanese and U.S. sites for a while, but had to give up his activities due to college studies. Interestingly, he also insists that education is the better choice in the long term than the web site defacements he is involved in.

Yu’s hacking group, as well as the Chinese Hacking Union, are a great example of the diverse but highly de-centralized province-based IT underground scene in China. Largely inspired by the glorious China Eagle Union, the Red Hacker’s Alliance and the Hacker Union of China, new training communities keep popping-up like mushrooms - even gender based ones (Chinese female hacking group spotted).

The site of the Russian Consulate in Shanghai is still serving a “The site is currently under maintenance! sorry for any inconveniences!” message.

[Source: zdnet]

Adobe Reader 9 and Acrobat 9 zero day exploited in the wild

Yesterday, Adobe confirmed the existence of a critical vulnerability affecting Adobe Reader and Acrobat versions 9.0 and earlier, originally detected by the Shadowserver Foundation last week.

The ongoing targeted attacks have since been confirmed by both Symantec and McAfee, who urge users to disable JavaScript in Adobe Reader and Acrobat until Adobe issues a patch on the 11th of March. To do so, click Edit -> Preferences -> JavaScript and uncheck “Enable Acrobat JavaScript”.

Symantec’s comments on the potential for massive attacks using the exploit:

So far, these attacks appear to be targeted and not widespread. Symantec is continuing to monitor the vulnerability’s use in the wild.

While examining the JavaScript code used for “heap-spraying” in these PDFs, we can see the same comments that show that these separate exploit attempts come from the same source! It seems likely that the people behind this threat are using targeted attacks against high-ranking people within different organizations—for example, locating the CEO’s email address on the company website and sending a malicious PDF in the hope that their malicious payload will run. Once the machine is compromised, the attackers may gain access to sensitive corporate documents that could be costly for companies breached by this threat.
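Two things Symantec’s note relies on, the heap-spray pattern itself and the reuse of the same comments across samples, shown as an added example in C (not Symantec’s tooling and not the attackers’ code). The samples are constructed JavaScript with the shape of a spray, not real exploit code, and the indicator thresholds are assumptions chosen for illustration. The point is that, stripped of layout, shared comment text is a cheap clustering key for tying separate PDFs to one source, and that the spray is recognizable from a handful of features.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMMENTS 16
#define COMMENT_LEN  128

/* Pull every line (//) and block comment out of a JavaScript blob into out[],
 * with the markers and surrounding whitespace stripped. Deliberately minimal:
 * it does not track string literals, so "http://" inside a string would be
 * reported as a comment. Returns the number of comments collected. */
int extract_comments(const char *js, char out[][COMMENT_LEN], int max) {
    int n = 0;
    const char *p = js;
    while (*p && n < max) {
        const char *start, *end;
        if (p[0] == '/' && p[1] == '/') {             /* line comment: to end of line */
            start = p + 2;
            end = strchr(start, '\n');
            if (!end) end = start + strlen(start);
            p = end;
        } else if (p[0] == '/' && p[1] == '*') {      /* block comment: to the closing marker */
            start = p + 2;
            end = strstr(start, "*/");
            if (!end) end = start + strlen(start);
            p = *end ? end + 2 : end;
        } else {
            p++;
            continue;
        }
        while (start < end && (*start == ' ' || *start == '\t')) start++;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\r')) end--;
        size_t len = (size_t)(end - start);
        if (len == 0) continue;
        if (len >= COMMENT_LEN) len = COMMENT_LEN - 1;
        memcpy(out[n], start, len);
        out[n][len] = '\0';
        n++;
    }
    return n;
}

/* Number of comments of a that also appear verbatim in b: the "same comments"
 * clue Symantec used to tie separate PDFs to one source. */
int shared_comments(const char *a, const char *b) {
    char ca[MAX_COMMENTS][COMMENT_LEN], cb[MAX_COMMENTS][COMMENT_LEN];
    int na = extract_comments(a, ca, MAX_COMMENTS);
    int nb = extract_comments(b, cb, MAX_COMMENTS);
    int shared = 0;
    for (int i = 0; i < na; i++)
        for (int j = 0; j < nb; j++)
            if (strcmp(ca[i], cb[j]) == 0) { shared++; break; }
    return shared;
}

static int count_occurrences(const char *hay, const char *needle) {
    int n = 0;
    size_t len = strlen(needle);
    for (const char *p = strstr(hay, needle); p; p = strstr(p + len, needle)) n++;
    return n;
}

/* Heap-spray indicators, one point each (thresholds are assumptions for
 * illustration, not a vendor signature):
 *  1. unescape() assembling a NOP sled / shellcode from many %uXXXX escapes
 *  2. a string-doubling loop growing the sled until .length reaches a size
 *  3. an array being filled with copies of it in a loop */
int heap_spray_score(const char *js) {
    int score = 0;
    if (strstr(js, "unescape(") && count_occurrences(js, "%u") >= 8) score++;
    if (strstr(js, "while") && strstr(js, ".length <") && strstr(js, "+=")) score++;
    if (strstr(js, "new Array(") && count_occurrences(js, "[i]") >= 1) score++;
    return score;
}

/* Constructed samples, not real exploit code: two PDFs' embedded JavaScript
 * with different variable names but one shared comment, and a benign form script. */
const char *SAMPLE_A =
    "// spray v2 - build sled then fill\n"
    "var sc = unescape(\"%u0c0c%u0c0c%u0c0c%u0c0c%u9090%u9090%u9090%u9090\");\n"
    "var sled = unescape(\"%u0c0c%u0c0c\");\n"
    "while (sled.length < 0x40000) sled += sled;\n"
    "var m = new Array();\n"
    "for (var i = 0; i < 200; i++) m[i] = sled + sc;\n";

const char *SAMPLE_B =
    "/* spray v2 - build sled then fill */\n"
    "// target: reader 9\n"
    "var s = unescape(\"%u0c0c%u0c0c%u0c0c%u0c0c%u9090%u9090%u9090%u9090\");\n"
    "var nop = unescape(\"%u0c0c%u0c0c\");\n"
    "while (nop.length < 0x40000) nop += nop;\n"
    "var heap = new Array();\n"
    "for (var i = 0; i < 300; i++) heap[i] = nop + s;\n";

const char *BENIGN =
    "// validate form\n"
    "var v = this.getField(\"email\").value;\n"
    "if (v.length < 3) app.alert(\"missing address\");\n";

int main(void) {
    printf("spray score A=%d B=%d benign=%d\n",
           heap_spray_score(SAMPLE_A), heap_spray_score(SAMPLE_B), heap_spray_score(BENIGN));
    printf("comments shared A/B=%d A/benign=%d\n",
           shared_comments(SAMPLE_A, SAMPLE_B), shared_comments(SAMPLE_A, BENIGN));
    return 0;
}
```

Comment text survives the renaming of variables and the switch between line and block comment style, which is why it clusters samples that a byte-level hash would treat as unrelated; the spray score is a coarse triage heuristic and would need the JavaScript decoded out of the PDF stream first.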

For the time being, the cybercriminals chose to generate less noise by launching targeted attacks, just as they did earlier this week using IE7’s MS09-002 vulnerability. However, as we’ve seen before, it’s only a matter of time until copycat attackers start using it on a large scale.

With several targeted campaigns currently active, what are the chances that a sample malware campaign would be once again monetizing infected hosts by infecting them with rogue security software similar to Conficker’s first release? Huge.

Upon analyzing the binary served once a host is successfully exploited by a sample campaign, it attempts to trick the user into installing the very latest rogue security software, Spyware Protect 2009. The cute part is that the cybercriminals didn’t manage to configure their campaign correctly, resulting in a 404 error.

What’s important to point out is that the original targeted attacks detected by the Shadowserver Foundation are once again using a well known and previously abused Chinese DNS provider (js001.3322.org) with more details about its owner available in a related BusinessWeek article.

[Source: zdnet]

New Symbian-based mobile worm circulating in the wild

F-Secure and Fortinet are investigating newly discovered mobile malware identified as SymbOS/Yxes.A!worm or “Sexy View”. The malware affects S60 3rd Edition devices and carries a valid Symbian-signed certificate, which tricks the mobile device user into thinking it’s a legitimate application. In terms of propagation, “Sexy View” collects all the phone numbers from the infected device and then SMS-es all of them a link to a web site hosting a copy of itself.

SymbOS/Yxes.A!worm is the second piece of mobile malware detected in the wild in 2009, following last month’s discovery of Trojan-SMS.Python.Flocker by Kaspersky Labs. A trend, a fad, or opportunists experimenting ahead of mobile malware’s prime time in 2009?

Using spam and phishing as analogies: both spammers and phishers require huge databases of harvested email addresses in order to hit them directly. What used to be old-fashioned directory attacks, attempting to guess user names and associate them with mailboxes, is today a greatly matured underground market segment offering millions of segmented emails (per country, city, industry or email provider) which cybercriminals easily integrate within their campaign management kits.

What’s particularly interesting about SymbOS/Yxes.A!worm is that the worm’s main objective appears to be harvesting information from the infected devices such as phone numbers, IMEI, IMSI as well as the phone type. This data harvesting approach is pretty similar to that of email harvesting tools, and in the long term the harvested data will be monetized and resold to phone scammers, whose activities are already driving the success of such sites as WhoCallsme? and 800notes.

Moreover, Guillaume Lovet, a senior manager of Fortinet’s Threat Research Team, is also speculating on the potential for a mobile botnet due to the ways in which Yxes.A!worm spreads: “As far as our analysis goes, the worm currently does not take commands from the remote servers it contacts. However, since the copies hosted on the malicious servers are controlled by the cyber criminals, they may update them whenever they want, thereby effectively mutating the worm, adding or removing functionality. We’re really at the edge of a mobile botnet here.”

With carriers, manufacturers, and service providers clearly aware of the emerging mobile malware threat, thankfully, they seem to be thinking in the right direction - according to McAfee’s 2009’s Mobile Security Report, when asked “Who Should Bear the Cost of Securing Mobile Devices?” 44% of the mobile device manufacturers forwarded the responsibility to themselves instead of their clients.

At a time when your mobile number and physical location, the prerequisites for targeting you with a scam, are set to become valuable goods in the underground economy, your vigilance remains a cost-effective solution.

[Source: zdnet]

Microsoft: ‘Consistent exploit code likely’ for IE vulnerabilities

Microsoft today shipped four bulletins with patches for at least 8 documented security vulnerabilities affecting Windows users and warned that “consistent exploit code could be easily crafted” to launch attacks via the Internet Explorer browser.

The Patch Tuesday batch includes fixes for a pair of code execution holes in IE, two bugs in the Microsoft Exchange Server, a remote code execution issue in the Microsoft SQL Server, and three separate flaws haunting users of Microsoft Office Visio.

The Internet Explorer bulletin (MS09-002) should be treated with urgency because the flaws can be exploited to launch drive-by download attacks.

  • This security update is rated Critical for Internet Explorer 7 running on supported editions of Windows XP and Windows Vista. For Internet Explorer 7 running on supported editions of Windows Server 2003 and Windows Server 2008, this security update is rated Moderate.

The Microsoft warning that consistent exploit code was likely suggests that it’s very easy for an attacker to host a specially crafted Web site and attack unpatched users who surfed to the rigged Web site.

  • The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability.

Enterprise administrators will also want to pay special attention to the Microsoft Exchange update (MS09-003) which covers two different vulnerabilities that expose users to code execution or denial-of-service attacks.

Microsoft explains:

  • The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.

The company says it expects to see “inconsistent exploit code” published for this bulletin. However, nCircle director of security operations Andrew Storms says this is a very serious problem.

“This vulnerability means that any cybercriminal sending a well crafted email attachment to an enterprise could gain complete control over the server and gain one of the keys to the kingdom,” Storms said.

“All kinds of highly confidential and proprietary information pass through an Exchange server every day. Gaining control over it and its content would be a gold mine to any cyber criminal,” he added.

[Source: zdnet]

Targeted malware attacks exploiting IE7 flaw detected

Researchers at TrendMicro have detected a targeted malware attack exploiting last week’s patched critical MS09-002 vulnerability affecting Internet Explorer 7. Upon opening the spammed Microsoft Office document, vulnerable users are automatically forwarded to a Chinese live exploit site that still remains active.

The attack has also been confirmed by McAfee and by the ISC, who point out that the cybercriminals appear to have reverse engineered Microsoft’s patch in order to come up with the exploit.

From TrendMicro’s post:

The threat starts with a spammed malicious .DOC file detected as XML_DLOADR.A. This file has a very limited distribution script, suggesting it may be a targeted attack. It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML detected by the Trend Micro Smart Protection Network as HTML_DLOADER.AS.

HTML_DLOADER.AS exploits the CVE-2009-0075 vulnerability, which is already addressed by the MS09-002 security patch released last week. On an unpatched system though, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS.

This backdoor further installs a .DLL file that has information stealing capabilities. It sends its stolen information to another URL via port 443.

The attackers’ trade-off in this case is either to launch a less noisy targeted attack, or to reach as many users as possible by using legitimate web sites as infection vectors, a choice that depends on what they are trying to achieve and whom they are targeting in particular.

Who’s behind the attack anyway? The web service (9966.org) used as a “phone back” location for the stolen data is a well known one, used primarily by Chinese hackers in previous massive SQL injection attacks. That doesn’t necessarily mean the campaign was launched by Chinese hackers, since it could be hackers from anywhere using a well known malicious infrastructure in order to shift the blame onto local hackers.

Moreover, in this particular campaign I can easily argue that the window of opportunity for abusing this vulnerability in a targeted fashion is just as wide open as that for exploiting the same hosts with a diversified set of older exploits. For instance, despite the timely exploitation of MS09-002, and judging by the number of Conficker-affected hosts globally (another case where a patch has long been available), there’s a great chance that some of the hosts they’re attempting to exploit through MS09-002 are already part of Conficker’s botnet, or remain susceptible to outdated vulnerabilities.

So far, no massive malware campaigns are taking advantage of the exploit, but users are advised to audit their systems against known client-side vulnerabilities, and MS09-002 in particular.

[Source: zdnet]

Crimeware tracking service hit by a DDoS attack

A week after a newly launched crimeware tracking service went public, cybercriminals didn’t hesitate to prove its usefulness by launching a distributed denial of service attack (DDoS) against it. According to the Swiss security blog, the Zeus tracker came under attack from a previously known source that also attacked abuse.ch over a year ago, taking advantage of a well known do-it-yourself DDoS malware kit.

Just like November 2008’s DDoS attack against the anti-fraud site Bobbear.co.uk — with evidence that the attack was commissioned provided by Zero Day back then — the single most evident proof of the usefulness of your cybercrime tracking service always comes in the form of a direct attack against its availability.

What is the Zeus Tracker anyway, and why is it so special in the first place?

The Zeus Tracker is a full-disclosure project keeping track of known hosting locations for Zeus, one of the most ubiquitous crimeware applications, which cybercriminals have taken advantage of for years. Moreover, by maintaining a real-time blocklist that allows the community to easily take action against known Zeus domains/IPs, it exposes active crimeware campaigns, so it shouldn’t come as a surprise that the service is getting attacked.

Once available as a proprietary crimeware tool costing several thousand dollars, today pirated copies of Zeus are so prevalent that most of the innovations attempting to improve its usefulness and its ability to sniff e-banking transaction data come from third parties, in a true open source crimeware fashion. In fact, the Zeus crimeware is so popular that cybercriminals themselves are looking for, and successfully finding, remotely exploitable vulnerabilities within the kit in an attempt to hijack someone else’s botnet.

Moreover, with or without the Zeus Tracker’s real-time data, the Zeus malware is prone to continue dominating the crimeware landscape due to its maturity into a cybercrime-as-a-service proposition. For instance, the increasing number of services offering managed Zeus botnets not only allow less sophisticated cybercriminals easy access to hundreds of thousands of banker malware infected hosts, but also, the relatively low prices the services charge due to the fact that they’re running pirated copies of Zeus ultimately results in the scalability of cybercrime in general.

Attempting to undermine this scalability would mean coming up with ways to shorten the average time a Zeus command and control domain/IP remains online, next to communicating the already known locations as a public service just like the Zeus Tracker does.

[Source: zdnet]

Apple Patch Day: Gaping Mac OS X, Safari holes

It’s Apple’s turn on the Patch Day treadmill and, for Mac OS X users, it’s quite ugly.

As I write, Apple has released four different bulletins to cover 48 documented vulnerabilities in the Mac OS X ecosystem, a solitary code execution flaw affecting Safari for Windows and four different security problems in Java for Mac OS X.

Security Update 2009-001 is quite a whopper, providing patches for holes in a wide range of components, including several open-source implementations like ClamAV and fetchmail.

[ How does Apple get away with this badware behavior? ]

This is a high-priority update for all Mac OS X users so don’t fool around when you see that Software Update alert. All the raw details can be found in this advisory.

If you’re a Windows user and Safari is installed on your machine, pay special attention to this alert, which warns of code execution exposure on Windows XP and Windows Vista.

  • Multiple input validation issues exist in Safari’s handling of feed: URLs. The issues allow execution of arbitrary JavaScript in the local security zone. This update addresses the issues through improved handling of embedded JavaScript within feed: URLs.

[ Pwn2Own hacker contest targets browsers, smart phones ]

Apple also shipped a Java for Mac update with fixes for 4 more security problems:

  • Multiple vulnerabilities exist in Java Web Start and the Java Plug-in, the most serious of which may allow untrusted Java Web Start applications and untrusted Java applets to obtain elevated privileges. Visiting a web page containing a maliciously crafted Java applet may lead to arbitrary code execution with the privileges of the current user.

[Source: zdnet]

Should Microsoft decouple IE from Patch Tuesday?

A security researcher wants Microsoft to follow the lead of other browser makers and start fixing Internet Explorer security problems outside of the Patch Tuesday cycle to help contain the Windows malware epidemic.

[ Microsoft: ‘Consistent exploit code likely’ for IE vulnerabilities ]

According to Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, IE’s dominant userbase and high risk profile expose Windows users to a wide range of malicious hacker attacks but, despite years of warnings, business users are not rushing to install IE patches ahead of other critical updates (see chart below).


[ SEE: Hackers exploiting (unpatched) IE 7 flaw to launch drive-by attacks ]

The chart, powered by data collected by Qualys over the last six months, shows that critical IE patches are applied at very much the same speed as other high-priority updates.

I had a chat with Kandek about his findings and he was adamant that the risk presented by a critical IE vulnerability is higher than another critical flaw in another piece of software that doesn’t interact directly with the Internet.

  • “Every month when Microsoft issues its security advisories we get asked what patch to apply first. Typically we are reluctant to elevate one vulnerability over the other, however looking at the 2008 data we agree that Internet Explorer vulnerabilities should be given the highest priority and patched first. The browser is the heaviest used software application that interacts with the Internet, the most likely source of malicious content. It is not only used for professional purposes but also in private interactions – e-commerce, social networking, private e-mail, etc. Browser patches are heavily tested by Microsoft and unlikely to break any existing functionality on the desktop.”

Unfortunately, Kandek says the vulnerability data shows that companies treat browser patches just like all other patches — their deployment cycle correlates very closely with other critical patches.

The answer? Kandek argues that Microsoft should borrow from the Mozilla Firefox playbook and fit an automatic-update utility directly into IE to handle patching on the fly.

“Think about it. There’s a very big exposure area. Hackers are increasingly targeting the browser. Enterprises are on a tight patch schedule. If IE got moved out of Patch Tuesday, won’t it be better?” he added.

[ GALLERY: How to configure Internet Explorer to run securely ]

“Patches would be deployed faster and we would have a healthier IE population,” Kandek added, noting that IE add-ons like Flash and other media players would benefit from an automatic update tool embedded in the browser.

The Qualys data was culled from 9.5 million IP scans per month.

* Hat tip to Gregg Keizer at ComputerWorld.

[Source: zdnet]

Massive comment spam attack on Digg.com leads to malware

According to PandaSecurity, the social news site Digg.com is among the very latest Web 2.0 services to be targeted by cybercriminals on their way to acquiring legitimate traffic for their malware-serving domains. The ongoing attack is far more widespread than originally stated, with over 500,000 bogus comments leading to 15 currently active malware domains, where the end user is enticed to install a fake video codec in order to view the video. Once executed, the codec attempts to trick the user into believing they’re infected with malware, and that rogue security software has to be purchased in order to get rid of it.

Despite the obvious similarities with last month’s Google Video keywords poisoning attack, the comment-spam campaign at Digg.com is unique in the sense that it appears to have been active for over a year now. Let’s dissect the campaign and explain how it works.

The cybercriminals are taking advantage of purposely registered bogus accounts, in combination with compromised legitimate accounts, not only to post Digg stories leading directly to malware, but also to heavily comment on legitimate and bogus stories by posting even more malware-serving links.

So basically, you have a catchy title submitted through a bogus account, with a multitude of bogus accounts commenting on it and linking to more malware-serving domains. Or exactly the opposite - bogus accounts commenting on legitimate stories since January 2008. This practice of self-recommendation greatly reminds me of a similar eBay bot-talk scheme back in 2006, where bogus accounts were automatically giving positive recommendations to fraudulent accounts, all operated by the same person/gang.

Interestingly, just as in Google’s keywords poisoning campaign, no client-side vulnerabilities are used. Instead, the cybercriminals are entirely relying on the end user to download and execute the codec in order to view the video.

Digg.com’s abuse department has already been notified of all the related malware domains used across the site.

UPDATE: The following is a complete list of the malware domains used within the comments posted at Digg.

[Source: zdnet]

Pwn2Own hacker contest targets browsers, smart phones

After two straight years of taking dead aim at Macbooks and Windows-powered machines, hackers at this year’s CanSecWest conference will have shiny new targets: Web browsers and mobile phones.

According to CanSecWest organisers, there will be two separate Pwn2Own competitions this year — one pitting hackers against IE8, Firefox 3 and Safari and another targeting Google Android, Apple iPhone, Nokia Symbian and Windows Mobile.

[ SEE: 10 questions for MacBook hacker Dino Dai Zovi ]

On the browser side, the IE vs Firefox battle is sure to grab headlines, although I’m not quite sure why Opera and Google’s Chrome were not included in the target list.

The rules of engagement are not yet available but it’s a safe bet that a successful attacker would have to exploit a zero-day vulnerability to gain full access to the target computer.

CanSecWest organizers plan to use a Sony VAIO P running Windows 7 as the platform for the contest. The successful hacker gets to keep the machine.

[ SEE: Google Android vulnerable to drive-by browser exploit ]

The second contest — against mobile phone platforms — will be another closely watched affair. Hackers have already successfully infiltrated the iPhone and Android platforms and there are known security problems in Symbian and Windows Mobile so we’re likely to see a lot of attention paid to this contest.

In 2007, New York-based security researcher Dino Dai Zovi teamed up with Shane Macaulay to hijack a MacBook Pro via a flaw in Apple’s QuickTime software. A year later, hacker Charlie Miller needed just two minutes to exploit a Safari bug to win that contest.

Alex Sotirov also partnered with Macaulay in 2008 to exploit an Adobe Flash vulnerability on a Windows Vista box. (Thanks to NonZealot for the correction).

* Image source: Channy Yun’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Inside Microsoft’s February patch batch

Apply IE emergency update now, don’t ask questions — Eric Schultze

It’s a seemingly light batch of patches this month, trailing an even lighter, single patch release in January. Two critical items were released — including patches for Internet Explorer 7 and Microsoft Exchange Server. Additionally, two “important” items were released — for Microsoft SQL Server and Visio.

MS09-002 is a typical IE patch, providing protection if a user is surfing to an evil website. What’s unusual this month is that the vulnerability is only present in Internet Explorer 7. This leads to the question “what did Microsoft put in IE7 that they didn’t put in earlier versions that leads to this exploit, and why didn’t their new security testing program catch this vulnerability?”


[ SEE: Microsoft: ‘Consistent exploit code likely’ for IE vulnerabilities ]

Microsoft says that it’s easy for hackers to create an evil webpage to exploit this issue.

MS09-003 is a Critical patch for Exchange Server (versions 2000, 2003, 2007) that could lead to code execution and/or Denial of Service. The attacker can send a malformed winmail.dat file to an Exchange Server in hopes of having that server execute code of their choosing. (winmail.dat files are configuration files that instruct the email client how to render and display Rich Text Formatted documents.) Alternatively, the attacker can send a series of packets to the Exchange Server in an attempt to take down the mail services - creating a denial of service attack. Microsoft says that inconsistent exploit code is likely to be released.

MS09-004 is probably the most interesting patch this month. This patch addresses the zero-day SQL Server flaw reported by Sec-Consult on December 9th, 2008. This flaw enables attackers to execute code of their choice on the affected SQL Server. The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server in order to pull off this exploit.

[ SEE: Microsoft confirms critical SQL Server vulnerability ]

However, unauthenticated attackers (since when do you authenticate your attacker anyway?) can still leverage this flaw if they can plant their code using SQL injection techniques via poorly coded websites. Proof-of-concept code has been published on the Internet, but Microsoft says they have not seen proof of exploitation (maybe they aren’t looking hard enough?). I’d probably rate this patch as Critical, given the end result it is capable of. I’m guessing Microsoft has downgraded this severity because of the “authentication” requirement (although they give this a ‘1’ in the exploitability index, saying that consistent exploit code is likely).

MS09-005 is an Important patch for Visio. Open a malformed Visio document and the evil-doer can run code on your system in the context of your currently logged on account. Microsoft says this was privately reported and they’ve seen no reports of exploitation. They recommend not opening Visio documents from untrusted sources.

[ SEE: BlackBerry bitten by ActiveX control flaw ]

I recommend a two pronged approach to patching this month. Two patches are for Server issues (09-003 and 4 - Exchange and SQL) and two are for client side applications (09-002 and 5 - IE7 and Visio). Give the two server patches to the Server maintenance team and ask that they install these two as soon as possible - given what I believe is the severity of these issues. Give the two client side patches to the desktop team and have them install these patches in the next update cycle or as they see fit - but no need to burn the weekend candle for these.

* Eric Schultze is chief technology officer at Shavlik Technologies, a vulnerability management company.

[Source: zdnet]

BlackBerry bitten by ActiveX control flaw

Research in Motion (RIM) today raised an alarm for a serious security vulnerability in the BlackBerry Application Web Loader, warning that it exposes Windows users to code execution attacks.

  • When a BlackBerry device user browses to a web site that is designed to install the BlackBerry Application Web Loader ActiveX control on BlackBerry devices over a USB connection, and clicks Yes to install and run the ActiveX control, the ActiveX control introduces the vulnerability to the computer.

An advisory from US-CERT explains that a malicious hacker could use booby-trapped HTML documents or Web pages to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer to crash.

To fix this issue, install the updated version of the BlackBerry Application Web Loader:

  1. Click the link to download the BlackBerry Application Web Loader v1.1.
  2. Complete the installation wizard.

A separate update rollup of ActiveX killbits that Microsoft provided covers this BlackBerry issue and two other ActiveX control vulnerabilities.

[Source: zdnet]

Microsoft: ‘Consistent exploit code likely’ for IE vulnerabilities

Microsoft today shipped four bulletins with patches for at least 8 documented security vulnerabilities affecting Windows users and warned that “consistent exploit code could be easily crafted” to launch attacks via the Internet Explorer browser.

The Patch Tuesday batch includes fixes for a pair of code execution holes in IE, two bugs in the Microsoft Exchange Server, a remote code execution issue in the Microsoft SQL Server, and three separate flaws haunting users of Microsoft Office Visio.

The Internet Explorer bulletin (MS09-002) should be treated with urgency because the flaws can be exploited to launch drive-by download attacks.

  • This security update is rated Critical for Internet Explorer 7 running on supported editions of Windows XP and Windows Vista. For Internet Explorer 7 running on supported editions of Windows Server 2003 and Windows Server 2008, this security update is rated Moderate.

The Microsoft warning that consistent exploit code was likely suggests that it’s very easy for an attacker to host a specially crafted Web site and attack unpatched users who surfed to the rigged Web site.

  • The attacker could also take advantage of compromised Web sites and Web sites that accept or host user-provided content or advertisements. These Web sites could contain specially crafted content that could exploit this vulnerability.

Enterprise administrators will also want to pay special attention to the Microsoft Exchange update (MS09-003) which covers two different vulnerabilities that expose users to code execution or denial-of-service attacks.

Microsoft explains:

  • The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.

The company says it expects to see “inconsistent exploit code” published for this bulletin. However, nCircle director of security operations Andrew Storms says this is a very serious problem.

“This vulnerability means that any cybercriminal sending a well crafted email attachment to an enterprise could gain complete control over the server and gain one of the keys to the kingdom,” Storms said.

“All kinds of highly confidential and proprietary information pass through an Exchange server every day. Gaining control over it and its content would be a gold mine to any cyber criminal,” he added.

[Source: zdnet]

Report: 92% of critical Microsoft vulnerabilities mitigated by Least Privilege accounts

A recently released report by BeyondTrust entitled “Reducing the Threat from Microsoft Vulnerabilities” indicates that, according to the company’s analysis of all the security bulletins Microsoft published in 2008, 92% of the critical vulnerabilities could have been mitigated by the principle of least privilege.

Despite the fact that Microsoft’s products continue topping the “successfully exploited charts” in each and every web malware exploitation kit (go through sample infection rates), long gone are the days when Microsoft’s products are targeted exclusively. Nowadays, in order to better optimize a malware campaign, a web malware exploitation kit is targeting a diverse set of client-side software/browser plugins.

Here are some of the key points from the report :

  • 92% of Critical Microsoft vulnerabilities are mitigated by configuring users to operate without administrator rights
  • Of the total published Microsoft vulnerabilities, 69% are mitigated by removing administrator rights
  • By removing administrator rights companies will be better protected against exploitation of 94% of Microsoft Office, 89% of Internet Explorer, and 53% of Microsoft Windows vulnerabilities
  • 87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights

Interestingly, given the basic fact that the client-side vulnerabilities exploited through web exploitation kits have had patches available for months, sometimes years, end users appear not only to lack an understanding of least privilege accounts, but also still to believe that patching their browser is where the self-auditing process both starts and ends.

Moreover, the ongoing Conficker/Downadup malware campaign, which has already passed the 10 million infected hosts milestone, is a very recent example of another phenomenon: millions of end users, and possibly companies, are purposely using pirated copies of Windows and are therefore running highly vulnerable, yet Internet-connected, versions of it. The proof? Symantec’s geolocated graph of infected Conficker hosts speaks for itself, as the countries with the highest software piracy rates are in fact the ones most heavily hit by the malware.

However, least privilege accounts can always be used by both legitimate users and software pirates, and combined with decent situational awareness, in the sense of knowing the current attack tactics, they are likely to decrease the chance of getting successfully compromised.

[Source: zdnet]

Fake Antivirus XP pops-up at Cleveland.com


Have we reached the phase when targeted advertising equals evasive malware campaigns pushed through third-party ad networks to a geolocated set of visitors only? Could be. During the weekend, rogue Antivirus XP pop-ups were served to visitors of Cleveland.com, according to visitors’ complaints, which I also managed to verify.

Investigating further reveals that the very same ad network that was used to serve similar Antivirus 2009 pop-ups at AllRecipes.com in November, appears to have been the one (tacoda.net) that cybercriminals once again used in Cleveland.com’s case.

With ad networks centered on efficiency, in the sense of allowing publishers faster access to their networks, every cybercriminal, no matter the ad network in question, can easily become a publisher. That is the basis of malvertising, whose key advantage from the cybercriminal’s perspective remains the opportunity to target high-traffic web sites which aren’t susceptible to common exploitation tactics.

What ad networks should set as a priority is establishing a more transparent process about what measures — if any — they have undertaken to verify that the publishers’ sites aren’t disseminating malware or client-side exploits. For instance, simply cross-checking (for starters) the rogue security software domains that appeared at Cleveland.com against Google’s Safe Browsing database indicates that they’re already marked as harmful.

[Source: zdnet]

MS Tuesday heads-up: Critical IE, Exchange flaws

Microsoft plans to ship four security bulletins next Tuesday with patches for a range of serious security vulnerabilities affecting millions of Windows users.

Two of the four bulletins will be rated “critical,” Microsoft’s highest severity rating. Those will cover remotely exploitable flaws in the Internet Explorer browser and the Microsoft Exchange Server.

[ GALLERY: How to configure Internet Explorer to run securely ]

The other two bulletins will carry an “important” severity rating and will provide fixes for code execution holes in Microsoft SQL Server and Microsoft Office (Visio).

The Internet Explorer update will apply to all supported versions of the Windows operating system, including Windows Vista and Windows Server 2008.

[Source: zdnet]

Fuzzing for Oracle database vulnerabilities

Database security vendor Sentrigo has released an open-source fuzz testing tool to help pinpoint security-related coding deficiencies in Oracle databases.

The tool, called FuzzOr, runs on Oracle 8i and is aimed at PL/SQL programmers and DBAs looking to find and eliminate vulnerabilities that may be exploited via SQL injection and buffer overflow attacks — the most common techniques used to launch hacker attacks on databases.

[ SEE: Hacker finds 492,000 unprotected Oracle, SQL database servers ]

From Sentrigo’s announcement:

  • A dynamic scanning tool, FuzzOr enables DBAs and security pros to test PL/SQL code inside Oracle-stored program units. Once vulnerabilities are detected by FuzzOr, a programmer can then repair the PL/SQL code.

Pete Finnigan, who had a look at FuzzOr prior to today’s release, explains the nitty-gritty of how it works:

  • It’s written in PL/SQL, tests PL/SQL packages, functions and procedures and is driven by a set of database tables to hold the configuration and the results. The idea is that you can target a particular package or a complete schema.
  • The nature of a fuzzer is that it sends random input to a particular function or procedure, so it is running that code hoping to crash it. Therefore, do not run this tool on a production database or any database that you do not want to damage.
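
The table-driven design Finnigan describes, as an added illustration written for this page in JavaScript (it is not FuzzOr, which is PL/SQL, and not Sentrigo’s code): a configuration table names the targets and the input generators to use for each argument, and a results table records every input that made the target throw. The target, parseRecord, is a constructed, deliberately fragile record parser standing in for a stored procedure; the generator names, the seeded PRNG and the iteration count are all assumptions made for the example.

```javascript
// Added example, not FuzzOr: a minimal table-driven fuzzer in the shape
// Finnigan describes. Target and generators are constructed for this page.

// Deterministic PRNG (Numerical Recipes LCG) so a failing input can be
// replayed from its seed rather than lost after one run.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s * 1664525 + 1013904223) >>> 0;
    return s / 0x100000000;
  };
}

// Input generators, keyed by the name the configuration table refers to.
const GENERATORS = {
  // Printable ASCII string of random length 0..maxLen-1.
  ascii(rng, maxLen = 64) {
    const n = Math.floor(rng() * maxLen);
    let out = "";
    for (let i = 0; i < n; i++) out += String.fromCharCode(32 + Math.floor(rng() * 95));
    return out;
  },
  // Boundary-value integers and a few oddities a length argument may receive.
  number(rng) {
    const picks = [0, -1, 1, 2 ** 31 - 1, -(2 ** 31), Number.MAX_SAFE_INTEGER, NaN, 3.14];
    return picks[Math.floor(rng() * picks.length)];
  },
};

// Constructed target: parses "key=value;key=value" records. It throws on a
// field without "=" and on input longer than maxLen (the planted defects a
// fuzzer should surface).
function parseRecord(text, maxLen) {
  if (text.length > maxLen) throw new RangeError("record too long");
  const out = {};
  for (const field of text.split(";")) {
    if (field === "") continue;
    const [k, v] = field.split("=");
    if (v === undefined) throw new SyntaxError("field without '='");
    out[k] = v;
  }
  return out;
}

// Configuration "table": one row per target, naming a generator per argument.
const CONFIG = [
  { name: "parseRecord", fn: parseRecord, args: ["ascii", "number"], iterations: 200 },
];

// Run every configured target and return the results "table": one row per
// input that made the target throw, with the exact arguments for replay.
function fuzz(config, seed) {
  const rng = makeRng(seed);
  const results = [];
  for (const row of config) {
    for (let i = 0; i < row.iterations; i++) {
      const args = row.args.map((g) => GENERATORS[g](rng));
      try {
        row.fn(...args);
      } catch (err) {
        results.push({ target: row.name, iteration: i, args, error: `${err.name}: ${err.message}` });
      }
    }
  }
  return results;
}

// Stand-alone run: print how many crashing inputs were recorded and the first one.
const found = fuzz(CONFIG, 42);
console.log(`${found.length} crashing inputs recorded; first:`, found[0]);
```

Because the seed is fixed, re-running fuzz(CONFIG, 42) reproduces the same results table, and each recorded args array can be passed straight back to the target to reproduce the crash while the fix is being written.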

The tool is available as a free download (registration required).

[Source: zdnet]

phpBB.com hacked; Details scarce

[ UPDATE: A reader e-mailed a link to this blog describing a blow-by-blow attack against phpBB.com. ]

One of the most widely used open-source bulletin board systems in the world has been attacked by malicious hackers.

According to a brief “maintenance” notice posted on the phpbb.com home page (screenshot below), the attack occurred through a vulnerability in an outdated PHPList installation.

No other details were offered. On the bright side, the phpBB maintainers said no vulnerabilities were found in the phpBB software itself.

The phpBB.com home page and related sites are currently unavailable.

[Source: zdnet]

Cisco warning: Serious flaws in Wireless LAN controllers

Routing and switching giant Cisco has released an alert to warn of multiple security flaws in some of its Wireless LAN controllers.

The company documented at least four vulnerabilities that could lead to denial-of-service or privilege escalation attacks. Affected product lines include Cisco Wireless LAN Controllers (WLCs), Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers.

The skinny:

  • CVE-2009-0058: Web authentication is a Layer 3 security feature that causes the controller to drop IP traffic (except DHCP and DNS related packets) from a particular client until that client has correctly supplied a valid username and password.
  • CVE-2009-0059: An attacker may cause a device reload when sending a malformed post to the web authentication “login.html” page.
  • CVE-2009-0061: Affected Cisco WLC, WiSM and Catalyst 3750 Wireless LAN Controller models are vulnerable to a DoS condition that is triggered by the receipt of certain IP packets. Upon receiving these IP packets, the affected device may become unresponsive and require a reboot to recover.
  • CVE-2009-0062: A privilege escalation vulnerability exists only in WLC software version 4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain full administrative rights on the affected system.

One of these flaws carries a CVSS Base Score of 9.0, meaning it should be treated as a “high priority” update.

[Source: zdnet]

Commercial Twitter spamming tool hits the market

Last week, a commercial Twitter spamming tool (tweettornado.com) pitching itself as a “fully automated advertising software for Twitter” hit the market, potentially empowering phishers, spammers, malware authors and everyone in between with the ability to generate bogus Twitter accounts and spread their campaigns across the micro-blogging service.

TweetTornado allows users to create unlimited Twitter accounts and add an unlimited number of followers, which, combined with its ability to automatically update all of the bogus accounts through proxy servers with an identical message, makes it the perfect Twitter spam tool.

TweetTornado’s core functionality relies on a simple flaw in Twitter’s new user registration process. Tackling it will not render the tool’s functionality useless, but will at least ruin the efficiency model. Sadly, Twitter doesn’t require you to have a valid email address when registering a new account, so even if a nonexistent address such as nonexistent@email.com is used, the user is still registered and is allowed to use Twitter.

So starting from the basics of requiring validation by clicking on a link, which will only be possible if a valid email is provided, could really make an impact in this case, since in its current form the Twitter registration process can be so massively abused that I’m surprised it hasn’t happened yet. Once a Twitter spammer has been detected, the associated, and now legitimate, email could be banned from further registrations, potentially emptying the inventory of bogus emails and, most importantly, making it more time consuming for spammers to abuse Twitter in general.

If TweetTornado is indeed the advertising tool of choice for Twitter marketers, I “wonder” why the Twitter account used in the proof (twitter.com/AarensAbritta), originally blurred out by the author, is currently suspended, the way the rest of the automatically registered ones are. Pretty evident TOS violation, since two updates and 427 followers in two hours clearly indicate that a spammer’s tweeting.

[Source: zdnet]

Mozilla plugs 7 security holes in Firefox

Mozilla’s flagship Firefox 3 browser has undergone another security makeover to fix at least 7 documented security vulnerabilities that expose users to malicious hacker attacks.

The Firefox 3.0.6 upgrade patches at least two critical Firefox flaws that may lead to arbitrary code execution attacks and another “high risk” bug that could be used to steal a victim’s data.

The raw details:

  • MFSA 2009-06: Paul Nel reported that certain HTTP directives to not cache web pages, Cache-Control: no-store and Cache-Control: no-cache for HTTPS pages, were being ignored by Firefox 3. On a shared system, applications relying upon these HTTP directives could potentially expose private data. Another user on the system could use this vulnerability to view improperly cached pages containing private data by navigating the browser back.
  • MFSA 2009-05: Developer and Mozilla community member Wladimir Palant reported that cookies marked HTTPOnly were readable by JavaScript via the XMLHttpRequest.getResponseHeader and XMLHttpRequest.getAllResponseHeaders APIs. This vulnerability bypasses the security mechanism provided by the HTTPOnly flag which intends to restrict JavaScript access to document.cookie. The fix prevents the XMLHttpRequest feature from accessing the Set-Cookie and Set-Cookie2 headers of any response whether or not the HTTPOnly flag was set for those cookies.
  • MFSA 2009-04: (Moderate severity) Mozilla security researcher Georgi Guninski reported that the fix for an earlier vulnerability reported by Liu Die Yu using local internet shortcut files to access other sites (MFSA 2008-47) could be bypassed by redirecting to a privileged about: URI such as about:plugins. If an attacker could get a victim to download two files, a malicious HTML file and a .desktop shortcut file, they could have the HTML document load a privileged chrome document via the shortcut and both documents would be treated as same origin. This vulnerability could potentially be used by an attacker to inject arbitrary code into the chrome document and execute with chrome privileges. Because this attack has relatively high complexity, the severity of this issue was determined to be moderate.
  • MFSA 2009-03: (High severity) Mozilla security researcher moz_bug_r_a4 reported that a form input control’s type could be changed during the restoration of a closed tab. An attacker could set an input control’s text value to the path of a local file whose location was known to the attacker. If the tab was then closed and the victim persuaded to re-open it, upon restoring the tab the attacker could use this vulnerability to change the input type to file. Scripts in the page could then automatically submit the form and steal the contents of the user’s local file.
  • MFSA 2009-02: (High severity) Mozilla security researcher moz_bug_r_a4 reported that a chrome XBL method can be used in conjunction with window.eval to execute arbitrary JavaScript within the context of another website, violating the same origin policy. Firefox 2 releases are not affected. Disable JavaScript until a version containing these fixes can be installed.
  • MFSA 2009-01: (Rated Critical) Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
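
The two header-handling rules behind MFSA 2009-05 and MFSA 2009-06, as an added example written for this page in JavaScript (it is not Mozilla’s code and is not how Firefox implements either fix). A small XMLHttpRequest-like response object hides Set-Cookie and Set-Cookie2 from both getResponseHeader and getAllResponseHeaders regardless of the HttpOnly flag, and a cache-admission function refuses to store a response carrying Cache-Control: no-store, or no-cache over HTTPS, so that it cannot be recovered later by another user of the machine. The sample header block and the rule that no-cache is honoured only for HTTPS (read literally from the advisory text) are assumptions.

```javascript
// Added example, not Mozilla code: script-visible response headers and
// cache admission, modelled on the MFSA 2009-05 / 2009-06 fixes.

// Headers script must never read back, whatever the cookie's attributes.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

// Parse a raw header block into [name, value] pairs (names lower-cased).
function parseHeaders(raw) {
  const pairs = [];
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // blank lines and the status line have no "name:"
    pairs.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// The view of a response that page script is allowed to see: the forbidden
// headers are dropped at construction, so neither accessor can leak them.
class ScriptVisibleResponse {
  constructor(rawHeaders) {
    this.headers = parseHeaders(rawHeaders).filter(([n]) => !FORBIDDEN_RESPONSE_HEADERS.has(n));
  }
  getResponseHeader(name) {
    const n = name.toLowerCase();
    const found = this.headers.filter(([h]) => h === n).map(([, v]) => v);
    return found.length ? found.join(", ") : null;
  }
  getAllResponseHeaders() {
    return this.headers.map(([n, v]) => `${n}: ${v}`).join("\r\n");
  }
}

// MFSA 2009-06: a response with Cache-Control: no-store, or no-cache when
// fetched over HTTPS, must not be written to the shared disk cache.
function mayStoreInCache(url, rawHeaders) {
  const directives = parseHeaders(rawHeaders)
    .filter(([n]) => n === "cache-control")
    .flatMap(([, v]) => v.split(",").map((d) => d.trim().toLowerCase()));
  if (directives.includes("no-store")) return false;
  if (url.startsWith("https:") && directives.includes("no-cache")) return false;
  return true;
}

// Constructed sample: an HTTPS page that sets a session cookie and asks
// not to be cached.
const SAMPLE_HEADERS = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html",
  "Set-Cookie: session=abc123; HttpOnly; Secure",
  "Set-Cookie2: legacy=1; Version=1",
  "Cache-Control: private, no-cache",
].join("\r\n");

function demo() {
  const r = new ScriptVisibleResponse(SAMPLE_HEADERS);
  return {
    cookieVisibleToScript: r.getResponseHeader("Set-Cookie"),           // null
    allHeaders: r.getAllResponseHeaders(),                               // no set-cookie lines
    cacheable: mayStoreInCache("https://bank.example/", SAMPLE_HEADERS), // false
  };
}

console.log(demo());
```

Filtering at construction rather than in each accessor is the point of the Firefox fix as described: once a second accessor (getAllResponseHeaders) exists, a check that lives only in getResponseHeader is a bypass waiting to happen.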

The patch is being released automatically via Firefox’s built-in update mechanism. This should be treated as a high-priority update for any user that has Firefox installed, whether you use the browser or not.

[Source: zdnet]

Google flags entire Web as ‘malware’

UPDATE: Google explains, blaming “human error.”

A major hiccup at Google this morning caused the entire Internet to be flagged as malware.

The problem appears to be centered around the Google Safe Browsing API, the security diagnostics service that powers Firefox’s malware blocking service, which returned a “This site may harm your computer” warning (see screenshot below).

There has been no official word from Google yet, but the blogosphere and Twittersphere are abuzz with screenshots and complaints from unhappy Web surfers. (See Techmeme discussion.)

For a short period during the hiccup, Firefox was blocking access to Web sites with the standard “This is an attack site!” warning.

With all the damaged reputations from this episode, how soon before we see a high-level warning about the dangers of the Google monoculture?

[Source: zdnet]

Google plugs ‘high-risk’ holes in Chrome browser

Google has shipped a high-priority Chrome browser patch with fixes for three security vulnerabilities that expose users to cross-site scripting and data theft attacks.

Google Chrome’s beta and stable channels have been updated to version 1.0.154.46 to mitigate an issue with the Adobe Reader plug-in (two separate vulnerabilities) and to fix a bug in the V8 JavaScript engine that could allow bypassing same-origin checks.

The skinny:

  • CVE-2007-0048 and CVE-2007-0045: Workaround for Adobe Reader Plugin Open Parameters Cross-Site Scripting Vulnerability
    • Google Chrome now refuses requests for javascript: URLs in Netscape Plugin API (NPAPI) requests from the Adobe Reader plugin. Adobe is aware of this issue and has helped us develop this mitigation while they work on a fix for all users.
    • Severity: Moderate. This could allow a PDF document to run scripts on arbitrary sites.
  • CVE-2009-0276: Javascript Same-Origin Bypass
    • A bug in the V8 JavaScript engine could allow bypassing same-origin checks in certain situations.
    • Severity: High. A malicious script in a page could read the full URL of another frame, and possibly other attributes or data from another frame in a different origin. This could disclose sensitive information from one website to a third party.
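
The kind of check the Adobe Reader mitigation describes, as an added example written for this page in JavaScript (it is not Chromium code and does not show how Chrome implements the refusal): a navigation request that originates from a plugin is refused whenever its URL has the javascript: scheme, since such a script would run in the origin of the page embedding the plugin. Scheme parsing deliberately strips leading control characters and embedded tabs and newlines, because a naive startsWith("javascript:") test misses those variants. The sample requests and the fromPlugin flag are assumptions made for the example.

```javascript
// Added example, not Chromium code: refuse javascript: URLs in requests
// that come from a plugin, with scheme parsing that is not fooled by
// whitespace, case or embedded tab/newline characters.

// Extract a URL's scheme roughly the way a browser does: drop leading
// C0 controls and spaces, discard embedded tab/CR/LF, read up to ":",
// and compare case-insensitively. Returns null if there is no scheme.
function urlScheme(url) {
  const cleaned = url.replace(/^[\u0000-\u0020]+/, "").replace(/[\t\r\n]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function isScriptUrl(url) {
  return urlScheme(url) === "javascript";
}

// Policy decision for one navigation request. Page-initiated requests are
// left to the normal navigation rules; plugin-initiated ones may never
// target javascript:.
function shouldAllowPluginNavigation(url, fromPlugin) {
  if (fromPlugin && isScriptUrl(url)) {
    return { allowed: false, reason: "javascript: URL from plugin refused" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests as a plugin might issue them; the last one has
// "javascript:" only in its path and must still be allowed.
const SAMPLE_REQUESTS = [
  "https://example.test/report.pdf",
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "http://example.test/javascript:not-a-scheme",
];

// Evaluate each request as if it came from a plugin: [url, allowed] pairs.
function auditRequests(requests) {
  return requests.map((u) => [u, shouldAllowPluginNavigation(u, true).allowed]);
}

console.table(auditRequests(SAMPLE_REQUESTS));
```

The decision is keyed on the parsed scheme rather than on the raw string so that the same function also serves as a detection rule: anything a plugin hands over that parses to the javascript scheme is worth logging, whether or not it is refused.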

The patch (see release notes) also fixes problems with Yahoo Mail and Windows Live Hotmail.

[Source: zdnet]