Opera sings the security blues

Guest editorial by Aviv Raff

If you ask any Opera fanboy, he will tell you that Opera is the most secure browser. Well, frankly, it really is a good and secure browser, implementing many restrictions that other browsers simply ignore.

For example, while other browsers allow scripts running from local resources to access local files, Opera doesn’t. Because of that, it is almost impossible to steal local files, or to execute code by exploiting vulnerabilities in local resources.

You probably noticed that I used the word almost. It is almost impossible, because one, and only one, local resource does allow you to access local files and other browser settings. That local resource is opera:config.

[ SEE: On Opera patch day, a new zero-day flaw ]

One of the many settings this local resource can be used to change is the mail external application. The mail external application is opened whenever you click on a “mailto:” link, or whenever your browser redirects to a “mailto:” URL. If an attacker can change this setting, it means that he can automatically execute arbitrary code on the user’s machine from remote.

This is of course irrelevant, unless you can actually change the settings automatically from remote, and unfortunately for Opera users, there was a way.

Today, Opera released a new version, 9.62, with a fix for a vulnerability in a different local resource - the “History Search” page (opera:historysearch). The problem was that Opera did not sanitize specific parameters correctly, so an arbitrary script could be injected into this page. An attacker could then execute a script that creates an iframe which opens the opera:config local resource, and then calls a script within the opera:config page which changes the settings and executes arbitrary code on the user’s machine, as previously explained.

[ SEE: Opera bitten by ‘extremely severe’ browser bug ]

The vulnerability in the “History Search” page was found by Stefano Di Paola, during our discussion on the full-disclosure mailing list about an older vulnerability in the “History Page” that was found by Roberto Suggi and was fixed by Opera in version 9.61. I’ve created proof-of-concept code which demonstrates the vulnerabilities. Both can be found on milw0rm.com.

While both vulnerabilities in the “History Page” are now fixed, the core problem, which makes it possible to execute code from remote, still isn’t.

There is still no Same Origin Policy restriction between local resources in Opera. It is still possible for a script to access one local resource (e.g. opera:cache) from another (e.g. opera:config). In my submission to Opera I’ve asked them to fix this issue as well, and I really hope they will do so before other vulnerabilities are found in more local resources.
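To make the missing restriction concrete, here is an added example (not Opera’s code, and not from the original post) of an origin check that treats each browser-internal resource such as opera:config or opera:cache as its own origin, so that a script running in one cannot be allowed to reach into another; the function names and the choice to key non-hierarchical URLs on their path are assumptions made for this illustration.

```javascript
// Added example: a same-origin check that keeps browser-internal resources
// (opera:config, opera:cache, opera:historysearch ...) isolated from each
// other. Uses the WHATWG URL parser available in Node and modern browsers.

// Compute an origin string for a URL.
function originOf(rawUrl) {
  const u = new URL(rawUrl);
  const scheme = u.protocol.replace(/:$/, "");
  if (scheme === "http" || scheme === "https") {
    // Classic web origin: scheme + host + port (default port made explicit).
    const port = u.port || (scheme === "https" ? "443" : "80");
    return `${scheme}://${u.hostname}:${port}`;
  }
  // Non-hierarchical schemes carry no host. Assumption for this example:
  // the resource name itself (scheme plus path, ignoring query and fragment)
  // is the origin, so opera:config and opera:cache are distinct origins.
  return `${scheme}:${u.pathname}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Policy decision: may a script loaded from sourceUrl script a frame
// showing targetUrl? Under this policy a script injected into
// opera:historysearch is not allowed to touch opera:config.
function mayScript(sourceUrl, targetUrl) {
  return sameOrigin(sourceUrl, targetUrl);
}
```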

Nevertheless, my recommendation for Opera users is still to upgrade to the latest version.

* Aviv Raff manages a security research team for a Fortune 500 company. You can read about his research at his blog or follow his daily activities on Twitter.

[Source: zdnet]

A peek inside the bank malware epidemic


My colleague at Kaspersky Lab Roel Schouwenberg (see disclosure) has written a very interesting piece on the banker malware landscape, warning that attacks against financial institutions will get much more targeted and sophisticated.

Schouwenberg’s Attacks on Banks paper takes a close look at how malicious programs targeting financial institutions are designed to evade anti-malware and examines how phishing and money mules serve as the hub for global identity theft attacks.

Some important highlights:

  • More sophisticated banker malware will use a MitM [man-in-the-middle] attack; this not only enables cyber criminals to attack more banks, but also ensures a higher return, as data is processed in real time. A MitM attack uses a malicious server to intercept all traffic between the client and the server, i.e. the customer and the financial organization. Although everything will seem normal to the user, when s/he is asked to authorize a transaction, s/he is actually authorizing a transaction created by the cyber criminal. Malware which uses a MitM attack typically either hides browser notifications about false web site certificates or, more commonly, shows a fake notification.
  • With cyber criminals remaining eager to maximise their returns and remain at liberty, they have been examining other ways of conducting attacks. Thus, we are now seeing an increase in so-called next generation financial malware - Man-in-the-Endpoint (MitE).
  • The increased usage of two-factor authentication by financial organizations has resulted in an increase in malware capable of defeating this type of authentication. This means that the eventual adoption of two-factor authentication will not have any significant long-term effect. It will simply raise the benchmark for financial malware.

Read the full report here.
* Image source: The akaalias Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

HotJobs site flaw leads to Yahoo account theft

(See update below for statement from Yahoo.)

Malicious hackers are exploiting a cross-site scripting flaw on Yahoo’s HotJobs site to phish for Yahoo credentials, according to a warning from Netcraft.

In the ongoing attack, Netcraft discovered that the vulnerability allows the attacker to inject obfuscated JavaScript into the affected page to steal authentication cookies that are sent for the yahoo.com domain.

The stolen authentication cookies are then passed to a different web site in the United States, where the attacker is harvesting stolen authentication details.

  • Simply visiting the malign URLs on yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim’s email — the victim does not even have to type in their username and password for the attacker to do this. Both attacks send the victim to a blank webpage, leaving them unlikely to realise that their own account has just been compromised.

Netcraft said it notified Yahoo of the latest attack but warned that the HotJobs vulnerability and the attacker’s cookie harvesting script are both still present at the vulnerable site.

UPDATE: Yahoo e-mailed the following in response to this story:

The team was made aware of this particular Cross-Site Scripting issue yesterday morning (Sunday, Oct. 26) and a fix was deployed within a matter of hours. Yahoo! appreciates Netcraft’s assistance in identifying this issue.

As a safety precaution, we recommend users change their passwords, should they still be concerned. Users should always verify via their Sign-in Seal that they are giving their passwords to Yahoo.com.

[Source: zdnet]

Facebook worm finds a friend in Google Reader

The Facebook worm that has been squirming its way through the popular social network now has a new friend — Google Reader.

According to researchers at Fortinet, the worm’s creators are wrapping Google’s RSS reader around fake video downloads as part of a strategy to strengthen the social engineering component of the attack. From Fortinet’s advisory:

  • This “hop” via a Google Reader share serves an essential purpose: it gives the targeted user the feeling that the video is hosted on Google. Thus it must be safe. Combo that with the “it’s a message from a friend” factor, which naturally lowers down users’ wariness shields, and you get quite a good chance of seeing your victim perform the dreaded click.

[ SEE: Web worms squirm through Facebook, MySpace ]

Fortinet researcher Guillaume Lovet believes the cyber-criminals behind the Facebook worms registered Google Reader accounts (either manually, or automatically via phishing operations or automated CAPTCHA solvers) for the sole purpose of loading them with links to malicious sites.

Fake video lures are used to infect Windows machines with rogue security software.

Image source: Jacob Botter’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]

Exploit published for Windows worm hole

Reliable exploit code for the remote code execution vulnerability patched with Microsoft’s MS08-067 update has been posted to the Internet, prompting a new “patch immediately” advisory from the Redmond software maker.

The exploit, which has been added to the freely available Metasploit point-and-click attack tool, provides a roadmap for code execution on Windows 2000, Windows XP, and Windows Server 2003. A second exploit has been posted to Milw0rm.com, increasing the likelihood of in-the-wild malware attacks.

[ SEE: MS ships emergency patch for Windows worm hole ]

From the Microsoft advisory:

  • Our investigation of this exploit code has verified that it does not affect customers who have installed the updates detailed in MS08-067 on their computers. Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows.

Several proof-of-concepts have also been publicly released.

Microsoft shipped an out-of-band update last week to plug the hole after discovering “limited, targeted attacks” against Windows users. The attacks included the use of reconnaissance Trojans hijacking sensitive system information.

The vulnerability is due to the Windows Server service not properly handling specially crafted RPC requests. The vulnerable Windows Server service provides RPC support, file and print support, and named pipe sharing over the network. It is also used to allow the sharing of your local resources (such as disks and printers) so that other users on the network can access them.

[Source: zdnet]

Talkback Tuesday: latest MS vulnerability

Everyone was discussing the MS08-067 vulnerability and its out-of-cycle patch last week. My post on the topic elicited several comments from our readers, including the following by frgough:

If this had been Apple, the article slant would have been all about poor security models, inherently flawed structure with lots of adjectives like massive, dangerous, overconfident, etc. thrown into the mix.

Truth be told, ever since OS X came out I have gladly contributed a significant portion of my salary to Apple over the years. From a security standpoint, however, Apple has yet to face the same threats that drove Microsoft to develop the Security Development Lifecycle, a process management system created to help grow better software and software engineers. As I discussed in the past, Apple won’t have to face the same sort of threats that are directed at Microsoft until their market share increases. However, I am certain that Apple will step up when and if they begin to experience those issues.

[Source: zdnet]

‘End of life’ beckons for Firefox 2

If you have not yet upgraded to Firefox 3, keep in mind that Mozilla is very close to pulling the plug on support for older versions of the browser.

Support for Firefox 2, which includes security and stability patches, is scheduled to end six months after Firefox 3 shipped (June 17, 2008), which puts the end-of-life date in the mid-December range.


[ SEE: Talking Firefox security with Mozilla’s Window Snyder ]

Mozilla has not yet set a final date for Firefox 2 end-of-life activity, but the open source group has started discussing the “requirements or issues” that would force a deadline extension. The current plan is for the next Firefox 2 patch to be the final update of that version.

According to Mozilla’s Mike Beltzner, only about one-third of Firefox users are running older versions of the browser.

  • Presently 2/3rds of our users are using Firefox 3, with more than 50% accepting the first major upgrade offer back in late August. We’re looking through Hendrix and other sources to understand why people didn’t want to upgrade and ensure that those bugs have been fixed.

Firefox 3 is considered a major security improvement over Firefox 2 because of the addition of an anti-malware blocker and improved Web forgery warnings.

[Source: zdnet]