English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
0.1
 

S. Korean handlers are slow to take down the publicly distributed malicious code exploiting CVE-2012-0003, a vulnerability patched in Microsoft's January 2012 patch release MS12-004. We have discussed with reporters that the code has been available since the 21st, and a site appears to have been publicly attacking very low numbers of Korean users over the past day or so. The site remains up at this time.

0.5
 

Microsoft finishes out this year of patching with a heavy release that's all over place. While techs were notified of an anticipated 14 bulletins, 13 were released for the month of December. Headline grabbing events and code are addressed in one of them, and while fewer are labelled "Critical", are they any less important?

Many speculative bits have been spilled on the group behind Stuxnet and its precursor Duqu, with our own researchers posting at least a half dozen Securelist writeups on Duqu findings alone. MS11-087 patches up the delivery vector for Duqu itself. This kernel mode vulnerability was publicly identified and confirmed at the beginning of November, but could well have been used quietly in attacks around the world for a year or more.

0.3
 

The SSL PKI has been in use and implemented for 15 years now to secure online communications. From its initial proprosals and immediate growth, the need for secured online communications has been met with challenges. The infrastructure and protocol itself is showing signs of wear, with multiple attacks and corrections to the scheme itself. And in its 15th year, an alternative to the Cerificate Authority infrastructure is finally being given some competition with the release and debate around Convergence, an open source alternative to the current system of Certificate Authorities. Feel free to right click and download for the full sized version; the graphic below provides a list of some of the major events for SSL/TLS PKI in the past 15 years.

SSL and a Search for Authenticity Infographic

Comment      Link
0.4
 

With headlines like "New cyber threat compromises financial information - Experts say new threat could affect millions of sites", you would think that the trust model of the internet is finally crumbled.

Following an hour long Friday evening wait for the demo, the Ekoparty demo for the SSL hack was staged. And it was interesting that the attack succeeded in cracking the SSL confidentiality model as implemented by the Mozilla Firefox browser when communicating with paypal.com web servers over https. At the same time, it seemed to be an impractical exploit targeting a weakness that was fixed three months ago in Chromium source code.

Also of note, is the fact that the attack has been well known for almost 10 years, it's just that there hasn't been a practical exploit implementing the attack. And that they refined their blockwise attack model far better than previous chosen-plaintext attack models, making it more effective than prior attacks.

So there seems to be another good security reason to use Google's Chrome browser, for those of you highly sensitive to security issues. Also interesting were some of the tricks they used to make it work. While they couldn't get it to work in pure javascript or flash, they implemented the exploit in a Java applet and attacked the stream between Firefox and https://paypal.com. The "tricks" they used to bypass "Same Origin Policy" with Java were surprising, and they came up with the entire stolen session cookie with which to log in to paypal.com as the victim over http in under three minutes. While I am sure that the other browser vendors will update their CBC encryption routines to better randomize their IV and overcome this attack as suggested almost ten years ago, one could use Chrome and maintain secure communications in regards to this exploit. To me, this exploit is a low risk one because of its impracticality. Whether they properly disclosed their work to all browser vendors, giving developers plenty of time prior to disclosure remains a question to me, but they did contact at least the Chrome team. Interesting research and impressive effort implementing a difficult to work concept certainly. These guys know crypto and communications technologies. But the sky has not fallen. Yet.

For related technical information, and thoughts from relevant developers and researchers, please check out my "Related Links" list to the right side of the post text. I try to be thorough in my selection.

UPDATE(9/26): Microsoft advises that they are investigating the matter for their Internet Explorer browser customers, stating that the issue is low risk anyways, "Considering the attack scenario, this vulnerability is not considered high risk to customers". Perhaps they were one of the browser vendors that were not contacted about the vulnerability.

Comment      Link
0.2
 

Microsoft released 13 bulletins addressing 22 CVE's in its own software: Microsoft Windows, Office, Internet Explorer, .NET and Visual Studio. We'll be watching for Adobe to coordinate any release of their own updates today.

This month's release of 13 bulletins is a sizable one, following up on Microsoft's four bulletin release last month. Everything from Microsoft operating system kernel and networking components to their Microsoft Internet Explorer web browser and development products are impacted to patch information disclosure, denial of service, memory corruption, and elevation of privilege vulnerabilities.

Of the long list, a few appear to be the most severe. All versions of Microsoft's Internet Explorer across mostly all of the Windows operating system are impacted in serious ways. Remote code execution exploits are possible along with information disclosure and less serious denial of service attacks. Microsoft Excel is effected by the manner in which its Windows Data Access Tracing component loads external libraries. An Excel file could be shared on a WebDAV directory along with a maliciously modified library. When it's opened, the library would load and execute on the system at the same privileges as the user that opened the Excel file. For vulnerabilities like these, we will be monitoring for related exploit inclusion in underground market exploit packs like BlackHole, NeoSploit and Phoenix, which is always a bad thing. Visio is also at risk of remote code execution for a second month in a row as attackers serve up modified Visio files. But we won't see its inclusion in the packs because of its low install base numbers.

Four of these Microsoft Security Bulletins patch vulnerabilities that may lead to severe problems like remote code execution, which are often included as a part of client-side drive-by attacks in exploit packs. But this month one of the more interesting vulnerabilities is server-side and may lead to remote code execution on Microsoft DNS servers. This one may be timely because of suggestions that the ongoing progress to DNSSEC implementation will alleviate the problems that the PKI infrastructure has seen related in certificate authorities, a huge subject Moxie Marlinspike addressed at Blackhat last week.

As always, we recommend patching your systems asap. Cheers to a problem free patch Tuesday!

Comment      Link
0.3
 

This month's patch Tuesday is a sizable one by any standards, following the quiet Tuesday that my colleague Roel Schouwenberg described last month. Microsoft is patching a total of 34 vulnerabilities in 16 bulletins, MS11-038 through MS11-051. At least eight different Microsoft product lines are updated, and Adobe is coordinating release of Reader, Acrobat, Shockwave and Flash updates as well today.

So we are looking at patching the following programs:
Microsoft Windows, Microsoft Office, Internet Explorer, .NET, SQL, Visual Studio, Silverlight, ISA and Adobe Reader, Acrobat, Shockwave and Flash player. More than half of the vulnerabilities being patched exist in the Internet Explorer and Microsoft Excel software components, frequent targets of drive-by and spear phishing attacks.

Most interesting is MS11-050, a single patch that knocks out 11 separate Internet Explorer vulnerabilities, some enabling information disclosure (cookiejacking), memory corruption and remote code execution: CVE-2011-1250, CVE-2011-1251, CVE-2011-1252, CVE-2011-1254, CVE-2011-1255, CVE-2011-1256, CVE-2011-1260, CVE-2011-1261, CVE-2011-1262. The additional VML patch MS11-052 knocks out another Internet Explorer vulnerability, CVE-2011-1266.

Microsoft already pointed out that the Internet Explorer patch addressing "cookiejacking" is not a particularly high risk issue because it is relatively unknown to them as an attack vector, and because there are more substantial social engineering techniques. While those points may be true, now that the techniques are more widely discussed, the risk of them being abused by more attackers goes up as well.

Eight different privately reported vulnerabilities are being patched in Microsoft Excel alone by MS11-045, each of which allow for remote code execution. We are still reviewing why the patch is rated "important" and not critical for the various Excel versions.

The patches that stand out result in remote code execution within Internet Explorer, Office and Silverlight. The recent history of attacks on consumer and corporate users, including the many successful spear phishing and APT attacks should help increase the urgency of these patches.

On the server side in the cloud, Microsoft is patching a vulnerability that could be abused in a DoS attack that could only be staged from within the cloud. MS11-047 is rated an "Important" patch for Windows 2008 versions, correcting a flaw in Hyper-V where a guest could send a malformed packet to the VMBus and result in denial of service on the server. MS11-039 is the Silverlight patch that could not only be used in a remote code execution attack on the client side, but also can be used to remotely run arbitrary code on vulnerable IIS web servers.

At least eight of the nine patches rated "Critical" requires a restart, be prepared for this interruption. We recommend applying all of this month's released patches asap.

Comment      Link
0.3
 

The Democratic Party of Hong Kong's website was compromised and malware uploaded to the web server. Interestingly, the server was distributing malicious flash and spyware nearly identical to the compromised UK Amnesty International servers at the beginning of this month. The server is being cleaned up.

The english version of the website did not include injected iframe links pointing to the exploit.html page, which in turn delivers three different version-appropriate malicious variants of flash detected by Kaspersky as "Exploit.SWF.CVE-2011-0611". The malicious flash was 0day at the beginning of this month, and will be effective on unpatched systems.

0.1
 

Instantly this news became  very fruitful  for all kinds of cybercriminals. Here is  some of the proof we found:

1) SEO optimized Google image searches leading to a malicious site with the exploit for the “Help Center URL Validation Vulnerability”. The exploit drops into the system a malicious executable file which is a password stealer malware. 

At the moment we found it, Kaspersky Anti-Virus detected the sample as Heur.Trojan.Win32 .  Meanwhile the Jotti multiscanner results were 1/20

The exploit also works with Opera and Firefox browsers by dropping into the system a malicious PDF file:

2) SEO optimized for all non-Russian Google searchers leading to Rogue AVs, in particular to “XP Anti-Virus 2011” which  actually  is quite  aggressive in blocking Internet access and extorting money for the activation

(Note: the third option anyway doesn’t allow browsing)

The infection scheme is quiet simple: a victim looks for pictures with the topic “Royal Wedding” and when the click comes with a Google reference a special malicious script redirects the victim to a malicious .cc domain with a classic Fake AV window.

3) Scams related to a fake Satellite TV where a victim should pay for the fake service. And of course, the credit card is being stolen once the payment is accepted.

4) Spam on Twitter just abusing TT and leading to misc. junk content sites

We highly recommend using the latest patched Browser with a plugin like NoScript, don’t click on any unknown link, and keep your AV updated and real-time protection working.

Comment      Link
0
 

News has spread pretty quickly about the latest IE 0-day exploit. Unfortunately, in trying to publicize the quality of his employer’s product in relation to this new exploit, according to Ryan Naraine, a researcher at McAfee inadvertently divulged too much information about the vulnerability leading to some unintended consequences.

The consequences were - the prompt creation of a PoC Metasploit module for the vulnerability, turning what was once an exploit used in targeted attacks into a potentially widespread issue for users IE 6 and 7.

What exactly was divulged? Well, I was curious too, as I frequently am faced with what information I should or should not mention. It turns out that all that was divulged was a list of file names involved with the exploit and malware dropped by the exploit, and the domain name that the malware connected to.

It seems pretty reasonable to list that information in a blog post, right? Surely someone writing IDS signatures would find the URL used by the malware useful, and other anti-virus researchers might gain benefit from knowing the file names associated with the attack.

This leads to the question then, exactly what can be safely disclosed? Should nothing be disclosed? As a technical individual I get frustrated when an author redacts all important information in regards to indentifying a threat; the McAfee researcher was obviously trying to keep people like myself interested.

My suggestion for researchers writing about live threats is simple. If the domain(s) hosting un-patched exploits are still active, don’t post the URL or filenames associated with the exploit: frequently Google will happily locate the page for you.

Does this mean researchers shouldn't share key information about live threats? Of course not, we do it all the time. But not in public - there are plenty of secure methods for sharing details about live threats.

Comment      Link

News|Patch now: MS10-002

Costin Raiu
Kaspersky Lab Expert
Posted January 22, 12:00  GMT
Tags: Microsoft Internet Explorer
0.1
 

Earlier today, Microsoft released the out-of-band (OOB) Microsoft Security Bulletin MS10-002 (rated “Critical”) to the public. The cumulative Security Update for Internet Explorer 978207 fixes a couple of serious issues which allow remote code execution through malicious HTML pages, vulnerabilities that are now known to have been used in the Google/Adobe hack.

The bulletin is available here:

http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

To patch, just use Windows Update.

In addition to that, Microsoft created a tool which will opt-in Internet Explorer to Data Execution Prevention (DEP), if your processor has this feature and the operating system is aware of it. DEP is a wonderful technology which makes it much harder for hackers to exploit vulnerabilities such as this one. We recommend that you check it out at:

http://support.microsoft.com/kb/978207

As usual, there are a few other fine alternatives to IE out there that you might want to try. I recommend Chrome (http://www.google.com/chrome), Firefox (http://www.getfirefox.com/) and Opera (http://www.opera.com/download/).

Comment      Link