English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
0.1
 

The folks at the Microsoft Security Response Center are winding down 2012 with another full release of seven Security Bulletins containing fixes for memory corruption on application, server, and system code along with a Certificate Bypass problem and set of fixes for Oracle Outside In software components. Within the seven Bulletins, they are patching at least 11 vulnerabilities, accurately described in the Advanced notification for this month. The MSRC recommends that their Internet Explorer (MS12-077) and Microsoft Word (MS12-079) updates are addressed asap.

The December 2012 Microsoft Security Bulletin Release fixes a varying array of versions of software and platforms per Bulletin. For consumers, that mostly means ensuring that the Microsoft Update software is enabled, run, and selected patches applied. For the vast majority of Windows customers, this month's release also requires that customers reboot their systems following the updates - the Internet Explorer, the kernel level font parsing updates and the file handling updates all require a reboot and hotpatching is not supported. The lack of hotpatch support means that the fix is not enabled on the system until it is rebooted. For IT folks in large and small organizations, this month's Release also requires some time set aside to understand whether or not your organization is running the versions of software requiring patches and accordingly address your environment.

The Microsoft Internet Explorer code maintains three different use-after-free vulnerabilities that are being patched this month. This "use-after-free" category of bugs is continuing to prove very difficult to stamp out, even in meaty, prevalent attack vectors like Internet Explorer. It was this sort of vulnerability that was abused in the 2010 Aurora cyber-espionage attacks on Google, Adobe, and the long list of other international corporate names that continue to maintain their incidents undisclosed and in the dark. At least one of these Internet Explorer vulnerabilities is likely to have exploit code developed against it.

As a vector of delivery for spearphish attacks, Microsoft Office seems to me to be the most popular target in the second half of the year. CVE-2012-0158 and CVE-2010-3333 continue to be identified in malicious attachments (both malicious Word and Excel files) in targeted attacks across the globe, while Adobe Reader and Flash, which were heavily abused, almost have fallen off the map. I don't know if this coincides with the release and distribution of the newly armored Adobe Reader X software and more sandboxing for Flash, or simply that offensive security investment in late summer had been directed toward producing toolkits that pump out the Office exploits we are seeing now. Either way, be sure to patch this Word flaw CVE-2012-2539 asap.

Follow me on Twitter

Unfortunately, we have seen kernel level exploits bundled into mass-exploitation kits like Blackhole. The Duqu exploit, previously used in very targeted attacks throughout the middle east, is being re-used in this manner. And MS12-078 this month patches kernel mode RCE for OpenType and TrueType font parsing flaws. The recent mass-exploitation activity increases and interest in kernel level font parsing vulnerabilities coincides with the open source github release of Microsoft font fuzzing tools and projects.

More of the Oracle Outside In code is being updated this month with a pile of publicly known critical vulnerabilities being patched much like in August of this year. Critical and Important Microsoft Exchange, DirectPlay, and IPHTTPS components are also being patched this month.

Also following up the annnouncement of the Microsoft software update release, Microsoft announced the availability of security updates for Adobe Flash that effect Internet Explorer users, among others. The flaws include a RCE buffer overflow vulnerability (CVE-2012-5676), RCE integer overflow vulnerability (CVE-2012-5677), and memory corruption vulnerability (CVE-2012-5678). For my production workstations and mobile devices, I've got multiple web browsers, and each one uses a different implementation of Flash. In my case, on my production systems, I visit this page with each browser to determine whether or not I have the lastest version of Flash. Android systems are effected too, and you can find more information at Adobe's APSB12-27. Perhaps we will see a resurgence of Flash exploitation over the next few weeks and into the New Year.

Comment      Link
0.5
 

Several days ago, a number of leaked documents from the “Syrian Ministry of Foreign Affairs” were published on “Par:AnoIA”, a new wikileaks-style site managed by the Anonymous collective.

One of our users notified us of a suspicious document in the archive which is detected by our anti-malware products as Exploit.JS.Pdfka.ffw. He was also kind enough to send us a copy of the e-mail for analysis.

We’ve checked the e-mail, which contains a PDF file with an exploit (CVE-2010-0188, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188), a typical spear-phishing attack:

0.7
 

In our previous blogpost, we discussed the Madi campaign, uncovered through joint research with our partner Seculert.

In this blogpost, we will continue our analysis with information on the Madi infrastructure, communications, data collection, and victims.

The Madi infrastructure performs its surveillance operations and communications with a simple implementation as well. Five command and control (C2) web servers are currently up and running Microsoft IIS v7.0 web server along with exposed Microsoft Terminal service for RDP access, all maintaining identical copies of the custom, C# server manager software. These servers also act as the stolen data drops. The stolen data seems to be poorly organized on the server side, requiring multiple operators to log in and investigate the data per each of the compromised systems that they are managing over time.

The services at these IP addresses have been cycled through by the operators for unknown reasons. There does not appear to be a pattern to which malware reports to which server just yet. According to sinkhole data and other reliable sources, the approximate locations of Madi victims are distributed mainly within the Middle East, but some are scattered lightly throughout the US and EU. It seems that some of the victims are professionals and academia (both students and staff) running laptops infected with the Madi spyware, travelling throughout the world:

Here is an approximate global map representing the approximate location of Madi victims, dependent on GeoIP data. While the overwhelming percentage of Madi victims in the middle east is not best visualized in this graphic, it helps to understand the Madi reach:

0.1
 

The Adobe AIR and Adobe Flash Player Incubator program updated their Flash Platform runtime beta program to version 5, delivered as Flash Player version 11.2.300.130. It includes a "sandboxed" version of the 32-bit Flash Player they are calling "Protected Mode for Mozilla Firefox on Windows 7 and Windows Vista systems". It has been over a year since Adobe discussed the Internet Explorer ActiveX Protected Mode version release on their ASSET blog, and the version running on Google Chrome was sandboxed too.

Adobe is building on the successes that they have seen in their Adobe Reader X software. Its sandbox technology has substantially raised the bar for driving up the costs of "offensive research", resulting in a dearth of Itw exploits on Reader X. As in "none" in 2011. This trend reflects 2011 targeted attack activity that we’ve observed. 2011 APT related attacks nailed outdated versions of Adobe Flash software delivered as "authplay.dll" in Adobe Reader v8.x and v9.x and the general Flash component "NPSWF32.dll" used by older versions of Microsoft Office and other applications. Adobe X just wasn't hit. IE Protected Mode wasn't hit. Chrome sandboxed Flash wasn't hit. If there are incident handlers out there that saw a different story, please let me know.

Publications|The Top 10 Security Stories of 2011

Costin Raiu
Kaspersky Lab Expert
Posted January 04, 09:08  GMT
Tags: Google, Adobe, Microsoft, Apple, RedHat, Comodo, Sony
0.2
 

As we turn the page to 2012, it makes sense to sit back and take a look at what happened during the past twelve months in the IT Security world. If we were to summarize the year in one word, I think it would probably be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to crack into top 10 of security stories of 2011.
Follow me on Twitter
What I was aiming for with this list is to remember the stories that also indicate major trends or the emergence of major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.
0.2
 

Web based threats such as malicious links on social medias, infected websites and malicious ads are terms that we read about quite often. We security experts have for quite some time tried to emphasize the importance of protecting both your website and computer from being infected, since these malicious websites often exploit client vulnerabilities. These vulnerabilities have been one of the major attack vectors for malware writers in recent years, but is it still a problem?

We are constantly seeing new software vulnerabilities , and the bad guys are very quick to developg exploits which are then hosted in their exploit kits. The vulnerabilities themselves are not dangerous unless the attacker is able to exploit them on the victim’s computer. The attackers have therefor developed ways to get victims to visit a website, for example, which then triggers the exploit. Some common ways are through social engineering or infecting a legitimate website with redirection code that points to the exploit kit.

Last month almost all major vendors released critical security updates for their software, such as Adobe, Oracle, Apple, Microsoft and Mozilla. I then started to research the current threat landscape, and focused on Sweden since I am the security researcher for the Nordic region; and after just a few minutes I saw that both Swedish websites and Swedish users were under attack.

In September we saw a 3700% increase in JavaScript-based redirection scripts, specifically Trojan.JS.Redirector.ro. This malicious redirector went from 908th place to 15th place in the list of the most detected malware in Sweden in one month. This code only redirects users to another URL, and I thought it was strange that we did not really see an increase of detected malware in September?

Events|Adobe's cost of popularity

Tim
Kaspersky Lab Expert
Posted September 22, 17:29  GMT
Tags: Adobe
0.4
 

Adobe pushed an emergency update to its ubiquitous Flash player yesterday that closed holes on 6 separate vulnerabilities. Of the 6, 4 were related directly to code execution (CVE-2011-2426, CVE-2011-2427, CVE-2011- 2428, CVE-2011-2430) One revolves around a universal cross-site scripting issue (CVE-2011-2444), and the last vulnerability can lead to information disclosure (CVE-2011-2429).

We recommend that you update all systems immediately. Adobe also states that CVE-2011-2444 relating to cross-site scripting, has reportedly been seen in the wild. The update is available here: UPDATE

0.3
 

In addition to today's Microsoft updates, users of Adobe's Reader and Acrobat software on both Windows and Apple systems need to update their software ASAP. Adobe released Bulletin APSB11-24, addressing at least thirteen memory corruption flaws, and several privilege escalation, logic flaw, and bypass issues.

In today's earlier post about Microsoft's patched vulnerabilities, Excel was highlighted as the target of choice in many targeted attacks. Along those lines, Adobe's Reader and Flash are among the most commonly exploited software applications that are attacked by professional attackers.

0.1
 

In this special edition Ryan Naraine joins David Lenoe, Head of the Product Security Incident Response Team, Adobe, in a discussion about how Adobe is responding to attacks against zero-day vulnerabilities in PDF Reader and Flash Player.

Comment      Link
0.2
 

Microsoft released 13 bulletins addressing 22 CVE's in its own software: Microsoft Windows, Office, Internet Explorer, .NET and Visual Studio. We'll be watching for Adobe to coordinate any release of their own updates today.

This month's release of 13 bulletins is a sizable one, following up on Microsoft's four bulletin release last month. Everything from Microsoft operating system kernel and networking components to their Microsoft Internet Explorer web browser and development products are impacted to patch information disclosure, denial of service, memory corruption, and elevation of privilege vulnerabilities.

Of the long list, a few appear to be the most severe. All versions of Microsoft's Internet Explorer across mostly all of the Windows operating system are impacted in serious ways. Remote code execution exploits are possible along with information disclosure and less serious denial of service attacks. Microsoft Excel is effected by the manner in which its Windows Data Access Tracing component loads external libraries. An Excel file could be shared on a WebDAV directory along with a maliciously modified library. When it's opened, the library would load and execute on the system at the same privileges as the user that opened the Excel file. For vulnerabilities like these, we will be monitoring for related exploit inclusion in underground market exploit packs like BlackHole, NeoSploit and Phoenix, which is always a bad thing. Visio is also at risk of remote code execution for a second month in a row as attackers serve up modified Visio files. But we won't see its inclusion in the packs because of its low install base numbers.

Four of these Microsoft Security Bulletins patch vulnerabilities that may lead to severe problems like remote code execution, which are often included as a part of client-side drive-by attacks in exploit packs. But this month one of the more interesting vulnerabilities is server-side and may lead to remote code execution on Microsoft DNS servers. This one may be timely because of suggestions that the ongoing progress to DNSSEC implementation will alleviate the problems that the PKI infrastructure has seen related in certificate authorities, a huge subject Moxie Marlinspike addressed at Blackhat last week.

As always, we recommend patching your systems asap. Cheers to a problem free patch Tuesday!

Comment      Link