CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Software’ Category

Critical Flaws Patched In Opera 9.61, New Zero-day Vulnerability Remains Unpatched

Thursday, October 23rd, 2008

Opera 9.61 corrects an issue in which History Search could be used to reveal browser history (rated extremely severe). Also fixed: a Fast Forward bug that allows cross-site scripting (highly severe) and an information disclosure flaw in news feeds (also highly severe). On the same day Opera shipped this browser update with patches for these three separate security vulnerabilities, hackers were already discussing a new zero-day flaw that exposes Windows users to remote code execution attacks.

A public discussion on the Full Disclosure mailing list exposed a zero-day vulnerability that could lead to cross-site scripting and even remote code execution attacks. The discussion began with a Roberto Suggi advisory on the History Search bug fixed in Opera 9.61 but quickly expanded to raise the possibility of code execution attacks.

Within hours, researcher Aviv Raff found a way to execute code remotely and released a harmless proof-of-concept exploit that launches the Windows calculator. A separate exploit now exists that launches harmful code remotely against fully patched versions of the Opera browser.

Until Opera can fix this new issue, users are strongly urged to consider a different browser or avoid clicking on links on untrusted Web pages.

MSN Messenger Used As Lure In Another Malicious Spam Wave

Saturday, October 18th, 2008

Websense Labs are reporting a new malicious spam lure that uses the threat of a virus to encourage users to download a malicious Trojan. The email explains that by downloading the application linked within the email, users can protect themselves against a virus that spams messages to a user’s contacts. The email offers an update to Live Messenger Plus which is actually a Trojan (md5: 5F1D2521F6949F8B71B9FF93C17A8BE2). Current antivirus detection rate is low.

The URLs provided in the email redirect the user to a two-stage downloader named dsc.scr. As a distraction for the user, a dialog box is displayed explaining that the user will be redirected to msn.com.br. A browser then opens pointing to this site. The downloader first contacts http://*******.com/games_06.jpg, and then http://*******.com/games_04.jpg, adding the two files to the root of C: drive.

A scheduled task is then created, and modifications are made to autoexec.bat to disable GBPlugin and other tools promoted by Brazilian banks to protect against such keyloggers and other malware. The malware then goes on to conduct information-stealing activities.
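As an added example, not part of the Websense write-up or this article, the following Python script turns the indicators above into a host-triage check: it hashes the files directly under a drive root against the MD5 quoted above and flags autoexec.bat lines that reference GBPlugin. The stand-in directory it creates, the placeholder file contents and the tamper line are constructed for the demo; in production the indicator set would be just the article's hash.

```python
# Added example: host triage for the indicators described in the text.
# The MD5 is the one quoted above; everything the script creates on disk
# is a constructed stand-in, not a real sample.
import hashlib
import os
import tempfile

# Indicator from the Websense report (lower-cased for comparison).
TROJAN_MD5 = "5f1d2521f6949f8b71b9ff93c17a8be2"

# Bank-protection tool the Trojan disables via autoexec.bat, per the text.
PROTECTED_TOOL = "gbplugin"


def md5_of(path):
    """Lowercase hex MD5 of a file, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_known_bad(root, bad_hashes):
    """Files directly under `root` whose MD5 is in `bad_hashes`.

    The dropper writes to the root of C:, so only that level is scanned."""
    bad = {h.lower() for h in bad_hashes}
    hits = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path) and md5_of(path) in bad:
            hits.append(path)
    return hits


def suspicious_autoexec_lines(text):
    """(line_no, line) pairs from autoexec.bat that mention the protected tool.

    A legitimate autoexec.bat has no reason to touch a bank's plugin, so any
    reference is worth a look."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if PROTECTED_TOOL in line.lower()]


def triage(root, bad_hashes):
    """Run both checks against a drive root and return the findings."""
    autoexec = os.path.join(root, "autoexec.bat")
    tamper = []
    if os.path.isfile(autoexec):
        with open(autoexec, encoding="utf-8", errors="replace") as f:
            tamper = suspicious_autoexec_lines(f.read())
    return {"known_bad_files": find_known_bad(root, bad_hashes),
            "autoexec_tamper": tamper}


def build_demo_root():
    """Constructed stand-in for C:\\ : a harmless planted file reusing one of
    the file names from the report, plus a tampered autoexec.bat."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    with open(os.path.join(root, "games_06.jpg"), "wb") as f:
        f.write(b"constructed placeholder, not malware\n")
    with open(os.path.join(root, "autoexec.bat"), "w") as f:
        f.write("@ECHO OFF\n"
                "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
                "REM constructed tamper line below, not from a real sample\n"
                "DEL C:\\GBPLUGIN\\*.*\n")
    return root


def run_demo(include_planted=True):
    """Triage the constructed root. With include_planted the planted file's
    own hash joins the indicator set so the match path is exercised without
    shipping real malware; without it only the article's hash is used."""
    root = build_demo_root()
    bad = {TROJAN_MD5}
    if include_planted:
        bad.add(md5_of(os.path.join(root, "games_06.jpg")))
    return triage(root, bad)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash check only matches the exact dropper; the autoexec.bat check is the more durable of the two, because any variant that wants the bank plugin gone has to name it somewhere.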

Microsoft’s October 2008 Update Plugs Critical Vulnerabilities In IE, Office And Windows

Wednesday, October 15th, 2008

On Tuesday Microsoft issued updates for at least 20 security holes in Windows, Internet Explorer, Office, and other products. Among the critical vulnerabilities were several in version 6 of the Internet Explorer browser when running on Windows 2000 and Windows XP. The vulnerabilities could allow attackers to remotely install malware on a machine with no interaction required from the user, or to intercept transferred data. IE 7 and IE 6 running on Vista are also vulnerable, but to a lesser degree, Microsoft said.

Another batch of vulnerabilities affects the Excel spreadsheet program in Microsoft Office. The remote code execution bug is rated critical for users of Office 2003 and important for more recent versions. Another critical update sets IE killbits for vulnerable third-party ActiveX controls.

The list of updates includes:

MS08-056 - Cross-site scripting (XSS) in the way Office XP SP3 handles the dialog window for content-disposition:download and the cdo: protocol.

MS08-057 - Multiple vulnerabilities in Excel lead to arbitrary code execution. This also affects SharePoint Server. Replaces MS08-043.

MS08-058 - Multiple vulnerabilities in MSIE lead to arbitrary code execution and/or information leaks. Replaces MS08-045.

MS08-059 - RPC requests can bypass authentication and lead to arbitrary code execution.

MS08-060 - A buffer overflow in the LDAP services allows arbitrary code execution. LDAP over SSL is also affected. Replaces MS08-035.

MS08-061 - Multiple vulnerabilities in the Windows kernel allow privilege escalation. Replaces MS08-025.

MS08-062 - An integer overflow in IPP allows arbitrary code execution by authenticated users in Windows Internet Printing (IIS).

MS08-063 - Crafted filenames lead to arbitrary code execution in the SMB protocol. Replaces MS06-063.

MS08-064 - An integer overflow allows privilege escalation. Replaces MS07-066, MS07-022 and Advisory 932596.

MS08-065 - An input validation failure in an RPC of MSMQ allows arbitrary code execution in Windows 2000 Message Queuing.

MS08-066 - An input validation failure allows privilege escalation in the Windows Ancillary Function Driver.

Advisory 956391 - Killbits for third-party (Microgaming, System Requirements Lab, PhotostockPro) as well as Microsoft ActiveX controls mentioned in MS02-044, MS08-017, MS08-041 and MS08-052.

This was the first Patch Tuesday on which Microsoft offered additional information about the likelihood of vulnerabilities actually being exploited. The company said that exploit code for a bug in the Windows Internet Printing service is already circulating. In all, eight vulnerabilities carried a warning that “consistent exploit code” was likely.

The updates came as miscreants started another spam wave purporting to offer a new “experimental private version of an update for all Microsoft Windows OS users.” It attempted to trick people into clicking on a program that installs a Trojan known as Win32/Haxdoor, which logs passwords and other sensitive information typed on a PC and sends this data back to the attackers.

Users are advised to read the overview of the October 2008 Microsoft patches and update as soon as possible.

Adobe Fixes Clickjacking Vulnerability In Flash Player 10

Wednesday, October 15th, 2008

Adobe has released Flash Player 10 with numerous major security improvements, including patches and mitigation for at least five serious security vulnerabilities. According to Adobe, the vulnerabilities covered with Flash Player 10 could allow an attacker to bypass the software’s security controls.

Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits them to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform. Because these security enhancements and changes may affect existing content, customers are advised to review the Adobe Developer Center article to determine whether their content will be affected, and to begin implementing necessary changes immediately to help ensure a seamless transition.

The fix also takes care of the clickjacking threat and clipboard hijack attacks. A patch for Flash Player 9, which is vulnerable to these attack scenarios, is not yet available; it is currently scheduled for early November.

A second “critical” bulletin was also released for Flash CS3 Professional to cover a code execution vulnerability. An attacker would need to convince a user to open a malicious SWF file to successfully exploit the issues. Adobe recommends that developers exercise caution when receiving unsolicited or suspicious SWF files. These issues do not affect Flash CS4 Professional or the Mac version of Flash CS3 Professional.

The new version can be downloaded from the Adobe Download Center.

Tests Expose Internet Security Suites Failures To Protect Against Exploits

Monday, October 13th, 2008

Danish security notification firm Secunia is urging security suites vendors to rethink how their products are designed, moving away from “ineffective signature-based detection” to a smarter form of defense. According to Secunia, internet security suites do little to protect users against online exploits.

Secunia tested 12 suites (which include firewall, anti-malware and anti-spam functions) against a range of 300 exploits targeting vulnerabilities in various high-profile programs. Even though it blocked only 64 out of 300 exploits, Symantec’s Norton Internet Security 2009 came out best from the test, detecting almost ten times more exploits than its nearest competitor. Security suites from the likes of Kaspersky, Check Point, Microsoft, AVG and McAfee all failed this test.

Security product bundles are marketed as comprehensive Internet Security Suites, leaving the impression that the user is fully protected against internet threats. Secunia’s tests suggest the products fail to do what they say on the tin. Symantec has recently begun introducing behavior-based detection, which helps to explain why its software did the best of a bad bunch.

Thomas Kristensen, chief technology officer at Secunia, said that the shortcomings of security suites combined with the fact users rarely keep systems fully patched made a recipe for trouble. “While we did suspect that the popular security vendors would score quite poorly in detecting exploits, the extremely low detection rate took us by surprise and this really begs the question: Does the customer get their money’s worth?”

Computer users therefore need to keep up to date with patches in order to have any hope of withstanding hacking attacks. Secunia’s free Personal Software Inspector (PSI) and the similar functionality within Kaspersky Internet Security 2009 make it easier to keep up to date with patching.

Graham Cluley, senior technology consultant at Sophos, which focuses on the corporate market and did not take part in the tests, agreed that applying patches was important. “There’s no such thing as a perfect security suite, but security software reduces threats and people shouldn’t come away from these tests with the conclusion that these products are ineffective.”

Secunia said its tests illustrated the shortcomings of signature-based security suites. Generic detection of exploits would be a better approach because what triggers a vulnerability (unlike the payload of an attack) doesn’t alter, Kristensen pointed out.

An anti-virus expert whose firm’s products were not involved in the tests said Secunia’s approach tested only one aspect of how security suites protect consumers, and was therefore potentially misleading.

New Tool For Graphics Cards Threatens Wireless Network Encryption

Friday, October 10th, 2008

Russian firm ElcomSoft has applied GPU acceleration technology to a new password recovery tool that allows PCs or servers running supported NVIDIA video cards to break Wi-Fi encryption up to 100 times faster than by using conventional microprocessors. Wi-Fi key recovery is sped up by a factor of 10 to 15 when Elcomsoft Distributed Password Recovery is used on a regular laptop featuring NVIDIA GeForce 8800M or 9800M series GPUs. Running the same software on a desktop with two or more NVIDIA GTX 280 boards installed increases this figure to a factor of 100.

The latest graphics cards have been used to break Wi-Fi encryption far quicker than was previously possible. Some security consultants are already suggesting the development blows Wi-Fi security out of the water and that corporations ought to apply tighter VPN controls, or abandon wireless networks altogether, in response.

The software needs to intercept only a few packets in order to perform a brute force attack, where a huge number of possible passwords are tried in an attempt to stumble upon the correct code. ElcomSoft positions the tool as a means of auditing corporate Wi-Fi networks for inappropriately weak passwords.

The previous generation of wireless encryption, WEP, was vulnerable to brute force attacks for years. The infamous compromise of TJX, which resulted in the compromise of at least 45.7m credit card records, has been traced back to a hack of a weakly secured retail network with older point of sale terminals running WEP. Elcomsoft now makes WPA and WPA2 encryption open to attack. In fact, the software is specifically designed to support “password recovery” on Wi-Fi networks running either WPA or the newer WPA2 encryption.
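To make concrete what the tool is speeding up, here is an added Python example that is neither ElcomSoft's code nor anything from the article. It implements the passphrase-to-key step of WPA/WPA2-PSK as specified in IEEE 802.11i (which is why a captured handshake is enough to check guesses offline) and a back-of-envelope cost model for exhausting a passphrase space at the speed-up factors the article quotes. The guesses-per-second figure in the demo is a constructed illustration, not a measurement.

```python
# Added example (not ElcomSoft's code or anything from the article): the
# passphrase-to-key step of WPA/WPA2-PSK as specified in IEEE 802.11i, and a
# back-of-envelope cost model for guessing at the speed-ups the text quotes.
import hashlib

WPA_PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_BYTES = 32                 # 256-bit pairwise master key


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    Every candidate passphrase an offline guesser tries must go through this
    derivation, and because 32 bytes is two SHA-1 output blocks the cost is
    2 * 4096 HMAC-SHA1 computations per guess. That per-guess cost is what
    GPU parallelism attacks; the handshake captured from "a few packets" only
    supplies the material needed to verify each candidate."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"),
                               WPA_PBKDF2_ITERATIONS, PMK_BYTES)


def keyspace(charset_size, length):
    """Number of passphrases of exactly `length` characters from the charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every passphrase of one length."""
    return keyspace(charset_size, length) / guesses_per_second


def format_duration(seconds):
    """Human-readable duration, largest unit first (years of 365 days)."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def exhaust_table(charset_size, lengths, cpu_rate, factors=(1, 15, 100)):
    """Seconds to exhaust each length at cpu_rate guesses/s, scaled by the
    speed-up factors the article quotes (1 = CPU only, 15 = laptop GPU,
    100 = desktop with several GTX 280 boards). Returns {(factor, len): s}."""
    return {(f, n): seconds_to_exhaust(charset_size, n, cpu_rate * f)
            for f in factors for n in lengths}


if __name__ == "__main__":
    # Known-answer test vector from IEEE 802.11i Annex H.
    print(wpa_pmk("password", "IEEE").hex())

    # cpu_rate is a constructed figure, not a measurement: the point is the
    # relative effect of the speed-up factors and of passphrase length.
    table = exhaust_table(26, (8, 10, 12), cpu_rate=500.0)
    for (factor, length), secs in sorted(table.items()):
        print(f"{factor:>4}x  {length:>2} lowercase chars  {format_duration(secs)}")
```

The table makes the defender's lever obvious: a 100x faster guesser is cancelled by less than two extra characters of a lowercase-only passphrase (26^2 = 676), and a long random passphrase or a non-PSK deployment (802.1X/EAP) takes the offline attack off the table entirely.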

The power of graphics chips, normally used as 3D graphic accelerators for games, can also be applied for a variety of other password-breaking uses beyond uncovering WiFi passwords. Elcomsoft Distributed Password Recovery can also be used to recover Windows startup passwords, crack MD5 hashes, and unlock password-protected documents created by Microsoft Office or PDF files created by Adobe Acrobat. The firm is also marketing its technology to forensic and government agencies, as well as data and password recovery services.

Although government agencies have probably applied similar approaches for some time, programming FPGAs is a tricky process that involves getting to grips with a specialist hardware programming language. Elcomsoft’s approach, by contrast, relies on off-the-shelf software and readily available components.

Security consultancy Global Secure Systems said that the development means Wi-Fi networks - even those running the latest encryption algorithm - can no longer be considered secure, and that this breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms its observations that firms can no longer rely on standards-based security to protect their data. As a result, users of Wi-Fi might have to move to a VPN encryption system.

Brute force decryption of the WPA and WPA2 systems using parallel processing has been a theoretical possibility for some time, but the use of the latest NVIDIA cards to speed up decryption on a standard PC is worrying. The development could spur a step back from wireless to wired network connections in sensitive installations, such as financial services organizations that are particularly concerned about data privacy.

40 Security Flaws Fixed In Mac OS X Security Update 2008-007

Thursday, October 9th, 2008

Apple has released another pack of patches that covers a total of 40 documented vulnerabilities affecting Mac OS X. Security Update 2008-007, available for Tiger and Leopard, covers a range of third-party components and Mac OS X flaws that could put users at risk of remote code execution attacks.

The more serious vulnerabilities include:

Apache: (CVE-2007-6420, CVE-2008-1678, CVE-2008-2364) Apache is updated to version 2.2.9 to address several vulnerabilities, the most serious of which may lead to cross site request forgery. Note: Apache version 2 is bundled with Mac OS X Server v10.4.x systems, but is not active by default.

ClamAV: (CVE-2008-1389, CVE-2008-3912, CVE-2008-3913, CVE-2008-3914) Multiple vulnerabilities exist in ClamAV 0.93.3, the most serious of which may lead to arbitrary code execution.

ColorSync (CVE-2008-3642) A buffer overflow exists in the handling of images with an embedded ICC profile. Opening a maliciously crafted image with an embedded ICC profile may lead to an unexpected application termination or arbitrary code execution.

CUPS (CVE-2008-3641) A range checking issue exists in the Hewlett-Packard Graphics Language (HPGL) filter, which may cause arbitrary memory to be overwritten with controlled data. If Printer Sharing is enabled, a remote attacker may be able to cause arbitrary code execution with the privileges of the ‘lp’ user. If Printer Sharing is not enabled, a local user may be able to obtain elevated privileges.

libxslt (CVE-2008-1767) A heap buffer overflow issue exists in the libxslt library. Viewing a maliciously crafted HTML page may lead to an unexpected application termination or arbitrary code execution.

MySQL Server (CVE-2007-2691, CVE-2007-5969, CVE-2008-0226, CVE-2008-0227, CVE-2008-2079) MySQL is updated to version 5.0.67 to address several vulnerabilities, the most serious of which may lead to arbitrary code execution.

PHP (CVE-2007-4850, CVE-2008-0674, CVE-2008-2371) PHP is updated to version 4.4.9 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution.

PSNormalizer (CVE-2008-3647) A buffer overflow exists in PSNormalizer’s handling of the bounding box comment in PostScript files. Viewing a maliciously crafted PostScript file may lead to an unexpected application termination or arbitrary code execution.

QuickLook (CVE-2008-4211) A signedness issue in QuickLook’s handling of columns in Microsoft Excel files may result in an out-of-bounds memory access. Downloading or viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution.

Security Update 2008-007 can be downloaded and installed via Software Update preferences, or from Apple Downloads.

Fake YouTube Pages Getting Popular, New Tool Released Allows Fake Pages Creation In Seconds

Thursday, October 9th, 2008

TrendLabs report a new hacking tool circulating on the Internet that allows malicious users to create fake YouTube pages designed to deliver malware. The tool, detected by Trend Micro as HKTL_FAKEYOUT, features a user-friendly Spanish-language console that a “hacker” can use to create a pair of Web pages that look identical to legitimate YouTube pages.

This YouTube malware tool is also being updated by its author. A recent change modified its graphical user interface (GUI).

The new version, with the file name YouTube Fake Creator v1.2 Fixed.exe is also detected by Trend Micro as HKTL_FAKEYOUT.

With basic social engineering, unsuspecting users may be led to the first of the fake pages, INDEX.HTML. Here, users are told that they cannot view their video because they need a new version of Adobe Flash Player or some plugin or codec. A link is conveniently provided, and clicking it leads users to the hacker’s file of choice, which will most likely be some kind of malware or data-stealing Trojan. The tool also generates a sample error page.

A second fake page informing users that the video they were trying to view cannot be shown is then displayed. This is to make users think that nothing has really happened, when in fact by downloading the plugin, malware may already be running on their systems.

This tool is a dangerous addition to script kiddies’ arsenal, as they can now run their malware and hacking operations much more efficiently. Users are advised to always check the URLs of pages they are viewing. Product updates should also be downloaded from the vendors themselves to ensure that they are legitimate and not malicious.

Fake codecs remain popular masks for malware. The popularity of YouTube also makes it a preferred target for malware distributors who want to infect more users.

PC Webcams Might Be Abused Through Clickjacking To Silently Spy On Users

Tuesday, October 7th, 2008

An Israeli security researcher has released a demo of a “clickjacking” attack, using a JavaScript game to turn every browser into a surveillance zombie. The proof-of-concept game uses a PC’s video cam and microphone to secretly spy on the player.

The release of the demo follows last month’s partial disclosure of the cross-platform attack, which affects all the major desktop platforms: Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The proof of concept used Flash, but the author went on to say that the same thing could have been achieved using Java, Silverlight, or DHTML (Dynamic HTML).

The demo appears to be a simple game that tests how quickly a user can click on a series of moving targets. Behind the scenes, it combines a generic clickjacking attack with weaknesses in Adobe’s Flash technology to record the player using the PC’s video camera and microphone. Some of the clicks are real game clicks; others are hijacked. Whenever a click needs to be hijacked, the game content is simply moved behind the iframe using z-index, so the click lands on the hidden frame instead.

The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he’s clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner ad that’s part of a click-fraud scheme, or any other destination the attacker chooses.

Another security researcher, Aviv Raff, has also built a proof-of-concept exploit that uses a hidden iframe to hijack clicks and snag Twitter followers. Raff’s demo invisibly overlays a blank page over the Twitter site and places the “Click Me!” button on the spot where Twitter’s “Follow” icon is displayed. If the target is logged into Twitter, the click on Raff’s demo is actually executed on Twitter’s site.

The idea behind these clickjacking demos can easily be exploited to make drive-by malware downloads using social engineering techniques easier to launch. The ways this can be abused include government spying, corporate espionage, cyber stalking, click fraud, and much more. Turning off the webcam may limit the damage, but it doesn’t remove the underlying threat.

Until the affected vendors come up with adequate patches or mitigations, users might want to move to Firefox with NoScript to get some level of protection. Adobe recently issued an advisory giving step-by-step instructions for working around the threat while a fix is pending. The company also said it expected to patch the vulnerability by the end of October. So far, the makers of Internet Explorer, Firefox, Java, Safari, Silverlight and other programs vulnerable to clickjacking have not offered any patches.
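The browser-side mitigations above are the only ones the article could offer at the time; the durable fix is for the framed site itself to refuse framing. As an added example that is not from the article or the researchers it cites, the following Python script audits a captured HTTP response for the two framing controls that later became standard (X-Frame-Options, introduced with IE8 in 2009, and the CSP frame-ancestors directive, which overrides it when both are present). The sample responses are constructed.

```python
# Added example (not from the article or the researchers it cites): an audit
# of the framing controls in an HTTP response, the server-side answer to
# clickjacking. Both controls postdate this 2008 article and the responses
# below are constructed samples.


def parse_headers(raw):
    """Parse the head of a raw HTTP response into {lowercase-name: [values]}.

    Parsing stops at the first blank line so the body is never touched.
    Repeated headers are kept as separate values because duplicates matter
    for the verdict."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                     # skip the status line
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(csp_value):
    """Source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_verdict(headers):
    """Classify as ('protected' | 'exposed' | 'review', reason).

    When a CSP frame-ancestors directive is present browsers ignore
    X-Frame-Options, so CSP is checked first."""
    for csp in headers.get("content-security-policy", []):
        sources = frame_ancestors(csp)
        if sources is not None:
            if "*" in sources:
                return "exposed", "CSP frame-ancestors allows any origin"
            return "protected", "CSP frame-ancestors " + " ".join(sources)

    # A comma-separated list in one header counts as several values.
    xfo = [v.strip().upper()
           for raw in headers.get("x-frame-options", [])
           for v in raw.split(",")]
    if len(xfo) == 1 and xfo[0] in ("DENY", "SAMEORIGIN"):
        return "protected", "X-Frame-Options " + xfo[0]
    if len(xfo) > 1:
        return "review", "conflicting X-Frame-Options values; browsers differ"
    if xfo and xfo[0].startswith("ALLOW-FROM"):
        return "review", "X-Frame-Options ALLOW-FROM is not honoured by every browser"
    if xfo:
        return "exposed", "unrecognised X-Frame-Options value " + xfo[0]
    return "exposed", "no framing control header; page can be loaded in a hostile iframe"


def audit(raw_response):
    """Verdict for one raw HTTP response string."""
    return framing_verdict(parse_headers(raw_response))


# Constructed sample responses.
SAMPLES = {
    "bare": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...",
    "xfo": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>...",
    "csp": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
           "frame-ancestors 'none'\r\n\r\n<html>...",
    "csp_overrides_xfo": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                         "Content-Security-Policy: frame-ancestors *\r\n\r\n<html>...",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict, reason = audit(raw)
        print(f"{name:<18} {verdict:<10} {reason}")
```

The last sample is the trap worth remembering: a DENY header gives no protection once a permissive frame-ancestors directive is present, because the CSP directive wins.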

Gdiplus.dll Vulnerability In WinZip Fixed In Version 11.2 SR-1

Tuesday, September 30th, 2008

WinZip Computing released WinZip 11.2 SR-1 on September 25 as a critical update for all installations of WinZip 11. The release addresses a security vulnerability in one of the modules shipped with WinZip 11. This component is not a WinZip module but a Microsoft module that WinZip Computing shipped for the convenience of its Windows 2000 customers.

Distribution files for WinZip versions 11.1 and 11.2 included an earlier gdiplus.dll which was placed in the WinZip program folder for Windows 2000 systems only. Other operating systems are not affected by these installations. Upgrading to WinZip 11.2 SR-1 or WinZip 12.0 on Windows 2000 systems will replace the earlier gdiplus.dll with a newer version that is not subject to the security vulnerability.

Versions of WinZip prior to 11.0 (10.0 or earlier) are not affected by this security vulnerability. Upgrading to WinZip 11.2 SR-1 (Build 8261) or WinZip 12.0 will remove the earlier gdiplus.dll from the WinZip program folder on Windows XP or Vista systems. On Windows XP or Vista, it is possible to delete the file from the WinZip folder (if it exists).

WinZip 11.2 SR-1 can be downloaded and installed over an existing WinZip 11 installation. To preserve your existing WinZip registration information, do not uninstall your current WinZip 11 before installing this new version.

Users should review the WinZip 11.2 SR-1 release notes and apply any necessary updates to help mitigate the risks.
