CyberInsecure.com

Archive for the ‘Vulnerabilities’ Category

Microsoft has confirmed that an unpatched Internet Explorer vulnerability makes it potentially dangerous to press F1 if you are running earlier versions of Windows.

A security bug in the VBScript technology bundled with Internet Explorer means that it might be possible to create a web site that displays a specially crafted dialog box that pushes malware providing a victim is tricked into pressing the F1 (help menu) key while viewing a booby-trapped site using Internet Explorer. The novel exploit technique works on older versions of Windows (Win 2000, XP and Server 2003). Vista, Windows 7 and Windows Server 2008 are immune.

Proof of concept code is reportedly in circulation but Microsoft said: “We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time.”

Redmond went on to criticise security researchers for not coming to them with the problem first in an advisory, published on Monday.

“Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.”

The advisory expands on an earlier holding statement in providing a list of potentially vulnerable systems, a preliminary risk assessment and suggested workarounds. Redmond security gnomes are still investigating the flaw but a decision to develop a patch looks like a big odds-on favourite if past form holds true.

Microsoft gave no indication of when a patch might become available but the next scheduled Patch Tuesday is only six days away, cutting it very fine to develop, much less test, a fix. An April or even May update for IE seems more likely.

Credit: The Register

Computer scientists at Rutgers University this week are demonstrating ways that rootkits can attack new generations of smart mobile phones. The researchers, who are presenting their findings at a mobile computing workshop in Maryland, are showing how a rootkit could cause a smartphone to eavesdrop on a meeting, track its owner’s travels, or rapidly drain its battery to render the phone useless — all without the user’s knowledge.

“Smartphones are essentially becoming regular computers,” says Vinod Ganapathy, assistant professor of computer science in Rutgers’ School of Arts and Sciences. “They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by [malware].”

Ganapathy and computer science professor Liviu Iftode worked with three students to study the use of rootkits in smartphone operating systems. They note that while many PCs carry virtual machine monitors to help detect rootkits, most smartphones cannot support a VM monitor.

Rootkit attacks on smartphones — or upcoming tablet computers — could be more devastating because smartphone owners tend to carry their phones with them all of the time, the researchers say. This creates opportunities for potential attackers to eavesdrop, extract personal information from phone directories, or just pinpoint a user’s whereabouts by querying the phone’s GPS receiver. Smartphones also have new ways for malware to enter the system, such as through a Bluetooth radio channel or via text message.

“What we’re doing today is raising a warning flag,” Iftode says. “We’re showing that people with general computer proficiency can create rootkit malware for smartphones. The next step is to work on defenses.”

In one test, the researchers showed how a rootkit could turn on a phone’s microphone without the owner knowing it happened. In such a case, an attacker would send an invisible text message to the infected phone, telling it to place a call and turn on the microphone, such as when the phone’s owner is in a meeting and the attacker wants to eavesdrop.

In another test, they demonstrated a rootkit that responds to a text query for the phone’s location as furnished by its GPS receiver. This would enable an attacker to track the owner’s whereabouts.

In a third test, the researchers showed a rootkit turning on power-hungry capabilities — such as the Bluetooth radio and GPS receiver — to quickly drain the battery.

The researchers are careful to note they did not assess the vulnerability of specific types of smartphones. They did their work on a phone used primarily by software developers versus commercial phone users. Working within a legitimate software development environment, they deliberately inserted rootkit malware into the phone to study its potential effects.

The research was supported by the National Science Foundation and the U.S. Army.

Credit: DarkReading.com

A researcher has unearthed a bug in software used to install Adobe’s ubiquitous Reader and Flash applications that can be exploited to remotely install malicious files on end user PCs.

The Adobe Download Manager is an ActiveX script that is invoked when people install or update Reader or Flash using Internet Explorer. Researcher Aviv Raff has figured out how to exploit it to install any file he wishes simply by tricking a user into clicking on a link on the Adobe.com domain.

The attack combines a vulnerability on Adobe’s website with a defect in the download manager. The result: he was able to install and execute his own instance of the Windows calculator on a Register test machine. Aviv demonstrated the exploit on the condition further technical details be withheld.

“Instead of admitting that this design flaw is indeed a problem which can be abused by malicious attackers, Adobe decided to downplay this issue,” Raff wrote. He was referring to unpublished comments an Adobe spokeswoman made to Zero Day blogger Ryan Naraine.

In part, the comments said the download manager “is designed to remove itself from the computer after use at the next restart,” “can only be used to download the latest version of software hosted on Adobe.com,” and “presents a very large user dialog box when downloading software.”

But because the download manager remains on a machine until it is rebooted, attackers have ample opportunity to exploit the bug. Assuming the typical machine is restarted once every 24 to 72 hours, attacks have a reasonable chance of success as long as they are launched within the first one to three days of a recent update. (We’re guessing a fair percentage of people would be unfazed by the dialog box).

And once that happens, attackers have the ability to remotely install malicious code on an untold millions of PCs.

In response to Raff’s post, Adobe spokeswoman Wiebke Lips wrote: “Adobe is aware of the recently posted report of a remote code execution vulnerability in the Adobe Download Manager. We are working with the researcher, Aviv Raff, and the third party vendor of this component to investigate and resolve the issue as quickly as possible.”

The myriad bugs that over the past few years have routinely imperiled the entire internet have made Adobe the Toyota of the software industry. Company security personnel seem intent of correcting the problems, but the only way for that to happen is to launch a comprehensive initiative that makes a top-to-bottom review of the company’s entire code base.

Credit: The Register

A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla’s Firefox browser.

The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.

“We’ve played a lot with it in our labs - it was very reliable,” Legerov wrote in an email to The Reg. “Works against the default install of Firefox 3.6. We’ve tested it on XP and Vista.”

The report comes as Mozilla pushed out a Firefox update that tackles three critical vulnerabilities in version 3.5.7. One of those bugs is also described as a heap corruption vulnerability, but Legerov said the flaw is different from the one his code exploits.

Mozilla issued a statement that read in part: “Mozilla takes all security vulnerabilities seriously, and have as yet been unable to confirm the claim of an exploit. We value the contributions of all security researchers and encourage them to work within our security process, responsibly disclosing vulnerabilities to ensure the highest level of security and best outcome for users.”

Legerov said his firm does not provide advanced notification to software makers under an arrangement often referred to as responsible disclosure.

If Legerov’s claim pans out, it would be one of the few times in recent memory that a zero-day vulnerability for Firefox has circulated in the wild. While the exploit is currently available only to those who pay a hefty licensing fee, wider circulation can’t be far behind.

Credit: The Register

Already besieged by complaints of shoddy user privacy, Google Buzz is susceptible to exploits that allow an attacker to commandeer accounts and even learn where victims are located, a security researcher said Tuesday.

The XSS, or cross-site scripting, vulnerability is unusual because it affects google.com, the domain that sets authentication cookies for a variety of popular Google services, including Mail, Calendar and Documents. That means an attacker might be able to hijack victims’ account simply by tricking them into visiting a booby-trapped link.

What’s more, the vulnerability ties into to the much-vaunted Google Location Services, making it possible for the attacker to learn the geographical location of users who have already opted in.

“It’s a pretty nasty vulnerability, actually,” Robert “RSnake” Hansen, CEO of secTheory.com, said. “If you’ve already agreed to that before being exploited, which most people will do, then the attacker also gets to know your location.”

The vulnerability is the result of web applications that fail to adequately scrutinize user input for malicious commands that inject unauthorized content and javascript into browsers visiting google.com addresses. The vulnerability, which Hansen said was reported by a hacker known as TrainReq, is also notable because it works over the SSL, or secure sockets layer, protocol.

The resulting “https” and “google.com” included in the address is likely to lead some victims into believing the address is safe, he said.

Over the years, Google engineers have done a good job at fortifying the site against XSS flaws. In the rare instances the bugs get through, Google personnel are usually quick at stamping them out once they’ve been reported.

Credit: The Register

A popular Twitter service called Twitter Grader was hacked yesterday causing thousands of unauthorized tweets to be posted from the accounts of its users. Twitter Grader, which is normally available from grader.com along with other free grading applications, allows Twitter users to see how influential they are on the micro-blogging platform. The service is developed by an Internet marketing company called HubSpot.

The company’s founder and CTO, Dharmesh Shah, was completely taken by surprise yesterday when Twitter Grader users, including himself, started posting a strange message on their feeds. The unauthorized tweets contained a link to a 2006 video of Biz Stone promoting the micro-blogging platform.

Rik Ferguson, solutions architect at antivirus vendor Trend Micro, analyzed the message and concluded that, “The link that has been endlessly tweeted by grader users does not appear to host any malicious content.” The researcher also launched a possible explanation for the attack. “The domain name of the destination site [seonix.org] however might give us a clue to the motivation behind the attack. Seonix presumably refers to Search Engine Optimisation and perhaps that is the real purpose of this attack,” he wrote.

Access to the entire grader.com domain has been temporarily suspended until the issue is addressed and all applications are moved to more secure servers. The company also stresses that customers of its commercial services have not been affected, as these are hosted on a different infrastructure. Additionally, the usernames and passwords of Twitter users have not been compromised, because the Twitter Grader service used OAuth, a technology that doesn’t require login credentials.

The responses to the official blog post about the attack are overwhelmingly favorable, commending the company for its openness and seriousness in handling the incident. “Ladies and gents, is an object lesson in how to deal with an event like this. Much respect to HubSpot,” Rik Ferguson wrote, while an executive officer with a different company noted that, “How you handled it […] should be a lesson (case study?) for others.”

Credit: Softpedia.com News

Veracode today released Blackberry-specific spyware, which the code-review specialist intends as a “call for defensive research” to show that the BlackBerry is vulnerable to spyware problems.

“The Blackberry ‘sandbox’ keeps you from getting into the operating system level. It’s effective for that,” says Tyler Shields, senior researcher at Veracode Research Lab and author of the Blackberry spyware. “BlackBerry is one of the better operating systems in regards to security,” he says, “but in the sandbox you can steal data.”

Shields says the point in releasing the spyware source code, which he calls TXSBBspy, is to “show how easy it is to write this code.” He calls the source code a blueprint for malware on the BlackBerry, showing how it’s possible to remotely dump all the contents, send the contents via e-mail, and conduct real-time monitoring of phone messages.

Shields says his purpose is to inspire a “call to action” to encourage development of BlackBerry applications to make it clear what these apps do before releasing them.

Credit: IT News

Security researchers warn that a significant number of WordPress websites have been compromised recently as part of what looks to be a money-generating affiliate scheme. The header.php template files are being injected with obfuscated JavaScript code.

“Late last week, I noticed something of a surge in reports of a particular threat: hoards of legitimate pages were being injected with a malicious JavaScript, pro-actively blocked as Mal/ObfJS-H. Thus far, the common link between the affected sites appears to be Wordpress. One user report suggests that the malicious script is being added to the header.php template script used by Wordpress,” Fraser Howard, principal virus researcher at Sophos, writes on the company’s blog.

The obfuscated script is inserted right after the tag and its purpose is to load additional content via an IFrame and to pass visitors through a series of silent redirects. One of these 302 redirects pass the affiliate account of the attacker to a remote script, probably for remuneration purposes.

According to Mr. Howard’s analysis, a cookie for a domain name rich-traffic.com is set in the visitors’ browsers, this site being a Russian affiliate network allowing users to sell or to buy IFrame traffic. “We sell only high quality iframe traffic for your various needs!” is written on the main page. Apparently, this offer refers to huge amounts of unique visitors spread across a wide variety of countries.

The issue of header.php files being modified without authorization has also been discussed in the support forums over at wordpress.org, with users suggesting that compromised FTP accounts might be the cause. This is consistent with the Sophos researcher’s conclusion, who writes that, “In this particular attack however, an out of date Wordpress installation does not appear to be the root cause – many of the sites I checked, appear to be running the latest available version (2.9.1 at time of writing).”

It is worth noting that TechCrunch, one of the most popular technology blogs on the Internet, has recently faced several attacks, which resulted in its home page being altered. At least in one particular attack, the header.php file was modified to include a rogue message.

Credit: Softpedia.com News

Apple’s iPhone is vulnerable to exploits that allow an attacker to spoof web pages even when they’re protected by the SSL, or secure sockets layer, protocol, a security researcher said.

The fault lies in a feature that makes it easy to configure large numbers of iPhones so they meet an organization’s IT policies, said Charlie Miller, a researcher at Independent Security Evaluators. Not only does the provisioning feature work over the internet, it can be tricked into accepting malicious configuration files.

“If the user accepts, the attacker can make changes to the phone’s configuration which can cause harm,” Miller explained.

The revelation comes after the hack was discussed in an anonymous blog post over the weekend. It explained how it was possible to sign an XML-based configuration file using a SSL certificate registered to a fictitious company called Apple Computer. Because the iPhone checks only that the certificate was signed by a trusted CA, or certificate authority, the author’s rogue update.mobilconfig file was accepted and executed.

The author claimed the hack could be used to change an iPhone’s proxy settings, a change that would allow attackers to do much more nefarious deeds such as funnel traffic to servers under their control. Miller said he wasn’t sure such an attack was possible, but he didn’t rule it out, either.

“It definitely allows them to change the trusted certs which means that you can’t trust SSL anymore,” Miller wrote. “I don’t have the cert the guy generated to really confirm things on my own. I’m very confident that it can do a lot though.”

In addition to changing trusted certificates, Miller said, a rogue configuration file could be used to disable Safari or other iPhone apps or block access to particular websites that can be accessed.

For an exploit to work, an attacker would have to apply a fair amount of social engineering. First, a user would have to be tricked into clicking on an email attachment or visiting a website hosting the configuration file. The user would then be presented with a window saying the update has been “verified” and would have to click OK to install it.

The most serious consequence Miller could confirm was the ability to spoof SSL-protected pages, but given the difficulty of the attack, he wasn’t sure how useful that would be.

“If you can get someone to install this thing AND go to your phishing site, the guy probably would have fallen for it without SSL,” he said.

Credit: The Register

Underscoring a little-known web vulnerability, hackers are exploiting a weakness in the Mozilla Firefox browser to wreak havoc on Freenode and other networks that cater to users of internet relay chat.

Using a piece of javascript embedded into a web link, the hackers force users of the open-source browser to join IRC networks and flood channels with diatribes that include the same internet address. As IRC users with Firefox follow the link, their browsers are also forced to spam the channels, giving the attack a viral quality that has has caused major disruptions for almost a month.

“Huge numbers of users of the Freenode network ended up getting banned themselves because they would click the link and then they would join the network and flood the network,” one of the hackers, who goes by the moniker Weev, said. “We get his huge rollover effect.”

He added: “We got the the people who run Freenode to actually k-line each other,” a reference to the process of banning a user from an IRC server for spamming or other inappropriate actions.

The malicious javascript exploits a feature that allows Firefox to send data over a variety of ports that aren’t related to web browsing. By relaying the scripts over port 6667, users who click on the link automatically connect to the IRC server and begin spewing a tirade of offensive text and links. The attack doesn’t work with Internet Explorer or Apple Safari, but “might” work with other browsers, Weev said.

IRC channels such as Efnet and OFTC have managed to block the attacks, but at time of writing Freenode operators were still struggling to repel them.

“While we are doing what we can to mitigate the spam, we would ask that you take a careful look at any unusual sites or URLs you might visit in the near future to be sure you are not being tricked into visiting such a site,” a note on Freenode’s website read. Representatives of the network didn’t respond to an email seeking comment.

Security researchers have long known that it’s possible to abuse features designed to make browsers work seamlessly with other internet applications. Web security expert Robert “RSnake” Hansen calls the technique “interprotocol exploitation.”

“It’s the first time I’ve actually seen it used in the wild,” he said. “We’ve been theorizing this attack was possible for some time. Browsers absolutely should not be able to connect to ports unrelated to HTTP.”

Hansen said other internet technologies, such as the Sip protocol for voice over IP, are also ripe for abuse.

Credit: The Register