According to ZDNet, during the last couple of hours, visitors to popular, high-traffic web sites such as CNN, BBC, Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget and Chip.de started reporting that parts of the sites were unreachable because of malware warnings triggered by content served through EyeWonder, an interactive digital advertising provider.
According to Google’s SafeBrowsing advisory for EyeWonder, the exploits were hosted on domains that are currently active participants in the ColdFusion injection attacks, namely elfah .net, 2ici .cn and javazhu.3322 .org; the same domains were also involved in the compromise of Pakistan’s Telecommunication Authority.
Using a RealPlayer Import stack overflow exploit and a second exploit targeting a QVOD Player URL overflow, the cybercriminals then attempt to push eight different malware samples. Detection rates for the droppers are improving.
Interestingly, one of the malware samples attempts to download an updated list of malware binaries by connecting to a compromised Italian site, betheboss.it, which appears to have been exploited as part of the same ColdFusion injection attacks.
This malware incident demonstrates how a single compromise of a trusted third-party content/ad serving vendor can undermine not only its own credibility, but potentially the credibility of every site using the network. And since the ads on the affected sites are dynamically served through different networks, it remains unclear whether it was in fact EyeWonder that served the malicious content, or a compromised partner of the network itself.
Case in point: the partnership between Facilitate Digital and EyeWonder is implemented in a very insecure fashion, with EyeWonder’s front page carrying a permanent iFrame tag that loads a domain (adsfac.us) belonging to Facilitate Digital.
For the time being, EyeWonder.com remains down for maintenance.
Credit: ZDNet.com Security Blogs
Hackers are running a mass compromise against sites running vulnerable ColdFusion application server installations.
Security watchers at the SANS Institute’s Internet Storm Centre are warning that a “high number” of sites have been hit over the last 36 hours or so. Miscreants are exploiting sites running older installations of some ColdFusion applications, such as FCKEditor (a popular HTML text editor) or CKFinder (an Ajax file manager).
The two main strands of the assault both target FCKEditor. Firstly, ColdFusion version 8.0.1 installs a vulnerable version of FCKEditor that is enabled by default. The security flaw gives criminals a means to upload arbitrary files to affected servers. Details of how to resolve this problem can be found on ColdFusion’s site.
The second strand of the attack relies on third-party applications, in particular the CFWebstore e-commerce app, that incorporate vulnerable versions of FCKEditor.
Hackers are taking advantage of the vulnerabilities to plant malicious scripts onto compromised websites, as part of a drive-by download attack that ultimately aims to infect visiting surfers.
SANS reckons the crackers behind the attack are the same as the gang that pulled off a similar attack back in March. Security researchers urge sites to review their ColdFusion installations, paying particular attention to deleting older applications that may have been left around as orphans during systems upgrades.
Credit: The Register
Earlier today, Trend Micro Technical Account Manager Fioravante Souza in Brazil spotted a (potentially harmful) URL to which users were being redirected from the Best Buy site. Users who visit www.bestbuy.com, as it turns out, are redirected to the URL http://pics. bubbled.cn/gallery/hardcore/?23c4f60c1b9f604d6ffb21cba599301f (do not visit). The compromised page on the domain turns out to be the landing page where visitors choose the language in which to browse the site. Threat Research Manager Ivan Macalintal further identified that a GeoIP check takes place before the landing page is displayed.
“If (the) requesting IP is from the Latin America Region (LAR), users are redirected to the ‘Choose English or Spanish’ page—and then bingo!” Macalintal says.
The source code of the landing page contains a garbled block of code at the bottom of the script, a clear sign of obfuscation. Beneath three layers of obfuscation, an iframe redirects the user to a site hosting the Luckysploit exploit kit. Both the Luckysploit kit and the obfuscation technique are reminiscent of those seen in Gumblar.
WHOIS information for the .CN site shows that it was created only on June 4, 2009, by the same familiar criminals. Further investigation shows that the .CN site is actually hosted in Germany and used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again.
Best Buy has been informed of the said URL redirections and is resolving the matter.
Credit: TrendLabs/Trend Micro
Exploiting a bug in the way iPhones parse SMS messages, Miller, principal analyst at Independent Security Evaluators, has demonstrated how to crash a part of the phone’s software, allowing him to temporarily disconnect the device from the network. He is still trying to determine whether the vulnerability allows remote code execution, a feat that would let attackers do far more nefarious things, including sending malicious commands to monitor the phone’s location or to turn on its microphone so that it becomes a remote bugging device.
“I can definitely make the thing crash,” Miller said. “I have still to determine whether it’s actually exploitable or not. This thing has the potential to be really serious, but I’m still looking at it and Apple is still looking at it.”
Miller presented his findings at the SyScan conference in Singapore on Thursday and plans to offer additional details later this month at the Black Hat security conference in Las Vegas. Researcher Collin Mulliner was also instrumental in discovering the bug, Miller said.
If the vulnerability turns out to be exploitable, it would be significant because there are few measures iPhone users can take to prevent an attack, said Dino Dai Zovi, a security researcher. Dai Zovi has yet to see the technical details behind the vulnerability, but he experienced its effects first hand last week.
While the two were speaking on a land line, Miller told Dai Zovi he had found a new bug in the iPhone and, as a demonstration, instructed him to look at his own Apple handset. The display bore the words “No service.” (The outage caused by Miller’s proof of concept was only temporary.)
“My reaction was that this has the potential to be a very serious vulnerability and likely the worst that has affected the iPhone to date,” Dai Zovi told The Register. “I was very surprised that he had a vulnerability that was triggerable with just an SMS message.”
Dai Zovi and several other iPhone experts said there is no way to prevent the iPhone from receiving SMS messages. While AT&T allows users to block text messages and multimedia messages sent as emails, there is no way to block all SMS messages. Apple has not commented so far.
Credit: The Register
Websense Security Labs has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site target Internet Explorer (MDAC), Microsoft Office Snapshot Viewer, Adobe Acrobat Reader and Adobe Shockwave.
According to Websense, if the user’s browser is successfully exploited, a malicious file is downloaded from the exploit site and run. The file is a Trojan Downloader that connects to a bot C&C server at IP 78.109.29.116 and then downloads a rootkit installer from the same IP, which is installed on the victim’s machine. The malware has an extremely low detection rate, with just two of 32 anti-virus engines identifying the threat. The IP address has ties to the Russian Business Network.
This isn’t the first time that security researchers have reported Torrentreactor is foisting malware on its users. In March 2008, the site suffered a similar iframe attack, according to Dancho Danchev.
Credit: The Register
Credit: Websense Security Labs
Manchester City Council was prevented from issuing hundreds of motoring penalty notices in time after the infamous Conficker worm knocked out parts of its IT systems.
Drivers caught on camera driving in bus lanes escaped punishment after the town hall fine processing system was taken offline in February, following infection by the infamous worm. Failure to issue 1,609 tickets within the statutory limit of 28 days left the city £43,000 out of pocket.
Clean-up costs and consultancy fees were far more significant, estimated at £600k. In addition, council IT chiefs spent a further £600k on Wyse thin client terminals as part of an enhanced backup strategy.
Town hall chiefs also spent a further £169,000 on extra staff needed to handle a backlog of benefits claims. Compensation payments to benefit claimants piled on the financial pain.
In total the incident cost the council an estimated £1.5m, the Manchester Evening News reports. Infection by the worm left council workers unable to send emails or print documents, and struggling with extra red tape after they were obliged to keep additional back-up paper records in case data was lost.
Council chiefs have banned the use of memory sticks, which were blamed (extracts from memos here) for causing the infection, as well as disabling all USB ports in response to the incident. Albert Square IT chiefs have also promised to revamp the council’s disaster recovery strategy, which the incident exposed as hopelessly inadequate.
Steve Park, Head of ICT at Manchester city council, told the MEN: “I’d like to reassure the public that we’ve built on and improved our disaster recovery strategy, which covers all our main networks.”
“This means that in the event of an emergency those key systems can be recovered with minimal disruption to the services involved.”
The fallout from the Conficker worm infection marks the second time in a week that Manchester City Council has made headlines for IT cock-ups. Data watchdogs at the ICO put the council on notice over breaches of the Data Protection Act last week, following the earlier loss of two unencrypted laptops from council premises. One of the stolen machines contained personal details on hundreds of teachers and support workers at local schools.
Previous victims of the Conficker worm have included the UK’s Houses of Parliament and hospitals in Sheffield, as well as many other organisations outside the UK.
Credit: The Register
Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote attackers to take complete control of Windows computers, according to a warning from the software maker. According to Adobe, 450 million Internet-enabled desktops have Adobe Shockwave Player installed.
The issue is remotely exploitable and affects Adobe Shockwave Player 11.5.0.596 and earlier versions. According to Adobe’s advisory, the vulnerability could allow an attacker who successfully exploits it to take control of the affected system. Adobe has provided a fix for the reported vulnerability (CVE-2009-1860). The issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a variation of the issue in the backwards compatibility mode used for Shockwave Player 10 content.
To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available at http://get.adobe.com/shockwave/.
Credit: ZDNet.com Security Blogs
The Chinese censorware Green Dam, recently exposed as vulnerable to trivially and remotely exploitable flaws, has been silently patched. However, not only does the latest Green Dam version 3.17 remain vulnerable to remotely exploitable flaws, but for over a week now a working zero-day exploit (Exploit.GreenDam!IK; W32/GreenDam.A) has been circulating in the wild.
Green Dam intercepts Internet traffic using a library called SurfGd.dll. Even after the security patch, SurfGd.dll uses a fixed-length buffer to process web site requests, and malicious web sites can still overrun this buffer to take control of execution. The program now checks the lengths of the URL and the individual HTTP request headers, but the sum of the lengths is erroneously allowed to be greater than the size of the buffer. An attacker can compromise the new version by using both a very long URL and a very long “Host” HTTP header. The pre-update version 3.17, which we examined in our original report, is also susceptible to this attack.
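The length-check mistake described above, reduced to a small C illustration added here (this is not Green Dam's or SurfGd.dll's code; the buffer size, the request layout and the function names are assumptions): each field is validated against the buffer on its own, so two lengths that each pass can together exceed it. The fixed version bounds the total that will actually be written, guards the addition against wrap-around, and reassembles the request with a bounded formatting call that reports truncation instead of overflowing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; the real SurfGd.dll size is not
 * given in the report. */
#define REQ_BUF_SIZE 1024

/* The request is reassembled as "<url>\r\nHost: <host>\r\n" plus a NUL.
 * Fixed overhead: "\r\n" (2) + "Host: " (6) + "\r\n" (2) + NUL (1) = 11. */
#define REQ_OVERHEAD 11

/* Vulnerable pattern, as described in the report: each field is checked
 * against the buffer on its own, so the sum can still exceed it. */
int accept_request_vulnerable(size_t url_len, size_t host_len)
{
    if (url_len >= REQ_BUF_SIZE) return 0;
    if (host_len >= REQ_BUF_SIZE) return 0;
    return 1;   /* accepted even when url_len + host_len + overhead > REQ_BUF_SIZE */
}

/* Hardened check: bound the total that will be written. The per-field
 * pre-check rules out size_t wrap-around in the addition below. */
int accept_request_fixed(size_t url_len, size_t host_len)
{
    if (url_len > REQ_BUF_SIZE || host_len > REQ_BUF_SIZE) return 0;
    size_t total = url_len + host_len + REQ_OVERHEAD;
    return total <= REQ_BUF_SIZE;
}

/* Hardened reassembly: snprintf never writes past out_size bytes; a return
 * value >= out_size means truncation, which is treated as failure.
 * Returns the number of bytes written (excluding the NUL) or -1. */
int build_request_fixed(char *out, size_t out_size, const char *url, const char *host)
{
    if (!accept_request_fixed(strlen(url), strlen(host))) return -1;
    int n = snprintf(out, out_size, "%s\r\nHost: %s\r\n", url, host);
    if (n < 0 || (size_t)n >= out_size) return -1;
    return n;
}

int main(void)
{
    char buf[REQ_BUF_SIZE];
    /* Constructed inputs: each field alone is well under the buffer size,
     * but their sum is not. */
    char long_url[700], long_host[700];
    memset(long_url, 'A', sizeof long_url - 1);
    long_url[sizeof long_url - 1] = '\0';
    memset(long_host, 'B', sizeof long_host - 1);
    long_host[sizeof long_host - 1] = '\0';

    printf("vulnerable check accepts: %d\n",
           accept_request_vulnerable(strlen(long_url), strlen(long_host)));
    printf("fixed check accepts:      %d\n",
           accept_request_fixed(strlen(long_url), strlen(long_host)));
    printf("build_request_fixed:      %d\n",
           build_request_fixed(buf, sizeof buf, long_url, long_host));
    printf("normal request:           %d\n",
           build_request_fixed(buf, sizeof buf, "/index.html", "example.com"));
    return 0;
}
```

The point to take from the two checks is that per-field limits are only a proxy for the real invariant, which is the total number of bytes the code will write into the buffer; checking that total directly, before any copy, is what closes the gap.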
According to Green Dam’s official web site, the latest 3.17 version, which remains exploitable, has already been downloaded 426,138 times. Combined with raw data showing over 7,172,500 downloads of the previously vulnerable version, the current situation could easily turn the “Great Botnet of China” from theory into practice if the exploit ends up embedded within a web malware exploitation kit.
Credit: ZDNet.com Security Blogs
Mozilla has released a new version of its Firefox browser that plugs nine security holes, four of which are rated “critical,” the foundation’s highest vulnerability level.
Version 3.0.11 squashes a JavaScript chrome privilege-escalation bug, which Mozilla said allows attackers to execute malware on end users’ computers. Exploits would work by manipulating chrome-privileged objects, such as a browser sidebar.
Other critical vulnerabilities include stability bugs in the browser engine, crashes that caused memory corruption, and a race condition while accessing the private data of an NPObject JS wrapper class object. A complete list of fixes is available here.
Mozilla said some of the same bugs have been fixed in version 2.0.0.22 of Thunderbird, but at the time of writing the most current version of the email application was 2.0.0.21. We wouldn’t be surprised if an update were released soon.
As usual, the update will be pushed directly to Firefox users and requires only a simple restart of the browser to be installed.
Credit: The Register
Mac users are being targeted by a pair of new malware attacks, one of which is served through what purports to be a portal for adult videos.
The Jahlav-C Mac-specific Trojan poses as an ActiveX update needed to watch grumble flicks. The same booby-trapped website, which runs code to detect whether surfers are using Mac or Windows PCs, is an equal-opportunity infector that also deploys code designed to infect Windows PCs using similar social-engineering trickery.
In addition to the Trojan, Sophos discovered a new strain of the Mac OS X-specific Tored worm on Thursday.
Mac-specific malware remains a rarity compared to the hundreds of thousands of Windows-specific virus strains, of course. However, it would be a mistake for Mac fans to think they are immune from malware when downloading warez or hunting for porn. “It is becoming more and more common for hackers to use social engineering tricks - like telling surfers that they need to download a plugin on their Mac to watch a video - to weasel their way onto computers,” said Graham Cluley, senior technology consultant for Sophos.
“Once the malware is running on your computer, it can download further code from the internet - opening the door for your computer to be infected by scareware, send out spam, or become part of a zombie botnet. Windows users are used to fighting malware, but many Mac users are oblivious of the battle taking place for control of the public’s computers.”
Credit: The Register