A new Windows vulnerability that could allow for privilege escalation and arbitrary code execution has been identified. According to vulnerability research company VUPEN Security, the flaw affects all supported versions of Microsoft Windows.
The issue is described by VUPEN in its advisory as a Windows kernel memory corruption vulnerability, because it is located in the Win32k.sys kernel-mode device driver. The bug can be exploited by placing and retrieving specifically formatted bitmap data from the clipboard and can potentially be leveraged by local attackers to elevate their privileges or execute arbitrary code.
Malicious users can also generate a Denial of Service condition by crashing the system. “VUPEN has confirmed the vulnerability on fully patched Microsoft Windows 7, Windows Server 2008 SP2, Windows Server 2003 SP2, Windows Vista SP2, and Microsoft Windows XP SP3,” the company writes, noting that it is not aware of any patch supplied by the vendor.
The bug is rated as moderate risk and a researcher identified only as Arkon is credited with its discovery. It’s not clear if Microsoft has been informed of the issue, because VUPEN no longer supplies vulnerability intelligence to vendors for free and the Redmond giant doesn’t want to pay for bug information.
Microsoft has recently rebranded its vulnerability disclosure guidelines as Coordinated Vulnerability Disclosure (CVD). “CVD’s core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action — and even then it should be coordinated as closely as possible,” the company explained.
Credit: Softpedia.com News
Microsoft on Monday rushed out an emergency patch for a critical vulnerability that criminals are exploiting to install malware on all supported versions of the Windows operating system.
As promised Friday, Microsoft released the update outside of its normal patching schedule because the vulnerability is being actively targeted. When the flaw first came to public attention three weeks ago, it was being used to attack SCADA — supervisory control and data acquisition — systems that control sensitive equipment at power plants, gas refineries, and other critical infrastructure.
Since then, it’s been used to install general-purpose malware from Zeus and other do-it-yourself crimeware kits used to siphon credit card numbers and other sensitive data from compromised computers. The Windows flaw resides in a shortcut feature that makes it easy to store commonly accessed files and folders on the operating-system desktop.
Users who employed a stopgap FixIt published two weeks ago should roll back their machines using the “disable workaround” feature here. Those who don’t follow this advice will find that icons fail to display properly, causing folders and files to appear white without any of the customary graphics.
Users will most likely have to reboot their machines twice — once after uninstalling the workaround, and again after installing the update.
Credit: The Register
Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.
Malware targeting the security weakness in the handling of .lnk shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootkit drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack.
In an advisory, VirusBlokAda says it has seen numerous incidents of the Trojan spy payloads dropped by the malware since adding detection for the malign code last month.
Even fully patched Windows 7 systems are vulnerable to attack in cases where a user views files on an infected USB drive using Windows Explorer, security blogger Brian Krebs reports. Instead of using Windows Autoplay to spread, the malware takes advantage of security weaknesses involving shortcut files. Malicious shortcuts on the USB drive are reportedly capable of auto-executing when users open an infected storage device in Windows Explorer. Normally users would have to click on the link for anything to happen.
Independent researcher Frank Boldewin has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems.
“Looks like this malware was made for espionage,” Boldewin writes.
Firms faced with a spate of Windows autorun worms have responded by disabling autorun, but this advice may no longer be enough with the appearance of a new attack vector, Finnish security firm F-Secure warns. “Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files,” it adds.
Microsoft has released an advisory confirming a previously unknown vulnerability in the way Windows processes shortcut files (CVE-2010-2568). The critical bug is trivial to exploit, affects all versions of Windows and allows for arbitrary code execution.
According to Microsoft, all versions of Windows from Windows XP with Service Pack 3 forward, including both 32- and 64-bit flavors, are affected. But Chester Wisniewski, senior security advisor at Sophos Canada, points out that Windows 2000 and Windows XP SP2, which Microsoft stopped officially supporting earlier this week, are also vulnerable.
Even though the malware exploiting this vulnerability was spreading through USB devices, the bug itself can also be exploited from optical media, network shares and WebDAV. The temporary mitigation techniques suggested by Microsoft involve disabling shortcut icons via a registry hack, which will result in a really weird experience for users, and stopping the WebClient service, which will severely impact SharePoint customers.
Credit: The Register
French vulnerability research company VUPEN Security reports the discovery of a use-after-free vulnerability affecting all versions of Internet Explorer that could possibly lead to code execution. According to the company’s new “no more bugs for free” policy, details of the flaw will not be shared with Microsoft unless it pays.
“We Discovered the 10th Unpatched Use-after-free Vulnerability in MS Internet Explorer. IE 8/7/6 are all affected,” a short announcement from VUPEN posted on Twitter reads. However, the research will only be available to its paying customers.
Use-after-free conditions occur when a program continues to use a pointer to a location in memory that has already been deleted or freed. According to an article from OWASP (Open Web Application Security Project) this type of vulnerability poses a very high risk level and has a high exploitation likelihood.
“The use of previously freed memory can have any number of adverse consequences - ranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw. If the newly allocated data chances to hold a class, in C++ for example, various function pointers may be scattered within the heap data. If one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved,” the article explains.
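The mechanism the OWASP text describes, as an added example that is not part of the original article: a constructed single-slot allocator makes the "freed memory handed out again" step deterministic, a Widget with a function pointer is freed and its slot is refilled with untrusted bytes, and the hardened variant shows the owner nulling its pointer so the stale dispatch cannot happen. The allocator, Widget type and both flows are assumptions for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed, deterministic single-slot allocator: stands in for the real
 * heap so the "freed slot handed out again" step is reproducible. */
#define SLOT_SIZE 32
static union { unsigned char b[SLOT_SIZE]; void *align; } g_slot;
static int g_slot_free = 1;

static void *pool_alloc(size_t n) {
    if (!g_slot_free || n > SLOT_SIZE) return NULL;
    g_slot_free = 0;
    return g_slot.b;
}
static void pool_free(void *p) { (void)p; g_slot_free = 1; }

/* A heap object carrying a function pointer, the pattern the quoted
 * OWASP text describes (think of a C++ object and its vtable pointer). */
typedef void (*event_fn)(const char *);
typedef struct {
    event_fn on_event;
    char name[SLOT_SIZE - sizeof(event_fn)];
} Widget;

static int g_events = 0;
static void real_handler(const char *s) { (void)s; g_events++; }

/* Vulnerable flow: the Widget is freed, its slot is reused for a buffer
 * filled with untrusted bytes, and the stale pointer is still consulted.
 * Returns 1 when the function pointer no longer points at real_handler,
 * i.e. a later w->on_event(...) would jump to whatever bytes now sit there. */
int vulnerable_flow(void) {
    Widget *w = pool_alloc(sizeof *w);
    w->on_event = real_handler;
    pool_free(w);                       /* w is now a dangling pointer */
    char *buf = pool_alloc(SLOT_SIZE);  /* same memory handed out again */
    memset(buf, 'A', SLOT_SIZE);        /* untrusted input overwrites it */
    int clobbered = (w->on_event != real_handler);
    pool_free(buf);
    return clobbered;
}

/* Hardened flow: the owner releases through a helper that frees and nulls
 * the pointer, and dispatch is guarded. Returns the number of dispatches
 * made through the released object (expected 0). */
static void widget_release(Widget **pw) { pool_free(*pw); *pw = NULL; }

int hardened_flow(void) {
    Widget *w = pool_alloc(sizeof *w);
    w->on_event = real_handler;
    widget_release(&w);                 /* frees and clears the owner's pointer */
    char *buf = pool_alloc(SLOT_SIZE);
    memset(buf, 'A', SLOT_SIZE);
    int dispatched = 0;
    if (w != NULL) { w->on_event("x"); dispatched++; }  /* never taken */
    pool_free(buf);
    return dispatched;
}
```

Nulling the owner's pointer only protects that one alias; other copies stay dangling, which is why AddressSanitizer-style tooling is used during testing to catch the pattern wherever the stale copy lives.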
VUPEN Security, which was previously known as FrSIRT, has been credited with discovering numerous critical vulnerabilities in widely deployed software, including Microsoft products. The company recently claimed to have discovered the first two vulnerabilities in the new Microsoft Office 2010 suite.
However, VUPEN is no longer willing to give away its research for free to the affected vendors. Instead, it practices responsible disclosure only with software developers that pay for the information. “Why should security services providers give away for free information aimed at making paid-for software more secure?” Chaouki Bekrar, VUPEN’s chief executive officer, commented for Heise Media.
The company continues to provide intelligence about the unpatched vulnerabilities, to various governments who are members of its Threat Protection Program, even if the vendor has not been informed. The information includes full binary analysis and detection guidelines.
This “no more bugs for free” policy appears to be a growing trend among security researchers. Prominent white hat hackers like Charlie Miller, Alex Sotirov and Dino Dai Zovi have held this stance for about a year already. Evgeny Legerov, founder of Moscow-based vulnerability research company Intevydis, who declared himself an opponent of responsible disclosure, compared the practice with doing free Quality Assurance work for vendors.
Credit: Softpedia.com News
The support site of leading Chinese PC manufacturer Lenovo has been compromised by unknown attackers who injected a rogue IFrame into the pages over the weekend. Security researchers warn that unwary visitors looking for drivers are exposed to several exploits that install the Bredolab trojan onto their computers.
According to a report from Vietnamese antivirus vendor Bkis, the pages have been infected since at least Sunday afternoon. However, some users have been reporting getting antivirus warnings when visiting Lenovo’s download website since Saturday.
The IFrame points to an exploit kit hosted on a domain called volgo-marun.cn. After performing several checks to determine which vulnerable software is installed on the visitor’s computer, the kit serves exploits targeting older versions of Internet Explorer, Adobe Reader or Adobe Flash Player.
“These exploit codes attempt to load file hxxp://volgo-marun.cn/pek/exe.exe which is a virus, onto victim’s computer. The virus is a new variant of Bredolab Botnet […]. After being loaded onto the computers, the virus copies itself as %Programs%\Startup\monskc32.exe and receives commands from C&C server with domain sicha-linna8.com,” Le Minh Hung, senior security researcher at Bkis, writes.
At the moment, the malicious executable is detected by only ten of the 41 antivirus products listed on VirusTotal. The entire download.lenovo.com subdomain has been blacklisted by Google’s Safe Browsing service. This means that Firefox or Chrome users should see malware warnings when opening resources hosted on it.
“Of the 46 pages we tested on the site over the past 90 days, 39 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-06-20, and the last time suspicious content was found on this site was on 2010-06-20. Malicious software includes 1 trojan(s). Malicious software is hosted on 1 domain(s), including volgo-marun.cn/,” a detailed explanation of the Google warnings reads.
Even though the malicious .cn domain appears to be dead at the moment, it could come back online at any time. Therefore, users are advised to steer clear of the Lenovo support website for a couple of days, until the manufacturer has a chance to clean it up and plug the hole that allowed the compromise in the first place.
Credit: Softpedia.com News
Avira reports that the number of PDF documents rigged with malware rose by 50 percent in May compared with the previous month. Data gathered by the company also reveals that .ru was the preferred country code TLD for hosting malware and that .br had the largest number of phishing websites.
According to the German antivirus vendor, the most abused file extensions were exe, txt, php, jpg, dll, pdf, gif and com, while 31% of all malicious files detected had no extension at all. Even though the infected PDF documents represented only 1.20% of the total number, the increase compared with April was considerable – 52.14%. So were the monthly deviations for cmd (66.67%), ocx (56.25%) or swf (43.30%).
As far as domain TLD abuse goes, .com leads by far in both the phishing and malware hosting categories with 49.9% and 44.53%, respectively, although these numbers actually represent a decrease over the previous month. As expected, .com is followed in the stats by .net and .org, but the most interesting changes were registered for the country code TLDs.
While .kr (South Korea) dominated in both sections during April, this month, the .kr abuse registered major drops of 246.22% for phishing sites and of 27.72% for malware, leaving the lead to .br (Brazil) and .ru (Russia). “A big increase [of almost 100%] is noticeable in the usage of plain IP addresses,” Avira’s Manager of International Software Development, Sorin Mustaca, points out.
PayPal retains its domination in the stats for the most phished brands, being the target of 44.99% of registered attacks. The top five is completed by Ebay (16.05%), HSBC Bank (12.04%), Facebook (5.33%) and Bank of America (2.09%).
Finally, when it comes to spam, the preferred category for May was online pharmacy, which accounted for 13.37% of all junk email. This was followed by replica watches (7.34%), fake university degrees (7.26%), Nigerian 419-like scams (2.80%) and loans (2.63%).
Credit: Softpedia.com News
Microsoft has silently slipped a Firefox extension onto user machines via an automatic software update. Again.
This week, as part of its regular Patch Tuesday, Redmond released an update for its various browser toolbars, and as Ars Technica noticed, this update also installed an entire add-on for Internet Explorer and an extension for Mozilla Firefox – without asking users. Ars was unable to identify the installs, but Microsoft now says that the update was installing the latest version of its Bing toolbar on machines that were running the older Windows Live Toolbar or MSN Toolbar.
The company says it has now, um, updated the update, and the silent toolbar install no longer occurs. The company calls the silent install “a bug.”
“We discovered a bug in the latest update that was installing the Firefox extension for users with the Windows Live Toolbar and MSN Toolbar (specifically people who have not upgraded to the latest version of the Bing Bar),” the company tells us. “We fixed the update so that going forward folks who still have only the older Windows Live Toolbar or MSN Toolbar will not see this behavior anymore.”
The company apologizes for any inconvenience this may have caused.
Microsoft says that the update was supposed to include only its Search Enhancement Pack, a shared component used by the Windows Live Toolbar, MSN Toolbar, and Bing Bar. The Pack, the company says, enables certain toolbar features, such as the search suggestions drop down. The update was originally tagged with the Search Enhancement Pack label, but it also installed the Bing toolbar on certain machines.
The update was marked “important,” not “optional.” And Firefox users at MozillaZone weren’t too happy about the silent extension install. “I am still annoyed that Microsoft thinks it is ok to arbitrarily tack on something to my FF browser WITHOUT asking, and worst of all, disabling the Uninstall button! Why do they keep doing stupid things like that?!” says one poster.
Users were similarly peeved a year ago, when a service pack for the .NET Framework silently pushed a Firefox add-on. This add-on - Microsoft .NET Framework Assistant - enabled .NET apps to be installed with one click. It also shipped with a disabled uninstall button.
Credit: The Register
Olympus has apologised after it distributed a digital camera in Japan that came with added malware on its internal memory card.
An estimated 1,700 Stylus Tough 6010 digital compact cameras shipped pre-pwned with auto-run code designed to infect Windows PCs they were connected to, net security firm Sophos reports. The malware uses a USB connection infection route that has become one of the most popular means of malware distribution in recent years.
Olympus has apologised for the problem and promised to improve its quality control procedures to prevent future outbreaks. The incident is the latest in a long line of digital devices that come pre-infected with malware. Recent examples include Samsung Wave phones shipped in Germany, TomTom satellite navigation devices and Apple Video iPods. Last month IBM handed out malware-ridden USB sticks at a security conference in Australia.
These infestations normally start with an infected PC on production lines or testing rigs used by gadget manufacturers and their partners. Suppliers need to apply improved quality controls to minimise embarrassing digital device incidents. Meanwhile consumers are advised to disable Autorun in Windows, as a guard against possible attacks.
Credit: The Register
Adobe warns users that an unpatched vulnerability affecting Flash Player, Reader and Acrobat is actively being exploited in the wild. The critical flaw allows attackers to remotely execute arbitrary code.
The vulnerability affects the latest stable releases of Flash Player 10.0.x and 9.0.x, as well as any older versions, for all supported operating systems - Windows, Mac and UNIX. The company notes that the latest release candidate for the upcoming Flash Player 10.1 is not affected and advises users to upgrade to it:
Affected Versions
- Adobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris
- Adobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX
Not Vulnerable
- Flash Player 10.1 Release Candidate
- Adobe Reader and Acrobat 8.x
The bug also affects the latest versions of Adobe Reader and Acrobat through the authplay.dll library included in these products. This component is used to play SWFs embedded in PDF documents and was affected by a similar vulnerability in July last year. Adobe proposes that this file be renamed, deleted or denied access to, until a fix becomes available.
“This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat,” Adobe’s Security Advisory on the issue states. “Adobe Reader and Acrobat 8.x are confirmed not vulnerable,” the company also informs.
Adobe products have been plagued by many zero-day remote code execution vulnerabilities in recent years, which earned the company a poor reputation with security-conscious users. To make it easier for system administrators in large companies to deploy security updates, in June last year Adobe introduced a quarterly patching cycle aligned with Microsoft’s Patch Tuesday. However, because of critical bugs discovered in the wild, the company has already been forced to release out-of-band updates twice, and it looks like this latest vulnerability might call for a third.
Credit: Softpedia.com News
Miscreants have begun creating malware that overwrites software update applications from Adobe and others. Email malware that poses as security updates from trusted companies is a frequently used hacker ruse. Malware posing as update utilities, rather than individual updates, represents a new take on the ruse.
Vietnam-based anti-virus firm Bkis said the tactic is a logical follow-on from earlier approaches where viruses replace system-files and startup-program files.
Nguyen Minh Duc, director of Bkis Security, writes that the recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package.
Variants of the malware also pose as updaters for Java and other software applications.
Duc explains: “From analysis, we found that malware is written in Visual Basic, faking such popular programs as Adobe, DeepFreeze, Java, Windows, etc. In addition, on being executed, they immediately turn on the following services: DHCP client, DNS client, Network share and open port to receive hacker’s commands.”
Credit: The Register