Donna's SecurityFlash

Opera 10.01 Remote Array Overrun (Arbitrary code execution)

donna — Fri, 20 Nov 2009 16:20:30 GMT

Topic : Opera 10.01 Remote Array Overrun (Arbitrary code execution)
SecurityAlert : 73
CVE : CVE-2009-0689
SecurityRisk : High (About)
Remote Exploit : Yes
Local Exploit : Yes
Exploit Given : Yes
Credit : SecurityReason Research
Date : 20.11.2009
Affected Software :
- - Opera 10.01
- - Opera 10.10 Beta
NOTE: Prior versions may also be affected.

Opera fix: The vulnerability was fixed in the latest release candidate Opera RC3

Vulnerability details in http://securityreason.com/achievement_securityalert/73

Note: For users who have the new beta build: Opera v10.10 Build 1892 (BETA), you should check with Opera ASA if it's affected

Zero-day vulnerabilities in Firefox extensions discovered

donna — Fri, 20 Nov 2009 16:12:49 GMT

One of the reasons behind Firefox's popularity is the availability of a vast library of extensions. Users use them to modify the browser to their liking and make their browsing experience easier and more pleasant. The problem is, unbeknown to them, these extensions are exposing them to risk.

At the SecurityByte & OWASP AppSec Conference in India, Roberto Suggi Liverani and Nick Freeman, security consultants with security-assessment.com, offered insight into the substantial danger posed by Firefox extensions.

Mozilla doesn't have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.

Any Mozilla application with the extension system is vulnerable to same type of issues. Extensions vulnerabilities are platform independent, and can result in full system compromise.

The researchers believe that the weakest link in the chain is the human factor. Many add-on developers do it for a hobby and are not necessarily aware of how dangerous a vulnerable extension can be.

More in http://www.net-security.org/secworld.php?id=8527

Dumb code could stop computer viruses in their tracks

donna — Fri, 20 Nov 2009 14:11:31 GMT

On the day a new computer virus hits the internet there is little that antivirus software can do to stop it until security firms get round to writing and distributing a patch that recognises and kills the virus. Now engineers Simon Wiseman and Richard Oak at the defence technology company Qinetiq's security lab in Malvern, Worcestershire, UK, have come up with an answer to the problem.

Their idea, which they are patenting, is to intercept every file that could possibly hide a virus and add a string of computer code to it that will disable any virus it contains. Their system chiefly targets emailed attachments and adds the extra code to them as they pass through a mailserver. A key feature of the scheme is that no knowledge of the virus itself is needed, so it can deal with new, unrecognised "zero day" viruses as well as older ones.[...]

"This is not based on virus signature detection, so it is not something malware writers can imagine their way around," Wiseman says. Qinetiq, which has just acquired the military networking firm Boldon James, plans to exploit the trick in future secure mailservers. "It sounds like it might have some promise," says Ross Anderson, a software security engineer at the University of Cambridge. But he adds: "I'm not sure that injecting raw machine code into attachments will be a panacea."

http://www.newscientist.com/article/mg20427355.600-dumb-code-could-stop-computer-viruses-in-their-tracks.html

New York voting machines hit by malware to lead to allegations of voter fraud and machine failures

donna — Fri, 20 Nov 2009 13:52:29 GMT

Voting machines in a New York town have been hit by a virus casting doubt on the accuracy of counts retrieved from any of the machines.

According to the Gouverneur Times Cathleen Rogers, the democratic elections commissioner in Hamilton County, claimed that a problem had been found with their voting machines the week prior to the election, and the ‘virus' had been fixed by a technical support representative from Dominion, the manufacturer. [...]

In Symantec's 2010 security predictions, it claimed that highly specialised malware was uncovered in 2009 that was aimed at exploiting certain ATMs, indicating a degree of insider knowledge about their operation and how they could be exploited.

http://www.scmagazineuk.com/new-york-voting-machines-hit-by-malware-to-lead-to-allegations-of-voter-fraud-and-machine-failures/article/158190/?

Security Trends to Watch in 2010

- Antivirus is Not Enough
- Social Engineering as the Primary Attack Vector
- Rogue Security Software Vendors Escalate Their Efforts
- Social Networking Third-Party Applications Will be the Target of Fraud
- Windows 7 Will Come into the Cross-Hairs of Attackers
- Fast Flux Botnets Increase
- URL-Shortening Services Become the Phisher’s Best Friend
- Mac and Mobile Malware Will Increase
- Spammers Breaking the Rules
- As Spammers Adapt, Spam Volumes Will Continue to Fluctuate
- Specialized Malware
- CAPTCHA Technology Will Improve
- Instant Messaging Spam

http://www.symantec.com/connect/blogs/don-t-read-blog
http://www.symantec.com/podcasts/detail.jsp?podid=b-2010_security_outlook

Students Signing Up For Computer Hacking

donna — Fri, 20 Nov 2009 13:45:52 GMT

The threat of cyber attacks on businesses and governments has led to a rapid increase in the number of universities offering students the chance to learn how to hack computer networks. The degrees have been set to feed the expanding industry of "ethical hacking", in which companies pay hackers to infiltrate their systems and expose weaknesses.

The prospect of a lucrative career in the security services, police, defence and IT industries has fuelled the popularity in the courses, with hundreds of undergraduates and graduate students already enrolled.

The ethical hacking degree at Abertay University in Dundee was set up in 2006 and was the first of its kind in the UK. Since then, other courses have been set up at Coventry, Northumbria and Sunderland, with more in the pipeline at Glasgow Caledonian, Edinburgh Napier and Leeds Metropolitan amongst others.

Colin McLean, the programme tutor in Ethical Hacking and Countermeasures at Abertay, told Sky News that teaching his students to hack networks means they will have the skills to protect banks, businesses and the critical national infrastructure against cyber attacks.

"The current people in those jobs are not protecting against hackers," he said.

"There should be jobs for people who know exactly what hackers are doing and obviously how to stop the hackers as well."

Critics have warned of the dangers of arming young people with knowledge that could so easily be turned to criminal endeavour.

http://news.sky.com/skynews/Home/Technology/More-Universities-Offer-Hacking-Courses-As-Govts-And-Frims-Look-To-Counter-Cyber-Criminal-Threat/Article/200911315458299?

MS discovers flaw in Google plug-in for IE

donna — Fri, 20 Nov 2009 11:33:35 GMT

Microsoft has helped discover a flaw in the Google Chome Frame plug-in for Internet Explorer users.

The plug-in allows suitably coded web pages to be displayed in Internet Explorer using the Google Chrome rendering engine. Redmond warned that the plug-in made IE less secure as soon as it became available back in September, an argument bolstered by the discovery of a cross-origin bypass flaw in the add-in

Successfully exploiting the flaw creates a means for hackers to bypass security controls though not to go all the way and drop malware onto vulnerable systems.

Google acknowledged the flaw and urged users to update to version 4.0.245.1 of Google Chrome Frame. All users should be updated automatically to the latest version of the software, which also tackles a number of performance and stability glitches. Chief among these are problems handling iFrames, as explained in Google's security advisory here.

http://www.theregister.co.uk/2009/11/20/google_plug_in_bug/

IE8 bug makes 'safe' sites unsafe

donna — Fri, 20 Nov 2009 11:31:43 GMT

The latest version of Microsoft's Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe.

The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe, according to two Register sources, who discussed the bug on the condition they not be identified. Microsoft was notified of the vulnerability a few months ago, they said.

Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that's designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a "significant flaw" in the IE 8 feature but declined to provide specifics.[...]

Late on Thursday afternoon, Microsoft told The Register: "Microsoft is investigating new public claims of a vulnerability in Internet Explorer. We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."

Once its investigation is finished, the company will "take appropriate action," including issuing a patch or guidance on how users can protect themselves against exploits.

http://www.theregister.co.uk/2009/11/20/internet_explorer_security_flaw/

Cisco's free iPhone app grabs security feeds

donna — Fri, 20 Nov 2009 11:23:46 GMT

Cisco has made available a free iPhone app that can be used to receive more than a dozen security-related information feeds in customizable form related both to Cisco products and to general security topics, such as newly detected threats.

The Cisco SIO To Go iPhone application draws from the wealth of information continuously generated in Cisco's security intelligence operations (SIO) that monitor and consolidate information drawn from sensors and other sources about security threats worldwide. Michael Weir, manager of marketing for security, says the tool is Cisco's first iPhone app specifically for security; a few others were designed for use with Cisco's WebEx service and utilities.

"It's data that's valuable and actionable for you," says Weir about Cisco SIO To Go, which lets users select from a range of information, including risk reports or news-related events.

http://www.networkworld.com/news/2009/111909-cisco-iphone-app-security.html

Up Close and Technical look at SocialPet

donna — Fri, 20 Nov 2009 11:21:58 GMT

SocialPet, a new product from Jetmetric, lets administrators send fake phishing e-mails to selected employees to determine which ones know enough to ignore the messages and which don't - posing a threat to company security.

http://www.eweek.com/c/a/Security/Up-Close-and-Technical-look-at-SocialPet/

Job Spam Uses Twitter

donna — Fri, 20 Nov 2009 11:18:33 GMT

TrendLabs researchers were alerted to the discovery of spammed messages that contained Twitter URLs. The spam uses subjects such as N3 Earn Extra Income! 7L, C2 Exrtra Income Daily 4P, and Q0 $$$ Oppurtunity 6O. It informs users about supposed work-from-home opportunities for Google that pay good sums of money. It then entices users to click the Twitter URL to view the details of the bogus 'opportunities.'

When users click the link, they will land in the sender's Twitter page where another URL is posted in a tweet along with a message that encourages them to work online. The said URL points to a bogus site about working online and some success stories. This spam attack used Twitter as a technique to lure users into clicking the link. Since Twitter is a trusted source, users may think the email they received is legitimate.

http://blog.trendmicro.com/job-spam-uses-twitter/

Malicious Java Applet Poses as Carrie Prejean Video

donna — Fri, 20 Nov 2009 11:15:56 GMT

McAfee Labs has observed various spam runs exploiting the recent sensational Carrie Prejean news. The Prejean video is rapidly becoming one of the most searched-for topics ever on the net since the existence of the tape became common knowledge.

Evil Maid wanted, B.S. in Computer Science a plus

donna — Fri, 20 Nov 2009 11:10:58 GMT

Some weeks ago, Polish researcher Joanna Rutkowska published an attack on the TrueCrypt Full-Disk Encryption (FDE) software, which allows an attacker with access to an unattended PC to install a password sniffer in a first strike, and to steal the PC including the FDE password in a second strike.

She coined the term "evil maid attack" for this kind of incident, as it specifically applies to scenarios in which a traveller leaves a portable PC unattended in a hotel room, and a person who has access, but not necessarily dedicated technical skills (e.g. a room maid) actually executes the attack.

Technically, this person (in the absence of any reliable data on popular names for room maids, let’s just call her Trudy) inserts a bootable medium (e.g. a CD-ROM or USB stick), turns the laptop on, and consequently the bootable malware code on the medium gets executed.

This code then installs a transparent key logger in the Master Boot Record (MBR) of the hard disk. Later, the unsuspecting owner turns on his laptop, enters the passphrase and boots up. Without his knowledge, the keylogger intercepts the passphrase and stores it on the hard disk.

Finally, Trudy only needs to steal the laptop and to hand it over to the person who targeted the victim. Both steps don't require any particular technical knowledge, and can be performed by a person instructed/bribed by the master attacker.

It's not only TrueCrypt which is susceptible to this kind of attack, but basically all pure software FDE products. These products don't employ any additional hardware (e.g. TPM chip) to maintain the integrity of the boot process.

There are several ways to mitigate them quite efficiently (in Mac and Windows), find out in http://www.sophos.com/blogs/gc/g/2009/11/20/guest-blog-evil-maid-wanted-bs-computer-science/

Europe’s heartland in large-scale credit card theft

donna — Fri, 20 Nov 2009 10:55:46 GMT

Initial reports of a possible large scale breach of credit card data from a payment processing company in Spain are sketchy at best and the lack of information is not helping to allay the concerns of credit card customers across Europe.

In a statement released today, the Zentraler Kreditausschuss (Central Credit Committee) explained that German banks were acting in response to a warning issued by Visa and Mastercard over a potential data theft at a Spanish company. The Spanish company in question has not yet been identified as it is the subject of police investigations but it is widely believed to be a payment processing company responsible for dealing with payments made in Spain using credit cards issued in foreign countries.

In what is being described as a "primarily preventative measure" many German banks have begun cancelling more than 100,000 credit cards, notifying the card holders and issuing replacements. The mass replacement of cards is not restricted to Germany; banks in Austria Sweden and Finland have also begun to reissue credit cards according to reports.

http://countermeasures.trendmicro.eu/europes-heartland-in-large-scale-credit-card-theft/

AVIRA AntiVir Announcement: New Update Scheme

donna — Thu, 19 Nov 2009 22:42:51 GMT

Today Avira changed the update scheme in order to improve update speed and size.
Because of this, update servers are/will be very crowded (download size is about 30 Mb). Please be patient and use the following command to update:

"C:\Program Files\Avira\AntiVir Desktop\update.exe" /DM="0" "/NOMESSAGEBOX /receivetimeout=180"

For 64 bit systems, the command is:

"C:\Program Files (x86)\Avira\AntiVir Desktop\update.exe" /DM="0" "/NOMESSAGEBOX /receivetimeout=180"

(copy/paste this entirely in Start -> Run and press Enter).

http://forum.avira.com/wbb/index.php?page=Thread&postID=875394#post875394

Finally! Mozilla will kill buggy add-ons for Firefox

donna — Thu, 19 Nov 2009 14:30:57 GMT

Mozilla Security Team said:

We hate crashes. When Firefox crashes, we try to get you back on your feet as quickly as possible, but we’d much rather you not crash in the first place. In Firefox 3.6, we are changing the way that some third party software hooks into Firefox which should eliminate a good chunk of those crashes without sacrificing our extensibility in any way. In the process, we’ll also be giving you greater control over the code that runs in your browser.

http://blog.mozilla.com/security/2009/11/16/component-directory-lockdown-new-in-firefox-3-6/

That's good news. That's why I am Opera user where no add-ons. It simply works.. the browser.

Police make "trojan" virus arrests

donna — Thu, 19 Nov 2009 13:53:28 GMT

Detectives have made the first arrests in Europe to tackle a "trojan" computer virus which is believed to have infected tens of thousands of computers across the world, London police said on Wednesday.

The ZeuS or Zbot trojan, a type of sophisticated malicious computer programme, has been used to collect millions of lines of data from machines allowing those responsible to obtain a mass of personal information.

The Metropolitan Police said the trojan was configured so that once installed in an affected computer, it recorded users' bank details and passwords, credit card numbers and other information such as passwords for social networking sites.

The financial gains for the criminals and the potential losses to individuals and institutions affected were very substantial, detectives said.

Police said a man and a woman, both aged 20, had been arrested on November 3 in Manchester. They have been released on police bail pending further inquiries.

"The ZeuS trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world," said Detective Inspector Colin Wetherill of the Met Police's Central e-Crime Unit.

http://www.reuters.com/article/internetNews/idUSTRE5AH43Y20091118

Avast! Antivirus 'aswRdr.sys' Driver Local Privilege Escalation Vulnerability

donna — Thu, 19 Nov 2009 13:48:24 GMT

Avast! Antivirus is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to execute arbitrary code with superuser privileges and completely compromise the affected computer. Failed exploit attempts will result in a denial-of-service condition.

Vulnerable:
Avast! Antivirus Professional Edition 4.8.1356
Avast! Antivirus Professional Edition 4.8.1351
Avast! Antivirus Professional Edition 4.8.1335
Avast! Antivirus Professional Edition 4.8.1169
Avast! Antivirus Professional Edition 4.7.1098
Avast! Antivirus Professional Edition 4.7.1043
Avast! Antivirus Professional Edition 4.7.844
Avast! Antivirus Professional Edition 4.7.827
Avast! Antivirus Professional Edition 4.6.691
Avast! Antivirus Professional Edition 4.6.665
Avast! Antivirus Professional Edition 4.6.652
Avast! Antivirus Professional Edition 4.6.603
Avast! Antivirus Professional Edition 4.6
Avast! Antivirus Professional Edition 4.0
Avast! Antivirus Home Edition 4.8.1356
Avast! Antivirus Home Edition 4.8.1351
Avast! Antivirus Home Edition 4.8.1335
Avast! Antivirus Home Edition 4.8.1169
Avast! Antivirus Home Edition 4.7.1098
Avast! Antivirus Home Edition 4.7.1043
Avast! Antivirus Home Edition 4.7.869
Avast! Antivirus Home Edition 4.7.844
Avast! Antivirus Home Edition 4.7.827
Avast! Antivirus Home Edition 4.6.691
Avast! Antivirus Home Edition 4.6.691
Avast! Antivirus Home Edition 4.6.665
Avast! Antivirus Home Edition 4.6.655
Avast! Antivirus Home Edition 4.6.652
Avast! Antivirus Home Edition 4.6
Avast! Antivirus Home Edition 4.0

http://www.securityfocus.com/bid/37031/discuss

How to hack China for just $1,800

donna — Thu, 19 Nov 2009 13:45:07 GMT

A Chinese domain name that is for sale could be misused, security experts say

Fraudsters may have a hot deal waiting for them in the form of an obscure Chinese domain name that's for sale on the Internet.

The wpad.cn domain is for sale, according to a note posted on the Web site. That fact probably doesn't mean much to most people, but to Duane Wessels it's a big deal. He says that if it fell into criminal hands it could be misused for phishing or other types of fraud.

Wessels, the president of Measurement Factory, owns five wpad domains -- wpad.com, wpad.net, wpad.org, wpad.biz and wpad.us. Between them, he gets 5 million hits per day. Most of them come from Windows computers erroneously looking for network configuration information, thanks to a decade-old Windows bug that Microsoft first fixed in 1999.

Nobody knows why sites like Wessels' continue to get so much traffic long after Microsoft patched the flaw. He thinks it may come from old versions of Windows, obscure programs with built-in Web components, or perhaps even misconfigured servers on the network. Microsoft did not respond to a query about the issue on Tuesday.

http://www.networkworld.com/news/2009/111809-how-to-hack-china-for.html

64-bit Windows safer, claims Microsoft

donna — Thu, 19 Nov 2009 13:18:39 GMT

Windows users running 64-bit versions of the operating system are less likely to get infected by attack code, Microsoft's security team said yesterday.

But that doesn't mean they won't, countered an outside security researcher.

"64-bit Windows has some of the lowest reported malware infection rates in the first half of 2009," said Joe Faulhaber of the Microsoft Malware Protection Center in a post to the group's blog yesterday. "64-bit malware is still exceedingly rare in the wild."

Faulhaber cited statistics gleaned from Microsoft's Malicious Software Removal Tool (MSRC), a free malware detection and deletion utility the company updates and pushes to users monthly. According to Microsoft's data, the 64-bit version of Windows XP was 48% less likely to be infected than the 32-bit edition during the first half of 2009; PCs running Vista 64-bit, meanwhile, were 35% less likely to be infected than Vista 32-bit.

That's not necessarily true, said Alfred Huger, formerly with Symantec and currently vice president of engineering at security start-up Immunet. "There's a lot of 64-bit malware," said Huger.

Continued in http://www.computerworld.com/s/article/9141017/64_bit_Windows_safer_claims_Microsoft

Read the blog of MSRC in http://blogs.technet.com/mmpc/archive/2009/11/16/whats-another-32bits-to-malware.aspx

Malware writers feeding on Twilight mania

donna — Thu, 19 Nov 2009 13:17:52 GMT

Online scammers get their teeth into unsuspecting victims

Growing interest about the Twilight vampire series is making life risky for fans seeking information online, experts have warned.

Security firm PC Tools documented a growing number of attacks and scams related to the popular book and movie series. The company expects such attacks to increase with the release of the New Moon sequel.

PC Tools said that many of the attacks follow familiar patterns, such as fake video sites. Scammers have loaded comment and forum pages with spam messages linking users to sites which claim to offer exclusive videos of New Moon.

Rather than watching a bootleg of the movie, however, users are subjected to the classic 'fake codec' attack in which the user is duped into installing a Trojan application disguised as a video player or plug-in.

http://www.v3.co.uk/v3/news/2253535/malware-writers-feeding