Researchers have identified a kernel-level vulnerability present in every Windows version, including Windows 7. The flaw lets an attacker escalate privileges and possibly execute malicious code with kernel privileges.

The buffer overflow can be used to crash vulnerable machines as well as to elevate privileges. Security research firm Vupen has said it may also be possible for attackers to execute arbitrary code with kernel privileges.

Secunia has also posted a warning:

“The vulnerability is caused due to a boundary error in win32k.sys within the "CreateDIBPalette()" function when copying colour values into a buffer allocated with a fixed size when creating the DIB palette. This can be exploited via the "GetClipboardData()" API to cause a buffer overflow by specifying a large number of colours (greater than 256) via the "biClrUsed" field in a BITMAPINFOHEADER structure.
Successful exploitation may allow execution of arbitrary code with kernel privileges.”

The flaw affects fully patched installations of every supported Windows platform from XP SP3 to Server 2008, and is likely to affect earlier versions too. There have been no reports of the vulnerability being exploited in the wild, but now the cat is out of the bag. Microsoft has said it is investigating the issue.
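The copy the advisory describes, shown here as an added illustration in C rather than code from Vupen, Secunia or Microsoft: a user-mode simulation of a fixed 256-entry palette table, the vulnerable pattern that trusts biClrUsed as the copy length, and a hardened form that rejects oversized headers instead. The palette object layout, the 64-entry guard region standing in for adjacent kernel memory, and all helper names are assumptions made for this demo, not win32k's real structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* An 8-bpp DIB palette holds at most 256 entries; win32k kept a fixed table
   of that length. */
#define MAX_DIB_COLOURS 256u
/* Entries placed directly after the table to stand in for whatever kernel
   memory follows the real palette object (an assumption for this demo). */
#define GUARD_ENTRIES   64u
#define GUARD_BYTE      0xAA

/* Same layout as the Win32 RGBQUAD. */
typedef struct { uint8_t rgbBlue, rgbGreen, rgbRed, rgbReserved; } RGBQUAD;

/* Stand-in for BITMAPINFOHEADER: only the fields consulted here. */
typedef struct {
    uint32_t biSize;
    uint16_t biBitCount;
    uint32_t biClrUsed;   /* attacker-controlled: number of colour table entries */
} DibHeader;

/* Simulated palette object. One flat array keeps the overflowing memcpy in
   the vulnerable path inside a single allocation, so the demo itself stays
   well-defined while still showing adjacent data being clobbered. */
typedef struct { RGBQUAD mem[MAX_DIB_COLOURS + GUARD_ENTRIES]; } PaletteObject;

static void palette_init(PaletteObject *obj) {
    memset(obj->mem, 0, MAX_DIB_COLOURS * sizeof(RGBQUAD));
    memset(obj->mem + MAX_DIB_COLOURS, GUARD_BYTE, GUARD_ENTRIES * sizeof(RGBQUAD));
}

/* Returns 1 if nothing past the 256-entry table was written. */
static int guard_intact(const PaletteObject *obj) {
    const uint8_t *g = (const uint8_t *)(obj->mem + MAX_DIB_COLOURS);
    for (size_t i = 0; i < GUARD_ENTRIES * sizeof(RGBQUAD); i++)
        if (g[i] != GUARD_BYTE) return 0;
    return 1;
}

/* Vulnerable pattern: biClrUsed is used as the copy length without being
   checked against the fixed 256-entry destination. */
static void copy_palette_vulnerable(PaletteObject *obj, const DibHeader *hdr,
                                    const RGBQUAD *colours) {
    size_t n = hdr->biClrUsed;
    /* demo-only cap so the write cannot leave this process's own buffer */
    if (n > MAX_DIB_COLOURS + GUARD_ENTRIES) n = MAX_DIB_COLOURS + GUARD_ENTRIES;
    memcpy(obj->mem, colours, n * sizeof(RGBQUAD));
}

/* Hardened form: bound the count by the table size and, for indexed depths,
   by 2^bpp, and reject oversized headers rather than truncating silently.
   Returns 0 on success, -1 if the header is rejected. */
static int copy_palette_checked(PaletteObject *obj, const DibHeader *hdr,
                                const RGBQUAD *colours) {
    uint32_t max_entries = MAX_DIB_COLOURS;
    if (hdr->biBitCount >= 1 && hdr->biBitCount < 8)
        max_entries = 1u << hdr->biBitCount;   /* 1/4-bpp: at most 2^bpp entries */
    if (hdr->biClrUsed > max_entries) return -1;
    memcpy(obj->mem, colours, (size_t)hdr->biClrUsed * sizeof(RGBQUAD));
    return 0;
}

/* Constructed attacker input: biClrUsed = 300 with a 300-entry colour table,
   i.e. the ">256 colours" case in the advisory. Returns 1 if the guard was
   clobbered by the vulnerable copy. */
static int demo_vulnerable_clobbers_guard(void) {
    static RGBQUAD colours[300];
    memset(colours, 0x41, sizeof colours);
    DibHeader hdr = { 40, 8, 300 };
    PaletteObject obj;
    palette_init(&obj);
    copy_palette_vulnerable(&obj, &hdr, colours);
    return !guard_intact(&obj);
}

/* Same input against the checked copy: returns 1 if it was rejected and the
   guard is untouched. */
static int demo_checked_rejects(void) {
    static RGBQUAD colours[300];
    memset(colours, 0x41, sizeof colours);
    DibHeader hdr = { 40, 8, 300 };
    PaletteObject obj;
    palette_init(&obj);
    return copy_palette_checked(&obj, &hdr, colours) == -1 && guard_intact(&obj);
}

/* A legitimate 16-colour header must still be accepted and copied. */
static int demo_checked_accepts_legit(void) {
    static RGBQUAD colours[16];
    memset(colours, 0x41, sizeof colours);
    DibHeader hdr = { 40, 8, 16 };
    PaletteObject obj;
    palette_init(&obj);
    return copy_palette_checked(&obj, &hdr, colours) == 0
        && obj.mem[15].rgbBlue == 0x41 && guard_intact(&obj);
}

int main(void) {
    printf("vulnerable copy clobbered adjacent memory: %s\n",
           demo_vulnerable_clobbers_guard() ? "yes" : "no");
    printf("checked copy rejected biClrUsed=300: %s\n",
           demo_checked_rejects() ? "yes" : "no");
    printf("checked copy accepted biClrUsed=16: %s\n",
           demo_checked_accepts_legit() ? "yes" : "no");
    return 0;
}
```

The point of the guard region is that in the real bug the bytes past the table are kernel memory, so the clobbering that is harmless here becomes a crash or, with a carefully chosen colour table, control of kernel data. The check belongs where the header is parsed, before any allocation is sized from biClrUsed.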

A security researcher has compiled the names and profile URLs of over 100 million Facebook accounts and made the list available as a BitTorrent download.

Self-styled certified penetration tester Ron Bowes said he used some quickly written code to collect the names of over 100 million users who had made their accounts accessible to Google and other search engines. The list also includes the unique web address of each account, which means that even if a user later sets their account to private, the page can still be reached.

In a blog post, Bowes wrote: “Once I have the name and URL of a user, I can view, by default, their picture, friends, information about them, and some other details. If the user has set their privacy higher, at the very least I can view their name and picture. So, if any searchable user has friends that are non-searchable, those friends just opted into being searched, like it or not! Oops :)”

Facebook strictly forbids the scraping of its content, so Bowes' unauthorised move may well incur some action. Bowes' websites at skullsecurity.org and skullsecurity.net also went down shortly after the revelation. They are now back up and worth a visit to read his Facebook blog post. Over 10,000 people have tried to download the file.

Facebook has reminded users that they can make their accounts inaccessible to search engines, but as Bowes pointed out, that makes no difference for those who make the change after the fact.

It is not a total surprise that information users have made available on the internet has ended up available elsewhere. Once it is on the internet, it is on the internet. This is something many netizens fail to recognise: once something is posted on any website it becomes a permanent part of the internet record, and even information marked 'private' often isn't. A wealth of web applications means a wealth of vulnerabilities.

Cyber criminals have developed scareware posing as a Firefox update.

This tactic marks a change from the usual approach for this kind of scam. Typically, surfers are lured to malicious sites via search engine manipulation; fake scans then run on their systems, reporting them as riddled with viruses. Marks are then conned into buying AV software that is worse than useless and are often left with annoying alerts popping up constantly.

The scam mimics Firefox's 'just updated' page, which is displayed after an update completes. The fake page tells users they need a Flash update; when users go to download it they receive a malicious payload instead. The attack launches as soon as a user visits the fake site, which is not associated with Firefox.

F-Secure has a full write-up of the attack on its site.

On a related note, McAfee has warned of a fake trial version of its VirusScan software, which is actually a Trojan in disguise. New variants of the Bredolab Trojan were attached to spam emails.

An unpatched shortcut-handling flaw in Windows has begun to be exploited by the infamous Zeus bot. The flaw was first used by the sophisticated Stuxnet worm to target SCADA-based industrial control and power plant systems.

Attacks began appearing last week, and now the criminals behind the Zeus toolkit have joined in. The toolkit is frequently used to steal bank login details from compromised systems.

The appearance of Zeus strains taking advantage of the flaw was first reported by F-Secure. E-mails posing as security messages from Microsoft carry the Zeus bot: they contain Zip attachments that drop the malicious payload onto systems once unzipped.

Other viruses have also joined in, including the polymorphic Sality virus. Trend Micro has picked up variant strains of Zeus and Sality, while McAfee reports that the Downloader-CJX Trojan has begun to exploit the bug too. It seems inevitable that even more malware will start targeting the Windows hole.

The good news is that all attackers are currently using the same exploit method, which makes it easier to block. Microsoft has provided a temporary workaround until a full patch is released, and Sophos has released a Shortcut Exploit Protection Tool, which sysadmins can obtain free of charge regardless of which AV they are using.

You can read more about the exploit in a previous blog post here.

A Safari vulnerability revealed today can be exploited to steal users' address book contact details through the AutoFill feature.

Apple was apparently notified about the vulnerability a month ago by blogger Jeremiah Grossman. Details that can be stolen from a user's contacts include names, place of work, address and e-mail address.

The malicious code is JavaScript that scans the AutoFill information and harvests whatever it can, without alerting the user. Grossman posted proof-of-concept code to a site that scans a visitor's details and displays back to them what it has captured.

It's possible the code could be hidden in websites via advertisements or other means, stealing a user's information without them knowing it. The code, however, can't scan numbers, so your phone number is safe.

The vulnerability can only be exploited on Safari 4.x and 5.0 and takes its information from the Address Book on a Mac, which users fill out when they boot up for the first time. The code therefore struggles to capture information from Safari running on a Windows machine, but still grabs some.

The vulnerability is easily blocked: just turn off AutoFill. Users should do so until Apple provides a fix.

38 US states have formed a coalition to probe Google over how the software that captured payload data from Wi-Fi networks came to be included in its Street View cars.

Connecticut attorney general Richard Blumenthal said in a statement issued Wednesday:

“We are asking Google to identify specific individuals responsible for the snooping code and how Google was unaware that this code allowed the Street View cars to collect data broadcast over WiFi networks. Information we are awaiting includes how the spy software was included in Google’s Street View network and specific locations where unauthorized data collection occurred.”

According to Blumenthal, 38 states and the District of Columbia have joined the probe. Connecticut, Florida, Illinois, Kentucky, Massachusetts, Missouri and Texas sit on the coalition’s executive committee. The aim of the investigation is to determine whether any laws have been broken and whether legislation is needed to prevent similar events from occurring again.

The data was captured over a period of three years, during which Google asserted that only network SSIDs and device MAC addresses were being collected. In May this year Google admitted that the Street View cars had collected payloads from unencrypted Wi-Fi networks within range, but said the software responsible was included by accident. The company reasserted this claim on Wednesday.

A spokeswoman for Google wrote in an e-mail: “As we’ve said before, it was a mistake for us to include code in our software that collected payload data, but we believe we did nothing illegal. We’re continuing to work with the relevant authorities to answer their questions and concerns.”

Blumenthal added, in his statement: “Google’s responses continue to generate more questions than they answer.”

There have been at least seven civil lawsuits filed against Google over the Wi-Fi grab. Canadian, Australian and European agencies have also opened investigations, and American lawmakers have called on the FTC to start its own enquiry. Blumenthal has said he is still recruiting other states to join the coalition.

Hackers have created a new version of the Zeus crimeware toolkit, designed to steal account details for UK, US, Spanish and German banks.

CA has named the malware Zeus v3; it is more selective about the banks it targets. Previously Zeus targeted financial institutions around the world, but this latest variant has two strains: one targets banks in Spain and Germany, the other banks in the UK and US.

This new version also makes it far harder for security researchers to find out what it is doing: the Zeus zombie drones operate in a more covert manner.

Zarestel Ferrer, senior research engineer with CA’s Internet Security Business Unit, says: "In earlier versions, Zeus handles this configuration file in a way that security researchers can easily manage to reverse engineer and capture the actual full configuration content. This is no longer the case for the latest Zeus bot version 3, which is already in the wild. It employs layers of protection by applying the principle of least privilege. It means that the bot must only access remote command, information and resources that are necessary to a specific function and purpose."

The command-and-control servers for the bot seem to be mostly located in Russia. In previous versions UK, US, Spanish and German banks were targeted the most; with v3 the cyber crooks have concentrated that focus, releasing localised versions to key geographical markets, it would seem to meet customer demand.

Secunia has reported that the number of security bugs recorded in the first half of 2010 is close to the total for the whole of 2009.

Surprisingly (or not), Apple ranks first, ahead of Oracle and Microsoft, for the total number of security bugs found across all their products. In the first half of this year Secunia logged 380 vulnerabilities in the top 50 most prevalent packages on typical end-user PCs, which equates to 89% of the total for 2009.

Secunia also believes security threats are shifting from OS-based bugs to bugs in third-party apps. It estimates that a typical PC with 50 applications is exposed to 3.5 times more security bugs in the third-party programs installed than in the native applications, and expects that ratio to rise to 4.4 in 2010.

Patching against these vulnerabilities is also complicated by the different software update mechanisms running on each PC. Between 2007 and 2009 the number of vulnerabilities affecting a typical PC pretty much doubled, from 220 to 420, and according to Secunia it is likely to increase at the same rate in 2010, reaching 760.

The past week has seen the number of attacks on vulnerable XP machines rocket. Microsoft has warned customers to deploy countermeasures until a patch is released.

On Wednesday Microsoft’s security team said it had detected over 10,000 machines that have experienced the attack. The vulnerability was disclosed on 10 June by Tavis Ormandy. A bug in the Windows Help and Support Center can be exploited to install malware remotely onto machines running XP or Server 2003 by tricking users into visiting booby-trapped sites.

After the disclosure, attacks were targeted and few, but the past week and a half has seen a significant increase. Holly Stewart of the Microsoft Malware Protection Center revealed that the geographies suffering most from the attack are the US, Russia, Portugal, Germany and Brazil, and strongly advised implementing one of the countermeasures if not already done.

The attacks are carried out by “seemingly-automated, randomly-generated html and php pages,” according to Stewart. When the attacks first started, a backdoor called Obitel was mostly installed, but over time Trojans such as Win32/Swrort.A, Win32/Tedroo.AB, Win32/Oficla.M and Win32/Neetro.A have started to use the flaw.

Microsoft is currently working on a patch to plug the hole. In the meantime, alongside the workarounds, Security Essentials, Forefront Client Security and other Microsoft AV products offer some protection.

The spike in attacks shows the negative side of full disclosure: had the disclosure not been so broadly communicated, the number of attacks would probably have remained minimal.

Google has the power to remotely remove and install applications on users' Android phones.

Google announced its "Remote Application Removal Feature" last week, and that it had already been tried and tested, removing two apps from users' phones over the air. Security researcher Jon Oberheide, who created the two killed apps, pointed out that if Google can remove, it can also install.

When Google announced that it had successfully used the kill switch, it didn't make any mention of Oberheide or his applications. It simply said that it had removed "two free applications built by a security researcher for research purposes" and that "these applications intentionally misrepresented their purpose in order to encourage user downloads, but they were not designed to be used maliciously, and did not have permission to access private data, or system resources beyond permission.INTERNET."

Android security lead Rich Cannings made the announcement in a blog post, saying: "After the researcher voluntarily removed these applications from Android Market, we decided, per the Android Market Terms of Service, to exercise our remote application removal feature on the remaining installed copies to complete the cleanup."

Oberheide, of the Ann Arbor, Michigan-based security startup Scio Security, wrote in his own blog that Google had removed a couple of applications he used to show how easy it is to bootstrap a rootkit onto devices through the Android Market. Oberheide's application, called RootStrap, periodically phones home to retrieve native code that executes outside of Dalvik, the Android Java virtual machine. He got the tool into the Market by disguising it as "Twilight Eclipse Preview", claiming to be a sneak peek at the upcoming film.

Oberheide wrote in his blog that: "An attacker could use such an approach to gain a large install base for a seemingly innocent application and then push down a local privilege escalation exploit as soon as a new vulnerability is discovered in the Linux kernel and root the device. Since carriers are fairly conservative in pushing out OTA [over the air] patches for their devices, an attacker could easily push out their malicious payload before the devices were patched."

At the SummerCon security conference, Oberheide spoke about his proof-of-concept bootstrap, and write-ups of the talk alerted Google. Google claims that Oberheide voluntarily removed his applications from the Android Market, but Oberheide says Google told him it would remove them if he didn't. He was warned of the possible removal, but was only notified that it had taken place after it had been done.