"Security researchers have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date," writes The Register.
Worm.Win32.AutoRun.nox, as F-Secure calls it, extends the standard virus writer trick of using software vulnerabilities to infect systems, by including functionality that allows the worm to exploit Windows security bugs to hook into parts of the Windows system that operate below the radar of anti-virus packages.
"Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode. Typically, a special driver is used to do this, " writes F-Secure. "AutoRun.nox is different — it uses "GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)" to do the job. For malware, its rather unique to see such a technique being used." Microsoft patched the vulnerability in April 2007 update (MS07-017).
More detailed description of AutoRun.GM can be read from F-Secure Blog.
Tuesday, September 30, 2008
Saturday, September 27, 2008
Firefox 3.0.3 released
Firefox 3.0.3 contains the following change:
* Fixed a problem where users were unable to retrieve saved passwords or save new passwords (bug 454708)
Friday, September 26, 2008
Thunderbird 2.0.0.17 Released
Mozilla has released updated version of Thunderbird email client. New version contains patches for two critical and five moderate vulnerabilities.
Critical:
MFSA 2008-46 Heap overflow when canceling newsgroup message
MFSA 2008-37 UTF-8 URL stack buffer overflow
Moderate:
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
Thunderbird 2.0.0.17 Release Notes
Critical:
MFSA 2008-46 Heap overflow when canceling newsgroup message
MFSA 2008-37 UTF-8 URL stack buffer overflow
Moderate:
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
Thunderbird 2.0.0.17 Release Notes
Wednesday, September 24, 2008
Mozilla Releases Updates
Mozilla has released a new version of Firefox web browser. Version 3.0.2 fixes bunch of issues including following five vulnerabilities:
-MFSA 2008-44 resource: traversal vulnerabilities
-MFSA 2008-43 BOM characters stripped from JavaScript before execution
-MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
-MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
-MFSA 2008-40 Forced mouse drag
Of these -42 and -41 are categorized as critical, -44 and -43 are moderate and -40 low.
Version 2.0.0.17 fixes above mentioned and couple of other security issues for Firefox 2 series users.
Mozilla released also updated version of SeaMonkey (1.1.12). Part of listed five security issues affects Thunderbird too. 2.0.0.17 version should fix these but it's not yet available for downloading at the moment of writing this.
More information on the updates:
Firefox 3.0.2 Release Notes
Firefox 2.0.0.17 Release Notes
SeaMonkey 1.1.12 Release Notes
-MFSA 2008-44 resource: traversal vulnerabilities
-MFSA 2008-43 BOM characters stripped from JavaScript before execution
-MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
-MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
-MFSA 2008-40 Forced mouse drag
Of these -42 and -41 are categorized as critical, -44 and -43 are moderate and -40 low.
Version 2.0.0.17 fixes above mentioned and couple of other security issues for Firefox 2 series users.
Mozilla released also updated version of SeaMonkey (1.1.12). Part of listed five security issues affects Thunderbird too. 2.0.0.17 version should fix these but it's not yet available for downloading at the moment of writing this.
More information on the updates:
Firefox 3.0.2 Release Notes
Firefox 2.0.0.17 Release Notes
SeaMonkey 1.1.12 Release Notes
Monday, September 22, 2008
McAfee Makes A $465 Million Offer Of Secure Computing
Security company McAfee announced on Monday (22-09-08) that it has placed a deal to acquire security company Secure Computing. Deal is worth around US$465 million.
With Secure Computing, McAfee expects to be able to deliver the complete content and data lifecycle management at the network, spanning detection, filtering, encryption, blocking, archiving, reporting and compliance. Also, McAfee hopes to expand its security as a service offering and to sell more products and services to Secure Computing's 22,000 customers worldwide.
The deal is expected to close toward the end of the fourth quarter, McAfee said.
McAfee's press release
With Secure Computing, McAfee expects to be able to deliver the complete content and data lifecycle management at the network, spanning detection, filtering, encryption, blocking, archiving, reporting and compliance. Also, McAfee hopes to expand its security as a service offering and to sell more products and services to Secure Computing's 22,000 customers worldwide.
The deal is expected to close toward the end of the fourth quarter, McAfee said.
McAfee's press release
Saturday, September 20, 2008
VMware Fixes Vulnerabilities
VMware has fixed critical security vulnerabilities in two of its virtualization products, ESXi and ESX 3.5. The patches fix two buffer overflow bugs that reside in a component known as openwsman. It provides web services management functionality and is enabled by default. The vulnerabilities could be exploited by people without login credentials to the system. However, to exploit the vulnerabilities the attacker has to have access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network.
More information can be read from the correspondent VMware security advisory.
More information can be read from the correspondent VMware security advisory.
Tuesday, September 16, 2008
Hackers Attempt To Spread Malware On BusinessWeek Website
Hackers have broken into BusinessWeek's online site and set up an attack scenario in which visitors to a section of the site could have their own computers compromised and their data stolen, tells Graham Cluley from security company Sophos in his Blog.
The hackers used an increasingly common form of attack called SQL injection, in which a small malicious script is inserted into a database that feeds information to the BusinessWeek website. Injected code was pointing to a website behind a Russian domain, which could download malware onto the computers of BusinessWeek.com readers.
At the moment the Russian website is offline. Cluley points out that it’s status could potentially change at any time though.
The amount of SQL injections has increased a lot this year. "As we reported in our recent Security Threat Report, over 16,000 new infected webpages are discovered every single day. That’s one every five seconds - three times faster than the rate we saw during 2007", says Cluley.
Video containing more information on the matter can be seen on Graham Cluley's Blog.
The hackers used an increasingly common form of attack called SQL injection, in which a small malicious script is inserted into a database that feeds information to the BusinessWeek website. Injected code was pointing to a website behind a Russian domain, which could download malware onto the computers of BusinessWeek.com readers.
At the moment the Russian website is offline. Cluley points out that it’s status could potentially change at any time though.
The amount of SQL injections has increased a lot this year. "As we reported in our recent Security Threat Report, over 16,000 new infected webpages are discovered every single day. That’s one every five seconds - three times faster than the rate we saw during 2007", says Cluley.
Video containing more information on the matter can be seen on Graham Cluley's Blog.
Saturday, September 13, 2008
Fake YouTube Page Generator On Loose
Panda Security writes in its Blog about new virus constructor type malware.
Tool called as Constructor/YFakeCreator allows to create fake YouTube web pages with the objective to deceive users and distribute malware through them. Distributed malware can be of any type like for example worm, Trojan, virus or adware.
YTFakeCreator makes it easy for even unskilled people to set up an attack. It has a configuration menu that lets the would-be attacker select a warning message to be displayed on the fake video page and properties of the video, among other options.
"They've really commercialized malware. There's been an upsurge of sophisticated custom-built Trojans that come with service level agreements and tech support sold in underground forums," Ryan Sherstobitoff, a chief corporate evangelist of Panda Security, said according to CNET News.
More details about YTFakeCreator can be read in Panda's Encyclopedia.
Tool called as Constructor/YFakeCreator allows to create fake YouTube web pages with the objective to deceive users and distribute malware through them. Distributed malware can be of any type like for example worm, Trojan, virus or adware.
YTFakeCreator makes it easy for even unskilled people to set up an attack. It has a configuration menu that lets the would-be attacker select a warning message to be displayed on the fake video page and properties of the video, among other options.
"They've really commercialized malware. There's been an upsurge of sophisticated custom-built Trojans that come with service level agreements and tech support sold in underground forums," Ryan Sherstobitoff, a chief corporate evangelist of Panda Security, said according to CNET News.
More details about YTFakeCreator can be read in Panda's Encyclopedia.
Version 1.28 of Malwarebytes' Anti-Malware Released
Small update contains two changes:
New version can be downloaded here
1. (FIXED) Problem with heuristics on Windows 2000.
2. (ADDED) Better malware regeneration prevention on reboot.
New version can be downloaded here
Wednesday, September 10, 2008
WordPress Version 2.6.2 Released
There's been released a new version of WordPress which contains handful of bug fixes and updates for two found vulnerabilities. These vulnerabilities together may provide a way to hijack username.
Due to wide spread of WordPress software it's very likely that vulnerability will be actively exploited. Blogs that allow open user registration should update WordPress as soon as possible.
More information can be read here.
Due to wide spread of WordPress software it's very likely that vulnerability will be actively exploited. Blogs that allow open user registration should update WordPress as soon as possible.
More information can be read here.
Apple Patches Its Products
Apple has released four bulletins of 18 vulnerabilities in its products. Vulnerabilities affect iPod Touch device, iTunes and QuickTime mediaplayers and their components.
Summary of vulnerable versions:
- Apple iPod Touch prior version v2.1
- Apple iTunes prior version 8.0
- Apple QuickTime prior version 7.5.5
- Bonjour for Windows 1.0.5
Vulnerable versions should be updated by following Apple's instructions (see the links above in this post). iPod Touch -update is available through iTunes -software. Bonjour for Windows 1.0.5 is included in iTunes 8.0 -installation.
Summary of vulnerable versions:
- Apple iPod Touch prior version v2.1
- Apple iTunes prior version 8.0
- Apple QuickTime prior version 7.5.5
- Bonjour for Windows 1.0.5
Vulnerable versions should be updated by following Apple's instructions (see the links above in this post). iPod Touch -update is available through iTunes -software. Bonjour for Windows 1.0.5 is included in iTunes 8.0 -installation.
GDI+ interface update pack (MS08-052) problematic
Yesterday patched GDI+ interface sets specific challenges for system administrators. Interface is spread together with many Windows components and other Microsoft software, and also together with many 3rd party software installations. With 3rd party software spread interfaces are installed into either System32 directory of Windows or into product's own directory. Both cases bring problems.
If interface is installed into product's own directory must also these versions of interface be updated to protect system from vulnerabilities. If 3rd party software installs interface into System32 directory of Windows later into system installed software product may install vulnerable version of interface over Microsoft's version. If that happens the update must be re-installed.
System administrators should be careful when installing MS08-052 update. Installing Microsoft's update isn't enough to secure the system but all existing gdiplus.dll libraries in the system must be updated to the fixed version.
If interface is installed into product's own directory must also these versions of interface be updated to protect system from vulnerabilities. If 3rd party software installs interface into System32 directory of Windows later into system installed software product may install vulnerable version of interface over Microsoft's version. If that happens the update must be re-installed.
System administrators should be careful when installing MS08-052 update. Installing Microsoft's update isn't enough to secure the system but all existing gdiplus.dll libraries in the system must be updated to the fixed version.
Monday, September 8, 2008
Google Fixes Chrome Vulnerabilities - Details Not Revealed Yet
Google has begun releasing update to its Chrome web browser to fix some security problems, reports CNET.
The new version, 0.2.149.29, replaces the 0.2.149.27 that was released when Google launched the Chrome beta version last week. Update releasing was started on Friday.
"149.29 is a security update and we released it as fast as we could," said Mark Larson, Google Chrome program manager, in a mailing list posting on Sunday. "We would've liked more time to prepare things, but some of the vulnerabilities were made public without giving us a chance to respond, update, and protect our users first. Thanks for being patient as we work out the kinks in all of our processes."
Google doesn't tell yet what security issues the update fixes. The reason for this is that the company wants to wait until all Chrome users have got the update. To check if an update is available, Chrome users can click the wrench icon in Chrome's upper-right corner, then select "about Google Chrome." That will show both the version number and a message indicating whether an update is available.
Though Google didn't tell what vulnerabilities the 149.29 update fixes it revealed that the update contains a fix to JavaScript. That among others fixes a problem that would crash the entire browser if a person typed "about:%" into the address bar.
The new version, 0.2.149.29, replaces the 0.2.149.27 that was released when Google launched the Chrome beta version last week. Update releasing was started on Friday.
"149.29 is a security update and we released it as fast as we could," said Mark Larson, Google Chrome program manager, in a mailing list posting on Sunday. "We would've liked more time to prepare things, but some of the vulnerabilities were made public without giving us a chance to respond, update, and protect our users first. Thanks for being patient as we work out the kinks in all of our processes."
Google doesn't tell yet what security issues the update fixes. The reason for this is that the company wants to wait until all Chrome users have got the update. To check if an update is available, Chrome users can click the wrench icon in Chrome's upper-right corner, then select "about Google Chrome." That will show both the version number and a message indicating whether an update is available.
Though Google didn't tell what vulnerabilities the 149.29 update fixes it revealed that the update contains a fix to JavaScript. That among others fixes a problem that would crash the entire browser if a person typed "about:%" into the address bar.
Saturday, September 6, 2008
Microsoft Security Update For September 2008
Microsoft will release security update for September 2008 on Tuesday 9th of September 2008. This month's update packet consists of four updates which all are categorized as critical. Affected software are Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server and Visual Studio.
New version of Microsoft Windows Malicious Software Removal Tool will be released too.
Details about the update can be read here.
The easist way to get the updates is to use Microsoft automatic update service.
New version of Microsoft Windows Malicious Software Removal Tool will be released too.
Details about the update can be read here.
The easist way to get the updates is to use Microsoft automatic update service.
Wednesday, September 3, 2008
Google Chrome Beta Released - Security Flaws Found Already
Google released yesterday beta version of its own web browser, Google Chrome. The more popular Chrome becomes the more it will attract malware authors. Keeping that in mind Google has implemented some security features like sandboxing of each tab, built-in web reputation service and special privacy mode into Chrome.
Despite of that, there's already been found some vulnerabilities of Chrome. The first one was discovered just some hours after the browser release by researcher Aviv Raff. Rishi Narang for one discovered URL Handler Crash vulnerability in Chrome (version 0.2.149.27). Person using nickname "nerex" has released an example script that shows how Chrome can be made to allow files (e.g., executables) to be automatically downloaded to the user's computer without any user prompt.
Despite of that, there's already been found some vulnerabilities of Chrome. The first one was discovered just some hours after the browser release by researcher Aviv Raff. Rishi Narang for one discovered URL Handler Crash vulnerability in Chrome (version 0.2.149.27). Person using nickname "nerex" has released an example script that shows how Chrome can be made to allow files (e.g., executables) to be automatically downloaded to the user's computer without any user prompt.
Monday, September 1, 2008
Watch Out For Possible Gustav Related Scams
SophosLabs warns in its blog of possible scams related to the threat of Hurricane Gustav. Some years ago attackers exploited Hurricane Katrina in order to infect victims with malware.
Over the weekend, posts to the Internet Storm Center diary highlight the number of Gustav-related domains that are being registered (set 1, set 2, set 3, set 4). Though the domains may not be up to bad it's good to be aware of the potential scam sites appearing online in the next few days.
Over the weekend, posts to the Internet Storm Center diary highlight the number of Gustav-related domains that are being registered (set 1, set 2, set 3, set 4). Though the domains may not be up to bad it's good to be aware of the potential scam sites appearing online in the next few days.
Subscribe to:
Posts (Atom)