Friday, October 31, 2008

Opera Patches Two Vulnerabilities

Opera has released a patched version of its Opera web browser. This time, the update fixes two vulnerabilities.

The first vulnerability is related to the History Search functionality.
"When certain parameters are passed to Opera's History Search, they can cause content not to be correctly sanitized. This can allow scripts to be injected into the History Search results page. Such scripts can then run with elevated privileges and interact with Opera's configuration, allowing them to execute arbitrary code."


There have already been public demonstrations of this vulnerability.

The second vulnerability is related to the links panel in Opera.
"The links panel shows links in all frames on the current page, including links with JavaScript URLs. When a page is held in a frame, the script is incorrectly executed on the outermost page, not the page where the URL was located. This can be used to execute scripts in the context of an unrelated frame, which allows cross-site scripting."


The above-mentioned vulnerabilities affect Opera versions prior to 9.62. Opera instructs users of those versions to update to the latest version found here.

More information on the vulnerabilities:
Advisory: History Search can be used to execute arbitrary code
Advisory: The links panel can allow cross-site scripting

Wednesday, October 29, 2008

Vulnerabilities In OpenOffice 2.x Software

Two vulnerabilities have been found in OpenOffice software. The vulnerabilities are related to WMF and EMF file processing. Due to the lack of proper checks, it is possible to cause a buffer overflow on the target system. The vulnerabilities can be exploited by enticing a user to open a specially crafted StarOffice/StarSuite document. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Affected are all OpenOffice 2.x versions prior to 2.4.2. OpenOffice users are instructed to update to version 2.4.2 or 3.0.0, which are not affected by the vulnerabilities.

More information on the vulnerabilities:
CVE-2008-2237
CVE-2008-2238

Tuesday, October 28, 2008

Multiple Vendor Web Browser FTP Client Cross Site Scripting Vulnerability

Multiple vendors' web browsers are prone to a cross-site scripting vulnerability that arises because the software fails to handle specially crafted files served using the FTP protocol.

Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.

Vulnerable are Mozilla Firefox versions 3.0.1 - 3.0.3 and Google Chrome 0.2.149.30.

Currently, there are no patches available (Firefox version 3.0.4 is in the works).
Source

Friday, October 24, 2008

Critical Vulnerability In Windows Operating Systems

Microsoft has released a new security update for Microsoft Windows operating systems outside of its regular update cycle. The fixed vulnerability is related to RPC message handling in the server component. The vulnerability affects systems that have file sharing enabled. File sharing is not enabled by default in Windows XP SP2 and newer Windows versions.

The vulnerability can be exploited directly over the network, and it allows an attacker to execute arbitrary code on the target system with full privileges.

Microsoft rates the vulnerability critical on all supported Windows operating systems except Windows Vista and Server 2008. On those two the vulnerability has been rated important. A public exploitation method for the vulnerability already exists.

The vulnerability will very likely be exploited in attacks and malicious programs. It is possible that this vulnerability could be used in the crafting of a wormable exploit.

The security update can be downloaded with the Windows update tool. The easiest way to install the update is the Windows Update service.

The vulnerability can also be mitigated by disabling the Server service or by filtering network traffic to ports 139 and 445 using either a third-party or the built-in firewall. On Vista and Server 2008 it is also possible to filter the affected RPC identifier.

More details can be found in Microsoft Security Bulletin MS08-067.

Wednesday, October 22, 2008

Opera Patches Vulnerabilities

Opera Software has released an updated version of its Opera web browser. The new version fixes three vulnerabilities.

The first vulnerability allows an attacker to inject JavaScript code into the browsing history search page, making it possible to look through the user's browsing history, including the contents of the pages the user has visited.

The second vulnerability makes it possible to execute scripts in the context of an unrelated frame, which allows cross-site scripting.

The third vulnerability is related to incomplete blocking of JavaScript code while previewing a news feed. These scripts are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information.

Opera users with versions below 9.61 are instructed to update their browsers to the latest version.

Monday, October 20, 2008

Software Update Monitor (Sumo)

As the Internet has become more widespread, security holes in programs and operating systems have become a major security threat. Program vulnerabilities are exploited constantly, and often a worm or Trojan horse uses one of these holes to get into a system.

Program authors nowadays publish updates for discovered problems quite well. Unfortunately, not all programs use automatic updates yet, in which case updating is left to the user. Hunting for fresh versions is not an easy task, so it is no wonder that systems quite often contain outdated programs which may also contain serious security holes.

Software Update Monitor (Sumo) is a wonderful tool for keeping track of installed software versions. The program can monitor installed programs and check whether any new updates for them exist. Sumo can also tell whether an available update fixes security holes and whether updating is important.


List of features in a nutshell (list taken from program homepage):
* Automatic detection of installed software
* Detects required updates / patches for your software
* Filter / authorize Beta versions (user setting)
* Ignore list : only tracks software YOU want to track
* More compatibility and fewer false positives than other Update Monitors (according to users' feedback ;-)
* Internationalization support.

Saturday, October 18, 2008

Emerging Cyber Threats Report for 2009

On October 15, 2008, the Georgia Tech Information Security Center (GTISC) hosted its annual summit on emerging security threats and countermeasures affecting the digital world. At the conclusion of the event, GTISC released Emerging Cyber Threats Report—outlining the top five information security threats and challenges facing both consumer and business users in 2009.

The interesting report can be obtained here.

Thursday, October 16, 2008

Vulnerabilities In Adobe Flash Player

Adobe has reported several vulnerabilities in its Adobe Flash Player software. The vulnerabilities affect Flash Player for the Windows, Mac OS X and Linux operating systems.

Vulnerable are Adobe Flash Player 9.0.124.0 and previous versions. There isn't an update for version 9 available yet. Adobe has announced that it will release a fix for version 9 at the beginning of November. However, if possible, Adobe recommends updating directly to version 10.0.12.36. It can be downloaded here.

More information about the reported vulnerabilities can be found in the corresponding Adobe Security Advisory.

Wednesday, October 15, 2008

Oracle Update Packet Released

Oracle has released updates that contain fixes for 36 different vulnerabilities. The fixes are part of the company's quarterly CPU (critical patch update).

The exact list of the vulnerabilities and instructions on how to apply the fixes can be found in Oracle's Critical Patch Update Advisory.

Oracle plans to release the next critical patch update in January 2009.

Tuesday, October 14, 2008

Security Update For October 2008 From Microsoft

Today, 14.10.2008, Microsoft will release its monthly security update package. This month's package contains 11 updates. Four of the updates are critical, six important and one moderate. Critical vulnerabilities have been found in Windows, Internet Explorer, Microsoft Office and Host Integration Server.

A new version of the Microsoft Windows Malicious Software Removal Tool will be released too.

More information about the updates can be read here.

The easiest way to get the updates is to use Microsoft's automatic update service.

Monday, October 13, 2008

Russian Company Uses NVidia Graphics Cards To Break WiFi Encryption

According to Russian security company Global Secure Systems, the WPA and WPA2 encryption systems of WiFi networks can be broken up to 100 times faster than before using the processors of NVidia graphics cards.

David Hobson, managing director of GSS, told SC Magazine that companies can no longer view standards-based WiFi transmission as sufficiently secure against eavesdropping to be used with impunity, and that a VPN encryption system should be used as well to secure data.

Saturday, October 11, 2008

Fast-Flux Botnet Observations

New research sheds more light on how botnets work. The domain names and victim systems used by an attacking network change all the time. A single victim or domain won't last very long.

Two professionals from Arbor Networks and the University of Mannheim have researched botnets, in particular how the criminals hide themselves behind captured systems and multiple domains. The interesting report can be found here.

Thursday, October 9, 2008

Opera Patches Vulnerabilities

Opera has released a new version of its Opera web browser. Among other changes, version 9.60 also contains patches for two vulnerabilities.

The first vulnerability makes it possible to execute arbitrary code on the target system using specially crafted addresses. If a malicious page redirects Opera to a specially crafted address (URL), it can cause Opera to crash. Given sufficient address content, the crash could cause execution of code controlled by the attacking page.

The other vulnerability, related to Java applets, makes it possible to read sensitive information. Once a Java applet has been cached, if a page can predict the cache path for that applet, it can load the applet from the cache, causing it to run in the context of the local machine. This allows it to read other cache files on the computer or perform other normally more restrictive actions. These files could contain sensitive information, which could then be sent to the attacker.

Opera users are recommended to update to version 9.60.

Changelogs can be found here.

More information on the vulnerabilities:
http://www.opera.com/support/search/view/901/
http://www.opera.com/support/search/view/902/
http://www.securityfocus.com/bid/31631
http://www.securityfocus.com/bid/31643
http://www.matasano.com/log/1182/i-broke-opera/

Flash Player workaround available for "Clickjacking" issue

Adobe has released a workaround for the so-called "clickjacking" issue in Adobe Flash Player versions 9.0.124.0 and earlier.

Below is a quote from Adobe's security advisory:

Customers:

To prevent this potential issue, customers can change their Flash Player settings as follows:

1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL:
http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
2. Select the "Always deny" button.
3. Select ‘Confirm’ in the resulting dialog.
4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.

IT Administrators:

IT Administrators can change the AVHardwareDisable value in client mms.cfg files from 0 to 1 to disable client Flash Player camera and microphone interactions. For more information on the mms.cfg file and AVHardwareDisable, please refer to page 57 of the Adobe Flash Player Administration Guide: http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide/flash_player_admin_guide.pdf#page=57.

Adobe is working to address the issue in an upcoming Flash Player update, scheduled for release before the end of October. Further details will be published on the Adobe Security Bulletin page at http://www.adobe.com/support/security.

Additionally, all documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. You can sign up for the service at the following URL: http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert. Users may also monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt
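
The administrator step in the advisory above can be verified across client machines with a small audit. The following is an added example, not code from Adobe or from this blog; it assumes mms.cfg consists of `Name = value` lines with `#` starting a comment line, and the status labels and sample file contents are constructed for illustration.

```python
import re

KEY = "AVHardwareDisable"  # setting named in Adobe's workaround
# Assumed line shape: "Name = value"; lines of any other shape are ignored.
ASSIGNMENT = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def read_settings(text):
    """Return every (name, value) assignment in mms.cfg text, in file order."""
    pairs = []
    for raw in text.lstrip("\ufeff").splitlines():  # tolerate a leading BOM
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or assumed comment
            continue
        match = ASSIGNMENT.match(line)
        if match:
            pairs.append((match.group(1), match.group(2).strip()))
    return pairs


def audit_mms_cfg(text):
    """Classify the AVHardwareDisable state of one mms.cfg file."""
    pairs = read_settings(text)
    exact = [value for name, value in pairs if name == KEY]
    variants = [name for name, _ in pairs
                if name.lower() == KEY.lower() and name != KEY]
    if not exact:
        # A differently cased key may not be honoured: flag it, don't trust it.
        return "review-key-case" if variants else "missing"
    if len(set(exact)) > 1:
        return "conflict"  # duplicate entries disagree, outcome is ambiguous
    if exact[0] == "1":
        return "workaround-applied"  # camera and microphone access disabled
    if exact[0] == "0":
        return "not-applied"
    return "invalid-value"


# Constructed sample file contents, one per outcome the audit distinguishes.
SAMPLES = {
    "hardened": "# constructed sample\nAutoUpdateDisable = 1\nAVHardwareDisable = 1\n",
    "default": "AVHardwareDisable=0\n",
    "absent": "AutoUpdateDisable = 1\n",
    "commented": "# AVHardwareDisable = 1\n",
    "conflict": "AVHardwareDisable = 1\nAVHardwareDisable = 0\n",
    "case": "avhardwaredisable = 1\n",
    "garbage": "AVHardwareDisable = yes\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:10} -> {audit_mms_cfg(text)}")
```

Only `workaround-applied` means the setting matches the advisory; every other status is a machine to revisit.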

Wednesday, October 8, 2008

Vulnerabilities In VMware Software

New updates have been released for VMware products that fix several vulnerabilities:
1) Privilege escalation on 64-bit Windows and 64-bit FreeBSD guest operating systems and possibly other 64-bit operating systems (Linux guest operating systems excluded)
2) Password displayed in cleartext under certain circumstances in VirtualCenter software
3) Java JRE update in VirtualCenter software

Vulnerable versions:
- VirtualCenter 2.5 before Update 3 build 119838
- VMware Workstation 6.0.4 and earlier
- VMware Workstation 5.5.7 and earlier
- VMware Player 2.0.4 and earlier
- VMware Player 1.0.7 and earlier
- VMware ACE 2.0.4 and earlier
- VMware ACE 1.0.6 and earlier
- VMware Server 1.0.6 and earlier
- VMware ESXi 3.5 without patch ESXe350-200809401-I-SG
- ESX 3.5 without patch ESX350-200809404-SG
- ESX 3.0.3 without patch ESX303-200809401-SG
- ESX 3.0.2 without patch ESX-1006361
- ESX 3.0.1 without patch ESX-1006678


More information about the vulnerabilities and their fixes can be found in the VMware Security Advisory.

Tuesday, October 7, 2008

Symantec's Report Reveals: Increase Of Spam-Sending Zombie PCs In September

Symantec has released its monthly State of Spam report.

After a 37 percent drop in botnet-related spam for August, Symantec observed a 101 percent increase in September. The growth appears to be focused in Europe, the Middle East, and Asia, with South Korea experiencing the largest increase at 4,236 percent. It was followed by Kazakhstan (761 percent), Romania (607 percent), Saudi Arabia (555 percent), and Vietnam (540 percent).

The largest share of active zombie machines was in Turkey, 12 percent. It was followed by Brazil (9 percent), Russia (8 percent), United States (6 percent), India (6 percent) and China (6 percent).

Symantec says that it's difficult to determine an exact reason behind the one-month increase but admits that it coincides with the increase in email messages carrying links to downloadable exploits, which were characterized by their use of sensational news headlines. It also coincides with an increase in email messages carrying attached viruses in the form of zip and RAR files. Comparing the geography of the virus attacks with the zombie data shows similar increases in certain countries on both counts.

O.J. Simpson Guilty Verdict Could Lead To Malicious Spam

IT security company MX Logic warns in its blog about possible spam related to the OJ Simpson guilty verdict from last week.

"It appears that some search engines are already being poisoned with links to malicious video downloads based off of certain search criteria related to the verdict. It is typical for these types of tactics to start bleeding into email as well", writes Sam Masiello, vice president of information security at MX Logic.

Similar to the CNN and MSNBC campaigns from August, it is likely that these spam emails will use the lure of an online video to trick users into visiting malicious web sites that download alleged video codecs that are actually malware.

Sunday, October 5, 2008

Microsoft Updated CAPTCHA protections - Busted Again By Criminals

The cat-and-mouse game of security has expanded to the protections of web services. Earlier, criminals developed a program that could pass the Hotmail email service's CAPTCHA tests. Microsoft updated the protection, but criminals have now broken the new protection too. The accuracy isn't high, but it's enough for a computer.

The Internet's big free email services, like Google's Gmail and Microsoft's Hotmail, are attractive targets for criminals. These services are not put on block lists, and email can be sent through them for free. The services use so-called CAPTCHA tests to prevent mass account creation by criminals' automated programs.

Security company Websense presents details about the new attack in its blog. Microsoft's old CAPTCHA protection was based on text scrambled with lines. The revised CAPTCHA contains badly twisted text, but an automated program can now read this too.

The accuracy isn't high. According to Websense, only every 8th or 10th attempt is successful (a success rate of 10 to 15%). For a computer program this isn't an obstacle, since attempts can be made continuously.

This latest spambot targeting Microsoft's revised CAPTCHA system includes the combined features of spambots used to target Google's Blogger and Microsoft's Live Hotmail. Websense reported on these anti-CAPTCHA operations earlier this year (2008).

Friday, October 3, 2008

Unpatched Vulnerability In Adobe Flash Player Plug-in

A vulnerability has been found in the Adobe Flash Player plug-in. If a Flash 9 SWF loads two SWF files with different SWF version numbers from two distinct HTTP requests to the exact same URL (including query string arguments), then Adobe's Flash Player plug-in will try to dereference a null pointer. For browsers where plug-ins run in the same process (e.g., Internet Explorer 6 and 7, Firefox 3, and Safari 3 on Windows and OS X) the vulnerability causes the entire browser process to crash.

Vulnerable are at least the following versions on Windows, OS X and Linux:
- 9.0.45.0
- 9.0.112.0
- 9.0.124.0
- 10.0.12.10

At the time of writing, there is no patch available for the vulnerability.

More information:
SecurityFocus BugTraq note
Adobe Flash Player plug-in browser crash (bug reporter's site)

Google Trends Exploited By Hackers

Criminals have once again found a new way to trick Internet users into loading dangerous malware, security company Webroot reports in its Threat Advisory. This time the Google Trends service is used to reach the target. Google Trends is a service that lists the day's most frequently searched topics.

According to Webroot, criminals pick one of the day's top stories using Google Trends and then copy the topic to their fake blogs. Into these blogs they insert links that appear to point to topic-related videos. That way the criminals can attract users to visit the site, and it rises higher in the search engine results. When a user tries to watch the video behind the link, the site says that a codec must be installed to see the video. This codec is actually malware.

Anything new there? Well, yes and no. The codec trick itself is an old one, but exploiting Google Trends is new, and it unfortunately raises the number of users who end up on these malicious sites.

Webroot gives users five recommendations to prevent this kind of malware attack. Those are:
1. Always have a current version of antispyware, antivirus and firewall product
2. Never download free product or purchase them from unknown Web sites and vendors, or peer to peer networks
3. Download videos and other multimedia files only from known and trusted Web sites or blogs
4. Make sure the computer is up-to-date by always installing the latest Microsoft or Apple security updates and
5. Use a credit card that has sufficient fraud protection when shopping and never use a debit card online.

Thursday, October 2, 2008

Sandbox Security Clients Versus Web Threats

"Many sandbox security vendors claim that their products stop all known and unknown attacks. Even assuming the ability to curtail all known attacks could be proven, it's simply impossible to believe that any piece of software could halt all unknown attacks. Of course, that doesn't prevent the vendors from making empty promises or the malware authors from proving them wrong." writes Roger A. Grimes in his article in PCWorld.

In Grimes' testing of five sandbox security clients -- Authentium's SafeCentral, Check Point's ZoneAlarm ForceField, Prevx, Sandboxie, and SoftSphere Technologies' DefenseWall HIPS -- he exposed all the products to dozens of malicious attacks, both well known and not so well known. Two malware programs, in particular, stretched the various competitors to their breaking points: the Adobe Flash clipboard hijack exploit and the XP Antivirus malware program. None of the tested sandbox clients passed the first-mentioned, and most failed to accurately clean up after XP Antivirus. In the end, Grimes' favourite products were Prevx and Sandboxie.

Grimes' review can be read here.