High-risk flaw dings Google Chrome
Posted by TheSentinel - 11-6-09 20:37 - 1 comments
QUOTE
November 6th, 2009
High-risk flaw dings Google Chrome
Posted by Ryan Naraine @ 9:18 am
Google has pushed out a Chrome browser update to fix a pair of security vulnerabilities that expose users to malicious hacker attacks. One of the flaws carries a “high-risk” rating because of the threat of arbitrary code execution.
[ SEE: Study: Silent patching best for securing browsers ]
Vulnerability #1: The user was not warned about certain possibly dangerous file types such as SVG, MHT and XML files. In some browsers, JavaScript can execute within these types of files. Because the JavaScript runs in the local context, it may be able to access local resources. Details are being withheld until the fix is pushed out to a majority of users.
Vulnerability #2: A malicious site could use the Gears SQL API to put SQL metadata into a bad state, which could cause a subsequent memory corruption. This may lead to a Gears plugin crash or possibly arbitrary code execution. Google says this issue will be made public once a majority of users are up to date with the fix.
The patch is being silently distributed to all Google Chrome users.
Detailed: http://blogs.zdnet.com/security/?p=4861
Gumblar malware's home domain is active again
Posted by Terryala - 11-6-09 19:27 - 0 comments
QUOTE
By Jeremy Kirk
November 6, 2009 06:40 AM ET
IDG News Service - ScanSafe researchers are seeing renewed activity regarding Gumblar, a multifunctional piece of malware that spreads by attacking PCs visiting hacked Web pages.
Gumblar can steal FTP credentials as well as hijack Google searches, replacing results on infected computers with links to other malicious sites.
When the Gumblar malware was found in March, it looked for instructions on a server at gumblar.cn. That domain was taken offline at the time, but has been reactivated within the last 24 hours, wrote Mary Landesman, a senior security researcher with ScanSafe, on a company blog.
Web sites that are infected with Gumblar contain an iframe, which is a way to bring content from one Web site into another. Malware writers usually make those iframes invisible. When a victim visits the site, the iframe will launch a series of exploits hosted on a remote computer to try and hack the visiting machine.
Gumblar checks to see if the victim's PC is running unpatched versions of Adobe Systems' Reader and Acrobat programs. If so, the machine will be compromised by a so-called drive-by download.
Usually, domain name registrars suspend domain names that have been used for malicious purposes, and malware writers frequently change the domains their software looks to for instructions as those bad domains are blacklisted. For some reason, the gumblar.cn domain was released and is in use again.
Landesman wrote that Web sites still infected with Gumblar may now be able to call back to the newly activated domain. It would allow those infected PCs to get updated with new malware.
"It's a mess," Landesman wrote. "Stay tuned."
http://www.computerworld.com/s/article/914...n?taxonomyId=17
Scramble on to fix flaw in SSL security protocol
Posted by Terryala - 11-6-09 01:18 - 0 comments
QUOTE
Inadvertent disclosure forces vendors to speed effort to produce a fix
By Robert McMillan
November 5, 2009 03:03 AM ET
IDG News Service - Software makers around the world are scrambling to fix a serious bug in the technology used to transfer information securely on the Internet.
The flaw lies in the Secure Sockets Layer (SSL) protocol, which is best known as the technology used for secure browsing on Web sites whose URLs begin with HTTPS. The bug lets attackers intercept secure SSL communications between computers using what's known as a man-in-the-middle attack.
Although the flaw can only be exploited under certain circumstances, it could be used to hack into servers in shared hosting environments, as well as mail servers, databases and many other secure applications, according to Chris Paget, a security researcher who has studied the issue.
"It's a protocol-level flaw," said Paget, chief technology officer at H4rdw4re LLC, a Sunnyvale, Calif.-based security consultancy. "There's a whole lot of stuff that's going to have to get fixed on this one: Web browsers, Web servers, Web load balancers, Web accelerators, mail servers, SQL Servers, ODBC drivers, peer-to-peer protocols."
Although an attacker would first need to hack into the victim's network to launch the man-in-the-middle attack, the results would then be devastating -- especially if the hack was a targeted attack to gain access to a database or a mail server, Paget said.
Because it is so widely used, SSL is constantly under the microscope of security researchers. Late last year, researchers found a way to create fake SSL certificates that would be trusted by any browser, and in August researchers unveiled a handful of new attacks that could compromise SSL traffic. But unlike those attacks, which had to do with the infrastructure used to manage SSL's digital certificates, this latest bug lies in the SSL protocol itself and will be much harder to fix.
Further complicating matters is the fact that the bug was inadvertently disclosed on an obscure mailing list Wednesday, forcing vendors into a mad scramble to patch their products.
The flaw was discovered in August by researchers at PhoneFactor Inc., a mobile phone security company. They had been working for the previous two months with an association of technology vendors called the Industry Consortium for Advancement of Security on the Internet (ICASI) to coordinate an industry-wide fix for the problem, dubbed Project Mogul.
But their careful plans were thrown into disarray Wednesday when SAP AG engineer Martin Rex stumbled across the bug on his own. Apparently unaware of the seriousness of the issue, he posted his observations on the issue to an Internet Engineering Task Force discussion list. It was then publicized by security researcher HD Moore.
By Wednesday afternoon, enough people were talking about the issue that PhoneFactor decided to go public with its findings. "At that point, we felt like the bad guys knew and we felt we had a responsibility for the good guys to know too," said Sarah Fender, vice president of marketing at PhoneFactor in Overland Park, Kan.
Fender couldn't say who was ready to patch the flaw, but she noted that a number of open-source projects are "anxious" to push out a patch. "I think we'll see some patching in the near future," she said.
ICASI could not be reached for comment Wednesday evening.
Although security experts say the flaw has probably existed for years, it is not thought to have been exploited in any attacks.
"While we consider it to be a material vulnerability, it's not the end of the world," Fender said.
http://www.computerworld.com/s/article/914...l?taxonomyId=85
Devious decryption scam rides ransomware Trojan
Posted by Terryala - 11-3-09 17:53 - 0 comments
QUOTE
We can remember it for you wholesale
By John Leyden
Posted in Spyware, 3rd November 2009 09:50 GMT
Devious virus writers have come up with a new twist on ransomware-style malware.
A new strain of Trojan encrypts recently-opened files on compromised Windows PCs. But instead of demanding a ransom for a decryption key to unlock files, the malware relies on users to search the web for a possible way-out.
Hackers have cleverly baited searches for likely terms, with links to sites offering a supposed fix actually developed by the crooks behind the ruse.
A fuller explanation of the scam can be found in Symantec's write-up on the Ramvicrype Trojan and in a blog posting by Symantec researcher Shunichi Imano. ®
http://www.theregister.co.uk/2009/11/03/ransomware_ruse/
Phishing, worms spike this year, say Microsoft and McAfee
Posted by TheSentinel - 11-2-09 19:43 - 1 comments
QUOTE
November 2, 2009 6:00 AM PST
Phishing, worms spike this year, say Microsoft and McAfee
by Elinor Mills
Scammers are targeting social networks with phishing scams and relying more heavily on worms and Trojans to attack computers, according to security trend reports to be released Monday by Microsoft and McAfee.
Phishing attacks saw a big spike in May and June, primarily because of campaigns targeting social-networking sites, according to Microsoft's report covering the first half of 2009. Gaming sites, portals, and Web sites of banks and retailers were also popular targets for phishing attacks, the report said.
Trojans, including rogue security software, remained the most prevalent category of threats, while Microsoft statistics show that worms rose from fifth place in the second half of last year to become the second most prevalent category, led by Conficker and followed by Taterf, which targets multiplayer online role-playing games.
More information: http://news.cnet.com/8301-27080_3-10387768-245.html
Norman raises false alarm on Windows PCs
Posted by TheSentinel - 11-1-09 18:00 - 0 comments
The H-Security Online reported on 28th October about a false alert with Norman ASA when running an update on Windows 7. Affected is Norman's new Security Suite version 7.3. Norman has launched a fixed patch to cover that kernel32.dll-problem.
QUOTE
29 October 2009, 18:06
Norman raises false alarm on Windows PCs - Update
Norman ASA is warning its customers of a false alarm that's being raised by its Windows anti-virus software which results in the file kernel32.dll being detected as malware. The cause of the false positive appears to be a bad signature and the company has stopped sending out the signature in question and has taken its update server offline.
Norman is advising affected users not to restart their PCs and not to acknowledge the alert flagged up by the real time anti-virus scanner. Users are advised to simply ignore the alert and to continue working on their PCs as normal.
The company is currently working on an updated signature and is aiming to bring the update server back online once this is ready. Users should then initiate the update manually. Until that happens, users can get around the problem by creating an entry for kernel32.dll in the anti-virus software's exclusion list.
Details: http://www.h-online.com/security/news/item...ate-845762.html
USB stick security flaw puts data at risk
Posted by TheSentinel - 10-31-09 20:50 - 0 comments
QUOTE
USB stick security flaw puts data at risk
Security firm warns of imminent threat to sensitive information
David Neal
V3.co.uk, 30 Oct 2009
USB sticks have been found to contain a significant security flaw which could be exploited to break into millions of computers around the world, according to researchers at MWR InfoSecurity.
The UK firm claimed that the flaw could allow the creation of USB sticks that "interrogate a computer and download the contents".
The researchers added that such devices are just months away from development, and are likely to be used by malevolent and sophisticated criminals to steal the contents of entire hard drives.
"What millions of us have seen in countless James Bond and other spy thrillers around the world has now taken a step closer to being realised," said Alex Fidgen, commercial director at MWR InfoSecurity.
Details at: http://www.v3.co.uk/v3/news/2252293/usb-st...security-threat
Nasty Halloween Trick: Fake Antivirus Sites
Posted by TheSentinel - 10-31-09 20:02 - 0 comments
QUOTE
Nasty Halloween Trick: Fake Antivirus Sites
Carrie-Ann Skinner, PC Advisor
Saturday, October 31, 2009 11:12 AM PDT
Hackers are exploiting web users searching for Halloween-related content on the web, says Panda Security.
Research by the security vendor revealed that hundreds of websites designed to distribute fake antivirus software are coming up top in results offered by some of the web's most popular search engines.
Fake antivirus software, which is also known as scareware, encourages web users to part with their hard-earned cash to download hoax security software that serves no purpose.
According to Panda Security, these fake antivirus programs display aggressive messages to users claiming they are infected and that to resolve the problem they need to buy a license (for the program). A simple click will take the user to an apparently legitimate web page, from where they are defrauded.
More: http://www.pcworld.com/businesscenter/arti...irus_sites.html
After one year, Conficker infects 7M computers
Posted by Terryala - 10-31-09 18:14 - 0 comments
QUOTE
By Robert McMillan
October 30, 2009 04:25 PM ET
IDG News Service - The Conficker worm has passed a dubious milestone. It has now infected more than 7 million computers, security experts estimate. On Thursday, researchers at the volunteer-run Shadowserver Foundation logged computers from more than 7 million unique IP addresses, all infected by the known variants of Conficker.
They have been able to keep track of Conficker infections by cracking the algorithm the worm uses to look for instructions on the Internet and placing their own "sinkhole" servers on the Internet domains it is programmed to visit. Conficker has several ways of receiving instructions, so the bad guys have still been able to control PCs, but the sinkhole servers give researchers a good idea how many machines are infected.
Although Conficker is probably the computer worm most known about, PCs continue to get infected by it, said Andre DiMino, co-founder of The Shadowserver Foundation. "The trend is definitely increasing and breaking 7 million is pretty much of a landmark event," he said.
Conficker first caught the attention of security experts in November 2008 and received widespread media attention in early 2009. It has proved remarkably resilient and adept at re-infecting systems even after being removed.
The worm is very common in, for instance, China and Brazil. Members of the Conficker Working Group, an industry coalition set up last year to deal with the worm, suspect that many of the infected PCs are running bootlegged copies of Microsoft Windows, and are therefore unable to download the patches or Microsoft's Malicious Software Removal Tool, which could remove the infection.
Despite its size, Conficker has rarely been used by the criminals who control it. Why it hasn't been used more is a bit of a mystery. Some members of the Conficker Working Group believe that Conficker's author may be reluctant to attract more attention, given the worm's overwhelming success at infecting computers.
"The only thing I can guess at is the person who created this is scared," said Eric Sites, chief technology officer with Sunbelt Software and a member of the working group. "This thing has cost so many companies and people money to get fixed, if they ever find the guys who did this, they're going away for a long time."
IT staffers often discover a Conficker infection when a user is suddenly unable to log into a computer. That happens because infected machines try to connect to other computers on the network and guess their passwords, trying so many times that they are eventually locked out of the network.
But the cost of the worm would be even greater if Conficker were to be used for a distributed denial of service attack, for instance.
"This is certainly a botnet that could be weaponized," DiMino said. "When you have a net of this magnitude, the sky's the limit in terms of what could be done."
http://www.computerworld.com/s/article/914...s?taxonomyId=17