Posts Tagged ‘0 Day Exploit’

Patch for zero-day Adobe flaws will be available on June 29

Friday, June 18th, 2010

There are still many people who do not believe that malware can be installed on their computer unless they do something to enable it.  For example, they think they have to click on a link or open a file attachment before they are infected.  This simply isn’t the case anymore.  Take the recent Adobe Flash vulnerability.  A specially crafted Flash file, including one embedded in a PDF document, can get malware installed on your system just by your visiting a website or opening the document.  This vulnerability is so critical that Adobe accelerated its scheduled quarterly update to reduce the risk, since the exploit is being seen in the wild.  The fix for Flash Player was available June 10 and the fixes for Reader and Acrobat will be available on June 29.


Security Alert for Windows XP and Server 2003 Users

Tuesday, June 15th, 2010

Perimeter E-Security customers should be aware of an exploit for Microsoft Windows XP and Server 2003.  Exploit code has been posted online that shows attackers exactly how to compromise Windows XP and Server 2003 remotely.  This is possible because of a newly discovered security flaw in the way Windows Help and Support Center processes links.  Help and Support Center is only supposed to handle links on a fixed “whitelist” (a list of approved and authorized URLs); however, a security researcher at Google has shown how cyber criminals can get their own URLs past that whitelist check.  As a result, an attacker could trick a user into following a link that downloads any file the attacker likes.  The link and the downloaded files run with the same permissions as the system’s current user, and many systems are configured by default with the user having administrative privileges.

Microsoft said “Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely.”  Those attacks could include worms and a host of other malware that exploit the flaw automatically through a variety of methods.

This is worse than most vulnerabilities we see.  Most vulnerabilities allow a system to be compromised in one specific way that gives the attacker limited access or flexibility.  This one makes it very easy for the cyber criminal to install any software they want, and when the victim is logged on as an administrator, to do so with full administrative rights.

The solution?

  • There is no automated fix from Microsoft at this time. However, there is a manual workaround.

The manual workaround involves editing the Registry.  Note: only experienced system administrators should edit the registry by hand.  One wrong move can cause major stability and boot-up problems.  The details of the registry edit can be found in Microsoft Security Advisory (2219475).
Be aware that Microsoft says this may break links you are trying to use in the Help and Support Center.  Microsoft has also posted a knowledge base article with a “Fix it” here.
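The registry workaround above, as an added example that is not part of the original post or of Microsoft’s advisory text: the workaround documented in Security Advisory 2219475 unregisters the HCP (hcp://) protocol handler by removing the HKEY_CLASSES_ROOT\HCP key. The script below backs the key up first, removes it, verifies the result, and can restore it once the real patch is installed. It assumes PowerShell 2.0 is installed on the XP or Server 2003 system, an elevated prompt, and a backup location under %TEMP% that is my choice, not Microsoft’s.

```powershell
# Added example: apply, verify and undo the HCP-protocol workaround from
# Microsoft Security Advisory 2219475 (delete HKEY_CLASSES_ROOT\HCP).
# Run from an elevated PowerShell prompt. The backup path is an assumption.

$HcpKey     = 'Registry::HKEY_CLASSES_ROOT\HCP'
$BackupFile = Join-Path $env:TEMP 'HCP-backup.reg'   # assumed location

function Backup-HcpKey {
    # reg.exe export writes a .reg file that reg.exe import can replay later
    if (-not (Test-Path $HcpKey)) {
        Write-Output 'HCP protocol key not present; nothing to back up.'
        return $false
    }
    if (Test-Path $BackupFile) { Remove-Item $BackupFile -Force }
    & reg.exe export 'HKCR\HCP' $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
    Write-Output "Backed up HKCR\HCP to $BackupFile"
    return $true
}

function Disable-HcpProtocol {
    # Removing the key unregisters the hcp:// handler, so a crafted link can no
    # longer reach Help and Support Center. Help Center links stop working.
    if (Backup-HcpKey) {
        Remove-Item -Path $HcpKey -Recurse -Force
    }
}

function Test-HcpProtocolDisabled {
    # $true when the handler is gone, i.e. the workaround is in effect
    return -not (Test-Path $HcpKey)
}

function Restore-HcpProtocol {
    # Undo the workaround after the Microsoft patch has been installed
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
}

Disable-HcpProtocol
if (Test-HcpProtocolDisabled) { Write-Output 'hcp:// handler unregistered.' }
```

Keep the exported .reg file with the change ticket; once the patch is deployed, run Restore-HcpProtocol so Help and Support Center links work again.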

  • Stay tuned for more details from Microsoft

Microsoft is working on a patch. The Google researcher who discovered the flaw has released his own fix; however, Microsoft says that fix is easily bypassed and that users should not rely on it to resolve the problem.

While Microsoft is working on a patch, Perimeter E-Security continues to encourage users (especially those using XP) to create a limited user account for everyday computing.  Read more on this here. Because the downloaded file runs only with the logged-on user’s rights, this goes a long way toward protecting systems from this exploit, as well as from many others we have seen in the past and will likely see in the future.

Contact us today at 800.234.2175 to talk with a security expert if you have further questions.

Tags: Windows XP exploit, Server 2003 exploit, vulnerability assessment tools, IT security, application penetration testing, managed service providers, intrusion detection system, security penetration testing


Critical Zero-Day Vulnerability in Adobe Reader and Flash Player

Tuesday, June 15th, 2010

There is a critical zero-day flaw in Adobe Reader and Adobe Flash Player that can allow attackers to take full control of vulnerable computers.  Because nearly everyone has Adobe Reader and Flash Player, and because it is a 0-day (no fix is available yet), nearly everyone is exposed.  That isn’t entirely true, since only particular versions are affected, but it will still affect a lot of people.  There are reports that the vulnerability is being exploited “in the wild”.  The scary thing about application vulnerabilities is that they are not tied to a single operating system.  This one is a good example: the flaw exists on Windows, Mac, Linux and Solaris.


New zero day vulnerability: Java Deployment Toolkit could be exploited to execute malicious code

Wednesday, April 14th, 2010

“A vulnerability in a NPAPI plug-in and ActiveX control called Java Deployment Toolkit could be exploited to execute malicious code. The flaw affects all recent versions of Windows and may affect versions of Linux as well. Attackers can exploit the flaw through maliciously crafted websites that pass commands to Java components that start certain applications, including Internet Explorer and Firefox.

Disabling the Java plug-in does not protect users from attacks.”

Java flaw exposes Windows users to attacks >>

Java Zero-Day Vulnerability Revealed >>


New Microsoft Zero Day Exploit Targets Windows XP and Server 2003 via Internet Explorer

Thursday, March 11th, 2010

Reports of a new Zero-Day flaw in VBScript and Windows Help have Microsoft scrambling to test and fix it, if it truly exists. The flaw affects MS Windows XP and Server 2003 with users running Internet Explorer 7 and 8.

Zero Day vulnerabilities are bugs or flaws in code for which an exploit is known but no patch or fix exists. They are essentially a window of huge opportunity for cyber criminals. In this case proof-of-concept code has been released and is publicly available. There are some workarounds for the problem, but most people of course never hear about these things, don’t apply one of the workarounds, and can find themselves “owned”. For example, one of the workarounds is restricting access to the Windows help system. Who is really going to do that?

Zero-Day exploits are becoming a bigger and bigger problem. They used to be very rare, and now it seems like there is one a week.


New Zero Day Vulnerability in SSL and TLS Security Protocols

Friday, November 20th, 2009

There is a zero day vulnerability in the SSL and TLS protocols that vendors have been working for a few months to resolve. As of right now, there is no patch or fix for this vulnerability. The vulnerability, if exploited, could allow an attacker to launch what is known as a “man-in-the-middle attack,” effectively getting into the middle of the session.  The flaw, in how a TLS session is renegotiated, lets the attacker splice his own data into the start of the victim’s encrypted session rather than read the encrypted traffic.

Most people consider TLS and SSL very secure because of the encryption that should ensure privacy. SSL and its successor TLS are used by secure websites, VPNs, secure email, and many, many other applications and services, so anyone running them should monitor this closely and, once available, patch their libraries with the updates.


Preventing Zero Day Attacks with Behavioral Based System Security

Friday, October 9th, 2009

Zero Day vulnerabilities are more prevalent than ever. The very definition of a zero day vulnerability is that there is no patch or fix available. As a result, we are seeing a greater and greater need for organizations to use different methods to protect their systems and networks. The methods that work best against this type of threat are behavioral in nature and reside right on the systems themselves. Host based intrusion detection and prevention is one such technology: it looks at system behavior and says “something doesn’t look right”, or “why would that process be doing that?”. Because the software is configured specifically for that system, it can look for behavioral exceptions and take action. Behavioral based system security software with 24×7 management and monitoring is going to become more and more necessary to detect and stop these malicious attacks.
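One behavioral rule of the kind described above, as an added example that is not part of the original post and not the logic of any particular HIDS product: a document viewer, browser or office application has no business spawning a command shell or scripting host, which is exactly what an exploited Reader or browser does when it drops its payload. The script runs the rule over a constructed process snapshot so it works offline; the process names in the two lists, the sample records and the rule name are my assumptions. On a live XP-era system you would feed it the output of Get-WmiObject Win32_Process (ProcessId, ParentProcessId, Name, CommandLine) instead.

```powershell
# Added example: a parent/child behavioral rule of the kind a host-based
# IDS/IPS applies. Sample data below is constructed, not real telemetry.

# Assumed lists: programs that open untrusted content, and shells/script hosts
$DocumentHosts = @('acrord32.exe', 'acrobat.exe', 'iexplore.exe', 'firefox.exe', 'winword.exe', 'excel.exe')
$Shells        = @('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe')

function Find-SuspiciousChildren {
    param([Parameter(Mandatory = $true)] $Processes)
    # Index the snapshot by PID so each parent lookup is a hash-table hit
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $Processes) {
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -eq $parent) { continue }      # parent already exited or is outside the snapshot
        $childName  = $p.Name.ToLower()
        $parentName = $parent.Name.ToLower()
        if (($DocumentHosts -contains $parentName) -and ($Shells -contains $childName)) {
            New-Object PSObject -Property @{
                Rule    = 'document-host-spawned-shell'     # assumed rule name
                Parent  = "$parentName (PID $($parent.ProcessId))"
                Child   = "$childName (PID $($p.ProcessId))"
                Command = $p.CommandLine
            }
        }
    }
}

# Constructed snapshot: an exploited PDF reader launching cmd.exe to start a
# dropped binary, beside a shell the user opened from Explorer (benign).
$Sample = @(
    (New-Object PSObject -Property @{ ProcessId = 1200; ParentProcessId = 900;  Name = 'explorer.exe'; CommandLine = 'explorer.exe' }),
    (New-Object PSObject -Property @{ ProcessId = 2310; ParentProcessId = 1200; Name = 'AcroRd32.exe'; CommandLine = '"AcroRd32.exe" invoice.pdf' }),
    (New-Object PSObject -Property @{ ProcessId = 2344; ParentProcessId = 2310; Name = 'cmd.exe';      CommandLine = 'cmd.exe /c start %TEMP%\svc.exe' }),
    (New-Object PSObject -Property @{ ProcessId = 2400; ParentProcessId = 1200; Name = 'cmd.exe';      CommandLine = 'cmd.exe' })
)

Find-SuspiciousChildren -Processes $Sample | Format-Table Rule, Parent, Child, Command -AutoSize

# Live use (requires the rights to read other users' processes):
# Find-SuspiciousChildren -Processes (Get-WmiObject Win32_Process)
```

The rule fires on the AcroRd32.exe to cmd.exe pair and ignores the cmd.exe started from Explorer, which is the “why would that process be doing that?” question the post describes: the same cmd.exe is normal or suspicious depending only on who launched it, and no signature for the exploit is needed. A prevention product would terminate the child or block its network access at the point where this script only reports.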


Websites Subverting Browser Privacy Settings via Flash Cookies

Friday, August 28th, 2009

A research report was released recently showing how websites can subvert browser privacy settings by using a technique called Flash cookies.  Flash Player stores its own data files (“local shared objects”) outside the browser’s cookie store, so clearing or blocking browser cookies does not touch them.  During the web session the site copies the values of its regular cookies into a Flash cookie, and after the user deletes the regular cookies it recreates them from that copy.  The report identified over 100 sites that were using this technique.

This should be of major concern to those who worry about browser and end-user system exploits.  A technique like this, especially through Flash, gives any website the system visits a persistent store that the user’s privacy controls cannot reach.  Many vendors want to capture, record, and use information about their customers.  This “Big Brother” stuff is not appreciated or tolerated by most people.  The Palm Pre was just found secretly sending information back to Palm.

You can learn how to disable third-party local objects here.

(Aside) You know, there are few commercials I dislike more than those Palm Pre commercials.  I really don’t like that lady they got doing those.


iPhone SMS 0 Day Exploit

Thursday, August 6th, 2009

With the popularity of the iPhone, it isn’t surprising that it is a highly prized target for hackers. While I didn’t go to this particular session at Black Hat in Las Vegas, I understand an active 0-Day exploit for the iPhone was announced. It uses SMS to compromise the phone, and the only indication that you have been compromised is a text message showing a single square character. It is recommended that you turn your iPhone off immediately if you see this. That being said, I can see a bunch of people sending a square as a joke. The flaw is fixed by the iPhone OS 3.0.1 update released on July 31st, which is only available through the latest version of iTunes.  You can read more at Yahoo.com here.


0 Day Exploit Used on Web Hosting Provider

Wednesday, June 17th, 2009

Web hosting provider Vaserv suffered an attack against 100,000 of its websites based on a 0 day exploit, according to a recent article.  A 0 Day exploit is an exploit used while there is no patch or fix available.  This exploit hit the HyperVM software Vaserv used to host all the sites in virtualized environments.  Virtualization is very popular among hosting providers because it allows them to host many more individualized, customized environments on a single hardware platform.  This is why the cost of hosting has dropped so significantly over the past year or so.

In this attack, the perpetrators simply destroyed the sites.  There was no mention of whether backups were available.  Obviously for those that don’t have backups this is a major problem.  For others, having their sites down for any period of time can be devastating to their business.

There are many people that when asked about their website security simply say “I don’t have to worry about it because it is hosted by a 3rd party”.  I wonder if these 100,000 companies feel that way now?


Discovery of Thousands of Legitimate Websites Compromised with Malware

Thursday, June 4th, 2009

Websense recently made this announcement:

“Websense Security Labs(TM) Threatseeker(TM) Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

This mass injection attack does not seem related to Gumblar. The location of the injection, as well as the decoded code itself, seem to indicate a new, unrelated, mass injection campaign.

The exploit site is laden with various attacks. After successful exploitation, a malicious file is run on the exploited computer. The executed malware file has a very low AV detection rate. ”

——-

The methods cyber criminals are now using are very effective.  When they can inject code into a legitimate, popular site that is accessed literally millions of times each day, their malware spreads very quickly.  Vulnerable systems (which are not in short supply) are then taken over by the cyber criminals, and the user sitting at the computer would likely never know the difference.

Using a good web content filter is probably the best way to protect yourself from these types of attacks.  Be sure to use one that dynamically reclassifies websites, so that if a legitimate website your users are normally allowed to visit becomes compromised, it is automatically moved into a blocked category until the site has been cleaned.


More Adobe Vulnerabilities

Thursday, April 30th, 2009

Looks like there is another serious Adobe vulnerability. These are very serious because the standard patching procedures employed by most organizations do not cover 3rd party applications such as Adobe. Adobe has released notices putting people on high alert over several vulnerabilities in the last year. This is even more alarming because Adobe software is loaded on more systems than almost any other software in the world.

It is important to employ a patching technology that does more than just patch Microsoft.  Most organizations still only use the free Microsoft SUS (Software Update Services, now WSUS) to patch their systems.  The problem is that this only patches the Microsoft OS and Microsoft applications, leaving all the other software loaded on the system vulnerable.  This includes Adobe, which seems to have more than its fair share of vulnerabilities and was ranked #1 with the most application vulnerabilities in 2008.


Router Exploits Take Center Stage

Wednesday, April 1st, 2009

Research conducted by Felix “FX” Lindner demonstrates that many routers (especially Cisco) are susceptible to attack and compromise.  These devices are often overlooked from a vulnerability detection and patching perspective.  Many organizations run vulnerability assessments against their publicly accessible systems, but they usually only cover their firewall, web server, email server, etc.  They often forget about the router that connects all this to the Internet.  Other times they know the device is there but are unwilling to pay extra to scan it.

I believe one reason for this is that they think anything on the outside of the firewall is someone else’s problem.  Another reason is that most routers can’t simply be patched.  You have to load an entirely new firmware image (the equivalent of an operating system on a PC) onto the router.  This all too often leads to lost configurations, misconfigurations, and downtime.  So the device is left to its own devices (no pun intended).

The successful compromise of a public Internet router on the outside of your firewall can still be very serious.  The most obvious result is of course denial of service: the criminals could simply turn off your Internet access.  Beyond that, with control of the router they can redirect or monitor your traffic and more.

Cisco recently released multiple advisories for IOS (the operating system on Cisco routers), which makes this even more critical.  Review the Cisco security advisories and apply any necessary workarounds or updates to help mitigate the risks.

Relevant Update URLs:

My advice is to run vulnerability assessments against your external routers and make sure these devices are included in your patch management program, even if it is a little painful to deal with upgrading that firmware.