Archive for the ‘security news’ Category

« Older Entries

Windows shortcut flaw goes wild?

Wednesday, July 21st, 2010

On July 16, Microsoft released Security Advisory 2286198 confirmed the Windows shortcut flaw that exposes all windows user of all current versions of Windows system to very serious attacks, including fully patched Windows 7 system.

Just by opening a directory containing the infected shortcut will get user infected. Once the infected shortcut icon is displayed in Windows Explorer, malicious code is launched without any further user interaction. Hackers have already developed malware that spreads via USB sticks, using this vulnerabilities.  Independent security researcher Frank Boldewin had found the attack is currently targeted toward the WinCC SCADA system by Siemens. “Looks like this malware was made for espionage,” Boldewin writes.

On Sunday, a researcher known as “Ivanlef0u” published aproof-of-concept code to several locations on the Internet. There is already a Metasploit module that implements the exploit with the WebDAV method.

To protect yourself from the attack, Microsoft suggests disabling the displaying of icon for shortcut and turning off WebClient service as workarounds against possible attacks. Please reference Microsoft advisory for details of how to “Disable the displaying of icons for shortcuts“. Another way to protect yourself is to use Didier Stevens’ tool Ariad .

Additional information on the flaw can be found in a blog post by the SANS Institute’s Internet Storm Centre here.

source:

Experts Warn of New Windows Shortcut Flaw

MS confirms Windows shortcut zero-day flaw

Preempting a Major Issue Due to the LNK Vulnerability – Raising Infocon to Yellow

Tags: , , ,
Posted in security news | No Comments »

New Linux OS REMnux Designed For Reverse Engineering Malware

Tuesday, July 20th, 2010

A new OS called REMnux has been released from Lenny Zeltser, a security expert specializing on malware reverse engineering. REMnux is a lightweight version of Ubuntu originally distributed as a VMware virtual appliance, which can be booted via several VMware products or through X-Windows. The OS was also recently released as an ISO image of a Live CD.

The classical approach to analyze malware is to set up a virtual machine on a computer specifically designed for that purpose and then release the malware and monitor how it affects the system. The drawback of this protocol is that much of the malware’s behavior can remain hidden, while deeper analysis is not a convenient option.

REMnux comes as a solution to these disadvantages and offers an alternative approach for taking apart a malicious code. Typically, infection of another laboratory system with the malware sample is followed by direction of the potentially-malicious connections to the REMnux “monitoring” ports.

This approach combines a generous number of popular malware-analysis, reverse-engineering, network monitoring, and memory forensic tools. Amongst them, REMnux contains three tools for analyzing Flash-specific malware, namely SWF tools, Flasm, and Flare. Furthermore, it contains several applications for analyzing malicious PDFs, such as the Didier Steven’s analysis tools. The OS also provides a lot of tools for de-obfucating JavaScript, including Rhino debugger, a NoScript-version of Firefox, JavaScript Deobfuscator and Firebug, and Windows Script Decoder. In addition to the above analysis tools, a small Web server, an IRC server, and a pseudo-DNS server are also included. Further, several tools for network monitoring and interactions, such as the virtual honeypot server, HoneyD, as well as Wireshark, INetSim, fakedns and fakesmtp scripts, and NetCat are also part of REMnux.

Behind the development of REMnux stands the idea of providing a useful set of tools for people interested in the field, rather than a be-all reverse-engineering environment. As Zeltser himself puts it: “This doesn’t have every tool in it, because I think people can get distracted with too many tools in there”. On the contrary, Zeltser states that this OS targets beginners or people that are not Linux experts. He also hopes that users’ input and comments will aid in further development of REMnux to reach an improved version of the OS.

Any interested and adventurous potential developers, who would like to contribute to the improvement of REMnux,  are welcomed to contact Lenny Zelter directly.

Tags: , , , , , , , ,
Posted in security news | No Comments »

Danger in the Internet Cafe? New Computer Security Threat for Wireless Networks: Typhoid Adware

Saturday, May 22nd, 2010

Typhoid Adware is a software which resembles the healthy carrier of typhoid called  Typhoid Mary. This kind of threat works to the full potential on computer networks and specifically on wireless networks. Actually, the internet cafes and other similar public places where the customers can access internet wirelessly without any data encrpytion, are the most convenient places for being infected Adware software. Typhoid Adware comes from another’s person computer and convinces other laptops to communicate with it and not the legitimate access point. Then the Typhoid adware automatically inserts advertisements in videos and web pages on the other computers.

John Aycock who co-authored a paper with assistant professor Mea Wang and students Daniel Medeiros Nunes de Castro and Eric Lin have come up with solutions which support computers with security defences against threats of various Adwares like the Typhoid Adware.

Click here for more information.

Posted in security news | No Comments »

Windows 7 hole…

Thursday, May 20th, 2010

A vulnerability has been discovered in  64-bit Windows 7 , in graphics display component that could be exploited to crash the system or potentially take control of the computer by running code remotely.The vulnerability is  in the Canonical Display Driver (cdd.dll) which could allow code execution(Microsoft isn’t aware of this ,cause vulnerable code execution is unlikely due to memory randomization)  caused due to an error while drawing in kernel space by using the cdd.dll . This can be exploited to dereference invalid memory in a write operation and corrupt kernel memory.When the Windows Aero theme is installed, does not perform the expected data parsing after user-mode data is copied to kernel mode, which allows context-dependent attackers to cause a denial of service or possibly execute arbitrary code via a crafted image file.

http://news.cnet.com/8301-27080_3-20005420-245.html?tag=mncol;title

http://www.microsoft.com/technet/security/advisory/2028859.mspx

http://secunia.com/advisories/39577

Posted in security news | No Comments »

Mozilla extends plug-in detection page to all major browsers

Tuesday, May 18th, 2010

The Mozilla Firefox development team has recently came with the idea of warning Firefox users about outdated, insecure or buggy plug-in. It was first implemented for Adobe flash plug in. It was created as a What’s New page and integrated in recent Firefox updates.

The scripts on the page check for installed plugins and compare the version of the installed plugin with the latest version that is offered officially by the developer of the plugin. Some supported plug-ins (among others) are Apple Quicktime, Shockwave Flash, Adobe Acrobat, Java, RealPlayer and Windows Media Player plugins. Furthermore the Mozila Firefox development team now extends the page to support all the popular browsers.

(more…)

Posted in forward, security news | No Comments »

IE 8 XSS filter used for XSS attacks!

Tuesday, May 18th, 2010

The XSS filter that was the developed from Microsoft and added to the last IE version to prevent XSS attacks can be used for the very exact opposite reason! The cross-site scripting (XSS) filter can be abused by attackers to launch cross-site scripting attacks (XSS) on websites and web pages that would otherwise be immune to this threat.

The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server’s response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack will be unsuccessful.

(more…)

Posted in security news | No Comments »

Apple Safari highly critical vulnerability

Tuesday, May 18th, 2010

A high critical zero day vulnerability for Apple’s web browser, Safari, was discovered by Krystian Kloskowski and Vin Lisciandro and published last week by Secunia.

The security issue affects current version of Safari (v. 4.0.5) for Microsoft Windows (confirmed) and probably for Mac. Earlier versions of Safari might also be vulnerable. Successful exploitation of the issue leads to remote code execution or exposure of victim’s private data. Secunia has released advisory SA39670, which explains that the flaw exists because of ‘a use-after-free error when handling pop-up boxes created from a child window’ which can result in a function call using an invalid pointer. It is also stated that it ‘can be exploited to execute arbitrary code when a user visits a specially crafted web page’. Another issue mentioned is that Safari includes HTTP basic authentication credentials in an HTTP request if a web page that requires HTTP basic authentication redirects to a different domain (e.g. via a “Location” header).

(more…)

Tags: , ,
Posted in security news | No Comments »

New version of YAHOO IM worm aims a blow at Skype

Saturday, May 15th, 2010

According to the security firm Bkis, this worm has delevoped a more efficient way of persuading people follow the steps that lead to the trap and achieving its goals. The main means of spreading are Yahoo Instant Messanger and Skype, so the first indirect contact with the malware is done via a message that is selected from a various set of messages which is followed by a link.

An example of that kind of messages is shown below.

(more…)

Posted in security news | No Comments »

Critical vulnerability in Windows Outlook Express, Windows Mail and Windows Live Mail

Friday, May 14th, 2010

A recent critical vulnerability has been identified in Windows Outlook Express, Windows Mail and Windows Live Mail. This security issue can allow remote code execution if the users visits a malicious e-mail server. The attacker can gain the same privileges of the computer as the user has.The security update addresses the vulnerability by correctly validating e-mail server responses.Patches have been released.

source:

http://www.theregister.co.uk/2010/05/12/may_patch_tuesday/

http://www.microsoft.com/technet/security/Bulletin/MS10-030.mspx

Posted in security news | No Comments »

XSS filter – Internet explorer 8

Wednesday, April 28th, 2010

The cross-site scripting enables malicious attackers to inject client-side script into web pages viewed by other users. As The Register reported in November, Internet explorer 8 contains a bug and can be exploited to introduce cross-site scripting. In other words the attacker can figure out a flaw in IE 8 as a result to create a specific string to tranformed into an actual attack on the web page.

(more…)

Posted in security news | No Comments »

« Older Entries