<?xml version="1.0" encoding="ISO-8859-1"?>

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>Tech Support Forum - Computer Security News</title>
		<link>http://www.techsupportforum.com</link>
		<description>The Latest Computer Security News</description>
		<language>en</language>
		<lastBuildDate>Sat, 21 Nov 2009 01:13:30 GMT</lastBuildDate>
		<generator>vBulletin</generator>
		<ttl>60</ttl>
		<image>
			<url>http://www.techsupportforum.com/cwd/images/misc/rss.jpg</url>
			<title>Tech Support Forum - Computer Security News</title>
			<link>http://www.techsupportforum.com</link>
		</image>
		<item>
			<title>How to avoid joining a botnet</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/433689-how-avoid-joining-botnet.html</link>
			<pubDate>Fri, 20 Nov 2009 19:58:16 GMT</pubDate>
			<description>Banging the drum for security awareness never gets old. As much as CSOs try to get folks to bone up on safe practices (both online and in the office), there are always going to be some who need reminding. 
 
Online, the biggest battle these days is against botnets: networks of infected computers...</description>
			<content:encoded><![CDATA[<div>Banging the drum for security awareness never gets old. As much as CSOs try to get folks to bone up on safe practices (both online and in the office), there are always going to be some who need reminding.<br />
<br />
Online, the biggest battle these days is against botnets: networks of infected computers which hackers can use, unbeknownst to the machine's owner, for online crimes including sending out spam or launching a denial of service attack.<br />
<br />
Unfortunately, the black hat techniques employed to snare users into a botnet web have evolved to a level that makes them often undetectable by even the most sophisticated security products. Combine that with a lack of user knowledge, and the threat of infection becomes very high.<br />
<br />
&quot;The frustrating thing is they can make their chances of getting infected much, much smaller,&quot; said Steve Santorelli, who sees how users fall prey to easily avoidable traps every day. Santorelli, director of global outreach with the non-profit security investigations firm Team Cymru, spends his days monitoring malicious online activity, particularly botnets.<br />
<br />
Santorelli notes that while just one strategy probably won't cover you, with several tools in the tool box, the rate of infection within an organisation significantly drops.<br />
<br />
<b>Tip 1: Have work AND home machines regularly updated with patches and antivirus software</b><br />
<br />
The average user doesn't necessarily have a lot of technological knowledge, said Santorelli. They might not realize the importance of working with IT to ensure they are up to date with patching and software upgrades. This problem may be especially prevalent among workers who are exclusively remote.<br />
<br />
In fact, a study conducted by security firm Sophos last year found most computer users ignore security updates and turn off their firewalls. Sophos scanned 583 computers for 40 days and found that 81 percent of the machines failed one or more basic security checks. Most machines, 63 percent, were lacking security patches for the operating system, office application and programs like Windows Media Player and Adobe Flash. More than half, 51 percent, had disabled their firewall and another 15 percent had outdated or disabled antivirus and antispam software.<br />
<br />
Those are exactly the folks that criminals love.<br />
<br />
<br />
<a href="http://howto.techworld.com/security/3206916/how-to-avoid-joining-a-botnet/?olo=rss" target="_blank">http://howto.techworld.com/security/...otnet/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/433689-how-avoid-joining-botnet.html</guid>
		</item>
		<item>
			<title><![CDATA[Microsoft denies building security 'backdoor' in Windows 7]]></title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/433688-microsoft-denies-building-security-backdoor-windows-7-a.html</link>
			<pubDate>Fri, 20 Nov 2009 19:57:15 GMT</pubDate>
			<description><![CDATA[Microsoft has denied building a backdoor into Windows 7, responding to concerns from privacy organisations after it was revealed that the National Security Agency (NSA) had worked on the operating system. 
 
But these concerns have been met with a firm denial. "Microsoft has not and will not put...]]></description>
			<content:encoded><![CDATA[<div>Microsoft has denied building a backdoor into Windows 7, responding to concerns from privacy organisations after it was revealed that the National Security Agency (NSA) had worked on the operating system.<br />
<br />
But these concerns have been met with a firm denial. &quot;Microsoft has not and will not put 'backdoors' into Windows,&quot; a company spokeswoman said.<br />
<br />
Earlier this week, Richard Schaeffer, the NSA's information assurance director, told the Senate's Subcommittee on Terrorism and Homeland Security that the NSA had worked on the creation of Windows 7 &quot;to enhance Microsoft's operating system security guide.&quot;<br />
<br />
Echoing earlier concerns, Marc Rotenberg, the executive director of the Electronic Privacy Information Center (EPIC), questioned the wisdom of letting the NSA participate in OS development. &quot;The key problem is that NSA has a dual mission, COMPUSEC, computer security, now called cyber security, and SIGINT, signals intelligence, in other words surveillance,&quot; said Rotenberg.<br />
<br />
Yesterday, he raised the issue, which isn't new, of whether the NSA pressures companies like Microsoft to craft so-called &quot;backdoors&quot; into their code that would let the agency track users and intercept users' communications. Rotenberg called it an &quot;obvious concern,&quot; and added that it might be difficult for major software makers to turn down NSA &quot;suggestions&quot; because the US federal government is an important customer.<br />
<br />
Today's categorical denial by Microsoft was accompanied by further explanation of exactly how the NSA participated in the making of Windows 7. &quot;The work being discussed here is purely in conjunction with our Security Compliance Management Toolkit,&quot; said the spokeswoman.<br />
<br />
The company rolled out the Windows 7 version of the toolkit late last month, shortly after it officially launched the operating system.<br />
<br />
The compliance management toolkit provides a set of security configurations that address additional levels of risks beyond those addressed out of the box, as well as tools to deploy these configurations and monitor what Microsoft calls &quot;configuration drift.&quot; The toolkit is aimed at enterprises, government agencies and other large-scale organisations.<br />
<br />
Microsoft's rejection of the idea that it's hidden a backdoor in Windows came as no surprise to security researchers, who yesterday expressed doubt that the company would put its reputation at such risk. &quot;I can't imagine NSA and Microsoft would do anything deliberate, because the repercussions would be enormous if they got caught,&quot; Roger Thompson, the chief research officer of antivirus vendor AVG Technologies, said yesterday.<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206878/microsoft-denies-building-security-backdoor-in-windows-7/?olo=rss" target="_blank">http://news.techworld.com/security/3...ows-7/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/433688-microsoft-denies-building-security-backdoor-windows-7-a.html</guid>
		</item>
		<item>
			<title>Police arrest pair over global banking web scam</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/433687-police-arrest-pair-over-global-banking-web-scam.html</link>
			<pubDate>Fri, 20 Nov 2009 19:56:18 GMT</pubDate>
			<description><![CDATA[British police said they've made the first arrests in Europe of two people for using Zeus, a sophisticated malicious software program that can scoop up any sensitive information on a PC. 
 
A man and woman, both 20 years old, were arrested in Manchester, England, on 3 November, said the...]]></description>
			<content:encoded><![CDATA[<div>British police said they've made the first arrests in Europe of two people for using Zeus, a sophisticated malicious software program that can scoop up any sensitive information on a PC.<br />
<br />
A man and woman, both 20 years old, were arrested in Manchester, England, on 3 November, said the Metropolitan Police's Central e-Crime Unit (PCeU). The pair, who have been released on bail, will face charges under the 1990 Computer Misuse Act and the 2006 Fraud Act.<br />
<br />
Zeus is an advanced piece of malicious software. If installed on a PC, it can send spam, steal financial or other data or conduct a distributed denial-of-service attack against other computers. Machines infected with Zeus are essentially a botnet.<br />
<br />
Those who have developed Zeus have also tailored it to be easy to use for less technical criminals, according to security vendor Symantec.<br />
<br />
Zeus can be bought as a toolkit, which can create a unique Zeus variant. The toolkit also has a control panel for managing where Zeus will be hosted. Zeus will attack computers visiting a certain infected Web site by looking for software vulnerabilities in the victim's computer.<br />
<br />
In the case of the two people arrested, Zeus had been configured to steal online bank account details and passwords and send that information to remote servers, according to police.<br />
<br />
Police said the two people used Zeus to &quot;harvest millions of lines of data from affected machines -- hundreds of thousands per day.&quot;<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206755/police-arrest-pair-over-global-banking-web-scam/?olo=rss" target="_blank">http://news.techworld.com/security/3...-scam/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/433687-police-arrest-pair-over-global-banking-web-scam.html</guid>
		</item>
		<item>
			<title>Firefox web browser locks down rogue addons</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/433102-firefox-web-browser-locks-down-rogue-addons.html</link>
			<pubDate>Wed, 18 Nov 2009 22:22:51 GMT</pubDate>
			<description><![CDATA[Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking addons into the program, the company said. 
 
The new feature, which Mozilla dubbed "component directory lockdown," will bar access to Firefox's "components" directory, where most of the browser's own...]]></description>
			<content:encoded><![CDATA[<div>Mozilla will add a new lockdown feature to Firefox 3.6 that will prevent developers from sneaking addons into the program, the company said.<br />
<br />
The new feature, which Mozilla dubbed &quot;component directory lockdown,&quot; will bar access to Firefox's &quot;components&quot; directory, where most of the browser's own code is stored. The company has billed the move as a way to boost the stability of its browser.<br />
<br />
&quot;We're doing this for stability and user control [reasons],&quot; said Johnathan Nightingale, manager of the Firefox frontend development team, in an email. &quot;Dropping raw components in this way was never an officially supported way of doing things, which means it lacks things like a way to specify compatibility. When a new version of Firefox comes out that these components aren't compatible with, the result can be a real pain for our shared users.<br />
<br />
&quot;Now that those components will be packaged like regular addons, they will specify the versions they are compatible with, and Firefox can disable any that it knows are likely to cause problems,&quot; Nightingale added.<br />
<br />
His mention of &quot;regular addons&quot; referred to the new policy that will be enforced by Firefox 3.6, a minor upgrade to last summer's 3.5 that is to ship before the end of the year. Because third party developers will no longer be able to drop their code into the components directory, they must instead recreate their addons as XPI-based files, the standard Firefox extension format. Mozilla has posted information on its developer site to aid programmers who need to migrate addons to the XPI format.<br />
<br />
Most, but not all, Firefox addons are available through Mozilla's Addon site, which boasts that more than 1.6 billion addons have been downloaded by users.<br />
<br />
Nightingale said that rogue addons created performance and stability problems for Firefox users. &quot;[They] can lead to all kinds of unfortunate behavior: lost functionality, performance woes and outright crashing, often immediately on startup,&quot; he wrote in a post to the Mozilla developer's blog.<br />
<br />
Crashes are caused in large part by developer lethargy, added Mozilla developer Vladimir Vukicevic, who headed up the work on the new lockdown feature. &quot;Many of these components were written for Firefox 3.0, and have not been updated for Firefox 3.5,&quot; Vukicevic said in a blog post of his own. &quot;Because a number of internal interfaces changed between the two versions, this leads to crashes or other problems when these components are used.&quot;<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206670/firefox-web-browser-locks-down-rogue-addons/?olo=rss" target="_blank">http://news.techworld.com/security/3...ddons/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/433102-firefox-web-browser-locks-down-rogue-addons.html</guid>
		</item>
		<item>
			<title>T-Mobile employees accused of stealing customer data</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/433101-t-mobile-employees-accused-stealing-customer-data.html</link>
			<pubDate>Wed, 18 Nov 2009 22:21:24 GMT</pubDate>
			<description><![CDATA[Workers at T-Mobile UK have been selling customer data to brokers who work for the competition, T-Mobile and the Information Commissioner's Office said. 
 
In an announcement from the ICO, the agency does not name the operator involved, but T-Mobile acknowledged that it alerted ICO about the data...]]></description>
			<content:encoded><![CDATA[<div>Workers at T-Mobile UK have been selling customer data to brokers who work for the competition, T-Mobile and the Information Commissioner's Office said.<br />
<br />
In an announcement from the ICO, the agency does not name the operator involved, but T-Mobile acknowledged that it alerted ICO about the data breach.<br />
<br />
Employees sold details about customers' contracts, including the date that their contracts end, to brokers, according to the ICO. T-Mobile competitors bought the information and then called customers prior to the expiry of their contracts to offer them deals with the new operator, ICO alleges.<br />
<br />
&quot;Many thousands&quot; of customer account details were sold to several brokers for substantial amounts of money, the ICO said.<br />
<br />
T-Mobile appeared to have hoped that it wouldn't be named. &quot;We had been asked before today to keep all information on this case strictly confidential so as to avoid prejudice to the investigation and prosecution. We were therefore surprised at the way in which these statements were made to the BBC today,&quot; it said in a statement.<br />
<br />
The BBC reported that after the other mobile operators said they were not the subject of the investigation, T-Mobile confirmed its involvement.<br />
<br />
T-Mobile worked with the ICO to identify the source of the breach, it said. &quot;While it is deeply regrettable that customer information has been misappropriated in this way, we have proactively supported the ICO to help stamp out what is a problem for the whole industry,&quot; T-Mobile said in a statement. Both T-Mobile and ICO said they are hopeful that the involved parties would be prosecuted.<br />
<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206631/t-mobile-employees-accused-of-stealing-customer-data/?olo=rss" target="_blank">http://news.techworld.com/security/3...-data/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/433101-t-mobile-employees-accused-stealing-customer-data.html</guid>
		</item>
		<item>
			<title>IBM researcher hacks Twitter using SSL flaw</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/432783-ibm-researcher-hacks-twitter-using-ssl-flaw.html</link>
			<pubDate>Tue, 17 Nov 2009 20:39:43 GMT</pubDate>
			<description>An IBM researcher has shown how to hack Twitter using a previously disclosed bug in SSL. 
 
A flaw in the protocol used to secure communications over the internet could have been used to hack Twitter accounts, according to an IBM security researcher. 
 
Last week Anil Kurmus demonstrated how a flaw...</description>
			<content:encoded><![CDATA[<div>An IBM researcher has shown how to hack Twitter using a previously disclosed bug in SSL.<br />
<br />
A flaw in the protocol used to secure communications over the internet could have been used to hack Twitter accounts, according to an IBM security researcher.<br />
<br />
Last week Anil Kurmus demonstrated how a flaw in the SSL (Secure Sockets Layer) protocol could be used to essentially trick victims into sending Twitter messages that contained their password information.<br />
<br />
For the flaw to be exploited, a hacker would first have to find a way to get onto the victim's network, launching what's known as a man-in-the-middle attack, so it would be hard to affect a large number of Twitter users with this technique. The issue was soon patched by Twitter, but it has security experts wondering how many websites might suffer from a similar problem.<br />
<br />
A consortium of internet companies has scrambled to fix the SSL issue since November 5, when it was inadvertently made public on a discussion list. But there has been some debate about the seriousness of the flaw. Shortly after the bug was made public, IBM researcher Tom Cross said that, for the most part, major Web applications would not be affected by the issue.<br />
<br />
But Cross changed his mind, writing: &quot;Unfortunately, the situation is worse than I thought.&quot;<br />
<br />
Webmail applications, in particular, may also be at risk from this attack. And security experts also worry that other applications - databases, for example - may be at risk.<br />
<br />
Twitter.com was susceptible to the bug because it did what's called client renegotiation under SSL. Client renegotiation gives the website a way to ask the Twitter user for an SSL certificate after a user is already connected to the site. It's a useful tool for sites that let users log on using smart cards or for sites that restrict access to a select group of predefined web surfers, but until the flaw is fixed, client renegotiation also opens the door for SSL attacks.<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206525/ibm-researcher-hacks-twitter-using-ssl-flaw/?olo=rss" target="_blank">http://news.techworld.com/security/3...-flaw/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/432783-ibm-researcher-hacks-twitter-using-ssl-flaw.html</guid>
		</item>
		<item>
			<title>Hackers skip Windows 7 activation controls</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/432780-hackers-skip-windows-7-activation-controls.html</link>
			<pubDate>Tue, 17 Nov 2009 20:34:35 GMT</pubDate>
			<description><![CDATA[Hackers are sidestepping Windows 7's activation process, winning their battle with Microsoft, which has blocked such tactics in the past. However, the company said that it knew about the hacks and was looking into ways to block them. "We're aware of this workaround and are already working to...]]></description>
			<content:encoded><![CDATA[<div>Hackers are sidestepping Windows 7's activation process, winning their battle with Microsoft, which has blocked such tactics in the past. However, the company said that it knew about the hacks and was looking into ways to block them. &quot;We're aware of this workaround and are already working to address it,&quot; said a company spokeswoman.<br />
<br />
According to an article in My Digital Life, hackers have devised a pair of methods that circumvent the new operating system's product activation, a key component of Microsoft's antipiracy technologies.<br />
<br />
Two utilities, called &quot;RemoveWAT&quot; and &quot;Chew-WGA,&quot; remove the activation technologies or prevent them from running, said My Digital Life. Both hacking tools trick Windows 7 into reporting that it has been properly activated, preventing the nagging on-screen displays and other visual cues from appearing that Microsoft has built into its software to mark counterfeit software.<br />
<br />
With Windows 7, Microsoft dropped the &quot;Windows Genuine Advantage&quot; (WGA) name for its integrated antipiracy software, and replaced it with &quot;Windows Activation Technologies&quot; (WAT). The end result on users' screens, however, remained similar to what Vista displayed. The most evident change to Windows 7 was the discarding of a delay during log-in on a machine with an inactivated copy of Windows. Under Vista's scheme, users had to wait 15 seconds before clicking the &quot;Activate Later&quot; button to proceed to the desktop. In Windows 7, users can click that button immediately.<br />
<br />
Microsoft made dramatic changes to Vista's illegitimate software warnings nearly two years ago, then followed those with nearly identical modifications to the older Windows XP. In both operating systems, the company dumped the reduced functionality mode that essentially made the machine unusable, and instead boosted the number of on-screen messages and planted a black background on the desktop.<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206511/hackers-skip-windows-7-activation-controls/?olo=rss" target="_blank">http://news.techworld.com/security/3...trols/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/432780-hackers-skip-windows-7-activation-controls.html</guid>
		</item>
		<item>
			<title>How to protect yourself from Windows 7 hacks</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/432407-how-protect-yourself-windows-7-hacks.html</link>
			<pubDate>Mon, 16 Nov 2009 20:30:39 GMT</pubDate>
			<description>It was a notable accomplishment when Windows 7 was not impacted in any way by the vulnerabilities addressed in the six Security Bulletins released by Microsoft for the November Patch Tuesday. It would be even more impressive if Windows 7 proved invulnerable to the zero day exploit that hit the next...</description>
			<content:encoded><![CDATA[<div>It was a notable accomplishment when Windows 7 was not impacted in any way by the vulnerabilities addressed in the six Security Bulletins released by Microsoft for the November Patch Tuesday. It would be even more impressive if Windows 7 proved invulnerable to the zero day exploit that hit the next day.<br />
<br />
This newly found bug was discovered by Laurent Gaffie and details were posted on the Full Disclosure mailing list. Microsoft is investigating the reported flaw which basically crashes a Windows 7 system when exploited. The issue is in the SMB (Server Message Block) protocol that forms the backbone of Windows file sharing. When triggered, the flaw results in an infinite loop which renders the computer useless.<br />
<br />
Tyler Reguly, Lead Security Research Engineer with nCircle, explains, &quot;Exploitation of this vulnerability occurs when a user attempts to browse to Windows Share hosted on the malicious server. On Windows 7, the DoS (denial of service) will occur as soon as you type '\\\' in the search box.&quot;<br />
<br />
The vulnerability actually impacts both Windows 7 and Windows Server 2008 R2. There are currently a couple of different proof-of-concept exploits circulating, but there are no reported attacks in the wild at this point. Because the flaw only enables an attacker to crash the system, and doesn't provide any unauthorised remote access that could lead to compromising information or performing other malicious activities, the odds of the exploit being actively used by attackers are fairly slim.<br />
<br />
With some SMB-based bugs, you can minimise the risk of exposure by blocking SMB traffic at the router or firewall, essentially making sure that no outside source would be able to attack systems on your network. Blocking TCP ports 135 through 139 and port 445 will prevent outside SMB traffic from entering the network.<br />
<br />
With those ports blocked at the firewall, the threat still exists internally, but ostensibly the systems on the internal network should be more trusted than those on the Internet and hopefully nobody on the internal network would intentionally launch such an attack. You could block those ports on the internal network as well, but then systems would be unable to access file and folder shares on the network.<br />
<br />
With this particular bug, though, the firewall will not protect you completely from outside attacks. Reguly says, &quot;There is an Internet Explorer-based attack vector. By including a file stored on a share in the HTML of the web page the flaw can be triggered. But, once again the result is a denial of service.&quot;<br />
<br />
<br />
<a href="http://howto.techworld.com/security/3206347/how-to-protect-yourself-from-windows-7-hacks/?olo=rss" target="_blank">http://howto.techworld.com/security/...hacks/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/432407-how-protect-yourself-windows-7-hacks.html</guid>
		</item>
		<item>
			<title>DNS hole leads to more DDoS attacks</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/432406-dns-hole-leads-more-ddos-attacks.html</link>
			<pubDate>Mon, 16 Nov 2009 20:29:19 GMT</pubDate>
			<description>Security experts say that misconfigured DSL and cable modems are worsening a well-known DNS problem, making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims. 
 
According to research set to be released shortly, part of the problem is blamed on the...</description>
			<content:encoded><![CDATA[<div>Security experts say that misconfigured DSL and cable modems are worsening a well-known DNS problem, making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims.<br />
<br />
According to research set to be released shortly, part of the problem is blamed on the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an &quot;open recursive&quot; or &quot;open resolver&quot; system. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox, the DNS appliance company that sponsored the research. &quot;The two leading culprits we found were Telefonica and France Telecom,&quot; he said.<br />
<br />
In fact, the percentage of DNS systems on the Internet that are configured this way has jumped from around 50 percent in 2007, to nearly 80 percent this year, according to Liu.<br />
<br />
Though he hasn't seen the Infoblox data, Georgia Tech Researcher David Dagon agreed that open recursive systems are on the rise, in part because of &quot;the increase in home network appliances that allow multiple computers on the Internet.&quot;<br />
<br />
&quot;Almost all ISPs distribute a home DSL/cable device,&quot; he said in an e-mail interview. &quot;Many of the devices have built-in DNS servers. These can sometimes ship in 'open by default' states.&quot;<br />
<br />
Because modems configured as open recursive servers will answer DNS queries from anyone on the Internet, they can be used in what's known as a DNS amplification attack.<br />
<br />
In this attack, hackers send spoofed DNS query messages to the recursive server, tricking it into replying to a victim's computer. If the bad guys know what they're doing, they can send a small 50 byte message to a system that will respond by sending the victim as much as 4 kilobytes of data. By hitting several DNS servers with these spoofed queries, attackers can overwhelm their victims and effectively knock them offline.<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206398/dns-hole-leads-to-more-ddos-attacks/?olo=rss" target="_blank">http://news.techworld.com/security/3...tacks/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/432406-dns-hole-leads-more-ddos-attacks.html</guid>
		</item>
		<item>
			<title>Apple Safari gets security fix in update</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/431516-apple-safari-gets-security-fix-update.html</link>
			<pubDate>Fri, 13 Nov 2009 21:52:07 GMT</pubDate>
			<description><![CDATA[Apple has issued its second security update in three days, patching seven vulnerabilities in Safari, including one in the Windows version that the company fixed two months ago for most Mac users. 
 
But unlike the operating system security update issued Monday, which didn't deliver patches for Mac...]]></description>
			<content:encoded><![CDATA[<div>Apple has issued its second security update in three days, patching seven vulnerabilities in Safari, including one in the Windows version that the company fixed two months ago for most Mac users.<br />
<br />
But unlike the operating system security update issued Monday, which didn't deliver patches for Mac OS X 10.4, aka Tiger, Wednesday's upgrade applies to users running Safari on that 2005 operating system.<br />
<br />
Apple traditionally stops providing security updates for its oldest still-supported OS several months after the release of a new edition, but apparently will continue supporting Safari on Tiger.<br />
<br />
Of the seven holes that Safari 4.0.4 plugs, six apply to the little-used Windows version of the browser, six affect Tiger, but just three impact Mac OS X 10.5 and 10.6, Leopard and Snow Leopard, respectively.<br />
<br />
Only two of the vulnerabilities were accompanied by Apple's &quot;may result in arbitrary code execution&quot; phrasing, its way of noting that the bugs are serious and, if exploited, could let attackers hijack a machine. Both of those critical vulnerabilities affect the Windows edition of Safari only.<br />
<br />
The remaining five bugs included ones that could crash Safari, let hackers grab information from the targeted system and enable cross-site scripting attacks, which are often used by identity thieves.<br />
<br />
Three of the seven flaws were in the WebKit rendering engine, the open-source foundation of Safari.<br />
<br />
Apple also patched vulnerabilities in Safari for Windows and Tiger that were fixed for other versions of the Mac operating system as long ago as Sept. 10. One was patched for Leopard users in the 2009-005 security update, which was released on that date, while another was addressed Monday in the 2009-006 update for Leopard and Snow Leopard.<br />
<br />
Safari last received a security update in mid-August, when Apple plugged six security holes, four of them critical.<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206327/apple-safari-gets-security-fix-in-update/?olo=rss" target="_blank">http://news.techworld.com/security/3...pdate/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/431516-apple-safari-gets-security-fix-update.html</guid>
		</item>
		<item>
			<title>Fortinet detects increase in malware levels</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/431515-fortinet-detects-increase-malware-levels.html</link>
			<pubDate>Fri, 13 Nov 2009 21:51:18 GMT</pubDate>
			<description>Fortinet, a network security provider and unified threat management (UTM) solutions specialist, has observed the highest level of total malware detected in more than a year. 
 
According to its October 2009 Threatscape report, the level of total malware detected was four times greater than detected...</description>
			<content:encoded><![CDATA[<div>Fortinet, a network security provider and unified threat management (UTM) solutions specialist, has observed the highest level of total malware detected in more than a year.<br />
<br />
According to its October 2009 Threatscape report, the level of total malware detected was four times greater than detected in September. Scareware tactics hit an all-time peak last month and the attacks were very severe.<br />
<br />
Frequency of these attacks has increased and they are occurring faster and harder than ever. A glance at the top 10 malware list shows that as many as seven malware variants point back to scareware. Researchers also observed recent scareware campaigns in the form of botnets and corrupted advertisements.<br />
<br />
Fortinet's October Threatscape report reveals that scareware dominated October in the form of rogue security software, posing as the security suite AntiVirus Pro 2010. The damage is done in many ways.<br />
<br />
Unsuspecting users can be encouraged to buy software that can harm their PCs and open them to cyber criminals. This kind of scareware activity has pushed the pesky Virut and Netsky out of the top 10 malware list for the first time in more than a year.<br />
<br />
A combination of the Trojan downloader Bredolab and scareware downloaders has taken users by surprise. Bredolab reports to its network to get the latest components to download, and in October it downloaded the AntiVirus Pro 2010 installers. According to the report, Bredolab was also linked to the ZBot keylogger through this download chain.<br />
<br />
This nefarious alliance means users have to protect themselves from an information-siphoning Trojan and a scareware product. The researchers detected two main Bredolab variants this month: W32/Bredo.G and W32/Bredolab.X. These were included in fake DHL invoice spam campaigns.<br />
<br />
<br />
<b>Software downloaders are prime target</b><br />
Threat statistics and trends for October were compiled by FortiGuard Labs based on data collected from FortiGate network security appliances and intelligence systems in production worldwide.<br />
<br />
Scareware topped the malware chart in October, and the researchers say the high threat levels are in part due to the money-making affiliate programmes that promise participants a pay-out on each software download purchased. Tools and kits are readily available to participating affiliates, accelerating the distribution of scareware and other malicious components.<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206322/fortinet-detects-increase-in-malware-levels/?olo=rss" target="_blank">http://news.techworld.com/security/3...evels/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/431515-fortinet-detects-increase-malware-levels.html</guid>
		</item>
		<item>
			<title>Flash flaw affects nearly every web user say researchers</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/431514-flash-flaw-affects-nearly-every-web-user-say-researchers.html</link>
			<pubDate>Fri, 13 Nov 2009 21:49:59 GMT</pubDate>
			<description><![CDATA[Hackers can exploit a flaw in Adobe's Flash to compromise nearly every interactive website, according to security researchers. 
 
"The magnitude of this is huge," said Mike Murray, the chief information security officer at Foreground Security. "Any site that allows user-uploadable content is...]]></description>
			<content:encoded><![CDATA[<div>Hackers can exploit a flaw in Adobe's Flash to compromise nearly every interactive website, according to security researchers.<br />
<br />
&quot;The magnitude of this is huge,&quot; said Mike Murray, the chief information security officer at Foreground Security. &quot;Any site that allows user-uploadable content is vulnerable, and most are not configured to prevent this.&quot;<br />
<br />
The problem lies in the Flash ActionScript same-origin policy, which is designed to restrict a Flash object to accessing content only from the domain it originated from, added Mike Bailey, a senior security researcher at Foreground. Unfortunately, said Bailey, if an attacker can deposit a malicious Flash object on a website - through its user-generated content capabilities, which typically allow people to upload files to the site or service - they can execute malicious scripts in the context of that domain.<br />
<br />
&quot;This is a frighteningly bad thing,&quot; Bailey said. &quot;How many websites allow users to upload files of some sort? How many of those sites serve files back to users from the same domain as the rest of the application? Nearly every one of them is vulnerable.&quot;<br />
<br />
Bailey, who demonstrated how attackers could compromise a website and attack users in a post today on Foreground's blog, outlined how a hacker would leverage the Flash flaw. &quot;It's relatively simple,&quot; he maintained. &quot;All they need to do is create a malicious Flash object, and upload it to the [Web] server.&quot;<br />
<br />
He used the example of a company that lets users upload content to a message forum to explain the process. &quot;If the user forum lets people upload an image for their avatar, someone could upload a malicious Flash file that looks like an avatar image,&quot; Bailey said. &quot;Anyone who then views that avatar would be vulnerable to attack.&quot;<br />
<br />
Adobe has told Foreground that the flaw is &quot;unpatchable,&quot; Murray and Bailey said. Instead, Adobe is trying to educate site administrators to close the hole on their end. But they've not had much success.<br />
<br />
&quot;Some of the big web properties have figured this out,&quot; said Bailey. &quot;In a lot of cases, they're hosting user-generated content on another domain, perhaps for performance reasons.&quot; Among those sites and services that have locked down their servers, Foreground cited Microsoft's Windows Live Hotmail and Google's YouTube. &quot;But very few system administrators are even aware of this,&quot; Bailey added.<br />
<br />
Even some of Adobe's web properties are vulnerable to such an attack. &quot;How can Adobe expect others to protect themselves when they can't do it themselves?&quot; asked Murray.<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206292/flash-flaw-affects-nearly-every-web-user-say-researchers/?olo=rss" target="_blank">http://news.techworld.com/security/3...chers/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/431514-flash-flaw-affects-nearly-every-web-user-say-researchers.html</guid>
		</item>
		<item>
			<title>Microsoft probing Windows 7 zero day bug</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/431162-microsoft-probing-windows-7-zero-day-bug.html</link>
			<pubDate>Thu, 12 Nov 2009 21:06:00 GMT</pubDate>
			<description><![CDATA[A day after Microsoft plugged more than a dozen holes in its software, a security researcher unveiled a new unpatched bug in Windows 7 and Server 2008 R2 that, when exploited, locks up the system, requiring a total shutdown to regain control. 
 
Microsoft acknowledged that it's investigating the...]]></description>
			<content:encoded><![CDATA[<div>A day after Microsoft plugged more than a dozen holes in its software, a security researcher unveiled a new unpatched bug in Windows 7 and Server 2008 R2 that, when exploited, locks up the system, requiring a total shutdown to regain control.<br />
<br />
Microsoft acknowledged that it's investigating the flaw.<br />
<br />
Laurent Gaffie posted details of the vulnerabilities, along with proof-of-concept exploit code, to the Full Disclosure security mailing list today, as well as to his personal blog. The attack code, said Gaffie, crashes the kernel in Windows 7 and its server sibling, Windows Server 2008 R2, triggering an infinite loop.<br />
<br />
&quot;No BSOD [Blue Screen of Death], you gotta pull the plug,&quot; Gaffie said in notes inserted into the exploit code.<br />
<br />
Gaffie claimed that the exploit, powered by a vulnerability in the new operating systems' implementation of SMB (Server Message Block), could be successfully launched from within a network from an already compromised computer, or used to attack Windows 7 machines via Internet Explorer (IE) by transmitting a rogue SMB packet to the PC.<br />
<br />
Unlike more serious flaws, the Windows 7 SMB bug cannot be used by attackers to hijack a PC, Gaffie confirmed. &quot;No code execution, but a remote kernel crash,&quot; he said in an e-mail today.<br />
<br />
Gaffie also said that Microsoft's security team has acknowledged the vulnerability, which he first reported to them last weekend, but was told by the company that it wasn't planning to fix the flaw with a security update, instead perhaps correcting it in the first service packs for Windows 7 and Server 2008 R2.<br />
<br />
A Microsoft spokesman confirmed that the company is looking into Gaffie's claims. &quot;Microsoft is investigating new public claims of a possible denial-of-service vulnerability in Windows Server Message Block,&quot; said the spokesman in an e-mail reply to questions. &quot;Once we're done investigating, we will take appropriate action, [which] may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.&quot;<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206229/microsoft-probing-windows-7-zero-day-bug/?olo=rss" target="_blank">http://news.techworld.com/security/3...y-bug/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/431162-microsoft-probing-windows-7-zero-day-bug.html</guid>
		</item>
		<item>
			<title>Hackers to exploit Windows bug say researchers</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/431160-hackers-exploit-windows-bug-say-researchers.html</link>
			<pubDate>Thu, 12 Nov 2009 21:02:57 GMT</pubDate>
			<description>Hackers are going to exploit the Windows kernel bug, patched by Microsoft this week, sooner rather than later, said security researchers. 
 
The bug is in the Windows kernel, the heart of the operating system. The kernel improperly parses Embedded OpenType (EOT) fonts, a compact form of fonts...</description>
			<content:encoded><![CDATA[<div>Hackers are going to exploit the Windows kernel bug, patched by Microsoft this week, sooner rather than later, said security researchers.<br />
<br />
The bug is in the Windows kernel, the heart of the operating system. The kernel improperly parses Embedded OpenType (EOT) fonts, a compact form of fonts designed for use on web pages that can also be used in Microsoft Word and PowerPoint documents.<br />
<br />
Microsoft rated the flaw as &quot;critical,&quot; its highest threat rating, and gave the bug an exploitability ranking of &quot;1,&quot; which means it expects a working exploit to appear in the next 30 days.<br />
<br />
Outside researchers expect it much sooner than that. &quot;An exploit will appear sooner rather than later,&quot; said Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. &quot;The target is Internet Explorer, and browsing is the number one attack vector in the world right now. Users can be infected simply by browsing to a [malicious] site.&quot;<br />
<br />
Another researcher said an exploit may be imminent. HD Moore, the creator of the popular open-source Metasploit penetration testing framework and the chief security officer for security firm Rapid7, said he was already working on an exploit for the flaw. &quot;I'm pretty close to having one working,&quot; Moore said.<br />
<br />
The bug will be extremely attractive to hackers, Moore maintained, and not simply because it can be exploited in a classic &quot;drive-by&quot; attack that can silently hijack an unpatched Windows 2000 or Windows XP system when users visit a compromised or malicious website. On Vista, a successful exploit would give the attacker additional access to the machine, but could not be used to inject malware, Microsoft said.<br />
<br />
&quot;An EOT file can use both compression and encryption,&quot; noted Moore, referring to the font format that hackers will use to exploit the bug. Because the file can be compressed and encoded, most antivirus software will have a difficult, if not impossible, time detecting whether a web page's fonts are being used to launch attacks. &quot;They will blow past any line of user protection,&quot; he said.<br />
<br />
And since the EOT file is rendered at the kernel level, not by Internet Explorer (IE) itself, browser-based defenses won't help. &quot;There's no JavaScript required for an exploit,&quot; Moore said, talking about the scripting language that's a popular tool for hackers who target browsers. Those kinds of attacks can be deflected by restricting JavaScript, or disabling it entirely.<br />
<br />
On Vista PCs, IE7's and IE8's &quot;sandbox,&quot; which is designed to prevent attack code from escaping the browser and worming its way into, say, the operating system, also will be useless, Moore said.<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206195/hackers-to-exploit-windows-bug-say-researchers/?olo=rss" target="_blank">http://news.techworld.com/security/3...chers/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/431160-hackers-exploit-windows-bug-say-researchers.html</guid>
		</item>
		<item>
			<title>Mega-D spam botnet targeted by security firm</title>
			<link>http://www.techsupportforum.com/security-center/computer-security-news/430805-mega-d-spam-botnet-targeted-security-firm.html</link>
			<pubDate>Wed, 11 Nov 2009 20:17:46 GMT</pubDate>
			<description>A computer security company known for battling botnets moved last week to try to shut down a persistent spam player. 
 
FireEye, a California company that makes security appliances, had been tracking a botnet called Mega-D or Ozdok. Mega-D, which is a network of hacked computers, has been responsible...</description>
			<content:encoded><![CDATA[<div>A computer security company known for battling botnets moved last week to try to shut down a persistent spam player.<br />
<br />
FireEye, a California company that makes security appliances, had been tracking a botnet called Mega-D or Ozdok. Mega-D, which is a network of hacked computers, has been responsible for sending more than four percent of the world's spam, according to M86 Security. Many of the computers that make up Mega-D are infected home PCs.<br />
<br />
Mega-D is one of several botnets that have implemented advanced technical measures to ensure its owners don't lose control of the hacked PCs. The hackers use command-and-control servers to issue instructions to the zombie PCs, such as when to run a spam campaign.<br />
<br />
In the case of Mega-D, the hacked PCs will look for certain domain names in order to download instructions, wrote Atiq Mushtaq of FireEye on the company's blog. If those domains aren't active -- they are often shut down by ISPs if they're associated with abuse -- Mega-D machines will look for custom DNS (Domain Name System) servers to find live domains.<br />
<br />
If that also fails, Mega-D is programmed to generate a random domain name based on the current date and time, Mushtaq wrote. When the hackers register the domain name, the infected machines can visit there to get new instructions.<br />
<br />
Mega-D's mechanisms to ensure it stays alive have made it difficult for security companies. &quot;Unless someone is committed enough to pre-register those domains, the bot herders can always come forward and register those domains and take the botnet control back,&quot; Mushtaq wrote.<br />
<br />
<br />
<a href="http://news.techworld.com/security/3206108/mega-d-spam-botnet-targeted-by-security-firm/?olo=rss" target="_blank">http://news.techworld.com/security/3...-firm/?olo=rss</a></div>

]]></content:encoded>
			<category domain="http://www.techsupportforum.com/security-center/computer-security-news/">Computer Security News</category>
			<dc:creator>Glaswegian</dc:creator>
			<guid isPermaLink="true">http://www.techsupportforum.com/security-center/computer-security-news/430805-mega-d-spam-botnet-targeted-security-firm.html</guid>
		</item>
	</channel>
</rss>
