Month of November
Amnesty International's Web site in Hong Kong was compromised and was attempting to infect its visitors using various exploits for Adobe Flash, Adobe Shockwave, Apple Quicktime, and even the latest zero-day for Internet Explorer. In other parts of Asia, India's number 1 financial portal (moneycontrol.com) was also compromised and injected with a malicious iframe.
Malicious hackers capitalized on important local and global events, such as midterm elections (US), Veteran's Day (US), and Prince William's engagement (UK), to infect more Web users via poisoned search engine results. This scam is of the usual garden variety: fake antivirus Web sites, or sites offering fake Adobe updates and fake Firefox updates, which prompt a user to download an .exe file that is really malware.
Web 2 dot uh oh
Google recently launched "Google Instant Previews," a new service that aims to give Google-rs a bird's eye view of what the site they are about to visit looks like. This service should initially protect users against unwanted content, but our research proves that it could mislead users when snapshots used in the service are not as current as assumed.
Social engineering is the game in Facebook this month. Our Defensio Facebook App spotted scam wall posts containing a link that attempts to post on the victim's behalf. Phishing messages claiming to be from Facebook Security warn that a user account will be deactivated unless it's reconfirmed. The phishing page itself is either loaded from within Facebook via iframe or redirected from the link provided in the message.
Browser and friends
Adobe released a security update for Adobe Flash Player in early November. Eighteen security holes have been patched, including vulnerability CVE-2010-3654, which is a zero-day vulnerability in the wild found in October.
Another zero-day vulnerability (CVE-2010-4091) has been identified in Adobe Reader 9.4 (and earlier versions) and Adobe Acrobat 9.4 (and earlier versions). A proof of concept has been published that it could lead to a Denial of Service, although that has not been demonstrated. Arbitrary code execution may be possible. Adobe patched the hole in 2 weeks; the security update is here.
A vulnerability in Shockwave Player has been discovered. Successful exploitation allows the execution of arbitrary code, but a user must be tricked into opening the "Shockwave Settings" window when viewing a Web page.
Google patched several high-risk vulnerabilities in Chrome 7.0.517.44. A $7500 award was paid out of Google's new vulnerability reward program.
A Denial of Service vulnerability has been found in Firefox 3.6.12. The proof of concept is published here.
The recent security update for Safari 5.0.3 and 4.1.3 contains 27 patched vulnerabilities. More than 40 vulnerabilities have been patched in iOS 4.2. Click here for details.
This month's round of "Black Tuesday" Microsoft patches was rather light, but contained fixes for some particularly severe issues.
On the unpatched side, Windows is currently vulnerable to 2 known privilege escalation exploits, one of which was found in a kernel API, allowing users to bypass user account control (UAC) entirely. The second, an exploit originally used in StuxNet, attacked the Windows Task Scheduler.
Internet Explorer once again finds itself host to an actively exploited bug (CVE-2010-3962) caused by a dereferencing error.
Hello ThreatSeeker. You've got mail!
An increase in the number of phishing emails has been a focal point over the course of this month. Most of them seem to be directed attacks at Email Service Providers (ESPs) in order for the attackers to gain access to "industry-grade email deployment systems" to do their bidding. Spear-phishing, as it is known to most, is on the rise with several of these messages having the look and feel of legitimate requests to the unsuspecting user. Like most of the email campaigns reported in the past, the format is usually the same: A user is lured into clicking a link within an email or to open an attachment, which results in the machine being infected.
Also in this month, with the release of the new, improved version of Adobe Reader, came the recycled phishing email messages enticing and advising users to upgrade their readers to the newer version with all the bells and whistles. As reported in Lenny Zeltser's blog, the format of these messages did not change much. These types of email messages are not new, although it is interesting to note that cyber-criminals are keeping abreast of current changes and news and taking advantage of them.
A new version of the GpCode ransomware has been detected, using RSA-1024 and AES-256 as crypto-algorithms. It is now stronger than before, because it overwrites data in the files instead of deleting it after encryption, so users cannot get data back by using data-recovery software.
Google announced an experimental new vulnerability reward program that applies to Google Web properties. Google said it would pay the bounty for any serious bug that “directly affects the confidentiality or integrity of user data.”
Adobe released the Reader X version on November 19, 2010. A built-in sandbox feature has been implemented to contain the damage from potentially malicious PDF files. Adobe's blog posted a multi-part series about the new sandboxing technology used in the Adobe Reader.
A security researcher named Nitesh Dhanjani has discovered that a rogue Web site, or a Web site whose client code may have been compromised by a persistent XSS, can pull the user out of the Safari browser in iOS. A malicious Web site can initiate a phone call without the user's explicit permission with the us of insecure handling of URL Schemes. He also discusses a particular UI Spoofing behavior of Safari on iPhone, The consequence of full screen apps in iOS using UIWebView as the default Web browser on iPhone means the UI can display the fake URL bar on a page while the real URL bar is hidden.
This month's roundup contributors:
- Jay Liew
- Lei Li
- Grace Timcang
- Ulysses Wang
- Amon Sanniez
- Paul Westin