Month of January
Major Hits
Billy Rios brought up a neat way to bypass Flash's local-system sandbox. To get the local files from the hard drive to an external server, he needed to use a non-blacklisted protocol handler. His PoC shows how the MHTML protocol handler can break the strongly defined restrictions that Adobe Flash has. As the method looked so cute, somebody got inspired and successfully tried the same protocol against Microsoft too.
We had at least two more victims of malicious hacking this month. Lush left their customers vulnerable to credit card fraud for several months, and Trapster leaked more than 10 million registered users' details. Sometimes being warned about speed cameras is not actually that valuable.
On 27th January 2011 the world blacked out. At least for Egypt. All communication channels were suspended by the national government in an apparently desperate effort to block political protests. More than 80 million people stopped communicating. You should probably book holidays in a different location this year.
Open source software development and distribution portal SourceForge was hit by a major attack. This action exploited several of their servers and many others have been shut down proactively. It looks like "you-know-who" does not like open source at all. Who is "you-know-who" though?
Unlike the Egyptian government, Tunisia apparently decided to keep their communications on but intercept all user names and passwords for the major Web 2.0 portals, including Gmail, Facebook, and Yahoo. Injected code was found on all of the mentioned Web sites "siphoning off login credentials". One government rules them all. By the way, Tunisia is not the greatest destination for this year either.
Amazon was apparently mimicking Gawker. A failing security implementation caused issues with older Amazon.com accounts' passwords, making them case-insensitive or allowing extra characters to be appended. So a password "protected" was the same as "PROTECTED" or, even better, as "ProtecTED1234" and so forth. This applied to older accounts only, so simply changing your password to a new one (or even the same one) makes things much more secure. Have you been with Amazon for a long time now? Go and change your password "just for fun".
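As an added illustration (not Amazon's code, and the page does not say what the real cause was), this constructs a legacy password scheme that upper-cases and truncates the password before hashing, which is one assumed mechanism that reproduces exactly the behaviour described above, next to a modern verifier and the "re-hash on next login" upgrade that the advice to change your password amounts to:

```python
import hashlib
import hmac
import os

# Constructed example, not Amazon's code. The legacy scheme is ASSUMED here to
# upper-case and truncate the password to 8 characters before hashing, which
# makes "protected", "PROTECTED" and "ProtecTED1234" verify as the same secret.
LEGACY_TRUNCATE = 8
PBKDF2_ROUNDS = 100_000  # illustrative work factor, kept small to run quickly


def legacy_hash(password: str, salt: bytes) -> bytes:
    # The normalisation is the defect: case and anything past 8 chars is lost.
    normalised = password.upper()[:LEGACY_TRUNCATE].encode()
    return hashlib.sha256(salt + normalised).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    # The exact password bytes go into a slow KDF; no normalisation at all.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(password: str, scheme: str = "modern") -> dict:
    """Create a stored credential under either scheme (constructed store)."""
    salt = os.urandom(16)
    h = legacy_hash(password, salt) if scheme == "legacy" else modern_hash(password, salt)
    return {"scheme": scheme, "salt": salt, "hash": h}


def verify(record: dict, password: str) -> bool:
    """Constant-time check of a password against whichever scheme the record uses."""
    fn = legacy_hash if record["scheme"] == "legacy" else modern_hash
    return hmac.compare_digest(fn(password, record["salt"]), record["hash"])


def login(record: dict, password: str) -> bool:
    """Check the password and, if the account is still on the legacy scheme,
    re-hash it in place: the 'set your password again' fix, done automatically
    at the next successful login. Caveat: whichever variant the user typed
    (e.g. "PROTECTED") becomes the exact password from then on."""
    ok = verify(record, password)
    if ok and record["scheme"] == "legacy":
        record.update(make_record(password, "modern"))
    return ok
```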
Web 2 dot uh oh
A slew of malicious attacks swept through Facebook this month. A worm, disguised as a photo viewer application, tricked users into installing the malware when the "View Photo" button was clicked. Koobface is making its rounds once more, employing a couple of new tactics as a new campaign spread using compromised accounts to send out direct messages. French President Nicolas Sarkozy and Facebook CEO Mark Zuckerberg's fan pages were apparently hacked and were used to distribute unusual political messages.
Facebook celebrated Data Privacy Day by offering its users the option to enable HTTPS connections. They also introduced Social Authentication, a concept very similar to Image CAPTCHA, but instead of using dictionary images, this feature uses actual pictures of a user's Facebook friend and asks him or her to name that person.
Malware authors abused Google's redirection service, goo.gl, in their Twitter worm campaign which ultimately redirects users to fake AV sites.
Browser and friends
Google Chrome has fixed multiple vulnerabilities in stable channel versions prior to 8.0.552.237. These vulnerabilities include a stack corruption vulnerability in the PDF renderer component, two memory corruption vulnerabilities in the Vorbis decoder, and a video frame size error resulting in a bad memory access.
The VirusTotal Web site released a plugin for Firefox named VTzilla. It allows users to scan downloads directly with VirusTotal's Web application before storing them. Moreover, it will not only scan files, but also URLs.
Apple fixed a man-in-the-middle vulnerability in OS X 10.6. A specially formatted string in PackageKit's handling of distribution scripts may cause an unexpected application termination or arbitrary code execution.
Microsoft
The start of 2011 feels a bit far away by now but it was just the start of the year that unleashed a new zero day vulnerability in Microsoft’s Graphical Rendering Engine (CVE-2010-3970). The exploit takes advantage of the way thumbnails or previews are processed and presented to the user by Explorer.exe and can be triggered by crafting an exploit file and sending it to a target (the victim must view the file in a folder where thumbnails or previews are set). The security hole hasn't been patched yet and was added to the Metasploit framework.
January’s patch Tuesday brings an end to 3 major security holes in two released updates. One critical update fixes two issues in Microsoft Data Access Components (MDAC) where one of them could allow taking over a targeted system by visiting a specially crafted Web page (MS11-002). The second update fixes an issue in Microsoft Backup Manager where opening a legitimate remote Windows backup manager file can load a specially crafted malicious library – if located in the same directory (MS11-001). No attacks for any of the updates have been spotted in the wild. There are two holes in Windows that are yet to be patched, the mentioned vulnerability in Microsoft’s Graphical Rendering Engine and a vulnerability in Internet Explorer’s Cascading Style Sheets (CVE-2010-3971). We alerted on both vulnerabilities here and here. If you're wondering why Microsoft didn’t release a patch for those two holes in January’s patch Tuesday despite the fact that they have publicly available proof-of-concept code, how they prioritize patches is explained in their Research and Defense blog.
The end of January brings a vulnerability in Windows: this time it’s not remote code execution but a vulnerability in the MHTML protocol handler that could allow “information disclosure”. This effectively means that the MHTML protocol could be used to perform an XSS attack on the local machine when a user opens an HTML file with Internet Explorer (any version of it). More details on a workaround to prevent this attack and some examples are in the Microsoft Security Research and Defense blog.
Some good news for Microsoft as it released some updates to its secure development tools suite. One of the tools is called “Attack Surface Analyzer” which aims to give security professionals a clear picture of an installed application's changes to the system, allowing them to determine any security implications. It does that by “diffing” the state of the system before and after the application is installed. The tool is in Beta and available for 64-bit versions of Windows only. More details about the tool here.
Hello ThreatSeeker. You've got mail!
Just when we thought it was all over! In contrast to the previous month, spam might have taken a short vacation but it sure is not a permanent one.
January saw the Return Of The Spam, and we managed to draw the conclusion that as long as there is a profit to be made with spamming, spammers will always be around. The blip and consequently the drop in spam was short-lived, although we can just about conclude spammers like the holidays just as the rest of us do.
January also saw the awakening of Waledac, which seemed to have gone offline for a few days until apparently a new set of instructions was received from the C&C to wake up. Monitoring the behavior after the bot awoke showed this was geared to send out spam marketing the magic blue pill.
Towards the end of the month, we noticed within our ThreatSeeker network that spammers are quite up to date, having capitalized on the deadline for self assessment tax within the UK and similarly for filing tax returns in the USA.
Security Trends
An Android Froyo (2.2) vulnerability reported by Thomas Cannon last year should have been fixed by now. However, Xuxian Jiang proved that it is still present even with the newest Android Gingerbread (2.3). The data stealing exposure is not that great but still worrying enough to keep the browser far away from unknown sites.
The BlackBerry Attachment Service got hit with a critical PDF flaw. When a specially crafted PDF file is opened on a smartphone which has an association to the mentioned server, it can cause an unexpected process termination and arbitrary code execution. PDF complexity is haunting more than the Windows and MacOS platforms.
Allegedly several major Web sites (gov, mil, edu) have been hacked and put up for sale by a hacker claiming to be from the Anonymous group. Most likely SQL injections put more than a dozen such Web sites into a vulnerable position, freely offering credentials and personal data to interested parties. Did you want to easily get accepted to a university?
Shortly after Mozilla announced support for the "Do-Not-Track" mechanism, allowing users to choose what data they want collected about their browsing habits and preferences, Google also released a Chrome extension letting users opt out of tracking cookies from different ad networks. The end of targeted ads on the Internet? We wish so.
When all legitimate services evolve, the same has to be done by fraudsters to remain "in the game". After targeting most major online banks, ZeuS creators started to adjust their "state of the art" for online payment providers too. Money Bookers, Nochex, Netspend and also E-gold became further victims of this infamous malware. Are we going to use cash once again?
German security researcher Thomas Roth claims to have hacked into WPA-PSK protected Wi-fi networks using Amazon EC2 cloud services and a specialized program written by him. The worries over the cloud possibilities are becoming true.
Java trojans targeting Windows, Mac, and Linux computers at the same time are becoming a new trend among cybercriminals. Jnanabot is one of the latest. Do you really use Java on your computer?
This month's roundup contributors:
Ivan Sabo
Mary-Grace Timcang
Lei Li
Elad Sharf
Amon Sanniez