Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Latest Blog Posts


SSL - a FREAKishly long existence

Posted: 04 Mar 2015 02:00 AM | Tamas Rudnai | no comments


SSL, widely adopted and living on borrowed time, has clearly had a rough year. After Heartbleed, Poodle, and many other high-profile vulnerabilities comes FREAK (Factoring attack on RSA-EXPORT Keys), which at the time of publication of this blog breaks approximately 36% of all sites trusted by browsers, as per this link, including websites belonging to the NSA and FBI. About 12% of highly ranked Alexa websites are also believed to be vulnerable to the flaw at this time, thereby placing visitors to these sites at high risk.

Exposure and Impact

The vulnerability, discovered by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team, allows an active attacker to perform a man-in-the-middle attack by downgrading the encrypted connection between a vulnerable client and a server that accepts export-grade RSA keys to 512 bits. The captured key can then be factored using the public cloud in a matter of hours and then used to decrypt communication between the client and the server. Once the key has been compromised, all personal information, including passwords, financial data, etc., is at risk.

...


Angler Exploit Kit – Operating at the Cutting Edge

Posted: 05 Feb 2015 09:00 AM | AToro | no comments


As we promised in one of our previous blog posts about exploit kits (Nuclear EK), we are going to take a more in-depth look at Angler Exploit Kit. Angler EK is possibly the most sophisticated exploit kit currently used by cybercriminals. It has pioneered solutions that other exploit kits started using...

Another day, another zero-day – Internet Explorer's turn (CVE-2015-0072)

Posted: 05 Feb 2015 02:00 AM | Jose Barajas | no comments


Websense® Security Labs™ researchers are aware of a zero-day vulnerability affecting Internet Explorer that could allow a remote, unauthenticated attacker to bypass the Same-Origin Policy (SOP) to hijack the user’s session. The vulnerability is being called Universal Cross Site Scripting...


CVE-2015-0235 - how to handle the "GHOST" vulnerability affecting Linux distributions

Posted: 28 Jan 2015 03:15 AM | Carl Leonard | no comments


Websense® Security Labs™ are aware that a vulnerability has been identified in the GNU C Library that can lead to remote code execution under certain circumstances. The GNU C Library (glibc) is a core component of GNU systems and those with the Linux kernel; thus it has potential for a very...

Flash forward – Angler, here we come

Posted: 27 Jan 2015 02:40 AM | Tamas Rudnai | no comments


As mentioned in the post, “Happy Nucl(y)ear - Evolution of an Exploit Kit”, we were planning to discuss the Angler exploit kit in detail in an upcoming post. However, the exploitation of a critical Adobe Flash 0-day vulnerability (CVE-2015-0311, patched) via the Angler exploit kit has fast-tracked our efforts, and in this blog we present the strategy adopted by the exploit kit to evade detection of the 0-day by security scanners. 0-days are valuable commodities, and the longer they remain undiscovered, the more value they accrue for the attacker(s).

Just as defense-in-depth is used as a strategy in the protection scenario, layered obfuscation is its equivalent in the evasion scenario. The attacker is interested in adopting a defense-in-depth approach to protect his / her investment and get the most ROI from exploits. A parallel in the physical world is a medieval castle, which was protected by a system of multiple walls, so even when the external wall had been taken down by catapults, the so-called inner castle was still standing strong.

...


Flash 0-day being distributed by Angler Exploit Kit

Posted: 22 Jan 2015 04:41 AM | ngriffin | no comments


Websense is aware of a new zero-day vulnerability in Adobe Flash Player, which has been seen exploited in-the-wild by the Angler Exploit Kit. The exploit, as reported by security researcher Kafeine, is known to affect the latest 16.0.0.287 version of Flash Player and has been seen dropping a trojan...