Adobe races to patch zero-day vulnerability in Flash Player

September 26, 2010 by admin  
Filed under Security News

Adobe has issued a security advisory about an as-yet unpatched vulnerability in its popular Flash Player software, affecting users of Windows, Mac, Linux, Solaris and even Google Android.

 

The critical security hole could allow an attacker to take control of your computer and run malicious code.

 

The firm also confirmed that the vulnerability affects Adobe Reader 9.3.4 for Windows, Mac and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac. Acrobat and Reader are affected because both programs support Flash content embedded inside PDF files.

 

The new warnings follow closely after news last week of another vulnerability in Reader and Acrobat that was being exploited by malware authors.

 

Adobe has announced that an update for Flash Player tackling the latest vulnerability is expected to be available during the week of September 27, and an update for Acrobat and Reader will be available the following week.

 

Last month, Sophos blogger Chet Wisniewski interviewed Brad Arkin, Adobe’s Senior Director of Product Security and Privacy, about the firm’s security strategy and their upcoming sandboxing technology.

 

You can also download the interview directly in MP3 format.

 

 


 

Justin Bieber fans under fire in YouTube XSS attack

July 5, 2010 by admin  
Filed under Security News

If there are any breathless fans of Justin Bieber reading this – let me calm you straight away: Justin Bieber has not died in a car crash.

 

But you may have imagined that he did if you checked out some of his YouTube videos this long US Independence Day holiday weekend, or read one of the many internet rumours that spread over the last day or so.

 

A vulnerability in YouTube’s comment system was exploited widely this weekend, allowing mischief-makers to embed code through a cross-site scripting (XSS) flaw. And one of the things they did was post messages claiming that the teen pop sensation had died in a car crash.

 

Normally YouTube is smart enough to weed out offending code left in the comments left for videos, but it appears that the hackers found a way to waltz past the site’s defences.

 

Those watching YouTube videos of Justin Bieber and others could find their eyeballs assaulted by other prankish pop-ups and offensive messages or redirected to tasteless websites.

[Screenshot: hacked YouTube page]

It took about two hours before Google, YouTube’s parent company, got things under control.

 

XSS attacks are a serious problem, of course. Potentially they can fool unsuspecting users into handing over their login details (although this doesn’t appear to have happened on this occasion) or direct them to a malicious webpage.
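The defence the post alludes to (a comment system that "weeds out offending code") is, in practice, output encoding: untrusted comment text must be HTML-encoded before it is written into the page, so that whatever a commenter typed is displayed as text rather than parsed as markup. The following is an added example of that idea in JavaScript; it is not YouTube's code, and the comment records and the `escapeHtml`/`renderComment` helpers are constructed for this illustration.

```javascript
// Added example (not YouTube's code): render untrusted comment text safely by
// HTML-encoding it before it reaches the page, rather than relying on a filter
// to spot and strip "bad" markup. Encoding is what a comment renderer must do
// whether or not a filter in front of it catches every payload.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Encode the five characters that can change HTML structure. After this,
// the commenter's text is shown literally and never interpreted as a tag
// or an attribute.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup for one comment. Author and body are both untrusted input.
function renderComment(comment) {
  return (
    `<li class="comment">` +
    `<b>${escapeHtml(comment.author)}</b>: ` +
    `<span>${escapeHtml(comment.body)}</span>` +
    `</li>`
  );
}

// Constructed sample comments: one ordinary, one carrying markup of the kind
// a comment system has to neutralise.
const SAMPLE_COMMENTS = [
  { author: "fan123", body: "Best video ever <3" },
  { author: "prankster", body: '<img src=x onerror="alert(1)">' },
];

function renderAll(comments) {
  return "<ul>" + comments.map(renderComment).join("") + "</ul>";
}

// Defensive self-check: the rendered output must contain no tag other than
// the ones our own template emits. Any other tag means encoding was skipped.
function containsOnlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-z]+/gi) || [];
  return tags.every((t) => /^<\/?(ul|li|b|span)$/i.test(t));
}

if (typeof require !== "undefined" && require.main === module) {
  const html = renderAll(SAMPLE_COMMENTS);
  console.log(html);
  console.log("only template tags present:", containsOnlyTemplateTags(html));
}
```

The `containsOnlyTemplateTags` check is the kind of assertion worth keeping in a test suite for a templating layer: it catches a future change that concatenates user input without passing it through the encoder, which is exactly the class of mistake an XSS flaw in a comment system comes down to.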

 


 

The sexiest video ever? Facebook users hit by Candid Camera Prank attack (Video)

May 16, 2010 by admin  
Filed under Security Channel

 

Video Source : Websense Security Labs




Critical security updates from Microsoft and Adobe

May 12, 2010 by admin  
Filed under Security News

It was “Patch Tuesday” yesterday, which means another parcel of security updates for computer users to unwrap, and this time the fixes aren’t just from Microsoft, but from Adobe too.

 

First on the menu is Microsoft, which has served up two security bulletins detailing vulnerabilities that could be exploited by hackers to execute malicious code (such as a worm) on your computer.

 

The first of these security holes exists in Outlook Express, Windows Mail, and Windows Live Mail. Microsoft’s Security Research & Defense blog goes into some detail about the vulnerability, explaining that although the security hole is given a “critical rating” on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, it is considered less serious for Windows 7 users as Windows Live Mail is not installed by default on that platform.

 

The other patch from Microsoft addresses a vulnerability in Visual Basic for Applications, a component used by Microsoft Office and other third-party products. Microsoft has given this security update its highest possible rating – “Critical” – for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. It is also rated “Important” for all supported editions of Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System.

 

Next up is Adobe, which has released patches to squash over 20 security vulnerabilities in its Shockwave and ColdFusion products.

 

The critical vulnerabilities identified in Adobe Shockwave Player 11.5.6.606 and earlier versions impact both Windows and Macintosh users, and could allow attackers to run malicious code on your computer.

 

Adobe recommends that users update their version of Adobe Shockwave Player to version 11.5.7.609.

 

Details of the ColdFusion vulnerabilities, classed as “important”, are provided in Adobe Security Bulletin APSB10-11.

 

Enough of waffle. Download and install the patches if your computer is affected.

 

By Graham Cluley, Sophos

 

Critical Firefox security hole fixed – have you updated?

March 23, 2010 by admin  
Filed under Security News

Mozilla has responded to concern about a critical security vulnerability in Firefox 3.6, by releasing version 3.6.2 of its popular browser ahead of schedule.

 

Firefox 3.6.2 fixes a vulnerability first discovered by security researcher Evgeny Legerov last month, which could allow hackers to launch malicious code on users’ computers.

 

As I blogged yesterday, concern about the bug was so high that the likes of the German government had advised internet users to switch to an alternative browser until a fix from Mozilla was available (at the time that fix was not scheduled until March 30th).

 

However, concern about the severity of the security flaw encouraged Mozilla to bring the release forward.

 

If you are a Firefox 3.6 user, go to the Help menu and choose “Check for Updates” to update your installation of Firefox to the latest version. You can also visit www.getfirefox.com if you wish to download the full version.

 

I would also strongly recommend that all Firefox users consider using NoScript, the Firefox add-on that provides a higher level of protection by allowing you to choose which websites are allowed to run active content (such as JavaScript).

 

By Graham Cluley, Sophos

 

 

Windows and Mac users urged to update Safari

March 12, 2010 by admin  
Filed under Security News

Apple has released version 4.0.5 of its Safari browser, fixing a number of issues with its browser for Windows and Mac OS X including – most importantly – a grand total of 16 security vulnerabilities.

 

If you dilly-dally over updating your computer, it’s possible that hackers could exploit the security bugs – including some that could mean that simply visiting a webpage with a maliciously crafted image could lead to malicious code being automatically run on your computer.

 

Interestingly, one of the bugs (CVE-2009-2285) fixed in Safari 4.0.5 was announced and patched in Mac OS X 10.6.2 back in December 2009, and in Mac OS X 10.5 since January, meaning that Windows users of Safari have been vulnerable for over two months to the way their browser handles booby-trapped TIFF images.

 

But it doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website.

 

Safari users should practise safe computing, and update their systems as soon as possible.

 

By Graham Cluley, Sophos

 

 

Critical security update for Adobe Reader and Acrobat

February 19, 2010 by admin  
Filed under Security News

Adobe has issued a security bulletin urging users of its Adobe PDF Reader and Acrobat products to update their software before hackers take advantage of two critical vulnerabilities.

 

Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh are vulnerable to a flaw that could be exploited by hackers to make unauthorised cross-domain requests. This same vulnerability was revealed in Adobe Flash Player last week.

 

Meanwhile, another flaw could give hackers an opportunity to inject malicious code onto computers via vulnerable installations of Reader and Acrobat.

 

As we’ve mentioned many times before, it’s essential that you keep your installations of Adobe’s software up-to-date as they are increasingly being taken advantage of by hackers to launch attacks.

 

Adobe recommends users of Adobe Reader 9.3 and earlier versions for Windows, Macintosh and UNIX update to Adobe Reader 9.3.1 if possible. Similarly, Adobe Acrobat should be updated to version 9.3.1. It’s a shame, therefore, that Adobe’s Reader advisory makes such a bad job of linking to the right files.

 

For instance, the link it is giving for the Mac update actually links to a page full of Windows files:

[Screenshot: Adobe's Mac update link leading to a page of Windows files]

 

Hopefully Adobe will sort that out soon, and make it clearer where users can download the right patches for their operating system from. I, for one, am still finding it difficult to locate Adobe Reader 9.3.1.

 

By Graham Cluley, Sophos

 

 

Automatic Propagation of Malicious Code via HTTP

October 3, 2009 by admin  
Filed under Security News

We know that automating the propagation of malware is one of the basic objectives of any cyber criminal, regardless of the attack vectors and technologies used.

 

In this sense, the Internet has become the cradle of ever-changing malicious attack techniques that evolve daily. Several years ago it was hard to imagine that merely visiting a web page could pose a risk of infection, provided certain conditions were met on the system, mainly relating to operating system and application updates.


Today we find scripts whose instructions are crafted maliciously and form part of a propagation and infection cycle that is, unfortunately, very effective. A concrete example of not only evolution but also effectiveness is the Drive-by-Download technique together with its evolved Multi-Stage variant, widely used by botmasters to propagate threats.

 

The following is a real scenario that illustrates more clearly what I have been describing. It is a site hosted in the USA at the IP 66.116.197.186 in AS32392. A screenshot of the website is shown below.


[Screenshot of the website]

The domains hosted on that IP are:

  • phonester.biz
  • phonester.com
  • phonester.info
  • phonester.net
  • phonester.org


When the site is accessed from Windows, a script embedded in the HTML code automatically pops up a window offering to download Flash Player. It is obviously fake. The file being propagated is called “install_flash_player.exe” (abed2d16e5e4c3e369114d01dff4b19c) and has a low detection rate: only about 25% of antivirus engines detect this in-the-wild malware.

 

[Screenshot: fake Flash Player download prompt]

This automatic process is carried out, as I said, through a script, a capture of which is shown below. The problem is that the page gives the user no indication of malicious content; in fact, it contains no links, only an image.

[Screenshot: the embedded script]

 

Yet the script runs transparently and prompts the download of the fake Flash Player. And the issue does not end there. From a more technical standpoint, there are many details that are not difficult to grasp.

 

To begin with, deobfuscating the script yields a series of relevant data. The script contains iframe tags pointing to a range of websites from which other malicious files are downloaded:


  • diggstatistics.com/flash/pdf.php
  • diggstatistics.com/flash/directshow.php
  • diggstatistics.com/flash/exe.php


The downloaded files are “tylda.exe” (abed2d16e5e4c3e369114d01dff4b19c), which has a low detection rate (5/41, 12.20%), and “pdf.pdf” (9cc400edcdc5492482f5599d43b76c0c), with an equally low detection rate (13/41, 31.71%), designed to exploit vulnerabilities in Adobe Reader and Acrobat: the Adobe util.printf overflow (CVE-2008-2992) and Adobe getIcon (CVE-2009-0927) respectively.

 

Moreover, in the unlikely event that the file downloaded in the first instance (install_flash_player.exe) is executed, a connection is established to 174.120.61.126/~garynic/, from where the binary “coin.exe” (258c0083f051b88ea36d3210eca18dd7) is downloaded, also with a rather poor detection rate. This file is downloaded at random from:


  • digital-plr.com
  • giggstatistics.com
  • xebrasearch.com

 

[Image: phishing and malware activity history for the ASN]

With regard to the ASN hosting these threats, it has an interesting criminal history, as it has been used to carry out activities such as spreading malware and phishing. In the next image, the highest peak of phishing activity took place on 1 March 2009, while that of malicious code was on 12 September 2009.

That is, these activities are operated together, not in isolation. This information does not rule out that some botmaster's greed lies behind all these criminal activities, since the actions are typical of a botnet.

 

By Jorge Mieres from http://evilfingers.blogspot.com/