Shortcut zero-day attack code goes public

If you’ve been following Chet Wisniewski’s blog over the last few days you will already know about the serious zero-day vulnerability that has been found in versions of Windows.

 

Since confirmed by Microsoft, there exists a vulnerability in versions of Windows which allows a maliciously-crafted Windows shortcut file (.lnk) run a malicious DLL file, simply by being viewed on a USB stick.

 

Furthermore, the attack can be initiated automatically by viewing an affected USB storage device via Windows Explorer, even with AutoRun and AutoPlay are disabled. The Microsoft Security Response Center (MSRC) says that the security hole can also be remotely exploited via WebDAV and network shares.

 

You can watch the following YouTube video where Chet shows the attack in action:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

In this case, the DLL executed carries a rootkit – helping hide the infection from prying eyes.

 

What is of particular concern, of course, is that other malicious hackers might try to exploit the vulnerability – as it would certainly be a useful tool in any malware’s arsenal. The chances of that occurring has increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code onto the internet.

 

In the past we’ve seen worms (Conficker is perhaps the most famous example) spread successfully via USB devices, which prompted many firms to disable AutoPlay.

 

There is a real risk that more malware will take advantage of the zero-day exploit now the code is “out there”, taking things to a whole new level.

 

So far, Microsoft has not made a patch available for the problem and has given no timeline as to when a proper fix will be available. However, I’m sure they are feverishly working on a security update for this critical vulnerability.

 

Sophos detects the malware we’ve seen so far using the exploit as W32/Stuxnet-B and Troj/Cplink-A.

 

 

Read More…

 

German Government: Don’t use Firefox

The German government has advised computer users not to run Firefox and run an alternative browser instead, because of a critical security flaw.

 

The advice, which comes from BürgerCERT, part of the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI), recommends that computer users stop using Firefox until Mozilla releases a fix.

 

The reason why Germany is suggesting such seemingly drastic action is that there is a critical vulnerability in currently available versions of Firefox that could be exploited by hackers to launch malicious code on users’ computers.

For its part, Mozilla has acknowledged the security vulnerability, and advises that a patched version 3.6.2 of Firefox is scheduled to be available on March 30th.

 

Here is a rough translation (courtesy of Google Translate):

Recommendation
Because of the Mozilla Foundation, a privately disclosed vulnerability Bürger-CERT recommends the use of alternative browser until Mozilla has released Firefox version 3.6.2. The current release of Firefox 3.6.2 Plan provides for delivery on Tuesday 30 Before March 2010.

 

Description
There is an as yet unspecified vulnerability in Mozilla Firefox version 3.6. A remote attacker to execute using rigged websites the opportunity to inject malicious code in the context of the logged on user.

 

Security researcher Evgeny Legerov discovered the vulnerability last month, controversially making code which exploited it available to those who were prepared to pay. That’s not an approach which is likely to have won him many friends at Mozilla, who would much prefer that vulnerability researchers worked with them on responsible disclosure.

 

It must be an uncomfortable time for German web users too. After all, in January they were advised not to use Internet Explorer, and now they’re being told to keep a wide berth from Firefox until it’s fixed.

 

It’s certainly a lot easier for computer-savvy home users to leapfrog from browser to browser than companies.

 

Switching your web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it’s worth. For instance, imagine how much training some users will require to switch from one browser to another.

 

And it’s worth bearing in mind – what are you going to do when your replacement browser itself turns out to contain a vulnerability? Are you going to switch yet again?

 

My advice is to only switch from Firefox if you really know what you are doing with the browser you’re swapping to. If you stick with Firefox, apply the security update as soon as its available.

 

If you can’t wait – Mozilla says it has produced a release candidate build of Firefox 3.6.2 which already contains the fix (obviously it hasn’t been through their complete quality assurance process yet). You can download it from their website at https:/ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

 

By Graham Cluley, Sophos

 

 

Operation Aurora: Microsoft knew about Internet Explorer flaw for four months

On Thursday there were sighs of relief from all corners as Microsoft released a security patch for a vulnerability that had been exploited by hackers.

 

The patch fixed a critical zero-day vulnerability in versions of Internet Explorer that would have meant visiting a boobytrapped webpage could have infected your computer, opening a backdoor for remote hackers.

 

Nasty stuff, especially as it was being alleged that the security hole had been exploited by Chinese hackers who broke into the likes of Google and Adobe in an attack dubbed “Operation Aurora”.

 

Interestingly, details are now emerging that Microsoft was first told about the security hole early last September – a full four months before it hit the world’s headlines.

 

According to reports, Microsoft was informed about the security problem with its software (and the potential for hackers to take advantage of it) by security researcher Meron Sellen, and the company planned to roll-out a fix in a cumulative update for Internet Explorer scheduled for next month.

 

Now, if you were one of the high-tech, financial or miltary targets that are said to have been struck by the Chinese hackers you might be feeling a little bit miffed that Microsoft didn’t roll out its patch for this critical vulnerability sooner.

 

For their part, Microsoft may well feel that as the flaw primarily affected Internet Explorer 6 that such organisations should already have updated to a more secure version of their browser (such as version 8.0).

 

Is four months too long a time to fix a security hole of this severity? I’m not sure. One thing we have to bear in mind is that it can be very complicated developing and then testing a security patch to ensure that it works in all environments with multiple different versions of the software being patched.

 

I would rather a patch worked than was rushed out and caused more problems than the bug it was trying to solve.

 

The thing we should all be grateful for is that there is now a patch for Internet Explorer, meaning there really is no excuse for any company to be breached via this particular security hole again.

 

But if Microsoft knew about this critical security vulnerability four months ago, I wonder how many other security holes there are that they secretly know about, but we don’t have a clue about yet.

 

Oh, and don’t forget, there’s nothing to suggest that the hackers only exploited this Internet Explorer flaw. Chances are that they took advantage of a whole bunch of different weaknesses in different products, as well as some social engineering tricks, to break into computers inside the affected companies.

 

By Graham Cluley, Sophos

 

German Government: Don’t use Internet Explorer

The German government has advised computer users not to run Internet Explorer and run an alternative browser instead, because of a critical zero-day security flaw.

 

The advice, which came in the form of an official statement from the German Federal Office for Security in Information Technology (known as the Bundesamt für Sicherheit in der Informationstechnik or BSI) says that the as yet unpatched vulnerability is likely to be the same one blamed for hacker attacks on Google and other US companies last week.

 

The BSI advisory claims that although Microsoft’s advice to run Internet Explorer in ‘protected mode’ and disable Active Scripting makes it more difficult for hackers to attack, it does not completely prevent them.

Here is a rough translation (courtesy of Google Translate) of the BSI statement:

Critical vulnerability in Internet Explorer

BSI recommends the temporary use of an alternative browser
Bonn, 15.01.2010.

In Internet Explorer there exists a critical yet unknown vulnerability. The vulnerability allows attackers to inject malicious code via a specially crafted webpage into a Windows computer, in order to infiltrate and control computers. The past week has become known in the Hacker Attack on Google and other U.S. companies has probably exploited the vulnerability.

Affected are the versions 6, 7, and 8 of Internet Explorer on Windows XP, Vista and Windows 7. Microsoft has published a security advisory, in which it discusses ways of minimizing risk and is already working on a patch for the security hole. The BSI expects that this vulnerability will be used in a short time for attacks on the Internet.

Although running Internet Explorer in "protected mode" as well as disabling Acitve Scripting does make it more difficult to attack, it can not completely prevented. Therefore, the BSI recommends that users switch to an alternative browser while waiting for Microsoft's patch.

Once the vulnerability has been closed, the BSI on its warning and information service MayorCERT also informed. Keep informed about the civic-CERT and the BSI warns citizens and small and medium enterprises from viruses, worms and vulnerabilities in computer applications. The expert analysis of the BSI around the clock, the security situation in the Internet and send alerts when action is needed and safety information via E-mail.

 

The vulnerability means that a hacker could send you a message, perhaps pretending to be from a colleague or friend, and – if you clicked on a link in that email – your vulnerable installation of Internet Explorer would visit a malicious webpage infecting your Windows PC with a Trojan horse.

 

At that point the hackers could effectively grab control of your computer, with the potential of stealing company secrets, personal information or using it to spread spam or other attacks. The problem is that right now Microsoft doesn’t have a patch to fix their software.

 

Of course, the German government’s advice that internet users should switch to alternative browsers is unlikely to well received at Microsoft, and pressure is sure to grow on the company to release an “out-of-band” patch to resolve the security flaw as soon as possible.

 

With Google pointing the finger of blame for the attacks at China, it’s perhaps not surprising that the German government should be keen to ensure that its own computers (whether they be in government or industry) are not next in the firing line of hackers.

 

Alternative internet browsers such as Firefox, Safari and Opera have all suffered from security vulnerabilities in the past, of course.

 

You can read SophosLabs’s write-up on the Microsoft security flaw here, as well as further commentary by principal virus researcher Vanja Svajcer.

 

With all this talk about state-sponsored cyber-spying originating from China clearly spooking the German authorities, it’s perhaps a little ironic that the Germans themselves were accused of using the internet and malware to spy on another country a couple of years ago.

 

by Graham Cluley, Sophos

 

Critical flaws fixed in Firefox 3.5.4

If your a user of the Firefox web browser then it’s time to update your software again, as Mozilla has issued an important update that fixes a number of critical flaws.

 

In total, 16 vulnerabilities are patched in Firefox 3.5.4 – with 11 given the highest rating of “critical”. What does that mean? Well, according to Mozilla’s own website a “critical” vulnerability is one which “can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”

 

In other words, critical vulnerabilities can be used to invisibly install and run malicious code on your computer – such as a Trojan horse or worm.

 

As we revealed in the Sophos Threat Report [PDF] published earlier this year, SophosLabs sees in excess of 23,000 new malicious webpages every day – infected with the intention of compromising your computer. So it’s really important that alongside running up-to-date with anti-virus software, you ensure your web browser – whether it be Firefox, Internet Explorer, Safari, Opera, or something else – is protected with the latest patches.

 

The update is now available from the Mozilla website, but hopefully most existing users will be pestered into updating by Firefox’s auto-update facility.

 

Firefox’s security is becoming ever more important as it creeps up on Microsoft Internet Explorer’s pole position as number one browser for the web. It is estimated that there are now over 330 million users of Firefox - more than the population of the United States!

 

by Graham Cluley, Sophos