The latest buzz on security and vulnerability these past few days revolves around Java, a software development platform originally created by Sun Microsystems and now owned by Oracle. Websites often embed Java programs, normally as applets (.jar), in order to “provide interactive features to web applications that cannot be provided by HTML alone”. Initial reports reveal that the exploit used to take advantage of the vulnerability found in Java 7—version 1.7, updates 0 to 6—is an applet called applet.jar (note that the names of malicious files can change in the future).
Our friends at FireEye first uncovered the new 0-day Java Runtime Environment (JRE) vulnerability being exploited in the wild. It is leveraged by online criminals to perform targeted attacks, regardless of the Internet browser used or how updated it is. “The number of these attacks has been relatively low, but it is likely to increase due to the fact that this is a fast and reliable exploit that can be used in drive-by attacks and all kinds of links in emails.” said Andre’ M. DiMino and Mila Parkour of DeepEnd Research in their blog entry. An official patch from Oracle is yet to be released; however, our friends at DeepEnd are distributing a temporary fix, courtesy of Michael Schier, to system administrators only and by request. The said patch allows the execution of the exploit but stops the payload.
Once the vulnerability is successfully exploited, a binary is dropped on the compromised system. Based on initial reports, the binary is hi.exe (MD5: 4a55bf1448262bf71707eef7fc168f7d), which GFI VIPRE Antivirus already detects as Trojan.Win32.Generic!BT.
Although earlier releases of Java do not have the said JRE vulnerability, security researchers advised against downgrading to versions 1.6 and below, as flaws inherent to those versions can still affect users. Instead, users are advised to disable Java in their browser for the time being until an official patch is made available. The patch is expected in October, based on Oracle’s triannual Java patch release schedule.
Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.
The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.
In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:
* Name
* Address (city, state, zip code)
* Email address
* Date of birth
* PlayStation Network/Qriocity password and login
* Handle/PSN online ID
In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.
As if that wasn’t bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:
While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.
The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.
So how could hackers exploit the information stolen from the Sony PlayStation Network?
1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.
So you should always use unique passwords.
Oh, and you better be sure that you have changed your “secret answers” too.
2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn’t be difficult for the cybercriminals to create an email which pretended to be a legitimate organisation (perhaps Sony themselves?) to steal more information or carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.
3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account – if you notice that money is missing, you’ll have to go through the rigmarole of claiming the money back from your credit card company.
This security breach is not just a public relations disaster for Sony, it’s a very real danger for its many users.
If you’re a user of Sony’s PlayStation Network now isn’t the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account becomes a casualty following this hack.
That means, changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply telling your bank that as far as you’re concerned the card is now compromised.
More information can be found in Sony’s blog post.
By Graham Cluley @ nakedsecurity.sophos.com
If you’re a customer of VioVet, the UK pet supplies and medications website, then be very careful opening your email this morning.
Customers are reporting that they have received an email purporting to contain a gift certificate from the company – but the files linked to by the email actually contain malware.
A couple of weeks ago two students conducting security research contacted me about a vulnerability which they believed they had found with Facebook.
Rui Wang and Zhou Li said that they had found a vulnerability which allowed malicious websites to access a Facebook user’s private data without permission. According to Rui and Zhou, it was possible for any website to impersonate other sites which had been authorised to access users’ data such as name, gender and date of birth.
Furthermore, the researchers found a way to publish content on the visiting users’ Facebook wall (under the guise of legitimate websites) – a potential way to spread malware and phishing attacks.
Microsoft has warned users of all supported versions of the Internet Explorer browser that an unpatched vulnerability exists in the product that is being actively exploited by malicious hackers in targeted attacks.
The zero-day vulnerability, described in a Microsoft security advisory, allows cybercriminals to execute code on remote users’ computers without their permission.
In other words, simply clicking on a link in an email could take you to a webpage which would silently install malicious code (such as a backdoor Trojan horse) onto your computer. In short, you could be one click away from having a hacker access your computer or commandeer it into being part of a botnet.
Sophos is adding detection of the malicious webpages as Mal/20103962-A, and the Trojan horse that we have seen being downloaded as Troj/GIFDldr-A.
According to Microsoft’s advisory, Data Execution Prevention (DEP) – which is enabled by default in Internet Explorer 8 on Windows XP SP3, Windows Vista SP1, Windows Vista SP2, and Windows 7 – helps to protect against the attacks.
All eyes will now be on Microsoft to see how quickly they can issue a fix for this vulnerability – it would certainly be impressive if they managed to roll-out a patch in time for next Tuesday’s “Patch Tuesday”, but that may be a little optimistic.
Adobe has issued a security advisory about an as-yet unpatched vulnerability in its popular Flash Player software, affecting users of Windows, Mac, Linux, Solaris and even Google Android.
The critical security hole could allow an attacker to take control of your computer and run malicious code.
The firm also confirmed that the vulnerability also affects Adobe Reader 9.3.4 for Windows, Mac and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac. The reason that Acrobat and Reader are also affected is that the programs support Flash content inside PDF files.
The new warnings follow closely after news last week of another vulnerability in Reader and Acrobat that was being exploited by malware authors.
Adobe has announced that an update for Flash Player tackling the latest vulnerability is expected to be available during the week of September 27, and an update for Acrobat and Reader will be available the following week.
Last month, Sophos blogger Chet Wisniewski interviewed Brad Arkin, Adobe’s Senior Director of Product Security and Privacy, about the firm’s security strategy and their upcoming sandboxing technology.
You can also download the interview directly in MP3 format.
If you’re a user of Windows or Flash (and I would imagine that covers the vast majority of you) then it’s time to roll out the latest critical security patches, as Microsoft and Adobe have released updates to their software.
First up is Microsoft, who have released a bumper bundle of fixes as part of their regular “Patch Tuesday” cycle, issuing 14 bulletins to remedy 34 security holes in Windows, Internet Explorer, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.
Eight of the bulletins have been Microsoft’s highest severity rating of “critical”, with the rest being labelled “important”.
The good news, as Chet Wisniewski explains, is that we haven’t yet seen any malware spreading by exploiting these vulnerabilities – but that may only be a matter of time.
Separately, Microsoft has also issued an advisory about a zero-day vulnerability, which could allow untrusted code to run on a user’s machine by exploiting a weakness in the Windows Service Isolation feature.
Meanwhile, another platform commonly targeted by malicious hackers has been updated to defend against security vulnerabilities.
Adobe has identified critical vulnerabilities in Adobe Flash Player version 10.1.53.64 and earlier, and urged users to update their installations of Flash and Adobe Air.
If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.
I’m increasingly being asked by folks on Facebook if it’s possible to tell who has been viewing their Facebook profile. A number have been attracted to webpages and Facebook applications that claim to be able to give you a secret insight into who is spying on your profile.
Well, if you’re one of those people who are curious about who might be watching you online, take care.
Right now we’re seeing a significant number of Facebook users posting messages such as:
OMG OMG OMG... I can't believe this actually works! Now you really can see who views your profile!!! WOAH
See who views your Facebook profile in real-time!!!
However, like the “Justin Bieber cell phone number” scam and the “This mother went to jail for taking this pic of her son!” scam, the links pointed to in your friends’ status updates are not to be trusted.
If you make the mistake of clicking on the link to one of these pages offering to tell you who is viewing your Facebook profile, you will find that the people behind the “services” want you to do a few things first.
For instance, they’ll ask you to “Like” their pages (which means you are spreading the link to friends in your social network), and they will ask you to advertise their site by posting an “OMG” message (with a link) to at least five different places on Facebook.
After all that hard work you would hope that they would give you access to the powerful Profile Spy app wouldn’t you? But I’m afraid your luck is out.
They’ll next ask you to hand over your personal information by taking numerous surveys – before ultimately trying to trick you into handing over your cellphone number which they’ll sign up to an expensive premium rate service.
Remember, this scam doesn’t work as the result of clickjacking, or a vulnerability on Facebook. The scammers are achieving their ends because of human gullibility – pure and simple. If people considered what they were doing and thought twice about the possible consequences then we would see nothing like as many of these attacks occurring, and our news feeds on Facebook would see less spam.
Tomorrow (Tuesday 13 July 2010) Microsoft will issue its last ever security patches for Windows XP Service Pack 2 (SP2).
The service pack, which was first released in August 2004, will no longer be supported by Microsoft after Tuesday meaning that users will no longer receive any security patches – regardless of how critical any discovered vulnerability may be.
Furthermore, it’s not just Windows XP SP2 that Microsoft won’t be updating – but your installations for Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components also won’t receive security patches if you’re running that version of the operating system.
You may be wondering – “What’s the problem? After all, Windows XP SP3 was released in 2008, and replaced SP2, right?”
Well, yes. It did. But recently published statistics suggest that an alarming 77% of organisations are running Windows XP SP2 on 10% or more of their PCs.
That’s an awful lot of computers which may not be properly protected when a new vulnerability is discovered – and could potentially be vulnerable to a malware attack.
Microsoft would probably like you to update your computers to Windows 7, but that may be a tall order for many older PCs. If you’re not ready for Windows 7, make sure you apply the free update to Windows XP SP3. Windows XP SP3 will be supported by Microsoft until at least April 2014.
An Argentinian hacker named Ch Russo claims that he and two associates have found several SQL injection vulnerabilities in The Pirate Bay’s database, which granted him access to all user information, including usernames and e-mails.
According to KrebsOnSecurity, who spoke with Ch Russo on the phone, the hackers did not modify the user data or give it away to a third party. They did, as they say, consider how much this info would be worth to various anti-piracy outfits such as the RIAA.
“Probably these groups would be very interested in this information, but we are not [trying] to sell it. Instead we wanted to tell people that their information may not be so well protected,” Ch Russo said.
It seems that the vulnerability has been at least partially patched however, as Russo said the website component that gives access to The Pirate Bay’s database has been removed. Furthermore, The Pirate Bay site is currently down, sporting the following message: “Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”
Although it’s been under the attack of the entertainment industry for years now, The Pirate Bay has somehow been able to survive to this day, even in the wake of some other major torrent trackers, such as Mininova.
Security problems such as this one, however, might cause huge problems to the service if user information falls into the wrong (or right, depending on how you look at it) hands.
By Stan Schroeder
Source: mashable.com