All clear for Flash Player: current version not vulnerable

June 2, 2008 – 6:09 AM

The reported security hole in Flash Player can now be given the all clear. The general consensus is that users of the current version 9.0.124.0 are safe. For the first time ever Secunia, one of the most reliable sources of information about security issues, has even revoked its advisory about the hole in Flash Player.

Antivirus vendors have also backtracked and confirmed that the reported exploit only works in a previous version of the player. However, they intend to remain vigilant because the significance of the file named WIN%209,0,124,0ff.swf which appears on infected web pages remains unclear. This file name gave rise to the assumption that the current version could be affected.

The current version of Flash for Windows, Linux, Mac and Solaris has been available for download from Adobe’s web page since the beginning of April. Apple recently deployed the current version for the Mac platform in an update. If you want to be extra sure you can use FlashBlocker or NoScript to block Flash applets at least in Firefox.

Source: Heise Security

Phishers Target New Victims on LinkedIn

June 1, 2008 – 5:46 PM

Users of the professional-oriented social networking site LinkedIn are being warned that scam artists are using the site to nab lucrative bank account information from naive victims, say security experts.

Advance fee fraud — also known as “419 scams” after the relevant section of the Nigerian penal code — has become well known to most e-mail users. The fraudster poses as a foreigner who has lucked into millions but needs help to keep their money secure (one fraudster even pretended to be an African astronaut aboard the International Space Station).

As soon as someone is naïve enough to share their bank account information, they find that money is withdrawn from their account — not deposited, as promised.

Read the rest of the story…

Microsoft urges Windows users to shut down Safari

June 1, 2008 – 10:05 AM

In an unusual move, Microsoft Corp. on Friday warned Windows users to swear off Apple Inc.’s Safari Web browser until a patch is available that plugs holes that could let attackers compromise computers.

One security researcher noted that Microsoft’s public warning — and Apple’s silence on the subject — are typical for the two rivals and illustrate their different approaches to security.

Friday, the Microsoft Security Response Center (MSRC) issued a security advisory for what it called a “blended threat” caused by a combination of a bug in Apple’s Safari Web browser and a vulnerability in how Windows XP and Windows Vista handle executable files placed on the desktop.

“Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed,” said the advisory.

The Safari bug Microsoft referred to is the same one disclosed two weeks ago by researcher Nitesh Dhanjani, which Apple declined to treat as a security issue, said Andrew Storms, director of security operations at nCircle Network Security Inc. “Clearly, that’s what they’re talking about,” said Storms.

Read the rest of the story…

Bogus Microsoft Update Delivers Nasty File Infector

June 1, 2008 – 8:54 AM

Even though Patch Tuesday is still two weeks from now, crimeware authors are already sending out fake Microsoft “critical updates.” The TrendLabs Content Security Team recently found a hoax purporting to be from Microsoft that urges users to update their computers due to a “critical security issue”.

The email, whose subject line reads “Important update from Microsoft Windows XP/2003 Professional Service Pack 2 (KB946026)”, urges recipients to install the latest security update to avoid a successful attack that could result in compromising the recipient’s PC.

If the unlucky victim clicks on the file name, WINDOWS-KB946026-X86-ENU, they won’t be getting any security patch — but rather, malware detected by Trend Micro as PE_VIRUT.XZ.

PE_VIRUT.XZ is a pretty old variant that appends its code to EXE and SCR files, making a pretty big mess depending on where it is executed.

Admittedly, we have been seeing these fake security notifications for a long time (we’ve discussed this in the past here and here). But apparently, consumers still seem to fall for this trap anyway.

Always keep your OS, third-party applications, and other associated software updated — this is one sound piece of advice that consumers can bank on.

And also make sure to get those Windows updates only from the source, Microsoft Corporation.

Read the rest of the story…

XSS Methods Also Seen Being Used in Mass Compromises

June 1, 2008 – 8:50 AM

XSS (Cross-Site Scripting) Very Much Alive and Kicking

We were about to investigate further on malicious activities related to banner82(dot)com/b.js, but the URL was already inaccessible around Tuesday. Soon enough the malicious script in www(dot)adw95(dot)com caught our interest. A rough survey of the sites compromised by this script reveals that the sites involved some cross-site scripting (XSS) or SQL injection vulnerabilities, or a combination of both.

XSS Holes Endanger Users with Increasing Risks

I want to shed some light again on XSS because, although it has been around for a long time, it has neither become less attractive as an attack method, nor has a fool-proof solution against it been properly formulated.

XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks incorporate disclosure of the user’s session cookies, allowing the attacker complete control over the victim’s session and, in effect, letting them take over the account and hijack the HTTP session.

XSS attacks may also include redirecting the user to some other page or website, and modifying the content of a HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.

An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There are an unaccounted number of variations for these types of attacks, and XSS attacks can come in the form of embedded JavaScript — one of the more common implementations. But be forewarned — any embedded active content is also a potential source of danger, including: ActiveX (OLE), VBscript, Flash, and more.

Breaches in the Background

XSS issues can and do exist in the underlying Web and application servers as well. Most Web and application servers use error mechanisms to display content access error pages, such as “404 page not found” and “500 internal server error”. If these pages reflect back any information from the user’s request, such as the URL they were trying to access, there is an even greater chance that they are vulnerable to an XSS attack.
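The error-page case above is worth seeing in code. The following Python is an added example, not code from the original article or from any of the products it mentions: a 404 handler that echoes the requested path verbatim next to the same handler with the reflected value HTML-escaped, plus the response headers that limit what a successful injection could reach. The function names, the `SAMPLE_PATH` value and the session id are constructed for illustration.

```python
import html

# Constructed request path containing markup, standing in for whatever a
# visitor (or a link they followed) might submit. Not from the original page.
SAMPLE_PATH = "/docs/<script>probe()</script>"


def not_found_page_vulnerable(path: str) -> str:
    """404 page that reflects the requested path verbatim.

    This is the defect described in the text: any markup in the request
    becomes part of the response and runs in the visitor's browser.
    """
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The page {path} could not be found.</p>"
        "</body></html>"
    )


def not_found_page_hardened(path: str) -> str:
    """Same page with the reflected value HTML-escaped.

    html.escape turns <, >, & into entities; quote=True also escapes ' and "
    so the value stays inert even if it is later placed inside an attribute.
    """
    safe_path = html.escape(path, quote=True)
    return (
        "<html><body><h1>404 Not Found</h1>"
        f"<p>The page {safe_path} could not be found.</p>"
        "</body></html>"
    )


def response_headers(session_id: str) -> dict:
    """Defence-in-depth headers for the error response.

    HttpOnly keeps the session cookie out of document.cookie, which blunts the
    cookie-disclosure scenario the text describes; the CSP forbids inline script
    so reflected markup cannot execute even if escaping is missed somewhere.
    """
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Set-Cookie": f"session={session_id}; HttpOnly; Secure; SameSite=Lax",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_raw_markup(page: str, submitted: str) -> bool:
    """Simple regression check: does the submitted value appear unchanged in the page?

    Useful as a unit test on every template that echoes request data.
    """
    return submitted in page


if __name__ == "__main__":
    for name, render in (("vulnerable", not_found_page_vulnerable),
                         ("hardened", not_found_page_hardened)):
        page = render(SAMPLE_PATH)
        print(f"{name}: reflects raw markup = {reflects_raw_markup(page, SAMPLE_PATH)}")
```

The `reflects_raw_markup` check is deliberately crude; it catches the verbatim reflection case that error pages are prone to, and belongs in a test suite next to each template that includes request data, while output encoding at the template layer remains the actual fix.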

The possibility that a website contains XSS vulnerabilities is extremely high. There are countless ways to mislead Web applications into relaying maliciously injected scripts. Developers and website administrators seem to have a knack for missing these vulnerable application areas in their web implementations, but finding these configuration errors seems to be a walk in the park for attackers, since all they need is a browser and time (time which most of the defenders don’t have).

There are numerous free attack tools available, and worse, the most efficient ones are created by career criminals who happen to be at the disposal of anyone willing to pay for their warez. These tools readily aid in finding these flaws, and are increasingly often crafted to inject XSS attacks into a target site.

Read the rest of the story….