Adobe Systems has released a patch for two Flash player vulnerabilities that are being actively exploited online to surreptitiously install malware, one in attacks that target users of Apple’s Macintosh platform.
While Flash versions for OS X and Windows are the only ones reported to be under attack, Thursday’s unscheduled release is available for Linux and Android devices as well. Users of all affected operating systems should install the update as soon as possible.
The Mac exploits target users of the Safari browser included in Apple’s OS X, as well as those using Mozilla’s Firefox. That vulnerability, cataloged as CVE-2013-0634, is also being used in exploits that trick Windows users into opening booby-trapped Microsoft Word documents that contain malicious Flash content, Adobe said in an advisory. Adobe credited members of the Shadowserver Foundation, Lockheed Martin’s Computer Incident Response Team, and MITRE with discovery of the critical bug.
The other bug under attack, CVE-2013-0633, also works by tricking Windows users into opening a Word document containing malicious Flash content. It was discovered by researchers from antivirus provider Kaspersky Lab…
(via Massive search fraud botnet seized by Microsoft and Symantec | Ars Technica)
A botnet that redirected clicks from millions of PCs has been, at least for the moment, shut down by Microsoft and Symantec. Based on the fraudulent traffic generated by the Bamital botnet, the two companies estimate that its operators netted more than $1 million a year by redirecting unsuspecting computer users to websites they didn’t intend to go, cashing in on the traffic with online advertising networks.
Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet. A server in an ISPrime data center in Weehawken, New Jersey was seized, while the operators of a LeaseWeb data center in Manassas, Virginia voluntarily shut down a server at the company’s headquarters in the Netherlands. LeaseWeb is providing an image of that server to Microsoft and Symantec. “These servers were command and control servers, and were also absorbing the malicious traffic the botnet was creating,” said Vikram Thakur, Principal Security Response Manager at Symantec in an interview with Ars…
Twitter is looking to add another layer of protection to its user authentication. After having at least 250,000 accounts’ passwords compromised in an attack against its service last week, Twitter apparently plans to implement two-factor authentication as an option to help users better protect their accounts—or at least it’s hiring people to help do that.
In a job listing posted by Twitter this week, the company seeks software engineers to develop “user-facing security features, such as multifactor authentication and fraudulent login detection.” When contacted by Ars, a representative for Twitter said the company has no specific details to share about its plans at this time.
Twitter currently uses OAuth as its authentication protocol via applications (either mobile apps or other Web services), which prevents attackers from recording and replaying session information trying to hijack open user sessions. For direct user authentication, Twitter uses secure socket layer (SSL) encryption to pass user credentials from Web browsers and other Twitter clients.
Those measures protect users’ passwords and sessions from being directly intercepted and taken over in most cases. But they don’t guard against “man-in-the-middle” attacks, where a malicious access point or firewall using an SSL proxy intercepts encrypted Web traffic. Hackers have grabbed users’ Twitter credentials in the past through malicious webpages using cross-site scripting, e-mail “phishing” attacks, and other means. Last August, for example, the Reuters news service had its Twitter feed taken over by pro-Syrian hackers who pulled the Twitter password from the service’s blogging platform…
Security experts are advising that a networking feature known as Universal Plug and Play be disabled on routers, printers, and cameras, after finding it makes tens of millions of Internet-connected devices vulnerable to serious attack.
UPnP, as the feature is often abbreviated, is designed to make it easy for computers to connect to Internet gear by providing code that helps devices automatically discover each other over a local network. That often eliminates the hassle of figuring out how to configure devices the first time they’re connected. But UPnP can also make life easier for attackers half a world away who want to compromise a home computer or breach a business network, according to a white paper published Tuesday by researchers from security firm Rapid7.
Over a five-and-a-half-month period last year, the researchers scanned every routable IPv4 address about once a week. They identified 81 million unique addresses that responded to standard UPnP discovery requests, even though the standard isn’t supposed to communicate with devices outside a local network. Further scans revealed that 17 million addresses exposed UPnP services built on the open standard known as SOAP, short for Simple Object Access Protocol. By broadcasting the service to the Internet at large, the devices can make it possible for attackers to bypass firewall protections.
“Unfortunately, the realities of the consumer electronics industry will leave most systems vulnerable for the indefinite future,” the Rapid7 white paper warned. “For this reason, Rapid7 strongly recommends disabling UPnP on all Internet-facing systems and replacing systems that do not provide the ability to disable this protocol….”
(via How Java dumps useless add-ons and toolbars on PC users | Ars Technica)
Remember the Ask search engine? Oracle sure does—and by extension, so do Java users. Oracle has taken the practice of bundling useless add-ons and toolbars with legitimate software to new heights while collecting a commission each time it tricks a user into installing an Ask toolbar.
That’s what Windows expert and legendary skeptic Ed Bott of ZDNet reports after examining Java’s installation and update practices. Bott has done extensive reporting on “foistware,” previously crowning Adobe and Skype as the worst offenders. But over the past year, Adobe and Skype have reformed themselves a little bit, while Oracle’s Java now deserves the crown for “king of foistware,” he wrote today.
“The evidence against Oracle is overwhelming,” Bott wrote, continuing:
- When you use Java’s automatic updater to install crucial security updates for Windows, third-party software is always included. The two additional packages delivered to users are the Ask Toolbar and McAfee Security Scanner.
- With every Java update, you must specifically opt out of the additional software installations. If you are busy or distracted or naïve enough to trust Java’s ‘recommendation,’ you end up with unwanted software on your PC.
- IAC, which partners with Oracle to deliver the Ask toolbar, uses deceptive techniques to install its software. These techniques include social engineering that appears to be aimed at both novices and experienced computer users, behavior that may well be illegal in some jurisdictions.
- The Ask.com search page delivers inferior search results and uses misleading and possibly illegal techniques to deceive visitors into clicking paid ads instead of organic search results…
Security researchers have confirmed that the latest version of Oracle’s Java software framework is vulnerable to Web hacks that allow attackers to install malware on end users’ computers.
“We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21),” Adam Gowdiak, CEO of Poland-based Security Explorations, wrote in an advisory posted Friday to the Full Disclosure mailing list. “As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code).”
Gowdiak’s advisory comes a few days after researchers from security firms Trend Micro and Immunity Inc. independently reported that the emergency patch Oracle released on Sunday was incomplete. While attacks actively waged online last week exploited two vulnerabilities in an older version to surreptitiously install malware on computers that browsed to malicious websites, Java 7 Update 11 fixed only one of them, those researchers said. On Wednesday, KrebsOnSecurity reported exploit code for that version was being sold in underground Internet forums.
In an e-mail, Gowdiak told Ars that his exploits aren’t able to bypass a security protection added to Sunday’s Update 11 that prevents unsigned or self-signed Java applets from running in a browser unless the end-user clicks an OK button. He said his attack would still work if attackers are able to use social engineering techniques to trick users into allowing the applet. Attackers likely could also circumvent the protection by using a stolen valid certificate…
UNINSTALL - most will never need it and never miss it…
(via $5,000 will buy you access to another, new critical Java vulnerability (Updated) | Ars Technica)
An exploit for yet another critical Java software vulnerability began circulating online amid reports that the patch Oracle issued two days ago is incomplete.
In an article published Wednesday morning on KrebsOnSecurity, reporter Brian Krebs said a fully “weaponized” executable that exploits the bug was being advertised for $5,000 in an underground Internet forum. The price also included source code for the exploit so that it could be folded into other types of attacks. The advertisement came one day after Oracle rushed out a fix for an earlier critical vulnerability that was being “massively” exploited online. Researchers classified that vulnerability as CVE-2013-0422.
Krebs said the latest attack exploited “a different and apparently still-unpatched zero-day vulnerability in Java.” His article came around the same time researchers from antivirus provider Trend Micro warned that the Oracle patch may not be effective at blocking some attacks.
“Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete,” Trend Vulnerability Research Manager Pawan Kinger wrote in a blog post. Kinger went on to explain that the vulnerability stemmed from flaws in two parts of the Java code base: one involving the findclass method and the other involving the invokeWithArguments() method. While Sunday’s patch fixed the latter issue, the findclass method can still be used to get references to restricted classes, leaving a hole that attackers can exploit…
On Saturday, Microsoft published a security advisory warning users of Internet Explorer 6, 7, and 8 that they could be vulnerable to remote code execution hacks. The company said that users of IE 9 and 10 were not susceptible to similar attacks and recommended that anyone using the older browsers upgrade. Still, customers who still run Windows XP cannot upgrade to IE 9 or 10 without upgrading their OS.
Microsoft’s confirmation comes after reports from several security groups that the attack sprang from the Council on Foreign Relations website, creating a “watering hole attack” that left people who visited the site through older versions of the browser open to further attack…
Electronic lock manufacturer Onity has finally agreed to reimburse its customers—major hotel chains like Marriott, Hyatt, and InterContinental (IHG)—for some of the costs of replacing its hackable locks.
Back in July, a security researcher exposed the fact that Onity locks (in use on around 4 million hotel rooms worldwide) could be disabled in a matter of seconds using a custom-designed kit that cost about $50. The company acknowledged the flaw but did not offer much in the way of a response until November.
Last month, following the theft of a laptop from a Texas hotel room using this hardware hack, the company began instituting a temporary hardware fix by physically blocking access to the ports with epoxy, and more recently, with a plastic plug and “security screws.”
Now Forbes, which has been following this story for months, reports, citing a new corporate memo, that the company has come to agreements with its hotel customers but has been less than forthright as to who will pay for these fixes.
“Just how much of the fix Onity is paying for in each customer’s case seems to vary,” Forbes reporter Andy Greenberg wrote on Thursday. “Though Onity seems to be offering the full price of the hardware fix for returned circuit boards from IHG and Marriott, the Hyatt memo states that Onity would charge $11 for every new circuit board it installed and repay only $6 for the replaced ones. It also mentions a $10 charge per lock for on-site firmware upgrades, as opposed to the free firmware upgrades in the other two deals.”
Greenberg published one of the internal corporate memos between Onity and Marriott-managed and franchised hotels, which Onity declined to confirm or deny was authentic.
When Ars contacted Onity for comment, Suzanne Fritz, a company spokesperson, returned essentially the same canned statement that she gave to Forbes, which makes no mention of a permanent, technical replacement for the vulnerable locks.
“As of November 30, 2012, Onity has shipped 1.4 million solutions for locks to hotel properties,” she said by e-mail. “Over the next several weeks, we will ensure all hotel properties in our database receive the mechanical solution. These mechanical caps and security screws block physical access to the lock ports that hackers use to illegally break into hotel rooms. The mechanical solution remains free of charge to customers.”
A quickly spreading worm on Tumblr has caused media companies The Verge, Reuters, and a large number of other account holders to publish a post laced with racist epithets and other offensive content.
The stunt, attributed to long-time Internet trolling collective GNAA, caused affected Tumblr accounts to display the post. People who viewed the post while logged into Tumblr were in turn forced to publish the offensive content, causing the attack to spread virally, according to security researchers. More than 86,000 accounts were affected, according to unconfirmed claims from GNAA members. Tumblr issued a statement saying site engineers are working to combat a “viral post circulating on Tumblr.” It advised anyone who has viewed the post to immediately log out of all browsers that may be logged in.
According to researchers at antivirus provider Sophos, the GNAA post spread by including malicious code that exploited weaknesses in Tumblr’s reblogging feature. A coding tag contained in the post linked to malicious code on another website. The JavaScript exploit, which was included in an iframe tag that pointed to an outside website, used what is known as base-64 encoding. It’s a technique that uses printable ASCII characters to represent large chunks of binary data and has the benefit of making it harder to know exactly how a script will behave when executed.
“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post,” Sophos Senior Technology Consultant Graham Cluley wrote. “Our assumption is that the attackers managed to skirt around Tumblr’s defenses by disguising their code through Base 64 encoding and embedding it in a data URI.”
It’s unclear how the worm was able to spread so rapidly, but one theory that couldn’t be ruled out as of the time of this writing is the possibility of an XSS hole found on Tumblr’s site. Short for cross-site scripting, XSS techniques allow attackers to inject browser code of their choice into websites that are trusted by millions of users. In turn, miscreants can exploit XSS holes to perform drive-by malware installations, steal Web authentication credentials, post unauthorized content, or carry out other tasks not intended or initiated by the end user…
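As an added illustration of the evasion Sophos describes (a script hidden behind base64 inside a data URI in an iframe), and not code from Tumblr, Sophos or the original article, here is a Python pre-publication check that decodes data URIs found in src/data attributes and flags active-content tags; the sample post and the inert placeholder script it embeds are constructed for this example.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample post modelled on the Sophos description: an iframe whose
# src is a base64 data URI wrapping a script. The script is an inert placeholder.
INERT_SCRIPT = "<script>/* placeholder, does nothing */</script>"
SAMPLE_POST = ('<p>Hello Tumblr</p><iframe src="data:text/html;base64,'
               + base64.b64encode(INERT_SCRIPT.encode()).decode() + '"></iframe>')

# Tags that can load or run active content inside a reblogged post.
ACTIVE_TAGS = {"iframe", "object", "embed", "script"}


def decode_data_uri(src):
    """Return the decoded body of a data: URI, or None if src is not one."""
    m = re.match(r"data:([^,]*),(.*)", src.strip(), re.I | re.S)
    if not m:
        return None
    header, body = m.groups()
    if "base64" not in header.lower().split(";"):
        return body  # plain body, inspected as written
    try:
        return base64.b64decode(body).decode("utf-8", "replace")
    except ValueError:  # malformed base64 cannot be vetted, so treat as empty
        return ""


class PostAuditor(HTMLParser):
    """Records why a post body should be rejected before it is published."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            self.findings.append((tag, "active-content tag"))
        decoded = decode_data_uri(attrs.get("src") or attrs.get("data") or "")
        # A filter that only looks at the raw attribute never sees this script.
        if decoded is not None and "<script" in decoded.lower():
            self.findings.append((tag, "data URI conceals a script"))


def audit_post(html):
    """Parse a post body and return a list of (tag, reason) findings."""
    auditor = PostAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

A post with any finding should be rejected, and the decoded data URI body kept with the rejection for analyst review.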