Darknet - The Darkside

Don't Learn to HACK - Hack to LEARN. That's our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on RSS or Twitter for the latest updates.

17 May 2012 | 515 views

Hackers Break Into Bitcoin Exchange Site Bitcoinica

Bitcoin hasn’t been having a great time lately: there have been a few high-profile, large-dollar-amount hacks of Bitcoin exchange sites (basically the Bitcoin banks).

The latest involved US$90,000 and a high likelihood that the user database was compromised too. It seems like Bitcoin, despite all the hype, might die a slow death due to all these compromises, which are destroying users’ trust and the overall credibility of the service.

It was touted as a whole new global economy, resistant to inflation and inflated GDP and totally decentralized. Obviously security wasn’t high on the list.

Bitcoin exchange site Bitcoinica suspended its operations on Friday after hackers managed to steal 18,547 bitcoins — valued at about US$90,000 — from its online wallet.

The user database probably was compromised as well, Bitcoinica’s administrators said in an announcement posted on the site’s home page. The information stored in the database included usernames, email addresses and account histories.

Account passwords were encrypted in a way that makes it extremely unlikely for them to be cracked, the Bitcoinica team said. However, to be on the safe side, the team advised users to change their passwords on other websites where they might have used them.

The compromised user information can be used to launch phishing attacks, as has happened in the past after many data breaches that exposed user email addresses.

Users should be suspicious of any messages received on their email addresses registered with Bitcoinica, the site’s administrators said. “It is always a best practice to never click an email link to login to any online service.”

Bitcoin is a cash-like digital currency that can be exchanged directly by users without the need for a central payment service. It uses the peer-to-peer model for synchronizing transaction records between users.

Bitcoinica noted that the stolen bitcoins belonged to the exchange, not the users, and said it will honor any withdrawal request. However, it’s not clear when or if the website will resume operations.

I’m not sure if the users from Bitcoinica will see any phishing mails; I’d imagine whoever the infiltrators were, they were purely after the Bitcoins and the money they could make from selling them.

User accounts are only really valuable if they have working credit card details – which these accounts don’t seem to have. The previous exchange that got attacked, at the time the largest, closed down shortly afterwards – Inside the Mega-Hack of Bitcoin: the Full Story.

“It’s more serious than we thought,” said Bitcoinica founder Zhou Tong, in a post on the Bitcointalk forum on Saturday. “Likely we will either shut down the platform or re-develop entirely (which will take months instead of days).”

The company needs more time to come up with a plan to compensate users for the downtime and other issues resulting from this security incident, Zhou said.

In a separate post on Sunday, Zhou revealed that he sold Bitcoinica to an undisclosed investor back in November 2011 and stayed with the company as an employee in charge of daily operations until a new team took over two weeks ago. He also announced that he plans to retire from all bitcoin-related projects after this incident is resolved.

Security breaches at bitcoin exchanges don’t only affect the users of those exchanges, but the entire bitcoin community, because they negatively affect the value of the virtual currency. In June 2011, bitcoin prices plummeted after news broke that the largest bitcoin exchange, Mt.Gox, was compromised.

This is not the first time that Bitcoinica has lost a large number of bitcoins to hackers. Back in March, attackers managed to steal 43,000 bitcoins from the exchange after they compromised the servers of Web hosting provider Linode.

“It seems Bitcoin has the same problem(s) that other web applications possess: vulnerabilities, such as SQL injections, that make it susceptible to data theft,” Rob Rachwald, director of security strategy at security firm Imperva, said via email. “In the early days of legitimate online banking, when one breach hit a bank, the whole industry’s brand took a hit. Ironically, the same dynamic could play out in black market banking.”

I would imagine the site will close down and I hope they rebuild their platform from scratch – with secure programming principles in mind. The large attack on Mt.Gox affected the value of Bitcoins across the whole network and required the founders to pump real cash back in from their own pockets to stabilize the eco-system.

It makes me wonder why people are interested in Bitcoins and Bitcoin trading in the first place; I guess the currency is only as secure as the exchanges and the platforms they are running on.

Source: Network World




14 May 2012 | 1,658 views

CODENAME: Samurai Skills – Real World Penetration Testing Training

Introduction

Yes, there’s another new kid on the block when it comes to penetration testing training: this course is known as CODENAME: Samurai Skills by Ninja-Sec. I’m not going to compare this to any other course out there, as I think there’s a place for all of them and they all have pros and cons.

The author is one Mohamed Ramadan who does in fact know what he’s talking about, for a sample of his writing outside of this course-ware you can check here:

How Hackers Target and Hack Your Site

The course is marketed under the brand Ninja-Sec:

Ninja-Sec - Real World Penetration Testing Training

The main focus of this course is to teach you the following skills:

  • Gather Information Intelligence
  • Find Web Applications and System Security Vulnerabilities
  • Scan Your Target Stealthily
  • Exploit Web Applications and System Vulnerabilities
  • Conduct Real World Client Side Attacks
  • Conduct Tactical Post Exploitation on Windows and Linux Systems
  • Develop Windows Exploits

They themselves consider this a medium level course and are promising to come out with a more advanced course soon. I consider this course a good introduction to pen testing or as a good supplement to other more hardcore courses (like OSCP).

There’s a fair mix of introductory material and slides + ample video which walks you through the slides and shows hands on demonstrations.

The Course

The course covers 8 modules:

  • Module 1: Solid Introduction to Penetration Testing
  • Module 2: Real World Information Intelligence Techniques
  • Module 3: Scanning and Vulnerability Assessment
  • Module 4: Network Attacking Techniques
  • Module 5: Windows – Unix Attacking Techniques
  • Module 6: Windows – Unix Post-exploitation Techniques
  • Module 7: Web Exploitation Techniques
  • Module 8: Windows Exploit Development

Each module contains a ‘book’ – which is basically a set of presentation slides and video content – the length of the video varies greatly between chapters (the shortest is the introduction at 35 minutes and the longest is almost 5 hours for module 7).

The presentation slides generally give some introductory material, then run through the relevant subject in a fair amount of depth. Here’s an example of a slide:

CODENAME: Samurai Skills - Sample

It runs all the way from a foundation introduction to penetration testing to a quite advanced module about Windows exploit development.

Here’s a sample of the video material, also about SQL Injection:

The course runs through a great variety of tools and techniques, from old to new. It’s actually a great companion for the Darknet site, as we have written about most of the tools featured in the course – but we haven’t published many tutorials on how to actually use them.

So for example, if you have a reasonable idea of what tools do, but aren’t really sure how, when and what to use them for exactly – this course would be very beneficial for you. For example, it goes into depth on how to hone your skills on vulnerable sites like WackoPicko, plus in-depth examples using Metasploit and other more niche tools like BeEF – The Browser Exploitation Framework.

Samurai Skills - BeEF

The real monster of a module is Module 7, with 4 hours 58 minutes of video and 60 pages of slides, which is where the focus should be for me. Web application security is what is hot now and has been for the past couple of years; more and more web apps are being built and rolled out, so it’s more likely you’ll land in a role where these skills are needed.

Labs

The labs consist of a 3-stage network with N00bs Network, Shad0w Network and Impossible Network. Each host is dual-homed so you have to attack them in sequence, you can’t for example attack Impossible Network straight from N00bs Network.

Samurai Skills Lab

The lab is a great way to exercise some of the skills you’ve gained from following this penetration testing course and is definitely a plus point of signing up for this course.

Conclusion

This is a solid course; it’s not the most polished course I’ve ever seen, but it’s very technically competent. Some people may struggle with the heavy Arabic accent in the video material, so I’d suggest watching the samples first to make sure you’re OK with that and can follow what Mohamed is saying.

Another thing which could be a pro or a con is the pacing: most educational videos tend to cut away when stuff is happening, which obviously makes the pace a lot faster. In CODENAME: Samurai Skills the screencast is in real time, which means if a tool is loading or takes a while to run (just like it does in real life) you sit and watch it.

In a way it gives you a good insight into the reality of the pace of penetration testing (no it’s not like Swordfish) – but for some people, you may find this frustrating.

I’d say if you’re just starting out or you want to get your hands on some material that guides you step by step how to carry out attacks – this course will be valuable to you. It will take you to a place where you’ll be able to start carrying out penetration tests.

It’s not the most intense infosec/pen-testing course out there, but it does deliver a lot of value for the price, and I’m looking forward to seeing how it improves and checking out the more advanced course when it hits the market.

Other pluses are that you get a FREE subscription to HAKIN9 Magazine when you enroll, along with a full year’s support in the forums.

The pricing for the course & lab access is currently as follows:

  • CODENAME: Samurai Skills Course Online v2 + 30 days access to Ninja-Sec Lab + NS|PT Certification = $490 USD
  • CODENAME: Samurai Skills Course Online v2 + 60 days access to Ninja-Sec Lab + NS|PT Certification = $590 USD
  • CODENAME: Samurai Skills Course Online v2 + 90 days access to Ninja-Sec Lab + NS|PT Certification = $690 USD

You can read more and sign up here:

http://ninja-sec.com/index.php/samurai-skills/



08 May 2012 | 776 views

Basic Fuzzing Framework (BFF) From CERT – Linux & Mac OSX Fuzzer Tool

The CERT Basic Fuzzing Framework (BFF) is a software testing tool that finds defects in applications that run on the Linux and Mac OS X platforms. BFF performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways, looking for cases that cause crashes.) The BFF automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of BFF is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.

Traditionally fuzzing has been very effective at finding security vulnerabilities, but because of its inherently stochastic nature results can be highly dependent on the initial configuration of the fuzzing system. BFF applies machine learning and evolutionary computing techniques to minimize the amount of manual configuration required to initiate and complete an effective fuzzing campaign. BFF adjusts its configuration parameters based on what it finds (or does not find) over the course of a fuzzing campaign. By doing so it can dramatically increase both the efficacy and efficiency of the campaign. As a result, expert knowledge is not required to configure an effective fuzz campaign, and novices and experts alike can start finding and analyzing vulnerabilities very quickly.

Features

  • Minimal initial configuration is required to start a fuzzing campaign
  • Minimal supervision of the fuzzing campaign is required, as BFF can automatically recover from many common problems that can interrupt fuzzing campaigns
  • Uniqueness determination through intelligent backtrace analysis
  • Automated test case minimization reduces the effort required to analyze results by distilling the test case to the minimal changes to the input data required to induce a specific crash
  • Online machine learning applied to fuzzing parameter and input file selection to improve the efficacy of the campaign
  • Distributed fuzzing support
  • Crash severity / exploitability triage

At the CERT/CC, they have already used the BFF infrastructure to find a number of critical vulnerabilities in products such as Adobe Reader and Flash Player; Foxit Reader; Apple QuickTime, Preview, and Mac OS X; Xpdf; Poppler; FFmpeg; JasPer; Wireshark; VMware VMnc video codec; the Indeo video codec; and many others.
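Added example, not BFF’s code and not from the original post: a small Python fuzzer that demonstrates the three ideas described above (mutational fuzzing of well-formed input, crash uniqueness via the backtrace, and test-case minimization down to the edits that still reproduce the same crash) against a constructed toy parser with two deliberately injected defects. The ‘REC’ file format, the parser, and the mutation-ratio schedule are assumptions made for illustration.

```python
import random
import traceback

CODECS = ("raw", "rle", "lz", "delta")

def parse_record(data: bytes) -> dict:
    """Constructed toy parser for a made-up 'REC' file format, with two
    deliberately injected defects that a fuzzer should find."""
    if len(data) < 7 or data[:3] != b"REC":
        raise ValueError("not a REC file")      # graceful rejection, not a crash
    codec = CODECS[data[4]]                     # defect 1: no bounds check -> IndexError
    scale, length = data[5], data[6]
    payload = data[7:7 + length]
    checksum = sum(payload) // scale            # defect 2: zero divisor -> ZeroDivisionError
    return {"codec": codec, "checksum": checksum, "length": len(payload)}

# Well-formed seed input, constructed for the example.
SEED = b"REC" + bytes([1, 0, 4, 5]) + b"hello"

def crash_signature(data: bytes):
    """Run the target once. Returns None if it survives (or rejects the input
    cleanly), else a bucket id built from the exception type and the innermost
    frame, the same idea as BFF's backtrace-based uniqueness determination."""
    try:
        parse_record(data)
    except ValueError:
        return None
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return f"{type(exc).__name__}:{frame.name}:{frame.lineno}"
    return None

def mutate(seed: bytes, rng: random.Random, ratio: float):
    """Mutational fuzzing step: overwrite a fraction of the seed's bytes with
    random values. The edits are returned as (offset, value) pairs so the
    minimizer can later reason about each change individually."""
    count = max(1, int(len(seed) * ratio))
    return [(off, rng.randrange(256)) for off in rng.sample(range(len(seed)), count)]

def apply_edits(seed: bytes, edits) -> bytes:
    buf = bytearray(seed)
    for off, val in edits:
        buf[off] = val
    return bytes(buf)

def minimize(seed: bytes, edits, target_sig: str):
    """Test-case minimization: repeatedly drop any single edit whose removal
    still reproduces the *same* crash bucket, until no edit can be dropped.
    What remains is the minimal set of changes that induces that crash."""
    edits = list(edits)
    changed = True
    while changed:
        changed = False
        for i in range(len(edits)):
            candidate = edits[:i] + edits[i + 1:]
            if crash_signature(apply_edits(seed, candidate)) == target_sig:
                edits, changed = candidate, True
                break
    return edits

def fuzz_campaign(seed: bytes, iterations: int, rng_seed: int = 1):
    """Run a small campaign. Returns {crash bucket: minimized edits}. The
    mutation ratio is widened whenever the current ratio stops producing new
    buckets, a crude stand-in for BFF's self-adjusting configuration."""
    rng = random.Random(rng_seed)
    ratios = [0.05, 0.2, 0.5]
    ratio_idx, stale = 0, 0
    buckets = {}
    for _ in range(iterations):
        edits = mutate(seed, rng, ratios[ratio_idx])
        sig = crash_signature(apply_edits(seed, edits))
        if sig and sig not in buckets:
            buckets[sig] = minimize(seed, edits, sig)
            stale = 0
        else:
            stale += 1
            if stale >= 50:
                ratio_idx = min(ratio_idx + 1, len(ratios) - 1)
                stale = 0
    return buckets

if __name__ == "__main__":
    for sig, edits in fuzz_campaign(SEED, 500).items():
        print(sig, "reproduced by", edits)
```

Each bucket ends up keyed by exception type and crashing frame, with a one-edit reproducer, which is what makes the result useful for triage rather than a pile of random crashing files.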

You can download BFF here:

http://www.cert.org/download/bff/

Or read more here.



30 April 2012 | 908 views

Russian Cyber-Crime Market Doubled In 2011

It’s been quite a while since we’ve posted any news about Russia, so here’s an article which in some ways is quite scary.

The global cybercrime market is being dominated by Russian-speaking nations and their activity doubled in 2011. It’s certainly a disproportionate amount of crime when you look at their population size.

Cybercrime is a HUGE business, especially when it comes to malware and trojans targeting banking details and the follow on phishing scams.

Russian-speaking criminals grabbed more than a third of the entire global cybercrime market in 2011 as a growth in online fraud activity turned the country into a major digital crime superpower, a new report has suggested.

Russian cybercriminals earned $4.5 billion in 2011

The State and Trends of the Russian Digital Crime market 2011 from Russian security research company Group-IB estimates (using public and partner data) that the global cybercrime market reached around $12.5 billion (APS7.74 billion) in size during the year, with Russians and Russian speakers (including those outside the country) accounting for $4.5 billion of that total.

At the same time, using its own internally-collected analysis, the Russia-only cybercrime market doubled to $2.3 billion compared to 2010, a disproportionate level of activity considering the country’s modest 143 million population.

The top Russian cybercrime activity was online fraud, equivalent to almost a billion dollars in revenue, just ahead of spam at $830 million, internal market services at $230 million and DDoS at $130 million.

As well as startling growth, the Russian cybercrime scene also saw consolidation into larger, more organised groups increasingly controlled by conventional crime mafias. There was also evidence of co-operation between these groups, and the growth of an important internal ‘crime-to-crime’ (C2C) market to support its activities.

$12.5 billion is a LOT of zeros; that was the estimate of the money lost in 2011 to cybercrime. That’s almost $2 per person for the ENTIRE population of the world, which is what I would colloquially call a shitload of cash.

It doesn’t stop there either; it amazes me that DDoS attacks are a multi-million dollar business! In Russia alone, according to this report anyway, these crims earned $130 million USD carrying out DDoS attacks!

Coming from a Russian-based group of researchers, the report makes fascinating reading. There is a wealth of anecdotal evidence from crime busts and malware trends that Russia is a key hub for cybercrime, but hard numbers are seldom put on its inner workings or business model.

An obvious question is why Russia has become such an important country for cybercrime. Beyond the traditional explanation of the large number of relatively poorly-paid programmers in the country, Group-IB also underlines the importance of policing and local laws.

The researchers note the case of Yevgeniy Anikin and Viktor Pleschuk, who were part of the gang that stole $10 million from the Royal Bank of Scotland’s WorldPay ATM system in 2008 and yet received suspended sentences from Russian courts.

“Thus, because of imperfections in Russian laws and the lack of severe penalties, stable law enforcement practice, and regular training regarding counter cybercrime measures, cybercriminals are disproportionately [not held] liable for the crimes they commit,” note the researchers.

“The cybercrime market originating from Russia costs the global economy billions of dollars every year,” said Group-IB’s CEO, Ilya Sachkov.

The lax laws when it comes to cybercrime in Russia aren’t going to help the situation, but sadly – I’m not sure if they will even care.

If you want to read the original report you can do so here:

State and Trends of the Russian Digital Crime market 2011 [PDF]

Source: Network World



25 April 2012 | 3,076 views

creepy – A Geolocation Information Aggregator AKA OSINT Tool

creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information (i.e. what was posted from that specific location) to provide context to the presentation.

Creepy

Features

  • Automatic caching of retrieved information in order to reduce API calls and the possibility of hitting rate limits.
  • GUI with navigable map for a better overview of the accumulated information
  • 4 map providers (including Google Maps) to use.
  • Open locations in Google Maps in your browser
  • Export retrieved locations list as kmz (for Google Earth) or csv files.
  • Handling Twitter authentication in an easy way using OAuth. User credentials are not shared with the application.
  • User/target search for Twitter and Flickr.

Map Providers

  • Google Maps
  • Virtual Maps
  • Open Street Maps

Information Retrieval Using

  • Twitter’s tweet location
  • Coordinates when the tweet was posted from a mobile device
  • Place (geographical name) derived from the user’s IP when posting on Twitter’s web interface. The place gets translated into coordinates using geonames.com
  • Bounding box derived from the user’s IP when posting on Twitter’s web interface. This is the least accurate source: a corner of the bounding box is selected randomly.
  • Geolocation information accessible through image hosting services’ APIs
  • EXIF tags from the photos posted.

Social Networking Platforms Supported

  • Twitter
  • Foursquare (only checkins that are posted to twitter)
  • Gowalla (only checkins that are posted to twitter)

Image Hosting Services Supported

  • flickr – information retrieved from API
  • twitpic.com – information retrieved from API and photo exif tags
  • yfrog.com – information retrieved from photo exif tags
  • img.ly – information retrieved from photo exif tags
  • plixi.com – information retrieved from photo exif tags
  • twitrpix.com – information retrieved from photo exif tags
  • foleext.com – information retrieved from photo exif tags
  • shozu.com – information retrieved from photo exif tags
  • pickhur.com – information retrieved from photo exif tags
  • moby.to – information retrieved from API and photo exif tags
  • twitsnaps.com – information retrieved from photo exif tags
  • twitgoo.com – information retrieved from photo exif tags

You can download creepy here:

CreepySetup_0.1.94.exe

Or read more here.



23 April 2012 | 633 views

Anonymous Take Down Official F1 Site As Bahrain Protest

It seems like the latest target for Anonymous is the F1 due to the race that took place in Bahrain and the human rights issues in the country.

They DDoSed the official F1 site (formula1.com), which was up and down on Saturday and defaced another related site (f1-racers.net) which also contains some details from ticket sales.

I’m not entirely sure if it’s really Anonymous behind this or another fragment as the Blogspot has been killed and the AnonOps Twitter account hasn’t been updated since March 22nd.

Hackers claiming to be from Anonymous have taken down the official Formula One website as protests grow over this weekend’s controversial Grand Prix in the Kingdom of Bahrain.

“The F1 Grand Prix in Bahrain should be strongly opposed. The Al Khalifa regime stands to profit heavily off the race and has promised to use live ammunition against protestors in preparation,” the group said in a statement.

“They have already begun issuing collective punishment to entire villages for protests and have promised further retribution ‘to keep order’ for the F1 events in Bahrain. The Formula 1 racing authority was well-aware of the Human Rights situation in Bahrain and still chose to contribute to the regime’s oppression of civilians and will be punished.”

The statement also called for the release of Abdulhadi Alkhawaja, a prominent local human rights activist who was arrested at his home in April 2011 and sentenced to life in prison two months later on charges of aiding terrorist organizations. Amnesty International has declared him a ‘prisoner of conscience’ and he is now in the 70th day of a hunger strike.

So far the race looks like it will be going ahead anyway, although some members of the Force India team have left the country following an incident earlier in the week where they were caught in a riot and tear gassed. The country’s Crown Prince said to cancel the race now would “empower extremists,” Reuters reports.

The F1 in Bahrain went ahead without incident, the race track was heavily guarded by police with dogs etc. Bernie Ecclestone has also stated that he sees no reason to drop Bahrain from future F1 schedules, despite the controversy it provoked.

It’ll be interesting to see if the F1 now becomes a mainstay target for the Anonymous movement and their offshoots – F1 could suffer some serious damage from this.

The race was cancelled last year due to protests.

Bahrain was the first Middle Eastern state to hold a Formula One race in 2004 and the ruling family has a significant stake in the McLaren racing team. The 2011 race was cancelled after protests erupted across the country.

The protests began on Valentine’s Day last year, as part of the wave of uprisings across the Arab world. While uprisings in Tunisia, Egypt and Libya were successful (with some help from NATO in the last case,) the Bahraini uprising, which saw over 100,000 people take to the streets, was quickly crushed when the royal family asked the Saudi Arabian army to intervene. The US Navy 5th Fleet, which is based in Bahrain, did not take part.

After the initial uprising the former Metropolitan Police assistant commissioner John Yates, who resigned after being heavily criticized for his conduct of an investigation into the News of The World hacking scandal, was hired by the Bahraini royal family to investigate human rights abuses that may or may not have taken place.

Yates reportedly wrote to FIA president Jean Todt earlier this month, telling him that the protests were not as serious as the media was reporting and said he felt safer in Bahrain than he did in some parts of London.

“These are criminal acts being perpetrated against an unarmed police force who, in the face of such attacks, are acting with remarkable restraint,” he wrote. “They are not representative of the vast majority of delightful, law-abiding citizens that represent the real Bahrain that I see every day.”

The whole Anonymous thing has been pretty quiet lately, the last major target I recall was OccupyWallStreet, the Vatican and a few others. The last time we reported on Anonymous was about – Former LulzSec Leader Sabu Flips Sides & Informs For The FBI.

I guess the movement might have gotten too much press and there have been a LOT of arrests so it’s probably fragmented and gone a lot more underground – communicating offline and over more secure channels.

Source: The Register



18 April 2012 | 1,658 views

NfSpy – ID-spoofing NFS Client Tool – Mount NFS Shares Without Account

We wrote about this tool originally last year – NfSpy – ID-spoofing NFS Client – Falsify NFS Credentials – and a new version just came out!

NfSpy has just been updated to support NFSv3, a more efficient and widespread protocol than the previous NFSv2. NfSpy is a FUSE filesystem written in Python that automatically changes UID and GID to give you full access to any file on an NFS share. Use it to mount an NFS export and act as the owner of every file and directory.

NFS before version 4 relies on host trust relationships for authentication. The NFS server trusts client machines to authenticate users and to assign the same user IDs (UIDs) that the shared filesystem uses. This works in NIS, NIS+, and LDAP domains, for instance, but only if you know the client machine is not compromised or faking its identity, because the only authentication in the NFS protocol is the passing of the UID and GID (group ID). There are a few things that can be done to enhance the security of NFS, but many of them are incomplete solutions, and even with all three listed here, it could still be possible to circumvent the security measures.
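Added example, not NfSpy’s code and not from the original post: a small Python auditor for exports(5)-style configuration that flags the conditions the paragraph above describes, i.e. entries whose only protection is the host-trust model (AUTH_SYS acceptance of client-asserted UID/GID, wildcard client patterns, no_root_squash, and the insecure port option). The sample exports file is constructed, and the finding labels are my own.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    path: str
    client: str
    issue: str
    detail: str

# Constructed sample /etc/exports for this example, not taken from any real host.
SAMPLE_EXPORTS = """\
# home directories for the NIS domain
/export/home   *(rw,sync)
/export/build  build1.lab.example(rw,no_root_squash) 10.0.0.0/24(ro)
/srv/secure    kdc.lab.example(rw,sec=krb5p)
/srv/www       *.lab.example(rw,all_squash,anonuid=65534,anongid=65534)
"""

# client[(opt,opt,...)]; a bare "(opts)" with no client name means every host.
TOKEN_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?$")

def parse_exports(text: str):
    """Yield (path, client, [options]) for every client entry in exports(5) text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = ["*"]   # assumption: a path with no client is audited as world-accessible
        for tok in clients:
            m = TOKEN_RE.match(tok)
            client = m.group(1) or "*"
            opts = [o for o in (m.group(2) or "").split(",") if o]
            yield path, client, opts

def audit_exports(text: str):
    """Flag entries whose only protection is the host-trust model: AUTH_SYS
    (client-asserted UID/GID), wildcard clients, no_root_squash, insecure ports."""
    findings = []
    for path, client, opts in parse_exports(text):
        opt_set = set(opts)
        # sec= takes a colon-separated list of flavors; absent means plain AUTH_SYS.
        sec = next((o[len("sec="):] for o in opts if o.startswith("sec=")), "sys")
        flavors = set(sec.split(":"))

        def flag(issue, detail):
            findings.append(Finding(path, client, issue, detail))

        if "sys" in flavors:
            flag("auth-sys", "AUTH_SYS accepted: the server trusts whatever UID/GID the client sends")
        if client == "*" or "*" in client or "?" in client:
            flag("wildcard-client", "any host matching the pattern may mount; host identity is the only check")
        if "no_root_squash" in opt_set:
            flag("no_root_squash", "UID 0 on the client is UID 0 on the export")
        if "insecure" in opt_set:
            flag("insecure-port", "unprivileged source ports accepted, so any local user on the client can talk NFS directly")
        if "rw" in opt_set and "sys" in flavors and "all_squash" not in opt_set:
            flag("rw-spoofable", "writable with client-asserted identity; prefer sec=krb5i/krb5p, or at least all_squash")
    return findings

if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path:14} {f.client:22} {f.issue:16} {f.detail}")
```

Only the Kerberos-protected export comes back clean; everything exported with the default sec=sys is, by construction of the protocol, trusting the UID and GID the client chooses to send.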

Features

  • Use filehandles from packet captures instead of asking mountd.
  • Hide from sysadmins by immediately “unmounting” while retaining access
  • Specify port/protocol for NFS or Mountd if you don’t have access to the portmapper

You can download NfSpy here:

NfSpy.zip

Or read more here.



16 April 2012 | 473 views

Android Trojan Targets Japanese Market – Steals Personal Data

Early last year we wrote about China Facing Problems With Android Handsets & Pre-installed Trojans, then later last year there was a possibility Cybercrooks May Be Able To Force Mobile Phones To Send Premium-Rate SMS Messages.

The latest news about Android malware is malicious apps that are in the official Google marketplace (called Play) – they masquerade as apps that deliver trailers for various content, but in fact steal your data in the background.

Security experts are warning of yet more malicious applications found on Google’s official online apps market Play, this time designed to steal personal data in the background while promising to show trailers for Japanese anime, video games and porn.

McAfee malware researcher Carlos Castillo explained in a blog post that the new Android Trojan had been discovered in 15 applications on Google Play so far and downloaded by at least 70,000 users.

The malware, specifically designed to target Japanese users, is hidden in apps which show internet-based video trailers.

On installation, the malicious apps request that the user grant them permission to read contact data and to read phone state and identity.

If granted by the user, this will enable them to pilfer Android ID, phone number and the victim’s entire contacts list including names, email addresses and phone numbers.

It will then attempt to send the data in clear text to a remote server and, if successful, will request a video from that same server to display, said Castillo.

I think most of us are pretty safe from this set of nasties though as it targets the Japanese market specifically. It is a general problem with Android apps though, most of them ask for far more permissions than they actually need to function (lazy devs perhaps?) so Android users are very used to granting all kinds of permissions to fairly simple apps.

Thankfully McAfee mobile security app does detect these as a threat (although how many people really have AV software on their phones?!).

“Due to the privacy risk that these applications represent to Android customers, all of them have been removed from the market,” he cautioned.

“McAfee Mobile Security detects these threats as Android/DougaLeaker.A. Users should verify in the Google Play market prior to installation that the application does not request permission to perform actions not related to its purpose.”

Google’s relatively open Android ecosystem has led to a huge surge in malware hidden in legitimate looking applications.

Apart from data-sucking Trojans, cyber criminals have looked to distribute apps containing premium dialler malware, SMS fraud Trojans and malware designed to turn a user’s handset into a bot.

Worryingly, two-thirds of Android anti-malware scanners are not up to the task, according to recent research from AV-Test.

The firm said that there are more than 11,000 strains of malware in the wild targeted at the platform – a figure growing at some pace.

Google does seem to be fairly on top of removing these apps from the marketplace as soon as they are reported and verified as malware. I’d have thought they should integrate some kind of malware scan (including heuristic scanning for dodgy calls) into Google Play when someone adds a new app.

As always just be careful what you’re downloading and what you are giving permissions to. If you are paranoid, hook your phone up to your desktop and proxy all the traffic through there and get sniffing.

Source: The Register



12 April 2012 | 1,413 views

web-sorrow – Remote Web Security Scanner (Enumeration/Version Detection etc)

web-sorrow is a Perl based tool used for checking a web server for misconfiguration, version detection, enumeration, and server information. It is NOT a vulnerability scanner, inspection proxy, DDoS tool or an exploitation framework.

Current Functionality

  • -S – stands for standard: a set of standard tests including directory indexing checks, banner grabbing, language detection (should be obvious), robots.txt, and 200 response testing (some servers send a 200 OK for every request)
  • -Eb – stands for error bagging. The default config for servers is to put the server daemon and version, and sometimes even the OS, inside error pages. web-sorrow requests a URL of 20 random bytes with the GET and POST methods.
  • -auth – looks for login pages using a list of some of the most common login files and directories. The list doesn’t need to be very big, because what else are people going to name it?
  • -cmsPlugins – runs through a huge list of plugin directories for CMS servers. The list is a bit old (2010)
  • -I – searches the responses for interesting strings
  • -Ws – looks for web services such as hosting provider, blogging services, favicon fingerprinting, and CMS version info
  • -Fd – looks for things people generally don’t want you to see. The list is generated from a TON of robots.txt files, so whatever it finds should be interesting.
  • -proxy – send all HTTP requests via a proxy. Example: 255.255.255.254:8080
  • -e – run all the scans in the scanner

web-sorrow also does false positive checking on most of its requests (it is pretty accurate, but not perfect).
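The -S 200 response test and the -Eb error bagging described above, as an added example in Python that is not web-sorrow’s own code: it banner-grabs the root page, requests a random 20-byte path with GET and POST, flags a server that answers 200 for a path that cannot exist, and pulls daemon/version strings out of the Server header and the error page body. The target it scans is a constructed local http.server that deliberately misbehaves the way the -Eb description says real servers do; the banner values, the regex and the function names are my own assumptions, not anything from web-sorrow.

```python
"""Soft-404 detection and error-page banner harvesting in the style of
web-sorrow's -S and -Eb options.  Added illustration, not web-sorrow code."""
import http.server
import re
import secrets
import threading
import urllib.error
import urllib.request

# Assumed banner shapes: "Apache/2.2.22 (Ubuntu)", "nginx/1.2.1", "Microsoft-IIS/7.5".
BANNER_RE = re.compile(
    r"\b(Apache|nginx|Microsoft-IIS|lighttpd)/(\d+(?:\.\d+)*)(?:\s+\(([^)]+)\))?"
)


def random_path():
    # 20 random bytes, hex-encoded: a path that cannot exist on the target.
    return "/" + secrets.token_hex(20)


def fetch(url, method="GET", timeout=5):
    """Return (status, headers, body); 4xx/5xx responses are data, not errors."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("latin-1", "replace")


def check_host(base_url, fetch_fn=fetch):
    """Banner-grab the root, then hit a random path with GET and POST."""
    findings = {"server_header": None, "soft_404": False, "banners": set()}
    _, headers, _ = fetch_fn(base_url + "/")
    findings["server_header"] = headers.get("Server")
    for method in ("GET", "POST"):
        status, headers, body = fetch_fn(base_url + random_path(), method=method)
        if status == 200:
            # 200 for a path that cannot exist: any later "found" result from a
            # wordlist scan must be verified by content, not by status code.
            findings["soft_404"] = True
        for blob in (headers.get("Server", ""), body):
            for match in BANNER_RE.finditer(blob):
                findings["banners"].add(match.group(0))
    return findings


# --- constructed target for offline demonstration ---------------------------
class LeakyHandler(http.server.BaseHTTPRequestHandler):
    """Mimics a misconfigured Apache: 200 for every path, banner in the error page."""
    server_version = "Apache/2.2.22"   # constructed; becomes the Server header
    sys_version = "(Ubuntu)"

    def _respond(self):
        if self.path == "/":
            body = b"<html><body>Welcome</body></html>"
        else:
            body = (b"<h1>Not Found</h1>"
                    b"<address>Apache/2.2.22 (Ubuntu) Server at target Port 80</address>")
        self.send_response(200)  # deliberately wrong: unknown paths should be 404
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _respond

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Start the constructed server on a free loopback port and scan it."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), LeakyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_host("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Point check_host at a real base URL (scheme and host, no trailing slash) to run it against a target you are authorised to test. The soft_404 flag is exactly why web-sorrow bothers with its own false positive checking: once a server returns 200 for everything, a directory or plugin scan that trusts status codes alone reports every entry in its wordlist as present.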

Examples

basic:

look for login pages:

most intense scan possible:

You can download web-sorrow here:

Wsorrow_v1.3.0.zip

Or read more here.



11 April 2012 | 1,181 views

Microsoft Delivers 6 Out Of Band High Priority Security Updates

It was only last month that everyone was wrapped up in the MS12-020 RDP Exploit Code In The Wild issue.

As it turns out, Microsoft have had some more serious security issues on their hands. Attackers are already exploiting the MS12-027 ActiveX flaw in the wild, although Microsoft of course say there have been only ‘limited attacks’.

It’s a fair old bundle of updates. One correction to the headline, though: these bulletins went out on 10 April, which was the regular second-Tuesday Patch Tuesday for April, not an out-of-band release. What makes MS12-027 stand out is that the bug was already being exploited when the fix shipped, which normally is what prompts Microsoft to go out of cycle.

Microsoft today delivered six security updates to patch 11 vulnerabilities in Windows, Internet Explorer (IE), Office and several other products, including one bug that attackers are already exploiting. The company also issued the first patch for Windows 8 Consumer Preview, the beta-like build Microsoft released at the end of February.

But it was MS12-027 that got the most attention today.

“Things got a bit more interesting today,” said Andrew Storms, director of security operations at nCircle Security, “because Microsoft is reporting limited attacks in the wild.”

Flaws that attackers exploit before a patch is available are called “zero-day” vulnerabilities. The single vulnerability patched in MS12-027 is in an ActiveX control included with every 32-bit version of Office 2003, 2007 and 2010; Microsoft also called out SQL Server, Commerce Server, BizTalk Server, Visual FoxPro and Visual Basic as needing the patch.

Storms, other security experts and Microsoft, too, all identified MS12-027 as the first update users should install.

Hackers are already using the vulnerability in malformed text documents, which when opened either in Word or WordPad — the latter is a bare bones text editor bundled with every version of Windows, including Windows 7 — can hijack a PC, Microsoft acknowledged in a post to its Security Research & Defense (SRD) blog today.

Now the good thing is, the flaw is not in a network-reachable service, so nobody can compromise your machine over the network with this alone. It is still serious, though, as you can be compromised simply by opening a malformed document, which I assume would embed some use of the vulnerable ActiveX control.

Even so, it’s classed as remote code execution: if an attacker can get you to open the document, or to load the control from a web page in a browser, you’re owned.

There have been a lot of flaws like this (usually in Adobe Reader) and they have caused a fair amount of havoc, so tell whoever you know that’s running Windows to get their Windows Update on ASAP.

“We list MS12-027 as our highest priority security update to deploy this month because we are aware of very limited, targeted attacks taking advantage of [the] CVE-2012-0158 vulnerability using specially-crafted Office documents,” said Elia Florio, an engineer with the Microsoft Security Response Center, in the SRD blog post.

Microsoft did not disclose when it first became aware of the attacks, or who reported the vulnerability to its security team.

Storms speculated that an individual or company had been attacked, uncovered the bug and notified Microsoft. Microsoft rarely deploys a patch “out of cycle,” meaning outside its usual second Tuesday of every month schedule. The last such update was shipped in December 2011, and was the first for that year.

Also affected is software written by third-party developers who have bundled the buggy ActiveX control with their code or called it. Those developers will have to provide their own updates to customers.

“Any developer that has released an ActiveX control should review the information for this security bulletin,” said Jason Miller, manager of research and development at VMware. “These developers may need to release updates to their own software to ensure they are not using a vulnerable file in their ActiveX control.”

Attackers can also exploit this bug using “drive-by download” attacks that automatically trigger the vulnerability when IE users browse to a malicious site, Microsoft admitted.

And well if anyone is using Internet Exploder Explorer still – they are in trouble anyway.

The scary part is, 8 out of the 11 issues patched in this batch were marked as Critical, and the IE bulletin affects IE9, the latest version of the Microsoft browser.

You can read the original Microsoft advisory here – Microsoft Security Bulletin MS12-027 – Critical – note they have marked this as a Critical issue.

Source: Network World
