Archive | March, 2011

Adobe Promises Patch For Flash 0-day Being Used In Targeted Attacks


With all the new vulnerabilities with working exploits pouring out of Pwn2Own, I can’t say I expected to see another 0-day in Adobe Flash outside of the contest.

It wasn’t that long ago (back in October 2010) when there was another Critical 0-day Vulnerability In Adobe Flash Player, Reader & Acrobat and Adobe were scrambling to fix it.

They are promising an out-of-band patch for this vulnerability, as it's marked as critical and has apparently been seen in the wild, but only in a few targeted attacks, according to this blog post by Adobe:

Background on APSA11-01 Patch Schedule

Adobe Systems plans to release emergency patches for its Flash and Reader applications after learning a critical vulnerability is being exploited to install malware on vulnerable machines.

The out-of-cycle patches for Adobe Flash Player 10 and Acrobat and Reader versions 9, 10, and X will arrive during the week of March 21, the company said on Monday. The updates will cover all versions of those programs except for Reader X for Windows, which ships with a security sandbox that blocks the exploits Adobe has observed so far.

The announcement comes after members of Adobe’s security team received reports of targeted attacks aimed “at a very small number of organizations and limited in scope” that “install persistent malware on the victim’s machine,” the company said in an advisory. The exploits wield a booby-trapped Flash file hidden inside a Microsoft Excel file attached to an email.

The attacks exploit an unspecified flaw in Flash Player for the Windows, Mac, Linux, Solaris and Android operating systems. Adobe security members are unaware of other types of attacks, such as those that plant the malicious Flash file in documents using the PDF, or portable document format, specification.

It's a pretty tricky attack with multiple layers: it seems the Flash exploit itself is embedded in an Excel file attached to e-mails. It looks like corporate users of Reader X will be out of luck, as there is no patch for that version, but then Adobe states that, as Reader X comes with a sandbox, the exploit won't actually function anyway.
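As an added illustration (not code from the original post or from Adobe), here is a small Python carver that flags SWF headers embedded in an arbitrary attachment, such as the .xls container described above, and confirms CWS candidates by inflating the body; the sample bytes are constructed. A caveat: it scans raw bytes, so a stream that is fragmented across OLE2 sectors could be missed.

```python
import struct
import zlib

# SWF files start with one of three signatures, a 1-byte version and a
# 4-byte little-endian length of the *uncompressed* file (header included).
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
HEADER_LEN = 8


def find_swf_candidates(blob, max_version=40):
    """Return (offset, signature, version, declared_len) for every plausible SWF header."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = blob.find(magic, start)
            if idx < 0 or idx + HEADER_LEN > len(blob):
                break
            version = blob[idx + 3]
            declared = struct.unpack_from("<I", blob, idx + 4)[0]
            # Real headers carry a small version number and a length covering at least the header.
            if 1 <= version <= max_version and declared >= HEADER_LEN:
                hits.append((idx, magic.decode("ascii"), version, declared))
            start = idx + 1
    return sorted(hits)


def validate_candidate(blob, hit):
    """Confirm a candidate: the body must actually supply the declared number of bytes."""
    offset, sig, _version, declared = hit
    body = blob[offset + HEADER_LEN:]
    if sig == "FWS":
        # Uncompressed: the declared length must fit inside the data we have.
        return len(body) >= declared - HEADER_LEN
    if sig == "CWS":
        # zlib-compressed body; decompressobj stops at end of stream and ignores trailing bytes.
        try:
            inflated = zlib.decompressobj().decompress(body)
        except zlib.error:
            return False
        return len(inflated) == declared - HEADER_LEN
    return False  # ZWS (LZMA) bodies are not validated in this example


def scan_attachment(blob):
    """Return only the candidates that survive validation."""
    return [hit for hit in find_swf_candidates(blob) if validate_candidate(blob, hit)]


# Constructed test data: a fake workbook with one real CWS blob and one decoy header.
PREFIX = b"\xd0\xcf\x11\xe0 constructed workbook bytes "
SAMPLE_SWF_OFFSET = len(PREFIX)


def build_sample():
    swf_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00" + b"\x00" * 40  # arbitrary body bytes
    declared = HEADER_LEN + len(swf_body)
    real_swf = b"CWS" + bytes([10]) + struct.pack("<I", declared) + zlib.compress(swf_body)
    decoy = b"CWS" + bytes([9]) + struct.pack("<I", 9999) + b"notzlib-at-all"
    return PREFIX + real_swf + b" more workbook bytes " + decoy + b" trailer"


SAMPLE = build_sample()

if __name__ == "__main__":
    for offset, sig, version, declared in scan_attachment(SAMPLE):
        print(f"SWF ({sig} v{version}) at offset {offset}, declared length {declared}")
```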

The patch is slated to come out next week sometime; there are no specifics as of yet, and I guess it depends how long it takes them to fix the problem reliably. They are looking to rush the patch out, though, rather than waiting for the next cycle.


“However, attackers have leveraged these type [sic] of Flash Player vulnerabilities in the past via .pdf files to attack the embedded authplay.dll component shipping with Adobe Reader and Acrobat v9,” Brad Arkin, Adobe’s senior director of product security and privacy, wrote. “Out of a preponderance of caution we took the decision to ship out-of-cycle updates for Adobe Reader and Acrobat v9, and Acrobat X to mitigate the risk of attackers shifting the attack from an .xls container to a .pdf container.”

The unscheduled patch won’t cover Reader X for Windows, because that recently released version of the program contains a Sandbox that isolates remotely supplied payloads from the OS’s core functions. As a result, the exploits Adobe has seen to date aren’t able to successfully execute on machines that run it. Many Reader users, particularly those in corporate settings, still run versions 10 or 9 of Reader, meaning they will remain vulnerable until the emergency patch is installed.

Excluding Reader X for Windows from the out-of-cycle release will allow Adobe engineers to publish it more quickly than they otherwise could. The fix for that version will be released on June 14, during Adobe's next scheduled quarterly update.

The Security Bulletin from Adobe is here:

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

It has been assigned the CVE Number: CVE-2011-0609

Source: The Register


Posted in: Exploits/Vulnerabilities, General News

Agnitio v1.2 – Manual Security Code Review Tool


Agnitio is a tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the ad hoc nature of manual security code review documentation, creating an audit trail and reporting.

v1.2 of Agnitio includes a new application metrics section to give better visibility of the security code review process and lets you monitor trends across multiple reviews of an application.

More details about the changes and plans for upcoming v2.0 here:

Agnitio v1.2 released today

You can download Agnitio v1.2 here:


Agnitiov1_2.zip

Or read more here.


Posted in: Countermeasures, Programming, Security Software

Day One At Pwn2Own Takes Out Microsoft Internet Explorer and Apple Safari


Well, it's March again, and we love March because it's Pwn2Own time! Every year around this time we get some goodies to discuss, and it has been that way for years. It took Microsoft until June last year to fix the Pwn2Own bug – Microsoft Patches At Least 34 Bugs Including Pwn2Own Vulnerability.

This time both Internet Explorer and Safari fell on the first day!

Contestants in a high-stakes hacking contest had no trouble toppling the Apple Safari and Microsoft Internet Explorer browsers, proving for a fifth year in a row that no software or application is safe from people with the expertise and motivation to exploit them.

The attacks came on Day One of the Pwn2Own contest, which pays more than $15,000 apiece for exploits that successfully give the attacker full remote access to the targeted machine. Wednesday's event saw hackers take complete control of a fully patched Sony Vaio and MacBook Air by compromising IE and Safari respectively. Google's Chrome browser was also up for grabs, but no one stepped forward to try hacking it.

“Every browser, every operating system, has its own vulnerabilities,” said Chaouki Bekrar, CEO of Vupen Security and the contestant who successfully hacked Safari. “This is what we wanted to demonstrate – that we can create a very reliable exploit for Apple Mac OS and Safari without even crashing the browser.”

Contest rules forbid him from disclosing most technical details behind the vulnerability, but he was permitted to say that it involved what’s known as a use-after-free flaw in the Apple browser. He said the exploit used a technique known as return-oriented programming to bypass a security protection known as data execution prevention that is built into many Apple programs.

There has been a barrage of patches recently too, with Microsoft patching some very serious bugs in the March 2011 Black Tuesday, Apple patching critical Mac bugs with Java updates, Apple patching 62 bugs in Safari and Jon Oberheide killing his own Android bug by reporting it to Google.

Also, sadly, one of the Pwn2Own champions, Geohot, wasn't present, most likely due to the shit storm Sony is throwing at him.

It'll be interesting to see what else comes out of Pwn2Own this year.


After building the tools from scratch, it took him about two weeks to find the bug and set out to exploit it. The result was an attack that reliably commandeers a Mac when Safari visits a website that hosts the malicious code.

“Just after visiting the webpage with the affected version of Safari, we can, for example, launch the calculator or open a shell or do anything else we want,” he said a minute or two after demonstrating the exploit at the contest, which was attended by members of Apple’s security team. “We have the same privileges as the user who visited the webpage.”

He said users would have no way of knowing their machines have been compromised. There is no prompt asking for a password. The only way to thwart the attack is to run Safari from an account that has been configured to have limited privileges.

Under competition rules, contestants drew a lottery to determine who was the first to attempt hacking a particular browser. Once a browser was compromised, it was eliminated from the running. Both IE and Safari were hacked on the first try.

“I have an exploit all ready to go, and now it’s just sitting in my bag,” said Charlie Miller, a three-time Pwn2Own winner, shortly after Bekrar took this year’s prize. “You’d think Apple would be concerned about it.”

Miller said he’s had the working attack for more than nine months now. Even after Apple patched a whopping 62 Safari security bugs just hours before the contest started, Miller’s exploit still worked, he said.

Charlie Miller has a working exploit sitting in his bag too, after Bekrar already took the prize. It seems like it's really quite worth developing a reliable, working 0-day exploit for $15,000!

The new sandbox in IE got pwned pretty easily too, which shows that slapping on some Tonka toy security controls isn't ever going to stop a dedicated attacker. There was one contestant who stepped up to the plate to take down Google's Chrome, but perhaps the exploit didn't work, as there are no reports on that.

Day two of Pwn2Own will see attacks on smartphone platforms – Windows 7 Mobile, an iPhone 4, a BlackBerry Torch 9800, and a Nexus S running Google's Android. There are multiple contestants signed up for each platform!

Source: The Register


Posted in: Apple, Exploits/Vulnerabilities, Windows Hacking

PacketFence – Free, Open Source Network Access Control (NAC) System


PacketFence is a fully supported, trusted, free and open source network access control (NAC) system. It boasts an impressive feature set, including a captive portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, and integration with the Snort IDS and the Nessus vulnerability scanner, so PacketFence can be used to effectively secure networks from small to very large heterogeneous ones. Among the different markets are:

  • banks
  • colleges and universities
  • engineering companies
  • manufacturing businesses
  • school boards (K-12)

... and many more!

Why do I need PacketFence?

If your network is a breeding ground for worms, PacketFence is for you. If you have no idea who connects to your network and who owns a particular computer, PacketFence is for you. If you have no way of mapping a network policy violation to a user, PacketFence is for you.


Released under the GPL, PacketFence is built using trusted open-source components that allow it to offer an impressive amount of features.

Examples

What can you do with PacketFence, you may ask? Well, you can:

  • Block iPods wireless access
  • Forbid rogue access points
  • Perform compliance checks
  • Eliminate Peer-to-Peer traffic
  • Provide guest access
  • Simplify VLAN management

You can download PacketFence here:

packetfence-2.1.0.tar.gz

Or read more here.


Posted in: Countermeasures, Network Hacking, Security Software

Google Removes ‘DroidDream’ Malware From Android Devices


Android must be getting popular! It's always a test of a new platform or OS: when does it start getting serious malware targeting it?

It seems like the time for Android is now. The news lately has been buzzing about the DroidDream malware that has been flooding the Android Market. Google pulled a number of malicious apps (rumoured to be more than 50) on March the 1st but kept hush – they later blogged about it on March 5th, outlining some details about the malware and the vulnerability involved.

An Update on Android Market Security

Google has acknowledged that it removed “a number” of malicious malware applications from the Android Market on March 1, and it has now reached out over the airwaves to remove the apps from end users devices as well.

Last week, reports indicated that more than 50 Android apps had been loaded with info-pilfering software known as DroidDream. Google immediately responded by pulling the apps from the Market, but the company remained silent on the matter until tossing up a blog post on Saturday evening.

According to Google, the malware exploited known vulnerabilities that had been patched in Android versions 2.2.2 and higher. Google "believes" the attacker or attackers was only able to gather device-specific information, including unique identifiers used to identify mobile devices and the version of Android running on the device. But the company added that attackers could have accessed other data.

In addition to removing the apps from the Android Market, Google suspended the accounts of the developers involved and contacted law enforcement about the attack, and as it did on one previous occasion, the company used the “kill switch” that lets it remotely remove mobile apps that have already been installed by end users.

So Google does have a kill switch for software already installed on end user devices, some may complain – but honestly it’s only responsible to have such a thing (Apple has one for iOS of course).

And it's all well and good saying it only affects phones with Android versions lower than 2.2.2... but sadly that is still the majority of phones. Only the phones directly pushed out by Google get the most recent version of Android; all the other models out there (HTC, Samsung, Motorola etc.) still have older (vulnerable) versions.


Google maintains a persistent connection to Android phones that lets the company not only remotely remove applications from devices but remotely install them as well. The remote install tool is used when Android owners purchase apps via the new web incarnation of the Android Market. The Android Market Web Store lets you browse and purchase applications via a browser, as opposed to the Android client loaded on handsets.

Apple maintains its own “kill switch” for the iPhone. In 2008, an iPhone hacker told the world that Apple had added an app kill switch to the iPhone, and Steve Jobs later confirmed its existence. “Hopefully, we never have to pull that lever,” Jobs said, “but we would be irresponsible not to have a lever like that to pull.”

On Saturday, Google also said that it is pushing a security update to all Android devices affected by the malware in question. If your device was affected, the company said, you will receive an email from android-market-support@google.com, and you’ll get a notification on your phone that a package called “Android Market Security Tool March 2011” has been installed. You may also receive a notification that the offending apps have been removed.

The company is taking additional measures to stop such attacks in the future, but it did not provide specifics. “We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues,” the blog post read.

Google will also be pushing out a security update to all Android handsets that were affected; if you're an Android user you'll see a package called "Android Market Security Tool March 2011" installed, which combats the malware.

Apparently it was quite easy to foil the malware if you were handy on the command line: all you needed to do was create a file at /system/bin/profile/ using the terminal and the touch command, then chmod 644, and you're done.

Source: The Register


Posted in: Exploits/Vulnerabilities, Linux Hacking, Malware

Microsoft Attack Surface Analyzer – Test Software Vulnerabilities


Attack Surface Analyzer is developed by the Security Engineering group, building on the work of our Security Science team. It is the same tool used by Microsoft’s internal product groups to catalogue changes made to operating system attack surface by the installation of new software.

Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.

This allows:

  • Developers to view changes in the attack surface resulting from the introduction of their code onto the Windows platform
  • IT Professionals to assess the aggregate attack surface change caused by the installation of an organization's line-of-business applications
  • IT Security Auditors to evaluate the risk of a particular piece of software installed on the Windows platform during threat risk reviews
  • IT Security Incident Responders to gain a better understanding of the state of a system's security during investigations (if a baseline scan was taken of the system during the deployment phase)

System Requirements

Supported Operating Systems: Windows 7, Windows Server 2008, Windows Vista

Collection of Attack Surface data: Windows 7, Windows Vista, Windows Server 2008 R1 or Windows Server 2008 R2

Analysis of Attack Surface data and report generation: Windows 7 or Windows Server 2008 R2 with Microsoft .Net 3.5 SP1

You can download Attack Surface Analyzer here:

64-bit: Attack_Surface_Analyzer_BETA_x64.msi
32-bit: Attack_Surface_Analyzer_BETA_x86.msi

Or read more here.


Posted in: Countermeasures, Exploits/Vulnerabilities, Security Software, Windows Hacking

Intel Completes $7.68B McAfee Buyout In All-Cash Deal


The big news in the last few days is that Intel has completed its buyout of McAfee in a $7.6 billion all-cash deal, so it seems like security on the chipset/CPU is going to be a reality. We wrote about the initial acquisition back in August 2010, and Intel has been working hard to get the deal past all the regulatory boards in the US and Europe.

McAfee is actually the world’s second-largest security software company after Symantec, so this acquisition makes them a serious player in the security industry.

Intel has completed its $7.68 billion acquisition of security vendor McAfee, the chip maker announced on Monday.

The all-cash deal makes Intel a security industry powerhouse, giving it a broad range of consumer and enterprise security products. Though the acquisition has left some observers scratching their heads, Intel says it needs the McAfee technology to help it bake security into its microprocessors and chipsets — especially as Intel looks to become more competitive in smartphones and other portable devices.

“Intel and McAfee believe today’s approach to security does not adequately address the billions of new Internet-ready devices, including PCs, mobile and wireless devices, TVs, cars, medical devices and ATM machines,” Intel said Monday in a statement announcing the acquisition’s close. “With the surge in cyber threats, providing protection to a diverse online world requires a fundamentally new approach involving software, hardware and services.”

They will be running McAfee as a fully owned subsidiary, and they will also be leveraging other companies they have acquired (such as Wind River) to work together with the McAfee arm.

As they said, the current approach to computer security (especially in the consumer sector) is stuck at least 10 years behind what is actually happening. I'm not sure if this merger can improve anything, but more security in the hardware/CPU/chipset can't hurt, really, can it?

Yeah, of course some clever chap is going to find a way to disable it, block it or simply circumvent the protection – but it'll still be better than nothing.


Intel had been working to get the deal approved by U.S. and European Union regulators since it was announced last August. The European Commission, in particular, had expressed concerns that Intel would give McAfee special treatment when it came to its processors and chipsets, locking other security vendors out of the technology. Those concerns had reportedly been threatening to hold up the deal, but late last month the European Commission announced that Intel had assuaged its concerns.

Although McAfee’s technology can now be integrated into a wide range of Intel products, McAfee itself will be run as a subsidiary, operated out of Intel’s Software and Services Group. That group is run by Renée James, who will now be the boss of McAfee chief Dave DeWalt.

Anyway, at least the acquisition is wrapped up now, so we can keep an eye on any plans they have been brewing since last year. It'll be interesting to see if there are any major changes in the direction of McAfee or, to be really optimistic, whether we will see McAfee anti-virus software improve.

I don't believe Intel will try and play the anti-trust game and lock AMD out of the McAfee party... but honestly, who knows what will happen?

Source: Network World


Posted in: Countermeasures, Hardware Hacking