
    11 Jun 10

    Don’t Need Java? Junk It.

    I am often asked to recommend security software, but it’s important to remember that staying secure is just as much about removing little-used software that increases your exposure to online threats. At the very top of my nix-it-now list is Java, a powerful application that most users have on their systems but that probably few actually need.

    Not only do most users have some version of Java on their systems, most Windows users likely have multiple copies of this program on their PCs, because older installers failed to remove previous, insecure versions of the software.

    Worse still, Java is now among the most frequently-attacked programs, and appears to be fast replacing Adobe as the target of choice for automated exploit tools used by criminals.

    Readers of the blog are no doubt familiar with my previous stories on the Eleonore Exploit Pack, a commercial software package sold by and to criminals that is used to booby trap Web sites with exploits for the most common Web browser vulnerabilities. Check out past posts on Eleonore, and it’s clear Java flaws are a key target of this increasingly common exploit pack.

    Below are a few screen shots taken from the administration page of yet another working Eleonore Exploit Pack: The first image shows the exploits used by this pack, along with the number of times each exploit (“sploit”) was successful in delivering malicious software payloads (or “loads”) to the visitor. As we can see, the “java2e” and “javae0” are by far the most successful of the exploits.

    Continue reading →


    9 Jun 10

    ZeuS Trojan Attack Spoofs IRS, Twitter, Youtube

    Criminals have launched a major e-mail campaign to deploy the infamous ZeuS Trojan, blasting out spam messages variously disguised as fraud alerts from the Internal Revenue Service, Twitter account hijack warnings, and salacious Youtube.com videos.

    According to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, this latest attack appears to be an extension of a broad malware spam campaign that began at the end of May.

    The fake IRS e-mails arrive with the tried-and-true subject line “Notice of Underreported Income,” and encourage the recipient to click a link to review their tax statement.

    All of the latest e-mails use a variety of URL shortening services. For example, this shortened link (currently live and dangerous, and therefore neutered here)…

    Continue reading →


    8 Jun 10

    Microsoft, Apple Ship Big Security Updates

    In its largest patch push so far this year, Microsoft today released 10 security updates to fix at least 34 security vulnerabilities in its Windows operating system and software designed to run on top of it. Separately, Apple has shipped another version of Safari for both Mac and Windows PCs that plugs some four dozen security holes in the Web browser.

    Microsoft assigned three of the updates covering seven vulnerabilities a “critical” rating, meaning they can be exploited to help attackers break into vulnerable systems with no help from users. At least 14 of the flaws fixed in this month’s patch batch are in Microsoft Excel, and another eight relate to Windows and Internet Explorer.

    According to Microsoft, the most serious of the bugs involves a weakness in the way Windows handles certain media formats, and is present in all supported versions of Windows. Another critical update nixes six different insecure ActiveX controls (plug-ins for Internet Explorer), while the third critical update corrects at least a half dozen vulnerabilities in IE.

    Microsoft notes that Office XP users may not be able to install one of the needed updates; rather, Redmond is releasing what it calls a “shim,” essentially a point-and-click “FixIt” tool that apparently does the job. If you use Office XP, go ahead and click the “FixIt” icon at this link when you’re done installing the rest of the updates.

    The Microsoft patches are available through Windows Update or via Automatic Update. As usual, please drop a note in the comments below if you experience any problems as a result of installing these updates.

    Apple’s Safari 5.0 update fixes at least four dozen security vulnerabilities in Safari on Mac OS X and Windows versions. Updates are available for Mac OS X v10.4.11, Mac OS X v10.5.8, Mac OS X v10.6.2 or later, Windows 7, Vista, and XP. Mac users can grab the update from Software Update or Apple Downloads; Safari users on Windows will need to update using the bundled Apple Software Update utility.


    5 Jun 10

    Adobe Warns of Critical Flaw in Flash, Acrobat & Reader

    Adobe Systems Inc. warned late Friday that malicious hackers are exploiting a previously unknown security hole present in current versions of its Adobe Reader, Acrobat and Flash Player software.

    “There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player and Adobe Reader and Acrobat,” the company said in a brief blog post published Friday evening. “This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.”

    Adobe said the vulnerability exists in Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and a component (authplay.dll) of Adobe Reader and Acrobat versions 9.x for Windows, Mac and UNIX operating systems.

    The company notes that the Flash Player 10.1 Release Candidate, available from this link, does not appear to be vulnerable. Adobe also said Adobe Reader and Acrobat 8.x are confirmed not vulnerable. Further, Adobe Reader and Acrobat users can mitigate the threat from this flaw by deleting, renaming or removing access to the “authplay.dll” file that ships with Reader and Acrobat (although users may still experience a non-exploitable crash or error message when opening a PDF that contains Flash content).

    The vulnerable component should be located at these spots for Windows users:

    Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll

    Acrobat: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll

    Adobe says it is working on an official patch for the problem. Stay tuned for more details.

    Update, June 7, 11:25 a.m. ET: Symantec is reporting that one strain of malware exploiting this vulnerability is something it calls Trojan.Pidief.J, which is a PDF file that drops a backdoor onto the compromised computer if an affected product is installed. Clearly, this is a follow-the-bouncing-malware type of exploit: “Upon analysis of an attack, it is also observed that a malicious [Shockwave Flash] file (detected as Trojan Horse) is used in conjunction with an HTML file (detected as Downloader) to download another malware (detected as Backdoor.Trojan) from the web,” the company said. Symantec notes that while the current attacks against this flaw are targeted and limited, that will likely soon change as more criminal groups start taking advantage of the vulnerability.

    Update, June 8, 12:40 p.m. ET: Adobe said today that it plans to issue a patch for the Flash vulnerability (on 10.x versions of Flash) on Thursday, June 10, for Windows, Linux and Mac. But the software maker said it doesn’t expect to ship an update for Windows, Linux and Mac versions of Adobe Reader and Acrobat until June 29. Adobe also posted steps that Mac and Linux users can take to mitigate any threat from these vulnerabilities, in an updated advisory.


    1 Jun 10

    Wi-Fi Street Smarts, iPhone Edition

    If you use your iPhone to connect to open or public wireless networks, it’s a good idea to tell the device to forget the network’s name after you’re done using it, as failing to do so could make it easier for snoops to eavesdrop on your iPhone data usage.

    For example, if you use your iPhone to connect to an open wireless network called “linksys,” — which happens to be the default, out-of-the-box name assigned to all Linksys home Wi-Fi routers — your iPhone will in the future automatically connect to any Wi-Fi network by that same name.

    The potential security and privacy threat here is that an attacker could abuse this behavior to sniff the network for passwords and other sensitive information transmitted from nearby iPhones even when the owners of those phones have no intention of connecting to a wireless network, simply by giving his rogue access point a common name.

    Continue reading →


    24 May 10

    Revisiting the Eleonore Exploit Kit

    Not long after I launched this blog, I wrote about the damage wrought by the Eleonore Exploit Kit, an increasingly prevalent commercial hacking tool that makes it easy for criminals to booby-trap Web sites with malicious software. That post generated tremendous public interest because it offered a peek at the statistics page that normally only the criminals operating these kits get to see. I’m revisiting this topic again because I managed to have a look at another live Eleonore exploit pack panel, and the data seem to reinforce a previous observation: Today’s attackers care less about the browser you use and more about whether your third-party browser add-ons and plugins are out-of-date and exploitable.

    Hacked and malicious sites retrofitted with kits like Eleonore have become more common of late: In a report issued this week, Web security firm Zscaler found that roughly 5 percent of the browser exploits they identified during the first quarter of this year were tied to hacked or malicious sites that criminals had outfitted with some version of Eleonore.

    Like most exploit kits, Eleonore is designed to invisibly probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software. The hacker’s end of the kit is a Web-based interface that features detailed stats on the percentage of visitors to the booby-trapped site(s) that are successfully attacked, and which software vulnerabilities were most successful in leading to the installation of the hacker’s malware.

    This particular Eleonore kit — which is currently stitched into several live adult Web sites — comes with at least a half-dozen browser exploits, including three that target Internet Explorer flaws, two that attack Java bugs, and one that targets a range of Adobe PDF Reader vulnerabilities. According to this kit’s stats page, the malicious adult sites manage to infect roughly every one in ten visitors.

    As we can see from the landing page pictured above, Windows XP users represent by far the largest group of users hitting these poisoned porn sites.

    Once again, Eleonore shows just how heavily Java flaws are now being used to infect computers (the above graphic shows the number of successful malware installations or “loads” per exploit). The last time I reviewed a working Eleonore admin panel, we saw that Java flaws were the second most reliable exploits. This time around, Java was the biggest source of infections. In the Eleonore kit I wrote about earlier this year, some 34 percent of the systems that were successfully exploited were attacked via a Java flaw. In this installation, four out of every ten victims who were hacked were compromised because they were running an outdated version of Java.

    Continue reading →


    20 May 10

    ReclaimPrivacy.org: Facebook Privacy 101

    If you’ve been watching the slow motion train wreck that is Facebook.com’s recent effort to revamp its privacy promises, you may be wondering where to start making sense of the dizzying array of privacy options offered by the world’s largest online social network. Fortunately, developers are starting to release free new tools so that you don’t need to read a statement longer than the U.S. Constitution or earn a master’s degree in Facebook privacy in order to get started.

    Reclaimprivacy.org hosts an easy-to-use, open source tool that can help Facebook users very quickly determine what types of information they are sharing with the rest of the world. To use it, visit reclaimprivacy.org and drag the “bookmarklet” over into your bookmarks area. Then log in to facebook.com, and browse to your privacy settings page. Then, click the bookmark and it will run a series of Javascript commands that produce a report showing your various privacy settings, and suggest ways to strengthen weaker settings.

    Continue reading →


    13 May 10

    Stolen Laptop Exposes Personal Data on 207,000 Army Reservists

    A laptop stolen from a government contractor last month contained names, addresses and Social Security numbers of more than 207,000 U.S. Army reservists, Krebsonsecurity.com has learned.

    The U.S. Army Reserve Command began alerting affected reservists on May 7 via e-mail. Col. Jonathan Dahms, chief of public affairs for the Army Reserve, said the personal data was contained on a CD-ROM in a laptop that was stolen from the Morrow, Ga. offices of Serco Inc., a government contractor based in Reston, Va.

    The laptop was one of three stolen from the Serco offices, but it was the only one that contained sensitive personal information, Dahms said.

    Serco held the data on reservists as part of its contract with the U.S. Army’s Family and Morale, Welfare and Recreation division. As a result, Dahms said, some of the data on the missing laptop may belong to dependents and spouses of U.S. Army reservists.

    Continue reading →


    12 May 10

    Microsoft, Adobe Push Critical Security Updates

    Microsoft Corp. and Adobe Systems each released security updates on Tuesday. Microsoft issued two “critical” patches that address one security flaw apiece, while Adobe’s patches fix a whole mess of serious vulnerabilities in its software.

    One of the critical updates pushed by Microsoft fixes a flaw in Outlook Express, Windows Mail and Windows Live Mail. On older versions of Windows (Windows XP for example) Outlook Express is installed by default, while Windows Mail and Windows Live Mail generally require users to affirmatively download and install the program.

    The other MS patch addresses a vulnerability in Microsoft Office, but the problem may turn out to be more complex down the road for some users. The trouble is that the vulnerable component, Microsoft Visual Basic for Applications, is used not only by Microsoft Office products, but is also a component that is potentially installed by many third-party software apps built to work with Windows.

    Continue reading →


    8 May 10

    Visa Warns of Fraud Attack from Criminal Group

    Visa is warning financial institutions that it has received reliable intelligence that an organized criminal group plans to attempt to move large amounts of fraudulent payments through a merchant account in Eastern Europe, possibly as soon as this weekend.

    In an alert sent to banks, card issuers and processors this week, Visa said it “has received intelligence from a third-party entity indicating that a criminal group has plans to execute ‘a large batch settlement fraud scheme.’”

    Continue reading →