Subscribe to RSS
Follow me on Twitter
Join me on Facebook
Security experts have spotted drive-by malware attacks exploiting a critical security hole in Windows that Microsoft recently addressed with a software patch. Separately, Symantec is warning users of its pcAnywhere remote administration tool to either update or remove the program, citing a recent data breach at the security firm that the company said could help attackers find holes in the aging software title.
Time to Patch
27
Jan 12
Warnings About Windows Exploit, pcAnywhere
10
Jan 12
Adobe, Microsoft Issue Critical Security Fixes
Adobe and Microsoft today each issued software fixes to tackle dangerous security flaws in their products. If you use Acrobat, Adobe Reader or Windows, it’s time to patch.
Microsoft released seven security bulletins addressing at least eight vulnerabilities in Windows. The lone “critical” Microsoft patch addresses a pair of bugs in Windows Media Player. Microsoft warns that attackers could exploit these flaws to break into Windows systems without any help from users; the vulnerability could be triggered just by browsing to a site that hosts specially crafted video content.
13
Dec 11
Security Updates for Microsoft Windows, Java
Microsoft today issued software updates to patch at least 19 security holes in Windows, including three flaws that earned the company’s most serious “critical” rating. Separately, Oracle released a security update that fixes several issues in its Java software.
The most talked-about vulnerability fixed in December’s patch batch is a critical flaw in all supported versions of Windows that’s been exploited for at least the past two months (and probably much longer) by the Duqu Trojan, a sophisticated information-stealer that experts say was an espionage tool constructed to extract sensitive data from industrial control systems. Continue reading →
30
Nov 11
Public Java Exploit Amps Up Threat Level
An exploit for a recently disclosed Java vulnerability that was previously only available for purchase in the criminal underground has now been rolled into the open source Metasploit exploit framework. Metasploit researchers say the Java attack tool has been tested to successfully deliver payloads on a variety of platforms, including the latest Windows, Mac and Linux systems.
On Monday, I disclosed how the Java exploit is being sold on cybercrime forums and incorporated into automated crimeware kits like BlackHole. Since then, security researchers @_sinn3r and Juan Vasquez have developed a module for Metasploit that makes the attack tool available to penetration testers and malicious hackers alike. According to a post on the Metasploit blog today, the Java vulnerability “is particularly pernicious, as it is cross-platform, unpatched on some systems, and is an easy-to-exploit client-side that does little to make the user aware they’re being exploited.”
Metasploit also posted the results of testing the exploit against a variety of browsers and platforms, and found that it worked almost seamlessly to compromise systems across the board, from the latest 64-bit Windows 7 machines to Mac OS X and even Linux systems.
This development should not be taken lightly by any computer user. According to Sun’s maker Oracle, more than three billion devices run Java. What’s more, Java vulnerabilities are by some accounts the most popular exploit paths for computer crooks these days. On Monday, Microsoft’s Tim Rains published a blog post noting that the most commonly observed type of exploits in the first half of 2011 were those targeting vulnerabilities in Oracle (formerly Sun Microsystems) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK).
28
Nov 11
New Java Attack Rolled Into Exploit Kits
A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground. The exploit, which appears to work against all but the latest versions of Java, is being slowly folded into automated attack tools.
The exploit attacks a vulnerability that exists in Oracle Java SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6 Update 29, or Java 7 Update 1, then you have the latest version that is patched against this and 19 other security threats. If you are using a vulnerable version of Java, it’s time to update. Not sure whether you have Java or what version you may be running? Check out this link, and then click the “Do I have Java?” link below the big red “Free Java Download” button.
A few weeks back, researcher Michael ‘mihi’ Schierl outlined how one might exploit this particular Java flaw. Over the weekend, I stumbled on a discussion in an exclusive cybercrime forum about an exploit that appears to have been weaponized along the same lines as described by Schierl. Below is a recording of a video posted by one of the members that shows the attack in action.
10
Nov 11
Critical Flash Update Plugs 12 Security Holes
Adobe has issued a critical software update for its Flash Player software that fixes at least a dozen security vulnerabilities in the widely-used program. Updates are available for Windows, Mac, Linux, Solaris and Android versions of Flash and Adobe Air.
The update fixes flaws present in Flash Player versions 11.0.1.152 and earlier for Windows, Mac, Linux and Solaris systems, and in Flash 11.0.1.153 and earlier for Android. The vulnerabilities are rated critical, meaning they could give hacked or malicious Web sites an easy way to install software on your machine.
Adobe’s advisory says users of Flash version 11.0.1.152 and earlier should update to v. 11.1.102.55; those using Flash v. 11.0.1.153 and earlier versions for Android should update to Flash Player 11.1.102.59. Users of AIR 3.0 for Windows, Macintosh, and Android should update to AIR v. 3.1.0.4880. The company says it is not aware of any active attacks against these flaws at this time.
9
Nov 11
Adobe, Apple, Microsoft & Mozilla Issue Critical Patches
Adobe, Apple, Microsoft and Mozilla all released updates on Tuesday to fix critical security flaws in their products. Adobe issued a patch that corrects four vulnerabilities in Shockwave Player, while Redmond pushed updates to address four Windows flaws. Apple slipped out an update that mends at least 17 security holes in its version of Java, and Mozilla issued yet another major Firefox release, Firefox 8.
The only “critical” patch from Microsoft this month is a dangerous Windows flaw that could be triggered remotely to install malicious software just by sending the target system specially crafted packets of data. Microsoft says this vulnerability may be difficult to reliably exploit, but it should be patched immediately. Information on the other three flaws fixed this week is here. The fixes are available via Windows Updates for most supported versions of the operating system, including XP, Vista and Windows 7. Continue reading →
20
Oct 11
Critical Java Update Fixes 20 Flaws
Oracle Corp. released a critical update to plug at least 20 security holes in versions of its ubiquitous Java software. Nearly all of the Java vulnerabilities can be exploited remotely to compromise vulnerable systems with little or no help from users.
If you use Java, take some time to update the program now. According to a report released this month by Microsoft, the most commonly observed exploits in the first half of 2011 were those targeting Java flaws. The report also notes that Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.
Methods for exploiting one of the flaws fixed by this update were detailed at a recent security conference in Buenos Aires, where researchers demonstrated a method for intercepting encrypted SSL and TLS traffic.
11
Oct 11
Critical Security Updates from Microsoft, Apple
Microsoft and Apple today released security updates to fix a slew of critical security problems in their software. Microsoft’s patch batch fixes at least 23 vulnerabilities in Windows and other Microsoft products. Apple’s update addresses more than 75 security flaws in the Windows versions of iTunes.
Nine of the 23 flaws Microsoft fixed with patches today are rated “critical,” meaning attackers could exploit them to break into vulnerable systems with little or no help from users. Eight of the nine critical bugs are in Internet Explorer. The remaining critical flaw is corrected in an update for the .NET Framework. Three of the vulnerabilities fixed with these updates were disclosed publicly prior to today, including a flaw in Windows Media Center that Microsoft believes crooks are likely to soon figure out how to reliably exploit.
The iTunes update brings the music player software to version 10.5, and is available for Microsoft systems running Windows 7, Vista, XP SP2 and later. Two new features of iTunes deserve mentioning: Apple says iPhone and iPad users who upgrade to iOS 5 when it is released later this week will be able to sync with iTunes wirelessly. More importantly from an update perspective, Apple has at long last untethered iTunes from QuickTime.
21
Sep 11
Flash Player Update Fixes Critical Flaws
Adobe today issued an out-of-band software update to fix dangerous security flaws in its Flash Player products, including at least one that is actively being exploited. Patches are available for versions of Flash on Windows, Mac, Linux, Solaris and Android operating systems.
Adobe said one of the bugs, a cross-site scripting flaw, is being exploited in the wild in targeted attacks to trick users into clicking on a malicious link delivered in an email message. At the moment there isn’t much more information about this vulnerability (other than Adobe credits Google with reporting it). That may soon change if news begin to surface about which organizations were targeted with the help of this flaw.
According to Adobe: “This universal cross-site scripting issue could be used to take actions on a user’s behalf on any website or webmail provider if the user visits a malicious website.”
