Posts Tagged: mozilla firefox


15
May 14

The Mad, Mad Dash to Update Flash

An analysis of how quickly different browser users patch Adobe Flash vulnerabilities shows a marked variation among browser makers. The data suggest that Google Chrome and Mozilla Firefox users tend to get Flash updates relatively quickly, while many users on Microsoft’s Internet Explorer browser consistently lag behind.

The information comes from ThreatMetrix, a company that helps retailers and financial institutions detect and block patterns of online fraud. ThreatMetrix Chief Technology Officer Andreas Baumhof looked back over the past five months across 10,000+ sites the company serves, to see how quickly visitors were updating to the latest versions of Flash.

Baumhof measured the rates of update adoption for these six Flash patches:

Jan 14, 2014 – APSB14-02 Security updates available for Adobe Flash Player (2 critical vulnerabilities)

Feb 4, 2014 – APSB14-04 Security updates available for Adobe Flash Player (2 critical flaws, including 1 zero-day)

Feb 20, 2014 – APSB14-07 Security updates available for Adobe Flash Player (1 zero-day)

Mar 11, 2014 – APSB14-08 Security updates available for Adobe Flash Player (2 critical vulnerabilities)

Apr 8, 2014 – APSB14-09 Security updates available for Adobe Flash Player (4 critical vulnerabilities)

Apr 28, 2014 – APSB14-13 Security updates available for Adobe Flash Player (1 zero-day)

Overall, Google Chrome users were protected the fastest. According to Baumhof, Chrome usually takes just a few days to push the latest update out to 90 percent of users. Chrome pioneered auto-updates for Flash several years ago, with Firefox and newer versions of IE both following suit in recent years.

The adoption rate, broken down by browser type, of the last six Adobe Flash updates.


Interestingly, the data show that IE users tend to receive updates at a considerably slower clip (although there are a few times in which IE surpasses Firefox users in adoption of the latest Flash updates).  This probably has to do with the way Flash is updated on IE, and the legacy versions of IE that are still out there. Flash seems to have more of a seamless auto-update process on IE 10 and 11 on Windows 8 and above, and more of a manual one on earlier versions of the browser and operating system.

Another explanation for IE’s performance here is that it is commonly used in business environments, which tend to take a few days at least to test patches before rolling them out in a coordinated fashion across the enterprise along with the rest of the Patch Tuesday updates.


16
Dec 13

Botnet Enlists Firefox Users to Hack Web Sites

An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities, an investigation by KrebsOnSecurity has discovered.

The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.

The "Advanced Power" botnet installs itself as a legitimate Firefox extension. The malware looks for vulnerabilities in Web sites visited by the victim.


SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases.

Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.

The fraudulent Firefox add-on.


The malicious code comes from sources referenced in this Malwr writeup and this Virustotal entry (please don’t go looking for this malware unless you really know what you’re doing). On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant” (this bogus add-on does not appear to be the same thing as this add-on by the same name). The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities.

Alex Holden, chief information security officer at Hold Security LLC, said the botnet appears to have been built to automate the tedious and sometimes blind guesswork involved in probing sites for SQL vulnerabilities.

“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” Holden said. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means it is a full regression test, but it is a deep and innovative approach.”

Holden said he believes the authors of this botnet may be natives of and/or reside in the Czech Republic, noting that a few transliterated text strings in the malware are auto-detected by Google Translate as Czech.



8
Jul 13

Styx Exploit Pack: Domo Arigato, PC Roboto

Not long ago, miscreants who wanted to buy an exploit kit — automated software that helps booby-trap hacked sites to deploy malicious code  — had to be fairly well-connected, or at least have access to semi-private underground forums. These days, some exploit kit makers are brazenly advertising and offering their services out in the open, marketing their wares as browser vulnerability “stress-test platforms.”

Styx Pack victims, by browser and OS version.


Aptly named after the river in Greek mythology that separates mere mortals from the underworld, the Styx exploit pack is a high-end software package that is made for the underground but marketed and serviced at the public styx-crypt[dot]com. The purveyors of this malware-as-a-service also have made a 24 hour virtual help desk available to paying customers.

Styx customers might expect such niceties for the $3,000 price tag that accompanies this kit. A source with access to one Styx kit exploit panel that was apparently licensed by a team of bad guys shared a glimpse into their operations and the workings of this relatively slick crimeware offering.

The Styx panel I examined is set up for use by a dozen separate user accounts, each of which appears to be leveraging the pack to load malware components that target different moneymaking schemes. The account named “admin,” for example, is spreading an executable file that tries to install the Reveton ransomware.

Other user accounts appear to be targeting victims in specific countries. For example, the user accounts “IT” and “IT2” are pushing variants of the ZeuS banking trojan, and according to this Styx panel’s statistics page, Italy was by far the largest source of traffic to the malicious domains used by these two accounts. Additional apparently country-focused accounts included “NL,” “AUSS,” and “Adultamer” (“amer” is a derisive Russian slur used to describe Americans).

ZeuS Trojan variants targeted at Italian victims were detected by fewer than 5 out of 17 antivirus tools.


An exploit kit, also called an “exploit pack” (Styx is marketed as “Styx Pack”), is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed.

Unlike other kits, Styx doesn’t give a detailed breakdown of the exploits used in the panel. Rather, the panel I looked at referred to its bundled exploits by simple two-digit numbers. This particular Styx installation used just four browser exploits, all but one of which target recent vulnerabilities in Java. The kit referred to each exploit merely by the numbers 11, 12, 13 and 32.

According to the considerable legwork done by Kafeine, a security blogger who digs deeply into exploit kit activity, Styx Kit exploit #11 is likely to be CVE-2013-1493, a critical flaw in a Java browser plugin that Java maker Oracle fixed with an emergency patch in March 2013. Exploit 12 is almost certainly CVE-2013-2423, another critical Java bug that Oracle patched in April 2013. In an instant message chat, Kafeine says exploit #13 is probably CVE-2013-0422, a critical Java vulnerability that was patched in January 2013. The final exploit used by the kit I examined, number 32, maps to CVE-2011-3402, the same Microsoft Windows font flaw exploited by the Duqu Trojan.

The Styx stats page reports that the hacked and malicious sites used by this kit have been able to infect roughly one out of every 10 users who visited the sites. This particular Styx installation was set up on June 24, 2013, and since that time it has infected approximately 13,300 Windows PCs — all via just those  four vulnerabilities (but mostly the Java bugs).



11
Mar 13

Help Keep Threats at Bay With ‘Click-to-Play’

Muzzling buggy and insecure Web browser plugins like Java and Flash goes a long way toward blocking attacks from drive-by downloads and hacked or malicious Web sites. But leaving them entirely unplugged from the browser is not always practical, particularly with Flash, which is used on a majority of sites. Fortunately for many users, there is a relatively simple and effective alternative: Click-to-Play.

Click-to-Play is a feature built into Google Chrome, Mozilla Firefox and Opera (and available via add-ons in Safari) that blocks plugin activity by default, replacing the plugin content on the page with a blank box. Users who wish to view the blocked content need only click the boxes to enable the Flash or Java content inside of them.

To enable click-to-play on Chrome: From the main menu, click Settings, then in the search box type “click to play,” and click the highlighted box labeled “content settings.” In content settings, scroll down to the “plug-ins” section, and change the default from “run automatically” to “click to play”. To enable exceptions so that certain sites (krebsonsecurity.com?) are allowed to load Flash and other content by default, click the “manage exceptions” box. Alternatively, this can be done in Chrome through the address bar: when you browse to a site that has content blocked by the click-to-play feature, an icon will appear on the far right side of the address bar that allows you to add an exception for the current site.

To enable click-to-play in Firefox: Open a browser window and type “about:config” without the quotes. In the search box at the top of the resulting window, paste the following: “plugins.click_to_play”, again without the quotes. Double click the entry that shows up so that its setting under the “value” column changes from “false” to “true” (hat tip to F-Secure.com for this advice). To enable per-site exceptions, look for the blue lego-like icon in the lefthand portion of the URL bar, and click it; click the “activate” button to enable plugins just for that session, or to make it permanent for that site, click the down arrow next to “activate all plugins” and select the “always activate plugins for this site” option.



1
Oct 12

In a Zero-Day World, It’s Active Attacks that Matter

The recent zero-day vulnerability in Internet Explorer caused many (present company included) to urge Internet users to consider surfing the Web with a different browser until Microsoft issued a patch. Microsoft did so last month, but not before experts who ought to have known better began downplaying such advice, pointing out that other browser makers have more vulnerabilities and just as much exposure to zero-day flaws.

This post examines hard data that shows why such reasoning is more emotional than factual. Unlike Google Chrome and Mozilla Firefox users, IE users were exposed to active attacks against unpatched, critical vulnerabilities for months at a time over the past year and a half.

Attackers exploited zero-day holes in Internet Explorer for at least 89 days over the past 19 months.

The all-browsers-are-equally-exposed argument was most recently waged by Trend Micro‘s Rik Ferguson. Ferguson charges that it’s unfair and unrealistic to expect IE users to switch — however briefly — to experiencing the Web with an alternative browser. After all, he says, the data show that other browsers are similarly dogged by flaws, and switching offers no additional security benefits. To quote Ferguson:

“According to this blog post, in 2011 Google’s Chrome had an all time high of 275 new vulnerabilities reported, the current peak of an upward trend since its day of release. Mozilla Firefox, while currently trending down from its 2009 high, still had a reported 97 vulnerabilities. Microsoft’s Internet Explorer has been trending gradually down for the past five years and 2011 saw only 45 new vulnerabilities, less than any other browser except Apple’s Safari, which also had 45. Of course raw numbers of vulnerabilities are almost meaningless unless we consider the respective severity, but there again, of the ‘big three’ the statistics favour Internet Explorer. If zero-day vulnerabilities have to be taken into consideration too, they don’t really do much to change the balance, Google Chrome 6, Microsoft Internet Explorer 6 and Mozilla Firefox 4. Of course different sources offer completely different statistics, and simple vulnerability counts are no measure of relative (in)security of browsers, particularly in isolation. However, it cannot be ignored that vulnerabilities exist in every browser.”

Looking closer, we find that this assessment does not hold water. For one thing, while Ferguson acknowledges that attempting to rate the relative security of similar software products by merely comparing vulnerabilities is not very useful, he doesn’t offer much more perspective. He focuses on unpatched, publicly-highlighted vulnerabilities, but he forgets to ask and answer a crucial question: How do browser makers rate in terms of unpatched vulnerabilities that are actively being exploited?

Part of the problem here is that many security pundits rank vulnerabilities as “zero-day” as long as they are both publicly identified and unfixed. Whether there is evidence that anyone is actually attacking these vulnerabilities seems beside the point for this camp. But I would argue active exploitation is the most important qualifier of a true zero-day, and that the software flaws most worthy of worry and action by users are those that are plainly being exploited by attackers.

To that end, I looked back at the vulnerabilities fixed since January 2011 by Google, Microsoft and Mozilla, with an eye toward identifying true zero-day flaws that were identified publicly as being exploited before the vendor issued a software patch. I also queried both Mozilla and Google to find out if I had missed anything in my research.

As Ferguson mentioned, all browser makers had examples over the past 19 months of working or proof-of-concept exploit code available for unpatched flaws in their products. However, both my own investigation and the public record show that of the three browsers, Internet Explorer was the only one that had critical, unpatched vulnerabilities that were demonstrably exploited by attackers before patches were made available. According to Microsoft’s own account, there were at least six zero-days actively exploited in the past 18 months in IE. All but one of them earned Microsoft’s most dire “critical” rating, leaving IE users under zero-day attack for at least 152 days since the beginning of 2011.

If we count just the critical zero-days, there were at least 89 non-overlapping days (about three months) between the beginning of 2011 and Sept. 2012 in which IE zero-day vulnerabilities were actively being exploited. That number is almost certainly conservative, because I could find no data on the window of vulnerability for CVE-2011-0094, a critical zero-day flaw fixed in MS11-018 that Microsoft said was being attacked prior to releasing a patch for it. This analysis also does not include CVE-2011-1345, a vulnerability demonstrated at the Pwn2Own contest in 2011.



21
May 12

Adware Stages Comeback Via Browser Extensions

The Wikimedia Foundation last week warned that readers who are seeing ads on Wikipedia articles are likely using a Web browser that has been infected with malware. The warning points to an apparent resurgence in adware and spyware that is being delivered via cleverly disguised browser extensions designed to run across multiple Web browsers and operating systems.

An ad served by IWantThis! browser extension. Source: Wikimedia

In a posting on its blog, Wikimedia noted that although the nonprofit organization is funded by more than a million donors and does not run ads, some users were complaining of seeing ads on Wikipedia entries. “If you’re seeing advertisements for a for-profit industry (see screenshot below for an example) or anything but our fundraiser, then your web browser has likely been infected with malware,” reads a blog post co-written by Philippe Beaudette, director of community advocacy at the Wikimedia Foundation.

The blog post named one example of a browser extension called “IWantThis!,” which is essentially spyware masquerading as adware. The description at the IWantThis! Web site makes it sound like a harmless plugin that occasionally overlays ads on third-party Web sites and helps users share product or online shopping wish lists with others. As I was researching this extension, I came across this helpful description of it at the DeleteMalware Blog, which points to the broad privacy policy that ships with this extension:

Examples of the information we may collect and analyze when you use our website include the IP address used to connect your computer to the Internet; login; e-mail address; password; computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform; the full Uniform Resource Locator (URL) clickstream to, through, and from the Site, including date and time; cookie; web pages you viewed or searched for; and the phone number you used to call us.


17
May 12

Facebook Takes Aim at Cross-Browser ‘LilyJade’ Worm

Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software.

At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google Chrome, Internet Explorer, and Mozilla Firefox. The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.

The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as Facebook.com, Yahoo.com, Youtube.com, Bing.com, Google.com and MSN.com. In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.

I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to a user from hackforums.net. This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.

It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz.-based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user is required to agree to before installing it.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview.  “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff claims his software is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites.


28
Oct 10

Critical Fixes for Shockwave, Firefox

Adobe Systems pushed out a critical security update for its Shockwave Player that fixes nearly a dozen security vulnerabilities.  The software maker also is warning that attackers are targeting a previously unidentified security hole in its Acrobat and PDF Reader products.

The Shockwave patch plugs 11 security holes in the program, most of which attackers could use remotely to take control over an affected system. Updates are available for Mac and Windows computers, from this link. The latest version is 11.5.9.615. Before you blithely click through the process, keep a lookout for pre-checked “free” software that will install alongside this Shockwave update if you simply accept all the default options. When I tested the Shockwave installer, it included a “free PC performance scan” from PC Tools’s Registry Mechanic. I opted to untick the check mark next to that option before proceeding with the rest of the install, which was otherwise uneventful.

Due to Adobe’s huge market share and apparent abundance of as-yet-undiscovered security holes, life with Adobe’s products can feel a bit like playing Whac-a-Mole: Just when you’ve patched one Adobe product it seems like there’s another one under assault by attackers. True to form, Adobe released a separate advisory today warning that hackers were targeting a critical flaw in the latest version of its Acrobat and PDF Reader products.



24
May 10

Devious New Phishing Tactic Targets Tabs

Most Internet users know to watch for the telltale signs of a traditional phishing attack: An e-mail that asks you to click on a link and enter your e-mail or banking credentials at the resulting Web site. But a new phishing concept that exploits user inattention and trust in browser tabs is likely to fool even the most security-conscious Web surfers.

As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special javascript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.

Consider the following scenario: Bob has six or seven tabs open, and one of the sites he has open (but not the tab currently being viewed) contains a script that waits for a few minutes or hours, and then quietly changes both the content of the page and the icon and descriptor in the tab itself so that it appears to be the login page for Gmail.

In this attack, the phisher need not even change the Web address displayed in the browser’s navigation toolbar. Rather, this particular phishing attack takes advantage of user trust and inattention to detail, or what Raskin calls “the perceived immutability of tabs.” Then, as the user scans their many open tabs, the favicon and title act as a strong visual cue, and the user will most likely simply think they left a Gmail tab open.

“When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in,” Raskin explained. “After the user has entered their login information and sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.”

Raskin includes a proof-of-concept at his site, which is sort of creepy when you let it run. In fact, at least once while composing this blog post in Firefox I went to click on the tab that had my Gmail inbox open, only to discover I’d accidentally clicked on Raskin’s page, which had morphed into the fake Gmail site in the interim.

It’s important to keep in mind that this attack could be used against any site, not just Gmail. Also, Raskin includes a few suggestions about how this attack could be made far sneakier — such as taking advantage of CSS history attacks.

Of course, if you are browsing with the excellent “Noscript” add-on and this is a site you have not allowed to run javascript, the proof-of-concept won’t work until you allow javascript on the page. It did not work completely against the Safari browser on my Mac (no favicon), and the test page failed completely against Google Chrome. [Update: As several readers have correctly pointed out, this attack does in fact work against Chrome, although it doesn’t seem to change the favicon in Chrome tabs].

I’m left wondering what this new form of phishing will be called if it is ever adopted by the bad guys. Tabnabbing? Tabgrabbing? See if you can coin a better phrase in the comments below.

Update, May 25, 7:55 p.m. ET: Researcher Aviv Raff has posted an interesting proof-of-concept of his own that shows how this attack can work against Firefox even when users have the Noscript add-on installed and in full paranoid mode. Raff crafted his page, which is a mock up of this blog post, to morph into an image of the Gmail login page, and it will reload every 20 seconds but will only change to the sample phish page if you move to another tab with your mouse, or after 10 reloads (in case you moved with the keyboard). So it will change only after 3 minutes or so, unless you move to another tab with your mouse.

“I was trying to find a way to work around the javascript need for the [proof-of-concept],” Raff said in an instant message. “First I was able to do this without knowing if the user moved to a new tab. Now I can almost be sure of that.”

Update, May 27, 11:41 p.m. ET: For Firefox users with the Noscript plugin, there is an update to the program that can block these types of tabnabbing attacks.