As 2013 comes to a close, security experts are looking back at the major stories and developments of the year, including the Edward Snowden NSA leaks and major malware attacks. In this video, Vitaly Kamluk of Kaspersky Lab examines the biggest security news of 2013 and talks about the lasting effects they may have.
Microsoft’s crusade against botnets raged on yesterday as the Redmond, Wash., computer giant and a coalition of law enforcement agencies and Internet security companies disrupted the notorious ZeroAccess botnet.
ZeroAccess, or Sirefef as Microsoft calls it, is a malware platform that targets all major browsers and search engines. Its two primary functions are to hijack search results, redirecting users to malicious websites hosting information-stealing and other malware, and to commit click fraud. In the past, ZeroAccess has demonstrated a proclivity for Bitcoin mining as well.
Microsoft teamed up with Europol’s European Cybercrime Centre (EC3), the FBI, and the application networking and security firm A10 Networks to take down ZeroAccess, which has reportedly infected some two million machines and costs online advertising firms nearly $3 million per month.
Back in the good old days (2010), a botnet takedown was as simple as sinkholing the operation’s command-and-control server, which cut the bots off from their operators. At least in part because of this, many contemporary botnet handlers have moved to a peer-to-peer architecture. With no central server to seize, the cybercriminals operating ZeroAccess could push commands into the botnet through any of tens of thousands of infected peers. Thus, shutting ZeroAccess down required a cocktail of legal and technical measures.
Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.
“The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection,” said David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit.
Meanwhile outside the U.S., Europol shut down 18 malicious IP addresses and worked in conjunction with Latvia, Luxembourg, Switzerland, the Netherlands and Germany to execute search warrants and seizures of computer servers associated with the fraudulent IP addresses.
“This operation marks an important step in coordinated actions that are initiated by private companies and, at the same time, enable law enforcement agencies around Europe to identify and investigate the criminal organizations and networks behind these dangerous botnets that use malicious software to gain illicit profits,” said Troels Oerting, head of the EC3.
Microsoft and its partners realistically note that their actions against ZeroAccess are unlikely to shut the botnet down altogether. However, the legal and technological measures taken, they believe, will significantly disrupt ZeroAccess, prevent victim machines from contributing to its illicit behavior, and likely cause the botnet’s operators to rebuild.
“If the hacker community has not yet taken notice, today’s disruption of the ZeroAccess botnet is another example of the power of public-private partnerships,” FBI Executive Assistant Director Richard McFeely said. “It demonstrates our commitment to expand coordination with companies like Microsoft and our foreign law enforcement partners — in this case, Europol — to shut down malicious cyberattacks and hold cybercriminals accountable for exploiting our citizens’ and businesses’ computers.”
Siemens has patched a serious remotely exploitable vulnerability in the firmware of its SINAMICS S/G drive controllers that could enable an attacker to take arbitrary actions on a vulnerable installation without having to authenticate.
The vulnerability affects all SINAMICS S/G products running firmware versions earlier than 4.6.11. ICS-CERT, a part of the Department of Homeland Security, said in an advisory that it is not aware of any public exploits targeting this flaw, but that is no reason to delay patching. An authentication bypass in a product such as SINAMICS S/G, which controls drives in industrial facilities, would be a very useful tool for an attacker, and the absence of a public exploit says nothing about private ones.
“Siemens has identified an authentication bypass vulnerability in the SINAMICS S/G product family. Siemens has produced a firmware update that mitigates this vulnerability and has tested the update to validate that it resolves the vulnerability. Exploitation of this vulnerability could allow an attacker to access administrative functions on the device without authentication,” the ICS-CERT advisory says.
“The affected product, SINAMICS S/G family, is used to control a variety of drives, especially in mechanical engineering and plant construction. In addition, SINAMICS S/G family interacts with motion controllers that are used to coordinate synchronous operations or complex technology functions.”
The vulnerability is considered quite easy to exploit, and Siemens said that organizations that are running vulnerable versions of the software should install the updated firmware, versions 4.6.11 and 4.7. The company also recommends that customers not provide public access to the SINAMICS interface over the network.
“As a general security measure Siemens strongly recommends to protect network access to the interface of SINAMICS S/G with appropriate mechanisms. It is advised to follow recommended security practices and to configure the environment according to operational guidelines in order to run the devices in a protected IT environment,” the Siemens advisory says.
UPDATE: As if Bitcoin malware and Bitcoin mining malware weren’t enough to worry about, there was more trouble for the users of the digital crypto-currency last week as 96,000 Bitcoins disappeared from the Sheep Marketplace.
Bitcoin’s value has surged in recent weeks, peaking at an astonishing $1,203 per coin last week before dropping back nearly $200 over the weekend. The exchange rate is climbing again and currently rests at $1,102 per coin, which puts the value of the heist at $105,792,000.
To put that in historical perspective – as far as popular heists go – the New York Times estimated in 2008 that cross-dressing thieves made off with roughly $105 million in the famous robbery of the Harry Winston jewelry store in Paris. According to a Wired article from 2009, Leonardo Notarbartolo made off with $100 million worth of loose diamonds, jewelry, and gold after robbing the Antwerp Diamond Center in Antwerp, Belgium in the early 2000s.
Unsourced reports claim that the attackers spoofed the site’s user interface so that member accounts appeared to show their correct balances. Whether this is true is not clear at the moment, but user-interface spoofing is a common tactic in online banking fraud.
According to Tom Gorup, a security operations center (SOC) analyst at Rook Consulting, there are a number of factors that may have helped the attackers cover their tracks during and immediately following the attack.
For one, based on a description of the attack from the forum Bitcointalk.org, Gorup said it’s likely that the attackers hijacked the Sheep Marketplace’s domain name system (DNS) servers and routed incoming traffic through a set of servers under their control. Thus, the attackers could have displayed whichever content they liked to anyone attempting to access their account. Gorup said it’s probable that the thieves are operating a botnet, because as the robbery was ongoing, the service was experiencing a distributed denial of service attack. The DDoS attack would have the effect of knocking the Sheep Marketplace offline, making it impossible for the users to access and monitor their accounts.
Gorup told Threatpost that the most challenging aspect of the attack would have been finding an exploitable vulnerability in the vendor’s software. Once the attacker gained proper privileges via exploit, the process of actually stealing the Bitcoins, he said, is trivial.
Once an attacker has the money in hand, so to speak, another challenge presents itself: how do you spend it without all your victims realizing? It would seem simple enough, given that Bitcoin is pseudonymous, but Bitcoin cannot be truly anonymous, because the safeguard against double-spending is that every transaction is published for everyone to verify.
This is where Bitcoin’s public ledger, the blockchain, comes into play. Every transaction is recorded on the blockchain, so the instant someone tries to move a massive sum of money, like 96,000 Bitcoins, from one wallet to another, that movement is permanently recorded. Bitcoins are not individually serialized, but every transaction output can be traced back through the chain of transactions that created it, which gives investigators another avenue for following the stolen funds.
It’s well known that Bitcoins are widely used to launder traditional currencies, but there are, of course, services for “cleaning” stolen Bitcoins as well. These services are called “tumblers.” Essentially, tumblers, like any money laundering service, pool coins from many customers and pay each one back with different coins of the same value, so that the on-chain link between what went in and what came out is broken. Gorup notes that one downfall to tumbler services, from a criminal’s standpoint, is that many tumblers are replacing stolen Bitcoins with other stolen Bitcoins.
Both Gorup and a Reddit thread dedicated to tracking the thief or thieves responsible indicate that it is still possible – albeit difficult – to use the blockchain to follow money through tumblers.
Gorup noted that the vast scope of this theft is going to make it considerably more difficult for the attackers to tumble their newly acquired Bitcoins. However, he believes their botnet – if they do indeed have one – could make the process slightly easier.
“It can be safe to say that the attacker could have created a number of wallets distributed throughout his/her botnet in preparation for this attack and automated the exchange to distribute throughout these wallets,” Gorup told Threatpost. “Then potentially, if they felt it wasn’t clean enough already, utilize multiple tumbler services to further clean these coins. It would be complicated, but with proper preparation, like any decent attacker should do, this is probably close to how it was done.”
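To make the tracing argument concrete, here is an added example (my code, not Gorup’s or Threatpost’s) that propagates taint from a stolen output across a small constructed ledger. The transactions, addresses and amounts are invented; the two scoring rules are the usual “haircut” heuristic (tainted value is spread proportionally over a transaction’s outputs) and the “poison” heuristic (anything downstream of the stolen output counts as tainted), and transaction fees are ignored for simplicity.

```python
"""Haircut / poison taint propagation over a constructed UTXO ledger."""

# Constructed ledger (not real chain data). Each transaction spends outputs of
# earlier transactions; outputs are (address, value_btc). Fees are ignored.
LEDGER = [
    {"txid": "fund_market", "inputs": [], "outputs": [("sheep_hot_wallet", 100.0)]},
    {"txid": "fund_users", "inputs": [], "outputs": [("alice", 50.0), ("bob", 30.0)]},
    # The theft: the whole hot wallet is swept to an attacker-controlled address.
    {"txid": "theft", "inputs": [("fund_market", 0)], "outputs": [("thief_1", 100.0)]},
    # The attacker pre-splits the loot across wallets (the botnet scenario above).
    {"txid": "split", "inputs": [("theft", 0)], "outputs": [("bot_a", 40.0), ("bot_b", 60.0)]},
    # First tumbler round: 40 stolen BTC mixed with Alice's 50 clean BTC.
    {"txid": "mix1", "inputs": [("split", 0), ("fund_users", 0)],
     "outputs": [("out_x", 45.0), ("out_y", 45.0)]},
    # Second round: out_y mixed with Bob's 30 clean BTC.
    {"txid": "mix2", "inputs": [("mix1", 1), ("fund_users", 1)],
     "outputs": [("out_z", 25.0), ("out_w", 50.0)]},
]


def trace_taint(ledger, stolen_outpoint, mode="haircut"):
    """Return {(txid, vout): (address, value, taint)} for every output.

    taint is the fraction of the output's value attributable to the stolen
    outpoint.  "haircut" spreads tainted value proportionally across a
    transaction's outputs; "poison" marks any descendant of the stolen
    output as fully tainted (1.0).  Transactions must appear in spend order.
    """
    taint = {}
    for tx in ledger:
        in_total = in_tainted = 0.0
        for ref in tx["inputs"]:
            _, value, frac = taint[ref]  # KeyError -> ledger not in spend order
            in_total += value
            in_tainted += value * frac
        if in_tainted == 0.0:
            base = 0.0  # coinbase-style or entirely clean inputs
        elif mode == "poison":
            base = 1.0
        else:
            base = in_tainted / in_total
        for vout, (address, value) in enumerate(tx["outputs"]):
            outpoint = (tx["txid"], vout)
            taint[outpoint] = (address, value, 1.0 if outpoint == stolen_outpoint else base)
    return taint


def tainted_addresses(taint, threshold):
    """Addresses holding an output whose taint fraction is >= threshold, with
    the stolen value (value * taint) they carry, sorted by that value."""
    carried = {}
    for address, value, frac in taint.values():
        if frac >= threshold:
            carried[address] = carried.get(address, 0.0) + value * frac
    return sorted(carried.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    t = trace_taint(LEDGER, ("theft", 0))
    for (txid, vout), (address, value, frac) in t.items():
        print(f"{txid}:{vout:<2} {address:<16} {value:7.2f} BTC taint={frac:.3f}")
    print("suspect addresses (>=30% stolen):", tainted_addresses(t, 0.30))
```

Two rounds of mixing drop the haircut score of the final outputs to roughly 27 percent, which is why a large theft is hard to launder: the attacker needs a lot of clean volume to dilute it, and the poison rule still flags every output that touched the stolen coins at all.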
According to a New Statesman report, the Sheep Marketplace’s administrators initially believed that an error by a third-party vendor had caused a much smaller sum of money to go missing. It quickly became apparent that the amount lost was far greater.
Gorup claims that the drop in Bitcoin value over the weekend is not related to the theft:
“I think the drop wasn’t due to theft as the Sheep Marketplace theft took place five days prior to Bitcoins reaching an all-time high. I think it was a natural drop after a huge peak, just as this happens time to time in the stock exchange when everyone wants to capitalize on their investment. I wouldn’t be surprised to see one or two more surges like this before Bitcoin settles to a normal rate like any other traded material like gold or silver.”
Straight-up Bitcoin theft along with infections from Bitcoin mining malware and Bitcoin stealing malware are becoming daily occurrences. Recently published research suggested there are frailties within the underpinnings of the Bitcoin economy itself. Trouble isn’t likely to abate any time soon for digital crypto-currency, given that it is completely unregulated. That reality presents a number of very real problems, not the least of which is, how do you recover stolen coins? Users certainly won’t be repaid in civil or criminal suits. Not yet at least.
*A previous version of this story referred to the Sheep Marketplace as a Bitcoin exchange. A Bitcoin exchange is a place where Bitcoin holders can exchange their Bitcoins for traditional currency. Sheep Marketplace is an underground marketplace hosted as a Tor hidden service that caters to the sale of drugs, weapons, and other illicit goods.
The general population may have had its fill of Facebook at this point, but attackers sure haven’t. There is a new round of Facebook-related spam that is using fake messages about recent crimes involving recipients’ friends as a lure to direct them to Tumblr pages serving exploits.
The campaign comprises several different individual messages purporting to come from a victim’s Facebook friends, but all of them are using some variant of the same scam. The message says that either the sender or a close friend or relative has been the victim of a crime and needs the recipient’s help. The messages include a link to a Tumblr page that supposedly shows some images of the criminals. However, the link then redirects the victim to a phishing page that is a very close approximation of the Facebook site, researchers at the SANS Internet Storm Center said.
“The Tumblr links follow a pattern, but appear to be different for each recipient. The host name is always two or three random English words, and the URL includes a few random characters as an argument. The preview of the Tumblr page lists some random words and various simple icons,” Johannes Ullrich wrote in an analysis of the attacks.
“Once the user clicks on the link to the Tumblr page, they are immediately redirected to a very plausible Facebook phishing page, asking the user to log in. The links I have seen so far use the ‘noxxos.pw’ domain, which uses a wildcard record to resolve to 220.127.116.11 .”
If the user ends up on the fake Facebook page, he is then presented with a dialog that asks for his Facebook username and password, along with a secret question. The site also tries to run a Java applet, which may contain an exploit, Ullrich said. That sends the user to a fake YouTube page, which asks the victim to install a fake video player, which is actually a downloader for malware. Ullrich said that detection for the malware on VirusTotal is fairly low right now, with about 25 percent of anti-malware software detecting it.
“As an indicator of compromise, it is probably best right now to look for DNS queries for ‘noxxos.pw’ as well as connections to 18.104.22.168 (which is likely going to change. The server only returns 404 errors right now),” he said.
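The indicators quoted above translate directly into a log sweep. The following is an added example (not part of the SANS ISC analysis) run over constructed proxy and DNS log lines. The exact shape of the Tumblr lure hostnames and of the query argument is my assumption, so treat that pattern rule as a hunting heuristic; the domain match is the reliable signal, and the IP is deliberately left out because Ullrich expects it to change.

```python
import re
from urllib.parse import urlsplit

# Indicator from the SANS ISC write-up quoted above.
IOC_DOMAINS = {"noxxos.pw"}

# Heuristics for the lure URL pattern (my assumptions, not the article's):
# the "two or three random English words" appear as hyphen-separated alphabetic
# labels in the tumblr.com subdomain, and the "few random characters as an
# argument" is a bare 3-8 character alphanumeric query string with no '='.
LURE_HOST = re.compile(r"^[a-z]+(?:-[a-z]+){1,2}\.tumblr\.com$")
LURE_QUERY = re.compile(r"^[A-Za-z0-9]{3,8}$")

# Constructed sample logs (not from the article). Proxy: "<ts> <src> <method> <url> <status>".
PROXY_LOG = """\
2013-12-10T09:01:11Z 10.0.0.21 GET http://quiet-river-stone.tumblr.com/?x7Qp 302
2013-12-10T09:01:12Z 10.0.0.21 GET http://login.noxxos.pw/facebook/ 200
2013-12-10T09:02:30Z 10.0.0.22 GET http://staff.tumblr.com/ 200
2013-12-10T09:03:05Z 10.0.0.23 GET http://www.tumblr.com/dashboard 200
2013-12-10T09:04:40Z 10.0.0.24 GET http://blue-kettle.tumblr.com/?aZ3 302
2013-12-10T09:05:00Z 10.0.0.25 GET http://photography.tumblr.com/?page=2 200
"""
# DNS: "<ts> <src> <qname> <qtype>".
DNS_LOG = """\
2013-12-10T09:01:12Z 10.0.0.21 login.noxxos.pw A
2013-12-10T09:02:00Z 10.0.0.22 www.facebook.com A
2013-12-10T09:06:45Z 10.0.0.30 NOXXOS.PW A
"""


def _matches_ioc(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify_url(url):
    """Return a reason string if the URL matches an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if _matches_ioc(host):
        return "ioc-domain"
    if LURE_HOST.match(host) and LURE_QUERY.match(parts.query):
        return "tumblr-lure-pattern"
    return None


def scan_proxy_log(text):
    """Return (src, url, reason) for each proxy line that matches."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line; skip rather than abort the sweep
        _, src, _, url, _ = fields
        reason = classify_url(url)
        if reason:
            hits.append((src, url, reason))
    return hits


def scan_dns_log(text):
    """Return (src, qname) for each DNS query to an indicator domain."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and _matches_ioc(fields[2]):
            hits.append((fields[1], fields[2].lower().rstrip(".")))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print("proxy", *hit)
    for hit in scan_dns_log(DNS_LOG):
        print("dns  ", *hit)
```

Note that the same client (10.0.0.21) hits the Tumblr lure and then the phishing domain a second later; correlating the two by source address is what turns a weak pattern match into a confident phishing-click alert.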
The infamous Zeus banking Trojan has gone 64-bit. But why?
Researchers at Kaspersky Lab’s Global Research and Analysis Team spotted a new version of the malware that behaves much like its 32-bit contemporaries: it too uses Web injects to steal banking credentials to drain online accounts, steal digital certificates and even log keystrokes. It also communicates with its command and control servers over the Tor anonymity network, another new feature of the 64-bit variety of Zeus.
The 64-bit question is perplexing. As Kaspersky researcher Dmitry Tarakanov points out, fewer than 1 percent of IE users run the 64-bit version of the browser, and most users on 64-bit operating systems still run 32-bit browsers.
“Perhaps it’s just a marketing gimmick—a new feature, even if it is mostly useless, with a bit of ‘wow’ factor,” Tarakanov wrote today on Securelist. “Support for 64-bit browsers—a great way to advertise the product and to lure buyers—the botnet herders.”
While 64-bit support may be a bit of overkill for today, it does set the prolific malware up for future success. And its use of Tor as a communication platform, while not unique, does bring it into some exclusive company.
“Whatever the intentions were of the malware author that created this piece of Zeus—be it a marketing ploy or the groundwork for some future needs—a pure 64-bit Zeus does finally exist, and we can conclude that a new milestone in the evolution of Zeus has been reached,” Tarakanov said.
The Zeus source code has been available online since the Spring of 2011. Since then, numerous tweaks have been made to the Trojan, including versions that communicate over peer-to-peer networks. The malware hooks into a user’s browser via a number of malicious Web injects that trigger when a victim visits their online banking account. The malware logs the user’s credentials and sends them to the hacker, either directly via a backdoor connection to a central server or through hops on a P2P chain. This version’s use of Tor brings a new level of stealth capabilities to the malware, one that even frustrates the NSA.
Tarakanov said Kaspersky researchers spotted the 64-bit Zeus sample tucked away inside a 32-bit version in June; the compile date on the malware was April 29. He said the 64-bit version of Zeus never launches tor.exe directly: it starts an svchost.exe process in suspended mode, injects the Tor code into it and resumes it, so that Tor runs under the cover of a legitimate-looking system process. Zeus then routes its traffic through Tor’s local SOCKS proxy on TCP port 9050, and the stolen data eventually lands at a hidden service, egzh3ktnywjwabxb[.]onion, Tarakanov said.
Tarakanov said that Zeus also sets up a Tor hidden service on each infected host, generating a configuration file that includes a unique private key for the service and therefore a unique .onion address. The botmaster can then connect to a victim’s onion address whenever that machine is online and use Zeus’s remote desktop control feature to operate it.
This version of Zeus also includes a list of more than 100 programs that will trigger execution if present on victim machines.
“There are different types of programs, but all of them contain valuable private information that cybercriminals would love to steal—login credentials, certificates and so on,” Tarakanov said, adding that Zeus also logs keystrokes pre- and post-encryption. “So when operating inside these programs, Zeus is able to intercept and forward a lot of valuable information to the botnet operator.”
The more people switch to 64-bit platforms, the more 64-bit malware appears. We have been following this process for several years now. The more people work on 64-bit platforms, the more 64-bit applications that are developed as well. Sometimes these include some very specific applications, for example, banking applications.... If someone wants to hack into an application like this and steal information, the best tool for that would also be a 64-bit agent. And what's the most notorious banking malware? ZeuS, of course, the trendsetter for the majority of today's banking malware. Its web injects have become a fundamental must-have feature of almost every banking malware family. And it was only a matter of time until a 64-bit version of ZeuS appeared, but we didn't expect it to happen quite so soon.
That's because cybercriminals don't actually need a 64-bit version. ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks. But nowadays people still use 32-bit browsers even on 64-bit operating systems. So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.
Then, out of the blue, we spotted a 32-bit ZeuS sample maintaining a 64-bit version inside. And it turned out that this 64-bit version has already been recorded being present in the wild at least since June 2013, and the compilation date specified in the sample is April 29, 2013! Moreover, this ZeuS version works via Tor. The initial 32-bit sample injects malicious code into target processes. If the target process belongs to a 64-bit application, ZeuS injects its 64-bit version into the process; otherwise, it pushes the 32-bit version. We ran tests to see how the 64-bit ZeuS works inside a 64-bit Internet Explorer and it demonstrated the usual ZeuS functionality: in any case, the web injects functioned as usual.
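The behaviour Tarakanov describes (an svchost.exe started and populated by the malware rather than by the Service Control Manager, with Tor’s SOCKS proxy listening on port 9050) is something a responder can hunt for from a process list and a socket table. The block below is an added example, not Kaspersky’s code. The process and connection snapshot is constructed, the parent of the injected svchost is assumed to be the process hosting the Zeus payload, and port 9150 is added as Tor Browser’s default alongside the 9050 cited above.

```python
from dataclasses import dataclass

# 9050 is the port cited above; 9150 is Tor Browser's default (my addition).
TOR_SOCKS_PORTS = {9050, 9150}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str


@dataclass(frozen=True)
class Conn:
    pid: int
    laddr: str
    lport: int
    raddr: str
    rport: int
    state: str  # "LISTEN" or "ESTABLISHED"


# Constructed host snapshot (not real telemetry). PID 3120 models the behaviour
# described above: an svchost.exe spawned by the compromised browser process
# rather than by services.exe, with Tor's SOCKS listener running inside it.
PROCS = [
    Proc(4, 0, "System", ""),
    Proc(520, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(600, 520, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(812, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Proc(1400, 1100, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2044, 1400, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    Proc(3120, 2044, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
]
CONNS = [
    Conn(812, "0.0.0.0", 135, "0.0.0.0", 0, "LISTEN"),
    Conn(3120, "127.0.0.1", 9050, "0.0.0.0", 0, "LISTEN"),
    Conn(2044, "127.0.0.1", 49321, "127.0.0.1", 9050, "ESTABLISHED"),
    Conn(2044, "10.0.0.21", 49322, "93.184.216.34", 443, "ESTABLISHED"),
]


def hunt(procs, conns):
    """Return sorted (pid, name, rule) findings for Tor-in-svchost indicators."""
    by_pid = {p.pid: p for p in procs}
    findings = set()
    for p in procs:
        if p.name.lower() == "svchost.exe":
            # A genuine service host is always a child of services.exe.
            parent = by_pid.get(p.ppid)
            if parent is None or parent.name.lower() != "services.exe":
                findings.add((p.pid, p.name, "svchost-not-child-of-services"))
            # The SCM always passes a service group with -k; a bare svchost.exe
            # is what you get from CreateProcess(..., CREATE_SUSPENDED) + inject.
            if " -k " not in p.cmdline.lower():
                findings.add((p.pid, p.name, "svchost-without-service-group"))
    for c in conns:
        name = by_pid[c.pid].name if c.pid in by_pid else "?"
        if c.state == "LISTEN" and c.lport in TOR_SOCKS_PORTS:
            findings.add((c.pid, name, "tor-socks-listener"))
        if c.state == "ESTABLISHED" and c.raddr.startswith("127.") and c.rport in TOR_SOCKS_PORTS:
            findings.add((c.pid, name, "client-of-local-tor-socks"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, name, rule in hunt(PROCS, CONNS):
        print(f"pid {pid:<5} {name:<14} {rule}")
```

Any one of these rules fires on benign software now and then (a developer running Tor locally, for instance); the combination of a parentless svchost, no service group and a SOCKS listener in the same PID is what is worth paging someone for.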
One zero-day down, one to go.
As expected, Microsoft did today patch a zero-day in its GDI+ graphics component (MS13-096) reported more than a month ago after exploits were spotted in the wild. The fix was one of 11 security bulletins—five critical—released as part of the December 2013 Patch Tuesday security updates.
Another zero-day, one affecting only Windows XP users, still remains unpatched despite active exploits targeting the vulnerability, which is found in the NDProxy driver that manages the Microsoft Telephony API (TAPI). The attacks depend on a second vulnerability to deliver the exploit against an XP machine. Until a patch is available, Microsoft’s recommended workaround is to disable NDProxy.sys by rerouting it to Null.sys, which also stops the services that depend on TAPI, such as RAS, dial-up networking and VPN.
While there were five critical bulletins released today, experts urge IT administrators to also prioritize an ASLR bypass vulnerability that was patched today and rated “important” by Microsoft.
MS13-106 takes care of an Office vulnerability that is being exploited in the wild, Microsoft said. Attackers hosting a malicious exploit online can trigger the vulnerability in the hxds.dll that enables a bypass of ASLR or Address Space Layout Randomization, a security feature in Windows that mitigates memory corruption exploits.
“The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer,” Microsoft said in its advisory. “The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.”
ASLR bypasses have been more frequent this year, and have been rolled into a number of exploit kits. Introduced in Windows Vista, ASLR hampers the reliability of exploits by denying an attacker the ability to predict where code and data will sit in memory. It is particularly effective against memory corruption exploits that need a fixed address to return into or to build a return-oriented programming chain from, which is why a single module that loads at a predictable address, as hxds.dll did, undoes much of its value.
“This particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the ‘ms-help:’ protocol handler,” said Craig Young, security researcher at Tripwire. “Until today, the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).”
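Whether a module can serve as an ASLR bypass comes down to one bit in its PE header: IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE in the optional header’s DllCharacteristics field. The following added example (mine, not Tripwire’s or Microsoft’s) parses that field and lists modules that would load at a predictable address. The PE blobs are constructed inside the block for testing and only mimic the property described; they are not the real hxds.dll bytes.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image is ASLR-relocatable
NX_COMPAT = 0x0100        # image opts into DEP
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
IMAGE_FILE_DLL = 0x2000   # COFF Characteristics: file is a DLL


def pe_mitigations(data):
    """Parse the COFF and optional headers of a PE image and report which
    DllCharacteristics mitigation bits are set."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10b PE32, 0x20b PE32+
    # DllCharacteristics sits at offset 70 of the optional header in both formats.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
    }


def aslr_bypass_candidates(modules):
    """Names of loaded modules that would map at a predictable base address."""
    return sorted(name for name, blob in modules.items() if not pe_mitigations(blob)["aslr"])


def build_pe(dll_characteristics, pe32plus=False, is_dll=True):
    """Construct a minimal, headers-only PE image for testing (no sections)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | DLL
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed blobs mimicking the property discussed above: one module that
# never opted into ASLR next to two that did. Not the real files' bytes.
SAMPLE_MODULES = {
    "hxds.dll": build_pe(0),
    "kernel32.dll": build_pe(DYNAMIC_BASE | NX_COMPAT),
    "ntdll.dll": build_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA, pe32plus=True),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_MODULES.items():
        print(name, pe_mitigations(blob))
    print("ASLR bypass candidates:", aslr_bypass_candidates(SAMPLE_MODULES))
```

On a real system, feed `pe_mitigations` the on-disk bytes of every module in a browser’s process; anything it reports with `aslr` false is a candidate the next memory corruption bug can pivot through, and the fix is either an updated build of that module (what MS13-106 ships) or a loader-side policy such as EMET’s mandatory ASLR that forces relocation regardless of the bit.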
Admins will also have to contend with yet another cumulative update for Internet Explorer. MS13-097 patches a number of remote code execution vulnerabilities in the browser, all the way back to IE 6. IE has been patched almost monthly this year and has been front and center in numerous targeted attacks.
Microsoft also patched a critical bug in its Authenticode signature verification that is being exploited. MS13-098 addresses a flaw in how the WinVerifyTrust function validates the file digest of Authenticode-signed portable executable (PE) files; it allows remote code execution if a user is enticed to run a signed PE file whose unverified portions have been modified to carry malicious code, without the signature being invalidated.
“Attackers have been abusing installers from legitimate software makers to install malware. These installers are configured in a way to dynamically download code extensions that are not checked for correct signatures, and attackers have found a way to piggyback on that mechanism,” said Qualys CTO Wolfgang Kandek, who added that the patch prepares the system for a more stringent integrity check that prevents such exploits. Microsoft also issued a separate security advisory on the Authenticode change, stating that after June 10, 2014, Windows will no longer recognize binaries whose signatures do not conform to the stricter verification.
The two remaining critical bulletins, MS13-099 and MS13-105, patch remote code execution vulnerabilities in Microsoft Scripting Runtime Object Library and Exchange Server respectively. Three of the four Exchange vulnerabilities addressed in the bulletin, it’s worth noting, are publicly disclosed. The most serious is in the WebReady Document Viewing and DLP features of Exchange Server, Microsoft said.
The remaining bulletins—rated “important”—address one remote code execution bug, three privilege escalation issues and an information disclosure vulnerability:
- MS13-100 patches a remote code execution vulnerability in Microsoft SharePoint Server; an attacker would have to be authenticated to the server to exploit the vulnerability. A successful exploit would enable an attacker to run code in the context of the W3WP service account on the SharePoint site.
- MS13-101 fixes a privilege elevation issue in Windows Kernel-Mode Drivers. An attacker would have to log onto a system and run a malicious application to exploit the bug.
- MS13-102 is a patch for a vulnerability in the LRPC Client that would allow an attacker to elevate their privileges on an LRPC server. Doing so would allow an attacker to install programs, manipulate data or create accounts. Valid credentials are needed to exploit this bug.
- MS13-104 is a fix for an information disclosure vulnerability in Microsoft Office. Successful exploits could give an attacker access tokens used to authenticate a user on a SharePoint or Office server site.
Microsoft also sent out an advisory that revokes the digital signatures for nine private, third-party UEFI modules for Windows 8 and Windows Server 2012 machines. These modules would be loaded during a UEFI Secure Boot, if it is enabled.
Telecommunications giant AT&T has come under fire from privacy advocates after it acknowledged that it will not publicly disclose any of its dealings with the National Security Agency.
The company claimed that protecting customer privacy is at the crux of its decision not to share government requests in a letter to the U.S. Securities and Exchange Commission.
The letter, penned by the company’s legal counsel, asks the SEC to allow AT&T to keep the issue off the agenda of its annual shareholder meeting next spring.
Shareholders, along with representatives from the ACLU, have been rallying for the company to publish a transparency report, much like those recently produced by Facebook, Twitter and Google, to clear the air around exactly what – and how much – customer information it shares with the government.
AT&T’s letter, however, argues that this kind of information is not a matter for its users or shareholders, calling it “a core management function” and “an integral part of AT&T’s day-to-day business operations.”
It goes on to say that disclosing such information could jeopardize the company’s legal strategy, noting several pending lawsuits that require the company to “provide personal information to other entities, such as government agencies, credit bureaus and collection agencies.”
While the letter more or less wholly rejects the concept of a transparency report, AT&T notes that if it were to produce one, it would be limited to the company’s responses to law enforcement requests for information and not information regarding the government’s surveillance activities.
Verizon and AT&T shareholders issued letters (.PDF) in November asking the companies to “publish semi-annual reports, subject to existing laws and regulation, providing metrics and discussion regarding requests for customers’ information by U.S. and foreign governments.”
Those letters cited a controversial June Wall Street Journal article that claimed AT&T “provided millions of U.S. customers’ call records to the U.S. National Security Agency (NSA),” and encouraged the company to follow in the footsteps of major Internet companies that have begun publishing similar transparency reports.
Both companies scored poorly on the Electronic Frontier Foundation’s “Who Has Your Back?” report card, issued back in May. The annual report, which compares major communication and social media companies’ stances on data privacy, points out that both companies fail to tell their users about data requests, fail to publish law enforcement guidelines and will not fight for their users’ privacy rights in court.
Meanwhile, public opposition to AT&T has begun to pick up steam in the wake of its stance.
A petition started by the San Francisco ACLU office urging both companies to be more transparent about what they do with user information has gathered nearly 32,000 supporters in the few days since AT&T’s statement.
“We’re working with our friends at SumOfUs to rally thousands of AT&T and Verizon customers and potential customers and prove to these giant telcos that their silence is putting their public image and bottom line at risk,” reads the petition.
AT&T is, understandably, absent from the list of eight companies (AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo) that yesterday formed a coalition, Reform Government Surveillance, calling for reform of the government’s surveillance activities in the wake of the NSA revelations.
Adobe published two security bulletins today, resolving a pair of vulnerabilities in both Shockwave and Flash Player.
The Shockwave security update applies to versions 22.214.171.124 and earlier on Windows and Mac OS X and addresses a pair of memory corruption vulnerabilities (CVE-2013-5333 and CVE-2013-5334) that could give an attacker the ability to execute code remotely. Adobe awarded this bug a priority rating of 1, meaning that attackers are likely targeting it – or soon will be targeting it – in the wild.
Adobe also pushed out security updates for versions 11.9.900.152 and earlier of its Flash Player on Windows and Mac OS X and for versions 126.96.36.1997 and earlier for Linux systems. The updates address a type confusion vulnerability (CVE-2013-5331) and a memory corruption vulnerability (CVE-2013-5332), each of which could enable remote code execution, causing crashes, and potentially giving an attacker control of affected machines.
“Adobe is aware of reports that an exploit designed to trick the user into opening a Microsoft Word document with malicious Flash (.swf) content exists for CVE-2013-5331,” Adobe says in the bulletin announcement. “Adobe Flash Player 11.6 and later provide a mitigation against this attack.”
Adobe’s update recommendations are as follows:
- Users of Adobe Flash Player 11.9.900.152 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.9.900.170.
- Users of Adobe Flash Player 188.8.131.527 and earlier versions for Linux should update to Adobe Flash Player 184.108.40.2062.
- Adobe Flash Player 11.9.900.152 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.9.900.170 for Windows, Macintosh and Linux.
- Adobe Flash Player 11.9.900.152 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.9.900.170 for Windows 8.0
- Adobe Flash Player 11.9.900.152 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 11.9.900.170 for Windows 8.1
- Users of Adobe AIR 220.127.116.110 and earlier versions for Windows and Macintosh should update to Adobe AIR 18.104.22.1680.
- Users of Adobe AIR 22.214.171.1240 and earlier versions for Android should update to Adobe AIR 126.96.36.1990.
- Users of the Adobe AIR 188.8.131.520 SDK and earlier versions should update to the Adobe AIR 184.108.40.2060 SDK.
- Users of the Adobe AIR 220.127.116.110 SDK & Compiler and earlier versions should update to the Adobe AIR 18.104.22.1680 SDK & Compiler.
Adobe considers the Flash bugs on Windows and Mac OS X highest priority, while the Linux Flash bug and the Adobe AIR vulnerabilities receive priority ratings of 3, meaning that attackers are unlikely to target them. Adobe acknowledges Liangliang Song and Honggang Ren of Fortinet for finding the Shockwave bugs, and David D. Rude II of iDefense Labs and Attila Suszter of the Reversing on Windows blog for finding the Flash bugs.
This month Adobe's realing fixes for both Flash Player and Shockwave.
The vulnerabilies for Flash Player affect all platforms and concern two CVEs - CVE-2013-5331 and CVE-2013-5332, which both allow for remote code execution. Eploitation of CVE-2013-5331 using Microsoft Word as a leverage mechanism has been observed in the wild. Though Flash 11.6 introduced Click-to-Play for Office, users may still be socially engineered into running Flash content in Office documents. Make sure to apply this patch promptly.
Mozilla has released a major new version of Firefox, which includes fixes for more than a dozen security vulnerabilities as well as an important change that makes all Java plugins click-to-play by default. This feature prevents those plugins from running automatically on Web pages, which helps protect users against some Web-based attacks.
The modification to the way that Firefox 26 treats plugins is a significant security benefit for users, especially those who may not be aware of the security issues that plugins can cause. Attackers will use vulnerabilities in plugins such as Java, Flash or Silverlight to compromise users who visit a site that has content that is automatically rendered by those extensions. Mozilla began the process of changing the way that Firefox treats plugins earlier this year, but this is the first time that the change has shown up in the final version of the browser.
“Even though many users are not even aware of plugins, they are a significant source of hangs, crashes, and security incidents. By allowing users to decide which sites need to use plugins, Firefox will help protect them and keep their browser running smoothly,” Mozilla’s Benjamin Smedberg said earlier this fall about the upcoming change to Firefox’s handling of plugins.
Java has been a particular favorite of attackers in recent years, thanks to its long tail of security issues and ubiquity on the Web. Making all Java plugins click-to-play means that users will now have to explicitly choose to play a plugin anytime they encounter one. Other browsers, such as Google Chrome, give users the option of enabling click-to-play, as well.
In addition to the change to plugin behavior, Firefox 26 also has patches for a number of vulnerabilities, including five critical ones. A major fix in the new browser is Mozilla actively revoking trust in an intermediate certificate issued by the Agence Nationale de la Sécurité des Systèmes d’Information in France. The certificate was used to issue certificates for several of Google’s domains by mistake. Google researchers detected the issue and revoked trust for the certificate, as well, and notified other browser vendors. Mozilla officials said they don’t believe that the mistake put any users in danger, outside of the certificate authority’s network.
“An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website without browser warnings being triggered. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software. We believe that this MITM instance was limited to the subordinate CA’s internal network,” Kathleen Wilson of Mozilla said.
The other security fixes in Firefox 26 include:
- MFSA 2013-116 JPEG information leak
- MFSA 2013-115 GetElementIC typed array stubs can be generated outside observed typesets
- MFSA 2013-114 Use-after-free in synthetic mouse movement
- MFSA 2013-113 Trust settings for built-in roots ignored during EV certificate validation
- MFSA 2013-112 Linux clipboard information disclosure through selection paste
- MFSA 2013-111 Segmentation violation when replacing ordered list elements
- MFSA 2013-109 Use-after-free during Table Editing
- MFSA 2013-108 Use-after-free in event listeners
- MFSA 2013-107 Sandbox restrictions not applied to nested object elements
- MFSA 2013-106 Character encoding cross-origin XSS attack
- MFSA 2013-105 Application Installation doorhanger persists on navigation
- MFSA 2013-104 Miscellaneous memory safety hazards (rv:26.0 / rv:24.2)
Eight Microsoft Security Bulletins are being pushed out this month, MS13-096 through MS13-106. Five of them are rated "Critical" and another six are rated "Important". The top priorities to roll out this month are the critical GDI+ (MS13-096), Internet Explorer (MS13-097), and Scripting Runtime (MS13-099) updates.
Several of the vulnerabilities have been actively exploited as part of targeted attacks around the world, and one of them is known to have been in the wild (ITW) for roughly six months.
The GDI+ update patches memory corruption vulnerability CVE-2013-3906, which we have been detecting as Exploit.Win32.CVE-2013-3906.a. We have seen a low number of ITW variations on exploitation of this vulnerability as a malformed TIFF file, all dropping backdoors like Citadel, the BlackEnergy bot, PlugX, Taidoor, Janicab, Solar, and Hannover. The target profile and toolset distribution related to these exploit attempts suggest a broad array of likely threat actors that got their hands on it since this July, and a wide-reaching distribution chain that provided the exploit around the world. Considering the variety of uses and sources, this one may replace CVE-2012-0158 as the most common exploit in targeted attacks in terms of overall volume.
The Internet Explorer bulletin fixes seven different elevation of privilege and memory corruption vulnerabilities, each of which affects a range of versions from Internet Explorer 6 on Windows XP SP3 through Internet Explorer 11 on Windows Server 2012 R2 and Windows RT 8.1. We expect to see exploits for some of these vulnerabilities included in commodity exploit packs.
Finally, another critical vulnerability exists in the Windows Scripting Engine, yet another "use after free", which unfortunately enables remote code execution across every version of Windows out there and can be attacked via any of the common web browsers. Patch!
This post will likely be updated later today, but in the meantime, more about this month's patches can be found at the Microsoft site.
With the depths of domestic government surveillance still not fully realized, secure communications capabilities are at a premium, especially for the privacy conscious.
Already, we’ve seen some services such as Lavabit and Silent Circle’s Silent Mail shutter operations rather than hand over decryption keys to the government that would enable snooping on their respective users. Both companies recognized shortcomings in their products’ email encryption that made it impossible for them to keep their promises of preserving user privacy. Since then, however, the two companies have joined forces in what they’re calling the Dark Mail Alliance, an effort to develop an open protocol and architecture for private email.
In the meantime, while secure email may be a challenging hill to climb, secure end-to-end encrypted text messaging has been a bit easier to conquer, with successful systems, for example, storing encryption keys on the user’s device keeping them away from the NSA’s reach. And now, given an announcement yesterday, encrypted messaging is within reach of millions of Android mobile device users.
Open WhisperSystems announced that its TextSecure protocol will be integrated as part of the CyanogenMod OS-level SMS app, bringing encryption to 10 million users; CyanogenMod provides aftermarket firmware for Android devices.
Open WhisperSystems cofounder Moxie Marlinspike said in the announcement that it was important for this to be a seamless, transparent integration for the user, who would now be able to send encrypted text messages in as simple and reliable a fashion as before. He also said this is just the first step toward providing secure communications capabilities to the masses, and that an end-to-end encrypted communications client for Apple iOS is in the works, as is a TextSecure browser extension.
“This effort marks the beginning of our transition to the data channel as a TextSecure transport, which should hopefully open up a host of ongoing opportunities,” Marlinspike said. “Soon we will have a truly cross platform seamless asynchronous messaging system built on open protocols and open source software, with an already massive user base.”
Unlike Silent Circle’s secure text messaging client Silent Text, for example, TextSecure does not require both ends of the conversation to have the client installed, nor are encryption keys stored with Open WhisperSystems. Instead, they are kept on the user’s device.
Marlinspike said the native CyanogenMod SMS client was modified to support the TextSecure protocol, and that TextSecure for CyanogenMod runs on the TextSecure V2 protocol, supporting forward secrecy and the 3DHE (triple Diffie-Hellman) key agreement for deniable messaging.
“If an outgoing SMS message is addressed to another CyanogenMod or TextSecure user, it will be transparently encrypted and sent over the data channel as a push message to the receiving device. That device will then decrypt the message and deliver it to the system as a normal incoming SMS,” Marlinspike said. “The result is a system where a CyanogenMod user can choose to use any SMS app they’d like, and their communication with other CyanogenMod or TextSecure users will be transparently encrypted end-to-end over the data channel without requiring them to modify their work flow at all.”
Marlinspike said too that the recipient device does not have to be on in order for messages to be sent.
“The user doesn’t have to initiate a key exchange and wait for a round trip to complete, or know that the recipient is ‘online,’” he said.
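The asynchronous 3DHE agreement described above, as an added illustration rather than Open WhisperSystems' code: Bob publishes an identity key and one-time prekeys, goes offline, and Alice derives the session key from that bundle without any round trip. The toy 127-bit group and plain SHA-256 in place of a real KDF are assumptions made so it runs offline, and the pairing of DH terms follows TextSecure V2 in spirit rather than byte-for-byte.

```python
import hashlib
import secrets

P = (1 << 127) - 1  # toy Mersenne prime group, far too small for real use
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(16, "big")  # fixed-width shared point

def master_secret(dh1, dh2, dh3):
    # No signature anywhere: either side could have produced this transcript (deniability).
    return hashlib.sha256(dh1 + dh2 + dh3).digest()

class Recipient:
    """Bob: long-term identity key plus one-time prekeys published in advance."""
    def __init__(self, n_prekeys=3):
        self.id_priv, self.id_pub = keypair()
        self.prekeys = {i: keypair() for i in range(n_prekeys)}

    def bundle(self):  # public material Bob uploads before going offline
        return {"identity": self.id_pub,
                "prekeys": {i: pub for i, (_, pub) in self.prekeys.items()}}

    def receive(self, sender_id_pub, sender_eph_pub, prekey_id):
        # Prekey is consumed on use: a later key compromise cannot unwind this session.
        pre_priv, _ = self.prekeys.pop(prekey_id)
        return master_secret(dh(pre_priv, sender_id_pub),
                             dh(self.id_priv, sender_eph_pub),
                             dh(pre_priv, sender_eph_pub))

def initiate(sender_id_priv, sender_id_pub, bundle):
    """Alice: derive the session key from Bob's bundle with no round trip."""
    prekey_id, prekey_pub = next(iter(bundle["prekeys"].items()))
    eph_priv, eph_pub = keypair()
    secret = master_secret(dh(sender_id_priv, prekey_pub),
                           dh(eph_priv, bundle["identity"]),
                           dh(eph_priv, prekey_pub))
    return secret, (sender_id_pub, eph_pub, prekey_id)  # header sent with the message

def demo():
    bob = Recipient()
    published = bob.bundle()               # Bob may be offline from here on
    alice_priv, alice_pub = keypair()
    k_alice, header = initiate(alice_priv, alice_pub, published)
    k_bob = bob.receive(*header)           # Bob derives the same key later
    return k_alice == k_bob, len(bob.prekeys)
```

Because the prekey is deleted once used, a second message must consume a fresh one, which is the property the protocol relies on for forward secrecy.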