Browsers under attack


65 replies to this topic

#31 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 16 December 2009 - 08:43 AM

FYI...

Rogue AV spreads thru XSS attacks in browsers
- http://www.theregist...gue_av_attacks/
16 December 2009 - "Malware purveyors are exploiting web vulnerabilities in appleinsider .com, lawyer .com, news .com.au and a dozen other sites to foist rogue anti-virus on unsuspecting netizens. The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites... As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected... The links work because appleinsider .com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. More about the attack is available from the Zscaler blog here*."
* http://research.zsca...ed-iframes.html

> http://en.wikipedia....ploit_scenarios

> http://en.wikipedia....Browser_exploit

:ph34r: :ph34r:

Edited by AplusWebMaster, 16 December 2009 - 10:02 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
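Added example (not part of the original post or the quoted article): one way a site operator could spot the reflected-markup URLs described in post #31 in request logs, next to the output encoding that stops the reflection. The rule set, function names and sample URLs are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Markup that should never arrive inside a query-string value (assumed rule set).
MARKUP_RE = re.compile(r"<\s*(?:iframe|script|object|embed)\b|javascript\s*:", re.I)
MAX_EXTRA_DECODES = 3  # payloads are often encoded more than once


def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_EXTRA_DECODES):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url):
    """Return [(param, decoded_value)] for query values that carry markup."""
    hits = []
    # parse_qsl already decodes one layer; fully_decode peels any others.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = fully_decode(value)
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def echo_search_term(term):
    """Server-side fix: HTML-encode the value before reflecting it."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


# Constructed request URLs (not taken from the article or any real site).
SAMPLE_URLS = [
    "http://trusted.example/search?q=browser+updates",
    "http://trusted.example/search?q=%3Ciframe%20src%3Dhttp%3A%2F%2Fbad.example%2F%3E",
    "http://trusted.example/search?q=%253Ciframe%2520src%253Dhttp%253A%252F%252Fbad.example%252F%253E",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(suspicious_params(url) or "clean", "<-", url)
    print(echo_search_term("<iframe src=http://bad.example/>"))
```
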



#32 AplusWebMaster


Posted 31 December 2009 - 02:31 PM

FYI...

Malicious JavaScript infects websites
- http://blog.trendmic...fects-websites/
Dec. 31, 2009 - "Trend Micro threat analysts were alerted to the discovery of several compromised websites inserted with a JavaScript. The JavaScript is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which enables it to delay executing its routine, that is, -redirecting- the user to several malicious websites. This is done so users will not suspect that they are already infected. In addition, this malicious JS is hosted on PHP servers. If a user visits an infected website, it will display a white screen... Upon analysis, it was observed that the code (found on most infected sites) begins with /*GNUGPL*/try{window.onload=function(){var or /*CODE1*/ try{window.onload = function(){va. According to the Unmask Parasites blog*, the cybercriminals behind this attack incorporated certain legitimate sites’ names such as Google, Bing, and WordPress, among others, in their code to appear as a legitimate URL..."
* http://blog.unmaskparasites.com/

:ph34r: <_< :ph34r:



#33 AplusWebMaster


Posted 25 January 2010 - 09:47 PM

FYI...

Browser -redirects- on the Web...
> http://forums.whatth..._...st&p=627622
January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK... will redirect the web browser to other malicious websites..."

> http://forums.whatth...=...st&p=627918
January 26, 2010

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 27 January 2010 - 03:38 PM.



#34 AplusWebMaster


Posted 24 May 2010 - 09:45 AM

FYI...

Safari v4.0.5...
- http://secunia.com/advisories/39670
Last Update: 2010-05-18
Criticality level: Highly critical
Solution Status: Unpatched...
- http://web.nvd.nist....d=CVE-2010-1939
CVSS v2 Base Score: 7.6 (HIGH)
- http://web.nvd.nist....d=CVE-2010-1940
CVSS v2 Base Score: 4.3 (MEDIUM)

Firefox v3.6.3...
- http://nvd.nist.gov/...e=CVE-2010-1986
- http://nvd.nist.gov/...e=CVE-2010-1987
- http://nvd.nist.gov/...e=CVE-2010-1988 CVSS v2 Base Score: 10.0 (HIGH)
- http://nvd.nist.gov/...e=CVE-2010-1990
Last revised: 05/21/2010
- https://wiki.mozilla.org/Releases
Firefox 3.6.4 - June 1 ...

IE 6, 7, and 8
- http://web.nvd.nist....d=CVE-2010-1991
Last revised: 05/21/2010
CVSS v2 Base Score: 5.0 (MEDIUM)

:ph34r: :ph34r:

Edited by AplusWebMaster, 24 May 2010 - 10:29 AM.



#35 AplusWebMaster


Posted 08 June 2010 - 07:14 AM

FYI...

Safari v5.0 released
- http://forums.whatth...=...st&p=658684
June 07, 2010

IE MS10-035 released
Cumulative Security Update for Internet Explorer (982381)
- http://www.microsoft...n/ms10-035.mspx
June 08, 2010 - "... resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page..."

:ph34r:

Edited by AplusWebMaster, 08 June 2010 - 03:24 PM.



#36 AplusWebMaster


Posted 26 June 2010 - 06:05 AM

FYI...

Multiple Vendor WebKit HTML Caption Use After Free Vulnerability
- http://atlas.arbor.n...index#418501501
Severity: Elevated Severity
Published: Wednesday, June 23, 2010 19:12
A use-after-free issue has been found in Google Chrome (3.0.195.38 and 4.0.249.78), and Safari 4.0.4 (Windows XP/OS X 10.5.8), specifically in the WebKit core. A malicious webpage can force the browser to execute arbitrary code on the victim's PC. Updated software has been released to address this issue...

Safari v5.0 released
- http://secunia.com/advisories/40105/
Original Advisory: Apple:
http://support.apple.com/kb/HT4196
- http://web.nvd.nist....d=CVE-2010-1392
Last revised: 06/24/2010
CVSS v2 Base Score: 9.3 (HIGH)
"... Safari before 5.0..."

Google Chrome v5.0.375.99 released
- http://secunia.com/advisories/40479/
Release Date: 2010-07-05
Solution: Update to version 5.0.375.99.
Original Advisory:
http://googlechromer...nel-update.html

:ph34r:

Edited by AplusWebMaster, 05 July 2010 - 07:22 AM.



#37 AplusWebMaster


Posted 28 July 2010 - 04:02 PM

FYI...

Google Chrome
- http://www.securityt....com/id?1024256
Jul 28 2010

Apple Safari
- http://www.securityt....com/id?1024257
Jul 28 2010

Mozilla Firefox
- http://www.securityt....com/id?1024243
Jul 24 2010

- http://techblog.avir...r-updates-2/en/
July 28, 2010 - "... web browsers pose the highest risk for getting attacked by cyber criminals, they should be kept up-to-date and therefore the updates should be installed ASAP."

:ph34r:



#38 AplusWebMaster


Posted 08 September 2010 - 07:25 AM

FYI...

Firefox updated:
- http://securitytrack...ep/1024401.html
Sep 8 2010 - "... 3.5 prior to 3.5.12, 3.6 prior to 3.6.9..."
- http://securitytrack...ep/1024406.html
Sep 8 2010 - "... 3.5 prior to 3.5.12, 3.6 prior to 3.6.9..."

Safari updated:
- http://securitytrack...ep/1024400.html
Sep 8 2010 - "... 4.x prior to 4.1.2, 5.0 prior to 5.0.2..."

Google Chrome:
- http://securitytrack...ep/1024390.html
Sep 3 2010 - "... prior to 6.0.472.53..."

- http://techblog.avir...r-updates-3/en/

:ph34r:



#39 AplusWebMaster


Posted 06 October 2010 - 04:13 AM

FYI...

Browser security update tricks
- http://www.symantec....ty-update-trick
04 Oct 2010 - "... attackers use social engineering techniques to scare users into purchasing a misleading application. This time around, we have come across a couple of websites that are using a slightly different trick to mislead users. In order to trick users, these websites used bogus pages that look similar to those presented by security features or technologies when one is about to visit a malicious page. However, it presented a “Download Updates!!” button, unlike Google’s “Get me out of here” button... Regardless of what browser is used, the user is presented with the same misleading dialog box that seemingly forces the download of Firefox and Chrome updates. This misleading dialog box keeps on popping up, even if the user clicks on cancel button... The downloaded executable turns out to be a variant of the infamous misleading application called Security Tool. Once executed, it displays exaggerated pop-ups in an attempt to scare users... Unlike standard misleading application distribution websites, these sites don’t rely only on social engineering tricks to mislead users. If more savvy users don’t download the misleading application executable, then these websites will redirect users to a website that, in turn, further redirects to a malicious website that is hosting the infamous Phoenix exploit kit. Phoenix is an automated exploit kit that uses heavily obfuscated JavaScript code to evade security products... These exploit kits are used to deliver malware after exploiting a vulnerability, mostly those affecting Web browsers. If users don’t somehow fall victim to this latest browser update trick, then the attackers have the fall back of delivering misleading applications through these exploit kits..."
(Screenshots available at the URL above.)

- http://sunbeltblog.b...using-fake.html
October 07, 2010
- http://sunbeltblog.b...s-ie-users.html
October 19, 2010
- http://www.f-secure....s/00002051.html
October 20, 2010

:ph34r: <_<

Edited by AplusWebMaster, 20 October 2010 - 04:05 PM.



#40 AplusWebMaster


Posted 20 October 2010 - 09:39 AM

FYI...

'Need to stay on top of these updates - hacks do. Bug fixes are "reverse engineered" within -hours- of their release, and hacker exploits go right into production:

60 second check for updates here.
___

Zombie infection kit - Success rates / Victim browser statistics:
- http://labs.m86secur...bie_browser.png
October 15th, 2010
- http://labs.m86secur...ted-by-zombies/
"... effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched... 15 percent... of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed..."
Zombie infection kit - Success rates / IE6,7,8 - Java - Adobe PDF reader - Flash
- http://labs.m86secur...zombie_nexp.png

:huh:

Edited by AplusWebMaster, 22 January 2011 - 11:01 AM.
Link updates



#41 AplusWebMaster


Posted 26 October 2010 - 04:55 PM

FYI...

Firefox 0-days...
- http://isc.sans.edu/...ml?storyid=9817
Last Updated: 2010-10-26 19:02:22 UTC
___

60 second check for updates here.

:ph34r: :ph34r:

Edited by AplusWebMaster, 22 January 2011 - 11:03 AM.
Link updates



#42 AplusWebMaster


Posted 20 November 2010 - 07:23 AM

FYI...

'Need to stay on top of these updates - hacks do... so should you. If you haven't updated, -now- would be the time.

Recent Browser updates:

60 second check for updates here.
___

Multiple IE 0-day vulnerabilities...

IE drive-by bug ... "FixIt" available ...
- http://forums.whatth...=...st&p=705415
2011.01.12

IE/MHTML vuln ... "FixIt" available ...
- http://forums.whatth...=...st&p=709198
2011.01.28
___

Use stats
- http://www.w3schools...wsers_stats.asp

:ph34r:

Edited by AplusWebMaster, 04 February 2011 - 08:22 PM.
Link updates



#43 AplusWebMaster


Posted 07 December 2010 - 09:00 AM

FYI...

Factsheets By Browser - 2010
- http://secunia.com/r.../2010_browsers/

Other software:
- http://secunia.com/r...ces/factsheets/
Current Factsheets - 2010
• By Vendor
• By Windows Operating System

:ph34r:



#44 AplusWebMaster


Posted 15 February 2011 - 07:49 AM

FYI...

Browser 'BITB' attack...
- http://www.darkreadi...le/id/229218608
Feb. 14, 2011 - "... spin-off of the proxy Trojan, keylogger, and man-in-the-browser (MITB) attack. The "boy-in-the-browser" (BITB) attack... targeting users visiting their banks, retailers, and even Google... spotted in the wild. BITB is basically a "dumbed-down" MITB in which the attacker infects a user with its Trojan, either via a drive-by download or by luring the user to click on an infected link on a site... Imperva's advisory on the attacks is here*."
* http://www.imperva.c...he_Browser.html
Feb. 14, 2011 - "... Nine Latin American banks were targeted..."

:ph34r: :blink:



#45 AplusWebMaster


Posted 21 April 2011 - 10:30 AM

FYI...

Malware authors target Google Chrome
- http://www.zdnet.com...gle-chrome/3162
April 21, 2011 - "... malware authors have begun preying on users of alternative browsers to push dangerous software, including Trojans and scareware. The problem is that most malware attacks aren’t triggered by exploits that target vulnerabilities in code. Instead, according to one recent study, “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.” I found a perfect example yesterday, thanks to an alert from Silverlight developer Kevin Dente. He had typed in a simple set of search terms—Silverlight datagrid reorder columns—at Google.com, using the Google Chrome browser on Windows... The first page of Google search results included several perfectly good links, but the sixth result was booby trapped... That led to a basic social engineering attack, but this one has a twist. It was customized for Chrome. If you’ve ever seen a Google Chrome security warning, you’ll recognize the distinctive, blood-red background, which this malware author has duplicated very effectively... After the fake scan is complete, another dialog box comes up, warning that “Google Chrome recommends you to install proper software”... When I submitted it to VirusTotal.com*, only five of the 42 engines correctly identified it as a suspicious file..."
(Screenshots available at the URL above.)
* http://www.virustota...b22b-1303383008
File name: InstallInternetProtection_611.exe
Submission date: 2011-04-21 10:50:08 (UTC)
Result: 8/42 (19.0%)

:ph34r: <_<
