65 replies to this topic

[AplusWebMaster]

FYI...

SpyEye targets Opera, Google Chrome...
- http://krebsonsecuri...e-chrome-users/
April 26, 2011 - "The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers*... Many people feel more secure using browsers like Chrome and Opera because they believe the browsers’ smaller market share makes them less of a target for cyber crooks. This latest SpyEye innovation is a good reminder that computer crooks are constantly looking for new ways to better monetize the resources they’ve already stolen..."
* http://krebsonsecuri.../04/spychop.jpg

[AplusWebMaster]

FYI...


WebGL - browser security flaw...
- http://www.cio.com/a...r_Security_Flaw
May 9, 2011 - "The WebGL graphics technology turned on by default in Firefox and Chrome poses a serious security risk*... WebGL will not, however, run reliably on an unknown number of graphics cards, including Intel's integrated graphics and most ATI chipsets... Disabling WebGL varies from browser to browser but in Firefox involves setting a required value to "false" using the about:config command."
* http://www.contextis...ces/blog/webgl/
"... enabled by -default- in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari..." (Flowchart available at the contextis.com URL above.)
- http://www.theregist...ecurity_threat/
"... In Firefox 4, type “about:config” (minus the quotes) into the address bar and set webgl.disabled to true. In Chrome, get to the command line of your operating system and add the --disable-webgl flag to the Chrome command. On a Windows machine, the command line would be "chrome.exe --disable-webgl".

> https://wiki.mozilla...raphics_Drivers
___

WebGL Security Risks
- http://www.us-cert.g..._warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."

- http://www.h-online....em-1240567.html
10 May 2011
- http://www.h-online....iew=zoom;zoom=2

Edited by AplusWebMaster, 16 June 2011 - 05:25 AM.

[AplusWebMaster]

FYI...

WebGL security risks - updated
- http://www.contextis...blog/webgl/faq/
11 May 2011 - "... we are releasing the following further information to aid in the understanding of the issues... in the longer term, Context believes that browser vendors should, by default, disable WebGL from within their web browsers. We would like to see functionality included that would allow users to opt-in for WebGL applications that they trust on a case by case basis... reported these issues and other vulnerabilities to the Mozilla Security group who has raised a number of internal bug reports regarding the issues that we have found, including issues that we have -not- publicly disclosed. They have also passed the information onto Google for Chrome. The Mozilla Security Group has been very receptive to the issues that we have raised and have been very responsive to our concerns."
(More detail at the contextis URL above.)

- http://www.us-cert.g..._warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."

Edited by AplusWebMaster, 16 June 2011 - 05:28 AM.

[AplusWebMaster]

FYI...

IE 0-day - all versions... cookiejacking
- http://www.informati...endly=this-page
May 26, 2011 - "... All versions of Internet Explorer on all versions of Windows are affected by the 0-day vulnerability, and are thus susceptible to cookiejacking. As the name implies, the attack is similar to clickjacking attacks, which trick users into clicking on innocuous-looking graphics or videos, to trigger arbitrary code execution. Cookiejacking takes that type of attack one step further, adding the zero-day vulnerability and some trickery to steal any cookie from a user's PC... To be successful, however, the attack must incorporate two details. First, it needs to know the victim's Windows username, to find the correct path to where cookies are stored... Second, an attacker needs to know which Windows operating system their victim is using, as each one stores cookies in different locations. Browsers, however, typically reveal this information via their navigator.userAgent object..."

- http://blog.trendmic...s-a-major-risk/
May 27, 2011

Edited by AplusWebMaster, 27 May 2011 - 09:05 AM.

[AplusWebMaster]

FYI...

Facebook and M$ de-cloak Chrome ...
- http://blog.eset.com...rivacy-advocate
June 3, 2011 - "What’s wrong with this picture?... I am using Google’s incognito mode and Clicker knows exactly who I am!... Facebook “Instant Personalization” destroys Google Chrome’s “Incognito mode”. There is nothing incognito about opening a clean browser with no cookies and going to a website you have never visited before and being called by name with your picture on the web page. Facebook and “Instant Personalization” partner sites deliberately ignores your obvious and explicit instructions NOT to track you. In October 2010 Gigaom.com posted an article http://gigaom.com/20...ersonalization/ that claimed “Microsoft today launched social search features for Bing created in partnership with Facebook. The two companies are teaming up to take on their common enemy: Google.” Perhaps there is truth to that. It is mind-boggling that Microsoft’s Bing ran an end game around the Microsoft Internet Explorer team by also defeating IE9’s “InPrivate Browsing”... Mozilla was caught in the crossfire as Microsoft and Facebook sneak around Firefox’s Private browsing feature as well. Apple’s Safari browser’s privacy mode was also hunted down and shot. Let’s call it like it is. Facebook rolls out a “feature” that deliberately over-rides a user’s explicitly expressed desire to browse in privacy without tracking... You might be interested to see how much information your browser reveals by going to https://panopticlick.eff.org/ * and running their test... It is true that in the above example “Clicker.com” does offer to let me disable their unauthorized Facebook enabled spying, however this does not happen until private browsing has already been subverted by Facebook... Having worked at Microsoft I can imagine how completely frustrating it must be for internal Microsoft privacy advocates to have to stand idle and watch Bing override Internet Explorer’s “InPrivate” browsing feature. Perhaps for IE10 Microsoft can make more open labels and claims of what the browser can really do. The whole issue would have been avoided had Facebook had the decency to let users choose BEFORE they sabotage your browser and privacy."
(Screenshot available at the eset URL above.)

[AplusWebMaster]

FYI...

Chrome extensions leak data...
- http://www.informati...endly=this-page
September 29, 2011 - "A review of 100 Google Chrome extensions, including the 50 most popular selections, found that 27% of them contain one or more vulnerabilities that could be exploited by attackers either via the Web or unsecured Wi-Fi hotspots. Those findings come from a study being conducted by security researchers Nicholas Carlini and Prateek Saxena at University of California, Berkeley. In particular, they analyzed the 50 most popular Chrome extensions, as well as 50 others selected at random, for JavaScript injection vulnerabilities, since such bugs can enable an attacker to take complete control of an extension. The researchers found that 27 of the 100 extensions studied contained one or more injection vulnerabilities, for a total of 51 vulnerabilities across all of the extensions. The researchers also said that seven of the vulnerable extensions were used by 300,000 people or more... attackers have turned their attention to exploiting vulnerabilities in the third-party code - including add-ons and extensions - used by browsers."

[AplusWebMaster]

FYI...

SpyEye hijacks SMS security...
- https://www.trusteer...nd-sms-security
October 05, 2011 - "... recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks. Using code we captured while protecting a Rapport user, we discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge... This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof. Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems. The only way to defeat this new attack once a computer has been infected with SpyEye is using endpoint security that blocks MITB techniques..."
(More detail available at the trusteer URL above.)

[AplusWebMaster]

FYI...

HTML5 – The Ugly ...
- http://blog.trendmic...html5-the-ugly/
Nov. 30, 2011 - "... With HTML5, attacker(s) can now create a botnet which will run on any OS, in any location, on any device. Being heavily memory-based, it barely touches the disk, making it difficult to detect with traditional file-based antivirus. JavaScript code is also very easy to obfuscate, so network IDS signature will also have a very hard time. Finally, being web-based, it will easily pass through most firewalls. Stages of A Browser-Based Botnet Attack..."
(More detail at the trendmicro URL above.)...
___

Global malware view
Top attackers and domains distributing malware
- http://sucuri.net/global

Edited by AplusWebMaster, 30 November 2011 - 07:40 AM.

[AplusWebMaster]

FYI...

Exposed and vulnerable...

- http://www.zdnet.com...a-versions/9541
October 4, 2011 - "... 31.3% of users were infected with the virus/malware due to missing security updates..."
Charted: http://i.zdnet.com/b...ser_plugins.png

- http://www.csis.dk/en/csis/news/3321
2011-09-27 - "... users who unknowingly have been exposed to drive-by attacks have used the following web browsers..."
Charted: http://www.csis.dk/images/browser.Png

[AplusWebMaster]

FYI...

Cache objects history enumeration weakness...
I.E.: https://secunia.com/advisories/47129/
Chrome: https://secunia.com/advisories/47127/
Firefox: https://secunia.com/advisories/47090/
Opera: https://secunia.com/advisories/47128/
Release Date: 2011-12-06
Solution Status: Unpatched...
"... caused due to an error when handling cache objects and can be exploited to enumerate visited sites..."

[AplusWebMaster]

FYI...

Rogue Chrome browser extensions ...
- https://www.computer...hrome_Web_Store
March 26, 2012 - "Cybercriminals are uploading malicious Chrome browser extensions to the official Chrome Web Store and use them to hijack Facebook accounts, according to security researchers from Kaspersky Lab*. The rogue extensions are advertised on Facebook by scammers and claim to allow changing the color of profile pages, tracking profile visitors or even removing social media viruses... Once installed in the browser, these extensions give attackers complete control over the victim's Facebook account and can be used to spam their friends or to Like pages without authorization. In one case, a rogue extension masqueraded as Adobe Flash Player and was hosted on the official Chrome Web Store... By the time it was identified, it had already been installed by 923 users... Few users are aware that browser extensions can intercept everything they do through the browser. Security compromises based on rogue browser extensions are also more persistent than those based on password theft or other methods, because these extensions can piggyback on active sessions to perform unauthorized actions even if the account owners change their passwords or enable two-factor authentication..."
* http://www.securelis...rome_extensions

Edited by AplusWebMaster, 26 March 2012 - 01:40 PM.

[AplusWebMaster]

FYI...

Cross-browser worm uses commercial Javascript extension engine
- http://h-online.com/-1582931
23 May 2012 - "A cross-browser worm spreading across Facebook is using a commercial cross-browser extension engine. That was the finding made by Kaspersky's Sergey Golovanov who reported* on his examination of the "LilyJade" worm. Golovanov found that a system called Crossrider is used by LilyJade. Crossrider allows developers to write extensions for the browser to its own API and then allows that code to work as a portable extension on Internet Explorer (version 7 or later), Chrome and Firefox. But when you have malware as a portable extension it can also infect browsers running on Linux or Mac OS X as well. Most AV software will not look for it as it is purely JavaScript and doesn't try to leave the browser. Malicious extensions are not new but have traditionally been written to target a particular browser – by using the Crossrider cross-browser extension kit, the LilyJade authors have ensured the maximum coverage for their MitB (Man in the Browser) attack. The LilyJade malware's actual payload appears to be focused on click fraud, spoofing ad modules on Yahoo, YouTube, Bing/MSN, AOL, Google and Facebook. It also has a Facebook-based proliferation mechanism..."
* https://www.secureli...yJade_in_action

[AplusWebMaster]

FYI...

Browser SSL trouble
- https://isc.sans.edu...l?storyid=14089
Last Updated: 2012-09-13 - "... new tool called "CRIME" at the upcoming Ekoparty 2012 conference in 5 days. Their tool takes advantage of a flaw in the SPDY (speedy) TLS compression protocol implementation. It allows an attacker to hijack an encrypted SSL session. It appears that for this attack to work both the website and the browser must support the SPDY protocol. Several widely used websites such as Google, Gmail and Twitter do support the SPDY protocol. Both the Firefox and Chrome browsers also support this protocol. Internet Explorer and Safari does not support SPDY and are not vulnerable. It is recommended that you disable the use of the SPDY protocol on your HTTPS websites until the problem is addressed.
References:
http://security.stac...beast-successor
http://arstechnica.c...https-sessions/
http://threatpost.co...sessions-090512
http://www.computerw...against_SSL_TLS ..."

- https://isc.sans.edu...d=14089#comment
"To disable SPDY support in Firefox 13 or later (previous versions have it disabled by default), edit the chrome settings:
network.http.spdy.enabled = false
network.http.spdy.enabledv2 = false (present in FF 15)"

(via "about:config" w/o the quotes)

[AplusWebMaster]

FYI...

MS12-063 released (KB2744842):
- http://technet.micro...lletin/ms12-063
Sep 21, 2012
- https://technet.micr...dvisory/2757760
V2.0 (Sep 21, 2012): Advisory updated to reflect publication of security bulletin.
___

IE 0-day in-the-wild...
- https://secunia.com/advisories/50626/
Last Update: 2012-09-18
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 6.x, 7.x, 8.x, 9.x
... vulnerability is caused due to a use-after-free error when handling "<img>" arrays and can be exploited via a specially crafted web page. Successful exploitation allows execution of arbitrary code... currently being actively exploited. The vulnerability is reported on a fully patched Windows XP SP3. Other versions may also be affected...
... Reported as a 0-day.
Original Advisory:
http://eromang.zataz...y-not-over-yet/
"... potential Microsoft Internet Explorer 7 and 8 zero-day... exploited in the wild... This file is recognized as a HTML file*..."
* https://www.virustot...5f265/analysis/
File name: F4537FE00E40B5BC01D9826DC3E0C2E8.dat
Detection ratio: 15/42
Analysis date: 2012-09-18 10:50:06 UTC
Microsoft: http://technet.micro...dvisory/2757760
___

- https://www.net-secu...ld.php?id=13614
18 Sep 2012 - "... The Rapid7 team got right on it and created a module exploiting the vulnerability for the Metasploit exploit toolkit during the weekend, and advised IE users to switch to other browsers such as Chrome or Firefox until Microsoft patches the flaw security update becomes available. Microsoft has reacted fast by issuing a security advisory yesterday, in which it confirms the existence of the flaw in Internet explorer 9 and all previous versions (IE10 is not affected), and offers instructions on steps the users can take to mitigate - but not yet remove - the threat:
• Deploy the Enhanced Mitigation Experience Toolkit (EMET) and configure it for Internet Explorer
• Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
• Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
These steps could bring additional problems to the users, such as being bombarded by a slew of security warnings, so until Microsoft releases a definitive patch for the hole, maybe it would be easier for IE users to take Rapid7's advice and switch to another browser for the time being."

- http://h-online.com/-1710058
18 Sep 2012 - "... It remains to be seen whether patching the vulnerability will have to wait for the next scheduled Patch Tuesday in October or whether an unscheduled patch will be released..."

- https://isc.sans.edu...l?storyid=14107
Last Updated: 2012-09-17 - "... there is code in-the-wild that exploits this (since Sept14th)... there is no patch for it yet. If you're still running IE7, 8 or 9, today is a good day to think about switching browsers for a couple of weeks... (this zero day affects not just IE8, but also IE7 and IE9)..."

- http://labs.alienvau...ed-in-the-wild/
Sep 17, 2012 - "... The payload dropped is Poison Ivy...
> https://www.virustot...c32c6/analysis/
File name: a01dee0fdb5a752afea044c4e4fe4534ef5a23f6
Detection ratio: 25/42
Analysis date: 2012-09-18 06:19:29 UTC
The C&C server configured is ie.aq1 .co.uk that is currently resolving to 12.163.32.15 ...
We’ve also seen that the domain used in the previous attacks hello.icon .pk is also pointing to the new IP address. Once executed, the payload creates the file C:\WINDOWS\system32\mspmsnsv.dll and the service WmdmPmSN is configured and started..."

- http://h-online.com/-1709592
17 Sep 2012 - "... the remote administration tool (RAT) Poison Ivy is currently being distributed in this way in order to give the attackers complete access to the infected system. Users running Internet Explorer can play it safe by switching to another web browser..."

- http://www.symantec....-exploited-wild
17 Sep 2012 - "... this exploit was hosted on the same servers used in the Nitro attack*..."
* http://www.symantec....tro_attacks.pdf
Pg. 4 - PDF file: "... the threat used to compromise the targeted networks is Poison Ivy, a Remote Access Tool (RAT)... It comes fully loaded with a number of plug-ins to give an attacker complete control of the compromised computer..."

- https://community.ra...y-in-metasploit
Sep 17, 2012 - "... get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit..."

Edited by AplusWebMaster, 22 September 2012 - 06:19 AM.

[AplusWebMaster]

FYI...

Vulnerable browsers (out-of-date) put users at risk
Many users are waiting a month or more to apply important security updates that can protect them from exploits and malware.
- https://www.computer...t_users_at_risk
Nov 9, 2012 - "According to the results of a new survey from security software vendor Kaspersky*, nearly a quarter of the browsers currently in use are out of date. Surfing the Web with a vulnerable browser is a recipe for disaster. The Web browser has evolved to become the primary software used on many PCs. People access their email, surf websites, create documents and spreadsheets, access cloud-based file storage and sharing sites, and share with others on social networking sites - all through the browser. Attackers know this as well, which is why it is exceptionally risky to use a browser with known vulnerabilities... researchers analyzed the browser usage data from millions of customers around the world, and uncovered some concerning trends.
- 23% of browsers are not current: 14.5% are still using the previous version, while 8.5% are using even older, obsolete versions.
- When a new version of a browser is released, it can take nearly 10 days for it to surpass the previous version in usage, and an average of about a month for a majority of users to upgrade.
... With the holiday shopping season getting ready to kick off, millions of users will be researching gift ideas, and making holiday gift purchases online. Attackers have marked their calendars as well, and there will almost certainly be a spike in Web-based attacks. It's even more important during the holiday season to make sure you keep your browser, and your security software up to date."
* http://www.kaspersky...e_ENG_Final.pdf