Monthly Archives: December 2013

Installation of IIS malware through ColdFusion flaw

Attackers used an authentication bypass vulnerability in Adobe’s ColdFusion software as a stepping stone in an attack that infected web servers with malware. Additional details about the attack emerged in recent days as researchers from Trustwave’s SpiderLabs continued to dig into reports of malware disguised as modules for Microsoft’s Internet Information Services (IIS) software. According to Trustwave, the malware – which they have dubbed ISN – is designed to steal data and targets information in POST requests. The vulnerability the attackers used was CVE-2013-0629, which Adobe actually patched back in January. “It is important to also highlight the criticality of having an expedited patching life-cycle,” Trustwave’s Ryan Barnett blogged, noting that in one incident, the targeted organization was compromised less than two months after Adobe disclosed the vulnerability.

IE exploit used in operation Aurora still in action

Regular software patching is often touted as one of the best things you can do to keep your computer safe against malware infection. Unfortunately, not all users follow that advice, and that realisation often demoralises IT security professionals. Cyber attackers are, on the other hand, overjoyed that some users don’t even know what software patching means and entails, because this allows them to recycle old exploits and still succeed in their attacks. Zscaler’s Pradeep Kulkarni has recently unearthed an attack taking advantage of the Internet Explorer zero-day vulnerability that was exploited in the infamous Aurora attacks against Google and many other big Internet, finance, technology, media and chemical companies.

Microsoft December Patch Tuesday fixes 24 vulns

Microsoft last Tuesday released fixes for critical vulnerabilities in Internet Explorer, Microsoft Office, SharePoint, and the Windows operating system, including patches for two different zero-day vulnerabilities. But it has yet to patch a zero-day vulnerability that was first spotted in late November. The fixes came as part of Microsoft’s regular patch-release cycle, which this month addressed 24 different vulnerabilities, as documented in 11 Microsoft security bulletins. Five of those bulletins were rated as “critical,” meaning the flaws could be exploited remotely by attackers to take full control of a vulnerable system. Multiple information security experts have recommended starting with the fix for a zero-day Microsoft Graphics component memory corruption vulnerability (CVE-2013-3906), which was first discovered in early November via in-the-wild attacks. “The vulnerability could allow a remote-code execution if a user views TIFF files in shared content,” said Microsoft. Exploit code for this bug has also already been built into the open-source Metasploit penetration testing tool.

Chrome OS eyes password-free authentication

Google has a vision for how Chrome OS users will one day be able to lock and unlock their devices, without requiring a password. The Chromium OS team is building support for unlocking and locking devices running the operating system with a new Chrome API called “chrome.screenlockPrivate.” The API was first spotted by developer and Google open-source Chromium evangelist François Beaufort, who points to a Chromium code review with a very short description: “The chrome.screenlockPrivate API allows select apps to control the ChromeOS ScreenLocker.” Thankfully, it also includes a Google Docs link titled “chrome.screenlockPrivate – New Chrome API Proposal.”

Google’s Nexus phones vulnerable to SMS attacks

Google is reportedly looking into a problem with the latest versions of Nexus smartphones that could force the devices to restart, lock or fail to connect to the Internet. All Galaxy Nexus, Nexus 4 and Nexus 5 devices that run Android 4.0 contain a flaw that can render the phones vulnerable to a denial-of-service attack when a large number of Flash SMS messages are sent to them. According to a description on the programming site Stack Overflow, Flash SMS messages, also known as Class 0 SMS, are messages that show up – or flash – on screens immediately and dim the screen around the text. The messages are part of the GSM messaging infrastructure and are often used for sending emergency messages. Since the messages are not saved in phones’ inboxes by default and simply appear, users can select to read or dismiss them. If one message is received on top of another, however, they can stack up quickly.

D-Link patches router back-door vulnerability

D-Link has released firmware patches for a number of its older routers sporting a critical authentication security bypass vulnerability discovered in October. The flaw was discovered and its exploitability proved with a PoC by Tactical Network Solutions’ security researcher Craig Heffner. D-Link confirmed the existence of the problem a few weeks later. “Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string. This backdoor allows an attacker to bypass password authentication and access the router’s administrative web interface,” D-Link explained in a security advisory.