By Kelli Tarala | November 15, 2011
Adobe closed 12 critical holes in all supported versions of Flash Player up to and including version 22.214.171.124. The memory corruption vulnerabilities allowed attackers to inject malicious code on computers; visiting a specially crafted Web page is all that was required to become a victim. When Internet Explorer is used, attackers can exploit a further hole to bypass the cross-domain policy. It is recommended all users update to the latest version 126.96.36.199 of Flash to protect their systems. Flash Player for Android is also affected: the most recent vulnerable version is 188.8.131.52; the update to version 184.108.40.206 can be installed via the Android Market. Version 3.0 of the AIR application platform (including Adobe AIR for Android) is also vulnerable. Updating to version 220.127.116.1180 fixes the issues.
sn3Ak3r hacks social network and leaks 57,000 credentials
Social network FindFriendz.com was attacked by An0nym0us sn3Ak3r, a member of t34m t!g3R, and credentials on 57,000 members were stolen. E Hacking News reported the social network’s Web site lost the information as a result of an SQL injection attack that took advantage of a common vulnerability. The hacker published only a small part of the stolen data, but he claimed he would make the rest available for anyone who requests it.
Valve says credit card data taken
Valve confirmed the hack of its Steam forums reported the week of November 7 may have included the theft of credit card numbers. The company e-mailed users saying the intruders that defaced its forums also accessed a database that included “information including user names, hashed and salted passwords, game purchases, email addresses, billing information, and encrypted credit card information.” Since the card data was encrypted, it may not be usable to the attackers, operating under the handle fkn0wned. However, according to the Washington Post and others, the e-mail from Valve’s founder advised customers to watch their credit card statements for evidence of misuse. Valve has sought to reassure users it was not slack with their personal information. A password reset was applied to all forum users, and the company suggests any gamers whose Steam password was the same as their forum password should reset that as well.
Duqu targeted each victim with unique files and servers
The creators of the Duqu malware that penetrated industrial manufacturers in at least eight countries tailored each attack with exploit files, control servers, and booby-trapped Microsoft Word documents that were different for each victim, according to research published November 11. Two of the drivers the sophisticated, highly modular rootkit used in one attack showed compilation dates of 2007 and 2008, the Kaspersky Lab expert and author of the report said. If the dates are genuine, they suggest the Duqu architects may have spent the past 4 years developing the malware. The Duqu version examined in the report was recovered by the Sudan Computer Emergency Response Team from an undisclosed company the attackers targeted in advance. Like attacks on other targets, it was launched using a booby-trapped Word document with content tailored to the receiving organization, and exploited a previously unknown vulnerability in the kernel of all supported versions of Microsoft Windows.
Patched Adobe Flash SWF vulnerability still makes victims
While Adobe patched a SWF file vulnerability in April 2011, users who failed to update their browser plug-ins are still heavily targeted by attacks that rely on the outdated version of Flash Player, Softpedia reported November 11. Zscaler researchers noticed the phenomenon, which continues to claim victims among the 7 percent of customers who still use an old version of the software. The April patch fixed a weakness that would allow a cyber criminal to execute arbitrary code or launch a denial of service attack using specially crafted Flash content, protecting customers who updated the player to the latest versions. Because many still rely on the old variants, they are easy targets for hackers who embed malicious SWF files in Microsoft Office documents or HTML pages. A site recently discovered by the experts embedded a Flash file, nb.swf, in a page; Adobe’s Flash Player executed the file when the site was loaded. Executing the specially crafted file leads to memory corruption in the player that allows a piece of shellcode to be passed in as an input parameter. At the time it was discovered, only half of the security vendors listed in VirusTotal detected the SWF file as a threat.
Apple closes iPhone keysigning hole
Apple released iOS 5.0.1, an update to October’s publication of iOS 5.0 for iPhones and iPads, which includes fixes for two major security holes discovered since the release. A researcher recently revealed he was able to run unsigned code on Apple’s devices by exploiting a flaw in versions of iOS 4.3 and later. That flaw, a logic error in the kernel’s mmap system call and its checking of flags, is now corrected. Exploitation of the flaw could have allowed an attacker to inject unsigned code into a maliciously crafted signed application, bypassing many of Apple’s security restrictions. The problem with the iPad 2’s Smart Cover and iOS 5.0 which allowed the passcode lock to be bypassed has also been fixed. Among the other issues resolved in the update are two flaws said to “lead to the disclosure of sensitive information:” one in CFNetwork’s handling of URLs, and the other in the handling of DNS lookups. Apple also configured the default trust system for certificates to no longer trust DigiCert Malaysia’s certificates after they were found to be weak and incorrectly formed.
Chrome 15 update closes holes, updates Flash
Researchers find way to protect hardware against trojans
Researchers from the Polytechnic Institute of New York University (NYU-Poly) and the University of Connecticut designed a new technique that should assure the integrity of hardware components against malicious altering or manufacturing flaws. According to the Sacramento Bee, a professor of electrical and computer engineering at NYU-Poly believes people are falsely assuming hardware elements are free of malware. He claims that since products are in many cases assembled from components manufactured all over the world, hardware elements can be tampered with during transportation and in other processes. Since many organizations could end up with such units, the professor’s team believed something had to be done to verify the integrity of hardware, especially since in many cases it is used by critical infrastructure agencies. One of the techniques proposed by the scientists involves ring oscillators, devices composed of an odd number of NOT gates whose output oscillates between two voltage levels. Since circuits that contain these devices produce specific frequencies, any kind of tampering would alter their original design, thus alerting testers that the circuit was compromised. To make it difficult for criminals to replicate these frequencies, the researchers proposed creating more versions of the ring oscillator arrangements, making them impossible to keep track of.
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.