
Adobe closes 12 critical holes in Flash: DHS Infrastructure Open Source Report November 15th

By Kelli Tarala | November 15, 2011

Adobe closed 12 critical holes in all supported versions of Flash Player up to and including version 11.0.1.152. The memory corruption vulnerabilities allowed attackers to inject malicious code on computers; visiting a specially crafted Web page is all that was required to become a victim. When Internet Explorer is used, attackers can exploit a further hole to bypass the cross-domain policy. It is recommended all users update to the latest version 11.1.102.55 of Flash to protect their systems. Flash Player for Android is also affected; the most recent vulnerable version is 11.0.1.153, and the update to version 11.1.102.59 can be installed via the Android Market. Version 3.0 of the AIR application platform (including Adobe AIR for Android) is also vulnerable. Updating to version 3.1.0.4880 fixes the issues.

Full Story: http://www.h-online.com/security/news/item/Adobe-closes-12-critical-holes-in-Flash-1377759.html

sn3Ak3r hacks social network and leaks 57,000 credentials
Social network FindFriendz.com was attacked by An0nym0us sn3Ak3r, a member of t34m t!g3R, and credentials on 57,000 members were stolen. E Hacking News reported the social network’s Web site lost the information as a result of an SQL injection attack that took advantage of a common vulnerability. The hacker published only a small part of the stolen data, but he claimed he would make the rest available for anyone who requests it.

Full Story:
http://news.softpedia.com/news/sn3Ak3r-Hacks-Social-Network-and-Leaks-57-000-Credentials-234240.shtml

Valve says credit card data taken
Valve confirmed the hack of its Steam forums reported the week of November 7 may have included the theft of credit card numbers. The company e-mailed users saying the intruders that defaced its forums also accessed a database that included “information including user names, hashed and salted passwords, game purchases, email addresses, billing information, and encrypted credit card information.” Since the card data was encrypted, it may not be usable to the attackers, operating under the handle fkn0wned. However, according to the Washington Post and others, the e-mail from Valve’s founder advised customers to watch their credit card statements for evidence of misuse. Valve has sought to reassure users it was not slack with their personal information. A password reset was applied to all forum users, and the company suggests any gamers whose Steam password was the same as their forum password should reset that as well.

Full Story:
http://www.theregister.co.uk/2011/11/13/steam_confirms_credit_card_database_attacked/

Duqu targeted each victim with unique files and servers
The creators of the Duqu malware that penetrated industrial manufacturers in at least eight countries tailored each attack with exploit files, control servers, and booby-trapped Microsoft Word documents that were different for each victim, according to research published November 11. Two of the drivers the sophisticated, highly modular rootkit used in one attack showed compilation dates of 2007 and 2008, the Kaspersky Lab expert and author of the report said. If the dates are genuine, they suggest the Duqu architects may have spent the past 4 years developing the malware. The Duqu version examined in the report was recovered by the Sudan Computer Emergency Response Team from an undisclosed company the attackers targeted in advance. Like attacks on other targets, it was launched using a booby-trapped Word document with content tailored to the receiving organization, and exploited a previously unknown vulnerability in the kernel of all supported versions of Microsoft Windows.

Full Story:
http://www.theregister.co.uk/2011/11/11/duqu_analysis/

Patched Adobe Flash SWF vulnerability still makes victims
While Adobe patched a SWF file vulnerability in April 2011, users who failed to update their browser plug-ins are still highly targeted by attacks that rely on the outdated version of Flash Player, Softpedia reported November 11. Zscaler researchers noticed the phenomenon, which still makes many victims out of the 7 percent of customers who still use an old version of the software. The weakness allowed a cyber criminal to execute arbitrary code or launch a denial of service attack by using specially crafted Flash content, and Adobe's April fix protects customers who updated the player to the latest versions. Because many still rely on the old variants, they become easy targets for hackers who encapsulate malevolent SWF files into Microsoft Office documents or HTML pages. A location discovered recently by the experts embedded an nb.swf Flash file into a page, and Adobe’s Flash Player executed the file when the site was loaded. The execution of the specially crafted element leads to a memory corruption in the player that allows for a piece of shellcode to be passed on as an input parameter. At the time when it was discovered, only half of the security vendors listed in VirusTotal detected the SWF file as a threat.

Full Story:
http://news.softpedia.com/news/Patched-Adobe-Flash-SWF-Vulnerability-Still-Makes-Victims-233980.shtml

Apple closes iPhone keysigning hole
Apple released iOS 5.0.1, an update to October’s publication of iOS 5.0 for iPhones and iPads, which includes fixes for two major security holes discovered since the release. A researcher recently revealed he was able to run unsigned code on Apple’s devices by exploiting a flaw in versions of iOS 4.3 and later. That flaw, a logic error in the kernel’s mmap system call and its checking of flags, is now corrected. Exploitation of the flaw could have allowed an attacker to inject unsigned code into a maliciously crafted signed application, bypassing many of Apple’s security restrictions. The problem with the iPad 2’s Smart Cover and iOS 5.0 which allowed the passcode lock to be bypassed has also been fixed. Among the other issues resolved in the update are two flaws said to “lead to the disclosure of sensitive information:” one in CFNetwork’s handling of URLs, and the other in the handling of DNS lookups. Apple also configured the default trust system for certificates to no longer trust DigiCert Malaysia’s certificates after they were found to be weak and incorrectly formed.

Full Story:
http://www.h-online.com/security/news/item/Apple-closes-iPhone-keysigning-hole-1377460.html

Chrome 15 update closes holes, updates Flash
Google released version 15.0.874.120 of Chrome. The maintenance and security update to the WebKit-based browser upgrades the V8 JavaScript engine to version 3.5.10.23, addresses several vulnerabilities, and includes the recent Flash Player 11.1 release, which also closes critical security holes. The Stable channel update fixes five “high-risk” bugs: a heap overflow in the Ogg Vorbis decoder, a double free issue in the Theora decoder, and a memory corruption regression in VP8 decoding, as well as a use-after-free error and a buffer overflow in shader variable mapping. Two medium-risk out-of-bounds reads in the MKV and Ogg Vorbis media handlers, and a low-risk issue that caused JRE7 to fail to ask for permission to run applets, have also been fixed.

Full Story:
http://www.h-online.com/security/news/item/Chrome-15-update-closes-holes-updates-Flash-1377300.html

Researchers find way to protect hardware against trojans
Researchers from the Polytechnic Institute of New York University (NYU-Poly) and the University of Connecticut managed to design a new technique that should assure the integrity of hardware components against malicious altering or manufacturing flaws. According to the Sacramento Bee, a professor of electrical and computer engineering at NYU-Poly believes people are falsely assuming hardware elements are free of malware. He claims that since products are in many cases assembled of components manufactured all over the world, hardware elements can be tampered with during transportation and in other processes. Since many organizations could end up with such units, the professor’s team believed something had to be done to verify the integrity of hardware, especially since in many cases it is utilized by critical infrastructure agencies. One of the techniques proposed by the scientists involved ring oscillators, devices composed of odd numbers of NOT gates whose output oscillates between two voltage levels. Since circuits that contain these devices produce specific frequencies, any kind of tampering would alter their original design, thus alerting testers the circuit was compromised. To make it difficult for criminals to replicate these frequencies, the researchers proposed the creation of more versions of the ring oscillator arrangements to make it impossible to keep track of.

Full Story:
http://news.softpedia.com/news/Researchers-Find-Way-to-Protect-Hardware-Against-Trojans-233568.shtml

Read the Full Daily Open Source Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_111511.pdf

Security Disclaimer
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.
