VMware breached, more hypervisor source code to come: DHS Infrastructure Highlights April 30th

By Kelli Tarala | April 30, 2012

Hypervisors — such as VMware ESXi and Xen — provide the platform on which virtualized guest operating systems run, and are therefore a core component of any business’s virtual infrastructure. A 2010 study from IBM found that 35 percent of all vulnerabilities in a virtualized environment could be traced to the hypervisor. Those vulnerabilities are cause for concern in the wake of VMware’s April 23 confirmation that source code dating to 2003 and 2004 was publicly released by a hacker billing himself as Hardcore Charlie. He described the release as a “sneak peek” of the 300 MB of VMware source code he claims to possess, which he said will be publicly released May 5. Charlie said he obtained the VMware kernel source code via March attacks against China Electronics Import & Export Corporation.

NYSE receives credible cyber threat against website
The New York Stock Exchange (NYSE) received a credible threat to disrupt its external Web site as part of an apparent cyber attack attempt against many U.S. exchanges, the Fox Business Network reported April 26. The threat, which is not tied to NYSE’s trading systems, prompted the Big Board to beef up security and monitoring for a potential cyber attack, sources familiar with the matter said. The April 26 threats centered on a potential denial-of-service attack focused strictly on the exchange’s external Web site, having nothing to do with its trading systems, a source said. The cyber threat appears to be tied to an anti-capitalist online posting by a group calling itself “L0NGwave99” that promised to hit stock exchanges with a denial-of-service attack April 26 in support of the “great and rooted 99% movement.” In addition to the NYSE, the group claimed it would put “into a profound sleep” the Web sites of the Nasdaq Stock Exchange, BATS, the Chicago Board of Options Exchange, and the Miami Stock Exchange. While the posting said it would start the operation at 9 a.m., none of those exchanges appeared to be suffering any Web site difficulties as of early afternoon on April 26.

One vulnerable site can serve multiple cybercriminal groups, experts find
Security researchers found that a single vulnerable Web site may be used by a number of cybercriminal organizations, each one altering the site to serve its own purposes. In many cases, Web sites are compromised and altered to lead visitors to domains that push fake antivirus programs, which lately have become a lucrative way for cyber criminals to earn a profit. A Zscaler expert explained that once the criminals take over a site, they rely on Blackhat SEO techniques to drive traffic toward their malicious pages. To do this, they set up two different pages on the compromised domain. First, they create a spam page that search engines, security scanners, and blacklisting mechanisms see as harmless; this page contains no obfuscated code and performs the redirect via a PHP or .htaccess file. The second page contains the redirect to the site that actually carries out the attack on users. More recently, researchers identified many compromised Web sites that redirected users to fake antivirus and were also infected with a malicious piece of JavaScript containing an IFRAME injection that pointed to several different locations.
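The two artefacts the Zscaler description gives a defender something concrete to look for: a referer- or user-agent-conditional redirect to an off-site host in a .htaccess file (cloaking, so that scanners fetching the page directly see only the harmless spam page), and zero-sized or hidden IFRAMEs, sometimes percent-encoded and written out via `unescape()` so that a plain string scan misses them. The script below is an added example, not code from the article or from Zscaler; the .htaccess and HTML samples are constructed in the script, and the host name `victim.example` is a hypothetical site being checked.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed samples (not taken from any real site) of the two artefacts the
# article describes: a conditional .htaccess redirect that only fires for
# visitors arriving from a search engine, and a page carrying an injected,
# zero-sized IFRAME plus a percent-encoded copy written out by JavaScript.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]
RewriteRule ^.*$ http://redirector.example/go.php [R=302,L]
"""

SAMPLE_HTML = """\
<html><body>
<h1>Keyword-stuffed spam page</h1>
<iframe src="http://evil.example/landing" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//other.example/%22%20height%3D%220%22%3E%3C/iframe%3E'));</script>
</body></html>
"""

# Request variables whose use in a RewriteCond means the redirect depends on
# who is asking: the hallmark of cloaking (scanners see one page, humans another).
CLOAK_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def external_host(url, own_host):
    """Return the lower-cased host of url if it points off-site, else ''."""
    host = (urlparse(url).hostname or "").lower()
    return host if host and host != own_host else ""


def find_htaccess_cloaking(text, own_host):
    """Flag RewriteRules that send referer- or UA-selected visitors off-site.

    Returns a list of (line_number, destination_host)."""
    findings = []
    pending_conds = []          # RewriteCond lines apply to the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending_conds.append(line)
            continue
        if line.startswith("RewriteRule"):
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            host = external_host(target, own_host)
            cloaked = any(v in c for c in pending_conds for v in CLOAK_VARS)
            if host and cloaked:
                findings.append((lineno, host))
            pending_conds = []  # conditions are consumed by this rule
    return findings


IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none""", re.I)
UNESCAPE_RE = re.compile(r"""unescape\(\s*["']([^"']+)["']""")


def find_hidden_iframes(html, own_host):
    """Return off-site hosts loaded by hidden IFRAMEs, including ones that only
    appear after decoding a percent-encoded unescape() payload."""
    blobs = [html] + [unquote(p) for p in UNESCAPE_RE.findall(html)]
    hosts = []
    for blob in blobs:
        for tag in IFRAME_RE.findall(blob):
            src = SRC_RE.search(tag)
            host = external_host(src.group(1), own_host) if src else ""
            if host and HIDDEN_RE.search(tag) and host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    site = "victim.example"   # hypothetical host being checked
    for lineno, host in find_htaccess_cloaking(SAMPLE_HTACCESS, site):
        print(f".htaccess line {lineno}: conditional redirect to {host}")
    for host in find_hidden_iframes(SAMPLE_HTML, site):
        print(f"hidden IFRAME loads {host}")
```

Run against a site's web root, the useful output is the list of off-site hosts; a legitimate site rarely has any reason to redirect only search-engine referrals elsewhere, and a zero-sized IFRAME pointing to a host the site owner does not recognise is worth treating as a compromise until proven otherwise. Because the second page the article describes is the one scanners are meant to miss, fetching the site with a search-engine referer and a browser user-agent in addition to a plain request is what exposes the conditional behaviour.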

PHP 5.4.1 and PHP 5.3.11 released
The PHP developers released the first update for PHP 5.4, the latest version of their popular scripting language, and an update to PHP 5.3, the older stable branch of the language. The developers said “All users of PHP are strongly encouraged to upgrade” to the new releases. PHP 5.4.1 has more than 20 bug fixes, including some related to security. One security bug concerned insufficient validation of the upload name, which led to corrupted $_FILES indices. Another notable change was the addition of open_basedir checks to readline_write_history and readline_read_history. The PHP 5.3.11 update fixes nearly 60 bugs, including a regression in a previously applied security fix for the magic_quotes_gpc directive. A new debug info handler was also added to DOM objects, and the developers added support for version 2.4 of the Apache Web server.

Ghost of HTML5 future: Web browser botnets
During a presentation at the B-Sides Conference in London, England, April 25, a senior threat researcher at Trend Micro outlined how HTML5 could be used to launch browser-based botnets and other attacks. The new features in the revamped markup language — from WebSockets to cross-origin requests — could cause major issues for the information security arena and turn browsers such as Chrome and Firefox into complete cybercrime toolkits. Many attack scenarios involve using JavaScript to create memory-resident “botnets in a browser,” the researcher warned, which can send spam, launch denial-of-service attacks, or worse. Because an attack is browser-based, anything from a Mac OS X machine to an Android smartphone can run the platform-neutral code, simplifying the development of malware. Creating botnets by luring users into visiting a malicious Web page, as opposed to having them open a booby-trapped file that exploits a security flaw, offers many advantages to hackers. Malicious Web documents held in memory are difficult to detect with traditional file-scanning antivirus packages, which seek out bad content stored on disk. JavaScript code is also very easy to obfuscate, so network gateways that look for signatures of malware in packet traffic are easy to bypass — and HTTP-based attacks pass through most firewalls.
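The server-side control that keeps a page on some unrelated site from driving a victim's browser against your WebSocket endpoint is validating the `Origin` header on the handshake: browsers always send it, and a service that accepts any origin is exactly the kind of target the cross-origin features above make reachable. The code below is an added example, not code from the article or from Trend Micro; the allowlist `ALLOWED_ORIGINS`, the host names and the two handshakes are constructed for illustration.

```python
from urllib.parse import urlparse

# Hypothetical allowlist: the only web origin whose pages may open a WebSocket
# to this service. A page served from anywhere else (including a malicious site
# a victim was lured to) gets its handshake refused.
ALLOWED_ORIGINS = {"https://app.example"}


def normalize_origin(origin):
    """Canonicalise an Origin value to scheme://host:port, or None if malformed."""
    try:
        p = urlparse(origin)
        host, port = p.hostname, p.port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not host:
        return None
    if port is None:
        port = 443 if p.scheme == "https" else 80
    return f"{p.scheme}://{host.lower()}:{port}"


def websocket_upgrade_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a WebSocket handshake may proceed, based on its Origin.

    Returns (allowed, reason). A browser always sends Origin on a WebSocket
    handshake, so a missing or unparsable header is treated as untrusted
    (fail closed) rather than waved through."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a WebSocket upgrade"
    origin = h.get("origin")
    if origin is None:
        return False, "missing Origin header"
    norm = normalize_origin(origin)
    if norm is None:
        return False, f"malformed Origin {origin!r}"
    if norm not in {normalize_origin(a) for a in allowed}:
        return False, f"cross-origin handshake from {origin} refused"
    return True, "ok"


# Constructed handshakes: one from the legitimate app (explicit default port,
# which normalisation folds away), one from a page on an unrelated site.
LEGIT_HANDSHAKE = {
    "Host": "ws.app.example",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Origin": "https://app.example:443",
    "Sec-WebSocket-Version": "13",
}
ROGUE_HANDSHAKE = dict(LEGIT_HANDSHAKE, Origin="https://lure.example")

if __name__ == "__main__":
    for name, hs in (("legit", LEGIT_HANDSHAKE), ("rogue", ROGUE_HANDSHAKE)):
        print(name, websocket_upgrade_allowed(hs))
```

Comparison is on the normalised scheme, host and port rather than a substring match, so `https://app.example.lure.example` does not pass as `app.example`. The same allowlist reasoning applies to the cross-origin request side of the article: a CORS policy that reflects whatever `Origin` it receives, or answers `*` on an authenticated endpoint, is what lets a script on another site read the responses.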

Critical bug reported in Oracle servers
There is a critical remotely exploitable vulnerability in all current versions of the Oracle database server that can enable an attacker to intercept traffic and execute arbitrary commands on the server. The bug, which Oracle reported as fixed in the most recent Critical Patch Update (CPU), is fixed only in upcoming versions of the database, not in currently shipping releases, and publicly available proof-of-concept exploit code is circulating. The vulnerability lies in the TNS Listener service, which routes connection requests from clients to the database server. A researcher said he discovered the vulnerability several years ago and then sold the details of the bug to a third-party broker, who reported it to Oracle in 2008. Oracle credited the researcher for reporting the bug in its April CPU, but he said in a post on the Full Disclosure mailing list the week of April 23 that the flaw was not actually fixed in the current versions of the Oracle database server.

Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at  Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.

Topics: DHS Infrastructure Reports