New Flash Player Zero Day

[tweetmeme source=”franscomputerservices” only_single=false]ZDNet reports, Adobe warns of new Flash Player zero-day attack:

Hackers are embedding malicious Flash Player files in Microsoft Word documents to launch targeted attacks against select businesses, according to a warning from Adobe.

These are being used to steal secrets from corporations, likely through downloaded and emailed MS Word documents such as Excel.

Adobe is working on patches for Flash 10.2.x and for earlier versions as well, for just about every OS out there.

Adobe Reader X protected mode will “prevent an exploit of this kind from executing.” The actual fix won’t come till their normal patch cycle in June for Adobe Reader. So be sure to get the latest version (Adobe Reader X)!

Much more in the article including information and links to Adobe’s security release.

Advertisements

Lizamoon and Epsilon breach

[tweetmeme source=”franscomputerservices” only_single=false]There are two major things that users need to be aware of right now, as if there weren’t enough already. 😉

One affects email and the other affects browsing/surfing the Internet. Both bad news, and we all need to be very aware of what has happened and why we have to be very vigilant in making sure we don’t click on links in email, open attachments sent in email, or respond to potential unexpected boxes and requests while surfing the Internet.

Financial and payment services are the biggest areas being hit right now, and will continue to be so much more effective and dangerous due to the current economy while people scramble to survive around the world.

Targeted Sectors Q2 2010 - Anti-Phishing Working Group (APWG)

Targeted Sectors Q2 2010 - Anti-Phishing Working Group (APWG)

Lizamoon/LizaMoon drive-by rogue malware infection

Lizamoon is a drive-by rouge antimalware or antivirus download infection. Thankfully you generally have to take some action to allow it to install as noted by Fred Langa in the comp copy of WindowsSecrets.com newsletter in his article entitled, “LizaMoon infection: a blow-by-blow account“. Must read!

The most important takeaway is that Fred said he had to take action on four separate occasions before the infection took place:

On the other hand, deliberate choices and actions by a user can defeat any software. LizaMoon required my active, voluntary involvement four different times before the infection took hold.

LizaMoon wasn’t even subtle: I had plenty of warnings and opportunities to abort the process, the malware itself provided abundant clues to its own bogus nature (such as an inability to keep its aliases straight).

Much more in the article. A must read for all who surf the Internet to be able to identify this rogue drive-by infection when it happens/if it happens.

The biggest takeaway:We can prevent these types of things by being aware and not clicking on things just because they are presented to us while surfing the Internet.

Epsilon breach – Spear Phishing attacks

Epsilon is an outsourcing marketing company for many big companies/banks. They have a huge database of people’s email addresses, names and the company or bank associated with each email address. This makes the spear phishing, generally a very effective social engineering technique and can make their attacks via email so much more effective…mainly because they know the email addresses are real, and more importantly they can link the real name and the actual company/bank connected the email address.

Computerworld reports, “Security experts today warned users to be on the watch for targeted email attacks after a breach at a major marketing firm that may have put millions of addresses in the hands of hackers and scammers.”

Brian Krebs (KrebsOnSecurity) and Heise Online Security report,

Epsilon has now confirmed that approximately 2 per cent of its total clients were affected. According to a blog post by security blogger Brian Krebs, financial services company Visa and American Express (Amex) say that they were not impacted by the Epsilon breach. However, the following banks, service providers and online retailers are said to have been affected:

1-800-FLOWERS
AbeBooks
Air Miles (Canada)
Ameriprise Financial
Barclay’s Bank of Delaware
Beach Body
Bebe Stores
Best Buy
Benefit Cosmetics
Brookstone
Capital One
Chase
Citigroup
City Market
College Board
Dillons
Disney Destinations
Eddie Bauer
Eileen Fisher
Ethan Allen
Euro Sport (Soccer.com)
Food 4 Less
Fred Meyer
Fry’s Electronics
Hilton Honors Program
Home Depot Credit Card (Citibank Editor)
Home Shopping Network
JPMorgan Chase
Kroger
Marks and Spencer
Marriott
McKinsey Quarterly
MoneyGram
New York & Co.
QFC
Ralph’s
Red Roof Inns
Ritz-Carlton
Robert Half International
Smith Brands
Target
TD Ameritrade
TiVo
U.S. Bank
Walgreen’s

Much more in these articles, must read, as well as others on the web including WashingtonPost, eWeek, BBC, and others.

The biggest takeaway: Don’t believe everything you see in email. Don’t trust links or downloads in email. Check with the person who sends it before opening any downloads and don’t give out information from your bank, and other sites, etc. unless you can confirm it definitely came from them. You can always go to the site directly from your own bookmarks/favorites and login to ensure you get to the right place. Don’t use their links in email unless you can verify it’s really from the company. In fact, one can get into trouble and get further compromised by clicking on links in email.

Side note: this is why I do not view email as HTML. So much can be hidden behind all the pretty pictures and code.

And be prepared. Keep your antivirus software and antimalware program as well, clear your Internet cache frequently. If you suspect you have been hit with one of these rogue antivirus/antimalware attacks, unplug the Internet/network cable from your computer to prevent further harm and take appropriate action by running Malwarebytes Antimalware, CCleaner (or other temporary Internet cleaner program you use), and then a scan with your antivirus software and take whatever recommended action they call for. Links to these programs provided on our Resources page.

If you make sure both of these are updated before you surf for the day, you will be in a much better situation should you somehow get hit with something.

And do your backups, and have an image of your OS to restore from if it becomes necessary. Windows 7 makes this very easy to do with their built-in image creator and backups, and system repair disk.

Internet Explorer Search Bar Malware Hijack

[tweetmeme source=”franscomputerservices” only_single=false]Recently, the Google Gala malware has been hijacking the Google Search engine in Internet Explorer’s Search Bar. In addition, Fast Browser Searching apparently has been being installed through some means and stealing the Google Homepage of other users.

Google Gala and Fast Search hijacks is nothing new, but they are making a serious comeback. I am not sure how they are injecting themselves into the Google Search on IE8 Search Bar, but they definitely are corrupting the Google Search engine in the IE8 Search Bar. This has been known to happen in Firefox in the past as well. And who knows how long it will be till Google Chrome and other browsers will be hit the same way, if not already.

Browser makers need to harden their Search Bar against this type of attack, but until they do, we have to take matters into our own hands.

If you feel the need to use Internet Explorer, I would strongly suggest hiding or removing the IE8 Search Box and going directly to Google website instead.

As shown at w7forums link above, to hide/remove the IE8 Search Box:

Start -> run -> gpedit.msc

Or better yet, change to an alternative browser, like Google Chrome or Mozilla Firefox.

The advantages of Google Chrome with built-in Flash player that is updated automatically through Google Chrome’s update mechanism is quite attractive. In addition, Google Chrome is fast to load and now has extensions such as Adblock Plus, WOT, FlashBlock and others, like Mozilla Firefox has had for a long time. In addition, Google Chrome has a built-in ‘sandbox’ feature which can save a world of hurt while browsing the web. Although it is not perfect, it is a great feature.

I have to say for years now, I have not used any built-in browser search bar. I go directly to the Google website, or other favorite search engine websites directly. I would suggest that, until browser developers harden their search bars, it would be wise to not make use of search bars for searching.

In addition, I would strongly suggest you install and run, CCleaner frequently. Close your browser after every use and right click on the Recycle Bin and choose Run CCleaner after every use of the browser.

If you do get hit with malware like Security Shield for any reason, but especially in this case, due to the redirection/hijack of search results in the IE8 Search Bar, you will need to use rkill or the Task Manager (if available) to find/kill the Security Shield oddball named process and then update and run Malwarebytes Antimalware to get rid of related registry entries, hidden files, etc., as shown at BleepingComputers Forum Security Shield (Uninstall Guide).

Or call your computer expert to help you with removal of the malware.

The most important thing is not to continue to use the computer on the Internet until it is removed to keep from getting hit with more malware. Redirection to malware sites posing as legitimate websites and searches is a strong possibility while infected with malware.

EDIT: I started writing this post yesterday morning and got it published at 12:06PM. Within hours, there was a security advisory by Microsoft and articles about:

Microsoft Security Advisory (2501696)
Vulnerability in MHTML Could Allow Information Disclosure

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is investigating new public reports of a vulnerability in MHTML on all supported editions of Microsoft Windows. This vulnerability manifests itself in Internet Explorer.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process, or providing an out-of-cycle security update, depending on our customer needs.

What is MHTML?
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content. The MHTML protocol handler in Windows provides a pluggable protocol (MHTML:) that permits MHTML encoded documents to be rendered in applications.

What causes this threat?
The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could inject a client-side script in the user’s Internet Explorer instance. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

How could an attacker exploit the vulnerability?
In a Web-based attack scenario, an attacker could convince a user to click a specially crafted link that would inject a malicious script in the response of the Web request.

Sure sounds like this may be the problem I was writing about in this posting.

BetterPrivacy Firefox Addon

[tweetmeme source=”franscomputerservices” only_single=false]BetterPrivacy Firefox Addon

Ever wondered why you are still tracked though you tried everything to prevent it?

BetterPrivacy is a safeguard which protects from usually not deletable LSO’s on Google, YouTube, Ebay…

This is a great addon. I had no idea I had so many of these and some dated back to 2006!

They don’t show up in your normal cookies area of the browers.

So what are LSOs (wikipedia.org):

Local Shared Objects (LSO), commonly called flash cookies, are collections of cookie-like data stored as a file on a user’s computer. LSOs are used by all versions of Adobe Flash Player and Version 6 and above of Macromedia’s now-obsolete Flash MX Player.

Privacy concerns

LSOs can be used by web sites to collect information on how people navigate those web sites even if people believe they have restricted the data collection. More than half of the internet’s top websites use LSOs to track users and store information about them. There is relatively little public awareness of LSOs, and they can usually not be deleted by the cookie privacy controls in a web browser. This may lead a web user to believe a computer is cleared of tracking objects, when it is not.

Several services even use LSOs as surreptitious data storage to reinstate traditional cookies that a user deleted, a policy called “re-spawning” in homage to video games where adversaries come back to life even after being “killed”. So, even if a user gets rid of a website’s tracking cookie, that cookie’s unique ID will be assigned back to a new cookie again using the Flash data as “backup.” In USA, at least five class-action lawsuits have accused media companies of surreptitiously using Flash cookies.

In certain countries it is illegal to track users without their knowledge and consent. For example, in the UK, customers must consent to use of cookies/LSOs as defined in the “Guidance on the Privacy and Electronic Communications (EC Directive) Regulations 2003”:

Cookies or similar devices must not be used unless the subscriber or user of the relevant terminal equipment:

* is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
* is given the opportunity to refuse the storage of, or access to, that information.

There is more information in the links at the bottom of that wikipedia article on LSOs. Here’s just one from EPIC (Electronic Privacy Information Center) called EPIC Flash Cookie Page

If you install BetterPrivacy Firefox Addon, they have a very nice writeup on LSOs from the HELP button when looking at the options.

NOTE: The best part about BetterPrivacy is that you choose which ones to keep and which ones to delete. There are some sites that you likely will want to keep them and set them to be protected, but you certainly don’t need sites that you casually visit setting them and having them for years tracking your activities.

New security hole in Facebook through Yelp

[tweetmeme source=”franscomputerservices” only_single=false]Yelp Security Hole Puts Facebook User Data At Risk, Underscores Problems With ‘Instant Personalization’ (TechCrunch):

TechCrunch Facebook/Yelp image

TechCrunch Facebook/Yelp image

As if Facebook’s Instant Personalization needed another knock against it, tonight comes news of a security issue that makes the feature even more unnerving. Web security consultant George Deglin discovered an exploit that would allow a malicious site to immediately harvest a Facebook user’s name, email, and data shared with ‘everyone’ on Facebook, with no action required on the user’s part. This specific exploit has been patched, and no user data was compromised, but the security problems behind it remain.

Much more in the article. Thanks TechCrunch!

Yes, been fixed but after what damage? And a few weeks before a good guy figures it out. Thank you, George Deglin!

How many other vulnerabilities in Facebook that only the bad guys know about until a good guy discovers it?

I am so glad I deactivated my Facebook account.

Race Conditions aka TOCTOU and now KHOBE

[tweetmeme source=”franscomputerservices” only_single=false]There is a ‘supposedly new’ threat on the horizon for Windows XP users, and more so on multi-core systems called KHOBE (Kernel HOok Bypassing Engine).

Although this is a threat, it is not a new threat — in fact, this type of thing has been a threat to computing since 1998 when it was written about in PDF format: RaceConditions.pdf, and in 1996 in this PDF: racecond.pdf and many times since then in articles online about TOCTOU (noted below in this posting).

It definitely sounds pretty bad when it is reported that this ‘new’ KHOBE can bypass EVERY Windows security product in an article by the respected Adrian Kingsley-Hughes at ZDNet Blogs and as reported and tested by MATOUSEC here. And it certainly isn’t a non-issue…

However, let’s look at this objectively. First this is not the first, last or only situation that has or will arise. Race Conditions as noted above have been created by TOCTOU (Time of check to time of use) situations since the dawn of computing and yes, they are not easy to test for in all situations/hardware prior to release of software/Operating Systems, but these types of conditions have been a potential threat for a very long time in all kinds of software.

A time-of-check-to-time-of-use bug (TOCTTOU − pronounced “TOCK too”) is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

Before Windows was capable of true multi-tasking/multi-threading, it was possible to create these conditions on UNIX machines as noted in this 2001 article at InformationWorld.

So, why the fuss now? Windows 7 is basically claimed to be immune — by its omission in the ‘affected Windows Operating Systems’ list. Apparently only Windows XP (ONLY about 60% of Windows users –eeek! — per Adrian Kingsley-Hughes article above), or earlier Windows OSes are affected and in this particular case, and then only by security software that use the KHOBE (Kernel HOok Bypassing Engine).

Graham Cluely at his Sophos Blog notes,

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.

In addition, Paul Ducklin’s Sophos blog notes,

The security panic of the week is the widely-reported story of a “vulnerability” called KHOBE. One news headline goes so far as to announce that this “new attack bypasses virtually all AV protection”.

I disagree.

The sample “attack”, which claims to be an 8.0 earthquake for desktop security software, describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

Much more in his blog entry. All of these links are must read if you wish to understand as much as is possible what the real threat is.

So, given all this, is the game over on security software because this is now disclosed to be possible (READ: it was always possible) — at least till they figure out how to prevent Race Conditions in security software?

Hardly. But due to the release of the information, this situation may make life interesting security-wise for Windows XP users (earlier Windows OSes like Win2K, Win98, WinME, WinNT shouldn’t even be on the net at this point for many reasons, the least of which is this situation).

So, if you are a Windows user what can you do in the meantime?

  • Keep your systems up to date
  • Make sure you have a hardware NAT or SPI Firewall/Router on your local network, and a software firewall in place and working properly and updated (if it’s a third party firewall – Windows Firewall is updated with your Windows Updates)
  • Keep your browsers up to date
  • Keep your browser plugins (Adobe products, Apple products, Java, etc.) and extensions (like Firefox’s AdBlock Plus, etc.) up to date
  • Keep all Internet facing programs (Adobe, Microsoft, etc.) up to date
  • Run your CCleaner (or other Temporary Files/Temporary Internet Files cleaner program) frequently (I actually run mine several times a day) – Fully close any browsers before running your ‘cleaner’ and then re-open it as needed after you run the ‘cleaner’
  • Make sure your antivirus software is updating as it should and doing its scheduled scans
  • Update and Run any cleaner software and secondary anti-malware programs (like Malwarebytes Anti-malware) at least once a week or more often and immediately if something seems odd on your computer
  • Don’t open suspicious emails, even from known senders
  • Be careful where you go on the Internet. Even some legitimate sites have been hacked
  • Be careful about links and friends on Facebook (if you haven’t deactivated your account yet), Twitter, LinkedIn, and other Web 2.0/dynamic Social Networking sites.

In short, do what you should always be doing to keep yourself safe. Because this isn’t over. It was always a possibility whether we were aware or not, and it will likely be a possibility for a long time to come.

You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system. *See EDIT below for a note from BillP about WinPatrol and kernel hooks.

And as I noted earlier, the focus of this issue, at this time, is apparently Windows XP, but any operating system is vulnerable to this type of attack and always has been — and that is not likely going to change any time soon.

EDIT: Added the following comment from BillP who developed WinPatrol:

* Thanks! I’m honored by the mention.
It’s a great topic and mentioning WinPatrol is appropriate since I don’t use any kernel hooking to detect changes. Thumbs Up!

Bill

Embedded PDF executable hack

[tweetmeme source=”franscomputerservices” only_single=false]Embedded PDF executable hack goes live in Zeus malware attacks (Ryan Naraine at ZDNet)

Yes, there has been a lot of coverage on Adobe Reader vulnerabilities, and this is no exception, and with good reason since this is being actively exploited.

This one is the same /launch vulnerability built into Adobe Reader that was being exploited to run malicious code. This one also comes via email, and the PDF has an embedded attachment within the document. The file is executable and if you run it, it will install the Zeus bot on your computer.

It’s no longer good enough to disable Javascripting alone. There is more needed to thwart this attack.

From the article:

Here are the instructions for mitigating a potential attack:

* Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”

It is important to download PDF files from email rather than opening them directly from email, as with any attachment, so you can virus scan the file prior to opening it.

While you are in the Preferences, you might want to make sure Javascripting is turned off. And you might want to disable viewing PDF files in browser windows. There are times when that may be inconvenient, but it will keep you safer at least for now.

One way to keep PDF files from opening in browsers if you are using Firefox is to install the PDF Download Extension which allows you to download rather than open a PDF file in the browser. It also gives you a chance to determine if this is really what you want to do.