McAfee Labs Messaging Security recently observed a spam campaign based on the Boston Marathon bombing and the Texas fertilizer plant explosion. The messages take advantage of our interest in these tragic events to lure victims to malware and exploits. Last week my colleague Paras Gupta blogged about the use of the Black Hole exploit kit Read more…
According to a recent survey, nearly half of all consumers believe that their smartphones and other mobile devices are less secure than their laptop or desktop computers. In the same survey, only 36% of respondents said they trust online retail sites to keep their personal data safe. Still, holiday shopping from mobile phones increased by Read more…
With the PCI DSS 3.0 release only 6 months away, compliance should be on every merchant’s mind. Nevertheless, these regulations often come as an afterthought, especially for Level 3 and Level 4 businesses. As the number of online shoppers continues to grow, there are more and more opportunities for cybercriminals to strike. Increased vigilance on Read more…
We’ve always been told to “read the fine print before you sign on the dotted line,” but let’s be frank. In today’s digital world, all we want to do is play that new game, test that new app and hear that new song. The fine print seems like an unnecessary barrier to our fun. Most Read more…
“Malware” is a shortened version of the words malicious software. It is defined as: a generic term used to describe any type of software or code specifically designed to exploit a computer/mobile device or the data it contains, without consent. Most malware is designed to have some financial gain for the cybercriminal. Whether they are Read more…
Zero-days progress into attack kits before patches are available
In the first quarter of 2013, we spotted quite a few zero-day vulnerabilities affecting Oracle Java, Adobe Flash, Adobe Reader, and Microsoft Internet Explorer being exploited in the wild. This blog discusses the details of these zero-days exploited to spread malware in the first quarter of 2013.
Java zero-day vulnerabilities
During the month of January 2013, we saw some interesting Oracle Java SE zero-day issues being actively exploited in the wild. On January 13, 2013, Oracle released a security alert for Oracle Java Runtime Environment Multiple Remote Code Execution Vulnerabilities (CVE-2013-0422) to address multiple vulnerabilities in Java SE. The first vulnerability occurs in the way the public “getMBeanInstantiator” method in the “JmxMBeanServer” class is used to obtain a reference to a private “MBeanInstantiator” object, and then retrieving arbitrary Class references using the “findClass” method. The second vulnerability occurs because of using the Reflection API with recursion in a way that bypasses a security check by the “java.lang.invoke.MethodHandles.Lookup.checkSecurityManager” method due to the inability of the “sun.reflect.Reflection.getCallerClass” method to skip frames related to the new reflection API.
Immediately, after patching CVE-2012-0422, Oracle alerted the public about Oracle Java Runtime Environment Remote Code Execution Vulnerability (CVE-2012-3174) being exploited in wild to execute arbitrary code. Specifically, the issue occurs when the “MethodHandle” abstract class is used to invoke a method in the “sun.misc.reflect.Trampoline” class. This can allow the Security Manager to be bypassed.
On February 1, 2013, Oracle released a massive patch update for Java SE addressing 50 vulnerabilities. The Critical Patch Update (CPU) was originally scheduled for February 19, however it was released well in advance because of the exploitation in the wild of one of the vulnerabilities affecting the Java Runtime Environment (JRE) in desktop browsers. The details about this vulnerability are currently unknown. On February 19, Oracle released an updated Critical Patch Update (CPU) with an additional five fixes, bringing the total of fixes in the February 2013 CPU to 55.
On March 4, 2013, Oracle released yet another security alert about Oracle Java SE Remote Code Execution Vulnerability (CVE-2013-1493). This issue is prone to a remote code execution vulnerability that leads to arbitrary memory read and writes in the JVM process. This allows attackers to corrupt the memory and disable the Security Manager component.
Figure 1. Untrusted Applet exploits a vulnerability to disable the Security Manager and access system resources
The exploit conditions for all these vulnerabilities are the same i.e. they are remotely exploitable, without authentication, to execute arbitrary code in the context of the currently logged-in user. To successfully exploit the vulnerabilities, an attacker must entice an unsuspecting user into visiting a specially crafted webpage that contains a malicious applet. Successful exploits can impact the availability, integrity, and confidentiality of a user’s system. Please note that these vulnerabilities do not affect Java running on servers, standalone Java desktop applications, or embedded Java applications.
Adobe Flash and Adobe Reader zero-day vulnerabilities
On February 7, 2013, Adobe released a security bulletin, APSB13-04, that included fixes for Adobe Flash Player Buffer Overflow Vulnerability (CVE-2013-0633) and Adobe Flash Player Remote Memory Corruption Vulnerability (CVE-2013-0634) which also affected the Adobe Flash application. These vulnerabilities were exploited in targeted attacks through spear phishing email messages targeting numerous industries. CVE-2013-0633 is a remote buffer-overflow vulnerability and CVE-2013-0634 is a remote memory-corruption vulnerability. An attacker can exploit these issues and execute arbitrary code in the context of the application or cause denial-of-service conditions. The samples discovered in-the-wild were delivered by tricking users into opening a Microsoft Word document sent as an email attachment that contains malicious Flash (SWF) content. These issues can also be exploited by enticing a user to visit a specially crafted site. Symantec detects these threats as Bloodhound.Flash.19 and Bloodhound.Flash.20.
On February 20, Adobe released a security bulletin, APSB13-07, that contained fixes for two interesting zero-day vulnerabilities, Adobe Acrobat And Reader Remote Code Execution Vulnerability (CVE-2013-0640) and Adobe Acrobat And Reader Remote Code Execution Vulnerability (CVE-2013-0641), affecting Adobe Reader X. The exploit for these issues worked in the latest versions of Adobe Reader and Adobe Acrobat that were available at the time, including versions X and XI, which both have a sandbox protection feature.
Figure 2. CVE-2013-0640 and CVE-2013-0641 vulnerabilities combine to bypass sandbox
The exploit was highly sophisticated and contained multiple evasion techniques, including heavily obfuscated JavaScript, ROP-only shellcode, and a multi-staged payload. The exploit worked in two stages. The first stage exploited the first vulnerability to have a code execution inside the sandboxed process in order to drop a malicious DLL file as the payload. The second stage used this payload to exploit the second vulnerability in a broker process and bypass the sandbox protection to drop the malware. Symantec detects the malicious PDF file as Trojan.Pidief and the two dropped DLL files as Trojan.Swaylib.
On February 26, 2013, the Adobe Product Security Incident Response Team (PSIRT) announced the availability of new security updates for Adobe Flash Player. This was the third time in February that they patched their code. The latest security bulletin, APSB13-08, addressed three Flash vulnerabilities, two of which were exploited in wild. These issues were used in targeted attacks that trick a user into visiting a site that contains malicious Flash (SWF) content. The exploits used for Adobe Flash Player Unspecified Security Vulnerability (CVE-2013-0643) and Adobe Flash Player Remote Code Execution Vulnerability (CVE-2013-0648) were designed to target the Mozilla Firefox browser. Specifically, the issue related to CVE-2013-0648 exists in the “ExternalInterface ActionScript” feature and CVE-2013-0643 exists because of a permissions issue with the Flash Player Firefox sandbox.
Microsoft Internet Explorer vulnerability
On December 27, 2012, a new Internet Explorer zero-day vulnerability was discovered being exploited in wild. Although this is not a 2013 zero-day, the exploitation of this issue continued into the first quarter of 2013. On January 14, 2013, Microsoft released a security bulletin containing fixes for this issue. The vulnerability occurred because of a user-after-free error when handling the “CButton” object in the mshtml.dll file. Certain popular websites were compromised to host the exploit as a part of a watering hole style attack. When users visited the compromised website, their computers were infected with malware, allowing attackers to extract valuable and sensitive information. Symantec had earlier published a research document surrounding watering hole attacks (The Elderwood Project) detailing targets, growing trends, and attack platforms that have been seen since 2009.
On March 16, 2013, we saw Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1288) being exploited in wild. The issue occurred when handling the “CParaElement” object that was already freed and reused later and thus triggering the vulnerability. The issue was already patched by Microsoft on March 12, 2013. Discovering new zero-days can be a costly and time consuming business for malware authors. So it is speculated that the attackers may have reverse-engineered the patches to understand this vulnerability and craft an exploit. Though most systems would have already been patched, there would still be many unpatched systems during the first few days that attackers can compromise.
Conclusion
In total, we observed 11 zero-day vulnerabilities exploited in the first three months of 2013 affecting Oracle Java, Adobe Flash, Adobe Reader, and Microsoft Internet Explorer, which is quite high. This shows an increase in the finding and exploiting of zero-days. Plus the issues were discovered in popular applications allowing for maximum damage. Most of these flaws can be exploited over the Internet by enticing users to visit a site hosting the exploit. We also observed the attackers have started digging deeper to find vulnerabilities in the sandbox protection features of applications in order to bypass the restrictions for complete exploitation. A number of these flaws are used in different exploit kits and sold on the underground market.
Symantec recommends users to follow these best security practices:
The Online Certificate Status Protocol (OCSP) is the protocol used by browsers to obtain the revocation status of a digital certificate attached to a website. Naturally OCSP speed is considered one of the main criteria for quality, as browsers reach out to webservers and confirm that the SSL certificate is valid.
It is the first criteria, but certainly not the only one. Most of the major Certificate Authorities (CAs) measure similarly in OCSP speeds according to reputable third party tests, some trending slightly lower or higher. Mindful investments in infrastructure and architecture keep the speed battle going, and competition is fierce. But there are four aspects to OCSP and the whole SSL certificate verification structure that should be considered, and held equal in importance.
A second factor is reliability. When a Certificate Authority is tricked into issuing a legitimate SSL certificate for third party fraudulent activities, the entire industry can suffer a loss of trust. A few years ago, DigiNotar went out of business after they had a reliability failure when an attacker obtained fraudulent certificates for several dozen Internet domains. In return, the major Web browser vendors had to remove all trust from DigiNotar’s certificates, and the CA folded. Reliability creates trust. A CA needs reliable, audited business practices for authentication and revocation alike.
Availability is the simplest to talk about to a lay person: Either a site is up or it’s down. Either an OCSP response returns or it does not. These are simple concepts, but reputation can still play a factor. If your company is known to have major outages, and by major let’s define longer than 10 minutes at a time, your reputation for availability will start to suffer. There are sites dedicated to tracking the uptime of various vendors for online availability, so clearly it matters to consumers and businesses alike.
Fourth there’s security, both physical and logical. To maintain a public CA, your physical and logical security must be beyond reproach. Your business continuity and disaster planning has to be extensive. CAs invest in security infrastructure, building or buying malware-protection systems, conducting regular audits, and run vulnerability assessments to cover all known vectors of attack. Multi-layer security and continuous monitoring is expensive, but a necessary part of overhead to protect the integrity of the business and the consumer.
Smaller and local CAs globally often discover that the overhead and expense of running a mainstream commercial CA is too high, and sometimes they go out of business. But none of these four core components to OCSP, or indeed the whole commercial CA security ecosystem, can be sacrificed for any other and still maintain a web of trust on the internet.
Read more about PKI, OCSP, and best practices HERE.
The Online Trust Alliance has published a whitepaper on CA best practices as well HERE.
Contributor: Avdhoot Patil
Promotion for Telugu movies has gained momentum in the world of phishing as they continue to be targeted with phishing scams. The phishing site featuring the movie “Brindavanam” is one example. In a more recent case, phishers used a captivating song from the Telugu movie, “Saitan” as bait.
The phishing site displayed a picture from a captivating musical number from the movie “Saitan” starring Telugu actress, Santosh Samrat, and Sri Lankan film and teledrama actress, Akarsha, on the left side of the phishing page. The picture from the musical number was taken from the legitimate movie website. The phishing site was titled, “Samantha & Kajal Very Hot Song” but in fact, these celebrities were not a part of this movie. Phishers used the popularity of these celebrities to attract large numbers of Samantha and Kajal fans.
The phishing page then encouraged users to enter their login credentials and stated that after logging in, they could watch the video. After a user’s login credentials were entered, users were redirected to the legitimate movie website which featured a different song from a different movie, “Ye Maya Chesave”, starring Naga Chaitanya and Samantha Ruth Prabhu.
Due to the intimate nature of the musical number and the use of misleading names, phishers were probably hoping for a large audience, increasing the number of user credentials they could steal. If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes. The phishing site was hosted on a server based in Montreal, Canada.
Internet users are advised to follow best practices to avoid phishing attacks:
Question of the week: Since I have been using avast! I have been conscious of staying secure online. Does it matter which search engine I use? Is one safer than the other? Thanks for using avast! to protect your computer. Yours is a great question, but maybe not one that people consider when thinking about the […]