Tag Archives: Endpoint Protection (AntiVirus)

Microsoft Patch Tuesday – May 2014

      No Comments on Microsoft Patch Tuesday – May 2014

Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing eight bulletins covering a total of 13 vulnerabilities. Three of this month’s issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the May releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms14-may

The following is a breakdown of the issues being addressed this month:

  1. MS14-022 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)

    SharePoint Page Content Vulnerabilities (CVE-2014-0251) MS Rating: Important

    Multiple remote code execution vulnerabilities exist in Microsoft SharePoint Server. An authenticated attacker who successfully exploited any of these related vulnerabilities could run arbitrary code in the security context of the W3WP service account.

    SharePoint XSS Vulnerability (CVE-2014-1754) MS Rating: Critical

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could allow an attacker to perform cross-site scripting attacks and run script in the security context of the logged-on user.

    Web Applications Page Content Vulnerability (CVE-2014-1813) MS Rating: Important

    A remote code execution vulnerability exists in Microsoft Web Applications. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the W3WP service account.

  2. MS14-023 Vulnerability in Microsoft Office Could Allow Remote Code Execution (2961037)

    Microsoft Office Chinese Grammar Checking Vulnerability (CVE-2014-1756) MS Rating: Important

    A remote code execution vulnerability exists in the way that the affected Microsoft Office software handles the loading of dynamic-link library (.dll) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Token Reuse Vulnerability (CVE-2014-1808) MS Rating: Important

    An information disclosure vulnerability exists when the affected Microsoft Office software does not properly handle a specially crafted response while attempting to open an Office file hosted on the malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted Microsoft online service.

  3. MS14-024 Vulnerability in a Microsoft Common Control Could Allow Security Feature Bypass (2961033)

    MSCOMCTL ASLR Vulnerability (CVE-2014-1809) MS Rating: Important

    A security feature bypass vulnerability exists because the MSCOMCTL common controls library used by Microsoft Office software does not properly implement Address Space Layout Randomization (ASLR). The vulnerability could allow an attacker to bypass the ASLR security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow an arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.

  4. MS14-025 Vulnerability in Group Policy Preferences Could Allow Elevation of Privilege (2962486)

    Group Policy Preferences Password Elevation of Privilege Vulnerability (CVE-2014-1812) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that Active Directory distributes passwords that are configured using Group Policy preferences. An authenticated attacker who successfully exploited the vulnerability could decrypt the passwords and use them to elevate privileges on the domain.

  5. MS14-026 Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732)

    TypeFilterLevel Vulnerability (CVE-2014-1806) MS Rating: Important

    An elevation of privilege vulnerability exists in the way that the .NET Framework handles TypeFilterLevel checks for some malformed objects.

  6. MS14-027 Vulnerability in Windows Shell Handler Could Allow Elevation of Privilege (2962488)

    Windows Shell File Association Vulnerability (CVE-2014-1807) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows Shell improperly handles file associations. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Local System account. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights.

  7. MS14-028 Vulnerability in iSCSI Could Allow Denial of Service (2962485)

    iSCSI Target Remote Denial of Service Vulnerability (CVE-2014-0255) MS Rating: Important

    A denial of service vulnerability exists in the way that affected operating systems handle iSCSI packets. An attacker who successfully exploited the vulnerability could cause the affected service or services to stop responding.

    iSCSI Target Remote Denial of Service Vulnerability (CVE-2014-0256) MS Rating: Important

    A denial of service vulnerability exists in the way that affected operating systems handle iSCSI connections. An attacker who successfully exploited the vulnerability could cause the affected service or services to stop responding.

  8. MS14-029 Security Security Update for Internet Explorer (2962482)

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-0310) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2014-1815) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Privacy Fears Spawn New Generation of Low Profile Social Networks

      No Comments on Privacy Fears Spawn New Generation of Low Profile Social Networks

mobile_device_social_anon.png

Is the era of oversharing over? Recent revelations about state-sponsored surveillance and mega-breaches engineered by cybercrime gangs have put the issue of privacy in the spotlight. After more than a decade where people appeared to be sharing more and more details about themselves online, there is some evidence that a backlash is now underway. Certainly the founders of a number of new social networking services seem to think so and they have made privacy one of the main selling points of their offerings.

One effort at building a more anonymous social network is Secret. Its creators decided to move in the opposite direction to most social networks and minimize the personal information its users share. Available as either an iOS or Android app, it doesn’t use real names or profile photos. Users instead anonymously share text and images. Their posts are shared with other friends who are also on Secret, but users are not told which of their friends authored the post. They can choose to share those posts with their own friends and, if a post goes two degrees beyond its author, it is shared publicly and marked with its broad location (e.g. California).

Secret goes to some length to reassure its users of their privacy. For example, it markets itself with the fact that customer data is stored on Google servers – the same servers used in Gmail – and all communications are encrypted with TLS. Message data is encrypted before being written to its servers and keys are stored in an off-site keystore service that rotates keys. When the app connects a user with someone they know from their contacts book, it doesn’t send phone numbers or email addresses to Secret’s servers. Contact details are locally hashed with a shared salt and the server then compares them against other hashed values.

Secret’s arrival is a sign that social media moguls have spotted which way the wind is blowing. The app was developed by online publishing platform Medium, which was founded by Evan Williams and Biz Stone. Williams was a co-founder of blogging platform pioneer Pyra Labs (and credited with coining the phrase “blogger”) and was later a co-founder of Twitter.

The latest service to launch is Cloaq, which goes far beyond Secret in the level of anonymity it offers its users. Users don’t have to provide any personal information when they sign up, such as their name, email address or phone number. Instead, they choose their own password and Cloaq assigns them a user ID. The company is handing out accounts in batches, e.g. @alpha1 through to @alpha999 and so on.  The downside of having such an anonymous service is that anyone who does forget their user ID or password has no way of retrieving it.

In addition to new social media ventures, established operators have also begun to perceive a market for private services. For example, Twitter chief executive Dick Costolo recently said that the company is exploring the option of introducing a “whisper mode” that will allow its users to move conversations into the private sphere. While the company already has a private direct messaging feature, Costolo indicated that the whisper mode would allow for a smoother transition between public and private conversations. Additionally, he indicated that the feature could enable private conversations between more than two people.

Revelations about surveillance have also prompted some of the main online service providers to beef up their privacy measures. For example, Google has now moved to a default encrypted HTTPS connection whenever a user of its email service Gmail logs on. Furthermore, the company said that it was encrypting all traffic on its data center network, meaning that Gmail data will also be encrypted if it moves between Google servers. The move is intended to allay privacy fears following revelations about state-sponsored surveillance of traffic between data centers.

Google isn’t the only company moving to enhance customer privacy. Yahoo has followed suit, switching on HTTPS as a default on Yahoo mail and encrypting traffic between its data centers. Microsoft too has responded to privacy concerns. Likening the threat posed by surveillance to that presented by malware, the company is encrypting content moving between itself and its customers, in addition to encrypting data center traffic.

Whether a permanent shift towards greater anonymity is underway remains to be seen. However it is clear that the entire industry, from start-ups to the major players, has recognized that it is, for now, a key concern for consumers.

Sophisticated Viknok Malware Proves That Click-fraud Is Still a Moneymaker for Scammers

      No Comments on Sophisticated Viknok Malware Proves That Click-fraud Is Still a Moneymaker for Scammers

Symantec has spotted a recent surge of infections of Trojan.Viknok, which can gain elevated operating system privileges in order to add compromised computers to a botnet. Trojan.Viknok, first observed in April 2013, infects dll files with a malicious payload. Since its initial discovery, the malware has evolved into a sophisticated threat, capable of obtaining elevated operating system privileges in order to infect system files on multiple Windows operating systems, such as the 32 and 64-bit versions of Windows XP, Vista and 7. 

Attackers have been observed using Viknok-infected computers to carry out Adclick fraud. While click-fraud activity has been prevalent for years, it still seems to be an effective way for scammers to make money. The scammers behind the current Viknok campaign have gone to a lot of effort to add more victims to their Adclick botnet, helping them make more money in the process.

While the Viknok malware was discovered last year, attackers have been increasingly using the threat in the last six months. In April 2014, Symantec observed a spike in Trojan.Viknok activity along with new reports of Viknok-infected computers playing random audio clips through victims’ speakers. In the first week of May alone, Symantec saw 16,500 unique Viknok infections. The majority of victims are located in the US.

In this blog, we’ll talk about how Viknok manages to alter a system dll to gain elevated privileges. We’ll discuss the techniques the threat uses to infect its targets and how it takes advantage of compromised computers to conduct click-fraud. Finally, we’ll show how many Viknok infections have occurred in recent months and talk about how to protect yourself from this threat.

Viknok’s privilege escalation exploit
Modifying a system dll is no easy task in today’s operating systems. Even if a user is operating from an administrator account, they will not have the permissions to alter core system files, such as rpcss.dll which lets software continue to run each time Windows restarts. So how can Viknok infect these files?

Viknok has an arsenal of techniques at its disposal to let it perform the silent infection of the system file rpcss.dll. These methods consist of: 

The most powerful of these techniques is the exploitation of CVE-2013-3660, which allows the threat to run code in kernel mode.

 figure1_8.png
Figure 1. The exploit’s payload code

The code shown in the previous image shows how the threat is able to assign itself the system process’ primary access token, giving the malware the same privileges as the user with the highest administrative rights. 

How Viknok infects computers
Depending on the privileges used to initially execute Viknok, the threat may try one or more of the previously mentioned techniques. The threat’s purpose is to infect the file rpcss.dll, so that the malicious code is executed every time Windows starts. The infection of this file merely provides a loader for the core of the malware itself, which is usually stored in an encrypted file in the %System% folder.

We tested several scenarios to verify Viknok’s infection capabilities, which have been summarized in the following image.

figure2a.png
Figure 2. Some common Viknok infection scenarios

There are several conditions that may affect the outcome of the infection process, such as if the threat is manually downloaded and run, if it is dropped through an exploit or if it is dropped by the browser or a browser plugin. The previous image does not exhaust all possibilities; however it shows configurations that are commonly found in user or corporate environments.

In many cases, the infection process is completely stealthy; the threat does not show any warning to the user. The malware is also difficult to detect since it does not show any suspicious running process, nor does it infect any of the standard load points. In some cases, the threat needs to show the User Account Control (UAC) prompt to the user in order to obtain the elevation of privileges. If the user does not grant the permission, the infection will fail. However, the threat uses system components to try and load its code for privilege elevation. As a result, the UAC prompt will look like it’s a part of normal system activity, as shown in the following image.

figure3_4.png
Figure 3. Example of UAC prompt

Payload & click-fraud activity    
As mentioned previously, attackers are currently using Viknok-infected computers to perform click-fraud activity. Attackers carry out this activity using malware detected by Symantec as Trojan.Vikadclick. Once Vikadclick is loaded by the Viknok-infected rpcss.dll file, it will periodically download commands from command-and-control (C&C) servers under the attackers’ control. These commands force the compromised computer to perform network activity related to Adclick fraud. 

As a result of Trojan.Viknok infections and the related Adclick fraud, unknowing victims have been experiencing random audio playback through their compromised computers. This is believed to be caused by Trojan.Vikadclick surreptitiously visiting Web pages in the background that contain streaming audio content. Our analysis has shown that Trojan.Vikadclick’s Adclick fraud content includes car insurance for teenagers, tickets to Paris and bulk domain name registration, to name a few. 

Prevalence 
Symantec telemetry shows that Viknok activity has increased considerably in the last six months, with Symantec detecting and remediating over 22,000 unique infections in April 2014. 

figure4_3.png
Figure 4. Growth in Viknok detections in the last 6 months.

From May 1 to May 6, Symantec telemetry shows that we have detected over 16,500 unique Viknok infections. The majority of the infections have been observed in the US. The number of Viknok detections for May 2014 is on track to reach the highest amount of infections of this malware recorded to date.  

figure5_2.png       
Figure 5. Heatmap for Viknok detections in May 2014 to date.

Protection 
Symantec protects users against Viknok under the following detection names:

Antivirus detections

The non-repairable infections are related to copies of legitimate infected dlls, which can be safely deleted without affecting the computer. 

Intrusion Prevention Signatures 

For the best possible protection, Symantec customers should use the latest Symantec technologies incorporated into our consumer and enterprise solutions. Finally, always keep computers up to date with the latest virus definitions and patches.

While still a relatively newcomer on the malware threat landscape, Trojan.Viknok has shown its ability to evolve and implement sophisticated infection techniques to circumvent operating system access control mechanisms. Its use of Adclick fraud to monetize the botnet shows that this form of fraud is still a popular mean of income for malware authors. The continued spike in Trojan.Viknok activity suggests that this threat looks to become a common player on the threat landscape, so Symantec will continue to monitor it closely. Symantec is continuing to investigate how this threat arrived on victims’ computers.

Covert Redirect ? OAuth ????????? Heartbleed ????

      No Comments on Covert Redirect ? OAuth ????????? Heartbleed ????

Heartbleed 脆弱性をめぐる騒動が一段落したかと思う間もなく、今度は「Covert Redirect(隠しリダイレクト)」と呼ばれるセキュリティ上の欠陥が見つかり、その報告がメディアを賑わしています。なかには「第二の Heartbleed」と称している報道もあるほどですが、Covert Redirect が実際に Heartbleed ほど深刻かというと、そんなことはありません。

「第二の Heartbleed」という言い方は正しいか

いいえ。これは、サービスプロバイダによる OAuth の実装で発見されたセキュリティ上の欠陥です。

Covert Redirect が Heartbleed ほど深刻でないのはなぜか

Heartbleed は OpenSSL に存在する深刻な脆弱性です。OpenSSL は暗号プロトコル SSL と TLS のオープンソース実装であり、50 万以上もの Web サイトで使われています。Heartbleed 脆弱性は、パッチ未適用のサーバーに要求を送信するだけで悪用できてしまいますが、Covert Redirect の場合、攻撃者は影響を受けやすいアプリケーションを見つけたうえで、ユーザーからの応答と許可を得る必要があります。

Covert Redirect とは

Covert Redirect はセキュリティ上の欠陥であり、脆弱性ではありません。狙われるのは、オープンリダイレクトの影響を受けやすいサードパーティ製クライアントです。

たとえば、攻撃者は影響を受けやすいサイトのアプリケーションを使って、密かにサービスプロバイダの API に要求を送信し、redirect_uri パラメータを改ざんすることができます。改ざんされた悪質な redirect_uri パラメータは、認証に成功するとユーザーを悪質なサイトにリダイレクトします。

標準的な要求: [プロバイダ]/dialog/oauth?redirect_uri=[影響を受けやすいサイト]&scope=email&client_id=123&response_type=token

悪質な要求: [プロバイダ]/dialog/oauth?redirect_uri=[影響を受けやすいサイト]/redirectKeepParams?w=1dpoa&url=[攻撃者のサイト]&scope=email&client_id=123&response_type=token

悪質な要求では、承認されたアプリケーションではなく、攻撃者がユーザーのアクセストークンを受信します。

OAuth とは

OAuth は、Web、モバイル、デスクトップの各アプリケーションから安全な認可を取得できるオープンプロトコルです。[Facebook でログイン]ボタンなどで OAuth を使うと、OAuth が認可メカニズムとして機能し、サードパーティ製アプリケーションでユーザーアカウントへのアクセス権を取得できるようになります。

ユーザーにとってどのようなリスクがあるか

この欠陥を悪用するには、ユーザーからの応答が必要です。アクセストークンを侵害するには、影響を受けやすいアプリケーションに対する許可をユーザーから付与される必要があります。許可が付与されてようやく、攻撃者はユーザーアカウントデータを取得して、さらに悪質な目的に利用できるようになります。

アプリケーション開発者にはどのような影響があるか

Web サイトでオープンリダイレクトが使われている場合、攻撃者はそのアプリケーションを Covert Redirect の標的とする可能性があるので、Web サイトでオープンリダイレクトを停止する必要があります。サービスプロバイダ各社も、アプリケーション開発者が OAuth リダイレクト URL のホワイトリストを作成することを推奨しています。

次の手順は

Covert Redirect は注意すべきセキュリティ上の欠陥ですが、Heartbleed と同レベルというわけではありません。アクセスを許可するアプリケーションは慎重に判断すべきであり、Covert Redirect はそのことを再認識する格好のきっかけとなりました。

パッチの公開は期待できません。それぞれの実装を保護して Covert Redirect の欠陥に効果的に対処するかどうかはサービスプロバイダ次第です。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Covert Redirect Flaw in OAuth is Not the Next Heartbleed

      No Comments on Covert Redirect Flaw in OAuth is Not the Next Heartbleed

Coming off the heels of the Heartbleed bug, a new report on a security flaw called “Covert Redirect” is garnering a lot of media attention—so much that some outlets are referring to it as the next Heartbleed. But is Covert Redirect as bad as Heartbleed? Definitely not.
 

Is this the next Heartbleed?

No, it is not. This is a security flaw in the implementation of OAuth by service providers.
 

Why is Covert Redirect not as bad as Heartbleed?

Heartbleed is a serious vulnerability within OpenSSL, an open source implementation of the SSL and TLS cryptographic protocols used by over a half a million websites. The Heartbleed vulnerability could be exploited just by issuing requests to unpatched servers. Covert Redirect, however, requires an attacker to find a susceptible application as well as acquire interaction and permissions from users.
 

What is Covert Redirect?

Covert Redirect is a security flaw, not a vulnerability. It takes advantage of third-party clients susceptible to an open redirect.

For example, an attacker could covertly issue a request to Facebook’s API using ESPN’s Facebook app and modify the redirect_uri parameter. The new modified redirect_uri parameter maliciously redirects users after they have successfully authenticated.

Standard Request: facebook.com/dialog/oauth?redirect_uri=espn.go.com&scope=email&client_id=123&response_type=token

Malicious Request: facebook.com/dialog/oauth?redirect_uri=m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoa&url=badsite.com&scope=email&client_id=123&response_type=token

In the case of a malicious request, the attacker receives the user’s access token, instead of the approved application.
 

What is OAuth?

OAuth is an open protocol to allow secure authorization from web, mobile and desktop applications. When using OAuth—like a “Login with Facebook” button—OAuth is the authorizing mechanism and enables third-party applications to obtain access to user accounts.
 

What is the risk to users?

For this flaw to be exploited, it requires interaction from users. A user would have to grant permissions to a susceptible application in order for the access token to be compromised. An attacker may then obtain user account data which could be used for further malicious purposes.
 

What is the impact to application developers?

If there is an open redirect on your website, an attacker could target your application for Covert Redirect. It is important to lock down open redirects on your website.
 

What is the next step?

While Covert Redirect is a notable security flaw, it is not on the same level as Heartbleed. Covert Redirect serves as a reminder to be careful about what applications you grant access to.

Do not expect a patch—it is up to the service providers to secure their own implementations to effectively address the Covert Redirect flaw.

As Snapchat Adds Native Chat Functionality, Expect Spammers to Adapt

      No Comments on As Snapchat Adds Native Chat Functionality, Expect Spammers to Adapt

Earlier today, photo-messaging application Snapchat unveiled new features that enable users to chat directly within the application, a frequently requested feature. The addition of this feature, while an improvement, provides the individuals responsible for Snapchat spam a new feature to play with in their efforts to target users of the service.

History of Snapchat Spam

Chat Snapchat 1.png

Figure 1. Previous iterations of porn and dating spam on Snapchat

We have written numerous blogs about the rise of Snapchat spam over the last six months. The common thread in each of these spam campaigns was that they were all hindered by the lack of chat functionality. This roadblock presented a challenge to spammers, which led to a common workaround. Each of the spam “snap” messages sent to users featured a caption that asked them to manually perform one of the following actions:

  • Add an attractive girl on Kik messenger
  • Visit a website intended to push diet spam
  • Inform them that they won a gift card or prize that could only be redeemed at an external website

Chat Snapchat 2.png

Figure 2. Previous iterations of diet spam on Snapchat

The Future of Snapchat Spam

Now that the chat functionality is native to Snapchat, spammers can remain within the application itself and tailor their spam to work with this new functionality in mind. They can start building chat bots that communicate directly with Snapchat users or find new ways to trick users into clicking on links.

Restrictions on Sharing Links

Chat Snapchat 3.png

Figure 3. Comparison of sharing links through Snapchat’s “Chat” feature

While spammers can send links within chat messages, the way they appear to the recipient can vary. For messages from non-friends, the links cannot be clicked on. For messages from friends, the links are active and clickable.

Understand that spammers are determined and will find ways to adapt. For instance, a spam campaign could begin with an initial photo message of a scantily clad woman that offers “sexier pictures” if a user adds them as friends to ensure that their links would be clickable as the campaign continues.

Review your privacy settings

Now would be a good time to review your Snapchat privacy settings and make sure that only your friends can send you snaps. Please note that even if you restrict who is allowed to send you snaps, you can still receive friend requests from spammers.

We’re keeping an eye out for new spam campaigns using this new feature and we think you should too. Tweet us @threatintel if you come across new Snapchat spam.

Vulnerabilidade de Dia-Zero do Internet Explorer está a Solta

      No Comments on Vulnerabilidade de Dia-Zero do Internet Explorer está a Solta

zero_day_IE_concept.png

A Symantec está ciente dos relatórios de vulnerabilidade de Dia Zero, Vulnerabilidade de Execução de Código Remoto para Microsoft Internet Explorer (CVE-2014-1776), que afeta todas as versões do Internet Explorer.

A Microsoft publicou um aviso de segurança sobre a vulnerabilidade no Internet Explorer, que está sendo utilizada em limitados ataques dirigidos. Atualmente não existe nenhum patch disponível para esta vulnerabilidade e a Microsoft, até o momento em que este texto foi escrito, não ofereceu uma data de divulgação desta correção.

Nossos testes confirmaram que a vulnerabilidade afeta o Internet Explorer do Windows XP. Esta é a primeira vulnerabilidade de Dia-Zero que não será corrigida para os usuários do Windows XP, pois a Microsoft encerrou o suporte deste sistema operacional em 8 de abril de 2014. No entanto, a Microsoft afirmou que o seu avançado kit de ferramentas de Mitigação (EMET) 4.1 e acima poderá mitigar essa vulnerabilidade do Internet Explorer que é suportado pelo Windows XP. Além de usar o EMET, a Symantec incentiva os usuários a mudarem temporariamente para um navegador da Web diferente até que uma correção seja disponibilizada pelo fornecedor.

Symantec protege os clientes contra este ataque, com as seguintes detecções:

Nós vamos atualizar este blog com mais informações assim que estiverem disponíveis.

Atualização – 28 de Abril

Com a finalidade de reduzir a Vulnerabilidade de Execução de Código Remoto para Microsoft Internet Explorer (CVE-2014-1776) , a Symantec ofrece as seguintes recomendações

A Microsoft declarou que versões do avançado kit de ferramentas de Mitigação (EMET) 4.1 e superiores podem atenuar essa vulnerabilidade no Internet Explorer. O kit de ferramentas está disponível para usuários do Windows XP também. Se a utilização do EMET não for uma opção, os usuários podem considerar como forma de reduzir o problema anulando o registro de um arquivo DLL chamado VGX.DLL. Este arquivo provê suporte para VML (Vector Markup Language) no navegador. Essa ação não é necessária para a maioria dos usuários. No entanto, ao anular o registro da Library qualquer aplicação que utilize DLL não funcionará de maneira apropriada. Igualmente, algumas aplicações potencialmente instaladas no sistema podem se registrar no DLL. Com isso em mente, a seguinte linha de instruções pode ser executada para tornar imune o sistema de ataques que tentem explorar esta vulnerabilidade. Esta linha de recomendações pode ser usada para todos os sistemas operativos afetados.

“%SystemRoot%\System32\regsvr32.exe” -u “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”

Nós também desenvolvemos um arquivo de lote que pode ser utilizado para executar a tarefa para aqueles que necessitem administrar grandes infra-estruturas de TI.

bat_icon.png

Nota: Os usuários terão de renomear o arquivo usando uma extensão .bat

O arquivo de lote tem a capacidade de verificar o estado atual do arquivo DLL e cancelar o registro da DLL, conforme necessário. O roteiro descrito no arquivo de lote é muito simples e pode ser usado como uma base para customizar o código para atender às necessidades de certos ambientes de sistema.

Apesar de nenhuma ferramenta especial ser necessária para atenuar essa vulnerabilidade, por favor note que as recomendações, como as fornecidas aqui, podem não ser as mesmas possíveis para vulnerabilidades futuras. Recomendamos que os sistemas operacionais não suportados, como o Windows XP, sejam substituídos por versões atualizadas, logo que possível.

Vulnerabilidad Día Cero de Internet Explorer Puesta al Descubierto

      No Comments on Vulnerabilidad Día Cero de Internet Explorer Puesta al Descubierto

zero_day_IE_concept.png

Symantec está al tanto de los reportes de la vulnerabilidad de Día Cero, Vulnerabilidad de Ejecución de Código Remoto para Microsoft Internet Explorer, que afecta todas las versiones de Internet Explorer.

Microsoft dio a conocer un aviso de seguridad referente a una vulnerabilidad en Internet Explorer que está siendo empleada en limitados ataques dirigidos. Actualmente no existe un parche disponible para esta vulnerabilidad y Microsoft, hasta el momento que este texto fue escrito, no ha proporcionado una fecha de lanzamiento para uno.

Nuestras pruebas confirman que la vulnerabilidad afectó Internet Explorer en Windows XP. Ésta es la primera vulnerabilidad de Día Cero que no será arreglada para los usuarios de Windows XP, pues Microsoft concluyó el soporte para este sistema operativo el pasado 8 de abril de 2014. Sin embargo, Microsoft informó que su Kit de herramientas de Experiencia de mitigación mejorada (EMET, por sus siglas en inglés) 4.1 y superior podrá mitigar esta vulnerabilidad de Internet Explorer y es compatible con Windows XP.

Symantec Security Response recomienda a los usuarios, adicionalmente al uso de EMET, cambiar temporalmente por un navegador diferente hasta que el parche se encuentre disponible por parte del proveedor. Symantec protege a sus clientes contra este ataque con las siguientes detecciones:

Mantendremos actualizado este blog con información adicional tan pronto esté disponible.

Actualización – 28 de abril de 2014

Con la finalidad de reducir la Vulnerabilidad de Ejecución de Código Remoto para Microsoft Internet Explorer (CVE-2014-1776), Symantec brinda las siguientes recomendaciones.

Microsoft declaró que las versiones del Kit de herramientas de Experiencia de mitigación mejorada (EMET, por sus siglas en inglés) 4.1 y superior podrá disminuir esta vulnerabilidad de Internet Explorer. El kit de herramientas también está disponible para los usuarios de Windows XP. Si el uso de EMET no es una alternativa, los usuarios pueden considerar reducir el problema anulando el registro a un archivo DLL llamado VGX.DLL. Este archivo provee soporte para VML (Vector Markup Language) en el navegador. Esto no es necesario para la mayoría de los usuarios. No obstante al anular el registro del library cualquier aplicación que utilice DLL no funcionará apropiadamente. Igualmente, algunas aplicaciones instaladas en el sistema potencialmente pueden regresar el registro al DLL. Con esto en mente, la siguiente línea de instrucciones puede ser ejecutada para volver inmune al sistema de ataques que intenten explotar la vulnerabilidad. Esta línea de instrucciones puede ser usada para todos los sistemas operativos afectados:

“%SystemRoot%\System32\regsvr32.exe” -u “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll”

También hemos desarrollado un archivo de lote que puede ser usado para llevar a cabo la tarea de aquellos que requieran administrar infraestructuras de TI más grandes.

bat_icon.png

Nota: Los usuarios necesitarán renombrar el archivo usando una extensión .bat

El archivo de lotes tiene la habilidad de verificar el estado actual del archivo DLL y de remover el registro de DLL como se requiere. La secuencia de comandos descrita en el lote de archivos es muy simple y se puede utilizar como base para personalizar el código y  adaptarse a las necesidades de ciertos entornos de sistema.

Aunque no son necesarias herramientas especiales en particular para mitigar esta vulnerabilidad, por favor tome en cuenta que las recomendaciones, como las proporcionadas aquí, pueden que no sean útiles para futuras vulnerabilidades. Recomendamos que los sistemas operativos sin soporte, como Windows XP, sean reemplazados por versiones con soporte tan pronto sea posible.

Hacking Facebook: Scammers Trick Users to Gain Likes and Followers

      No Comments on Hacking Facebook: Scammers Trick Users to Gain Likes and Followers

Late last week, Facebook users in India were tricked by scammers who were claiming to offer a tool that could hack Facebook in order to obtain passwords belonging to the users’ friends. Unfortunately for these users, they actually ended up hacking their own accounts for the scammers and exposed their friends in the process.

Figure1_11.png

Figure 1. Scam promoting how to hack your Facebook friends

Want to hack your friends?
A post began circulating on Facebook from a particular page featuring a video with instructions on “Facebook Hacking” with a disclaimer stating that it was for education purposes only. The post links to a document hosted on Google Drive that contains some code that, according to the scam, will allow users to reveal their friends’ Facebook passwords. The instructions attempt to convince the user to paste the code into their browser console window and asks them to wait two hours before the hack will supposedly work.

You just hacked yourself

Figure2_7.png

Figure 2. Facebook account hijacked to follow and like various pages

What really happens when you paste this code into your browser console window is that a series of actions are performed using your Facebook account without your knowledge. Behind the scenes, your account is used to follow lists and users, and give likes to pages in order to inflate the follower and like counts defined by the scammers.

Figure3_5.png

Figure 3. What does the Fox say? I have over 56,000 likes!

Your account is also used to tag the names of all your friends in the comment section of the original post. This is done to help the scam spread further, playing off the curiosity of your friends, who may visit the post to find out more and hopefully follow the instructions as well.

Figure4_6.png

Figure 4. User’s compromised account tags friends in the original scam post

What is this type of scam called?
This scam is a variation of a method known as self-XSS (self cross-site scripting), where a user is tricked into copying and pasting code into their browser’s console that will perform various actions on their behalf.

Facebook is trying to discourage users from unwittingly causing harm to their accounts through this method. Some users that attempt to paste code may receive a warning from within their browser’s developer console that points to the following link:

https://www.facebook.com/selfxss

Is this type of scam new?
This type of scam originally began circulating back in 2011. This current iteration has been around since at least the beginning of 2014.

The original scammers behind this iteration had great success with the scam at the beginning of this year, netting between 50,000 to 100,000 likes and followers on a number of pages and profiles. Some of the variable names in the code (mesaj and arkadaslar) suggest the authors are of Turkish descent.

Why is this affecting users in India?
For this campaign, the individuals responsible are based in India. They have modified the original authors’ code by simply adding their own pages and profiles into the script to increase their follower and like counts.

What to do if you have fallen for this scam
If your account has liked and followed a number of pages and profiles without your consent, you should review your activity log. From your activity log, you can locate, unlike and unfollow the pages and profiles associated with this scam.  You should also consider posting a status update notifying your friends about the scam to make sure they don’t fall for the same trick.

The opposite of ethical hacking

Figure5_3.png

Figure 5. Scammers label their efforts as “ethical hacking”

While investigating this scam, we found that the individuals behind it were publicly discussing their efforts. Speaking in Punjabi, one of the individuals summed it up by saying, “Now this is the way ethical hacking is happening.” However, these efforts couldn’t be further from the concept of ethical hacking.

A lesson learned
Always remember that if it sounds too good to be true, it is. Being able to hack someone’s Facebook password by just pasting some code into your browser sounds way too easy and should signal that this is a scam. At the end of the day, your account would be impacted and the safety of your account could be at risk. It’s best to err on the side of caution and think twice before following instructions that ask you to paste code into your browser to hack passwords or unlock features on a website.

Adobe ?? Flash Player ???????????????????????

      No Comments on Adobe ?? Flash Player ???????????????????????

Adobe 社は、Adobe Flash Player に存在するバッファオーバーフローの脆弱性(CVE-2014-0515)に対するセキュリティ情報を公開しました。この新しいセキュリティ情報 APSB14-13 によると、複数のプラットフォームで、さまざまバージョンの Adobe Flash Player に影響するバッファオーバーフローの脆弱性が存在します。攻撃者は、この深刻な脆弱性を悪用して、リモートから任意のコードを実行できる可能性があります。 Adobe 社では、この脆弱性がすでに悪用されていることを確認しています。さらに詳しい調査により、この脆弱性は標的型攻撃で悪用されていることがわかっています。

セキュリティ情報によれば、次のバージョンの Adobe Flash Player に脆弱性が存在します。

  • Windows 版の Adobe Flash Player 13.0.0.182 およびそれ以前のバージョン
  • Macintosh 版の Adobe Flash Player 13.0.0.201 およびそれ以前のバージョン
  • Linux 版の Adobe Flash Player 11.2.202.350 およびそれ以前のバージョン

シマンテックセキュリティレスポンスは、今後も継続して状況を監視し、この脆弱性に関する追加情報が確認でき次第お知らせいたします。また、脆弱性悪用の可能性を軽減するために、Adobe 社が提供しているパッチを適用することをお勧めします。更新プログラムを入手するには、Adobe Flash Player のダウンロードセンターに直接アクセスするか、またはインストール済みの製品で表示される更新確認を承諾してください。Chrome および Internet Explorer に付属の Flash Player は、それぞれのブラウザを更新することで、脆弱性の存在しないバージョンに更新できます。

 

更新情報 – 2014 年 4 月 29 日:
シマンテック製品をお使いのお客様は、以下の検出定義によってこの攻撃から保護されています。

ウイルス対策
Bloodhound.Flash.24

侵入防止システム
Web Attack: Adobe Flash Player CVE-2014-0515

Symantec.Cloud サービスをお使いのお客様も、この脆弱性を悪用した電子メール攻撃から保護されています。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。