NEWS - January 08, 2013

"Company expects to release patches on January 15"

Adobe Systems warned users of its ColdFusion application server software that hackers are reportedly exploiting unpatched vulnerabilities in the product to take control of affected servers.

The company published a security advisory on Friday regarding three critical vulnerabilities - identified as CVE-2013-0625, CVE-2013-0629 and CVE-2013-0631- that affect ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.

CVE-2013-0625 can be exploited to bypass authentication controls and take control of a ColdFusion server, CVE-2013-0629 can allow unauthorized users to access restricted directories on a vulnerable server and CVE-2013-0631 can result in information disclosure.

Continued : http://news.techworld.com/security/3418957/adobe-warns-of-actively-exploited-coldfusion-flaws/

Also: Adobe ColdFusion Exploits in Wild; Patch Remains Week Away

Yahoo has begun to catch up with the other webmail providers and is now offering HTTPS as an option on its service. Support for HTTPS has been requested for a long time by users of the system to help improve their privacy when accessing mail, especially over Wi-Fi connections; logging in with HTTPS previously redirected users to an HTTP based service. Now users can select Options->Mail Options and select "Turn On SSL"; this will ensure that HTTPS is enabled on their connection.

According to user feedback, the option appears to be being rolled out slowly and may not be available to all user accounts yet. Yahoo has made no official statement about the new option. The Electronic Frontier Foundation congratulated Yahoo on moving to fulfill a request that the EFF made in November to ensure SSL was available to users, especially those under repressive regimes where internet monitoring was common. The organisation is now looking at how to enable the Yahoo Mail SSL option automatically in its HTTPS Everywhere software.

http://www.h-online.com/security/news/item/Yahoo-adds-HTTPS-support-to-Yahoo-mail-1779175.html

In the movies, hackers work hard breaking into electronic networks to steal passwords. In the real world, they just politely ask for your credentials using a phishing website designed to look exactly like a valid financial website. If you log in to the fake website, you compromise your own security.

Fortunately, most popular browsers include some degree of antiphishing protection. Unfortunately, their effectiveness varies widely. AV-Comparatives just released the results of a test examining how well popular browsers detect and block these frauds.

I test antiphishing protection for my own security reviews by checking URLs that have been reported as fraudulent, but not yet verified. I check each one myself, using only those that are clearly fraudulent and clearly attempt to steal login credentials. I find that a significant majority of current security suites are less effective at phishing prevention than Internet Explorer 8 alone. However, Internet Explorer didn't come out on top in the AV-Comparatives study.

Testing Methodology

Continued : http://securitywatch.pcmag.com/none/306686-best-browser-for-blocking-fraud-opera

A developer calling himself 'clrokr' has found a way of bypassing the code integrity checking feature in Windows RT. Windows RT is the version of Windows 8 designed for tablets containing ARM processors. The bypass should enable users to run unsigned desktop applications on Surface tablets and other devices running Windows RT.

The developer ascribes the breakthrough to the thoroughness with which Microsoft has ported its operating system to the ARM platform. Functionally, he says, Windows RT has been implemented so cleanly that, deep in the kernel, the same byte is used to specify the minimum level for code signing as is used in the desktop version. Windows uses this byte to determine the quality of code signatures. Unsigned applications receive the lowest possible classification of 0. Microsoft signatures are classed as 8 and Windows components are classed as 12.

On x86 desktop machines, applications run with a minimum signing level of 0. Windows RT by contrast only accepts signatures with level 8 or above, that indicates signatures directly approved by Microsoft. This figure is stored directly in the kernel, where it cannot be changed. Once the system has loaded this value into memory, however, it can be modified there. To do so, clrokr used the remote debugger to hook into the active user's CSRSS process and then inject modified code. The Client/Server Runtime Subsystem is a core component of the Windows kernel.

Continued : http://www.h-online.com/security/news/item/Jailbreak-for-Windows-8-RT-1779083.html

Related: Windows RT hack? Don't sweat it, Microsoft says

The EU's cyber security agency ENISA has published the first Cyber Threat Landscape analysis of 2012, summarizing over 120 threat reports.

The report identifies and lists the top threats and their trends, and concludes that drive-by exploits have become the top web threat.

The report summaries 120 recent reports from 2011 and 2012 from the security industry, networks of excellence, standardization bodies and other independent parties, making the report the world's most comprehensive synthesis presently available.

The report provides an independent overview of observed threats and threat agents together with the current top threats, and emerging threats trends landscapes. Moreover, the Threat Landscape report analyses the "cyber enemy"; identifying and also listing the top ten (out of a total of sixteen) threats in emerging technology areas.

The identified top ten threats are:

Continued : http://www.net-security.org/secworld.php?id=14194

Also: Drive-by attacks, Trojans and code injection the biggest threats, says ENISA

A Romanian national was sentenced today to serve 21 months in prison for his role in an international, multimillion-dollar scheme to remotely hack into and steal payment card data from hundreds of U.S. merchants' computers, announced the U.S. Department of Justice.

Cezar Butu, 27, of Ploiesti, Romania, was sentenced by Judge Steven J. McAuliffe in U.S. District Court in New Hampshire.

On Sept. 17, 2012, Butu pleaded guilty to one count of conspiracy to commit access device fraud.

In his guilty plea, Butu admitted that, from approximately 2009-2011, he participated in a Romanian-based conspiracy to hack into hundreds of U.S.-based computers to steal credit, debit and payment account numbers and associated data (collectively "payment card data") that belonged to U.S. cardholders.

Continued : http://www.net-security.org/secworld.php?id=14197

Also: Romanian sentenced to 21 months over payment card hacks

In the process of creating a system which would allow Facebook users with compromised accounts to regain control of their accounts, the company managed to open a hole which could have allowed attackers to reset users' passwords without knowing their old password and, ironically, allowing them to compromise users' accounts. The flaw was reported to Facebook and closed through its White Hat disclosure page.

The problem, discovered by Sow Ching Shiong and documented on his blog, required that the user be logged in and visit the https: // www.facebook.com/hacked URL. This URL is apparently designed for users who still have an active session but believe their account has been compromised; accessing it without logging in sends the user to forms which ask them to establish their identity. If they are logged in, the user was redirected to https: // www.facebook.com/checkpoint/checkpointme?f=[userid]&r=web_hacked and on clicking "Continue" on that page asked to enter a new password. But, contrary to best practice, the form did not ask for their old password.

Continued : http://www.h-online.com/security/news/item/Facebook-password-reset-bug-closed-1779440.html

Related: Serious Flaw in Facebook Allows Arbitrary Account Hijacking

GFI Software released a collection of the most prevalent threat detections encountered last month. In December, GFI threat researchers found a handful of phony Google Play app markets hosting mobile Trojans as well as a number of spam email campaigns posing as messages from Amazon, PayPal and LinkedIn.

"Cybercriminals often make the effort to create phony websites and spam emails that appear authentic in order to increase the chances of catching users off guard and infecting their PCs," said Christopher Boyd, senior threat researcher at GFI Software.

"Over the past year, we have seen cybercriminals improve their ability to fabricate even more convincing sites that prey on users who rush into providing personally identifiable information or installing applications without completely investigating the legitimacy of the source. Users should be extra careful in every situation by taking the time to look at URLs and manually navigating to the sites that they want to visit," Boyd added.

Continued : http://www.net-security.org/malware_news.php?id=2370