
NEWS - March 31, 2010

by Carol~ Forum moderator / March 31, 2010 1:59 AM PDT
PDF exploit requires no specific security hole to function

Bad news: PDF security specialist Didier Stevens has developed a PDF document which is capable of infecting a PC, without exploiting a specific vulnerability. The demo exploit works both in Adobe Reader and in Foxit. Stevens says he used the "Launch Actions/Launch File" option, which can even start scripts and EXE files that are embedded in the PDF document. This option is part of the PDF specification.

Although Adobe Reader asks users to agree to the execution of the file, this dialogue can be designed in such a way that users have no idea they may be allowing an infection into their systems. The Foxit reader doesn't even provide a warning. The Sumatra PDF reader is said to be unaffected.

Stevens intends to keep his PDF document with the embedded code under wraps until the vendors respond. However, he has provided a document (direct download) which launches the command prompt when the PDF file is opened. When tested by the heise Security team, this worked under Windows 7 with the current versions of Adobe Reader and Foxit. In principle, this concept is also said to be suitable for starting an FTP transfer to download and start a trojan.

Continued here: http://www.h-online.com/security/news/item/PDF-exploit-requires-no-specific-security-hole-to-function-968140.html
Spam Site Registrations Flee China for Russia
by Carol~ Forum moderator / March 31, 2010 2:07 AM PDT
In reply to: NEWS - March 31, 2010

A crackdown by the Chinese government on anonymous domain name registrations has chased spammers from Chinese registrars (.cn) to those that handle the registration of Russian (.ru) Web site names, new spam figures suggest. Yet, those spammy domains may soon migrate to yet another country, as Russia is set to enforce a policy similar to China's beginning April 1.

In mid-December 2009, the China Internet Network Information Center (CNNIC) announced that it was instituting steps to make it much harder to register a Web site anonymously in China, by barring individuals from registering domains ending in .cn. Under the new policy, those who want to register a new .cn domain name need to hand in written application forms, complete with a business license and an identity card.

Chinese authorities called the move a crackdown on phishing and pornographic Web sites, but human rights and privacy groups marked it as yet another effort by Chinese leaders to maintain tight control over their corner of the Internet. Nevertheless, the policy clearly caught the attention of the world's most profligate spammers, who spam experts say could always count on Chinese registrars as a cheap and reliable place to buy domains for Web sites that would later be advertised in junk e-mail.

Continued here: http://www.krebsonsecurity.com/2010/03/spam-site-registrations-flee-china-for-russia/

Technical paper: SEO poisoning attacks
by Carol~ Forum moderator / March 31, 2010 2:07 AM PDT
In reply to: NEWS - March 31, 2010

From SophosLabs Blog:

Regular readers will have seen numerous recent SophosLabs blogs describing how attackers are poisoning search engine results in order to hit victims with malware [1,2,3,4]. In recent months, these types of Search Engine Optimisation (SEO) attacks have become a route through which fake anti-virus malware is being distributed [5].

One thing common to the attacks is that the SEO pages are hosted within legitimate sites. This makes it harder for the search engines to identify the rogue pages, and exclude them from search results. It also lets the SEO pages piggyback on the reputation of that host site, which may help boost the search engine ranking. As an example, the map below shows the global distribution of sites that SophosLabs have seen over the last week which are (unknowingly) hosting one specific SEO attack. [...]

As you can see, in this case the problem is not limited to a single hosting provider. Sites hosted by numerous hosting providers have been compromised, and are being used to host the SEO pages that lure victims to malware.

Continued here: http://www.sophos.com/blogs/sophoslabs/?p=9264

Mozilla updates Thunderbird, SeaMonkey and older FF browsers
by Carol~ Forum moderator / March 31, 2010 2:07 AM PDT
In reply to: NEWS - March 31, 2010
Mozilla has announced the release of updates for its Thunderbird email client, the SeaMonkey "all-in-one internet application suite" and older versions of its Firefox web browser. In addition to the usual bug fixes, all of the updates address several security vulnerabilities, many of them rated as critical.

Less than two years after its initial release, Mozilla has issued version 3.0.19 of Firefox, the last security and stability update to the 3.0.x branch. Mozilla had originally planned to discontinue support for Firefox 3.0 in January of this year; however, delays in releasing Firefox 3.6 extended its life for a few more months. On top of stability improvements, Firefox 3.0.19 fixes several security issues found in previous versions of the end-of-life legacy browser. Details of the security updates in version 3.0.19, however, have yet to be posted to Mozilla's Security Center site.

Alongside version 3.0.19, the Mozilla developers also announced the release of Firefox 3.5.9. The update corrects a total of eight vulnerabilities, five of them rated by Mozilla as critical. These include a privilege escalation to dangling pointer vulnerabilities and a memory corruption issue that could lead to the execution of arbitrary code on a user's system. The Firefox 3.5.x branch will continue to receive security and stability updates until August 2010, although the developers strongly encourage users to upgrade to the latest Firefox 3.6 release.

Continued here: http://www.h-online.com/security/news/item/Mozilla-updates-Thunderbird-SeaMonkey-and-older-Firefox-browsers-968158.html

Additional Information in Vulnerabilities & Fixes Thread:
Mozilla SeaMonkey Multiple Vulnerabilities
Mozilla Thunderbird Multiple Vulnerabilities
Mozilla Firefox Multiple Vulnerabilities
Mozilla Firefox Multiple Vulnerabilities (2)
Google frets over Vietnam hacktivist botnet
by Carol~ Forum moderator / March 31, 2010 2:27 AM PDT
In reply to: NEWS - March 31, 2010

Hackers used malware to establish a botnet in Vietnam as part of an apparently politically motivated attack with loose ties to the Operation Aurora attacks that hit Google and many other blue chip firms late last year, according to new research from McAfee and Google.

Unknown miscreants used malware disguised as Vietnamese language support software to create a botnet. The malware masqueraded as a VPSKeys keyboard driver software and was discovered in computers inside a subset of the organisations hit by Aurora. Infected systems were controlled by command and control systems accessed predominantly from IP addresses inside Vietnam.

Continued here: http://www.theregister.co.uk/2010/03/31/vietnam_botnet/

At the Google Online Security Blog: The Chilling Effects of Malware

Facebook bug exposes private emails
by Carol~ Forum moderator / March 31, 2010 2:27 AM PDT
In reply to: NEWS - March 31, 2010

"Addresses were visible for up to 30 minutes"

Facebook has been hit by another privacy scandal after an apparent technical glitch led to the site disclosing the private email addresses of its users.

The privacy mishap, which according to reports lasted for half an hour yesterday, was discussed by angry users on Twitter.

"Last night during Facebook's regular code push, a bug caused hidden email addresses to be visible briefly," said a Facebook spokesman.

Although Facebook maintained that the bug was noticed and corrected within minutes, this was not quick enough for some eagle-eyed users, who warned others via Twitter.

"Everyone's email addresses are now visible on Facebook, even those of people who are not your friends," said Twitter user atakan.

"Check your Facebook profile your email will be exposed to the public. There is no privacy settings to hide your email," said another Tweet by isatwhoville.

Continued here: http://www.v3.co.uk/v3/news/2260541/facebook-bug-discloses-private

Yahoo targeted in China cyber attacks
by Carol~ Forum moderator / March 31, 2010 2:27 AM PDT
In reply to: NEWS - March 31, 2010

The Yahoo e-mail accounts of foreign journalists based in China and Taiwan have been hacked, according to a Beijing-based press association.

Rival Google has been involved in a high-profile row with the Chinese government following similar cyber-attacks against Gmail accounts.

The Foreign Correspondents' Club of China (FCCC) has confirmed eight cases of Yahoo e-mail hacks in recent weeks.

Yahoo said it condemned such cyber-attacks.

But the FCCC accused Yahoo of failing to update users about the situation.

"Yahoo has not answered the FCCC's questions about the attacks, nor has it told individual mail users how the accounts were accessed," a spokesman told the news agency.

Continued here: http://news.bbc.co.uk/2/hi/technology/8596410.stm

Also: China cyber attack targets journalists

Spike in File Infectors Highlight Continuing Threat
by Carol~ Forum moderator / March 31, 2010 2:52 AM PDT
In reply to: NEWS - March 31, 2010

From the TrendLabs Malware Blog:

In the past week, TrendLabs noticed a significant growth in the number of file infectors in the wild, particularly in Latin America. A significant increase in PE_SALITY.BA cases was particularly spotted in the region. A rise in VIRUX variants, particularly PE_VIRUX.R, was also spotted at around the same time.

File infectors are not a new threat nor do they have the notoriety of much-talked-about threats like ZBOT, KOOBFACE, and FAKEAV. However, this does not make them any less of a problem, particularly for enterprise users. In addition, these attacks are growing in sophistication as well.

According to TrendLabs' Escalation Team, previous versions of SALITY file infectors such as PE_SALITY.SA used simpler encryption techniques. In particular, they used only one layer of encryption, making analysis a simpler affair by looking at sections of the file that have only zeroes as shown in Figure 1. [...]

Continued here: http://blog.trendmicro.com/spike-in-file-infectors-highlight-continuing-threat/

From the Kaspersky Lab Weblog: A new version of Sality at large

Java 6 Update 19 closes 26 security holes
by Carol~ Forum moderator / March 31, 2010 2:52 AM PDT
In reply to: NEWS - March 31, 2010

Security updates for Java SE and Java for Business have been released as Java 6 Update 19. The novel part of this announcement is that, for the first time since the Oracle acquisition of Sun, the advisory appears as an Oracle Critical Patch Update (CPU). The change in format makes the advisory much easier to read and includes ratings on the Common Vulnerability Scoring System (CVSS), making it easier to assess how critical a vulnerability is and what priority should be given to closing the problem.

The holes include buffer overflows within the Java Runtime Environment (JRE) in ImageIO, Java 2D, WebStart, the Java plug-in from browsers, sound and in the HotSpot server. The issues affect Java 6 update 16, Java 5.0 update 23, Java 1.4.2_25 and Java 1.3.1_27.

Continued here: http://www.h-online.com/security/news/item/Java-6-Update-19-closes-26-security-holes-967976.html

From Vulnerabilities & Fixes: Sun Java JDK / JRE Multiple Vulnerabilities
From Updates Thread: Java Runtime Environment (JRE) 6 Update 19

I've just read this elsewhere myself.
by MarkFlax Forum moderator / March 31, 2010 6:14 AM PDT
In reply to: NEWS - March 31, 2010

Scary!

Mark

Is "this" scary thing you read about elsewhere..
by Carol~ Forum moderator / March 31, 2010 6:44 AM PDT

titled _______?

Of the above 9 items, my guess would be the "PDF exploit". Most of the news I post, I find scary. Even if it's only about 26 security holes in Java.

It's why I ask.

Carol

And speaking of PDF.... Does PDF stand for Problematic Document Format?

Ohh yes!
by MarkFlax Forum moderator / March 31, 2010 6:49 AM PDT

Stupid of me Carol!

I meant the PDF exploit, that isn't a vulnerability exploit.

Ouch, I read that article about specifications for the PDF file format. I begin to understand why PDF readers are scary.

I wish you hadn't shown me that.

Mark

PDF Arbitrary Code Execution - vulnerable by design.
by Carol~ Forum moderator / March 31, 2010 8:52 AM PDT

Didier Stevens, who probably knows the PDF format better than most and has written some great PDF analysis tools, published a very interesting and concerning blog post.

In this post, he outlines how PDFs can be used to execute code. Nothing new you may say... plenty of exploits have done this in the past. This is different: He is not using a vulnerability, but a feature. Evidently, PDFs have the ability to execute code by design. Since this is not an implementation, but a design problem, various PDF readers are vulnerable. In his blog, Didier shows a video of the exploit using Adobe's PDF reader. Adobe's reader will show a warning and ask the user for permission. However, the wording of this warning may be changed by the attacker. Foxit, a popular alternative to Adobe's reader, will show no warning.

At this point, Didier does not provide a public PoC exploit. However, he says he is in contact with vendors.

Continued here: http://isc.sans.org/diary.html?storyid=8545

From Didier Stevens:
Escape From PDF
Escape From Foxit Reader
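Since the Launch action is a legal part of the PDF format rather than a parser bug, a reader will happily accept it; the defensive move is to flag documents whose open-time action chain reaches /Launch. The scanner below is an added example for this thread, not Didier Stevens' tools or his PoC; the sample PDFs are constructed inline and the launch target is a placeholder name.

```python
import re

# Names worth flagging: /Launch is the spec feature discussed above; the
# others are the usual ways an action gets wired to run when a file opens.
SUSPICIOUS_NAMES = (b"/Launch", b"/OpenAction", b"/AA",
                    b"/JavaScript", b"/JS", b"/EmbeddedFile")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
REF_RE = re.compile(rb"(\d+)\s+\d+\s+R")


def normalise_names(data: bytes) -> bytes:
    """PDF allows hex escapes in names (/#4Caunch == /Launch); undo them so
    the checks below see the real name. Applied to the whole file, which is
    fine for a scanner but would corrupt binary streams if written back."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def parse_objects(data: bytes) -> dict:
    """Map object number -> raw body. Handles plain uncompressed objects only;
    objects packed inside object streams need a real PDF parser."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def name_counts(data: bytes) -> dict:
    """Count each suspicious name token (boundary check so /JS != /JSX)."""
    return {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", data))
            for n in SUSPICIOUS_NAMES}


def launch_on_open(data: bytes) -> bool:
    """True if the catalog's /OpenAction resolves (through references and
    /Next chains) to a /Launch action, i.e. something runs as soon as the
    document is opened rather than after a click."""
    objs = parse_objects(data)
    m = re.search(rb"/OpenAction\s*(\d+\s+\d+\s+R|<<.*?>>)", data, re.S)
    if not m:
        return False
    target, seen = m.group(1), set()
    while True:
        ref = REF_RE.fullmatch(target.strip())
        if ref:
            num = int(ref.group(1))
            if num in seen or num not in objs:   # dangling or cyclic reference
                return False
            seen.add(num)
            target = objs[num]
        if re.search(rb"/S\s*/Launch(?![A-Za-z])", target):
            return True
        nxt = re.search(rb"/Next\s*(\d+\s+\d+\s+R)", target)
        if not nxt:
            return False
        target = nxt.group(1)


def scan(data: bytes) -> dict:
    """Combined verdict for one PDF's bytes."""
    data = normalise_names(data)
    return {"counts": name_counts(data), "launch_on_open": launch_on_open(data)}


# Constructed samples (not real malware): a benign one-page file, the same
# file with an open-time Launch action pointing at a placeholder, and a
# variant that hides the action name behind a hex escape.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
trailer << /Root 1 0 R >>
%%EOF"""
LAUNCH_PDF = BENIGN_PDF.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 4 0 R >>").replace(
    b"trailer", b"4 0 obj << /S /Launch /Win << /F (placeholder.exe) >> >> endobj\ntrailer")
OBFUSCATED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/#4Caunch")
```

A raw string match alone misses the hex-escaped variant, which is why the scan normalises names first; the open-action check then separates "launch on open" from a Launch action that only fires on a click.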

Email Vampires Claim to Protect Your Privacy
by Carol~ Forum moderator / March 31, 2010 7:10 AM PDT
In reply to: NEWS - March 31, 2010

Keeping personal information private on the Internet is always a concern for computer users. In a new spam tactic, spammers seem keen to bring disrepute to social networking sites and Webmail services by introducing fear, uncertainty, and doubt regarding the security of private online data.

In this spam attack, spammers allege that social networking and Webmail service providers are spying on and reading every email that users send and this can seriously impact use, privacy, and safety. Spammers are targeting human emotions, such as concern for children's safety and personal online security. The spam message states that a privacy protection service will help users keep social networking and email accounts from being spied on.

Sample email: [...]

The so-called "privacy protectors" claim to give subscribers audio updates about the privacy invaders. To protect the privacy of personal information such as email, videos, photos, etc., spammers ask users to subscribe to their service. After clicking the subscribe link, the user is asked to make the payment: [...]

Continued here: http://www.symantec.com/connect/blogs/email-vampires-claim-protect-your-privacy

Persistent Domain-Renewal Scam Alive and Kicking
by Carol~ Forum moderator / March 31, 2010 7:10 AM PDT
In reply to: NEWS - March 31, 2010

From the McAfee Labs Blog:

A friend of mine forwarded a suspicious email message recently. I've replaced the domain, order number, etc. below:
----------
From: Customer Support <support@droa.com>
Subject: Order Confirmation for <domain>, Order ######

To <registered domain holder>,

Thank you for registering/renewing the following domains with the Domain Registry of America, America's fastest growing Domain Registrar.
We take pride in offering you superior customer service and competitive pricing.

*******************************************************
Order Information
*******************************************************
<domain> renewal/transfering
The order number for <domain> is #####.

*******************************************************
Payment Information
*******************************************************
Your check ##### for $30.00 has been received.

Domain Registry of America
support@droa.com

----------
I validated for my friend that the email was bogus. The domain was not held by Domain Registry of America (DROA), and never had been. The domain was not expiring in the next 90 days.

Later he received a follow-up email: [...]

Continued here: http://www.avertlabs.com/research/blog/index.php/2010/03/30/persistent-domain-renewal-scam-alive-and-kicking/

QuickTime update patches 16 vulnerabilities
by Carol~ Forum moderator / March 31, 2010 7:45 AM PDT
In reply to: NEWS - March 31, 2010

Apple has released version 7.6.6 of its QuickTime multimedia player. The update closes a total of 16 critical vulnerabilities, all of which could be used by an attacker to inject and execute arbitrary code with the user's current privileges. According to Apple, for an attack to be successful a user need only open a manipulated image, audio or video file. It is also sufficient to visit a specially crafted web page.

All users are advised to update as soon as possible. QuickTime 7.6.6 is available to download for Windows XP SP2, Vista, Windows 7 and Mac OS X 10.5.8. The QuickTime vulnerabilities for Snow Leopard were already fixed in yesterday's 10.6.3 update for Mac OS X.

Continued here: http://www.h-online.com/security/news/item/QuickTime-update-patches-16-vulnerabilities-968472.html

In Vulnerabilities & Fixes thread: Apple QuickTime Multiple Vulnerabilities

Millions in China have no antivirus software, survey shows
by Carol~ Forum moderator / March 31, 2010 8:52 AM PDT
In reply to: NEWS - March 31, 2010

"The number of Chinese Internet users without security software rose in 2009"

The massive number of Chinese Internet users running no antivirus software increased last year, a survey showed, even though online security risks continued to multiply in the country.

The percentage of Internet users in China with no security software was 4.4 percent last year, up from 3.9 percent the previous year, according to survey results released late Tuesday by the China Internet Network Information Center (CNNIC) and China's National Computer Network Emergency Response Technical Team (CNCERT).

CNNIC estimates that 384 million people in China used the Internet in the second half of last year. By that calculation, the number of people in the country surfing the Internet with no antivirus software was nearly 17 million, representing a huge pool of PCs that attackers could easily infect and use for malicious ends.

Continued here: http://www.computerworld.com.au/article/341621/millions_china_no_antivirus_software_survey_shows/

Mozilla to Fix CSS History Leak Soon
by Carol~ Forum moderator / March 31, 2010 8:53 AM PDT
In reply to: NEWS - March 31, 2010

The developers at Mozilla soon will be adding a new privacy enhancement to the Firefox browser that will help prevent attackers and the operators of third-party Web sites from seeing which other sites a user has visited.

The technology is meant to address one of the older privacy problems on the Web, namely the fact that Web sites can see which links a user has visited. On most sites, any link that a user clicks on will turn a different color after the user clicks. This was designed as a convenience for Web users, enabling them to see where they'd gone on a given site.

However, the JavaScript function that carries out that operation behind the scenes allows other sites to see which links a user has followed, which is not optimal for privacy. So Mozilla officials are planning to implement a change that will make all links appear as though they're unvisited, regardless of the reality.

Continued here: http://threatpost.com/en_us/blogs/mozilla-fix-css-history-leak-soon-033110

Microsoft runs fuzzing botnet, finds 1,800 Office bugs
by Carol~ Forum moderator / March 31, 2010 8:53 AM PDT
In reply to: NEWS - March 31, 2010

"Finds, fixes huge number of Office 2010 bugs by tapping idle company PCs"

Microsoft uncovered more than 1,800 bugs in Office 2010 by tapping into the unused computing horsepower of idling PCs, a company security engineer said today.

Office developers found the bugs by running millions of "fuzzing" tests, said Tom Gallagher, senior security test lead with Microsoft's Trustworthy Computing group.

Fuzzing, a practice employed by both software developers and security researchers, searches for flaws by inserting data into file format parsers to see where programs fail by crashing. Because some crash bugs can be further exploited to successfully hack software, allowing an attacker to insert malicious code, fuzzing is of great interest to both legitimate and criminal researchers looking for security vulnerabilities.

Continued here: http://www.computerworld.com/s/article/9174539/Microsoft_runs_fuzzing_botnet_finds_1_800_Office_bugs
