NEWS - September 20, 2012

Microsoft Will Patch IE Zero-Day on Friday; Fixit Available as Stopgap

Microsoft announced last night it would issue an out-of-band patch on Friday for a zero-day Internet Explorer vulnerability disclosed earlier this week. In the meantime, Microsoft made a FixIt available on Wednesday that would temporarily mitigate the threat posed by active exploits found in the wild.

The out-of-band patch will be available by 1 p.m. ET on Friday, said Yunsun Wee, director of Trustworthy Computing for Microsoft.

This has been a fluid story this week, starting with discovery of exploits for a previously unknown use-after-free memory corruption vulnerability in versions 6-9 of the browser. Soon thereafter, three more exploits were found and were tied to a hacker group in China known as Nitro, the same group responsible for exploits of two zero-day Java flaws disclosed three weeks ago.

"Earlier this week, an issue impacting Internet Explorer affected a small number of customers. The potential exists, however, that more customers could be affected," Wee said in a post on the Microsoft Security Response Center blog.

Continued :

Microsoft Issues Stopgap Fix for IE 0-Day Flaw
Microsoft Releases Fix It Tool for IE Security Flaw
Microsoft issues Fix-it tool for critical IE security hole

See: Microsoft Out of Band Advance Notice | Fix it Solution
Apple closes numerous security holes with iOS 6

With the release of iOS 6.0, Apple not only delivers several new features to the mobile operating system but also closes an impressive number of security vulnerabilities. The major update deals with a list of almost 200 CVE items, some of which each apply to several vulnerabilities.

The problems grant hackers almost free rein: they range from a hole that lets attackers circumvent the passcode on the lock screen, to the ability to fake text message sender information, and to code injection through specially prepared web sites or media files. For many of the exploits, Apple provides short one or two sentence explanations of their outcomes.

However, Apple does not provide information about one important vulnerability, even though it is actually quite dangerous. Caused by an error in the way the operating system parses some configuration files, the hole allows attackers to pretend an important system update is available for the user's device. This update appears to be signed by Apple or the user's mobile carrier, when in fact it is completely fake. If the user installs the so-called "update", the malicious configuration file is able to change critical system settings.

Continued :

See Vulnerabilities & Fixes : Apple iOS Multiple Vulnerabilities

Sophos antivirus glitch causes false positive chaos

Security firm Sophos has had to issue an embarrassing apology after the company's antivirus program suddenly started classifying every and any software update - including the company's own - as 'Shh/Updater-B' malware.

The issue became apparent on Wednesday morning when the firm's support forums were deluged with reports from customers that the software was generating large numbers of false positives for legitimate programs including Java, Adobe Reader, Microsoft and Google. [Screenshot]

"I've just started seeing this reported from all of my workstations; scads of emails. The Sophos tech support number is giving a 'fast busy' signal, as everyone calls to ask wtf?," wrote one annoyed admin.

"We had roughly 40% "infection" rate here in about a ten minute span of time... a few hundred machines...," added another.

The company's support forum reports eventually ran to several dozen pages of comments on the same theme: large numbers of malware reports with no easy way to stop them coming.

False positives hit all antivirus programs from time to time but in this case it appears that because the program was also quarantining its own remote update many users were unable to rectify the problem.

Continued :

From Sophos: Shh/Updater-B false positive by Sophos anti-virus products

Bank group warns of heightened risk of cyber attacks

A financial services industry group warned U.S. banks, brokerages and insurers on Wednesday to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public websites.

The Financial Services Information Sharing and Analysis Center, which is widely known as FS-ISAC, raised the cyber threat level to "high" from "elevated" in an advisory to members, citing "recent credible intelligence regarding the potential" for cyber attacks as its reason for the move.

The problems with the websites at the two banks came after an unidentified person posted a statement on the Internet threatening to attack Bank of America and the New York Stock Exchange as a "first step" in a campaign against U.S. companies. The posting said the attacks would continue until the film that had stirred up anti-U.S. protests across the Middle East was "erased" from the Internet.

It was not possible to identify the person who posted the statement. Nor was it clear if the threat had anything to do with the issues at either of the two banks.

Dan Holden, director of security research at Arbor Networks, said that several U.S. banks were under assault by a distributed denial of service (DDoS) campaign. He declined to identify them by name.

Continued :

EuSecWest 2012: That thing in your pocket

Ryan Naraine @ the Kaspersky Lab Weblog:

As part of my job monitoring security threats and trends for Kaspersky Lab's global research team, I'm exposed to a healthy dose of paranoia from white hat researchers who find it trivial to hack into modern operating systems and platforms.

After a few days of hanging out in the hallways with exploit writers, I find myself clutching my laptop to my chest a little tighter and constantly peeking at my mobile phone to make sure nothing out of the ordinary is happening.

None of this paranoia is misplaced. Just pay attention to the lessons from the Pwn2Own challenges organized by the CanSecWest / EuSecWest folks (shout-out to Dragos Ruiu for putting together top-notch events) and you get a real-world understanding of why it's near impossible to keep away a motivated adversary.

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.

For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.

Continued :

Related: Mobile Pwn2Own: iPhone 4S hacked by Dutch team

Twitter Video Facebook App: Rogue DMs, Fake Flash Umbra Loaders

From the GFI Labs Blog:

A Facebook app page has been doing the rounds on Twitter recently, with Direct Messages being sent to other Twitter users bearing the message "lol ur famous now" and a link to the app page. The link included the word "FailVids", and if there's one thing likely to make a panicked user click on things it's the suggestion they're fail-vidding all over the place. [Screenshot]

Clicking the link would bring end-users to the following app page: [Screenshot]

Uh oh.

As you can probably imagine, entering your login details here would not log the end-user into Twitter, but rather provide the people behind the scam with the ability to send more fake "oh dear, what have you been up to" style messages via Twitter DMs (this kind of linkbait is fairly common on Twitter but here's a few that have been bouncing around since the start of September).

After hitting the Sign In button and handing away their login credentials, the end-user would then be taken to the following website, woot(dot)tweetelf(dot)info: [Screenshot]

Continued :
Attack Easily Cracks Oracle Database Passwords

"Oracle's software update for the flaw doesn't protect all versions of the database"

A researcher tomorrow will demonstrate a proof-of-concept attack that lets outside attackers and malicious insiders surreptitiously crack passwords for Oracle databases with a basic brute-force attack.

Esteban Martinez Fayo, a researcher with AppSec Inc., will show at the Ekoparty security conference in Buenos Aires, Argentina, an attack exploiting cryptographic flaws he discovered in Oracle's database authentication protocol. It lets an attacker without any database credentials brute-force hack the password hash of any database user so he then can get to the data.

Martinez Fayo and his team first reported the bugs to Oracle in May 2010. Oracle fixed it in mid-2011 via the patch set, issuing a new version of the protocol. "But they never fixed the current version, so the current 11.1 and 11.2 versions are still vulnerable," Martinez Fayo says, and Oracle has no plans to fix the flaws for version 11.1.

That leaves those database users at risk of what Martinez Fayo says is a fairly simple -- yet potentially devastating -- attack against the so-called stealth password cracking vulnerability. "It's pretty simple. The attacker just needs to know a valid username in the database, and the database name. That's it," he says.

Continued :
