Security

Flame worm – Iran claims to discover new Stuxnet-like malware

Published: May 28, 2012 Reading Time: 1 min

Naked Security wrote: The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted malware attack attacking the country, which has been dubbed Flame (also known as Flamer or Skywiper). In a statement, researchers say that they believe the malware is “a close relation” to Stuxnet, and claim that Flame is not detected by any of 43 anti-virus products it tested against, but that detection was issued to select Iranian organizations and companies at the beginning of May. ...

A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability

Published: May 25, 2012 Reading Time: 1 min

Microsoft Malware Protection Center wrote: Recently, we’ve seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability. The vulnerability related to this malware was addressed with a recent patch released by Adobe on May 4th. On the Windows platform, Flash Player 11.2.202.233 and earlier is vulnerable. If you’re using a vulnerable version, you need to update your Flash Player now to be protected against these attacks. We had a chance to analyze how the malware (sha1: e32d0545f85ef13ca0d8e24b76a447558614716c) works and here are the interesting details we found during the investigation. ...

Hackers use fake Facebook cancellation emails to deploy malware

Published: May 23, 2012 Reading Time: 2 min

H-Online: A new type of phishing strategy, which aims to trick unsuspecting users into installing a trojan by pretending to be an account cancellation request from Facebook, has been discovered by Sophos. The email messages link to a third party application on the site that will install a Java applet and then prompt the user to update their Flash player, but will actually deliver the trojan malware. The email messages that are sent out claim to be from Facebook and state: “We are sending you this email to inform you that we have received an account cancellation request from you.” However, Facebook never sends such account cancellation confirmation messages via email. Users who want to cancel their Facebook account can do so by visiting facebook.com/deactivate.php to deactivate their account; they may later delete it after a cool down period has passed. ...

Fake BBC Website Serves Exploits and Work From Home Offers

Published: May 21, 2012 Reading Time: 3 min

GFI wrote: In September, our friends at Sophos wrote about a fake BBC website offering up the “chance” to work from home for predictably large sums of money. No more than a day later, we were covering fake BBC video posts targeting Facebook users. Today we’re looking at a fake BBC URL which drops the end-user onto a “work from home and earn $10,000+ a month” fake news site, but not before it’s attempted to load up the PC with malware via a rather nasty collection of exploits. The URL in question is bbcmoneynews(dot)com: ...

PHP 5.4 Remote Exploit PoC in the wild

Published: May 19, 2012 Reading Time: 1 min

ISC Diary: There is a remote exploit in the wild for PHP 5.4.3 in Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The php engine needs to execute the malicious code, which can include any shellcode like the ones that bind a shell to a port. Since there is no patch available for this vulnerability yet, you might want to do the following: Block any file upload function in your php applications to avoid risks of exploit code execution. Use your IPS to filter known shellcodes like the ones included in metasploit. Keep PHP in the current available version, so you can know that you are not a possible target for any other vulnerability like CVE-2012-2336 registered at the beginning of the month. Use your HIPS to block any possible buffer overflow in your system. Source: http://isc.sans.edu

Call of Duty hacker jailed after meatspace burglary

Published: May 19, 2012 Reading Time: 2 min

theregister.co.uk wrote: A Brit who distributed a Trojan horse that posed as a patch for popular shoot-em-up game Call of Duty has been jailed for 18 months. Lewys Martin, 20, of Deal in Kent, used the malware to harvest bank login credentials, credit card details and internet passwords from the compromised Windows PCs of his victims. Martin then apparently laundered the credentials via underground cybercrime forums, earning $5 or less for every credential, directing proceeds of his criminal activity towards an offshore account in Costa Rica, funds which remain beyond the reach of UK police. ...

QuickTime for Windows update plugs security holes

Published: May 17, 2012 Reading Time: 1 min

The H-Online: Version 7.7.2 of QuickTime for Windows has been released to address a total of 17 security vulnerabilities in the media player. According to Apple, these include integer, stack and buffer overflows, as well as memory corruption issues, all of which could be exploited by an attacker to crash the application or execute arbitrary code on a victim’s system. For an attack to be successful, a user must first open a malicious web site or a specially crafted file. ...

RealPlayer update fixes security vulnerabilities

Published: May 17, 2012 Reading Time: 1 min

The H-Online: RealNetworks is warning users about multiple security vulnerabilities in its RealPlayer media player application for Windows; the company says that none of the now-fixed holes are known to have been used to compromise systems. The released update, version 15.0.4.53 of RealPlayer, closes three security holes. One hole is related to ASM RuleBook parsing that could be exploited by an attacker to remotely execute arbitrary code, another is a memory corruption problem related to MP4 file handling in the QuickTime plugin used by RealPlayer, and the third is a buffer overrun in the Media parser. ...

Microsoft Patch Tuesday more extensive than anticipated

Published: May 10, 2012 Reading Time: 2 min

The H-Online: As previously announced, Microsoft has released seven bulletins to close a total of 23 vulnerabilities on its May Patch Tuesday. The total number of bulletins belies the scope of the patches, however, as the combined update MS12-034 closes various holes in numerous products. The reason for this is a critical hole in the code for processing TrueType fonts that was exploited by the Duqu spyware last year. The hole was closed in the Windows kernel on the December Patch Tuesday; however, Microsoft has since used a code scanner to track down the vulnerable code in numerous other components; among them is the gdiplus.dll library, which is used by various browsers to render web fonts. ...

PHP patch quick but inadequate

Published: May 5, 2012 Reading Time: 2 min

The H-Online: The updates to PHP versions 5.3.12 and 5.4.2 released on Thursday do not fully resolve the vulnerability that was accidentally disclosed on Reddit, according to the discoverer of the flaw. The bug in the way CGI and PHP interact with each other leads to a situation where attackers can execute code on affected servers. The issue remained undiscovered for eight years. The best protection at present is offered by setting up filter rules on the web server. However, the RewriteRule workaround described on PHP.net is also, according to security expert Christopher Kunz, inadequate. He suggests a slightly modified form of the rule as an alternative. ...
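The mechanism behind the PHP-CGI bug described above (tracked as CVE-2012-1823) is the CGI argv rule from RFC 3875 section 4.4: when QUERY_STRING contains no unencoded "=", the web server splits it on "+" and URL-decodes each word into the script's argv, and php-cgi then parses that argv as command-line options. The following is an added example, not code from H-Online, PHP.net or Christopher Kunz; it models that argv construction in Python and compares two filter shapes against constructed query strings. The narrow pattern is reproduced from memory of the PHP.net workaround (treat its exact form as an assumption), and the broad rule is an assumed hardened form written for this example, not a quotation of Kunz's rule.

```python
import re
from urllib.parse import unquote

# RFC 3875 section 4.4: if QUERY_STRING has no unencoded "=", split it on
# "+" and URL-decode each word; that list becomes the CGI script's argv.
# php-cgi treats argv as interpreter options, so ?-s or
# ?-d+allow_url_include%3d1 arrive as "-s" / "-d allow_url_include=1".
def cgi_argv(query_string: str) -> list[str]:
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+")]

# Would php-cgi see any argv element it parses as an option?
def dangerous(query_string: str) -> bool:
    return any(arg.startswith("-") for arg in cgi_argv(query_string))

# Narrow filter anchored at the start of the query string (assumed shape of
# the published RewriteCond workaround; reproduced from memory).
NARROW = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

def narrow_rule_blocks(query_string: str) -> bool:
    return NARROW.search(query_string) is not None

# Broad filter: reject any "="-free query string containing a dash anywhere,
# encoded or literal. Assumed hardened form written for this example.
DASH = re.compile(r"%2d|-", re.IGNORECASE)

def broad_rule_blocks(query_string: str) -> bool:
    return "=" not in query_string and DASH.search(query_string) is not None

# Constructed sample query strings (not captured traffic).
SAMPLES = [
    "-s",                                   # print source
    "%2Ds",                                 # same, dash URL-encoded
    "foo+-s",                               # option is not the first argv word
    "-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input",
    "page=-1",                              # ordinary parameter, never argv
    "foo-bar",                              # dash inside a word, not an option
]

def evaluate(samples=SAMPLES):
    """Map query -> (php-cgi sees option?, narrow blocks?, broad blocks?)."""
    return {q: (dangerous(q), narrow_rule_blocks(q), broad_rule_blocks(q))
            for q in samples}

def narrow_rule_misses(samples=SAMPLES):
    """Queries php-cgi would parse as options that the narrow rule passes."""
    return [q for q in samples if dangerous(q) and not narrow_rule_blocks(q)]

if __name__ == "__main__":
    for q, (bad, narrow, broad) in evaluate().items():
        print(f"{q!r:64} argv={cgi_argv(q)!r} option={bad} "
              f"narrow={narrow} broad={broad}")
    print("missed by narrow rule:", narrow_rule_misses())
```

The run shows the trade-off behind the article's point: the anchored pattern lets "foo+-s" through even though php-cgi receives "-s" as its second argument, while the broad rule catches it at the cost of also rejecting an "="-free query such as "foo-bar" that contains no option at all. Whichever rule is deployed, the check must run against the raw (still percent-encoded) query string, because that is the form the server inspects for "=" before building argv.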
