Vulnerability

On Twitter a new security flaw gets currently exploited. Hackers found a way to inject malicious JavaScript code into tweets with the onMouseOver event. This can lead to pop-ups appearing, redirecting to websites, re-tweeting spam, or even worse things like cookie stealing (compromising the user accounts). The problem is that Twitter doesn’t properly filter out some tags in tweets. Users should be very cautious when seeing colored text blocks (background and text colors are the same, called “rainbow tweets”) – these are currently mostly used to exploit the security vulnerability. Hopefully, Twitter closes the security hole soon! Until then, using the NoScript web browser extension or disabling JavaScript on Twitter helps against the attack. Also, using twitter applications which rely upon the Twitter API aren’t affected. ...

Adobe fixed the vulnerability in Flash Player in a record time again. Just one week after the 0-day became public and started to get exploited, an update is available to close the security hole. Even though Adobe Reader and Acrobat are affected (which are supposed to get an update in 2 weeks), until now we’ve only seen exploits against the Windows Flash Player. ...

One unique security feature of Android is the permission check when installing 3rd party apps. The system lists all permissions that an app requires and asks the user to check if that’s alright. Such permissions are the ability to receive your location, send or receive text messages, internet access, phone calls and many more. The user can be sure that the app is not doing any of such activities without the appropriate permission. In case the developer forgets to add a particular permission then the operating system will simply block the corresponding function which leads to a “Force Close”, which means the app will be terminated. ...

A malicious PDF file has turned up which exploits a new security vulnerability in Adobe Reader and Acrobat – even in the most current version 9.3.4 and 8.2.4, on all supported platforms. There is currently no update available from Adobe which fixes the vulnerability. The company is aware of the problem though. The weakness is a buffer overflow within the CoolType.dll of the Adobe Reader and Acrobat installation. While parsing a PDF document with specially prepared SING (Smart INdependent Glyphlets) fonts it is possible to abuse the vulnerability to execute malware. ...

A whole bunch of Windows applications is vulnerable to a so-called binary-planting attack which allows for remote code execution. Microsoft released a security advisory about this issue which isn’t easy to fix properly. This issue arises due to the (defined and well documented) behavior of Windows when loading libraries by an application. A .dll to load gets searched in a certain standard path list. This list also includes the current working directory, which is the place a document gets opened from for example. When a file with the name of a DLL which the corresponding application needs to load is placed into the working directory, it will get loaded – this can be a malicious DLL though. ...

Microsoft has posted an advisory that explains the “DLL preloading attacks” and offers a work-around tool that “allows customers to disable the loading of libraries from remote network or WebDAV shares. This tool can be configured to disallow insecure loading on a per-application or a global system basis.” When an application loads a .dll file, but doesn’t name a full path name,Windows searches a pre-defined set of directories for it. Exploiting this, an intruder could social engineer a victim into loading a malicious .dll from a USB drive or from a network and execute arbitrary code. ...

Sigh… The latest “exploit” that affects hundreds of programs and will be the end of the world as we currently know it is actually a well documented feature of Windows. It has actually been around since the DOS days. In the old days we used to call these Companion viruses. It worked by using a different file extension that will be executed before the real executable. For example if you had a “gwbasic.exe” you would create a “gwbasic.com” anywhere in the path and if the user just typed “gwbasic” he would execute the “gwbasic.com” and not the “gwbasic.exe”. If the author of the “gwbasic.com” was ‘nice’ he could execute the “gwbasic.exe” so as to make the existence of the “gwbasic.com” file harder to detect. ...

Microsoft discontinued support for Windows XP Service Pack 2 on July 13th, and that means there is no SP2 update for the recent LNK shortcut vulnerability (KB2286198). If you review the comments from this SANS Diary post, you’ll see that there was some initial confusion regarding SP2 support, due to a typo in Microsoft’s Security Bulletin (MS10-046). The bulletin is now corrected. However, even today, the download for Windows XP still includes SP2 in the file properties. ...

It should go without saying that the best way to deal with malware is of course, not to get infected in the first place. Being aware of what products are being targeted by the bad guys may help you as well, so it may be useful to know that at the moment Adobe products are virtually the number one target across the world with millions of PCs being hit by infected Adobe PDFs. Others are being pwned via Adobe Flash ads via Facebook and other social media web sites. ...

Didier Stevens, security professional and blogger, has found a “feature” in the PDF file format that makes it possible to package an executable in a PDF file which will run in Foxit PDF reader or run in Adobe Reader with a bit of social engineering. “With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).” ...