Weekly roundup of vulnerabilities and exploits in the wild
Here is a summary of this week's vulnerabilities and exploits in the wild, as reported by Secunia, Websense and other security firms. Actually, this has been a quieter week than most.
Websense has been following a website code injection event they named the "Nine Ball Mass Injection," a follow-up to the "Beladen" and "Gumblar" mass injection attacks of last month. This is a situation where cyber criminals exploit vulnerable web application scripts that have not been secured by the webmasters who operate those websites. Too many webmasters use free scripts that are rarely, if ever, updated to patch announced vulnerabilities. Hackers send out automated scripts (a.k.a. robots, spiders) that try to upload hostile files to any website they come across. Once they find an unpatched point of entry, they are able to alter the code on any web pages they want (usually the home page). In the past, hackers would deface home pages with gibberish or slogans for their causes. Now it is criminals who sneak in dangerous hidden code that redirects innocent visitors to hostile websites, which then attempt to download malware onto the victims' computers. Most of these attempts succeed, because most people do not, or cannot, keep up with the patches released by every vendor of the add-ons and plug-ins used by their browsers.
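The hidden redirect code that these mass injections plant is usually a zero-sized or invisible iframe, a self-decoding script, or a script/iframe pulled from a host the site owner never authorized. The following scanner, added here as an example and not code from the original post or from Websense, flags those markers in a page's HTML. The sample pages and the "injected.invalid" host are constructed for illustration, and the allow-list of first-party hosts is an assumption you would replace with your own site's hosts.

```python
"""Flag the hidden-redirect markers that mass-injection attacks leave in web pages.

Added example, not code from the original post. The sample pages below are
constructed for illustration and contain no real attacker domains; the
allow-list of first-party hosts is an assumption to replace with your own.
"""
import re
from urllib.parse import urlparse

# Hosts a page is allowed to load scripts/frames from (assumed first-party list).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Each rule: a name, a compiled regex, and a short reason for the finding.
RULES = [
    ("hidden_iframe",
     re.compile(r"<iframe[^>]*(?:width\s*=\s*[\"']?0|height\s*=\s*[\"']?0"
                r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I),
     "iframe sized or styled so the visitor never sees it"),
    ("obfuscated_script",
     re.compile(r"eval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(", re.I),
     "script decodes and executes itself at run time"),
    ("meta_refresh",
     re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*url\s*=", re.I),
     "page silently forwards the visitor elsewhere"),
]

# Any script or iframe that names an external source.
SRC_RE = re.compile(r"<(?:script|iframe)[^>]+src\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def third_party_sources(html, allowed=ALLOWED_HOSTS):
    """Return script/iframe URLs whose host is not in the allow-list."""
    hits = []
    for url in SRC_RE.findall(html):
        host = urlparse(url).hostname
        if host and host.lower() not in allowed:
            hits.append(url)
    return hits


def scan_page(html, allowed=ALLOWED_HOSTS):
    """Return a list of (rule_name, evidence) findings for one HTML document."""
    findings = []
    for name, pattern, _reason in RULES:
        for match in pattern.finditer(html):
            findings.append((name, match.group(0)[:80]))
    for url in third_party_sources(html, allowed):
        findings.append(("third_party_source", url))
    return findings


# Constructed sample: a clean page and the same page after a simulated injection.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="https://www.example.com/js/menu.js"></script></head>
<body><h1>Welcome</h1></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://injected.invalid/go.php" width="0" height="0"></iframe>'
    '<script>eval(unescape("%64%6f%63"))</script></body>')

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, scan_page(page))
```

Run it over a saved copy of each public page (or, better, diff today's copy against a known-good copy) as part of a nightly check; a clean page yields no findings, and any hit on the home page is worth treating as a possible compromise until the file's modification time and contents have been reviewed.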
Most of the malware downloaded by Nine Ball and similar exploits is fake security applications that pretend to scan your computer, announce that a large number of threats have been found, then demand payment to remove them. These are tandem malware programs: part one produces the fake alerts and part two is the fake remover. After you pay to unlock the remover, it only removes the alerts its sister program placed there in the first place. You will have submitted your credit or debit card information to cyber criminals in the former Soviet Union and can expect to have your accounts drained shortly.
The rest of this week's vulnerabilities and exploits are in my extended comments.
More of this week's vulnerabilities and exploits
Adobe has just released a new, patched version of its Shockwave Player: version 11.5.0.600. Exploits have been announced that target all versions of Shockwave going back several years, to when Macromedia still owned the rights to it. It took Adobe a little while to come up with the patch, but it is now available on the Adobe Shockwave page as a free download. It is advised that you first uninstall any previous version of Shockwave, reboot, then install the new version. If you have a reasonably recent version of Shockwave installed, you can probably remove it via Control Panel > Add/Remove Programs > Adobe Shockwave > Uninstall. Uninstall Shockwave, reboot, then download and install the latest version directly from the Adobe.com Shockwave download page mentioned above. Do not download Shockwave from any website other than Adobe's.
Criminals constantly try to fool their victims into downloading "required" or "updated" versions of Flash or Shockwave from hostile web pages. In fact, those files are Trojans that will wreak havoc on your PC. Fake codecs and fake Flash, Shockwave and Adobe Reader updates appear all the time and lead to everything from fake security scanners/removers/applications to Botnet executables being installed. Botnets are constantly being expanded by luring victims into self-infecting their computers with fake security applications or fake browser add-on updates.
Speaking of fake anti-virus applications, there is a new spam run, sent by a very large Botnet, that is feasting on the unfortunate deaths this week of Farrah Fawcett and Michael Jackson (here is a Websense video report about the Michael Jackson spam links). These spam messages contain links that claim to lead to a video performance or other special news site about the deceased, where, instead of or in addition to seeing the content you expect, you may be infected behind the scenes simply by visiting that website. That is, if you have any vulnerable third party applications running in your browser. Remember this: criminals are always targeting unpatched versions of the following commonly installed browser helpers:
Adobe Acrobat
Adobe Flash
Adobe Reader
Adobe Shockwave
Sun Java
Apple QuickTime
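Knowing which of these helpers is out of date comes down to comparing the installed version against the minimum patched release, and a naive string comparison gets that wrong ("9.0.0.1000" sorts after "11.5.0.600" as text). The check below is an added example, not code from the original post or from Secunia; it splits each version into numeric components before comparing. Only the Shockwave figure, 11.5.0.600, comes from the post; the other minimum versions and the "installed" inventory are constructed placeholders.

```python
"""Compare installed browser helper versions against minimum patched releases.

Added example, not from the original post. Only the Shockwave figure
(11.5.0.600) comes from the post; the other minimum versions and the
"installed" inventory are constructed placeholders for illustration.
"""
import re


def parse_version(text):
    """Turn '11.5.0.600' into (11, 5, 0, 600) so components compare numerically."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def is_outdated(installed, minimum):
    """True when the installed version is older than the minimum patched one.

    Shorter tuples are padded with zeros so '11.5' compares equal to '11.5.0.0'.
    """
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory, minimums):
    """Return sorted names of installed helpers that fall below their minimum.

    Helpers with no minimum on record are skipped rather than guessed at.
    """
    return sorted(name for name, ver in inventory.items()
                  if name in minimums and is_outdated(ver, minimums[name]))


# Minimum patched versions. Shockwave is from the post; the others are placeholders.
MINIMUM_VERSIONS = {
    "Adobe Shockwave": "11.5.0.600",
    "Adobe Flash": "10.0.0",      # placeholder, not a real advisory figure
    "Sun Java": "6.0.140",        # placeholder, not a real advisory figure
}

# Constructed inventory of what a PC might report.
SAMPLE_INVENTORY = {
    "Adobe Shockwave": "11.5.0.596",   # just below the patched build
    "Adobe Flash": "10.0.22",
    "Sun Java": "6.0.70",
    "Apple QuickTime": "7.6",          # no minimum on record, so skipped
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY, MINIMUM_VERSIONS))
```

Feed `audit` the versions reported by Add/Remove Programs (or by a tool such as the Secunia inspector mentioned later in the post) and the minimums from each vendor's current advisory; the padding step matters because vendors are inconsistent about how many components they publish.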
The most exploitable browser in history is Microsoft's Internet Explorer. The latest version, 8.0, is definitely more secure than previous versions, but only when used on a Windows Vista or newer computer. Under Vista, Internet Explorer can be placed into "Protected Mode," which separates activity in the browser from accessing or replacing operating system files. In Protected Mode, downloads cannot happen without your knowledge, but you can still be fooled into allowing them yourself (Trojans). So, if you are running Internet Explorer 8 on something older than Windows Vista or Windows 7 and are operating as an administrator, you could still be exploited without your knowledge, simply by being redirected to a hostile website.
Apple's Safari browser is highly exploitable, as is the new Google Chrome. Mozilla's Firefox, while being constantly targeted by hackers, is very fast when it comes to releasing patched versions. I have seen them push out two patched versions in two or three days. I use Firefox (current version) exclusively to browse the Internet. Safari and Chrome updates often come months apart. Internet "Exploder" is typically updated once a month, at best.
Users who operate their PCs as Administrators are always at higher risk than folks who operate as Limited, Standard, or Power Users. To better understand this, please read my February 2009 blog article about how running with reduced user privileges stops 92% of malware attacks from succeeding.
Not relying on email spam alone, criminals have been busy breaking into Twitter accounts with credentials captured by keyloggers, then posting phony "Tweets" containing links that lead directly to malware distribution servers, or that reach them through multiple redirects encoded into each stop. The most recent report has links in Twitter accounts leading to the Koobface Trojan, which usually spreads on Facebook.
You should always keep your computers protected from malware threats with a current version of your preferred anti-virus and anti-spyware program, or suite. If you use Trend Micro Internet Security, or Internet Security Pro, you are already protected against web based threats, email spam with hostile links, Bots, and dangerous downloads. Additionally, I strongly recommend that you routinely visit the Secunia Online Software Inspector and run it to see what unpatched applications, if any, are found on your PCs. Read the results and follow its directions to obtain patched versions of any exploitable software it finds. This includes Windows Updates.
That's all for now. I'll be back next week with the latest threats and vulnerabilities that you need to be concerned with.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.