May 20, 2013

In Brief: Remote zero-day vulnerability found in Linksys WRT54GL router

(LiveHacking.Com) – A zero-day remote root access vulnerability has been found in the Linksys WRT54GL router, with the possibility that other routers in the range are also affected. The vulnerability was found by DefenseCode, who published a proof-of-concept video on YouTube.

According to DefenseCode, Cisco was contacted about the remote preauth (root access) vulnerability several months ago. The company also passed on a detailed vulnerability description along with the PoC exploit for the vulnerability.

It seems that Cisco thought that the vulnerability was already fixed in the latest firmware, but according to DefenseCode it isn’t.

“Although we can confirm contact with DefenseCode, we have no new vulnerability information related to our WRT54GL or other home routers to share with customers at this time. We will continue to review new information that comes to light and will provide customer updates as appropriate,” a Cisco spokeswoman told SC Magazine Australia.

However Cisco, who owns the Linksys brand, did finally admit to the problem: “Following our assessment of information recently released by DefenseCode, we have confirmed a vulnerability in the Linksys WRT54GL home router,” the company said in an e-mail to The Register. “At this point, no other Linksys products appear to be impacted.”

DefenseCode says that it will make a full disclosure of the vulnerability in the next two weeks.

Another zero-day Java exploit for sale on Internet

(LiveHacking.Com) – Less than a day after Oracle patched the zero-day vulnerability in Java 7, security journalist Brian Krebs discovered that a new Java zero-day exploit is now available to purchase, on a crimeware and malware Internet forum, for US$5,000 per sale.

At the beginning of this week, an administrator of an exclusive cybercrime forum revealed that he is offering exploit code for a new zero-day vulnerability in Java, but he is only willing to sell it twice.

The seller was offering source files to the exploit plus an encrypted, weaponized version, ready for use. Since spotting the forum post, Krebs has noticed that the thread has since been deleted from the forum. This most likely means that buyers were found.

“To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program,” wrote Krebs.

The current frequency of Java exploits has led many to declare Java unsafe. Even after the latest update for Java 7, Adam Gowdiak, the founder and CEO of Security Explorations, who has found several critical vulnerabilities in Java, said that “We don’t dare to tell users that it’s safe to enable Java again.”

This was a sentiment echoed by HD Moore, chief security officer with Rapid7, the custodians of Metasploit: “The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop.”

It looks like Gowdiak and Moore are right!

After latest vulnerability gets patched in Java, is it now seen as just too dangerous?

(LiveHacking.Com) – Oracle has released an update to Java 7 to address two Critical vulnerabilities. A few days ago, reports emerged about another new vulnerability in Java that was being exploited in the wild. The vulnerability allowed a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. An exploit for the vulnerability was quickly added to exploit toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK).

These vulnerabilities, known as CVE-2013-0422 and CVE-2012-3174, do not affect Java on servers, Java desktop applications, or embedded Java; however, Java running in a web browser is affected.

To exploit the vulnerability, an unsuspecting user is tricked into visiting a website which has been designed specifically to infect their PC with malware. Once at the website, the vulnerability allows for the execution of a malicious applet within the browser, which then results in the execution of arbitrary code (to install malware).

As part of Java 7 update 11, Oracle is switching the Java security settings to “high” by default. This means that users need to expressly allow the execution of any applets, which are either unsigned or are self-signed, in the browser. The idea is that any unsuspecting users visiting malicious web sites will be told before an applet is run.

Since update 10 of Java 7, it is possible to disable Java content in web browsers through the Java control panel applet. To do this, de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).

However, questions are now being raised about the long-term viability of Java support in web browsers. Adam Gowdiak, the founder and CEO of Security Explorations, who has found several critical vulnerabilities in Java, told Reuters that “We don’t dare to tell users that it’s safe to enable Java again.”

“The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” said HD Moore, chief security officer with Rapid7, the custodians of Metasploit.

Microsoft to fix IE8 zero-day vulnerability today with out-of-band fix

(LiveHacking.Com) – Microsoft will release an update to Internet Explorer today to fix the zero-day vulnerability which was found at the end of last year. An exploit for a previously unknown (zero-day) vulnerability was found in the wild during the clean-up of the Council on Foreign Relations (CFR) website, which had been compromised by hackers, probably from China. The exploit found used a heap spray attack against the zero-day vulnerability.

Microsoft issued Security Advisory 2794220, which confirmed that the issue impacts Internet Explorer 6, 7, and 8. Internet Explorer 9 and 10 are not affected by this issue, so upgrading mitigates the problem; however, neither IE 9 nor IE 10 is available for Windows XP users.

A few days later, Microsoft published a Fix It as a temporary measure until the full patch is available. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. However, once the Fix It was out, security information company Exodus Intelligence published details on how it had managed to bypass the shim and make IE vulnerable again. This placed greater pressure on Microsoft to issue an out-of-band fix, which it will now do today.

“While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future. The bulletin has a severity rating of Critical, and it addresses CVE-2012-4792,” said Dustin Childs, Group Manager of Microsoft’s Trustworthy Computing unit.

The patch will be made available for Windows XP, Vista and Windows 7 along with Windows Server 2003 and 2008. Microsoft will release the out-of-band security update at 10 a.m. PST on Monday, January 14, 2013.

New zero-day Java 7 vulnerability being exploited in the wild

(LiveHacking.Com) – US-CERT has issued a security advisory about an unspecified vulnerability in the most up-to-date version of Java (Java 7 Update 10) that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. According to TrendLabs, the zero-day exploit is being used by toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). Brian Krebs has noted that the author of the Blackhole exploit kit is calling the new exploit a ‘New Year’s Gift’ to customers who use Blackhole.

Initial analysis of the exploit shows that it is probably bypassing certain security checks by tricking the permissions of certain Java classes, as in CVE-2012-4681. According to US-CERT, the exploit works by leveraging unspecified vulnerabilities involving Java Management Extensions (JMX) MBean components and sun.org.mozilla.javascript.internal objects: an untrusted Java applet can escalate its privileges by calling the setSecurityManager() function to allow full privileges, without requiring code signing.

The only good bits of news are that Java 6 doesn’t seem to be affected and that, since update 10 of Java 7, it is possible to disable Java content in web browsers through the Java control panel applet. To do this, de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).
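The “Enable Java content in the browser” check-box described here (and in the Java 7 update 11 item above) is persisted by the Java Control Panel in the per-user deployment.properties file. The following audit script is an added example, not code from LiveHacking.com or Oracle; it assumes that the setting is stored as the `deployment.webjava.enabled` key, that the file lives under `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\` on Windows, and that a missing key means the plug-in is still enabled, which is the Java 7u10 default.

```python
"""Audit a Java 7 deployment.properties file for the browser plug-in switch.

Added example (not from the page or Oracle). Assumption: Java 7u10+ stores the
Control Panel's "Enable Java content in the browser" check-box as
deployment.webjava.enabled in the per-user deployment.properties file.
"""
import re

# Constructed sample of a deployment.properties file. Note the Java-style
# escaped colon in the URL value; a naive split on ':' would mangle it.
SAMPLE_PROPERTIES = """\
#deployment.properties
#Sun Jan 13 2013
deployment.javaws.jre.0.location=http\\://java.sun.com/products/autodl/j2se
deployment.security.level=HIGH
deployment.webjava.enabled=false
deployment.javaws.jre.0.enabled=true
"""

# key = run of escaped chars or anything but separator/whitespace; then an
# optional '=' or ':' separator; then the rest of the line as the value
_LINE = re.compile(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)")


def _unescape(text):
    """Drop the backslash before an escaped ':' '=' '#' '!' or '\\'.
    Simplification: \\uXXXX and \\n/\\t escapes are not expanded."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_properties(text):
    """Minimal Java .properties reader; later keys override earlier ones."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank or comment line
            continue
        match = _LINE.match(line)
        if match:
            props[_unescape(match.group(1))] = _unescape(match.group(2))
    return props


def browser_java_status(props):
    """Return (disabled, reason). A missing key counts as enabled (assumed
    default), so absence is reported as a finding rather than as safe."""
    value = props.get("deployment.webjava.enabled")
    if value is None:
        return False, "deployment.webjava.enabled absent: plug-in defaults to enabled"
    if value.strip().lower() == "false":
        return True, "browser plug-in disabled via Java Control Panel setting"
    return False, "deployment.webjava.enabled=%s: plug-in still active" % value


def audit_file(path):
    """Audit a real deployment.properties file (path is user-supplied)."""
    with open(path, encoding="utf-8") as handle:
        return browser_java_status(parse_properties(handle.read()))


if __name__ == "__main__":
    disabled, reason = browser_java_status(parse_properties(SAMPLE_PROPERTIES))
    print(("OK   " if disabled else "WARN ") + reason)
```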

US-CERT (and others) were alerted to the existence of the zero-day vulnerability by a blogger named Kafeine at the site Malware don’t need Coffee.

“We can confirm that this is a new vulnerability,” said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, in an email to Computerworld. “We reproduced the exploitation mechanism on Java 1.7 Update 9 and Update 10. Other versions may be vulnerable as well, we’re currently analyzing whether other older updates are vulnerable.”

Someone has bypassed Microsoft’s Fix It for the IE 8 zero-day vulnerability already

(LiveHacking.Com) – Security information company Exodus Intelligence has published a blog post claiming to have bypassed Microsoft’s Fix It for the current zero-day vulnerability in Internet Explorer 8. The official Fix It was released by Microsoft as a temporary workaround for the zero-day vulnerability found in Internet Explorer 6, 7 and 8. The bug in IE can corrupt memory in such a way that it allows an attacker to execute arbitrary code in the context of the current user within IE. To exploit it, users are tricked into visiting a specially crafted website which uses either Flash or JavaScript to generate a heap spray attack against IE. The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution.

According to Exodus Intelligence, it is now possible to bypass the shim and compromise a fully-patched system. Due to the nature of its business, Exodus Intelligence has passed on the details about the bypass to its customers. Thankfully, it has also notified Microsoft. The company promises to fully disclose the details of the bypass once Microsoft has fully addressed the issue.

“After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week,” said Exodus Intelligence on its blog.

Microsoft will release seven security bulletins today to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework. However, a fix for the Internet Explorer vulnerability will not be among the patches.

Internet Explorer 9 and 10 are immune to the attack, and upgrading to the later versions of IE will protect users (as will using a different browser like Firefox or Chrome). The problem is that XP users can’t upgrade IE beyond 8. Also, enterprise users may still be stuck on older versions of IE due to legacy application support. In combination, this means that pressure is now mounting on Microsoft to make an out-of-band release for IE to fix the vulnerability.

In Brief: Microsoft publishes official Fix It for IE 8 vulnerability

(LiveHacking.Com) – Microsoft has updated Security Advisory 2749920 to include new information about the official Fix It that the company said it would release. The Fix It, which is a temporary measure issued by Redmond until a full patch can be delivered, is a response to the zero-day vulnerability found in Internet Explorer 6, 7 and 8.

The Fix It uses a shim to change a few bytes of data in a .dll and so prevent the vulnerability from being used for code execution. If the vulnerability is triggered, the browser will now just crash. Applying the Fix It does not require a reboot.

“While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems,” said Dustin Childs from Microsoft’s Trustworthy Computing unit.


New Critical zero-day vulnerability found in IE 6,7 and 8

(LiveHacking.Com) – While investigating reports that the Council on Foreign Relations (CFR) website had been compromised, FireEye discovered that the site was hosting malware that exploited a previously unknown (zero-day) vulnerability in Internet Explorer 8. The attack seen by FireEye uses Adobe Flash to generate a heap spray attack against IE. According to Microsoft’s Security Advisory 2794220, the issue impacts Internet Explorer 6, 7, and 8, and there are a small number of targeted attacks happening in the wild. A successful exploit, which is normally triggered by getting a victim using IE 8 to browse a malicious website, allows remote code execution. Internet Explorer 9 and 10 are not affected by this issue, so upgrading to these versions will help defend against this vulnerability. However, neither IE 9 nor IE 10 is available for Windows XP users.

The vulnerability exists because of the way that Internet Explorer accesses a previously deleted chunk of memory (a use-after-free). The vulnerability can corrupt memory in such a way that it allows an attacker to execute arbitrary code in the context of the current user within IE. By making a specially crafted website that is designed to trigger an exploit, the vulnerability can be used when an Internet Explorer 6, 7 or 8 user is convinced or tricked into viewing the site.

Microsoft’s initial investigation has shown that at least four attacks exist in the wild, each exploiting the vulnerability using a different attack method. Along with the Flash-based heap spray, Microsoft has also seen some obfuscated JavaScript that can be used to trigger the vulnerability, an ASLR bypass using either Java6 MSVCR71.DLL or Office 2007/2010 hxds.dll, and a DEP bypass via a chain of ROP gadgets.

What can you do?

Aside from upgrading to IE 9 or IE 10, and while IE 8 users are waiting for a patch, IE users can block the current targeted attacks by disabling the attack vectors:

    • Disabling JavaScript will prevent the vulnerability from being triggered initially.
    • Disabling Flash will prevent the ActionScript-based heap spray from preparing memory such that the freed object contains exploit code.
    • Disabling the ms-help protocol handler AND ensuring that Java6 is not allowed to run will block the ASLR bypass and the associated ROP chain.

Of course, trying to use IE 8 with JavaScript disabled is probably next to impossible. So while Microsoft works on a comprehensive update to IE, there is a trick which Microsoft is releasing as a Fix It. The trick does not address the vulnerability itself but does prevent it from being exploited for code execution by making a two-byte change (replacing a je instruction with a jmp) to mshtml.

Known as a shim, the change may have the side effect, in some circumstances, of the default form button not being selected by default.

The shim is currently being packaged and code-signed as a one-click, deployable Microsoft Fix It tool. The 32-bit and 64-bit shims are attached to this blog post and also available at the following URLs:


New zero-day Java exploit on sale for a five digit sum

(LiveHacking.Com) – A new zero-day Java exploit has been offered for sale on an underground black-market cyber-criminal Internet forum. The new threat is advertised as working on Java JRE 7 Update 9, the most recent version of Java, but doesn’t affect Java 6 or earlier versions.

According to Brian Krebs, the exploit is serious enough that an attacker could use it to remotely seize control over any system running the program. This typically means it would be used to spread malware. If a cyber criminal did buy this exploit, it would most likely be used to spread a banking Trojan so that the buyer could recoup the money spent. In the end it is all about money (illegally and immorally gained, of course).

The exploit has been offered for sale on an invite-only Underweb forum for an undisclosed sum, but the seller suggested that it needs to be five digits (meaning $100,000 or more). There are not many details, but the vulnerability is said to be in ‘MidiDevice.Info,’ a Java class which handles MIDI devices. The seller has tested the exploit on Firefox and Internet Explorer running on Windows 7.

“I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly,” the exploit seller is reported to have written.

Many security experts, including us here at Live Hacking, have serious concerns about the number of possible vulnerabilities in Java. If you don’t need Java, it is best to remove it completely from your system.

As an alternative, you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to stop that installation from being used by the Java Plug-in and Java Web Start. Oracle has published a detailed description of these settings.

Security researchers say they already have zero-day exploits for Windows 8

(LiveHacking.Com) – Windows 8 has been available for a few days now, and the security research company VUPEN, which specializes in finding security exploits in software and then selling them to government agencies, claims it already has working zero-day exploits for Microsoft’s new operating system.

Before Windows 8 was released, the company promised that it would be ready to release exploits to its customers on the launch day: “Windows 8 will be officially released by MS on Oct 26th, we’ll release to customers the 1st exploit for Win8 the same day.” Then, a few days after the launch, Chaouki Bekrar, the CEO & Head of Research at VUPEN, tweeted: “We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations.” You might need help decoding that a bit: 0Ds means zero-day exploits, and pwn means to hack in order to “own” it.

This means that VUPEN has confirmed that it has working zero-day exploits for Windows 8 using IE10 as one of the attack vectors.

According to Forbes, the Windows 8 attack will be included in the company’s Threat Protection Program, the defensive aspect of VUPEN’s business. It isn’t clear if the exploits will also be sold as an offensive measure; however, Bekrar does say that their customers can use the exploits “for national security purposes”.

“The in-depth technical details of the flaws will be shared with our customers and they can use them to protect their critical infrastructures against potential attacks or for national security purposes,” Bekrar wrote to Andy Greenberg.

The fact that VUPEN has working exploits for Windows 8 is quite interesting. Windows 8 comes with a pre-installed anti-malware program known as Windows Defender and also has a revamped version of its Address Space Layout Randomization feature. ASLR rearranges the memory layout in such a way that a software exploit shouldn’t easily be able to take advantage of a buffer overflow or heap corruption. IE10 also comes with sandboxing techniques.