December 18, 2018

In Brief: Microsoft publishes official Fix It for IE 8 vulnerability

(LiveHacking.Com) – Microsoft has updated Security Advisory 2794220 to include new information about the official Fix It that the company said it would release. The Fix It, a temporary measure issued by Redmond until a full patch can be delivered, is a response to the zero-day vulnerability found in Internet Explorer 6, 7 and 8.

The Fix It uses a shim to change two bytes in mshtml.dll so that the vulnerability can no longer be used for code execution: if an exploit triggers the bug, the browser now simply crashes. Applying the Fix It does not require a reboot.

“While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems,” said Dustin Childs from Microsoft’s Trustworthy Computing unit.


New Critical zero-day vulnerability found in IE 6,7 and 8

(LiveHacking.Com) – While investigating reports that the Council on Foreign Relations (CFR) website had been compromised, FireEye discovered that the site was hosting malware that exploited a previously unknown (zero-day) vulnerability in Internet Explorer 8. The attack seen by FireEye uses Adobe Flash to perform a heap spray against IE. According to Microsoft’s Security Advisory 2794220, the issue affects Internet Explorer 6, 7 and 8, and a small number of targeted attacks are happening in the wild. A successful exploit, normally triggered by getting a victim using IE 8 to browse a malicious website, allows remote code execution. Internet Explorer 9 and 10 are not affected, so upgrading to either version will defend against this vulnerability. However, neither IE 9 nor IE 10 is available for Windows XP users.

The vulnerability is a use-after-free: Internet Explorer accesses a chunk of memory after it has been freed. If an attacker has meanwhile filled that memory with data under their control, the stale access can be turned into arbitrary code execution in the context of the current user. By crafting a website designed to trigger the bug, the vulnerability can be exploited whenever an Internet Explorer 6, 7 or 8 user is tricked into viewing the site.

Microsoft’s initial investigation has shown that at least four attacks exist in the wild, each exploiting the vulnerability using a different method. Along with the Flash-based heap spray, Microsoft has also seen obfuscated JavaScript used to trigger the vulnerability, an ASLR bypass that relies on a module loaded without ASLR support (either Java 6’s MSVCR71.DLL or Office 2007/2010’s hxds.dll), and a DEP bypass via a chain of ROP gadgets, which needs the fixed addresses that such a module provides.

What can you do?

Aside from upgrading to IE 9 or IE 10, and while IE 8 users wait for a patch, IE users can block the current targeted attacks by disabling the attack vectors:

    • Disabling JavaScript will prevent the vulnerability from being triggered in the first place.
    • Disabling Flash will prevent the ActionScript-based heap spray from preparing memory so that the freed object contains exploit code.
    • Disabling the ms-help protocol handler AND ensuring that Java 6 is not allowed to run will block the ASLR bypass (and with it the ROP chain, which depends on the fixed addresses of hxds.dll or MSVCR71.DLL).
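The ASLR bypass above works because MSVCR71.DLL and hxds.dll were linked without /DYNAMICBASE, so they always load at their preferred base address and hand the attacker a predictable supply of ROP gadgets. The following Python is an added example, not from the article or from Microsoft: it reads the PE header of a DLL and reports whether the image opts in to ASLR and DEP, which is the check to run on every module your browser loads. The only assumption is the PE/COFF header layout; the build_minimal_pe helper constructs synthetic headers purely for demonstration and does not produce a loadable DLL.

```python
"""Check whether a Windows PE file was built with ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT).

Added example, not from the original article or from Microsoft. Only the standard library
is used; the header offsets follow the PE/COFF specification.
"""
import struct
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* flags (optional header, DllCharacteristics field)
DYNAMIC_BASE = 0x0040      # /DYNAMICBASE: image may be relocated by ASLR
NX_COMPAT = 0x0100         # /NXCOMPAT: image is DEP-compatible
# IMAGE_FILE_RELOCS_STRIPPED (COFF header, Characteristics field)
RELOCS_STRIPPED = 0x0001   # no relocations: cannot be rebased even if DYNAMIC_BASE is set


def pe_mitigations(data: bytes) -> dict:
    """Return ASLR/DEP flags for the PE image in `data`; raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (20 bytes)
    _machine, _nsec, _ts, _sym, _nsym, _opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & DYNAMIC_BASE)
    return {
        "pe32plus": magic == 0x20B,
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        "nx_compat": bool(dll_chars & NX_COMPAT),
        # ASLR only helps if the loader can actually move the image
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_minimal_pe(dll_chars: int, characteristics: int = 0x2102, pe32plus: bool = False) -> bytes:
    """Construct a minimal, non-loadable PE header for testing (constructed data, not a real DLL)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


def report(path: str) -> str:
    """One-line verdict for a file on disk, e.g. report('C:/Windows/SysWOW64/msvcr71.dll')."""
    m = pe_mitigations(Path(path).read_bytes())
    return "%s: ASLR %s, DEP %s" % (path, "yes" if m["aslr_effective"] else "NO",
                                    "yes" if m["nx_compat"] else "NO")


if __name__ == "__main__":
    for name, hdr in [("aslr+dep", build_minimal_pe(DYNAMIC_BASE | NX_COMPAT)),
                      ("no-aslr", build_minimal_pe(NX_COMPAT)),
                      ("relocs-stripped", build_minimal_pe(DYNAMIC_BASE, characteristics=0x2103))]:
        print(name, pe_mitigations(hdr))
```

Run report() over the DLLs listed in the browser process (Process Explorer or a debugger will list them); any module reporting "ASLR NO" is a candidate gadget source of exactly the kind the attackers used here, and is a reason to remove or block the product that ships it.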

Of course, using IE 8 with JavaScript disabled is next to impossible. So while Microsoft works on a comprehensive update to IE, there is a trick which Microsoft is releasing as a Fix It. The trick does not fix the vulnerability itself, but it does prevent it from being exploited for code execution by making a two-byte change to mshtml.dll (replacing a je instruction with an unconditional jmp).

The change is applied as a shim rather than as a patched binary, and it may have the side effect, in some circumstances, of the default form button not being selected by default.

The shim is currently being packaged and code-signed as a one-click, deployable Microsoft Fix It tool. The 32-bit and 64-bit shims are attached to Microsoft’s blog post and also available at the URLs given there.


New zero-day Java exploit on sale for a five digit sum

(LiveHacking.Com) – A new zero-day Java exploit has been offered for sale on an underground cyber-criminal forum. The exploit is advertised as working on Java JRE 7 Update 9, the most recent version of Java, but not affecting Java 6 or earlier versions.

According to Brian Krebs, the exploit is serious enough that an attacker could use it to remotely seize control over any system running the program, which in practice means it would be used to spread malware. A cyber criminal who bought this exploit would most likely use it to spread a banking Trojan so as to recoup the money spent. In the end it is all about money (illegally and immorally gained, of course).

The exploit has been offered for sale on an invite-only Underweb forum for an undisclosed sum, but the seller suggested that the price needs to be in five digits (i.e. at least $10,000). There are few details, but the vulnerability is said to be in ‘MidiDevice.Info’, the Java class that describes MIDI devices. The seller claims to have tested the exploit on Firefox and Internet Explorer running on Windows 7.

“I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly,” the exploit seller is reported to have written.

Many security experts, including us here at Live Hacking, have serious concerns about the number of vulnerabilities in Java. If you don’t need Java, it is best to remove it completely from your system.

As an alternative you can also disable your current Java Plug-in temporarily to prevent being vulnerable to Java-based threats. For Windows systems, go to “Control Panel” and select “Java”. When the “Java Runtime Environment Settings” dialog box appears, select the “Java” tab. From there, click the “View” button. You will see a list of the currently installed versions of Java. Uncheck the “Enabled” check box to disable that installation from being used by Java Plug-in and Java Web Start. Oracle has published a detailed description of these settings.

Security researchers say they already have zero-day exploits for Windows 8

(LiveHacking.Com) – Windows 8 has been available for only a few days, and the security research company VUPEN, which specializes in finding exploitable vulnerabilities in software and selling the exploits to government agencies, claims it already has working zero-day exploits for Microsoft’s new operating system.

Before Windows 8 was released, the company promised that it would be ready to deliver exploits to its customers on launch day: “Windows 8 will be officially released by MS on Oct 26th, we’ll release to customers the 1st exploit for Win8 the same day.” Then, a few days after the launch, Chaouki Bekrar, CEO and Head of Research at VUPEN, tweeted: “We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations.” You might need help decoding that: 0Ds means zero-day exploits, and pwn means to compromise a system in order to “own” it.

In other words, VUPEN claims to have working zero-day exploits for Windows 8, using IE10 as one of the attack vectors.

According to Forbes, the Windows 8 attack will be included in the company’s Threat Protection Program, the defensive side of VUPEN’s business. It isn’t clear whether the exploits will also be sold for offensive use; however, Bekrar does say that customers can use them “for national security purposes”.

“The in-depth technical details of the flaws will be shared with our customers and they can use them to protect their critical infrastructures against potential attacks or for national security purposes,” Bekrar wrote to Andy Greenberg.

The fact that VUPEN has working exploits for Windows 8 is quite interesting, because the new OS ships with several mitigations. Windows 8 comes with a pre-installed anti-malware program, Windows Defender, and a revamped version of its Address Space Layout Randomization (ASLR). ASLR randomizes where executables, libraries, stacks and heaps are placed in memory, so an exploit for a buffer overflow or heap corruption cannot rely on fixed addresses. IE10 also runs its content in a sandbox.

New zero-day vulnerability discovered for Internet Explorer

(LiveHacking.Com) – Security researcher Eric Romang was monitoring infected servers, allegedly used by the Nitro gang for targeted attacks exploiting the recent Java 7 zero-day vulnerabilities, when he found four files on one server that turned out to be an unknown exploit for IE 7, IE 8 and IE 9. The four files (an executable, a Flash Player movie and two HTML files called exploit.html and protect.html) are used together to download a malicious executable onto the victim’s computer.

The attackers can swap in any executable of their choosing and use the victim’s machine as part of a botnet or install a banking-information-stealing trojan. According to a tweet by Malc0de, the payload currently in use may be Poison Ivy (http://bit.ly/PkRPIP).

Eric discussed his findings with security researchers @binjo and @_sinn3r, and got further help from the regulars of the Metasploit IRC channel. The conclusion is that the files exploit a vulnerability in all versions of Internet Explorer from IE 7 onwards, and that the exploit does not depend on any known Adobe Flash vulnerability.

It appears as if his actions haven’t gone unnoticed:

The guys who developed this new 0day were not happy to have been caught, they have removed all the files from the source server just 2 days after my discovery. But more interestingly, they also removed a Java 0-day variant from other folders.

A Metasploit exploit module is expected to be released later today; progress on the module is reported to be going well.

Oracle knew of Java vulnerabilities in April and had proof of concept code examples

(LiveHacking.Com) – It turns out that the latest Java vulnerabilities, which are being used to spread malware across the globe, aren’t zero-day vulnerabilities at all. PC World is reporting that Oracle has known about the two unpatched Java 7 vulnerabilities since April. Polish security firm Security Explorations reported 19 Java 7 security issues to Oracle on April 2, including the two vulnerabilities that are now being exploited in the wild. With the further vulnerabilities the company reported to Oracle in May, the total comes to 29. “We demonstrated 16 full Java SE 7 sandbox compromises with the use of our bugs,” said Adam Gowdiak, founder and CEO of Security Explorations.

According to the press release Security Explorations issued at the time, the security issues violated the “Secure Coding Guidelines for the Java Programming Language”, and most of them demonstrate a specific problem related to Java SE security. As part of the research, Security Explorations developed reliable proof-of-concept code for ALL of the issues found, including 12 exploits that demonstrated a complete JVM security sandbox bypass.

This means that for the last four months Oracle has had information about critical Java vulnerabilities, including proof-of-concept code. The last status report Adam Gowdiak received from Oracle indicated that the company was planning to fix the two vulnerabilities being exploited today in its October Critical Patch Update (CPU).

“Although we stay in touch with Oracle and the communication process has been quite flawless so far, we don’t know why Oracle left so many serious bugs for the Oct. CPU,” Gowdiak said.

Oracle uses a four-month patch cycle for Java (mid-February, June and October), and the next patch is scheduled for October 16.

Concern grows as zero day Java exploit spreads

(LiveHacking.Com) – Concern about the impact (even devastation) of the recently discovered zero-day Java exploit is growing now that the exploit has been added to the infamous Blackhole exploit kit. It has also emerged that the attacks, which have become global with cases recorded in the United States, Russia, Belarus and Germany, actually use two unpatched vulnerabilities in Java 7, not one as was originally thought. Kurt Baumgartner, a senior security researcher at Kaspersky Lab, wrote in a blog post that infections are becoming more common and have spread out from their initial starting point in China.

Oracle has yet to comment on the vulnerability, and since every major browser is susceptible to the attack, US-CERT has released Vulnerability Note VU#636312, which advises users to disable the Java browser plugin.

  • To disable the Java web plug-in in Safari, open Safari > Preferences, click “Security” and uncheck “Enable Java”.
  • To disable Java applets in Firefox, click on the Firefox button and then click Add-ons, select the Plugins panel, click on the Java (TM) Platform plugin and then click on the Disable button.
  • For Chrome, type chrome://plugins/ into the address bar, scroll down to Java and click Disable.
  • Disabling Java in Internet Explorer isn’t easy and takes several steps; detailed step-by-step instructions are linked in the original article.

Disclosure concerns
There have also been concerns about how this exploit was disclosed. Some bloggers reported the vulnerability irresponsibly by including links to known sites serving the attack. “Would you encourage folks to walk down a mugger’s dark alley with no protection or would you work to communicate the muggers’ whereabouts to the right folks and work on lighting the alley or giving better directions?” wrote Kurt Baumgartner from Kaspersky.

Also, since the exploit was added to the Metasploit penetration testing framework, it became available to every would-be hacker. The counter-argument is that such full disclosure will force Oracle to deliver an out-of-band patch, which in the past it has failed to do. The company’s next scheduled Java security update is on October 16, 2012.


New zero day Java vulnerability spotted in the wild

(LiveHacking.Com) – A zero-day vulnerability is considered by some to be their worst security nightmare: a bug in software that nobody, including the vendor, knew about (hence “zero day”) which allows attackers to execute code remotely on a victim’s machine. That is exactly what happened over the weekend with the discovery of a new zero-day vulnerability in Java 7. According to FireEye, all versions of JRE 1.7x are vulnerable, and the exploit has been successfully tested against the latest version of Firefox with JRE 1.7 Update 6 installed. Java 6 appears not to be vulnerable.

The exploit is hosted on the domain ok.XXX4.net, which resolves to an IP address in China. After a successful exploit, the dropper (MD5 4a55bf1448262bf71707eef7fc168f7d, detected by only 28 of 42 antivirus scanners, for example as Gen:Trojan.Heur.FU.bqW@a4uT4@bb or Backdoor:Win32/Poison.E) is downloaded from http://ok.XXX4.net/meeting/hi.exe and installed on the infected machine. The dropper then contacts a command-and-control server, hello.icon.pk, in Singapore.
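Indicators like the exploit domain, dropper URL, file hash and C2 host above are only useful once they are run against your own proxy logs and quarantined downloads. The following Python is an added example, not part of the FireEye write-up or of this article: it matches those indicators against Squid-style proxy log lines and against the bytes of a downloaded file. The domain is kept in the article’s redacted form (ok.XXX4.net); the log lines, client addresses and the C2 request path are constructed for the demo.

```python
"""Match the indicators from the FireEye write-up against proxy logs and downloaded files.

Added example, not code from the article or from FireEye. The domain is the article's
redacted form (ok.XXX4.net) and is kept as-is; the sample log lines are constructed.
"""
import hashlib
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {"ok.xxx4.net", "hello.icon.pk"}          # exploit host and C2 from the article
IOC_URL_PATHS = {("ok.xxx4.net", "/meeting/hi.exe")}    # dropper download URL from the article
IOC_MD5 = {"4a55bf1448262bf71707eef7fc168f7d"}          # dropper hash from the article

# Squid native access-log layout: timestamp elapsed client code/status bytes method URL ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")


def domain_matches(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_proxy_log(lines):
    """Yield (client, url, reason) for every log line that touches an indicator."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # malformed line; a real tool would count these
        url = m.group("url")
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        if (host, parts.path) in IOC_URL_PATHS:
            yield m.group("client"), url, "dropper download"
        elif domain_matches(host):
            yield m.group("client"), url, "IOC domain"


def file_matches(data: bytes) -> bool:
    """True if the MD5 of a quarantined file is a known dropper hash."""
    return hashlib.md5(data).hexdigest() in IOC_MD5


# Constructed sample log: two of the four lines touch the indicators (the C2 path is made up).
SAMPLE_LOG = [
    "1345843200.101 120 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html",
    "1345843201.202 340 10.0.0.7 TCP_MISS/200 21000 GET http://ok.XXX4.net/meeting/hi.exe - DIRECT/203.0.113.5 application/octet-stream",
    "1345843205.303 30 10.0.0.7 TCP_MISS/200 210 POST http://hello.icon.pk/gate.php - DIRECT/198.51.100.9 text/plain",
    "1345843206.404 15 10.0.0.9 TCP_MISS/200 900 GET http://cdn.example.net/app.js - DIRECT/93.184.216.35 text/javascript",
]


def sample_hits():
    """Run the scanner over the constructed log and return the hits in log order."""
    return list(scan_proxy_log(SAMPLE_LOG))


if __name__ == "__main__":
    for client, url, reason in sample_hits():
        print(f"{client} -> {url}  [{reason}]")
```

The domain match deliberately covers subdomains, since the same infrastructure typically rotates hostnames under one registered domain, while the hash match is exact: an MD5 identifies one build of the dropper and nothing else, so treat a hash miss as “not this sample”, not as “clean”.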

The worrying thing is that Oracle uses a four-month patch cycle for Java (mid-February, June and October), and the next patch is scheduled for October 16, nearly two months away. Oracle rarely issues out-of-cycle patches; we can only hope it makes an exception in this case.

“It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit. Our investigation is not over yet; more details will be shared on a periodic basis,” wrote FireEye researcher Atif Mushtaq on the company blog. 

A Metasploit module has already been published, and my advice is to disable Java on all your systems. Most home users don’t run Java programs and have no need for it; on top of that, the majority of security experts agree that the risk of running Java outweighs the potential benefits.

AlienVault and DeependResearch have further analysis of the vulnerability.

Adobe Reader Zero-day Vulnerability Patch Coming Today?

(LiveHacking.Com) – Ten days ago Adobe published a security advisory for Adobe Reader and Acrobat detailing a “critical” zero-day vulnerability that was already being actively exploited on the Internet, specifically against Adobe Reader 9.x on Windows.

The vulnerability is present in Adobe Reader and Acrobat X and 9.x; however, Reader X and Acrobat X users can protect themselves by using Protected Mode / Protected View. There is no such workaround for Adobe Reader 9.x, so Adobe promised a new release of Adobe Reader and Acrobat 9.x to fix the problem. That update is expected today.

According to Brad Arkin, Senior Director for Product Security and Privacy at Adobe, the rationale behind releasing a hotfix only for Adobe Reader and Acrobat 9 on Windows is that “this is the version and platform currently being targeted.”

Soon after Adobe published details of the vulnerability, researchers at Symantec released details of attacks seen in the wild saying that the “critical vulnerability has recently been seen exploited in the wild in targeted attack emails sent on November 1st and 5th. This attack leverages the zero-day vulnerability in order to infect target computers with Backdoor.Sykipot.”

To exploit the vulnerability, the attackers sent emails with a specially crafted PDF attachment. The PDF triggers a memory-corruption bug in Adobe’s Universal 3D (U3D) processing to deliver its payload. News reports suggest the emails targeted defense contractors; however, companies in the telecoms, wholesale and computer-hardware industries have also been targeted.

Adobe Reader X and Adobe Acrobat X users should verify that they are using Protected View / Mode:

  • To verify that Protected View for Acrobat X is enabled, go to Edit > Preferences > Security (Enhanced) and ensure that “Enable Enhanced Security” is checked together with either “Files from potentially unsafe locations” or “All files”.
  • To verify that Protected Mode for Adobe Reader X is enabled, go to Edit > Preferences > General and verify that “Enable Protected Mode at startup” is checked.

Adobe Acrobat has Critical Zero-Day Vulnerability

(LiveHacking.Com) – Adobe has published a security advisory for Adobe Reader and Acrobat detailing a “critical” vulnerability which, when exploited, can crash the application and potentially allow an attacker to take control of the affected system. There are also reports that this vulnerability is being actively exploited on the Internet, specifically against Adobe Reader 9.x on Windows.

The vulnerability, which affects Adobe Acrobat X and Adobe Reader X and earlier versions for Windows and Macintosh, and Adobe Reader 9.x for UNIX, is in Universal 3D (U3D) processing. U3D is a compressed file format for 3D computer graphics data that is natively supported by PDF, so a U3D model can be embedded in an ordinary PDF attachment. A memory corruption in the U3D parser is the root of the vulnerability and can allow an attacker to take control of the affected system.
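Both advisories on this page (the email-borne PDFs described above and the U3D memory corruption described here) come down to the same triage question at a mail gateway: does this PDF carry 3D/U3D content at all? Legitimate business mail almost never does. The following Python is an added example, not Adobe’s, Symantec’s or the article’s code. It flags PDFs that contain a 3D annotation or a /Subtype /U3D stream, decodes #xx name escapes and inflates Flate-compressed streams so that the names cannot be trivially hidden in an object stream; the sample PDFs are constructed inline and are not valid documents beyond what the scan needs.

```python
"""Triage PDFs for embedded Universal 3D (U3D) content before they reach Reader 9.x.

Added example, not from the article or from Adobe/Symantec. It looks for the PDF names that
mark 3D content (/Subtype /3D on an annotation, /Subtype /U3D on a 3D stream), after undoing
the two cheapest ways to hide them: #xx name escapes and Flate-compressed object streams.
"""
import re
import zlib

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
U3D_STREAM = re.compile(rb"/Subtype\s*/U3D\b")
ANNOT_3D = re.compile(rb"/Subtype\s*/3D\b")
OBJSTM = re.compile(rb"/Type\s*/ObjStm\b")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so that /U#33D matches /U3D (a common evasion)."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated contents of every zlib-compressed stream, so that dictionaries
    stored inside object streams (/Type /ObjStm with /FlateDecode) are visible to the matchers."""
    extra = []
    for m in STREAM.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass           # not Flate, or corrupt; other filters (LZW, ASCIIHex, ...) are out of scope
    return data + b"\n" + b"\n".join(extra)


def triage_pdf(data: bytes) -> dict:
    """Return which 3D-related markers the document carries."""
    body = normalize_names(inflate_streams(data))
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        "u3d_stream": bool(U3D_STREAM.search(body)),
        "annot_3d": bool(ANNOT_3D.search(body)),
        "object_streams": bool(OBJSTM.search(body)),
    }


def verdict(data: bytes) -> str:
    t = triage_pdf(data)
    if not t["is_pdf"]:
        return "not-pdf"
    if t["u3d_stream"] or t["annot_3d"]:
        return "quarantine: 3D/U3D content"
    return "pass"


def make_pdf(objects) -> bytes:
    """Assemble a minimal PDF (no xref table; enough for the regex triage) from object bodies."""
    out = [b"%PDF-1.7\n"]
    for i, body in enumerate(objects, 1):
        out.append(b"%d 0 obj\n%s\nendobj\n" % (i, body))
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


# Constructed samples: a plain document, one with a 3D annotation plus U3D stream, and one
# that hides the same U3D dictionary behind a #33 name escape inside a Flate object stream.
PLAIN_PDF = make_pdf([b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [] /Count 0 >>"])
U3D_PDF = make_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
    b"<< /Type /Annot /Subtype /3D /3DD 5 0 R /Rect [0 0 100 100] >>",
    b"<< /Type /3D /Subtype /U3D /Length 4 >>\nstream\nU3D\x00\nendstream",
])
_hidden = zlib.compress(b"5 0 << /Type /3D /Subtype /U#33D >>")
EVASIVE_PDF = make_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
    % (len(_hidden), _hidden),
])

if __name__ == "__main__":
    for name, pdf in [("plain", PLAIN_PDF), ("u3d", U3D_PDF), ("evasive", EVASIVE_PDF)]:
        print(name, verdict(pdf), triage_pdf(pdf))
```

This is a gateway heuristic, not a parser: it only undoes Flate compression and name escapes, so a PDF using other stream filters or encryption needs a real PDF library to reach the same verdict, and a “pass” here is no substitute for keeping Reader X’s Protected Mode switched on.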

Adobe Reader X with Protected Mode and Adobe Acrobat X with Protected View are protected against exploitation of this bug by their sandbox, so Adobe will prioritize a fix for Adobe Reader 9.x and Acrobat 9.x for Windows, to be released no later than the week of December 12, 2011. Adobe Reader X and Adobe Acrobat X will be updated in the next quarterly security update, currently scheduled for January 10, 2012, when the Mac and UNIX versions will also be updated.

According to Brad Arkin, Senior Director for Product Security and Privacy at Adobe, the rationale behind releasing a hotfix only for Adobe Reader and Acrobat 9.4.6 on Windows is that “this is the version and platform currently being targeted.”

“All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE)” he wrote.

It is therefore essential that Adobe Reader X and Adobe Acrobat X users verify that they are using Protected View / Mode.

  • To verify that Protected View for Acrobat X is enabled, go to Edit > Preferences > Security (Enhanced) and ensure that “Enable Enhanced Security” is checked together with either “Files from potentially unsafe locations” or “All files”.
  • To verify that Protected Mode for Adobe Reader X is enabled, go to Edit > Preferences > General and verify that “Enable Protected Mode at startup” is checked.