Showing posts sorted by date for query 0-day. Sort by relevance Show all posts
Showing posts sorted by date for query 0-day. Sort by relevance Show all posts

DHS & US-CERT Recommended to Disable Java in Web Browsers

Posted by Avik Sarkar On 1/18/2013 06:49:00 pm

DHS & US-CERT Recommended to Disable Java in Web Browsers Unless It's Absolutely Necessary

The running time is proving to be the worst period for Java, as it has been walking under serious security issues. Yet again security researchers have pointed out a zero-day security vulnerability in the Java program that hackers are exploiting. The exploit takes advantage of a vulnerability left open in Java 7 Update 10, released in October last year. It works by getting Java users to visit a website with malicious code that takes advantage of a security gap to take control of users' computers. Thus how Java is being used by cyber criminals to infect computers with malware. Oracle, hasn't specified the number of users who have downloaded Java 7 Update 10. However, Java runs on more than 850 million computers and other devices. When Oracle released Update 10, so it is predictable that more than 850 million devices run by Java is under threat. The exploit was first discovered by French researcher Kafeine, who claimed to have found it running on a site registering hundreds of thousands of page views daily. From that site, immediately that vulnerability and a large number of effected devices has been spotted in the wild. In Java 7 Update 10 the creator of Java, Oracle added several security control and fixed older bugs and promised more security enhancement, but its very unfortunate that Oracle failed to keep their promise. What ever after this newly discovered 0-day hole spotted wildly, Oracle Security Alert CVE-2013-0422 states that Java 7 Update 11 addresses this (CVE-2013-0422) and an equally severe, but distinct vulnerability (CVE-2012-3174). Immunity has indicated that only the reflection vulnerability has been fixed and that the JMX MBean vulnerability remains. Java 7u11 sets the default Java security settings to "High" so that users will be prompted before running unsigned or self-signed Java applets. It "strongly recommends" that Java SE 7 users upgrade immediately to avoid all kind of security hazards. 

After seeing all the drama, many of you have failed to keep trust in Java, and you all will be relieved when you will gone through the security advisory of CERT (Computer Emergency Response Team) where they have clearly instructed to disable Java in your popular web-browser. In their official release CERT said "Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future."

You will see similar advice in the advisory posted on the official DHS US-CERT website where DHS also suggested to disable Java until and unless it is that much necessary. "To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment." - said U.S. CERT in their advisory. 






SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

VUPEN Researchers Said: They Have First Zero-Day Exploit for Windows 8 & Internet Explorer 10

Posted by Avik Sarkar On 11/04/2012 04:52:00 am

VUPEN Researchers Said: They Have First Zero-Day Exploit for Windows 8 & Internet Explorer 10

Everyday the users of Microsoft newly launched and so far most advanced windows operating system, I mean Windows 8 are increasing. But we have to keep in mind the security threats are also increasing in parallel. Recently well known French IT security firm Vupen, also known as controversial bug hunters and exploit sellers claimed to have Zero-day exploit of Windows 8. Experts at Vupen Security took credit of cracking the low-level security enhancements featured in Windows 8, Microsoft's latest operating system. According a tweet made by the official account of Vupen Security said it already has a Windows 8 exploit on offer. "Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed) is ready for customers. Welcome #Windows8" 
Apparently, the exploit combines several unpatched (0-day) security holes in the new version of Windows and the bundled Internet Explorer 10 browser to inject malicious code into systems via specially crafted web pages. Also VUPEN CEO and head of research Chaouki Bekrar sent out a pair of ominous Tweets yesterday claiming to have developed the first zero-day exploit for Windows 8 and Internet Explorer 10, both released Oct. 26. Bekrar hints the exploit is a sandbox bypass for IE10 with ASLR, DEP and anti-ROP mitigations enabled. “We welcome #Windows8 with various 0Ds combined to pwn all new Win8/IE10 exploit mitigations,” Bekrar wrote. 

The exploit allegedly bypasses all of Windows 8's malware protection features: for example the Address Space Layout Randomization (ASLR) function that Microsoft has extended in the current edition of Windows to cover more system areas and offer improved randomisation. Vupen claims that the exploit also bypasses the Data Execution Prevention (DEP) and ROP features as well as Internet Explorer's sandbox-like Protected Mode. A patch for the exploited holes may not become available in the foreseeable future: Vupen said that it discovered the vulnerabilities itself and doesn't plan to disclose them to Microsoft. The company is only offering its exploit to its paying customers, among them government investigation authorities. Should Microsoft close the holes, the elaborate exploit would significantly decrease in value.



-Source (The-H & threatpost)





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Unpatchable Security Hole in PlayStation 3 Leading The "final hack" Also LV0 Cryptographic Keys Revealed

Posted by Avik Sarkar On 10/26/2012 05:59:00 am

Unpatchable Security Hole in PlayStation 3 Leading The "final hack" Also LV0 Cryptographic Keys Revealed

We all are very much aware that Sony along with its product's were always been a very hot favorite target of hackers. But here there are few twists, so the word 'Hack' will be be the appropriate one to describe of what happened to Sony. According to a report on Eurogamer Sony's PlayStation 3 is facing a new security threat - one it hasn't seen since the system was cracked via the PSJailbreak in 2011. The PS3 has been hacked before, but Sony was able to inhibit the hack with an update to its own firmware. This is much like the history of jailbreaking on Apple's iOS. But the latest PS3 break is being dubbed unpatchable and the final hack. That's because this hack isn't giving you an exploit to use against a programming hole. It's giving you Sony's so-called LV0 (level zero) cryptographic keys
A decryption key that is reported to be circulating on the net is said to remove the final protective barrier on some models of Sony's PlayStation 3 consoles. In the long run, the release of the key will probably allow unsigned software such as homebrew games, Linux distributions, or pirate copies of software to run on some PS3 consoles. Allegedly, the private key can be used to modify and sign the "LV0" (Level 0), for example to disable its security checks. When the PS3 system boots, from version 3.60 of the PS3's firmware, the LV0 is directly launched by the bootloader (bootldr) that is built into the system's hardware – which means that the chain of trust is broken at a very early stage. As Sony won't be able to update the bootloader with a software update, the hacker community considers this the "final hack" of the PS3 in its current forms. Eurogamer says that these keys may not have been released at all if not for a Chinese hacking outfit called "BlueDiskCFW," who gained access to the keys and planned to charge for new custom firmware updates it would create. The original group that created the LV0 had no plans on releasing them, but eventually they were leaked onto the Internet in some limited fashion. Seeing that someone was going to profit on them, the group known as "The Three Tuskateers" decided to release them into the wilds of the Internet. 
In a statement the hacker group says that "You can be sure that if it wouldn't have been for this leak, this key would never have seen the light of day, only the fear of our work being used by others to make money out of it has forced us to release this now," 





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Microsoft Issues 'fix it' To Close Internet Explorer 0-day Vulnerability

Posted by Avik Sarkar On 9/20/2012 05:40:00 pm

Microsoft Issues 'fix it' To Close Internet Explorer 0-day Vulnerability 

Last few days the whole cyber world have gone through with so many drama of Internet Explorer's security bug, as researchers have unveiled four active exploits of a zero-day vulnerability in the browser. As expected the software giant Microsoft has released an emergency fix to get rid of these major security issues. Microsoft released a “fix it” tool for a critical security flaw in most versions of Internet Explorer 6, 7, 8 and 9  that hackers have been exploiting to break into Windows systems. The company said it expects to issue an official patch (MS12-063) for the vulnerability on Friday, Sept. 21. "While we have only seen a few attempts to exploit this issue, impacting an extremely limited number of people, we are taking this proactive step to help ensure Internet Explorer customers are protected and able to safely browse online," said Yunsun Wee, director of Microsoft Trustworthy Computing in a statement. The zero-day in IE 6-9 is a use-after-free memory corruption vulnerability, similar to a buffer overflow, that would enable an attacker to remotely execute code on a compromised machine. The original exploit payload dropped the PoisonIvy remote access Trojan (RAT) via a corrupted Flash movie file. The latest payload discovered dropped the PlugX RAT via the same corrupted Flash movie, Blasco said. He also said the new exploits are the work of the Chinese hacker group Nitro, the same group behind a pair of Java zero-day exploits disclosed in August.

Blasco also said the new exploits appear to be targeting defense contractors in the United States and India.
Microsoft recommended several workarounds Tuesday morning before announcing its intention to send out a FixIt.
  • Setting Internet and local Internet security zone settings to high, which would block ActiveX Controls and Active Scripting in both zones
  • Configure IE to prompt the user before running Active Scripting, or disable Active Scripting in both zones
  • Use of Microsoft's Enhanced Mitigation Experience Toolkit provides mitigations as well, and would not impact website usability, as both of the first two options might.
Microsoft also said that IE running on Windows Server 2003, 2008 and 2008R2 runs in a restricted mode that mitigates the vulnerability. Outlook, Outlook Express and Windows Mail also open HTML messages in a restricted zone, mitigating the vulnerabilty but should a user click a link in a message, they could still be vulnerable to exploit.





SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

0-day Vulnerability Found in Java Spotted in the Wild

Posted by Avik Sarkar On 8/30/2012 01:39:00 am

0-day Vulnerability Found in Java Spotted in the Wild

Yet another 0-day vulnerability found by FireEye's Malware Intelligence Lab that affects all the latest version of Java , including the current Java 7 update 6, are also vulnerable to the hole that is already being exploited in the wild. With the publication of a vulnerability notice by the US-CERT and warnings from the German BSI (Federal Office for Information Security), the best advice for all users is to disable Java applets in their browsers on all operating systems. The vulnerability can be exploited when a user visits a specially crafted web site and can be used to infect a system with malware. The code to exploit the problem is already available on the internet, making its use for infecting systems very likely. There is no patch available for the flaw so it is essential that users disable the Java plugins used by their browsers. Instructions for the various browsers can be found below:


Several security firms have already declared that, this newly found Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. "Exploit code for the Java vulnerabilities has been added to the most prevalent exploit kit out there, Blackhole," said Websense in a short post on its company blog. The addition of the exploit to Blackhole was cited by FireEye researcher Atif Mushtaq in a similar blog entry yesterday as the basis for a spike in attacks. "After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands," said Mushtaq.


-Source (The-H, CW)



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Microsoft Fixed The Password Reset Vulnerability in Hotmail

Posted by Avik Sarkar On 5/01/2012 04:48:00 pm

Microsoft Fixed The Password Reset Vulnerability in Hotmail  

Recent security issue I mean the 0-day vulnerability on hotmail, which was allowing users to reset passwords remotely has been fixed. The vulnerability existed in Hotmail's password reset feature. Hackers were able to use a Firefox add-on called Tamper Data to intercept the outgoing HTTP request following a password reset request and modify the data, locking out the account holder and gaining access to their inbox.
 Microsoft security team said in a tweet on Friday that it had "addressed a reset function incident to help protect Hotmail customers", and that no further action was needed on the customer's part. "The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based) … Successful exploitation results in unauthorised MSN or Hotmail account access," the researchers wrote on Thursday. Although public disclosure only came on Thursday, reports had already been circulating of the flaw's exploitation.  The WhiteC0de blog noted a week ago that the exploit had "spread like wildfire across the hacking community", with victims losing money and, in some cases, valuable usernames. The Whitec0de report also noted rumours of a separate "critical vulnerability" in Hotmail that is also being exploited by hackers, but stressed that there was no evidence yet of these rumours' veracity.

-Source (ZDnet)  



SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Internet Explorer & Firefox Also Became Victim To Hackers At Pwn2Own

Posted by Avik Sarkar On 3/12/2012 09:42:00 pm

Internet Explorer (IE 9) & Firefox 10.0.2 Also Became Victim To Hackers At Pwn2Own
At Pwn2Own contest the web-browsers are getting hacked in a series. First it was the turn of Google Chrome where Sergey Glazunov, a Russian security researcher has earned $60,000 by demonstrating how he could waltz past the security sandbox in Google's Chrome browser to run unauthorized code on fully-patched Windows 7 computers. Then the time came for Microsoft's Internet Explorer. A team from a French security firm managed to hack IE 9 on a fully patched Windows 7 SP1 machine. The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously-unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system. They managed to bypass the browser's DEP and ASLR protection with a 0-day heap overflow vulnerability, and then used a separate memory corruption bug to break out of its Protected Mode, which is effectively a sandbox. According to VUPEN founder Chaouki Bekrar, these particular flows have existed in previous incarnations of the browser - all the way back to IE 6 - and will very likely work on the upcoming IE 10.
Then the turn of Firefox came. Mozilla’s Firefox is the latest browser to fall victim to hackers at this year’s Pwn2Own hacker contest. Two researchers working together – Willem Pinckaers and Vincenzo Iozzo — exploited a single zero-day vulnerability in the latest Firefox 10.0.2 on a fully patched Windows 7 SP1 PC to cart off a $30,000 cash prize.


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Armitage (Cyber Attack Management Tool For Metasploit) Ver 01.19.12 Released

Posted by Avik Sarkar On 1/23/2012 12:02:00 am

Armitage Ver 01.19.12 Released!!!


Earlier  couple of time we have discussed about Armitage. It is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework. Armitage aims to make Metasploit usable for security practitioners who understand hacking but don’t use Metasploit every day. If you are new in Metasploit adn want to learn its advanced features then Armitage can only help you. Now, the author has released an updated version – Armitage version 01.19.12!

Official Change Log For Armitage 01.19.12:- 

  • Data export now includes a sessions file. This lists all of the Metasploit sessions you had in your database. There’s some neat data here including which exploit was used, which payload, start time, and close time. You can calculate how much time you spent on your client’s boxes. Cool stuff.
  • Fixed a potential dead-lock caused by mouse enter/exit events firing code that required a lock. Nice landmine to defuse.
  • Fixed a weird condition with d-server detection. Sometimes (rarely) Armitage wouldn’t detect the d-server even when it’s present.
  • Added check to d-server allowing one lock per/client. Client won’t reobtain a lock until it lets it go. This prevents you from opening two shell tabs for a shell session in team mode.
  • Fixed an infinite loop condition when some Windows shell commands would return output with no newlines (e.g., net stop [some service]). Thanks Jesse for pointing me to this one.
  • Data export now includes a timeline file. This file documents all of the major engagement events seen by Armitage. Included with each of these events is the source ip of the attack system and the user who carried out the action (when teaming is setup).
  • Data export now exports timestamps with current timezone (not GMT)
  • Fixed a nasty bug that’s been with Armitage since the beginning! I wasn’t freeing edges properly in the graph view. If you had pivots setup in graph view and used Armitage long enough–eventually Armitage would slow down until the program became unusable. At least it’s fixed now.
  • Adjusted the d-server state identity hash combination algorithm to better avoid collissions.
  • Armitage now displays ‘shell session’ below a host if the host info is just the Windows shell banner. 

The latest Armitage is installed with Metasploit 4.1.0+. If you want to use Armitage as a remote Metasploit client Then Click Here




SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Oracle Issued Critical Patch Update (CPU) For 78 Security Holes

Posted by Avik Sarkar On 1/18/2012 11:31:00 pm


As expected Oracle today officially released their January security update. In this critical patch update they have closed 78 security holes.  The company says that these patch day updates address vulnerabilities in "hundreds of Oracle products". 16 of the vulnerabilities patched are remotely exploitable without authentication. Affected products include Oracle Database 10g and 11g, Fusion Middleware 11g, Application Server 10g, Outside In Technology, WebLogic Server, versions 11i and 12 of its E-Business Suite, Oracle Transportation Management, JD Edwards, Sun Ray, VM Virtualbox, Virtual Desktop Infrastructure, MySQL Server, and PeopleSoft Enterprise CRM, HCM and PeopleTools,. A vulnerability in Solaris 9, 10 and 11 Express's TCP/IP is the highest rated of these with a CVSS score of 7.8 out of 10.0.

According to Oracle:- 

Affected Products & Components:-

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below.  The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column.   Please click on the link in the Patch Availability column below or in the Patch Availability Table to access the documentation for those patches.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policyis as follows:
Affected Products and VersionsPatch Availability
Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3Database
Oracle Database 11g Release 1, version 11.1.0.7Database
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5Database
Oracle Database 10g Release 1, version 10.1.0.5Database
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0Fusion Middleware
Oracle Application Server 10g Release 3, version 10.1.3.5.0Fusion Middleware
Oracle Outside In Technology, versions 8.3.5, 8.3.7Fusion Middleware
Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5)Fusion Middleware
Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3E-Business Suite
Oracle E-Business Suite Release 11i, version 11.5.10.2E-Business Suite
Oracle Transportation Management, versions 5.5, 6.0, 6.1, 6.2Oracle Supply Chain
Oracle PeopleSoft Enterprise CRM, version 8.9PeopleSoft
Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1PeopleSoft
Oracle PeopleSoft Enterprise PeopleTools, version 8.52PeopleSoft
Oracle JDEdwards, version 8.98JDEdwards
Oracle Sun Product SuiteOracle Sun Product Suite
Oracle VM VirtualBox, version 4.1Oracle Virtualization Product Suite
Oracle Virtual Desktop Infrastructure, version 3.2Oracle Virtualization Product Suite
Oracle MySQL Server, versions 5.0, 5.1, 5.5Oracle MySQL Product Suite


For More Information Click Here


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

0-Day Vulnerability in Yahoo Messenger, An Attacker Can Change The Status Update Remotely

Posted by Avik Sarkar On 12/04/2011 04:41:00 pm


Zero day exploit found in Yahoo messenger allowing attackers to change the status update remotely. Version 11.x of the Messenger client (including the freshly-released 11.5.0.152-us) is infected with this 0day vulnerability. The status message change occurs when an attacker simulates sending a file to a user. This action manipulates the $InlineAction parameter (responsible for the way the Messenger form displays the accept or deny the transfer) in order to load an iFrame which, when loaded, swaps the status message for the attacker's custom text. This status may also include a dubious link. This iFrame is sent as a regular message and comes from another Yahoo Instant Messenger user, even if the user is not in the victim’s contact list. The exploit delivers its payload when the attacker simulates sending a file to the user. The bogus file tricks Messenger into loading an iFrame that then swaps the status message for whatever garbage the attacker wants to load, including a potentially "dubious" link, as Bitdefender describes it. The iFrame comes over as a regular message from another Yahoo Instant Messenger user, even if the user isn't in the victim's contact list.

  • Why it is so dangerous? 
Status messages are highly efficient in terms of click-through rate, as they address a small group of friends. Chances are that, once displayed, they will be clicked by most contacts who see them. One scenario: the victim's status message is swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments or even a PDF bug, to mention only a few. Whenever a contact clicks on the victim’s status message, chances are they get infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked.
Another lucrative approach to changed status messages is affiliate marketing (ie: sites that pay affiliates for visits or purchases through a custom link). Someone can easily set up an affiliate account, generate custom links for products in campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then, they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business.


  • Who is Safe?
You are running a Bitdefender security solution (Bitdefender Antivirus Plus, Bitdefender Internet Security or Bitdefender Total Security). We detect this threat via the HTTP scanner and block it before it reaches the Messenger application.
You have Yahoo Messenger set to “ignore anyone who is not in your Yahoo! Contacts“(which is off by default).


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Duqu Detector Toolkit By CrySyS Lab

Posted by Avik Sarkar On 11/13/2011 08:55:00 pm

CrySyS Duqu detector toolkit released. 


The researchers at the lab credited with identifying the zero-day delivery mechanism of the Duqu bot, the Hungarian Laboratory of Cryptography and System Security (CrySyS), have released a toolkit for detecting the pest, even after components of it have been removed from a system.

According to CrySyS Lab Statement:-
"Our lab, the Laboratory of Cryptography and System Security (CrySyS) pursued the analysis of the Duqu malware and as a result of our investigation, we identified a dropper file with an MS 0-day kernel exploit inside. We immediately provided competent organizations with the necessary information such that they can take appropriate steps for the protection of the users."

The DuquDetector software comprises four executable tools which in turn scan for Duqu-infected system drivers, PNF files with "suspiciously high entropy", Duqu's temporary files and PNF files with no corresponding .inf files. It places these results in a logfile for an experienced practitioner to analyse. The combination of signature and heuristics-based analysis does mean that, as with other tools for detecting anomalies, false positives can get generated. For more details click Here

To download the Duqu Detector by CrySyS Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search