Posted September 26, 2008 by rippinchikkin (view all posts) in Security News
by Dancho Danchev
September 25th, 2008 @ 4:33 pm

Aditya K Sood from the EvilFingers community, which disclosed the first Chrome DoS vulnerability at the beginning of the month, has released a proof of concept demonstrating a memory exhaustion DoS vulnerability affecting Google’s Chrome versions Chrome/0.2.149.30 and Chrome/0.2.149.29:

“The Google chrome browser is vulnerable to memory exhaustion based denial of service which can be triggered remotely. The vulnerability triggers when Carriage Return (\r\n\r\n) is passed as an argument to the window.open() function. It makes Google Chrome generate a number of windows at the same time, thereby leading to memory exhaustion.

The behavior can be easily checked by looking at the task manager, as in no time the memory usage rises high. The problem lies in the handling of the object and its value returned by the JavaScript function. Once it is triggered, the pop-ups start generating. The Google Chrome browser generates object windows continuously, thereby affecting the memory of the resultant system. Probably it can be crashed within no time. User interaction is required in this.”


What’s Google’s take on this flaw, and have they acknowledged it already? Zero Day asked the researchers.
257 Views and 0 Comments
Posted September 24, 2008 by rippinchikkin (view all posts) in Security News
By John Leyden
24th September 2008 09:29 GMT

Mozilla published a new version of its Firefox web browser on Tuesday that fixes five security vulnerabilities, two of which it rates as critical. Firefox version 3.0.2 fixes a memory corruption bug and a separate critical bug involving privilege escalation and the XPCnativeWrapper component of the browser.

Both create possible mechanisms for hackers to inject hostile code into vulnerable systems using rigged websites, or perform similar tricks. The same two critical bugs are fixed in Firefox 2.0.0.17, for those still using the earlier version of the browser. There's no evidence that either critical flaw has been exploited by hackers but prudence would steer towards early patching.

Judging from past experience automatic updates from Mozilla will appear in about a day or so. The updates also fix three lesser flaws - two of which are rated as moderate and one of which earns a low risk rating. All five flaws are explained in Mozilla's release notes here and there's additional commentary from the good folk of the Internet Storm Centre here.
261 Views and 0 Comments
Posted September 23, 2008 by rippinchikkin (view all posts) in Security News
By John Timmer
September 23, 2008 - 05:15AM CT

For most of us, security issues happen to "other people"—we block popup ads, we carefully examine dialog boxes and, for those of us on the Mac platform, we snicker when confronted with something that attempts to mimic a Windows system warning. But everyone knows that they are exceptional—what's the behavior of a more typical user like?

Some researchers have tested how college students respond to fake dialog boxes in browser popup windows and found that the students are so anxious to get the dialog out of the way, they click right through obvious warning signs. The authors, who work in the Psychology Department of North Carolina State University, crafted a set of four fake dialog boxes.

All of them contained the following warning: "The instruction at '0x77f41d24 referenced memory at '0x595c2a4c.' The memory could not be 'read.' Click OK to terminate program." One of the warnings was indistinguishable from the standard Windows XP system dialog, but the remaining three had a number of warning signs that should tip off users to potential malware.

In all cases, mousing over the "OK" button would cause the cursor to turn into a hand button, behavior more typical of a browser control; all dialogs also had minimize and maximize buttons, while a second added a browser status bar to the bottom of the window. Finally, the most blatant one alternated between black text and a white background and a white-on-black theme. All of these should metaphorically scream, "This is not safe!"

265 Views and 0 Comments
Posted September 22, 2008 by rippinchikkin (view all posts) in Security News
by Adam O'Donnell @ 8:46 pm
September 21st, 2008

One of the most important questions we should be asking ourselves in light of the Palin webmail hack discussed at length here, here and here is how it could have been prevented. There are several software techniques that I can think of off the top of my head that would help webmail prevent malicious password reset attacks.

I am generally not a believer in the “throw software at the problem” model of security. Software is a tool that should be purchased and applied when necessary, but it is not a panacea. However, I could think of several software solutions that would have stopped the social engineering attack. For example, some form of anomaly detection could be used on connecting IP addresses for the password reset form on Yahoo’s website.

The trigger rules for when to prevent an IP from resetting a password could be as simple as “if this person has never been to the geographical area associated with this IP address, don’t allow the password to be reset.” Another could be a client-side fingerprinting technique to determine if it is a completely novel computer system that is attempting to reset the password.

A third could be using her cell phone number as a second authentication factor, and have the password reset by sending a short code to her handset. Providers have to be very careful in the implementation of each of these proposals lest they increase the number of people who can’t use the automated systems and need to talk to a human being.
228 Views and 0 Comments
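The three controls proposed in the article above (geographic novelty, client novelty, a short code sent to a registered handset) can be combined so that an unusual request is stepped up rather than refused. The following is an added example, not code from the article or from any webmail provider; the field names, the decision labels, the ten-minute lifetime and the three-attempt limit are assumptions, and the geo-IP lookup, fingerprinting and SMS delivery are outside its scope.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_TTL_SECONDS = 600   # assumed lifetime of a short code
MAX_ATTEMPTS = 3         # assumed guess limit per issued code

@dataclass
class Account:
    seen_regions: set                      # geo-IP regions of past successful logins
    seen_fingerprints: set                 # client fingerprints of past successful logins
    verified_phone: Optional[str] = None   # handset registered before any reset
    pending: Optional[dict] = None         # state of the outstanding short code

def assess_reset(account, region, fingerprint):
    """Apply the two novelty rules; return (decision, reasons)."""
    reasons = []
    if region not in account.seen_regions:
        reasons.append("novel_region")
    if fingerprint not in account.seen_fingerprints:
        reasons.append("novel_client")
    if not reasons:
        return "allow", reasons
    # Step up instead of refusing outright, so a travelling owner with a
    # registered handset is not pushed to a human operator.
    if account.verified_phone:
        return "sms_code", reasons
    return "human_review", reasons

def issue_code(account, now):
    """Create a six-digit code for the SMS gateway; keep only its digest."""
    code = f"{secrets.randbelow(10**6):06d}"
    account.pending = {
        "digest": hashlib.sha256(code.encode()).hexdigest(),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code

def verify_code(account, submitted, now):
    """Check a submitted code: single use, time limited, attempt limited."""
    state = account.pending
    if state is None:
        return False
    if now > state["expires"] or state["attempts"] >= MAX_ATTEMPTS:
        account.pending = None   # expired or guessed too often: start over
        return False
    state["attempts"] += 1
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    if hmac.compare_digest(digest, state["digest"]):
        account.pending = None   # a code works exactly once
        return True
    return False

if __name__ == "__main__":
    # Constructed sample account and requests.
    owner = Account({"region-home"}, {"fp-home-laptop"}, verified_phone="+1-555-0100")
    print(assess_reset(owner, "region-home", "fp-home-laptop"))
    print(assess_reset(owner, "region-elsewhere", "fp-unknown"))
    code = issue_code(owner, now=0)
    print(verify_code(owner, code, now=30))
```
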
Posted September 10, 2008 by rippinchikkin (view all posts) in Security News
By Gregg Keizer
September 9, 2008

Microsoft Corp. today patched eight vulnerabilities, all rated critical, in four security updates for Windows, Office, Windows Media Player, Internet Explorer 6, SQL Server and other programs.

Unlike last month, when Microsoft issued 12 bulletins that fixed 26 flaws, today's patched vulnerabilities did not include any that have already been exploited in the wild. "It doesn't look too bad today," said Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., comparing the count to August's. "Although anything running Windows will have to be updated with MS08-052."

The update in that bulletin, highlighted by Storms and other experts as the one most crucial to apply immediately, fixes a total of five vulnerabilities in the GDI+ component of Windows. GDI+ (Graphics Device Interface) debuted in Windows XP and is a core part of Windows Vista and the current server-side operating systems, Windows Server 2003 and Windows Server 2008.

"It's one of the foundations for graphic display in Windows," said Storms. "Anyone running XP or newer -- and who isn't these days -- will have to update." Hackers could exploit the GDI+ bugs by sending specially-crafted image files in a variety of formats -- including EMF, GIF, WMF and BMP -- to a user via e-mail, or by convincing users to visit sites that contain malicious image files.


295 Views and 0 Comments
Posted September 05, 2008 by rippinchikkin (view all posts) in Security News
By Aharon Etengoff
5 September 2008, 9:20 AM

THE VOLE has announced plans to issue four critical patches on 9 September. Two of the patches are slated to correct serious security vulnerabilities found in Windows Media Player and Encoder.

Another patch labelled "Windows Bulletin" will fix multiple IE bugs, XP and Vista errors, as well as .NET Framework glitches. Updates will also be provided for Digital Image Suite, Visual Studio, Visual FoxPro, Forefront Client Security and Microsoft Server 2003\2008. The fourth patch should repair numerous Office security breaches discovered in XP, 2003, 2007 and OneNote.

All four security bulletins target critical vulnerabilities and are designed to prevent hackers from remotely installing malicious code, according to Microsoft's advanced notification. So should you happen to be a malicious hacker, you know what to concentrate on for the next few days.
251 Views and 0 Comments
Posted September 01, 2008 by rippinchikkin (view all posts) in Security News
By Gregg Keizer
September 1, 2008

Malware has once again managed to get from Earth onto the International Space Station, a NASA spokesman confirmed last week. The attack code infected at least one laptop used on the station, an international operation led by the U.S. and Russian space agencies.

The NASA spokesman declined to identify the malware, saying only that antivirus software had detected it on July 25. The SpaceRef.com news site last week identified the bug as W32.Gammima.AG. The spokesman said the worm posed no threat to the station or its crew. "It was never a threat to any command-and-control or operations computer," he said.

The spokesman refused to disclose how the malware was installed on the computer, though an entry into the station's daily logs, posted on NASA's Web site, suggests that digital camera storage cards may be responsible. The spokesman did acknowledge that "there have been other incidents" of malware discovered on space station computers.

"I don't know when the first one was, but the station will have been in orbit for 10 years [come] November," he said. The malware discovery was first disclosed in the daily log by space station Commander Sergey Volkov on Aug. 11. Volkov reported finding the malware after running "digital photo flash cards from storage through a virus check with the Norton AntiVirus application."
349 Views and 0 Comments
Posted August 20, 2008 by rippinchikkin (view all posts) in Security News
by Elinor Mills
August 20, 2008 1:06 PM PDT

A security researcher has unearthed evidence via Google and its Chinese counterpart that supports claims that several Chinese gymnasts are younger than they should be for competing. The New York Times was probably the first to report about digital evidence that the Chinese athletes are underage.

"Online records listing Chinese gymnasts and their ages that were posted on official Web sites in China, along with ages given in the official Chinese news media, however, seem to contradict the passport information, indicating that He (Kexin) and Jiang (Yuyuan) may be as young as 14--two years below the Olympic limit," stated the Times article, posted about three weeks ago.

Then last week, the Associated Press found evidence of its own--a Xinhua state news agency report listing He's age as 13 just nine months before the Olympics began. The AP saved a copy of the Web page, which it said could not be accessed later in the day. This week security researcher "Stryde Hax" detailed his findings about discrepancies in the gymnasts' ages that he found via his own Internet searches.

The data he gathered bolsters the claims made by the Times and the AP. Stryde, who says he is a consultant at security firm Intrepidus Group, wrote on Tuesday about how he searched Chinese Web sites for Excel spreadsheets containing "He Kexin" and "1994," which is her alleged birthday, according to some of the uncovered Internet evidence.

308 Views and 0 Comments
Posted August 13, 2008 by rippinchikkin (view all posts) in Security News
By Gregg Keizer
August 12, 2008

Security researchers today disputed claims that a well-known Russian hacker-hosting network is responsible for cyberattacks against sites belonging to Georgia, the former Soviet republic that has been battling Russian military forces since Friday.

Rather than blame the notorious Russian Business Network -- as researcher Jart Armin did over the weekend -- other researchers said today that it appears that the attacks originated from a "hacker militia" of Russian botnet herders and volunteers.

"They mobilize themselves without a need for a central location to do so, distribute the targets, discuss the attack approaches, come up with a plan on the coordination, and you have everyone participating," Bulgarian security researcher Dancho Danchev said in an instant messaging interview early today.

Danchev and others have found evidence that points to a self-starting militia composed of volunteer hackers and cybercriminals who control large-scale bots, or collections of previously-compromised computers, as being behind the escalating attacks that have knocked Georgian sites offline.
333 Views and 0 Comments
Posted August 11, 2008 by rippinchikkin (view all posts) in Security News
By Peter Bright
August 11, 2008 - 07:30AM CT

One of the papers presented at the Black Hat USA 2008 security conference was an analysis of a number of the protection mechanisms built into Windows Vista and Windows Server 2008 that are designed to make it harder to convert software bugs into security flaws.

How to Impress Girls with Browser Memory Protection Bypasses, authored by security researchers Mark Dowd at IBM and Alexander Sotirov at VMware, presented a number of attacks against Vista's various security features in isolation, and then attacks that could disable multiple protections all together. Put together, the result is that Vista's mitigation mechanisms are circumvented, making buggy software exploitable.

The security features being bypassed are all intended to minimize the impact of buffer overflows. Buffer overflows are a particular kind of programming error that occurs when a program attempts to store too much data in the buffer allocated for the data. This causes anything following the buffer to be overwritten. Buffer overflows are exploitable when it's possible to insert arbitrary executable code into a process and then make that code run.

If an attacker can do this then the attacker has gained the ability to do whatever he likes to the victim's computer. This kind of flaw is quite a common one, especially in the programming languages C and C++. Many high-profile software flaws have been of this type, from the Morris worm of the 1980s to the Code Red worm of 2001, and more recently the animated cursor vulnerability.
272 Views and 0 Comments
Posted August 07, 2008 by rippinchikkin (view all posts) in Security News
by Robert Vamosi
August 7, 2008 1:13 PM PDT

LAS VEGAS--How confident are you when using your laptop at a conference? For years, a group called Wall of Sheep has been showing attendees of Defcon when their network connections are insecure. The Wall of Sheep board has been a fixture at Defcon, Black Hat's sister conference set to begin tomorrow at the Riviera Hotel and Casino.

The board displays the names (with some identifying information obscured) of those connecting to the Internet in insecure ways. The idea is both meant to shame and educate users on best practices. "If the 'Best of the Best' in security can be hacked, think of the average users," said Riverside, a member of Aries Security, a group that maintains the Wall of Sheep.

For most of the year, the individual members (of which there are about seven) are scattered across the country, working in security at various companies. But for two weeks they come together in Las Vegas to plan and mount their equipment, though not without glitches. On Thursday, Riverside was addressing some hardware failures in a conference room at Caesars Palace.

"We have redundancy," he said. In the back of the room were various boxes and other electronic equipment and wires. In the past they've used their own equipment, although this year they're starting to get donations. "We're vendor agnostic," said Riverside, adding that they are using Windows, Mac, and various flavors of Linux.



319 Views and 0 Comments
Posted August 06, 2008 by rippinchikkin (view all posts) in Security News
By John Markoff
August 5, 2008 10:30 PM PDT

A criminal gang is using software tools normally reserved for computer network administrators to infect thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found.

The new form of attack indicates that little progress has been made in defusing the threat of botnets, networks of infected computers that criminals use to send spam, steal passwords, and do other forms of damage, according to computer security investigators. Several security experts say that although attacks against network administrators are not new, the systematic use of administrative software to spread malicious software has not been widely seen until now.

The gang was identified publicly in May by Joe Stewart, director of malware research at SecureWorks, a computer security firm in Atlanta. Stewart, who has determined that the gang is based in Russia, was able to locate a central program controlling as many as 100,000 infected computers across the Internet. The program was running at a commercial Internet hosting computer center in Wisconsin.

Stewart alerted a federal law enforcement agency that he declined to identify, and he said that it was investigating the matter. Although the original command program was shut down, the gang immediately reconstituted the system, he said, moving the control program to another computer in the Ukraine, beyond the reach of law enforcement in the United States.
692 Views and 0 Comments
Posted August 06, 2008 by rippinchikkin (view all posts) in Security News
By Joel Hruska
August 05, 2008 - 10:35PM CT

Social websites like Facebook and MySpace have attracted a great deal of attention as targets of opportunity for phishing scams, but they are scarcely the only two social networking sites.

New information suggests that hackers have tuned in to the newfound popularity of microblogging, and are at the very least evaluating Twitter as a potential target. In a blog post at Kaspersky Labs' Viruslist, Dmitry Bestuzhev describes the attack and how it functions. The Twitter profile itself was created specifically for the attack; profile information is posted in Portuguese.

There's nothing on the page but a link to a video promising hot girl action; actually clicking on the file redirects the browser and instructs the user to download a new version of Adobe Flash that's supposedly required to watch the "film." By this point, alarm bells should've been ringing if they haven't already gone off; end-users who install the fake Flash update end up with what Dmitry describes as 10 banker Trojans, all disguised as MP3 files.

Based on information in the profile, the location of the web servers, and the e-mail the malware program sends, he believes this attack originated in Brazil—though it's virtually impossible to be 100 percent sure. The actual payload is nothing new, and delivery requires little more than a web server and some Trojans. The threat, as is typical with phishing schemes, lies within the attack vector itself.
386 Views and 0 Comments
Posted August 04, 2008 by rippinchikkin (view all posts) in Security News
August 4, 2008
By Robert McMillan

Nearly a month after a critical flaw in the Internet's Domain Name System was first reported, vendors of some of the most widely used firewall software packages are scrambling to fix a problem that can essentially undo portions of the patches that address this bug.

The DNS flaw affects server software made by many vendors, including Microsoft, Cisco Systems, and the Internet Systems Consortium. Some firewall software undoes a source port randomization feature that was introduced in the DNS patches. While this change doesn't completely negate the DNS patch, it could make it easier for attackers to pull off a cache-poisoning attack against the DNS server, security experts say.

This could lead to virtually undetectable phishing attacks against users of those DNS servers. Firewalls that do IP address translation -- converting the IP addresses used by computers on their internal networks to different IP addresses that are used by the other computers on the Internet -- can sometimes undo the source port randomization, security experts say.

The scope of the problem initially took some DNS experts by surprise, said Dan Kaminsky, the IOActive researcher who first discovered the DNS bug. "This is to some degree our fault," he said in an e-mail interview. "We underestimated the number of firewalls out there that were deployed in front of DNS servers." "Cisco, Juniper, Citrix and a number of other firewall vendors have been absolutely scrambling to update their equipment," he added.
263 Views and 0 Comments
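An operator can check for the condition described in the article above by recording the UDP source ports of a resolver's outbound queries on both sides of the address-translating firewall and comparing how unpredictable they are. The following is an added example, not code from the article or from any vendor; the function names, the verdict labels and the three cutoffs are assumptions, and the port lists are constructed sample data standing in for a packet capture.

```python
import statistics

MIN_SAMPLES = 10         # assumed minimum number of queries to judge
MIN_STDDEV = 3000.0      # assumed cutoff: lower spread counts as predictable
MAX_STEP = 16            # assumed: a next port this close looks sequential
SEQUENTIAL_RATIO = 0.8   # assumed share of small steps that flags a counter

def assess_source_ports(ports):
    """Score the source ports of consecutive outbound DNS queries."""
    if len(ports) < MIN_SAMPLES:
        raise ValueError("need at least %d observed queries" % MIN_SAMPLES)
    distinct = len(set(ports))
    spread = statistics.pstdev(ports)
    # Port-to-port step, modulo the 16-bit port space so wraparound counts.
    steps = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    small = sum(1 for s in steps if 0 < s <= MAX_STEP)
    ratio = small / len(steps)
    if distinct == 1:
        verdict = "fixed"            # pre-patch behaviour: one port for everything
    elif ratio >= SEQUENTIAL_RATIO or spread < MIN_STDDEV:
        verdict = "predictable"      # e.g. a NAT handing out ports in order
    else:
        verdict = "randomized"
    return {"verdict": verdict, "distinct": distinct,
            "stddev": round(spread, 1), "sequential_ratio": round(ratio, 2)}

def nat_undoes_randomization(inside_ports, outside_ports):
    """True when the resolver randomizes but the translated traffic does not."""
    inside = assess_source_ports(inside_ports)["verdict"]
    outside = assess_source_ports(outside_ports)["verdict"]
    return inside == "randomized" and outside != "randomized"

# Constructed samples: the same twelve queries seen on each side of the firewall.
INSIDE = [51234, 10293, 33871, 60412, 24519, 47002,
          1893, 58830, 15377, 39266, 29941, 62015]
OUTSIDE = list(range(1024, 1036))   # firewall rewrote the ports sequentially
UNPATCHED = [53] * 12               # resolver that always uses one port

if __name__ == "__main__":
    print("inside :", assess_source_ports(INSIDE))
    print("outside:", assess_source_ports(OUTSIDE))
    print("NAT undoes randomization:", nat_undoes_randomization(INSIDE, OUTSIDE))
```

The capture that matters is the one taken outside the firewall, since that is the traffic an off-path attacker has to guess against.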
Posted August 04, 2008 by rippinchikkin (view all posts) in Security News
By Nick Farrell
04 August 2008, 11:53 AM

THOUSANDS OF PEOPLE are finding themselves without a ticket to the Beijing Olympics after being taken in by an online scam. The slick, professional-looking Website, beijingticketing.com, which boasts offices in Sydney, London and New York, is actually a scam and its owners have done a runner.

The International Olympic Committee (IOC) has received complaints from hundreds of alleged victims all over the world with some customers handing over thousands of dollars for non-existent tickets. It seems that the biggest victim was a Texas-based travel agent, Jolanta Sochacka who shelled out $57,000 for a family of seven. She said that the company looked so legitimate because its website was so elaborate.

Hacks have tailed the company to an empty office in Phoenix, Arizona and the IOC and the US Olympic Committee (USOC) will today ask a federal judge in San Francisco for an order to shut the website down.
287 Views and 1 Comment