View Full Version : Browsers under attack - archive

2008-02-28, 15:48
FYI... http://www.theregister.co.uk/2008/02/15/browser_exploitation/
15 February 2008 - "Cybercriminals are stepping up their efforts to exploit vulnerabilities in web browsers to spread malware using drive-by download techniques. Research by Google's anti-malware team on three million unique URLs on more than 180,000 websites automatically installed malware onto vulnerable PCs. Hackers are increasingly trying to trick search sites into pointing surfers onto maliciously constructed sites. More than one per cent of all search results contain at least one result that points to malicious content, Google reports*, adding that incidents of such attacks has grown steadily over recent months and continues to rise. Google's team also reports that two per cent of malicious websites are delivering malware via tainted banner ads. Israeli security firm Finjan has also observed a rise in the tactic over recent months, noting that many malicious ads are served from legitimate websites. A security report from IBM's X-Force division said cybercriminals are "stealing the identities and controlling the computers of consumers at a rate never before seen on the internet"..."
* http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html

>>> (Keep things patched! Is your browser up-to-date?...)

Cumulative Security Update for Internet Explorer
- http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx

Firefox v2.0.0.12 released
- http://www.mozilla.com/firefox/

Opera v9.26 released
- http://www.opera.com/download/

Safari -not- recommended by PayPal
- http://preview.tinyurl.com/yr8d4z
February 27, 2008 (Computerworld) - "...Safari doesn't make PayPal's list of recommended browsers because it doesn't have two important anti-phishing security features, according to Michael Barrett, PayPal's chief information security officer. "Apple, unfortunately, is lagging behind what they need to do, to protect their customers," Barrett said in an interview. "Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera." Safari is the default browser on Apple's Macintosh computers and the iPhone, but it is also available for the PC. Both Firefox and Opera run on the Mac. Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari's lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site... Barrett says data compiled on PayPal's Web site show that the EV certificates -are- having an effect..."
* https://www.paypal-media.com/inthenews.cfm


2008-02-28, 20:25

- http://www.secprodonline.com/articles/58887/
February 28, 2008 - "...Hacking continues to evolve in sophistication and the Web browser now presents an opening for sensitive information to be stolen by increasingly simple methods. This includes basic coding that allows malicious Web sites to automatically steal sensitive information from visitors. Commonly associated with "seedy" Web sites ("warez," gambling and pornography), the threat of browser-based attacks has expanded to more "acceptable" sites that might include social networking, religious organization and university sites. Further complicating the issue is the high demand for browser functionality that often outweighs the demand for security. Many well-known and useful technologies that are integrated with current browser environments, including Flash, ActiveX, QuickTime, Java and JavaScript, each pose a potential attack vector into the enterprise. Other vulnerabilities include how browsers themselves handle particular pieces of code, such as iFrames, whose weaknesses have been known to cause massive incidents in enterprises when exploited... To help thwart browser-based security threats, IT security professionals increasingly are focusing resources and attention at better protecting the Web browser through hardy URL filtering solutions. These Web content filtering solutions block sites that are not related to business activities, greatly reducing the risk of browser-related infections. However, simple filtering methods will not completely eliminate the malware danger. More sophisticated solutions, such as anti-malware, automated code filtering and botnet detection, are currently being added to Web filtering technologies in an effort to thwart complex browser-related attacks."


2008-02-29, 15:42

- http://blog.trendmicro.com/arsenal-fan-site-compromised-serves-malware/
February 28, 2008 - "Sports fan sites being compromised by malicious authors is not unheard of. We’ve seen it happen to a Jets fan site in early January this year, and we’re seeing it again in another fan site – this time of Arsenal, a popular English soccer team. The compromised Web site in this case is Onlinegooner.com, which was reported by ScanSafe OI to be “maliciously active.” STAT* confirmed that the fan site had been injected with malicious code..."
* http://preview.tinyurl.com/ytkm9m
February 22, 2008 (Scansafe blog) - "...STAT discovered the site had been the victim of a code injection compromise. Visitors to the site are subjected to exploits which lead to the initial download of malware ...(hosted in Thailand). That malware then attempts to download additional malicious files ...(hosted in Hong Kong) and ...(another, hosted in Moscow, Russia). Installed malware includes a kernel-mode rootkit, keylogger, backdoor, and a DNS client used for ARP poisoning and DNS spoofing (Man-in-the-Middle attacks). Capabilities of the DNS client include intercepting, interpreting and rerouting of MX (email), NS (specifies authoritative nameservers), A (resolves hostnames to IP address), CNAME (resolves multiple hostnames to a single IP), and PTR (reverse lookups). Detection among traditional antivirus vendors is extremely low with only 8/31 scanners detecting the initially downloaded malware and 4/31 scanners detecting the maliciously installed DNS client used in the man-in-the-middle attacks. The attack itself is silent thus visitors to the site who have been impacted will unlikely be aware that some pretty severe malware has just been foisted onto their system..."

Leading nominee for "Worst 'drive-by download' of the Year"...


2008-03-03, 17:58

- http://www.f-secure.com/weblog/archives/00001393.html
March 3, 2008 - "...The MBR is the rootkit's launch point. Therefore it doesn't need to make any registry changes or to modify any existing startup executables in order to launch itself. This means that the only hooks it needs to make are used to hide and protect the modified MBR. Essentially this means that the rootkit hooks only two DWORDs from the disk.sys driver object... It is known that the rootkit's main purpose is to act as an ultimate downloader. To be stealthy and effective it is essential that the rootkit does not trigger nor is blocked by personal firewalls... During the weekend our Security Lab started to receive information about multiple drive-by exploit sites spreading the latest version... The actual site hosting the exploit code utilizes the following exploits:
Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow ...
The downloaded payloads seem to clearly target online banking and other financial systems. We detect the latest MBR rootkit variant as Backdoor.Win32.Sinowal.Y. The exploit site is currently resolving to an IP address of and seems to still be active..."

(Screenshots available at the URL above.)


2008-03-04, 00:19

Google - scope of drive-by malware is 'significant'
- http://preview.tinyurl.com/2ks9cw
03/03/2008 (Network World) - "How ironic that Google allows you to initiate a Web search by clicking on a button labeled "I'm Feeling Lucky." The button is supposed to take you to the first Web site that turns up in your search. Instead, it just might take you to malware hell. In a preliminary report issued by Google in early February (see All Your iFrames Point to Us in the Google blog*), researchers reveal the depth of the worldwide malware problem and conclude “the scope of the problem is significant”... Not long ago, wide-scale attacks that took aim at overwhelming computing resources were the preferred game plan. Such attacks use a “push” model. As network tools got better at defending against denial-of-service attacks, the bad guys adopted a “pull” model that has users inadvertently downloading unwanted payloads... For example, clicking on a link to an e-card that turns out to be bogus. The second, more ominous method is to automatically deliver the payload when the user lands on a compromised Web page. Worst of all is that landing on a malicious site is often completely out of the hands of the Web surfer, as he may actually be taken there without his knowledge... Seemingly benign Web sites – perhaps the kind that you visit everyday for work or pleasure – have the ability to deliver dangerous malware payloads. Suddenly, I don’t feel so lucky anymore..."
* http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html


2008-03-05, 13:18

- http://www.f-secure.com/weblog/archives/00001396.html
March 5, 2008 - "ZDNet Asia is one of my bookmarked online resources that I frequently visit. The site is NOT compromised per se; rather, their site's search engine was abused by an attacker with queries of popular keywords. Leveraging on the fact that the site is, legitimate, and has high page ranks, the popular search engines are returning some of these 'iFRAME'ed results in the first few pages of the search results. And the objective? To get the unsuspecting user to click on the link... The last time we checked, 20,600 cached pages loading the iFRAME was found. Upon clicking on the malicious link, you get redirected to some Russian Business Network's IPs and RBN* is notoriously known for hosting not only malware but also rouge antivirus and antispyware applications. At the end of the redirects, the unsuspecting user might be a victim of a Zlob trojan. We detect it as Trojan-Downloader:W32/Zlob.HOG."
(Screenshot available at the URL above.)

* http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080301


2008-03-06, 21:48

- http://www.theregister.co.uk/2008/03/06/googe_iframe_piggybacking/
6 March 2008 - "Updated: Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as TorrentReactor, ZDNet Asia and several other CNET-owned properties. As a result, more than 101,000 Google search results that appeared to lead to pages of legitimate sites actually directed end users to sites that attempted to install malware... Almost 52,000 Google results contained such redirects for ZDNet Asia... There were almost 50,000 poisoned links for TV.com sites and a handful for News.com and MySimon.com..."


2008-03-07, 16:42

- http://www.securitypark.co.uk/security_article.asp?articleid=260438&Categoryid=1
March 7, 2008 - "Today, e-crime is the domain of organised gangs, often from eastern Europe or China. They have just one motive. Now it’s all about making money. The main targets of today’s hackers are e-commerce web sites and the customer databases behind them. Databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else that’s needed to empty a victim’s bank account. Their operations are so slick that stolen data is exploited within seconds of it being submitted by unwitting victims. The big growth area in e-commerce right now is in the use of web-based applications to replace traditional over-the-counter or telephone-based transactions. Hackers have, understandably, latched onto this. According to Gartner, 75% of security breaches are due to flaws in software. Primarily because those applications have been put together as quickly as possible in order to get a working system out there, without due regard being given to the security implications. As the hackers continually attempt to up their game, the securities and futures industry in the US recorded, in 2007, a 150% annual increase in the amount of suspicious activity detected on its systems... To assist developers in ensuring that they write secure applications, various companies produce automatic software solutions that can help. These include code analysers that automatically scan source code for possible security issues. Others sit between web browser and server on your development network, analysing data flows and highlighting any potential problems, such as an opportunity for a hacker to redirect a web form to their own site. The internet is here to stay, as is internet crime..."

2008-03-07, 21:55

- http://www.f-secure.com/weblog/archives/00001398.html
March 7, 2008 - "A year or two ago, the malware author's preferred way of spreading their wares was via e-mail attachments. We all remember mass outbreaks like Bagle, Mydoom and Warezov. Well, sending EXE attachments in e-mail doesn't work anymore. Almost every organization is now dropping such risky attachments from their e-mail traffic. So virus writers have made a clear shift away from e-mail attachments to the Web: drive-by-downloads. This attack often still starts with an e-mail spam run; there's just no attachments in the e-mail anymore as it has been replaced by a web link. Some of these malicious web sites use exploits to infect you just by visiting a web page, others use compelling stories to fool you into downloading and running a program from the page. Many have missed this shift of attacks from e-mail to the web. There's a lot of companies measuring their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't. Those organizations that are not scanning their web traffic for malware should seriously consider starting to do it, right now. However, virus writers are moving again. We're now seeing more and more malicious e-mails that link to malware — not via HTTP but via FTP links. Case in point, a fake Hallmark greeting card spam we saw today... the link takes you to an owned computer which has an FTP site setup on it. And when the executable is downloaded, it turns out to be a Zapchast mIRC-bot variant. Better make sure your gateway scanner is configured to scan FTP traffic as well..."

(Screenshots available at the URL above.)


2008-03-08, 19:15
Another option...

- http://www.secureworks.com/research/blog/index.php/2008/03/07/
March 7, 2008 - "...The modern web browser is an incredible, complicated piece of software with a large attack surface. Throw on some third party software like ActiveX controls (most of which are chock full of buffer overflows) and you have a hacker’s playground. To make matters worse, all modern day browsers contain JavaScript interpreters which give attackers the ability to obfuscate their attacks in an infinite number of ways. Luckily there is a method for users to fight back against the majority of these JavaScript- based attacks: No Script (Firefox) and Trusted Sites (Internet Explorer). These methods take the same approach to security: Enumerating the good. Instead of playing whack-a-mole with all the new type of attacks that appear you allow the list of sites where JavaScript is allowed to come from.
To do this with Internet Explorer you must first disable active scripting for web sites in the “Internet” zone and then add trusted commonly access pages to the “Trusted Sites” zone. This change can be done through Active Directory and pushed out to all computers in your organization.
To achieve the same effect in Firefox you must install the No Script extension. By default this plug-in will block all JavaScript, java and flash (no more flash ads) content. You can then enable this content on a per page basis or import a list of trusted sites. By using either one of these methods you will be able to block the vast majority of browser-based attacks."

NoScript: http://noscript.net/

Using group policy to manage the list of trusted sites: http://support.microsoft.com/kb/816703

2008-03-15, 21:03

Controlling ActiveX Controls
- http://www.securityfocus.com/blogs/671
2008-03-13 - "...here are some quick thoughts on why browser accessible ActiveX controls are so frustrating:
1. ActiveX controls aren’t (usually) tied to the websites that installed them.
Meaning, any website can instantiate one and communicate with it. And by communicate with it, I mean perform memory corruption attacks that lead to remote code execution.
2. They are often written poorly.
Even more poorly than most 3rd party software. Overflows, arbitrary file access, you name it. You could probably find an ActiveX control that is actually vulnerable to every bug class.
3. They persist (and can be difficult to remove)...
After they get installed, you forget about it. Forever. Long after you have even logged into the website that convinced you to install it. Just waiting for someone to take advantage of issues 1 and 2 to make you part of their botnet.
4. They can be difficult to update.
Unlike a lot of software, ActiveX controls rarely have auto-update functionality. As a result, most people that are vulnerable, stay that way.
5. They are rarely necessary.
The worst part is, ActiveX controls are often add-ons that no one really needed and wouldn’t miss if they disappeared. A lot of times that I have seen them used, they were mostly there to make a UI feel more Win32 and less webby. The risk to benefit ratio has rarely been worth it..."


2008-03-20, 17:47

- http://www.symantec.com/avcenter/threatcon/learnabout.html
(03.20.2008) - "...DeepSight Threat Analyst Team is currently monitoring a number of ongoing mass SQL-injection attacks that are manipulating victim servers to host malicious content to browsing clients... Clients are advised to browse using strict security policies. The following list of strategies may prevent or hamper an attack:
- Run browser software with the least privileges possible.
- Disable JavaScript, IFRAMEs, and ActiveX controls.
- Enable OS security mechanisms such as Data Execution Prevention (DEP).
- Ensure that browsing software is up to date.
- Filter all web activity through security products such as an Intrusion Prevention system."


2008-03-31, 17:14

- http://www.f-secure.com/weblog/archives/00001408.html
March 31, 2008 - "...Nowadays sending .EXE attachments in e-mail doesn't work so well for the criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic. The criminals’ new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP. Infection by a drive-by download can happen automatically just by visiting a web site, unless you have a fully patched operating system, browser and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware. There are several methods criminals use to gather traffic to these websites.
- A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link...
- Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites...
- The third method of distributing malware involves the criminals hacking into existing high profile, high traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today’s criminal hackers don’t change the front page at all. They simply insert a line of javascript on the front page which uses an exploit to infect your machine when you go there... This has happened to the web sites of some popular magazines which can have a million users every single day...
- Another vector for drive-by downloads are infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don’t have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites.

It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't. Individuals and companies should therefore be scanning their web traffic for malware – as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links..."


2008-04-01, 23:04

- http://www.f-secure.com/weblog/archives/00001411.html
April 1, 2008 - "We've seen tons of banking trojans lately, but now we've run into something quite unique. This new banking trojan was found today from a drive-by-download site. We've added detection for it as Win32.Pril.A It not only infects the MBR of the machine, but also reflashes the boot code in the Flash BIOS, making disinfection problematic. Once an infected machine is online, the trojan monitors the users actions, waiting him to go to go to one of several hundred online banks, located all over the world. Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim. Now, the really surprising part is what the trojan does. Normal banking trojans would insert extra transactions or change the deposit account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw money from you - it actually inserts money TO your account. This looked so weird we had to test it several times, on all of our accounts. The drive-by-download site is still up..."

(Screenshot available at the URL above.)


2008-04-02, 18:32

- http://www.f-secure.com/weblog/archives/00001412.html
April 2, 2008 - "Injected iframes into legitimate sites are becoming more and more common these days. One of the latest targets is a Chinese government site... Please note that while the site adminstrators have been notified, the injected iframe is still present in the site at the time of this posting. The iframe downloads a page from another chinese site that redirects the browser to a .com site - that contains tons of new iframes. End result of this iframe jungle is that exploits try to download executables to the users computer... Drive-by-downloads are getting more sophisticated nowadays with this case using several exploits including MDAC and Real Player exploits. As always, remember safe computing pratices even when on familiar grounds, lest you find yourself iframed... Turns out that sony.com.cn seems to have similar iframe's added to some of it's page as well. We have been in touch with Sony and CERTs on this..."


2008-04-03, 03:46

- http://preview.tinyurl.com/yrxcym
April 2, 2008 (Symantec Security Response Weblog) - "Symantec is tracking more and more high-traffic Web sites that become compromised and then used to spread malicious code. After the breach our MSS team spotted out on Tata*, we have been notified of another Web site with a similar issue. Today the Italian Web site www .emule-italia .it had been compromised and was hosting an obfuscated script... The script, when deobfuscated, was showing an -iframe- pointing to http ://[REMOVED]xes.com/ld/grb, which was redirecting users to a server (http ://[REMOVED]fir.com/cgi-bin/mail.cgi?p=grobin) hosting the Neosploit tool. Neosploit is forcing vulnerable PCs to download and install the latest version of the infamous Trojan.Mebroot. Symantec notified the ISP involved about this issue and the ISP has since worked to remove the malicious content from the affected Web site. High-traffic Web sites are becoming more and more targeted, because the huge number of visits they receive turns into a huge number of machines getting compromised in a short period of time. Therefore, application security is even more important for these sites:
- periodic penetration testing,
- code review, and
- sound application security practices
...in the overall development lifecycle can protect site owners [and visitors, too!] from these kind of threats."
* http://preview.tinyurl.com/yqhseh
(Symantec Security Response Weblog - February 28, 2008)


2008-04-04, 18:25

- http://isc.sans.org/diary.html?storyid=4240
Last Updated: 2008-04-04 16:06:43 UTC - "In case you haven't done so yet, consider blocking nmidahena-dot-com on your proxy. And don't go there to find out if it is bad. It is. Several high profile sites have apparently been hit with what is a continuation of the "iframe injection" that we've covered repeatedly*."
* http://isc.sans.org/diary.html?storyid=4210
Update on IFRAME SEO Poisoning


2008-04-08, 16:30

- http://www.symantec.com/about/news/release/article.jsp?prid=20080407_01
April 8, 2008 – "...Today, hackers are compromising legitimate Web sites and using them as a distribution medium to attack home and enterprise computers. Symantec noticed that attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites. Attackers are leveraging site-specific vulnerabilities that can then be used as a means for launching other attacks. During the last six months of 2007, there were 11,253 site specific cross-site scripting vulnerabilities reported on the Internet; these represent vulnerabilities in individual Web sites. However, only 473 (about 4 percent) of them had been patched by the administrator of the affected Web site during the same period, representing an enormous window of opportunity for hackers looking to launch attacks... “Avoiding the dark alleys of the Internet was sufficient advice in years past”... “Today's criminal is focused on compromising legitimate Web sites to launch attacks on end-users, which underscores the importance of maintaining a strong security posture no matter where you go and what you do on the Internet”..."


2008-04-10, 15:39

- http://preview.tinyurl.com/45hmwg
April 10, 2008 (Symantec Security Response Weblog) - "...Since the Web browser is the primary gateway to the Internet for most users, Web pages that they visit frequently... are a useful means of compromising computers for attackers... Because of the success of kits like MPack and Ice-Pack, it seems that malicious code authors have begun to incorporate similar features in the threats they create... two of the top ten -new- malicious code families modified Web pages. There are two ways in which these samples modify Web pages. The first is that the malicious code adds its own code to a Web page so that other people who view the page may become infected. The second way is that an iframe tag is added to the Web page that redirects users to another Web site. Usually this Web site tries to exploit Web browser and plug-in vulnerabilities in a shotgun-style attack*. This type of attack is similar to the one employed by MPack... As more threats use the Web—in particular, browsers and their plug-ins—to install themselves on computers, users need to be careful even when visiting sites they know and trust. Make sure your Web browser is kept up to date with the latest security patches. Just as important is to make sure that any browser plug-ins you have installed are also fully patched. And, as always, make sure you have antivirus software running with the most recent definitions, as well a good intrusion prevention system.
*A shotgun attack is one where a malicious Web page attempts to exploit multiple vulnerabilities at once in order to increase the chances of a user being compromised."


2008-04-10, 20:24
FYI... 4.10.2008

- http://www.symantec.com/security_response/threatconlearn.jsp
"The ThreatCon is currently at Level 2: Elevated.
The ThreatCon is currently at level 2. On April 8, 2008, Adobe released a security bulletin for Flash Player that includes a vulnerability that can remote attackers can leverage to execute arbitrary code. Attackers could create a malicious Flash object embedded in a web page or email to gain access to a vulnerable system. Adobe has reported that Flash Player (and earlier) and (and earlier) are affected. Patches are available. The vulnerabilities have not been seen in the wild. Adobe considers this a 'critical' update and recommends that customers upgrade to Flash Player* to fix the issue. Adobe's security bulletin: ( http://www.adobe.com/support/security/bulletins/apsb08-11.html )
Bugtraq entry: ( http://www.securityfocus.com/bid/28694/references )"

* http://forums.spybot.info/showpost.php?p=180537&postcount=2


2008-04-22, 17:18

One new infected webpage found every 5 seconds - Sophos
- http://www.sophos.com/pressoffice/news/articles/2008/04/secrep08q1.html
21 April 2008
- Top ten countries hosting web-based malware...
- Hacked sites pose greatest risk to IT security...
(...Top 10 malware found on the web Q1-2008, 29% is iframe related...)

- http://wiki.castlecops.com/IFRAME_2008


2008-04-23, 20:54

- http://preview.tinyurl.com/64qbkd
April 23, 2008 (Infoworld) - "...Web sites are rife with security problems: In 2006, the Web Application Security Consortium surveyed 31,373 sites and found that 85.57 percent were vulnerable to cross-site scripting attacks, 26.38 were vulnerable to SQL injection and 15.70 percent had faults that could let an attacker steal information from databases...
Vendors have typically only tested their software patches on machines in default configurations, which isn't representative of the real IT world, Paller said. Many businesses use custom applications with custom configurations, which require rigorous testing to ensure a patch won't break their applications. The U.S. Air Force was one of the first organizations that tried a new approach when contracting IT systems with Microsoft and other application vendors about two years ago to enable speedier patching, Paller said.
The Air Force's CIO at the time, John M. Gilligan, consolidated 38 different IT contracts into one and ordered all new systems to be delivered in the same, secure configuration. Then, he ordered that application vendors certify that their applications would work on the secure configurations, Paller said. Then Gilligan took his case to Microsoft. At the time, it took the Air Force about 57 days between the time a patch was released until their 450,000 systems were up-to-date. Gilligan wanted Microsoft to test its patches on machines with the same configuration as the Air Force's, shifting the cumbersome testing process back to the vendor. The negotiations, which didn't start off well, culminated with a meeting with CEO Steve Ballmer. "The story is that he [Gilligan] use a four-letter word in the meeting," Paller said. "You know what the four-letter word was? Unix."
Gilligan won. Now, the Air Force can patch in about 72 hours now, and they're looking to cut that to 24 hours, Paller said. The idea was so successful that as of Feb. 1, the U.S. government implemented the same conditions for all of its agencies..."


2008-06-01, 22:58

Cross-site scripting also used in Mass Compromises
- http://blog.trendmicro.com/xss-methods-also-seen-being-used-in-mass-compromises/
May 31, 2008 - "We were about to investigate further on malicious activities related to banner82(dot)com/b.js but the URL was already inaccessible around Tuesday. Soon enough the malicious script in www(dot)adw95(dot)com caught our interest. A rough survey of the sites compromised by this script reveal that the sites involved some cross-site scripting (XSS*), or SQL injection vulnerabilities, or a combination of both... XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks incorporate disclosure of the user’s session cookies, allowing an attack perpetrator to have complete control over the victim’s session and to (in effect) take over the account & hijack the HTTP session.
XSS attacks may also include redirecting the user to some other page or website, and modifying the content of a HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.
An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There are an unaccounted number of variations for these types of attacks, and XSS attacks can come in the form of embedded JavaScript — one of the more common implementations. But be forewarned — any embedded active content is also a potential source of danger, including: ActiveX (OLE), VBscript, Flash, and more... Mass compromises seem to be all the rage these days, and exploiting XSS vulnerabilities are just one of the methods criminals can employ to silently worm their way into users’ PCs..."
* http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios


2008-06-09, 22:41

Malware redirects...
- http://sunbeltblog.blogspot.com/2008/06/malware-distributors-move-to-dogpile.html
June 08, 2008 - "First Google, then DoubleClick* redirects, now Dogpile is a new favorite for XSS redirects by malware authors..."
* http://sunbeltblog.blogspot.com/2008/06/google-fixes-redirects-now-it.html
June 02, 2008 - "On May 25th, we noticed that spammers and malware distributors had moved from using Google redirects, to Doubleclick redirects. If you’re tracking this stuff, you’re undoubtedly seeing extensive use of these redirects..."

(Screenshots available at both URLs above.)

:fear: :sad: :fear:

2008-06-12, 15:20

Safari 'carpet bomb' attack code released
- http://preview.tinyurl.com/65fe66
June 10, 2008 (Computerworld) - "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code, along with a demo of the attack, was posted Sunday on a computer security blog. It can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks... the vulnerability has to do with the way Windows handles desktop executables and recommended that Windows users "restrict use of Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple." The attack affects all versions of Windows XP and Vista, Microsoft said in its advisory*..."

- http://isc.sans.org/diary.html?storyid=4562
Last Updated: 2008-06-12 11:22:32 UTC
...Since the proof of concept is easily available, if you are using Safari on Windows please change the default download location as described in Microsoft's advisory available at
* http://www.microsoft.com/technet/security/advisory/953818.mspx


2008-06-16, 15:09

- http://ddanchev.blogspot.com/2008/06/malicious-doorways-redirecting-to.html
June 16, 2008 - "...bottom line - malicious doorways are slowly starting to emerge thanks to the convergence of traffic redirection and management tools with web malware exploitation kits, and just like we've been seeing the adaptation of spamming tools and approaches for phishing purposes, next we're going to see the development of infrastructure management kits, a feature that DIY phishing kits* are starting to take into consideration as well."
* http://ddanchev.blogspot.com/2008/05/diy-phishing-kits-introducing-new.html

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.


2008-06-20, 12:45

Safari version 3.1.2...
- http://blog.washingtonpost.com/securityfix/2008/06/apple_issues_fix_for_safari_on_1.html
June 19, 2008 - "Apple today pushed out a new version of its Safari browser for Microsoft Windows users. The latest iteration plugs at least four security holes, including one that allowed automatic downloading of files to the Windows desktop. In some cases, these files could be started without the user's knowledge. Safari version 3.1.2 corrects a flaw, which allows any rogue Web site to "carpet bomb" the user's Windows Desktop... The new version is available from Apple Downloads* ..."
* http://www.apple.com/support/downloads/
"This update is recommended for all Safari Windows users and includes stability improvements and the latest security updates."

- http://secunia.com/advisories/30775/
Release Date: 2008-06-20
Critical: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Safari for Windows 3.x ...
Solution: Update to version 3.1.2 ...
Original Advisory: Apple:

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2540


2008-06-26, 19:47

- http://www.us-cert.gov/current/index.html#microsoft_internet_explorer_6_cross
June 26, 2008 - "US-CERT is aware of publicly available proof-of-concept code for a new vulnerability in Microsoft Internet Explorer 6. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. This could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 does not appear to be affected by this issue. US-CERT strongly encourages users to upgrade to Microsoft Internet Explorer 7 and follow the best security practices as outlined in the Securing Your Web Browser document to help mitigate the risk. Additional information about this vulnerability can be found in the Vulnerability Notes Database*..."
* http://www.kb.cert.org/vuls/id/923508

- http://secunia.com/advisories/30857/


(Another) IEv6 vuln... aka "Cross-Site Cooking"
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3173
Last revised: 7/15/2008 - "...NOTE: this issue may exist because of an insufficient fix for CVE-2004-0866*..."
* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-0866


2008-06-30, 10:53

- http://secunia.com/advisories/30851/
Last Update: 2008-06-30
Critical: Moderately critical
Impact: Security Bypass, Spoofing
Where: From remote
Solution Status: Unpatched...
Solution: Do not visit or follow links from untrusted websites...
- http://www.kb.cert.org/vuls/id/516627
Last Updated: 06/27/2008 - "...Limited testing has shown that IE 6, 7, and 8 beta 1 are vulnerable...
We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
Disable Active Scripting
This vulnerability can be mitigated by disabling Active Scripting in the Internet Zone, as specified in the "Securing Your Web Browser" document*."
* http://www.us-cert.gov/reading_room/securing_browser/#Internet_Explorer

> http://www.us-cert.gov/current/#microsoft_internet_explorer_frame_vulnerability


2008-07-02, 04:19

40% of Web users surf with Unsafe Browsers
- http://preview.tinyurl.com/4nhr4n
July 1, 2008 (blog.washingtonpost.com/securityfix) - "A comprehensive new study of online surfing habits released today found that only 60 percent of the planet's Internet users surf the Web with the latest, most-secure versions of their preferred Web browsers. The study, conducted by researchers from Google, IBM and the Communication Systems Group in Switzerland, relied on data from server logs provided by Google for search requests between Jan. 2007 and June 2008. The researchers found that of the 1.4 billion Internet users worldwide at the end of March 2008, 576 million surfed with outdated versions of Web browsers..."


2009-03-25, 17:37

- https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/istr/article-id/13
03-24-2009 - "... simply visiting your favorite website can either lead to malware silently being installed on your computer without ever clicking on anything, or being plagued by misleading applications, such as fake antivirus software, seems to be a surprise to many users and IT managers alike... Our recently published Web-based attacks white paper* highlights some of the top Web threat trends that our security analysts observed during 2008... When your system is compromised, there is usually no indication—it happens silently without flashing lights or having to click on anything. All it takes is one vulnerable browser, multimedia application, document viewer, or browser plug-in and your computer can be compromised. I spoke with one user who couldn’t believe that one of the top 100 sites on the Internet would be attacking his computer. There was another customer whose own Web server kept attacking and infecting his computer... Web-based attacks are occurring everywhere and users’ computers are being attacked and infected in enterprise and consumer environments alike..."

* http://www.symantec.com/business/theme.jsp?themeid=threatreport
Web Based Attacks: February, 2009 - "...
Top Web Threat Trends for 2008
1. Drive-by downloads from mainstream Web site are increasing
2. Attacks are heavily obfuscated and dynamically changing making traditional antivirus solutions ineffective
3. Attacks are targeting browser plug-ins instead of only the browser itself
4. Misleading applications infecting users are increasing
5. SQL injection attacks are being used to infect mainstream Web sites
6. Malvertisements are redirecting users to malicious Web sites
7. Explosive growth in unique and targeted malware samples ..."


2009-03-25, 23:45

TinyURL abuse... E-cards lead to malware...
- http://blog.trendmicro.com/e-cards-used-to-advertise-adult-dating-site/
Mar. 24, 2009 - "The misuse of legitimate services continue as after recent reports of cybercriminals exploitng the redirecting service TinyURL to slip past spam filters, legitimate e-card services are now being used. We have received email samples that arrive as ecards... The greeting cards were from Regards.com, the web’s largest collection of free greeting cards. The email claims to be sent by a user under an alias..."
(Screenshot available at the URL above.)

See: http://tinyurl.com/preview.php?disable=0
"Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature."


2009-06-11, 03:44

Browsers under attack - 2009
- http://www.trustedsource.org/blog/248/New-McAfee-Whitepaper-on-Browser-Attacks
June 4, 2009 - "... this paper* deals with the many complexities of browser security and attacks. From the paper:
Web Browsers: An Emerging Platform Under Attack
'The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success.' Other areas the paper covers include:
• The shift in spam to mainly malicious web link usage
• “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites
• Legitimate sites are compromised and misused to either host malicious code or link to a malicious website
• Use of malicious video banners placed in advertisement networks
• Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site ..."
* http://www.mcafee.com/us/local_content/white_papers/wp_webw_browsers_w_en.pdf


2009-07-21, 19:59

More 0-Day exploits for browsers...
- http://blog.trendmicro.com/more-zero-day-exploits-for-firefox-and-ie-flaws/
July 21, 2009 - "Earlier today... spotted several malicious script files that exploited Mozilla Firefox and Microsoft Internet Explorer vulnerabilities:
• JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
• JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
• JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.
Initial analysis... shows that the scripts above may be unknowingly downloaded through either Firefox -or- Internet Explorer.
According to Mozilla, a Firefox user reported suffering from a crash that developers determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, the just-in-time (JIT) compiler could get into a corrupt state. This could then be exploited by an attacker to run arbitrary code. However, this vulnerability does not affect earlier versions of Firefox, which do not support the JIT feature. Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog*. This workaround is, however, unnecessary for Firefox 3.5.1 users.
* http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
> On the other hand, the vulnerability in Microsoft Video ActiveX Control allows remote code execution if a user views a specially crafted web page with Internet Explorer, executing the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
> Microsoft is aware of attacks attempting to exploit the said vulnerabilities and advises its customers to prevent the OWC from running either manually or automatically using the solution found in Microsoft Knowledge Base Article 973472*.
* http://support.microsoft.com/kb/973472#FixItForMe
Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:
• Firefox: Mozilla Foundation Security Advisory 2009-41
• OWC: Microsoft Security Advisory (973472)
• DirectShow: Microsoft Security Bulletin MS09-032
http://www.microsoft.com/technet/security/Bulletin/MS09-032.mspx ..."


2009-09-30, 19:46

Multi-browser hole exploited by banking trojan
- http://news.cnet.com/8301-27080_3-10363836-245.html
September 29, 2009 - "Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log in credentials but actually steals money from your account while you are logged in and displays a fake balance. The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available. It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added. The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report*. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement... This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said. People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said."
* http://www.finjan.com/Content.aspx?id=1367
"... cybercrooks used a combination of Trojans and money mules to rake in hundreds of thousands of Euros and to minimize detection by the anti-fraud systems used by banks. After infection, a bank Trojan was installed on the victims’ machines and started communication with its Command & Control (C&C) server for instructions. These instructions included the amount to be stolen from specific bank accounts and to which money mule-accounts the stolen money should be transferred. The use of this Anti anti-fraud method signals a new trend in cybercrime."
- http://www.finjan.com/MCRCblog.aspx?EntryId=2345
Sep 30, 2009


2009-12-16, 15:49

Rogue AV spreads thru XSS attacks in browsers
- http://www.theregister.co.uk/2009/12/16/rogue_av_attacks/
16 December 2009 - "Malware purveyors are exploiting web vulnerabilities in appleinsider .com, lawyer .com, news .com.au and a dozen other sites to foist rogue anti-virus on unsuspecting netizens. The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites... As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected... The links work because appleinsider .com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. More about the attack is available from the Zscaler blog here*."
* http://research.zscaler.com/2009/12/xss-embedded-iframes.html

> http://en.wikipedia.org/wiki/Cross-site_scripting#Exploit_scenarios

> http://en.wikipedia.org/wiki/Browser_exploit


2009-12-31, 21:33

Malicious JavaScript infects websites
- http://blog.trendmicro.com/malicious-javascript-infects-websites/
Dec. 31, 2009 - "Trend Micro threat analysts were alerted to the discovery of several compromised websites inserted with a JavaScript. The JavaScript is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which enables it to delay executing its routine, that is, -redirecting- the user to several malicious websites. This is done so users will not suspect that they are already infected. In addition, this malicious JS is hosted on PHP servers. If a user visits an infected website, it will display a white screen... Upon analysis, it was observed that the code (found on most infected sites) begins with /*GNUGPL*/try{window.onload=function(){var or /*CODE1*/ try{window.onload = function(){va. According to the Unmask Parasites blog*, the cybercriminals behind this attack incorporated certain legitimate sites’ names such as Google, Bing, and WordPress, among others, in their code to appear as a legitimate URL..."
* http://blog.unmaskparasites.com/


2010-01-26, 04:40

Browser -redirects- on the Web...
> http://forums.spybot.info/showpost.php?p=357168&postcount=193
January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK... will redirect the web browser to other malicious websites..."

Q4 '09 web-based malware data and trends
> http://forums.spybot.info/showpost.php?p=357350&postcount=194
January 26, 2010


2010-05-24, 17:49

Safari v4.0.5...
- http://secunia.com/advisories/39670
Last Update: 2010-05-18
Criticality level: Highly critical
Solution Status: Unpatched...
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1939
CVSS v2 Base Score: 7.6 (HIGH)
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1940
CVSS v2 Base Score: 4.3 (MEDIUM)

Firefox v3.6.3...
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1986
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1987
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1988 CVSS v2 Base Score: 10.0 (HIGH)
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1990
Last revised: 05/21/2010
- https://wiki.mozilla.org/Releases
Firefox 3.6.4 - June 1 ...

IE 6, 7, and 8
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1991
Last revised: 05/21/2010
CVSS v2 Base Score: 5.0 (MEDIUM)


2010-06-08, 15:05

Safari v5.0 released
- http://secunia.com/advisories/40105/
Release Date: 2010-06-08
Criticality level: Highly critical
Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, System access
Where: From remote ...
Solution: Update to version 4.1 (available only for Mac OS X v10.4 systems) or upgrade to version 5.0.
Original Advisory: Apple:
...Note: Safari 5.0 and Safari 4.1 address the same set of security issues. Safari 5.0 is provided for Mac OS X v10.5, Mac OS X v10.6, and Microsoft Windows systems. Safari 4.1 is provided for Mac OS X v10.4 systems.

- http://support.apple.com/downloads/
June 07, 2010

- http://www.apple.com/support/safari/

- http://secunia.com/advisories/40110/
Release Date: 2010-06-08
Solution Status: Unpatched ...
... The security issue is confirmed in version 5.0 for Windows. Other versions may also be affected...

- http://www.theregister.co.uk/2010/06/08/safari_5_reader/
8 June 2010

MS Security Bulletin MS10-035 - Critical
Cumulative Security Update for Internet Explorer (982381)
- http://www.microsoft.com/technet/security/bulletin/ms10-035.mspx
June 08, 2010 - "... resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page..."


2010-06-26, 14:07

Multiple Vendor WebKit HTML Caption Use After Free Vulnerability
- http://atlas.arbor.net/briefs/index#418501501
Severity: Elevated Severity
Published: Wednesday, June 23, 2010 19:12
A use-after-free issue has been found in Google Chrome ( and, and Safari 4.0.4 (Windows XP/OS X 10.5.8), specifically in the WebKit core. A malicious webpage can force the browser to execute arbitrary code on the victim's PC. Updated software has been released to address this issue...

Safari v5.0 released
- http://secunia.com/advisories/40105/
Original Advisory: Apple:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1392
Last revised: 06/24/2010
CVSS v2 Base Score: 9.3 (HIGH)
"... Safari before 5.0..."

Google Chrome v5.0.375.99 released
- http://secunia.com/advisories/40479/
Release Date: 2010-07-05
Solution: Update to version 5.0.375.99.
Original Advisory:


2010-07-28, 23:57

Google Chrome
- http://www.securitytracker.com/id?1024256
Jul 28 2010

Apple Safari
- http://www.securitytracker.com/id?1024257
Jul 28 2010

Mozilla Firefox
- http://www.securitytracker.com/id?1024243
Jul 24 2010

- http://techblog.avira.com/2010/07/28/browser-updates-2/en/
July 28, 2010 - "... web browsers pose the highest risk for getting attacked by cyber criminals, they should be kept up-to-date and therefore the updates should be installed ASAP."


2010-09-08, 15:22

Firefox updated:
- http://securitytracker.com/alerts/2010/Sep/1024401.html
Sep 8 2010 - "... 3.5 prior to 3.5.12, 3.6 prior to 3.6.9..."
- http://securitytracker.com/alerts/2010/Sep/1024406.html
Sep 8 2010 - "... 3.5 prior to 3.5.12, 3.6 prior to 3.6.9..."

Safari updated:
- http://securitytracker.com/alerts/2010/Sep/1024400.html
Sep 8 2010 - "... 4.x prior to 4.1.2, 5.0 prior to 5.0.2..."

Google Chrome:
- http://securitytracker.com/alerts/2010/Sep/1024390.html
Sep 3 2010 - "... prior to 6.0.472.53..."

- http://techblog.avira.com/2010/09/08/browser-updates-3/en/


2010-10-06, 12:20

Browser security update tricks
- http://www.symantec.com/connect/blogs/misleading-apps-push-browser-security-update-trick
04 Oct 2010 - "... attackers use social engineering techniques to scare users into purchasing a misleading application. This time around, we have come across a couple of websites that are using a slightly different trick to mislead users. In order to trick users, these websites used bogus pages that look similar to those presented by security features or technologies when one is about to visit a malicious page. However, it presented a “Download Updates!!” button, unlike Google’s “Get me out of here” button... Regardless of what browser is used, the user is presented with the same misleading dialog box that seemingly forces the download of Firefox and Chrome updates. This misleading dialog box keeps on popping up, even if the user clicks on cancel button... The downloaded executable turns out to be a variant of the infamous misleading application called Security Tool. Once executed, it displays exaggerated pop-ups in an attempt to scare users... Unlike standard misleading application distribution websites, these sites don’t rely only on social engineering tricks to mislead users. If more savvy users don’t download the misleading application executable, then these websites will redirect users to a website that, in turn, further redirects to a malicious website that is hosting the infamous Phoenix exploit kit. Phoenix is an automated exploit kit that uses heavily obfuscated JavaScript code to evade security products... These exploit kits are used to deliver malware after exploiting a vulnerability, mostly those affecting Web browsers. If users don’t somehow fall victim to this latest browser update trick, then the attackers have the fall back of delivering misleading applications through these exploit kits..."
(Screenshots available at the URL above.)

- http://sunbeltblog.blogspot.com/2010/10/securitytool-rogue-begins-using-fake.html
October 07, 2010
- http://sunbeltblog.blogspot.com/2010/10/rogue-downloader-overlooks-ie-users.html
October 19, 2010
- http://www.f-secure.com/weblog/archives/00002051.html
October 20, 2010


2010-10-20, 17:32

'Need to stay on top of these updates - hacks do. Bug fixes are "reverse engineered" within -hours- of their release, and hacker exploits go right into production:

60 second check for updates here (http://secunia.com/vulnerability_scanning/online/?inclusion=1&task=load&rp_id=heiseuk).

Zombie infection kit - Success rates / Victim browser statistics:
- http://labs.m86security.com/wp-content/uploads/2010/10/zombie_browser.png
October 15th, 2010
- http://labs.m86security.com/2010/10/don%E2%80%99t-get-infected-by-zombies/
"... effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched... 15 percent... of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed..."
Zombie infection kit - Success rates / IE6,7,8 - Java - Adobe PDF reader - Flash
- http://labs.m86security.com/wp-content/uploads/2010/10/zombie_nexp.png


2010-10-27, 00:59

Firefox v3.6.12 released
- http://forums.spybot.info/showpost.php?p=387136&postcount=6
• Critical

Firefox 0-days...
- http://isc.sans.edu/diary.html?storyid=9817
Last Updated: 2010-10-26 19:02:22 UTC - "... There is a 0-day vulnerability for Firefox, including the latest version. This vulnerability is already being exploited, so beware... The good thing is that Mozilla is quite fast on those and already confirmed the issue and is working to get it fixed*. The second one is related to an Firefox extension released yesterday. It is called Firesheep**. In summary, it is an addon that will make it really easy to basically anyone hack accounts by sniffing traffic on public hotspots, such as airports, coffee shops,etc...
* https://bugzilla.mozilla.org/show_bug.cgi?id=607222

* http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/

** http://www.pcworld.com/article/208727/firefox_addon_firesheep_brings_hacking_to_the_masses.html

- http://krebsonsecurity.com/2010/10/nobel-peace-prize-site-serves-firefox-0day/
October 26th, 2010

- http://www.symantec.com/connect/blogs/limited-firefox-zero-day-attack-wild
Oct. 27, 2010

- http://secunia.com/advisories/41957/
Last Update: 2010-10-28
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution: Update to Mozilla Firefox version 3.5.15 or 3.6.12 and Mozilla SeaMonkey version 2.0.10.

- http://securitytracker.com/alerts/2010/Oct/1024645.html
Oct 28 2010


2010-11-20, 14:27

'Need to stay on top of these updates - hacks do... so should you. If you haven't updated, -now- would be the time.

Recent Browser updates:

60 second check for updates here (http://secunia.com/vulnerability_scanning/online/?inclusion=1&task=load&rp_id=heiseuk).

Multiple IE 0-day vulnerabilities...

IE drive-by bug ... "FixIt" available ...
- http://forums.spybot.info/showpost.php?p=393584&postcount=19

IE/MHTML vuln ... "FixIt" available ...
- http://forums.spybot.info/showpost.php?p=395022&postcount=23

Use stats
- http://www.w3schools.com/browsers/browsers_stats.asp


2010-12-07, 16:03

• Factsheets By Browser - 2010
- http://secunia.com/resources/factsheets/2010_browsers/

Other software:
- http://secunia.com/resources/factsheets/
Current Factsheets - 2010
• By Vendor
• By Windows Operating System


2011-02-15, 14:54

Browser 'BITB' attack...
- http://www.darkreading.com/taxonomy/index/printarticle/id/229218608
Feb. 14, 2011 - "... spin-off of the proxy Trojan, keylogger, and man-in-the-browser (MITB) attack. The "boy-in-the-browser" (BITB) attack... targeting users visiting their banks, retailers, and even Google... spotted in the wild. BITB is basically a "dumbed-down" MITB in which the attacker infects a user with its Trojan, either via a drive-by download or by luring the user to click on an infected link on a site... Imperva's advisory on the attacks is here*."
* http://www.imperva.com/resources/adc/adc_advisories_Boy_in_the_Browser.html
Feb. 14, 2011 - "... Nine Latin American banks were targeted..."


2011-03-10, 22:56

Safari, IE defeated, Chrome, Firefox Survive
Apple and Microsoft get "pwned" again at CanSecWest's Pwn2Own ...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=229300728
March 10, 2011 - "... Apple's timely release wasn't enough... security researchers from VUPEN, a penetration testing company based in France, defeated Safari 5.0.4 decisively... Internet Explorer 8 was also defeated... Google Chrome emerged unscathed... Mozilla's Firefox also survived..."


2011-04-21, 18:34

Malware authors target Google Chrome
- http://www.zdnet.com/blog/bott/malware-authors-target-google-chrome/3162
April 21, 2011 - "... malware authors have begun preying on users of alternative browsers to push dangerous software, including Trojans and scareware. The problem is that most malware attacks aren’t triggered by exploits that target vulnerabilities in code. Instead, according to one recent study, “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.” I found a perfect example yesterday, thanks to an alert from Silverlight developer Kevin Dente. He had typed in a simple set of search terms—Silverlight datagrid reorder columns—at Google.com, using the Google Chrome browser on Windows... The first page of Google search results included several perfectly good links, but the sixth result was booby trapped... That led to a basic social engineering attack, but this one has a twist. It was customized for Chrome. If you’ve ever seen a Google Chrome security warning, you’ll recognize the distinctive, blood-red background, which this malware author has duplicated very effectively... After the fake scan is complete, another dialog box comes up, warning that “Google Chrome recommends you to install proper software”... When I submitted it to VirusTotal.com*, only five of the 42 engines correctly identified it as a suspicious file..."
(Screenshots available at the URL above.)
* http://www.virustotal.com/file-scan/report.html?id=621583f75348fe4f9a97d44fc325a1283be3661774e50d6ac570433d23eeb22b-1303383008
File name: InstallInternetProtection_611.exe
Submission date: 2011-04-21 10:50:08 (UTC)
Result: 8/42 (19.0%)


2011-04-26, 15:55

SpyEye targets Opera, Google Chrome...
- http://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/
April 26, 2011 - "The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers*... Many people feel more secure using browsers like Chrome and Opera because they believe the browsers’ smaller market share makes them less of a target for cyber crooks. This latest SpyEye innovation is a good reminder that computer crooks are constantly looking for new ways to better monetize the resources they’ve already stolen..."
* http://krebsonsecurity.com/wp-content/uploads/2011/04/spychop.jpg

:mad: :mad:

2011-05-09, 22:08

WebGL - browser security flaw...
- http://www.cio.com/article/681749/WebGL_Hit_By_Hard_to_Fix_Browser_Security_Flaw
May 9, 2011 - "The WebGL graphics technology turned on by default in Firefox and Chrome poses a serious security risk*... WebGL will not, however, run reliably on an unknown number of graphics cards, including Intel's integrated graphics and most ATI chipsets... Disabling WebGL varies from browser to browser but in Firefox involves setting a required value to "false" using the about:config command."
* http://www.contextis.com/resources/blog/webgl/
"... enabled by -default- in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari..." (Flowchart available at the contextis.com URL above.)
- http://www.theregister.co.uk/2011/05/11/chrome_firefox_security_threat/
"... In Firefox 4, type “about:config” (minus the quotes) into the address bar and set webgl.disabled to true. In Chrome, get to the command line of your operating system and add the --disable-webgl flag to the Chrome command. On a Windows machine, the command line would be "chrome.exe --disable-webgl".

> https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drivers

WebGL Security Risks
- http://www.us-cert.gov/current/archive/2011/05/10/archive.html#web_users_warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."

- http://www.h-online.com/security/news/item/WebGL-as-a-security-problem-1240567.html
10 May 2011
- http://www.h-online.com/security/news/item/WebGL-as-a-security-problem-1240567.html?view=zoom;zoom=2


2011-05-16, 17:30

WebGL security risks - updated
- http://www.contextis.com/resources/blog/webgl/faq/
11 May 2011 - "... we are releasing the following further information to aid in the understanding of the issues... in the longer term, Context believes that browser vendors should, by default, disable WebGL from within their web browsers. We would like to see functionality included that would allow users to opt-in for WebGL applications that they trust on a case by case basis... reported these issues and other vulnerabilities to the Mozilla Security group who has raised a number of internal bug reports regarding the issues that we have found, including issues that we have -not- publicly disclosed. They have also passed the information onto Google for Chrome. The Mozilla Security Group has been very receptive to the issues that we have raised and have been very responsive to our concerns."
(More detail at the contextis URL above.)

- https://www.us-cert.gov/current/archive/2011/05/10/archive.html#web_users_warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."


2011-05-27, 06:22

IE 0-day - all versions... cookiejacking
- http://www.informationweek.com/news/security/vulnerabilities/229700031?printer_friendly=this-page
May 26, 2011 - "... All versions of Internet Explorer on all versions of Windows are affected by the 0-day vulnerability, and are thus susceptible to cookiejacking. As the name implies, the attack is similar to clickjacking attacks, which trick users into clicking on innocuous-looking graphics or videos, to trigger arbitrary code execution. Cookiejacking takes that type of attack one step further, adding the zero-day vulnerability and some trickery to steal any cookie from a user's PC... To be successful, however, the attack must incorporate two details. First, it needs to know the victim's Windows username, to find the correct path to where cookies are stored... Second, an attacker needs to know which Windows operating system their victim is using, as each one stores cookies in different locations. Browsers, however, typically reveal this information via their navigator.userAgent object..."

- http://blog.trendmicro.com/contrary-to-reports-cookiejacking-presents-a-major-risk/
May 27, 2011


2011-06-06, 15:01

Facebook and M$ de-cloak Chrome ...
- http://blog.eset.com/2011/06/03/facebook-and-microsoft-de-cloak-chrome-%E2%80%93-ms-neuters-their-privacy-advocate
June 3, 2011 - "What’s wrong with this picture?... I am using Google’s incognito mode and Clicker knows exactly who I am!... Facebook “Instant Personalization” destroys Google Chrome’s “Incognito mode”. There is nothing incognito about opening a clean browser with no cookies and going to a website you have never visited before and being called by name with your picture on the web page. Facebook and “Instant Personalization” partner sites deliberately ignores your obvious and explicit instructions NOT to track you. In October 2010 Gigaom.com posted an article http://gigaom.com/2010/10/13/bing-launches-facebook-instant-personalization/ that claimed “Microsoft today launched social search features for Bing created in partnership with Facebook. The two companies are teaming up to take on their common enemy: Google.” Perhaps there is truth to that. It is mind-boggling that Microsoft’s Bing ran an end game around the Microsoft Internet Explorer team by also defeating IE9’s “InPrivate Browsing”... Mozilla was caught in the crossfire as Microsoft and Facebook sneak around Firefox’s Private browsing feature as well. Apple’s Safari browser’s privacy mode was also hunted down and shot. Let’s call it like it is. Facebook rolls out a “feature” that deliberately over-rides a user’s explicitly expressed desire to browse in privacy without tracking... You might be interested to see how much information your browser reveals by going to https://panopticlick.eff.org/ * and running their test... It is true that in the above example “Clicker.com” does offer to let me disable their unauthorized Facebook enabled spying, however this does not happen until private browsing has already been subverted by Facebook... Having worked at Microsoft I can imagine how completely frustrating it must be for internal Microsoft privacy advocates to have to stand idle and watch Bing override Internet Explorer’s “InPrivate” browsing feature. Perhaps for IE10 Microsoft can make more open labels and claims of what the browser can really do. The whole issue would have been avoided had Facebook had the decency to let users choose BEFORE they sabotage your browser and privacy."
(Screenshot available at the eset URL above.)


2011-09-30, 22:40

Chrome extensions leak data...
- http://www.informationweek.com/news/security/vulnerabilities/231602411?printer_friendly=this-page
September 29, 2011 - "A review of 100 Google Chrome extensions, including the 50 most popular selections, found that 27% of them contain one or more vulnerabilities that could be exploited by attackers either via the Web or unsecured Wi-Fi hotspots. Those findings come from a study being conducted by security researchers Nicholas Carlini and Prateek Saxena at University of California, Berkeley. In particular, they analyzed the 50 most popular Chrome extensions, as well as 50 others selected at random, for JavaScript injection vulnerabilities, since such bugs can enable an attacker to take complete control of an extension. The researchers found that 27 of the 100 extensions studied contained one or more injection vulnerabilities, for a total of 51 vulnerabilities across all of the extensions. The researchers also said that seven of the vulnerable extensions were used by 300,000 people or more... attackers have turned their attention to exploiting vulnerabilities in the third-party code - including add-ons and extensions - used by browsers."


2011-10-06, 18:55

SpyEye hijacks SMS security...
- https://www.trusteer.com/blog/spyeye-changes-phone-numbers-hijack-out-band-sms-security
October 05, 2011 - "... recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks. Using code we captured while protecting a Rapport user, we discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge... This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof. Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems. The only way to defeat this new attack once a computer has been infected with SpyEye is using endpoint security that blocks MITB techniques..."
(More detail available at the trusteer URL above.)


2011-11-30, 14:15

HTML5 – The Ugly ...
- http://blog.trendmicro.com/html5-the-ugly/
Nov. 30, 2011 - "... With HTML5, attacker(s) can now create a botnet which will run on any OS, in any location, on any device. Being heavily memory-based, it barely touches the disk, making it difficult to detect with traditional file-based antivirus. JavaScript code is also very easy to obfuscate, so network IDS signature will also have a very hard time. Finally, being web-based, it will easily pass through most firewalls. Stages of A Browser-Based Botnet Attack..."
(More detail at the trendmicro URL above.)...

Global malware view
Top attackers and domains distributing malware
- http://sucuri.net/global

:fear: :spider:

2011-12-04, 23:20

Exposed and vulnerable...

- http://www.zdnet.com/blog/security/37-percent-of-users-browsing-the-web-with-insecure-java-versions/9541
October 4, 2011 - "... 31.3% of users were infected with the virus/malware due to missing security updates..."
Charted: http://i.zdnet.com/blogs/infection_browser_plugins.png

- http://www.csis.dk/en/csis/news/3321
2011-09-27 - "... users who unknowingly have been exposed to drive-by attacks have used the following web browsers..."
Charted: http://www.csis.dk/images/browser.Png

:fear: :fear:

2011-12-06, 21:16

Cache objects history enumeration weakness...
I.E.: https://secunia.com/advisories/47129/
Chrome: https://secunia.com/advisories/47127/
Firefox: https://secunia.com/advisories/47090/
Opera: https://secunia.com/advisories/47128/
Release Date: 2011-12-06
Solution Status: Unpatched...
"... caused due to an error when handling cache objects and can be exploited to enumerate visited sites..."