
Thread: Browsers under attack - archive

  1. #11
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Controlling ActiveX Controls

    FYI...

    Controlling ActiveX Controls
    - http://www.securityfocus.com/blogs/671
    2008-03-13 - "...here are some quick thoughts on why browser accessible ActiveX controls are so frustrating:
    1. ActiveX controls aren’t (usually) tied to the websites that installed them.
    Meaning, any website can instantiate one and communicate with it. And by communicate with it, I mean perform memory corruption attacks that lead to remote code execution.
    2. They are often written poorly.
    Even more poorly than most 3rd party software. Overflows, arbitrary file access, you name it. You could probably find an ActiveX control that is actually vulnerable to every bug class.
    3. They persist (and can be difficult to remove)...
    After they get installed, you forget about it. Forever. Long after you have even logged into the website that convinced you to install it. Just waiting for someone to take advantage of issues 1 and 2 to make you part of their botnet.
    4. They can be difficult to update.
    Unlike a lot of software, ActiveX controls rarely have auto-update functionality. As a result, most people that are vulnerable, stay that way.
    5. They are rarely necessary.
    The worst part is, ActiveX controls are often add-ons that no one really needed and wouldn’t miss if they disappeared. A lot of times that I have seen them used, they were mostly there to make a UI feel more Win32 and less webby. The risk to benefit ratio has rarely been worth it..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #12
    Adviser Team AplusWebMaster

    Ongoing mass SQL-injection attacks...

    FYI...

    - http://www.symantec.com/avcenter/thr...earnabout.html
    (03.20.2008) - "...DeepSight Threat Analyst Team is currently monitoring a number of ongoing mass SQL-injection attacks that are manipulating victim servers to host malicious content to browsing clients... Clients are advised to browse using strict security policies. The following list of strategies may prevent or hamper an attack:
    - Run browser software with the least privileges possible.
    - Disable JavaScript, IFRAMEs, and ActiveX controls.
    - Enable OS security mechanisms such as Data Execution Prevention (DEP).
    - Ensure that browsing software is up to date.
    - Filter all web activity through security products such as an Intrusion Prevention system."


  3. #13
    Adviser Team AplusWebMaster

    Drive-by-downloads now the primary threat from hacks

    FYI...

    - http://www.f-secure.com/weblog/archives/00001408.html
    March 31, 2008 - "...Nowadays sending .EXE attachments in e-mail doesn't work so well for the criminals because almost every company and organization is filtering out such risky attachments from their e-mail traffic. The criminals’ new preferred way of spreading malware is by drive-by downloads on the Web. These attacks often still start with an e-mail spam run but the attachment in the e-mail has been replaced by a web link, which takes you to the malicious web site. So instead of getting infected over SMTP, you get infected over HTTP. Infection by a drive-by download can happen automatically just by visiting a web site, unless you have a fully patched operating system, browser and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware. There are several methods criminals use to gather traffic to these websites.
    - A common approach is to launch an e-mail spam campaign containing messages that tempt people to click on a link...
    - Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites...
    - The third method of distributing malware involves the criminals hacking into existing high profile, high traffic web sites. Unlike the joke defacements that some hackers played on the front pages of prominent web sites in the past, today’s criminal hackers don’t change the front page at all. They simply insert a line of javascript on the front page which uses an exploit to infect your machine when you go there... This has happened to the web sites of some popular magazines which can have a million users every single day...
    - Another vector for drive-by downloads is infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don’t have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites.

    It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their risk of getting infected by looking at the amount of stopped attachments at their e-mail gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't. Individuals and companies should therefore be scanning their web traffic for malware – as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious e-mails that link to malware via FTP links..."


  4. #14
    Adviser Team AplusWebMaster


    FYI...

    - http://www.f-secure.com/weblog/archives/00001411.html
    April 1, 2008 - "We've seen tons of banking trojans lately, but now we've run into something quite unique. This new banking trojan was found today from a drive-by-download site. We've added detection for it as Win32.Pril.A. It not only infects the MBR of the machine, but also reflashes the boot code in the Flash BIOS, making disinfection problematic. Once an infected machine is online, the trojan monitors the user's actions, waiting for him to go to one of several hundred online banks, located all over the world. Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim. Now, the really surprising part is what the trojan does. Normal banking trojans would insert extra transactions or change the deposit account numbers on-the-fly. However, Win32.Pril.A doesn't withdraw money from you - it actually inserts money TO your account. This looked so weird we had to test it several times, on all of our accounts. The drive-by-download site is still up..."

    (Screenshot available at the URL above.)


  5. #15
    Adviser Team AplusWebMaster


    FYI...

    - http://www.f-secure.com/weblog/archives/00001412.html
    April 2, 2008 - "Injected iframes into legitimate sites are becoming more and more common these days. One of the latest targets is a Chinese government site... Please note that while the site administrators have been notified, the injected iframe is still present in the site at the time of this posting. The iframe downloads a page from another Chinese site that redirects the browser to a .com site - that contains tons of new iframes. End result of this iframe jungle is that exploits try to download executables to the user's computer... Drive-by-downloads are getting more sophisticated nowadays with this case using several exploits including MDAC and Real Player exploits. As always, remember safe computing practices even when on familiar grounds, lest you find yourself iframed... Turns out that sony.com.cn seems to have similar iframes added to some of its pages as well. We have been in touch with Sony and CERTs on this..."


  6. #16
    Adviser Team AplusWebMaster

    -Mebroot- Spreading through High-Traffic, Compromised Web Sites

    FYI...

    - http://preview.tinyurl.com/yrxcym
    April 2, 2008 (Symantec Security Response Weblog) - "Symantec is tracking more and more high-traffic Web sites that become compromised and then used to spread malicious code. After the breach our MSS team spotted out on Tata*, we have been notified of another Web site with a similar issue. Today the Italian Web site www .emule-italia .it had been compromised and was hosting an obfuscated script... The script, when deobfuscated, was showing an -iframe- pointing to http ://[REMOVED]xes.com/ld/grb, which was redirecting users to a server (http ://[REMOVED]fir.com/cgi-bin/mail.cgi?p=grobin) hosting the Neosploit tool. Neosploit is forcing vulnerable PCs to download and install the latest version of the infamous Trojan.Mebroot. Symantec notified the ISP involved about this issue and the ISP has since worked to remove the malicious content from the affected Web site. High-traffic Web sites are becoming more and more targeted, because the huge number of visits they receive turns into a huge number of machines getting compromised in a short period of time. Therefore, application security is even more important for these sites:
    - periodic penetration testing,
    - code review, and
    - sound application security practices
    ...in the overall development lifecycle can protect site owners [and visitors, too!] from these kinds of threats."
    * http://preview.tinyurl.com/yqhseh
    (Symantec Security Response Weblog - February 28, 2008)


  7. #17
    Adviser Team AplusWebMaster


    FYI...

    nmidahena
    - http://isc.sans.org/diary.html?storyid=4240
    Last Updated: 2008-04-04 16:06:43 UTC - "In case you haven't done so yet, consider blocking nmidahena-dot-com on your proxy. And don't go there to find out if it is bad. It is. Several high profile sites have apparently been hit with what is a continuation of the "iframe injection" that we've covered repeatedly*."
    * http://isc.sans.org/diary.html?storyid=4210
    Update on IFRAME SEO Poisoning


  8. #18
    Adviser Team AplusWebMaster


    FYI...

    - http://www.symantec.com/about/news/r...id=20080407_01
    April 8, 2008 – "...Today, hackers are compromising legitimate Web sites and using them as a distribution medium to attack home and enterprise computers. Symantec noticed that attackers are particularly targeting sites that are likely to be trusted by end users, such as social networking sites. Attackers are leveraging site-specific vulnerabilities that can then be used as a means for launching other attacks. During the last six months of 2007, there were 11,253 site specific cross-site scripting vulnerabilities reported on the Internet; these represent vulnerabilities in individual Web sites. However, only 473 (about 4 percent) of them had been patched by the administrator of the affected Web site during the same period, representing an enormous window of opportunity for hackers looking to launch attacks... “Avoiding the dark alleys of the Internet was sufficient advice in years past”... “Today's criminal is focused on compromising legitimate Web sites to launch attacks on end-users, which underscores the importance of maintaining a strong security posture no matter where you go and what you do on the Internet”..."


  9. #19
    Adviser Team AplusWebMaster


    FYI...

    - http://preview.tinyurl.com/45hmwg
    April 10, 2008 (Symantec Security Response Weblog) - "...Since the Web browser is the primary gateway to the Internet for most users, Web pages that they visit frequently... are a useful means of compromising computers for attackers... Because of the success of kits like MPack and Ice-Pack, it seems that malicious code authors have begun to incorporate similar features in the threats they create... two of the top ten -new- malicious code families modified Web pages. There are two ways in which these samples modify Web pages. The first is that the malicious code adds its own code to a Web page so that other people who view the page may become infected. The second way is that an iframe tag is added to the Web page that redirects users to another Web site. Usually this Web site tries to exploit Web browser and plug-in vulnerabilities in a shotgun-style attack*. This type of attack is similar to the one employed by MPack... As more threats use the Web—in particular, browsers and their plug-ins—to install themselves on computers, users need to be careful even when visiting sites they know and trust. Make sure your Web browser is kept up to date with the latest security patches. Just as important is to make sure that any browser plug-ins you have installed are also fully patched. And, as always, make sure you have antivirus software running with the most recent definitions, as well as a good intrusion prevention system.
    *A shotgun attack is one where a malicious Web page attempts to exploit multiple vulnerabilities at once in order to increase the chances of a user being compromised."

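The page modifications described in posts #15, #16 and #19 above (a hidden, off-domain iframe dropped into a legitimate page, and an obfuscated script that writes one with document.write(unescape(...))) can be checked for on a site's own pages. The scanner below is an added example written for this thread; it is not code from the forum, Symantec or F-Secure. The heuristics, the function and class names, and the sample HTML (with the placeholder hosts www.example-site.test and injected.invalid) are all constructed for the example:

```python
"""Scan an HTML document for the two page modifications described in the
thread: an injected, concealed iframe and an obfuscated script that writes
one.  Constructed defensive example; heuristics and names are the example's
own, not any vendor's."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markers of the document.write(unescape(...)) style of obfuscation quoted in
# post #16; a long run of %XX escapes on its own is also worth a look.
OBFUSCATION_PATTERNS = [
    ("document.write(unescape(", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("eval(unescape(", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("long %XX run", re.compile(r"(?:%[0-9a-f]{2}){12,}", re.I)),
]
# CSS that keeps a frame out of sight without removing it from the page.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


def _dimension(value, default=100):
    """Parse width/height attributes like '0' or '1px'; unknown forms count as visible."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else default


class InjectionScanner(HTMLParser):
    """Collects findings as (kind, detail, reason) tuples."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._script = None  # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            for label, pat in OBFUSCATION_PATTERNS:
                if pat.search(body):
                    self.findings.append(("obfuscated-script", label, body[:60]))
                    break

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != self.page_host:
            reasons.append("off-domain src")
        if _dimension(a.get("width")) <= 1 or _dimension(a.get("height")) <= 1:
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        # A visible frame is normal (embeds, ads); report only frames that are
        # concealed by size or CSS, and record off-domain src as extra context.
        if "zero-size" in reasons or "hidden-style" in reasons:
            self.findings.append(("hidden-iframe", src, ", ".join(reasons)))


def scan_html(html, page_host):
    """Return the list of findings for one page body served from page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate embed, one injected hidden frame,
# one obfuscated writer.  injected.invalid is a placeholder host.
SAMPLE_PAGE = """<html><body><h1>Front page</h1>
<iframe src="http://www.example-site.test/video" width="640" height="360"></iframe>
<iframe src="http://injected.invalid/ld/grb" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22http://injected.invalid/x%22%3E"))</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "www.example-site.test"):
        print(finding)
```

Run against the sample page it reports the zero-size, hidden, off-domain frame and the obfuscated script, and nothing for the visible same-origin embed. The same function can be fed the HTML of each page a site serves, ideally from the server's own files rather than over HTTP, so that a comparison against the deployed source catches additions the developers never made.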

  10. #20
    Adviser Team AplusWebMaster


    FYI... 4.10.2008

    - http://www.symantec.com/security_res...atconlearn.jsp
    "The ThreatCon is currently at Level 2: Elevated.
    The ThreatCon is currently at level 2. On April 8, 2008, Adobe released a security bulletin for Flash Player that includes a vulnerability that remote attackers can leverage to execute arbitrary code. Attackers could create a malicious Flash object embedded in a web page or email to gain access to a vulnerable system. Adobe has reported that Flash Player 9.0.115.0 (and earlier) and 8.0.39.0 (and earlier) are affected. Patches are available. The vulnerabilities have not been seen in the wild. Adobe considers this a 'critical' update and recommends that customers upgrade to Flash Player 9.0.124.0* to fix the issue. Adobe's security bulletin: ( http://www.adobe.com/support/securit...apsb08-11.html )
    Bugtraq entry: ( http://www.securityfocus.com/bid/28694/references )"

    * http://forums.spybot.info/showpost.p...37&postcount=2

    Last edited by AplusWebMaster; 2008-04-17 at 19:39.
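A worked example, added here and not part of the post or of Adobe's bulletin, turning the version numbers quoted in the ThreatCon notice above into a check that can be run over a list of workstations. The affected ranges (9.0.115.0 and earlier, 8.0.39.0 and earlier) and the fixed release (9.0.124.0) come from the post; the function names, the status labels and the constructed inventory with placeholder hostnames are the example's own. Versions the post does not classify are reported as "unlisted" rather than guessed at:

```python
"""Classify observed Flash Player versions against the ranges quoted in the
ThreatCon notice.  Constructed example; only the version numbers come from
the post."""


def parse_version(text):
    """Turn '9.0.115.0' into (9, 0, 115, 0), padded to four fields.

    Numeric tuples compare correctly; comparing the strings would rank
    '9.0.9.0' above '9.0.10.0'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


# Highest affected version per major branch, as stated in the post.
AFFECTED_CEILING = {
    9: parse_version("9.0.115.0"),
    8: parse_version("8.0.39.0"),
}
FIXED_VERSION = parse_version("9.0.124.0")


def flash_status(version_text):
    """Return 'affected', 'fixed', 'unlisted' or 'unparseable'.

    'fixed' means at or above the release the post names as the fix.
    'unlisted' covers versions the post's text does not classify (a branch
    other than 8 or 9, or a 9.x build between 9.0.115.0 and 9.0.124.0); a
    checker should not silently treat those as safe."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unparseable"
    if v >= FIXED_VERSION:
        return "fixed"
    ceiling = AFFECTED_CEILING.get(v[0])
    if ceiling is not None and v <= ceiling:
        return "affected"
    return "unlisted"


def needs_upgrade(inventory):
    """From (host, version) pairs, list every host that is not confirmed
    fixed, each with its status, so nothing falls through unnoticed."""
    return [(host, flash_status(ver)) for host, ver in inventory
            if flash_status(ver) != "fixed"]


# Constructed inventory; the hostnames are placeholders.
SAMPLE_INVENTORY = [
    ("ws-01.example.invalid", "9.0.115.0"),
    ("ws-02.example.invalid", "9.0.124.0"),
    ("ws-03.example.invalid", "8.0.39.0"),
    ("ws-04.example.invalid", "9.0.9.0"),
    ("ws-05.example.invalid", "9.0.120.0"),
    ("ws-06.example.invalid", "n/a"),
]

if __name__ == "__main__":
    for host, status in needs_upgrade(SAMPLE_INVENTORY):
        print(host, status)
```

The point of the "unlisted" bucket is that an advisory's wording rarely covers every build in circulation; a version between the last affected build and the fixed release, or a branch the advisory never mentions, should go to a person for a decision, not be dropped from the report.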
