Page 3 of 7 FirstFirst 1234567 LastLast
Results 21 to 30 of 61

Thread: Browsers under attack - archive

  1. #21
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    FYI...

    One new infected webpage found every 5 seconds - Sophos
    - http://www.sophos.com/pressoffice/ne...ecrep08q1.html
    21 April 2008
    - Top ten countries hosting web-based malware...
    - Hacked sites pose greatest risk to IT security...
    (...Top 10 malware found on the web Q1-2008, 29% is iframe related...)

    - http://wiki.castlecops.com/IFRAME_2008

    Last edited by AplusWebMaster; 2008-04-22 at 18:33.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Lightbulb

    FYI...

    - http://preview.tinyurl.com/64qbkd
    April 23, 2008 (Infoworld) - "...Web sites are rife with security problems: In 2006, the Web Application Security Consortium surveyed 31,373 sites and found that 85.57 percent were vulnerable to cross-site scripting attacks, 26.38 were vulnerable to SQL injection and 15.70 percent had faults that could let an attacker steal information from databases...
    Vendors have typically only tested their software patches on machines in default configurations, which isn't representative of the real IT world, Paller said. Many businesses use custom applications with custom configurations, which require rigorous testing to ensure a patch won't break their applications. The U.S. Air Force was one of the first organizations that tried a new approach when contracting IT systems with Microsoft and other application vendors about two years ago to enable speedier patching, Paller said.
    The Air Force's CIO at the time, John M. Gilligan, consolidated 38 different IT contracts into one and ordered all new systems to be delivered in the same, secure configuration. Then, he ordered that application vendors certify that their applications would work on the secure configurations, Paller said. Then Gilligan took his case to Microsoft. At the time, it took the Air Force about 57 days between the time a patch was released until their 450,000 systems were up-to-date. Gilligan wanted Microsoft to test its patches on machines with the same configuration as the Air Force's, shifting the cumbersome testing process back to the vendor. The negotiations, which didn't start off well, culminated with a meeting with CEO Steve Ballmer. "The story is that he [Gilligan] use a four-letter word in the meeting," Paller said. "You know what the four-letter word was? Unix."
    Gilligan won. Now, the Air Force can patch in about 72 hours now, and they're looking to cut that to 24 hours, Paller said. The idea was so successful that as of Feb. 1, the U.S. government implemented the same conditions for all of its agencies..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  3. #23
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    FYI...

    Cross-site scripting also used in Mass Compromises
    - http://blog.trendmicro.com/xss-metho...s-compromises/
    May 31, 2008 - "We were about to investigate further on malicious activities related to banner82(dot)com/b.js but the URL was already inaccessible around Tuesday. Soon enough the malicious script in www(dot)adw95(dot)com caught our interest. A rough survey of the sites compromised by this script reveal that the sites involved some cross-site scripting (XSS*), or SQL injection vulnerabilities, or a combination of both... XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks incorporate disclosure of the user’s session cookies, allowing an attack perpetrator to have complete control over the victim’s session and to (in effect) take over the account & hijack the HTTP session.
    XSS attacks may also include redirecting the user to some other page or website, and modifying the content of a HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.
    An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There are an unaccounted number of variations for these types of attacks, and XSS attacks can come in the form of embedded JavaScript — one of the more common implementations. But be forewarned — any embedded active content is also a potential source of danger, including: ActiveX (OLE), VBscript, Flash, and more... Mass compromises seem to be all the rage these days, and exploiting XSS vulnerabilities are just one of the methods criminals can employ to silently worm their way into users’ PCs..."
    * http://en.wikipedia.org/wiki/Cross-s...loit_scenarios

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #24
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Malware redirects...

    FYI...

    Malware redirects...
    - http://sunbeltblog.blogspot.com/2008...o-dogpile.html
    June 08, 2008 - "First Google, then DoubleClick* redirects, now Dogpile is a new favorite for XSS redirects by malware authors..."
    * http://sunbeltblog.blogspot.com/2008...ts-now-it.html
    June 02, 2008 - "On May 25th, we noticed that spammers and malware distributors had moved from using Google redirects, to Doubleclick redirects. If you’re tracking this stuff, you’re undoubtedly seeing extensive use of these redirects..."

    (Screenshots available at both URLs above.)

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  5. #25
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Safari attack code released...

    FYI...

    Safari 'carpet bomb' attack code released
    - http://preview.tinyurl.com/65fe66
    June 10, 2008 (Computerworld) - "A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers. The source code, along with a demo of the attack, was posted Sunday on a computer security blog. It can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks... the vulnerability has to do with the way Windows handles desktop executables and recommended that Windows users "restrict use of Safari as a Web browser until an appropriate update is available from Microsoft and/or Apple." The attack affects all versions of Windows XP and Vista, Microsoft said in its advisory*..."

    - http://isc.sans.org/diary.html?storyid=4562
    Last Updated: 2008-06-12 11:22:32 UTC
    ...Since the proof of concept is easily available, if you are using Safari on Windows please change the default download location as described in Microsoft's advisory available at
    * http://www.microsoft.com/technet/sec...ry/953818.mspx

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  6. #26
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation Malicious doorways redirecting to malware

    FYI...

    - http://ddanchev.blogspot.com/2008/06...ecting-to.html
    June 16, 2008 - "...bottom line - malicious doorways are slowly starting to emerge thanks to the convergence of traffic redirection and management tools with web malware exploitation kits, and just like we've been seeing the adaptation of spamming tools and approaches for phishing purposes, next we're going to see the development of infrastructure management kits, a feature that DIY phishing kits* are starting to take into consideration as well."
    * http://ddanchev.blogspot.com/2008/05...ucing-new.html

    Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  7. #27
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation

    FYI...

    Safari version 3.1.2...
    - http://blog.washingtonpost.com/secur...fari_on_1.html
    June 19, 2008 - "Apple today pushed out a new version of its Safari browser for Microsoft Windows users. The latest iteration plugs at least four security holes, including one that allowed automatic downloading of files to the Windows desktop. In some cases, these files could be started without the user's knowledge. Safari version 3.1.2 corrects a flaw, which allows any rogue Web site to "carpet bomb" the user's Windows Desktop... The new version is available from Apple Downloads* ..."
    * http://www.apple.com/support/downloads/
    "This update is recommended for all Safari Windows users and includes stability improvements and the latest security updates."

    - http://secunia.com/advisories/30775/
    Release Date: 2008-06-20
    Critical: Highly critical
    Impact: Exposure of sensitive information, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Safari for Windows 3.x ...
    Solution: Update to version 3.1.2 ...
    Original Advisory: Apple:
    http://support.apple.com/kb/HT2092

    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2540

    Last edited by AplusWebMaster; 2008-06-20 at 14:03. Reason: Added Secunia advisory info...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  8. #28
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation IEv6 XSS vuln code released

    FYI...

    - http://www.us-cert.gov/current/index...plorer_6_cross
    June 26, 2008 - "US-CERT is aware of publicly available proof-of-concept code for a new vulnerability in Microsoft Internet Explorer 6. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. This could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 does not appear to be affected by this issue. US-CERT strongly encourages users to upgrade to Microsoft Internet Explorer 7 and follow the best security practices as outlined in the Securing Your Web Browser document to help mitigate the risk. Additional information about this vulnerability can be found in the Vulnerability Notes Database*..."
    * http://www.kb.cert.org/vuls/id/923508

    - http://secunia.com/advisories/30857/

    ===

    (Another) IEv6 vuln... aka "Cross-Site Cooking"
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3173
    Last revised: 7/15/2008 - "...NOTE: this issue may exist because of an insufficient fix for CVE-2004-0866*..."
    * http://nvd.nist.gov/nvd.cfm?cvename=CVE-2004-0866

    Last edited by AplusWebMaster; 2008-07-22 at 00:18. Reason: Another IEv6 vuln...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  9. #29
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation IE v6, v7, v8 vuln - unpatched

    FYI...

    - http://secunia.com/advisories/30851/
    Last Update: 2008-06-30
    Critical: Moderately critical
    Impact: Security Bypass, Spoofing
    Where: From remote
    Solution Status: Unpatched...
    Solution: Do not visit or follow links from untrusted websites...
    - http://www.kb.cert.org/vuls/id/516627
    Last Updated: 06/27/2008 - "...Limited testing has shown that IE 6, 7, and 8 beta 1 are vulnerable...
    We are currently unaware of a practical solution to this problem. Please consider the following workarounds:
    Disable Active Scripting
    This vulnerability can be mitigated by disabling Active Scripting in the Internet Zone, as specified in the "Securing Your Web Browser" document*."
    * http://www.us-cert.gov/reading_room/...ernet_Explorer

    > http://www.us-cert.gov/current/#micr..._vulnerability

    Last edited by AplusWebMaster; 2008-06-30 at 13:03.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  10. #30
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Exclamation 40% of Web users surf with Unsafe Browsers

    FYI...

    40% of Web users surf with Unsafe Browsers
    - http://preview.tinyurl.com/4nhr4n
    July 1, 2008 (blog.washingtonpost.com/securityfix) - "A comprehensive new study of online surfing habits released today found that only 60 percent of the planet's Internet users surf the Web with the latest, most-secure versions of their preferred Web browsers. The study, conducted by researchers from Google, IBM and the Communication Systems Group in Switzerland, relied on data from server logs provided by Google for search requests between Jan. 2007 and June 2008. The researchers found that of the 1.4 billion Internet users worldwide at the end of March 2008, 576 million surfed with outdated versions of Web browsers..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •