
Thread: Browsers under attack - archive

  1. #31
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Top Web Threat Trends...

    FYI...

    - https://forums2.symantec.com/t5/blog.../article-id/13
    03-24-2009 - "... simply visiting your favorite website can either lead to malware silently being installed on your computer without ever clicking on anything, or being plagued by misleading applications, such as fake antivirus software, seems to be a surprise to many users and IT managers alike... Our recently published Web-based attacks white paper* highlights some of the top Web threat trends that our security analysts observed during 2008... When your system is compromised, there is usually no indication—it happens silently without flashing lights or having to click on anything. All it takes is one vulnerable browser, multimedia application, document viewer, or browser plug-in and your computer can be compromised. I spoke with one user who couldn’t believe that one of the top 100 sites on the Internet would be attacking his computer. There was another customer whose own Web server kept attacking and infecting his computer... Web-based attacks are occurring everywhere and users’ computers are being attacked and infected in enterprise and consumer environments alike..."

    * http://www.symantec.com/business/the...d=threatreport
    Web Based Attacks: February, 2009 - "...
    Top Web Threat Trends for 2008
    1. Drive-by downloads from mainstream Web sites are increasing
    2. Attacks are heavily obfuscated and dynamically changing making traditional antivirus solutions ineffective
    3. Attacks are targeting browser plug-ins instead of only the browser itself
    4. Misleading applications infecting users are increasing
    5. SQL injection attacks are being used to infect mainstream Web sites
    6. Malvertisements are redirecting users to malicious Web sites
    7. Explosive growth in unique and targeted malware samples ..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #32
    TinyURL abuse... E-cards lead to malware...

    FYI...

    TinyURL abuse... E-cards lead to malware...
    - http://blog.trendmicro.com/e-cards-u...t-dating-site/
    Mar. 24, 2009 - "The misuse of legitimate services continues as after recent reports of cybercriminals exploiting the redirecting service TinyURL to slip past spam filters, legitimate e-card services are now being used. We have received email samples that arrive as ecards... The greeting cards were from Regards.com, the web’s largest collection of free greeting cards. The email claims to be sent by a user under an alias..."
    (Screenshot available at the URL above.)
    ________________________________________

    See: http://tinyurl.com/preview.php?disable=0
    "Don't want to be instantly redirected to a TinyURL and instead want to see where it's going before going to the site? Not a problem with our preview feature."

    Last edited by AplusWebMaster; 2009-03-25 at 23:47.

  3. #33
    Browsers under attack - 2009

    FYI...

    Browsers under attack - 2009
    - http://www.trustedsource.org/blog/24...rowser-Attacks
    June 4, 2009 - "... this paper* deals with the many complexities of browser security and attacks. From the paper:
    Web Browsers: An Emerging Platform Under Attack
    'The widespread use of highly interactive “rich client” web applications for e-commerce, business networking, and online collaboration has finally catapulted web browsers from straightforward HTML viewers to a full-blown software platform. And as corporate users are performing a significant portion of their work on the web, whether it’s researching or collaborating, the safety of the underlying platform is critical to the company’s success.' Other areas the paper covers include:
    • The shift in spam to mainly malicious web link usage
    • “Web 2.0” sites—whether weblogs, social networking or portal sites—are increasingly spammed with links to malicious sites
    • Legitimate sites are compromised and misused to either host malicious code or link to a malicious website
    • Use of malicious video banners placed in advertisement networks
    • Use of popular search terms to advertise and drive (search query) traffic to a malicious website. In a recent case in Germany, attackers used Google AdWords to attract users who searched for “flash player” to the attacker’s fake Adobe-look-alike site ..."
    * http://www.mcafee.com/us/local_conte...wsers_w_en.pdf


  4. #34
    More 0-Day exploits for browsers

    FYI...

    More 0-Day exploits for browsers...
    - http://blog.trendmicro.com/more-zero...-and-ie-flaws/
    July 21, 2009 - "Earlier today... spotted several malicious script files that exploited Mozilla Firefox and Microsoft Internet Explorer vulnerabilities:
    • JS_DIREKTSHO.B exploits a vulnerability in Microsoft Video Streaming ActiveX control to download other possibly malicious files.
    • JS_FOXFIR.A accesses a website to download JS_SHELLCODE.BV. In turn JS_SHELLCODE.BV exploits a vulnerability in Firefox 3.5 to download WORM_KILLAV.AKN.
    • JS_SHELLCODE.BU exploits a vulnerability in Microsoft OWC to download JS_SHELLCODE.BV.
    Initial analysis... shows that the scripts above may be unknowingly downloaded through either Firefox -or- Internet Explorer.
    According to Mozilla, a Firefox user reported suffering from a crash that developers determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, the just-in-time (JIT) compiler could get into a corrupt state. This could then be exploited by an attacker to run arbitrary code. However, this vulnerability does not affect earlier versions of Firefox, which do not support the JIT feature. Firefox 3.5 users can avoid this vulnerability by disabling the JIT compiler as described in the Mozilla Security Blog*. This workaround is, however, unnecessary for Firefox 3.5.1 users.
    * http://blog.mozilla.com/security/200...in-firefox-35/
    > On the other hand, the vulnerability in Microsoft Video ActiveX Control allows remote code execution if a user views a specially crafted web page with Internet Explorer, executing the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
    > Microsoft is aware of attacks attempting to exploit the said vulnerabilities and advises its customers to prevent the OWC from running either manually or automatically using the solution found in Microsoft Knowledge Base Article 973472*.
    * http://support.microsoft.com/kb/973472#FixItForMe
    Trend Micro advises users to refer to the following pages to download updates/patches for the vulnerabilities the aforementioned script files exploit:
    • Firefox: Mozilla Foundation Security Advisory 2009-41
    http://www.mozilla.org/security/anno...sa2009-41.html
    • OWC: Microsoft Security Advisory (973472)
    http://www.microsoft.com/technet/sec...ry/973472.mspx
    • DirectShow: Microsoft Security Bulletin MS09-032
    http://www.microsoft.com/technet/sec.../MS09-032.mspx ..."


  5. #35
    Multi-browser hole exploited by banking trojan

    FYI...

    Multi-browser hole exploited by banking trojan
    - http://news.cnet.com/8301-27080_3-10363836-245.html
    September 29, 2009 - "Researchers at security firm Finjan have discovered details of a new type of banking Trojan horse that doesn't just steal your bank log in credentials but actually steals money from your account while you are logged in and displays a fake balance. The bank Trojan, dubbed URLZone, has features designed to thwart fraud detection systems which are triggered by unusual transactions, Yuval Ben-Itzhak, chief technology officer at Finjan, said in an interview Tuesday. For instance, the software is programmed to calculate on-the-fly how much money to steal from an account based on how much money is available. It exploits a hole in Firefox, Internet Explorer 6, IE7, IE8, and Opera, and it is different from previously reported banking Trojans, said Ben-Itzhak. The Trojan runs an executable only on Windows systems, he said. The executable can come via a number of avenues, including malicious JavaScript or an Adobe PDF, he added. The specific Trojan Finjan researchers analyzed targeted customers of unnamed German banks, according to the latest Finjan report*. It was linked back to a command-and-control server in Ukraine that was used to send instructions to the Trojan software sitting inside infected PCs. Finjan has notified German law enforcement... This is the first Trojan Finjan has come across that hijacks a victim's browser session, steals the money while the victim is doing online banking, and then covers its tracks by modifying information displayed to the victim, all in real time, Ben-Itzhak said. People should keep their antivirus, operating system, browser and other software up to date to protect against this type of attack, he said."
    * http://www.finjan.com/Content.aspx?id=1367
    "... cybercrooks used a combination of Trojans and money mules to rake in hundreds of thousands of Euros and to minimize detection by the anti-fraud systems used by banks. After infection, a bank Trojan was installed on the victims’ machines and started communication with its Command & Control (C&C) server for instructions. These instructions included the amount to be stolen from specific bank accounts and to which money mule-accounts the stolen money should be transferred. The use of this Anti anti-fraud method signals a new trend in cybercrime."
    - http://www.finjan.com/MCRCblog.aspx?EntryId=2345
    Sep 30, 2009

    Last edited by AplusWebMaster; 2009-10-01 at 16:49.

  6. #36
    Rogue AV spreads thru XSS attacks in browsers

    FYI...

    Rogue AV spreads thru XSS attacks in browsers
    - http://www.theregister.co.uk/2009/12...ue_av_attacks/
    16 December 2009 - "Malware purveyors are exploiting web vulnerabilities in appleinsider .com, lawyer .com, news .com.au and a dozen other sites to foist rogue anti-virus on unsuspecting netizens. The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites... As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected... The links work because appleinsider .com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks. More about the attack is available from the Zscaler blog here*."
    * http://research.zscaler.com/2009/12/...d-iframes.html

    > http://en.wikipedia.org/wiki/Cross-s...loit_scenarios

    > http://en.wikipedia.org/wiki/Browser_exploit

    Last edited by AplusWebMaster; 2009-12-16 at 17:02.

  7. #37
    Malicious JS infects websites

    FYI...

    Malicious JavaScript infects websites
    - http://blog.trendmicro.com/malicious...ects-websites/
    Dec. 31, 2009 - "Trend Micro threat analysts were alerted to the discovery of several compromised websites inserted with a JavaScript. The JavaScript is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which enables it to delay executing its routine, that is, -redirecting- the user to several malicious websites. This is done so users will not suspect that they are already infected. In addition, this malicious JS is hosted on PHP servers. If a user visits an infected website, it will display a white screen... Upon analysis, it was observed that the code (found on most infected sites) begins with /*GNUGPL*/try{window.onload=function(){var or /*CODE1*/ try{window.onload = function(){va. According to the Unmask Parasites blog*, the cybercriminals behind this attack incorporated certain legitimate sites’ names such as Google, Bing, and WordPress, among others, in their code to appear as a legitimate URL..."
    * http://blog.unmaskparasites.com/

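A defender-side check for the code prefixes quoted in post #37, as an added example that is not part of the original post or of the Trend Micro write-up. It scans site files for the two quoted markers with spacing ignored and reports whether the enclosing script tag carries the defer attribute the post mentions; the file names and sample contents are constructed for illustration.

```python
import re

# Prefixes quoted in post #37. The first quote ends in "var" and the second in
# "va", so both are matched up to "va".
QUOTED_PREFIXES = {
    "GNUGPL": "/*GNUGPL*/try{window.onload=function(){va",
    "CODE1": "/*CODE1*/try{window.onload=function(){va",
}

def ws_tolerant(literal):
    """Compile a literal so any whitespace may appear between its characters
    (the two quoted variants differ in spacing)."""
    return re.compile(r"\s*".join(re.escape(ch) for ch in literal))

PATTERNS = {name: ws_tolerant(lit) for name, lit in QUOTED_PREFIXES.items()}
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
DEFER_ATTR = re.compile(r"(?:^|\s)defer(?:\s|=|$)", re.I)

def scan(text):
    """Return one finding per marker hit: marker name, 1-based line number, and
    whether the enclosing <script> tag has a defer attribute (None if the hit
    is not inside a <script> element, e.g. in a standalone .js file)."""
    spans = [(m.start(2), m.end(2), bool(DEFER_ATTR.search(m.group(1))))
             for m in SCRIPT_TAG.finditer(text)]
    findings = []
    for name, pattern in PATTERNS.items():
        for hit in pattern.finditer(text):
            defer = next((d for s, e, d in spans if s <= hit.start() < e), None)
            findings.append({"marker": name, "defer": defer,
                             "line": text.count("\n", 0, hit.start()) + 1})
    return sorted(findings, key=lambda f: f["line"])

def scan_all(files):
    """Scan a {filename: content} mapping; return only files with findings."""
    return {name: hits for name, content in files.items() if (hits := scan(content))}

# Constructed sample content with harmless bodies, not real captures.
SAMPLES = {
    "index.php": "<html><body>\n<p>hello</p>\n<script defer>/*GNUGPL*/"
                 "try{window.onload=function(){var x=1;}}catch(e){}</script>\n",
    "footer.js": "// site footer\n/*CODE1*/ try{window.onload = function()"
                 "{var y=2;}}catch(e){}\n",
    "clean.html": "<script>/* GNU GPL licensed */ window.onload = init;</script>",
}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        for h in hits:
            print(f"{name}:{h['line']}: {h['marker']} marker, defer={h['defer']}")
```

A hit only says the quoted prefix is present; the rest of the injected block still has to be reviewed and removed by hand.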

  8. #38
    Browser -redirects- on the Web...

    FYI...

    Browser -redirects- on the Web...
    > http://forums.spybot.info/showpost.p...&postcount=193
    January 25, 2010 - "It has been a month since we added detection for Troj/JSRedir-AK* and figures generated today show that over 40% of all web-based detections have been from this malicious code. Translating the numbers into a more human comprehensible form: 1 site every 15 secs was being detected as Troj/JSRedir-AK... will redirect the web browser to other malicious websites..."

    Q4 '09 web-based malware data and trends
    > http://forums.spybot.info/showpost.p...&postcount=194
    January 26, 2010

    Last edited by AplusWebMaster; 2010-01-29 at 17:54.

  9. #39
    Browsers under attack - archive

    FYI...

    Safari v4.0.5...
    - http://secunia.com/advisories/39670
    Last Update: 2010-05-18
    Criticality level: Highly critical
    Solution Status: Unpatched...
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1939
    CVSS v2 Base Score: 7.6 (HIGH)
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1940
    CVSS v2 Base Score: 4.3 (MEDIUM)

    Firefox v3.6.3...
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1986
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1987
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1988
    CVSS v2 Base Score: 10.0 (HIGH)
    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1990
    Last revised: 05/21/2010
    - https://wiki.mozilla.org/Releases
    Firefox 3.6.4 - June 1 ...

    IE 6, 7, and 8
    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2010-1991
    Last revised: 05/21/2010
    CVSS v2 Base Score: 5.0 (MEDIUM)

    Last edited by AplusWebMaster; 2010-05-24 at 18:26.

  10. #40
    Safari v5.0 / IE MS10-035 released

    FYI...

    Safari v5.0 released
    - http://secunia.com/advisories/40105/
    Release Date: 2010-06-08
    Criticality level: Highly critical
    Impact: Security Bypass, Cross Site Scripting, Spoofing, Exposure of system information, Exposure of sensitive information, System access
    Where: From remote ...
    Solution: Update to version 4.1 (available only for Mac OS X v10.4 systems) or upgrade to version 5.0.
    Original Advisory: Apple:
    http://support.apple.com/kb/HT4196
    ...Note: Safari 5.0 and Safari 4.1 address the same set of security issues. Safari 5.0 is provided for Mac OS X v10.5, Mac OS X v10.6, and Microsoft Windows systems. Safari 4.1 is provided for Mac OS X v10.4 systems.

    - http://support.apple.com/downloads/
    June 07, 2010

    - http://www.apple.com/support/safari/

    - http://secunia.com/advisories/40110/
    Release Date: 2010-06-08
    Solution Status: Unpatched ...
    ... The security issue is confirmed in version 5.0 for Windows. Other versions may also be affected...

    - http://www.theregister.co.uk/2010/06...fari_5_reader/
    8 June 2010
    ___

    MS Security Bulletin MS10-035 - Critical
    Cumulative Security Update for Internet Explorer (982381)
    - http://www.microsoft.com/technet/sec.../ms10-035.mspx
    June 08, 2010 - "... resolves five privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page..."

    Last edited by AplusWebMaster; 2010-06-08 at 23:23.
