SecuraNET Resource Centre

SecuraNET Products : Technology Updates

  • 25th May 2007 - Apple security update fixes 17 flaws
    Apple unveiled the year's fifth major security update for Mac OS X to patch 17 vulnerabilities.

    If Apple ranked bugs by severity, as Microsoft does, for example, most of the bugs fixed by Security Update 2007-005 would be rated less than critical. In eight of the 17, an exploit could do no more damage than cause a denial of service or crash the affected component. Only five of the patched vulnerabilities could result in an attacker executing his own code.

    Among the serious bugs is one in how Mac OS X 10.4, known as Tiger, handles PDF files. "By enticing a user to open a maliciously crafted PDF file, an attacker could trigger the overflow, which may lead to an unexpected application termination or arbitrary code execution," Apple's advisory said.

    Another dangerous flaw fixed by the update exists in the code that maps ports on home networks in iChat, Apple's instant messaging service and software. An attacker needs only to send a malformed packet to trigger a buffer overflow, which could then be used to add malicious code to the Mac. The hacker, however, must have access to the local network to exploit the bug.

    Other parts of Mac OS X that were patched include BIND (Berkeley Internet Name Domain), the de facto standard Domain Name System server software, which was patched against four vulnerabilities; the Ruby CGI library (two vulnerabilities); and Fetchmail (one vulnerability).

    Although the latest update pushed Apple's year-to-date patch total to over 100, there was a bright side: It included fixes for fewer flaws than last month (25) and the month before (45).

    The security update can be downloaded from the Apple site or using Mac OS X's built-in update service.

    Resources:

    > Apple: About Security Update 2007-005

    (Source: Computerworld)


  • 23rd May 2007 - OpenOffice multi-platform macro worm reported
    The worm, called BadBunny for the pornographic image it displays, targets Windows, Mac and Linux computers - but poses low threat.

    Experts have detected a cross-platform worm targeted at OpenOffice users. Dubbed BadBunny and written in StarBasic, the macro scripting language of the OpenOffice suite, the macro worm is considered no more than proof-of-concept code and, as such, a low-risk threat.

    OpenOffice users get infected if they open an OpenOffice Draw file called badbunny.odg. The macro first displays a bit of porn — an image of a man wearing a bunny suit performing a sex act in the woods. Then it asks the question:
    Hey %username% you like my BadBunny?
    (where %username% is the user's name), and displays an OK button. Whether the user presses the button or not, by this time the replicating code has already been executed.

    Because StarBasic macros run on any platform that OpenOffice does, the worm can affect Windows, Linux and Mac OS X. The results vary by system, as follows.
    > Windows: The worm drops a file called drop.bad, which is then moved to system.ini in the mIRC folder (if the user has one). It also drops and executes badbunny.js, a JavaScript virus that replicates to other files in the folder.
    > Mac OS: The worm drops one of two Ruby script viruses (in files called badbunny.rb or badbunnya.rb).
    > Linux: The worm drops badbunny.py as an XChat script and also drops badbunny.pl which is a tiny Perl virus infecting other Perl files.

    The dropped XChat and mIRC scripts are used to replicate in an attempt to distribute the virus. Sections of the code also attempt to knock out access to a list of anti-virus websites.

    The malware was written by a group that has written StarOffice malware in the past. The Stardust virus, created by the same team in May 2006, tried to download a picture of porn star Silvia Saint. BadBunny is the most complex sample of such malware to date and the first that attempts to infect multiple system platforms, at least in theory. Because of that, it has the highest chance to get into the wild of all StarOffice malware seen so far. Experts agree, however, that BadBunny is old-school malicious code written to show off a proof of concept, rather than a serious attempt to attack users.

    OpenOffice.org issued a calming message to users. In a posting in their mailing list, they said: "The OpenOffice.org engineers take the security of the software very seriously, and will react promptly to any new issues. This 'proof of concept' virus is not new information, and does not require a software patch". The expert recommendation, as always, is: never trust a file from unknown sources.

    (Source: Wired, The Register)
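
For mail or file gateways that want to triage documents like the one described above, the following added example (not code from the article or from OpenOffice.org) checks whether an OpenDocument package carries macro content before anyone opens it. It relies on the standard ODF package layout, where StarBasic libraries live under `Basic/` and other script languages under `Scripts/`; the function names and the in-memory sample files are constructed for illustration.

```python
import io
import zipfile

# Package paths where ODF documents keep executable content:
# "Basic/" holds StarBasic libraries, "Scripts/" holds other macro languages.
MACRO_PREFIXES = ("Basic/", "Scripts/")
# File name the article gives for the BadBunny carrier document.
ARTICLE_CARRIER_NAME = "badbunny.odg"


def inspect_odf(name, data):
    """Report macro content in an ODF package supplied as bytes."""
    report = {"name": name, "is_odf": False, "has_macros": False,
              "macro_entries": [],
              "known_carrier_name": name.lower() == ARTICLE_CARRIER_NAME}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # not a ZIP container, so not an ODF package
    with zf:
        names = zf.namelist()
        # A well-formed ODF package has a "mimetype" entry naming its type.
        if "mimetype" in names:
            mimetype = zf.read("mimetype").decode("ascii", "replace")
            report["is_odf"] = mimetype.startswith(
                "application/vnd.oasis.opendocument.")
        report["macro_entries"] = sorted(
            n for n in names
            if n.startswith(MACRO_PREFIXES) and not n.endswith("/"))
    report["has_macros"] = bool(report["macro_entries"])
    return report


def build_sample(with_macro):
    """Build a minimal Draw package in memory (constructed, harmless input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.graphics")
        zf.writestr("content.xml", "<office:document-content/>")
        if with_macro:
            zf.writestr("Basic/script-lc.xml", "<!-- library container -->")
            zf.writestr("Basic/Standard/Module1.xml", "<!-- placeholder -->")
    return buf.getvalue()


if __name__ == "__main__":
    for fname, macro in (("drawing.odg", False), ("badbunny.odg", True)):
        print(inspect_odf(fname, build_sample(macro)))
```

A hit on `macro_entries` means the file deserves review, not that it is malicious: ordinary documents can also contain macro libraries.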

  • 22nd May 2007 - Microsoft releases Office security tools
    Microsoft released a pair of tools to help protect computers from Office files containing malicious code.

    Both tools are designed to block Office "zero-day" attacks, which take advantage of vulnerabilities before Microsoft releases a patch. These types of attacks have become more common in recent months.

    The first tool, called Microsoft Office Isolated Conversion Environment (MOICE), is meant to protect users running Office 2003. MOICE works by converting Office 2003 binary files to the new Office Open XML format, used by 2007 Office, blocking out malicious code in the process. Importantly, this conversion takes place inside an isolated environment, which Microsoft said prevents malicious code from running on the computer.

    The second tool, called File Block Functionality for Microsoft Office 2003 and the 2007 Microsoft Office system, enables system administrators to define which file types users can and cannot open. By blocking specific Office file types, administrators can temporarily deny users the ability to open such files when a threat of attack from a given Office file type exists.

    Microsoft detailed MOICE and File Block in a security advisory (937696), which provides links to several related Knowledge Base articles (935865, 922849, 922848 and 922847).

    Resources:

    > Microsoft Security Advisory 937696: Release of Microsoft Office Isolated Conversion Environment (MOICE) and File Block Functionality for Microsoft Office

    (Source: Microsoft, Computerworld)

  • 18th May 2007 - Cracking WiFi security: "WEP is dead"
    German researchers developed an attack against the WiFi security protocol WEP that can recover the key in less than 2 minutes with a probability of 95%.

    When WEP was first compromised in 2001, the attack needed more than five million packets to succeed. During the summer of 2004, a hacker named KoreK published a new WEP attack (called chopper) that reduced the number of packets required by an order of magnitude. Recently, three PhD students at the Darmstadt University of Technology, Germany, developed an attack that needs as few as 85,000 packets to crack WEP with a 95% probability.

    The German team showed that their attack has a success probability of 50% with 40,000 packets and success probability of 95% with 85,000 packets. This means getting the key in less than 2 minutes.

    Currently, WEP is normally implemented using 40/64 and 104/128 bit keys, though a few vendors have implemented a 232/256 bit WEP. This is no remedy, according to the researchers, who say that, with some additional development, they could also break WEP512. They simply declare WEP dead.

    (Source: The Register)

  • 14th May 2007 - The dark side of the web: 10%
    At least one in 10 web pages contains malware, according to Google.

    A five-strong Google research team found that 450,000 pages, out of a sample of 4.5 million pages, had scripts to install malicious code, such as Trojans and spyware. This is certainly a conservative estimate, as another 700,000 pages were thought to be suspicious by Google.

    The search giant's Ghost in the Browser study calls attention to the volume of the "dark side" of the net. The authors also point out that malware can be injected into otherwise legitimate sites via a variety of tricks, including malicious advertising. User-generated content also creates a means to upload malware.

    The researchers hope to use their findings to aid the development of a new generation of safe surfing tools that steer users away from harm.

    (Source: The Register)

  • 11th May 2007 - Most badware sites hosted by 5 companies
    Over 35% of the tens of thousands of malicious sites reported are hosted by a handful of ISPs, says StopBadware.org.

    StopBadware.org's latest report is based on the analysis of 49,296 sites submitted to the initiative's Badware Website Clearinghouse. The study found that more than 35% of the malicious sites in their database are hosted by the following five companies:

    > iPowerWeb, Inc. (10,834)
    > Layered Technologies (2,513)
    > ThePlanet.com Internet Services, Inc (2,056)
    > Internap Network Services (1,437)
    > CHINANET Guangdong province network (786)

    The leaders of the initiative warned webmasters that their sites can get hacked, and, unknowingly, can infect their customers' computers.

    (Source: StopBadware.org)

