Internet Explorer zero-day exploit targets nuclear weapons researchers (Updated)

Attackers exploited a previously unknown and currently unpatched security bug in Microsoft's Internet Explorer browser to surreptitiously install malware on the computers of federal government workers involved in nuclear weapons research, researchers said on Friday.

The attack code appears to have exploited a zero-day vulnerability in IE version 8 when running on Windows XP, researchers from security firm Invincea said in a blog post. The researchers have received reports that IE running on Windows 7 is susceptible to the same exploit but have not been able to independently confirm that. Versions 6 and 7 of the Microsoft browser don't appear to be vulnerable.

Update: In an advisory published a couple of hours after this article went live, Microsoft confirmed a code-execution vulnerability in IE8. Versions 6, 7, 9, and 10 of the browser are immune to the exploit. People using IE8 should upgrade to versions 9 or 10, if possible. Those who are unable to move away from version 8 should take the following mitigations:

Read 5 remaining paragraphs | Comments

Google Glass and Tomorrow’s Security Concerns

If you haven’t heard, Google Glass, the latest gadget from the Silicon Valley giant, has set the media and tech world abuzz, with both admiration and controversy surrounding the device. Google Glass was released to the public last week and combines smartphone technology with wearable glasses that is reminiscent of something seen on Star Trek. Public, in this case, actually means beta testers (called Glass Explorers) who had to apply for the chance to purchase the spectacles in advance by writing a 50 word essay using the hashtag, #ifihadglass. Those chosen had the opportunity to purchase the device for $1,500 USD.

Along with the admiration of a device that appears to do everything, comes controversy.  The 8,000 individuals who were able to purchase the device were bound to a restrictive end user license agreement, in which the product would be deactivated and rendered useless if sold, loaned, or transferred to a third party. This was discovered after one winner decided to put his glasses on EBay and was contacted by Google. However, it appears there were no restrictions against modifying or rooting the device other than the loss of warranty and technical support.

Recently, James Freeman, a security researcher from the United States blogged about his acquisition of Google Glass from Google’s headquarters in Mountain View, California. His blog post set the tech world abuzz after he posted a picture showing that he had rooted the device. His main motivation in purchasing Google Glass was device customization. In order to make customize the device, he had to “jailbreak” or “root” it.

The foundation of Google Glass is Android 4.04. As with any operating system, there are publicly known vulnerabilities and exploits. In this case, the author analyzed an unnamed exploit which relies on a symlink traversal and a race condition to see if he could apply it to Glass. To gain full root access, Freeman realized he needed to open the Debug menu on Glass. The Debug menu is typically locked on smartphones and requires a PIN to access it, but this was not the case with Google Glass. Freeman discovered that the Debug menu on Glass was not locked down and allowed for easy access to the device:

“Even if you wear Glass constantly, you are unlikely to either sleep or shower while wearing it; most people, of course, probably will not wear it constantly: it is likely to be left alone for long periods of time. If you leave it somewhere where someone else can get it, it is easy to put the device into Debug Mode using the Settings panel and then use adb access to launch into a security exploit to get root.

The person doing this does not even need to be left alone with the device: it would not be difficult to use another Android device in your pocket to launch the attack (rather than a full computer). A USB "On-The-Go" cable could connect from your pocket under your shirt to your right sleeve. With only some momentary sleight-of-hand, one could "try on" your Glass, and install malicious software in the process.”

Although the vulnerability in Google Glass allows for anyone with malicious intent to install malware to their heart's desires, it does require physical access to the device. As those in the security community know, while this vulnerability is a definite flaw security wise, if you can have physical access to a device, it is not completely secure. This is why Linux distributions have a single user mode for forgotten or lost root passwords. If you have physical access to the device or computer, it can be considered insecure.

Wearable devices will give malware authors another avenue to exploit, as evidenced by their transition from desktops to mobile devices. Enterprising and creative malware authors will always try to find a way to exploit a vulnerability in anything, and it will only be a matter of time before it happens.

In theory, Glass or any device that can be worn and used to record at the same time can have security implications. We might not be far away from clever ways for these devices to be used against us. For example, privacy risks such as being recorded inconspicuously wherever you are and theft possibilities, such as having your ATM PIN recorded. These problems just scratch the surface—the list of security concerns might be endless.

.pw URLs in Spam Keep Showing Up

Last week, Symantec posted a blog on an increase in spam messages with .pw URLs. Since then, spam messages with .pw URLs have begun showing up even more.

pw TLD blog update.png

Figure 1. .pw TLD spam message increase

Symantec conducted some analysis into where these attacks are coming from in terms of IP spaces. As expected, Symantec observed a large quantity of mail being sent from an IP range and then moving to another IP range. While this is an expected behavior, there was an interesting twist. There were multiple companies (with different names) hosting .pw spammers using the same physical address in Nevada. 

Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam. The top 25 subject lines from .pw URL spam from May 1, 2013 were:

  • Subject: For all the moms in your life on Mother's Day.
  • Subject: Tax Relief Notification
  • Subject: Remove IRS Tax Penalties
  • Subject: Save on the most beautiful bouquets for Mom
  • Subject: Reusable K Cup for Keurig or single-brew coffee maker
  • Subject: Garden Today says, "By far the easiest hose to use"
  • Subject: HOME: Amazingly Strong water hose you can fit anywhere.
  • Subject: The LAST water hose you'll ever need
  • Subject: No Hassle Pricing on Ford Vehicles
  • Subject: Own a NEW Ford for the Summer
  • Subject: May 1st Ford Clearance Event
  • Subject: Lasik- Safe, Easy, and Affordable
  • Subject: Safe, Easy, and Affordable Lasik
  • Subject: We work with the Biggest and Best Brands in Fashion
  • Subject: Whos the hottest? Post . Vote . Win
  • Subject: Are You and Your Business seen at a global scale?
  • Subject: Power your entire House, Pool and more with Solar Energy
  • Subject: Most EFFECTIVE way to treat Hypertension
  • Subject: Solar power slashes your electric bill in half
  • Subject: Global Business Registry for Networking Professionals
  • Subject: Finally, an EFFECTIVE fat shredding solution
  • Subject: Register with other professionals
  • Subject: Easiest Way To Lower Blood Pressure
  • Subject: Secret To Lowering Blood Pressure Naturally
  • Subject: Refinance Today, Save Tomorrow

In addition to creating anti-spam filters as needed, Symantec has been in contact with Directi and working with the registrar to report and take down the .pw domains associated with spam. Symantec believes that collaborating with the registrar is a more progressive and holistic approach to solving this problem.

What’s a known source of malware doing in an iOS app? Ars investigates

A warning delivered by the Google Safe Browsing service. The link reported as malicious was embedded in a game available in Apple's iOS App Store.

At first blush, it looked serious: a Web link to a known source of malware buried deep inside of a highly rated app that has been available for months in Apple's iOS App Store. For years, antivirus programs have recognized the China-based address——as a supplier of malicious code targeting Windows users. Were the people behind the operation expanding their campaign to snare iPhone and iPad users?

Although Macworld writer Lex Friedman said the link was likely harmless, I wasn't so sure. As he pointed out, an iOS app from antivirus provider Bitdefender warned that the Simply Find It app, last updated in October, contained malware classified as Trojan.JS.iframe.BKD. Even more suspicious, Google's safe browsing service was causing the Firefox and Chrome browsers to block attempts to visit the address on the grounds that it had been reported as an attack page. "Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners," Google's advisory warned as recently as Thursday.

So, what was the link, embedded in an HTML tag known as an iframe, doing in an MP3 file included with the game? Who put it there? And, most importantly, was it infecting people who installed Simply Find It on their iOS devices?

Read 7 remaining paragraphs | Comments