Less than five weeks into the new year, 2015 is already shaping up as one of the most perilous years for users of Adobe Flash, with active exploits against three separate zero-day vulnerabilities, one of which still wasn't fully patched as this post went live.
The latest attacks are hitting unsuspecting targets through drive-by downloads served through ads on dailymotion.com, theblaze.com, nydailynews.com, tagged.com, webmail.earthlink.net, and other sites, according to research from Malwarebytes. And while the vulnerability wasn't disclosed until this week, the exploits have been active and in the wild since December 3, Malwarebytes found.
While the attacks target Windows users running Flash in a Firefox or Internet Explorer browser, the underlying CVE-2015-0313 security bug is present in Flash for Macs and Linux machines as well. Late on Wednesday, Adobe began distributing a fix to users who have opted to receive automatic updates. In the meantime, readers should consider disabling Flash altogether, or at the very least, using Flash inside Google Chrome, the browser many security experts say provides the most comprehensive anti-exploit protections. Attacks exploiting CVE-2015-0313 are unable to escape the Chrome security sandbox, research from Trend Micro found.
A malware campaign targeting European defense organizations, governments, and media organizations, first detected on Windows computers late last year, has now spread to iOS devices, according to a report by security researchers at TrendLabs. The spyware campaign, called "Operation Pawn Storm," has been linked by some researchers to the Russian government, beginning as tensions between Europe and Russia rose over the crisis in Ukraine.
Pawn Storm began with "spear phishing" attacks and targeted Web attacks from fake Outlook webmail pages and "typo-squatting" websites that used site names close to those of legitimate sites. Now, the attack has spread to Apple iOS devices—without having to jailbreak them. "We have seen one instance wherein a lure involving XAgent"—one of the two malware components discovered so far—"simply says 'Tap Here to Install the Application,'" the researchers reported. The "lure" website then delivers the malware via Apple's ad-hoc provisioning feature for developers. A .plist file on the remote server will install the application over broadband or Wi-Fi.
Once installed, the XAgent malware connects to a command and control (C&C) server and uploads data from the device, including text messages, contact lists, pictures, Wi-Fi status and Wi-Fi networks connected to, installed apps, and running processes. The malware can also take photos, capture screen grabs, start voice recording, and collect location data on the device. However, it appears the malware was written for iOS 7, and it is unable to hide itself or automatically restart itself on iOS 8 devices. The second malware agent, which is disguised as a game called "MadCap," is focused on recording audio and only works on jailbroken devices.
At the beginning of the year, I did something I've never done before: I made a new year's resolution. From here on out, I pledged, I would install only digitally signed software I could verify hadn't been tampered with by someone sitting between me and the website that made it available for download.
It seemed like a modest undertaking, but it has already cost me a few hours of lost time. With practice, it's no longer the productivity killer it was. Still, the experience left me smarting. In some cases, the extra time I spent verifying signatures did little or nothing to make me more secure. And too many times, the sites that took the time to provide digital signatures gave little guidance on how to use them. Even worse, in one case, subpar security practices of some software providers undercut the protection that's supposed to be provided with digitally signed code. And in one extreme case, I installed the Adium instant messaging program with no assurance at all, effectively crossing my fingers that it hadn't been maliciously modified by state-sponsored spies or criminally motivated hackers. More about those deficiencies later—let's begin first with an explanation of why digital signatures are necessary and how to go about verifying them.
By now, most people are familiar with man-in-the-middle attacks. They're waged by someone with the ability to monitor traffic passing between an end user and a website—for instance, a hacker sniffing an unsecured Wi-Fi connection or the National Security Agency sniffing the Internet backbone. When the data isn't encrypted, the attacker can not only read private communications but also replace legitimate software normally available for download with maliciously modified software. If the attack is done correctly, the end user will have no idea what's happening. Even when Web connections are encrypted with the HTTPS standard, highly skilled hackers may still be able to seed a website with malicious counterfeit downloads. That's where digital signatures come in.
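The following Go program is an added illustration of the point above, not code from the original article or from any of the software sites it discusses. It models a publisher who ships an installer together with a posted SHA-256 checksum and a detached signature, then models an interloper who swaps the installer in transit. Because the checksum travels over the same connection as the file, the interloper simply rewrites it, and a checksum-only check passes; the signature check fails because the interloper has no signing key. The installer bytes, the "trojanized" suffix and the key pair are all constructed for the demonstration, and Ed25519 from the Go standard library stands in for the OpenPGP (GPG) signatures most download sites actually publish; the verification principle is the same. The one assumption that matters is that the public key used for verification was obtained out of band, from somewhere the attacker cannot rewrite.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release bundles what a publisher ships: the installer bytes, a posted
// SHA-256 checksum, and a detached signature over the installer.
// Every value in this example is constructed, not taken from a real vendor.
type Release struct {
	Installer []byte
	Checksum  string // hex SHA-256, as typically posted beside the download link
	Signature []byte // detached Ed25519 signature over Installer
}

// Publish simulates the vendor side: hash the installer and sign it with the
// vendor's private key.
func Publish(priv ed25519.PrivateKey, installer []byte) Release {
	sum := sha256.Sum256(installer)
	return Release{
		Installer: installer,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, installer),
	}
}

// ChecksumMatches is the checksum-only check: it compares the file against a
// hash that arrived over the same channel as the file.
func ChecksumMatches(r Release) bool {
	sum := sha256.Sum256(r.Installer)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// SignatureValid is the signature check. pub must come from somewhere the
// attacker does not control (a key obtained earlier, printed in the
// documentation, or cross-checked out of band).
func SignatureValid(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Installer, r.Signature)
}

// Tamper models a man-in-the-middle who replaces the installer and, because the
// checksum is served over the same connection, rewrites the checksum to match.
// Without the private key the attacker cannot produce a signature over the new
// bytes, so the original signature is passed along unchanged (a forged one
// would fail verification just the same).
func Tamper(r Release) Release {
	evil := append([]byte(nil), r.Installer...)
	evil = append(evil, []byte("\n# trojanized payload (constructed)")...)
	sum := sha256.Sum256(evil)
	return Release{
		Installer: evil,
		Checksum:  hex.EncodeToString(sum[:]),
		Signature: r.Signature,
	}
}

func main() {
	// The vendor's key pair; the public half is what a careful user would
	// have fetched and pinned before downloading anything.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := Publish(priv, []byte("installer-v1.0.0 (constructed sample bytes)"))
	tampered := Tamper(genuine)

	fmt.Printf("genuine:  checksum ok=%v  signature ok=%v\n",
		ChecksumMatches(genuine), SignatureValid(pub, genuine))
	fmt.Printf("tampered: checksum ok=%v  signature ok=%v\n",
		ChecksumMatches(tampered), SignatureValid(pub, tampered))
}
```

Running it prints both checks passing for the genuine release and, for the tampered one, the checksum passing while the signature fails. That gap is exactly what a posted hash cannot close and a signature can, provided the verifying key was not itself fetched from the path the attacker sits on.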