“Help & Support” Exploit Used On 10,000 Systems

Nearly a month after a Google engineer (shame) irresponsibly disclosed details of a new Windows XP flaw, criminals are ramping up online attacks that leverage this bug.  Microsoft reported Wednesday that it has now logged more than 10,000 attacks.   At first it was only legitimate researchers testing proof-of-concept code.   Then on June 15th, the first real public exploits began to emerge.

“Those initial exploits were targeted and fairly limited.  In the past week, however, attacks have picked up.”  The attacks, which are being launched from malicious Web pages, are concentrated in the U.S., Russia, Portugal, Germany and Brazil, Microsoft said.   PCs based in Russia and Portugal, in particular, are seeing a very high concentration of these attacks.

To avoid falling victim, Microsoft advised users to turn off the part of the Help and Support system that is vulnerable. It has produced an automated tool that can do this for users.

BBCnews

FourSquare Privacy Issues

Ryan Singel at Wired News is covering a story involving privacy breaches for Foursquare users, and the company’s horrible and slow response to the matter. It all started on June 20, when they received an unsolicited message from a white-hat hacker telling them that they were leaking user data on a massive scale, and violating their own privacy policy. Foursquare was publishing all users’ location data to the web despite its privacy policy, which states that users “can opt out of such broadcasts through your privacy settings.”

Foursquare responded stating that it would fix the problem within 9 days. Nine days later, in a private e-mail to the consultant who had reported the problem, Foursquare stated that it had fixed the privacy leak by modifying how an existing privacy setting worked, but that it had no solution yet for two other privacy holes he had reported: it was still trying to figure out how to balance usability with privacy.

Wired

Legitimate Websites Delivering Malware

Web surfers are now most frequently attacked from legitimate providers’ hacked web sites. The general assumption had always been that malware was largely present only on sex sites and other shady web sites, but these days all you need to do is visit your favourite newspaper website to come under silent attack.

Anti-virus vendor Avast reports that there are now 99 infected mainstream web sites for every infected “adult” site. Recent cases, such as the manipulation of Lenovo’s technical support server or of Vodafone’s UK server, seem to support that finding. In the Vodafone case, attackers manipulated the BlackBerry product pages to insert an iFrame containing an exploit for an unpatched hole in the Windows Help Center.

Symantec has come to a similar conclusion.  Their report shows legitimate web site manipulation rose from 80% in 2009 to 90% this year.  Recently, for example, Chinese attackers managed to manipulate tens of thousands of Web servers via SQL injection vulnerabilities.  
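The Vodafone and Lenovo cases above share one mechanism: an iFrame injected into an otherwise legitimate page, usually pointing off-site and sized or styled so the visitor never sees it. The following is an added example (not code from Avast, Symantec or any site mentioned here) of the kind of check a site operator can run over their own published HTML to catch such an injection. The page markup and the host names `legit-site.example` and `payload.example` are constructed for the demonstration.

```python
"""Flag iframes that look injected into a legitimate page: off-site src,
near-zero dimensions, or hidden by inline style. Constructed example."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _dimension(value):
    """Parse '0', '1px' -> integer pixels; None for '100%' or missing."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", str(value))
    return int(m.group(1)) if m else None


def _hidden_by_style(style):
    """True if the inline style makes the frame invisible or zero-sized."""
    if not style:
        return False
    s = style.replace(" ", "").lower()
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(width|height):0(px)?(;|$)", s) is not None)


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons...]), ...] for iframes that look injected.
    A same-site or relative src with normal size and no hiding style
    produces no finding, so legitimate embeds are left alone."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        reasons = []
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
        w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("near-zero size")
        if _hidden_by_style(attrs.get("style")):
            reasons.append("hidden by style")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed page: one legitimate player embed, one relative widget,
# and one injected 1x1 hidden frame pointing at an external host.
SAMPLE_HTML = """
<html><body>
<h1>Product page</h1>
<iframe src="https://legit-site.example/player" width="640" height="360"></iframe>
<iframe src="/widgets/weather" width="300" height="200"></iframe>
<p>Specifications ...</p>
<iframe src="http://payload.example/x.html" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "legit-site.example"):
        print(src, "->", ", ".join(reasons))
```

Run it against a crawl of your own site after every deploy and on a schedule; an off-site frame that nobody in the team added is the signal this section is about. Size and style heuristics are deliberately loose (a 1px frame with no other tell is still reported) because a false positive costs a glance, while a missed frame costs every visitor.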

Bottom Line:  Be CAREFUL Out There!  Consider taking advantage of some of the free tools noted on this site at home, and for pity’s sake, don’t scrimp on your protection at work!  Don’t fiddle with your anti-virus software, and do NOT disable your personal firewall software.  Remain cautiously optimistic about your email, and very skeptical of too-good-to-be-true offers.  And remember that clicking on links without taking precautions is just asking for trouble…

So Much For That Adobe Patch…

A security researcher says he can force Adobe’s widely used PDF reader to execute malicious commands despite an emergency security fix the company released earlier this week.

The update to Reader and Acrobat contained a patch to prevent attackers from using the apps as a launch point for potentially dangerous commands or files on end users’ machines.  Le Manh Tung, a senior security researcher at Viet Nam–based Bkis Internet Security, said he can bypass the fix by simply putting quotation marks around the command he wants a targeted machine to remotely execute.

The weakness being exploited here was first demonstrated by researcher Didier Stevens and later expanded upon by others.  While Adobe applications warn users they are about to execute a potentially dangerous program, Stevens showed it was possible to modify the wording, increasing the attacker’s chances of successfully socially engineering his victim.  Fellow security researcher Jeremy Conway soon adapted the technique to devise an attack that would allow a malicious payload stashed in one PDF file to spread to another document. A few days later a blogger who goes by the handle YunSoul modified the attack further, showing how a single malicious PDF could infect an unlimited number of documents.

Tung published his proof-of-concept on Thursday, showing how a PDF file can still be used to auto-launch the Windows calculator program.  Adobe had said it wanted to find a way to eliminate the threat without removing powerful functionality relied on by some users.
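The lesson of Tung’s bypass for anyone triaging PDFs is that a filter which compares the launched command literally is defeated by wrapping it in quotation marks. The following is an added example, not Adobe’s, Bkis’s or Stevens’s code: a small scanner that reports every launch action in a PDF byte string and normalises the target by stripping wrapping quotes before reporting it, so the quoted form is reported the same as the plain one. It assumes the Stevens-style technique rides on the PDF `/Launch` action type (the page itself does not name it), and it also inflates FlateDecode streams so an action tucked inside a compressed object is not missed. The sample PDFs below are constructed for the demonstration and are not real exploit files.

```python
"""Report /Launch actions in a PDF, with quote-wrapped targets normalised.
Constructed example for defensive triage; heuristic, not a full PDF parser."""
import re
import zlib

LAUNCH_RE = re.compile(rb"/Launch\b")
# /F and /P literal strings, honouring backslash escapes inside (...)
NAME_STRING_RE = re.compile(rb"/(F|P)\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _decode_pdf_string(raw):
    """Undo the PDF escapes \\( \\) \\\\ and return text."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def normalize_command(value):
    """Strip wrapping double or single quotes, repeatedly, then whitespace.
    This is the step a literal string comparison lacks."""
    v = value.strip()
    while len(v) >= 2 and v[0] == v[-1] and v[0] in "\"'":
        v = v[1:-1].strip()
    return v


def _inflate_streams(data):
    """Yield decompressed bodies of streams that inflate cleanly."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def find_launch_actions(pdf_bytes, window=512):
    """Return a list of {origin, offset, fields} for each /Launch hit,
    scanning the raw file and every inflated stream. Strings are taken
    from a byte window around the hit because dictionary key order is
    arbitrary; that is a heuristic, sufficient for triage."""
    blobs = [("raw", pdf_bytes)]
    blobs += [("inflated", b) for b in _inflate_streams(pdf_bytes)]
    findings = []
    for origin, blob in blobs:
        for m in LAUNCH_RE.finditer(blob):
            region = blob[max(0, m.start() - window):m.end() + window]
            fields = {k.decode(): normalize_command(_decode_pdf_string(v))
                      for k, v in NAME_STRING_RE.findall(region)}
            findings.append({"origin": origin, "offset": m.start(),
                             "fields": fields})
    return findings


# Constructed samples. The launch dictionary uses the quoted form that the
# text says slipped past the literal check; the target is the calculator.
_LAUNCH_DICT = (b"<< /Type /Action /S /Launch "
                b"/Win << /F (\"calc.exe\") /P (\"\") >> >>")
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"3 0 obj " + _LAUNCH_DICT + b" endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
COMPRESSED_PDF = (b"%PDF-1.5\n4 0 obj << /Filter /FlateDecode >>\nstream\n"
                  + zlib.compress(_LAUNCH_DICT) + b"\nendstream\nendobj\n%%EOF\n")
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for name, doc in (("plain", SAMPLE_PDF), ("compressed", COMPRESSED_PDF),
                      ("clean", CLEAN_PDF)):
        print(name, find_launch_actions(doc))
```

The check is deliberately one-sided: any launch action is worth a human look, and the normalised target makes blocklists and alerts compare the same thing whether or not the author quoted it. Real documents can also hide actions in object streams with other filters, which this heuristic does not decode.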