Microsoft recently released an official statement confirming that Windows XP is also vulnerable to a newly discovered zero-day flaw. The flaw affects users of Windows Vista, Windows Server 2008, Windows XP and Windows Server 2003, and it is triggered through Microsoft Office 2003 and Microsoft Office 2007 running on any of those operating systems.
“Currently, we are only aware of targeted attacks against Office 2007 users. In those attacks, Windows XP was the operating system seen in use.”
Microsoft says users of its new Office 2013 package will not be affected in any way regardless of their operating system, so you can run Office 2013 on Windows XP and still be secure. Microsoft’s statement already includes a DIY fix that users can undertake to secure their system if they are potentially affected by the zero-day flaw. An automatic Windows Update is expected to be released in the coming weeks that will fix the problem without users having to do anything at all.
James Forshaw works for a company called Context Information Security, and he says that by the time the company has taken “its cut” and the taxman has taken his, there isn’t actually much left over for him.
“When it comes to the bounties given for finding security flaws like this, most of it goes to the company you work for, and even if it didn’t, once the taxman has taken his cut it’s certainly not a life changing monetary sum – we’re not talking retirement money here.”
For those who cannot remember, James Forshaw discovered a “mitigation bypass” class of vulnerability in Windows 8.1 that left it open to a whole range of security exploits. It isn’t uncommon for big companies like Microsoft to invite outside security experts to dig into their code in return for discovering these types of vulnerabilities, and they certainly chuck big money at it.
Microsoft pledged to offer researchers and software developers up to $100,000 if they were able to find various exploits in its new Windows 8.1 operating system. Engadget reports that Microsoft has duly delivered and has just forked out a hefty $100,000 to a software technology specialist for discovering a major security exploit in Windows 8.1. The $100K was paid to James Forshaw of Context Information Security for discovering a defence circumvention technique which Microsoft says wasn’t just a single bug but a whole class of security threat meaning that it can be replicated in many different ways. Microsoft won’t disclose details on the exploit until it develops a fix, to protect Windows 8.1 users from malicious attacks.
“The reason we pay so much more for a new attack technique versus for an individual bug is that learning about new mitigation bypass techniques helps us develop defenses against entire classes of attack. This knowledge helps us make individual vulnerabilities less useful when attackers try to use them against customers. When we strengthen the platform-wide mitigations, we make it harder to exploit bugs in all software that runs on our platform, not just Microsoft applications.”
PayPal phishing schemes drive me mad. I probably get about 5-10 emails every day across my various work and personal email accounts from phishing sites trying to trick me into handing over PayPal details. A German email security provider has shed light on why this is such a frequent occurrence. Apparently, every day an average of 750 new PayPal phishing sites are set up. By simple math that means we see 22,000 of these rotten things every month and 270,000 in the average year.
Most of these phishing pages are hosted on legitimate websites that have been compromised by cybercriminals, so spotting a phishing site may not be as obvious as you think, although if it isn’t on PayPal.com then it should be pretty obvious.
“The online payment service PayPal is not only one of the most popular online payment methods, but also a preferred target for phishers: PayPal regularly tops the lists of phishing topics worldwide. Every day, an average of 750 newly compromised websites are targeted primarily at PayPal users, according to numbers from Commtouch’s GlobalView URL filtering database – resulting in more than 22,000 new sites per month and 270,000 sites per year. The sites are usually legitimate websites that are compromised through security flaws. The findings highlight the need for hosters and website owners to protect their sites and for users to deploy an effective Web security solution,” stated Eleven Research.
According to a PC World report, via Softpedia, three researchers demonstrated a UEFI vulnerability at the 2013 Black Hat conference. Andrew Furtak, Oleksandr Bazhaniuk and Yuriy Bulygin demonstrated two attack methods that can be used to bypass the secure boot to install a UEFI bootkit.
One of the attack techniques relies on a hole in the Unified Extensible Firmware Interface (UEFI). However, this particular attack requires kernel-mode access to launch, which is difficult to obtain because the kernel runs at the highest privilege level. This exploit was reported to have affected several vendors including ASUSTek, though in most cases and products BIOS updates have fixed the flaw. The ASUS VivoBook laptop on which the presentation was given, however, still has the vulnerability.
The second vulnerability, which is much easier to pull off, involves exploiting common applications such as Microsoft Office, Java and Adobe Flash to bypass Secure Boot. All of the security flaws revealed are recent discoveries, so vendors have been given time to address the vulnerabilities and provide details of them and any fixes.
Despite the vulnerabilities of the BIOS the UEFI secure boot system is still the best way to keep computers bootkit free.
In an interesting story covered by the Australian Financial Review it is revealed that experts think the NSA has hardware-level backdoors built into Intel and AMD processors. Steve Blank, recognised as one of Silicon Valley’s leading experts, says that he would be extremely surprised if the American NSA does not have backdoors built into Intel and AMD chips. His reasoning is that the NSA finds “hacking” through backdoors significantly simpler than trying to crack encryption. For example, trying to crack AES 256-bit encryption would require the power of 10 million suns at the current TDP of processors. Steve Blank therefore claims that because cracking encryption is so infeasible, the NSA uses hardware-level backdoors instead. Steve Blank said that these suspicions arose when he saw the NSA could access Microsoft emails in their pre-encryption state, and so he knew there was another way in.
Edit: Jonathan Brossard personally got into contact with us to inform us that such statements made by the AFR about his opinions and research were indeed misleading and not factually accurate at all. Jonathan Brossard claims that if you read his whitepaper from the Black Hat 2012 conference, which can be found here, it will give a totally different understanding of what he was actually saying as opposed to what the AFR interpreted him as saying. We would like to apologise for passing information onto you from the AFR that was factually inaccurate. Jonathan Brossard stated that:
“The CPU microcode update mechanism is a documented feature which helps Intel and AMD fix CPU bugs. Even if this would be an interesting attack vector, you must break strong asymmetric cryptography before you get to push microcode updates to a CPU. The article from the Australian Financial Review is misleading, and doesn’t bring the slightest proof that Intel or AMD are sharing those cryptographic keys with [the] NSA. I do not personally think [the] NSA is backdooring Intel (or AMDs) CPUs.”
Though after all that there are of course those who will say this is complete nonsense and that the reason it is undetectable is because it does not exist and it is just conspiracy theory. Indeed Intel has denied such speculation.
I myself am not sure what to make of all this but what do you think? Does the NSA have a hardware level backdoor built into every modern Intel and AMD CPU?
According to unconfirmed reports, MSI.com has recently been hacked and is being used to distribute malware. The report states that cybercriminals have hacked MSI.com and altered it to serve malware that is hosted by Kristians1(dot)net and some other shady websites. The writer of the report, Conrad Longmore of Dynamoo’s Blog, says that he notified MSI of the compromise but they have not responded and the malware still remains in place.
Google’s safe browsing report of MSI.com suggests that 23 exploits including 2 Trojans have been hosted on MSI.com from 5 domains. Google’s safe browsing report is as follows (we have removed all hyperlinks so please do not attempt to visit any of these websites or you may put your computer’s safety at risk):
Of the 2469 pages we tested on the site over the past 90 days, 16 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-07-16, and the last time suspicious content was found on this site was on 2013-06-16.
Malicious software includes 23 exploit(s), 2 trojan(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 5 domain(s), including abdelmonem.net/, oportunidadesdesdesucasa.com/, jobsreal.biz/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including for-test-only.ru/.
Microsoft and other big browser companies often give out “bug bounties” for people who can discover exploits in their software. Microsoft offered up a rather large bug bounty for Internet Explorer 11 and is offering up to $11,000 for every security flaw people can find in the browser.
Katie Moussouris, Senior Security Strategist at Microsoft said:
“The security community has responded enthusiastically to our new bounty programs, submitting over a dozen issues for us to investigate in just the first two weeks since the programs opened. I personally notified the very first bounty recipient via email today that his submission for the Internet Explorer 11 Preview Bug Bounty is confirmed and validated. (Translation: He’s getting paid.)”
One of the winners of a bounty was Google information security engineer Ivan Fratric who bagged a healthy serving of the Internet Explorer 11 bounty. He previously won $50,000 back in 2012 in Microsoft’s BlueHat contest.
“We have other researchers who have qualified for bounties under the IE11 program as well, and their notifications will be coming from secure [at] Microsoft [dot] com this week and beyond. We plan to add an acknowledgement page on our bounty web site, listing the researchers who would like to be publicly recognized for their contributions to helping us make our products more secure, so look for that page to appear linked from www.microsoft.com/bountyprograms in the near future.”
Microsoft’s Internet Explorer 11 bug bounty window ends on July 26th.
You’d think the American government departments, with all their funding and extra-legal powers, would know how to effectively deal with a malware infection. Well, apparently not. According to a report by the US Department of Commerce’s inspector general, the Economic Development Administration “dealt” with a malware infection by destroying the apparently infected equipment.
In December 2011 the US Computer Emergency Response Team (US-CERT) notified the Department of Commerce Computer Incident Response Team (DOC CIRT) that a potential malware infection had been detected on their systems. The Department of Commerce’s cybersecurity contractors were called in to investigate and, after a two-week investigation, claimed to have found nothing significant, with the majority of malware alerts being false positives. Yet the Department of Commerce proceeded with a total destruction of all electrical equipment, destroying a staggering $170,000 worth of equipment including mice, keyboards, desktop PCs, TVs, cameras, printers and more.
What’s even more ludicrous is that they planned on destroying over $3 million worth of other equipment, but stopped as funds were running low. Naturally the costs incurred are for both the destroyed equipment and the cost of replacing that equipment. The inspector general of the investigation said the destruction of equipment was clearly unnecessary and led to the Department of Commerce spending half their 2012 fiscal year budget on the operation.
The phrase “EPIC FAIL” comes to mind after Ubisoft have just sent an email out to all Ubisoft account holders warning of a massive data breach. Apparently a staggering 58 million accounts have been hacked allowing the hackers to gain access to user names, email addresses and encrypted passwords. Ubisoft reports that no debit or credit card information was lost as Ubisoft does not store them.
In response, Ubisoft has advised all users to change the passwords on their Ubisoft accounts, and to change that same password wherever it is used with the same email address on any other site. I am quite shocked at Ubisoft’s incompetence. Firstly, that they didn’t auto-reset passwords for all Ubisoft accounts to prevent hackers gaining access to them without the associated emails. Secondly, if they went to such extraordinary measures as outsourcing payment details to another company with better security, why did they not do a similar thing for account details?
This isn’t the first time Ubisoft have been victim to a “hack-attack” and last year a security hole allowed hackers to download software from its store for free that hadn’t even been released yet. I guess some companies will never learn.
According to Opera’s official blog they have recently halted and contained a targeted attack on the company’s internal network. Opera’s Sigbjørn Vik said that on June 19th an attack took place which didn’t compromise any user data but stole at least one old and expired Opera code signing certificate. Hackers can then use this signing certificate to sign malware which allows them to distribute it as appearing to be either the Opera browser itself or a program verified by Opera.
“This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser,” said Opera’s Sigbjørn Vik.
Apparently Opera are working hard to fix the problem by introducing a new version of the Opera browser that uses a new code signing certificate. Any users who used Opera between 1:00 and 1:36 UTC on the day of the breach (June 19th) could have had malicious software installed onto their computer automatically without their knowledge.
As if Opera wasn’t having a hard enough time already tempting users over from the “big four” (IE, Firefox, Chrome and Safari), this latest incident is sure to make things even harder for them.
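The incident above turns on a signature made with an old, expired code-signing certificate. The following added example (not Opera’s code; all certificate details and dates are constructed) shows the checks an updater needs so that such a signature is not honoured: revocation by serial, validity of the certificate at verification time when there is no trusted timestamp, and, when there is one, that the signing time fell inside the certificate’s validity window.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Set, Tuple

UTC = timezone.utc

@dataclass(frozen=True)
class CodeSigningCert:
    subject: str
    serial: str
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class PackageSignature:
    cert: CodeSigningCert
    # Time asserted by a trusted timestamping authority at signing, or None.
    # A signer-asserted time could be backdated, so only a countersigned one counts.
    timestamp: Optional[datetime]

def accept_signature(sig: PackageSignature, now: datetime,
                     revoked_serials: Set[str]) -> Tuple[bool, str]:
    """Decide whether an updater should trust a package signature."""
    cert = sig.cert
    if cert.serial in revoked_serials:
        return False, "certificate revoked"
    if sig.timestamp is None:
        # No trusted timestamp: the certificate must be valid right now.
        if not cert.not_before <= now <= cert.not_after:
            return False, "certificate expired and no trusted timestamp"
        return True, "certificate currently valid"
    # Trusted timestamp: the signing must fall inside the validity window.
    if not cert.not_before <= sig.timestamp <= cert.not_after:
        return False, "signing time outside certificate validity"
    return True, "timestamped within certificate validity"

# Constructed stand-in for an old, expired code-signing certificate.
OLD_CERT = CodeSigningCert("Opera Software (constructed)", "0A1B2C",
                           datetime(2009, 1, 1, tzinfo=UTC),
                           datetime(2011, 12, 31, tzinfo=UTC))
NOW = datetime(2013, 6, 19, 2, 0, tzinfo=UTC)   # constructed "current time"

def scenario(revoked_serials: Set[str]) -> Dict[str, bool]:
    """Three constructed packages: a genuine build timestamped while the cert
    was valid, and two signed on the breach day with and without a timestamp."""
    packages = {
        "genuine_2011_build": PackageSignature(OLD_CERT, datetime(2011, 3, 1, tzinfo=UTC)),
        "breach_day_no_timestamp": PackageSignature(OLD_CERT, None),
        "breach_day_timestamped": PackageSignature(OLD_CERT, datetime(2013, 6, 19, 1, 10, tzinfo=UTC)),
    }
    return {name: accept_signature(sig, NOW, revoked_serials)[0]
            for name, sig in packages.items()}
```

Revoking the stolen certificate’s serial also rejects the genuine 2011 build, which is the trade-off a vendor accepts when it reissues a new certificate and re-signs its releases.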
Facebook revealed in a security update announcement that a bug had made the data of six million users vulnerable. Apparently it was possible to use Facebook’s data export tool to reveal six million email addresses and usernames. Facebook says the data was not widely leaked and only reached a handful of people, most of whom would have known a lot of the people on the list of exposed data, as it was based on contact data similarities.
Normally Facebook asks you to import contact data from other social networks, email or your phone and then this would be stored privately and securely from the main user data. At no stage should the data be shared with anyone and is only meant for use in a people-data matching algorithm. Yet somehow the data did get stored to some people’s accounts and Facebook was made aware of the bug in its “White Hat” program which offers up cash sums for finding bugs and exploits in the website.
“We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.”
Phil Purviance, an information security specialist for AppSec Consulting, exposed a vulnerability in the Linksys EA2700’s network manager. The network manager is open to cross-site request forgery, and it also doesn’t require the current password to be supplied when the password is changed.
He also found a security bug in the WRT54GL, but added that some of the exploits can only be taken advantage of if the attacker correctly guesses the router’s default gateway address. Since most users never change it, attackers will simply use the common default IP address to reach the Linksys router. There is a fix for that, and that’s upgrading the WRT54GL to the newer Linksys Smart Wi-Fi firmware.
Purviance told Ars Technica, “If you have this router on your network and you browse a malicious website, five seconds later your router now has a new password and is available from the Internet. So an attacker can just log into it as if he was on your network.”
The company made a statement: “Network security is top of mind in everything we do. We have a layered approach via our hardware and software that provides immediate protection for our customers out of the box and enables us to react to new vulnerabilities quickly.”
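The two weaknesses described above (no anti-CSRF token and no check of the current password) are what let a page in another tab rewrite the router’s settings. The following added example, a constructed in-memory model rather than Linksys code, puts the weak handler next to a hardened one and replays the scenario from the quote against both; class and method names are assumptions.

```python
import hashlib
import hmac
import secrets

class RouterAdmin:
    """Constructed in-memory model of a router's admin UI (not Linksys code)."""
    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.remote_admin = False   # True means "available from the Internet"
        self._sessions = {}         # session id -> per-session CSRF token

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str):
        # Returns the session id (the cookie value) on success, else None.
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token(self, sid: str) -> str:
        return self._sessions[sid]

    def change_password_weak(self, sid: str, form: dict) -> bool:
        """Reported behaviour: a valid session cookie is all that is checked."""
        if sid not in self._sessions:
            return False
        self._pw_hash = self._hash(form["new_password"])
        self.remote_admin = bool(form.get("remote_admin", False))
        return True

    def change_password_hardened(self, sid: str, form: dict) -> bool:
        """Per-session CSRF token must match and the current password must be
        re-proved before anything changes."""
        if sid not in self._sessions:
            return False
        supplied = str(form.get("csrf_token", "")).encode()
        if not hmac.compare_digest(supplied, self._sessions[sid].encode()):
            return False
        if not hmac.compare_digest(self._hash(str(form.get("current_password", ""))), self._pw_hash):
            return False
        self._pw_hash = self._hash(form["new_password"])
        self.remote_admin = bool(form.get("remote_admin", False))
        return True

def cross_site_post_outcome() -> tuple:
    """The article's scenario: user is logged in, another site's page submits the
    form. The browser adds the cookie but the page has no token or password.
    Returns (weak_handler_changed, hardened_handler_changed)."""
    forged = {"new_password": "attacker-chosen", "remote_admin": True}
    weak, hardened = RouterAdmin("admin"), RouterAdmin("admin")
    return (weak.change_password_weak(weak.login("admin"), forged),
            hardened.change_password_hardened(hardened.login("admin"), forged))
```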