Earlier this month, Adobe addressed a vulnerability affecting three products: Flash Player, Reader and Acrobat. While the Flash Player issue was fixed rather quickly (see the Adobe Flash Player 10.1.53.64 Security Update), the latter two products did not receive similar love: their updates were only promised for a later date, June 29, 2010.
As promised, the security updates for Adobe Reader and Acrobat have finally arrived. Download the latest version of the applicable product, available here.
When a company is hit with a cross-site scripting (XSS) attack, the natural reaction is to downplay the significance of the incident.
After all, an XSS vulnerability on a site does not mean that the site could be hacked or shut down. A typical XSS demonstration showing a funny dialog box on somebody else's site just emphasizes how harmless such an attack looks.
However, XSS is not harmless. We were just hit by one last night. And we do not want to downplay it.
The vulnerability on f-secure.com was found by security researcher Xylitol. He reported it yesterday evening. Xylitol is well-known for finding XSS vulnerabilities on sites such as army.mil, ibm.com and nasa.gov.
Above: result of accessing www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/anti-theft-download-wizard.html?hidManufacturer=%27%22%3E%3C/title%3E%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E before the page was fixed. Screenshot from xssed.net.
We almost got it right. In fact, the script on our page does successfully filter out control characters and other dangerous content. Unfortunately, almost doesn't count. We do the filtering right once, and wrong once.
Apparently we added a feature to the page as an afterthought, and that feature did not go through code review or testing.
The problem has been fixed now. It was limited to our static Mobile Anti-Theft pages, and did not give access to any of our systems. This problem has not been used to do any harmful activities.
In any case, we were burned.
So, what could have been done with this vulnerability? Well, for example, somebody could have sent out a spam campaign, claiming to be from F-Secure, pointing to a link apparently at www.f-secure.com. When that link was clicked, it would have downloaded malware (from some other site) to the user's computer. XSS vulnerabilities can be used to create serious problems. Luckily, in this case nothing bad happened.
Here's the time line of the incident:
• Xylitol published an article on the problem in the early evening of 17th June
• We noticed the article at 20.51 EEST on 17th June
• We started fixing the problem at 02.15 EEST on 18th June
• We shut down the Mobile Anti-Theft page temporarily at 02.45 EEST on 18th June to fix and isolate the problem
• The page was republished at 06.05 EEST on 18th June
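The "filtered right once, wrong once" failure described above, reconstructed as an added example (not F-Secure's page code): the request URL is the one quoted in the post, while the two render functions are hypothetical templates that escape the parameter in one output context but not in the other.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The request quoted on the page (scheme added so urlsplit can parse it).
PAGE_URL = ("http://www.f-secure.com/en_EMEA/products/mobile/anti-theft-download/"
            "anti-theft-download-wizard.html?hidManufacturer=%27%22%3E%3C/title%3E"
            "%3Cscript%3Ealert%28/Mikko%20rulz/%29%3C/script%3E")


def manufacturer_from_url(url):
    """Decode the hidManufacturer parameter the way the server-side script would see it."""
    return parse_qs(urlsplit(url).query).get("hidManufacturer", [""])[0]


def render_before(manufacturer):
    """Hypothetical reconstruction of the bug class: the value is escaped where the
    original page body uses it (filtered right once), but a later-added feature drops
    the raw value into <title> (filtered wrong once)."""
    safe = html.escape(manufacturer, quote=True)
    return ("<html><head><title>Anti-Theft download: " + manufacturer + "</title></head>"
            "<body><p>Selected manufacturer: " + safe + "</p></body></html>")


def render_after(manufacturer):
    """Every insertion point escapes, so no output context ever receives the raw value."""
    safe = html.escape(manufacturer, quote=True)
    return ("<html><head><title>Anti-Theft download: " + safe + "</title></head>"
            "<body><p>Selected manufacturer: " + safe + "</p></body></html>")


def contains_injected_script(rendered):
    """The symptom the screenshot showed: a <script> element the template never wrote."""
    return "<script" in rendered.lower()
```

The point of the check is that a review of one template line is not a review of the whole page: every place the parameter is written out needs the same escaping.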
Zynga's FarmVille is a popular social networking game and perhaps it should come as little surprise that many players want to learn FarmVille secrets and cheats. And so they turn to search engines to find them.
Currently, "farmville cheats" is a highly ranked suggestion:
Sad but true.
Anyway, we searched for farmville cheats and readily discovered farmville-secrets.spruz.com:
Here's what the site looked like:
The "Click Here" button opens a download dialog for a file called FarmVille_autobot.exe.
An autobot sounds like a convenient way to cheat, right? Only in this case the cheater will get more than they asked for because the file includes a variant of TDSS, an advanced backdoor rootkit. Best kept secrets indeed!
The MD5 of the file we analyzed (thanks JoJo) is 9c7812efa218ab3750e570a93015e884, and it is detected as Trojan:W32/TDSS.FZ.
Adobe released a critical Flash update on June 10th. If you haven't seen it yet, this is the update notification:
Do you know what Flash version you have installed? No? Then use Adobe's version test page.
Once you have the current version, you may also wish to adjust your configuration. Flash's settings are rather curious, as the controls themselves aren't located on the computer but are instead accessed through a Flash object hosted by Adobe.
Adobe: "The Settings Manager is a special control panel that runs on your local computer but is displayed within and accessed from the Adobe website. Adobe does not have access to the settings that you see in the Settings Manager or to personal information on your computer."
Beta testers receive a six month subscription and the opportunity to influence the final release.
The biggest new feature from the lab's point of view is our "DeepGuard 3" technology, which utilizes cloud-based reputation systems: prevalence, source, age, et cetera.
The end result is that if we don't know or trust it — it'll be blocked before it can do harm.
Here's an example screenshot that shows a "rare" file being blocked from an "unrated" site. This is a familiar malware/scareware scenario: short-lived, unrated sites which use frequently produced and rare installation files.
We welcome you to give it a try. The download page includes links to the release notes and feedback forms. Cheers.
There's yet another Facebook spam application on the run.
It uses this string of text to lure folks: "I am shocked!!! The teacher nearly killed this boy: http://bit.ly/aWeBMl - Worldwide scandal!"
If you click on the link, you're directed to this application:
How many have clicked on the link so far?
Almost 140 thousand.
Hopefully not as many people allowed the application to access their profiles:
Updated to add: Now it's more than 140 thousand clicks, and the application's page indicates almost 59 thousand active users. That indicates that more than 40% of the users exposed to this lure are falling for it!
June 11th kicks off the 2010 FIFA World Cup, and not surprisingly, we're seeing a rise in related spam.
It's still just a small percentage of spam overall (under 2%), but comparing the first three days across the last six months, we see a doubling in volume and 74 times the number of hits on related keywords from January to June.
As the tournament continues from June to July 11th, we expect to see more related threats.
The timing of this spam run seems a bit odd, as it isn't using the current vulnerability, but perhaps the gang that uses this particular tactic knows that there's about to be a big push to update Adobe Reader. Current versions of Reader include the Trust Manager feature, so this gang's window of opportunity will be narrowing soon.
We already detected this threat as Exploit.PDF-Dropper.Gen with our Internet Security 2010.
The PDF's MD5 is cff871a36828866de1f42574be016bb8. If allowed to run, the exploit drops an Alureon/DNSChanger trojan.
Our telemetry indicates that several thousand customers have already been exposed to the exploit. We have no hits on the payload, so we know that our generic detection is blocking the threat.
Hydra detection for the attachment/payload was published with database version 2010-06-08_03.
Updated to add: Here's a screenshot of the PDF attachment. The PDF is based on a resume/CV pulled from the Internet, and the /Launch prompt is rather noisy.
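A mail-gateway style triage check for the /Launch action this dropper relies on, as an added example that is not F-Secure's detection logic: it scans the raw object text of a PDF for /S /Launch dictionaries, reports the target file and parameters, and notes whether the action is wired to /OpenAction. The sample PDF is constructed here, with a placeholder target name, and is not the attachment from the post.

```python
import re

# Constructed minimal PDF carrying a /Launch OpenAction (not the page's sample; the
# target file name is a placeholder). Uncompressed, so the objects are plain text.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (PLACEHOLDER_dropper.exe) /P (/silent) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# The same document with the action object and its /OpenAction reference removed.
CLEAN_PDF = re.sub(rb"4 0 obj.*?endobj\n", b"",
                   LAUNCH_PDF.replace(b" /OpenAction 4 0 R", b""), flags=re.S)

OBJ_HDR_RE = re.compile(rb"(\d+)\s+\d+\s+obj")
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")


def _literal(window, key):
    """Value of `/key (...)` inside one object's text, or None (hex strings not handled)."""
    m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", window)
    return m.group(1).decode("latin-1") if m else None


def find_launch_actions(pdf):
    """One record per /Launch action in the raw object text. Objects packed into
    Flate-compressed object streams would need to be inflated before this scan."""
    headers = [(h.start(), int(h.group(1))) for h in OBJ_HDR_RE.finditer(pdf)]
    on_open = {int(n) for n in re.findall(rb"/OpenAction\s+(\d+)\s+\d+\s+R", pdf)}
    findings = []
    for m in LAUNCH_RE.finditer(pdf):
        # Attribute the match to the nearest preceding "N G obj" header and cut at endobj.
        owners = [(pos, num) for pos, num in headers if pos < m.start()]
        pos, num = owners[-1] if owners else (0, None)
        end = pdf.find(b"endobj", m.end())
        window = pdf[pos:end if end != -1 else len(pdf)]
        findings.append({"object": num,
                         "file": _literal(window, b"F"),
                         "params": _literal(window, b"P"),
                         "runs_on_open": num in on_open})
    return findings


if __name__ == "__main__":
    for hit in find_launch_actions(LAUNCH_PDF):
        print("Launch action in object %s -> %s %s (fires on open: %s)" % (
            hit["object"], hit["file"], hit["params"], hit["runs_on_open"]))
```

Any hit is a reason to quarantine the attachment for analysis: legitimate resumes have no business launching programs, regardless of whether the reader's Trust Manager would prompt first.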
There's going to be numerous updates published tomorrow by Microsoft.
But you'll more likely want to keep an eye on Adobe. Current versions of Flash are vulnerable.
"A critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems."
The vulnerability is currently being exploited in the wild. You can determine your version of Flash here.
As for Flash… well, unless you're Steve Jobs, you probably need or want to have Flash installed, at least sometimes. Adobe Labs has prereleases available here. The 10.1 release candidate does not appear to be vulnerable.
If you don't regularly use Internet Explorer, why not go ahead and uninstall or disable the Flash ActiveX control? What's the point of having it if you don't use it?
If you're a Firefox user, you could consider installing a Flash-blocking add-on such as Flashblock. It's very simple to configure (unlike NoScript), easy to use and does its job well.
Well, while Windows 7 does significantly improve the AutoPlay/AutoRun user experience, it isn't bulletproof. There's a small loophole, though it isn't likely to be exploited.
For example, Western Digital USB hard drives ship with Virtual CDs on board to install WD's SmartWare software.
You can see the CD device here along with the Passport:
This is how a default Windows XP installation handles the Virtual CD's autorun.inf:
It just launches the installer program, no questions asked.
Now this is how Windows 7 AutoPlay handles the Virtual CD's autorun.inf:
The installer on the Virtual CD is the default option, but it doesn't launch.
On the plus side, AutoPlay functionality can easily be turned off in Windows 7:
Do note that this isn't a Windows 7 vulnerability.
From Microsoft's Security Research & Defense blog: "It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see http://en.wikipedia.org/wiki/U3 for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level."
This is just a curiosity to be aware of — not a flaw.
Bottom line: don't let Windows 7's improved handling of AutoPlay give you a false sense of security. More and more USB drives are shipping with Virtual CDs, and sooner or later, one of them will be infected during the manufacturing process.
To quote Intego: "OSX/OpinionSpy is installed by a number of applications and screen savers that are distributed on sites such as MacUpdate, VersionTracker and Softpedia."
Back in March we said that Macs are generally safer, but that doesn't mean more secure: "Houses located in a safer neighborhood are not technically more secure from burglary. Most of today's Macs just happen to exist in a safer online environment and aren't being targeted by cyber-criminals. Criminals' return on investment is simply better in the PC world."
Looks as if another threat is checking out the neighborhood.
Our F-Secure Mac Protection Beta, available here, detects the spyware as Spyware:OSX/OpinionSpy.A and Spyware:OSX/OpinionSpy.B. You'll find the release notes here.
More and more mobile phones are shipping with Windows installation files on microSD cards rather than on CD-ROMs. All that's needed to sync your phone with your PC is to connect the phone, have it detected as a removable USB drive, and then run the installer. Many phone vendors also include an autorun.inf file to assist the process.
Unfortunately, autorun.inf files can be infected during the production process, and microSD cards aren't read-only.
Engadget is reporting that at least some German models of Samsung's Wave, a Linux based "iPhone killer", are shipping with an infected autorun.inf and a file called slmvsrv.exe.
The file's MD5 is bb9818d76fe60e68608e2a1e7bc6666b and we detect it as Trojan.Generic.3932466. We have telemetry indicating this is in the wild (but quite limited).
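For the vendor-supplied autorun.inf files described in this post and in the Windows 7 AutoPlay post above, here is an added triage helper (not F-Secure code): it parses an autorun.inf and lists every program the file can cause Windows to start, so those files can be hashed and scanned before the installer is trusted. The autorun.inf text and the volume listing are constructed for the example; only the slmvsrv.exe name comes from the report quoted above.

```python
import configparser

# Constructed autorun.inf in the vendor style the post describes; the launch target
# borrows the file name from the Engadget report but the rest is invented.
SAMPLE_AUTORUN = """\
[autorun]
icon=Setup\\phone.ico
label=Phone Sync Installer
open=slmvsrv.exe
shellexecute=slmvsrv.exe
shell\\install\\command=Setup\\Setup.exe
shell=install
"""

# Constructed listing of the microSD card, as paths relative to its root.
VOLUME_FILES = {"autorun.inf", "slmvsrv.exe", "Setup\\Setup.exe", "Setup\\phone.ico"}

LAUNCH_KEYS = ("open", "shellexecute")


def launch_targets(autorun_text):
    """Return {key: program} for every [autorun] entry that can start a program:
    open=, shellexecute= and any shell\\<verb>\\command= entry. Keys are lower-cased
    by configparser, matching Windows' case-insensitive handling."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(autorun_text)
    if not cfg.has_section("autorun"):
        return {}
    targets = {}
    for key, value in cfg.items("autorun"):
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets[key] = value.split()[0].strip('"')   # drop arguments and quoting
    return targets


def triage(autorun_text, volume_files):
    """One record per launchable program, with whether it is actually on the volume.
    A present target is what an analyst should hash and scan; a missing one is a
    sign of a stale or tampered autorun.inf and worth a look as well."""
    present = {f.lower() for f in volume_files}
    return [{"key": key, "program": program, "present_on_volume": program.lower() in present}
            for key, program in launch_targets(autorun_text).items()]
```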
There's been a great deal of discussion (controversy?) recently regarding personal privacy and the pursuit of profit. Many pundits are concerned that businesses are putting personal data at risk for financial gains.
And so the question is being asked: Are Facebook and Google contributing to an erosion of personal privacy?
So let's take a look at that, shall we? If you want to find personal information about somebody, are you really dependent on Google? Or Facebook? Really? No… not really.
In fact, there's LOTS of personal information that's been available to academics and demographers for years.
For example, take the State of North Carolina, USA. The NC State Board of Elections website is a great place to start as it provides a form for checking *my* registration. And only two bits of data are required — first and last names.
Let's take a look at a public figure, Richard Burr. He's North Carolina's senior Senator.
Look what's available: his full name, voter registration number, registration date, address and race.
Let's see you get that info from Facebook. Not likely.
Now we know his home address is in Forsyth County, so let's visit the Forsyth County Tax Administration website and use their Geo-Data Explorer. It's super cool.
All you need is the street address and presto, you get an aerial view with the property lines, the home value, property value, owners, et cetera.
Historical information is also available.
And check out this street view! Man, that beats Google's street view, hands down. No comparison at all. Google's an amateur.
Next, let's take a look at an online phone book, White Pages dot com.
Again, using very little information, just first name, last name, city and state, we get these results:
Richard Burr's work (local office) and home numbers.
So how exactly are Google and Facebook eroding privacy? Because they do in the open what others do behind closed doors? Because they are trying to invent something new?
Guess that depends on what you consider privacy.
Governments have always known your personal details. Making some information public contributes to an open and healthy democracy. So many things aren't really private, are they? Someone, somewhere already knows plenty of things about you.
At least you get something, services, for using Google and Facebook. LexisNexis and others aren't going to give you a cent for your information.
And consider this, posting messages in online forums, commenting on blog posts and sharing links with your friends is kind of like having a private conversation in a public shopping mall. Sure, you can have a personal conversation at your local coffee shop, but do you really expect that conversation to be secure?
If somebody overhears your conversation, are you going to blame the shop owner for not protecting your personal information? No, of course not.
Facebook and Google are INTERNET services. Internet equals public space. Or at least, people should consider it to be so.
It's more accurate to say that information technologies are eroding the length of time that is required to access your data.
Yes, that does have an impact on our online and real-world lives. But should we panic about it?
Should we be pointing the finger at Facebook and Google, saying that they're to blame because they are making business decisions? Don't think so; information technologies are going to continue to open up personal information regardless of whether or not Google and Facebook are trying to make a profit.
Do you want data and personal privacy protections? Then pass a law protecting personal privacy from being misused by employers. That's what people really care about — their jobs and their livelihood — not being marketed to.
Perhaps that's something Senator Burr will consider during his reelection campaign.