Microsoft struggles with IE flaws


NEWS

Computer Fraud & Security, January 2013, page 3

...Continued from front page

‘ENISA Threat Landscape: Responding to the evolving threat environment’ provides a meta-analysis of 120 reports published during 2011 and 2012 by the security industry, standardisation bodies and other independent parties. It gives an overview of observed threats and threat agents, together with the current top threats and emerging trends.

The report also analyses what it calls the “cyber enemy”, identifying the top 10 threats in emerging technology areas, including mobile computing, social media, critical infrastructure, trust infrastructures, cloud and big data. The 10 most important threats it identifies are:

1. Drive-by exploits (malicious code injected into web pages to exploit browser vulnerabilities).
2. Worms/trojans.
3. Code injection attacks.
4. Exploit kits (ready-to-use software packages to automate cybercrime).
5. Botnets (hijacked computers that are remotely controlled).
6. (Distributed) Denial of Service attacks (DDoS/DoS).
7. Phishing (fraudulent emails and websites).
8. Compromising confidential information (data breaches).
9. Rogueware/scareware.
10. Spam.

Finally, the Agency draws a number of conclusions for industry and stakeholders on how to better fight the cyberthreats facing business, citizens and the digital economy at large. They include: the use of a common terminology within threat reports; accommodating the end-user perspective; developing use cases for threat landscapes; collecting security intelligence from incidents, including the starting point and target of an attack; shifting security controls to accommodate emerging threat trends; collecting and developing better evidence about attack vectors and methods so as to understand attack workflows; collecting and developing better evidence about the impact of attacks; and collecting and maintaining more qualitative information about threat agents.

The report is available here: http://bit.ly/201301enisa.

Microsoft struggles with IE flaws

A zero-day flaw in Microsoft’s Internet Explorer (IE) browser has been exploited by attackers – possibly as part of the allegedly state-sponsored Elderwood Project. And while the company moved quickly to issue an out-of-band ‘Fix It’ workaround, researchers have shown that problems persist.

The flaw, classified as CVE-2012-4792, affects IE versions 6-8 and can be used to achieve remote code execution with the user’s privileges. As many Windows users routinely operate their computers using accounts with administrator privileges, this could be a serious problem. The flaw doesn’t exist in IE versions 9 and 10; however, the earlier versions of the software are still in widespread use.

Microsoft issued a temporary ‘Fix It’ workaround and has also recommended using its Enhanced Mitigation Experience Toolkit (EMET), pending a proper patch. The company’s advisory is available here: http://bit.ly/201301ms. The exploit works on Windows XP and Windows 7 and can bypass protections such as Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR). The attack exploits a ‘use after free’ bug: the browser continues to use a reference to an object after that object’s memory has been freed, so an attacker who refills the freed memory with data of their own choosing controls what happens when the stale reference is next used, typically by redirecting a function call to attacker-supplied code. In this case the code that runs injects a DLL.
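How a use-after-free turns a stale reference into control of execution, as an added example that is not the CVE-2012-4792 trigger and not Internet Explorer or Microsoft code. It uses a C stand-in for a DOM object whose first field is a vtable-style function pointer, a two-slot toy allocator (an assumption standing in for the browser heap, chosen so the freed chunk is reliably handed back to the next same-sized allocation), and an `attacker_gadget` function standing in for the address a heap spray would supply. The hardened variant shows the minimal fix: no reference to the object survives its free.

```c
/* Added example: a minimal use-after-free with a vtable-style function
 * pointer, modelled on the general pattern described in the article.
 * It is NOT the CVE-2012-4792 trigger; the object layout, the slot
 * allocator and the attacker "gadget" are all constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for a browser DOM object: the first field plays the role of
 * a C++ vtable pointer, which is what a real exploit overwrites. */
typedef struct {
    void (*on_click)(void *self);
    char  label[24];
} button_t;

/* Toy allocator with two equal-sized slots (assumption standing in for the
 * browser heap): freeing a slot and allocating the same size again returns
 * the same memory, as glibc's tcache also does for small chunks. */
#define SLOT_SIZE sizeof(button_t)
#define NSLOTS 2
static button_t slab[NSLOTS];
static int slot_free[NSLOTS] = {1, 1};

static void *slab_alloc(size_t n) {
    if (n > SLOT_SIZE) return NULL;
    for (int i = 0; i < NSLOTS; i++)
        if (slot_free[i]) { slot_free[i] = 0; return &slab[i]; }
    return NULL;
}
static void slab_free(void *p) {
    for (int i = 0; i < NSLOTS; i++)
        if (p == (void *)&slab[i]) slot_free[i] = 1;
}

/* Records which handler ran: 1 = legitimate, 2 = attacker gadget, 0 = none. */
static int last_handler;
static void legit_on_click(void *self) { (void)self; last_handler = 1; }
/* In a real exploit this would be shellcode or a ROP chain reached via a heap spray. */
static void attacker_gadget(void *self) { (void)self; last_handler = 2; }

/* Vulnerable flow: the object is freed, attacker-controlled data of the same
 * size lands in the hole, and the browser then dispatches on the stale pointer. */
int vulnerable_dispatch(void) {
    last_handler = 0;
    button_t *btn = slab_alloc(sizeof *btn);
    btn->on_click = legit_on_click;
    strcpy(btn->label, "ok");

    slab_free(btn);                       /* object freed, btn still points at it */

    /* Attacker refills the freed slot: the bytes that land where the vtable
     * pointer used to be now point at the gadget. */
    unsigned char *fill = slab_alloc(SLOT_SIZE);
    void (*gadget)(void *) = attacker_gadget;
    memcpy(fill, &gadget, sizeof gadget);
    memset(fill + sizeof gadget, 'A', SLOT_SIZE - sizeof gadget);

    btn->on_click(btn);                   /* use after free: runs attacker_gadget */
    slab_free(fill);
    return last_handler;                  /* 2 */
}

/* Hardened flow: the owning reference is cleared at the free, so there is
 * no dangling pointer for the attacker's refill to be reached through. */
int hardened_dispatch(void) {
    last_handler = 0;
    button_t *btn = slab_alloc(sizeof *btn);
    btn->on_click = legit_on_click;
    strcpy(btn->label, "ok");

    slab_free(btn);
    btn = NULL;                           /* reference dies with the object */

    unsigned char *fill = slab_alloc(SLOT_SIZE);
    void (*gadget)(void *) = attacker_gadget;
    memcpy(fill, &gadget, sizeof gadget); /* same refill, now harmless */

    if (btn) btn->on_click(btn);          /* not reached */
    slab_free(fill);
    return last_handler;                  /* 0 */
}

int main(void) {
    printf("vulnerable: handler %d (2 = attacker gadget ran)\n", vulnerable_dispatch());
    printf("hardened:   handler %d (0 = dispatch refused)\n", hardened_dispatch());
    return 0;
}
```

The bug is the dispatch through `btn` after `slab_free(btn)`; everything else is the attacker's choice of what to put in the hole. In the real attack the "gadget" address has to be known in advance, which is what ASLR is meant to deny, and it has to be executable, which is what DEP is meant to deny; that is why the article treats the exploit's DEP and ASLR bypass, and EMET's extra mitigations, as separate from the flaw itself. Neither mitigation removes the stale reference; only a code fix of the kind the hardened variant sketches does.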

Researchers at security firm Exodus said the Fix It solution from Microsoft failed to prevent the exploit triggering in all cases. Exodus also uncovered another way to exploit the vulnerability, albeit one that does not appear to be in use in the wild.

An exploit using the flaw was discovered in late December 2012 by FireEye. It had been injected into the website of the Council on Foreign Relations (CFR). Research by Sophos suggests that the exploit had been in place for about three weeks, and the firm found several other sites infected with the exploit. These are very varied, including a site aimed at the Uyghur people of East Turkestan (who are campaigning for independence from China), a Taiwanese travel agency, a Russian science site and an Iranian oil company. However, the majority appear to have a human rights or political connection to some degree.

Security firm Avast also claims that two of the infected sites hosted identical binaries, matching those used in an attack in September that was attributed to the Chinese Nitro gang.

Inevitably, fingers have been pointed at China with a suggestion that the malware is aimed at dissidents. According to some reports, the exploit is set to trigger if the user’s browser language setting is English, Chinese, Chinese (Taiwan), Japanese, Korean or Russian. It places a cookie on the victim’s machine to ensure the attack is made only once. The attack code also contains elements in Mandarin Chinese.

Sophos believes the payload shows similarities to those used in earlier attacks, including the use of a function called ‘HeapSpary’ – a notable misspelling of the term ‘heap spray’, a technique commonly used by malware.

According to research by Symantec, these attacks may have had state backing. In what it dubbed the Elderwood Project, Symantec identified a number of attack campaigns that appear to have access to large numbers of zero-day vulnerabilities (for more information, go to: http://bit.ly/201301elderwood). Finding and exploiting zero-day flaws requires major resources – something that run-of-the-mill cyber-criminals have not demonstrated.

There is no obvious connection between the compromised websites, although there is plenty of speculation that they may constitute ‘watering hole’ sites – websites commonly visited by people from the organisation that is the real target of the attackers. Placing drive-by malware on such a site is often easier than directly attacking the targeted organisation.

Windows RT jailbroken

Microsoft is also facing attack on another front. A researcher, CL Rokr (aka ‘clrokr’), claims to have found a way of bypassing the code integrity checking in Windows RT – the version of Windows 8 ported to ARM

Continued on page 20...