Tag Archives: malware

Long-time Windows vulnerability might be fixed soon

Filed under Security News
Mark Russinovich, a software engineer hired by Microsoft to improve the stability of its Windows OS, may have found the key to preventing a significant majority of Windows exploits.

Experts say that, for years, one of Windows' primary vulnerabilities has been its tendency to try to "run" data as though it were computer code. This can be exploited fairly simply by inserting malicious code into heap memory and intentionally crashing the process, placing the system in a state where it looks to the malware itself for instructions, which can lead to identity theft or other bad results.

Russinovich, according to Beta News, says that one of the first steps to making Windows more secure is to make it more stable. In this way, he says, crash detection programs have more system resources to spend on analyzing the underlying cause of crashes and can more effectively monitor systems for unauthorized processes.

The Inquirer reports that Russinovich has designed a "fault-tolerant heap," which could provide additional help in preventing the type of exploits that have plagued previous versions of Windows.

Microsoft denies that Internet Information Services is vulnerable to attack

Filed under Security News
Responding to allegations of security vulnerabilities in its Internet Information Services infrastructure, Microsoft yesterday released a blog post, detailing its investigation into the product and its conclusions that there was no inherent vulnerability.

The problem, Microsoft said, lies with the users and not with the program itself. IIS is vulnerable to exploitation by spyware and malware when configured to allow read and write access on the same directory, but this is not the way it is configured by default, and Microsoft says that it specifically warns users against setting up IIS in this way.

However, if the read and write access were insecurely configured, hackers could take advantage of a flaw in the way the program understands semicolons in URLs and execute code remotely on IIS machines. Researcher Soroush Dalili's paper publicized the supposed flaw, but did not say which active web applications were vulnerable to its exploitation, citing security concerns.

Microsoft has patched a number of serious vulnerabilities in its products of late, including Windows 7 and the Office productivity suite.

Has Microsoft pointed hackers to a way around anti-virus software?

Filed under Security News
The recent release of a "whitelist," detailing system folders that Microsoft says do not need to be scanned by anti-virus software, has caused a minor controversy in the world of computer security, with some experts saying that the software giant has showed potential malware pushers an easy way to circumvent anti-virus protection.

Security researcher David Sancho, writing on Trend Micro's company blog, warns that publicizing these virus scanning tips may have offered a target to would-be cyber criminals. Sancho says that, although excluding the files and folders in question - related to Windows Update and Group Policy - makes sense for users looking to minimize the performance hit caused by anti-virus software, making the recommendations public knowledge was an unnecessary risk.

The point, according to Sancho and others, is that the public recommendation by a trusted source like Microsoft is likely to cause numerous users to follow the advice and remove the anti-virus protection for the files and folders. While malware writers have not yet targeted those files and folders specifically, Microsoft's recommendation amounts to an open invitation to do so, experts say.

Novice users should not attempt to alter the relevant anti-virus settings, according to experts.

Cisco releases software updates to fix malware vulnerability

Filed under Security News
Cisco Systems this week announced the availability of patches for its WebEx Player software, which is used to record and play back data from videoconferences and online meetings.

The vulnerability is a buffer overflow issue, which can allow maliciously created files to temporarily enable the execution of remote code, allowing all manner of illicit access to affected machines. Experts say that such computers could be added to botnets, or make their users vulnerable to identity theft. Even if the remote code execution was unsuccessful - due to, for example, limited user access - the malware could still crash affected computers.

The company said that installations of the WebEx Player software that were automatically downloaded would update themselves without the need for user action, but that manual installations would require users to download the updates from Cisco's website and install them on their own.

ZDNet's Ryan Naraine says that companies that rely on WebEx for their day-to-day business should consider this update a critical one. Naraine reports that the fix targets six specific vulnerabilities that could be exploited in the same manner.

Experts: Real-time search vulnerable to malware

Filed under Security News
The recent addition of real-time search results from blogs and social networking services has provided a fertile new target for cyber criminals, according to online security experts.

While standard search results are not uniformly spam- and virus-free, the instantaneous delivery speed of real-time results - most of which are currently delivered from Twitter, with Facebook to be added in the near future - makes filtering such search results difficult, writes USA Today.

That publication quoted sources at Google as saying that the company used "automatic and manual processes" to identify and block malicious website traffic and warn users against clicking on possibly malicious links, and said that Bing and Yahoo also "[took] great pains to deliver safe results."

Analysts say that any number of cyber security threats could use real-time search as a delivery vector, including banking Trojans and bogus anti-virus products. The incorporation of real-time results into standard search engine traffic could prove particularly fruitful for the infamous Koobface worm, which already uses the same social networks that power real-time search to spread itself by spamming malicious links.

Massive rootkit campaign spreads via SQL injection on legitimate websites

Filed under Security News
A fast-moving malware campaign has infected almost 300,000 web pages, according to UK-based IT security site The Register. Anti-virus software has a mixed record of detecting the rootkit-enabled Trojan, with 22 out of 40 products tested by Virus Total able to stop the malware.

Online security firm ScanSafe says that the attacks started last month, and work by using SQL injection to plant a malicious, invisible iframe on a targeted website, which redirects users to a malware-serving domain.
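The defensive check that follows from the above is to look at the site's own stored content for the tell-tale sign of this kind of compromise: an iframe that has been made invisible (zero size, hidden via CSS, or positioned off-screen) and points at an external domain. The following Python is an added example, not code from the original post or from ScanSafe; the page content and the domain names in it are constructed for illustration. It can be run over HTML files or over page bodies exported from a CMS database, since the injected markup lives in the stored content rather than on disk.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# CSS patterns commonly used to hide an injected frame from the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN_STYLE = re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I)


class IframeAuditor(HTMLParser):
    """Collects iframes that look deliberately hidden from the visitor."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []

        # Zero- or one-pixel frames render nothing but still load their src.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().rstrip("px").strip()
            if val.lstrip("-").isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={a[dim]}")

        style = a.get("style", "")
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden via style")
        if OFFSCREEN_STYLE.search(style):
            reasons.append("positioned off-screen")

        # A hidden frame pointing at a third-party host is the pattern to escalate.
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host != self.site_host
        if reasons:
            self.findings.append({"src": src, "external": external, "reasons": reasons})


def find_hidden_iframes(html, site_host):
    """Return a list of suspicious iframe findings for one page body."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_pages(pages, site_host):
    """Scan {page_id: html} records, e.g. rows exported from a CMS, and
    return only pages carrying a hidden iframe that points off-site."""
    report = {}
    for page_id, html in pages.items():
        hits = [f for f in find_hidden_iframes(html, site_host) if f["external"]]
        if hits:
            report[page_id] = hits
    return report


# Constructed sample content: one clean page, two pages with injected frames.
SAMPLE_PAGES = {
    "home": '<p>Welcome</p><iframe src="https://www.example.org/embed/tour" '
            'width="560" height="315"></iframe>',
    "news": '<p>Latest news</p><iframe src="http://malware-host.invalid/in.cgi" '
            'width="0" height="0" style="display:none"></iframe>',
    "about": '<div>About us</div><iframe src="http://redirector.invalid/x" '
             'style="position:absolute;left:-9999px"></iframe>',
}

if __name__ == "__main__":
    for page_id, hits in scan_pages(SAMPLE_PAGES, "www.example.org").items():
        for hit in hits:
            print(page_id, hit["src"], ", ".join(hit["reasons"]))
```

Treat a hit as a reason to pull the page's database record and the web server's logs for the time the content changed, not just to delete the tag: the iframe is the symptom, and the SQL injection that wrote it will keep working until the input handling behind it is fixed.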

Once at the malicious domain, the site checks for "at least five" separate application vulnerabilities while attempting to install the Backdoor.Win3.Buzus.croo malware on targeted machines, according to The Register. While fully patched versions of Windows, Internet Explorer, and Adobe Flash should be immune to the malware, experts urge users to take no chances by visiting infected sites.

Dark Reading reports that the websites infected by this campaign vary widely in location and content, ranging from the City of Iowa City's municipal website to overseas news organizations and an English-language rental site for Paris apartments.

Researchers say that Gumblar botnet is entirely automated

Filed under Security News
The Gumblar botnet, an interconnected group of PCs infected by specific types of malware, appears to work more or less by itself, according to security experts at Kaspersky Labs.

Gumblar's password-stealing and malware-spreading activities are not directly controlled by a human being, but rather by a small number of specialized command-and-control servers known as dispatchers. Kaspersky's researchers estimate that there are fewer than 10 Gumblar dispatchers currently active, compared to roughly 50 injectors - which host the malicious code - over 700 infectors, and more than 40,000 redirectors, which are compromised sites that point users to the infection sites.

PC Magazine says that the dispatcher machines are probably PHP-based, and that they run Linux as an operating system. The actual human agency behind the Gumblar botnet only has to visit the dispatcher servers occasionally to update the malicious code so that it will continue to evade network security measures.

Botnets are a commercial enterprise these days, as the creators of the zombie computer groups frequently construct them and then sell or lease them to groups or individuals for use in DDoS attacks or spam campaigns.

Experts say that banking Trojans are growing in sophistication

Filed under Security News
While security measures have improved steadily in recent years, banks are still vulnerable to advanced malware that resists the best removal efforts of the digital security industry.

Some security experts have even declared that the latest banking Trojans amount to a revolution in malware design, with Finjan pointing to the dangerous URLZone Trojan as a "next-generation program," according to PC World. URLZone contains numerous features designed to inhibit virus detection and efficiently steal money from online banking accounts accessed via infected PCs. According to researchers at RSA Security, URLZone can even tell if it is being watched by security experts.

Other Trojans, like Silentbanker and Zeus, also use sophisticated programming techniques to frustrate any attempt at detection. Zeus spreads via phishing and can easily perform complete identity thefts without alerting the victim. Silentbanker is able to take screen captures of bank account information and add malicious redirects into browser sessions.

Security experts say that online banking should be done with extreme caution, and only after ensuring that all applicable software is properly patched and updated.

App Store is the next big target for cyber crooks

Filed under Security News
Experts say that the next frontier for writers and distributors of malicious software is the smartphone market, which is not adequately secured and growing at a rapid pace.

Nick Jones, an analyst at research firm Gartner, told Secure Computing magazine that Apple's App Store is a likely target for malware purveyors. "There is no way that Apple can afford to inspect the code of every application that goes onto the App Store. They do some lightweight inspection and testing, it goes up on the App Store and there is not a lot to stop it doing something malicious," said Jones.

Secure Computing writes that the App Store has served more than a billion downloads since its launch in 2008, and that 100,000 applications have been approved for distribution via the popular service. Enterprises have little control over the security of iPhones being used for business because they are frequently purchased by employees for both business and personal use.

The first iPhone malware has so far arrived by a different vector, with worms afflicting jailbroken iPhones and causing a variety of symptoms ranging from simple harassment to attempted identity theft.

New zero-day flaw discovered in older versions of Internet Explorer

Filed under Security News
Security researchers at Symantec report that new malware has targeted a memory corruption vulnerability in Internet Explorer 6 and 7, which carries the potential for system crashes or malicious redirects.

The company revealed the vulnerability in a blog post over the weekend, saying that, while the current iteration of the malware showed "signs of poor reliability," they expect well-written exploit code to hit the internet in "the near future." The JavaScript-based exploit, which the researchers have dubbed Bloodhound.Exploit.129, requires prospective victims to visit an infected website.

As usual, the best way to avoid being infected by this malware is to ensure that all of the latest security patches and updates have been applied. Symantec recommends disabling JavaScript and only visiting trusted websites until Microsoft can release a bugfix for the vulnerability.

Though long since superseded by Internet Explorer 8, Internet Explorer 6 and 7 are still widely used by some enterprise consumers for reasons of compatibility and familiarity. Experts recommend upgrading to the latest version and keeping all software patched.