“TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates,” Adam Langley, Software Engineer at Google wrote in a blog post on Thursday.
Microsoft on Thursday issued a security advisory on the incident and took measures to protect customers.
Because an intermediate CA certificate carries the full authority of the issuing CA, an attacker holding one could create a certificate for any website they wanted to impersonate. “The fraudulent certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties,” Microsoft’s advisory said. “This issue affects all supported releases of Microsoft Windows.”
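The following Go program is an added example, not code from the article or from any of the vendors it names, that reproduces the failure mode described above with the standard library's crypto/x509 package. All names (the root, the customer, the hostname) are constructed. It builds a root CA, mis-issues a CA:TRUE certificate to an ordinary customer, shows that a certificate the customer then signs for an unrelated hostname chains successfully, and shows the two defensive checks that matter: the issuance-side policy that should have refused CA:TRUE for an end-entity request, and the relying-party blocklist that browser and OS vendors applied after the fact.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a certificate template. CA certificates get the certSign
// key usage and no EKU restriction; end-entity certificates get serverAuth.
func newTemplate(cn string, serial int64, isCA bool, dns []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl under parent (self-signed when parent is nil) with a fresh P-256 key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssuancePolicy is the check the issuing CA should have run: a request for an
// ordinary SSL certificate must never be signed with CA:TRUE.
func IssuancePolicy(tmpl *x509.Certificate, requestedSubordinateCA bool) error {
	if tmpl.IsCA && !requestedSubordinateCA {
		return errors.New("refusing to issue CA:TRUE certificate for an end-entity request")
	}
	return nil
}

// VerifyWithBlocklist is the relying-party check applied after the fact: build
// the chain normally, then reject any chain that contains an explicitly
// untrusted certificate (keyed by SHA-256 of its DER encoding).
func VerifyWithBlocklist(leaf *x509.Certificate, opts x509.VerifyOptions, blocked map[[32]byte]bool) error {
	chains, err := leaf.Verify(opts)
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if blocked[sha256.Sum256(c.Raw)] {
				return fmt.Errorf("chain contains untrusted certificate %q", c.Subject.CommonName)
			}
		}
	}
	return nil
}

// Result records the outcome of the constructed scenario.
type Result struct {
	AcceptedWithoutBlocklist bool  // the rogue leaf chains to the root as-is
	PolicyErr                error // what the issuance-side check would have said
	BlocklistErr             error // what the relying party says once the cert is untrusted
}

// Scenario replays the mis-issuance with constructed names.
func Scenario() Result {
	root, rootKey, err := sign(newTemplate("Example Root CA", 1, true, nil), nil, nil)
	if err != nil {
		panic(err)
	}
	// The mistake: a customer asked for an SSL certificate and received CA:TRUE.
	misissued := newTemplate("customer.example.net", 2, true, nil)
	policyErr := IssuancePolicy(misissued, false)
	customer, customerKey, err := sign(misissued, root, rootKey)
	if err != nil {
		panic(err)
	}
	// Whoever holds that key can now sign a certificate for any hostname.
	leaf, _, err := sign(newTemplate("mail.example.com", 3, false, []string{"mail.example.com"}), customer, customerKey)
	if err != nil {
		panic(err)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(customer)
	opts := x509.VerifyOptions{DNSName: "mail.example.com", Roots: roots, Intermediates: inters}
	_, beforeErr := leaf.Verify(opts)
	blocked := map[[32]byte]bool{sha256.Sum256(customer.Raw): true}
	return Result{
		AcceptedWithoutBlocklist: beforeErr == nil,
		PolicyErr:                policyErr,
		BlocklistErr:             VerifyWithBlocklist(leaf, opts, blocked),
	}
}

func main() {
	r := Scenario()
	fmt.Println("rogue leaf accepted without blocklist:", r.AcceptedWithoutBlocklist)
	fmt.Println("issuance policy:", r.PolicyErr)
	fmt.Println("with blocklist:", r.BlocklistErr)
}
```

The first result is the point of the advisory: path validation has no way to tell a mis-issued intermediate from a legitimate one, so the only remedies are preventing the issuance (the policy check) or explicitly distrusting the certificate everywhere it might be presented (the blocklist, which is what the vendor updates delivered).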
When the software giant made Wednesday’s announcement, it promised that a full patch would be available by the end of the week, and it delivered on that promise shortly after 1:00 p.m. EST today.
“The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically,” Microsoft said. “For those manually updating, we encourage you to apply this update as quickly as possible... In addition to addressing the issue described in Security Advisory 2757760, MS12-063 also resolves four privately disclosed vulnerabilities that are currently not being exploited.”
While the patch is being developed, Microsoft says that using its EMET tool will mitigate the vulnerability. “Deploying EMET will help to prevent a malicious website from successfully exploiting the issue described in Security Advisory 2757760. EMET in action is unobtrusive and should not affect customers’ Web browsing experience,” Microsoft explained.
In addition, customers can set the Internet and Local intranet security zones to High in order to block ActiveX controls and Active Scripting. Finally, customers also have the option to configure Internet Explorer to prompt before running Active Scripting, or to disable Active Scripting in the Internet and Local intranet security zones.
Security researcher Eric Romang discovered the vulnerability and exploit over the weekend while monitoring some infected servers said to be used by the alleged Nitro gang. The entry point of the attack is a file named “exploit.html”, which loads “Moh2010.swf”.
According to analysis by VUPEN, the exploit takes advantage of a “use-after-free vulnerability” that affects the mshtml.dll component of Internet Explorer.
As mentioned, Romang first found the new zero-day code on the same server that was initially used to spread the recent Java zero-day, suggesting that even if the two exploits were not created by the same group, they are at least related.
Internet Explorer users should consider switching to other browsers, such as Chrome or Firefox, for the time being.
Since ASA doesn't require the original source code, managers and executives can also use the tool to determine how a new application under consideration would affect the organization's overall security before deploying it.
The tool takes snapshots of the system before and after an application is installed and compares them to identify the changes the installation made. A stand-alone wizard guides users through the scanning and analysis process, and a command-line version is available for use with automated tools.
The $1 Trillion figure is attributed to anti-virus vendor McAfee, while the $388 million in IP losses number belongs to Symantec's Norton division. According to ProPublica, "The report was not actually researched by Norton employees; it was outsourced to a market research firm, StrategyOne, which is owned by the public relations giant Edelman."
The problem with both of these figures — $1 Trillion and $388 million — is, as Microsoft researchers pointed out earlier this year in a report fittingly titled "Sex, Lies, and Cybercrime", that they are studded with outliers. In one example they cite, a single individual claiming $50,000 in losses, in an N = 1000 person survey, is enough to extrapolate a $10 billion loss over the population. In another, one unverified claim of $7,500 in phishing losses translates into $1.5 billion over the population.
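The arithmetic behind that criticism, as an added Go example that is not part of the article or the Microsoft report: the naive estimator is mean loss per respondent scaled to the population, so one respondent's answer can account for the entire headline number. The population size of 200 million is an assumption reconstructed from the figures quoted ($50,000 / 1,000 × 200,000,000 = $10 billion); the survey data is constructed to match the two examples in the text. The winsorized variant shows one standard way to limit the leverage of a single response.

```go
package main

import (
	"fmt"
	"sort"
)

// SurveyPopulation is the population implied by the article's numbers
// (assumed here; the page itself does not state it).
const SurveyPopulation = 200_000_000.0

// Extrapolate is the naive estimator behind the headline figures:
// mean loss per respondent multiplied by the size of the population.
func Extrapolate(losses []float64, population float64) float64 {
	total := 0.0
	for _, l := range losses {
		total += l
	}
	return total / float64(len(losses)) * population
}

// TopShare reports what fraction of the total claimed loss comes from the
// single largest respondent. A value near 1 means one answer drives the estimate.
func TopShare(losses []float64) float64 {
	total, top := 0.0, 0.0
	for _, l := range losses {
		total += l
		if l > top {
			top = l
		}
	}
	if total == 0 {
		return 0
	}
	return top / total
}

// WinsorizedExtrapolate caps every response at the given upper quantile of
// the sample before extrapolating, so a lone extreme claim cannot dominate.
func WinsorizedExtrapolate(losses []float64, population, quantile float64) float64 {
	sorted := append([]float64(nil), losses...)
	sort.Float64s(sorted)
	capValue := sorted[int(quantile*float64(len(sorted)-1))]
	capped := make([]float64, len(losses))
	for i, l := range losses {
		if l > capValue {
			l = capValue
		}
		capped[i] = l
	}
	return Extrapolate(capped, population)
}

// OneOutlierSurvey builds a constructed 1,000-person survey in which every
// respondent reports zero loss except one who claims the given amount.
func OneOutlierSurvey(claim float64) []float64 {
	losses := make([]float64, 1000)
	losses[0] = claim
	return losses
}

func main() {
	for _, claim := range []float64{50_000, 7_500} {
		s := OneOutlierSurvey(claim)
		fmt.Printf("one claim of $%.0f: naive estimate $%.3g, share from that respondent %.0f%%, winsorized at 99th pct $%.0f\n",
			claim, Extrapolate(s, SurveyPopulation), 100*TopShare(s), WinsorizedExtrapolate(s, SurveyPopulation, 0.99))
	}
}
```

TopShare is the diagnostic worth running on any survey-based loss figure before quoting it: if a single respondent accounts for most of the total, the extrapolated number is a statement about that respondent, not about the population.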
According to Symantec, the Snack module sniffs NetBIOS requests on the local network. NetBIOS name resolution lets computers find each other on a local network peer-to-peer, without a central server, which opens up an avenue for spoofing.
The findings have prompted Microsoft to say that it plans to harden Windows Update against attacks in the future, though the company did not immediately reveal details as to how.
“We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft,” Microsoft Security Response Center’s Jonathan Ness wrote in a blog post.
Microsoft is also warning that the same techniques could be leveraged by less sophisticated attackers to conduct more widespread attacks.
In response to the discovery, Microsoft released a security advisory detailing the steps organizations should take in order to block software signed by the unauthorized certificates, and also released an update to automatically protect customers. Also as part of its response effort, Microsoft said its Terminal Server Licensing Service no longer issues certificates that allow code to be signed.
In March, Microsoft issued a patch in order to correct a flaw within Remote Desktop Protocol (RDP) (MS12-020). The patch was ranked as critical by the software giant, and security experts predicted that exploit code for the RDP flaw would arrive sooner rather than later. As it turns out, proof of concept code appeared within hours of the patch’s release, and Microsoft was indirectly responsible for the PoC code’s appearance.
When the PoC itself arrived on the Web, the researcher who discovered the vulnerability in the first place (Luigi Auriemma) recognized his own code within the source. Given that he turned his work over to ZDI, and ZDI quickly denied leaking the code, that left Microsoft as the only likely source. This was later confirmed when elements of the PoC contained markers used by MSRC. Thus, the security industry quickly came to the realization that someone within MAPP committed a serious breach of trust.
wiredmikey writes: With the rise in complex threats and new advanced malware flooding headlines and causing a stir, it’s easy to forget about some of the sizable threats that have graced the security world over the years—threats that may be out of mind, but shouldn’t be.
Why is Conficker still so prevalent in organizations? Microsoft cites research showing that 92 percent of Conficker infections were the result of weak or stolen passwords, and 8 percent of infections exploited vulnerabilities for which a security update exists.
Conficker emerged in late November 2008, about a month after Microsoft pushed out an emergency patch for a critical vulnerability in Windows. Exploiting this vulnerability, the worm quickly spread to unpatched computers around the world, and one month later was followed up with a "B" variant.
"Conficker is one of the biggest security problems we face, yet it is well within our power to defend against," said Tim Rains, director of Microsoft Trustworthy Computing. "It is critically important that organizations focus on the security fundamentals to help protect against the most common threats."
According to Microsoft, organizations should focus first on MS12-027 and MS12-023. Already, MS12-027 has come under limited, targeted attack. MS12-027 addresses a vulnerability affecting the MSCOMCTL.OCX ActiveX control that could allow remote code execution if a user visits a website with specially-crafted content designed to exploit the vulnerability. This particular vulnerability affects several pieces of software, including versions of Microsoft Office, SQL Server and BizTalk Server.
John Harrison, group product manager with Symantec Security Response, advised organizations to also pay attention to MS12-024, which patches a critical vulnerability in Windows that could permit remote code execution if a user or application runs or installs malicious, signed portable executable files on an affected system.
wiredmikey writes: Today, in what it called its “most complex effort to disrupt botnets to date,” Microsoft announced that the company, in collaboration with partners from the financial services industry, has successfully taken down operations that fuel a number of botnets that make use of the notorious Zeus family of malware.
While the operation is a big win for the anti-cybercrime community, it does not mean that it’s the end of Zeus and Zeus botnets. Microsoft noted that the goal of the actions was not to permanently shut down all impacted Zeus botnets, but it is expected to significantly impact the cybercriminals' operations and infrastructure, and help victims remove the malware from infected systems.
wiredmikey writes: This month, Ford is borrowing something from the software industry: updates. With a fleet of new cars using the sophisticated infotainment system they developed with Microsoft called SYNC, Ford has the need to update those vehicles—for both features and security reasons. But how do you update the software in thousands of cars?
Naming names can be a risky business. Previously, Microsoft alleged Dominique Alexander Piatti, dotFREE Group SRO and several unnamed “John Does” owned a domain cz.cc and used cz.cc to register other subdomains used to operate and control the Kelihos botnet. However, the company later absolved Piatti of responsibility when investigators found neither he nor his business was controlling the subdomains used to host Kelihos.
Whether naming Sabelnikov – who, according to Krebs on Security, once worked as a senior system developer and project manager for Russian antivirus vendor Agnitum – will have the same effect as naming the Koobface gang remains to be seen.
Though Kelihos has remained defunct since the takedown last year, the malware is still on thousands of computers.