Tag: zero day

SAP releases patches

SAP, the software maker behind esoteric, expensive business programmes that nobody is quite sure what they do, has patched vulnerabilities in its HANA platform.

The holes had a high risk of giving hackers control over databases and business applications used to run big multinational firms.

Vulnerabilities in big business software are more lucrative to attackers because these tools store the data and run the transactions. The flaws were “zero day” vulnerabilities and are described as the most critical ever found in HANA. For those who came in late, HANA is the in-memory database platform that underpins SAP’s latest database, cloud and more traditional business apps.

The holes were spotted by insecurity outfit Onapsis, which said the vulnerabilities lay in a HANA component known as “User Self Service” (USS) and would allow malicious insiders or remote attackers to fully compromise vulnerable systems without needing so much as a valid username and password.

It reported 10 HANA vulnerabilities to SAP less than 60 days ago, and the German software maker fixed them in near-record time.

The resulting patch, issued by SAP on Tuesday, was rated 9.8 on the 10-point CVSS scale, “very high” in terms of relative risk to its customers. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.

Onapsis chief executive Mariano Nunez praised SAP for releasing the fixes much faster than it has in past situations.

Adobe rushes out a flash update

Adobe has issued an emergency update for Flash after researchers discovered a security flaw that was being exploited to deliver ransomware to Windows PCs.

The software maker urged the more than a billion users of Flash on Windows, Mac, Chrome and Linux computers to update the product as quickly as possible.

The bug was being exploited in “drive-by” attacks, in which merely visiting a poisoned website is enough to infect the computer with ransomware.

Ransomware encrypts data, locking users out of their files, then demands payments that often range from $200 to $600 to unlock each infected PC.

Japanese security software maker Trend Micro Inc said that it had warned Adobe that it had seen attackers exploiting the flaw to infect computers with a type of ransomware known as ‘Cerber’ as early as March 31.

Cerber “has a ‘voice’ tactic that reads aloud the ransom note to create a sense of urgency and stir users to pay,” Trend Micro said on its blog.

Adobe’s new patch fixes a previously unknown “zero day” security flaw.

FireEye said the bug was being used to deliver ransomware via the Magnitude Exploit Kit, an automated tool sold on underground forums that hackers use to infect PCs with malware through tainted websites.

New zero day flaw for IE tips up

Software king of the world Microsoft is warning that its Internet Exploder browser has a zero day flaw which allows hijackers to install malicious software without any help from users.

All a potential victim has to do is visit the wrong site and they are toast.

In an alert posted on Saturday, Microsoft said it is aware of “limited, targeted attacks” against the vulnerability (CVE-2014-1776) so far.

Security firm FireEye found the flaw while investigating the attack.

In its own advisory, FireEye says the exploit is currently targeting IE9 through IE11, and that the weakness is also present in all earlier versions of IE going back to IE6.

It uses a well-known Flash exploitation technique to bypass Windows’ ASLR and DEP protections.

So far, Microsoft has not yet issued a stopgap “Fix-It” solution for this vulnerability. For now, it is urging IE users to download and install its Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help beef up security on Windows.

However, Vole admits that EMET 3.0 does not mitigate this attack, and that affected users should instead rely on EMET 4.1.

According to information shared by FireEye, the exploit can also be blocked by running Internet Explorer in “Enhanced Protected Mode” with 64-bit tab processes, an option available for IE10 and IE11 under Internet Options.
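As an added illustration (this is not code from the original article, from Microsoft or from FireEye), the PowerShell below audits whether the current user’s IE is configured for Enhanced Protected Mode with 64-bit tab processes, and can switch both on. It relies on the registry values Microsoft documents for those two Internet Options checkboxes; the function names and the commented-out apply step are this example’s own choices, and it assumes IE10 or IE11 on 64-bit Windows.

```powershell
# Added example, not from the article or the vendor advisories.
# Registry values behind the two Internet Options checkboxes (IE10/IE11):
#   HKCU:\Software\Microsoft\Internet Explorer\Main
#     Isolation      (REG_SZ)    = "PMEM"  -> Enhanced Protected Mode on
#     Isolation64Bit (REG_DWORD) = 1       -> 64-bit tab processes on
# Function names are this example's own; change them as you like.
$IEMainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-IEProtectedModeState {
    # Returns $null-safe booleans even when the key or values do not exist yet.
    $props = Get-ItemProperty -Path $IEMainKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnhancedProtectedMode = ($props.Isolation -eq 'PMEM')
        SixtyFourBitProcesses = ($props.Isolation64Bit -eq 1)
    }
}

function Set-IEProtectedModeState {
    # Writes both values for the current user; IE must be restarted to pick them up.
    if (-not (Test-Path $IEMainKey)) { New-Item -Path $IEMainKey -Force | Out-Null }
    Set-ItemProperty -Path $IEMainKey -Name 'Isolation'      -Value 'PMEM' -Type String
    Set-ItemProperty -Path $IEMainKey -Name 'Isolation64Bit' -Value 1      -Type DWord
}

$state = Get-IEProtectedModeState
$state | Format-List

if (-not ($state.EnhancedProtectedMode -and $state.SixtyFourBitProcesses)) {
    Write-Warning 'IE is not running with EPM + 64-bit tabs; the mitigation FireEye describes is not in place.'
    # Uncomment to apply. Test first: 32-bit-only add-ons will not load in 64-bit tabs,
    # and Isolation64Bit has no effect on 32-bit Windows.
    # Set-IEProtectedModeState
}
```

The check reads only the current user’s hive; a domain-wide rollout would set the same values through Group Policy rather than per-machine scripts. Treat this as a stopgap alongside EMET, not a replacement for the eventual patch.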

Vole has also indicated that this is one of many zero-day attacks and vulnerabilities that will never be fixed for Windows XP users.

Microsoft last month shipped its final set of updates for XP. Unfortunately, many of the exploit mitigation techniques that EMET brings do not work in XP.

Of course, XP users could sidestep this particular flaw by running Firefox or any other browser which is not Internet Explorer, though that does nothing for the rest of XP’s unpatched holes.

Whistleblower sheds light on global zero day exploits market

Security researchers and hackers around the world are locked in a constant struggle to find security weaknesses in a wide range of software, and a whistleblower has revealed the enormous market for selling that information on.

The fruit of their labour is zero-day exploits: bits of custom code tailored to exploit software flaws which have not been made public yet. While they may sound scary to the average user, they are also a vital resource for security researchers. However, in the wrong hands they can cause plenty of havoc, as they can be deployed as cyber weapons by governments, or as the 21st century equivalent of a crowbar in the ever-growing cybercrime scene.

What most people don’t know is that zero-day exploits are being traded on a routine basis. Legitimate companies are selling them to governments, law enforcement agencies or other security outfits. However, as Slate found in its excellent report, the market is unregulated and there are concerns that rogue governments could simply buy exploits they might need for their next cyber attacks.

For example, undisclosed vulnerabilities in Windows were put to good use by the developers of the Stuxnet worm, which targeted Iranian nuclear enrichment facilities. A Chinese hacker group also used zero-day exploits in Flash and Internet Explorer to target more than 1,000 computers used by corporations and human rights groups.

The risky trade has prompted whistle-blowers to come forward and shed a bit more light on the practice. Adriel Desautels, a 36-year-old exploit broker from Boston, claims to have sold exploits for as much as $250,000. However, although the market is unregulated, Desautels has his own rules. His company will not sell exploits abroad; it only deals with US clients, who he claims are rigorously vetted before any deal is sealed.

“As technology advances, the effect that zero-day exploits will have is going to become more physical and more real,” he said. “The software becomes a weapon. And if you don’t have controls and regulations around weapons, you’re really open to introducing chaos and problems.”

Desautels warns that greedy and irresponsible people could sell exploits to anybody, or that they could sell the same exploit over and over again. In one scenario, two governments could use the same exploit to target each other.

“If I take a gun and ship it overseas to some guy in the Middle East and he uses it to go after American troops – it’s the same concept,” Desautels said.

The dangers of the exploit trade have already been recognised in Europe. Dutch politician Marietje Schaake is calling for new laws which should curb the trade. She describes zero-day exploits as “digital weapons” and says the European Commission should take action. Schaake believes the commission should create an entirely new regulatory framework that would include the trade in zero-day exploits.

Such a move would encourage researchers and hackers to act more responsibly and get the vulnerabilities fixed, rather than sell them on to the black or grey markets.

Microsoft warns of big problems with Internet Explorer 9

Microsoft has told us about a fresh bug in its Internet Explorer web browser which is being exploited in a zero day attack.

A spokesVole said attackers can exploit the bug to infect the PC of somebody who visits a malicious website and then take control of the victim’s computer.

The software maker advised customers on its website late on Monday to install a free mitigation tool as an interim measure, buying it time to fix the bug.

Security researchers think that Vole will have an update for its browser in about a week.

The tool Microsoft is suggesting, known as the Enhanced Mitigation Experience Toolkit or EMET, is available through an advisory on Microsoft’s website: blogs.technet.com/b/msrc/

The software needs to be downloaded, installed and then manually configured to protect computers from the newly discovered threat.

This makes it pretty useless to the great unwashed who still have not worked out how to program their video recorders.

The company also advised customers to adjust several Windows security settings to thwart potential attackers, but warned that this might make the PC harder to use.

It looks like most people will just have to wait for Microsoft to fix the browser, or use Chrome, Firefox or Opera instead.

Eric Romang, a researcher in Luxembourg, discovered the flaw in Internet Explorer on Friday, when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs.

Zero day threats overblown claims Microsoft

Microsoft’s Security Intelligence Report says that the problem of zero-day vulnerabilities is overblown.

Volish researchers looked at data from more than 600 million systems in more than 100 countries and came to the conclusion that less than one percent of exploits worldwide were against zero-day vulnerabilities.

In fact, 99 percent of attacks in the first half of 2011 distributed malware through social engineering or through vulnerabilities for which an update, or “patch”, already existed.

The conclusion was that cyber criminals appeared less interested in finding new holes in software and were targeting old vulnerabilities instead. Vole worked out that 90 percent of the vulnerabilities exploited had had security updates available for more than a year.

Of course, today’s zero day vulnerabilities are tomorrow’s old vulnerabilities, but Microsoft thinks it has a point about the press getting hysterical over each new one.

Instead we should all be worried that people are behind on their patches and virus checker updates.

According to the report, the zero-day vulnerability is especially alarming for consumers and IT professionals because it combines fear of the unknown and an inability to fix the vulnerability, which leaves users and administrators feeling defenseless.

“It’s no surprise that zero-day vulnerabilities often receive considerable coverage in the press when they arise, and can be treated with the utmost level of urgency by the affected vendor and the vendors’ customers,” the report says.

Vole points out that some small-scale, targeted attacks using zero-day exploits may escape detection and not be included in the final figures. Is it just me, but wouldn’t Zero Day be a great  name for a band? 

Skype zero day bug opens Mac security can of worms

Macs are vulnerable to a zero day flaw which allows hackers to gain control of the user’s system via Skype’s instant messaging.

Aussie insecurity outfit Pure Hacking has told AP that the vulnerability in Skype was dangerous.

Apparently the Mac’s faith-based security implodes if someone sends it a malicious instant message.

Writing in his blog, Gordon Maddern wrote that he first discovered the bug when he sent a client’s payload to a colleague over Skype.

Later he wrote a proof-of-concept malicious payload and tested it on Skype.

An attacker needs only to send a victim a message to gain remote control of the victim’s Mac. The payload could be paired with a worm to recruit Macs into a zombie network. Well, at least a different one from iTunes.

Maddern told Skype about the vulnerability about a month ago and got a reply informing that it was aware of the problem and would release a patch for it soon.

After a month Maddern decided to tell people about the vulnerability. He said he had withheld a few details so hackers could not easily write code based around the flaw.

Skype released a patch within a few days which the outfit claims completely fixes the vulnerability.

Although zero day bugs exist on other computer systems, cracking open a Mac by sending a message on Skype seems a bit too easy.

Still, Apple users are usually secure in the knowledge that there are not enough of them for a hacker to be interested, and after all, who would want to copy a Mac user’s Coldplay collection?

Intel working on zero-day proof security system

Intel is working on a security system that is zero-day proof, according to Intel’s Chief Technology Officer, Justin Rattner, and it could be ready by the end of this year.

Intel is still being tight-lipped about its security project, which has been the source of mounting speculation since the company acquired security software firm McAfee for $7.68 billion in August last year.

While Rattner was keen to not spill the beans completely on Intel’s security system, he gave plenty of hints about what we can expect. One thing is certain: it will be hardware-based, but may also have a software element.

Intel was also working on this long before the McAfee deal, he said, but he did not confirm or deny that McAfee is involved in the project. It appears likely that it is and that this project was the reason McAfee came onto Intel’s radar in the first place.

The security system also won’t depend on signatures, as traditional anti-malware does. Rattner said that the old approach means that if you haven’t encountered an attack before, it simply goes unnoticed. Intel’s approach will be “radically different,” he added, raising hopes for a better solution to the growing malware threat.

“We’ve found a new approach that stops the most virulent attacks,” he said in an interview with Computerworld. “It will stop zero-day scenarios. Even if we’ve never seen it, we can stop it dead in its tracks.”

That’s a lot of big expectations, which Intel may be unable to deliver on, but if it manages to pull off an answer to zero-day attacks it could secure a major advantage over competitors on the market.

Rattner said that he hopes to see the technology ready this year.