MAAS History Archives
Thursday, Oct 28, 2010

Adobe Confirms 0day Related to Flash and Acrobat

Adobe has issued a security advisory confirming a 0day that has been exploited in the wild and that affects Flash Player, Adobe Reader and Acrobat. The vulnerability is cross-platform, including earlier versions of Android.

The vulnerability causes a crash and could allow a malicious actor to execute commands with the user's privileges. Adobe has posted the mitigation methods in the attached advisory; the following is a summary.

Adobe Reader 9.x - Macintosh 
1) Go to the Applications->Adobe Reader 9 folder. 
2) Right Click on Adobe Reader. 
3) Select Show Package Contents. 
4) Go to the Contents->Frameworks folder. 
5) Delete or move the AuthPlayLib.bundle file.

Acrobat Pro 9.x - Macintosh
1) Go to the Applications->Adobe Acrobat 9 Pro folder. 
2) Right Click on Adobe Acrobat Pro. 
3) Select Show Package Contents. 
4) Go to the Contents->Frameworks folder. 
5) Delete or move the AuthPlayLib.bundle file.

Since this vulnerability affects the AuthPlayLib.bundle file, we recommend using Preview.app for viewing PDF files in the meantime.
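As an added example (not from the original post and not Adobe's own tooling), the following shell script performs the same mitigation from the command line: it moves AuthPlayLib.bundle out of the Reader and Acrobat application bundles into a quarantine folder instead of deleting it, so the file can be restored once Adobe ships a fix. The application paths and the quarantine location are assumptions based on the steps above.

```shell
#!/bin/sh
# Added example, not part of the original post or of Adobe's advisory.
# Assumes the 9.x layout described above:
#   <App>.app/Contents/Frameworks/AuthPlayLib.bundle
# Return codes: 0 = bundle moved, 2 = bundle already absent, 1 = error.

disable_authplay() {
    app="$1"          # path to the .app bundle
    quarantine="$2"   # folder that receives the moved bundle
    bundle="$app/Contents/Frameworks/AuthPlayLib.bundle"

    if [ ! -d "$app" ]; then
        echo "skip: $app is not installed" >&2
        return 1
    fi
    if [ ! -e "$bundle" ]; then
        echo "ok: AuthPlayLib.bundle already absent from $app"
        return 2
    fi
    mkdir -p "$quarantine" || return 1
    # Move rather than delete so the bundle can be restored after a vendor fix.
    dest="$quarantine/$(basename "$app")-AuthPlayLib.bundle"
    mv "$bundle" "$dest" || return 1
    echo "moved: $bundle -> $dest"
    return 0
}

# Apply the mitigation to both applications named in the advisory summary.
# Assumed default install paths; adjust if the apps live elsewhere.
disable_authplay_all() {
    quarantine="${1:-$HOME/authplay-quarantine}"
    for target in "/Applications/Adobe Reader 9/Adobe Reader.app" \
                  "/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app"; do
        disable_authplay "$target" "$quarantine"
    done
}
```

Run `disable_authplay_all` as the user who owns the applications; re-running it is safe because an already-removed bundle is reported and skipped.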

Wednesday, Oct 27, 2010

Mac Trojan Spreading Via Social Networking Sites

There is a report that a Mac OS X Trojan is spreading via email, social media and networking sites. The delivery method uses Java, which has the added advantage to the attacker of being platform independent. The link usually states "is this you in this video" but has been seen in various forms.

Microsoft has recently reported a rise in malware related to Java. Since Java is widely used and is not platform specific, it is a logical choice for malicious activity (Flash and Acrobat are chosen for the same reasons). SecureMac has labeled the trojan trojan.osx.boonana.a and is offering a free removal tool. Users can also use Java Preferences.app to limit the impact, including the amount of cache available and restricting Java applets with the Verify Mixed Security Code setting that controls sandboxing. There are also settings related to allowing users to grant permissions and to the handling of signed and unsigned content.

If Java is not needed, it should be disabled in Safari. Check back as more information becomes available.

Tuesday, Oct 26, 2010

Firefox 0day Delivers Windows Malware

A critical vulnerability exists in Firefox that affects all platforms and is currently delivering Windows-specific malware. One major concern is that this exploit targets an unpatched vulnerability. It would appear that the password-protected Bugzilla page may have been part of the reconnaissance process in discovering the exploit.

Open source code that is available for any coder to view is a double-edged sword: on the one hand, the community works to improve the software; on the other, users with malicious intent have an excellent resource readily available, including code and bug reports. Open source and community-based projects currently remain sound, but code review is recommended for critical production systems.

If you are interested in exploit development, source code can prove a useful tool. Many exploit and 0day authors download open source code to truly understand how particular units perform validation and verification of data. Skilled malicious actors do the same, although there are normally far more efficient methods for finding exploits. Code review is labor intensive, but the criminal life cycle is producing far more advanced skill sets.

Macintosh administrators and users should be aware of this exploit and remain vigilant. Using NoScript in conjunction with an anti-virus product may be the best defense. Currently this exploit can deliver Mac-based malware, including fake installers and rootkits.

Wednesday, Oct 20, 2010

Firefox 3.6.11

Mozilla.org has released an update to Firefox to address several security and stability issues. The following list is taken directly from Mozilla's security advisories site:

MFSA 2010-72 Insecure Diffie-Hellman key exchange
MFSA 2010-71 Unsafe library loading vulnerabilities
MFSA 2010-70 SSL wildcard certificate matching IP addresses
MFSA 2010-69 Cross-site information disclosure via modal calls
MFSA 2010-68 XSS in gopher parser when parsing hrefs
MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
MFSA 2010-66 Use-after-free error in nsBarProp
MFSA 2010-65 Buffer overflow and memory corruption using document.write
MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)

Users should apply the update; in addition, they should clear their DNS cache and browser storage.

Wednesday, Oct 20, 2010

APPLE-SA-2010-10-20-1 Java for Mac OS X 10.6 Update 3

Apple has released an update to Java for Mac OS X Server and Client 10.6 to address several vulnerabilities, some of which are dated. This includes a fix to prevent an unsigned applet from executing outside the sandbox, proper handling of Mach RPC messaging, and improvements to the handling of window bounds.

Users should apply this update via Software Update; no restart is needed. Users should also clear out their Java cache. For more information, please see the reference link.