April 13, 2011

This Month in the Threat Webscape - March 2011


Month of March


Major hits

March 17 of this year will be remembered for a long time - in fact, we should celebrate it as BreachID Day from now on. RSA’s Executive Chairman Art Coviello wrote an open letter giving a short background on the breach, which happened in RSA's own “kitchen”, describing it as an “extremely sophisticated cyber attack” that put their SecurID product at risk. Even though the breach probably did not disclose any very sensitive data, it showed just how fragile security is.

Popular streaming service Spotify got compromised via third-party ads that served malicious content to all free users. Seems like free does come at a price after all.

Comodo, a certificate vendor, informed us that nine bogus SSL certificates had been issued for several top Alexa domains. The certificates were revoked immediately - well, once Comodo found out what had been going on. However, it then happened again with two more, and again, and - in fact, who knows what else?

Are you using TripAdvisor when planning your holidays? You really should expect more spam in the future. The company announced a breach in which all members' data was lost. Fortunately, no credit card details - this time at least.

First the EU, then the French government - it looks like a new “fashion” hype: “We have been hacked!” or “attacked” or “infiltrated” or ... This month revealed more than one cyber attack. Probably we should just call it the BreachID Month after all this.

Some may think a couple of breaches a month is not that unusual. Well, there is more. Play.com let “only customer emails” go for a walk, not knowing where. Maybe they'll come back in fit form one day, won’t they? Ah, and of course, there is another one: PHP.net found some muddy tracks on one of their servers. You see, the BreachID Month suddenly makes more sense now.

Some may STILL say these are normal issues. We have one more in our back pocket though. The LizaMoon mass injection compromised some hundreds of thousands of URLs in a matter of hours. iTunes was one of the big names there. You see, this March was really an unusual month in the end.

Web 2 dot uh oh

Ashton Kutcher's Twitter account appeared to be hacked in early March, posting 2 tweets on his behalf. This compromise challenges Twitter's security policies on using SSL.

Facebook recently introduced Report Suicidal Content, a service that allows Facebook users to report any Facebook friend who has posted suicidal content on their account. This is in response to the growing number of suicidal posts on Facebook in the last few months.

A 17-year-old was arrested in connection with the Facebook birthday hoax in Sydney. The suspect apparently posted a birthday invite after creating a fake Facebook account for a girl, which then drew 200,000 positive replies.


Browser and friends

This month, Apple has more stories to tell us. Firstly, Apple released iTunes 10.2, patching a whopping 57 security vulnerabilities, some serious enough to give complete control if a user simply opens an image file or surfs to a compromised website. 50 out of the 57 vulnerabilities were fixed in WebKit. Apple also has security updates for the Pwn2Own vulnerability, which was exploited by the winning hacker in Pwn2Own 2011. It was used to hijack an iPhone 4 address book when the user surfed, via the iPhone 4’s built-in Safari browser, to a rigged website hosting a Microsoft PowerPoint document.

And finally, there is a Java update for Mac OS X users. One of the most serious flaws could allow an untrusted Java applet to execute arbitrary code outside of the Java sandbox.

Adobe has announced a Flash Player update to fix a critical security hole: a new 0-day vulnerability. This vulnerability could cause a system crash or allow attackers to get in via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file, delivered as an email attachment.

The Firefox 4 release included a number of significant security features. Mozilla also provided security updates for some older browsers and added some newly blacklisted SSL certificates from the “Comodo Affair.”

This month, WordPress released version 3.1.1, in which three security issues have been fixed.


Microsoft released three bulletins that patched four security holes in Windows and Microsoft Office on this month's Patch Tuesday. Two vulnerabilities were fixed in the critical bulletin MS11-015, which resolved one publicly disclosed vulnerability, CVE-2011-0032, in DirectShow and one privately reported vulnerability, CVE-2011-0042, in Windows Media Player and Windows Media Center. The vulnerabilities can only be triggered when a user opens a specially crafted Digital Video Recording (.dvr-ms) file. If such a file is not opened, the attack will not succeed.

The second update, MS11-016, patched the Microsoft Groove Insecure Library Loading Vulnerability CVE-2010-3146, which could allow remote code execution if a user opens a legitimate Groove-related file located in the same network directory as a maliciously crafted library file. Users with administrative rights are more heavily impacted than users with fewer rights on the system.

The third one, MS11-017, rated as an “important” bulletin, covers a code execution flaw, CVE-2011-0029, in the Windows Remote Desktop Client. As with the vulnerabilities in the first bulletin, the user has to manually execute an RDP file for Remote Desktop in order for the attack to succeed.

Apart from this batch of updates, some well-known vulnerabilities such as the XSS vulnerability CVE-2011-0096 remain unpatched. Microsoft provides a workaround in an advisory to help users. Also, for the Malware Protection Engine Elevation of Privilege vulnerability CVE-2011-0037, Microsoft suggests users ensure that the Microsoft Malware Protection Engine is kept up to date automatically, which resolves this issue.

Windows Internet Explorer 9 was released to the public on March 14, 2011. To protect the security and privacy of your information, IE9 has introduced Tracking Protection and ActiveX Filtering. Tracking Protection can limit the browser's communication with certain websites to help keep your information private; ActiveX Filtering blocks ActiveX controls for all sites. Other security features are also included, such as the SmartScreen Filter, the cross-site scripting (XSS) filter, and domain highlighting. IE9 is supported by all new versions of MS Windows but not by Windows XP.

Hello ThreatSeeker® Network. You've got mail!

One of the largest spam-generating botnets, Rustock, was taken down by the Microsoft Digital Crimes Unit and U.S. federal law enforcement agents. Global spam volumes have noticeably decreased since March 16.

Following the disaster in Japan on March 11, cybercriminals tried every possible underground technique to benefit from the event. Apart from already known vectors such as phishing and malicious spam emails, criminals used viral Facebook applications.

Fake Facebook emails, the Black Hole Exploit Kit, and Zeus are three well-known tools/techniques used by criminals on a daily basis. On March 18, a malicious campaign masquerading as Facebook emails was seen in the wild. The campaign, originated by the Cutwail/Pushdo spam bot, carried a link leading to the Black Hole Exploit Kit, which served a Zeus/Zbot Trojan as its payload.

Security trends

RIM is bulking out its consumer offering with the ability to locate, back up and remotely wipe users’ BlackBerry handsets. The free BlackBerry Protect service is now in open beta for users without an IT department behind them. The application has been in closed beta since December, but can now be downloaded from BlackBerry App World.

Security researcher Luigi Auriemma has released proof of concept code for 34 vulnerabilities affecting popular SCADA systems. The majority of the vulnerabilities allow remote code execution on Internet-connected systems, with the remaining offering access to stored data.

A Dutch court has ruled that hacking into an open wireless network is not a crime in the Netherlands. The law in the Netherlands defines a computer as a machine involved in the "storage, processing and transmission of data." Since a router is not used to store data, the judge reasoned that it fails to qualify as a computer – and thus the computer hacking law isn't applicable.

Intel has started working with customers that use embedded computers in all kinds of devices, following its $7.7 billion acquisition of security software maker McAfee. Security can be baked into devices such as printers, automated teller machines, televisions, and cars. They're drawing up a plan to provide more security-assisting features on Intel's future chips.


This month's roundup contributors:

Ivan Sabo
Grace Timcang
Qiong Ran
Xue Yang
Artem Gololobov
Lei Li


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.
