Spyware, viruses, & security forum: NEWS - August 31, 2012

.. Hours After Release

Security researchers from Poland-based security firm Security Explorations claim to have discovered a vulnerability in the Java 7 security update released Thursday that can be exploited to escape the Java sandbox and execute arbitrary code on the underlying system.

Security Explorations sent a report about the vulnerability to Oracle on Friday together with a proof-of-concept exploit, Adam Gowdiak, the security company's founder and CEO said Friday via email.

The company doesn't plan to release any technical details about the vulnerability publicly until Oracle addresses it, Gowdiak said.

Oracle broke out of its regular four-month patching cycle on Thursday to release Java 7 Update 7, an emergency security update that addressed three vulnerabilities, including two that were being exploited by attackers to infect computers with malware since last week.

Java 7 Update 7 also patched a "security-in-depth issue" which, according to Oracle, was not directly exploitable, but could have been used to aggravate the impact of other vulnerabilities.

Continued : http://www.pcworld.com/businesscenter/article/261748/researchers_find_critical_vulnerability_in_java_7_patch_hours_after_release.html

Also:
Oracle patches Java 0-day, researchers say there's another one
Java Users Still Not Safe, Experts Report New Vulnerability to Oracle

From TrendLabs Malware Blog:

The security community has been focused on the new Java zero-day exploits that appear to have been taken from a Chinese exploit pack (known as Gondad or KaiXin) used in targeted attacks by the "Nitro" cyber-espionage campaign and then incorporated into criminal operations using the BlackHole Exploit Kit. While the connections between these developments are starting to emerge, it is important to remember that campaigns, such as Nitro, don't "come back" because they don't go away. The Nitro attackers continued to be active after their activities were documented in 2011.

In fact, before they acquired this Java exploit, the Nitro attackers were continuing to send out emails to their targets with direct links to Poison Ivy executables in early August 2012 (On a related note, another email was spotted in April 2012). [Screenshot: Sample Email]

The file Flashfxp.exe was hosted on one of the same servers that hosted the Java zero-day and Poison Ivy payload, and it connects to ok.{BLOCKED}n.pk which resolves to the same IP address, {BLOCKED}.{BLOCKED}..233.244. This is the same address as hello.{BLOCKED}n.pk, the domain used as the command and control server for the Poison Ivy payload dropped by the Java zero-day.

Continued : http://blog.trendmicro.com/the-nitro-campaign-and-java-zero-day

"Scammers, time to tweak your techniques again."

Facebook engineers have rolled out new technology that automatically removes fraudulent Likes that are mass-produced to exaggerate the popularity of a webpage or brand.

The social network recently increased its learning algorithms to detect the spammed endorsements, which are often generated by computers, fake Facebook accounts, or other fraudulent means, the company said on its security blog Friday morning. The post said the inauthentic Likes are a tiny sliver of the overall endorsements on the site; on average, less than one percent of the Likes on any given page are expected to be affected. We're guessing, however, that certain pages—say, some promoting things like male enhancement pills—will be heavily hit.

"These newly improved automated efforts will remove those Likes gained by malware, compromised accounts, deceived users, or purchased bulk Likes," the Facebook post stated. "While we have always had dedicated protections against each of these threats on Facebook, these improved systems have been specifically configured to identify and take action against suspicious Likes."

Continued : http://arstechnica.com/security/2012/08/facebook-puts-fraudulent-likes-on-notice/