Spyware, viruses, & security forum: NEWS - January 18, 2013

From Trendlabs Security Intelligence:

Just a word of caution those who will update their systems with the recent Java zero-day security patch: make sure to get it from a reliable source or else face the possibility of a malware infection.

Oracle has recently released its fix to the much talked-about Java zero-day (CVE-2012-3174) incident though with lukewarm reception from certain sectors, which include the US Department of Homeland Security. However, we encountered a malware under the veil of a Java update.

We were alerted to reports of a malware that poses as Java Update 11 created by an unknown publisher. The said fake update in question is javaupdate11.jar (detected as JAVA_DLOADER.NTW), which contains javaupdate11.class that downloads and executes malicious files up1.exe and up2.exe (both detected as BKDR_ANDROM.NTW). Once executed, this backdoor connects to a remote server that enables a possible attacker to take control of the infected system. Users can get this fake update by visiting the malicious website, {BLOCKED}currencyreport.com/cybercrime-suspect-arrested/javaupdate11.jar.

[Screenshot: Website hosting fake Java update]

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

... you can tell the difference

Verified accounts on Twitter can help you tell the difference between a real celebrity's account, and those of imposters and over-enthusiastic fans.

In this way, you can tell the real @britneyspears apart from the likes of @britney_spears and @britneyspear.

A Naked Security reader got in touch this morning asking us how on earth a fictional character (Percy Jackson) had managed to get his Twitter account verified:

"How is an RP account verified by Twitter?"

We took a look, and sure enough there's a blue verified badge beside @PerseusJackscn's name. [Screenshot]

Has Twitter messed up, and erroneously marked an account as verified?

After all, they don't have an unblemished record in this regard. Who can forget when it appeared as though Rupert Murdoch's wife Wendi Deng appeared to be flirting with Ricky Gervais on Twitter from a verified account?

In this case, however, the verified badge is bogus. Our reader was duped by a simple trick.

Here's how it works.

Continued : http://nakedsecurity.sophos.com/2013/01/17/twitter-fake-verified-account/

Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11," Java security researcher Adam Gowdiak of Security Explorations in Poland wrote a short while ago on the Full Disclosure mailing list.

Gowdiak said his organization reported two new flaws to Oracle today, along with working proof-of-concept code, a single exploit that relies on two vulnerabilities. He told Threatpost he would not share any details on the vulnerabilities, but said Oracle did confirm it had received the information he sent and had begun looking into the problem.

Reports surfaced earlier this week that the Java 7u11 update was incomplete, and that a vulnerability in the Java MBeanInstantiator had not been patched as promised by Oracle when it released the update last Sunday night. Researcher Esteban Guillardoy of Immunity Inc., said that attackers could pair that vulnerability with the reflection API with recursion in order to bypass Java security checks. The reflection issue was corrected in 7u11; Guillardoy said attackers with enough working knowledge of Java could pair another vulnerability with the MBeanInstantiator bug and have a working exploit.

Continued : https://threatpost.com/en_us/blogs/latest-java-update-broken-two-new-sandbox-bypass-flaws-found-011813

... PDFs Internally

A recently disclosed vulnerability in the Foxit PDF viewer has been patched in the latest software release. The issue, first discovered by Italian security researcher Andrea Micalizzi, centered on a code execution flaw that could have been exploited remotely.

According to Micalizzi, the flaw would allow an attacker to write to the memory location of their choosing. As mentioned previously, the vulnerability wasn't found within Foxit's software, but the DLL file that creates the link between Foxit and Firefox (npFoxitReaderPlugin.dll).

Foxit released an updated version of the vulnerable DLL file on the eleventh, but a fully patched download was released on Thursday.

The software firm is encouraging everyone to update. Foxit is a popular alternative to Adobe's PDF Reader, and the application often recommended as a more secure alternative. However, the continuous attacks on PDF-centric add-on software has led Mozilla to discuss plans to include a PDF reader as part of the core functions of their Firefox browser. "For a number of years there have been several plugins for viewing PDF's within Firefox. Many of these plugins come with proprietary closed source code that could potentially expose users to security vulnerabilities," a blog post from Mozilla, giving a slight poke to Adobe, explained.

Continued : http://www.securityweek.com/foxit-pdf-vulnerability-patched-mozilla-moves-render-pdfs-internally

Related: How to mitigate: Vulnerability reported in Foxit PDF plugin for Firefox

A security researcher has demonstrated how it is still possible to silently install extensions, or as Mozilla calls them add-ons, for the open source Firefox web browser. In a blog post, Julian Sobrier of ZScaler detailed the process, which makes use of the fact that Firefox uses an Sqlite3 database to maintain information about which add-ons are installed and, of those, which ones have been approved by the user.

This feature, introduced in Firefox 8, was designed to stop toolbars and other applications adding in their own add-ons without informing the user. Sobrier's technique shows though that the mechanism is relatively easy to overcome. Add-ons have privileged access to the browser and therefore a malicious add-on could do anything including stealing the user's history, modifying pages' contents or disabling security features in the browser. The add-on doesn't have to be malicious either, just unexpected; back in 2009 Mozilla found itself blocking a silently installed Microsoft extension which happened to expose Firefox users to a .NET Framework flaw. Without a user knowing what is installed, it becomes hard to react to security threats when they appear.

Continued : http://www.h-online.com/security/news/item/Silent-installs-of-add-ons-still-possible-in-Firefox-1787297.html