Spyware, viruses, & security forum: NEWS - February 04, 2013

If you visited ZDNet earlier today and were warned by Google that you were entering a site with known malware, you weren't alone.

Internet advertising network NetSeer suffered a hack to its front-end Web site today that rippled across the Web sites of its advertising partners. The alerts warned visitors who were using the Chrome browser that the Web site they were visiting was a "known malware distributor." [Screenshot]

A spokesperson for NetSeer confirmed the successful hacking attempt at around 5:30 a.m. PT, but noted that it did not affect its advertising network infrastructure.

The company is currently working with Google to rectify the situation.

A NetSeer spokesperson confirmed that its corporate network had been infected with malware, and Google subsequently added its domain to a list of malware-affected Websites. Because NetSeer's corporate site has the same domain name as its advertising network, Google triggered warnings on end-user machines warning users to avoid any Web page that happened to include an ad served from NetSeer's servers.

But, visitors to these Web sites no point at risk from being served up malware from the NetSeer advertising network, the company said.

Continued : http://www.zdnet.com/netseer-suffers-hack-triggers-google-anti-malware-warnings-7000010776/

From the Kaspersky Lab Weblog:

Users of inexpensive Android smartphones typically look for ways to accelerate their devices, for example, by freeing up memory. Demand for software that makes smartphones work a little faster creates supply, some of which happens to be malicious. In addition to legitimate applications, apps that only pretend to clean up the system have appeared on Google Play.

We have come across PC malware that infects mobile devices before. However, in this case it's the other way round: an app that runs on a mobile device (a smartphone) is designed to infect PCs.

On January 22, 2013 Kaspersky Lab discovered the following application on Google Play: [Screenshot]

The app is obviously quite popular and has a good rating: [Screenshot]

This application has a twin brother that has an identical feature list but a different name:

Continued: http://www.securelist.com/en/blog/805/Mobile_attacks#page_top

Also : New Malware Attacks Smartphone, Computer to Eavesdrop

Hat tip to R. Proffitt !

The Common Vulnerability & Exposures (CVE) index, the industry standard for cataloging software security flaws, is growing so rapidly that it will soon be adding a few more notches to its belt: The CVE said it plans to allow for up to 100 times more individual vulnerabilities to be indexed each year to accommodate an increasing number of software flaw reports.

Currently, when a vulnerability is reported or discovered, it is assigned a CVE number that corresponds to the year it was reported, followed by a unique 4-digit number. For example, a recent zero-day Java flaw discovered earlier this year was assigned the identifier CVE-2013-0422. But in a recent publication, The MITRE Corp., the organization that maintains the index, said it wanted to hear feedback on several proposed changes, such as modifying the CVE to allow for up to 999,999 vulnerabilities to be cataloged annually.

"Due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year," CVE Project announced last month. "The current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year."

Continued: http://krebsonsecurity.com/2013/02/flaw-flood-busts-bug-bank/

"Exploit is the latest to subvert crypto used to secure Web transactions."

[Screenshot: A representation of how TLS works]

Software developers are racing to patch a recently discovered vulnerability that allows attackers to recover the plaintext of authentication cookies and other encrypted data as they travel over the Internet and other unsecured networks.

The discovery is significant because in many cases it makes it possible for attackers to completely subvert the protection provided by the secure sockets layer and transport layer protocols. Together, SSL, TLS, and a close TLS relative known as Datagram Transport Layer Security are the sole cryptographic means for websites to prove their authenticity and to encrypt data as it travels between end users and Web servers. The so-called "Lucky Thirteen" attacks devised by computer scientists to exploit the weaknesses work against virtually all open-source TLS implementations, and possibly implementations supported by Apple, Microsoft, and Cisco Systems as well.

The attacks are extremely complex, so for the time being, average end users are probably more susceptible to attacks that use phishing e-mails or rely on fraudulently issued digital certificates to defeat the Web encryption protection. Nonetheless, the success of the cryptographers' exploits—including the full plaintext recovery of data protected by the widely used OpenSSL implementation—has clearly gotten the attention of the developers who maintain those programs. Already, the Opera browser and PolarSSL have been patched to plug the hole, and developers for OpenSSL, NSS, and CyaSSL are expected to issue updates soon.

Continued : http://arstechnica.com/security/2013/02/lucky-thirteen-attack-snarfs-cookies-protected-by-ssl-encryption/

Related: Unlucky for you: UK crypto-duo 'crack' HTTPS in Lucky 13 attack

... in Limbo

It's the vulnerability that never was. Or was it?

In a saga that has spanned close to three months, 90 emails and a short novel's worth of back and forth between Adobe and Russian security company Group-IB over a reported zero-day sandbox-bypass exploit, there has been little in the way of a concrete resolution. Two members of Adobe's Product Security Incident Response Team (PSIRT) said today at the Kaspersky Lab Security Analyst Summit that the software vendor has been unable to reproduce the vulnerability, and has yet to receive proof of concept code from Group-IB, despite numerous promises to do so.

"We were hoping for a proof of concept, but we had a video [of the exploit] only," said David Lenoe, Adobe PSIRT group manager. "We did as much analysis, but without a proof of concept, we had to deal with what we had."

Group-IB did not reply to request for comments.

The sandbox bypass was reported Nov. 7 by Group-IB; the company added that exploit was being sold in a private version of the Blackhole Exploit Kit for anywhere between $30,000 and $50,000. This was an urgent situation for Adobe PSIRT since an exploit bypassing the sandbox had not been seen in the wild before.

Continued : https://threatpost.com/en_us/blogs/partial-disclosure-leaves-adobe-reader-zero-day-story-limbo-020413