14-05-2013, 13:10 #1
- Join Date
- Sep 2010
Internet Explorer has critical flaws fixed on Patch Tuesday
Microsoft released a batch of critical security bulletins this Patch Tuesday, affecting every version of Internet Explorer and dealing with an exploit that crackers are actively using.
Versions 6, 7, 8, 9 and 10 of the browser are the targets of a fix for a vulnerability that allows remote code execution in the browser. This affects every operating system except Windows XP. "We always recommend upgrading to the latest version of any software," says Paul Henry, forensic and security analyst at Lumension. "That is usually the safest thing to do. If your system supports IE 10 and you aren't using it yet, upgrade now."
The flaws addressed may include one found in IE 8 running on Windows XP machines, which was fixed with a separately issued "hot-fix" patch to deal with a 0-day attack actively used against US government agencies, Henry said.
The same vulnerabilities are rated only "moderate" for machines running server rather than desktop operating systems.
"The patch includes fixes for other, less critical vulnerabilities that allow remote code execution and affect Office and Lync," said Lamar Bailey, director of security research and development at Tripwire. "These important holes cover DoS, elevation of privilege and information disclosure."
The second bulletin deals with another IE vulnerability (believed to be one of those disclosed in March during the annual Pwn2Own contest). The company surprised many last Patch Tuesday by leaving that hole aside. "Normally Microsoft releases the fixes for bugs found at Pwn2Own in April, but this year other patches took priority," said Andrew Storms, director of security operations at Tripwire.
The rest of this month's 10 bulletins were rated "important", one step below "critical". And, like the two most critical ones, three other patches address problems that can lead to remote code execution attacks.
The flaws mainly affect Office. "The most widely installed is probably bulletin 7, which is for Word 2003 and Word Viewer," says Wolfgang Kandek, CTO of Qualys. "Bulletin 6 covers Microsoft Publisher, included in Office 2003, 2007 and 2010; and bulletin 5 is for Microsoft's instant messaging modules, Communicator 2007 and Lync 2010."
Follow us on twitter: @wht_brasil
14-05-2013, 18:29 #2
Zero-day exploit targets nuclear weapons researchers
"Watering hole" attack targets workers browsing federal government website.
by Dan Goodin - May 3 2013, 10:25pm -0300
Attackers exploited a previously unknown and currently unpatched security bug in Microsoft's Internet Explorer browser to surreptitiously install malware on the computers of federal government workers involved in nuclear weapons research, researchers said on Friday.
The attack code appears to have exploited a zero-day vulnerability in IE version 8 when running on Windows XP, researchers from security firm Invincea said in a blog post. The researchers have received reports that IE running on Windows 7 is susceptible to the same exploit but have not been able to independently confirm that. Versions 6 and 7 of the Microsoft browser don't appear to be vulnerable.
Update: In an advisory published a couple of hours after this article went live, Microsoft confirmed a code-execution vulnerability in IE8. Versions 6, 7, 9, and 10 of the browser are immune to the exploit. People using IE8 should upgrade to versions 9 or 10, if possible. Those who are unable to move away from version 8 should take the following mitigations:
- Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones. This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones. This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
The attack was triggered by a US Department of Labor website that was compromised to redirect visitors to a series of intermediary addresses that ultimately exploited the vulnerability, according to Invincea. The exploit caused vulnerable Windows machines to be compromised by "Poison Ivy," a notorious backdoor trojan that had been modified so it was detected by only two of 46 major antivirus programs in the hours immediately following the attack. The specific webpages that were hacked dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy, the blog post said, citing this report from NextGov. That's consistent with so-called "watering hole" attacks, in which employees of a targeted organization are infected by planting malware on the sites they're known to frequent.
"The target of this attack appears to be employees of the Dept of Energy that likely work in nuclear weapons research," Invincea researchers wrote in a separate report published Wednesday. The report went on to cite this technical analysis from security firm AlienVault. It found indicators in the command servers Poison Ivy contacted that the attack was carried out by "DeepPanda," a group of hackers believed to be located in China and carry out espionage attacks on other countries.
Initial reports about the Department of Labor website compromise said an older IE vulnerability that Microsoft patched in January had been exploited. It was only in Friday's report that Invincea said this assessment is incorrect.
"For non-Invincea users, there are no known mitigations for this exploit that is currently in the wild," Friday's report warned. "For users of IE8, there is no patch currently available and with this exploit being out in the wild, the potential risk for damage is high."
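The two interim mitigations quoted in the post above (zone level "High", Active Scripting and ActiveX disabled in the Internet and Local intranet zones, trusted sites carved out) can be applied and verified from the registry instead of by clicking through Internet Options on every machine. The following PowerShell is an added example written for this thread, not code from Microsoft's advisory or from Ars; it uses the documented Internet Settings zone values (zone 1 = Local intranet, zone 3 = Internet, zone 2 = Trusted sites; URL action 1200 = run ActiveX controls, 1400 = Active scripting; 0 = enable, 1 = prompt, 3 = disable). The trusted host `intranet.example.com` is a placeholder you replace with your own list.

```powershell
# Added example for this thread (not from the advisory). Applies the IE8 interim
# mitigations to the current user's hive and verifies them. Run as the affected user.

$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones = @{ 1 = 'Local intranet'; 3 = 'Internet' }     # zone IDs as IE numbers them
$trustedSites = @('intranet.example.com')              # assumption: replace with your hosts

# URL actions to pin. 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
# Value 3 = disable. Use 1 for 1400 if you prefer the advisory's "prompt" variant.
$actions = @{ '1200' = 3; '1400' = 3 }

function Set-IEZoneHigh {
    foreach ($id in $zones.Keys) {
        $key = Join-Path $base $id
        # CurrentLevel 0x12000 selects the "High" template; the two actions are
        # set explicitly as well so the check below does not depend on the template.
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value 0x12000 -Type DWord
        foreach ($a in $actions.Keys) {
            Set-ItemProperty -Path $key -Name $a -Value $actions[$a] -Type DWord
        }
    }
}

function Add-IETrustedSite {
    param([string]$Domain)
    # ZoneMap\Domains\<host>, value named for the scheme, data 2 = Trusted sites zone.
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

function Test-IEMitigation {
    # Returns $true only if both zones have ActiveX and Active scripting disabled.
    $ok = $true
    foreach ($id in $zones.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $base $id)
        foreach ($a in $actions.Keys) {
            if ($props.$a -ne 3) {
                Write-Warning ("Zone {0}: action {1} is {2}, expected 3" -f $zones[$id], $a, $props.$a)
                $ok = $false
            }
        }
    }
    return $ok
}

Set-IEZoneHigh
$trustedSites | ForEach-Object { Add-IETrustedSite -Domain $_ }
Test-IEMitigation
```

Two caveats a practitioner should keep in mind. First, if the "Security Zones: Use only machine settings" policy is enabled, IE reads the equivalent keys under HKLM and ignores these HKCU values, so the same writes (and the check) must target HKLM instead. Second, this is a user-hive change, not a patch: it narrows the script-based attack surface the exploit needs but does nothing for the underlying IE8 bug, so it should be treated as a stopgap until the fix is deployed.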
14-05-2013, 18:33 #3
0-day attacks on US nuke workers hit 9 other sites
Months-old attacks apparently targeted workers in aerospace, defense, labor.
by Dan Goodin - May 6 2013, 12:34pm -0300
Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least nine other websites, including those run by a big European company operating in the aerospace, defense, and security industries as well as non-profit groups and institutes, security researchers said.
The revelation, from a blog post published Sunday by security firm AlienVault, means an attack campaign that surreptitiously installed malware on the computers of federal government workers involved in nuclear weapons research was broader and more ambitious than previously thought. Earlier reports identified only a website belonging to the US Department of Labor as redirecting to servers that exploited the zero-day remote-code vulnerability in IE version 8.
A separate blog post from security firm CrowdStrike said its researchers unearthed evidence suggesting that the campaign began in mid-March. Their analysis of logs from the malicious infrastructure used in the attacks revealed the IP addresses of visitors to the compromised sites. The logs showed addresses from 37 different countries, with 71 percent of them in the US, 11 percent in South/Southeast Asia, and 10 percent in Europe. CrowdStrike's data showed IP addresses before exploit code was run against the visitors' machines. Not all those visitors were likely compromised since the exploit code worked only against people using IE8.
CrowdStrike researchers seemed to concur with their counterparts from Invincea, who—as Ars reported on Friday—said the attacks at least in part targeted people working on sensitive government programs. Malicious links embedded in the Department of Labor website focused on webpages that dealt with illnesses suffered by employees and contractors developing atomic weapons for the Department of Energy. But they went on to say the campaign could be much broader.
"The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium," CrowdStrike said. "Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector. Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector."
Such "watering hole" attacks—which plant malware exploits on websites that are frequented by specific groups or people—have become a common technique in targeted attacks. Once compromised by the IE zero-day, computers are infected with a version of Poison Ivy, a backdoor tool that has been widely used in past espionage campaigns. The command-and-control servers used to communicate with infected machines show signs that they were set up by a Chinese hacking crew known as DeepPanda.