TIFF CVE-2010-0188: Fixed?
Yet another example of why learned helplessness (relying on vendors for the “only” solution to a bug in their product) is bad. So there’s a patch that everyone thinks solved everything, and what we see is that those who can work with the PoC are able to change a few things and BOOM! The bug is actually STILL THERE. Of course, thanks to non-disclosure, only the bad guys are figuring this out.
Recently, we also found very frequent, targeted attacks making use of the (incompletely) patched TIFF vulnerability (CVE-2010-0188).
What is interesting is that these exploits insert the JavaScript as well as the crafted TIFF (exploit.tif) into an XML form, and generate the malicious PDF with Adobe LiveCycle ES. The JavaScript is embedded within the form, and therefore is not detected by AV.
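As an added example (not code from the original post), a small triage script that flags the shape described above: a PDF whose XFA form packet carries both JavaScript and base64-encoded TIFF image data. The XFA element names (`<script contentType="application/x-javascript">`, `<image>` with base64 content) are assumed from the XFA specification; the sample PDF is constructed for the demo and holds only a TIFF header, not an exploit.

```python
import base64
import re
import zlib

# Constructed sample, not from the original post: a minimal PDF skeleton whose
# AcroForm points at an uncompressed XFA packet. The "TIFF" is only a header.
TIFF_MAGIC = (b"II*\x00", b"MM\x00*")          # little- and big-endian TIFF
SAMPLE_TIFF = TIFF_MAGIC[0] + b"\x08\x00\x00\x00"
SAMPLE_XFA = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><subform name="f">'
    b'<field name="img"><value><image contentType="image/tif">'
    + base64.b64encode(SAMPLE_TIFF) +
    b'</image></value></field>'
    b'<event activity="initialize"><script contentType="application/x-javascript">'
    b'var v = app.viewerVersion;</script></event>'
    b'</subform></template></xdp:xdp>'
)
SAMPLE_PDF = (
    b"%PDF-1.6\n1 0 obj<</Type/Catalog/AcroForm<</XFA 2 0 R>>>>endobj\n"
    + b"2 0 obj<</Length %d>>stream\n" % len(SAMPLE_XFA) + SAMPLE_XFA
    + b"\nendstream endobj\n%%EOF\n"
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
SCRIPT_RE = re.compile(rb"<script\b[^>]*contentType=\"application/x-javascript\"", re.I)
IMAGE_RE = re.compile(rb"<image\b[^>]*>([A-Za-z0-9+/=\s]*)</image>", re.I)


def extract_streams(pdf):
    """Return every stream body, inflated when it is Flate-compressed."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            body = zlib.decompress(body)
        except zlib.error:
            pass                    # raw (uncompressed) stream, keep as-is
        out.append(body)
    return out


def triage_xfa(pdf):
    """Flag XFA packets that carry JavaScript plus base64 TIFF image data."""
    xfa = [s for s in extract_streams(pdf) if b"xmlns:xdp=" in s or b"<xdp:xdp" in s]
    scripts = sum(len(SCRIPT_RE.findall(s)) for s in xfa)
    tiffs = 0
    for s in xfa:
        for m in IMAGE_RE.finditer(s):
            try:
                data = base64.b64decode(m.group(1))   # whitespace is ignored
            except ValueError:
                continue
            tiffs += data.startswith(TIFF_MAGIC)
    return {"has_xfa": bool(xfa) or b"/XFA" in pdf, "javascript_blocks": scripts,
            "tiff_images": tiffs, "suspicious": bool(xfa) and scripts > 0 and tiffs > 0}
```

Object streams and XFA packets split across several streams are not handled here; a production scanner would walk the object tree rather than regex over raw bytes.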
FDIC: Clueless on MFA and ACH

I just love how Zeus now gets credit for beating “multi”-factor authentication when in fact, what Zeus beat was the bank’s crappy implementation of multi-factor authentication or, in other cases, the snake-oil JavaScript sold as “multi”-factor. The only case I am aware of where real, true multi-factor authentication has been “defeated” is where the criminals called the victim and had the victim read the numbers off their SecurID. That’s like “defeating LoJack” by conning someone into “loaning” you their car.
So now the snake oil salesmen have done more damage than simply putting a fake cure out on the market – they’ve gone and placed a stigma on the only real solution going today. Now rather than pushing forward into true multi-factor authentication, we’re sitting here as if the direction is now unclear. One more time: You don’t trust the Internet, you use SSL from “point to point”; you don’t trust the PC, you extend that tunnel all the way to the smart card in the level 3 (PIN pad on the) reader.
…”It seems all kinds of authentication methods were being defeated,” Nelson said. “You can't rely on any one control when it comes to these new sophisticated attacks.”
The Zeus Trojan, which cybercriminals have used to steal banking credentials, has the ability to circumvent two-factor authentication. Zeus botnets target small and midsize businesses that originate ACH and wire transfers, Nelson said.
via FDIC: ACH fraud losses climb despite drop in overall cyberfraud losses | HostExploit News.
Mariposa Botnet Malware Found On Vodafone HTC Magic
A pretty ballsy attack here. We’ve long been afraid of backdoors being added to vendor source code, be it OS or firmware, in the form of an environment variable, secret user accounts or even the more subtle route of intentional “bugs”. But a standard botnet worm spreading to PCs through phones “right out of the box”? Not very subtle, as we can see from how quickly this was discovered and analyzed. Seems like just another vector for the Spanish botnet recently shut down and reported on in HNNCast. The real news here is that unlike P2P, USB and HTML links, THIS vector demonstrates a compromise of Vodafone deep enough inside to actually alter shipping product. What we DON’T know yet is whether this is related to a recent Vodafone website compromise, an unrelated Internet compromise, a physical break-in, an attacker getting “the right job” or what. We think this will become an interesting story as the details get filled in.
Following Energizer’s acknowledgment last week that it had been distributing infected software in conjunction with its DUO USB charger comes a report that malware has been found on a Vodafone HTC Magic running Google’s Android OS.
The malware in question includes code to create a Mariposa bot, the Conficker worm, and trojan software designed to steal passwords from the game Lineage.
via Mariposa Botnet Malware Found On Vodaphone HTC Magic — InformationWeek.