Saturday, May 19, 2012

PHP 5.4 Remote Exploit PoC in the wild

ISC Diary:

There is a remote exploit in the wild for PHP 5.4.3 on Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The PHP engine needs to execute the malicious code, which can include any shellcode, like the ones that bind a shell to a port.

Since there is no patch available for this vulnerability yet, you might want to do the following:

  • Block any file upload function in your php applications to avoid risks of exploit code execution.
  • Use your IPS to filter known shellcodes like the ones included in metasploit.
  • Keep PHP at the current available version, so that you know you are not a possible target for any other vulnerability, like CVE-2012-2336, registered at the beginning of the month.
  • Use your HIPS to block any possible buffer overflow in your system.

Source: http://isc.sans.edu

Call of Duty hacker jailed after meatspace burglary

theregister.co.uk wrote:

A Brit who distributed a Trojan horse that posed as a patch for popular shoot-em-up game Call of Duty has been jailed for 18 months.

Lewys Martin, 20, of Deal in Kent, used the malware to harvest bank login credentials, credit card details and internet passwords from the compromised Windows PCs of his victims. Martin then apparently laundered the credentials via underground cybercrime forums, earning $5 or less for every credential, directing proceeds of his criminal activity towards an offshore account in Costa Rica, funds which remain beyond the reach of UK police.

Martin's activities might have gone undiscovered if not for his arrest during what police described as a drunken attempt to break into a local college and steal computer equipment. Police who raided his home discovered printouts of stolen credit card numbers and papers relating to a fraudulent bank loan, obtained under a false name.

The student was convicted last November but sentence was deferred to allow him to complete a university computer course. However, bail was revoked after Martin was caught with several other individuals trying to break into Walmer Science College in Deal.

He caused hundreds of pounds' worth of criminal damage during the bungled burglary, according to local reports.

Martin was prosecuted and subsequently convicted for three burglary and fraud charges, leading up to a sentence hearing this week when he was jailed for 18 months.

A court clerk at Canterbury Crown Court confirmed the terms of the sentencing this week, which followed earlier guilty pleas on the specimen charges. Further fraud charges were taken into consideration in sentencing Martin to a substantial spell behind bars.

Gamers are a popular target for malware distributors. Much of this malign activity is directed at gamers in the Far East but Western shoot-em-up and role-playing fans are also at risk and ought to be wary of malware posing as gaming cracks and other common tricks, as explained in a blog post by Sophos here.

Thursday, May 17, 2012

The Pirate Bay hit by DDoS attack

File-sharing website The Pirate Bay (TPB) has been hit by a Distributed Denial of Service (DDoS) attack.

The site has been largely inaccessible for the last 24 hours, and the service is intermittent in the UK.

The Pirate Bay has confirmed the attack on its Facebook page, saying that it did not know who was behind it, although it "had its suspicions".

A provider of DDoS defense systems said that it was unlikely that the attack came from hacking group Anonymous.

"There will be further attacks, but what's significant about this whole story is that people think that it is the Anonymous attacking a site which is typically a type of site that they defend," said Andre Stewart of Corero Network Security.

"It could be the record labels, or a government somewhere that has had enough of not being able to catch The Pirate Bay, it could be just one person who had rented some cloud power from Amazon and is sitting in a cafe, and is able to launch an attack."

Although some users may have attempted to access the site using proxies, TPB itself warned them against doing so.

Illegal file sharing

"Use proxies at own risk. Don't login unless you trust the proxy supplier. Don't freak out. You'll get your TPB fix tomorrow," said the site.

TPB allows users to illegally obtain copyrighted songs, films and other content for free.

Copyright holders argue this causes a significant loss in revenue.

However, others say that it is very difficult to assess the impact of downloading on sales.

"If they're losing money and seeing that the government is not being able to stop it, there's a real monetary value reason for them to try and bring it down," said Mr Stewart.

"And if they can do it in the name of Anonymous then it's great for them.

"Equally the governments that protect these industries are frustrated as well because they haven't been able to see it close down, unlike a number of other torrent sites."

Open and free

Virgin Media began preventing access to the file-sharing site following a High Court order last week.

Some time later the Virgin Media website suffered a hack attack that many thought was organized to protest against efforts to block access to TPB.

Twitter feeds associated with the Anonymous collective wrote: "Virgin Media - Tango Down #OpTPB".

But TPB criticized Anonymous for the attack, writing on its Facebook page that it did not "encourage these actions".

"We believe in the open and free internets, where anyone can express their views," wrote TPB.

"Even if we strongly disagree with them and even if they hate us. So don't fight them using their ugly methods. DDoS and blocks are both forms of censorship."

Source: BBC

Avira update fixes Service Pack bug

The H-Online: Avira says that it has resolved the problems caused by a Service Pack that was released for its Windows products earlier this week. Users are advised to trigger a manual update to download the fix. Once installed, the update should prevent the program from blocking legitimate Windows applications on systems running Avira.

On Monday, Avira released "Service Pack 0" for all of its Windows products. Once the update was installed, the "ProActiv" behavioral monitoring component in Avira Antivirus Premium 2012 and Avira Internet Security 2012 blocked the execution of essential programs and trusted system processes. For example, ProActiv blocked the Windows registry editor (regedit.exe) and the task scheduler (taskeng.exe).

As the behavior recognition is only included in the company's commercial products for 32-bit versions of Windows, the problem does not affect Avira Free Antivirus or users who run a 64-bit version of Windows.

Those who are affected by the problem need to update Avira manually; once the update has been installed, the ProActiv module can be reactivated. For systems where Windows is having difficulty booting, users are advised to start their systems in safe mode and install the Avira update.

QuickTime for Windows update plugs security holes

The H-Online: Version 7.7.2 of QuickTime for Windows has been released to address a total of 17 security vulnerabilities in the media player. According to Apple, these include integer, stack and buffer overflows, as well as memory corruption issues, all of which could be exploited by an attacker to crash the application or execute arbitrary code on a victim's system. For an attack to be successful, a user must first open a malicious web site or a specially crafted file.

The company notes that, on Mac OS X, many of the holes have already been fixed in Mac OS X 10.7.3 and 10.7.4 Lion, and Security Updates 2012-001 and 2012-002 for Mac OS X 10.6.8 Snow Leopard systems. A majority of these vulnerabilities were discovered by members of TippingPoint's Zero Day Initiative (ZDI).

Further information about the QuickTime update can be found in Apple's security advisory. QuickTime 7.7.2 for Windows is available for Windows 7, Vista and XP SP2 or later from Apple's Support Downloads site. Alternatively, those who have the Software Update for Windows tool installed can update by selecting "Apple Software Update" from the Start menu.

RealPlayer update fixes security vulnerabilities

The H-Online: RealNetworks is warning users about multiple security vulnerabilities in its RealPlayer media player application for Windows; the company says that none of the now-fixed holes are known to have been used to compromise systems.

The released update, version 15.0.4.53 of RealPlayer, closes three security holes. One hole is related to ASM RuleBook parsing that could be exploited by an attacker to remotely execute arbitrary code, another is a memory corruption problem related to MP4 file handling in the QuickTime plugin used by RealPlayer, and the third is a buffer overrun in the Media parser.

RealPlayer Versions 11.0 to 11.1 and 14.0.0 to 15.0.3.37, as well as RealPlayer SP 1.0 to 1.1.5 are affected; RealPlayer for Mac is not vulnerable. RealPlayer 15.0.4.53 – available for Windows 7, Vista SP1 and XP SP3 – corrects these problems. All users are advised to upgrade to the latest version. An alternative option is to simply uninstall RealPlayer as very few sites use it exclusively.

Chrome 19 released with tab syncing

The H-Online: Google has announced that Chrome 19 is the new stable version of its open source based web browser. As usual, the browser sees a number of security fixes: this time there are seven high-severity fixes specifically for Chrome including various use-after-free and out-of-bounds errors. Two fixes with a wider impact than Chrome are also mentioned – a workaround for a Linux NVIDIA driver bug and an "off-by-one out-of-bounds" write in libxml. In all, $7500 was paid out in rewards to security researchers, and Google notes it has also paid out $9000 to researchers to stamp out bugs before they reached its stable channel.

There is only one major new feature in Chrome 19: support for synchronizing tabs between Chrome running on different systems signed in as the same Google user. To access the synchronized tabs, open a new tab and at the bottom of the new tab display is a menu item for "Other Devices" – selecting this displays the various devices and the tabs they have open. This tab synchronization also works with the current Chrome Android Beta, offering an alternative to the Chrome2Phone extension as a way to exchange URLs between desktop and mobile Chrome. Although the functionality for tab synchronization is already in the stable version, Google will only be gradually rolling out the supporting service over the next few weeks.

Google has also included an experimental version of Web Intents in the new stable version of Chrome. Web Intents are designed as a mechanism to allow web applications to work together without having explicit knowledge of the other web applications. Google has been working with Mozilla and at the W3C to develop a specification for the process. Services can register Intents to handle particular tasks. When a web application wishes to perform one of these tasks, with Web Intents it can query the browser to find an appropriate service and then call on that.

The announcement explains that "it's impossible to build a complex API – especially one that requires an ecosystem of apps – without feedback from web developers using it in the wild". The developers expect there will be significant, possibly backwards-incompatible, changes in the API as they get feedback. The API is currently prefixed to stop it being confused with whatever the final version of the API is, and intents must be registered at the Chrome App Store. Web application developers interested in Web Intents can consult "Web Intents in Chrome".

Chrome 19 can be downloaded from Google's page for stable Chrome. Existing users of the Chrome stable channel should be automatically updated to the new version. Chrome is based on Google's open source browser Chromium.

Wednesday, May 16, 2012

Google bringing new smarts to Search with Knowledge Graph

Google's Knowledge Graph will display summaries of topics when your query is related to one of the 500 million items in Google's new database of things.


Google has long sought to index the world's information -- and it's now taking things a step farther with an effort to create "a database of everything in the world." And it's bringing this effort to your search results pages.

The new Knowledge Graph project, rolling out to English-language Google Search users over the next few days, provides more data snippets alongside its query results than the search engine currently provides. The results are based on Google's new database of 500 million people, places, and things, says Jack Manzel, Product Management Director of Search at Google. Manzel says there are 3.5 billion attributes and connections between these things in the database.

You'll be able to meander through lists of facts and connections when you are searching for items that are in the Knowledge Graph. As one Google example illustrates, if you search for Frank Lloyd Wright, you'll get a fact box with a summary about him (from Wikipedia), a small collection of biographical facts, and picture links to the buildings he designed. If you click on Fallingwater, you'll get another fact box about that house.

Google has both personnel and technology to curate what results appear in these fact boxes.

Continue Reading at Cnet: Google bringing new smarts to Search with Knowledge Graph

Tuesday, May 15, 2012

Avira AV update hangs systems

H-Online Says:

A faulty update for Avira's paid-for anti-virus software blocks harmless processes and may in some cases stop computers from booting. The update results in the ProActiv behavioral monitoring component becoming oversensitive in its treatment of executable files.

According to user reports, ProActiv blocks trusted system processes such as cmd.exe, rundll32.exe, taskeng.exe, wuauclt.exe, dllhost.exe, iexplore.exe, notepad.exe and regedit.exe. In some cases this results in Windows failing to boot properly. It also appears to be blocking non-OS applications such as Microsoft Office, the Opera web browser and Google's Updater program.

All versions which include the ProActiv behavioral monitoring component are affected, including Avira Antivirus Premium 2012 and the enterprise version; only 32-bit systems are affected, as ProActiv doesn't currently support 64-bit operating systems. On the Avira forum, an employee of a company which runs Avira on one hundred computers complains that, "This update has been pretty catastrophic. The whole company ground to a standstill."

In view of the arbitrariness with which the behavioral monitoring component is blocking files, users who have installed the update are advised to disable ProActiv. To do so, access Avira's settings, activate the Expert mode using the switch on the left and uncheck 'Enable Avira ProActiv' under 'Realtime Protection', 'ProActiv'. According to user reports, if Windows is having difficulty booting, this can be fixed in some cases by starting in safe mode and then deactivating ProActiv.

In a statement to The H's associates at heise Security, Avira confirmed the problem and said that its developers are currently working on an automatic update to resolve the bug. The potential scale of the bug is huge – according to Avira, the faulty update has already been downloaded more than 70 million times; this figure includes those running the free version of Avira which is not affected. The company has now stopped distributing the update.

Source: Heise Security

Update: Avira update fixes service pack bug

Monday, May 14, 2012

Sniffer tool displays other people's WhatsApp messages

The H-Online: WhatsApp Sniffer is an app able to display messages from other WhatsApp users connected to the same network as the app user. The tool diverts all data traffic on, for example, a Wi-Fi network through the user's smartphone and seeks out WhatsApp messages, which are transferred in plain text. All the user requires is a rooted Android smartphone.

The WhatsApp messaging service has established itself as an alternative to texting between smartphone users, because, unlike text messages, users only have to pay for data use. And if a user is in range of a free Wi-Fi point, then it is free to use.

But on public Wi-Fi networks, using WhatsApp turns out to be a very bad idea. Unlike, for example, iMessage, WhatsApp messages are transmitted in plain text, meaning that curious eavesdroppers, along with the intended recipient, can read them.

What previously would have required the use of a range of tools and some basic networking knowledge can now be performed at a stroke using WhatsApp Sniffer. The only way for users who have installed WhatsApp to avoid this is to refrain from using it on any Wi-Fi network that potentially untrusted users could be connected to.

The app uses ARP spoofing to divert all local network traffic through the smartphone. If it finds WhatsApp messages in this traffic, it displays them in a user-friendly conversation-style view. It displays both incoming and outgoing messages and can also display photos and video. A short test by The H's associates at heise Security found that the tool performed just as promised.
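As an added illustration of the defensive side (this is not code from the original article or from heise Security's test), the following Python script checks a passive log of ARP replies for the two symptoms that the ARP spoofing described above leaves behind on a Wi-Fi segment: an IP address whose MAC changes mid-session, and a single MAC answering for several IPs including the gateway. The ARP observations and the gateway address are constructed sample data.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen passively on a Wi-Fi segment,
# as (timestamp, sender IP, sender MAC). Not real captured data.
GATEWAY_IP = "192.168.1.1"
OBSERVED_ARP = [
    ("12:00:01", "192.168.1.1",  "aa:bb:cc:00:00:01"),  # real gateway
    ("12:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),  # a laptop
    ("12:00:03", "192.168.1.77", "de:ad:be:ef:00:77"),  # a rooted phone
    ("12:00:10", "192.168.1.1",  "de:ad:be:ef:00:77"),  # phone answers for gateway
    ("12:00:11", "192.168.1.20", "de:ad:be:ef:00:77"),  # phone answers for laptop
]


def analyse_arp(observations, gateway_ip):
    """Return alert strings for ARP anomalies in the observation log.

    Flags (1) an IP whose MAC changes between replies ("flip") and
    (2) one MAC claiming several IPs, noting whether the gateway is among them,
    which is the pattern a man-in-the-middle between victim and gateway produces.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"{ts} MAC flip: {ip} was {previous}, now {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            tag = " (includes gateway)" if gateway_ip in ips else ""
            alerts.append(f"MAC {mac} claims {len(ips)} IPs{tag}: {', '.join(sorted(ips))}")
    return alerts


def gateway_impersonators(observations, gateway_ip):
    """MACs that answered for the gateway IP other than the first one seen for it."""
    first_seen = None
    others = set()
    for _ts, ip, mac in observations:
        if ip != gateway_ip:
            continue
        if first_seen is None:
            first_seen = mac.lower()
        elif mac.lower() != first_seen:
            others.add(mac.lower())
    return others


if __name__ == "__main__":
    for line in analyse_arp(OBSERVED_ARP, GATEWAY_IP):
        print(line)
    print("gateway impersonators:", gateway_impersonators(OBSERVED_ARP, GATEWAY_IP))
```

The same checks can be fed from a live source such as arpwatch or a packet capture filtered to ARP replies; the first reply seen for the gateway is trusted only as a baseline, so the log should start from a known-clean state.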

WhatsApp Sniffer was originally available to download from Google Play, but was removed a few days ago. This may slow down its dissemination, but it is not going to stop it altogether – a search on Google quickly unearths the APK installation file. The DroidSheep app, which allows users to intercept Facebook sessions and other web services, was also recently removed from Google Play, but is still proving popular.