April Fool’s Day passed with much angst over and little action from the Conficker worm, but that doesn’t mean it’s not a threat or that you don’t have it. Joe Stewart from SecureWorks has put together an “eye chart” that sources its graphics from sites that Conficker would block. Click here to view the chart. If you can’t see one or more of the images, you’re either infected or image loading in your browser has been disabled. It’s a test based on the fact that Conficker blocks legitimate security Web sites. The logos are sourced remotely so if they can’t load, then the sites are also likely to be blocked.
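The logic behind such an eye chart, as an added example that is not Joe Stewart's code: probe remotely hosted logos and interpret which ones fail. The hostnames are placeholders, and the control image from a site the worm would not block is an assumption added here to tell "blocked" apart from "image loading disabled".

```javascript
// Added example. All URLs are constructed placeholders, not the chart's real sources.
const SECURITY_LOGOS = [ // sites a Conficker-style block list would hit
  "https://security-vendor-a.example/logo.png",
  "https://security-vendor-b.example/logo.png",
  "https://security-vendor-c.example/logo.png",
];
const CONTROL_LOGOS = ["https://unrelated-site.example/logo.png"]; // assumed never blocked

// Browser-only: resolves true if the image loads, false on error or timeout.
function probeImage(url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    // Cache-buster: a logo cached before infection must not mask the block.
    img.src = url + "?t=" + Date.now();
  });
}

// Pure decision logic over arrays of booleans (true = image loaded).
function classify(security, control) {
  const secOk = security.filter(Boolean).length;
  const ctlOk = control.filter(Boolean).length;
  if (secOk === security.length) return "clear";  // every security logo loaded
  if (ctlOk === 0) return "inconclusive";         // images disabled or no connectivity
  if (secOk === 0) return "likely-blocked";       // only the security sites fail
  return "partial";                               // some fail: site outage or blocking, rerun
}

// Runs the whole chart; `probe` is injectable so the logic can be exercised offline.
async function runChart(probe = probeImage) {
  const security = await Promise.all(SECURITY_LOGOS.map((u) => probe(u)));
  const control = await Promise.all(CONTROL_LOGOS.map((u) => probe(u)));
  return classify(security, control);
}
```

A "likely-blocked" or "partial" result is a reason to scan the machine with a removal tool fetched from a clean system, not a diagnosis on its own.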
PWN2OWN Hacking Competition – All browsers hacked
As he had already predicted, cracker Charlie Miller has won the PWN2OWN contest by cracking Safari and Mac OS X within seconds of the start of the competition. “It took a couple of seconds. They clicked on the link and I took control of the machine,” Miller said after his accomplishment. He took home the USD 10000 prize, as well as the MacBook he performed the exploit on. Internet Explorer 8 fell a while later to cracker Nils, who also cracked Safari and Firefox after being done with IE8.
Miller cracked Safari running on a fully patched installation of Mac OS X on a MacBook. The details of the exploit will not be given out until Apple has published a patch to ensure that others don’t run with the exploit and abuse it. This is the second year in a row that Safari on the Mac is the first to fall in the PWN2OWN contest, again by Miller’s hands.
A while after, Internet Explorer 8, running on Windows 7, also fell. Windows 7 was running on a Sony Vaio P, and was cracked by a cracker named Nils, who wishes to remain anonymous. He also won a cash prize and got to keep the Vaio P. Several Microsoft security folk were on site to witness the exploit. This exploit is also kept under wraps until Microsoft releases a patch. Later on, Nils also broke into Safari (Mac) and Firefox.
All the cracks happened on day one of the contest, which means the operating systems and browsers were fully patched, with no additional plugins loaded. So far, only Chrome hasn’t been cracked, but that probably won’t take long, seeing how quickly the first browsers were exploited.
Still on the table… this year’s contest will also offer a $10,000 prize for every vulnerability successfully exploited in Windows Mobile, Android, Symbian, and the iPhone and BlackBerry OSes. The competition runs through Friday… so it ain’t over yet.
Emergency Security Patch For IE
Microsoft will issue an emergency security patch Wednesday for all versions of Internet Explorer. The patch is considered a critical fix for the security flaw currently plaguing the IE browser. So far, more than 2 million computers are believed to have been infected.
The flaw can be used to let attackers steal personal data such as passwords if a user visits a compromised Web site, of which at least 10,000 are thought to already exist. Thus far, the vulnerability has been used primarily for grabbing gaming passwords for black market sales. The hole could, however, potentially also be used to steal more sensitive information such as banking passwords and other private information. YIKES!
Microsoft’s emergency security patch will become available Wednesday at 1 p.m. EST at the Microsoft Update site as well as at the Microsoft Download Center. All users of IE5, 6, and 7 are advised to install it. A separate patch is expected to be made available for users of IE8 Beta 2. Expect to see far more detail by midday Wednesday when Microsoft officially issues its security bulletin.
Course… you could always just run Firefox or Chrome. ;O)
Default Logins and Passwords for Networked Devices
Ever have to go work on a family member’s computer and need to get into their router? Routers come with a default password, and most people don’t change them (bad bad bad). Here is a list of default logins and passwords for most devices. This listing is only provided as a resource to network administrators and security professionals. It is also meant to remind people that a serious problem exists when people configure a network or a computer system and do not change these passwords. The manufacturers of the listed devices, software or systems are not to blame for this problem, and we are not trying to discredit them or their products. A default login is a means for an end user of a product to complete the initial setup of the device or system. Most manufacturers strongly recommend their end users change these logins and passwords for security reasons.
Unstoppable Vista Hack Created
In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov of VMware Inc. will discuss the new methods they’ve found to get around Vista protections such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) and others. Essentially they’ve figured out a way to hack Vista using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.
What they are indicating is that they have revealed a fatal flaw in Windows Vista which potentially blows the OS wide open and in such a way that it cannot be fixed. The attacks themselves are not based on any new vulnerabilities in IE or Vista, but instead take advantage of Vista’s fundamental architecture and the ways in which Microsoft chose to protect it.
Many of the defenses that Microsoft added to Vista and Windows Server 2008 are designed to stop host-based attacks. ASLR, for example, is meant to prevent attackers from predicting target memory addresses by randomly moving things such as a process’s stack, heap and libraries. That technique is useful against memory-corruption attacks, but Dai Zovi said that against Dowd’s and Sotirov’s methods, it would be of no use.
“This stuff just takes a knife to a large part of the security mesh Microsoft built into Vista,” Dai Zovi said. “If you think about the fact that .NET loads DLLs into the browser itself and then Microsoft assumes they’re safe because they’re .NET objects, you see that Microsoft didn’t think about the idea that these could be used as stepping stones for other attacks. This is a real tour de force.”
They go on to imply the approach can also potentially be applied to other operating systems such as Windows XP and Mac OS X (but not with this specific technique).
Read more at TechTarget or TrustedReviews