More and More Exploits are Now Targeting Clientside & Mobile

[img source]

(The facts that I’m gonna talk about are based on my observations)

Back in mid 2007, Mass SQL injection that contain malicious JavaScript started to bring havoc the our cyberspace. But it brought not enough impact to alert and educate the internet user.. Until mid 2008 where another flood of Mass SQL injection happened attacking MS SQL and not so long after that people cant stop talking about 0day in IE, follow by Adobe Flash Player, Adobe Acrobat Reader, Mozilla Firefox and etc..

This clearly shows that the attacking vector is now somehow changed into the client side. This is due to the number of victim on the client side is way more compare to on the server side. Normally the mission of this kind of attack is to force the vulnerable application to crash and execute arbitrary code usually used to download another malicious file and execute it (drive by download). The victim (client) is now part of the attacker’s botnet. Awuuuooo0… (That is how the botnet sound alike.. Hahahaha)

Now in 2009, more and more client side attacks appear abusing IE, Firefox, Thunderbird, Adobe Acrobat Reader, Adobe Flash Player, Microsoft Office Power Point, Microsoft Office Excel, Google Chrome, Apple QuickTime, Foxit PDF Reader, Sun Java Runtime Environment, Adobe Shockwave Player, ActiveX and etc.. The attackers are also aware of the current world issues and trends. That is why we can see some events like H1n1, death of Michael Jackson, independent day, April Fool and many more events have been abuse by the attacker to phish for their victim.

Lately, within thin 2 months, a few mobile phone vulnerabilities have been found. iPhone, Symbian and Windows Mobile were hooked in these exploits. The attackers not only manage to get sensitive data/info from the mobile device, they also able to take control of the mobile device, and from the recent cases, victim’s mobile phones have been used to send spam SMS, MMS and also Email and at the same time, the SMS, MMS and email sent, work as an agent to ‘invite’ more device to be part of the ‘mobile botnet’ society. Awuuuooo0…

Till next time..

P/S: I am writing this entry while I’m working on my presentation slide for next week presentation in one of the organization of standardization and quality. So, I think these issues need to be highlighted as well in my slides. Beside of trends, the impact also need to be highlighted and ‘how bad is the impact could be’ should also be in part of the slide. The after discussing about the trend and impact, please make this as a habit which is to discuss on the prevention and the mitigation part as well. This is important because leaving the presentation stage without prevention or mitigation steps will create FUD to the audience and this is totally not a good practice!

Exploit Shield 0.60 Beta Released

For those who are still booting into Microsoft Windows, a new version (0.60) of our F-Secure Exploit Shield Beta is now available.

You may also remember that Microsoft patched MS08-078 around the same time. Multiple versions of Internet Explorer were affected on multiple versions of the Windows OS and exploit code was circulating at the time. Exploit Shield 0.5 was able to proactively protect against those exploits.

Exploit Shield is designed to shield Web browsers between the development of an exploit and the release of the vendor’s patch.

To sum up, Exploit Shield provides:

• Zero Day Defense: Protects unpatched machines.
• Patch-Equivalent Protection: Vulnerability “shield” updates.
• Proactive Measures: Heuristic detection techniques.
• Protects Against All Websites: Regardless if untrusted or trusted and malicious or hacked.
• Automatic Feedback: detected exploit attempts are automatically reported to F-Secure.

Here’s the main menu:

Version 0.60 now includes 32-bit Vista support, includes more vulnerability coverage and also includes engine improvements.

Look for the download link from: www.f-secure.com/labs.

If you want or need a reason to test Exploit Shield, consider this month’s Microsoft Updates. There were two vulnerabilities in Internet Explorer 7 for Windows XP and Windows Vista that were patched last week…

Firefox isn’t completely immune either, see Mozilla’s Security Center for details on recent vulnerability patches.

[source: F-Secure Weblog]

P/S: Version 0.5 users will now see a prompt that their installation has expired. The database channel is now closed, but the existing shields and the proactive protections remain.

*** [updated on 22/2/2009] ***

F-Secure Exploit Shield proactively protected against MS09-002 (a vulnerability in Internet Explorer 7) without the need for a shield update.

Sorry to Say, But It is a Lame Exploit

As posted in SEBUG Security DB, puret_t released an exploit on WordPress 2.7.0 admin remote code execution vulnerability. I plan to discuss the exploit and the vulnerability in a knowledge sharing session, so I spent a few minutes to study them.

Sorry to puret_t because I have to say that it is a lame exploit. The reasons are :-

1. You need to have admin user name and password to execute the exploit.
2. The exploit will upload a webshell, but since you have admin user name and password, why dont you just use the upload function in wordpress?
3. The webshell itself contain error :-

   <?php eval($_POST[c]); ?>

   <?php eval($_POST[c]); ?>

   The correct one should be :-

   <?php eval($_POST['c']); ?>

   <?php eval($_POST['c']); ?>