October 2008 - Posts

Update on MS08-067

Hello everyone,

This is Christopher Budd once again. As I said in my last post, we aren’t done when we release an update. Our response teams are constantly watching the situation around the world to understand as much as possible what’s going on with things like the threat environment and the state of security update deployments.

Based on some of our latest situation reports I wanted to provide you with an update as of this morning. You’ve told us it’s helpful for you to have this information on an ongoing basis.

In terms of the security update itself, we’re seeing strong deployments worldwide. We also have no reports of known issues with the security update at this time.

In terms of the overall threat environment, we’ve not seen any major changes so far. We are aware that people are working to develop reliable public exploit code for the vulnerability. We are aware of discussion about code posted on a public site, but our analysis has shown that code always results in a denial of service, to demonstrate the vulnerability. So far, we’ve not seen evidence of public, reliable exploit code showing code execution.

Additionally, we’re not aware of any broad attacks or new malware seeking to exploit this vulnerability since we’ve released the security update on Thursday. While there have been a couple of reports of a “new worm”, these reports are actually inaccurate: they’re talking about malware we found in our investigation of the original targeted and limited attacks that we talked about in our posting on Thursday. Specifically, these reports are talking about TrojanSpy:Win32/Gimmiv.A and TrojanSpy:Win32/Arpoc.A (which is the specific attack associated with Exploit:Win32/MS08067.gen!A). Both of these are trojans, not self-replicating worms.

While deployments of the updates are happening quickly and relatively smoothly, and the threat environment hasn’t changed significantly since Thursday, we don’t want customers to take that as a sign to decrease their pace of, or even delay, deployments for this update. This is a Critical vulnerability that is being actively attacked, though so far in a limited, targeted fashion. Those were the reasons we released this out-of-band and it is because of this that we continue to urge customers to aggressively test and deploy this update as soon as possible.

In addition, we are not relaxing our vigilance here. Our teams around the world continue to work around the clock, watching for any changes in the threat environment or issues that could impact customers’ ability to deploy these updates. As always, we will let you know through the MSRC weblog of any changes in this situation.

Thanks,

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Yellow to Green : MS08-067

Published: 2008-10-24,
Last Updated: 2008-10-24 16:28:04 UTC
by Stephen Hall (Version: 1)


You may have noticed that the ISC Infocon was raised from Green to Yellow. This was to highlight the increased level of threat from MS08-067.

We have just moved back to green. This is not because of any lowering of threat, but to return to our normal steady state. People use the INFOCON level as a matter of understanding what is going on with the Internet and security as a whole.

If you see it raised again over the weekend, you'll know it's gotten a whole lot worse.

First Glimpse into MS08-067 Exploits In The Wild

Friday October 24, 2008 at 5:53 am CST
Posted by Geok Meng Ong


It has been over 2 years since I last wrote about malware exploiting a major vulnerability in the Windows Server Service (MS06-040).

In 2006, worm authors were quick to adopt the remote exploit, in just 4 days following a security update released as part of the regular Patch Tuesday - IRC-Mocbot, W32/Sdbot, W32/Spybot, W32/Opanki, etc.

Now in 2008, we are faced with malware authors who are motivated by profit, more organized, and more likely to target zero-day vulnerabilities, as we have reported on several critical incidents discovered since 2006. Like déjà vu, Microsoft released an out-of-cycle security update today to address in-the-wild attacks against the new MS08-067 vulnerability in the same Windows Server Service.

Attacks seen in the wild so far seem to have come from variants of the Spy-Agent.da trojan. When run, it may not be immediately apparent to the victim that it is using any exploits. Taking a quick glimpse into the binary code of basesvc.dll (Spy-Agent.da.dll), one of the DLL components installed by Spy-Agent.da, one can see strings that would look very familiar to anyone who studied MS06-040.

MS08-067 strings

On closer analysis, Spy-Agent.da.dll seeks out potentially vulnerable Windows machines in the local network, and sends maliciously crafted DCERPC requests to exploit the Server Service (SvrSvc).

MS08-067 exploit

When successful, hardcoded shellcode embedded within the malware is executed on the targeted machine to download Spy-Agent.da (or possibly other variants or files) from a web server hosted in Japan.

MS08-067 shellcode
(shellcode after decoding)

Just hours after the patch release, public source code has already been seen circulating on the Internet. What more can I say? Patch your systems! Yes, NOW!

Spy-Agent.da and Spy-Agent.da.dll are now detected using the current 5414 DATs. See Dave’s blog for McAfee’s coverage.

(thanks to Joey Koo and Xiaobo Chen for providing analysis data and packet dumps used in this blog)
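The crafted DCERPC traffic described above begins with a bind to the srvsvc interface, the same interface that Microsoft's SWI post further down this page shows exposed over \\.\pipe\srvsvc. As an added example (not McAfee's or Microsoft's code) here is a parser that pulls the interface identifiers out of a connection-oriented DCERPC bind PDU and flags binds whose abstract syntax is srvsvc, which is the hook a network sensor or pipe-level monitor would key on. The srvsvc and NDR UUIDs below are the published interface identifiers; the PDU the block parses is constructed inside it, not taken from the malware's packet dumps.

```python
"""Flag DCERPC bind requests to the Server Service (srvsvc) interface.

Added example for this page; not McAfee's or Microsoft's code.  Before a
client can call any Server Service routine it must bind to the srvsvc RPC
interface over the \\pipe\\srvsvc named pipe, and that bind PDU (DCERPC
connection-oriented, ptype 11) names the interface by UUID.  Assumptions:
SRVSVC_UUID and NDR32_UUID are the published identifiers; the sample PDU
built by build_bind() is constructed here, not a capture.
"""
import struct
import uuid

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"   # srvsvc, version 3.0
NDR32_UUID = "8a885d04-1ceb-11c9-9fe8-08002b104860"    # NDR transfer syntax, version 2.0
PTYPE_BIND = 11
HDR_LEN = 16            # common DCERPC CO header: vers, minor, ptype, flags, drep, frag/auth len, call_id
BIND_FIXED_LEN = 12     # max_xmit, max_recv, assoc_group, n_ctx + 3 reserved bytes
SYNTAX_LEN = 20         # 16-byte UUID + 32-bit version


def _syntax(pdu, off, end):
    """Decode a p_syntax_id_t (UUID + version) at offset off; end is '<' or '>'."""
    raw = pdu[off:off + SYNTAX_LEN]
    if len(raw) < SYNTAX_LEN:
        raise ValueError("truncated presentation syntax")
    # The first three UUID fields follow the PDU's integer byte order (drep).
    u = uuid.UUID(bytes_le=raw[:16]) if end == "<" else uuid.UUID(bytes=raw[:16])
    version, = struct.unpack(end + "I", raw[16:])
    return str(u), (version & 0xFFFF, version >> 16)   # (major, minor)


def parse_bind(pdu):
    """Return the presentation contexts of a bind PDU, or None if it is not a bind."""
    if len(pdu) < HDR_LEN + BIND_FIXED_LEN:
        return None
    rpc_vers, ptype = pdu[0], pdu[2]
    if rpc_vers != 5 or ptype != PTYPE_BIND:
        return None
    # drep[0] high nibble: 1 = little-endian integers, 0 = big-endian.
    end = "<" if (pdu[4] & 0xF0) == 0x10 else ">"
    frag_len, = struct.unpack(end + "H", pdu[8:10])
    if frag_len > len(pdu):
        raise ValueError("PDU shorter than its frag_length")
    n_ctx = pdu[HDR_LEN + 8]
    off = HDR_LEN + BIND_FIXED_LEN
    contexts = []
    for _ in range(n_ctx):
        if off + 4 > len(pdu):
            raise ValueError("truncated context list")
        ctx_id, n_transfer = struct.unpack(end + "HB", pdu[off:off + 3])
        off += 4                                   # ctx_id, n_transfer, reserved byte
        iface, version = _syntax(pdu, off, end)
        off += SYNTAX_LEN
        transfer = []
        for _ in range(n_transfer):
            transfer.append(_syntax(pdu, off, end))
            off += SYNTAX_LEN
        contexts.append({"ctx_id": ctx_id, "interface": iface,
                         "version": version, "transfer": transfer})
    return contexts


def is_srvsvc_bind(pdu):
    """True when any presentation context of a bind PDU names the srvsvc interface."""
    return any(c["interface"] == SRVSVC_UUID for c in (parse_bind(pdu) or []))


def build_bind(interface, major, minor, call_id=1):
    """Construct a minimal little-endian bind PDU for one interface (test input, not a capture)."""
    ctx = struct.pack("<HBB", 0, 1, 0)                       # ctx_id 0, one transfer syntax
    ctx += uuid.UUID(interface).bytes_le + struct.pack("<HH", major, minor)
    ctx += uuid.UUID(NDR32_UUID).bytes_le + struct.pack("<HH", 2, 0)
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx      # max_xmit, max_recv, assoc_group, n_ctx
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,  # flags: first | last fragment
                         b"\x10\x00\x00\x00", HDR_LEN + len(body), 0, call_id)
    return header + body


if __name__ == "__main__":
    sample = build_bind(SRVSVC_UUID, 3, 0)          # constructed sample
    for ctx in parse_bind(sample):
        flag = "SRVSVC" if ctx["interface"] == SRVSVC_UUID else "other"
        print(f"ctx {ctx['ctx_id']}: {ctx['interface']} "
              f"v{ctx['version'][0]}.{ctx['version'][1]} [{flag}]")
```

On the wire the PDU bytes arrive inside the SMB Write or Transact that carries the pipe data, so a sensor has to reassemble that layer first. A bind to srvsvc is also legitimate traffic (listing shares does it), so the flag is a context signal to pair with who sent it, for instance an unauthenticated session or a host that has no business speaking SMB to the target, rather than an alert on its own.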

Oct23

Clear and Present Danger: Out-of-Band MS Patch

by Carolyn Guevarra (Technical Communications)

Earlier today, Microsoft released a security bulletin regarding a critical vulnerability in the Server Service, which allows an attacker to execute code remotely by sending a specially crafted RPC request to a target system. This vulnerability could be used by malicious users to craft a wormable exploit which, should its authors design it so, could render corporate networks clogged and virtually unusable. According to Microsoft, it released this security bulletin outside of its monthly release cycle to protect customers from attacks related to this flaw.

Not long after the release, TrendLabs received reports of a zero-day exploit that takes advantage of this vulnerability. According to Trend Micro Advanced Threats Researcher Paul Ferguson, this exploit downloads a malicious file from a specific IP address. We now detect the downloaded file as TSPY_GIMMIV.A. Based on initial analysis, this spyware has routines that involve checking the registry for entries related to antivirus software, possibly in an attempt to avoid detection.

The span of time between the reports of the vulnerability and the discovery of the exploits is so narrow that researchers have reason to believe the vulnerability was first known to the hackers. Hackers may have already been actively exploiting this bug days before Microsoft received wind of the vulnerability. Note that Patch Tuesday was just a little over a week ago. But kudos to Microsoft for delivering this immediate fix to prevent more users from becoming victims.

Trend Micro Smart Protection Network already blocks the malicious URL this spyware is downloaded from. We highly recommend that users immediately update their computers with the patch provided by Microsoft.

Trend Micro is working on an in-depth analysis of this malware and the said exploit. Stand by for more details.

Out-of-band patch from Microsoft

Posted by Patrik @ 04:07 GMT

It doesn't happen very often, but when it does, it's for a good reason. Yesterday, Microsoft released an out-of-band patch for a new, critical vulnerability in Windows.

The MS08-067 patch fixes a remote procedure call (RPC) issue that would, if successfully exploited, enable an attacker to execute code remotely on a computer running any currently supported version of Windows.

This is exactly the type of vulnerability Blaster and Sasser used to infect millions of computers back in 2003 and 2004.



The reason for the out-of-band patch is that there is already malware actively using the vulnerability to infect computers, which we detect as Trojan-Spy:W32/Gimmiv.A. This trojan steals confidential information from the computer and sends it back to the attacker.

The situation is not as dire as in earlier years, as Windows XP SP2 and newer have a firewall in place by default. If you have file or printer sharing enabled however, your computer may be affected.

We recommend that everyone apply the update as soon as possible.

McAfee Coverage of the Microsoft Emergency Release

Thursday October 23, 2008 at 1:50 pm CST
Posted by David Marcus


Due to the MS08-067 out-of-cycle release from Microsoft today we are in the process of releasing emergency DATs/coverage updates for many of our products and technologies. We are also working on an emergency Security Advisory as well.

Current state for each of the content areas is as follows:

Malware - Emergency DAT cut and testing in progress. ETA of 2 - 3 hours.

HIPS - Generic buffer overflow should provide coverage.

Intrushield - Partial existing coverage. Additional emergency sigset releasing today.

Foundstone - Emergency signatures being released today.

V-Flash - Emergency signatures being released today.

MNAC - Emergency signatures being released today.

VirusScan Enterprise BOP - Should provide coverage for the buffer overflow.

We will continue to monitor this critical event to provide the most comprehensive coverage we can.

It's already started. Hold on boys and girls


MS Windows Wormable Vulnerability, Out-of-Band Patch Released (MS08-067)

Date: 10.23.2008

Threat Type: Malicious Web Site / Malicious Code

Websense® Security Labs™ has received reports of exploits circulating in the wild that take advantage of a serious Windows vulnerability. Microsoft released an out-of-band patch to address it just hours ago (see MS08-067).
The remote code execution vulnerability is in netapi32.dll, carries a severity rating of "Critical" from Microsoft, and affects even Windows machines that were fully patched before this release. The vulnerability (CVE-2008-4250) allows malicious hackers to write a worm (self-propagating malicious code that needs no user interaction) by crafting a special RPC request. Successful exploitation results in complete control of the victim machine.

To date, we have seen attacks installing a Trojan (Gimmiv) upon successful exploitation. At the time of this alert, only 25% of 36 anti-virus vendors could detect this malicious code. Blocking TCP ports 139 and 445 at the perimeter firewall is only a partial solution: most desktops have file/printer sharing turned on, so the ports remain reachable from inside the network. The out-of-band patch release by Microsoft testifies to the severity of this vulnerability and the urgency of an immediate fix.
Websense is monitoring the development of this attack, and has classified the corresponding Web sites and malicious code that the exploit downloads.

More information:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
http://blogs.technet.com/mmpc/archive/2008/10/23/get-protected-now.aspx
http://blogs.technet.com/swi/archive/2008/10/23/More-detail-about-MS08-067.aspx
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Thursday, October 23, 2008

Just some comments on MS08-067

I was stuck in meetings today and didn’t get a chance to write much more than I did earlier.

Just some quick notes on MS08-067.

– We have samples in-house of the trojans in-the-wild that are being used in targeted attacks, taking advantage of this exploit. These are currently only targeted attacks, not being used broadly by malware authors.

– It is not a light thing. The urgency is quite real — unpatched, you’ve got the spectre of another SQL Slammer, Code Red type of scenario if the malware writers create a worm. The other issue with this patch is that it affects a broad number of systems (XP, Windows 2000 and 2003 -- the Vista/2008 platform isn't at the same level of risk).

– It is an extraordinary event that pushes Microsoft to do an out-of-band update. This is a big deal for them — each update is tested on a vast number of machines. It underscores the potential seriousness of this vulnerability.

Patch like hell and let’s hope everything will be ok in the morning.


Alex Eckelberry

Patch now!!

http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

More detail about MS08-067, the out-of-band netapi32.dll security update

Today Microsoft released a security update that fixes a remote code execution vulnerability in the Windows Server Service. This is a serious vulnerability and we have seen targeted attacks using this vulnerability to compromise fully-patched Windows XP and Windows Server 2003 computers so we have released the fix "out of band" (not on the regular Patch Tuesday). Due to the serious nature of the vulnerability and the threat landscape requiring an out-of-band release, you probably have questions about your own organization's risk level, what actions you can take to protect yourself, and why newer platforms are at reduced risk. We hope to answer those questions in this blog post.

Which platforms are at higher risk?

An unauthenticated attacker can trigger this vulnerability remotely for code execution on Windows 2000, Windows XP and Windows Server 2003. By default, Windows Vista and Windows Server 2008 require authentication. In every case, the attacker must be able to reach the RPC interface to exploit the vulnerability. In the default out-of-the-box scenario, the interface is not reachable, because a firewall is enabled by default on Windows XP SP2, Windows Vista, and Windows Server 2008. Unfortunately, either of the following two conditions exposes the RPC endpoint:

1) Firewall is disabled
2) Firewall is enabled but file/printer sharing is also enabled.

When File/Printer Sharing is enabled on Windows Vista and Windows Server 2008, the firewall exposes the RPC interface only on the network type for which sharing was enabled. For example, if a printer is shared on a network of type 'Private', the firewall will block incoming RPC connections when the computer switches over to a network of type 'Public'. If you then choose to share the printer on the 'Public' network type, Vista and Windows Server 2008 will prompt to ask if you really want to enable "File and Printer Sharing" for ALL public networks.

For more information about file/printer sharing, visit the following URLs:

- for Vista http://technet.microsoft.com/en-us/library/bb727037.aspx
- for XP http://www.microsoft.com/windowsxp/using/security/learnmore/sp2firewall.mspx

The following picture illustrates the risk for each platform in more detail.

More about mitigations (DEP, ASLR, /GS)

On Vista and Windows Server 2008, the combination of Address Space Layout Randomization (ASLR, http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx) and Data Execution Prevention (DEP, http://support.microsoft.com/kb/875352/EN-US/ ) will make exploitation of this vulnerability more difficult. ASLR randomizes the base address of modules, heaps, stacks, the PEB, TEBs, etc., making returns into known locations difficult. Known DEP bypass techniques will not be applicable on these platforms because of the presence of ASLR.

Regarding /GS protection, the stack frame of the function that contained the overflowed buffer was protected with a stack frame boundary cookie. However, due to the nature of this particular vulnerability, the exploit code is able to take advantage of another stack frame that was not meant to be protected by the /GS security cookie: the cookie is only emitted for functions meeting certain criteria (such as holding local string buffers), so not every frame on the stack carries one.

UAC mitigates even when the prompting is disabled

As mentioned above, Windows Vista and Windows Server 2008 by default require authentication. But the security callback on the RPC interface has not been changed on the more recent platforms. Instead, the UAC and integrity level hardening work introduced with Vista is forcing the authentication requirement. The anonymous user connects with integrity level "Untrusted" while the named pipe requires at least a "Low" integrity level. Since "Untrusted" is lower than "Low" integrity level, the access check fails. Note that disabling the UAC prompt does not disable the integrity level access check. In other words, regardless of whether the UAC prompt is enabled or disabled, the integrity level check will be performed. The integrity level check will fail on Vista and Windows Server 2008 if the user connects anonymously. See http://msdn.microsoft.com/en-us/library/bb625963.aspx for more information.

There is a non-default scenario where a non-domain-joined Windows Vista and Windows Server 2008 can be exploited anonymously. If the feature “Password Protected Sharing” is disabled, anonymous connections come in at “Medium” integrity level. Because "Medium" integrity level is a higher integrity level than "Low", the integrity level check will succeed. This would allow Windows Vista and Windows Server 2008 to be exploited anonymously. This feature could be disabled through Vista’s Network Sharing Center in the “Sharing and Discovery” section.

Most perimeter firewalls will block exploit attempts from outside your organization

If you are behind a perimeter firewall that filters inbound connections to TCP ports 139 and 445, you will not be reachable from the Internet. This is a common home user scenario. In this scenario, only the machines in your local LAN will have the ability to exploit this vulnerability.

How you can protect yourself

You should apply the security update as soon as you can. This is the best way you can protect yourself. While you are testing the update and preparing your deployment process, you may choose to use one or more of the workarounds listed in the security bulletin (http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx). We have researched several options that range from turning off the affected component to limiting the exposure to authenticated users.

There is one other workaround option that we didn't include in the bulletin because it is not a supported scenario. The Server service exposes the vulnerable code over an RPC named pipe. The access control list for the named pipe is specified in the netapi32.dll code. It can be changed for any current Windows session. When Windows is rebooted, the ACL will get reset to the default value. However, if you were to change the ACL on every boot after the service is started, the window of attack for anonymous users would be very small. We have developed a simple tool that removes the ANONYMOUS LOGON access control entry from the named pipe's access control list. (Please remember that this is not a supported scenario.) Here's what it looks like when run:

C:\>chacl.exe \\.\pipe\srvsvc
opening up \\.\pipe\srvsvc
Got back 3 ACE entries
Found an entry for ANONYMOUS LOGON. Deleting it...
deleted that ACE

Setting new DACL changes...
Done

C:\>chacl.exe \\.\pipe\browser
opening up \\.\pipe\browser
Got back 3 ACE entries
Found an entry for ANONYMOUS LOGON. Deleting it...
deleted that ACE

Setting new DACL changes...
Done

We have attached the chacl.c source code at the bottom of this blog post.

Greetz

A great deal of investigation in a short amount of time went into this case. We'd like to publicly thank all the engineers who helped provide definitive answers (some requiring hours of debugging) to these hard technical questions.

- Bruce Dang, Fermin J. Serna, Damian Hasse, Andrew Roths and Jonathan Ness from the SVRD team
- Matt Miller and other members from the Microsoft Security Engineering Science Team
- David Kruse, Tassaduq Basu, and Jon Schwartz from the core file system, networking, and kernel teams (respectively)
- Carlos Trueba Salinas from the Windows Sustained Engineering team

Posting is provided "AS IS" with no warranties, and confers no rights.

Published Thursday, October 23, 2008 10:00 AM by swiblog

This is bad folks, PATCH NOW!!


Microsoft out-of-band patch - Severity Critical

Published: 2008-10-23,
Last Updated: 2008-10-23 17:31:02 UTC
by Mark Hofman (Version: 2)

Updated:


As reported earlier this morning, Microsoft released a critical update today for the Windows operating system.  The update addresses a vulnerability in RPC calls that can be reached over SMB connections.  As most of you remember, worms such as Blaster and its kin were able to propagate through RPC/DCOM vulnerabilities, and this flaw is in a very similar area of code.  Microsoft has detected limited, targeted attacks exploiting this flaw in the wild.  It is expected that with the release of the update, much more of the hacker community will become aware of how to exploit this and create a major worm outbreak.

More information is available at  www.microsoft.com/technet/security/Bulletin/ms08-067.mspx


Original Post: 2008-10-23 12:16:16 UTC

Microsoft has just released an advance notification of an out-of-band update to be released on the 23rd of October.  They will hold a special webcast on the 23rd at 1:00 pm PT to discuss the release.  The patch will be released at 10:00 am.

The information in the bulletin mentions remote code execution, but no further details are provided; a restart will be required.

Microsoft rates the issue as critical for 2000/XP/2003 and important for Vista/2008.

If we get more information we'll update this diary.

Mark

ps thanks to some very fast ISC supporters for letting us know.


Well this can't be good.


********************************************************************

Microsoft Security Bulletin Advance Notification for October 2008

Issued: October 22, 2008

********************************************************************

This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on October 23, 2008.

The full version of the Microsoft Security Bulletin Advance Notification for October 2008 can be found at http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx.

This bulletin advance notification will be replaced with the revised October bulletin summary on October 23, 2008. The revised bulletin summary will include the out-of-band security bulletin as well as the security bulletins already released on October 14, 2008.

For more information about the bulletin advance notification service, see http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications on http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on this out-of-band security bulletin on October 23, 2008, at 1:00 PM Pacific Time (US & Canada). Register for this out-of-band Security Bulletin Webcast at http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

This advance notification provides the software subject as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier. The security bulletins for this month are as follows, in order of severity:

Critical Security Bulletin

============================

Windows Bulletin

- Affected Software:

  - Microsoft Windows 2000 Service Pack 4
  - Windows XP Service Pack 2 and Windows XP Service Pack 3
  - Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  - Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  - Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  - Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  - Windows Vista and Windows Vista Service Pack 1
  - Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  - Windows Server 2008 for 32-bit Systems (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for x64-based Systems (Windows Server 2008 Server Core installation affected)
  - Windows Server 2008 for Itanium-based Systems

- Impact: Remote Code Execution

- Version Number: 1.0

Other Information

=================

Non-Security, High-Priority Updates on MU, WU, and WSUS:

========================================================

For information about non-security releases on Windows Update and Microsoft Update, please see:

* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base Article 894199, Description of Software Update Services and Windows Server Update Services changes in content for 2008. Includes all Windows content.

* http://technet.microsoft.com/en-us/wsus/bb466214.aspx: New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows

Oct17

Net Monitoring Spam Uses Old Whitespace Padding Trick

by Joey Costoya (Advanced Threats Researcher)

There’s another wave of malware-bearing spam. This time, the spam claims that “new clauses” have been added to the legislation regulating your online activities.


Figure 1. Spam sample

Attached in the spam email is the zip file Legislation.zip, which contains Legislation.doc{several whitespace characters}.exe. Yes, this is the age-old double-extension trick which uses a LOT of whitespace to hide the final .exe extension. As the screenshot below shows, the whitespace padding is enough to fool unsuspecting users to double-click the seemingly harmless .doc file inside the ZIP file.


Figure 2. Screenshot of spam attachment contents

Trend Micro Smart Protection Network detects the malware as TROJ_AGENT.DAM.

It must be noted that there was an earlier legislation spam wave this month, with a different email attachment (Legislation-25.doc.exe inside a Legislation.zip attachment) that is already detected as TROJ_AGENTT.Q.

Oct20
by Mayee Corpin (Technical Communications)

Planning your fall holiday? Be careful when booking flights online or opening emails about your “online flight ticket”—or you could crash-land on a heap of malware trouble.

TrendLabs researchers caught spammed email messages featuring bogus eTickets supposedly from Continental Airlines, the fourth-largest airline in the U.S. The message thanks the recipient for availing of a new service called “Buy flight ticket Online” and provides account details (even a password). Then it makes the recipient simply print out the attached “purchase invoice and plane ticket” before they use these, and they’re off! How convenient!

Here’s a screenshot:

The attachment is named E-TICKET.ZIP, which in turn contains the file E-TICKET.DOC.EXE. “It’s the old double-extension trick to hopefully fool the user to double-click the attachment,” observed Advanced Threats Researcher Joey Costoya.

Trend Micro detects the file contained in the zipped attachment as WORM_AUTORUN.CTO. This worm propagates via removable drives and accesses websites to download other possibly malicious files. It also displays the icon of files related to Microsoft Word to avoid easy detection and consequent removal.

Costoya also said, “The phrase Your credit card has been charged… will just add more worry for the user, convincing him more to examine (read: double-click) the ‘flight details.’”

This seems to be a renewed campaign, as we first saw it in late August—only the featured airline then was Northwest Airlines, and the spam attachment led to rogue AV installation instead of a worm. Since then, the transaction fee has gone up; Northwest supposedly charged almost $700 while Continental about $915. And JetBlue Airways, it would seem, “charged” even more, according to this sample:

Users who receive the same messages, please don’t click on the attachment. Trend Micro has already stopped this worm’s takeoff with the Smart Protection Network.
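Both the Legislation.zip lure in the Oct 17 post and the E-TICKET.ZIP lure above rely on the same two naming tricks: a decoy document extension in front of the real one, and enough whitespace to push the real .exe out of the visible column of a file dialog. As an added example, not Trend Micro's code, the following scans every member of a zip attachment for those patterns and notes whether a flagged member starts with the "MZ" bytes of a Windows executable. The archive it scans is constructed inside the block, and the extension lists are assumptions rather than any vendor's list.

```python
"""Flag zip attachments that hide an executable behind a document-looking name.

Added example for this page, not Trend Micro's code.  The zip archive,
its member names and their contents are constructed in memory so the
example runs offline; EXECUTABLE_EXT and DECOY_EXT are assumptions.
"""
import io
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXT = {".doc", ".xls", ".pdf", ".txt", ".rtf", ".jpg"}
PADDING = " \t\u00a0"      # space, tab, no-break space: shown as blank by file dialogs


def suspicious(name):
    """Return the reasons a member name looks like a disguised executable ([] if none)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    lower = base.lower()
    dot = lower.rfind(".")
    ext = lower[dot:] if dot != -1 else ""
    if ext not in EXECUTABLE_EXT:
        return []
    reasons = ["executable:" + ext]
    stem = lower[:dot]
    stripped = stem.rstrip(PADDING)            # what the user actually sees
    for decoy in DECOY_EXT:
        if stripped.endswith(decoy):
            reasons.append("double-extension:" + decoy)
            break
    pad = len(stem) - len(stripped)
    if pad:
        reasons.append(f"whitespace-padding:{pad}")
    return reasons


def scan_zip(data):
    """Map each flagged member of a zip (bytes) to its reasons; adds 'pe-header' when it starts with MZ."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            reasons = suspicious(info.filename)
            if not reasons:
                continue
            with archive.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("pe-header")
            report[info.filename] = reasons
    return report


def build_sample():
    """Constructed attachment modelled on the lures above; the MZ bytes are a stub, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Legislation.doc" + " " * 60 + ".exe", b"MZ stub")
        archive.writestr("E-TICKET.DOC.EXE", b"MZ stub")
        archive.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample()).items():
        print(repr(member), "->", ", ".join(reasons))
```

The stripped name is compared rather than the raw one because the padding is exactly what a user sees through; a gateway that only checks the last extension catches the plain E-TICKET.DOC.EXE case but still reports the padded name the same way, which is why the padding count is recorded separately as its own signal.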

Adobe plugs 'clickjacking' threat

No more spying webcams.
Robert McMillan, IDG news service
16 October 2008

Adobe has fixed a recently discovered security bug that threatened web surfers, after releasing a new version of its Flash Player software.

The new Flash Player 10 software, released Wednesday, fixes security flaws in Adobe's multimedia software including bugs that could allow hackers to pull off what's known as a clickjacking attack, wrote Adobe spokesman David Lenoe in a blog posting.

For those who can't update to this new version of Flash, a Flash 9 security patch is still about a month off, he added. Adobe rates the clickjacking bug as 'critical.'

Although not widely used by criminals, clickjacking has received a lot of attention since it was first discussed a month ago. Flash isn't the only software that is vulnerable to a clickjacking attack, but Flash attacks have been considered among the most dangerous.

The security researchers who discovered the problem, Robert Hansen and Jeremiah Grossman, had intended to fully discuss clickjacking at a security conference presentation in September. But they backed off and gave a slimmed-down version of their talk when Adobe asked for more time to patch its software.

Last week, however, security researcher Guy Aharonovsky showed how an Adobe Flash clickjacking attack would work, and with the information now out in the open, Hansen and Grossman went public with their findings.

In a clickjacking attack, the hacker uses a variety of techniques to take control of what links the victim is actually clicking. In one attack, for example, the attacker would first have to trick the victim into visiting a malicious Web page and then clicking on what appeared to be a regular Web link. In reality the victim would be clicking on something altogether different, such as a Flash object that turned on his microphone. "It's almost impossible for a user to determine what's going to happen when they click on a link," said Hansen, who is CEO of SecTheory.org, in an interview last week.

A clickjacker could wiretap victims' PCs, force them to execute online stock trades, delete blog pages, change a router or firewall configuration, create new Web mail accounts, or even force them to download software, Hansen said.

Because clickjacking affects other browser plugins, the best way to fix the clickjacking problem may be to change the way browsers work, Hansen said. "Browser makers understand the problem and they're trying to find ways to mitigate it," he said.
