Search



SpiderLabs Services
Resources

Research Stats

Categories

Security Advisories

Trustwave Press Releases

Zero-Day Feed

03 June 2013

The Speed is from the Devil – Some Thoughts about Google’s New Disclosure Policy

If you follow info-security news, you might have heard about Google considering a change in its vulnerability disclosure policy. Here is a link to their blog. Until now, when Google came across a new vulnerability of software from some vendor, it notified them and then posted the details only after 60 days. That is, the software vendor had a grace period of two months to investigate the issue and release a patch. With the new policy, Google will disclose the details in 7 days if the issue is already “under active exploitation”. Not yet confirmed by the software behemoth, it does signal a significant change. If Google has notified you of a vulnerability in a product you own, you have only one week, yes only one week, to get it investigated and patched or you’ll be in a very unpleasant situation: The details of your weakness will be up in the public while your customers are not going to have a patch to install and get protected. They are not likely to be very happy… You’d have to move fast, actually very fast, to avoid this undesired situation.

Regardless who you are and what your job is, a worker in the hi-tech industry, an IT security administrator, a journalist or one of many other positions, you may likely think that this is a great move by Google. If the issue is being exploited out there, it means that the bad guys already have the exact information how to leverage it for their needs and customers are at great risk of being targeted with limited ability to defend their systems. This rationale makes a lot of sense. But is it all that simple? Let’s think about it a little further.

Continue reading "The Speed is from the Devil – Some Thoughts about Google’s New Disclosure Policy" »

Posted by on 03 June 2013 at 17:10 in Application Security, Zero-Day | | Comments (0)

05 May 2013

Mayday! 0-Day

While many workers around the world were celebrating the May 1st events, the US Department of Labor website got hacked and was used to redirect browsers to a 3rd party site which served a new IE 8 0day exploit, known as CVE-2013-1347. Microsoft already released an advisory about it last Friday.

Having a quick look at the in-the-wild exploit code, it can be seen that the exploit creator targeted only victims running IE 8 on windows XP computers, by using Javascript that triggers the exploit based on the user agent. However, the exploit can work with IE8 on other versions of Windows such as Windows 7. The reason for limiting this attack to Windows XP users is currently unknown. 

Apparently, the attackers collected technical statistics on the victims’ browser plugins BEFORE serving them with the IE exploit, for example whether plug-ins from their antivirus product, from Fiddler Proxy or from TamperData are installed. That information is then sent to the aforementioned 3rd party site. 

According to a tweet from one of Metasploits’ exploit developers, a module for this CVE will be released soon. Therefore an increase in exploit attempts of this CVE is quite likely.

And to the good news: Trustwave SWG Server (versions 10.1 and higher) blocks this attack out-of-the-box using its generic protection engines, without any further update, thus maintaining good record of blocking the recent 0-day attakcs.

Posted by on 05 May 2013 at 14:40 in MAPP, Secure Web Gateway, Zero-Day | | Comments (0)

16 January 2013

Q&A w/ SpiderLabs Research: Java 0day CVE-2013-0422

Q: What’s going on? People are talking about some Java 0day which threatens the whole world… Bring me up to speed, now!

A: About a week ago, an independent researcher has reported a previously unknown (0day) Java vulnerability being used in order to infect innocent users with malware. When a 0day vulnerability is discovered it is usually reported to the affected vendor and that vendor will issue a patch that fixes the software bug, hence closing the security hole. However in this case the vulnerability was discovered by someone who chose not to do the responsible thing (reporting to the vendor), and instead took advantage of this finding for personal profit. A 0day vulnerability gives the attacker an imperative advantage over the victim for two main reasons:

  1. The victim has no prior knowledge of the risk.
  2. The victim has no effective means of protecting himself, since no patch is available.

In such cases being aware of the attack and its specifics is of highest importance, thus we have analyzed this vulnerability and posted our findings on the very same day it was discovered and verified out-of-box protections in Trustwave's Secure Web Gateway product.

Continue reading "Q&A w/ SpiderLabs Research: Java 0day CVE-2013-0422 " »

Posted by on 16 January 2013 at 13:29 in Java, Oracle, Zero-Day | | Comments (0)

14 January 2013

Microsoft Patch Tuesday, January 2013 - Part II

It's now official, there is another bulletin (MS13-008) release for the month of January and affected Microsoft Windows users should be expecting a out-band security patch soon. This out-of-band security patch fixes one memory corruption vulnerability discovered in Internet Explorer affecting version 6-8 that can result in remote code execution.  Any vulnerability that allow remote code execution is critical and it should be patched ASAP.  

Continue reading "Microsoft Patch Tuesday, January 2013 - Part II" »

Posted by on 14 January 2013 at 13:21 in MAPP, Secure Web Gateway, Zero-Day | | Comments (0)

10 January 2013

First Java 0day For The Year 2013

Today @Kafeine was the first to announce the new Java 0day. This 0day allows an attacker to execute malicious code on any desktop with Java 1.7 u10 (or prior) installed – which is the latest version from Oracle.

After some preliminary analysis it seems this 0day is using a similar tactic to CVE-2012-5088, which was patched by Oracle last October. On top of using java.lang.invoke.MethodHandle.InvokeWithArguments() from CVE-2012-5088, the attacker smartly takes advantage of MBeanInstantiator in order to get a reference to a restricted class from a trusted caller (MBeanInstantiator is trusted). This is accomplished via the findClass method, which in turn will call the inner loadClass method.

The “heart” of the exploit: Java 0day
We are glad to announce that all our customers using Trustwave's Secure Web Gateway are protected against this 0day attack. There’s no need for any additional updates to be applied. A good continuation of last year’s streak of 4 out of 4 Java 0days blocked out of the box.

We will continue monitoring this threat and provide protection to our customers.

Posted by on 10 January 2013 at 10:06 in Java, Oracle, Secure Web Gateway, Zero-Day | | Comments (1)

08 January 2013

Goodies released with Trustwave SWG Security Update 141

As cliché as it may sound, security is done in layers and so, using our generic rules, we were able to provide 0-day protection against the recent Internet Explorer 0-day CVE-2012-4792 with our Secure Web Gateway (SWG). You can read more in our previous blog posts:
exploit analysis and payload analysis.

With today’s release of Security Update 141 for SWG we are
adding detection rule which is specific to CVE-2012-4792, named “Internet
Explorer CDwnBindInfo Object use-after-free vulnerability”. This rule will
provide another layer of defense against exploits of this vulnerability.

TURKTRUST Inc., a trusted CA, has incorrectly created two subsidiary certificates which one of them was later used to generate a fraudulent digital certificate of Google. That certificate
was then used in an active attack. As a result, SU141 is removing SWG trust of the following certificates:

  • *.google.com issued by
    *.EGO.GOV.TR
  • e-islem.kktcmerkezbankasi.org
    issued by TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri
  • *.EGO.GOV.TR issued by
    TURKTRUST Elektronik Sunucu Sertifikasi Hizmetleri

For further information, see Microsoft’s Security Advisory 2798897.

Security Update 141 comes with some more goodies. Here is a link to the release notes for further information.

Stay safe.

Posted by on 08 January 2013 at 10:27 in Secure Web Gateway, Security Research, SSL, Zero-Day | | Comments (0)

04 January 2013

Dissecting a CVE-2012-4792 Payload

A little while ago I was fortunate enough to get ahold of a sample that was dropped on a system after it was infected via the exploit outlined in CVE-2012-4792. For those that may not have heard, this CVE has gotten quite a bit of buzz as of late, mainly because it exploited a zero-day vulnerability in Microsoft’s Internet Explorer browser. Microsoft's original advisory can be found here. Rami Kogan, of SpiderLabs, also recently wrote a blog post that dealt with the exploit itself. You can find it here.

Unfortunately (or fortunately depending how you're looking at it), the malware campaign that provided this executable quickly was taken offline. As such, I had to go into this sample somewhat blind. No matter, as I always enjoy a fun challenge. So let's dig in.

Continue reading "Dissecting a CVE-2012-4792 Payload" »

Posted by on 04 January 2013 at 14:26 in Malware, Zero-Day | | Comments (0)

03 January 2013

Microsoft Advance Notification for January 2013

If you were hoping for a nice relaxing Patch Tuesday after the holidays, well, sorry to disappoint you.  Microsoft will be issuing seven new bulletins next week, two of them are rated as ‘Critical’. Both critical bulletins can result in the holy grail of remote code execution.  The other five bulletins are all rated as ‘Important’. 

Of the two critical bulletins one of them lists all currently supported versions of Windows from XP SP3 up to Server 2008 R2 as well as several versions of Office, Sharepoint and Groove Server. This is most likely an issue in one of the base libraries meaning it will have a wide impact.  The other critical bulletin only lists Windows 7 and Server 2008 as vulnerable but it still results in RCE so it shouldn’t be taken as any less serious.

The five remaining ‘Important’ bulletins result mostly in Elevation of Privilege with one Security Feature Bypass and one Denial of Service. Six of them impact different versions of Windows and Windows Server with one Elevation of Privilege hitting Microsoft System Center Operations Manager. The MS SCOM is a cloud management platform allowing you to manage multiple hypervisors.

In addition to these you have probably heard of the zero-day vulnerability that exists in Internet Explorer 6, 7 and 8 that is actively being used in targeted attacks. While the update for the zero-day won't be included in this month's bunch of updates, Microsoft has already released a Fix-It tool for it.

But that’s not all, there are also active ongoing attacks using fraudulent certificates issued by TURKTRUST inc.  The fraudulent certs were issued for *.google.com and could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties. Microsoft has already updated the Certificate Trust List. If you are using the automatic updater of revoked certificates you are all set. If not, or you are still using XP or Server 2003, you will find an update for you in Microsoft Update.

We will have full details of all seven bulletins next Tuesday when Microsoft releases the full details.

Posted by on 03 January 2013 at 14:42 in MAPP, SSL, Zero-Day | | Comments (0)

18 December 2012

Finding Zero Days & Reading Your Mind in the Year 2052

A number of months ago, I was approach by the organizers of TEDxNaperville to speak at their next event. Until this time, I was loosely familiar with TED* and had heard many other people talk about the great talks they watched on their website or via their iOS app. I had never attended a TED event nor had I really watched a talk in its entirety before, so I wasn't sure what would excite this audience.

Obviously, the topic I was asked to speak about was security and privacy, but there wasn't anything more that was required of me.  As someone who often speaks at various events each year, I didn't want to do a talk based directly upon topics I normally speak about. I was also encouraged by the organizers to reach outside my comfort zone and really challenge myself. So I made a list of the items that I was not comfortable doing or talking about on stage (or to anyone for the most part):

  1. Giving a talk without slides or speaker notes
  2. Talking about my personal life
  3. Discussing my medical history
  4. Talking about religion and/or politics
  5. Making predictions about the far off future

Continue reading "Finding Zero Days & Reading Your Mind in the Year 2052" »

Posted by on 18 December 2012 at 10:45 in Conferences, Security Research, Zero-Day | | Comments (1)

20 September 2012

The New Zero-Day in Internet Exploder (Oops… Explorer)

The ride on the roller coaster called the web security world never stops and keeps providing us, the security researches, with new challenges. Blackhole v2 that just came out last week and which was in headlines seems like a distant history since the emergence of the new zero-day in Internet Explorer at the beginning of this week (CVE-2012-4969).

Continue reading "The New Zero-Day in Internet Exploder (Oops… Explorer)" »

Posted by on 20 September 2012 at 10:50 in Exploit Kits, Malware, Secure Web Gateway, Security Research, Zero-Day | | Comments (0)