Kaspersky has recently released a detailed description of the “Red October” attack, an espionage operation involving the infection of hundreds of computers targeting government networks, embassies, and scientific organizations. The victims have mostly been in Eastern Europe, according to Securelist, but computers around the world have been infected, including some in the United States.
The Kaspersky report linked above is fairly technical, but a number of other outlets have provided useful summaries of the analysis of Red October, including this article from TechNewsWorld and Securelist’s article linked above.
Reportedly, the attackers who wrote the code appear to be Russian-speaking. Red October also includes elements that have previously been used in attacks against Tibetan activists and other Asian military and energy targets.
Oracle has released a Java patch to address the major vulnerability reported a few days ago. Everyone is strongly recommended to install the update.
Sophos’ Naked Security blog offers this article that includes information about the vulnerability and the patch.
Oracle’s page for the patch, Java 7 Update 11, includes technical details of the fixes for this and another vulnerability. Downloads for the latest version of Java, including this update, are located at java.com.
A new 0-day Java vulnerability has been discovered that is already being used in malware distribution kits “in the wild.” No update to fix the problem is yet available.
Naked Security has provided an overview of the vulnerability along with links to instructions on how to disable the Java extensions in all major browsers until an update is released. These extensions are the vector for attack via malicious web sites, so it may be a good idea to disable them, at least temporarily.
For convenience, here are the links for each browser:
The first line of defence, of course, is always to be careful not to visit suspicious web sites in the first place.
A significant Yahoo Mail vulnerability has been discovered that has reportedly already resulted in a number of compromised accounts. The attack was first demonstrated by a hacker named Shahin Ramezany, who now claims that Yahoo’s initial fix is easy to work around. The last link even includes a video explaining how the cross-site-scripting (XSS) vulnerability works.
The Next Web closes its articles about this vulnerability with a couple of useful tips: Yahoo users should change their passwords immediately and take care not to click on suspicious links, even from senders they know (their friends’ accounts may already be compromised, allowing the attacker to send email from them).
This particular attack relies on persuading the victim to click on a link directing them to a site that harvests the contents of their Yahoo Mail cookies. The attacker then replaces the contents of two of their own cookies with those of the victim, allowing the attacker to effectively use Yahoo Mail’s “Remember Me”-style feature to bypass the password entry screen.
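The cookie-replay described above works because a “Remember Me” token copied out of the victim’s browser is just as good as the original. The following Go program is an added example, not code from the article or from Yahoo, showing two server-side defences a site can apply to such a feature: marking the cookie HttpOnly and Secure so script injected through an XSS bug cannot read it in the first place, and rotating the token on every use so that a copied token is detected and revoked when both the owner and the attacker present it. The series/token rotation scheme, the in-memory store and the cookie name are assumptions of this example; the page says nothing about how Yahoo’s feature is implemented.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// rememberEntry is one persistent-login record. The series identifies the
// browser's "remember me" grant; the token is replaced every time it is used.
type rememberEntry struct {
	user  string
	token string
}

// RememberStore is an in-memory stand-in (constructed for this example) for the
// server-side table a real site would keep.
type RememberStore struct {
	entries map[string]rememberEntry // keyed by series
}

var ErrTheftSuspected = errors.New("remember-me token replayed: possible cookie theft")
var ErrUnknownSeries = errors.New("unknown or revoked remember-me series")

func NewRememberStore() *RememberStore {
	return &RememberStore{entries: map[string]rememberEntry{}}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Issue creates a fresh series/token pair after a successful password login.
func (s *RememberStore) Issue(user string) (series, token string) {
	series, token = randomHex(16), randomHex(16)
	s.entries[series] = rememberEntry{user: user, token: token}
	return series, token
}

// Redeem validates a presented series/token pair. On success the token is
// rotated so each value is usable once. A known series with a stale token means
// two parties hold the cookie, so the whole grant is revoked.
func (s *RememberStore) Redeem(series, token string) (user, newToken string, err error) {
	e, ok := s.entries[series]
	if !ok {
		return "", "", ErrUnknownSeries
	}
	if subtle.ConstantTimeCompare([]byte(e.token), []byte(token)) != 1 {
		delete(s.entries, series)
		return "", "", ErrTheftSuspected
	}
	newToken = randomHex(16)
	s.entries[series] = rememberEntry{user: e.user, token: newToken}
	return e.user, newToken, nil
}

// RememberCookie builds the cookie that carries the grant. HttpOnly keeps
// injected script from reading it, Secure keeps it off plaintext HTTP, and
// SameSite limits cross-site sends.
func RememberCookie(series, token string) *http.Cookie {
	return &http.Cookie{
		Name:     "remember",
		Value:    series + ":" + token,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
		Expires:  time.Now().Add(14 * 24 * time.Hour),
	}
}

func main() {
	store := NewRememberStore()
	series, token := store.Issue("alice")
	fmt.Println("Set-Cookie:", RememberCookie(series, token).String())

	// The owner's browser comes back: the token rotates.
	user, next, err := store.Redeem(series, token)
	fmt.Println("owner:", user, err)

	// Constructed replay of the old value after rotation: detected and the series revoked.
	_, _, err = store.Redeem(series, token)
	fmt.Println("replay:", err)
	_, _, err = store.Redeem(series, next)
	fmt.Println("owner after revocation:", err)
}
```

The rotation only raises an alarm once both parties have used the cookie, so it is a detection control rather than a prevention; the HttpOnly flag is what stops the harvesting step, and a site that wants to limit the window further should also keep the grant’s lifetime short.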
Microsoft’s lightweight version of Windows 8 for tablets and ultra-low-end PCs, Windows RT, has apparently been hacked to allow desktop applications to run, albeit only those compiled for the ARM platform. An article from CIO reports that a hacker known as “clrokr” has developed a method for circumventing Windows RT’s code signing restrictions. This would allow programs other than those from the Windows Store to be run, even those that use the Windows desktop rather than the new Metro UI.
A blog post by clrokr explains the technical details of the hack. The effect is that Windows RT’s “minimum signing level” is adjusted to allow programs to be run that are not digitally signed by Microsoft (or by anyone). This effect is only temporary; UEFI Secure Boot forces the change to be reverted on every reboot, so the hack would have to be reapplied each time the device is powered on. The main limitation, however, is that only software compiled for the ARM processor architecture will run.
Google has reported that Chrome detected a fraudulent digital security certificate for the *.google.com domain. This could have potentially allowed whoever possessed the certificate to impersonate Google. The problem originated with a mistake by a Turkish Certificate Authority. From the Google blog post by software engineer Adam Langley:
TURKTRUST told us that based on our information, they discovered that, in August 2011, they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates.
The post from Google is a bit on the technical side, but The Register has a more straightforward explanation of the situation. To protect yourself against any potential misuse of these certificates, Microsoft recommends ensuring you have all the latest updates installed; Chrome and some other browsers update automatically.
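Why two intermediate CA certificates handed to ordinary customers were dangerous, and how a browser can still catch the result, can be shown with a small constructed PKI. The Go program below is an added example, not code from Google, TURKTRUST or the article: it builds a test root, issues a customer certificate with the CA flag mistakenly set, uses that certificate to sign a server certificate for a placeholder host name (www.example.test, not the domain from the report), and then shows that ordinary path validation accepts the result while a public-key pin check, which is how Chrome caught the real certificate, rejects it. All keys, names and serial numbers are generated for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template builds a server-style certificate; isCA is the basic-constraints bit that turns it into an issuing CA.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl for pub with the signer's key; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// VerifyChain is ordinary path validation: does leaf chain to root and match host?
func VerifyChain(leaf, inter, root *x509.Certificate, host string) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value a browser pins.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinMatches reports whether any certificate in a validated chain carries a pinned key.
func PinMatches(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[SPKIPin(c)] {
			return true
		}
	}
	return false
}

// Scenario builds the constructed PKI and reports whether the certificate minted under the mis-issued intermediate passes (1) path validation and (2) the pin check.
func Scenario() (chainValid, pinValid bool) {
	const host = "www.example.test" // placeholder, not the domain from the report
	rootKey := newKey()
	root := issue(template("ca.example.test", 1, true), nil, &rootKey.PublicKey, rootKey)
	// The CA's mistake: the customer asked for a server certificate but received CA:TRUE.
	custKey := newKey()
	customer := issue(template("customer.example.test", 2, true), root, &custKey.PublicKey, rootKey)
	// With CA:TRUE the customer's key can sign a certificate for any name at all.
	rogueKey := newKey()
	rogue := issue(template(host, 3, false), customer, &rogueKey.PublicKey, custKey)
	// The browser pins the host's genuine key, issued directly by the root here.
	realKey := newKey()
	real := issue(template(host, 4, false), root, &realKey.PublicKey, rootKey)
	pins := map[string]bool{SPKIPin(real): true}
	chains, err := VerifyChain(rogue, customer, root, host)
	chainValid = err == nil
	pinValid = chainValid && PinMatches(chains[0], pins)
	return chainValid, pinValid
}

func main() {
	chainValid, pinValid := Scenario()
	fmt.Printf("rogue certificate: path validation=%v, pin check=%v\n", chainValid, pinValid)
}
```

The lesson for anyone operating or auditing a CA is in the single `IsCA` field: a subscriber certificate with CA:TRUE is a signing authority for every name on the Internet, which is why browsers and Microsoft’s update removed trust in these two certificates rather than waiting for them to expire. Pinning, as implemented here, catches the misuse because the rogue chain never contains the key the site is expected to use.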
Microsoft has issued an advisory warning of a 0-day vulnerability in Internet Explorer 6, 7, and 8 that could allow malicious code to be executed on a victim’s computer as soon as they visit a compromised web site. More recent versions of Internet Explorer are not affected.
Symantec describes the means of infection as a “watering hole” attack as it involves exploiting a site the victim is likely to visit.
A temporary fix has been made available until a permanent one can be prepared for Windows Update. While the effect appears to be limited to the United States at present, it would be a good idea to apply the fix if you are still running Internet Explorer 6, 7, or 8. Microsoft has also recommended upgrading Internet Explorer to version 9 or 10, but Windows XP does not support these versions.