Showing posts with label update. Show all posts

Thursday, May 23, 2013

Microsoft Issues Worldwide Virus Alert

Computer viruses had attracted less attention, and left a smaller footprint online, over the previous year: attackers had largely moved on to other methods because classic viruses were considered too weak. Microsoft recently announced that this trend is set to reverse. A security expert from the company said that attackers are returning to viruses and pairing them with new attack vectors, and that this year the world will see a significant increase in virus-based attacks on both personal and corporate computers.

Low Broadband Penetration Rate



Tim Rains, the security expert who announced the news, said that Microsoft had been monitoring virus trends on the web and had seen the volume of viruses spike for the first time. He said that a low broadband penetration rate increases the chances of a computer becoming infected with malicious software, including Trojans and worms, and that attackers are exploiting this by using viruses more actively. Microsoft added that it had traced infections to countries including Egypt, Pakistan and Bangladesh.

Viruses Are Easy to Eliminate


Rains said that viruses remain relatively easy to remove because their signatures are easily detected and tracked. Users are expected to keep their antivirus software updated, which significantly reduces the chance of a successful virus infection.

[via NBC News ]

Thursday, March 14, 2013

AVG Mistakenly Flags Windows System File as Trojan

AVG antivirus software caused a bit of a ruckus for Windows XP users on Thursday morning after incorrectly flagging the Windows system file wintrust.dll as a Trojan, “Generic32.FJU.”

Users that followed the software’s instructions to remove the file and reboot the system would have their machines caught in a never-ending restart cycle.

At that point, users had to boot the affected system from a Rescue CD and copy wintrust.dll (taken from another PC running the same Windows version) back into the Windows\System32 folder to get things working again.

Thankfully AVG released a definition update to correct the problem shortly before 1pm, pushing out virus database 567 for AVG 9.0 and AVG 2012, and virus database 6174 for AVG 2013.

It is unclear how many users were affected by the false positive.

[via H Security]

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

Tuesday, March 5, 2013

Oracle Fixes Java 0-Days …Again (Last Java 6 Patch)

Oracle has released an emergency patch to address two critical vulnerabilities in Java 6 and Java 7, CVE-2013-0809 and CVE-2013-1493.

It was just last week that FireEye researchers advised users to disable Java browser plugins following the discovery that cybercriminals were exploiting CVE-2013-1493 to spread McRAT malware.

Oracle had intended to include a fix for the bug in the critical patch update scheduled for April 16th, but decided to release it ahead of time given the ongoing attacks. The company has been aware of the bug since February 1st, 2013.

Oracle recommends that users upgrade to the latest versions of Java, which are now Java 7 Update 17 or Java 6 Update 43 (no word on why Java 7 U16 or Java 6 U42 were skipped).

By the way, Oracle has stated that this will be the last security update for Java 6, so it's time to update to Java 7 if you wish to continue receiving public updates & security enhancements.

Users can upgrade Java by:

  • Using the built-in auto-update feature, or manually checking for updates through the Java Control Panel.

  • Downloading the latest version from java.com.



Friday, February 22, 2013

NBC Website Safe to Visit Again, Said to Have Been Infected for 24hrs

NBC.com appears to have been cleared of the malicious code that was performing drive-by-download attacks on unsuspecting visitors, but users should still make sure their antivirus programs are up to date and web filtering is enabled.

A NBC Universal spokeswoman told Reuters late Thursday that “a problem was identified and has been fixed,” but didn’t offer any details on what exactly happened.

The NBC spokeswoman did say that no NBC.com account information had been compromised, but could not confirm whether any users had been infected as a result of the hacking.

Although there have been reports that the site was compromised for only a few hours, antivirus firm ESET began receiving reports that the site had been infected as early as February 20th at 17:00 CET (8:00 AM PST).

There was a long period of inactivity until 12:00 PM CET on February 21st (3:00AM PST), which is when reports started flooding in. The cause of the gap is unclear, but it’s possible that the malicious iframe could have been pointing to a dead link.

The malicious iframes loaded compromised third-party websites housing the RedKit and Styx exploit kits, which would attempt to exploit Java and PDF vulnerabilities to drop a variety of malware.

ESET identified one of the dropped payloads as Win32/TrojanDownloader.Vespula.AY, a Trojan that downloads additional malware and another as Trojan.JS/Exploit.Agent.NCX. The Citadel banking Trojan & ZeroAccess were said to be some of the other pieces of malware dropped in the attack as well.

ESET users that attempted to visit NBC.com during the attack would be denied access by the antivirus to prevent infection. This block has since been lifted from the main NBC website since it has been cleaned up, but ESET warns that several other related sites may still be infected.
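The injection described above is a hidden iframe that pulls an exploit-kit landing page from a third-party site into an otherwise legitimate page. As an added example (not ESET's or NBC's code, and not tied to the actual NBC.com markup), the script below scans a page's HTML for iframes that are both invisible to the visitor and sourced from a different site, which is the combination a drive-by injection needs. The sample HTML and the exploit-kit.test host are constructed for the example; the "hidden" heuristics (zero or one-pixel size, display:none, visibility:hidden, negative offsets) are the ones commonly seen in injected iframes and are assumptions, not a complete list.

```python
"""Flag hidden iframes that pull content from another site, the injection
pattern described in the post above.  Added example, not ESET's or NBC's code.
The HTML below is constructed; exploit-kit.test is a placeholder, not a real host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline styles that make an element invisible or push it off-screen.
_HIDE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)
_STYLE_SIZE_RE = re.compile(r"(width|height)\s*:\s*(-?\d+)", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _hidden_reasons(attrs):
    """List why this iframe would be invisible to the visitor (empty if visible)."""
    reasons = []
    for dim in ("width", "height"):
        raw = attrs.get(dim, "").strip().lower().rstrip("px")
        if raw.lstrip("-").isdigit() and int(raw) <= 1:
            reasons.append("%s=%s" % (dim, attrs[dim]))
    style = attrs.get("style", "")
    for dim, value in _STYLE_SIZE_RE.findall(style):
        if int(value) <= 1:
            reasons.append("style %s:%s" % (dim.lower(), value))
    if _HIDE_RE.search(style):
        reasons.append("style hides the element")
    return reasons


def _registrable(host):
    """Crude same-site check: drop a leading 'www.'."""
    return host[4:] if host and host.startswith("www.") else host


def find_suspicious_iframes(html, page_url):
    """Return hidden iframes whose src lives on a different site than the page."""
    page_site = _registrable(urlsplit(page_url).hostname)
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlsplit(src).hostname  # None for relative URLs
        if host is None or _registrable(host) == page_site:
            continue  # same site: ordinary embedded content
        reasons = _hidden_reasons(attrs)
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one visible third-party embed, one hidden
# same-site widget, and one hidden iframe pointing at an exploit-kit host.
SAMPLE_HTML = """
<html><body>
<h1>Constructed sample page</h1>
<iframe src="http://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/widgets/weather.html" width="0" height="0"></iframe>
<div><iframe src="http://landing.exploit-kit.test/in.php" width="1" height="1"
  style="visibility:hidden"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, "http://www.nbc.com/"):
        print("SUSPICIOUS", f["src"], "->", ", ".join(f["reasons"]))
```

Only the exploit-kit iframe is reported: the YouTube embed is third-party but visible, and the zero-size weather widget is hidden but same-site. Hidden same-site iframes are deliberately not flagged because sites use them for their own tracking and widgets; if you want them too, drop the same-site test and review the extra noise by hand.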

Keep Your PC Safe When Surfing the Web


As you can see, you don’t have to visit a “shady” website in order to have your PC infected with malware. Help keep your computer safe while surfing the web by:

  • Always running antivirus/anti-malware software and keep the virus definitions current. (And pay attention to blocked site warnings!)

  • Keeping your operating system and installed third-party software fully patched and up-to-date.

  • Removing or disabling Java browser plugins if they're not needed - Java vulnerabilities are often targeted in cyberattacks.

  • Exercising caution when clicking shortened or suspicious links and always do a little research before following them.

  • Not downloading or opening files from unknown or untrusted websites (or emails, for that matter).



Wednesday, February 20, 2013

Adobe Patches 0-Day Flaws in PDF Reader & Acrobat

Adobe has released an emergency patch to fix two critical vulnerabilities in Adobe Reader and Acrobat 9.5.3, X and XI that cybercriminals are actively exploiting in targeted attacks.

The vulnerabilities in question, CVE-2013-0640 and CVE-2013-0641, are the same ones that FireEye researchers spotted early last week.

Users are advised to update Adobe Reader and Acrobat as soon as possible due to the ongoing attacks. The exploit discovered by FireEye is the first to bypass the built-in sandbox security feature in Reader and Acrobat.

How to Update Adobe Reader


To update Adobe Reader, users can:

  • Use the program’s built-in update mechanism, which is set to run automatic update checks on a regular schedule by default.

  • Check for updates manually by going to Help -> Check for Updates…

  • Manually download and apply the update:



How to Update Adobe Acrobat


To update Adobe Acrobat, users can:

  • Use the program’s built-in update mechanism, which is set to run automatic update checks on a regular schedule by default.

  • Check for updates manually by going to Help -> Check for Updates…

  • Manually download and apply the update:

    • Windows (Acrobat Standard, Pro & Pro Extended Users)

    • Mac OS X (Acrobat Pro)





Apple Issues Java Patch & Malware Removal Tool Following Malware Attack

Go ahead and take a moment to check for software updates on your Mac if you haven’t done so already.

Apple did as promised yesterday and released a Java security update & malware removal tool after finding that their own company computers fell victim to a Java-based drive-by-download attack.

According to the security advisory, the update addresses a slew of Java vulnerabilities in Java 1.6.0_37, “the most serious of which may allow an untrusted Java applet to execute arbitrary code outside the Java sandbox.” Users applying the patch will be updated to Java version 1.6.0_41.

Also included in the update is a malware removal tool that Apple says will remove the most common variants of malware: “If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found. This update is available for systems that installed Java 6.”

As previously stated, the update can be applied by selecting 'Software Update' on your Mac's menu bar or fetched from Apple Downloads and applied manually:

Have you updated your Mac yet?


Tuesday, February 19, 2013

iPhone Developer Forum Linked to Facebook, Apple Malware Attacks

If you’re like me, you’ve probably been wondering what websites Facebook and Apple employees were visiting before malware was discovered on their company machines.

How else could the rest of us do our best to avoid the same fate? [On that note, do not visit the website I am about to mention as it could still be infected. It is being disclosed as a warning.]

As it turns out, sources close to the Facebook hacking investigation revealed to AllThingsD that iPhoneDevSDK[dot]com, an iPhone developer forum frequented by the iOS development teams of well-known companies, was likely the website used to conduct drive-by-download attacks against Facebook and Apple employees.

The malicious code embedded on the iPhoneDevSDK website exploited a zero-day vulnerability within Oracle’s Java browser plugin in order to plant malware on the machines of Facebook (& possibly Apple) employees.

This type of attack is commonly referred to as a “watering hole” attack. Instead of pursuing victims using poisoned emails, attackers inject malicious code into a website frequented by their targeted demographic. In this case, the targeted demographic happened to be the mobile developers for various companies, including Facebook.

That being said, if you or someone you know has recently visited iPhoneDevSDK, check whether Java is installed on the system. If it is, there's a good chance the system has been compromised. Now would be a good time to apply Apple's security patch related to this attack, since it bundles a malware removal tool.


Wednesday, January 23, 2013

Critical Vulnerability Patched in Foxit Reader 5.4.5 - Update Now

If Foxit Reader is your preferred choice to open, view and print PDF files, make sure you’re running the latest version, 5.4.5.

Foxit Software released 5.4.5 following the discovery of a serious vulnerability in the Foxit Reader browser plugin that could allow an attacker to execute arbitrary code on a user’s computer.

A security bulletin posted on the Foxit Software’s website explains, “The vulnerability is caused by a boundary error in the Foxit Reader plugin for web browsers (npFoxitReaderPlugin.dll) when processing a URL and can be exploited to cause a stack-based buffer overflow via an overly long file name in the URL.”

The vulnerability, which was originally found by independent security researcher Andrea Micalizzi, affects Foxit Reader 5.4.4 and earlier.

Users can update to Foxit Reader 5.4.5 by selecting the ‘Check for Updates’ option under the application's Help menu, or by manually downloading and installing the latest update from the Foxit Software website.

Foxit Reader is often recommended as a safer alternative to Adobe's PDF Reader, which is commonly targeted by attackers, but the flaw in Foxit Reader was publicly known for a little more than a week before Foxit Software issued the patch.

Do you use Foxit Reader?


Friday, January 18, 2013

Nasty Trojan Posing as Bogus Java "Update 11" Patch

On the hunt for the latest Java update?

Make sure you download it from a reliable source, like say, java.com and not some random third-party website.

TrendMicro found at least one website peddling malware disguised as a fake “Java Update 11” update.

The threat in question is a nasty Trojan detected as JAVA_DLOADER.NTW that’s delivered as a file named javaupdate11.jar.

The bogus update file, javaupdate11.jar, contains javaupdate11.class, which downloads and executes two malicious files, detected as BKDR_ANDROM.NTW and TSPY_KEYLOG.NTW:

Once executed, BKDR_ANDROM.NTW will open a backdoor on the infected system to grant remote access to an attacker.

Users are more likely to notice TSPY_KEYLOG.NTW, though, as it will download ransomware (TROJ_RANSOM.ACV) that will attempt to lock the affected machine and demand payment from the end-user to regain access.

Steer Clear of Fake Java Updates!


It’s important to note that this malware does not exploit any Java-related vulnerabilities: it requires user interaction to make its way onto a PC. So, you should be safe as long as you:

  • Download Java updates directly from Oracle on java.com, or simply use Java’s built-in update mechanism to download and install updates.

  • Do not download Java updates from random websites.



Dangers Still Lurk in Java; Vulnerabilities Found in Java 7 Update 11

Java has been under a lot of fire recently, both from the cybercriminals that exploit it and from the various entities that advise users to disable or uninstall it.

The trouble began on January 10th when word hit that the bad guys behind the BlackHole and Nuclear Packs updated their crimeware with new exploits for a zero-day Java vulnerability affecting all versions of Java 7, including Java 7 Update 10.

Users were told to disable the Java browser plugin – or to remove Java altogether – in order to minimize the chances of an attack.

Three days later, Oracle released Java 7 Update 11 to address the vulnerability and beef up security by switching the default Security Level setting from Medium to High to prevent silent drive-by-download attacks:
This affects the conditions under which unsigned (sandboxed) Java web applications can run. Previously, as long as you had the latest secure Java release installed applets and web start applications would continue to run as always. With the “High” setting the user is always warned before any unsigned application is run to prevent silent exploitation.

All is well, right? Well, not so much, since reports of Java 7 Update 11 vulnerabilities have already begun to surface.

Adam Gowdiak of Security Explorations wrote a short post on the Full Disclosure mailing list stating they have “successfully confirmed that a complete Java security bypass can be still gained under the recent version of Java 7 Update 11 [1] (JRE version 1.7.0_11-b21).” Gowdiak went on to say that two new security vulnerabilities were discovered and reported to Oracle along with a working proof-of-concept.

Fortunately, Gowdiak told TheNextWeb that there’s no evidence of these new vulnerabilities being exploited in-the-wild (YET), and that the new security settings in Java 7 Update 11 will prevent some attacks granted the user doesn’t accept the malicious content.

So think twice before allowing unsigned Java applets to run on your system. Or just remove Java from your system.


Monday, January 14, 2013

(Updated) A Patch Coming for IE Zero-Day Later Today


Update: Microsoft has released the patch, as promised. Users can update via Windows Update or download & apply the patch manually.

Microsoft is planning on releasing an out-of-band update later today to address the zero-day vulnerability in Internet Explorer 6, 7 & 8 (CVE-2012-4792) which could allow attackers to execute malicious code.

This is excellent news considering cybercriminals have been exploiting the bug since December, and researchers wound up bypassing the temporary FixIt solution that Microsoft issued to help users defend themselves against attacks.

When it is released, users can download and apply the patch via Windows Update and other standard distribution channels. If you happened to install the temporary FixIt solution, Microsoft stated that it is not necessary to uninstall it before applying the permanent patch.

Microsoft will be holding a special, live webcast to answer any questions related to this update today, Monday, January 14th at 1 p.m. PST. You can register for the webcast here.

[via Microsoft]


Thursday, November 29, 2012

Shylock Trojan Detects & Avoids Remote Desktop Connections

If you were hoping to study the latest variant of the Shylock Trojan over a remote desktop connection, you’re out of luck.

Trusteer researchers discovered that Shylock is now capable of detecting remote desktop environments, which are commonly used by security researchers to analyze malware samples.

Shylock identifies remote desktop environments by “feeding invalid data into a certain routine and then observing the error code returned.” If the error code doesn't match ones expected from a normal desktop, Shylock won’t install.

Trusteer noted that it is possible to use this method to identify other known or proprietary virtual/sandbox environments.

Shylock’s new evasion technique will make it difficult for security researchers to study the malware and antivirus vendors to update detection signatures.

Of course, it is always better for users to take a proactive approach rather than a reactive one when it comes to malware, especially financial data-stealing malware like Shylock.

Being that Shylock often infects PCs via drive-by-download attacks and phishing emails, users are urged to:

  • Keep their operating system & third-party software patched and up-to-date.

  • Avoid clicking links or downloading files attached to emails from unknown/untrusted sources.

  • Always run antivirus that runs real-time scanning.



Thursday, August 30, 2012

Time to Update: Oracle Releases Java 7 Update 7 to Address 0-Day Flaws


Update: Security Explorations claims that vulnerabilities exist in the new patch, Oracle confirms their findings... again.

-------

Talk about a quick turnaround!

Oracle has just released Java 7 Update 7, which according to the release notes (and related Oracle Security Alert for CVE-2012-4681) addresses the 0-day vulnerabilities that are actively being exploited by cybercriminals to infect computers with malware.

Due to the severity of the vulnerabilities and reported exploitation of them in the wild, Oracle strongly recommends that users apply the updates ASAP.

Java 7 Update 7 can be downloaded directly from the official Java website: java.com.

Update now!


Wednesday, August 29, 2012

There's More Than One Java 0-Day Being Exploited; Where's Oracle?!

Update: Oracle has released an emergency patch to fix the 0-day vulnerabilities currently being exploited.

-- End Update --

As the minutes tick away, more information about the new Java 0-day vulnerability (CVE-2012-4681) we blogged about a few days ago has surfaced, and it’s not pretty. At all.

More Than One Java Bug Putting Users at Risk


Researchers have discovered that the exploit code that’s been used in targeted attacks wasn’t leveraging just one Java 0-day vulnerability, but two.

“The first bug was used to get a reference to sun.awt.SunToolkit class that is restricted to applets while the second bug invokes the getField public static method on SunToolkit using reflection with a trusted immediate caller bypassing a security check,” Esteban Guillardoy of Immunity Inc. explained in a Tuesday blog entry.

What Does Oracle Have to Say About All This?


So far, Oracle has not commented on the 0-day vulnerability reports currently circulating.

As if their silence wasn’t bad enough, Computer World reports that Oracle has known about the 0-day vulnerabilities for months.

Adam Gowdiak, founder and CEO of Security Explorations, stated that Oracle was notified about the two security holes – along with 12 other flaws – on April 2nd. The company continued to send Java 7 vulnerabilities to Oracle until a total of 29 bugs were reported.

There hasn’t been any explanation as to why Oracle has been dragging its feet to close the security holes, but a status report Security Explorations received on August 23rd from Oracle stated they were planning on fixing the two vulnerabilities currently being used in attacks in their October Critical Patch Update (CPU), along with 17 other Java 7 flaws that Security Explorations had previously submitted.

Java 0-day Exploit Code Added to BlackHole Exploit Kit


A visit to nearly any internet security website will land you face to face with the same advice:
If you don’t need Java on your PC, uninstall it immediately. If you do need it, at least disable the Java plug-ins on your web browser to minimize the chances of a malware infection.

That advice stems from the fact that the 0-day Java exploit code has been added to the widely-used BlackHole exploit kit.

"So far we have observed over a dozen domains actively attacking systems with this exploit, and the count is increasing rapidly." Atif Mushtaq from FireEye warned in a blog post on Tuesday, "After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands."

That sounds about right. The exploit code isn't reserved just for targeted attacks anymore. All it takes is a visit to a compromised site housing the BlackHole exploit pack.

Again, this Java exploit code does not discriminate against browsers or operating systems – researchers were able to successfully execute attacks against IE, Firefox, Opera, Safari, and Chrome on systems running Windows, OS X, and Ubuntu Linux.

It all depends what cybercriminals have configured the attack to drop on a victim’s machine: Windows-specific malware, or malware targeting a different OS.


Thursday, July 26, 2012

More Information on OSX/Crisis Trojan Released: What Can It DO?

More details about the newly-discovered Crisis Trojan targeting Apple users have emerged, and let me just say: OSX/Crisis (aka OSX/Morcut) is jam-packed with some extra creepy functionality.

Functionality


After OSX/Crisis has been successfully installed on a machine, it will inject itself into a number of programs to spy on the infected user’s activity.  These applications include popular ones like:

  • Skype

  • MSN Messenger

  • Adium

  • Firefox


In addition to tracking all activity within the programs listed above, OSX/Crisis allows an attacker to monitor and/or control the following operations:

  • Mouse position

  • Location

  • Internal Webcam & Microphone

  • Clipboard Contents

  • Key strokes

  • Running applications

  • Web addresses

  • Screenshots

  • Calendar Data & Alerts

  • Device Information

  • Address Book Contact Information


As you can tell, with OSX/Crisis on your system, you will have no sense of privacy. Everything you do is subject to being recorded – including any audio conversations held via Skype – and all of the data collected by OSX/Crisis will be sent to a remote server controlled by the attackers.

On a side note, Intego Security researchers found that there are sections of the Crisis Trojan’s code that suggests that it was a part of a commercial malware tool called “Remote Control System” (or RCS) that’s geared towards government surveillance and mainly sold in the US and Europe.

RCS, which was created by a company called HackingTeam, usually carries a hefty price tag of €200,000 ($245,664), leading Intego to believe that it’s likely only being used in targeted attacks.

Dr. Web’s write-up of OSX/Crisis, which they identify as BackDoor.DaVinci.1, appears to draw up the same conclusion.

Known Aliases


Although this new Trojan is often referred to as the “Crisis” Trojan, it does have other names:

  • OSX/Morcut (Sophos)

  • BackDoor.DaVinci.1 (Dr. Web)

  • Backdoor:MacOS_X/Flosax.A (Microsoft)


Graham Cluley of Sophos stated that the “Crisis” name is a result of the name appearing within the malware’s code. Instead of adopting the suggested name, Sophos opted to name the Trojan OSX/Morcut.

Dr. Web’s name seems to be derived from the name of the man who started HackingTeam, David Vincenzetti.

Microsoft stated on Facebook that they detect this threat as MacOS_X/Flosax.A.

Detecting & Removing OSX/Crisis


It’s important to note that OSX/Crisis has still NOT been spotted in the wild, so the risk of infection is relatively low. However, Intego, Sophos and Dr. Web all offer antivirus products capable of detecting and removing OSX/Crisis should it ever be actively spread.

For more information on OSX/Crisis, including what versions of OS X it runs on, check out my previous post.

[via Intego][via Sophos][via Dr. Web]

Note: This article was updated on 7/30/12 to add Microsoft's alias for OSX/Crisis.


Tuesday, June 5, 2012

Windows Updates Failing to Install? Try Using Windows Troubleshooter

Recently my home computer running Windows 7 experienced difficulties applying a set of updates, which I wasn’t too thrilled about for a variety of reasons:

  1. I was constantly being reminded (by my antivirus software, ESET) that my operating system was out of date.  Yes, thank you, I’m aware.

  2. Working for an IT company, I understand the importance of keeping your computer operating system fully patched. The last thing I want is my system to become infected with malware thanks to a vulnerability that would’ve been addressed had Windows Update worked properly.

  3. I prefer seeing the green shield icon and message saying there are “no important updates available” versus the red shield saying the updates were not installed.


Searching for a resolution for the Windows Update error code I was getting was no help. Attempting to install the updates one by one didn’t make a difference either; if anything, the individual attempts led to more confusion by throwing another error message into the mix: “The expected version of the product was not found on your system.”

At that point I was just annoyed – why was I being prompted to install these updates if they weren’t for software I had on my system? (It was for Microsoft Office 2007, by the way.)

After browsing through a few Microsoft Support threads related to Windows Update issues, I (finally) came across a potential fix for my problem.

Windows Update Troubleshooter to the Rescue!


In the event that you run into a similar situation and Windows Update fails to install any updates from Microsoft, I suggest giving the following a shot:

  • Click 'Start'

  • Type ‘Troubleshooting’ and press Enter. (FYI: the option is also in the Control Panel: under System and Security, click ‘Find and fix problems’.)

  • Click ‘Fix problems with Windows Update’

  • Click ‘Next’ and let the troubleshooter do its thing.


After all is said & done with the troubleshooter, try running Windows Update again. That did the trick for me and now my system is fully patched and up-to-date!

Did it work for you too?


Friday, May 4, 2012

Adobe Issues Patch for Flash Player Security Flaw Actively Being Exploited in Targeted Attacks

Take a moment to update Adobe Flash today, folks.

Adobe has released important security updates for Adobe Flash Player to plug an object confusion vulnerability that could allow an attacker to crash the application and take control of the affected system.

Adobe warns that the security flaw is actively being exploited in targeted attacks against Flash Player on Internet Explorer for Windows.  The attacks are email-based and involve tricking the user into clicking on malicious files delivered in email messages.

Although the attacks target Flash Player for Internet Explorer on Windows, Adobe recommends that all Windows, OS X and Linux users update to Flash Player 11.2.202.235, Android  4.x users update to Flash Player 11.1.115.8, and Android 3.x and earlier update to Flash Player 11.1.111.9 since the vulnerability exists in previous Flash Player versions for those platforms as well.

Check What Version of Flash Player You Have


Users can check what version of Flash Player they currently have installed by:

  1. Visiting the Adobe Flash Player page, or

  2. Right-clicking on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu.


You will have to check the version in each browser separately if you didn’t opt in to automatic silent updates (Google Chrome updates its bundled Flash Player automatically, so no user interaction is required there). Keep in mind that silent updates are only available for Windows at this time.

It is strongly recommended that Windows users update Flash Player immediately.
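Several posts on this page boil down to "compare what is installed against the fixed version": Oracle's Java 7 Update 17 / Java 6 Update 43, Apple's Java 1.6.0_41 for OS X, and the per-platform Flash Player builds listed above. As an added example (not code from Oracle, Adobe, Apple or the original posts), the script below parses the two version formats and answers that question with a plain tuple comparison, which avoids the string-comparison trap where "1.7.0_9" sorts after "1.7.0_17". The version strings it is fed are constructed sample inputs; on a real host the Java line comes from `java -version 2>&1` (it is written to stderr) and the Flash version from Adobe's version page or the "About Adobe Flash Player" menu.

```python
"""Minimum-version check for the Java and Flash Player advisories on this page.
Added example (not code from the original posts or from Oracle/Adobe/Apple).
The version strings fed in below are constructed sample inputs."""
import re

# Fixed versions named in the posts above (Oracle: Java 7 Update 17 and
# Java 6 Update 43; Adobe: Flash Player 11.2.202.235 for Windows/OS X/Linux,
# 11.1.115.8 for Android 4.x and 11.1.111.9 for Android 3.x and earlier).
JAVA_MINIMUMS = {
    (1, 7): (1, 7, 0, 17),
    (1, 6): (1, 6, 0, 43),
}
# Apple ships its own Java 6 builds for OS X; the Apple post above names
# 1.6.0_41 as the patched version, so Macs are compared against this table.
APPLE_JAVA_MINIMUMS = {
    (1, 6): (1, 6, 0, 41),
}
FLASH_MINIMUMS = {
    "desktop": (11, 2, 202, 235),
    "android4": (11, 1, 115, 8),
    "android3": (11, 1, 111, 9),
}

# First line of `java -version` (written to stderr), e.g.  java version "1.7.0_11"
_JAVA_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)_(\d+)"')


def parse_java_version(output):
    """Turn `java -version` output into a comparable (major, minor, patch, update) tuple."""
    m = _JAVA_RE.search(output)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % output)
    return tuple(int(x) for x in m.groups())


def parse_flash_version(text):
    """Turn a dotted Flash Player version such as '11.2.202.233' into a tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Flash Player version: %r" % text)
    return tuple(int(p) for p in parts)


def java_is_current(output, minimums=JAVA_MINIMUMS):
    """True if the installed Java is at or above the fixed version for its family.
    Families with no entry (Java 5 and older) receive no public updates at all,
    so they are never considered current."""
    version = parse_java_version(output)
    family = version[:2]
    return family in minimums and version >= minimums[family]


def flash_is_current(text, platform="desktop"):
    """True if the Flash Player version meets the advisory minimum for the platform."""
    return parse_flash_version(text) >= FLASH_MINIMUMS[platform]


if __name__ == "__main__":
    # Constructed sample outputs; on a real host run `java -version 2>&1`.
    for sample in ('java version "1.7.0_17"', 'java version "1.7.0_11"',
                   'java version "1.6.0_43"', 'java version "1.5.0_22"'):
        print(sample, "->", "OK" if java_is_current(sample) else "UPDATE")
    for sample in ("11.2.202.235", "11.2.202.233"):
        print("Flash", sample, "->", "OK" if flash_is_current(sample) else "UPDATE")
```

Two caveats the posts themselves hint at: `java -version` reports only the JRE first on the PATH, so a browser may still be loading an older plugin from a different install, and each browser (other than Chrome, which updates its bundled player itself) carries its own copy of Flash Player, so the Flash check has to be repeated per browser.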


Wednesday, May 2, 2012

Latest on Flashback Malware: The Malware’s Purpose, Current Botnet Size & Macs to Get Updates from Oracle

What’s the latest on the Flashback malware story?

The Motivation Behind Flashback Malware


Up until recently, reports only covered how many Macs had been infected with Flashback (aka Flashfake), with little said about what the malware actually did once it made its way onto Apple machines.

According to Symantec researchers, Flashback was generating revenue for its authors via click fraud using an ad-clicking component that was loaded into Chrome, Firefox & Safari upon infection.

When the user went to conduct a search on Google, the malware would go to work by stealing clicks from paid Google ads:
Flashback specifically targets search queries made on Google and, depending on the search query, may redirect users to another page of the attacker's choosing, where they receive revenue from the click. (Google never receives the intended ad click.)

The ad click component parses out requests resulting from an ad click on Google Search and determines if it is on a whitelist. If not, it forwards the request to the malicious server in the following form:

http://[FLASHBACK_DOMAIN]/search?q=[QUERY]&ua=[USER AGENT]&al=[LANG]&cv=[VERSION]

Symantec researchers discovered that each hijacked click was valued around $0.08 for the attackers, which quickly added up given the number of infected machines.

Symantec estimated that Flashback was capable of easily earning the attackers upwards of $10,000 per DAY. I know Google can’t be happy about that, especially since the infected Macs can continue to make the cybercrooks money even if they’re not communicating with the command & control servers.
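The beacon format Symantec quotes above is also a usable network indicator: a "search" request carrying q, ua, al and cv parameters to a host that is not Google. As an added example (not code from the original post or from Symantec), the following POSIX shell functions pull such requests out of a proxy log and summarise which clients are beaconing to which hosts. The log format (timestamp, client IP, method, URL, status) and the host names are constructed for this example.

```shell
#!/bin/sh
# Added example: flag Flashback-style ad-click beacons in a proxy log.

# Constructed sample log: timestamp, client IP, method, URL, status.
SAMPLE_LOG='1335900001 10.0.0.12 GET http://www.google.com/search?q=mac+antivirus 200
1335900002 10.0.0.12 GET http://www.google.com/aclk?sa=l&ai=abc 302
1335900003 10.0.0.12 GET http://update-check.example.net/search?q=mac+antivirus&ua=Mozilla%2F5.0&al=en-us&cv=1.2 200
1335900004 10.0.0.30 GET http://www.example.org/search?q=printers 200
1335900005 10.0.0.12 GET http://cdn.example.net/search?cv=1.2&al=en-us&ua=Mozilla%2F5.0&q=cheap+flights 200'

# Reads log lines on stdin; prints those whose URL has the beacon shape:
# a /search request with q=, ua=, al= and cv= (in any order) to a non-Google
# host. Normal Google searches carry q= but never ua=/al=/cv= together.
flashback_beacons() {
  grep -E 'https?://[^/[:space:]]+/search\?[^[:space:]]*' \
    | grep -E '[?&]q=' | grep -E '[?&]ua=' | grep -E '[?&]al=' | grep -E '[?&]cv=' \
    | grep -Ev 'https?://([^/[:space:]]*\.)?google\.[a-z.]+/'
}

# Reads log lines on stdin; prints "count client host" for each beaconing
# client/host pair so an analyst can see which machines need attention.
flashback_report() {
  flashback_beacons | awk '{ split($4, u, "/"); print $2, u[3] }' | sort | uniq -c
}

# Run directly: report on the embedded sample, or on a real log given as $1.
if [ -n "${1:-}" ]; then
  flashback_report < "$1"
else
  printf '%s\n' "$SAMPLE_LOG" | flashback_report
fi
```

The host filter only whitelists Google; if your environment proxies other search engines that legitimately use a /search path, widen the exclusion rather than dropping the parameter checks, since the ua/al/cv trio is the distinctive part.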

There is a bit of good news, though.

The Flashback Botnet is Shrinking!


Forbes reports that Dr. Web has provided new data indicating that around 100,000 Macs are dropping from the botnet per week, which is likely the result of users applying the system updates from Apple that remove the malware or installing antivirus software.

On top of that, new Flashback infections are said to have tapered off thanks to those same Apple updates patching the Java security hole that contributed to a large number of the infections.

Although the decline is slow, Dr. Web’s chief executive, Boris Sharov, estimates that in a month it will all be over.

Oracle Will Provide Java Updates Directly to Mac


Malware aside, Ars Technica says that Oracle will begin deploying Java security updates directly to Mac OS X in addition to Windows, Linux and Solaris, allowing Mac users to get the updates directly from the source vs. waiting for Apple.

Oracle has already issued its first release for OS X users, although it's only for the Java Runtime Environment and not the Java browser plug-in or Web Start application.

And as noted by Ars Technica:
Until the Web plugin is available from Oracle, however, Mac users may still be vulnerable to attacks based on Java exploits. Users who don't update to Oracle's version and still rely on Apple's deprecated version could face a similar security vulnerability. The good news is that Oracle offers automated update tools, so applying patches should be a no-brainer for Lion users and beyond from now on.

Oracle releases 4-6 updates for Java per year and plans on releasing a consumer version of Java SE 7, including the Java Runtime Environment (JRE) for OS X later this year.  (Read the related press release.)


Tuesday, April 24, 2012

Flashback RoundUp: Conflicting Infection Reports, More Zombie Macs, & New Variant Spotted

Phew!

A lot has been going on with the whole Flashback (or “Flashfake”) malware fiasco, so I’ll do my best to sum everything up…

Conflicting Reports on # of Macs Infected with Flashback Malware


For a short period of time, it appeared that things were improving as Symantec had reported that the number of Macs infected with Flashback malware had dropped from 600,000+ to 140,000.

Kaspersky Lab also reported a decrease in the number of infections, stating that only 30,000 Macs were still under the influence of Flashback (aka Flashfake) malware.

However, these numbers didn’t match up with the latest report from Dr. Web, which still reflected an army of zombie Macs that was still over 500,000 machines strong.

Confused? Good, so was the rest of the world, which led some to question whether security firms were attempting to scare users into purchasing antivirus software.

So, what’s with the discrepancy?

Apparently, sinkholes set up by Symantec (and other companies) were receiving only a fraction of the infected machines' check-ins.

Dr. Web reported that a server registered at IP address 74.207.249.7 (and controlled by an unidentified third party) would accept connections from infected Macs but never close the TCP connection. This left the bots in a ‘standby’ state as they waited for a reply from that server, preventing them from moving on to other command and control servers (or the sinkholes set up by the security companies tracking the malware).

Because each bot only counts at whichever server it is currently talking to, that changed the number of infected machines each set of researchers observed, which ultimately led to the contradicting reports.

Researchers at Intego agreed with Dr. Web’s claims and went on to say that there are likely infected Macs that are not being accounted for and that there was a possibility that more Macs are being infected on a daily basis.

Fueling the fire of uncertainty, Intego also reported that some of the specific domains that Flashback malware attempts to contact resolve to 127.0.0.1 (or localhost), keeping the Mac from reaching the command & control servers and knocking the stats even further off-track.

There’s a New Flashback Variant Out There…


As if that weren’t aggravating enough, Intego also reported yesterday that they’d spotted a new variant of Flashback (Flashback.S) that continues to exploit Java vulnerability CVE-2012-0507, which Apple patched earlier this month.

Intego warns this latest Flashback variant is actively being distributed in the wild (likely via drive-by-downloads) and does not require a password to be installed.

During installation, Flashback.S will place its files in the user’s home folder, at the following locations:

  • ~/Library/LaunchAgents/com.java.update.plist

  • ~/.jupdate


Once the installation is complete, Flashback deletes all of the files and folders in  ~/Library/Caches/Java/cache to remove the applet from the infected Mac and avoid detection or sample recovery.
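The two paths Intego lists, plus the emptied Java cache, are enough for a quick host check. As an added example (not code from the original post or from Intego), the following POSIX shell functions look for those artifacts in a given home directory, and optionally across every account under /Users. The home directory is a parameter so the check can be pointed at another user's folder or a mounted disk image; treating an empty cache directory as a weaker, separately reported signal is a judgement call made for this example, since a cache can be empty for innocent reasons.

```shell
#!/bin/sh
# Added example: look for Flashback.S artifacts in a home directory.
# Exit status of check_flashback_s: 0 = no indicators, 1 = indicators found.

check_flashback_s() {
  home="${1:-$HOME}"
  found=0
  # The two files Flashback.S drops on install (paths as reported by Intego).
  for f in "$home/Library/LaunchAgents/com.java.update.plist" "$home/.jupdate"; do
    if [ -e "$f" ]; then
      echo "INDICATOR: $f exists"
      found=1
    fi
  done
  # Flashback.S empties the Java applet cache after install. An empty cache on
  # its own is weak evidence, so it is reported but does not change the result.
  cache="$home/Library/Caches/Java/cache"
  if [ -d "$cache" ] && [ -z "$(ls -A "$cache")" ]; then
    echo "NOTE: $cache exists but is empty (consistent with Flashback.S cleanup)"
  fi
  return $found
}

# Run the check for every account under /Users (standard macOS layout).
# Exit status: 0 = all clean, 1 = at least one account had indicators.
check_all_users() {
  rc=0
  for acct in /Users/*; do
    [ -d "$acct" ] || continue
    echo "== $acct"
    check_flashback_s "$acct" || rc=1
  done
  return $rc
}

# Run directly: check a given home directory, or the current user's.
if [ -n "${1:-}" ]; then
  check_flashback_s "$1"
fi
```

A hit on either file is a reason to apply Apple's removal update (below) and then re-run the check; a clean result only says this variant's known artifacts are absent, not that the Mac is uninfected.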

Protect Yourself from Flashback Malware


If you haven’t done so already, I strongly recommend that you:

  • Apply all of the security updates issued by Apple to remove common variants of Flashback, patch the Java vulnerabilities exploited by the Flashback malware, and disable Java browser plug-ins if they go unused for an extended period of time (Lion only).

  • Consider disabling Java on your machine or toggle Java browser plug-ins as needed.

  • Install antivirus software on your Mac. Sophos offers a free Mac antivirus solution, so you really don’t have an excuse for not doing it.

  • Keep all software up-to-date and be careful of what files you download or websites you visit. Remember, you don’t have to visit a “shady” site to be infected by malware. Cybercriminals often use compromised sites to deliver malware via drive-by-downloads, including Flashback.


What measures are you taking to protect your Mac?

Friday, April 13, 2012

Apple Releases its Flashback Removal Tool to Mac Users

Make sure you take a moment to update your computer today, Mac users.

Apple has kept its word and released another Java update, this time to remove the most common variants of the Flashback malware.

Aside from that, Apple’s advisory on the Java update for Lion states that it will "configure the Java web plug-in to disable the automatic execution of Java applets" to help thwart future malware attacks. Lion users will be able to re-enable the feature, however if the Java web plug-in goes unused for an extended period of time it will automatically be disabled again.

Meanwhile, the details for the Java update for Snow Leopard (OS X 10.6) recommend that the Java plug-in be disabled manually.

It is recommended that all Mac users who have Java installed on their machines apply the “Java for OS X Lion 2012-003” update.
