    TrendLabs Security Intelligence Blog

    Archive for January, 2013




    There has been much discussion about whether Oracle's fix for the recent Java zero-day, CVE-2013-0422, is incomplete. In this post, we would like to take the opportunity to clear up a few items around it.

    Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete. There are two issues in this CVE. One is with the findClass method of the com.sun.jmx.mbeanserver.MBeanInstantiator class. The other is with the invokeWithArguments() method of the java.lang.invoke.MethodHandle class. Oracle has fixed the latter, but the findClass method can still be used to get a reference to restricted classes. In short, the remaining issue in findClass leaves a hole that could be combined with another, new vulnerability.

    We would also like to clarify another point, this time concerning CVE-2012-3174. Contrary to some reports, it is NOT the issue with the Reflection API. The Reflection API issue is fixed as part of CVE-2013-0422. To quote the National Vulnerability Database (NVD) verbatim: “NOTE: some parties have mapped CVE-2012-3174 to an issue involving recursive use of the Reflection API, but that issue is already covered as part of CVE-2013-0422.”




    Microsoft has recently released a patch to address the zero-day exploit affecting certain versions of Internet Explorer. The exploit was found hosted on the compromised Council on Foreign Relations website. When exploited, this IE vulnerability could allow attackers to execute arbitrary code, compromising the security of affected systems. Note that this vulnerability only affects older versions of Internet Explorer (i.e. 6, 7, and 8); Internet Explorer versions 9 and 10 are not affected. Microsoft initially provided workarounds until the patch was released yesterday.

    Last week we also received reports of a zero-day exploit affecting Java. The exploit was used by cybercriminal toolkits such as the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK). Based on our investigation, the exploit code (detected as JAVA_EXPLOIT.RG) leads to the download of REVETON malware, or police ransomware. In response to this zero-day exploit, a Java software update has been issued. Prior to this release, the U.S. Department of Homeland Security recommended that users disable Java in their web browsers to protect their systems against attacks leveraging this vulnerability.

    Posted in Vulnerabilities



    Cybercriminals today create and use botnets to perpetrate their criminal activities. Whether the purpose is to send out Blackhole Exploit Kit spam or to gain entry points into organizations, the one constant is that most bots (victim computers) communicate back and forth with command and control (C&C) servers. Trend Micro’s Global Threat Intelligence, derived from our Smart Protection Network™, regularly monitors C&C servers, infected bots, and the malicious communication between the two to ensure our customers are protected.

    Today we’re publishing a new global map showing active C&C servers, highlighted by red dots, and bots (victim computers), highlighted by blue dots, to show you where these botnets are located in the world. If you are using the Chrome or Firefox browsers, you will see some of the dots radiate, showing any systems that are tied together (a unique botnet). All users can mouse over any of the servers to get a pop-up message that shows the server location, when it was first observed, the most affected countries, and the total number of victims we’ve found associated with that server. Note that the blue dots represent more than one victim in most instances.

    Posted in Botnets



    With Java going through another embarrassing zero-day vulnerability recently, it has become a common bit of advice for users to “uninstall Java”.

    In general, this is sound advice. If possible, users should uninstall Java if they don’t need it. Unfortunately, for many users this simply isn’t an option. Many enterprises have custom apps built on the Java platform. Consumers may also need access to Java for banking sites (many of which are Java-based) or software (Minecraft needs Java to run.)

    So, how can you use Java safely? First, the Java threat largely comes from malicious applets that come from malicious websites. If you have Java installed because an application needs it, then you can disable Java in your browser(s) without affecting your user experience.

    It used to be that you would have to do this on a browser-by-browser basis, but that isn’t the case anymore. In the current version of Java, you can do this in the Java Control Panel. Instructions on how to access this can be found here. Applets in webpages will no longer work, but Java apps will continue to run without any problems.
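The Java Control Panel checkbox described above is backed, from Java 7 Update 10 on, by a per-user deployment.properties file. The following is an added example, not code from the post or from Oracle, that parses that file and reports whether Java content in the browser is still enabled, and produces the hardened form; the key name deployment.webjava.enabled, the file locations and the constructed sample file are all assumptions about Oracle's deployment configuration.

```python
"""Report whether Java content in the browser is enabled, based on the Java
deployment.properties file that backs the Java Control Panel (Java 7u10+).
Added example: the key name deployment.webjava.enabled and the file paths
below are assumptions about Oracle's deployment configuration."""
from pathlib import Path

WEBJAVA_KEY = "deployment.webjava.enabled"  # assumption: key behind the Control Panel checkbox


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators,
    and backslash line continuations. Returns {key: value}, whitespace stripped."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\") and not line.endswith("\\\\"):
            logical += line[:-1]  # value continues on the next line
            continue
        logical += line
        sep = next((i for i, ch in enumerate(logical) if ch in "=:"), len(logical))
        key = logical[:sep].strip()
        value = logical[sep + 1:].strip()
        if key:
            props[key] = value
        logical = ""
    return props


def browser_java_enabled(props: dict) -> bool:
    """True unless the key is explicitly 'false'. An absent key counts as
    enabled on purpose: the checkbox defaults to on, so a missing setting must
    not be reported as hardened."""
    return props.get(WEBJAVA_KEY, "true").strip().lower() != "false"


def harden_properties(text: str) -> str:
    """Return the properties text with browser Java disabled, leaving every
    other line untouched (only the line whose key matches is replaced)."""
    out, replaced = [], False
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].split(":", 1)[0].strip()
        if key == WEBJAVA_KEY:
            out.append(f"{WEBJAVA_KEY}=false")
            replaced = True
        else:
            out.append(raw)
    if not replaced:
        out.append(f"{WEBJAVA_KEY}=false")
    return "\n".join(out) + "\n"


def candidate_paths() -> list:
    """Usual per-user locations of deployment.properties (assumed, per platform)."""
    home = Path.home()
    return [
        home / ".java" / "deployment" / "deployment.properties",  # Linux / Solaris
        home / "Library" / "Application Support" / "Oracle" / "Java" / "Deployment" / "deployment.properties",  # macOS
        home / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "deployment.properties",  # Windows
    ]


# Constructed sample file, used when no real deployment.properties is present.
SAMPLE_PROPERTIES = """#deployment.properties (constructed sample, not a real file)
deployment.version=7.11
deployment.webjava.enabled=true
deployment.javaws.shortcut=ASK_IF_HINTED
"""

if __name__ == "__main__":
    text = next((p.read_text() for p in candidate_paths() if p.is_file()), None)
    if text is None:
        print("no deployment.properties found; checking the constructed sample instead")
        text = SAMPLE_PROPERTIES
    props = parse_properties(text)
    print("browser Java enabled:", browser_java_enabled(props))
    if browser_java_enabled(props):
        print("hardened version:\n" + harden_properties(text))
```

The script only reads the file; applying the hardened text is left to the administrator, since the Control Panel may rewrite the file and the system-level deployment.config can override per-user settings.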

    What if you need Java for a website, like an internal company site or your bank?




    During the past two days there has been a lot of activity and concern around vulnerabilities in two different widely used technologies: Java and Ruby on Rails.

    With this post, Trend Micro wants to help people understand the situation, the risks, and how we are protecting our customers. Additionally we want to let customers know what they can do to protect themselves.

    As we noted yesterday, there is a new zero-day vulnerability affecting Oracle’s Java. The Java vulnerability situation is very serious. Because this is a zero-day situation, there is no patch available from Oracle at this time. The United States Department of Homeland Security today recommended disabling Java entirely until a patch is released.

    The vulnerability under active attack is being targeted from hacker tools like the Black Hole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK) that distribute malware, most notably ransomware like the Reveton variants.

    While not under active attack, the Ruby on Rails vulnerabilities are also serious. We’ve seen an announcement of two critical vulnerabilities affecting Ruby on Rails in the past couple of days. Unlike the Java situation, patches are available for these vulnerabilities, and there are no widespread attacks against them at this time. However, exploit code has been released as a module for the Metasploit framework, and the availability of exploit code does mean an increased risk of attacks against the vulnerability.

    It’s also worrisome to have both a serious server-side vulnerability and an actively attacked client-side zero-day vulnerability occurring at the same time. While there is no evidence of this at this time, it remains possible that attackers could use both: compromise web servers through the Ruby on Rails vulnerability and then place attack code on the compromised server that targets the Java vulnerability.

    This scenario could lend itself particularly well to “watering hole” style attacks like those we outlined in our 2013 Targeted Attacks prediction and have seen recently against the current Internet Explorer vulnerability attacked over the holidays.


    © Copyright 2013 Trend Micro Inc. All rights reserved.