    Archive for May 30th, 2013

    Last January, we talked about a critical vulnerability in Ruby on Rails (CVE-2013-0156). At the time, we pointed out that there was no known attack, but that exploit code had been released as part of the Metasploit framework, which would increase the risk of an attack going forward. It was only a matter of time before it was used in an attack in the wild. We strongly urged server administrators to update their Ruby on Rails software to the latest, patched versions.

    At the time, we noted that Trend Micro Deep Security has protected users from the said vulnerability via the following DPI rules:

    • 1005331 Ruby On Rails XML Processor YAML Deserialization DoS
    • 1005328 Ruby On Rails XML Processor YAML Deserialization Code Execution Vulnerability

    These rules allow Deep Security to block network traffic that is related to this vulnerability, preventing any exploitation of the security flaw.
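    A defender-side check in the spirit of the DPI rules above, added here as an example and not part of the original post or of any Trend Micro product: it flags XML request bodies whose `type` attributes would route a value through YAML or symbol deserialization in an unpatched Rails. The `DANGEROUS_TYPES` list, the element names and the sample bodies are constructed for illustration.

```ruby
require "rexml/document"

# Attribute values that the XML parameter parser of an unpatched Rails
# handed to YAML or symbol deserialization (the CVE-2013-0156 path).
DANGEROUS_TYPES = %w[yaml symbol].freeze

# Walks every element of an XML request body and returns "element=type"
# findings for each type attribute naming a dangerous deserializer.
# The comparison is case-insensitive so the check errs toward flagging.
# Returns an empty array for clean bodies and for bodies that fail to parse.
def suspicious_xml_params(body)
  doc = REXML::Document.new(body)
  findings = []
  REXML::XPath.each(doc, "//*[@type]") do |el|
    t = el.attributes["type"].to_s.strip.downcase
    findings << "#{el.name}=#{t}" if DANGEROUS_TYPES.include?(t)
  end
  findings
rescue REXML::ParseException
  []
end

# Constructed sample bodies, not captured traffic.
CLEAN_BODY   = '<user><name type="string">alice</name><age type="integer">30</age></user>'
FLAGGED_BODY = '<user><name type="yaml">--- placeholder</name></user>'

if __FILE__ == $0
  puts suspicious_xml_params(CLEAN_BODY).inspect    # []
  puts suspicious_xml_params(FLAGGED_BODY).inspect  # ["name=yaml"]
end
```

    A non-empty result is a signal to log and reject the request at the edge, independent of whether the application server behind it has been patched.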

    Fast forward to May 28 this year: an exploit in-the-wild was found targeting the said vulnerability. The vulnerability was used to gain access to the affected systems and make them part of an IRC botnet. (The malicious payload is detected as ELF_MANUST.A.)

    Why was a vulnerability that is several months old still being exploited so heavily in the past week? The answer is simple: not everyone patches regularly, for various reasons. Security administrators have to consider several aspects, such as business continuity. Other factors include making sure that patches actually work, and delays caused by unexpected system behavior once updates are applied. To know more about this, you may read our report Monitoring Vulnerabilities: Are Your Servers Exploit-Proof?.

    This case, however, illustrates the downside of not patching: systems are put at increased risk, particularly if vulnerability shielding solutions are not integrated into existing systems. We will continue to monitor this threat and release updates as needed.

    Posted in Exploits: Trend Micro Deep Security Guards Users from Ruby on Rails Exploit

    The problem of mobile device theft has become sufficiently severe that legislators have decided to file bills addressing it. Last week, US Senator Charles Schumer re-filed the Mobile Device Theft Deterrence Act of 2013, which makes modifying a device’s International Mobile Equipment Identity (IMEI) number a crime punishable by up to five years in federal prison. In theory, this is supposed to make it more difficult for stolen devices to be reused and thus less appealing to steal. The CTIA, a trade group representing the wireless industry, has spoken out in support of the bill.

    Having one’s mobile device stolen has real costs. Replacing a phone can cost hundreds of dollars; any data on the device may be either lost or stolen. Enterprises particularly care about the latter problem, an item we discussed in the report Embracing BYOD: Are You Exposing Critical Data?.

    Even if the bill was passed, it’s unclear how much impact it would have, given how many stolen devices end up “exported” abroad. (Stolen goods being “exported” is not limited to electronics; for example, stolen cars have long been exported to places like Albania, Africa, and other less developed parts of the world.)

    The bigger issue is that other solutions that try to “fix” this problem may actually weaken mobile device security, not strengthen it. It is frequently suggested that “remote kill” systems, which would remotely disable stolen devices, be included in new devices. However, these are very problematic from a security perspective: the capability to remotely administer a device would have to be built into the device, i.e., a backdoor. If the capability to remotely kill a device is built into a product, it has to be assumed that a sufficiently determined attacker can access it and do whatever they want with that capability.

    There’s also the thorny issue of who would hold the keys: both end user and organizations can be socially engineered and end up with a malicious attacker disabling (or just threatening to disable) a device. We’re supposed to make devices more secure over time, not less; a “remote kill” system brings with it very real potential problems. It may be better to focus on locating the device after it has been stolen; this capability is already built into iOS and Windows Phone, but not Android.

    The real solution to the problem of stolen devices may be found by treating it as a police problem and not necessarily a technological one. Any proposed solution to device theft has to take all mobile security problems into consideration; the law of unintended consequences may strike again.

    Using technology to solve a crime problem may only go so far.


    Posted in Mobile: Mobile Device “Security”: The Problems of Remotely Disabling Stolen Phones

    Since its introduction in late 2012, Windows 8 has proven to be perhaps the most controversial version of Windows in recent memory. Much of the controversy is a direct result of its user interface, which represents a departure from the traditional desktop that’s been in use for many years. This debate has caused the other features of Windows 8 and its ARM-based cousin, Windows RT, to receive far less attention. These other features must be considered in deciding whether to migrate to Windows 8.

    From a security perspective, the picture is mixed. Some features, such as improved Unified Extensible Firmware Interface (UEFI) support, enhanced Address Space Layout Randomization (ASLR) support, picture passwords, and Internet Explorer 10, all help improve the new OS’s security. Windows To Go – a way to carry a fully managed Windows 8 image on a USB device – is meant to improve BYOD support. Not all of these features work as well as one would think, however. For example, the UEFI protection has been bypassed by proof-of-concept attacks. In addition, the drastically different UI can make things difficult for users. All of these need to be considered by users and organizations deciding whether or not to migrate.

    Our new report, Windows 8 and RT: New Beginnings, goes over the new features in Windows 8, paying particular attention to new security features. The report gives readers a good grasp of these new features and provides the information needed to decide whether to migrate to this new version or not. The full copy of the report may be found by clicking the link here.


    Posted in Bad Sites: Windows 8 and Windows RT: An Overview
