Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2013
    S M T W T F S
    « Aug   Oct »
  • Email Subscription

  • About Us

    Archive for September 10th, 2013

    Patch-Tuesday_gray Microsoft Outlook, Internet Explorer are two of the four Critical bulletins (plus ten bulletins rated as Important) in today’s Microsoft Patch Tuesday. Particularly troublesome is the Outlook vulnerability, which is exploitable via preview pane. By not applying these updates, vulnerable systems are at risk of malware infection and unwanted data disclosure among others.

    The four critical bulletins all pose serious risks to users and organizations. If not addressed, the vulnerability in Microsoft Outlook can lead to malware execution once users preview a maliciously crafted email message using Outlook. Applying this patch should be a priority, particularly for organizations who are under the constant threat of targeted attacks by way of spear-phishing.

    For the past months or so, Microsoft has consistenly released Critical security bulletins for Internet Explorer. This month is no different, with security patches for ten privately vulnerabilities affecting several IE 6, including a privately reported IE 10 flaw on Windows 8 and RT. Similar to the Outlook vulnerability, an attacker can exploit this to execute a malware.

    What is interesting is the inclusion of security patches for Windows XP, which Microsoft will stop supporting by April next year. For users and organizations still using the platform, it is important to start or at least seriously consider migrating to later versions of Windows to avoid threats similar to the Java 6 zero-day exploit seen two weeks ago, in which no consumer security updates are available for users as Oracle has already halted its support for that version.

    Security updates for SharePoint, which resolved ten vulnerabilities in the software, rounds up the Critical issues for this month. Those bulletins rated Important include vulnerabilities in MS Office, Excel, FrontPage and Windows, that can lead to varied threats, including an attacker gaining administrative access and risk of information leak among others.

    Users are advised to apply these security updates immediately. For IT administrators, applying certain security updates such as the SharePoint might be tricky, as these might need to be tested for any adverse impact on business operations. You may also visit our Trend Micro Threat Encyclopedia page to know more about how Deep Security solution.

    Posted in Exploits, Vulnerabilities | Comments Off on September 2013 Patch Tuesday Resolves Critical Outlook, IE Flaws

    Firefox OS is Mozilla’s foray into the mobile operating system field and promises a more adaptive mobile OS. But as mobile threats, in particular in the Android platform, has gained momentum, the question in everyone’s mind is – how safe is it?

    About a month ago, Telefonica announced that it had launched the Firefox OS – Mozilla’s mobile operating system – in Colombia and Venezuela. Separately, ZTE is also selling Firefox OS devices via their eBay store directly to end users.

    The Firefox OS uses uses a Linux kernel and boots into a Gecko-based runtime engine, which lets users run apps developed entirely using HTML, JavaScript, and other open web technologies.

    Overall, Firefox possesses good app permission management, but core processes (with more privileges) may become a target for exploits. In addition, HTML5 features may become sources of potential vulnerabilities.

    Firefox OS Architecture Overview

    The Firefox OS has to connect web-based applications to the underlying hardware. It does this using an integrated technology stack consisting of the following levels:

    Figure 1. Firefox OS stack

    Gonk consists of the Linux kernel, system libraries, firmware, and device drivers.

    Gecko is the application runtime layer that provides the framework for app execution, and implements the Web APIs used to access features in the mobile device.

    Gaia is the suite of web apps that make up the user experience (apps consist of HTML5, CSS, JavaScript, images, media, and so on).

    The Gecko layer acts as the intermediary between web apps (at the Gaia layer) and the phone. It also enforces permissions and prevents access to unauthorized requests.

    Application security

    Firefox OS also has its own application layer design. There are three kinds of apps: hosted apps, privileged apps and certified apps.

    Hosted apps can be installed from any website, without any further verification. This doesn’t grant the app any additional permissions besides those already exposed to a web site. Privileged apps are allowed to request more permissions, but they must be verified and signed by a Marketplace (i.e., app store). Certified apps, which have the most permissions, can only be pre-installed on the device by the manufacturer.

    Figure 2. B
    There is a B2G process in the Gecko layer that has high privileges running in the background, and every app will run in a content process with low authority. Every request to the device asked by an app needs to pass to B2G process first, and the B2G process will check the permissions of the app.


    Firefox OS also contains extensive sandboxing. Each app runs in its own worker space and it has access only to the Web APIs and the data it is permitted to access, as well as the resources associated with that worker space (Indexed DB databases, cookies, offline storage, and so on).

    In addition, apps communicate only with the B2G process, not with other processes or apps. Apps do not run independently of B2G, nor can apps “open” each other. The only “communication” between apps is indirect, and is mediated by the B2G process.

    Exploiting the B2G process

    The B2G process is a core process of Firefox OS. It is in the Gecko layer in the Firefox OS technology stack. If this process is exploited, an attacker can obtain high-level privileges (like root access.)

    Approximately a month ago, a vulnerability in Firefox 17 was found which could be used to run arbitrary code. We have confirmed that this vulnerability can also cause the B2G process to crash, and that we can also control the IP (Instruction Pointer). This would allow an attacker to run arbitrary code on the device with the privileges of the B2G process.

    Mozilla’s documentation itself states the exploitation of B2G process is a  possible attack point for Firefox OS. This is because that content process can send dirty data to the B2G process.

    HTML5 vulnerabilities

    Because the apps for Firefox OS are built using HTML5 apps, we can expect that the HTML5 vulnerabilities will be used to exploit Firefox OS in the future. Independent research has said that HTML5 features can be used to do memory fills for heap sprays.

    The HTML5 command Uint8ClampedArray can be used to fill memory with high efficiency and easy to write code. It is easy to find a steady address filled with the payload using Uint8ClampedArray. HTML5 Web workers to fill memory quickly in using multiple threads, reducing the amount of time necessary to fill the memory.

    In our previous study of HTML5, we tackled on how this can be abused and can result to various attacks, including spamming, unauthorized bitcoin generation, phishing and a browser-based botnet. Since these HTML5-based attacks will be memory-based, traditional antimalware solutions will be challenging.

    Though the Firefox OS may not enjoy the market of the Android OS, the use of HTML5 is gradually gaining traction among users (Amazon also accepts HTML5 for its apps). Thus, regardless of OS, we can expect that as more apps and sites will use HTML5, such attacks will increase in the future.


    We believe that Firefox OS will face attack like other mobile OS. The most harmful attack may be exploiting the B2G process. And, resources from browser exploitation would be useful for exploiting Firefox OS because it is Gecko based and its apps are written by HTML5. Users, on the other hand, will benefit from understanding the risks involved in using HTML5 and how they can avoid these. For more information, you may refer to our research paper HTML5 Overview: A Look At HTML5 Attack Scenarios.

    Update as of 5:30 PM PDT, September 12, 2013:

    Mozilla has confirmed that this vulnerability is present in Firefox OS, but it has been patched in the update to version 1.1.

    Posted in Mobile, Vulnerabilities | Comments Off on Investigating the Security of the Firefox OS

    While millions of mobile users are anticipating the launch of the new iPhone (5S and 5C), cybercriminals are already making their move to distribute spam that promise to give away the said devices for free, in the guise of a contest.

    We saw samples of spammed messages that attempted to spoof an Apple Store email notification. The said message informs recipients that they won the latest iPhone 5S mobile phones and iPad.

    Figure 1. Fake Apple email

    To get these prizes, they are asked to go to a specific website and disclose their email address and password. This will obviously result in your credentials ending up in the hands of cybercriminals.

    Figure 2. Phishing page

    The content of the message and the sender’s email address are obviously fake. However, its combination of perfect timing plus popular social engineering hook may cause users to fall into the spammers trap. The most important thing to know is:  “if it’s too good to be true, it probably is” .

    Feedback provided by the Smart Protection Network indicates that this mail is particularly effective in targeting Southeast Asian users:

    Figure 3. Most affected countries

    Trend Micro blocks the said email message and blocks access to the phishing site.

    Posted in Spam | Comments Off on iPhone 5S Phishing Mail Arrives In Time for Launch


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice