Researchers Find Malware in Zip Files

Security researchers have discovered flaws in common file formats, including .zip, that can be used to sneak malware onto computers by evading antivirus detection. They will present their findings at Black Hat Europe. Read the full article. [CNet]

Google to Release Findings on Fake AV

New research from Google underscores the breadth of fake antivirus operations on the Web. An analysis of 240 million Web pages collected by Google’s malware detection infrastructure over a 13-month period discovered more than 11,000 domains involved in the distribution of rogue antivirus (AV). Read the full article. [eWEEK]

We’ve been saying this for years but there’s a certain desperation today for an SDL-type program at Apple.   The security reality does not match Apple’s marketing/advertising and, as the Pwn2Own exploits show, the company is running around in circles trying to keep hackers at bay.  Apple needs to swallow hard and hire a security chief with experience in running a mandatory Security Development Lifecycle for all Internet-facing software.

Respect The Fuzzer

This image from Charlie Miller’s CanSecWest presentation (credit InfoSec Events) shows how a small home-brewed fuzzing tool found multiple exploitable vulnerabilities in Apple’s Preview, Microsoft’s PowerPoint and OpenOffice.   At the Pwn2Own contest, all the vulnerabilities used in the winning exploits were found via fuzz testing, a technique that provides invalid, unexpected, or random data to the inputs of a program.

Like Apple’s Safari, the open-source Mozilla Firefox browser does not properly implement ASLR, a key anti-exploit mitigation that can limit the damage from hacker attacks. Nils, the U.K.-based researcher who compromised a Windows machine running Firefox for the second year in a row, told me it’s “somewhat trivial” to bypass Firefox’s ASLR implementation because there are some .dll files that do not properly implement the address space layout randomization mitigation.
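A defender can audit for the gap described above by reading each module's PE header and checking whether it opts in to ASLR. The following is an added example, not code from the article or from Mozilla; the module names and header-only sample images are constructed for the demo, and the flag values come from the PE/COFF specification.

```python
import struct

# PE DllCharacteristics bits (from the PE/COFF specification)
DYNAMIC_BASE = 0x0040     # image opts in to ASLR (/DYNAMICBASE)
HIGH_ENTROPY_VA = 0x0020  # 64-bit high-entropy ASLR
NX_COMPAT = 0x0100        # image is DEP-compatible


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    opt_off = pe_off + 4 + 20                           # signature + COFF header
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < opt_off + 72:
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers.
    return struct.unpack_from("<H", image, opt_off + 70)[0]


def audit(modules: dict) -> list:
    """Names of modules that do not opt in to ASLR, sorted."""
    return sorted(n for n, data in modules.items()
                  if not dll_characteristics(data) & DYNAMIC_BASE)


def make_pe(flags: int, magic: int = 0x10B) -> bytes:
    """Constructed minimal header-only PE image for the demo (not loadable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + b"\0" * 20 + bytes(opt)


# Constructed sample set; on a real system, read each shipped module from disk.
SAMPLES = {
    "hardened.dll": make_pe(DYNAMIC_BASE | NX_COMPAT),
    "legacy.dll": make_pe(NX_COMPAT),
    "x64.dll": make_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA, magic=0x20B),
}

if __name__ == "__main__":
    print("modules without ASLR opt-in:", audit(SAMPLES))
```

Any module this reports loads at a predictable address unless the platform forces relocation, so it is the one to rebuild with ASLR enabled.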

The Pwn2Own contest is probably the best theoretical situation to show the damage that can be caused by skilled, dedicated attackers.  However, throughout the contest, many researchers say the cash and hardware prizes were not enough to get them to give up “high-value” browser vulnerabilities.  The contest sponsors paid $10,000 for every winning browser vulnerability but researchers say a reliable zero-day browser vulnerability/exploit is valued at ten times that amount.  

For the third year in a row, security researcher Charlie Miller successfully compromised a fully patched MacBook Pro machine with a Safari vulnerability and exploit. Despite Apple’s best efforts at making it difficult to exploit Mac OS X, Miller’s exploits show that Safari is still easy pickings because it lacks the mitigations found in Microsoft Windows. For example, Safari does not implement ASLR properly and does not have a sandbox to limit the damage from a hacker attack.

The iPhone sandbox has always been held up as a major roadblock to thwart hackers from doing damage on the device.  But, as European researchers Vincenzo Iozzo and Ralf Philipp Weinmann proved, a hacker can hijack a lot of sensitive data without ever leaving the iPhone sandbox.
