Information Security all in one place!

Posts tagged “HTML

Intuit Quickbooks: Multiple Vulnerabilities


The following vulnerabilites have been discovered and privately reported for the following versions of Intuit Quickbooks products:

Quickbooks 2009 – Quickbooks 2012; in conjunction with Internet Explorer Versions 7-9

Vulnerabilities:

  1. Intuit Help System Protocol URL Heap Corruption and Memory Leak:Image representing Intuit as depicted in Crunc...
  • The vulnerability described in this document can potentially be
    exploited by malicious HTML and/or Javascript to execute arbitrary
    code as the user viewing the malicious content.
  1. Intuit Help System Protocol File Retrieval: 
  • The vulnerability described in this document can be exploited by
    malicious HTML and Javascript to retrieve a file from a ZIP archive to
    which the user viewing the HTML has local or network file system
    access.  The attacker must know or guess the path and file name of the
    target ZIP archive and the target file it contains.  A further
    significant limitation is that files in subdirectories inside of ZIP
    archives have proven inaccessible, based on a sampling of Windows
    ZIPs, Microsoft Office 2007 documents, JARs, and APKs.

No vendor response at the time of public release. More information with be posted has it becomes available.


iOS Safari: Address spoofing vulnerability


Through a vulnerability in WebKit in the mobile version of Safari, an attacker could manipulate the address bar in the browser and lead the user to a malicious site with a fake URL showing above it. The security researcher David Vieira-Kurz has published an advisory which explains the problem. Incorrect handling of the URL when the JavaScript method “window.open()” is used allows an attacker to “own” HTMLand JavaScript code in the new window and, in turn, change the address bar of the window.

Apple Safari icon

The research demonstrated the vulnerability at majorsecurity.net/html5/ios51-demo.html – a “Demo” button opens a new page that loads in apple.com borderless iframe and also displays apple.com in the addressbar, but the page itself has originated from majorsecurity.net. Fraudsters could use the vulnerability for phishing attacks by sending users to pages which appear to be their bank and asking for account data.

More on this story here: http://www.h-online.com/security/news/item/Address-spoofing-vulnerability-in-iOS-s-Safari-1476314.html


Botnet: Cutwail Returns; Overall Spam Increasing


According to M86 Security, the infamous Cutwail botnet (aka PandexMutant and Pushdo) appears to have been reactivated. The security specialists say that in the past few weeks they have registered several waves of HTML emails that were infected with malicious JavaScript and probably originated from Cutwail-infected PCs.

Cutwail had its heyday about five years ago, when it led the botnet activity list with 1.6 million infected computers. However, it lost its top position in the market after hackers intruded into the system and disclosed the names of customers and affiliates.

How a botnet works: 1. A botnet operator sends...

Image via Wikipedia

According to M86 Security, the volume of infected emails was 50 times higher between 23 and 25 January, and three further waves from 6 February were found to be as much as 200 times higher.

Infected emails had subject lines such as “FDIC Suspended Bank Account”, “End of August Statement” and “Scan from Xerox WorkCentre”.

Read More Here: Cutwail botnet back in action


Trojan downloader is a problem for virus scanners


Kaspersky Lab E-Store

The Microsoft Malware Protection Center has found a trojan downloader that does not have any suspicious routines in its initial state and is therefore difficult for virus scanners to detect. Once it has been started, the small Visual Basic program loads a web page for a Tibetan restaurant. The HTML for this site hides shell code that the program then downloads into RAMand executes.

Virus logo.

Although the executable file, which Microsoft has labelled TrojanDownloader:Win32/Poison.A, only produces an error message on a computer not connected to the internet, once the malicious code has been successfully run it copies itself into a system folder and from there begins to keylog.

A modern virus scanner’s behaviour monitoring system should be alerted at this point. The spying functionality that is downloaded once an internet connection is present comes from the free “Poison Ivy” trojan builder tool, which can provide the payload directly as shell code.

Normally, a downloader pulls an executable file from the internet, saves it on the disk, and executes it – activity that should alert a virus scanner’s behaviour monitor. This example once again shows how important it is to install a virus scanner with a behaviour monitor.

Related Atricle – https://blogs.technet.com/b/mmpc/archive/2012/01/24/a-different-breed-of-downloader.aspx?Redirected=true
Kaspersky Internet Security 2011