The Security Pub

Random Thoughts About Security

SQL Injection Attack Compromises 380,000 URLs

A massive SQL injection attack campaign has been spotted by Websense researchers, and the number of unique URLs affected by it has risen from 28,000 when first detected yesterday, to 380,000 when the researchers last checked.

The injected script redirects users that have landed on various infected pages to the domain in the script, which then redirects them further to a website simulating an anti-malware check and peddling a rogue AV solution.

Both sites are currently offline, say the researchers, but the attackers have started using other domains for redirection, and will likely keep changing them up.

The researchers also noted that some iTunes URLs have been injected with the script, but that Apple has done a good job in securing the site against this kind of attack.

“The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn’t execute on the user’s computer,” they explained.

Facebook will close all accounts today….

The latest scam to hit Facebook users is a slight variation of the survey scams that target them daily. It takes the form of an announcement, supposedly coming from Mark Zuckerberg, saying that Facebook will close down all accounts.


According to Graham Cluley, the offered link triggers the application permission dialog of a rogue application named “Update your Acc Urgent”, which will supposedly allow the user to keep his or her account.

A click on the “Allow” button adds the application to the user’s profile and allows it, among other things, to post status messages or other content on the user’s Wall, which it does immediately by posting the same message the user fell for.

In the meantime, the user is taken to a Facebook page containing the following explanation (which is horribly written):

“Facebook active account verification process. Facebook is recently becoming very overpopulated, There have been many members complaining that Facebook is becoming very slow.Record shows that the reason is that there are too many non active Facebook members And on the other site too many new Facebook members. We need each and every user to verify their account with our new verification process to see if Members are active or not, Once you have visited this verification. You have 15 minutes to verify your account.If you are active please verify to show that you are active .On failing to do so, The user will be deleted without hesitation to create more space. Sorry for the trouble! Regards CEO,Founder of Facebook Mark Zuckerberg”

A pop-up also appears in which the user is offered a number of surveys to choose from; completing one of them will supposedly prove that the user’s account is active and prevent its deletion.

Of course, this action has nothing to do with keeping your Facebook account active, and everything to do with keeping the scammers’ pockets filled with money, as they get paid for every completed survey. Users who have fallen for the scam are advised to delete the application and any messages it may have posted on their Wall.

New Adobe PDF Zero-Day Vulnerability

Adobe announced yesterday a security advisory regarding a recently discovered zero-day vulnerability that has already been exploited in the wild. The affected applications are Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

“A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is aware of public exploit code for this vulnerability.

“Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.

“Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.

“Users may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.”

Hijacking Microsoft's Help and Support

A security researcher has warned of a vulnerability in older versions of the Windows operating system that allows attackers to take full control of a PC. The flaw resides in the Windows Help and Support Center, a feature that provides users with online technical support. Malicious hackers can exploit the weakness of Windows by embedding commands in web addresses that activate the feature’s remote assistance tool, which allows administrators to execute commands over the internet. The exploit works in XP and Server 2003 versions of Windows and possibly others.

Check out the article – [The Register]

SECLISTS Article

US-CERT Vulnerability Note

Mass Infection of IIS/ASP Sites

Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google search today indicates that there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated.

More information can be found here.

http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html

http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html