Latest Alerts from SANS Institute

The following alert updates and recommendations are being passed on to users. These highlight PDFs, the Kindle Touch, QuickTime, Java and WordPress plugins.

Title: Use of XML Templates To Embed Malware In PDFs Description: The Sourcefire VRT has received multiple reports of malicious PDFs being distributed in the wild that embed their malicious content inside of an XML template within the PDF. After extensive testing across thousands of PDF files, both malicious and benign, the VRT has determined that the number of legitimate uses of this functionality in the field today is so low that detection of such documents generically is a useful way to detect new malware variants. As always, users are highly encouraged to keep their PDF parsing applications up-to-date at all times.
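As an added illustration of the generic detection the VRT describes (this is not Sourcefire's rule or code): a small Python scanner that flags PDFs carrying an XML form template. It assumes the template is an XFA packet, i.e. an /XFA key in the AcroForm dictionary or an <xdp:xdp>/<template> element inside a (usually Flate-compressed) stream; the sample PDFs it builds are constructed inline.

```python
import re
import sys
import zlib

# Assumption: the "XML template" is an XFA (XML Forms Architecture) packet.
# A PDF using it carries an /XFA key in its AcroForm dictionary, and the
# packet itself is an <xdp:xdp> document holding a <template> element,
# usually hidden inside a Flate-compressed stream.
XFA_KEY = re.compile(rb"/XFA\b")
XML_TEMPLATE = re.compile(rb"<(?:xdp:)?xdp\b|<template\b")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def stream_bodies(pdf: bytes):
    """Yield each stream body, inflated when it is zlib (FlateDecode) data."""
    for match in STREAM_RE.finditer(pdf):
        body = match.group(1)
        try:
            # decompressobj tolerates the trailing EOL before 'endstream'
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # uncompressed or another filter: scan the raw bytes


def has_xml_template(pdf: bytes) -> bool:
    """True when the PDF references an XFA packet or embeds an XML template."""
    if XFA_KEY.search(pdf):
        return True
    return any(XML_TEMPLATE.search(body) for body in stream_bodies(pdf))


def build_sample(with_template: bool) -> bytes:
    """Constructed minimal PDF whose only stream is Flate-compressed."""
    xml = b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>'
    payload = zlib.compress(xml if with_template else b"BT (hello) Tj ET")
    return (b"%PDF-1.7\n1 0 obj<</Length " + str(len(payload)).encode()
            + b"/Filter/FlateDecode>>stream\n" + payload
            + b"\nendstream\nendobj\ntrailer<</Root 1 0 R>>\n%%EOF\n")


if __name__ == "__main__":
    # Usage: python scan.py file1.pdf file2.pdf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "XML template" if has_xml_template(fh.read()) else "clean"
        print(f"{path}: {verdict}")
```

A hit is a triage signal, not proof of malice: the VRT's point is that legitimate XFA use is rare enough that such files deserve a closer look.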

Title: Remote Root Exploit in Kindle Touch Description: The built-in browser for the Kindle Touch integrates support for the Netscape Plugin API, a modern cross-browser scripting language. Unfortunately, it is implemented in such a way that it allows injection of commands into the browser with root privileges. While the API is poorly documented, and few public details about exploitation currently exist in the wild, exploits will be trivial to write and should be presumed to exist at this point.

Title: Arbitrary Remote File Upload in WordPress Invit0r Plugin Description: The WordPress Invit0r plugin, which can be used to invite Yahoo contacts to visit your blog, has an arbitrary remote file include vulnerability. While it has been pulled from the official WordPress plugins site, multiple public exploits exist and are being actively used in the wild. While this particular plugin is not especially notable, it highlights the ongoing challenge of securing WordPress and other CMS systems, and the dangers created by such sites being exploited and used to host malware.

Title: Apple QuickTime Heap Based Buffer Overflow Vulnerability Vendor: Apple Description: Heap-based buffer overflow in Apple QuickTime before 7.7.2 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted text track in a movie file.

Title: Apple QuickTime TeXML Buffer Overflow Vulnerability Vendor: Apple Description: Multiple stack-based buffer overflows in Apple QuickTime before 7.7.2 on Windows allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted TeXML file.

Title: Oracle Java SE Remote Code Execution Vulnerability / Blackhole Exploit Kit Vendor: Oracle Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

Bandwidth-Burning Malware Among Biggest Consumer Threats

A new malware report indicates Android malware samples grew three-fold last quarter and that one in every 140 devices connected to mobile networks was infected at some point.

Closer to home, about 14 percent of household networks were hit by malware this spring, with a 50 percent increase in high-level bots, Trojans and backdoors.

Among the biggest threats to consumers was the ZeroAccess botnet, which grew to more than 1.2 million super nodes resulting in ad-click fraud that at one point burned through bandwidth equivalent to 45 monthly movie downloads per subscriber.

In recent months, the ZeroAccess botnet has updated its command and control protocol and grown to infect more computers while connecting to over one million computers globally. The concern with ZeroAccess is that it is using the subscriber’s bandwidth maliciously which will cost them money as they exceed bandwidth caps. And, once the computer is compromised, it can also spread additional malware or launch new attacks.

The ZeroAccess/Sirefef bot earlier this year modified its command-and-control protocol to evade detection and quietly distribute fraud-laced malware.

The bot tries to evade click-fraud detection by simulating normal human browsing behavior. This involves using a relatively low click rate and responding to redirects, cookies and scripting as a regular browser would. Despite this low profile, the bot operates 24 hours a day, seven days a week, so the bandwidth utilization for all that browsing adds up over time.

On the mobile front, most malware involved “trojanized” apps that steal information about the phone or send SMS messages. However, a banking Trojan that intercepts access tokens and two spyware applications also made the Top 20 list.

Researchers noted that Apple took a second hit to its security reputation with the “Find and Call” malware that targeted both iPhone and Android devices.

First Flashback infected the Mac, and now it appears that an iPhone app called ‘Find and Call’ uploads the user’s contact list to a remote server. The server then sends e-mail and text-message spam to the victim’s contacts. The messages are in Russian and encourage the recipient to download the app.

The app has since been taken down from the Apple Store.

Flashback, the Trojan that exploited a Java vulnerability to infect thousands of Mac OS X systems worldwide last spring, infected 10 percent of homes that owned at least one Mac during the month of April 2012.

Microsoft Office 2013 part 2

Giving Office the Metro feel

Office 2013 is a traditional Win32 desktop application, although it’s joined by a pair of Windows 8 Metro-style companion applications in the shape of new OneNote and Lync versions. Even so, it’s definitely got the Metro look-and-feel, with a near chromeless user interface, even on Windows 7.

The ribbon is still a key component of the Office user interface, although ribbon tabs now get new all-caps titles and elements have flatter, more Metro-like icons. Microsoft has chosen to automatically collapse the ribbon on some screens — a 1,200-by-900-resolution notebook has the ribbon on by default, for example, whereas it’s collapsed on a 1,366-by-768 tablet. You’ll find much of the UI now optimized for 16:9 screens, with sidebars where earlier versions of Office used dialog boxes (although it’s possible to detach sidebars).

There are also new Metro format icons for the Office applications, all of which use the same metaphor of an open file folder stamped with the application’s initial letter. Oddly, while most icons keep the familiar colors, Outlook drops the yellow for blue (with yellow overlays for incoming email). It’s an unusual choice, and makes the new Outlook icon easy to confuse with Word’s.

A touch Office

Touch is finally a first-class citizen in Office 2013. The new Metro user interface takes advantage of the touch features built into Windows 8, and while most of Office still comprises desktop applications, it’s as easy to use on a tablet as a traditional PC or notebook. Microsoft has actually given Office 2013 two subtly different user interface modes, with a single button to switch between the two (a button we were surprised to find wasn’t a default part of the Quick Access Toolbar, although it’s very easy to add it). Tap the Touch mode button, and UI elements move slightly apart, making them easier to touch. Buttons get bigger, and there are additional cues that build on the Windows 8 touch features.

Touch mode also adds additional touch controls to applications — for example, in Outlook 2013, message controls are added to the left of the screen, where they’re easily accessible with a thumb. With Touch mode Microsoft is trying to make it easier for touch users to work with a traditional desktop application. It’s not entirely successful, but it’s certainly a lot more usable than earlier versions of Office on touch devices. In practice you’re still more likely to use Office with a keyboard and a mouse or trackpad, than purely as a touch application. However, reaching out to touch the screen could prove a useful way to interact with a document, as an adjunct to the familiar desktop tools.

Skype – Changes to improve service could alter privacy

Skype, the online phone service long favored by users to bypass traditional phone companies and ensure private conversations, is undergoing changes. One of the features, to be able to communicate beyond the reach of governments, has made this an important tool for political dissidents.

Unfortunately, it has also attracted the attention of criminals. If you are a Skype user, you may have noticed some outages over the past year, as the network has grown to become one of the largest communications companies. To solve those problems, Skype is now going to direct all communications through centralized servers. In the past, communications had been direct, from computer to computer, but this created quality and service issues. Now that they are using centralized servers, the online chats and possibly voice and video calls may be available to governments, depending on the laws in place for each country.

It should be pointed out that surveillance of the audio and video feeds remains impractical — even when courts issue warrants, according to industry officials with direct knowledge of the matter. But that barrier could eventually vanish.

The changes to online chats, which are written messages conveyed almost instantaneously between users, result in part from technical upgrades to Skype that were instituted to address outages and other stability issues since Microsoft bought the company last year. Officials of the United States and other countries have long pushed to expand their access to newer forms of communications to resolve an issue that the FBI calls the “going dark” problem.

Hacker groups and privacy experts have been speculating for months that Skype had changed its architecture to make it easier for governments to monitor, and many blamed Microsoft, which has an elaborate operation for complying with legal government requests in countries around the world.

Microsoft has approached the issue with tremendous sensitivity and a canny awareness of what the issues would be. The company has a long track record of working successfully with law enforcement here and internationally.

Authorities had for years complained that Skype’s encryption and other features made tracking drug lords, pedophiles and terrorists more difficult. Jihadis recommended the service on online forums. Police listening to traditional wiretaps occasionally would hear wary suspects say to one another, “Hey, let’s talk on Skype.”

Skype was slow to clarify the situation, issuing a statement recently that said, “As was true before the Microsoft acquisition, Skype cooperates with law enforcement agencies as is legally required and technically feasible.” Changes allowing police surveillance of online chats had been made since late last year. In the United States, such requests require a court order, though in other nations rules vary. Skype has more than 600 million users, with some in nearly every nation in the world. Political dissidents relied on it extensively during the Arab Spring to communicate with journalists, human rights workers and each other, in part because of its reputation for security.

Skype’s resistance to government monitoring, part of the company ethos when European engineers founded it in 2003, resulted from both uncommonly strong encryption and a key technical feature: Skype calls connected computers directly rather than routing data through central servers, as many other Internet-based communication systems do. That makes it more difficult for law enforcement to intercept the call. The authorities long have been able to wiretap Skype calls to traditional phones.

The company created a law-enforcement compliance team not long after eBay bought the company in 2005, putting it squarely under the auspices of U.S. law. The company was later sold to private investors before Microsoft bought it in May 2011 for $8.5 billion.

Industry officials said the resulting push for the creation of so-called “supernodes,” which routed some data through centralized servers, made greater cooperation with law enforcement authorities possible. The access to personal information and online chats, which are kept in Skype’s systems for 30 days, remains short of what some law enforcement officials have requested.

Hackers in recent years have demonstrated that it was possible to penetrate Skype, but it’s not clear how often this happened. Microsoft won a patent in June 2011 for “legal intercept” of Skype and similar Internet-based voice and video systems. It is also possible, experts say, to monitor Skype chats as well as voice and video by hacking into a user’s computer, doing an end run around encryptions. If someone wants to compromise a Skype communication, all they have to do is hack the endpoint — the person’s computer or tablet or mobile phone, which is very easy to do.

Some industry officials, however, say Skype loses some competitive edge in the increasingly crowded world of Internet-based communications systems if users no longer see it as more private than rival services.


Microsoft Office 2013 Part 1

If there’s a new Windows, then surely a new Office can’t be far behind. With Windows 8 almost out the door, it’s about time for Office 2013 to show its face. We’d seen snippets of it in conference presentations and at the Surface launch, and we’d heard rumors of its features; now Microsoft has unveiled the first public beta of its new Office. One thing you can be sure of: Microsoft is making another of its big bets on the cloud, with Office 365 users getting far more from Office 2013 than users who buy the boxed product.

Microsoft has stated that Office 2013 will only be available for Windows 7 and 8, so you won’t be able to upgrade if you’re using Windows XP or Vista.

Office and the cloud

Microsoft is offering four different preview releases of Office 2013, with the three business subscriptions all built around its Office 365 and SkyDrive services. They’re also all subscription services that use a new version of Microsoft’s Click-to-run tools to install applications from the cloud (and to keep them up to date). All the subscriptions allow users to install Office on five machines — and Microsoft has said that this will be across multiple platforms, including Mac OS. There’s also 20GB of additional SkyDrive storage for subscribers.

The Click-to-run-based Office On Demand streams the Office applications to PCs, so you can quickly get up and running with the core functions installed first, while the rest of the application installs in the background. For example, you can stream in a copy of PowerPoint and start a presentation, without having to wait for a full download. Installs are linked to user accounts, so you can also quickly deauthorize a PC from the Office 365 web portal and temporarily install on a friend’s or a co-worker’s machine just to do one thing and then move on. Once you close a streamed application, it’s gone — and because it runs in an application virtualization sandbox there’s no trace of it, or of your files.

The four preview plans are Office 365 Home Premium Preview, Office 365 Small Business Premium Preview, Office 365 ProPlus Preview, and Office 365 Enterprise Preview. Consumers with the Home Premium plan will get the core Office applications (Word, PowerPoint, Excel, Outlook, OneNote, Access and Publisher), while the Small Business Premium plan adds access to the Office 365 cloud services, including Exchange, SharePoint and Lync for up to 10 users. The ProPlus option adds support for up to 25 users, and also includes the InfoPath and Lync applications. Similarly, the Enterprise plan adds more complex Exchange support with archiving and compliance tools.

All of the plans get access to a new version of Microsoft’s Office Web Apps, so you can edit files anywhere. Files are also automatically synced to SkyDrive when you save them, giving you a cloud backup. Business subscriptions get access to Office 365 SharePoint.


New Sharing Features from Dropbox

You may have seen a recent email from Dropbox about new restrictions for sharing folders. In the past, if you shared a folder with someone else, they could, in turn, share it with a third party. This made it difficult to trust sharing folders with groups of people you did not have complete confidence in to not share this folder with other people outside your group. Now, it appears, Dropbox has addressed this issue and will allow you to set the security on shared folders to prevent members from granting access to others.

This feature will be available through a check-box labeled ‘Allow members to invite other people’ within the shared folder options. You can limit sharing with existing shared folders as well as any shared folders you create in the future. If you’re not currently the owner of your shared folder, the current owner can transfer ownership to you by following the steps at

Members will still be able to create links to files within the shared folder.

Some Users May Lose Internet Access Monday

Efforts to eliminate a high-profile Trojan may cause some Internet users to lose connectivity on Monday. And, getting systems back up and running may be far more difficult than the preventative measures themselves.

The Federal Bureau of Investigation will be shutting down servers used by operators leveraging the DNSChanger Trojan, and when that happens, people with infected systems will lose access to the Internet. About 64,000 users in the USA are still infected.

A DNSChanger Trojan literally changes the infected computer’s DNS settings. When a user opens up a browser and enters a web address, good DNS settings will take you to the proper website. But if you’ve got malicious DNS settings, the criminal can point you to whatever server they want, so it can be used in a lot of nasty and malicious ways. The FBI has taken control of a lot of these malicious servers, and on July 9th, they are going to shut down all of them. That means if you open up your browser and you are infected with this malware, you won’t be able to get to the Internet, because your computer will no longer be able to resolve domain names to the correct addresses, or to anything else.

That translates to users not only losing web and email access but also connectivity to resources that will restore their services without on-premise support.
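Added example (not the FBI’s checker, nor the free resource the page refers to): a Python check, modelled on what such a tool does, that reads resolver settings in /etc/resolv.conf form and reports any resolver that falls inside a list of rogue DNS ranges. The rogue ranges the FBI published are not reproduced on this page, so the list below holds constructed placeholder networks, and the sample configurations are constructed too.

```python
import ipaddress
import re

# Placeholder networks: the rogue DNSChanger resolver ranges published by
# the FBI are not reproduced on this page, so these constructed TEST-NET
# blocks stand in for them. Replace with the published list before use.
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Matches "nameserver 1.2.3.4" lines (resolv.conf style).
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)

# Constructed sample resolver configurations.
CLEAN_CONF = "# generated\nnameserver 192.0.2.1\nnameserver 192.0.2.2\n"
INFECTED_CONF = "nameserver 203.0.113.7\nnameserver 192.0.2.1\n"


def configured_resolvers(resolv_conf: str) -> list:
    """Return the resolver addresses listed in a resolv.conf-style text."""
    return NAMESERVER_RE.findall(resolv_conf)


def rogue_resolvers(resolv_conf: str, ranges=ROGUE_DNS_RANGES) -> list:
    """Return the configured resolvers that fall inside a rogue range.

    A hit means name resolution depends on a server that will vanish when
    the rogue infrastructure is shut down, so the machine needs its DNS
    settings restored (and the infection cleaned) before that happens.
    """
    hits = []
    for server in configured_resolvers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # not an IP literal; skip it
        if any(addr in net for net in ranges):
            hits.append(server)
    return hits


if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf") as fh:
            hits = rogue_resolvers(fh.read())
    except OSError:
        hits = rogue_resolvers(INFECTED_CONF)  # fall back to the sample
    print("rogue resolvers:", hits or "none")
```

A clean result only shows the resolver settings are sane; it does not prove the machine is free of the Trojan itself.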

If you would like to check your computer, you can use this free resource to check your system before the 9th –