XSS, XFS, Open Redirect Vulnerabilities Found on About.com
Posted on February 3, 2015 by Kara Dunlap in Security
About.com, the online resource website visited by tens of millions of users each month, is plagued by several types of potentially dangerous vulnerabilities, a researcher revealed on Monday.
According to Wang Jing, a PhD student at the Nanyang Technological University in Singapore, a large majority of the pages on About.com are vulnerable to cross-site scripting (XSS) and cross-frame scripting (XFS/iFrame injection) attacks.
The expert tested close to 95,000 About.com links with a script he developed and determined that at least 99.88% of them are vulnerable. The search field on the website’s homepage is also plagued by an XSS flaw which, according to Jing, means that all the domains related to about.com are vulnerable to XSS attacks.
In order to exploit XSS vulnerabilities, an attacker needs to convince the victim to click on a specially crafted link. XSS attacks can be used to alter the appearance of a website, access potentially sensitive information, and spy on users.
XFS attacks can be used to steal data from websites accessed by the victim. For the attack to work, a malicious actor must get the user to access a Web page he controls. Such vulnerabilities can also be exploited for distributed denial-of-service (DDoS) attacks, the expert noted.
Jing has also identified open redirect bugs on several About.com pages. The vulnerabilities can be leveraged to trick users into visiting phishing and other malicious websites by presenting them with a link that apparently points to an about.com page.
“The vulnerabilities can be attacked without user login. Tests were performed on Microsoft IE (10.0.9200.16750) of Windows 8, Mozilla Firefox (34.0) & Google Chromium 39.0.2171.65-0 ubuntu0.14.04.1.1064 (64-bit) of Ubuntu (14.04), Apple Safari 6.1.6 of Mac OS X Lion 10.7,” the researcher said in a blog post.
About.com was notified of the existence of the vulnerabilities back in October 2014, but so far the company hasn’t done anything to address them, the researcher said. About.com hasn’t responded to SecurityWeek’s requests for comment.
Proof-of-concept (PoC) videos for the XSS vulnerability on the About.com homepage and the open redirect flaw have been published by the researcher.
New RAT Hijacks COM Objects for Persistence, Stealthiness
Posted on October 31, 2014 by Kara Dunlap in Security
Researchers have uncovered a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection.
The RAT, dubbed “COMpfun,” has been analyzed by experts from G DATA Software’s SecurityLabs. When it comes to functionality, the malware is not out of the ordinary. It can be used to log keystrokes, take screenshots, download and upload files, execute code, and for other specific tasks.
The threat can run on both 32- and 64-bit versions of Microsoft Windows (up to Windows 8), and it relies on HTTPS and RSA encryption to communicate with its command and control (C&C) server.
What makes COMpfun interesting is the fact that it injects itself into the processes running on compromised systems by hijacking legitimate Component Object Model (COM) objects.
COM allows developers to manipulate and control the objects of other applications. Each of these objects has a unique identifier called a CLSID (class identifier), which the operating system looks up in the registry to find the library that implements the object.
When it’s installed on a system, the RAT creates two files, after which it creates two registry entries to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. These IDs are already assigned to two Microsoft libraries that are used by several applications, including the Web browser. However, by defining objects with the same CLSIDs, the originals are replaced with the new ones.
Once this is done, the malicious libraries are loaded into processes instead of the legitimate Microsoft libraries. This ensures not only that the RAT is persistent, but it also makes it more difficult to detect.
“As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to identify. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns,” G DATA researcher Paul Rascagnères wrote in a blog post.
Many antiviruses monitor systems for DLL injections, but since COMpfun doesn’t rely on DLL injections, some security solutions might miss the threat. Rascagnères has warned that any type of malware could leverage this technique to become stealthy.
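One way for a defender to look for the registration pattern described above is to compare per-user COM registrations with the machine-wide ones. The script below is an added example, not code from G DATA or from the article; it assumes a standard Windows registry layout and uses the two CLSIDs named above as its default scope.

```powershell
# Added example (not from the G DATA analysis): list per-user COM registrations
# (HKCU) that shadow machine-wide ones (HKLM). For non-elevated processes the
# HKCU entry takes precedence when both exist, so a user-writable InprocServer32
# for a CLSID that Windows already registers system-wide deserves a closer look.
# Run it as the user whose profile is being examined, since HKCU is per-profile.

function Get-ComHijackCandidate {
    [CmdletBinding()]
    param(
        # Default scope: the two CLSIDs named in the write-up.
        [string[]]$Clsid = @(
            '{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}',
            '{BCDE0395-E52F-467C-8E3D-C4579291692E}'
        ),
        # -All walks every CLSID registered under HKCU instead.
        [switch]$All
    )
    $userRoot    = 'HKCU:\Software\Classes\CLSID'
    $machineRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

    if ($All) {
        $Clsid = Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty PSChildName
    }

    foreach ($id in $Clsid) {
        $userKey = Join-Path $userRoot "$id\InprocServer32"
        if (-not (Test-Path $userKey)) { continue }   # nothing registered per user

        # Get-ItemProperty expands REG_EXPAND_SZ, so %SystemRoot% paths come back resolved.
        $userDll    = (Get-ItemProperty -Path $userKey).'(default)'
        $machineKey = Join-Path $machineRoot "$id\InprocServer32"
        $machineDll = if (Test-Path $machineKey) {
            (Get-ItemProperty -Path $machineKey).'(default)'
        }

        [pscustomobject]@{
            CLSID             = $id
            UserDll           = $userDll
            MachineDll        = $machineDll
            ShadowsMachine    = [bool]$machineDll
            # A DLL outside %SystemRoot% replacing a Microsoft library is the strongest signal.
            OutsideSystemRoot = -not ("$userDll" -like "$env:SystemRoot\*")
        }
    }
}

# Constructed usage: review everything, then narrow down to the suspicious rows.
Get-ComHijackCandidate -All |
    Where-Object { $_.ShadowsMachine -and $_.OutsideSystemRoot } |
    Format-Table -AutoSize
```

Legitimate software also registers per-user COM objects, so treat the rows as leads to verify (publisher signature, file location, creation time) rather than as verdicts.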
COMpfun is not the only RAT that abuses COM. Back in August, G DATA detailed IcoScript, a piece of malware that leveraged COM to control Internet Explorer. By taking control of the Web browser, cybercriminals have been able to carry out various actions, such as accessing websites, entering credentials, pressing buttons on pages, and exfiltrating data.
In the case of IcoScript, cybercriminals leveraged the technique to access Yahoo Mail accounts and use them for C&C communications. Researchers noted at the time that the attackers could have used other webmail services as well, such as Gmail.
The future of Microsoft depends on Windows being free
Posted on October 13, 2014 by Kara Dunlap in Microsoft Windows
The value of OS upgrades has been completely lost in a time when we’re used to getting free updates to mobile phones for as long as they can keep handling the software. Why does this same model not apply to the PC yet? Microsoft has already adopted free upgrades for Windows Phone, so why not for the PC?
Microsoft has remained quiet on its plans for Windows pricing in future, but it did make it free for consumers to upgrade from Windows 8 to 8.1, and we know the upgrade from 8 to 10 will be free, but will this continue? The company recently unveiled Windows 10 but didn’t detail whether it would be another free upgrade or not; however, it probably should be a free upgrade for most Windows users.
Microsoft needs to decouple the business and consumer markets if it wants to maintain its iron grip on the future PC market. It’s entirely reasonable to expect businesses to pay for licensed software (even if just to get extended updates and support), but expecting the end user to care enough to spend over $100 to upgrade every two years is absurd.
For many consumers, Windows upgrades are directly tied to when they replace their PCs. Why else would so many people not even bother to upgrade from XP? Their PCs are perfectly capable of running Windows 7, but why would they want to pay $130 just to get the latest software? Change can be hard, and rather than bothering to pay for a new license and upgrade, these users have chosen to stay on unsupported versions because it ‘works’ fine.
Making Windows free has a number of tangible benefits for Microsoft; not only does it encourage users to upgrade frequently (and removes almost all barriers to doing so), it means that users are more likely to use the latest version of Microsoft products and connected services. It also means that Microsoft could eliminate all the confusing and unnecessary SKU options and focus on two markets: consumer and enterprise.
Imagine Windows 10 was made free for all users from Vista and up: the install base would rapidly move to the latest version (much like OS X users, or iOS users, flock to the latest release), meaning less legacy support for Microsoft and the ability to advertise bigger numbers. The company could simply have a different version and a requirement for those using Windows in business settings.
Because it would be free for many home users to get the latest version of Windows, it seems likely that these same users would be more willing to pay for related services via subscription instead, like OneDrive or Office 365, which would amount to a lot more recurring revenue for the company.
I expect that Microsoft has already come to this same, inevitable conclusion and will make Windows 10 free for those using Windows 7 and up. It’s probably a hard decision for the company (Windows is a $5 billion a year business), but it’s a crucial one that it has to make in order to stay relevant.
As fewer and fewer PCs are sold each year, the company should look for other ways to make money by offering supporting services on a longer-term basis rather than trying to persuade people to drop the money on an upgrade every three years.
Consumers simply aren’t buying new computers any more, as they last longer or people switch to relying on phones and tablets, so Microsoft has to seek new sources of revenue beyond Windows. Windows will become the conduit for consumers to buy Microsoft services.
The days of paid Windows upgrades have met their end, even if Microsoft hasn’t admitted it yet.
Photo credit: Getty Images
Remember the days when you would head out to the store to pick up the latest version of Windows, on DVD, for something like $130? Those days may seem like the distant past, but in truth Microsoft is still charging for upgrades between major versions even as of Windows 8.1.
- By Owen Williams, thenextweb.com
Intel, HP prepare for the end of days: Windows XP’s, that is
Posted on December 4, 2013 by Kara Dunlap in Blog
Netbooks are dead, killed by Windows 8
Posted on September 12, 2012 by Kara Dunlap in Blog
Netbooks are officially dead, and Windows 8 pulled the trigger
by Brad Chacos, digitaltrends.com
September 7th 2012
Tablets might have left netbooks bloody and beaten, but it was Windows 8 that did the dirty work of snuffing out the tiny laptops for good.
Investigators crowded around the small, lifeless husk lying shattered on the bar before them. The morning sun glinted off a cracked 10-inch display; broken chips and transistors littered the floor like so many spent pennies. Sounds of revelry echoed from somewhere far off as the townsfolk celebrated a bright future filled with tablets, phablets and easily charged phones, unaware of the death in their midst.
One investigator knelt down and pressed the gadget’s power button. Three seconds later, a blue screen of death slowly faded to black on the damaged screen.
“It’s official,” the man said. “The netbook is dead.”
“I think we all know who’s responsible for this,” one of his colleagues replied. “I’ll start hauling tablets down to the station for questioning.”
“Not so fast,” the first investigator said. He slowly stood. “Bring me Windows 8.”
The end of an era
Netbooks have been on life support for a while now. In the past year, Dell and Toshiba officially bowed out of the market, while Lenovo’s S-series netbooks have been on-again, off-again, but mostly off-again. (They’re currently available as part of a limited-time offer, probably to drum up interest in their new, full-sized S-series offerings.) In May, the Canalys research firm announced that netbook sales dropped for the sixth consecutive quarter, by a staggering 34 percent compared to the year before.
Two companies stayed true to the original ultra-portable form factor through all the doom and gloom: Acer and Asus. But no more. Both companies plan on pulling the plug on netbooks, DigiTimes reports.
Acer has yet to officially confirm the report, but regardless, Asus’ withdrawal marks the death blow. Asus created the first computer to carry the netbook title, the original Eee PC, and has kept shipping netbooks faithfully ever since. Until now, that is.
What prompted Asus to snuff out its own offspring? The motive seems straightforward at first: Asus CEO Jerry Shen told DigiTimes that the company “plans to have its Transformer tablet PCs fill the 10-inch mobile market, replacing its netbook products.”
As in any good murder mystery, however, things aren’t as simple as they appear.
Tablets: Perp or patsy?
The rise of tablets left netbooks bruised, battered and reeling. It’s hard to ignore the fact that netbook sales began their gargantuan nosedive virtually the exact moment the original iPad was introduced. Netbooks are slow and frumpy; tablets are responsive and sexy. To make matters worse, Windows never really fit well on a 10-inch screen, while tablet operating systems were designed around tinier displays. Frankly, it’s no shocker that the mainstream has shifted its attention from netbooks to focus on tablets.
The netbook form factor still holds some value in certain niche uses. For example, business travelers with heavy workloads often lean toward portable PCs with physical keyboards. This February, Asus marketing VP Kevin Huang told PCWorld that “Asus created the netbook category, and I believe netbooks today still provide the most cost-effective computing product solution serving certain user segments, i.e., the K-12 education market.”
A good investigator perks up his ears when someone shows a sudden change in behavior. Why did Asus change its tune so dramatically in such a short amount of time?
The DigiTimes report says it was because of “a sharp drop in demand in emerging markets,” one of the last bastions of netbook growth. I say hogwash: Windows 8 drove the final nail into the netbook’s coffin.
Windows 8: Microsoft kills the netbook
Manufacturers struggled to make money with netbooks in the best of times; even with low-end processors and a small, low-resolution screen, it’s hard to make money on a PC that will only cost $200 to $350 at retail.
In fact, screen resolutions might be one of the leading factors in the death of the netbook. Most netbooks stick with a 1024 x 600 display; Windows 8 requires 1024 x 768 at minimum. You need a full 1366 x 768 resolution (seen on most mainstream laptops in sizes up to 15.6 inches) to use the operating system’s Snap feature.
Displays make up a large slice of a laptop’s overall component costs. Manufacturers who’ve been able to eke out slim profits from netbooks could be in over their heads if they add higher-cost, higher-resolution displays to coax Windows 8 into working on the pint-sized PCs… and that’s not even counting the cost of upgrading to touchscreens to take advantage of Windows 8’s finger-friendly features, something tablets sport by default.
Heaping on even more expense, licensing costs for Windows RT are rumored to be $50 to $100, depending on the version, with no low-cost equivalent of the Windows 7 Starter edition found on so many netbooks on sale. Compare that to the cost of the open-source Android operating system that powers so many tablets: $0. To be fair, several manufacturers pay Microsoft a licensing fee for every Android device they make to avoid possible patent litigation, but Asus isn’t one of them.
Meanwhile, all the spiritual successors to netbooks yield higher margins for manufacturers: Ultrabooks, tablet-notebook hybrids, and low-cost ultrathin laptops. Manufacturers will never be able to turn a profit from sheer netbook sales volume again. Investing in Windows 8 and its higher-cost display requirements just doesn’t make sense.
Considering the evidence, the answer is clear: tablets and shifting consumer desires may have left netbooks in critical condition, but it was Windows 8 that finished the netbook off for good. Moore’s law is a cruel mistress indeed.
Case CLOSED!
Original Page: http://www.digitaltrends.com/computing/netbooks-are-officially-dead-and-windows-8-pulled-the-trigger/