norrisa
Member
|
# Posted: 22 Feb 2006 19:13
Reply
Kaspersky update flaw
Antigen users started receiving updates from Kaspersky Antivirus engine on Tuesday. Microsoft and Kaspersky had put the updates on hold after a flawed update.
The problems left people without functional e-mail for as long as 10 hours. The cause was a update to the Kaspersky Antivirus engine, districuted on early Thursday morning. In the afternoon of the same day, Microsoft released the old version to solve the problem.
Halting the update for the Kaspersky engine for several days meant that one engine wasn't refreshed, people are still protected by the other engines and revamps.
New worm targets Apple chat users
Apple and outside analysts said the program, called Leap-A is not a virus. Rather, it requires a user to download the application and execute the resulting file.
The Malicious software called OSX/Oompa-A and the Ooompa Loompa Trojan Horse by other security experts, seems not to spread easily and has recieved low-level threat classifications from McAfee and Symantec.
Leap-A, which appears to affect only the OS X 10.4 platform, spreads primarily via the Apple iChat instant-messaging program. The program forwards itself as a compressed file called "latestpics.tgz" to all the contacts on the infected user's buddy list each time the program starts up.
But it's up to the person to download the file, which shows up as an attachment to a conversation thread. If downloaded, the self-executable file masquerades with an icon typically reserved for image files but does not activate itself unless opened.
"It exhibits the same behavior as a Trojan in that it requires user interaction and a mass mailer in that it's going through the contact list of that particular iChat client," said Dean Turner, senior manager of Symantec Security Response. "And it's a worm because it's replicating on its own once the system has become infected."
A number of security companies--including Symantec, McAfee, Sophos and Intego--have released updated definitions to guard against the threat. Apple directed customers to a safety guide at its site and said it "always advises Macintosh users to only accept files from vendors and Web sites that they know and trust."
Bluetooth worm targets Mac OS X
Just a day after experts warned of what is believed to be the first Trojan in the wild to target Apple Computer's Mac OS X, alerts are being published on a new worm that exploits an 8-month-old vulnerability in the operating system.
The new Inqtana worm spreads through a security flaw in Apple's Bluetooth software, antivirus vendors Symantec and F-Secure said on Friday. Apple provided a fix for the flaw last June with security update 2005-006.
The worm attempts to use Bluetooth to propagate. Once it infects a computer it searches for other Bluetooth-enabled devices and sends itself to those it finds, Symantec said. "It is quite unlikely that Inqtana would be any kind of threat," F-Secure said.
"We have speculated that attackers would turn their attention to other platforms, and two back-to-back examples of malicious code targeting Macintosh OS X this week illustrates this emerging trend," he said. "While this particular worm is not fully functional, the source code could be easily modified by a future attacker to do damage."
The new worm follows the Leap Trojan that was discovered Thursday. Symantec says it believes the two pests were developed on a parallel time line and that Inqtana was not created in response to Leap.
Symantec recommends that Mac OS X users keep antivirus and firewall software, as well as operating systems, up to date. Apple has a safety guide on its Web site.
Mac OS flaw exposes Apple users
The security problem is the third to surface for the operating system in the past week. It exposes Mac users to risks that are more familiar to Windows users: Visiting a malicious Web site using Apple's Safari Web browser could result in a rootkit, a backdoor or other malicious software being installed on the computer without the user noticing anything, experts said.
"This could be really bad," the SANS Internet Storm Center, which tracks network threats, said Tuesday. "Attackers can run shell scripts on your computer remotely just by visiting a malicious Web site."
Apple is developing a patch for the flaw, a company representative told CNET News.com. "We're working on a fix so that this doesn't become something that could affect customers," the representative said, but could not give a delivery date for the update.
Word of the new vulnerability comes after the recent discovery of a Trojan horse and a worm that target Mac users. The operating system had not been in the security crosshairs previously.
The new problem, discovered by Michael Lehn and first reported by Heise Online, lies in the way Mac OS X processes archive files. An attacker could embed malicious code in a ZIP file and host that on a Web site. The file and the embedded code would run when a Mac user visits the site using the Safari browser, experts said.
"Essentially, the operating system is executing commands that come in the metadata for ZIP files," said Alfred Huger, senior director of engineering at Symantec. "That is exacerbated by the problem that Safari will automatically open the file when you encounter it on the Web."
The issue may go beyond archive files, SANS said in updated notes on its Web site. "The attacker doesn't need to send a ZIP archive; the shell script itself can be disguised to practically anything," the note said.
The culprit appears to be the Mac OS Finder, the component of the operating system used to view and organize files, according to the SANS posting. A malicious file can be masked to look innocent--for example, like a JPEG image--yet it will run and execute when opened, SANS said.
This occurs because the operating system assigns an identifying image for the file based on the file extension, but decides which application will handle the file based on file permissions, SANS said. If the file has any executable bits set, it will be run using Terminal, the Unix command line prompt used in Mac OS X, SANS said.
There are no known attacks that take advantage of the flaw, experts said. However, proof-of-concept code that demonstrates the security vulnerability is publicly available online and could be tweaked for use in cyberattacks. "The skill level required to exploit it is very low. Pretty much anyone can do it," Huger said.
In the Windows world, such flaws are often exploited to install spyware or ad-serving software on vulnerable PCs. While such insidious software may be rare for the Mac, there are back doors and rootkits for the operating system, Huger said. "I think you'd likely see those installed with this type of vulnerability," he said.
The vulnerability is rated "extremely critical" by security monitoring company Secunia. Symantec also rates it "fairly high risk," Huger said. "If you have a Mac and use Safari, it is something you should remediate immediately," he said.
Mac OS X users can protect themselves by disabling the "Open safe files after downloading" option in Safari. In addition, users should be cautious when surfing the Web, the Apple representative said. "Apple always advises Mac users to only accept files from vendors and Web sites that they know and trust."
Users of alternative browsers such as Firefox and Camino on the Mac are not exposed to the Web-based attack vector, experts said.
References:
Link
Link
Link
Link
Andrew
|
