Happy New Malware Year

01/15/2013
G DATA Blog

Every holiday season, almost nothing feels better than giving someone you care about the one gift he or she truly wanted. We are all happy to enjoy a couple of days off, but it seems as if the bad guys used these days to dig up exploitable bugs in the software we use and to present the world with their ‘special’ New Year gifts. Let us have a look at how the year started and sum up a couple of threats we saw during the past weeks.

The threats fall into two groups: Ruby on Rails, Java and Microsoft’s Internet Explorer form the first one, all web-related. The second consists of flaws in Foxit Reader and Microsoft’s Windows RT, which also got into the line of fire.

1. Java:

Possibly the most important vulnerability of the last weeks is one affecting Oracle’s Java; it has been assigned CVE-2013-0422. It is already being exploited by crimeware tools such as the Cool Exploit Kit (CEK), the Black Hole Exploit Kit (BHEK) and several others, which are known to spread large amounts of malware and have recently been used to distribute several ransomware variants.
The good news is: Oracle reacted quickly after the public disclosure of the exploit code and issued an official update that fixes CVE-2013-0422. The update was released on Sunday, 13 January 2013; the current release is Java 7 Update 11.

Our recommendation

If you have not installed the update yet, please do so as soon as possible.
If you are unsure whether you have already installed it, you can consult the official Java version check website.

Even after updating Java, we encourage users to evaluate whether they really need Java on their machine at all. On the web, most former Java content has been replaced by Flash or HTML5, so an average user only needs Java if he or she uses software that depends on it. Otherwise there is no real need to stick with a piece of software that causes so much hassle again and again.
We definitely recommend disabling Java in the browser! Oracle added a new function in Java 7 Update 10 that makes this easier, so users who have updated should be able to follow these instructions. If you wish, you can also disable the Java web functions manually, browser by browser, using the information we provided when the last big Java 0-day threat was present.

2. Ruby on Rails:

We also saw the announcement of vulnerabilities in Ruby on Rails, a popular web application framework used by many websites. The corresponding CVEs are CVE-2013-0156 and CVE-2013-0155. CVE-2013-0156 lies in the way Rails parses XML request parameters: a client-chosen type attribute could make the parser create Symbols from, or deserialise YAML contained in, attacker-controlled request data. Exploiting the flaws can bypass authentication, inject arbitrary SQL, cause denial of service or execute arbitrary code.
The good news is: patches are available. However, exploit code has also been released as a Metasploit framework module. The availability of exploit code increases the risk of attacks, because both the good and the bad guys can use the published code to find vulnerable sites. Anyone running Ruby on Rails should deploy the patches immediately; where an upgrade has to wait, the Rails advisory’s workaround of removing the YAML and Symbol XML parameter parsers (ActiveSupport::XmlMini::PARSING.delete("symbol") and ActiveSupport::XmlMini::PARSING.delete("yaml") in an initializer) closes the XML vector in the meantime.
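To make the XML parameter problem concrete, here is an added illustration in plain Ruby, written for this post and not taken from Rails: a simplified typed XML-to-params conversion in which the client-supplied type attribute chooses the converter, run once with the vulnerable converter table and once with the YAML and Symbol converters removed. The request bodies are constructed, and the params_from_xml and plausible_token? helpers are assumptions of this example rather than framework APIs.

```ruby
require "rexml/document"
require "yaml"

# Constructed XML request bodies (not captured traffic). The application is
# assumed to read params["token"] from the body and expect a plain String,
# e.g. for a lookup such as  where(token: params["token"]).
BENIGN_XML = '<request><token>abc123</token></request>'
SYMBOL_XML = '<request><token type="symbol">admin</token></request>'
HASH_XML   = '<request><token type="yaml">--- {}</token></request>'
OBJECT_XML = '<request><token type="yaml">--- !ruby/object:Object {}</token></request>'

# Illustrative stand-in for a typed XML-to-params conversion (not the Rails
# code itself): the element's "type" attribute, chosen by the client,
# selects how the element text is turned into a Ruby value.
VULNERABLE_TYPES = {
  "integer" => ->(s) { Integer(s) },
  "boolean" => ->(s) { s == "true" },
  # Symbols let the client smuggle non-String keys/values into queries.
  "symbol"  => ->(s) { s.to_sym },
  # Full YAML deserialisation of client data can instantiate arbitrary
  # classes; newer Psych exposes this as unsafe_load, older ones as load.
  "yaml"    => ->(s) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(s) : YAML.load(s) },
}.freeze

# Hardened table: the advisory's workaround amounts to dropping exactly
# these two converters, so untyped text and unknown types stay Strings.
SAFE_TYPES = VULNERABLE_TYPES.reject { |name, _| %w[symbol yaml].include?(name) }.freeze

# Convert the direct children of the root element into a params Hash.
def params_from_xml(body, types)
  doc = REXML::Document.new(body)
  params = {}
  doc.root.elements.each do |el|
    convert = types[el.attributes["type"]]
    text = el.text.to_s
    params[el.name] = convert ? convert.call(text) : text
  end
  params
end

# Defensive check a controller could apply before using a param in a query:
# a token must be a non-empty String, never a Symbol, Hash or other object.
def plausible_token?(value)
  value.is_a?(String) && !value.empty?
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_XML, SYMBOL_XML, HASH_XML, OBJECT_XML].each do |body|
    vuln = params_from_xml(body, VULNERABLE_TYPES)["token"]
    safe = params_from_xml(body, SAFE_TYPES)["token"]
    puts body
    puts "  vulnerable parser -> #{vuln.class}: #{vuln.inspect}"
    puts "  hardened parser   -> #{safe.class}: #{safe.inspect}"
  end
end
```

With the vulnerable table, `--- {}` becomes an empty Hash and `admin` becomes the Symbol :admin, so a lookup that expects a String token receives a different kind of value, which is how a query can be altered or an authentication check bypassed; with full YAML deserialisation the `!ruby/object:` tag even instantiates a class of the attacker’s choosing, which is the path to code execution. Removing the two converters, as the upstream workaround does, leaves that text as a harmless String. The patched Rails releases (3.2.11, 3.1.10, 3.0.19 and 2.3.15) remain the proper fix.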

3. IE:

Furthermore, a newly discovered vulnerability in MS Internet Explorer affects versions 6, 7 and 8 (Internet Explorer 9 and 10 are not affected), as explained here:
web.nvd.nist.gov/view/vuln/detail
Microsoft announced an out-of-band patch for Monday, 14 January 2013. The pre-release notes did not explicitly state that the vulnerability described in Security Advisory 2794220 would be fixed by this patch, but the update that was released lets us cross another threat off the list. Keep your eyes open and apply the patch as soon as it is available for your system.

4. Foxit Reader:

Foxit Reader, a quite popular alternative to Adobe Reader, seems to be vulnerable as well, and Foxit Corporation has not yet issued an update or fix. A flaw in the browser plug-in poses a security risk: an attacker can execute arbitrary code if the user opens a PDF file from the Internet that is served through a very long URL, because the plug-in does not handle the long URL correctly and a stack-based buffer overflow results.
According to Foxit’s corporate website, the company “boasts over 130 million users”. Whatever the real number of Foxit Reader users is, their only option right now is to disable the web browser plug-in, or to switch to another free PDF reader such as Adobe Reader.

5.  Windows RT:

This issue differs a little from the exploits discussed above, but it is very interesting as well: a jailbreak for MS Windows RT that allows users to run traditional desktop-style applications that Microsoft has not signed (compiled for ARM, since that is what Windows RT devices run). The jailbreak manual was published by a person nicknamed clrokr. The manual is detailed but complex for someone who is not very mobile-device-savvy. We assumed that someone would create a tool to replicate clrokr's steps for less knowledgeable users, and that is exactly what happened: a programmer nicknamed Netham45 has released his RT Jailbreak tool. According to Softpedia, Microsoft was obviously not pleased with the Windows RT jailbreak, but actually “applaud[ed] the ingenuity of the folks who worked this out and the hard work they did to document it.” Speculation suggests that the flaw will be fixed in the next update. Fair enough. However, if jailbreaking Microsoft tablets became a popular way to run pirated applications, we are pretty sure we would see more malicious RT-related apps, as on Android.

1 + 1 = many possible infections

What really worries us is the possibility of combining several of the attacks mentioned here into a very effective distribution mechanism for loads of malware.
A huge number of cyber threats can be blocked by comprehensive AV products such as G DATA Internet Security, but deactivating or uninstalling software (in this case Oracle’s Java) and/or applying the necessary software and OS updates is a necessity nonetheless!

So there goes the New Year tranquillity: all countermeasures have to be taken “as soon as possible”, “immediately” and “as soon as available”. And this is only the start of 2013. It appears that the number of disclosed exploits, bugs and vulnerabilities has once again risen over the holiday season, more than it usually does during the rest of the year. Hackers and malware writers seem to have used these past tranquil moments and turned them into productive holidays. If we could make a wish for the next holiday season, or for any time in the future, we would ask for responsible disclosure of security vulnerabilities.

Welcome back to the fast-moving cyber world and all the best for a secure year 2013!