16th week of Security Podcast for CERTSTATION

Hello and welcome to the CERTStation Podcast for the 16th week of 2010. I am Jay Johnson and these are the headlines:

New Trojan poses as Google Chrome extension (pause)
Microsoft prepare to fix IE 8 flaw that makes safe sites unsafe while
New variant of Zbot or Zeus Trojan has been discovered (pause)
Chinese e-commerce giant Alibaba gets hit by a website attack and Finally
Cracking Microsoft Office encryption in minutes

And now for this week's newswire details
Spammed messages attempt to dupe prospective marks into trying an add-on that helps you better organize your documents received in your email. Interested parties are pointed towards a counterfeit Google Chrome Extensions page, which offers a malware executable. More observant punters will notice that the download is offered in an .exe file and not a .crx Google Chrome extension. Such markers are easily missed, however. The Trojan horse malware on offer blocks access to Google and Yahoo WebPages. Attempts to reach these sites on infected machines are hijacked and redirected to counterfeit sites. Such trickery is commonly a prelude to either phishing attacks or a technique by the hackers behind the trick to gain affiliate income from scareware slingers or other undesirables. The appearance of the attack shows that cybercrooks have begun targeting Google Chrome users, something that only tends to happen when a product or service becomes widely used among end users and is therefore a compliment of sorts to the success of Google's browser technology.

(pause)
Microsoft will release an update intended to rid Internet Explorer 8 of a vulnerability that can enable serious security attacks against websites that are otherwise safe. The change, which will be introduced in June, will be the third time in six months that Microsoft has tweaked a feature used to filter out XSS, or cross-site scripting filter, attacks against websites. The filter, which Microsoft introduced with the release of IE 8, is designed to strip out malicious commands that exploit the vulnerabilities, which plague many websites. The new XSS filter could be exploited to introduce XSS attacks on sites that otherwise weren't vulnerable. Microsoft has twice made changes to the feature, once in January and again in March, but last week, researchers at the Black Hat Security Conference in Barcelona showed the filter still injected threats into sites that included Google, Wikipedia, Twitter and even Microsoft's own Bing. Features like Microsoft's XSS filter, or a similar protection offered in the No-Script add-on for Firefox, is designed to prevent such attacks.

(pause)
A new variant of the Zbot or Zeus Trojan has been discovered, prompting one security specialist to call for improvements in malware protection. Attackers have begun exploiting a design flaw in Adobe Systems PDF format to spread the Zeus botnet, only days after the publication of a proof-of-concept exploit for the flaw. Researcher said they had discovered e-mails claiming to originate from Royal Mail with PDF attachments exploiting the flaw. The attachment attempts to run an executable file that installs the Zeus Trojan on a user's system. Zeus attempts to steal banking information by logging a user's keystrokes. It also attempts to make a user's system part of the Zeus botnet.

(pause)
Chinese e-commerce giant Alibaba Group announced Monday that one of its websites was hacked on Friday and Saturday and the police were investigating. Servers of Alibaba's foreign wholesale marketplace, Aliexpress, in Hangzhou, east China's Zhejiang Province, and in the United States were hacked constantly on April 16 and 17, said Wu Hao, head of public relations at Alibaba Group. The website was still in the testing phase, hosted the sale of Chinese goods in bulk to American buyers. The company did not say where the attacks originated but they believed the hackers might come from overseas trade protectionist groups or Alibaba's rivals.

(pause)
An implementation flaw allows attackers to bypass the encryption mechanism used for Microsoft Office documents. Although this isn't news, having been made public in 2005, no officially acknowledged attack or tool for exploiting the vulnerability has existed until now. This probably explains why Microsoft has never fixed the problem with an update for older versions of Office. French crypto expert Eric Filiol in his presentation at the recent Black Hat security conference emphasized that the situation has now changed. He says his tool can decrypt a document within a few minutes. Filiol said he began working on the statistical analysis of the RC4 algorithm used in Office back in 1994. The expert explained why he has only now published his results he was employed by the French military at the time. Everything he did was classified. Now he is free to speak about it. Microsoft's implementation of RC4 has the following flaw the keys are not automatically replaced when a new version of an existing Word document or Excel spreadsheet is generated. By comparing two such file versions that are encoded using the same key, Filiol's software which the French crypto expert doesn't intend to publish can determine the plain text within minutes.

If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.