This week's security events include news of Apple patching its Java vulnerabilities, the United States and China topping a cybercrime list compiled by SecureWorks, a new class of browser attacks called "clickjacking", and a warning about a new Trojan that could be used to steal banking-related information.
Apple patches Java bugs
Apple has issued a large patch release that fixes numerous Java vulnerabilities in the Mac OS X operating system, some of which have been known for months. Two of these vulnerabilities, specific to Leopard, were rated critical and could allow attackers to run arbitrary code by means of a malicious Java applet. The attacker would first have to get a victim to view a Web site containing the applet with a Java-enabled browser.
US and China top cybercrime list
Security provider SecureWorks has released a report in which the United States and China top a list ranking countries by the number of attacks launched against other computers via the Internet. The US had 20.6 million attacks attempted from within its own borders, while China was the runner-up with 7.7 million such attempts. Computers in universities, data centers, and companies are infected, apparently without their administrators noticing.
"On the other hand, we have found that many of the Chinese hackers will compromise large networks within their own country and use them as bots to attack other organizations," continued [Don] Jackson. "For example, entire university networks in China will belong to local hacker groups." (Don Jackson is the Director of Threat Intelligence for SecureWorks.)
Jackson also noted that the findings show, among other things, how ineffective it is to defend against attacks simply by blocking incoming communications from foreign IP addresses, because attackers hijack computers outside their own borders and attack their victims from those.
New Trojan goes for banking data
A new Trojan horse program is gaining popularity with fraudsters. Called Limbo, the malware integrates itself with the Web browser using a technique called HTML injection. By manipulating a page's layout, it asks the user for confidential information that the real site never actually requests.
A user could be on a genuine bank site, for example, and be asked by the Trojan for a password or other confidential data. The only clue? That the user is being asked to provide information that has never been asked for before.
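The "only clue" described above can be turned into an automated check. The following is an added example, not code from the article, from PC World, or from any bank or vendor: a page declares which input fields its login form legitimately contains, and a script compares that allow-list with the fields actually rendered, flagging any extras, which is exactly what an HTML-injection Trojan adds. It also goes one step beyond the text and verifies that the form still posts to the expected host, since a tampered form may submit elsewhere. The form is modelled as a plain object so the code runs outside a browser; in a real page the field list would come from `document.querySelectorAll("form input")`. All names, hosts and sample data below are constructed.

```javascript
// Added example: detect form fields that an HTML-injection Trojan has added to a
// legitimate page. Field descriptors are plain objects {name, type, label};
// in a browser they would be collected from the live DOM.

// Field names or labels that commonly indicate a request for secrets a site
// would not normally ask for on a login form (constructed heuristic list).
const SENSITIVE_NAME_PATTERN = /pin|ssn|social|cvv|cvc|atm|mother|secret|card/i;

// Input types that carry no user-supplied data and are skipped by the check.
const NON_DATA_TYPES = new Set(["submit", "button", "reset", "image"]);

// The fields the (hypothetical) bank's login form is known to contain.
const EXPECTED_LOGIN_FIELDS = ["username", "password", "csrf"];
const EXPECTED_HOST = "bank.example";

// Return every rendered data field whose name is not on the allow-list,
// annotated with whether its name or label looks like a request for a secret.
function findInjectedFields(expectedNames, renderedFields) {
  const expected = new Set(expectedNames.map((n) => n.toLowerCase()));
  return renderedFields
    .filter((f) => !NON_DATA_TYPES.has((f.type || "text").toLowerCase()))
    .filter((f) => !expected.has((f.name || "").toLowerCase()))
    .map((f) => ({
      name: f.name,
      type: f.type,
      sensitive: SENSITIVE_NAME_PATTERN.test(`${f.name} ${f.label || ""}`),
    }));
}

// Assess a whole form: unexpected fields plus a hijacked action URL.
// A relative action resolves against the expected host, as a browser would.
function assessForm(expectedNames, expectedHost, form) {
  const injected = findInjectedFields(expectedNames, form.fields);
  let actionHost = null;
  try {
    actionHost = new URL(form.action, `https://${expectedHost}/`).host;
  } catch (e) {
    actionHost = null; // unparsable action is treated as hijacked
  }
  const actionHijacked = actionHost !== expectedHost;
  return {
    tampered: injected.length > 0 || actionHijacked,
    injected: injected.map((f) => f.name),
    highRisk: injected.filter((f) => f.sensitive).map((f) => f.name),
    actionHijacked,
  };
}

// Constructed sample: the genuine login form as the bank serves it.
const CLEAN_FORM = {
  action: "/login",
  fields: [
    { name: "username", type: "text", label: "User ID" },
    { name: "password", type: "password", label: "Password" },
    { name: "csrf", type: "hidden" },
    { name: "go", type: "submit" },
  ],
};

// Constructed sample: the same form after an in-browser HTML injection has
// added two extra prompts the real site never shows.
const TAMPERED_FORM = {
  action: "/login",
  fields: [
    ...CLEAN_FORM.fields,
    { name: "atm_pin", type: "password", label: "ATM PIN (security update)" },
    { name: "ssn", type: "text", label: "Social Security Number" },
  ],
};

console.log(assessForm(EXPECTED_LOGIN_FIELDS, EXPECTED_HOST, CLEAN_FORM));
console.log(assessForm(EXPECTED_LOGIN_FIELDS, EXPECTED_HOST, TAMPERED_FORM));
```

The allow-list must be embedded in the page itself (or fetched from the origin) rather than derived from the rendered DOM, otherwise the injected fields would simply become part of the baseline; a flagged form should be reported to the site operator rather than silently submitted.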
You can read more about the Limbo Trojan from this PC World article.
Researchers warn of new clickjacking attack
Security researchers have warned of a new class of browser vulnerabilities dubbed "clickjacking". Users of every major platform are apparently at risk from this new attack method.
Multiple types of flaws have been identified so far, though details are sketchy for now because the researchers have deliberately kept a number of them confidential.
Robert Hansen, one of the two researchers who discussed this bug at OWASP AppSec 2008 earlier in the week, noted in an interview with Network World that clickjacking is similar to cross-site request forgery, sometimes known as CSRF or "sidejacking." However, clickjacking is different enough that the current generation of anti-CSRF measures is essentially worthless against it.
How does clickjacking work? Following is an excerpt from Network World:
"Think of any button on any Web site, internal or external, that you can get to appear between the browser walls," Grossman said in an e-mail on Friday. "Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to."
Attackers do not need to compromise a legitimate site in order to conduct a clickjacking attack underneath it. As such, the only meaningful fix for this problem would have to come from the browser vendors. At the moment, the security researchers who found this vulnerability are in contact with all the major browser vendors.
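The attack described in the excerpt depends on one precondition: the target page must be rendered inside a frame controlled by another document. The following added example (not from the article, Network World, or the researchers) shows the two defensive checks that follow from that: a page-side test of whether the document has been framed, and a server-side audit of the response headers that instruct browsers to refuse framing. `X-Frame-Options` and the Content Security Policy `frame-ancestors` directive are real headers; the window objects and header maps below are constructed stand-ins so the code runs outside a browser.

```javascript
// Added example: clickjacking defences from the page owner's side.

// A framed page is one whose window is not the top-level browsing context.
// In a browser the argument is simply `window`; here it is a plain object with
// `self` and `top` properties so the logic can be exercised without a DOM.
function isFramed(win) {
  return win.top !== win.self;
}

// Build the anti-framing response headers for a policy of "none" (no framing
// at all) or "self" (only pages from the same origin may embed this one).
// Both headers are sent because older browsers honour only X-Frame-Options.
function antiFramingHeaders(policy) {
  if (policy === "none") {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  if (policy === "self") {
    return {
      "X-Frame-Options": "SAMEORIGIN",
      "Content-Security-Policy": "frame-ancestors 'self'",
    };
  }
  throw new Error(`unknown framing policy: ${policy}`);
}

// Audit a captured response header map (header names in any letter case) and
// report whether browsers will refuse to frame the page. A frame-ancestors
// directive that allows "*" provides no protection and is not counted.
function auditFramingProtection(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value);
  }
  const reasons = [];

  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    reasons.push(`X-Frame-Options: ${xfo}`);
  }

  const csp = lower["content-security-policy"] || "";
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.length > 0 && !sources.includes("*")) {
      reasons.push(directive);
    }
  }

  return { protected: reasons.length > 0, reasons };
}

// Constructed sample windows: a top-level document and one embedded in it.
const topWindow = {};
topWindow.self = topWindow;
topWindow.top = topWindow;
const embeddedWindow = {};
embeddedWindow.self = embeddedWindow;
embeddedWindow.top = topWindow;

// Constructed sample: a response with no framing protection at all.
const UNPROTECTED_RESPONSE = { "Content-Type": "text/html" };

console.log("top-level framed?", isFramed(topWindow));
console.log("embedded framed?", isFramed(embeddedWindow));
console.log(auditFramingProtection(UNPROTECTED_RESPONSE));
console.log(auditFramingProtection(antiFramingHeaders("none")));
```

The header audit is the check worth running across a site's sensitive endpoints (transfer confirmations, settings pages, anything with a one-click action), since the page-side test alone can be defeated by an embedding page that suppresses scripts; the headers are enforced by the browser before any script runs.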