The Official Internet/Computer Security News Discussion Thread

Old 01-10-2012, 08:58 AM  #321  rza49311
Originally Posted by Scottman111
What programs (if any) does everyone use for prevention? Like stopping infections before they begin?

Do you use something for your PC, and then something different for others that you work on?

I've put SpywareBlaster on my brother-in-law's PC recently, basically trying it out.

http://www.javacoolsoftware.com/spywareblaster.html



Anyone else use it? Thoughts? Or recommend something else to try?
Common sense is the BEST tool. Educate them as much as you can about browsing the web and how to spot suspicious sites and/or links.

Also, a good browser: don't use IE8, use IE9, Firefox or Chrome.

Make sure you're up to date on Windows patches, Adobe patches, Java patches, etc.
Old 01-10-2012, 09:36 AM  #322  #1 STUNNA (Thread Starter)
^Uuhhh, remove Firefox from the recommended list and that's fine.

Honestly the single biggest security threat is java. No one upgrades it, ever. Literally at about 99% of PCs I work on that Java update icon is in the system tray.

I now recommend uninstalling Java unless you have an essential app that requires it; you probably don't. Most normal people don't need Java. There may be an app that a techy person needs Java for (LibreOffice, BitTorrent, RipBot, TinyUmbrella, etc.), but most Windows apps are made using native code. If the app needs Java, look for an alternative app that doesn't before choosing to use the Java app.

No one is going to upgrade it; beg them all you want, but it's not going to happen. All those fancy features in Chrome and IE9 are rendered useless because they don't apply to the Java ActiveX control or plugin, so using Java just bypasses all their work. Until Java becomes sandboxed and gets auto updates I will no longer install it, and I'm uninstalling it from every PC I can.

Old 01-10-2012, 08:23 PM  #323  Scottman111
Originally Posted by rza49311
Common sense is the BEST tool. Educate them as much as you can about browsing the web and how to spot suspicious sites and/or links.

Also, a good browser: don't use IE8, use IE9, Firefox or Chrome.

Make sure you're up to date on Windows patches, Adobe patches, Java patches, etc.


I've mentioned this before, but if I had a dollar for every time I heard "everything was working fine until I clicked on that picture on Google image search".

You know how most people are. Smart browsing just isn't possible because they just don't know. I figure a small program like this can't hurt... it runs in the background and they have no idea.

Unfortunately I don't think it has a way to see progress of what's been blocked, etc. I've also been adding the MVPS Hosts file for a while now.



Stunna, I always see the same with Java... never updated. I despise the "add Google toolbar" trick and others they like to pull when you do update.

I'll probably start doing the same and removing it. A lot of PCs I work on are used for simple web browsing and not much more, so I doubt it would be missed.


What browsers do you guys recommend?
Old 01-10-2012, 09:47 PM  #324  AZuser
Originally Posted by Scottman111
What browsers do you guys recommend?
I mainly use Chrome now since I had issues with Firefox 6, 7, and 8. Firefox 9 seems to be a tiny bit better (no more crashes with multiple tabs open like with 8), but it still seems to run slow.
Old 01-10-2012, 09:49 PM  #325  Ken1997TL (Senior Moderator)
Originally Posted by AZuser
I mainly use Chrome now since I had issues with Firefox 6, 7, and 8. Firefox 9 seems to be a tiny bit better (no more crashes with multiple tabs open like with 8), but it still seems to run slow.


For years Firefox was unbeatable, then they kept adding more and more crap. It'll freeze on me in Windows or OS X. Maddening...
Old 01-10-2012, 09:56 PM  #326  AZuser
The thing I use Firefox for now is checking to see if my plugins are up to date.

In Firefox, go to Tools > Add-ons. Click on Plugins along left hand side, then "Check to see if your plugins are up to date" near the top of page.
Old 01-11-2012, 03:57 AM  #327  #1 STUNNA (Thread Starter)
Here's another tip I found: how to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems.

The purpose of the SEHOP mitigation is to prevent an attacker from being able to make use of the Structured Exception Handler (SEH) overwrite exploitation technique. This exploitation technique was publicly documented by David Litchfield of NGS Software in a research paper that he published in September, 2003[1]. Since this publication, the SEH overwrite technique has become a standard weapon in an attacker’s arsenal. Roughly 20% of the exploits included in the latest version of the Metasploit framework make use of the SEH overwrite technique. SEH overwrites are also commonly used by exploits that target the increasing number of browser-based vulnerabilities[4].
SEHOP was added in Vista SP1 and has been turned on by default on the Server 2008+ OS. On the consumer side it's an opt-in option, so apps that are compiled using a newer version of Visual Studio are already compiled supporting SEHOP and have it enabled, for example apps like Chrome or IE9. But if an app doesn't specifically say to enable it, then it's off by default to prevent app compatibility issues.

However, with just a registry edit you can change SEHOP from an opt-in feature to an opt-out one, which means it will be turned on for all apps unless the app specifically says to disable it. That is the default on the Server OS.

So on Vista SP1 and higher open regedit:

Locate the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation

Note: If you cannot find the DisableExceptionChainValidation registry entry under the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\
subkey, follow these steps to create it:

Right-click kernel, point to New, and then click DWORD Value.

Type DisableExceptionChainValidation, and then press ENTER.

Change the value of the DisableExceptionChainValidation registry entry to 0 to enable it, and then click OK.

Note: A value of 1 disables the registry entry. A value of 0 enables it.
Close regedit and that's it. It should work on all apps unless they say otherwise. If you experience app compatibility issues, then you can go back and change it to a 1 or delete the registry entry.

For more reading:
http://blogs.technet.com/b/srd/archi...ith-sehop.aspx

http://support.microsoft.com/kb/956607

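As an added example (not code from the post or from Microsoft's KB article), here is a PowerShell script that reads the DisableExceptionChainValidation value described above, reports whether SEHOP is in opt-in or opt-out mode, and changes it only after exporting the key to a .reg backup; the function names and the backup path are my own choices.

```powershell
# Added example: inspect and change the SEHOP opt-in/opt-out registry value.
# Run from an elevated PowerShell prompt on Vista SP1 or later.
$SehopKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
$SehopName = 'DisableExceptionChainValidation'

function Get-SehopMode {
    # Returns an object describing the current value and what it means.
    $item = Get-ItemProperty -Path $SehopKey -Name $SehopName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = $null
        $mode  = 'Value absent: OS default (opt-in on client SKUs, opt-out on Server 2008+)'
    } else {
        $value = [int]$item.$SehopName
        switch ($value) {
            0       { $mode = 'Opt-out: SEHOP enforced for every process unless the app opts out' }
            1       { $mode = 'Opt-in: SEHOP only for apps that opt in (client default)' }
            default { $mode = "Unexpected value $value; treat as misconfigured" }
        }
    }
    [pscustomobject]@{ Key = $SehopKey; Name = $SehopName; Value = $value; Mode = $mode }
}

function Set-SehopMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('OptOut', 'OptIn')]
        [string]$Mode,
        # Hypothetical default location for the .reg backup taken before the change.
        [string]$BackupPath = "$env:TEMP\SessionManager-kernel-backup.reg"
    )
    # 0 enables SEHOP for all apps (opt-out); 1 restores the opt-in default.
    $desired = if ($Mode -eq 'OptOut') { 0 } else { 1 }

    if ($PSCmdlet.ShouldProcess("$SehopKey\$SehopName", "set DWORD to $desired")) {
        # Export the key first so the change can be reverted by importing the backup.
        reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' $BackupPath /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup export failed; not modifying the registry.' }

        # -Force overwrites an existing value or creates a missing one, which covers
        # both branches of the KB article's instructions (edit vs. create the DWORD).
        New-ItemProperty -Path $SehopKey -Name $SehopName -PropertyType DWord -Value $desired -Force | Out-Null
    }
    Get-SehopMode
}

# Usage (elevated prompt):
#   Get-SehopMode
#   Set-SehopMode -Mode OptOut -WhatIf   # preview the change only
#   Set-SehopMode -Mode OptOut           # enforce SEHOP system-wide, then reboot
#   Set-SehopMode -Mode OptIn            # revert if an application misbehaves
```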
Old 01-11-2012, 04:26 AM  #328  #1 STUNNA (Thread Starter)
Another nifty tool that I found a few months ago is the Enhanced Mitigation Experience Toolkit.

The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this by using security mitigation technologies. These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities. These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult to perform as possible. In many instances, a fully-functional exploit that can bypass EMET may never be developed.

EMET is designed to work with any software, regardless of when it was written or by whom it was written. This includes software that is developed by Microsoft and software that is developed by other vendors. However, you should be aware that some software may be incompatible with EMET.
You can use EMET's GUI to easily change the system-wide DEP, ASLR and SEHOP settings (like I detailed above), or configure those settings and other mitigation features like EAF, BUR, HSA and NPA on a per-app basis.

A quick primer on Windows security technologies.

Data Execution Prevention (DEP) keeps programs from running in locations that should contain data -- it makes buffer overflow attacks considerably more difficult.

Address Space Layout Randomization (ASLR) shuffles pieces of programs around so that they're located in unpredictable portions of memory, making it harder for a rogue program to jump some place it shouldn't.

Structured Exception Handler Overwrite Protection (SEHOP) checks chains of interruptions -- exception handlers -- inside Windows to make sure they aren't hijacked, thereby making stack overflows more difficult.

Export Address Table Filtering (EAF) gets in the way of malware "shellcode" as it looks up Windows command locations.

Heap Spray Allocation (HSA) blocks attempts by well-known malware to "spray" itself into memory by pre-allocating favored locations.

Null Page Allocation (NPA) guards against a piece of malware running itself by taking over a "null" page -- a technique that's never been seen in the wild.

Bottom-Up Rand (BUR), new with EMET 2.1, adds a random offset to the base of stacks and heaps, making it harder than heck for hacks to hop in a heap.
MS has a few articles where they showed how you could use EMET to block 0-day vulnerabilities in programs, including 3rd-party software; you can read those here:
http://blogs.technet.com/b/srd/archi...y-exploit.aspx
http://blogs.technet.com/b/srd/archi...ash-0-day.aspx
http://blogs.technet.com/b/srd/archi...erability.aspx

Download EMET 2.1 here:
http://www.microsoft.com/download/en...s.aspx?id=1677

Old 02-23-2012, 08:28 AM  #329  #1 STUNNA (Thread Starter)
YouPorn, a top 100 website, has had its data exposed after it was discovered that one of its public facing servers contained a list of users’ email addresses, passwords and dates of birth. In an odd twist of fate, YouPorn finally found a way to literally screw its users.

According to NakedSecurity.com, the credentials of over 1 million users were found on a public-facing server and are now being spread across the web. This is surely a case where a user's email is more valuable than the password itself, as linking a login to an individual could impose significant personal damage.

YouPorn has shut down the offending server that contained the list of user names and passwords but the damage has already been done as the list is currently being passed around the Internet.

To make things even worse, all the data was stored as plain text, so there is no hiding behind an encrypted email address or password.

So there you have it, one of the largest porn sites on the net just shared over 1 million users’ email address and passwords with the world; so much for the private browsing session.
http://www.neowin.net/news/youporn-d...er-data-stolen
Old 03-14-2012, 03:41 PM  #330  doopstr
http://technet.microsoft.com/en-us/s...letin/ms12-020
Microsoft Security Bulletin MS12-020 - Critical
Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387)
Old 03-14-2012, 07:08 PM  #331  #1 STUNNA (Thread Starter)
Page Not Found! The hackers have already written an exploit!
Old 03-30-2012, 05:48 AM  #332  Fibonacci
U.S. Outgunned in Hacker War

By DEVLIN BARRETT

WASHINGTON—The Federal Bureau of Investigation's top cyber cop offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said.

Shawn Henry, who is preparing to leave the FBI after more than two decades with the bureau, said in an interview that the current public and private approach to fending off hackers is "unsustainable.'' Computer criminals are simply too talented and defensive measures too weak to stop them, he said.

His comments weren't directed at specific legislation but came as Congress considers two competing measures designed to buttress the networks for critical U.S. infrastructure, such as electrical-power plants and nuclear reactors. Though few cybersecurity experts disagree on the need for security improvements, business advocates have argued that the new regulations called for in one of the bills aren't likely to better protect computer networks.

Mr. Henry, who is leaving government to take a cybersecurity job with an undisclosed firm in Washington, said companies need to make major changes in the way they use computer networks to avoid further damage to national security and the economy. Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks, he said.....
http://online.wsj.com/article/SB1000...326180032.html
Old 04-05-2012, 12:01 AM  #333  #1 STUNNA (Thread Starter)
Over 600,000 Macs infected with Flashback Trojan
Two months ago, a new variant of the Flashback Trojan started exploiting a security hole in Java to silently infect Mac OS X machines. Apple has since patched Java, but this was only yesterday. As of today, more than 600,000 Macs are currently infected with the Flashback Trojan, which steals your user names and passwords to popular websites by monitoring your network traffic.

Russian antivirus company Dr. Web first reported today that 550,000 Macs were being controlled by the growing Mac botnet. Later in the day though, Dr. Web malware analyst Sorokin Ivan announced on Twitter (via Ars Technica) that the number of Macs infected with Flashback had increased to over 600,000:

@mikko, at this moment botnet Flashback over 600k, include 274 bots from Cupertino and special for you Mikko - 285 from Finland

As you can see in the screenshot above, Dr. Web says 56.6 percent of the infected Macs are located in the U.S., 19.8 percent are in Canada, and 12.8 percent are in the U.K.

Flashback was initially discovered in September 2011 masquerading as a fake Adobe Flash Player installer. A month later, a variant that disables Mac OS X antivirus signature updates was spotted in the wild.

In the past few months, Flashback has evolved to exploiting Java vulnerabilities. This means it doesn’t require any user intervention if Java has not been patched on your Mac: all you have to do is visit a malicious website, and the malware will be automatically downloaded and installed.

Another variant spotted last month asks for administrative privileges, but it does not require them. If you give it permission, it will install itself into the Applications folder, where it will silently hook itself into Firefox and Safari and launch whenever you open one of the two browsers. If you don't give it permission, it will install itself into the user accounts folder, where it can run in a more global manner, launching itself whenever any application is launched, but where it can also be more easily detected.

You can grab the new version of Java that patches the security hole in question from Apple here: Java for Mac OS X 10.6 Update 7 and Java for OS X Lion 2012-001. Additionally, F-Secure has instructions on how to remove this malware if you think your Mac may already be infected.

http://www.zdnet.com/blog/security/o...e_skin;content

Even on OS X you're not safe from the perils of Java...

Old 04-05-2012, 09:11 AM  #334  doopstr
Originally Posted by #1 STUNNA
Even on OS X you're not safe from the perils of Java...
And again Apple is slow to patch, this release has been out for a month or two on Windows. Hopefully Apple updates their AV thingie and takes care of the malware.

Old 04-06-2012, 11:56 AM  #335  Moog-Type-S
No malware found on my macs.
Old 04-06-2012, 12:24 PM  #336  doopstr
Originally Posted by Moog-Type-S
No malware found on my macs.
I'd really like to know where these macs picked up the malware because I visit some questionable sites and mine is fine too.
Old 04-06-2012, 12:46 PM  #337  Moog-Type-S
^^ pR0n
Old 04-08-2012, 11:21 PM  #338  #1 STUNNA (Thread Starter)
Stuff probably hides in Google image searches or other SEO poisoning....
Old 04-08-2012, 11:26 PM  #339  #1 STUNNA (Thread Starter)
Flashback on track to be worst Mac malware in decades
Despite some initial skepticism, a Russian company's claim that over 600,000 Macs have fallen prey to Flashback seems to be holding up.

When news broke last week that drive-by malware exploiting a known Java vulnerability had infected first 300,000 then as many as Dr. Web, a little-known Russian computer security firm. Who were these folks, and how did they come up with the number?

However, Dr. Web's estimate of the number of infected Macs is holding water: although other security firms haven't yet produced their own independent estimates of the rates of Flashback infection, plenty of infected machines are being found, and so far most agree Dr. Web's methodology seems sound. Dr. Web used a "sinkhole" approach, redirecting all traffic intended for Flashback's command-and-control servers to another system that deciphered the reports from infected machines and pulled out the Macintosh UUIDs (unique identification codes) for analysis. This method is more comprehensive than a simple analysis of IP addresses, since (particularly on home networks and organizations' internal networks) hundreds of machines can conceivably share the same IP number.

Dr. Web has released a simple lookup tool that claims to let folks determine if a particular Mac has been detected as a system infected with Flashback. Users just get their Mac’s UUID (available in the Hardware section of System Information: choose Apple > About this Mac, then More Info to launch System Information). Note that UUIDs are not serial numbers: Dr. Web isn’t asking for users to enter their serial numbers.

If the infection rates published by Dr. Web are accurate, that means the overall infection rate in the Macintosh ecosystem is a bit over one percent; common industry estimates put the number of active Macs in use at about 45 million. F-Secure analyst Mikko Hypponen noted via Twitter that this translates to an infection rate over one percent. In theory, that would make Flashback as common on Macs as Conficker was on Windows.

Antivirus developer Intego believes the Flashback malware was created by the same folks who made the MacDefender trojan horse, which published detailed instructions on how to determine if a Mac is infected, as well as background information on how the Flashback malware operates.
http://www.digitaltrends.com/apple/f...re-in-decades/

and you remember how crazy people got over Conficker!!!

I've dealt with Conficker I think twice since 2008. I remember back when it was in the news I had normal people coming up to me freaking out!
Old 04-10-2012, 09:23 AM  #340  #1 STUNNA (Thread Starter)

As of version 11.2.202.228 Flash now comes with auto updates.

It adds another service to go along with the Adobe Acrobat updater service; hopefully they'll be combined at some point.

I've only seen Reader auto install once, otherwise it just notifies me for weeks until I finally give in and do it manually. Not sure why I set it to auto updates if it isn't going to auto update.....
Old 04-11-2012, 12:07 PM  #341  #1 STUNNA (Thread Starter)
A recent version of malicious software called Flashback exploits a security flaw in Java in order to install itself on Macs.

Apple released a Java update on April 3, 2012 that fixes the Java security flaw for systems running OS X v10.7 and Mac OS X v10.6. By default, your Mac automatically checks for software updates every week, but you can change that setting in Software Update preferences. You can also run Software Update at any time to manually check for the latest updates.

Apple is developing software that will detect and remove the Flashback malware.

In addition to the Java vulnerability, the Flashback malware relies on computer servers hosted by the malware authors to perform many of its critical functions. Apple is working with ISPs worldwide to disable this command and control network.

Additional Information
For Macs running Mac OS X v10.5 or earlier, you can better protect yourself from this malware by disabling Java in your web browser(s) preferences.
http://support.apple.com/kb/HT5244?v...S&locale=en_US
Old 04-11-2012, 12:44 PM  #342  jupitersolo
Kaspersky already has something out. I read it this morning; can't find the article now.
Old 04-12-2012, 04:59 PM  #343  #1 STUNNA (Thread Starter)
This Java security update removes the most common variants of the Flashback malware.

This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

Java for OS X Lion 2012-003 delivers Java SE 6 version 1.6.0_31 and supersedes all previous versions of Java for OS X Lion.

This update is recommended for all Mac users with Java installed.
http://support.apple.com/kb/HT5242
Old 04-12-2012, 07:14 PM  #344  doopstr
This Java security update removes the most common variants of the Flashback malware.
But what about the less common variants?
Old 04-13-2012, 03:03 AM  #345  #1 STUNNA (Thread Starter)
Adobe Reader 10.1.3 just updated automatically in Windows 8. Maybe the auto-updater is working?

I saw the Adobe updater icon in the system tray for a few seconds, and when I went to check on it, it was gone! So I checked Reader and sure enough it was on the latest version!

I didn't see any install windows pop up. Makes me wonder if it will start working on my other machines instead of just sitting there....
Old 04-13-2012, 03:17 AM  #346  #1 STUNNA (Thread Starter)
If the Flash and Reader auto-updaters start working as they should, and you uninstall Java and Firefox like I've said for a while, then the remaining most common software should all be set to auto-update. Windows, IE, Office, Chrome, Flash and Reader should all install updates when they're available.

This is great news, since according to Microsoft 99% of malware exploits vulnerabilities which have already been patched with an update. If your PC auto-updates itself when new updates are made available, then you shouldn't have much to worry about.
Old 04-18-2012, 02:45 AM  #347  #1 STUNNA (Thread Starter)
Seems like the Apple Flashback removal tool is working.

How long until the next piece of malware disables Software Update and users have to manually download a fix? Should be any day now.....

Welcome to the world of Windows, Apple!

http://www.symantec.com/connect/blog...000-infections
Old 04-18-2012, 02:49 AM  #348  #1 STUNNA (Thread Starter)
Couldn't they just edit the HOSTS file to block the software update server?
Old 04-21-2012, 01:15 AM  #349  #1 STUNNA (Thread Starter)
Apparently the numbers from Symantec above were way off; reports are now putting it at 650,000 infected. Here's why:

Flashback infections not waning after all; 650,000 Macs still hijacked


This image charts the number of Flashback bots from April 3 to April 19.


Analysis declaring the demise of the Flashback Mac backdoor has been greatly exaggerated, said researchers with a Russia-based antivirus firm, who on late Friday estimated there are 650,000 unique OS X machines currently infected by the malware.

The estimate by Doctor Web is in stark contrast to analysis provided Wednesday by Symantec, which showed the number of compromised systems had dropped from more than half a million to about 140,000. Following the release of the latest Doctor Web estimate, Symantec updated its post to say company researchers now believe their servers "are receiving limited infection counts" for the malware.

The revised numbers are the result of so-called sinkholes that researchers construct to act as surrogate command and control servers for hijacked machines. To give the Flashback botnet resilience against a takedown of the real command channels, the malware uses the current date, and certain code-embedded parameters, to dynamically generate alternate domain names the infected Macs report to. By registering the domains ahead of the Flashback operators, security researchers are able to create benign control servers that can prevent the bots from receiving harmful commands and can also conduct reconnaissance on the targeted malware.

According to Doctor Web, different sinkholes used by different researchers have returned vastly different statistics about the machines reporting to them. Mac antivirus provider Intego has concurred with those findings, at least in part, it said, because some domain name system lookup services are blocking the IP resolution of some of the domains used by the sinkholes.

"The effect here is that the Macs are still infected, but they will not be able to contact the command and control servers, and especially, cannot be counted by sinkholes," Intego researcher Peter James wrote in a post published on Friday morning.

Both Doctor Web and the update from Symantec went on to say a specific sinkhole at IP address 74.207.249.7 was failing to close TCP connections after being contacted by infected machines.


This screen capture shows a sinkhole at 74.207.249.7 keeping a TCP connection open with an infected machine.
drweb.com
"As the result, bots switch to the standby mode and wait for the server's reply and no longer respond to further commands," Friday's post from Doctor Web stated. "As a consequence, they do not communicate with other command centers, many of which have been registered by information security specialists."

The post estimates that a total of 817,879 bots have been a part of the botnet at one time or another since Doctor Web first started monitoring it on April 4. On Monday, 717,004 unique IP addresses and 595,816 Mac unique user IDs checked in. The number of IP addresses and UUIDs the following day were 714,483 and 582,405. And so, of the estimated infected Macs, "the number is still around 650,000," the post said.

The motives behind the Flashback operators remain murky, but researchers suspect the malware may be involved in click fraud scams, since it often alters query results returned by search engines. The malware first spread by masquerading as an update for Adobe's Flash player, and more recently by exploiting a critical Java vulnerability that Apple was slow to patch. Researchers from Kaspersky have said that starting in late February, tens of thousands of sites running WordPress began pushing the malware, suggesting that attackers may have exploited a vulnerability in the blogging tool to mass infect the sites with exploits. On late Friday, WordPress issued a security update here.

Over the past two weeks, Apple and a variety of third-party software providers have offered free tools to diagnose and cure Flashback infections. As researchers started seeing fewer bots reporting to their sinkholes, they assumed the decline was the result of end users patching and repairing their Macs. Now, those assumptions are open to debate.

Said Intego's James: "The realization now that the actual number of infected Macs is a multiple of the numbers cited recently in the press suggests that as many Macs are disinfected, others are being infected."
http://arstechnica.com/apple/news/20...l-hijacked.ars
Old 08-14-2012, 02:57 PM  #350  doopstr
Finally!
http://www.oracle.com/us/corporate/press/1735645
Oracle Releases New Java Updates - Java SE 7 Update 6, JavaFX 2.2 and JavaFX Scene Builder 1.0
Expands Operating System Support with Full Mac OS X Release, Expanded Linux on ARM Support in Java SE and New Linux Version of JavaFX

Redwood Shores, CA – August 14, 2012
News Facts
Oracle today announced the availability of Java Platform, Standard Edition 7 Update 6 (Java SE 7 Update 6) and JavaFX 2.2, as well as the first release of JavaFX Scene Builder.
With this release, Oracle is providing full availability of Java SE 7 Update 6 on Mac OS X, including the Java Runtime Environment (JRE) and the Java Development Kit (JDK), as well as the JavaFX 2.2 rich client platform and JavaFX Scene Builder.
Consumers will soon be able to download the JRE for Mac OS X from Java.com, just as they do for all other operating systems, and Oracle will provide auto-updates for Mac OS X at the same time as for Windows platforms.
Oracle will highlight these and other Java technology updates at JavaOne 2012, September 30 - October 4, 2012 in the Zone at the Hilton San Francisco Union Square, Hotel Nikko, Parc 55 Wyndham and the Taylor Street Café.
Old 08-30-2012, 05:00 PM
  #351  
Moog-Type-S
Oracle issues patch for latest Java security flaw

Oracle on Thursday released a patch for the Java 1.7 runtime, plugging a recently discovered security hole that allowed malware to take over any operating system when a user visits a malicious website.

In an update to its "CVE-2012-4681" security alert, Oracle addressed three separate vulnerabilities and one "security-in-depth" issue affecting Java 7.

It was reported on Monday that a new zero-day exploit had been discovered and proven to be effective within the Java 1.7 runtime, which includes the latest Java 7 update, in browsers on any operating system.

According to researchers, the flaw allows malware to breach the security of a Mac or PC by having a user visit a compromised website hosting the attack code. Because Java came bundled with older versions of OS X like Leopard or Snow Leopard, Macs running the legacy software are potentially more vulnerable to the attack than those with the latest 10.8 Mountain Lion.
http://www.appleinsider.com/articles...rity_flaw.html
Old 08-30-2012, 09:53 PM
  #352  
speedemon90
Anyone ever use Front Door software?

It's used to track your laptop when lost.

I get 4 years free with my school. Something I should get? I don't want it to slow down my computer like crazy either.
Old 08-31-2012, 12:03 AM
  #353  
thelastaspec
Originally Posted by Moog-Type-S
Oracle issues patch for latest Java security flaw


http://www.appleinsider.com/articles...rity_flaw.html

I keep Java installed but disable the extension on all my computers. Only enable it when needed...
Old 09-08-2012, 03:39 PM
  #354  
#1 STUNNA
Thread Starter
VirusTotal has been acquired by Google: the company announced the acquisition on its blog, while assuring users that the well-known online antivirus/antimalware service will continue to operate as usual. Furthermore, by working as a Google subsidiary the company will improve faster than ever.

The VirusTotal blog states that continuous improvement of its services has been challenged by the need to cope with limited resources for growth, a situation that the acquisition by a rich and “long-time partner” like Google will surely change for good.

The acquisition is good news for users and “bad news for malware generators”, VirusTotal stated, because thanks to Google “the quality and power of our malware research tools will keep improving” faster and “Google’s infrastructure will ensure that our tools are always ready, right when you need them”.

Being acquired by the Mountain View giant won’t mean the end of the current VirusTotal brand and services, though: the company assures that the existing partnerships with “other” antivirus companies and security experts will be maintained as such.


Originally Posted by #1 STUNNA
This week I got a cool service called VirusTotal. It's a free online virus and malware scan service, but what's different about it is that you upload a file to the site and it will scan it using 41 AV programs and show you their results. So if you've got a file that your AV is saying is infected and you think it might be a false positive, you can upload said file to this site and it will scan it with 41 AV programs and let you know the results for each of them. It's kind of like a Supreme Court of AV programs that will tell you whether each thinks the file is infected or not.

www.virustotal.com

Also it's got an email service where you can email a file to scan@virustotal.com and put SCAN in the subject field and they'll email you back the results. Even cooler, there's a little 80 KB download that adds VirusTotal to the "Send to" list in the context menu. So if you right-click on a file and choose Send to > VirusTotal, it'll upload the file and then take you to the website!

http://www.neowin.net/news/google-acquires-virustotal

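The post above covers the web, e-mail and "Send to" front ends; the same service can be driven from a script, and doing so lets you look a file up by hash before deciding whether to upload it at all. The PowerShell below is an added example for this thread, not VirusTotal's or the poster's code. It assumes VirusTotal's public API v2 as documented at the time (a file/report call keyed by hash that answers with response_code, positives, total and a per-engine scans object), a placeholder $ApiKey that you replace with your own key, and PowerShell 3.0 or later for Invoke-RestMethod and ConvertFrom-Json. The sample report at the bottom is constructed here so the summary logic can be tried without a key or a network connection.

```powershell
# Added example for this thread, not VirusTotal's code. API v2 layout assumed.
$VtReportUrl = 'https://www.virustotal.com/vtapi/v2/file/report'
$ApiKey      = 'REPLACE-WITH-YOUR-VT-API-KEY'   # placeholder, not a real key

function Get-Sha256Hex {
    # Hash locally first: querying by hash reveals nothing about the file,
    # whereas an upload shares the file with every participating AV vendor.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-VtReport {
    # resource may be an md5, sha1 or sha256. A known hash returns the cached
    # report, so nothing is uploaded. response_code 0 = unknown, -2 = queued.
    param([string]$Resource, [string]$ApiKey)
    Invoke-RestMethod -Method Post -Uri $VtReportUrl -Body @{ resource = $Resource; apikey = $ApiKey }
}

function Get-VtSummary {
    # Turn the per-engine 'scans' object into the list a human actually reads:
    # which engines flagged the file, under what name, and how fresh their
    # signatures were. Two hits with generic names on stale signatures read
    # very differently from twenty engines agreeing on one family name.
    param($Report)
    if ($Report.response_code -ne 1) {
        return [pscustomobject]@{ Known = $false; Positives = 0; Total = 0; Flagged = @() }
    }
    $flagged = foreach ($p in $Report.scans.PSObject.Properties) {
        if ($p.Value.detected) {
            [pscustomobject]@{ Engine = $p.Name; Result = $p.Value.result; Signatures = $p.Value.update }
        }
    }
    [pscustomobject]@{
        Known     = $true
        Positives = [int]$Report.positives
        Total     = [int]$Report.total
        Flagged   = @($flagged | Sort-Object Engine)
    }
}

# Constructed sample (not a real VirusTotal response, engine names invented):
# 2 of 4 engines flag the file, one with a generic heuristic name and one
# whose signature set is a year old, i.e. the shape of a likely false positive.
$sample = @'
{ "response_code": 1, "positives": 2, "total": 4,
  "sha256": "0000000000000000000000000000000000000000000000000000000000000000",
  "scans": {
    "EngineA": { "detected": true,  "result": "Gen:Variant.Example", "update": "20120908" },
    "EngineB": { "detected": false, "result": null,                  "update": "20120908" },
    "EngineC": { "detected": true,  "result": "Trojan.Example",      "update": "20110901" },
    "EngineD": { "detected": false, "result": null,                  "update": "20120907" } } }
'@ | ConvertFrom-Json

$summary = Get-VtSummary $sample
'{0}/{1} engines flagged the sample' -f $summary.Positives, $summary.Total
$summary.Flagged | Format-Table -AutoSize

# Live use (needs a key and network): hash a file and look it up by hash.
# $summary = Get-VtSummary (Get-VtReport -Resource (Get-Sha256Hex 'C:\path\to\file.exe') -ApiKey $ApiKey)
```

The order matters: hash, query, and only then decide whether to upload. Anything you upload is distributed to the AV vendors behind the service, so an internal document or a tool with embedded credentials should never be submitted just to settle a false-positive argument.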
Old 09-10-2012, 02:26 PM
  #355  
Whiskers
GoDaddy ISP down, possibly hacked by Anonymous
Old 09-10-2012, 11:31 PM
  #356  
#1 STUNNA
Thread Starter
I think that's what caused our VoIP phones to stop working at work. Probably messed up a lot of our clients too. I personally won't use GoDaddy, but that's what my bosses use; I'll keep trying to nudge them off of it....
Old 09-11-2012, 06:41 AM
  #357  
Anachostic
No issues with my GoDaddy virtual server. Didn't have any web or email downtime yesterday.
Old 09-18-2012, 12:25 PM
  #358  
Moog-Type-S
Microsoft offers "advice" to deal with IE security bug

With no fix available yet, Microsoft has a few words of wisdom for users who don't want to be bitten by the newly discovered bug.

Users of Internet Explorer versions 6 through 9 are grappling with another security flaw without a fix, but Microsoft has a few suggestions to help shore up protection.

Uncovered this past weekend, the security hole could compromise the PCs of IE users who surf to a malicious Web site. Microsoft said it's already aware of attacks that have tried to take advantage of this weakness.

Since no fix is yet available, it's up to users of IE to protect themselves. A new Microsoft Security Advisory offers several recommendations.

To start, the usual advice always applies. Make sure you're running updated antivirus and antispyware software and that you're using a firewall, either a third-party utility or the one built into Windows.

You can also install the Enhanced Mitigation Experience Toolkit from Microsoft. EMET tries to ward off attacks on software holes by putting up a wall of security obstacles that the malware writers must circumvent. EMET can be configured specifically for Internet Explorer as well as other applications.

Another option is to push the Internet and local Intranet security settings in IE to "high." To do this, launch Internet Explorer, click the Tools menu, and then select Internet Options. Click the Security tab and then select the Internet zone. Under the Security level for this zone, move the slider to High. Click the Local Intranet zone and again push the Security level to High.

Users can also set Active Scripting to "prompt" in both the Internet and Local Intranet zones. To do this, again select Internet Options from the Tools menu in IE. Click the Security tab. Click the Internet zone and then select Custom Level. Scroll down to the Scripting section and set Active Scripting to Prompt. Repeat the same steps for the Local Intranet zone.

As Microsoft warns, tweaking these settings could prevent access to certain Web sites.

Even changing the setting to "prompt" will trigger an annoying message anytime you hit a Web site that uses ActiveX controls asking if you want to allow or block the site.

Microsoft's own Windows Update sites -- *.windowsupdate.microsoft.com and *.update.microsoft.com -- rely on ActiveX controls to install available updates.
You can add sites that you trust to the Trusted sites zone through Internet Options. But this can be time-consuming since you have to add them on an individual basis.

As a result, the easiest option is to just not use Internet Explorer, at least not while this exploit remains in the wild. Individual users can switch to Firefox, Chrome, or another browser. Organizations that have standardized on Internet Explorer face a tougher challenge. So the onus now is on Microsoft to fix this hole as quickly as possible.

You can learn more about the security flaw and possible workarounds through Microsoft's Security Advisory.
http://news.cnet.com/8301-10805_3-57...-security-bug/
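The zone changes in the advisory quoted above can be scripted and, just as importantly, verified: a setting that looks applied in the dialog is silently ignored when a machine policy overrides it. The PowerShell below is an added example written for this thread, not code from the CNET article or from Microsoft. It assumes the registry layout IE uses for its security zones (zone 1 = Local intranet, 2 = Trusted sites, 3 = Internet; action value 1400 = Active scripting with 0 = Enable, 1 = Prompt, 3 = Disable; CurrentLevel 0x12000 = the High preset), writes only the current user's keys, and adds the two Windows Update hostnames the article names to the Trusted sites zone so patching keeps working.

```powershell
# Added example for this thread, not Microsoft's or the article's code.
# IE keeps per-user zone settings under $ZoneRoot, one subkey per zone;
# settings pushed by Group Policy live under $PolicyRoot and take precedence.
$ZoneRoot     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyRoot   = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones        = @{ Intranet = 1; Trusted = 2; Internet = 3 }
$LevelHigh    = 0x12000   # slider preset "High"
$ScriptPrompt = 1         # action 1400 (Active scripting): 0 Enable, 1 Prompt, 3 Disable

function Get-IeZoneState {
    # Read what IE will actually use: the user value plus any policy override.
    param([int]$Zone)
    $user   = Get-ItemProperty -Path (Join-Path $ZoneRoot $Zone)
    $policy = Get-ItemProperty -Path (Join-Path $PolicyRoot $Zone) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Zone            = $Zone
        CurrentLevel    = ('0x{0:X}' -f [int]$user.CurrentLevel)
        ActiveScripting = [int]$user.'1400'
        # If a policy value for 1400 exists, the HKCU edit below changes nothing.
        PolicyOverride  = $(if ($policy -and $policy.PSObject.Properties['1400']) { [int]$policy.'1400' } else { $null })
    }
}

function Set-IeZoneHardening {
    # Both changes the advisory lists: slider to High, Active scripting to Prompt.
    # Writing an individual action makes the dialog show "Custom level";
    # "Reset all zones to default level" in the UI undoes everything done here.
    param([int]$Zone)
    $key = Join-Path $ZoneRoot $Zone
    Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $LevelHigh    -Type DWord
    Set-ItemProperty -Path $key -Name '1400'         -Value $ScriptPrompt -Type DWord
}

function Add-IeTrustedSite {
    # Accepts '*.windowsupdate.microsoft.com' or 'https://update.microsoft.com'.
    # IE stores site-to-zone assignments as ZoneMap\Domains\<registrable domain>\<subdomain>
    # holding a DWORD named after the scheme ('*' = any scheme) whose data is the zone number.
    param([string]$Pattern, [int]$Zone = 2)
    $scheme = '*'
    if ($Pattern -match '^(https?)://(.+)$') { $scheme = $Matches[1]; $Pattern = $Matches[2] }
    $labels = ($Pattern -replace '^\*\.', '').Split('.')
    if ($labels.Count -lt 2) { throw "Need at least a second-level domain: $Pattern" }
    $domain = $labels[-2..-1] -join '.'                      # e.g. microsoft.com
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if ($labels.Count -gt 2) {                                # e.g. windowsupdate
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name $scheme -Value $Zone -Type DWord
}

# Show the state before, harden the two zones the advisory names, keep Windows
# Update working, then read the state back instead of trusting the write.
$Zones.Internet, $Zones.Intranet | ForEach-Object { Get-IeZoneState $_ } | Format-Table -AutoSize
$Zones.Internet, $Zones.Intranet | ForEach-Object { Set-IeZoneHardening $_ }
'*.windowsupdate.microsoft.com', '*.update.microsoft.com' | ForEach-Object { Add-IeTrustedSite $_ }
$Zones.Internet, $Zones.Intranet | ForEach-Object { Get-IeZoneState $_ } | Format-Table -AutoSize
```

Restart IE afterwards; open windows keep the old settings. A non-empty PolicyOverride in the readback means the machine is policy-managed and the change has to go through Group Policy rather than HKCU. The same applies when the DWORD Security_HKLM_only is set to 1 under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which makes IE ignore per-user zone settings entirely, and when a "Site to Zone Assignment List" policy is in force, which replaces the user's Trusted sites entries. None of this is a substitute for the patch; it is the stopgap the article describes, to be rolled back once the fix ships.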
Old 09-18-2012, 01:59 PM
  #359  
Scottman111
Maybe they should put the money they spend on advertising IE into making a decent browser

Can't stand that IE9 commercial with the annoying song
Old 09-18-2012, 02:01 PM
  #360  
Whiskers
Chrome good.

