http://www.informationweek.com/news/security/attacks/231602232

By Mathew J. Schwartz
InformationWeek
September 27, 2011

A security firm warned Monday that the website for downloading the popular MySQL open source relational database was infecting PCs via drive-by downloads.

Browsers that visited MySQL.com Monday were immediately injected with a JavaScript executable, which generated an iFrame that redirected to a website hosting the Black Hole crimeware exploit kit.

"It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge," according to a blog post written by Wayne Huang, CEO of security firm Armorize, which discovered the attack. "The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection," he said.

By later on Monday, Oracle--which owns MySQL--had apparently disabled the attack.

Black Hole, a copy of which can be rented for about $1,500 per year, is one of the most widely used crimeware toolkits, which are designed to automate the process of exploiting PCs and harvesting financial data.

"The blackhole exploit pack supports a wide variety of exploits, so the actual exploit you get served depends on the platform you use for browsing," said Huang. "The [executable] is run by exploiting the browser with javascript / flash actionscript / PDF jscript / java exploit / etc."

Furthermore, it can apparently bypass many attack mitigation technologies, including data execution prevention (DEP). "Many exploits have the ability to turn DEP off so they'd still work on Win7," he said.

[...]

Received on Tue Sep 27 2011 - 22:27:37 PDT