Thursday, April 26, 2012

VMware source code stolen, impact unclear

VMware ESX source code has been stolen and posted online, but the company says its virtualization platform doesn't necessarily pose an increased risk to customers.

The stolen code amounts to a single file from sometime around 2003 or 2004, the company says in a blog post.

"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," according to the blog written by Iain Mulholland, director of the company's Security Response Center.

The code was stolen from a Chinese company called China Electronics Import & Export Corporation (CEIEC) during a March breach, according to a posting on the Kaspersky Threat Post blog.

The code, along with internal VMware emails, was posted online three days ago.

VMware didn't respond immediately to a request for more information about the impact of the breach on customers.

Eric Chiu, president of virtualization security firm Hytrust, says it's hard to say what VMware customers should do because there's not enough detail about how the exposed code is being used in current products.

In general, though, customers should review the security for virtual environments to address the fact that a compromised hypervisor exposes multiple virtual machines.

While the incident is reminiscent of the breach last year of RSA source code, the circumstances differ. An RSA partner was breached and that breach was used to send a malware-laced email to an RSA staffer who opened it.

In VMware's case, the CEIEC network was hacked and finding the source code was fortuitous.

This is what VMware posted in a blog: "Yesterday, April 23, 2012, our security team became aware of the public posting of a single file from the VMware ESX source code and the possibility that more files may be posted in the future. The posted code and associated commentary dates to the 2003 to 2004 timeframe.

"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers. VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available."

Thursday, April 5, 2012

Speed your browser by changing your DNS

Most people use the default DNS settings provided by their ISP, and while they are usually sufficient for most purposes, there are plenty of free options out there, like OpenDNS and Google DNS. Namebench is a free app that checks to see whether your current settings are optimized and, if not, which free option is best for you. Here's how to use it:

Download and install Namebench.

Fire it up and choose your settings. Keep the top two boxes checked. If you're concerned about network censorship, check the third box, and if you want to help the developers, check the last box. You can tweak the rest if you're outside the U.S. or want to experiment with different browsers.


Click Start Benchmark and wait while Namebench runs its tests. It should take several minutes. A browser tab should pop open when Namebench is done and give you a list of DNS servers and how much faster they are than the one you're currently using, unless yours are already the fastest possible.

Namebench does not change your settings, but it's generally pretty easy to do it yourself. Check with the instructions you got from your ISP to set up your modem and/or router and just substitute the DNS addresses you received from Namebench for the addresses given by your ISP. It's best to do this with your router, as it will assign that DNS address for all the devices attached to it.

That's it! This can dramatically improve your browsing speed, and it's fairly easy to work through.
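What Namebench does under the hood is send the same query to each candidate resolver and time the reply. The script below is an added illustration of that measurement, not code from the post or from Namebench: it builds a raw DNS A query, parses the answer, and times each resolver in a short list (the Google DNS and OpenDNS addresses are the providers' well-known public resolvers; the sample response is constructed for offline parsing).

```python
import random
import socket
import struct
import time

# Well-known public resolvers named in the post (assumed reachable on UDP/53).
RESOLVERS = {"Google DNS": "8.8.8.8", "OpenDNS": "208.67.222.222"}


def build_query(name, txid):
    """Minimal DNS query: header (RD=1, one question) + QNAME + A/IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(data, off):
    """Advance past a (possibly compressed) name; a pointer ends the name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_answer(data, txid):
    """Return (rcode, [A-record addresses]); reject mismatched transaction ids."""
    rid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def time_resolver(server, name, timeout=2.0):
    """Round-trip time in ms for one successful lookup, or None on failure."""
    txid = random.randrange(65536)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.perf_counter()
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
        elapsed_ms = (time.perf_counter() - start) * 1000
        rcode, _addrs = parse_answer(data, txid)
        return elapsed_ms if rcode == 0 else None
    except (socket.timeout, ValueError):
        return None
    finally:
        sock.close()


# Constructed response: txid 0x1234, NOERROR, one A record 192.0.2.1 (TEST-NET).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    results = {n: time_resolver(ip, "example.com") for n, ip in RESOLVERS.items()}
    for name, ms in sorted(results.items(), key=lambda kv: kv[1] or float("inf")):
        print(f"{name:12s} {'timeout' if ms is None else f'{ms:.1f} ms'}")
```

Like Namebench, this only measures; it changes no settings, and a single query per resolver is a rough indicator, so run it a few times before drawing conclusions.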

Chinese websites 'defaced in Anonymous attack'

The Anonymous hacking group claims to have defaced almost 500 websites in China.

Targets hit in the mass defacement included government sites and official agencies, trade groups and many others.

A message put on the hacked sites said the attack was carried out to protest against the Chinese government's strict control of its citizens.

It urged Chinese people to join Anonymous and stage their own protests against the regime.

Attack pattern

The announcement about the defacements was made via an Anonymous China account that was established in March. A list of the 485 sites affected was put on the Pastebin website. Separate Pastebin messages posted email addresses and other personal details stolen when sites were penetrated.

Sites defaced had the same message posted to them that chided the nation's government for its repressive policies.

It read: "Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall."

China has one of the most comprehensive web surveillance systems in the world, known as the Great Firewall of China, that reinforces its broader social controls. The system polices where Chinese people can go online and tries to restrict what they can talk about.

On defaced pages, the Anonymous attackers also posted links to advice that could help people avoid official scrutiny of what they do and say online. Much of the advice was in English so it is unclear how much help it would be.

There has been no official confirmation of the defacements. News wires reported that government officials had denied any had taken place.

However, many of the sites listed are now offline and a few others displayed a hacked page for a long time rather than their own homepage.

Tuesday, April 3, 2012

Unpatched Java Vulnerability Exploited – Macs Infected With Flashback Malware

A Java vulnerability that hasn't yet been patched by Apple is being exploited by cybercriminals to infect Mac computers with a new variant of the Flashback malware, according to security researchers from antivirus firm F-Secure.

Flashback is a computer Trojan horse for Mac OS that first appeared in September 2011. The first variant was distributed as a fake Flash Player installer, but the malware has been changed significantly since then, both in terms of functionality and distribution methods.

Back in February, several antivirus companies reported that a new Flashback version was being distributed through Java exploits, which meant that the infection process no longer required user interaction.

The Java vulnerabilities targeted by the February exploits dated back to 2009 and 2011, so users with up-to-date Java installations were protected.

However, that's no longer the case with the latest variant of the malware, Flashback.K, which is being distributed by exploiting an unpatched Java vulnerability, security researchers from F-Secure said in a blog post Monday.

Oracle released a fix for the targeted vulnerability, which is identified as CVE-2012-0507, back in February and it was included in an update for the Windows version of Java.

However, since Apple distributes a self-compiled version of Java for Macs, it ports Oracle's patches to it according to its own schedule, which can be months behind the one for Java on Windows.

Security experts have long warned that this delay in delivering Java patches on Mac OS could be used by malware writers to their advantage, and the new Flashback.K malware confirms that they were right.

After being dropped and executed on the system via the CVE-2012-0507 exploit, the new Trojan horse prompts a dialog window that asks the user for their administrative password.

Regardless of whether the user inputs the password or not, the malware still infects the system, F-Secure said in its description of the malware. The Trojan's purpose is to inject itself into the Safari process and modify the contents of certain Web pages.

There are rumors that a new exploit for a different unpatched Java vulnerability is currently being sold on the underground market and could be used to target Mac users in a similar way in the future, the F-Secure researchers said.

"If you haven't already disabled your Java client, please do so before this thing really become an outbreak," they said. The antivirus company provides instructions on how to do this.

Apple stopped including Java by default in Mac OS X starting with version 10.7 (Lion). However, if Lion users encounter a Web page that requires Java, they are prompted to download and install the runtime and might later forget that they have it on their computers.