[Unpatched] Malware DNS poisoning and Windows 2003 vulnerabilities
PivX Labs sent out security information regarding the malware DNS poisoning reported by the SANS Internet Storm Center on April 4, 2005, and the Windows 2003 vulnerabilities reported by Japanese security researcher Eiji James Yoshida on October 8, 2003.
Short descriptions of both follow:
Malware DNS poisoning:
SANS Internet Storm Center has raised its alert level to Yellow following a rash of active DNS poisonings. The poisoned DNS servers are redirecting users from popular sites such as Google or American Express to advertising sites that install malware. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of the information gathered so far can be found at http://isc.sans.org/presentations/dnspoisoning.php
The ISC report also highlights the fact that Windows NT4 and Windows 2000 DNS servers are not secured by default against DNS cache poisoning attacks, and recommends that you immediately implement the mitigations outlined in Knowledge Base article 241352, which can be found at http://support.microsoft.com/?kbid=241352
The vulnerabilities exploited on the malicious advertising sites to install malware and spyware automatically include, but are not limited to, the codeBase vulnerability, Windows Media Player command execution, and HTML Application Content-Type execution.
Windows 2003 vulnerabilities:
Japanese security researcher Eiji James Yoshida reported several vulnerabilities affecting Windows Server 2003 on October 8, 2003. These vulnerabilities allowed arbitrary command execution from within an Internet site without user interaction, and led to several related security vulnerabilities in 2004, such as Shell Drag'n'Drop and FTP command-line argument injection. Eiji provided proof-of-concept exploit code in 2003, which can still be found at http://www.securityfocus.com/bid/7826/exploit/
Microsoft has now patched these security vulnerabilities with the release of Service Pack 1 for Windows Server 2003, as Eiji notes in his follow-up post to Bugtraq at http://www.securityfocus.com/archive/1/394826/2005-03-27/2005-04-02/0
PivX Labs has verified that the FTP exploit is not limited to Windows Server 2003 but also affects Windows XP, including Service Pack 2 with all patches, and plans to verify which other versions of Windows are affected. The mailing list post also states: “As such, this vulnerability remains unpatched for the majority of Windows users and should be addressed by a standalone patch. PivX Labs has also verified that all of the above vulnerabilities, used both in the DNS cache poisoning attacks and the Windows Server 2003 vulnerabilities which were left unpatched for 18 months, were protected against in advance by Qwik-Fix Pro and Pre>Empt from PivX Solutions without prior knowledge of their existence. You can download a trial version of Qwik-Fix Pro at http://www.pivx.com/qwikfix.asp”