January 2006 - Posts
Microsoft has released a preview of the IE 7 beta for public testing
http://news.zdnet.com/2100-3513_22-6033116.html
http://www.microsoft.com/windows/ie/ie7/default.mspx
QUOTE: Microsoft took the wraps off Internet Explorer 7 Tuesday, releasing the new "preview" version of its Web browser to the general public for testing.
The program, still a work in progress, is available for download from the Internet Explorer section of Microsoft's corporate Web site, the company said. The company, which began limited testing in July, had promised to deliver a public beta by the end of March.
"The big update is that it's public," said Margaret Cobb, group product manager for Internet Explorer at Microsoft. "All previous releases were limited."
The latest version works only with Windows XP Service Pack 2 and includes many of the features Microsoft has been touting for months. Among them are new security and privacy protection capabilities such as mechanisms designed to combat phishing attacks, spyware and other threats.
The new CME-024 worm, known as Nyxem, MyWife, Blackmal, Blackworm, etc., has already hit a few PCs whose clock was set to the wrong day of the month. Hopefully, there will not be many impacts associated with this new destructive threat on February 3rd.
Blackworm -- First damage reports in for incorrect PC clock settings
QUOTE: The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time - even though the official activation time is the 3rd of the month. We've already received first reports from users who've had files on their system overwritten by the worm.
When Nyxem activates, it will overwrite all DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, i.e. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you're taking daily automatic backups you might end up backing up the corrupted files over good files. The number of machines that have been hit by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd - most of them in India, Turkey and Peru.
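The backup concern above is the part most often overlooked: a nightly job happily copies junk over the last good copy. As an added example (not from the original post, F-Secure, or the worm analysis), here is a pre-rotation check that walks a share and flags files carrying one of the targeted extensions whose leading bytes no longer match the format's magic signature. The sample directory it builds is constructed for the demonstration; the magic values are the standard ones for each format.

```python
import tempfile
from pathlib import Path

# Magic bytes for the document types Nyxem.E overwrites. Office 97-2003 files
# (DOC/XLS/PPT) share the OLE2 compound-file header; MDB files carry the
# Jet signature at offset 4. A file with the right extension but no matching
# header is a strong sign it has been overwritten and is not a document any more.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SIGNATURES = {
    ".doc": [(0, OLE2_MAGIC)],
    ".xls": [(0, OLE2_MAGIC)],
    ".ppt": [(0, OLE2_MAGIC)],
    ".zip": [(0, b"PK\x03\x04"), (0, b"PK\x05\x06")],  # PK\x05\x06: empty archive
    ".rar": [(0, b"Rar!\x1a\x07")],
    ".pdf": [(0, b"%PDF-")],
    ".mdb": [(4, b"Standard Jet DB")],
}


def header_is_plausible(head: bytes, ext: str) -> bool:
    """True if the leading bytes match any known signature for this extension."""
    checks = SIGNATURES.get(ext.lower())
    if checks is None:
        return True  # extension we do not know how to verify; leave it alone
    return any(head[off:off + len(magic)] == magic for off, magic in checks)


def find_suspect_files(root) -> list:
    """Return targeted-extension files under root whose header no longer matches."""
    suspects = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SIGNATURES:
            with open(path, "rb") as fh:
                head = fh.read(64)
            if not header_is_plausible(head, path.suffix):
                suspects.append(str(path.relative_to(root)))
    return sorted(suspects)


def build_sample_tree() -> str:
    """Create a constructed sample share: two intact files and two overwritten ones."""
    root = Path(tempfile.mkdtemp(prefix="nyxem_check_"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
    (root / "budget.xls").write_bytes(OLE2_MAGIC + b"\x00" * 56)
    # Constructed stand-ins for files the worm has already replaced with junk.
    (root / "notes.doc").write_bytes(b"junk text, not an OLE2 document")
    (root / "archive.zip").write_bytes(b"junk text, not a zip archive")
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for name in find_suspect_files(sample):
        print("header mismatch, do not rotate into backup:", name)
```

Run it against the share before the backup job rotates its oldest copy; a non-empty result means the previous generation should be kept, not overwritten.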
Please be careful if you use WinAmp as a media player on your system. A new exploit has surfaced for an unpatched vulnerability that is rated as a critical risk by security firms. The vendor will most likely patch this soon, and the patch should be applied promptly.
Winamp Computer Name Handling Buffer Overflow Vulnerability
http://secunia.com/advisories/18649/
DESCRIPTION: The vulnerability is caused by a boundary error during the handling of filenames including a computer name. This can be exploited to cause a buffer overflow via a specially crafted playlist containing a filename starting with an overly long computer name (about 1040 bytes). Successful exploitation allows execution of arbitrary code on a user's system when e.g. a malicious website is visited. The vulnerability has been confirmed in version 5.12. Other versions may also be affected.
Nullsoft Winamp Player PLS Handling Remote Buffer Overflow Vulnerability
http://www.frsirt.com/english/advisories/2006/0361
Advisory ID : FrSIRT/ADV-2006-0361
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-29
Technical Description: A vulnerability has been identified in Winamp, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a buffer overflow error when processing a specially crafted playlist (".pls" file) containing a malformed "File1" tag, which could be exploited by remote attackers to execute arbitrary commands and take complete control of an affected system without any user-interaction via a specially crafted web page.
Exploits: An exploit is publicly available.
Affected Products: Nullsoft Winamp version 5.12 and prior
Solution: The FrSIRT is not aware of any officially supplied patch for this issue.
Recommendation: Use Winamp for offline media only or access only highly trusted sites until a patch is issued. It is likely that Nullsoft will quickly supply a patch, but until then use Winamp cautiously.
A new proof-of-concept exploit has been published which could be turned into a more harmful attack by malicious individuals.
Advisory ID : FrSIRT/ADV-2006-0243
CVE ID : CVE-2006-0272
Rated as : High Risk
The exploit code can be viewed at FrSIRT's site as noted below. Please only view the source code if interested and do not test with it:
http://www.frsirt.com/english/
2006-01-26 : Oracle Database Server 9i/10g XML Database Component Buffer Overflow Exploit
A critical vulnerability has been discovered that is currently unpatched. Oracle will most likely address this quickly and so far there are no reports of this being exploited in the wild.
Oracle Products PL/SQL Gateway Security Bypass Vulnerability
http://secunia.com/advisories/18621/
Critical: Highly critical
Impact: Security Bypass
Solution Status: Unpatched
Software:
Oracle Application Server 10g
Oracle Database 8.x
Oracle HTTP Server 8.x
Oracle HTTP Server 9.x
Oracle9i Application Server
Oracle9i Database Enterprise Edition
Oracle9i Database Standard Edition
DESCRIPTION: A vulnerability has been identified in various Oracle products, which could be exploited by remote attackers to bypass security restrictions and gain unauthorized access to a vulnerable system. This flaw is due to an input validation error in the PL/SQL Gateway component that does not properly handle malformed HTTP requests, which could be exploited by remote unauthenticated attackers to bypass the "PLSQLExclusion" list and gain access to "excluded" packages and procedures that will allow the compromise of the back-end database server.
Oracle PL/SQL Gateway Exclusion List Security Bypass Vulnerability
http://www.frsirt.com/english/advisories/2006/0338
Advisory ID : FrSIRT/ADV-2006-0338
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-01-25
Solution: The FrSIRT is not aware of any officially supplied patch for this issue.
Workaround: Administrators can filter malicious characters and character sequences in a proxy or firewall with URL filtering capabilities.
Kaspersky is now reporting that over 1,000,000 PCs are infected
quote: We've just issued an alert for Nyxem.e, due to the number of reports we've been receiving for the past few days but also because of its destructive payload which activates on 3rd of every month. According to our data, the outbreak seems to be more or less localized. We are still receiving reports from countries such as the US and Germany, but the number of reports from (eg.) Russia is becoming very small.
With the public Nyxem.e counter having well passed 1,000,000 hits at the moment, there is no doubt that some people will have unpleasant surprises on 3rd of February. If you do not have an antivirus installed, you can use the Kaspersky free online scanner to check for a Nyxem.e infection before it's too late.
Recently, Bagle celebrated its 2nd anniversary, and over 400 different variants have emerged. Another round of new variants appears to be seeded in the wild, and we'll most likely see the email and downloader versions.
Trend - Bagle.BU
Sophos Troj/BagleDl-BJ
Kaspersky
F-Secure
In January 1986, the first computer virus that could spread automatically from PC to PC was found in the wild. Today, we encounter 20-30 new variants per day, with innovation in their social engineering approach and their overall sophistication. Users always need to employ the best technical defenses, stay up-to-date on all security patches, and "think before they click" any URL or email attachment.
PC viruses hit 20 year milestone
http://news.bbc.co.uk/2/hi/technology/4630910.stm
It was during the opening weeks of 1986 that the first PC virus, called Brain, was discovered in the wild. Though it achieved fame because it was the first of its type, the virus was not widespread as it could only travel by hitching a ride on floppy disks swapped between users. Brain was known as a "boot-sector" virus because of the area on a floppy disk it hid on. By concealing itself in this region, the virus could ensure that it would be installed every time that floppy disk was used on another computer.
There are now over 600,000 users who have been infected with this new virus. It contains a DESTRUCTIVE payload that will be executed on the 3rd day of the month.
Some of the email messages and attachments use inappropriate language, and this new destructive threat can be avoided by not opening them. As a best practice, email and websites of this nature should always be avoided. Still, it is a "network walker" and can spread to PCs that openly share folders or hard drives, so one copy of this in an organization could be dangerous.
Nyxem.E - Information Storm Center - Latest Information
Nyxem.E - Information Storm Center - Contains several AV Vendor links
Nyxem.E - Fortinet provides an EXCELLENT analysis
File Deletion Dangers -- On the 3rd of the month it will attempt to delete a lot of documents off the user's disks, including Office documents (*.doc, *.xls, *.ppt, *.pps), PDF files, .zip and .rar archives among others.
HTT File Modification -- The virus will modify the Desktop.htt configuration file which controls how Active Desktop is displayed to user systems. The change is to launch a copy of the virus as C:\WinZip_Tmp.exe whenever Windows loads the Active Desktop (Windows start up). The virus appends JavaScript code to Desktop.htt.
Active X Dangers -- The code uses an ActiveX control to reference the file "WinZip_Tmp.exe". Additionally, the virus will modify the "desktop.ini" configuration file to point to an infectious "Temp.htt" HTML file to launch the virus. The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered "safe" and digitally signed. Techniques like this will make worms much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy.
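The Desktop.htt and desktop.ini changes described above are host indicators a responder can check for directly. As an added example (not from the original post or the Fortinet analysis), here is a small triage routine that reports which lines of a profile's Desktop.htt reference WinZip_Tmp.exe, which lines of desktop.ini point at Temp.htt, and whether the dropper exists at C:\WinZip_Tmp.exe. The sample profile it builds is constructed for the demonstration; the launcher line and the PersistMoniker key in it are stand-ins, not the worm's real code.

```python
import tempfile
from pathlib import Path

# Indicators taken from the Blackworm description above: the worm appends a
# launcher for C:\WinZip_Tmp.exe to Desktop.htt and points desktop.ini at an
# infectious Temp.htt. Matching is a case-insensitive substring search, so it
# catches the reference whatever tag or key the worm wrapped it in.
DROPPER_NAME = "winzip_tmp.exe"
ROGUE_HTT = "temp.htt"


def _lines_containing(text: str, needle: str) -> list:
    """Return 1-based line numbers whose lowercased text contains needle."""
    return [n for n, line in enumerate(text.splitlines(), 1) if needle in line.lower()]


def scan_desktop_htt(text: str) -> list:
    """Lines of Desktop.htt that reference the dropped executable."""
    return _lines_containing(text, DROPPER_NAME)


def scan_desktop_ini(text: str) -> list:
    """Lines of desktop.ini that redirect Active Desktop to Temp.htt."""
    return _lines_containing(text, ROGUE_HTT)


def triage(profile_dir, dropper_path=r"C:\WinZip_Tmp.exe") -> dict:
    """Check one profile's Active Desktop files and the dropper location."""
    profile = Path(profile_dir)
    report = {"desktop.htt": [], "desktop.ini": [],
              "dropper_present": Path(dropper_path).is_file()}
    htt = profile / "desktop.htt"
    if htt.is_file():
        report["desktop.htt"] = scan_desktop_htt(htt.read_text(errors="replace"))
    ini = profile / "desktop.ini"
    if ini.is_file():
        report["desktop.ini"] = scan_desktop_ini(ini.read_text(errors="replace"))
    report["infected"] = bool(report["desktop.htt"] or report["desktop.ini"]
                              or report["dropper_present"])
    return report


def build_sample_profile(infected: bool) -> str:
    """Constructed stand-in for a user profile directory, clean or tampered."""
    root = Path(tempfile.mkdtemp(prefix="blackworm_triage_"))
    htt = ["<html><body>Active Desktop</body></html>"]
    ini = ["[ExtShellFolderViews]", "; constructed sample desktop.ini"]
    if infected:
        # Constructed stand-ins, not the worm's code: just enough to exercise the checks.
        htt.append('<script>/* constructed */ launch("C:\\\\WinZip_Tmp.exe");</script>')
        ini.append("PersistMoniker=file://Temp.htt")
    (root / "desktop.htt").write_text("\n".join(htt) + "\n")
    (root / "desktop.ini").write_text("\n".join(ini) + "\n")
    return str(root)


if __name__ == "__main__":
    for state in (False, True):
        print("tampered" if state else "clean", triage(build_sample_profile(state)))
```

On a real machine, run triage() against each user's profile directory (the one holding that user's Desktop.htt) and treat any non-empty finding as a reason to pull the box off the network before the 3rd.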
The December entry below has caused some recent confusion now that Microsoft has released the official MSNM 8 beta:
Virkel.F: Spoofed as an MSN Messenger beta 8 download
During December, virus writers used a social engineering scheme to trick users into loading a virus onto their PCs. Virkel.F offered a new "leaked" MSNM version 8 which did not exist at the time. Users who clicked on the URL link in the message would download a virus rather than the MSNM 8 beta. Most likely this hostile website has been shut down and copies of the Virkel.F worm no longer exist in the wild.
Microsoft has now released MSNM beta 8. It is now safe to download and test MSNM 8, as long as you obtain this directly from Microsoft. As with any software update, users should confirm that their invitations are directly from Microsoft. Please be careful and ensure you are downloading from Microsoft's site, rather than the spoofed URL used by this virus. "Think before you click." Always be careful with URLs in email messages, as they can be just as dangerous as email attachments.
CERT provides a maintained list of TCP/IP ports that have known vulnerabilities and exploits associated with them. A firewall will block these malicious attacks and make an individual's presence more stealth-like on the Internet.
All home users should employ this safeguard, and some of the free versions provide excellent protection. For example, I've been using the free version of Zone Alarm for several years. Also, XP SP2's Firewall provides basic incoming protection and integrates very well with Windows.
http://www.us-cert.gov/current/services_ports.html
As noted in the following advisory, a third “new and improved” version of the WMF exploit was published on January 15, 2006. Thankfully, Microsoft has provided MS06-001 protection in the emergency release during early January.
The new link for Exploit "C" can be found in the general FrSIRT advisory. The exploit link could be potentially harmful if you import this code into your browser environment, so please be careful.
http://www.frsirt.com/english/advisories/2005/3086
Recently, a number of media articles have surfaced that claim Symantec is using "rootkit techniques" by hiding key control folders from the Operating System. There are some concerns, as this non-conventional approach can create install/uninstall issues, or it could be manipulated by virus writers to hide malware.
The key reason this is NOT a rootkit is that Symantec is not directly doing anything malicious with this approach. Symantec is trying to lock down and protect the SAV infrastructure, so that there is less risk of users accidentally discovering and manipulating the installed AV environment. The Symantec approach uses only one element of a "rootkit"-like technique by hiding control files from the Operating System.
To be a TRUE rootkit, there should be a malicious attribute in the design. Sometimes when "it quacks like a duck" you may not need to get the orange sauce out right away. A true rootkit hides malicious routines from the Operating System in a highly stealth-like manner, and it is far more sophisticated than stealth-like viruses or worms. Thankfully, AV products are adding additional routines to their scanning engines to begin detecting this worst class of malware better.
At first, even the Sony XCP-based approach may not have been considered a rootkit. Sony was trying to lock down digital music rights, rather than following the classical rootkit design, which is to "load highly stealth-like malware and phone home to the bad guys".
However, if a non-conventional approach like the Sony XCP controls creates "accidental" instead of "malicious" issues, then it's indeed time to get the orange sauce out. The Sony rootkit-like approach was a botched technical control, where the consequences weren't tested or properly planned for before it was placed on music CDs.
Thus when innocent customers played CDs on their PCs, they were impacted by a bad technical glitch in the software controls. Some folks lost CD-ROM capabilities when trying to uninstall the DRM controls or through other technical glitches. Even the Sony XCP controls may be on the borderline of being a true rootkit, as in retrospect I'm sure Sony BMG didn't intend for their customers to be impacted in this manner.
The rootkit designation does not apply in the case of Symantec taking steps to further protect their AV environment, so that virus writers won't manipulate this environment to hide malware. The original findings were beneficial. Symantec is now addressing potential issues before they occur, so that history does not repeat itself, as in the case of Sony's DRM controls.
Some of the security sites below are trying to set the record straight. I also hope for more well researched and accurate reporting of security and technical matters in 2006.
eWeek: Symantec Caught in Norton 'Rootkit' Flap
http://www.eweek.com/article2/0,1895,1910077,00.asp
QUOTE: Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers. The anti-virus vendor acknowledged that it was hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.
Kaspersky: No rootkit in Kaspersky Anti-Virus
http://www.viruslist.com/en/weblog?calendar=2006-01
QUOTE: We believe that this technology is not a rootkit and we do not believe hackers and/or malware can exploit it because:
1. If a KAV product is active, the streams are hidden and no processes (including system) have access to them.
2. If the product is disabled, the streams will be visible if viewed using the appropriate tools (standard for working with NTFS streams)
3. If a stream is re-written with some (possibly malicious) data or code (for example after rebooting in Safe Mode), when the system is next re-started, KAV will read the stream and not recognize the format. KAV will then begin to rebuild the checksum database - thus it will destroy the alien code/data.
To sum up: I think that the "rootkit" problem is being over hyped. It is up to all of us in the security industry and press to be careful about how we use terms. Ordinary users, who can't analyze the situation themselves, shouldn't be misinformed.
Other Links
F-Secure: Cloaking without malicious intent
F-Secure: The "Symantec rootkit"
The following links pertain to the Sarbanes-Oxley Act of 2002 and come from my research. I updated an older posting with more current links, as I'll need this for a key project at work next week. These links provide information on SOX regulations and their impact on IT and security reporting concerns.
The Sarbanes-Oxley Act was signed into law on 30th July 2002, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".
Sarbanes-Oxley Act - General Information
Sarbanes-Oxley - Key Links
http://www.sarbanes-oxley.com/
http://www.pcaob.com/standards.php
http://www.soxtoolkit.com/
http://www.entrust.com/governance/sox.htm
http://www.auditnet.org/sarbox.htm
http://www.sarbanes-oxley-101.com/
Sarbanes-Oxley - Free Forums
http://www.sarbanes-oxley-forum.com/
Sarbanes-Oxley - Full Text of Law
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf
Sarbanes-Oxley - AICPA links & Summary
http://www.aicpa.org/sarbanes/index.asp
http://www.aicpa.org/info/sarbanes_oxley_summary.htm
http://www.sarbanes-oxley-101.com/sarbanes-oxley-TOC.htm
Sarbanes-Oxley - Key Compliance Sections
http://www.sarbanes-oxley-101.com/sarbanes-oxley-compliance.htm
http://www.sarbanes-oxley-101.com/sarbanes-oxley-faq.htm
http://www.sarbanes-oxley-101.com/SOX-302.htm
http://www.sarbanes-oxley-101.com/SOX-404.htm
http://www.sarbanes-oxley-101.com/SOX-409.htm
http://www.sarbanes-oxley-101.com/SOX-902.htm
Information Technology - Critical Success Factors
Using IT successfully to comply with Section 404 means integrating IT into your Sarbanes-Oxley program by:
1. Making IT an active participant in the company's program management office for Sarbanes-Oxley compliance;
2. Organizing IT resources and establishing an IT internal control program;
3. Providing IT representation on the steering committee;
4. Identifying, documenting and evaluating IT-related COSO requirements, IT processes and application controls;
5. Application Controls: data validation, e-checks and output reconciliations, segregation of duties, protection of sensitive data;
6. General Application Controls: application development, testing, change control, database management, and application level security;
7. General Computer Controls: hardware/software configuration and management, performance and capacity management, security, data center operations, database administration;
8. Employing Best Practices: tools, approaches and internal control specialists as required.
SOX Information Technology - Key Links
http://www.cioinsight.com/article2/0,3959,1217378,00.asp
http://www2.cio.com/analyst/report2271.html
http://www.eweek.com/article2/0,4149,1527933,00.asp
http://www.nwfusion.com/news/2004/0730pwc.html
This one may be spreading and uses 5 malicious websites that were reported to be still working.
Feebs - New email/downloader virus
http://www.incidents.org/diary.php?storyid=1035
http://secunia.com/virus_information/26130/feebdl-a/
http://www.sophos.com/virusinfo/analyses/trojfeebdla.html
DESCRIPTION: Please avoid all attachments labeled as message.zip. This new zipped HTA-based virus is currently undetectable by many AV vendors.
All Windows and Mac users who have QuickTime installed should update to the latest version of this software:
Apple QuickTime Advisory Information
http://www.incidents.org/diary.php?storyid=1033
http://secunia.com/advisories/18370/
http://www.frsirt.com/english/advisories/2006/0128
Apple QuickTime Advisory Downloads
http://www.apple.com/quicktime/download/standalone.html
DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
In a discussion with some users in one of the forums, the question was asked whether Wine or CrossOver Office are affected (they provide an emulation environment for running Windows applications on Linux). From my research there may indeed be impacts, and it's important to apply any associated updates:
Wine Potential WMF "SETABORTPROC" Vulnerability
http://secunia.com/advisories/18323/
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=346197
While hopefully everyone has installed MS06-001, Microsoft has just released two more critical security patches as part of their normal "Patch Tuesday" updates. I've updated both of my work PCs and, in early testing, have seen no issues so far.
Microsoft Security Bulletins - January 2006
http://www.microsoft.com/technet/security/bulletin/ms06-jan.mspx
Microsoft Security Bulletin MS06-001
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Overview: This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Security Bulletin MS06-002
Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)
http://www.microsoft.com/technet/security/bulletin/ms06-002.mspx
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Overview: An attacker who successfully exploited this vulnerability could take control of an affected system. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Microsoft Security Bulletin MS06-003
Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)
http://www.microsoft.com/technet/security/bulletin/ms06-003.mspx
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Overview: This update resolves a newly-discovered, privately-reported vulnerability that could allow an attacker to run arbitrary code on the system. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. On vulnerable versions of Outlook, Office Language Interface Packs, Office MultiLanguage Packs or Office Multilingual User Interface Packs, if a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of the client workstation.