Recent Posts

Community

Email Notifications

Personal Links

Archives

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

February 2006 - Posts

New IE exploit targets older unpatched builds

FrSIRT is reporting a brand new IE exploit targeted to XP SP0 (Gold) that appears to be patched in XP SP1 or higher, as well as W/2000 SP4.  Still, there might be some folks running "Gold" (and especially W/2000 SP3 in the corporate world) ... More can be found at FrSIRT's site 

Microsoft Internet Explorer "IsComponentInstalled()" Remote Stack Overflow Exploit

Date : 28/02/2006
Rated as : Critical
Note
: This vulnerability has reportedly been fixed in Windows XP SP1 and Windows 2000 SP4

# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.

Snow.A - File infector virus impacts *.EXE files
Please be careful with all EXE files in email or other sources. So far this new PE based virus is low-risk.

Snow.A - File infector virus impacts *.EXE files
http://vil.nai.com/vil/content/v_138727.htm

This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files.

W32/Snow.a bears the following characteristics:

1. infects PE executable files
2. infected files grow in length by about 243 kilobytes
3. drops and install WinPcap network drivers
4. drops and auto-starts a copy of itself
5. when an infected file is run, the virus searches for other files to infect on both local and network drives
6. flood network with spoofed arp packets (arp poisoning)
Haxdoor - Advanced Rootkit design

This article by F-Secure describes one of the most advanced root kit design.  With kernel mode networking API hooks it even has the potential to compromise SSL based security.

http://www.f-secure.com/weblog/archives/archive-022006.html#00000821

QUOTE:  Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user-mode. It actually injects its hooks to the user-mode from the kernel -- which is really unique and kind of bizarre.  We took a careful look at Backdoor.Win32.Haxdoor.gh (detection added 31 Jan, 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. Most (all?) online banks use SSL encrypted connections to protect transmissions. If Haxdoor would hook networking functionality in the kernel, it would have hard time phishing since the data would be encrypted. By hooking on a high-enough API level it is able to grab the data before it gets encrypted.

 

Bagle.DW - Disguised as Software Cracking program

This new downloader version of Bagle pretends to be a software cracking program, but it attempts to download malicious content from the Internet.

Bagle.DW - Disguised as Software Cracking program
http://vil.nai.com/vil/content/v_138710.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.dv.html

W32/Bagle.dw is a trojan downloader that attempts to download and execute files from various compromised websites. As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.

At the time of writing this description, McAfee AVERT did not see the downloading of any files as they may have been moved or deleted at the remote site. W32/Bagle.dw that was mass spammed on February 25th, 2006.

Macromedia ShockWave Player ActiveX Installer Buffer Overflow

  A new vulnerability has been discovered for Macromedia's Shockwave player that occurs only during install processing. Never install any software by email as virus writers may try to exploit this new vulnerability.  Always install software directly from the vendors web site.

Macromedia ShockWave Player ActiveX Installer Buffer Overflow
http://secunia.com/advisories/19009/

Description: The vulnerability is caused due to a boundary error in the Installer ActiveX control. This can be exploited to cause a stack-based buffer overflow via overly long values passed in two specific parameters to the control. Successful exploitation allows arbitrary code execution, but requires that the user is e.g. tricked into visiting a malicious web site that prompts the user to install Shockwave Player. The vulnerability has been reported in versions 10.1.0.11 and prior.

Workaround: The vendor has reported that the vulnerability occurs only during the installation process, and no action needs to be taken by current users.

Solution: Only install ShockWave Player directly from the vendor's web site.

Linux/UNIX - New version of Mare worm circulating

 

 

UNIX_MARE.F Reported by Trend Micro


ELF_MARE.E Reported by Trend Micro

 

This executable Linux file (ELF) propagates by taking advantage of the XML-RPC for PHP Remote Code vulnerability.
Apple Mac OS System X - Critical Vulnerability and published Exploit

  Apple will most likely patch this vulnerability soon and Mac users should look for any System X updates.  Just as in the Windows environment, everyone needs to be careful of any suspicious email attachments, email URL links, or unfamiliar websites. 

Apple Mac OS X Metadata Handling Remote Shell Execution Vulnerability
http://www.frsirt.com/english/advisories/2006/0671
http://secunia.com/advisories/18963/

Description: The vulnerability is caused due to an error in the processing of file association meta data in ZIP archives (stored in the "__MACOSX" folder) and mail messages (defined via the AppleDouble MIME format). This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive or in a mail attachment. This can also be exploited automatically via the Safari browser when visiting a malicious web site.

Exploit: One exploit has been published and the code can be reviewed at the FrSIRT site

Patches: None published so far

Workarounds: Do not open files in archives or mail attachments originating from untrusted sources. The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari.

Microsoft Security updates for February 2006 - New Media Player exploits emerge
  Below are some new exploits MS06-05 and MS06-06 that emerged shortly after Microsoft's "Patch Tuesday" updates on Valentines Day.  Where malicious code is easy to develop by the bad guys, the timeframe for reverse engineering is moving from hours and days instead of a couple of weeks.  Please update your systems promptly if you haven't had a chance to do this yet.

FOUR NEW EXPLOITS FROM FEBRUARY UPDATES - from FrSIRT's website:

2006-02-17 : Microsoft Windows Media Player 10 Plugin Remote Code Execution Exploit (MS06-006)
 
2006-02-17 : Microsoft Windows Media Player 9 Plugin Remote Code Execution Exploit (MS06-006)
 
2006-02-16 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005) #2
 
2006-02-15 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005)



  Microsoft Security Bulletin Summary for February, 2006
http://www.microsoft.com/technet/security/bulletin/ms06-feb.mspx
MS06-005 proof of concept exploit released

MS06-005 proof of concept exploit released
http://www.incidents.org/diary.php?storyid=1126

QUOTE: The proof of concept exploit for MS06-005 has been released. The exploit craft a malicious BMP file to perform buffer  overflow in Media Player. Keeping in mind as Microsoft has pointed out that the exploiting factor can include other graphics file as well (such as .wmp), it's a good idea to get it patched ASAP.

New Bagle Virus - Olympic-themed variant

  The social engineering approach used by this latest version of the Bagle virus continues to prove that “if it's too good to be true, then it's not.  It's always beneficial to avoid opening any suspicious attachment or URL link.

New Bagle Virus - Olympic-themed variant
http://www.f-secure.com/weblog/archives/archive-022006.html#00000809
http://vil.nai.com/vil/content/v_138528.htm

Example
http://vil.nai.com/images/138528b.JPG

Windows ACL Privilege Escalation - New Exploit Developed

System administrators should review this exposure carefully if they are using older versions of XP.  Moving to XP SP2 is beneficial as it offers a number of security improvements.  Companies should test their applications to ensure they are compliant as the stricter levels of security could create issues for poorly written applications.  Still, upgrading to SP2 is worthwhile and goes smoothly in most cases. 

Microsoft Windows Service ACLs Local Privilege Escalation Vulnerability
http://www.frsirt.com/english/advisories/2006/0417

Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to obtain elevated privileges. This flaw is due to insecure default access controls where the "Authenticated Users" group is granted permissions to modify Simple Service Discovery Protocol (SSDP) and Universal Plug and Play Device Host (UPnP) service configurations, which could be exploited by local unprivileged attackers to change the default binary that is associated with an affected service and execute malicious programs with elevated privileges.

Solution: Upgrade to Microsoft Windows XP SP2 or Microsoft Windows Server 2003 SP1, or change the default ACLs:

http://www.microsoft.com/technet/security/advisory/914457.mspx

Sun Java - Security Release for critical vulnerabilities

  Users with Sun Java installed should update their systems to protect their brower and PC environment from malicious websites that could affect security controls.

Sun Java Runtime Environment Sandbox Security Bypass Vulnerabilities
http://www.frsirt.com/english/advisories/2006/0467

Advisory ID : FrSIRT/ADV-2006-0467
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-02-08

Technical Description: Seven vulnerabilities were identified in Sun Java JRE (Java Runtime Environment), which could be exploited by malicious web sites to compromise a vulnerable system. These flaws are due to errors in the "reflection" APIs, which could be exploited by attackers to read, write, and execute arbitrary files by convincing a user to visit a specially crafted web page containing a malicious applet.

Affected Products
JDK 5.0 Update 4 and prior
JRE 5.0 Update 4 and prior
SDK 1.4.2_09 and prior
JRE 1.4.2_09 and prior
SDK 1.3.1_16 and prior
JRE 1.3.1_16 and prior

Solution:

JDK and JRE 5.x - Upgrade to JDK and JRE 5.0 Update 6 :
http://java.sun.com/j2se/1.5.0/download.jsp

SDK and JRE 1.4.x - Upgrade to SDK and JRE 1.4.2_10 :
http://java.sun.com/j2se/1.4.2/download.html

SDK and JRE 1.3.x - Upgrade to SDK and JRE 1.3.1_17 :
http://java.sun.com/j2se/1.3/download.html

Reference
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

Safer Internet Day 2006

The following are links related to "Safer Internet Day" which is designated as February 7th.  This is a good initiative in promoting security awareness for home users.  While it's target audience is families in Europe, this site provides good advice for all family users.

Europe's Internet safety information resource
http://www.saferinternet.org/ww/en/pub/insafe/index.htm

Internet Safety Home Page
http://www.saferinternet.org/ww/en/pub/insafe/safety.htm

QUOTE: Safer Internet Day will take place on 7 February 2006. Among the host of events taking place, Insafe, the EU network for internet safety awareness, will organise a global “blogathon”.

'Safer Internet Day', the initiative is designed to raise awareness of cyber threats. The target audience in this case, however, isn't the corporate IT-type, but users, specifically targeting parents and children. This year's Safer Internet Day attempts to ride on the coattails of success of blogging and will distribute its message using exactly the same vehicle.

Activities
Blogging
Chat
Instant Messaging
Mobiles
Online gaming
Online shopping 
 
Issues
Cyberbullying
Gambling
Gaming
Hate speech / racism
Privacy
Phishing
Spam
Spyware
Virus
 
Useful Info
SAFT guide for parents
Council of Europe Handbook
To surf in safe waters
Insafe newsletter

CAIDA - An Excellent Analysis of Blackworm's Impact

This is some of the best documentation I've seen in providing a comprehensive analysis for a major new virus.  The link below from CAIDA is chockful of charts, graphs, and facts.  I'm glad that actual damages for the payload triggered on February 3rd were significantly less than predicted.  

CAIDA -- The Nyxem Email Virus: Analysis and Inferences
http://www.caida.org/analysis/security/blackworm/

Microsoft HTML Workshop product - New unpatched vulnerability and POC exploit

This development tool is part of an SDK that can help Client/Server or web developers in authoring help screens for applications.  This unpatched exploit is rated moderately critical and an exploit has been published.

Microsoft HTML Help Workshop "hhp" File Handling Buffer Overflow Issue
http://secunia.com/advisories/18740/
http://www.frsirt.com/english/advisories/2006/0446

Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date
: 2006-02-06

Exploits: POC exploit published at FrSIRT's site

Affected Products: Microsoft HTML Help Workshop version 4.74.8702.0 and prior

Solution:  Do not open untrusted ".hhp" files, as an there are no officially supplied patch for this issue yet.

Technical Description: A vulnerability has been identified in Microsoft HTML Help Workshop, which could be exploited by attackers to execute arbitrary commands. This flaw is due to a buffer overflow error when processing a specially crafted ".hhp" file containing an overly long "Contents file" field, which could be exploited by remote attakers to compromise a vulnerable system by convincing a user to open a malicious ".hhp" file.

The Family PC -- How to stay safe on the Internet

  As parents, we have concerns on Internet safety for all of our family members.  This morning I spent some time gathering some of the best published resources out there.  Most of these are non-technical and easy-to-understand.

Security is a two part process.  Part one is the technical protection associated with anti-virus software, firewalls, Windows Updates, Anti-Spyware, etc.  Part two is in the human behavior aspects, where security can be seen as SEC-U-R-IT-Y.  The "U-R-IT" part means that "You are it".  While the bad guys are the source of the problem, so is ignoring the risk.  For example, if you ignore speed limit signs or bad drivers on the highway, you'll soon run into trouble.  It's the same way with computer security.

The best advice I have for parents is "To Teach your Children well". Spend quality time with family members teaching them to avoid email/IM attachments and URLs, recognizing spam (there are no free lunches out there), and most importantly the bad people on the Internet (e.g., predators - which thankfully law enforcement is on the lookout for).  The knowledge of Internet risks and how to avoid them is as important as the technical safeguards we employ on our family PCs.

Below are some resources that might help:

SEARCH ENGINES -- There are numerous resources that can be found using Google, MSN, or other search engines:

http://www.google.com/search?&q=how+to+stay+safe+on+Internet
http://search.msn.com/results.aspx?q=how+to+stay+safe+on+Internet

GREAT FAMILY PROTECTION LINKS -- I particularly liked these sites for children and the principles also apply to all users:

http://www.staysafe.org/
http://www.sass.ca/safe.htm
http://www.safekids.com/
http://www.safeteens.com/safeteens.htm
http://www.bettybookmark.com/i/internetsafety.htm
http://www.staysafeonline.info/
http://www.chaminade.org/MIS/WebSafety/30ways.htm
http://www.dhs.gov/dhspublic/display?theme=76&content=336
http://familyinternet.about.com/cs/internetsafety1/a/aa8safesteps.htm
http://www.wiredsafety.org/
http://www.bbc.co.uk/cumbria/features/2004/03/internet_safety/index.shtml
http://www.bcentral.co.uk/technology/security/stay-safe-online.mspx
http://www.haltabuse.org/resources/online.shtml
http://www.hubbardtwppd.org/Homeland/online.htm

SAFETY QUIZ -- Below is a 10 question Internet safety quiz that your family members can take in just a couple of minutes:

http://www.iol.ie/~dromore/safety/quiz/quiz.htm

OTHER GREAT RESOURCES - I've always liked the work done by MS "at home", CERT, and Kim Komando:

http://www.microsoft.com/athome/security/default.mspx
http://www.cert.org/tech_tips/home_networks.html
http://www.komando.com/

British Government - Virus Protection Guidelines

This is an older Best Practices guideline I found while researching that was issued a few years ago.  Most of this is still relevant today.

TEXT -- HOW TO PROTECT YOURSELF AND YOUR COMPANY FROM COMPUTER VIRUSES

PDF -- HOW TO PROTECT YOURSELF AND YOUR COMPANY FROM COMPUTER VIRUSES

Internet Storm Center Article: Recovering LOST files from a hardrive

Backups are always beneficial and as CD media is inexpensive, I usually make double copies which are tested in another PC. 

The Blackworm (CME-24) payload included capabilities to delete several types of documents and files.  Usually, the best “undelete“ tools or services aren't free and these links can provide starting points.

Internet Storm Center Article: Recovering LOST files from a hardrive
http://www.incidents.org/diary.php?storyid=1096

QUOTE: First if at all possible TURN off the computer and put the infected drive on another system that is not infected. If for one reason or another you can not you should cosider one of the cdrom or floppy based recovery systems and an extra drive. You should preform recovery to a different filesystem then the one being recovered from other wise you risk overwriting some files as you recover others.  Be aware some companies offer demos that identifies "lost" files but doesn't save the files it finds.

Blackworm (CME 24) - Some Damage, but not as widespread as predicted

It may also take a couple of days for damage to show up and to collect any meaningful statistics.  Our local news reported that some folks got hit in our metropolitan area of 250,000 residents.  It was reported that one local PC company was charging $100 to repair systems, so this had an impact on home users. 

So far, in monitoring news sources, the overall damage was less than anticipated.  I've always been an advocate of security awareness, as it's important to know how malicious individuals can attack.  If there were over-exaggerations by the media it was helpful, as folks took got extra measures in preparation, updating and backing up their data.    

Below is a cut/paste of Google News headlines, which is good news so far:
 
GOOGLE NEWS HEADLINES - February 3, 2006

Weekend Will Tell Kama Sutra Tale
InformationWeek, NY - 2 hours ago
Because most still-infected computers belong to home
users, the real scale of any data loss caused by the
Kama Sutra worm may not be known until early next week
...
 
All quiet on the Nyxem front
VNUNet.com, Netherlands - 2 hours ago
Anti-virus companies are seeing very damage from the
Nyxem.E worm that was scheduled to start overwriting
data on infected systems earlier today. ...
 
Researchers fear confusion on worm name
Seattle Post Intelligencer - 3 hours ago
By ANICK JESDANUN. NEW YORK -- Friday's
file-destroying worm goes by "Mywife" at Microsoft
Corp. and McAfee Inc., "Blackmal" at Symantec Corp.
and CA Inc. ...
 
Experts: 'Hype' May Have Mitigated Worm
Houston Chronicle, United States - 4 hours ago
By ANICK JESDANUN AP Internet Writer. — Companies
and individuals heeded this week's warning _ some may
call it "hype" _ about ...
 
Was the Kama Sutra worm overhyped?
CNET News.com, CA - 4 hours ago
The Kama Sutra worm, like so many other virus scares,
reminds us and other bloggers of the Y2K mania, albeit
on a smaller scale. ...
 
Worm Attack Fizzles Out
Red Herring, CA - 4 hours ago
A computer worm dubbed Kama Sutra and other names
infected thousands of machines but failed to cause any
significant loss of data. ...
 
 Kama Sutra worm hits home
CNN - 9 hours ago
By Marsha Walton. ATLANTA, Georgia (CNN) -- Many
computer users around the globe apparently heeded the
warnings about a worm with ...
 
Kama Sutra virus causes little damage
Boston Globe, United States - 9 hours ago
A man is seen in front of a display of computers in an
undated file photo. A computer virus that was designed
to start its malicious ...
 
Kama Sutra assumes damp squid position
Inquirer, UK - 9 hours ago
THE MUCH HYPED Kama Sutra worm tipped to wreak a trail
of destruction in its wake appears to have instead has
raised hardly a whimper never mind a scream. ...
 
Update 4: File-Destroying Worm Causes Little Damage
Forbes - 10 hours ago
By ANICK JESDANUN , 02.03.2006, 09:26 AM. A
file-destroying computer worm set to activate Friday
caused relatively little damage ...
 
File-destroying worm causes little damage
BusinessWeek - 11 hours ago
FEB. 3 8:43 AM ET A file-destroying computer worm set
to activate Friday caused relatively little damage
during the business day ...
 
Kama Sutra worm threat goes soft
CNET News.com, CA - 11 hours ago
The Kama Sutra worm, designed to begin deleting files
on infected computers this morning, has caused
virtually no damage, according to antivirus firms. ...

 
Feared computer worm not so scary in Asia
CTV.ca, Canada - 11 hours ago
Computer users on this side of the continent must be
crossing their fingers as they boot up, but there have
been no reports of any damage from a malicious worm
...
 
Asia Escapes File-Destroying Worm
CBS News - 11 hours ago
(CBS/AP) A computer worm expected to begin corrupting
files in infected machines around the world Friday
caused no major damage in the Asian financial centers
...
 
Computer worm doesn't bite in Hong Kong, Tokyo
USA Today - 11 hours ago
By Sylvia ***, Associated Press. HONG KONG — A
computer worm expected to begin corrupting files in
infected machines around the ...
 
Free Removal Tools Released as 'Blackworm' Approaches
PC Magazine - 12 hours ago
With the clock ticking on a Feb. 3 D-Day for the
activation of the destructive 'Blackworm' worm
payload, anti-virus vendors are ...
 
 'Limited' damage from Nyxem virus
BBC News, UK - 13 hours ago
The Windows virus was set to start deleting popular
file types on 3 February and was known to have
infected more than 300,000 machines. ...
 
Kama Sutra virus fizzles in Japan, Hong Kong
CBC News, Canada - 13 hours ago
Computer security firms were bracing for a computer
virus on Friday expected to corrupt files on thousands
of computers. But early ...
 
Humanity survives Kama Sutra apocalypse
Register, UK - 14 hours ago
Security watchers reckon the Kama Sutra worm, which is
programed to overwrite files on infected Windows PCs
today, will have a damaging but not catastrophic ...
 
File-destroying worm causes no major damage so far in
Hong Kong ...
Calgary Sun, Canada - 15 hours ago
By SYLVIA ***. HONG KONG (AP) - A computer worm
expected to begin corrupting files in infected
machines around the world Friday has ...
 
Kama Sutra quiet so far
NEWS.com.au, Australia - 20 hours ago
AUSTRALIAN IT security professionals have so far
reported few problems from the so-called Kama Sutra
worm, which was due to begin overwriting files on
infected ... 

Mozilla Firefox - New 1.5.0.1 release addresses several security issues

   All users should update to the latest version of Mozilla Firefox, as several recently discovered security issues have been addressed by this latest release. 

http://secunia.com/advisories/18700/ 

Summary of Security Issues Fixed

Description:  Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user's system.

1) Some errors in the JavaScript engine where certain temporary variables are not properly protected may be exploited to execute arbitrary code via a user-defined method triggering garbage collection.

2) An error in the dynamic style handling can be exploited to reference freed memory by changing the style of an element from "position:relative" to "position:static".

3) An error in the "QueryInterface" method of the Location and Navigator objects can be exploited to cause a memory corruption.

4) An input validation error in the processing of the attribute name when calling "XULDocument.persist()" can be exploited to inject arbitrary XML and JavaScript code in "localstore.rdf", which will be executed with the permissions of the browser the next time the browser starts up again.

5) Some integer overflows in the E4X, SVG, and Canvas functionalities may be exploited to execute arbitrary code.

6) A boundary error in the "nsExpatDriver::ParseBuffer()" function in the XML parser may be exploited to disclose data on the heap.

7) The internal "AnyName" object of the E4X functionality is not properly protected. This can be exploited to create a communication channel between two windows or frames having different domains.

Solution: 

Update to version 1.5.0.1.
http://www.mozilla.com/firefox/

Additional CVE References

CVE-2005-4134
CVE-2006-0292
CVS-2006-0293
CVE-2006-0294
CVE-2006-0295
CVE-2006-0296
CVE-2006-0297
CVE-2006-0298
CVE-2006-0299

More Posts Next page »