February 2006 - Posts
FrSIRT is reporting a brand new IE exploit targeted to XP SP0 (Gold) that appears to be patched in XP SP1 or higher, as well as W/2000 SP4. Still, there might be some folks running "Gold" (and especially W/2000 SP3 in the corporate world) ... More can be found at FrSIRT's site
Microsoft Internet Explorer "IsComponentInstalled()" Remote Stack Overflow Exploit
Date : 28/02/2006
Rated as : Critical
Note : This vulnerability has reportedly been fixed in Windows XP SP1 and Windows 2000 SP4
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
Please be careful with all EXE files in email or other sources. So far this new PE based virus is low-risk.
Snow.A - File infector virus impacts *.EXE files
This detection is for a Win32 parasitic virus variant that infects Windows portable executable (PE) files.
W32/Snow.a bears the following characteristics:
1. infects PE executable files
2. infected files grow in length by about 243 kilobytes
3. drops and install WinPcap network drivers
4. drops and auto-starts a copy of itself
5. when an infected file is run, the virus searches for other files to infect on both local and network drives
6. flood network with spoofed arp packets (arp poisoning)
This article by F-Secure describes one of the most advanced root kit design. With kernel mode networking API hooks it even has the potential to compromise SSL based security.
QUOTE: Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user-mode. It actually injects its hooks to the user-mode from the kernel -- which is really unique and kind of bizarre. We took a careful look at Backdoor.Win32.Haxdoor.gh (detection added 31 Jan, 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. Most (all?) online banks use SSL encrypted connections to protect transmissions. If Haxdoor would hook networking functionality in the kernel, it would have hard time phishing since the data would be encrypted. By hooking on a high-enough API level it is able to grab the data before it gets encrypted.
This new downloader version of Bagle pretends to be a software cracking program, but it attempts to download malicious content from the Internet.
Bagle.DW - Disguised as Software Cracking program
W32/Bagle.dw is a trojan downloader that attempts to download and execute files from various compromised websites. As the website being communicated is normally controlled by the malware author, any files being downloaded can be remotely modified and the behavior of these new binaries altered - possibly with every user infection.
At the time of writing this description, McAfee AVERT did not see the downloading of any files as they may have been moved or deleted at the remote site. W32/Bagle.dw that was mass spammed on February 25th, 2006.
A new vulnerability has been discovered for Macromedia's
Shockwave player that occurs only during install processing. Never install any
software by email as virus writers may try to exploit this new vulnerability.
Always install software directly from the vendors web site.
Macromedia ShockWave Player ActiveX Installer Buffer
Description: The vulnerability is caused due to a boundary
error in the Installer ActiveX control. This can be exploited to cause a
stack-based buffer overflow via overly long values passed in two specific
parameters to the control. Successful exploitation allows arbitrary code
execution, but requires that the user is e.g.
tricked into visiting a malicious web site that prompts the user to install
Shockwave Player. The vulnerability has been reported in
versions 10.1.0.11 and prior.
Workaround: The vendor has reported that the vulnerability
occurs only during the installation process, and no action needs to be taken by
Solution: Only install ShockWave Player directly from the
vendor's web site.
This executable Linux file (ELF) propagates by
taking advantage of the XML-RPC for PHP Remote Code
Apple will most likely patch this vulnerability soon and Mac users
should look for any System X updates. Just as in the Windows environment,
everyone needs to be careful of any suspicious email attachments, email URL
links, or unfamiliar websites.
Apple Mac OS X Metadata Handling Remote Shell Execution
Description: The vulnerability is caused due to an error in
the processing of file association meta data in ZIP archives (stored in the
"__MACOSX" folder) and mail messages (defined via the AppleDouble MIME format).
This can be exploited to trick users into executing a malicious shell script
renamed to a safe file extension stored in a ZIP archive or in a mail
attachment. This can also be exploited automatically via the Safari browser when
visiting a malicious web site.
Exploit: One exploit has been
published and the code can be reviewed at the FrSIRT site
Patches: None published so
Workarounds: Do not open files
in archives or mail attachments originating from untrusted sources. The
vulnerability can be mitigated by disabling the "Open safe files after
downloading" option in Safari.
Below are some new exploits MS06-05 and MS06-06 that emerged shortly after Microsoft's "Patch Tuesday" updates on Valentines Day. Where malicious code is easy to develop by the bad guys, the timeframe for reverse engineering is moving from hours and days instead of a couple of weeks. Please update your systems promptly if you haven't had a chance to do this yet.FOUR NEW EXPLOITS FROM FEBRUARY UPDATES - from FrSIRT's website:2006-02-17 : Microsoft Windows Media Player 10 Plugin Remote Code Execution Exploit (MS06-006)
2006-02-17 : Microsoft Windows Media Player 9 Plugin Remote Code Execution Exploit (MS06-006)
2006-02-16 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005) #2
2006-02-15 : Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005) Microsoft Security Bulletin Summary for February, 2006
MS06-005 proof of concept exploit released
QUOTE: The proof of concept exploit for MS06-005 has been released. The exploit craft a malicious BMP file to perform buffer overflow in Media Player. Keeping in mind as Microsoft has pointed out that the exploiting factor can include other graphics file as well (such as .wmp), it's a good idea to get it patched ASAP.
The social engineering approach used by this latest version of the Bagle virus continues to prove that “if it's too good to be true, then it's not. It's always beneficial to avoid opening any suspicious attachment or URL link.
New Bagle Virus - Olympic-themed variant
System administrators should review this exposure
carefully if they are using older versions of XP. Moving to XP SP2 is
beneficial as it offers a number of security improvements. Companies should
test their applications to ensure they are compliant as the stricter levels of
security could create issues for poorly written applications. Still, upgrading
to SP2 is worthwhile and goes smoothly in most cases.
Microsoft Windows Service ACLs Local Privilege Escalation
Technical Description: A vulnerability has been identified
in Microsoft Windows, which could be exploited by malicious users to obtain
elevated privileges. This flaw is due to insecure
default access controls where the "Authenticated Users" group is granted
permissions to modify Simple Service Discovery Protocol (SSDP) and Universal
Plug and Play Device Host (UPnP) service configurations, which
could be exploited by local unprivileged attackers to change the default binary
that is associated with an affected service and execute malicious programs with
Solution: Upgrade to Microsoft Windows XP SP2 or Microsoft Windows
Server 2003 SP1, or change the default ACLs:
Users with Sun Java installed should update their systems to
protect their brower and PC environment from malicious websites that could
affect security controls.
Sun Java Runtime Environment Sandbox Security
Advisory ID : FrSIRT/ADV-2006-0467
as : Critical
Remotely Exploitable :
Locally Exploitable : Yes
Date : 2006-02-08
Technical Description: Seven vulnerabilities were identified
in Sun Java JRE (Java Runtime Environment), which could be exploited by malicious web sites to compromise a
vulnerable system. These flaws are due to errors in the "reflection" APIs, which
could be exploited by attackers to read, write, and execute arbitrary files by
convincing a user to visit a specially crafted web page containing a malicious
JDK 5.0 Update 4 and prior
JRE 5.0 Update 4 and
SDK 1.4.2_09 and prior
JRE 1.4.2_09 and prior
SDK 1.3.1_16 and
JRE 1.3.1_16 and prior
JDK and JRE 5.x - Upgrade to JDK and JRE 5.0
Update 6 :
SDK and JRE 1.4.x - Upgrade to SDK and JRE
SDK and JRE 1.3.x - Upgrade to SDK and JRE
The following are links related to "Safer Internet
Day" which is designated as February 7th. This is a good initiative in promoting security awareness for home
users. While it's target audience is families in Europe, this site provides good advice for all family users.
Europe's Internet safety information resource
Internet Safety Home Page
QUOTE: Safer Internet Day will take place on 7 February 2006. Among the host of events taking place, Insafe, the EU network for internet safety awareness, will organise a global “blogathon”.
'Safer Internet Day', the
initiative is designed to raise awareness of cyber threats. The target audience
in this case, however, isn't the corporate IT-type, but users, specifically
targeting parents and children. This year's Safer Internet Day attempts to ride
on the coattails of success of blogging and will distribute its message using
exactly the same vehicle.
speech / racism
Council of Europe Handbook
To surf in safe waters
This is some of the best documentation I've seen in
providing a comprehensive analysis for a major new virus. The link below from
CAIDA is chockful of charts, graphs, and facts. I'm glad that actual damages
for the payload triggered on February 3rd were significantly less than
CAIDA -- The Nyxem Email Virus: Analysis and
This development tool is part of an SDK that can help
Client/Server or web developers in authoring help screens for applications.
This unpatched exploit is rated moderately critical and an exploit has been
Microsoft HTML Help Workshop "hhp" File Handling
Buffer Overflow Issue
Rated as : Moderate Risk
Remotely Exploitable :
Locally Exploitable : Yes
Release Date : 2006-02-06
Exploits: POC exploit published at FrSIRT's
Affected Products: Microsoft HTML Help Workshop version
4.74.8702.0 and prior
Solution: Do not open untrusted
".hhp" files, as an there are no officially supplied patch for
this issue yet.
Technical Description: A vulnerability has been identified
in Microsoft HTML Help Workshop, which could be exploited by attackers to execute arbitrary
commands. This flaw is due to a buffer overflow error when
processing a specially crafted ".hhp" file containing an overly long "Contents
file" field, which could be exploited by remote attakers to compromise a
vulnerable system by convincing a user to open a malicious ".hhp" file.
As parents, we
have concerns on Internet safety for all of our family members. This morning I
spent some time gathering some of the best published resources out there. Most
of these are non-technical and easy-to-understand.
Security is a two part process.
Part one is the technical protection
associated with anti-virus software, firewalls, Windows Updates, Anti-Spyware,
etc. Part two is in the human
behavior aspects, where security can be seen as SEC-U-R-IT-Y.
The "U-R-IT" part means that "You are it". While the bad guys are the source
of the problem, so is ignoring the risk. For example, if you ignore speed
limit signs or bad drivers on the highway, you'll soon run into trouble. It's the same way
with computer security.
The best advice I have for parents is "To Teach
your Children well". Spend quality time with family
members teaching them to avoid email/IM attachments and URLs, recognizing spam
(there are no free lunches out there), and most importantly the bad people on
the Internet (e.g., predators - which thankfully law enforcement is on the
lookout for). The knowledge of Internet risks and how to avoid them is as
important as the technical safeguards we employ on our family PCs.
Below are some resources that might
SEARCH ENGINES -- There are numerous resources that can be found using Google, MSN, or
other search engines:
GREAT FAMILY PROTECTION LINKS
-- I particularly liked these sites for children and the principles also apply to all users:
SAFETY QUIZ -- Below is a 10 question Internet safety quiz that your family
members can take in just a couple of minutes:
OTHER GREAT RESOURCES
- I've always liked the work done by MS "at home", CERT,
and Kim Komando:
This is an older Best Practices guideline I found
while researching that was issued a few years ago. Most of this is still
TEXT -- HOW TO PROTECT YOURSELF AND YOUR COMPANY FROM COMPUTER
PDF -- HOW TO PROTECT YOURSELF AND YOUR COMPANY FROM COMPUTER
Backups are always beneficial and as CD media is
inexpensive, I usually make double copies which are tested in another PC.
The Blackworm (CME-24) payload included capabilities
to delete several types of documents and files. Usually, the best “undelete“
tools or services aren't free and these links can provide starting
Internet Storm Center Article: Recovering LOST
files from a hardrive
QUOTE: First if at all possible TURN off the
computer and put the infected drive on another system that is not
infected. If for one reason or another you can not you should cosider
one of the cdrom or floppy based recovery systems and an extra
drive. You should preform recovery to a different filesystem then the one being
recovered from other wise you risk overwriting some files as you recover
others. Be aware some companies offer demos that identifies "lost" files but
doesn't save the files it finds.
It may also take a couple of days for damage to show
up and to collect any meaningful statistics. Our local news reported that some
folks got hit in our metropolitan area of 250,000 residents. It was reported
that one local PC company was charging $100 to repair systems, so this had an
impact on home users.
So far, in monitoring news sources, the overall
damage was less than anticipated. I've always been an advocate of security
awareness, as it's important to know how malicious individuals can attack. If
there were over-exaggerations by the media it was helpful, as folks took got
extra measures in preparation, updating and backing up their data.
Below is a cut/paste of Google News headlines, which
is good news so far:
NEWS HEADLINES - February 3, 2006
Weekend Will Tell Kama Sutra
InformationWeek, NY - 2 hours ago
Because most still-infected
computers belong to home
users, the real scale of any data loss caused by
Kama Sutra worm may not be known until early next week
All quiet on the Nyxem front
VNUNet.com, Netherlands - 2 hours
Anti-virus companies are seeing very damage from the
Nyxem.E worm that
was scheduled to start overwriting
data on infected systems earlier today.
Researchers fear confusion on worm name
Intelligencer - 3 hours ago
By ANICK JESDANUN. NEW YORK --
file-destroying worm goes by "Mywife" at Microsoft
McAfee Inc., "Blackmal" at Symantec Corp.
and CA Inc. ...
'Hype' May Have Mitigated Worm
Houston Chronicle, United States - 4 hours
By ANICK JESDANUN AP Internet Writer. â€” Companies
heeded this week's warning _ some may
call it "hype" _ about ...
the Kama Sutra worm overhyped?
CNET News.com, CA - 4 hours ago
Sutra worm, like so many other virus scares,
reminds us and other bloggers of
the Y2K mania, albeit
on a smaller scale. ...
Worm Attack Fizzles
Red Herring, CA - 4 hours ago
A computer worm dubbed Kama Sutra and
infected thousands of machines but failed to cause
significant loss of data. ...
Kama Sutra worm hits home
- 9 hours ago
By Marsha Walton. ATLANTA, Georgia (CNN) -- Many
users around the globe apparently heeded the
warnings about a worm with ...
Kama Sutra virus causes little damage
Boston Globe, United States -
9 hours ago
A man is seen in front of a display of computers in an
file photo. A computer virus that was designed
to start its malicious ...
Kama Sutra assumes damp squid position
Inquirer, UK - 9 hours
THE MUCH HYPED Kama Sutra worm tipped to wreak a trail
in its wake appears to have instead has
raised hardly a whimper never mind a
Update 4: File-Destroying Worm Causes Little
Forbes - 10 hours ago
By ANICK JESDANUN , 02.03.2006, 09:26 AM.
file-destroying computer worm set to activate Friday
little damage ...
File-destroying worm causes little
BusinessWeek - 11 hours ago
FEB. 3 8:43 AM ET A file-destroying
computer worm set
to activate Friday caused relatively little
during the business day ...
Kama Sutra worm threat goes
CNET News.com, CA - 11 hours ago
The Kama Sutra worm, designed to
begin deleting files
on infected computers this morning, has
virtually no damage, according to antivirus firms. ...
Feared computer worm not so scary in
CTV.ca, Canada - 11 hours ago
Computer users on this side of the
continent must be
crossing their fingers as they boot up, but there
been no reports of any damage from a malicious worm
Escapes File-Destroying Worm
CBS News - 11 hours ago
(CBS/AP) A computer
worm expected to begin corrupting
files in infected machines around the world
caused no major damage in the Asian financial centers
Computer worm doesn't bite in Hong Kong, Tokyo
USA Today - 11 hours
By Sylvia ***, Associated Press. HONG KONG â€” A
expected to begin corrupting files in
infected machines around the ...
Free Removal Tools Released as 'Blackworm' Approaches
PC Magazine -
12 hours ago
With the clock ticking on a Feb. 3 D-Day for the
of the destructive 'Blackworm' worm
payload, anti-virus vendors are ...
'Limited' damage from Nyxem virus
BBC News, UK - 13 hours
The Windows virus was set to start deleting popular
file types on 3
February and was known to have
infected more than 300,000 machines. ...
Kama Sutra virus fizzles in Japan, Hong Kong
CBC News, Canada - 13
Computer security firms were bracing for a computer
Friday expected to corrupt files on thousands
of computers. But early ...
Humanity survives Kama Sutra apocalypse
Register, UK - 14 hours
Security watchers reckon the Kama Sutra worm, which is
overwrite files on infected Windows PCs
today, will have a damaging but not
File-destroying worm causes no major damage so far
Hong Kong ...
Calgary Sun, Canada - 15 hours ago
By SYLVIA ***. HONG
KONG (AP) - A computer worm
expected to begin corrupting files in
machines around the world Friday has ...
Kama Sutra quiet
NEWS.com.au, Australia - 20 hours ago
AUSTRALIAN IT security
professionals have so far
reported few problems from the so-called Kama
worm, which was due to begin overwriting files on
All users should update to the latest version of Mozilla Firefox, as several recently discovered security issues have been addressed by this latest release.
Summary of Security Issues Fixed
Description: Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, potentially disclose sensitive information, and potentially compromise a user's system.
2) An error in the dynamic style handling can be exploited to reference freed memory by changing the style of an element from "position:relative" to "position:static".
3) An error in the "QueryInterface" method of the Location and Navigator objects can be exploited to cause a memory corruption.
5) Some integer overflows in the E4X, SVG, and Canvas functionalities may be exploited to execute arbitrary code.
6) A boundary error in the "nsExpatDriver::ParseBuffer()" function in the XML parser may be exploited to disclose data on the heap.
7) The internal "AnyName" object of the E4X functionality is not properly protected. This can be exploited to create a communication channel between two windows or frames having different domains.
Update to version 184.108.40.206.
Additional CVE References
More Posts Next page »