August 2006 - Posts
The Department of Homeland Security has issued a warning to apply the Microsoft security bulletins for August promptly to ensure the safest level of protection.
DHS Recommends Security Patch to Protect Against a Vulnerability Found In Windows Operating Systems
Quote: For Immediate Release
Office of the Press Secretary
August 9, 2006
The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights.
Windows Operating Systems users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch. This vulnerability could impact government systems, private industry and critical infrastructure, as well as individual and home users.
Malware writers continue to develop exploit code that could adversely impact unpatched Windows servers and workstations.
MS06-040 Exploit - Now Publicly available
QUOTE: The current exploit seems to be working on all Windows 2000 systems and Windows XP SP0 and SP1. The good thing is that it doesn't work against Windows XP SP2 or Windows 2003 SP1. The current version doesn't work against Windows 2003 SP0 either, but this doesn't mean that it's safe.
Microsoft's security team has been very busy during 2006; we're seeing significantly more attacks on Windows, IE and Office.
Microsoft has patched more critical vulnerabilities than 2004 and 2005 combined
QUOTE: August 08, 2006 (IDG News Service) -- Security researcher Jesse D'Aguanno has developed what he bills as the first Trojan horse malware for Research in Motion Ltd.'s (RIM) BlackBerry e-mail device.
The software, which was demonstrated at the Defcon hacker conference over the weekend, appears to be a free tick-tack-toe download. Once downloaded, however, it works with another piece of code, called BBProxy, that can be used to attack vulnerable machines within the corporate network.
D'Aguanno plans to make the BBProxy software, but not the Trojan horse code, available on his company's site within the next few days.
The BlackBerry hack was written to show that while these devices are often not treated with the same concern as PCs, they can be equally dangerous, said D'Aguanno, director of professional services and research at Praetorian Global LLC.
When users think of the BlackBerry's security, they are too focused on protecting the device's data and tend to ignore its networking capabilities, D'Aguanno said. "It's a computer that has constant access to your internal network."
Microsoft has released several important security updates related to Windows, IE, and Office. This month's update is large and it's working well so far on my corporate desktop and laptop plus home systems. I'd encourage everyone to update promptly to stay protected against some of the latest security threats.
New Security Bulletins for August 2006
Today, 08 August 2006, Microsoft is releasing the following security bulletins for newly discovered vulnerabilities:
• Critical MS06-040 Microsoft Windows Remote Code Execution
• Critical MS06-041 Microsoft Windows Remote Code Execution
• Critical MS06-042 Microsoft Windows Remote Code Execution
• Critical MS06-043 Microsoft Windows Remote Code Execution
• Critical MS06-044 MS Windows 2000 Remote Code Execution
• Important MS06-045 Microsoft Windows Remote Code Execution
• Critical MS06-046 Microsoft Windows Remote Code Execution
• Critical MS06-047 Microsoft Office Applications or Applications that use Visual Basic for Applications Remote Code Execution
• Critical MS06-048 Microsoft PowerPoint Remote Code Execution
• Important MS06-049 Microsoft Windows Elevation of Privilege
• Important MS06-050 Microsoft Windows Remote Code Execution
• Critical MS06-051 Microsoft Windows Remote Code Execution
The Summary for these new bulletins may be found at the following page:
Trend has published heuristic detection for the new DoS-based WMF exploit which was recently discovered.
TROJ_WMFCRASH.D - New DOS based WMF Exploit
TROJ_WMFCRASH.D - Behavioral Diagram
QUOTE: This Trojan is Trend Micro's detection for a proof-of-concept Windows Metafile (WMF) that takes advantage of a vulnerability affecting systems running Windows XP and Server 2003. The said vulnerability is caused by a page fault in the Application Programming Interface (API) function CreateBrushIndirect, which occurs because of an invalid pointer access.
It is a zero-day exploit that is capable of remote code execution. Zero-day exploits are termed as such because the unpatched vulnerability and its corresponding exploit code are released within the same day. This may pose as a dangerous situation in which a lot of computers may be affected due to the availability of exploit code, and the fact that the vendor has not been given enough time to patch it.
Once this malicious .WMF file is opened, it launches a denial of service (DoS) attack against the legitimate system process EXPLORER.EXE in order to restart or terminate it. The said action may leave an affected user unable to navigate through Windows. After performing the said routine, this Trojan eventually terminates itself.
On July 29, 2006, a new worm MSH/Cibyz.A surfaced which uses Microsoft's new XP SP2 and Vista scripting environment called PowerShell. As scripting routines are a collection of Windows command line entries, malware authors can create destructive routines that could delete all files of a certain type, disable security protection, spread to network shares, etc.
I was pleased to discover that Microsoft is better protecting this environment, so that scripts won't run automatically based on out-of-the-box settings. In fact new trust and authorization levels have been established for scripts so that administrators and users are better protected.
Thus, the PowerShell commands for this will function only if the user is running in ADMIN mode, clicks on the attachment, and has a setting of Unrestricted (allowing any script to be processed, which is a highly unadvisable setting). Furthermore, even if this is allowed, the user must then define the proper path for the script to run in and "infect themselves".
More can be found in the links noted below:
Windows PowerShell and the PowerShell Worm
Worm:MSH/Cibyz.A - Proof-of-Concept P2P Worm
A “PowerShell Worm” has recently been reported by several antivirus companies and some news organizations. There has been some confusion and concern around the classification of this malicious script as a worm as well as questions about the risk. It is important to note that the PowerShell Worm will not work and cannot infect Windows PowerShell in its default configuration.
This is a proof-of-concept virus whose “Worm” replication mode is just a simple file copy and could have been implemented in any language which supports copying files. The fact that the worm is written in PowerShell rather than another scripting language or even as an executable has actually made it even harder for this virus to spread since the additional security features around PowerShell scripts result in many additional steps for the user to perform before an infection can take place.
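The execution policy described above is what keeps a copied script like Cibyz.A from running. The following audit script is an added example, not code from the original post, from Microsoft, or from the worm; it assumes Windows PowerShell 2.0 or later (for try/catch) and uses a constructed, harmless test script under the TEMP folder.

```powershell
# Added example (not from the original post or from Microsoft): audit the
# Windows PowerShell execution policy that the Cibyz.A discussion relies on
# and show why the out-of-the-box setting stops an unsigned script file.
# Assumes Windows PowerShell 2.0 or later; the script file name is a
# constructed placeholder.

# 1. Read the effective execution policy. Out of the box it is 'Restricted':
#    no script files run at all, only interactive commands.
$policy = Get-ExecutionPolicy
Write-Host "Effective execution policy: $policy"

# 2. Create a harmless test script (constructed sample) in the TEMP folder.
$scriptPath = Join-Path $env:TEMP 'policy-test.ps1'
Set-Content -Path $scriptPath -Value 'Write-Host "script body executed"'

# 3. Try to run it. Under 'Restricted' (and under 'AllSigned' for an unsigned
#    file) the engine refuses before any line of the script is executed,
#    which is the behaviour the PowerShell team blog describes for the worm.
try {
    & $scriptPath
} catch {
    Write-Host "Blocked: $($_.Exception.Message)"
}

# 4. Report the signature state. A script copied from a P2P share is unsigned,
#    so 'AllSigned' would also refuse it; our test file reports 'NotSigned'.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
Write-Host "Signature status: $($sig.Status)"

# 5. Defender's check: flag the 'Unrestricted' setting the post warns against.
#    Changing the policy requires an elevated session, so this only reports;
#    an administrator who needs local scripts would normally choose
#    'RemoteSigned' (local scripts run, downloaded scripts must be signed).
if ($policy -eq 'Unrestricted') {
    Write-Warning "Unrestricted allows any script, including mailed or downloaded ones. Consider: Set-ExecutionPolicy RemoteSigned"
}

Remove-Item $scriptPath -ErrorAction SilentlyContinue
```

Run the script from an ordinary (non-elevated) console first: with the default 'Restricted' policy step 3 prints the "running scripts is disabled" message and step 5 stays silent, which is exactly the default-configuration protection the post describes.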
A new unpatched vulnerability has been published, that can result in a Denial-of-Service (DoS) attack. Links from Secunia and FrSIRT are noted below.
Microsoft Windows GDI Library WMF Image Handling Remote Denial of Service Vulnerability
Advisory ID : FrSIRT/ADV-2006-3180
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-08-07
Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by attackers to cause a denial of service. This flaw is due to a signedness error in the GDI library (gdi32.dll) when processing malformed WMF images, which could be exploited by attackers to crash an application linked against the vulnerable library (e.g. Internet Explorer) by tricking a user into visiting a malicious web page or opening a specially crafted image.
On Tuesday August 8, 2006, Microsoft will release several planned changes for Windows and Office that should be promptly applied to ensure the best level of security protection.
MS Security - 12 Windows/Office patches on Aug 8th
Microsoft released their Security Bulletin Advance Notification on Thursday afternoon. Next Tuesday appears to be a very active day as there are 12 security bulletins that will be released as well as 2 High Priority (though not security based) updates. In addition, the Malicious Software Removal Tool will have its monthly update.
* Ten Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
* Two Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer. These updates may require a restart.
The development of targeted spam email attacks continues for both unpatched and patched Microsoft Office products. Trend has just published information on two new email attacks using PowerPoint and Word exploits.
MDropper.BD - New Trojan Horse exploits unpatched Powerpoint vulnerability
This Trojan can arrive as an attachment to spammed email messages. It takes advantage of a yet unknown vulnerability in Microsoft PowerPoint to open the legitimate system application Paint.
MDropper.BG - New Trojan Horse exploits Word vulnerability patched by MS06-027
When executed, it exploits a vulnerability in Microsoft Word wherein a specially crafted document can cause the application to restart and open a blank document.
Mozilla development promptly fixed an issue related to Windows Media from their important security release earlier this week.
Firefox 1.5.0.6 - Stability Release
http://www.incidents.org/diary.php?storyid=1539
http://www.mozilla.com/firefox/
http://www.mozilla.com/firefox/releases/1.5.0.6.html
Firefox 1.5.0.5 - Recent Security patch
http://www.mozilla.com/firefox/releases/1.5.0.5.html
Some tips on FIREFOX AUTOUPDATE SETTINGS
Most folks should autoupdate okay. If you have issues or want to update more expediently, on the Firefox menu bar, select HELP >> CHECK FOR UPDATES to trigger this process right away.
Below is an approach recommended for the AUTOUPDATE settings. The standard install settings set autoupdate to automatic, so if you're keying information into a webpage when a new release is issued, you could potentially lose data for that session. To change it: TOOLS >> OPTIONS >> ADVANCED >> UPDATE >> find "Automatically check for updates to" and make sure "Firefox" is checked >> then find "When updates are found" and check the option "Ask me what I want to do" >> Apply and save this setting.
This way Firefox will issue a pop-up message that a new release is available and you can save any work in your already open browser session before applying the update.
I've been following developments posted throughout July, from a security and educational standpoint. Thankfully, H.D. Moore's daily postings have ended, so that vendors can catch up on the patching work associated with these findings. Based on his technical talents, I'm sure we could see a brand new vulnerability posted each day throughout August as well.
The blog will continue to post further new browser vulnerabilities found by others. Also, a new testing and discovery tool (an ActiveX fuzzer) has been publicly released that could help folks discover more bugs (although it is a toned-down version of what H.D. Moore used, which included some unpublished discoveries).
As I personally use all three browsers in a complementary fashion, here's hoping that vendors will quickly respond to all areas that need strengthening. Even though Internet Explorer had significantly more items published, no browser can be considered completely safe.
MoBB Home Page
QUOTE: The Month of Browser bugs is finished! Jericho was kind enough to write up a review of the MoBB project in the OSVDB Blog. Although the MoBB project is complete, this blog will continue to be used to publish new and interesting browser hacks
OSVDB Blog Summary
QUOTE: 31 browser bugs, what’s the final breakdown?
Microsoft Internet Explorer: 25
Apple Safari: 2
QUOTE: Want another month of browser bugs? Yes, he could continue on into August without a problem. The amount of browser bugs is stupid. Apparently, the idea of writing a basic fuzzer is still lost on the authors. The good news, HDM will be releasing the fuzzer he used to find all these to the public. Will an insane rush of browser bugs follow? We can hope!
One of my friends shared this interesting blog entry. The key to good wireless security is the use of WPA encryption plus ensuring you are using up-to-date equipment that supports the latest wireless security standards:
Article: The six dumbest ways to secure a wireless LAN
The article also references this link for better protective advice:
Simple advice for securing your home wireless LAN
More industrial strength Wireless Security