September 2006 - Posts
When using Internet Explorer, please be careful with email links and in web surfing as a brand new vulnerability with fully working exploits just surfaced today. I've not read reports of this being in the wild yet, but this is most likely just a matter of time.
Secunia - Extremely Critical Rating
http://secunia.com/advisories/22159/
FRSIRT - Critical Rating
http://www.frsirt.com/english/advisories/2006/2882
QUOTE: A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to crash a vulnerable browser or potentially take complete control of an affected system. This flaw is due to a buffer overflow error when processing a "WebViewFolderIcon" object with a specially crafted "setSlice()" method, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a specially crafted Web page. A fully functional exploit has been publicly released.
ISC
http://www.incidents.org/diary.php?storyid=1741
MoBB July 18th post
http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html
CERT
http://www.kb.cert.org/vuls/id/753044
CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3730
Microsoft has just released a very important out-of-cycle update for IE 5 and 6 users. All Windows users should check for updates.
MS06-055: Internet Explorer Patch released out-of-cycle
http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
While I have IE 7 installed on all my XP PCs, I definitely unregistered VGX.dll on my Windows 2000 home PC. After a few days of testing, all is well (i.e., VGX.dll never became a widely used standard). In addition to AV protection and safe browsing practices, I'd also recommend unregistering the DLL just in case a VML exploit is present at a website you visit.
Instructions can be found in the link below,
http://www.microsoft.com/technet/security/advisory/925568.mspx
You may need to expand these sections: General Information >>> Suggested Actions >>> Workarounds
QUOTE: To un-register Vgx.dll, follow these steps:
1. Click Start
2. Click Run
3. Cut/paste this string:
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
4. Click OK.
5. A dialog box appears to confirm that the un-registration process has succeeded.
6. Click OK to close the dialog box.
7. Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered (as shared earlier, this should be rare)
8. To undo this change, re-register Vgx.dll by following steps 1-7 above -- except cut/paste the following string for step 3:
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
While the ZERT patch probably works in most configurations, there are some issues reported and it's best to wait for an official solution from Microsoft.
I'd recommend that users temporarily unregister the DLL and that should provide protection. The VGX.dll associated with this new risk is not widely used in applications, so testing should be performed if this is rolled out corporately.
1. Unregister the vulnerable DLL
2. Keep AV protection updated
3. Stay away from dangerous or untrusted sites and email
VML Patching
http://www.f-secure.com/weblog/archives/archive-092006.html#00000975
QUOTE: There's an unsupported third party patch for the VML vulnerability available at ZERT. We haven't tested it, so we can't recommend it. But it's good to know something is available if this VML thingy really gets out of hand (which it hasn't yet). YMMV - This patch might not work with everyone. See discussion at PC Doctor Guides.
Problems with ZERT VML patch
http://www.pcdoctor-guide.com/wordpress/?p=3463
QUOTE: I'm getting reports of problems with the ZERT VML/vgx.dll patch on some systems. It returns the following error message: "There was an error while trying to patch the DLL!"
Possible Fix if ZERT VML patch fails
http://www.pcdoctor-guide.com/wordpress/?p=3465
QUOTE: I've been playing with the ZERT VML patch and I think I've found a workaround for anyone having problems patching the vgx.dll file - and that's to unregister the DLL, run the patch and then reregister it. This solution seems to offer the best of both worlds.
This occurred a couple of days ago. Users should never reply to bank-related email messages directly (call the bank directly if you're unsure).
Barclays Phishing attack - Panda issues Orange Alert
http://www.pandasoftware.com/about/press/viewNews.htm?noticia=7777
ORANGE ALERT: PandaLabs warns about BarcPhish, a large-scale phishing attack targeting Barclays Bank clients and involving 61 variants of spoofed emails. Given the number of variants detected, there are an estimated several million emails in circulation. 64% of phishing messages detected by PandaLabs over the last few hours target Barclays clients. The number of phishing messages normally detected by PandaLabs has increased 30% due to the magnitude of this attack.
The Mozilla Foundation has released Firefox 1.5.0.7 to patch security issues. Auto-update should install this for most users automatically.
Mozilla Firefox 1.5.0.7 -- Release Notes
http://www.mozilla.com/firefox/releases/1.5.0.7.html
Mozilla Firefox 1.5.0.7 -- Security Changes
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.7
Mozilla Firefox 1.5.0.7 -- Download Site
(if autoupdate is not enabled)
http://www.mozilla.com/firefox/
Mozilla Firefox 1.5.0.7 -- Secunia Information
http://secunia.com/advisories/21906/
QUOTE: Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct man-in-the-middle, spoofing, and cross-site scripting attacks, and potentially compromise a user's system.
1) An error in the handling of JavaScript regular expressions containing a minimal quantifier can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code.
2) The auto-update mechanism uses SSL to communicate securely. The problem is that users may have accepted an unverifiable self-signed certificate when visiting a web site, which will allow an attacker to redirect the update check to a malicious web site in a man-in-the-middle attack.
3) Some time-dependent errors during text display can be exploited to corrupt memory. Successful exploitation may allow execution of arbitrary code.
4) An error exists within the verification of certain signatures in the bundled Network Security Services (NSS) library.
5) An error in the cross-domain handling can be exploited to inject arbitrary HTML and script code in a sub-frame of another web site via a "[window].frames[index].document.open()" call.
6) An error exists due to blocked popups opened from the status bar via the "blocked popups" functionality being opened in an incorrect context in certain situations. This may be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary web site.
7) Some unspecified memory corruption errors may be exploited to execute arbitrary code.
Microsoft Internet Explorer "daxctle.ocx" KeyFrame Buffer Overflow Vulnerability
http://www.frsirt.com/english/advisories/2006/3593
QUOTE: A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to crash a vulnerable browser or take complete control of an affected system. This flaw is due to a memory corruption error when processing a specially crafted argument passed to the "KeyFrame()" method of a "DirectAnimation.PathControl" (daxctle.ocx) ActiveX object, which could be exploited by attackers to cause a denial of service or execute arbitrary commands by convincing a user to visit a malicious Web page.
FrSIRT confirmed this vulnerability on a fully patched Windows XP SP2 system. Exploit code is publicly available.
Microsoft will be discontinuing update support for Windows XP SP1 and SP1a effective October 10, 2006. They will then only support Windows XP SP2 unless an extension is granted. It's my understanding that October may be the last update. Users on SP1 or SP1a may have only 2 months to move to SP2 (so that they are ready for the November updates). SP2 works great in my corporate experiences and on my home systems. However, it requires good testing of your client/server and web apps as you have a different version of IE 6.
Scroll down to End of Support for Windows XP (note that the Windows XP Embedded entries refer to the separate componentized edition for embedded devices, which is on its own support schedule)
http://support.microsoft.com/gp/lifesupsps#Windows
Adobe Flash Player is widely used in the browser environment and should be updated to the latest version.
Adobe Flash Player - Important Security Update
http://secunia.com/advisories/21865/
http://www.frsirt.com/english/advisories/2006/3573
http://www.adobe.com/support/security/bulletins/apsb06-11.html
http://www.microsoft.com/technet/security/advisory/925143.mspx
QUOTE: Multiple vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions or compromise a user's system.
1) A boundary error during the handling of strings dynamically generated at runtime can be exploited to cause a buffer overflow via an overly long string.
Successful exploitation allows execution of arbitrary code when e.g. visiting a malicious website.
2) An unspecified error allows bypassing the "allowScriptAccess" option.
3) Using a "Shockwave Flash Object", it is possible to execute Flash files containing JavaScript embedded in Office documents automatically when the Office document is opened.
Microsoft has just issued its latest security updates for Windows and Office. So far these are working well in my early testing.
Microsoft Security Bulletins - September 2006
http://www.microsoft.com/technet/security/Bulletin/ms06-Sep.mspx
MS06-054: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729)
http://www.microsoft.com/technet/security/Bulletin/ms06-054.mspx
MS06-052: Vulnerability in Pragmatic General Multicast (PGM) Could Allow Remote Code Execution (919007)
http://www.microsoft.com/technet/security/Bulletin/ms06-052.mspx
MS06-053: Vulnerability in Indexing Service Could Allow Cross-Site Scripting (920685)
http://www.microsoft.com/technet/security/Bulletin/ms06-053.mspx
Re-Released Bulletins:
MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (921883)
http://www.microsoft.com/technet/security/Bulletin/ms06-040.mspx
MS06-042: Cumulative Security Update for Internet Explorer (918899)
http://www.microsoft.com/technet/security/Bulletin/ms06-042.mspx
This new JavaScript-based malware agent is low-risk, and most folks should already be patched. It includes an exploit for a vulnerability patched by Microsoft in early 2006 (MS06-006).
MS06-006: JS_DLOADER.EAZ - Uses Media Player Plug-in Exploit
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EEAZ
MS06-006: JS_DLOADER.EAZ - Behavioral Diagram
http://www.trendmicro.com/vinfo/images/JS_DLOADER_EAZ2.gif
(MS06-006) Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)
http://www.microsoft.com/technet/security/bulletin/MS06-006.mspx
QUOTE: This malicious JavaScript may arrive embedded in a file dropped by another malware, manually downloaded and installed by an unsuspecting user, or spammed through email. It may also be hosted by certain Web sites. It takes advantage of the Windows Media Player Plug-in vulnerability.
This vulnerability is rated low-risk and so far I'm not aware of any exploits of this in the wild. A patch is most likely forthcoming; please be careful with all RSS feeds if you have the Sage extension installed.
Firefox Sage Extension RSS Feed Script Insertion Vulnerability
http://secunia.com/advisories/21839/
http://www.frsirt.com/english/advisories/2006/3553
Advisory ID : FrSIRT/ADV-2006-3553
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-09-11
A vulnerability has been identified in Sage (extension for Firefox), which could be exploited by attackers to execute arbitrary scripting code. This flaw is due to an input validation error when processing RSS feeds containing malformed data, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
Solution: Do not add RSS feeds from untrusted sources
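The advisory above describes feed content being turned into script in the browser. The following is an added example, not Sage's code and not taken from the advisory: a minimal feed-item renderer in JavaScript (runs under Node) with a constructed RSS feed, showing the class of bug (feed-supplied text concatenated straight into markup) next to a hardened version that escapes every feed field and allows only http(s) links. The feed contents, the function names and the simplified item extractor are assumptions for illustration; the extractor is a regex over well-formed RSS 2.0, not a real XML parser.

```javascript
// Added example (not Sage's code). Constructed RSS 2.0 feed: item 1 is benign,
// item 2 carries active content in its title, link and description.
const SAMPLE_FEED = `<?xml version="1.0"?>
<rss version="2.0"><channel>
<item>
  <title>Normal entry</title>
  <link>http://example.com/post/1</link>
  <description>Plain text body</description>
</item>
<item>
  <title><![CDATA[Hostile entry <img src=x onerror="alert(document.cookie)">]]></title>
  <link>javascript:alert('feed')</link>
  <description><![CDATA[<script>alert(1)</script>click me]]></description>
</item>
</channel></rss>`;

// Simplified extractor (assumption for the demo): pulls <item> blocks out of a
// well-formed RSS 2.0 document. A real reader would use a proper XML parser.
function parseItems(xml) {
  const items = [];
  const itemRe = /<item>([\s\S]*?)<\/item>/g;
  let m;
  while ((m = itemRe.exec(xml)) !== null) {
    items.push({
      title: field(m[1], 'title'),
      link: field(m[1], 'link'),
      description: field(m[1], 'description'),
    });
  }
  return items;
}

// Returns the text of one child element, unwrapping CDATA. CDATA contents are
// literal text as far as the feed is concerned, which is exactly why dropping
// them into innerHTML of a privileged page is dangerous.
function field(block, name) {
  const re = new RegExp(`<${name}>([\\s\\S]*?)<\\/${name}>`);
  const m = re.exec(block);
  if (!m) return '';
  const cdata = /^\s*<!\[CDATA\[([\s\S]*?)\]\]>\s*$/.exec(m[1]);
  return cdata ? cdata[1] : m[1];
}

// Vulnerable pattern: feed strings are concatenated into HTML that the reader
// then assigns to innerHTML. Any tag or javascript: URL in the feed becomes live.
function renderUnsafe(item) {
  return `<h3><a href="${item.link}">${item.title}</a></h3><p>${item.description}</p>`;
}

// Hardened pattern: every feed-supplied string is HTML-escaped and links are
// restricted to http(s); anything else is neutralised to "#".
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function safeHref(url) {
  const u = String(url).trim();
  return /^https?:\/\//i.test(u) ? u : '#';
}

function renderSafe(item) {
  return `<h3><a href="${escapeHtml(safeHref(item.link))}">${escapeHtml(item.title)}</a></h3>` +
         `<p>${escapeHtml(item.description)}</p>`;
}

// Crude check used only to compare the two renderers: does the output still
// contain a raw <script>/<img> tag or a javascript: URL that a browser would act on?
function containsActiveContent(html) {
  return /<(script|img)\b|javascript:/i.test(html);
}

// Stand-alone demonstration.
const items = parseItems(SAMPLE_FEED);
for (const item of items) {
  console.log('unsafe :', renderUnsafe(item), '->', containsActiveContent(renderUnsafe(item)));
  console.log('safe   :', renderSafe(item), '->', containsActiveContent(renderSafe(item)));
}
```

The escaping step is the same one the advisory's "security context of an affected Web site" wording points at: a feed reader that runs with more privilege than the page it reads from must treat every feed field as untrusted text, never as markup.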
Virus hoaxes are mainly an email nuisance, but they can also create confusion and distract users from real threats that are present in email or at websites.
Virus Hoaxes - New variant of Olympic Torch hoax
http://vil.nai.com/vil/content/v_138711.htm
QUOTE: PLEASE INFORM EVERYONE -- Emails with pictures of Osama Bin-Laden hanged are being sent and the moment that you open these emails your computer will crash and you will not be able to fix it! If you get an email along the lines of "Osama Bin Laden Captured" or "Osama Hanged" don't open the attachment. This e-mail is being distributed through countries around the globe, but mainly in the US and Israel.
Be considerate & send this warning to whomever you know. PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS:
You should be alert during the next days: Do not open any message with an attached file called "Invitation" regardless of who sent it. It is a virus that opens an Olympic Torch which "burns" the whole hard disc C of your computer. This virus will be received from someone who has your e-mail address in his/her contact list, that is why you should send this e-mail to all your contacts.
It is better to receive this message 25 times than to receive the virus and open it. If you receive a mail called "invitation", though sent by a friend, do not open it and shut down your computer immediately. This is the worst virus announced by CNN, it has been classified by Microsoft as the most destructive virus ever.
This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.
Two Windows and one Office Update are scheduled for September 13, 2006. Home and corporate users should quickly implement these latest protective patches.
Microsoft Security Updates Preview - September 2006
http://www.microsoft.com/technet/security/bulletin/advance.mspx
The security improvements since the 2002 TWC announcement have been positive. IE 7 and later Vista should represent more continuous improvement in this area. They won't be perfect, as "code is code", but MS quality continues to improve as security is being designed into it, rather than retrofitted.
Article - Microsoft exec gives his company a B+ on security
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003087
This new malware threat continues to document the advanced approaches cybercrooks are using. This is a highly targeted attack in Brazil, but still the capture of screen info in an "AVI movie" is creative and as Panda notes this could be used in other targeted attacks.
Banbra.DCY Trojan opens new door to online fraud by capturing data in video files
http://www.pandasoftware.com/about/press/viewNews.htm?noticia=7766
QUOTE: A new Trojan, called Banbra.DCY, has opened a new door for cyber-crooks to steal users’ confidential data: video captures. Banbra.DCY has been specifically designed to target users of certain banks in Brazil that use “virtual keyboards” (clients don’t use their computer keyboards to enter their details, but click on a graphic keyboard on their screens) to carry out online operations.
When the user connects to certain online banking websites, the Trojan captures a screenshot of the area around the mouse pointer, and saves it to a video file with .avi format. These files are then sent to malicious users -without the target user knowing- in order to use them for all types of online fraud activities.
Traditional keyloggers and other Trojans designed to steal this type of data usually capture keystrokes entered by users, saving the data obtained to a text file. However, this forced attackers to make an effort to obtain the data they were looking for (login details, passwords, etc.). In this case, since Banbra.DCY records actions on video, cyber-crooks can easily identify what information is entered in what section of the form, making these attacks simpler than ever.
There are 600+ replies in this detailed thread describing an upgrade from Windows 98 SE to Windows 2000 Professional on a laptop system.
The thread is informative and even has a few humorous moments.
http://forums.mozillazine.org/viewtopic.php?t=430810
This new vulnerability only affects Word 2000 and is being exploited in the wild. Stay up-to-date on AV protection and avoid all suspicious Word documents found in email.
Symantec - MDropper.Q Trojan Description
Microsoft Word 2000 Document Handling Client-Side Command Execution Vulnerability
http://www.frsirt.com/english/advisories/2006/3448
QUOTE: A vulnerability has been identified in Microsoft Word 2000, which could be exploited by attackers to take complete control of an affected system. This flaw is due to a memory corruption error when handling a malformed document, which could be exploited by attackers to execute arbitrary commands by tricking a user into opening a specially crafted Word document. This zero-day vulnerability is currently being exploited in the wild by Trojan.Mdropper.Q.
Microsoft Word 2000 Unspecified Code Execution Vulnerability
http://secunia.com/advisories/21735/
Secunia Advisory: SA21735
Release Date: 2006-09-05
Rating: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Office 2000, Word 2000
Exploits: The vulnerability is being actively exploited.
Discovered by: Discovered in the wild as a 0-day.
A vulnerability has been reported in Microsoft Word 2000, which can be exploited by malicious people to compromise a user's system.