December 2006 - Posts
IE 7 and Firefox 2.0 are improved browsers offering improved functionality and security. The new Firefox 3 version offers internal improvements and so far no issues have been encountered in early testing.
Article: Firefox 3.0 Alpha Is for Developers Only
http://www.eweek.com/article2/0,1895,2071031,00.asp
QUOTE: The Mozilla Foundation recently released the first alpha of Firefox 3.0, and when people refer to this release of the browser as a developer version, they aren't kidding. In fact, the only difference that a regular Firefox user will notice between this alpha and the current shipping version of Firefox 2.0 is that the top browser title bar and the About screens use the Firefox 3.0 code name Gran Paradiso instead of Firefox.
FIREFOX 3.0 - SUMMARY OF KEY CHANGES
1. Uses alpha of Gecko 1.9, the forthcoming rendering engine for Mozilla browsers.
2. Uses the Cairo library for all vector graphics rendering.
3. Includes changes to improve page rendering and performanc
4. Use System X Cocoa application environment, making Mac versions easier to develop.
5. Will only run on Windows 2000 and later and on Mac OS X 10.3.9 or later.
DOWNLOAD - Home Page (Windows, Linux, Mac, etc)
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/granparadiso/alpha1/
DOWNLOAD - Windows 2000 or Higher
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/granparadiso/alpha1/win32/en-US/
This new threat is not circulating extensively yet and updating to the latest levels of AV (plus always being careful with suspicious attachments) will help mitigate this new exposure. 
Microsoft Word - Second new vulnerability and exploit
http://www.incidents.org/diary.php?storyid=1925
QUOTE: We received notification from an ISC participant that McAfee has released a dat today for protection against a buffer overflow attack in MS Word. The announcement says "Note: This vulnerability was first found through one of the samples that McAfee analyzed, and this vulnerability differs from the "Microsoft Word 0-Day Vulnerability I" that was published on December 5, 2006.".
McAfee information on Word Exploit II
http://vil.nai.com/vil/content/v_vul27249.htm
QUOTE: A vulnerability exists in Microsoft Word that could allow for arbitrary code execution. This could be exploited successfully if a victim were to open a specially crafted Word document obtained via an email attachment or downloaded from a malicious website.
New Word Exploit II Protection - DAT 4915
http://vil.nai.com/vil/content/v_141056.htm
MSRC Commentary on New Word Exploit
http://blogs.technet.com/msrc/archive/2006/12/10/new-report-of-a-word-zero-day.aspx
QUOTE: We are investigating reports of another new vulnerability in Microsoft Word – initial investigation has shown that this is a different issue to that reported in Microsoft Security Advisory 929433. Our initial investigation has discovered that Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is NOT affected by the vulnerability.
Secunia
http://secunia.com/advisories/23205/
FRSirt
http://www.frsirt.com/english/advisories/2006/4920
As noted in F-Secure's Web Log:
http://www.f-secure.com/weblog/archives/archive-122006.html#00001045
QUOTE: The Word vulnerability are detected as Trojan-Downloader.Win32.Cryptic.ec, Trojan-Downloader.Win32.Cryptic.f and Trojan-Downloader.Win32.Tiny.y.
I'm certain as hackers mitigate anti-piracy controls, Microsoft will in turn fix these issues. Naturally, folks are going to experiment with new products, as I had read recently of someone getting Linux to run on the new Zune player. In the case of Vista, software pirates are spoofing a corporate tool that's designed to make the technician's job easier for mass installing this in an enterprise setting.
Hopefully, no one will use pirated copies and the associated activation hacks. They could save a few dollars now, but then when Vista stops working down the road later they may not be able to recover data easily or go through a lot of grief to get things corrected.
Beyond ethical considerations, it is a crime to knowingly install and use pirated software (at least in the countries where this can be prosecuted). Given the inexpensive nature of PCs when compared with the past, folks should always get the real versions of software.
Article: Pirates work around Vista's activation feature
http://www.infoworld.com/article/06/12/08/HNpiratesworkaroundvista_1.html?source=NLC-TB2006-12-08
QUOTE: Windows Vista must be "activated," or authorized by Microsoft, before it will work on a particular machine. To simplify the task of activating many copies of Vista, Microsoft offers corporate users special tools, among them Key Management Service (KMS), which allows a company to run a Microsoft-supplied authorization server on its own network and activate Vista without contacting Microsoft for each copy.
Several critical patches will be available for Windows on December 12, 2006 and it is always important for home users and companies to install these as quickly as possible.
Microsoft Security Updates - December 2006 Advanced Notification
http://www.microsoft.com/technet/security/bulletin/advance.mspx
http://blogs.technet.com/msrc/archive/2006/12/07/december-2006-advanced-notification.aspx
Current Word and WMP vulernabilities are likely not to be patched in this release
(users need to continue being careful with Word and Media Player ASX playlist files)
http://www.incidents.org/diary.php?storyid=1922
http://www.f-secure.com/weblog/archives/archive-122006.html#00001045
QUOTE: On 12 December 2006 Microsoft is planning to release:
• Five Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. Some of these updates will require a restart.
• One Microsoft Security Bulletins affecting Microsoft Visual Studio. The highest Maximum Severity rating for these is Critical. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool. These updates may require a restart.
nmap is an excellent network penetration testing tool that I've used in the past to evaluate security vulnerabilities. A new version release is noted in the link below with other links pointing to the download and informational site pages.
NMap 4.20 released
http://www.incidents.org/diary.php?storyid=1923
QUOTE: Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source (license).
Nmap is ...
- Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
- Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
- Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
- Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
- Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
- Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, and tutorials. Find them in multiple languages here.
- Supported: While Nmap comes with no warranty, it is well supported by the community and we appreciate bug reports and patches. If you encounter a problem, please follow these instructions.
- Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
- Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.
Corporate McAfee's version 8 is our current AV standard at work and during December version 8.5i. I received early copies and have been testing this on 4 PCs (e.g., 3 XP SP2 and 1 W/2000 SP4). So far, I've not encountered issues as it scans thoroughly, starts/stops properly, and does not impact system performance. I'm pleased with the new version and it will also be the one supporting Windows Vista as it's introduced corporately.
McAfee - Corporate Enterprise Version 8.5i released
http://www.mcafee.com/us/about/press/corporate/2006/20061204_192020_k.html
http://phx.corporate-ir.net/phoenix.zhtml?c=104920&p=irol-newsArticle&ID=937398
McAfee - Corporate Enterprise Version 8.5i system requirements from RC1
http://www.mcafee.com/us/enterprise/downloads/beta/beta_mcafee/vse.html
QUOTE: SANTA CLARA, Calif., Dec. 4 /PRNewswire-FirstCall/ -- McAfee, Inc. (NYSE: MFE) today announced the latest release of its Total Protection solution, McAfee(R) Total Protection for Enterprise 2.0. The release further strengthens the threat prevention side of McAfee's security risk management strategy while reducing the complexity, expense and headaches of multiple standalone products. The latest release updates key components including McAfee VirusScan(R) Enterprise, McAfee AntiSpyware(TM) Enterprise and McAfee Policy Enforcer network access control, and adds McAfee SiteAdvisor Enterprise to Total Protection for Enterprise Advanced.
McAfee VirusScan Enterprise 8.5i and McAfee AntiSpyware Enterprise 8.5 provide advanced, proactive protection from viruses, worms, spyware, adware, rootkits, hacker attacks, exploits and more, for desktops and servers. The new technology goes beyond simply offering protection from a database of signatures, using advanced behavioral technology protecting systems from both known and unknown threats.
The key new enhancements include:
* Enhanced behavioral-based protection to stop unknown and sophisticated attacks
* Advanced rootkit detection to stop attackers and spyware from hiding threats
* Improved self-protection to prevent malware or attackers from disabling protection
Some of the listed themes found in this 4 page article include:
1. Two-factor authentication
2. Sandbox connections
3. Encryption and Strong Passwords
4. Special EMAIL and IM controls
5. External SharePoint sites
Article: How Microsoft fights off 100,000 attacks per month
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005756
QUOTE: Microsoft, of course, maintains valuable intellectual property on its internal network, including the source code to all its operating systems and applications. These are constant targets for hackers, and Microsoft tries to protect its most valuable assets with defenses in depth -- they are behind firewalls and on networks segmented with IPSec. In addition, the entire network is monitored for suspicious activity, scanned for malware and so on.
What do I mean by a constant target? Last year, Microsoft IT said it was the target of more than 100,000 intrusion attempts per month. Currently, Microsoft filters out about 9 million spam and virus e-mails a day out of a total 10 million received. Yes, that means that roughly 90% of incoming e-mails are spam.
This cartoon shares some a neat illustration of mobile phone security dangers. Always be cautious with any email, IM, or phone text message.
Mobile Phone Malware - Illustrated in a Cartoon
http://www.f-secure.com/weblog/archives/Anatomy_of_Attack.jpg
Related links
http://www.sciencentral.com/articles/view.php3?article_id=218392878
http://www.f-secure.com/weblog/archives/archive-122006.html#00001046
While this new worm may not be widespread, it features some advanced designs. In particular, the polymorphic encryption feature could make this one difficult for AV vendors to detect.
Allaple.A Internet/LAN worm - Highly polymorphic with Password attacks
http://secunia.com/virus_information/34550/allaple.a/
http://www.f-secure.com/v-descs/allaple_a.shtml
QUOTE: Allaple is a powerful polymorphic LAN and Internet worm. It uses a number of exploits to spread and performs a dictionary attack on network share passwords. The worm copies itself multiple times to a hard drive and also affects HTML files. In addition the worm performs a DoS (Denial of Service) attack on a few websites.
The worm's file is polymorphically encrypted. It means that every copy of the worm is different from each other. The constant part is only the size of the worm's executable file - 57856 bytes. After the worm's file is run it goes through the polymorphic decryptor and then proceeds to the static part of the code that allocates a memory buffer and extracts the main worm's code into it. Then the control is passed directly to the extracted worm's code.
After getting control, the worm creates a few threads. One thread scans for vulnerable computers (on TCP ports 139 and 445) and sends exploits there in order to infect them. The worm also tries to bruteforce network share passwords by performing a dictionary attack on them. The following TCP ports used during the DoS attack: 22, 80, 97, 443
Yesterday, I installed the new version 8 and it's working well on my two PCs at work. Adobe notes security improvements in the new version and I found the user interface much improved over prior versions.
Adobe 8 Reader - Home Page
http://www.adobe.com/products/reader/
Adobe 8 Reader - Reasons to Upgrade
http://www.adobe.com/products/reader/productinfo/reasons_to_upgrade/
Adobe 8 Reader - FAQ
http://www.adobe.com/products/reader/productinfo/faq/
Adobe 8 Reader - User Guide (142 pages - 7MB)
http://www.adobe.com/products/reader/pdfs/reader_user_guide.pdf
Adobe 8 Reader - Security Guide (13 pages - 1MB)
http://www.adobe.com/products/acrobat/pdfs/AdobePDFSecurityGuide.pdf
QUOTE: Adobe Reader 8 offers a new interface, new tools, and more options... Maximize your screen real estate. Reader 8 has a completely redesigned interface, new tools, and a host of new options for viewing information more efficiently. Download free Adobe® Reader® 8 software to more securely view, print, search, sign, verify, and collaborate on PDF documents, online as well as offline, from your home or office.
Adobe 8 Reader - Download Manager version:
(Note: Downloader manager defaults to also installing the Google toolbar, however users can uncheck this prior to downloading to opt out if desired)
ftp://ftp.adobe.com/pub/adobe/reader/win/8.x/8.0/enu/AdbeRdr80_DLM_en_US.exe
12/06/2006 11:32 PM 545,560 AdbeRdr80_DLM_en_US.exe
Adobe 8 Reader - FTP Download link
12/06/2006 09:34 PM 21,822,168 AdbeRdr80_en_US.exe
(full version without Google Toolbar option)
ftp://ftp.adobe.com/pub/adobe/reader/win/8.x/8.0/enu/AdbeRdr80_en_US.exe
Although the scope of this new zero day is limited, users should always avoid unexpected attachments and scan them thoroughly with AV products (and even forwarding the email to www.virustotal.com if there are any suspicions)
Microsoft Security Advisory (929433)
Vulnerability in Microsoft Word Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/929433.mspx
QUOTE: Microsoft is investigating a new report of limited “zero-day” attacks using a vulnerability in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005, and 2006. In order for this attack to be carried out, a user must first open a malicious Word file attached to an e-mail or otherwise provided to them by an attacker. As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources.
More links are noted below:
http://secunia.com/advisories/23232/
http://www.frsirt.com/english/advisories/2006/4866
http://www.f-secure.com/weblog/archives/archive-122006.html#00001042
http://www.incidents.org/diary.php?storyid=1913
I like the idea, but this appeal will most likely go unnoticed. Domain registrars should not allow names that are very close to true financial web sites to be purchased for phishing attacks. Still, I'm not even certain if most users even look at redirected URLs, as sometimes, the HTML looks genuine enough to instill trust and folks end up learning what phishing is all about the hard way
F-Secure's open letter to Domain Registrars
http://www.f-secure.com/weblog/archives/archive-122006.html#00001041
http://www.f-secure.com/weblog/archives/registrars.gif
Cross-scripting is a popular approach used in web based attacks. A new vulnerability using malformed requests have been discovered for Google Search Appliances.
Google Search Appliances - Cross-Site Scripting Vulnerability
http://secunia.com/advisories/23239/
QUOTE: A vulnerability in Google Mini Search Appliance and Google Search Appliance can be exploited by malicious people to conduct cross-site scripting attacks. The vulnerability is caused due to an error within the handling of UTF-7 encoded URIs. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Solution: Filter malicious characters and character sequences in a proxy.
I got a few of these in my morning email that many AV vendors weren't detecting. Always be careful with attachments and new additions to the Stration family emerge almost daily. Submitting a sample to www.virustotal.com can provide a secondary check if you're ever uncertain on a specific attachment.
QUOTE: Sophos has received several reports of this Win32 worm from the wild. Information about W32/Stration-CH can be found at:
http://www.sophos.com/security/analyses/w32strationch.html
TEST RESULTS FROM VIRUSTOTAL.COM
Complete scanning result of "data.log.scr", processed in VirusTotal at
12/05/2006 13:37:55 (CET).
[ file data ]
* name: data.log.scr
* size: 30212
* md5.: 972b5469c3579f249d0b50ec399e81f4
* sha1: 97f2b4c89f93b820193df520ddc4ceba12dfa3f4
[ scan result ]
AntiVir 7.2.0.46/20061205 found [TR/Dldr.Stration.Gen]
Authentium 4.93.8/20061204 found [W32/Warezov.gen4]
Avast 4.7.892.0/20061205 found [Win32:Warezov-QR]
AVG 386/20061205 found [I-Worm/Stration]
BitDefender 7.2/20061205 found [Win32.Warezov.FF@mm]
CAT-QuickHeal 8.00/20061204 found nothing
ClamAV devel-20060426/20061205 found [Worm.Stration.WZ]
DrWeb 4.33/20061205 found [Win32.HLLM.Limar.based]
eSafe 7.0.14.0/20061203 found [suspicious Trojan/Worm]
eTrust-InoculateIT 23.73.76/20061205 found nothing
eTrust-Vet 30.3.3232/20061205 found nothing
Ewido 4.0/20061204 found nothing
F-Prot 3.16f/20061204 found [W32/Warezov.gen4]
F-Prot4 4.2.1.29/20061204 found [W32/Warezov.gen3!W32DL]
Fortinet 2.82.0.0/20061205 found [W32/Stration.DS@mm]
Ikarus T3.1.0.26/20061204 found [Email-Worm.Win32.Warezov.gen]
Kaspersky 4.0.2.24/20061205 found [Email-Worm.Win32.Warezov.fb]
McAfee 4910/20061204 found nothing
Microsoft 1.1804/20061205 found nothing
NOD32v2 1901/20061205 found [Win32/Stration.SV]
Norman 5.80.02/20061205 found [Stration.gen@mm.dropper]
Panda 9.0.0.4/20061205 found nothing
Prevx1 V2/20061205 found nothing
Sophos 4.12.0/20061204 found nothing
Sunbelt 2.2.907.0/20061130 found nothing
TheHacker 6.0.3.129/20061205 found nothing
UNA 1.83/20061204 found nothing
VBA32 3.11.1/20061205 found [Email-Worm.Win32.Warezov.fb]
VirusBuster 4.3.15:9/20061205 found [Trojan.Opnis.Gen.36]
A minor new vulnerability for W/2000 emerged over the weekend.
Microsoft Windows 2000 Print Spooler DoS Vulnerability
http://secunia.com/advisories/23196/
http://www.frsirt.com/english/advisories/2006/4827
QUOTE: The vulnerability is caused due to an error in the handling of RPC requests within the Print Spooler service. This can be exploited to consume almost all available memory via a specially crafted packet, which may result in a system crash. The vulnerability is confirmed on a fully patched Windows 2000 SP4 system. Other versions may also be affected.
Solution: Restrict access to the service or disable the Print Spooler service
Sophos recently commented that Vista users may not be completely safe from the top 3 viruses in the public sector today. Sandi, a fellow Security MVP summarized this issue by stating that, "Windows Vista will not protect you from yourself". Unfortunately, Microsoft must provide Win32 compatibility -- even if it possibly includes computer viruses.
Still users are better protected with Vista, including:
(1) New UAC warning prompts on potential registry updates
(2) A more protective kernel design
(3) Better out-of-the-box security (e.g., improved settings, OneCare, Defender)
(4) Better implementation of limited user accounts
(5) IE 7, a much improved web browser.
No operating system is completely "fool proof". Still with Vista's TWC based improvements, users are probably going to require more than just one click of the mouse to infect themselves, as they are prompted with multiple "Are you sure you want to do this to yourself?" messages along the way
MySpace is one of the most popular sites on the Internet (esp. for younger folks) and everyone should exercise caution as it's a major target for malware writers. The following is a new phishing scheme that uses a Java Script based attack.
JS.QSpace.A - New Javascript exploits MySpace XSS vulnerability
QUOTE: This malicious JavaScript may be downloaded from the Internet. It may also be dropped by another malware. It exploits the XSS vulnerability found in MySpace Web pages. Once exploited, this JavaScript redirects a user to the Web site The phishing URL steals MySpace user account names and passwords.
It contains codes to edit the profile of a stolen MySpace account by downloading and adding a movie file to the stolen profile. The said movie file contains the phishing URL, such that when another MySpace user views the affected profile, this JavaScript is automatically downloaded and executed onto the viewer's profile.
Once the MySpace viewer is affected, this malware attempts to send any of the following messages to contacts of the affected MySpace user profile:
• Hehe that was so funny..
• You better not forget about this..
• better see this one last time lol..
• omg did you see this last nite..
• what else is there to do on a Sunday.?.......
• whos coming to the party tonight.?..
This malicious JavaScript runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
The Internet Storm Center denotes a deceptive attack and hostile site that users should avoid. Some adware and spyware authors create objects that look exactly like Windows system messages to trick users into clicking and potentially installing malware. These are probably some of the more deceptive design approaches.
404dnserror Adware Site
http://www.incidents.org/diary.php?storyid=1903
Copy of Web Page
http://www.incidents.org/images/404dnserror.png
Hopefully no DDoS or other attacks will surface from the warning issued yesterday.
Articles
http://www.foxnews.com/story/0,2933,233477,00.html
http://www.eweek.com/article2/0,1895,2066574,00.asp
http://www.usatoday.com/tech/news/2006-11-30-warning_x.htm
Internet Storm Center Links
http://www.incidents.org/diary.php?storyid=1899
http://www.incidents.org/diary.php?storyid=1900
QUOTE: The U.S. government warned American private financial services on Thursday of an al Qaeda call for a cyber attack against online stock trading and banking Web sites beginning on Friday, a source said. The Department of Homeland Security confirmed an alert had been distributed but said there was no reason to believe the threat was credible.
Financial Services Information Sharing and Analysis Center (FS/ISAC)
http://www.fsisac.com/
More Posts
« Previous page -
Next page »