July 2009 - Posts
CERT is charged with providing response support and defense against cyber attacks for the US Government. These tips and techniques provide valuable safeguards for a safer Internet experience. IE and Firefox protection are discussed in-depth.
CERT - Excellent advice on how to secure your browser
http://www.us-cert.gov/reading_room/securing_browser/
QUOTE: This paper will help you configure your web browser for safer internet surfing. It is written for home computer users, students, small business workers, and any other person who works with limited Information Technology (IT) support and broadband (cable modem, DSL) or dial-up connectivity. Although the information in this document may be applicable to users with formal IT support as well, organizational IT policies should supersede these recommendations. If you are responsible for IT policies for your organization, please consider implementing these recommendations as part of your policy.
Please be prepared to install these updates as applicable on July 28th. Most folks will do so automatically and this notification lets us know these updates are coming.
Microsoft Special Out-of-Band Patch Tuesday targeted for 07/28/2009
http://isc.sans.org/diary.html?storyid=6859
http://blogs.technet.com/msrc/archive/2009/07/24/advance-notification-for-july-2009-out-of-band-releases.aspx
http://www.microsoft.com/technet/security/bulletin/ms09-jul-ans.mspx
QUOTE: While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported.
Polymorphism is a technique used to create unique variants from the same malware agent. For example, through random number generators and other techniques, each wave of attacks can be slightly different.
This approach is designed to evade AV scanning engines, and sometimes slightly different AV signatures must be added to catch each variant. AV detection is very complex and a must-have on every PC and server.
The 22 samples and graphs in this article reflect the difficulty AV vendors have in keeping up on a daily basis. It's also why we must keep our own PCs updated.
AV-Test - 22 million malware samples in June due to Polymorphism
http://www.avertlabs.com/research/blog/index.php/2009/07/24/counting-badness/
QUOTE: AV-Test counts unique binaries. Unique means different cryptographic hashes. So the same Trojan, obfuscated with 10 different packers results in 10 unique binaries. This is often due to the impact of server-side polymorphism, where you get a unique binary every time you download a file.
AV-Test’s count has come close to 22,000,000 samples in June. We are now seeing a major increase in the monthly growth, topping one million new samples each month in AV-Test’s count. And this time it’s not only samples (the same piece of malware packed over and over again) but also actual new malware.
So keep your machine updated, not just AV and the OS but all applications. Watch out where you surf. (SiteAdvisor may help you there.) And take care what links or attachments you trust in emails and all other forms of messages. All this will help you enjoy the summer!
Always be careful with sites that you join and how they use your email account. Also, avoid sharing it publicly as it could be potentially misused.
On social Web, beware of address book mining
http://www.msnbc.msn.com/id/32088728/ns/business-consumer_news/
QUOTE: When you join a new Web site, how often do you read the terms and conditions before you click the accept button? Most people probably answer never or rarely. And that’s understandable. Many just want to get on the site. Who wants to read a document that goes on and on in language that only a lawyer could understand? That can be a big mistake. You never know what could be tucked in there. When you go to a new site, make sure you know what you are allowing them to do with your personal information.
So far, only a handful of sites have been discovered, but there's a potential for these new SWF exploits to spread further. Keep AV protection updated, avoid all suspicious attachments (PDFs in this case), and avoid unusual websites as well.
New attacks exploit vulnerability in fully-patched Adobe Flash
http://www.theregister.co.uk/2009/07/22/adobe_flash_attacks_go_wild/
QUOTE: Although the exploit can be triggered using malicious PDF files opened by Adobe's Reader application, a more common technique uses a 1.1 kilobyte Adobe Flash file to target the vulnerability, says Paul Royal, principal researcher for Purewire, a company that protects web users against malicious sites. At the moment, the number of attacks is small, but that's likely to change.
"So far, I've seen just a handful of websites offering this zero-day exploit, although the number will obviously increase the minute that a public proof of concept version of the weaponized vulnerability gets published," Royal tells The Register. "Once this thing hits Milw0rm you'll see thousands of sites."
Adding to the urgency, none of the major anti-virus engines were detecting the poisoned SWF files at time of writing. What's more, some of the sites serving the malicious, one-frame movie are legitimate websites that have been compromised, making it difficult for people to protect themselves against the attack.
Google Chrome was recently updated to fix security vulnerabilities, and users will be updated automatically.
Google Chrome 2 - Recent Security release
http://isc.sans.org/diary.html?storyid=6832
QUOTE: On Thursday, July 16, Google Chrome 2.0.172.37 was released. It fixed what Google calls a Critical severity vulnerability, Memory corruption in the browser process, and a High severity vulnerability, Heap overflow with Javascript regular expressions. They report the vulnerabilities were identified by the "Google Chrome security team".
Trend documents that several websites in India were impacted by recent SQL injection attacks.
New SQL Injection attacks on India websites
http://blog.trendmicro.com/massive-sql-injection-ensues/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?vname=TROJ_AGENT.HOZZ
QUOTE: With the growing concern with numerous vulnerabilities, just this afternoon, Trend Micro Research Project Manager, Ivan Macalintal, stumbled on a somewhat regional fallout of this SQL injection in India threading through numerous compromised government, tourism, popular media, and other sites.
A buffer overflow vulnerability has been discovered, and FF users should look for a patch soon. A proof-of-concept exploit has been developed, but so far no attacks in the wild have been documented. Some mitigation techniques include: NoScript, AV protection, and safe practices.
Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability
http://isc.sans.org/diary.html?storyid=6829
http://www.securityfocus.com/bid/35707/discuss
QUOTE: Various analysts and sites have recently confirmed a vulnerability is present in FireFox 3.5.1 that has had exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DOS. No Patch is available.
As an exploit has recently been created, it's important for all users to update to the newer version. Most folks will autoupdate, and they should accept these changes right away.
Firefox 3.5.1 released to correct critical JS vulnerability
http://isc.sans.org/diary.html?storyid=6817
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
http://en-us.www.mozilla.com/en-US/firefox/3.5/releasenotes/
http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
QUOTE: If you are a Firefox 3.5 user, update now. And remember, if you applied the work around by disabling the JIT in about:config, remember to turn it back on!
Firefox users should be on the lookout for an update soon, as noted in the Mozilla blog:
Firefox 3.5 - Critical JavaScript POC Exploit developed
http://isc.sans.org/diary.html?storyid=6796
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761
QUOTE: The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. An update does not currently exist. So far there are no reports of sites on the internet being first to use the hole for active infections and exploitation of Windows PCs. Since the published exploit uses PC heap spraying under JavaScript, disabling JavaScript should act as a stop gap. When the exploit was tested with Windows 7 RC1, after a short time, the browser displayed a dialogue offering to abort the script.
WORKAROUNDS
1. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine (see Mozilla link above)
2. NoScript is also a good security add-on that alerts users to the presence of JS and lets them allow it on a site-by-site basis:
http://noscript.net/
With active DirectShow and other attacks in the wild, it is beneficial for all corporate and home users to apply these protective updates promptly.
QUOTE: The full July Security Bulletin is available at the following Web page:
http://www.microsoft.com/technet/security/bulletin/MS09-Jul.mspx.
ISC has 2 PATCH NOW recommendations
http://isc.sans.org/diary.html?storyid=6790
==================================
New Security Bulletins - July 2009
==================================
Microsoft is releasing the following six new security bulletins for July 2009:
----------------------------------
Bulletin ID: MS09-028
Bulletin Title: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows 2000, Windows XP, Windows Server 2003
----------------------------------
Bulletin ID: MS09-029
Bulletin Title: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: Requires restart
Affected Software: Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008
----------------------------------
Bulletin ID: MS09-030
Bulletin Title: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (969516)
Max Severity Rating: Important
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Office Publisher 2007
----------------------------------
Bulletin ID: MS09-031
Bulletin Title: Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
Max Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Microsoft Internet Security and Acceleration Server 2006
----------------------------------
Bulletin ID: MS09-032
Bulletin Title: Cumulative Security Update of ActiveX Kill Bits (973346)
Max Severity Rating: Critical
Vulnerability Impact: Remote Code Execution
Restart Requirement: May require restart
Affected Software: Microsoft Windows XP, Windows Server 2003
----------------------------------
Bulletin ID: MS09-033
Bulletin Title: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
Max Severity Rating: Important
Vulnerability Impact: Elevation of Privilege
Restart Requirement: Requires restart
Affected Software: Virtual PC 2004, Virtual PC 2007, Virtual Server 2005
The ISC is highlighting these zero-day attacks with a rare "Yellow Status" condition for 24 hours, as more active use in the wild may be occurring. AV protection is emerging, and users should be careful in accessing unusual websites presented to them in searches, email, IM, or other sources until this is patched.
Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution
http://isc.sans.org/diary.html?storyid=6778
http://isc.sans.org/diary.html?storyid=6787
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1361617,00.html
http://www.sophos.com/blogs/gc/g/2009/07/13/day-vulnerability-microsoft-owc-discovered/
http://www.sophos.com/blogs/sophoslabs/v/post/5320
QUOTE: Attack vectors used to exploit this vulnerability
1. In the now known public attempts to exploit the vulnerability, attackers just modify the code with a fresh download and payload to slightly modified malware.
2. A .cn domain using a heavily obfuscated version of the exploit - which may become an attack kit (think MPACK) and is similar to recent DirectShow attacks.
3. A highly targeted attack against an organization earlier today who received a Microsoft Office document with embedded HTML. This one was particularly nasty; it was specifically crafted for the target - with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient. Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim's domain/IP range would not reach the server.
IE zero-day domains to avoid
http://isc.sans.org/diary.html?storyid=6739
Microsoft Advisory 973472
http://www.microsoft.com/technet/security/advisory/973472.mspx
Exploit-CVE2009-1136 -- McAfee protection emerging (DAT 5676)
http://vil.nai.com/vil/content/v_179225.htm
AV products use sophisticated pattern matching, MD5 hash totals, and other techniques to detect hundreds of thousands of different viruses. As they can only use about 100 bytes of information per virus signature, sometimes legitimate software will fall into a matching pattern and be detected as a false positive.
False positives can occur occasionally with any AV product. When viruses are detected, users should pay close attention and record the name of any viruses found, as noted in the MSNBC article. A later search at the AV company's website may highlight any false positives detected. If it's a true malware incident, noting the virus name may be valuable in determining whether any information was transmitted from the compromised PC.
Computer Associates apologize for False Positive
http://isc.sans.org/diary.html?storyid=6775
http://www.msnbc.msn.com/id/31853138/ns/technology_and_science-security/
http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=212102
QUOTE: Antivirus software cuts two ways. It's great at blocking known viruses, but it can sometimes misfire, mistakenly flagging clean files as malicious. That sends a computer into a tailspin trying to clean up stuff that's supposed to be on there. The problem can crash a computer, and fixing it can be a bear. An example emerged this week when users of antivirus CA Inc. watched as their machines warned of an infection and started quarantining files that turned out to be legitimate.
Recent evaluations of these DDoS attacks note that there is NO EVIDENCE that North Korea has launched a cyberwar against the United States. A sophisticated botnet is launching these denial-of-service attacks, in which websites are so overwhelmed with traffic that users cannot properly connect.
Recent DDoS attacks on US and South Korea government web sites
http://sunbeltblog.blogspot.com/2009/07/ddos-global-hysteria.html
http://isc.sans.org/diary.html?storyid=6757
QUOTE: I know of not a shred of evidence that this bot is from North Korea. It would take considerable research to ascertain the original source (the relevant IPs to the malicious code are in several places — Florida and Germany). What happened here is trivial stuff in the security world: A bot got on between 60,000 to 100,000 PCs, and started launching DDoS attacks.
New Koobface variants are sending malicious URLs to Twitter users. AV protection has emerged for many products since these attacks surfaced on Friday, and users should avoid unusual URLs in social networking systems, email, instant messaging, or any other environment. Twitter has been deactivating infected accounts to gain better control over these attacks.
Twitter Security Alert on Koobface
http://status.twitter.com/post/138789881/koobface-malware-attack
http://blog.trendmicro.com/koobface-increases-twitter-activity/
QUOTE: Some users’ PCs have been infected with a variant of the Koobface malware. This malware sends bogus tweets when the user logs into Twitter. We are currently suspending all accounts that we detect sending such bogus tweets. If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC.
What is Koobface
http://en.wikipedia.org/wiki/Koobface
QUOTE: Koobface, an anagram of Facebook ("face" and "book" change order and "koob" is "book" in reverse), is a computer worm that targets the users of the social networking websites Facebook, MySpace [1], hi5, Bebo, Friendster and Twitter. Koobface ultimately attempts, upon successful infection, to gather sensitive information from the victims such as credit card numbers.
Please be careful in website visitations, as this new exploit has been injected into numerous websites. Many of the affected sites appear to be located in China (CN domain suffix). However, this actively working exploit could circulate even more extensively. AV vendors are establishing protection, and one manual workaround, setting a kill bit, is noted below:
0-day in Microsoft DirectShow (msvidctl.dll) used in drive-by attacks
http://isc.sans.org/diary.html?storyid=6733
http://www.avertlabs.com/research/blog/index.php/2009/07/06/new-attacks-against-internet-explorer/
http://www.f-secure.com/weblog/archives/00001716.html
http://sunbeltblog.blogspot.com/2009/07/microsoft-directshow-zero-day.html
QUOTE: A 0-day exploit within the msVidCtl component of Microsoft DirectShow is actively being exploited through drive-by attacks using thousands of newly compromised web sites, according to CSIS. The code has been published in the public domain via a number of Chinese web sites.
WORKAROUNDS FROM SITE LINKS ABOVE
1. Please keep a watchful eye on your AV and IDS/IPS vendors updates to ensure coverage as early as possible on this exploit as it is likely to be widely deployed with the code being available.
2. A valid workaround for the attack vector is available which sets the kill bit on the vulnerable DLL:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400
3. Use another browser besides Internet Explorer until this vulnerability is patched.
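A PowerShell check for the kill-bit workaround in item 2, added here as an example and not taken from the ISC or vendor pages linked above: it reads the Compatibility Flags value under the CLSID quoted in the .reg fragment, reports whether the 0x400 kill bit is set, and can set it without clobbering any other flags already present. The function names are my own.

```powershell
# Added example: verify and apply the ActiveX kill bit for the msvidctl CLSID
# from the workaround above. Run Set-KillBit from an elevated prompt.
$MsVidCtlClsid = '{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}'   # CLSID from the workaround
$KillBit       = 0x400                                      # Compatibility Flags kill bit

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) {
        # No entry at all: the control is not kill-bitted
        return [pscustomobject]@{ Clsid = $Clsid; Flags = $null; KillBitSet = $false }
    }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Clsid      = $Clsid
        Flags      = $flags
        KillBitSet = [bool]([int]$flags -band $KillBit)   # test only the 0x400 bit
    }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    # OR the kill bit into the existing value rather than overwriting other flags
    $new = [int]$current -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    Get-KillBitStatus -Clsid $Clsid
}

# Report the current state for the vulnerable control
Get-KillBitStatus -Clsid $MsVidCtlClsid | Format-List
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node, so check and set both locations there.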
UPDATES on ISSUES as of 7/6/2009 -- The specific issue centers on the expired 5100 engine, which is present on an older version of corporate McAfee (VS 8.0). While DATs previously worked on these expired products, the engine was 18 months past end-of-life. As a result, some very serious false positives emerged which deleted device drivers or critical Windows files, creating BSODs on servers/PCs. McAfee has resolved this issue for now with DAT 5666 or higher. Corporations should ensure they are always on the latest engines, DATs, and product versions to avoid false positives and ensure the best protection possible.
MORE ON THIS ISSUE
https://kc.mcafee.com/corporate/index?page=content&id=KB66225
1. McAfee corrected the false positives with DAT 5666 even with the expired engine issue
2. A better solution is that users should upgrade to engine 5300 as engine 5100 has expired.
* * *
For McAfee users, I'm sure AVERT Labs is also correcting this issue. Still, it's worthwhile to monitor developments, as I'm staying on DAT 5663 on my corporate PC until this issue is resolved.
McAfee DAT 5664 - False Positives may affect Compaq/HP drivers
http://community.mcafee.com/showthread.php?t=231901
http://www.theregister.co.uk/2009/07/03/mcafee_false_positive_glitch/
QUOTE: IT admins across the globe are letting out a collective groan after servers and PCs running McAfee VirusScan were brought down when the anti-virus program attacked their core system files. In some cases, this caused the machines to display the dreaded blue screen of death. Details are still coming in, but forums here and here show that it's affecting McAfee customers in Germany, Italy, and elsewhere. A UK-based Reg reader, who asked to remain anonymous because he was not authorized by his employer to speak to the press, said the glitch simultaneously leveled half of a customer's 140 machines after they updated the latest virus signature file.
Based on anecdotes, the glitch appears to be caused when older VirusScan engines install DAT 5664, which McAfee seems to have pushed out in the past 24 hours. Affected systems then begin identifying a wide variety of legitimate - and frequently crucial - system files as malware. Files belonging to Microsoft Internet Explorer, drivers for Compaq computers, and even the McAfee-associated McScript.exe were being identified as a trojan called PWS!hv.aq, according to the posts and interviews.
Malicious emails are being spammed on the themes of Independence Day, the Fourth of July and fireworks shows. Please avoid related email messages/attachments, special website links, and YouTube links.
July 4th based Malware circulating
http://isc.sans.org/diary.html?storyid=6727
http://securitylabs.websense.com/content/Alerts/3431.aspx
http://www.eset.com/threat-center/blog/?p=1244
http://www.symantec.com/connect/blogs/waledac-july-campaign
Waledac.DU Information
http://blog.trendmicro.com/waledac-celebrates-independence-day-too/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_WALEDAC.DU
QUOTE: The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine.
Web ADMINS should ensure the HTML text editor is secured, as it may be installed by default on some versions of ColdFusion Studio.
Large # of Cold Fusion web sites compromised in past 24 hours
http://isc.sans.org/diary.html?storyid=6715
QUOTE: There have been a high number of Cold Fusion web sites being compromised in last 24 hours. It appears that the attackers are exploiting web sites which have older installations of some Cold Fusion applications. These applications have vulnerable installations of FCKEditor, which is a very popular HTML text editor, or CKFinder, which is an Ajax file manager.
The vulnerable installations allow the attackers to upload ASP or Cold Fusion shells which further allow them to take complete control over the server. It appears that there are two attack vectors (both using vulnerable FCKEditor installations though) that the attackers are exploiting.
How to disable the HTML editor to improve safety
http://www.codfusion.com/blog/post.cfm/cf8-and-fckeditor-security-threat
Security research testing of the Twitter API will be conducted during the month of July. The stated goal is to bring awareness to the need for strengthening security in this very popular and flexible social network messaging facility.
MOTB Daily Findings published here
http://www.twitpwn.com/
Security Researcher Aviv Raff shares mission statement
http://aviv.raffon.net/2009/06/15/MonthOfTwitterBugs.aspx
QUOTE: Today, three years after the “Month of Browser Bugs”, I’ve decided to declare July 2009 as “Month of Twitter Bugs” (MoTB). I’m doing so in order to raise the awareness of the Twitter API issue I recently blogged about. MoTB could have been easily converted to any other “Month of Web2.0 service bugs”, and I hope that Twitter and other Web2.0 API providers will work closely with their API consumers to develop more secure products.
Below is the 1st documented vulnerability related to shortened URLs that may be shared in these micro-blog messages:
MoTB #01: Multiple vulnerabilities in bit.ly service
http://www.twitpwn.com/2009/07/motb-01-multiple-vulnerabilities-in.html
QUOTE: "bit.ly allows users to shorten, share, and track links (URLs). Reducing the URL length makes sharing easier. bit.ly can be accessed through our website, bookmarklets and a robust and open API. bit.ly is also integrated into several popular third-party tools such as Tweetdeck."
bit.ly has a large user base (who doesn't click bit.ly links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs...