Wiz's Computer and Website Security Blog

This is a follow up to two articles I published earlier this year. They both dealt with an attack against 2Wire brand modems used in Mexico, with the first article titled "Hackers exploit vulnerability in 2Wire modems to steal Mexican bank accounts" and the latter titled "2Wire Modem DNS Poisoning Attack Returns to Mexico." In both of those articles I urged owners of the affected models of these and other brands of modem/router combinations to change the default administrator password, which is blank be default. By creating a personal password the scripted attacks described in these articles will fail, as they rely upon a blank, or known default password to gain access to the configurations pages.

Yesterday I learned about a new means being tested by security cracking professionals and hackers, whereby a 2Wire modem can still be hacked after a personal administrator password has been applied to it! The exploit may already be in the wild, on MySpace, Facebook, or other popular social networking websites, or soon will be. The technique they are using is not brute force, nor a dictionary attack, in fact, it is what I'd call a chance opportunity attack vector. The way it works is by launching a script aimed at your router's GUI configuration page, in your browser, hoping that you have recently logged into the router, in the same browser session. If you have been logged into your router and not closed that browser in the interim, and you happen upon a web page that contains the JavaScript exploit code, your router can be taken over! This happens because having logged in once, and not logged out, you are still authenticated by the router and anything you want to change is only a mouse click, or code string away. No further challenges would appear in most consumer modem/routers or wireless routers. After gaining access to the configuration utility a hacker's code can change your router's administrator password, poison the DNS tables (to redirect you to phishing websites), enable remote administration, download hostile firmware, and anything else the hacker can think of. You wouldn't be any the wiser until you closed that browser, then tried to log in again, only to find that your password was incorrect.

Should this type of attack happen to you and you find yourself locked out of your router, or modem/router configuration page, don't panic yet. The first thing you should do is reset the router to its default state. Most routers have a small hole on the back, where you can insert the tip of a pen, pencil, or hair pin and hold it in for a half minute, or so, then power off, hold it in again, then release the button and power the unit back on. After the device stabilizes you should be back to factory default settings. Close any open browsers to clear any possible hostile sessions and empty your browser's cache, or Temporary Internet Files. Next, open a new browser window and enter the web interface for your router and change the administrator password, disable remote administration and UPnP, then, if at all possible, change the router's IP address. Do not open any other web pages yet; they could have hostile codes embedded without the owner's knowledge.

The last item I mentioned is important because many router or modem attacks have hardcoded IP addresses in the scripts, which will target specific brands of routers. Some will target the address 192.168.1.254, used by 2-wire and certain other routers. If your router will allow you to alter its IP address, do so and save the changes, then log in using the new IP. For instance, if the default IP is 192.168.1.254, change it to something like 192.168.2.253. Be creative here. As long as you change it to a valid LAN IP, in the 192.168 range, it should accept it. When you restart the router, after saving the change, you will probably have to release and renew the computer's IP address, to get a new one from the changed router. To do this open a command prompt. Go to Start > Run and type in CMD then press the Enter key. A black command window should open, with a blinking cursor after a text path ending in a > symbol.

At the blinking cursor type the following commands:

IPCONFIG /RELEASE
press Enter
IPCONFIG /RENEW
press Enter

The last command will show your new computer's IP address as well as the IP of the gateway, which is your router (or modem/router). The gateway IP should be the same as the one you just assigned to your router.

Go back to your browser and try to log into the router again, using the new IP address you assigned to it. You should have to type in your user name and password to get authenticated. Once you are successful and have checked everything that needs checking, close that browser. From henceforth, until all of the major router manufacturers update their firmware to force you to type your old password before changing it, always close all browsers after visiting the router's web interface. Empty your browser's cache before surfing to any other websites, just in case they have been compromised with hostile codes aimed at your router.

If you have visited your online bank, or other financial institution, contact them as soon as possible to put a fraud watch on your account. Then, after securing your (modem) router, log in again to these websites and change you passwords. Hopefully, you will notice the problem with the router before the hackers receive your login details and empty your accounts.

Make it a point to visit your router/modem-router's manufacturer's website to look for new firmware and install it when it becomes available. If you do not know how to do this call your broadband service provider, who supplied the router, and ask them what they are doing to safeguard their routers. They may offer a flash upgrade on demand and may even do it without notifying you first. If that does occur, your personal settings and administrator password may have been reset to default again, along with the IP address you changed. This is typical for firmware updates, but I can't say for sure that you exact model will get reset completely by an upgrade. Just write down everything you know about the router's login and IP address, or save the configuration file after you have everything where you want it, and import it after you flash the firmware. Always verify your settings and make sure you are able to connect to the net, before closing out the router interface. Exit all browser windows afterward and clear the cache/Temporary Internet Files before starting to surf. I have detailed instructions in the extended comments below, for automatically clearing your browser's cache, upon closing all browser windows.

Continue reading "Routers with passwords still vulnerable to hack attacks" »

Posted by Wiz at 1:30 PM | Permalink

On January 13, 2008, I published an article warning owners of certain 2Wire branded DSL modems about a DNS poisoning attack that was ongoing against Mexican banking customers. That attack took advantage of the unfortunate fact that many DSL Internet customers receiving 2Wire modems have not created a unique administrator password to protect their modems from scripted attacks. In the January attacks, spam email messages were sent specifically to Mexican DSL customers, pretending to contain a link to a video that would be of interest to those recipients. Unbeknownst to the recipients, merely opening these messages triggered the running of a script that targeted 2Wire modems with codes that changed the destination URL of the Banamex online bank.

In my January article about this DNS poisoning attack I strongly recommended that all owners of these, and other broadband modems should immediately setup a unique password for the Administrator login to those modems. I also urged them to disable Remote Administration. I should add disabling UPnP to the list of options that will help secure these modems. Apparently, not enough users read and heeded my advice, because I have just learned that a second round of spam attacks has been launched against the very same people, using the same bank in Mexico!

The new round of attacks that is currently underway is again arriving via spammed email messages. This time, though, the email messages are disguised to trick users into thinking that they have received an e-card from Gusanito.com, a popular Mexican eCard Web site. Once a user clicks on the link where the supposed postcard can be viewed, he or she is then directed to a spoofed Gusanito page. That web page loads a couple of Flash controls, including a malicious one that modifies the 2wire modem localhost table. This routine effectively redirects users to a fraudulent site whenever they attempt to access pages related to Banamex.com. Because the spoofed pages so closely resemble the real bank's website, most users wouldn't realize that they were being scammed, until they tried to pay a bill with, or withdraw, money, which they no longer had in their bank accounts.

This DNS poisoning/Phishing technique has a name: "Drive-by Pharming." It is now proving to be a successful attack vector and will certainly be deployed against other 2Wire Modem users in other Countries. I again strongly urge broadband modem users to secure their modems by creating a good, personal Administrator password, plus disabling unnecessary, exploitable services, like remote administration and UPnP. Read my previous article about the exploiting of 2Wire modems and apply the pointers in it to reset and secure your modems.

This new threat was reported by Trend Micro, on their security alert blog. For its part, Trend Micro will detect the malicious .SWF file as SWF_ADHIJACK.D. All related malicious URLs have also been blocked by Trend Micro Web Threat Protection.

Posted by Wiz at 1:12 PM | Permalink

In a recent security alert, found on several high profile security websites, it has been revealed that hackers, in parts unknown, are exploiting vulnerabilities in certain models of the 2Wire brand of DSL modems, to steal bank accounts - in Mexico. These modems are also in use in the US, so don't get smug about this happening in Mexico only. That is probably a test run by the hackers, before hitting the US based modems.

The modus operandi of this attack begins with a spammed email that is rigged with hidden codes that are embedded in an image tag, plus a link to view a hostile video, where another piece of malware will try to install itself (TROJ_QHOST.FX). People who don't have the targeted modem won't be affected directly by these codes - this time. On the other hand, people who do have these modems and have not created a personal password for the modem's administrator login, will have these hidden codes passed directly to it. The codes will poison the DNS entry for banamex.com, which is the largest bank in Mexico. This DNS poisoning will automatically redirect all requests for banamex.com to a look-alike phishing website, where, when people login to their account, that login information will be added to the database owned by the criminals behind this exploit. These people will have their accounts emptied, unless they realize that they've been duped before the hackers get to their money (not likely).

Because this attack involves poisoning the DNS entries for the bank's website, in the modem itself, even typing banamex.com — which is the legitimate, fully-qualified domain name for this bank — leads to the fraudulent site instead. This is the same type of exploit that occurs when spyware poisons a computer's HOSTS file, to redirect specific requests to a hostile address. This exploit occurs invisibly for users of the affected modems who have not changed the default administrator password, which is null (none set). If they have created a personal password this exploit will fail. About 2 million of the affected modems have been shipped to customers in Mexico, all without an administrator password set. It is up to the recipients to create an administrator password.

This is a known, unpatched exploit, that was first reported on August 17, 2007. It is known as an "xslt Cross-site request forgery" (CSRF) vulnerability, which affects 2wire modem/router models 1701HG, 1800HW, and 2071, with 3.17.5, 3.7.1, and 5.29.51 software. It allows remote attackers to create DNS mappings as administrators, and conduct DNS poisoning attacks, via the NAME and ADDR parameters. That demonstrates the importance of changing the default modem password to one that is not easily guessed. If you have one of these modems and have not already created a strong administrator password, do so as soon as possible!

Background
-------------
This is the most popular router in Mexico and the default installation from the ISP has no system password.

Vulnerability
----------------
It is possible to send a request to the router that will modify its configuration.

It does not validate POST, or Referer or Anything, unless the administrator password has been set by the customer

Exploit
----------------
The client PC sends a request to the router with the configuration changes and they are set instantly.

[examples]

Set a password (NewPassword):
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NewPassword&PASSWORD_CONF=NewPassword

Add names to the DNS ( 172.16.32.64 www.example.com):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAM
E=www.example.com&ADDR=172.16.32.64

Disable Wireless Authentication
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&N
AME=encrypt_enabled&VALUE=0

Set Dynamic DNS
http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&I
P_DYNAMIC=TRUE

Also, disable the Firewall, reset the device, etc.

Solution
----------------
To undo the redirect to this phishing website you must reset your 2wire modem to its factory default state. Warning: This will wipe out all saved rules and your login credentials! Have your DSL user name and password ready to input into the modem, after you reset it, or you will not be able to get back onto the Internet.

If your modem has a small hole, with a reset button on the back, or bottom, insert a paper clip or ballpoint pen into the hole, push it against the recessed button and hold it in for about 2 minutes, with the power on. After two minutes let go of the button, wait about ten seconds, then, unplug the power to the modem for another two minutes. Plug it back in and let it stabilize. You will have to input your login credentials to get logged onto the DSL service. To do so, open your browser and go to this address: http://gateway.2wire.net/ . You can also access the modem/router, if has no other routers between it and your computer, by typing in: http://192.168.1.254, where you can input your login credentials.

If your modem does not have a reset button you can reset it electronically, by using this method. Open your web browser and type this address into the address/location bar: http://gateway.2wire.net/management or http://192.168.1.254/mdc . On that page you can perform administrator password creation and reset the modem to it's default state (under Troubleshooting, click on: RESET TO FACTORY SETTINGS).

After you reset the modem to factory settings and input your login credentials, log back onto the management page and click on "Run Setup Wizard, " where you can create a strong administrator password and disable unnecessary features, like remote administration, to prevent this type of exploit from repeating itself.

Sources:
----------------
http://www.securityfocus.com/archive/1/archive/1/476595/100/0/threaded

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4387

http://xforce.iss.net/xforce/xfdb/36044

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389

http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/

Posted by Wiz at 1:51 PM | Permalink

In a release dated December 3, 2007, but I did not become aware of until today, December 19, 2007, Adobe Systems posted an updated version of the Shockwave Flash ActiveX object for Internet Explorer, and the Flash Player plug-in for Firefox and Opera browsers. The new version is currently listed as 9.0.115.0.

Since this is a security upgrade, to block exploits already in the wild, you should update your Flash player or plug-in, both to maintain your PC's security and for compatibility with Flash videos on YouTube and other websites.

One way to update is simply to visit the Flash download page and download it to your computer, then perform an in-place upgrade. Thankfully, this new installer also uninstalls all old versions of Flash, which previous installers did not do. After downloading the Flash setup file, close all of your browsers (Internet Explorer, Firefox and Opera), run the installer until it completes, then open your browser(s).

The second method to update Flash uses this path (assuming that Windows is installed on the C drive and resides inside the "Windows" directory):

C:\WINDOWS\Downloaded Program Files\Shockwave Flash Object. The version number may be displayed on the right, or not, depending on your "view" settings. If not, right-click on that file and select "Update." If nothing happens you probably already have the current version, but, to be sure, right-click on the file and select Properties. The version number will be available from the Properties box. If your version is out of date, accept the download warnings and allow the signed Flash Installer to download and install the new version. Afterward, hit F5 to refresh to folder view and you should see the newer version number, for the flash file (or right-click and view it's "Properties" to see the version).

Failure to update to the current version of Flash player/plug-in may limit your ability to view Flash videos and leave you at risk of exploitation, should you try to view a malware infected Flash presentation.

You can also obtain information about any insecure versions of Flash or other common applications, by running the Secunia Software Inspector, from your browser. See my blog entry from earlier today, for more details about this tool.

Posted by Wiz at 4:03 PM | Permalink

A newly discovered critical vulnerability has been reported by Symantec, the makers of Norton security software products. A design error in an ActiveX control used by Norton AntiVirus could potentially be exploited by a malicious web site. A successful exploit could lead to remote code execution!

Norton has already issued an out-of-cycle patch that can be installed by running Live Update manually. Norton product users who normally run manual LiveUpdate should already have this update. However, to ensure all available updates have been properly installed, run manual LiveUpdate as follows:

Open any installed Norton product from either your Start Menu > Programs, or from the Windows System Tray icon;
Click LiveUpdate;
Run LiveUpdate until all available product updates are downloaded and installed;
A system reboot may be required, depending on the existing patch level of the affected product

The affected products include:
Norton AntiVirus 2005 and 2006
Norton Internet Security 2005 and 2006
Norton System Works 2005 and 2006

Note: The Norton 2007 product line and Symantec enterprise products, including Symantec Client Security and Symantec AntiVirus Corporate Edition are not affected by this issue.

Continue reading "Critical vulnerability found in multiple Norton products! Patch Available Now" »

Posted by Wiz at 12:25 PM | Permalink

Three months ago, in December, 2006, Microsoft was notified about a system vulnerability in the handling of animated cursors, but did nothing about it. Proof of concept code was published demonstrating an exploit vector. This new vulnerability is now being widely exploited to install Trojan malware into fully patched Windows 2000, XP, Server 2003 and Vista systems. All fully patched Windows systems are currently vulnerable.

It is now April 3, 2007, and due to the fact that this unpatched vulnerability is currently being exploited in the wild, Microsoft is going to release an "out-of-cycle" patch for the animated cursor vulnerability, today, April 3, 2007.

If you have automatic Windows Updates turned on you will receive the patch when it is pushed to your geographical/IP location. If you prefer to use manual updates (e.g. dial-up customers), start checking whenever you go online, today. All versions of Windows have a link to Windows Updates, somewhere on the Start Menu and also on every version of Internet Explorer (Tools > Windows Update).

If you are unable to obtain Windows Updates at this time you can temporarily protect your Windows computers by downloading and installing a third party patch from eEye Digital Security. If you do install the official Microsoft patch later, be sure you uninstall the eEye patch.

Continue reading "Critical Vulnerability in Windows Animated Cursors - Patch Today" »

Posted by Wiz at 12:27 PM | Permalink

Secunia is reporting six new critical vulnerabilites discovered recently in Apple QuickTime plug-ins for Windows and Mac computers, which can be exploited by malicious persons or websites to take over a computer.

Secunia Advisory: SA24359
Release Date: 2007-03-06
Last Update: 2007-03-08
Software: Apple QuickTime 7.x

These vulnerabilities are rated a highly critical and can lead to remote system access and take-over if exploited on an unpatched version of QuickTime, on a Windows or Mac computer. Note that just one of these six vulnerabilities does not affect Mac OS X.

Details:
1) An integer overflow error exists in the handling of 3GP video files, on computers running Windows Vista/XP/2000. NOTE: This does not affect QuickTime on Mac OS X.
Impact: Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution

The rest of the vulnerabilities affect computers running Mac OS X v10.3.9 and later or Windows Vista/XP/2000.

2) A boundary error in the handling of MIDI files can be exploited to cause a heap-based buffer overflow.

3) A boundary error in the handling of QuickTime movie files can be exploited to cause a heap-based buffer overflow.

4) An integer overflow exists in the processing of UDTA atom size values in movie files, which can be exploited to corrupt heap memory.

5) A boundary error in the handling of PICT files can be exploited to cause a heap-based buffer overflow.

6) A boundary error in the handling of QTIF files can be exploited to cause a stack-based buffer overflow.

7) An integer overflow exists in the handling of QTIF files.

8) An input validation error exists in the processing of QTIF files. This can be exploited to cause a heap corruption via a specially crafted QTIF file with the "Color Table ID" field set to "0".

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable: http://secunia.com/software_inspector/

Solution:
Apple has issued a patched version of QuickTime. Update to version 7.1.5.

Windows QuickTime Update:
http://www.apple.com/quicktime/download/win.html

Mac OS X QuickTime Update:
http://www.apple.com/quicktime/download/mac.html

Source: http://secunia.com/advisories/24359/

Continue reading "6 New Vulnerabilities found in Apple QuickTime plug-in" »

Posted by Wiz at 2:43 PM | Permalink

On January 1, 2007, Apple Inc. received a documented report about a highly critical vulnerability in it's QuickTime Player software. Since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this vulnerability. There is publicly available proof-of-concept code that exploits this vulnerability. More information about the vulnerability can be found here.

On January 23, 2007 Apple Inc. issued a patched update to it's QuickTime Player, here, on the Apple website. However, that downloadable update is only for Mac operating systems. Windows users are instructed to use the Apple Software Update Tool to download the appropriate patched version for Windows, which was supposed to have been installed when they installed QuickTime, or iTunes onto their computers. Unfortunately, this is a selectable option that may not have been selected by all users.

The instructions for Windows users who did not choose to install that software update tool is to uninstall QuickTime and download the latest version, then run the update tool to see if they have obtained the latest version. If the version you downloaded is vulnerable you would be at tremendous risk by using it online, so download it, then immediately check for updates. Another thing to know is that the software updater itself had to be updated in January, 2007, so if you already had it installed you had better check to see if it needs to be updated, before trying to download the patched version of QuickTime. If that sounds confusing, remember that Apple computers and products are touted as being simpler to use than PC's and their software.

Another thing, if you obtained the QuickTime Player with iTunes software, you may need to update it as well.

Continue reading "Quicktime vulnerability patch problem for Windows users" »

Posted by Wiz at 5:31 PM | Permalink

Security researchers have identified a pop-up address bar spoofing weakness in Microsoft's newly released Internet Explorer 7 browser. The flaw, first reported by security notification firm Secunia, might
lend itself to phishing attacks and remains currently unpatched.

The details about this flaw are found here.

The security bug creates a means for hackers to display a popup with partially spoofed address bar where a number of special characters have been appended to a URL. Only part of the address bar will be
displayed, creating a possible mechanism to trick users into believing they are visiting a trusted site rather than one controlled by hackers.

The weakness has been confirmed to exist in IE7, running even on a fully patched Windows XP SP2 system. A number of possible workarounds have been suggested, pending a fix from Microsoft. Secunia advises surfers not to follow links from untrusted sources. The SANS Institute's Internet Storm Centre suggests a more sophisticated fix involving configuring IE7 to open a new Windows in a new tab.

"This vulnerability has a lot of potential for phishers or others that attempt to trick the user into trusting the popup window as they trust the site displayed in the main window," The Internet Storm Centre notes.

Last week, Secunia and Microsoft got into a dispute about whether a separate information disclosure vulnerability affected IE7 or Outlook Express.

Secunia has created a test page, so that IE7 users can check their browsers for this vulnerability.

Secunia Advisory: SA22542
Release Date: 2006-10-25
Last Update: 2006-10-27
Critical: Less critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 7.x

Posted by Wiz at 11:57 AM | Permalink

Microsoft Security Advisory 925568:

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Published: September 19, 2006 | Updated: September 23, 2006

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML) Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility Microsoft�s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

� In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.
� An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
� In an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. Instead users would have to either click on a link that would take them to a malicious Web site or open an attachment to be at risk from this vulnerability.
� By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because Binary and Script Behaviors are disabled by default in the Internet zone.

One workaround:

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note The following steps require Administrative privileges. It is recommended that the system be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround however; the recommendation is to restart the system.

To un-register Vgx.dll, follow these steps:

� Click Start, click Run, type

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

and then click OK.

� A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.

To undo this change, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with

regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Full Microsoft advisory is here.

Continue reading " Microsoft advisory published on VML zero day exploit" »

Posted by Wiz at 2:27 PM | Permalink

Computer code that could be used to hijack Windows PCs via a yet-to-be-patched Internet Explorer flaw has been posted on the Net, experts have warned.

"Microsoft's initial investigation reveals that this exploit code could allow an attacker to execute memory corruption," the representative said. As a workaround to protect against potential attacks, Microsoft suggests Windows users disable ActiveX and active scripting controls.

The flaw is due to an error in an ActiveX control related to multimedia features and could be exploited by viewing a rigged Web page, Symantec said in an alert sent to users of its DeepSight security intelligence service Thursday. An attacker could commandeer a Windows PC or cause IE to crash, the security company said.

IE versions 5.01 and 6 on all current versions of Windows are affected, the French Security Incident Response Team, or FrSIRT, a security-monitoring company, said in an alert Wednesday. FrSIRT deems the issue "critical," its most serious rating.

Miscreants are using an unpatched security bug in Internet Explorer to install malicious software from rigged Web sites, experts warned Tuesday.

The vulnerability lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a Web site or an e-mail message, several security companies said.

"Fully patched Internet Explorer browsers are vulnerable," Ken Dunham, director of the rapid response team at VeriSign's iDefense, said in an e-mailed statement. "This new zero-day attack is trivial to reproduce and has great potential for widespread Web-based attacks in the near future."

Security-monitoring companies Secunia and the French Security Incident Response Team have given the issue their most serious ratings.

Shady adult Web sites are among the first to exploit the IE vulnerability, Eric Sites, vice president of research and development at spyware specialist Sunbelt Software, wrote on a corporate blog. In one case, a malicious Web site used the exploit to install "epic loads of adware," according to Sunbelt.

Microsoft plans to fix the flaw as part of its monthly patching cycle on Oct. 10, the software giant said in a security advisory. The update might be released sooner, "depending on customer needs," Microsoft said. Typically, Microsoft only breaks its patch cycle when attacks are widespread.
========================================

If there was ever a good time to switch to browsing with the Firefox browser, it is now. Also read my posts about running with limited user privileges to protect your computer against all these threats.

Posted by Wiz at 11:10 PM | Permalink

Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.

On August 8, 2006, Microsoft released a dozen patches and fixes for Windows and Office products. One of those patches, MS06-040, fixes a vulnerability in the Windows Server Service, as follows:

Buffer Overrun in Server Service Vulnerability:

There is a remote code execution vulnerability in Server Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

That service is normally found and running on computers running Windows 2000, XP Home and Pro (32 and 64 bit), and Server 2003. If you don't apply the patch either via Windows Updates or by downloading from the aforementioned MS page, and you are not behind a firewall that blocks incoming unsolicited TCP traffic, your computer(s) will be at severe risk of being taken over by hackers or criminals, who will use them for their own nefarious purposes.

This vulnerability and the anticipated attacks to come any day now are similar to the infamous MSBlaster Worm attack of August 11, 2004. People who ignored the advise to apply Windows Updates in July 2004 and were not behind good firewalls had their computers invaded by the MSBlast Worm and many found them rebooting within 60 seconds after entering the Windows desktop (due to a RPC Buffer Overflow condition). The Blaster Worm spread from computer to computer over TCP, the protocol which computers use to communicate over the Internet. This new Server Service vulnerability is also attacked via TCP traffic directed to incoming TCP Ports 139 and 445.

If you haven't already received automatic Windows Updates go the the Windows Update website, using Internet Explorer, and download/install the available updates. If you are unable to obtain Windows Updates because your copy of Windows is pirated, or not legally licensed, at least get yourself behind a firewall as soon as possible. Windows XP has one built in that will stop incoming attacks. ZoneLabs ZoneAlarm is an excellent firewall, available in free and paid versions, and Sunbelt makes the free and paid Sunbelt-Kerio Personal Firewall.

I personally prefer the ZoneAlarm Firewall. Zone Labs offers a complete range of firewall products, from the free ZoneAlarm, to the comprehensive protection of ZoneAlarm Plus, to the ultimate privacy and security tools in ZoneAlarm Pro. Use this link to help you to choose which version of ZoneAlarm is best for you.

If you are on a LAN behind a hardware router/firewall you are protected against unsolicited incoming TCP attacks, but not outgoing, phone-home threats that might sneak onto your computer. Do yourself a favor and get a sotware firewall installed onto all of your computers, whether or not they are behind a router. Routers have vulnerabilites also, some of which are being actively exploited right now. Without a software firewall you may be completely at the mercy of criminal attackers who want to add your computers to their BotNets. They will then use your computer to launch DDoS attacks or for use as spam relays.

I have created a webpage all about firewalls and TCP attacks, at: http://www.wizcrafts.net/ans/firewalls.html which is a child of my FAQs page.

Windows Live OneCare

Microsoft offers Windows Live OneCare, an automatically self-updating PC care service that runs quietly in the background. It helps provide persistent protection against viruses, hackers, and other threats, and helps keep your PC tuned up and your important documents backed up. For more details, see Windows Live OneCare at www.windowsonecare.com.

Details about activating the Windows XP firewall are in my extended comments --->

Continue reading "Vulnerability in Microsoft Windows Exposes XP/2000 Computers to Worm Attacks - Again" »

Posted by Wiz at 2:12 PM | Permalink

Source: http://www.pcworld.com/resource/article/0,aid,126307,pg,1,RSS,RSS,00.asp

W32.Cuebot-K spreads via through AIM and disguises itself as Windows
Genuine Advantage on infected PCs.

Security analysts have detected a new piece of malware that appears to run
as a Microsoft program used to detect unlicensed versions of its operating
system.

The malware has been classified as a worm and spreads through AOL's
Instant Messenger program, said Graham Cluley, senior technology
consultant for Sophos PLC, a security vendor.

Continue reading "Worm Masquerades as Microsoft Antipiracy Program" »

Posted by Wiz at 12:56 PM | Permalink

Here are two reports about unpatched Excel flaws from Secunia.

1: Microsoft Excel Repair Mode Code Execution Vulnerability
http://secunia.com/advisories/20686/

Secunia Advisory: SA20686
Advisory Release Date: 2006-06-16
Last Update: 2006-06-20

Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround

Software:
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel Viewer 2003
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP

CVE reference: CVE-2006-3059

Description:
A vulnerability has been discovered in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a memory corruption error in the "repair mode" functionality used for repairing corrupted documents. This can be exploited via a specially crafted Excel documents.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected.

NOTE: This vulnerability is a so-called 0-day and is already being actively exploited.

Solution:
Don't open untrusted Excel documents.

The vendor has published various workarounds (see vendor advisory).

Provided and/or discovered by:
Discovered in the wild.

Changelog:
2006-06-20: Added additional information from Microsoft. Added CVE reference. Updated "Solution" section by referring to vendor workarounds.

Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/921365.mspx http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx

Secunia Advisory: SA20748
Advisory Release Date: 2006-06-20
Last Update: 2006-06-22

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-3086

Description:
kcope has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully patched Windows XP SP2 system running Microsoft Excel 2003 SP2. Other versions and products using the vulnerable library may also be affected.

Solution:
Do not open untrusted Microsoft Office documents.

Do not follow links in Microsoft Office documents.

Provided and/or discovered by: kcope

Changelog:
2006-06-22: Added CVE reference. Added link to US-CERT vulnerability note. Added various Windows versions as vulnerable instead of Office products.

Original Advisory:
Microsoft: http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx

Other References:
US-CERT VU#394444: http://www.kb.cert.org/vuls/id/394444

Microsoft has offered some workarounds, which I have listed on this blog page.

Also, see this Microsoft Advisory for the latest information and workarounds.

Posted by Wiz at 12:58 PM | Permalink

Microsoft Security Advisory (921365)
- Title: Vulnerability in Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/921365.mspx
- Revision Note: Advisory Published: June 19, 2006

Microsoft is investigating new public reports of limited �zero-day� attacks using a vulnerability in Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. In order for this attack to be carried out, a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker.

Opening the Excel document out of email will prompt the user to be careful about opening the attachment.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit this vulnerability.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Workarounds listed in extended comments >>>

Continue reading "Workarounds for Excel 'Zero-Day' Flaw" »

Posted by Wiz at 9:50 AM | Permalink

May 22, 2006: Malware writers have created a new worm that installs a new browser and plays screeching music.

The trouble starts with a link apparently sent by a friend in Yahoo's instant messaging program.

Instant messaging security company FaceTime Communications Inc. described the malware, which it called yhoo32.explr, as "insidious" in a security advisory Friday.

When the link is clicked, a worm installs the so-called Safety Browser, a program that leads the user to pages mined with adware and viruses, FaceTime said. The Safety Browser uses an Internet Explorer logo to make it look more legitimate.

Malware spread through instant messaging programs is on the rise. However, FaceTime said this malware appeared to be the first to install a browser without the user's permission.

The bug also hijacks Internet Explorer's home page, directing users to the Safety Browser's Web site.

After it is launched, the worm sends itself to others on the user's instant messaging contact list.

The malware is engineered to overwrite instant messages typed by a user, FaceTime said. The infected message can also be changed on the fly, it noted.

The screeching music, however, is blocked by Microsoft Corp.'s Windows XP Service Pack 2, FaceTime said.

Posted by Wiz at 3:46 PM | Permalink

May 19, 2006
Antivirus companies and the SANS Internet Storm Center (ISC) issued a warning today about sophisticated e-mail attacks that are using a previously unknown hole in Microsoft Word 2003 to infiltrate corporate networks. Symantec raised its Internet threat rating, citing confirmation that attacks using an unknown hole in Microsoft Word are being used to compromise computers on the Internet.

Symantec warned subscribers to its DeepSight Threat Management Service that it had confirmed reports of active exploitation of a hole in Microsoft Word 2003. The attacks use Word document attachments in e-mail messages to trigger the security hole and run code that gives attackers control over vulnerable systems, Symantec said.

Currently, these attacks are coming from China and Taiwan and most are in Chinese but some are showing up in English. All are being targeted at corporate networks at this time, but that may change in the near future. Corporations typically transfer Word documents between departments and divisions, so their employees are not averse to opening .doc attachments.

Microsoft Word and other Office applications are a good target, because they are seen everywhere on corporate computers, and because companies often patch them far less frequently than the Windows operating system itself. It is for this reason the Microsoft introduced Microsoft Update Service (MUS). When you login to the Windows Updates on a Windows 2000 or XP machine you will see a link to try Microsoft Updates. I recommend that if you have Office products on that computer you should install ("Try It") the Microsoft Update Service. It will audit your computer for all Microsoft products that are installed and will make patches available as critical patches, just like it does with Windows Updates.

A word of warning, if your copy of Office is unlicensed or pirated they will eventually find out and deny any further downloads until you obtain a vaild license.

NOTE: In order to exploit this flaw in MS Word the user must be logged on with Administrator level privileges. People who log on and operate as Limited Users are immune to this vulnerability. This applies to spyware and virus acquisions as well. Virtually every known type of malware requires Administrator privileges to infect a PC. By simply running your daily browsing and email activities as a Limited User you mitigate the possibility that you will unknowingly acquire a malware infection from being online.

Caution still must be exercised because it is possible for downloaded viruses and malware to become active if you logon to an administrative account and inadvertantly allow them, or be tricked into allowing them to be installed.

Continue reading "E-mail attacks target unpatched Word hole" »

Posted by Wiz at 1:47 PM | Permalink

The new version of Quicktime, v. 7.1, is available for both Microsoft Windows and Mac systems, and is downloadable here. Apple said the older versions contain security holes that attackers could use to break into both Windows and Mac machines running the software.

On May 11 Apple Computers released a patched version of it's Quicktime media player, fixing vulnerabilities affecting both the Mac and Windows versions of the player. A total of 43 serious flaws were patched with the release of Quicktime 7.1 (read about them in the extended comments). The company's Security Update 2006-003 patches 31 flaws in the Mac OS X, most of them serious enough to cause "arbitrary code execution attacks." Quicktime security release 7.1 also corrects 12 code execution and denial-of-service flaws.

The QuickTime bugs can allow a malicious hacker to launch successful attacks using different vectors; a specially crafted JPEG image; rigged QuickTime movies; specially created Flash, MPEG4 or H.264 movies; or maliciously crafted FlashPiX or BMP images.

The Mac OS X update also fixes code execution vulnerabilities in AppKit, ImageIO, BOM, CFNetwork, ClamAV, CoreFoundation, Finder, FTPServer, FlashPlayer, LaunchServices, libcurl, Preview, QuickDraw and QuickTime Streaming Server.

If you are looking for the Standalone version of QuickTime that does not include Apple iTunes you can download the newest version (with this latest security patch included) from this Apple link.

Continue reading "Serious New Flaws in Apple Quicktime | 7.1 Patch Details" »

Posted by Wiz at 10:19 PM | Permalink