WinZip Computing released WinZip 11.2 SR-1 on September 25 with a critical update to all installations of WinZip 11. The release addresses a security vulnerability that exists in one of the modules shipped with WinZip 11. This component is not a WinZip module but rather a Microsoft module that WinZip Computing shipped for the convenience of our Windows 2000 customers.
Distribution files for WinZip versions 11.1 and 11.2 included an earlier gdiplus.dll which was placed in the WinZip program folder for Windows 2000 systems only. Other operating systems are not affected by these installations. Upgrading to WinZip 11.2 SR-1 or WinZip 12.0 on Windows 2000 systems will replace the earlier gdiplus.dll with a newer version that is not subject to the security vulnerability.
Versions of WinZip prior to 11.0 (10.0 or earlier) are not affected by this security vulnerability. Upgrading to WinZip 11.2 SR-1 (Build 8261) or WinZip 12.0 will remove the earlier gdiplus.dll from the WinZip program folder on Windows XP or Vista systems. On Windows XP or Vista, it is possible to delete the file from the WinZip folder (if it exists).
WinZip 11.2 SR-1 can be downloaded and installed over an existing WinZip 11 installation. In order to preserve your existing WinZip registration information, do not uninstall your current WinZip 11 before installing this new version of WinZip 11.
Users should review the WinZip 11.2 SR-1 release notes and apply any necessary updates to help mitigate the risks.
Security researchers from F-Secure have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date. The AutoRun-NOX worm extends the standard VXer trick of using software vulnerabilities to infect systems, by including functionality that allows the worm to exploit Windows security bugs to hook into parts of the Windows system that operate below the radar of anti-virus packages.
Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode. Typically, a special driver is used to do this. Worm.Win32.AutoRun.nox has a payload that restores the original function pointers back to the kernel’s System Service Table (SST). The usual motivation for malware to do this is to remove any SST hooks installed by security software or other malware that might affect its successful operation.
As noted, normally a special driver or the physical memory device is used to get access to kernel-mode memory to restore the pointers. AutoRun.nox is different — it uses the “GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)” to do the job. For malware, it is rather unusual to see such a technique being used.
The worm uses a long-standing Windows vulnerability, patched by Microsoft in April 2007, involving a GDI privilege elevation flaw. If the attack using the vulnerability fails, the worm falls back to plan B - using the more common (but less elegant) driver method.
After remapping the memory, the malware will initialize a CPalette object. It will then search for the palette object in the shared kernel memory structure. Since the memory is now writable, it can be altered to include a pointer to a special function that will remove any existing SST hooks. Finally, a call to GetNearestPaletteIndex will indirectly cause the function to be executed. Afterwards, the palette object is restored leaving no trace of the attack.
If attacking this vulnerability fails, the worm goes back to the tried-and-true “special driver” method. The driver is detected by F-Secure as Rootkit:W32/Agent.UG. Either way, if the attack is successful, the machine is compromised as the attacker can access the kernel and execute code, or cause a denial of service. This attack will only work on unpatched machines running without the latest updates. Microsoft ranks this vulnerability as Important and recommends that users apply the update immediately.
In a breach notification letter sent to the New Hampshire State Attorney General, PSS World Medical states that the company “recently became aware of an incident involving unauthorized access” to the company’s career board website. The unauthorized access resulted in the exposure of personal information belonging to job applicants and others who may have posted their information on the site. No additional details were disclosed by PSS World Medical.
The event may have resulted in unauthorized access to certain personal information such as name, address, date of birth, driver’s license number and Social Security number of certain individuals who posted their information to the career board website. While personal information may have been accessed, there is no evidence that any information has been obtained or misused.
Concerned users can call toll-free at (866) 371-2502, Monday through Friday, between 9:00 AM and 5:00 PM Eastern. Free credit monitoring will be provided to the affected persons, although it is not clear for how long.
Washington state’s top law enforcement official has filed suit against a man accused of bombarding end users with misleading messages designed to trick them into buying software to fix PC problems that don’t exist.
The complaint, filed in Washington state court by Attorney General Rob McKenna’s office, names James Reed McCreary IV of The Woodlands, Texas, and two of his companies, Branch Software and Alpha Red. They stand accused of pushing a software package called Registry Cleaner XP by sending end users messages falsely claiming their PCs have corrupted or damaged registry settings that must be repaired immediately. The software sells for $40.
In many cases, the warnings are delivered using Windows Messenger Service, a network administration utility for delivering system-wide messages to end users. The popup windows claim to be generated by the “Local System” and warn of a “critical error” related to the end user’s registry. The messages were directed to a wide swath of internet protocol addresses, and in many cases were sent over and over, causing hundreds of windows to open that the user has to close individually.
The prevalence of so-called scareware has reached epidemic proportions. Programs frequently mimic real security features within the Windows operating system to fool people into believing their PC has been infected with malware. In many cases, it’s just about impossible to remove the software once it’s been installed.
“Through alarmist language seemingly delivered by a trusted source, defendants misrepresent the extent to which installing the software is necessary for repair of the computer for proper operation,” the complaint argues. The error messages, which appear on machines free of any problems, “induces the consumers to purchase defendants’ product, which must be used in order to ‘repair’ the ‘errors.’”
Microsoft referred the case to McKenna’s office and has been helpful in assisting the AG’s consumer protection high-tech unit to enforce laws against scareware mongers. Over the past three years, Microsoft has brought 17 lawsuits under Washington’s Computer Spyware Act and the state’s attorney general has filed seven.
A number listed as belonging to McCreary had been disconnected. No one answered a phone number listed in a WHOIS record as belonging to Branch Software.
The Los Alamos National Laboratory (LANL), the world’s most sensitive and sophisticated research institution, is marred by cybersecurity weaknesses that compromise the way information on its unclassified network is protected. The venerable LANL was ground zero for the Manhattan Project and also the birthplace of the hydrogen bomb.
According to an audit by the US Government Accountability Office (GAO), the New Mexico-based LANL recently began implementing measures to shore up information security. But vulnerabilities remain on its unclassified network, which contains sensitive information involving controlled nukes, export control, and personal details of lab employees. Physical security was also found to be lacking at the facility, one of only three US National Nuclear Security Administration (NNSA) labs.
“A successful physical or cyber attack on NNSA sites containing nuclear weapons, the material used in nuclear weapons, or information pertaining to the people who design and maintain the US nuclear deterrent could have devastating consequences for this site, its surrounding communities, and the nation’s security,” the report (PDF) warns. “Because of these risks, NNSA sites need effective physical and cyber security programs.”
This isn’t the first time security at LANL has been found to be lacking. In 2006, a drug raid on a private residence uncovered classified documents and information that had been improperly removed from the lab by a contract employee. An investigation into the incident later revealed a “serious breakdown in core laboratory physical and cyber security controls” contributed to the breach.
A security evaluation earlier this year by investigators from the Department of Energy concluded there were “significant weaknesses” in LANL’s security program. The recent report issued 52 recommendations for improvement. Among other things, they are aimed at “ensuring that LANL’s risk assessment for its unclassified network evaluates all known vulnerabilities and is revised periodically.”
Last week’s GAO report identified several critical areas inside LANL where physical and cyber security were flawed. They included the identifying and authenticating of users, the encryption of sensitive information and the monitoring and auditing of compliance with established security policies. The GAO also faulted policies for granting access to LANL’s unclassified network by foreign nationals, some from countries considered “sensitive.”
A breach at Sonoma State University exposed about 600 former computer science students whose Social Security numbers were stored on an internal department Web server. Though acknowledging the risk of identity theft, university officials said they were not aware of any criminal or inappropriate activity linked to the slip-up, which was discovered Sept. 2.
A former student accessed the roster of names and Social Security numbers through a networking site opened about six months earlier for people previously enrolled in computer science classes, SSU spokeswoman Susan Kashak said.
The Web site was closed to anyone but certain students, and the roster, though stored on the department server, was not directly linked to the site, university officials said.
The student apparently found the data using a Web crawler to search for odds and ends, they said. “Somehow that data inadvertently got accessible from the Web page,” officials said. “There were no links to it so you would ‘Click here to a list of alums’ or anything like that.”
There were no indications anyone else saw the list or accessed the data for ulterior purposes. It was expunged as soon as the student who found it brought it to officials’ attention.
The file contained only names and Social Security numbers, so no other personal, confidential information was compromised, officials said. Affected students have nonetheless been advised to check their credit reports to make sure their information is not being used.
The security breach pales compared with a 2005 episode in which hackers gained access to seven campus workstations, exposing the names and Social Security numbers of 61,709 people who had applied to, attended or graduated from SSU from 1995 to 2002, the university said. Faculty data from 1999 to 2005 also was compromised in the hacking incident, though it did not appear any of the personal information was accessed or abused.
The Social Security numbers at issue this fall were improperly stored on a department server outside the management of SSU’s central information technology system and kept against university policy. Current rules prevent anyone on campus from having computer files with Social Security numbers absent specific permission. They used to be used to identify students before student identification numbers came into use, however.
A recent assessment of SSU’s information systems called for improved oversight of the independently managed computers and servers such as that containing the compromised data.
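The roster was found by a crawler because it sat in a web-served directory, not because anything linked to it. The oversight the assessment calls for can be partly automated: periodically scan the document roots of independently managed servers for files that look like they hold Social Security numbers. The script below is an added example, not code from the article or from Sonoma State University; the directory tree it scans is constructed inline in a temporary folder so it runs offline, and the file names and numbers in it are invented.

```python
"""Scan a web document root for files that appear to contain Social Security
numbers (added example; the sample tree and its contents are constructed)."""
import os
import re
import tempfile

# Formatted SSN: AAA-GG-SSSS, rejecting area numbers 000, 666 and 900-999,
# group 00 and serial 0000 (all invalid), and requiring no adjacent digits so
# that longer numbers such as "1234-56-7890" are not cut into a false match.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def scan_tree(root, min_hits=1):
    """Walk `root` and return {relative_path: hit_count} for every file whose
    text contains at least `min_hits` SSN-shaped strings."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                # Binary files are read too; errors="ignore" keeps them harmless.
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = SSN_RE.findall(text)
            if len(hits) >= min_hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = len(hits)
    return findings


def build_sample_tree():
    """Construct a small document root with an unlinked roster, as in the
    incident described above. All names and numbers are invented."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "data"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body>Alumni page. No link to the roster.</body></html>\n")
    with open(os.path.join(root, "data", "roster.csv"), "w", encoding="utf-8") as fh:
        fh.write("name,ssn\nA Student,123-45-6789\nB Student,321-54-9876\n")
    with open(os.path.join(root, "data", "contact.txt"), "w", encoding="utf-8") as fh:
        # A phone number and an order id: neither should be reported.
        fh.write("call 707-664-2000 or quote order 1234-56-7890\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, count in sorted(scan_tree(sample_root).items()):
        print(f"{count:4d} SSN-like values in {rel_path}")
```

Run against a real document root, this reports only the files that warrant a look; the regex is deliberately strict about adjacent digits and invalid area/group/serial values to keep phone numbers and order ids out of the report, at the cost of missing unformatted nine-digit numbers, which would need a separate, noisier pass.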
A next-generation VoIP sniffer was released on Saturday at Toorcon in San Diego by Jason Ostrom of VoIP Hopper. The tool, which could be used for attacks, should help raise awareness of the type of vulnerabilities businesses face as they adopt unified communications (UC) technology.
According to Jason, the tool, UCSniff, has two settings. One is a learning mode, sniffing all the IP traffic and then mapping telephone extensions to specific addresses. By default, it captures all the calls and saves them to wave files.
The other setting is targeting conversations. After learning the IP addresses of the phone system, someone using UCSniff can listen to all the VoIP, or voice over Internet Protocol, conversations made by a specific user, say the CEO. That’s user mode. A second mode, conversation mode, allows someone to monitor calls made exclusively between two extensions, say only when the CEO calls the CFO.
“So it’s like dynamic ARP poisoning,” Ostrom explained, referring to Address Resolution Protocol spoofing. “The tool, on the fly, figures out how to do the ARP poisoning for you so you’re not intercepting the traffic of phones that you do not want to intercept.”
The flaw, if any, is within the structure of the system and not specific to any platform, such as that of Cisco Systems. Combined with two other tools, UCSniff can allow one to create a man-in-the-middle attack on VoIP networks in an enterprise.
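The ARP poisoning Ostrom describes leaves a footprint that a network monitor can see: a phone's IP address suddenly resolving to a different MAC, and one MAC answering for several IPs (the interceptor claiming to be both ends of the call). The detector below is an added example, not code from the article or from the UCSniff project; it works on a constructed list of ARP reply records rather than a live capture, and the addresses in it are invented.

```python
"""Flag ARP replies that look like cache poisoning (added example; the reply
records are constructed, not captured)."""
from collections import defaultdict


def analyze_arp_replies(replies, trusted=None):
    """Return a list of (alert_type, detail) tuples.

    `replies` is an iterable of dicts with "sender_ip" and "sender_mac",
    in the order they were seen. `trusted` optionally seeds the IP->MAC
    table, mirroring what a learning pass over clean traffic would record.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    already_flagged = set()  # MACs already reported for multi-IP claims
    alerts = []
    for reply in replies:
        ip, mac = reply["sender_ip"], reply["sender_mac"].lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # The address of a known host is being re-pointed at another NIC.
            alerts.append(("mac_change", f"{ip}: {previous} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in already_flagged:
            # One NIC answering for several hosts is the man-in-the-middle shape.
            already_flagged.add(mac)
            alerts.append(("mac_claims_multiple_ips",
                           f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


# Constructed sample: two phones exchange legitimate replies, then a third
# host re-announces both of their IPs with its own MAC.
SAMPLE_REPLIES = [
    {"sender_ip": "10.0.0.11", "sender_mac": "AA:AA:AA:AA:AA:01"},
    {"sender_ip": "10.0.0.12", "sender_mac": "AA:AA:AA:AA:AA:02"},
    {"sender_ip": "10.0.0.11", "sender_mac": "CC:CC:CC:CC:CC:FF"},
    {"sender_ip": "10.0.0.12", "sender_mac": "CC:CC:CC:CC:CC:FF"},
]


def demo():
    """Run the detector over the constructed sample and return its alerts."""
    return analyze_arp_replies(SAMPLE_REPLIES)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:26s} {detail}")
```

Feeding it real traffic means parsing ARP frames from a capture into the same two fields; the logic does not change. The first alert type fires on any remapping, including legitimate ones such as a replaced phone, so it is best treated as a signal to correlate with the second, which is much harder to trigger innocently.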
Some of the pieces are already available on the Internet. However, UCSniff “brings together what is lacking, what is needed to be the most effective and secure VoIP security assessment tool available.”
Mozilla released Firefox 3.0.3 with a fix for a problem where users were unable to retrieve saved passwords or save new passwords. For some users, ever since upgrading, the new Firefox did not remember passwords or ask whether passwords should be saved, even with preferences set to “Remember passwords for sites” and without exceptions in the “exceptions” box. It happened for every site that requires a password.
Just a day after it released Firefox 3.0.2 to fix 11 vulnerabilities, Mozilla Corp. said that an overlooked password bug requires a fast-track update it hopes to launch next week. Late Wednesday, Mike Beltzner, Mozilla’s director of Firefox, said that the bug, which prevents some users from accessing their browser-saved passwords, means another update is necessary. “While this doesn’t affect all Firefox users, it is a significant regression and has triggered a fast-release Firefox 3.0.3 which will contain a single fix,” Beltzner said in a message to the mozilla.dev.planning group.
The bug popped up in Firefox 3.0.2, which Mozilla released Tuesday, after developers added a fix to make the browser’s password manager work on international domain name (IDN) sites. IDN sites are those that have non-ASCII characters in their URLs, such as addresses with Arabic, Hebrew or Chinese characters, or ones with non-English diacritical marks.
According to Beltzner, users who have saved passwords on IDN sites or some non-English domains will be unable to access those passwords or save any new passwords after updating to Firefox 3.0.2. “There is no permanent data loss, the saved data is just inaccessible,” Beltzner noted.
A fix for the password regression bug is already available through Firefox’s update mechanism.
Researchers are beginning to raise an alarm for what looks like a new browser security threat that affects all major desktop platforms: Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.
The two researchers behind the discovery are Robert Hansen and Jeremiah Grossman who have released droplets of information to highlight the severity of this issue.
The issue with clickjacking has nothing to do with JavaScript. When a user visits a malicious website, the attacker is able to take control of the links that the browser visits. It’s a fundamental flaw with the way browsers work and cannot be fixed with a simple patch. With this exploit, a malicious web page can make visitors click on any link, any button, or anything on the page without the user’s permission and even without the user seeing it happen. The average end user would have no idea what’s going on during a Clickjack attack.
For example, eBay would be vulnerable to this since it is possible to embed JavaScript into the web page, although JavaScript is not required to exploit this. The exploit requires DHTML, and forbidding frames (using framebusting code) will prevent cross-domain clickjacking, but an attacker can still force users to click any links on their own page. Each click by the user equals a clickjacking click, so something like a Flash game is perfect bait.
According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment. The latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.
In the meantime, one workaround is to disable browser scripting and plugins. Another is to use the NoScript add-on for Firefox. In its default configuration it can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous). For 100% protection by NoScript, one must check the “Forbid <IFRAME>” option under “Plugins”.
A security hole in Adobe Systems Inc software, used to distribute movies and TV shows over the Internet, is giving users free access to record and copy from Amazon.com Inc’s video streaming service. The flaw rests in Adobe’s Flash video servers that are connected to the company’s players installed in nearly all of the world’s Web-connected computers.
The problem exposes online video content to the rampant piracy that plagued the music industry during the Napster era and is undermining efforts by retailers, movie studios and television networks to cash in on a huge Web audience. “It’s a fundamental flaw in the Adobe design. This was designed stupidly,” said Bruce Schneier, a security expert who is also the chief security technology officer at British Telecom.
The software doesn’t encrypt online content, but only orders sent to a video player such as start and stop play. To boost download speeds, Adobe dropped a stringent security feature that protects the connection between the Adobe software and its players.
The free demo version of Replay Media Catcher allows anyone to watch 75 percent of anything recorded and 100 percent of YouTube videos. For $39, a user can watch everything recorded. Tvadfree.com explains step-by-step how to use the video stream catching software.
Amazon.com’s Adobe-powered Video On Demand service allows viewers to watch the first two minutes of a movie or TV show for free. It charges up to $3.99 to rent a movie for 24 hours and up to $14.99 to download a movie permanently. Amazon starts to stream the entire movie during the free preview — even though it pauses the video on the Web browser after the first two minutes — so that users can start watching the rest of the video right away once they pay. However, even if a user doesn’t pay, the stream still sends the movie to the video catching software, but not the browser.
Amazon’s Video On Demand is the Web retailer’s answer to declining sales of packaged movies and TV shows and the growth in demand for digital content that can be viewed and stored on the Internet.
One possible solution would be to protect the video with a digital rights management (DRM) system. A Seattle-based company called Widevine Technologies has a DRM system that can encrypt online videos using Flash.
Adobe said it issued a security bulletin earlier this month about how best to protect online content and called on its customers to couple its software security with a feature that verifies the validity of its video player.
An Amazon spokesman said content on the company’s Video On Demand service, which offers as many as 40,000 movies and TV shows on its Web site, cannot be pirated using video stream catching software.
Credit: Reuters@Yahoo News