A new Microsoft Internet Explorer 6 vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. Proof-of-concept code for this vulnerability is already available. The vulnerability could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 and Firefox do not appear to be affected by this issue.
The vulnerability is caused by an input validation error when handling the “location” or “location.href” property of a window object. It was first published two days ago in an article in the Chinese security e-zine pstzine. The issue is very similar to the “Ghost Page” issues in IE, which were originally raised by security researchers Manuel Caballero and Fukami at Microsoft BlueHat 2008.
Until a patch is available, IE6 users should disable scripting in the browser. Another option is to upgrade to Microsoft Internet Explorer 7 or to use an alternative browser to help mitigate the risk.
Microsoft has released Security Advisory (953818) to address reports of a blended threat that affects Windows users who have installed Apple’s Safari web browser. According to the advisory, by convincing a user to visit a specially crafted website, an attacker may be able to execute arbitrary code on an affected system due to Safari’s default file downloading behavior and the way that Windows Internet Explorer handles the downloaded files.
Nitesh Dhanjani disclosed in the middle of last month a vulnerability in Safari (and the way it interacts with Windows and OS X) that allows a remote malicious site to download several files, without the user noticing, into the user’s default download folder (Desktop on Windows and Downloads on OS X). The attack has been dubbed carpet bombing because of its potential to plant multiple malicious files that can in turn litter the user’s PC with attacker-chosen content.
The security researcher has been able to show that Safari doesn’t ask for user permission when downloading resources. He set up a sample malicious web site that served malicious iframes. He accessed the site using Safari and found that the browser automatically downloads the files multiple times (hence, carpet bombing), storing copies in the folders mentioned above without first waiting for user confirmation or showing a dialog box informing the user of what is happening. The report includes a screenshot of the potential damage the automatic download action can cause.
Apple is treating the report not as a security issue but as a feature request, and plans an enhancement to prevent unwanted downloads.
Microsoft recommends that users avoid using Safari until researchers have looked into the browser and until appropriate updates are provided by either Microsoft or Apple. Users are encouraged to change the download location for files by editing user preferences in Safari.
According to Techworld, an analysis from the Australian company PC Tools, based on data from its ThreatFire product, reveals that Vista is almost as vulnerable as its predecessors. The ThreatFire user base shows that 58,000 PCs running Vista were compromised by at least one piece of malware over the six months to May 2008, equivalent to 27% of all Vista machines probed. Vista made up 12.6% of the 1,513,502 machines running Windows in the user base.
In total, Vista suffered 121,380 instances of malware from its 190,000 machines. That per-system detection rate (about 0.64 per machine) is lower than XP’s, which saw 1,319,144 malware infections from a user base of 1,297,828 machines (about 1.02 per machine), but it indicates a problem that is worse than Microsoft has been admitting to.
Just one week ago, PC Tools revealed that Vista was as likely to be hit with software vulnerabilities as Windows 2000, a claim that was denied by a Microsoft staffer in a blog post. As PC Tools makes clear, that malware was detected did not mean harm had been done, simply that Vista’s own security had in some way been circumvented to the degree that its ThreatFire tool stepped in.
PC Tools notes that all systems in the research pool were at the very least running PC Tools’ ThreatFire and that, because the technology is behavior-based, the data refers to threats that actually executed and triggered behavioral detection on the client machine. In response to alternative research from Microsoft’s Malicious Software Removal Tool, PC Tools highlights that the MSRT is not a comprehensive anti-virus scanner, but a malware removal tool for a limited range of “specific, prevalent malicious software”.
PC Tools also publicized details of some of the malware types it has found on Vista systems during its scans, including three pages of variants based on Trojan.Agent, a few of which were described as serious.
Microsoft released four fixes on Tuesday to close a half dozen security holes, including a vulnerability in the Microsoft Jet database which is currently being exploited by attackers. The most serious of them is a bug in Microsoft’s Jet Database Engine, a component built into Windows XP, Windows Server 2003 and Windows 2000 that works with Visual Basic, Access and multiple third-party applications. Attack code for the vulnerability went public in November, and it is actively being exploited in the wild.
The security vulnerabilities affect various Microsoft Office products, the Jet database engine, and Microsoft’s Malware Protection Engine. Among the most critical flaws, the Microsoft Jet database engine vulnerability allows an attacker to execute code by accessing a database file through Microsoft Word. The company patched both the Jet database flaw and the Word flaw.
Vulnerabilities of the type Microsoft is patching today have been a favorite attack method among attackers, especially in stealthy attacks that seek to steal high-value intellectual property. Trojan horse attacks often use rigged Office files that exploit vulnerabilities in the productivity suite.
Microsoft patched two vulnerabilities in Microsoft Word, including one issue that could be exploited through the Outlook e-mail client, because Outlook uses a component of Word to display rich text format (RTF) and web (HTML) files in the preview pane. Attacks against Microsoft Office have jumped over the past two years, though on all but the oldest versions of Office most exploits still require some user interaction, such as clicking “OK” in a dialog box.
Microsoft also remedied an issue in the way that its Malware Protection Engine handles file scanning. Malware Protection Engine is used in Windows Live OneCare service and Microsoft Forefront and Antigen products. A specially crafted file could be used to lock up the program or to keep the program from working on incoming files, the company stated in its bulletin.
Microsoft has released Service Pack 3 for Windows XP. Service Pack 3 includes multiple Hotfixes and security updates and is available through Automatic Updates and Windows Update. Users should note that Windows XP SP3 does not include Internet Explorer 7, however it does include updates to both IE 6 and IE 7, and will update whichever version is currently installed.
Users updating to Windows XP Service Pack 3 (SP3) won’t be able to downgrade from Internet Explorer 7 to the older IE6 without uninstalling the service pack. The warning first appeared in a blog written by the Internet Explorer development team. If you choose to install XP SP3, Internet Explorer 7 will remain on your system after the install is complete. Your preferences will be retained. However, you will no longer be able to uninstall IE7. If you go to Control Panel, Add/Remove Programs, the Remove option will be grayed out.
Users who want to retain the ability to downgrade from IE7 to IE6 should uninstall the former before upgrading to XP SP3. Once Windows XP has been updated to SP3, users can then install IE7. That process allows for reverting to IE6 in the future. If Windows XP SP3 has already been installed, the only way to return to IE6 is to first uninstall the service pack. At that point, IE6 can be restored on a PC that’s been updated to IE7.
Users can review the release notes for Service Pack 3 for Windows XP at http://support.microsoft.com/kb/936929 and apply any necessary updates.
Sunbelt issued a warning for several sites whose names are spelled to closely resemble real Microsoft-owned websites. These URLs could be used in future phishing or targeted attacks, as they closely mimic genuine Microsoft naming conventions.
The recent Windows XP SP3 news buzz probably gave attackers the idea of tricking users into installing “necessary updates” or even the “latest Service Pack 3”, which are nothing but information-stealing trojans if you choose to install them from those fake domains. Worse still, your PC might also become part of some notorious botnet.
Most of the domain names use a pluralised brand name (e.g., microsofts or microsoftes). Please do not attempt to visit these sites, as malware could be automatically and silently installed on vulnerable PCs.
A list of fake Microsoft looking domains and their IP addresses:
70.84.192.228 freeadobes.com
70.84.192.228 updates-microsofts.com
70.84.192.236 free-microsofts.com
70.84.192.236 registry-great.com
70.84.192.236 registrygreat.com
70.84.192.236 registrygreat.net
70.84.192.229 updates-xp.com
70.84.192.229 updatemicrosofts.com
70.84.192.230 microsofts-updates.com
70.84.192.230 updates-all.com
70.84.192.230 updates-microsofts.net
70.84.192.230 update-microsoftes.com
70.84.192.231 www-microsofts.com
70.84.192.232 perfect-uninstall.com
70.84.192.232 uninstall-free.com
70.84.192.233 dellupdates.net
70.84.192.233 updates-os.com
70.84.192.233 updatesmicrosoft.net
Visiting suspicious URLs, or performing any actions on websites mentioned in e-mails from unfamiliar senders, will most likely result in an attempt to infect your Windows system.
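The list above is most useful when it is turned into something a blocklist or a mail filter can consume. The following Python is an added example (not Sunbelt’s tooling): it parses an IP/domain list in the same form as the one above, flags domains that embed or pluralise a watched brand name, and then pivots on the shared IP addresses so that co-hosted domains with no brand string in them (updates-xp.com, registrygreat.com) are caught as well. The sample input is constructed from a subset of the entries above, and the BRANDS and LEGIT sets are assumptions for the demonstration.

```python
"""Triage a hosts-style list of suspected brand-impersonation domains.

Added example. RAW is constructed from the advisory's own IP/domain form;
BRANDS and LEGIT are assumed watch-lists for the demo, not official data.
"""
import re
from collections import defaultdict

RAW = """\
70.84.192.228 freeadobes.com
70.84.192.228 updates-microsofts.com
70.84.192.236 free-microsofts.com
70.84.192.236 registrygreat.com
70.84.192.229 updates-xp.com
70.84.192.229 updatemicrosofts.com
70.84.192.230 update-microsoftes.com
70.84.192.233 dellupdates.net
70.84.192.233 updatesmicrosoft.net
"""

BRANDS = ("microsoft", "adobe", "dell")             # assumed watch-list
LEGIT = {"microsoft.com", "adobe.com", "dell.com"}  # assumed genuine registrable domains


def parse_hostlist(text):
    """Return (ip, domain) pairs from 'IP domain' lines; blank and # lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, host = line.split(maxsplit=1)
        pairs.append((ip, host.lower().rstrip(".")))
    return pairs


def lookalike_reason(host):
    """Return why `host` impersonates a watched brand, or None if it does not."""
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    if registrable in LEGIT:
        return None                      # the real brand domain or a subdomain of it
    second_level = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in BRANDS:
        if brand not in second_level:
            continue
        if second_level == brand:
            return f"brand '{brand}' under an unexpected TLD"
        # The pattern the advisory points out: microsofts, microsoftes, adobes ...
        if re.search(brand + r"e?s$", second_level):
            return f"pluralised brand '{brand}'"
        return f"brand '{brand}' embedded in '{second_level}'"
    return None


def blocklist(pairs):
    """Lookalike domains plus anything co-hosted on an IP that serves one.

    Pivoting on the shared IP catches domains such as updates-xp.com that carry
    no brand string but sit on the same attacker infrastructure.
    """
    lookalikes_by_ip = defaultdict(list)
    for ip, host in pairs:
        if lookalike_reason(host):
            lookalikes_by_ip[ip].append(host)
    block = {}
    for ip, host in pairs:
        reason = lookalike_reason(host)
        if reason:
            block[host] = reason
        elif ip in lookalikes_by_ip:
            block[host] = f"co-hosted on {ip} with {lookalikes_by_ip[ip][0]}"
    return block


if __name__ == "__main__":
    for host, why in sorted(blocklist(parse_hostlist(RAW)).items()):
        print(f"{host:28} {why}")
```

The registrable-domain check is deliberately naive (it treats the last two labels as the registrable domain, which is wrong for suffixes such as co.uk); a production filter would use the public suffix list. The IP pivot is the part worth keeping: attackers tend to park many throwaway domains on a handful of addresses, and the addresses change far less often than the names.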
Microsoft has reportedly developed a USB key that allows investigators to extract forensic data from PCs. The tool, called COFEE (Computer Online Forensic Evidence Extractor), comes in a USB key form factor and was distributed to a small number of law-enforcement agencies last June. The device includes 150 tools that allow investigators to extract internet history files and “decrypt passwords”. COFEE also allows investigators to upload data for analysis.
The device is used by more than 2,000 officers in at least 15 countries, including Germany and the US. Microsoft supplies the technology to law enforcement agencies without charge. The tool reportedly allows investigators to scan for evidence on site without necessarily having to cart PCs back to a lab.
Computer forensics is a painstaking process carefully designed to make sure data on a suspect computer isn’t changed; simply plugging a device into a computer to extract data seems like a quick and dirty fix. The admissibility of such data in court is debatable even before we get into considering the possibility that the USB key might contain malware.
The extraction and analysis of digital evidence features in the investigation of more and more crimes, not just those specific to computers such as internet fraud and child abuse investigations. UK specialists said they’re struggling to cope with the volume of work from law enforcement clients. There’s a genuine problem here, but we’re not convinced COFEE is the solution.
Ironically, COFEE is of limited help to investigators when Windows Vista is installed on the suspect’s PC: it cannot decrypt files that were encrypted using BitLocker technology.
Researchers from the UK (Newcastle University) have devised a novel and inexpensive way of cracking Microsoft’s Windows Live Captchas with a success rate of more than 60 percent, a finding that further exposes weaknesses in a key measure designed to keep miscreants from infiltrating free online services. Using custom-written software, a standard desktop computer was able to correctly read the characters more than 60 percent of the time. Microsoft designed the Captcha with the goal that automated scripts should succeed no more than 0.01 percent of the time.
While attacks on Captchas deployed by Microsoft, Google and Yahoo are nothing new, the latest research appears to show new strides in the breaking of such protections. Short for “Completely Automated Public Turing test to tell Computers and Humans Apart”, most Captchas require end users to identify the letters depicted in a highly distorted image designed to be unreadable by optical character recognition software.
In many of the previous attacks, for instance, one against Hotmail that was observed by Websense in February, it was unclear if there was cheap human labor that was reading the Captcha images, and in any event, the scripts were successful no more than 35 percent of the time. Websense observed similar attacks on Gmail that succeed only about 20 percent of the time. A Google software engineer contends the attacks are being carried out in Russian sweatshops.
In January, researchers reported successfully cracking Yahoo’s Captcha. Yahoo updated its Captcha last month to make it more resistant to attack.
The latest attack observed by Websense seems to make similar strides. Scripts obtained by company researchers were able to respond successfully to a Captcha challenge in about six seconds, leading them to deduce that the recognition is happening automatically, rather than relying on a human being.
The Newcastle researchers took a decidedly different approach. They figured out a way to isolate each of the eight characters that make up a Hotmail Captcha image. Defeating Microsoft’s so-called segmentation-resistant technology was a major accomplishment: it blends the characters together in an attempt to thwart optical character recognition. Once they were able to segment the image, usually in about 80 milliseconds on a PC with a Core 2 processor and 2 GB of RAM, the machine could easily read the individual characters.
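To see why segmentation is the whole game, the Python below (an added example, not the Newcastle researchers’ code) runs the simplest possible pipeline on two constructed toy bitmaps: a column-projection segmenter that splits the image wherever a column carries no ink, followed by nearest-template matching on each segment. On the clean image it reads the three glyphs; on the blended image, where the glyphs touch, projection finds a single blob and the recogniser never gets a per-character crop. The glyph templates and both images are made up for the demonstration.

```python
"""Column-projection segmentation followed by template matching.

Added example. '#' is ink, '.' is background. The glyph templates and the two
challenge images are constructed; the BLENDED image has no blank column between
glyphs, which is the property a segmentation-resistant Captcha relies on.
"""

# Constructed 3x3 glyph templates (an assumed font for the demo).
GLYPHS = {
    "H": ["#.#",
          "###",
          "#.#"],
    "I": ["###",
          ".#.",
          "###"],
    "7": ["###",
          "..#",
          "..#"],
}

# Constructed challenge images; both are meant to read "HI7".
CLEAN = [          # one blank column between glyphs
    "#.#.###.###",
    "###..#....#",
    "#.#.###...#",
]
BLENDED = [        # glyphs pushed together so every column carries ink
    "#.#######",
    "###.#...#",
    "#.#####.#",
]


def column_has_ink(bitmap, col):
    return any(row[col] == "#" for row in bitmap)


def segment(bitmap):
    """Return (start, end) column ranges of contiguous inked columns."""
    width = len(bitmap[0])
    segments, start = [], None
    for col in range(width):
        ink = column_has_ink(bitmap, col)
        if ink and start is None:
            start = col
        elif not ink and start is not None:
            segments.append((start, col - 1))
            start = None
    if start is not None:
        segments.append((start, width - 1))
    return segments


def crop(bitmap, seg):
    return [row[seg[0]:seg[1] + 1] for row in bitmap]


def hamming(a, b):
    """Pixel mismatch count, or None when the shapes differ."""
    if len(a) != len(b) or len(a[0]) != len(b[0]):
        return None
    return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def solve(bitmap, expected_chars):
    """Segment, then classify each piece; None when segmentation fails."""
    segments = segment(bitmap)
    if len(segments) != expected_chars:
        return None          # OCR never gets a per-character crop to work on
    out = []
    for seg in segments:
        piece = crop(bitmap, seg)
        scores = {n: hamming(piece, t) for n, t in GLYPHS.items()}
        scores = {n: s for n, s in scores.items() if s is not None}
        out.append(min(scores, key=scores.get) if scores else "?")
    return "".join(out)


if __name__ == "__main__":
    print("clean   ->", solve(CLEAN, 3))      # HI7
    print("blended ->", solve(BLENDED, 3))    # None: one blob, three characters expected
```

The blended case is exactly what Microsoft’s design counts on: recognising an isolated character is easy, so the defence is to deny the attacker isolated characters. The Newcastle result matters because it found a cheap way to recover the boundaries anyway; once the crops exist, the classification step above is already good enough.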
Microsoft Windows operating systems are prone to a vulnerability that lets attackers spoof DNS responses to the Windows DNS client. This issue occurs because the software does not use a properly secure random number source when creating DNS transaction IDs, so the IDs are predictable.
Successfully exploiting this issue allows remote attackers to spoof DNS replies, allowing them to redirect network traffic and to launch man-in-the-middle attacks.
Microsoft has released an advisory along with fixes to address this issue. Currently there are no reports of any working exploits.
List of vulnerable OS versions can be seen below.
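The reason a predictable transaction ID is fatal is easy to show with a simulation. The Python below is an added example (not Microsoft’s code or an exploit for this advisory): it models a resolver that hands out sequential IDs next to one that draws them from a CSPRNG, lets an off-path attacker observe two IDs and guess the next, and measures how often the forged reply would be accepted. It also computes the blind-guessing success rate for a 16-bit random ID, which shows that randomising the ID alone only raises the bar to tens of thousands of forged packets. The resolver classes and trial counts are assumptions for the demonstration.

```python
"""Why predictable DNS transaction IDs make reply spoofing cheap.

Added example. Two toy resolvers: one counts transaction IDs upwards (the weak
pattern), one draws them from a CSPRNG. The attacker sees two IDs, extrapolates
the next, and "wins" if its forged reply carries the ID the resolver expects.
"""
import secrets


class SequentialTxid:
    """Assumed weak resolver: IDs increment from a random starting point."""

    def __init__(self):
        self._next = secrets.randbelow(65536)

    def next_id(self):
        tid = self._next
        self._next = (self._next + 1) & 0xFFFF
        return tid


class RandomTxid:
    """Resolver drawing every ID independently from a CSPRNG."""

    def next_id(self):
        return secrets.randbelow(65536)


def spoof_trial(resolver, observed=2):
    """Attacker observes `observed` IDs (e.g. from queries it induced) and
    forges a reply for the next one using linear extrapolation."""
    seen = [resolver.next_id() for _ in range(observed)]
    step = (seen[-1] - seen[-2]) & 0xFFFF
    guess = (seen[-1] + step) & 0xFFFF
    return guess == resolver.next_id()


def spoof_rate(resolver_factory, trials=1000):
    """Fraction of trials in which the forged reply would be accepted."""
    hits = sum(spoof_trial(resolver_factory()) for _ in range(trials))
    return hits / trials


def blind_success(forged_replies, id_bits=16):
    """Probability that at least one of N blind forgeries hits a random ID.

    With 16-bit IDs and a fixed source port, about 65,536 forged replies give
    a ~63% chance, which is why ID randomness alone is a thin defence."""
    space = 2 ** id_bits
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


if __name__ == "__main__":
    print("sequential IDs, extrapolation attack:", spoof_rate(SequentialTxid))
    print("random IDs, extrapolation attack:    ", spoof_rate(RandomTxid))
    print("random IDs, 65536 blind forgeries:   ", round(blind_success(65536), 3))
```

The extrapolation attack succeeds every time against the sequential resolver and essentially never against the random one. The blind-forgery figure is the caveat practitioners should keep in mind: fixing the ID generator, as this advisory’s patches do, removes the trivial attack but leaves only 16 bits of entropy, which is why source-port randomisation was later added to DNS clients and resolvers as a second independent factor.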
Microsoft Internet Explorer is vulnerable to script injection when handling specially crafted requests for ‘acr_error.htm’ via the ‘res://’ protocol. The file resides in the ‘ieframe.dll’ dynamic-link library. An attacker may leverage this issue to execute arbitrary script code in the context of the user’s browser.
Successful exploits can allow the attacker to steal cookie-based authentication credentials, obtain potentially sensitive information stored on the victim’s computer, and launch other attacks. An unsuspecting user can be affected by visiting a malicious web page or viewing a malicious web document.
Internet Explorer 8 is reported to be vulnerable. Internet Explorer 7 is likely vulnerable as well, but this has not been confirmed yet.
No vendor-supplied patches are available at this moment.
http://www.microsoft.com/windows/products/winfamily/ie/ie8/default.mspx
Alexander Klink of Cynops GmbH reported a new vulnerability in Microsoft Office. A remote attacker can cause the target user’s system to access arbitrary URLs. A specially crafted S/MIME-signed document can be created that, when opened by the target user, causes the target user’s system to access arbitrary HTTP URLs specified in the signing certificate.
When opening a document with a digital signature, Office 2007 attempts to use the additional URLs contained in the certificate to download information relevant for the verification of the certificate. It will automatically send out HTTP requests to any location that is reachable from the client - which might include networks previously unreachable to an attacker.
The result is unnoticed access to external or internal web servers, which in turn could be attacked using other vectors, and, in the simplest case, an “opening confirmation”, which is often undesired by the recipient as well (as it can be used to track who opened which document and when).
The request is issued by the Microsoft Cryptographic API when it follows the caIssuers URL in the certificate’s authorityInfoAccess extension. A remote attacker may be able to exploit this to conduct port scanning against arbitrary systems reachable from the victim.
Demonstration exploit: http://www.klink.name/security/HTTP_over_Office_2007_PoC.docx
Original advisory: https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
Solution: No solution was available at the time of this entry.
The vendor was notified on March 18, 2008 and for now this vulnerability remains unpatched.
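The field that drives this behaviour is small and worth seeing in the raw. The Python below is an added example (not Klink’s proof of concept): it builds a DER-encoded authorityInfoAccess extension value for a constructed certificate, parses it back the way a verifier would, and flags any caIssuers URL that would make the client reach an internal address, a single-label intranet host, or a non-standard port, which is what turns certificate verification into a port scanner. The OIDs are the real id-ad-caIssuers and id-ad-ocsp values; the sample URLs are invented. The encoder covers only the URI form of GeneralName, which is the one that triggers an HTTP fetch.

```python
"""Build and audit an authorityInfoAccess (AIA) extension value.

Added example. The AIA syntax is a SEQUENCE of AccessDescription, each holding
an accessMethod OID and an accessLocation GeneralName; only the
uniformResourceIdentifier choice ([6] IA5String, tag 0x86) is handled here.
The sample URLs below are constructed for the demo.
"""
import ipaddress
from urllib.parse import urlsplit

OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2
OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_aia(entries):
    """entries: [(method_oid_bytes, url)] -> DER AuthorityInfoAccessSyntax."""
    descs = b"".join(
        der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x86, url.encode("ascii")))
        for oid, url in entries)
    return der_tlv(0x30, descs)


def _read_tlv(buf, pos):
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def aia_urls(der):
    """Return [(method_name, url)] for every URI-form accessLocation."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = _read_tlv(seq, pos)
        _, oid, p = _read_tlv(desc, 0)
        loc_tag, loc, _ = _read_tlv(desc, p)
        if loc_tag != 0x86:       # only a URI accessLocation triggers an HTTP fetch
            continue
        method = {OID_CA_ISSUERS: "caIssuers", OID_OCSP: "ocsp"}.get(oid, "other")
        out.append((method, loc.decode("ascii")))
    return out


def risky_fetches(der):
    """caIssuers URLs that would make the verifier touch internal hosts or odd ports."""
    flagged = []
    for method, url in aia_urls(der):
        if method != "caIssuers":
            continue
        parts = urlsplit(url)
        host = parts.hostname or ""
        port = parts.port or (443 if parts.scheme == "https" else 80)
        reasons = []
        try:
            ip = ipaddress.ip_address(host)
            if ip.is_private or ip.is_loopback or ip.is_link_local:
                reasons.append("internal address")
        except ValueError:
            if "." not in host:
                reasons.append("single-label intranet hostname")
        if port not in (80, 443):
            reasons.append(f"non-standard port {port}")
        if reasons:
            flagged.append((url, "; ".join(reasons)))
    return flagged


# Constructed certificate AIA contents: one benign issuer URL, two attacker-chosen ones.
SAMPLE_AIA = encode_aia([
    (OID_OCSP, "http://ocsp.example.com"),
    (OID_CA_ISSUERS, "http://ca.example.com/issuer.crt"),
    (OID_CA_ISSUERS, "http://10.0.0.5:8080/issuer.crt"),
    (OID_CA_ISSUERS, "http://intranet-sharepoint/issuer.crt"),
])

if __name__ == "__main__":
    for url, why in risky_fetches(SAMPLE_AIA):
        print(f"{url:45} {why}")
```

In a real certificate the value above is wrapped in the Extension’s OCTET STRING, so an auditor would unwrap that first. The check is deliberately from the victim’s point of view: the signer, not the recipient, chooses these URLs, so a mail gateway or document scanner that inspects the signing certificate’s AIA entries before the client opens the file is the practical place to enforce such a policy until a vendor fix arrives.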
Juan Pablo Lopez Yacubian reported that Internet Explorer 7 (including on all Windows Vista versions) is affected by a URI-spoofing vulnerability.
An attacker may leverage this issue by inserting crafted strings that spoof the displayed source address of a page presented to an unsuspecting user. This may lead to a false sense of trust, because the user is shown the address of a trusted site while actually interacting with the attacker’s malicious site.
To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web document. The following example exploit is available:
http://es.geocities.com/jplopezy/iespoof.html
Reports indicate that unspecified versions of Firefox are also prone to this issue, but that has not been confirmed.
Currently there are no vendor-supplied patches. If you are aware of a patch or more recent information, please comment.