Microsoft has released Service Pack 3 for Windows XP. Service Pack 3 includes multiple hotfixes and security updates and is available through Automatic Updates and Windows Update. Note that Windows XP SP3 does not include Internet Explorer 7; it does, however, include updates for both IE6 and IE7 and will update whichever version is currently installed.
Users updating to Windows XP Service Pack 3 (SP3) will not be able to downgrade from Internet Explorer 7 to the older IE6 without first uninstalling the service pack. The warning first appeared in a post by the Internet Explorer development team: if you install XP SP3, Internet Explorer 7 remains on the system after the installation completes and your preferences are retained, but IE7 can no longer be uninstalled. In Control Panel, Add/Remove Programs, the Remove option is grayed out.
Users who want to retain the ability to downgrade from IE7 to IE6 should uninstall IE7 before upgrading to XP SP3 and install it again once SP3 is in place; IE7 installed on top of SP3 can still be reverted to IE6 later. If Windows XP SP3 has already been installed, the only way back to IE6 is to uninstall the service pack first, after which IE7 can be removed.
Users can review the release notes for Service Pack 3 for Windows XP at http://support.microsoft.com/kb/936929 and apply any necessary updates.
Sunbelt has issued a warning about several domains whose names closely mimic genuine Microsoft-owned websites. These URLs could be used in future phishing or targeted attacks, since they closely resemble Microsoft's real naming conventions.
The recent buzz around Windows XP SP3 has probably given attackers the idea of tricking users into installing "necessary updates" or "the latest Service Pack 3" that are in fact information-stealing trojans served from these fake domains. An infected PC may also end up as part of a botnet.
Most of the domain names use a pluralised brand (e.g., microsofts or microsoftes). Do not attempt to visit these sites: malware could be installed automatically and silently on a vulnerable PC.
A list of the fake Microsoft-looking domains and their IP addresses:
70.84.192.228 freeadobes.com
70.84.192.228 updates-microsofts.com
70.84.192.236 free-microsofts.com
70.84.192.236 registry-great.com
70.84.192.236 registrygreat.com
70.84.192.236 registrygreat.net
70.84.192.229 updates-xp.com
70.84.192.229 updatemicrosofts.com
70.84.192.230 microsofts-updates.com
70.84.192.230 updates-all.com
70.84.192.230 updates-microsofts.net
70.84.192.230 update-microsoftes.com
70.84.192.231 www-microsofts.com
70.84.192.232 perfect-uninstall.com
70.84.192.232 uninstall-free.com
70.84.192.233 dellupdates.net
70.84.192.233 updates-os.com
70.84.192.233 updatesmicrosoft.net
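One way to triage such a list automatically, as an added example that is not part of Sunbelt's report: the domains and addresses below are the ones quoted above; the brand list, the one-edit distance threshold and the co-hosting pivot are this example's own choices, and the pivot is what pulls in the generic lures (updates-xp.com, registrygreat.com) that carry no brand string at all.

```python
"""Triage of brand-lookalike domains (added example, not from Sunbelt's report).

Two signals are combined: brand tokens that were pluralized, embedded or
misspelled in the registrable label, and co-hosting on an IP address that
already serves a flagged domain.
"""
from __future__ import annotations
from collections import defaultdict

BRANDS = ("microsoft", "adobe", "dell")   # brands to watch; example's own choice

# hosts-file style "IP domain" lines, copied from the list in the post above.
SUSPECT_ENTRIES = """\
70.84.192.228 freeadobes.com
70.84.192.228 updates-microsofts.com
70.84.192.236 free-microsofts.com
70.84.192.236 registry-great.com
70.84.192.236 registrygreat.com
70.84.192.236 registrygreat.net
70.84.192.229 updates-xp.com
70.84.192.229 updatemicrosofts.com
70.84.192.230 microsofts-updates.com
70.84.192.230 updates-all.com
70.84.192.230 updates-microsofts.net
70.84.192.230 update-microsoftes.com
70.84.192.231 www-microsofts.com
70.84.192.232 perfect-uninstall.com
70.84.192.232 uninstall-free.com
70.84.192.233 dellupdates.net
70.84.192.233 updates-os.com
70.84.192.233 updatesmicrosoft.net
"""


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_reason(domain: str) -> str | None:
    """Explain why the registrable label of `domain` looks like a brand, or None."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]                 # registrable label, e.g. "updates-microsofts"
    if sld in BRANDS:
        return None                  # the brand's own domain (microsoft.com, update.microsoft.com)
    for token in sld.split("-"):
        for brand in BRANDS:
            if token == brand:
                return f"brand '{brand}' used as a token of '{sld}'"
            if token.startswith(brand) and token[len(brand):] in ("s", "es"):
                return f"pluralized brand '{brand}' in '{token}'"
            if brand in token:
                return f"brand '{brand}' embedded in '{token}'"
            if levenshtein(token, brand) <= 1:
                return f"'{token}' is one edit from '{brand}'"
    return None


def parse_entries(text: str) -> list[tuple[str, str]]:
    """Split 'IP domain' lines into (ip, domain) pairs, ignoring malformed lines."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1].lower()))
    return pairs


def triage(text: str) -> dict[str, str]:
    """Return {domain: reason} for every domain flagged by brand or by co-hosting."""
    pairs = parse_entries(text)
    flagged: dict[str, str] = {}
    by_ip: dict[str, set[str]] = defaultdict(set)
    for ip, domain in pairs:
        by_ip[ip].add(domain)
        reason = brand_reason(domain)
        if reason:
            flagged[domain] = reason
    # Pivot: a domain served from the same IP as a flagged one inherits suspicion.
    for ip, domains in by_ip.items():
        anchors = sorted(d for d in domains if d in flagged)
        if anchors:
            for d in domains - set(flagged):
                flagged[d] = f"co-hosted on {ip} with {anchors[0]}"
    return flagged


if __name__ == "__main__":
    for domain, reason in sorted(triage(SUSPECT_ENTRIES).items()):
        print(f"{domain:28} {reason}")
```

Run against the list, 16 of the 18 domains are flagged; perfect-uninstall.com and uninstall-free.com on 70.84.192.232 are not, because nothing on that address carries a brand string. That is the point of the exercise: name-based heuristics alone would have missed a third of the infrastructure, which is why the researcher's list was built from the hosting neighbourhood rather than from spelling alone.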
Visiting suspicious URLs, or performing any action on websites mentioned in e-mails from unfamiliar senders, will most likely result in an attempt to infect your Windows system.
Microsoft has reportedly developed a USB key that allows investigators to extract forensic data from PCs. The tool, called COFEE (Computer Online Forensic Evidence Extractor), comes in a USB key form factor and was distributed to a small number of law-enforcement agencies last June. The device includes 150 tools that let investigators extract internet history files and "decrypt passwords". COFEE also allows investigators to upload data for analysis.
The device is used by more than 2,000 officers in at least 15 countries, including Germany and the US. Microsoft supplies the technology to law enforcement agencies free of charge. The tool reportedly allows investigators to scan for evidence on site without having to cart PCs back to a lab.
Computer forensics is a painstaking process carefully designed to make sure data on a suspect computer isn't changed; simply plugging a device into a running computer to extract data looks like a quick and dirty fix. The admissibility of such data in court is debatable even before considering the possibility that the USB key itself might carry malware.
The extraction and analysis of digital evidence features in the investigation of more and more crimes, not just those specific to computers such as internet fraud and child-abuse investigations. UK specialists say they are struggling to cope with the volume of work from law enforcement clients. There is a genuine problem here, but we are not convinced COFEE is the solution.
Ironically, COFEE is of little help when the suspect's PC runs Windows Vista with BitLocker enabled: it cannot decrypt files protected by BitLocker.
Researchers from the UK have devised a novel and inexpensive way of cracking Microsoft's Windows Live Captchas with a success rate of more than 60 percent, a finding that further exposes weaknesses in a key measure designed to keep miscreants from infiltrating free online services. Using custom-written software, a standard desktop computer was able to read the characters correctly more than 60 percent of the time. Microsoft designed the scheme with the goal that automated scripts should succeed no more than 0.01 percent of the time.
While attacks on Captchas deployed by Microsoft, Google and Yahoo are nothing new, the latest research shows new strides in breaking such protections. Short for "completely automated public Turing test to tell computers and humans apart", most Captchas require end users to identify the letters depicted in a highly distorted image designed to be unreadable by optical character recognition software.
In many of the previous attacks, for instance one against Hotmail observed by Websense in February, it was unclear whether cheap human labor was reading the Captcha images, and in any event the scripts succeeded no more than 35 percent of the time. Websense observed similar attacks on Gmail that succeeded only about 20 percent of the time. A Google software engineer contends the attacks are being carried out in Russian sweatshops.
In January, researchers reported successfully cracking Yahoo’s Captcha. Yahoo updated its Captcha last month to make it more resistant to attack.
The latest attack observed by Websense seems to make similar strides. Scripts obtained by company researchers were able to respond to a Captcha challenge in about six seconds, leading them to conclude that the recognition is automated rather than relying on a human.
The Newcastle researchers took a decidedly different approach. They found a way to isolate each of the eight characters that make up a Hotmail Captcha image, defeating Microsoft's so-called segmentation-resistant technique, which blends the characters together to thwart optical character recognition. Once the image was segmented, usually in about 80 milliseconds on a PC with a Core 2 processor and 2 GB of RAM, the machine could easily read the individual characters.
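Added example, not the Newcastle researchers' code: the segmentation step on a constructed toy bitmap. Two glyphs stand alone, two touch at a single pixel, and a thin arc of five pixels sits to the right. Flood fill ("colour filling") finds the connected components, a pixel-count threshold discards the arc, and a blob much wider than the median glyph is cut into equal column slices. The bitmap, the threshold and the width factor are all this example's own choices.

```python
"""Connected-component segmentation of a text CAPTCHA bitmap
(added example; not the Newcastle researchers' code)."""
from __future__ import annotations
from statistics import median

INK = "#"
MIN_INK_PIXELS = 8      # blobs with fewer pixels are treated as arcs/noise (example's own threshold)
WIDE_FACTOR = 1.8       # a blob this much wider than the median glyph is two touching glyphs

# Constructed toy bitmap: glyphs A and B stand alone, C and D touch at one
# pixel in row 3, and a thin diagonal "arc" of 5 pixels sits to the right.
IMAGE = [
    "........................................",
    "..####...####....####.####..........#...",
    "..#..#...#..#....#..#.#..#.........#....",
    "..#..#...####....#..###..#........#.....",
    "..####...#..#....#..#.#..#.......#......",
    "..#..#...#..#....####.####......#.......",
    "..#..#...####...........................",
    "........................................",
]


def components(image: list[str]) -> list[set[tuple[int, int]]]:
    """8-connected flood fill; returns each ink component as a set of (row, col)."""
    rows, cols = len(image), len(image[0])
    seen: set[tuple[int, int]] = set()
    found = []
    for r in range(rows):
        for c in range(cols):
            if image[r][c] != INK or (r, c) in seen:
                continue
            stack, comp = [(r, c)], set()
            seen.add((r, c))
            while stack:
                y, x = stack.pop()
                comp.add((y, x))
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        ny, nx = y + dy, x + dx
                        if (0 <= ny < rows and 0 <= nx < cols
                                and (ny, nx) not in seen and image[ny][nx] == INK):
                            seen.add((ny, nx))
                            stack.append((ny, nx))
            found.append(comp)
    return found


def segment(image: list[str]) -> list[tuple[int, int]]:
    """Return one (left, right) inclusive column range per glyph, left to right."""
    # Arcs are thin: they never reach the pixel count of a real glyph.
    blobs = [c for c in components(image) if len(c) >= MIN_INK_PIXELS]
    boxes = sorted((min(x for _, x in b), max(x for _, x in b)) for b in blobs)
    if not boxes:
        return []
    typical = median(r - l + 1 for l, r in boxes)
    glyphs = []
    for left, right in boxes:
        width = right - left + 1
        # Touching glyphs survive as one wide blob: cut it into n equal column slices.
        n = round(width / typical) if width >= WIDE_FACTOR * typical else 1
        step = width / n
        for i in range(n):
            glyphs.append((left + round(i * step), left + round((i + 1) * step) - 1))
    return glyphs


def crop(image: list[str], left: int, right: int) -> list[str]:
    """Cut one glyph out of the bitmap so a per-character recogniser can read it."""
    return [row[left:right + 1] for row in image]


if __name__ == "__main__":
    for left, right in segment(IMAGE):
        print("\n".join(crop(IMAGE, left, right)), end="\n\n")
```

Once the glyphs are isolated like this, each one is a small, clean image, and reading it is the easy part; that is why segmentation resistance, not distortion, is the property that decides whether a text Captcha holds up.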
Microsoft Windows operating systems are prone to a vulnerability that lets attackers spoof DNS responses to the Windows DNS client. The issue occurs because the software does not use sufficiently random values when generating DNS transaction IDs, so an attacker who has observed a few IDs can predict the ones that follow.
Successfully exploiting this issue allows remote attackers to forge DNS replies that the client accepts, letting them redirect network traffic and launch man-in-the-middle attacks.
Microsoft has released an advisory along with fixes that address this issue. At present there are no reports of working exploits.
List of vulnerable OS versions can be seen below.
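The attacker's side of a predictable-transaction-ID attack, as an added example that is not Microsoft's advisory material and not an exploit for this issue: the weak generator is a hypothetical 16-bit linear congruential generator standing in for a poorly seeded client, and the recovery step shows that a handful of observed IDs is enough to predict the next one when the generator is weak, while the same step finds nothing against an unpredictable source.

```python
"""Predictability check for 16-bit DNS transaction IDs (added example).

The weak generator is a constructed stand-in for a badly seeded client; the
recovery routine is what an attacker who can observe a client's queries would
run before racing the real answer with a forged one.
"""
from __future__ import annotations
import secrets

MOD = 1 << 16   # DNS transaction IDs are 16 bits wide


def lcg_txids(n: int, seed: int = 12345) -> list[int]:
    """Hypothetical weak client: x' = 25173*x + 13849 mod 2^16 (classic 16-bit LCG constants)."""
    x, out = seed, []
    for _ in range(n):
        x = (x * 25173 + 13849) % MOD
        out.append(x)
    return out


def random_txids(n: int) -> list[int]:
    """What a fixed client should do: draw each ID from a CSPRNG."""
    return [secrets.randbelow(MOD) for _ in range(n)]


def recover_lcg(ids: list[int]) -> tuple[int, int] | None:
    """Fit observed IDs to x' = a*x + c mod 2^16 by trying every multiplier.

    For each a the increment c is fixed by the first two IDs; the pair is
    accepted only if it reproduces every later transition. Sequential IDs
    are the special case a = 1, c = 1. Returns (a, c) or None.
    """
    if len(ids) < 3:
        raise ValueError("need at least three IDs: two fix c for any a, a third discriminates")
    x0, x1 = ids[0], ids[1]
    for a in range(MOD):
        c = (x1 - a * x0) % MOD
        if all((a * ids[i] + c) % MOD == ids[i + 1] for i in range(len(ids) - 1)):
            return a, c
    return None


def predict_next(ids: list[int]) -> int | None:
    """The ID the client will use for its next query, or None if it is not predictable."""
    params = recover_lcg(ids)
    if params is None:
        return None
    a, c = params
    return (a * ids[-1] + c) % MOD


def forged_replies_needed(ids: list[int]) -> int:
    """How many spoofed answers must be sent to hit the next ID (ignoring source-port entropy)."""
    return 1 if predict_next(ids) is not None else MOD


if __name__ == "__main__":
    weak = lcg_txids(8)
    print("weak client  ->", recover_lcg(weak), "next:", predict_next(weak))
    print("random client->", predict_next(random_txids(8)))
```

With a weak generator the attacker needs one forged packet per query instead of up to 65,536, which is what turns the race against the real resolver's answer into a near-certain win. The fix in the advisory is about exactly this: making each transaction ID unpredictable so the brute-force cost returns to the full 16-bit space (and, where the client also randomizes its source port, much higher).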
Microsoft Internet Explorer is vulnerable to script injection when handling specially crafted requests for 'acr_error.htm' via the 'res://' protocol. The file resides in the 'ieframe.dll' dynamic-link library. An attacker may leverage this issue to execute arbitrary script code in the context of the user's browser.
Successful exploits could allow the attacker to steal cookie-based authentication credentials, obtain potentially sensitive information stored on the victim's computer, and launch other attacks. An unsuspecting user can be affected by visiting a malicious web page or viewing a malicious web document.
Internet Explorer 8 is reported to be vulnerable. Internet Explorer 7 is likely vulnerable as well, but this has not yet been confirmed.
No vendor-supplied patches are available at this time.
http://www.microsoft.com/windows/products/winfamily/ie/ie8/default.mspx
Alexander Klink of Cynops GmbH reported a new vulnerability in Microsoft Office: a remote attacker can cause the target user's system to access arbitrary URLs. A specially crafted S/MIME-signed document can be created that, when opened by the target user, causes the system to access arbitrary HTTP URLs specified in the signing certificate.
When opening a digitally signed document, Office 2007 attempts to use the additional URLs contained in the certificate to download information needed to verify the certificate. It automatically sends HTTP requests to any location reachable from the client, which may include networks previously unreachable to the attacker.
The result is unnoticed access to external or internal web servers, which in turn could be attacked using other vectors, and, in the simplest case, an "opening confirmation" that is often undesired by the recipient as well, since it can be used to track who opened which document and when.
The access is performed by the Microsoft Cryptographic API following the caIssuers URL in the certificate's authorityInfoAccess extension. A remote attacker may be able to exploit this to conduct port scanning against arbitrary systems.
Demonstration exploit: http://www.klink.name/security/HTTP_over_Office_2007_PoC.docx
Original advisory: https://www.cynops.de/advisories/AKLINK-SA-2008-004.txt
Solution: No solution was available at the time of this entry.
The vendor was notified on March 18, 2008 and for now this vulnerability remains unpatched.
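To see exactly what a verifier would fetch, here is an added example (not Cynops' proof of concept) that builds a DER-encoded authorityInfoAccess extension value in the shape RFC 5280 defines, parses it back, and flags every URL whose host is outside an allowlist of known CA hosts. The encoder exists only to construct the test input inline; the CA hostnames, the internal URL and the allowlist are all made up for the demonstration.

```python
"""Extract authorityInfoAccess URLs from a DER extension value and review where
a signature verifier would connect (added example; not Cynops' PoC).

AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
AccessDescription ::= SEQUENCE { accessMethod OBJECT IDENTIFIER,
                                 accessLocation GeneralName }
A URI accessLocation is GeneralName CHOICE [6] IMPLICIT IA5String (tag 0x86).
"""
from __future__ import annotations
from urllib.parse import urlparse

OID_OCSP = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 id-ad-ocsp
OID_CAISSUERS = bytes.fromhex("2b06010505073002")   # 1.3.6.1.5.5.7.48.2 id-ad-caIssuers
METHODS = {OID_OCSP: "ocsp", OID_CAISSUERS: "caIssuers"}


def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_aia(entries: list[tuple[str, str]]) -> bytes:
    """Build an AIA extension value from (method, url) pairs; test input only."""
    oid_for = {name: oid for oid, name in METHODS.items()}
    descs = b"".join(
        der(0x30, der(0x06, oid_for[method]) + der(0x86, url.encode("ascii")))
        for method, url in entries
    )
    return der(0x30, descs)


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_aia(ext: bytes) -> list[tuple[str, str]]:
    """Return (method, url) for every URI accessLocation in the extension."""
    tag, seq, _ = read_tlv(ext, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(desc, 0)
        loc_tag, loc, _ = read_tlv(desc, p)
        if loc_tag == 0x86:   # uniformResourceIdentifier; other GeneralName forms are ignored
            out.append((METHODS.get(oid, oid.hex()), loc.decode("ascii")))
    return out


def egress_review(ext: bytes, trusted_hosts: set[str]) -> list[str]:
    """Flag every fetch a verifier would make to a host outside the trusted CA hosts."""
    findings = []
    for method, url in parse_aia(ext):
        host = urlparse(url).hostname or ""
        if host not in trusted_hosts:
            findings.append(f"{method} -> {url} (host {host!r} not in trusted CA hosts)")
    return findings


# Constructed sample: one ordinary OCSP pointer and a caIssuers URL aimed at an internal host.
SAMPLE_AIA = encode_aia([
    ("ocsp", "http://ocsp.example-ca.test/"),
    ("caIssuers", "http://intranet-fileserver.corp.example:8080/ca.cer"),
])
TRUSTED = {"ocsp.example-ca.test", "aia.example-ca.test"}   # hypothetical allowlist

if __name__ == "__main__":
    for line in egress_review(SAMPLE_AIA, TRUSTED):
        print(line)
```

Run over the certificate that signed an incoming document, the same walk shows whether opening it would make CryptoAPI reach a host the sender chose, internal or external; at the network level, the compensating control is to force the verifier's outbound HTTP through a proxy that only permits known CA hosts.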
Juan Pablo Lopez Yacubian reported that Internet Explorer 7 (including the version shipped with all editions of Windows Vista) is affected by a URI-spoofing vulnerability.
An attacker may leverage this issue by inserting strings that spoof the source address of a file presented to an unsuspecting user. This may create a false sense of trust, because the user is shown the address of a trusted site while interacting with the attacker's malicious site.
To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web document. The following example exploit is available:
http://es.geocities.com/jplopezy/iespoof.html
Reports indicate that unspecified versions of Firefox are also prone to this issue, but this has not been confirmed.
Currently there are no vendor-supplied patches. If you are aware of a patch or more recent information, please leave a comment.
Computer security specialists have been aware for two years that unusual features are contained inside a standard Windows software "driver" used for security and encryption functions. The driver, called ADVAPI.DLL, enables and controls a range of security functions. If you use Windows, you will find it in the C:\Windows\System directory of your computer.
ADVAPI.DLL works closely with Microsoft Internet Explorer, but will only run cryptographic functions that the US government allows Microsoft to export. That is bad enough news from a European point of view. Now it turns out that ADVAPI will run special programs inserted and controlled by the NSA. As yet, no one knows what these programs are or what they do.
Recently, a Microsoft programmer's mistake revealed that special access codes prepared by the US National Security Agency have been secretly built into Windows. The NSA access system is built into every version of the Windows operating system now in use, except early releases of Windows 95 (and its predecessors).
The result of having the secret key inside your Windows operating system is that it becomes tremendously easier for the NSA to load unauthorized security services onto all copies of Microsoft Windows, and once these services are loaded they can effectively compromise the entire operating system. The NSA key is contained in all versions of Windows from Windows 95 OSR2 onwards.
The first discovery of the NSA access system was made two years ago by British researcher Dr Nicko van Someren. But it was only a few weeks ago that a second researcher rediscovered the access system and found the evidence linking it to the NSA.
Microsoft has released a security advisory on a vulnerability in the Microsoft Jet Database Engine that can be exploited through Microsoft Word. In several recent attacks, exploits were crafted to target the Jet vulnerability through Word. The Word documents are coded to reference Access database files regardless of their extension, which lets attackers bypass content filters that look for specific e-mail attachment extensions.
This is a code-execution vulnerability caused by a buffer overrun in msjet40.dll, the Microsoft Jet Database Engine. An attacker can exploit it by convincing a user to open a Word file constructed to load a specially crafted database file through msjet40.dll. In a slightly different scenario, the user receives an e-mail message with two attachments, one of which is a Word document; the e-mail client saves both attachments to the same directory, and when the user opens the Word document it in turn opens an Access database containing the exploit code. In another scenario the attackers archive both the database and the Word document in a ZIP file, but the principle is the same.
If the version of Msjet40.dll is lower than 4.0.9505.0, you have a vulnerable version of the Microsoft Jet Database Engine.
Affected configurations: Microsoft Word 2000 SP3, Word 2002 SP3, Word 2003 SP2, Word 2003 SP3, Word 2007 and Word 2007 SP1 running on Microsoft Windows 2000, Windows XP or Windows Server 2003 SP1.
Systems that are not vulnerable: Windows Server 2003 SP2, Windows Vista and Windows Vista SP1. These systems ship a version of the Microsoft Jet Database Engine that is not affected by this issue.
Recommendation: do not open or save Word files that you receive from untrusted sources, or that you receive unexpectedly from trusted sources. The vulnerability could be exploited when a user opens a specially crafted Word file.
http://www.microsoft.com/technet/security/advisory/950627.mspx