CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Software’ Category

Microsoft Word Unspecified Remote Code Execution Vulnerability

Wednesday, July 9th, 2008

Microsoft warns that an unpatched Word vulnerability has become the subject of targeted attacks. Successful attacks may allow arbitrary malicious code to run in the context of the user running the application. Failed attack attempts may result in a crash.

The flaw creates a mechanism for hackers to inject hostile code onto vulnerable systems. Redmond has published workarounds as a stop-gap measure while its researchers investigate the flaw in greater depth.

According to Microsoft, there are limited, targeted attacks attempting to use the reported vulnerability. The vulnerability has appeared in a number of malware samples. A widening number of anti-virus firms have issued signature updates to defend against the threat. Symantec, acting on samples sent to it by handlers at the SANS Institute’s Internet Storm Center, was the first to publish an advisory. The malware is detected as Trojan.Mdropper by Symantec.

The timing of the exploit’s arrival meant Microsoft had insufficient time to respond before its regular Patch Tuesday update, a factor that’s unlikely to be a coincidence. The flaw is still under investigation, and details will probably be withheld until a fix is available. At this point it is unclear who the attack is targeting, though it is safe to assume the vulnerability will eventually be exploited by Chinese hackers.

Vulnerable:

Microsoft Word 2003 and Microsoft Office 2003 SP1 (leads to a crash)
Microsoft Word 2002 SP3
Microsoft Word 2000 (leads to a crash)
Microsoft Office XP

More information can be found in Microsoft Security Advisory 953635.

No further details can be provided at this time. In-the-wild samples of code exploiting this issue were already supplied to Symantec by SANS.

Several Vendors Including Microsoft Patch Multiplatform DNS Vulnerability

Tuesday, July 8th, 2008

Deficiencies in the Domain Name System (DNS) protocol may leave affected systems vulnerable to DNS cache poisoning attacks. If an attacker can successfully conduct a cache poisoning attack, they may be able to cause a nameserver’s clients to contact the incorrect, and possibly malicious, hosts for particular services. This may allow an attacker to obtain sensitive information or mislead users into believing they are visiting a legitimate website.

Microsoft Corp. today patched nine vulnerabilities in Windows, Exchange, SQL Server and the company’s DNS server and client software. All nine flaws were rated “important” by Microsoft, the second-highest threat rating in the company’s four-step scoring system.

One of the Microsoft fixes for Windows DNS was part of a group of patches issued today by software vendors to plug a multiplatform hole. Microsoft patched its iterations of DNS in MS08-037, the security bulletin that called out two DNS bugs in every supported version of Windows except Vista.

Microsoft also issued MS08-039 (two-patch update to Exchange 2003 and 2007) and MS08-040 (four-patch update for Microsoft’s SQL Server software, including the database components bundled with Windows) today. Both are important to patch as soon as possible.

The fix for the DNS cache poisoning vulnerability, which was reported to Microsoft by Dan Kaminsky, a noted researcher and director of penetration testing at Seattle-based IOActive Inc, is part of a larger, coordinated rollout today. The Internet Software Consortium (ISC) has also updated its popular open-source BIND DNS software, which vendors like Red Hat Inc. and Sun Microsystems Inc. will be pushing to their users today.

Microsoft Office Snapshot Viewer ActiveX Control Vulnerability

Monday, July 7th, 2008

The Microsoft Office Snapshot Viewer ActiveX control contains a vulnerability that can allow a remote, unauthenticated attacker to download arbitrary files to arbitrary locations.

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could download arbitrary files to a vulnerable system within the security context of the user running IE. These files could contain code that could be executed through other means. The user may click the file inadvertently, or the file may be placed in a sensitive location, such as the Windows Startup folder where it will automatically execute the next time the user logs onto the system.

The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.

Currently there is no patch for this problem. Microsoft Security Advisory 955179 lists the following workarounds:

Disable the Microsoft Snapshot Viewer ActiveX control in Internet Explorer

Upgrade to Internet Explorer 7

Do not run Windows with administrator privileges

Disable ActiveX

Sony USA PlayStation Website SQL Injected And Redirects Visitors To Fake Anti-Virus Scam

Wednesday, July 2nd, 2008

Sony’s USA PlayStation website, which has a very large number of daily visitors according to Alexa, has been the victim of an SQL injection attack. The PlayStation site is another high-traffic web site that has fallen victim to the continuing waves of mass SQL injection attacks carried out by botnets (the ASProx botnet, for example).

The purpose of this wave of attacks seems to be to dupe users into installing the same fake anti-virus software SophosLabs discovered on .MOBI websites earlier this week. Numerous malicious websites making use of the unusual .MOBI top-level domain attempted to load a script, ‘AD.JS’, located in the root of each site. This in turn attempted to load another website, a fake anti-virus install site. The site pretends to do an online virus scan:

A bogus warning message is then displayed, saying that one or more of the following have been detected:

Trojan.Bakloma.A
Win32.Gattman.A
Trojan.Zapchas.F
JS.Blackworm.A
Trojan.Tibs.E
Win32.Netsky.P@mm
Trojan.Winsys
Trackware.Adctech2006
Downloader.TrafficSector
Adware.Roings

If you have seen/installed this software on your PC, consider running a trusted anti-virus as soon as possible, since your machine is infected.

After this, the user is encouraged to download and run an executable (installer.exe). This malware is detected as Mal/Packer by Sophos. If the installer was run, it installs more malicious files (Troj/FakeAV-AA) on the victim machine.

Visiting the affected PlayStation site runs a script that pretends to perform the same online security scan of your computer and presents the bogus warning message shown in the image above. Users frightened by the fake ‘warnings’ might rush to spend money on useless software.

The fact that the Sony PlayStation site has been attacked in this way suggests that someone with malicious intent could place other harmful malware there and infect a very high number of Sony PlayStation website visitors.

Sony PlayStation’s site hasn’t been specifically targeted by hackers; it was hit automatically along with thousands of other pages that were SQL injected with the malicious coldwop.com domain (yet another SQL injection attack by Chinese hackers). There are no reports of the Sony PlayStation database or customers’ private details being compromised; the flaw in Sony’s website only allowed the injection of redirection code that loads a script from a malicious site.
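As an added example (not code from the original post, Sony or Sophos), the following Python scan is what a site operator could run over dumped text columns after an incident like this one, to find the external script references that mass SQL injection leaves behind in stored content. The sample rows, the allow-list of trusted hosts and the exact URL form are constructed assumptions; only the coldwop.com domain and the AD.JS file name come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample rows, standing in for a dump of a CMS text column. Row 2 mimics
# the injection pattern described in the post: a script tag loading a file from an
# external domain, appended to legitimate stored content. coldwop.com and AD.JS are
# named in the post; the unquoted URL form and the other rows are assumptions.
SAMPLE_ROWS = [
    (1, "<p>Welcome to the PlayStation community forums.</p>"),
    (2, "<p>Latest news</p><script src=http://coldwop.com/AD.JS></script>"),
    (3, "<p>Read more</p><script src=\"/js/site.js\"></script>"),
    (4, "<p>Promo</p><SCRIPT SRC=\"//cdn.sony-example.invalid/lib.js\"></SCRIPT>"),
]

# Hosts the site legitimately loads script from (assumed allow-list).
TRUSTED_HOSTS = {"us.playstation.com", "cdn.sony-example.invalid"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and accepts unquoted
        # attribute values, so mixed case and missing quotes do not evade the scan.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def script_hosts(fragment):
    """Return (src, host) pairs; host is None for same-origin relative sources."""
    parser = ScriptSrcCollector()
    parser.feed(fragment)
    parser.close()
    return [(src, urlparse(src).hostname) for src in parser.srcs]


def find_injected_scripts(rows, trusted=TRUSTED_HOSTS):
    """Flag rows whose stored content loads script from a host outside the allow-list.

    rows: iterable of (row_id, html_fragment). Returns (row_id, host, src) tuples.
    """
    findings = []
    for row_id, fragment in rows:
        for src, host in script_hosts(fragment):
            if host is None:
                continue  # relative path: served by the site itself
            if host.lower() not in trusted:
                findings.append((row_id, host.lower(), src))
    return findings


if __name__ == "__main__":
    for row_id, host, src in find_injected_scripts(SAMPLE_ROWS):
        print(f"row {row_id}: external script from {host} ({src})")
```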

Mozilla Fixes 12 Security Vulnerabilities In Firefox 2.0.0.15

Wednesday, July 2nd, 2008

Mozilla has released Firefox 2.0.0.15, which according to the release notes fixes 12 security vulnerabilities.

Here is the list of fixes in Firefox 2.0.0.15 from their website. Some of them are critical, so if you are running Firefox 2, you should update as soon as possible.

MFSA 2008-33 Crash and remote code execution in block reflow

MFSA 2008-32 Remote site run as local file via Windows URL shortcut

MFSA 2008-31 Peer-trusted certs can use alt names to spoof

MFSA 2008-30 File location URL in directory listings not escaped properly

MFSA 2008-29 Faulty .properties file results in uninitialized memory being used

MFSA 2008-28 Arbitrary socket connections with Java LiveConnect on Mac OS X

MFSA 2008-27 Arbitrary file upload via originalTarget and DOM Range

MFSA 2008-25 Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()

MFSA 2008-24 Chrome script loading from fastload file

MFSA 2008-23 Signed JAR tampering

MFSA 2008-22 XSS through JavaScript same-origin violation

MFSA 2008-21 Crashes with evidence of memory corruption (rv:1.8.1.15)

You can get the latest version of Firefox 2 here. If you are already a Firefox 2 user, you can also click “Check for updates…” under the “Help” menu.

SeaMonkey was also updated to version 1.1.10 and includes fixes for the same issues plus one additional critical vulnerability, so if you use it, it should also be updated.

25 Mac OS X Security Vulnerabilities Fixed in Apple’s 2008-004 Security Update

Monday, June 30th, 2008

Apple has shipped a new Mac OS X update that addresses 25 documented vulnerabilities that could lead to arbitrary code execution attacks. Security Update 2008-004 fixes code execution flaws in Launch Services, SMB File Server, System Configuration, VPN and WebKit.

Fixes for six highly critical vulnerabilities in Ruby, a popular open-source scripting language, are also included. The update also installs a Tomcat patch that addresses nine vulnerabilities, the most serious of which may lead to a cross-site scripting attack.

Here is the list of vulnerabilities from Apple’s security bulletin:

Alias Manager (CVE-2008-2308): A memory corruption issue exists in the handling of AFP volume mount information in an alias data structure. Resolving an alias containing maliciously crafted volume mount information may lead to an unexpected application termination or arbitrary code execution. This issue only affects Intel-based systems running Mac OS X 10.5.1 or earlier.

CoreTypes (CVE-2008-2309): This update adds .xht and .xhtm files to the system’s list of content types that will be flagged as potentially unsafe under certain circumstances, such as when they are downloaded from a web page. While these content types are not automatically launched, if manually opened they could lead to the execution of a malicious payload.

c++filt (CVE-2008-2310): A format string issue exists in c++filt, which is a debugging tool used to demangle C++ and Java symbols. Passing a maliciously crafted string to c++filt may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems prior to Mac OS X 10.5.

Dock (CVE-2008-2314): When the system is set to require a password to wake from sleep or screen saver, and Exposé hot corners are set, a person with physical access may be able to access the system without entering a password. This issue does not affect systems prior to Mac OS X 10.5.

Launch Services (CVE-2008-2311): A race condition exists in the download validation of symbolic links, when the target of the link changes during the narrow time window of validation. If the “Open ’safe’ files” preference is enabled in Safari, visiting a maliciously crafted website may cause a file to be opened on the user’s system, resulting in arbitrary code execution. This issue does not affect systems running Mac OS X 10.5 or later.

Net-SNMP (CVE-2008-0960): An issue exists in Net-SNMP’s SNMPv3 authentication, which may allow maliciously crafted packets to bypass the authentication check. Additional information is available from US-CERT.

Ruby: Multiple memory corruption issues exist in Ruby’s handling of strings and arrays, the most serious of which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of strings and arrays. Also, if WEBrick is running, a remote attacker may be able to access files protected by WEBrick’s :NondisclosureName option.

SMB File Server (CVE-2008-1105): A heap buffer overflow exists in the handling of SMB packets. Sending malicious SMB packets to a SMB server, or connecting to a malicious SMB server, may lead to an unexpected application termination or arbitrary code execution.

System Configuration (CVE-2008-2313): A local user may be able to populate the User Template directory with files that will become part of the home directory when a new user is created. This could allow arbitrary code execution with the privileges of the new user. This issue does not affect systems running Mac OS X 10.5 or later.

Tomcat: Tomcat version 4.x is bundled on Mac OS X v10.4.11 systems. Tomcat on Mac OS X v10.4.11 is updated to version 4.1.37 to address several vulnerabilities, the most serious of which may lead to a cross-site scripting attack. Further information is available via the Tomcat site.

VPN (CVE-2007-6276): A divide by zero issue exists in the virtual private network daemon’s handling of load balancing information. Processing a maliciously crafted UDP packet may lead to an unexpected application termination. This issue does not lead to arbitrary code execution.

WebKit (CVE-2008-2307): A memory corruption issue exists in WebKit’s handling of JavaScript arrays. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. Along with this fix, the version of Safari for Mac OS X v10.5.4 is updated to 3.1.2.

Updates can be retrieved and installed using Mac OS X’s integrated update feature.

Cross-Domain Vulnerability In Microsoft Internet Explorer 6

Friday, June 27th, 2008

A new Microsoft Internet Explorer 6 vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain. Proof-of-concept code for this vulnerability is already available. The vulnerability could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials. At this time, Internet Explorer 7 and Firefox do not appear to be affected by this issue.

The vulnerability is caused by an input validation error when handling the “location” or “location.href” property of a window object. It was first published two days ago in an article in the Chinese security e-zine pstzine. The issue is very similar to the “Ghost Page” issues in IE, which were originally raised by security researchers Manuel Caballero and Fukami at Microsoft BlueHat 2008.

Until a patch is available, IE6 users should disable scripting in the browser. Another option might be upgrading to Microsoft Internet Explorer 7 or using an alternative browser to help mitigate the risk.

Trojan In The Wild Exploits Recently Discovered Bug In Mac OS X Remote Management

Sunday, June 22nd, 2008

Security researchers from SecureMac have discovered multiple variants of a new Trojan horse in the wild that affects Mac OS X 10.4 and 10.5. The Trojan horse is currently being distributed from a hacker website, where discussion has taken place on distributing the Trojan horse through iChat, Apple’s instant messaging and video chat software, and LimeWire.

Researchers at SecureMac, a Mac-specific anti-virus vendor, discovered the Trojan on June 19. The Trojan, AppleScript.THT, was classified as a “critical” threat. SecureMac’s warning came one day after an anonymous reader disclosed a few details of the ARDAgent vulnerability on Slashdot.org, and on the same day that rival security vendor Intego provided more information about the bug.

The malware exploits a recently publicized vulnerability in the Apple Remote Desktop Agent (ARDAgent), part of Tiger’s and Leopard’s Remote Management component. Written as a compiled AppleScript, or in another variant as a script bundled into an application, the Trojan leverages the ARDAgent bug to gain full control of the victimized Mac.

The Trojan horse runs hidden on the system, and allows a malicious user complete remote access to the system, can transmit system and user passwords, and can avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan horse can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.

The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items.

Like any Trojan horse, AppleScript.THT does not spread on its own but relies on user interaction, such as downloading and launching, to infect a machine. Trojans can also be silently introduced onto a computer if they are injected after a successful attack using another vulnerability, such as a browser bug.

Users can protect themselves by removing ARDAgent from its normal location, System/Library/CoreServices/RemoteManagement, and archiving the application. MacScan 2.5.2 (software from SecureMac) can also protect your system against this threat if you have the latest Spyware Definitions update (2008011), dated June 19th. SecureMac recommends that users download files only from trusted sources and sites.

New Firefox 3.0 Is Vulnerable To High-Severity Code Execution

Wednesday, June 18th, 2008

A code execution vulnerability found in the latest Firefox 3.0 could allow an attacker to execute arbitrary code and completely take over the vulnerable process, potentially allowing the machine running the process to be completely controlled by the attacker. The flaw found in Firefox 3.0 is considered a high-severity risk and also affects earlier Firefox 2 versions, including the latest 2.0.0.14.

Several hours after the official release, an unnamed researcher sold a critical code execution vulnerability to TippingPoint’s Zero Day Initiative (ZDI), a company that buys exclusive rights to software vulnerability data. The vulnerability puts Firefox 3.0 users at risk of PC takeover and malware infection attacks.

Technical details are being withheld until Mozilla’s security team develops a patch. TippingPoint researchers continue to study the flaw to see whether user interaction, such as clicking on a link or visiting a malicious web page, is required for successful exploitation.

Until there is a patch, Firefox users should avoid clicking on links that arrive via e-mail or in IM messages from unknown or suspicious sources. At this point, there are no reports of this issue being exploited.

Mozilla Firefox 3.0 Final Version Available For Download

Tuesday, June 17th, 2008

Mozilla Corp. launched a new Firefox version, 3.0, on June 17. This is a major update to the open-source browser that adds a new search tool, anti-hacking protection and revamped bookmarking. The first major revision of Firefox since late 2006, Firefox 3.0 was posted to Mozilla’s servers at 1 p.m. Eastern time.

Firefox 3.0 first entered public testing with an Alpha 1 release in December 2006. The first of several beta versions was released in November 2007. The browser moved to release candidate stage last month. The third and final release candidate hit Mozilla’s servers less than a week ago.

The updated browser features a redesigned address bar that can be used to search for previously visited pages using keywords or characters in either the URL or the page title. It also has a Google-powered anti-malware blocker that warns users before they reach a site hosting malicious code, as well as an enhanced tool for handling bookmarks and keeping track of the user’s browsing history. The browser’s performance has also been improved, and its memory leaks have been fixed.

According to the most recent data from Net Applications Inc., Firefox accounted for 18.4% of all browsers used in May, ranking it second behind IE (73.8%) and ahead of Apple Inc.’s Safari (6.3%).

As of 3:30 p.m. Eastern time today, Mozilla’s download servers were available and offering the final version of the open-source browser’s latest update. Within minutes of Firefox 3.0’s official launch at 1 p.m. Eastern time, Mozilla’s servers were overwhelmed by the traffic.

As part of the launch promotion, Mozilla had urged users to help set a single-day download record. No such record currently exists, Mozilla had admitted late last month in a FAQ, but it was pursuing one nonetheless. “This is the first record attempt of its kind, so there is no set number. We’d really like to outdo the number of Firefox 2 downloads on its launch day, which was 1.6 million,” Mozilla said in the FAQ.

After a blackout of more than an hour caused by users trying to download the final release of Firefox 3.0, Mozilla Corp. has restored service to its servers and Firefox 3.0 can now be downloaded from Mozilla’s site.
