CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Vista’ Category

Critical Flaws Patched By Apple in QuickTime 7.5 Update

Tuesday, June 10th, 2008

Apple has released QuickTime 7.5, which fixes a number of security bugs. The update is highly critical and patches at least five code execution vulnerabilities in Windows XP, Windows Vista and Mac OS X. It fixes multiple buffer overflows, memory corruption issues and URI handling flaws that could allow malicious hackers to launch exploits with QuickTime movie or image files.

Apple’s security improvements include fixes for:

CVE-2008-1581 (for Windows Vista and Windows XP SP2): An issue in QuickTime’s handling of PixData structures when processing a PICT image may result in a heap buffer overflow. Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect systems running Mac OS X.

CVE-2008-1582 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A memory corruption issue exists in QuickTime’s handling of AAC-encoded media content. Opening a maliciously crafted media file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of media files.

CVE-2008-1583 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A heap buffer overflow exists in QuickTime’s handling of PICT images. Opening a maliciously crafted PICT image file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CVE-2008-1584 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): An issue in QuickTime’s handling of Indeo video codec content may result in a stack buffer overflow. Viewing a maliciously crafted movie file with Indeo video codec content may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by not rendering Indeo video codec content.

CVE-2008-1585 (for Mac OS X v10.3.9, Mac OS X v10.4.9 - v10.4.11, Mac OS X v10.5 or later, Windows Vista, XP SP2): A URL handling issue exists in QuickTime’s handling of file: URLs. This may allow arbitrary applications and files to be launched when a user plays maliciously crafted QuickTime content in QuickTime Player. This update addresses the issue by revealing files in Finder or Windows Explorer rather than launching them.

Research Shows Vista Is Almost As Vulnerable As Its Predecessors

Monday, May 19th, 2008

According to Techworld, an analysis from the Australian company “ThreatFire” reveals that Vista is almost as vulnerable as its predecessors. Data from the ThreatFire user base shows that 58,000 PCs running Vista were compromised by at least one piece of malware over the six months to May 2008, equivalent to 27% of all Vista machines probed. Vista made up 12.6% of the 1,513,502 machines running Windows in the user base.

In total, Vista suffered 121,380 instances of malware from its 190,000 user base. That rate of malware detection per system is proportionally lower than that of XP, which saw 1,319,144 malware infections from a user base of 1,297,828 machines, but it indicates a problem that is worse than Microsoft has been admitting to.

Just one week ago, PC Tools revealed that Vista was as likely to be hit with software vulnerabilities as Windows 2000, a claim that was denied by a Microsoft staffer in a blog. As PC Tools makes clear, the fact that malware was detected did not mean harm had been done, simply that Vista’s own security had in some way been circumvented to the degree that its ThreatFire tool stepped in.

PC Tools notes that all systems used in the research pool were at the very least running PC Tools’ ThreatFire and that, because the technology is behavioral-based, the data refers to threats that actually executed and triggered behavioral detection on the client machine. In response to alternative research from Microsoft’s Malicious Software Removal Tool, PC Tools highlights that the MSRT is not a comprehensive anti-virus scanner, but a malware removal tool for a limited range of “specific, prevalent malicious software”.

PC Tools also publicized details of some of the malware types it has found on Vista systems during its scans, including three pages of variants based on Trojan.Agent, a few of which were described as serious.

Microsoft Patches Critical Database And Office Flaws

Tuesday, May 13th, 2008

Microsoft released four fixes on Tuesday to close a half dozen security holes, including a vulnerability in the Microsoft Jet database which is currently being exploited by attackers. The most serious of them is a bug in Microsoft’s Jet Database Engine, a component built into Windows XP, Windows Server 2003 and Windows 2000 that works with Visual Basic, Access and multiple third-party applications. Attack code for the vulnerability went public in November, and it is actively being exploited in the wild.

The security vulnerabilities affect various Microsoft Office products, the Jet database engine, and Microsoft’s Malware Protection Engine. Among the most critical flaws, the Microsoft Jet database engine vulnerability allows an attacker to execute code by accessing a database file through Microsoft Word. The company patched both the Jet database flaw and the Word flaw.

Vulnerabilities of the type Microsoft is patching today have been a favorite attack method among attackers, especially in stealthy attacks that seek to steal high-value intellectual property. Trojan horse attacks often use rigged Office files that exploit vulnerabilities in the productivity suite.

Microsoft patched two vulnerabilities in Microsoft Word, including one issue that could be exploited through the Outlook e-mail client because the software uses a component of Word to display rich text format (RTF) and Web (HTML) files in the preview pane. Attacks against Microsoft Office have jumped over the past two years, though most exploits generally require some user interaction, clicking “OK” in a dialog box, for all but the oldest versions of Office.

Microsoft also remedied an issue in the way that its Malware Protection Engine handles file scanning. Malware Protection Engine is used in Windows Live OneCare service and Microsoft Forefront and Antigen products. A specially crafted file could be used to lock up the program or to keep the program from working on incoming files, the company stated in its bulletin.

Vista Antimalware Fails VB100 Tests

Friday, April 4th, 2008

The latest independent Virus Bulletin tests looked at 37 different Vista-based security programs to see which could manage to reach the level of threat detection required for ‘VB100’ certification. Out of 37 tested, 17 failed the tests, including big-name products from McAfee, Sophos, and Trend Micro. The new test of anti-malware products running on the platform has found that many don’t work as well as they should.

VB100 sets an incredibly high detection bar of 100 percent of a subset of malware defined by a malware collection known as the ‘WildList.’ Programs must also, using default settings, avoid false positives, that is, falsely flagging files as malware-infected when they are in fact innocent.

While McAfee, Sophos and Trend detected 99.99 percent of the WildList, Doctor Web reached only 95.21 percent, and Security Coverage PC Live managed a hopeless 84.35 percent. Microsoft’s own oft-criticized Windows Live OneCare and Forefront Client Security both hit the VB100 100 percent mark.

“It is disappointing to see so many products tripping up over threats that are not even new - computer users should be getting a better service from their AV vendors than this,” said Virus Bulletin tester-in-chief John Hawes.

With the SP1 upgrade promising a raft of improvements to performance and functionality of the platform, we are likely to see a significant upturn in the number of people installing it on their desktops and it is therefore imperative that anti-malware vendors are able to provide solid protection on the platform.

Three programs were so problematic that they couldn’t, for a variety of reasons, be made to run properly, and were ditched from the full tests, while some working products struggled to run in a stable fashion on Vista. The tests were done before the SP1 update appeared.

MS Internet Explorer 7 Popup Window Address Bar Spoofing Vulnerability

Saturday, March 29th, 2008

Juan Pablo Lopez Yacubian reported that Internet Explorer 7 (also in all MS Vista versions) is affected by a URI-spoofing vulnerability.

An attacker may leverage this issue by inserting strings to spoof the source address of a file presented to an unsuspecting user. This may lead to a false sense of trust because the user may be presented with a source address of a trusted site while interacting with the attacker’s malicious site.

To exploit this issue, an attacker must entice an unsuspecting user to view a maliciously crafted web document. The following example exploit is available:

http://es.geocities.com/jplopezy/iespoof.html

Reports indicate that unspecified versions of Firefox are also prone to this issue, but that has not been confirmed.

Currently there are no vendor-supplied patches. If you are aware of a patch or more recent information, please comment.

Microsoft Released Service Pack 1 for Vista

Tuesday, March 18th, 2008

Microsoft has released a service update for all versions of its Windows Vista operating system. It is supposed to improve the stability, security and performance of the software. The update, or service pack, includes some fixes released before now and adds many new ones as well.

Microsoft has warned that the update could clash with some security software and other programs customers may have installed on their machine. Those using Vista can download the update directly from Microsoft or wait for it to be automatically installed on their machine in mid-April. Advice about drivers and prerequisites is provided on the Vista blog and in support articles.

Third-party software companies got mixed reactions to SP1. While it will open up access to the built-in search functionality for third-party desktop search apps, it has already raised problems for some third-party security software vendors whose utilities have been disrupted by the update.

On the security front, the service pack enables single sign-on for authenticated wired networks, which should streamline the end user experience in enterprise environments, in addition to many other updates.

While most users are likely to find Vista SP1 benign (if not beneficial), some organizations, such as large corporate IT departments, may wish to wait a while before deploying this software update. To do so, administrators should download the Windows Service Pack Blocker Tool, which will prevent the service pack from being installed. This tool creates a registry key entry that can be later removed by the administrator, and can be run remotely across a network.

Vista SP1 is being released initially in only five languages - English, French, Spanish, German, and Japanese. Another 31 will follow in mid-April when the software starts being pumped out to those that have their PCs automatically updated.

Microsoft recommends that Vista users go to Windows Update to get the service pack rather than use its download service. The version available via Windows Update is only 65 MB in size (compared to 434 MB via download) and can diagnose driver problems before installation.

Troubleshooting for those who would like to install the SP1:

1. Windows Vista Service Pack 1 is not available for installation from Windows Update and is not offered by Automatic Updates

2. Uninstall any previous SP releases
