CyberInsecure.com

Archive for the ‘Windows’ Category

Fraunhofer SIT has presented a method for discovering the BitLocker drive encryption PIN under Windows. The method even works where TPM is used to protect the boot process. An attacker with access to the target computer simply boots from a USB flash drive and replaces the BitLocker bootloader with a substitute bootloader which mimics the BitLocker PIN query process but saves the PINs entered by the user to disk in unencrypted form.

Although the BitLocker boot process carries out an integrity check on the system, and thereby the Windows installation, it does not check the bootloader itself – not that the actual attack described even gets as far as the Windows boot process. Consequently, according to the Fraunhofer SIT report, even if a Trusted Computing Module (TPM) is fitted, it fails to protect against such an attack.

Once the substitute bootloader has saved the victim’s PIN to the hard drive, it rewrites the original bootloader to the MBR and restarts the system. The victim may indeed wonder why their computer is restarting, but then we’ve all seen computers suddenly decide to abort a boot and restart.

To get hold of the saved PIN, the attacker needs to gain access to the target computer for a second time, to once more boot up from a USB flash drive and then access the hard drive. The computer can then be rebooted and the PIN thus obtained used to open up BitLocker, allowing access to the protected Windows system.

The technique could be used to obtain data in targeted acts of industrial espionage. SIT is nonetheless keen to stress that, “Despite the security vulnerability, BitLocker is a good solution for hard drive encryption, as it offers good protection against the most common threat to sensitive data on a hard drive – loss or theft of the computer.”

A similar attack on system encryption using TrueCrypt was presented at Black Hat in July. Austrian security specialist Peter Kleissner used his Stoned bootkit to nobble the boot process in order to inject spyware onto the system and read off data. His method does not, however, work where TPM is in place, since the MBR hash no longer matches the stored version. The advantage of Kleissner’s method is that it only requires one-time access to the victim’s computer.

Credit: H-online.com Security

Miscreants have developed a ransomware package that blocks internet access in a bid to force infected users into paying up by sending a text message to a premium rate SMS number, lining the pocket of cybercrooks in the process.

The malware comes bundled in a package called uFast Download Manager and targets potential marks in Russia. Users of infected machines are told (via a Russian language message) that they need to send a text message in order to obtain an activation code for the product, which (ironically) poses as a software package designed to increase download speeds. Victims are told that internet access has been blocked in the meantime because of supposed violations of a licensing agreement.

The ploy is a variant on previous ransomware packages that encrypt and block access to document files. One strain of ransomware detected in January 2008 locks up Windows machines, seeking payment via SMS. That threat wasn’t specific to Russia and didn’t affect a net connection as such but is otherwise very similar to the latest attack.

CA, which detects the threat as RansomSMS-AH, explains how the malware works in greater depth in a blog posting featuring screenshots culled from infected machines.

English translation:

Internet access is blocked due to violation of the
license agreement schedules of uFast Download Manager
You must activate your copy

Get a registration code by sending an SMS with the following
code fw0004199 to number 7122

In response you will receive an activation message.

Enter the activation message received from the SMS response ________

The anti-virus vendor has developed an activation code generator that allows victims to get online again - providing they can download the utility through an uninfected machine first, of course.

CA ISBU activation code generator for this particular ransomware can be found here. It can create activation code only for ransomware detected by CA as Win32/RansomSMS.AH.

Credit: The Register, CA Community Blogs

Exploit code for a critical (remotely exploitable) vulnerability in Microsoft’s Internet Explorer 7 browser has been released on the Internet, prompting a new round “upgrade now!” warnings from computer security experts. The vulnerability could be used in malware attacks to take complete control of a Windows machine running IE 6 or IE 7, according to an advisory issued over the  weekend.

The vulnerability could be exploited by attackers to compromise a vulnerable system. This issue is caused by a dangling pointer in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the “getElementsByTagName()” method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page.

The vulnerability was confirmed on fully patched Windows XP SP3 systems with Internet Explorer 6 and 7. For IE users unable (or unwilling) to upgrade to IE 8, you can disable Active Scripting in the Internet and Local intranet security zones.

Security researchers at Symantec have tested the published exploit and warned that a fully-functional reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into Web sites, infecting potential visitors. For an attacker to launch a successful attack, they must lure victims to their malicious Web page or a Web site they have compromised. In both cases, the attack requires JavaScript to exploit Internet Explorer.

Microsoft has issued an advisory with mitigation guidance, it can be found here.

Credit: ZDNet.com Security Blogs

A bug in Microsoft’s Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said.

The documents stored in Adobe’s PDF format display the internal disk location where the file is stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches.

Google searches such as this one expose almost 4 million documents residing on users’ C drives alone. Combined with searches for other common drives, the technique exposes more than 50 million files that display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used.

“If they have those kind of PDFs, somebody can use search engines to find out user names or do more reconnaissance on the operating systems used,” he told The Register. “That actually invades the privacy of a user.”

The potentially sensitive data is included in PDFs that have been printed using Internet Explorer. The full path location is appended to its contents as soon as the Microsoft browser is used to print the document. Although the data isn’t always exposed when the document is viewed with Adobe Reader, it is easily readable when the file is opened in editors such as Notepad, and the text is also available to Google and other search engines.

The only way to remove the path is erase the text in an editor and save the document.

All versions of IE suffer from the bug. A Microsoft spokeswoman said company engineers are working to reproduce the reported behavior. “We can confirm that this is not a vulnerability,” she wrote in an email. Adobe representatives didn’t reply to requests for comment.

Credit: The Register

The latest version of Microsoft’s Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe. The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe. Microsoft was notified of the vulnerability a few months ago.

Ironically, the flaw resides in a protection added by Microsoft developers to IE 8 that’s designed to prevent XSS attacks against sites. The feature works by rewriting vulnerable pages using a technique known as output encoding so that harmful characters and values are replaced with safer ones. A Google spokesman confirmed there is a “significant flaw” in the IE 8 feature but declined to provide specifics.

It’s not clear how the protections can cause XSS vulnerabilities in websites that are otherwise safe. Michael Coates - a senior application security engineer at Aspect Security who has closely studied the feature but was unaware of the vulnerability - speculates it may be possible to cause IE 8 to rewrite pages in such a way that the new values trigger an attack on a clean site.

“If the attacker can figure out a flaw in the way IE 8 is actually doing that output encoding and then create a specific string the attacker will know will be transformed into an actual attack, they could use that to input a value … that actually results in an attack firing on the page,” he said. “This could be a way to introduce an attack into a page that didn’t have a vulnerability otherwise.”

XSS attacks are a way of manipulating a site’s URL to inject malicious code or content into a trusted webpage. Many security watchers have come to view the IE 8 protections as Microsoft’s answer to NoScript, a popular extension that helps prevent XSS and other types of attacks against users of the Firefox browser.

When Microsoft introduced the protections, it also created a way for webmasters to override the feature (by adding the response header “X-XSS-Protection: 0″). A review of the top 50 most visited websites shows that only web properties owned by Google have actually opted to do so. The small number of sites blocking the protection calls into question how widespread the vulnerability is.

In addition to potentially introducing serious vulnerabilities into webpages, the XSS protections can bring other undesirable results. That’s because its engine frequently flags perfectly acceptable characters as potentially harmful. An examples of such a false positive is here.

David Ross, a senior software security engineer for Microsoft, has said developers designing the feature aimed to strike strike a pragmatic balance between protecting users and not breaking the web.

“We needed to find a way to make the filtering automatic and painless and thus provide maximum benefit to users,” he wrote. “In summary, the XSS Filter will prove its worth by raising the bar and mitigating the types of XSS most commonly found across the web today, by default;, for users of Internet Explorer 8.”

Credit: The Register

Microsoft has helped discover a flaw in the Google Chome Frame plug-in for Internet Explorer users.

The plug-in allows suitably coded web pages to be displayed in Internet Explorer using the Google Chrome rendering engine. Redmond warned that the plug-in made IE less secure as soon as it became available back in September, an argument bolstered by the discovery of a cross-origin bypass flaw in the add-in

Successfully exploiting the flaw creates a means for hackers to bypass security controls though not to go all the way and drop malware onto vulnerable systems.

Microsoft and security researcher Lostmon are jointly credited with discovering the vulnerability in Google’s browser add-on.

Google acknowledged the flaw and urged users to update to version 4.0.245.1 of Google Chrome Frame. All users should be updated automatically to the latest version of the software, which also tackles a number of performance and stability glitches. Chief among these are problems handling iFrames, as explained in Google’s security advisory at http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html

Credit: The Register

Trojan attacks are likely in the wake of the Windows 7 product activation system cracks developed last week, less than a month after the release of Microsoft’s latest operating system.

The RemoveWAT (and the similar ChewWGA) utility allow a prospective Windows 7 user to bypass the Windows Genuine Advantage registration procedure. Both hacks circumvent product activation without the need to have OEM keys, unlike earlier hacks on pre-release code.

Security firm Sunbelt Software warns that Trojans posing as Win 7 cracks are very likely to follow.

“RemoveWAT and Chew-WGA… join the grimy world of cracks and key-gens – oft-Trojanised applications that defeat activation passwords or other security on legitimate software,” writes Sunbelt researcher Tom Kelchner.

“Trojanized versions of RemoveWAT and Chew-WGA soon will be available on websites and file-sharing networks near you. Look for them (or maybe we should say ‘look out for them’),” he added.

The release of the Win 7 cracking tools last week came as little surprise to security watchers.

Richard Kirk, European director at application vulnerability firm Fortify, noted that similar types of cracks arrived shortly after the release of Windows Vista in January 2007, and were solved when Microsoft issued an update. “Similar utilities for Windows XP also started appearing in the summer of 2005, shortly after the Windows Genuine Advantage system was made mandatory in July of that year,” he added.

Credit: The Register

As part of its scheduled batch of patches for November, Microsoft today issued six security bulletins with fixes for a total of 15 vulnerabilities affecting its Windows and Office product lines. Four of the six bulletins include patches for Windows and Windows Server and two affect Microsoft Office products (Excel and Word).

Three of the six bulletins are rated “critical,” meaning they can be used to launch remote code execution or worm attacks without any user action. One of the Windows vulnerabilities could expose users to drive-by malware attacks via the browser, Microsoft warned.

Microsoft is urging Windows users to pay special attention to MS09-065, a “critical” bulletin that patches three documented vulnerabilities in Windows Kernel-Mode drivers. Microsoft expects to see functional exploit code for this flaw very soon.

This Patch Tuesday also brings:

MS09-063 (Maximum severity rating of Critical): Resolves one privately reported vulnerability in Windows, which could allow remote code execution if an affected Windows system receives a specially crafted packet. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

MS09-064 (Maximum severity rating of Critical): Patches one privately reported vulnerability in Windows, which could allow remote code execution if an attacker sent a specially crafted network message to a computer running the License Logging Server. An attacker who successfully exploited this vulnerability could take complete control of the system.

MS09-066 (Maximum severity rating of Important): This update resolves one privately reported vulnerability in Windows, which could allow denial of service if stack space was exhausted during execution of certain types of LDAP or LDAPS requests.

MS09-067 (Maximum severity rating of Important): This update resolves eight privately reported vulnerabilities in Office, which could allow remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user.

MS09-068 (Maximum severity rating of Important): This update resolves one privately reported vulnerability in Office, which could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Microsoft also reissued MS09-045 and MS09-051 to address detection and minor problem issues.

On the MSRC blog, Microsoft is offering charts explaining the severity and exploitability of each vulnerability and visual guidance on how to properly prioritize and deploy the updates.

The company’s Security Research & Defense Blog offers a technical breakdown of some of the more serious vulnerabilities at http://blogs.technet.com/srd.

Credit: ZDNet.com Security Blogs

A recently conducted test by malware researchers reveals that eight out of ten malware samples used in the test, successfully bypassed Windows 7’s default UAC (user access control) settings. The findings were also confirmed by a separate test done by another company, with an emphasis on how one of the most popular scareware variants bypassed the UAC’s default settings as well.

On October 22nd, researchers settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. They configured it to follow the system defaults for User Account Control (UAC) and did not load any anti-virus software. They grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft’s claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.

The findings are in fact not surprising, since the main problem with Windows 7’s UAC lies in the over-expectation of the average end user. Just like free antivirus software relying entirely on signatures based scanning only, the over-expectation of Windows 7’s UAC may in fact fool a large number of users that third-party security software is not a necessity.

Just like end users, enterprises already migrating to Windows 7 face the same security issues. In response to feedback that users were forced to respond to too many prompts in Windows Vista, the new operating system introduces a new approach to User Account Control (UAC), providing a four-position “slider” feature to control how often UAC pop-ups occur. While these changes to Windows 7’s UAC benefit the home user market, enterprises must recognize that the new slider feature can only be applied to users logged in as administrators and may increase security risks.

Further, Windows 7 introduces no new features to solve the application compatibility issues experienced by standard users in previous versions of the operating system. “The most secure configuration option for enterprises that deploy Windows 7 remains running end-users as standard users, with administrator rights removed,” said Eric Voskuil, CTO, BeyondTrust.

Credit: ZDNet.com Security Blogs

A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account.

News reports say $479,247 vanished from a bank account belonging to the Cumberland County Redevelopment Authority after it was hit by Clampi. The trojan gets installed by tricking users into clicking on a file attached to email and then lies in wait for the victim to log in to online financial websites. The authority has so far been able to recover $109,467 of the stolen loot.

The theft is part of a rash of online heists that have stolen millions of dollars from businesses and non-profit organizations. While circumstances are different in each case, they all point to a single point of failure: Each theft relied on the successful compromise of a Windows-based system.

It was this undeniable fact that led Brian Krebs - author of the Security Fix blog which over the past month has published a series of articles detailing high-stakes bank thefts - to recommend Windows machines no longer be used by those who choose to do their banking online.

“I do not offer this recommendation lightly,” he wrote. “But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection.”

Indeed, the Clampi variant that hit the Cumberland redevelopment authority reportedly was able to succeed even though employees used an automated clearing house token that generated a different eight-digit access code every minute or so. Redevelopment authority officials didn’t return calls seeking comment.

Credit: The Register