January 2007 - Posts
SAP is the largest business application and Enterprise Resource Planning (ERP) solution software provider in terms of revenue.
CYBSEC Security Systems has discovered a vulnerability in SAP IGS (Internet Graphics Service) which, when exploited, can result in remote code execution with LocalSystem privileges on Windows and with the privileges of the SAP system administrator account on UNIX systems.
For more information about the vulnerability, read here.
SAP has already released a solution for this and customers that are affected should apply the patch as soon as possible. For more information about the patch read SAP Note 968423.
Link to SAP Internet Graphics Service (IGS) Remote Buffer Overflow
President Bush signed a bill last week making a controversial practice known as "pretexting," a federal offense.
The law specifically forbids the act of misrepresentation, impersonation or deception in order to obtain personal telephone information. Just five months ago, pretexting fell into a gray area of the law.
Source: It's Official: Pretexting Is Illegal - News by InformationWeek
porkythepig has discovered two vulnerabilities in Microsoft Help Workshop, which can be exploited by malicious people to compromise a user's system.
Microsoft Help Workshop Two Buffer Overflow Vulnerabilities
Secunia Advisory: SA23862
Release Date: 2007-01-22
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Microsoft Help Workshop 4.x
Description:
porkythepig has discovered two vulnerabilities in Microsoft Help Workshop, which can be exploited by malicious people to compromise a user's system.
1) A boundary error when processing .CNT files can be exploited to cause a stack-based buffer overflow via a specially crafted .CNT file.
2) A boundary error when processing .HPJ files can be exploited to cause a stack-based buffer overflow via a specially crafted .HPJ file with an overly long string as the HLP value in the OPTIONS section.
Successful exploitation allows execution of arbitrary code.
The vulnerabilities are confirmed in version 4.03.0002. Other versions may also be affected.
Solution:
Do not open untrusted CNT or HPJ files.
Provided and/or discovered by:
porkythepig
Original Advisory:
http://archives.neohapsis.com/archives/bugtraq/2007-01/0426.html
http://archives.neohapsis.com/archives/bugtraq/2007-01/0459.html
Link to Microsoft Help Workshop Two Buffer Overflow Vulnerabilities
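The second finding above is the classic shape of a file-format stack overflow: an INI-style project file is parsed, and the value of one key (here HLP in the [OPTIONS] section) is copied into a fixed-size buffer without comparing its length against the buffer. The following is an added illustration of that bug class, not Help Workshop's code and not an exploit: a toy parser for the [OPTIONS] section with the unchecked copy beside the checked one. The buffer size HLP_MAX, the function names and the sample .HPJ text are all invented for the example.

```c
/* Added example: toy parser for the [OPTIONS] section of a Help Workshop
 * .HPJ project file (INI-style "[SECTION]" / "KEY=VALUE" text).
 * This is NOT Help Workshop's code; HLP_MAX and the sample inputs are
 * invented to make the missing bound check visible. */
#include <stdio.h>
#include <string.h>

#define HLP_MAX 64   /* hypothetical fixed-size destination buffer */

/* Constructed sample project file (not a real Help Workshop artifact). */
const char SAMPLE_HPJ[] =
    "[OPTIONS]\n"
    "HLP=myhelp.hlp\n"
    "TITLE=My Help\n"
    "\n"
    "[FILES]\n"
    "topics.rtf\n";

/* Locate KEY inside [SECTION]. Returns a pointer to the value and its
 * length (to end of line, CR stripped) or NULL if absent. Matching is
 * case-sensitive here for brevity. */
static const char *ini_find(const char *text, const char *section,
                            const char *key, size_t *len)
{
    int in_section = 0;
    size_t seclen = strlen(section), keylen = strlen(key);
    const char *p = text;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen && p[linelen - 1] == '\r')
            linelen--;                          /* tolerate CRLF files */

        if (linelen > 0 && p[0] == '[') {
            in_section = (linelen == seclen + 2 &&
                          strncmp(p + 1, section, seclen) == 0 &&
                          p[seclen + 1] == ']');
        } else if (in_section && linelen > keylen && p[keylen] == '=' &&
                   strncmp(p, key, keylen) == 0) {
            *len = linelen - keylen - 1;
            return p + keylen + 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return NULL;
}

/* Vulnerable pattern: attacker-controlled length, fixed-size destination.
 * Returns 1 if HLP was found and copied, 0 if not present.
 * With a value of HLP_MAX bytes or more this writes past 'out'. */
int hlp_copy_unchecked(const char *hpj, char *out)
{
    size_t len;
    const char *v = ini_find(hpj, "OPTIONS", "HLP", &len);
    if (!v) return 0;
    memcpy(out, v, len);          /* no comparison against HLP_MAX: the bug */
    out[len] = '\0';
    return 1;
}

/* Hardened form: reject the value before touching the buffer.
 * Returns 1 on success, 0 if HLP is absent, -1 if the value is too long. */
int hlp_copy_checked(const char *hpj, char *out)
{
    size_t len;
    const char *v = ini_find(hpj, "OPTIONS", "HLP", &len);
    if (!v) return 0;
    if (len >= HLP_MAX) return -1;  /* leave room for the terminator */
    memcpy(out, v, len);
    out[len] = '\0';
    return 1;
}

/* Build a constructed .HPJ whose HLP value is n bytes of 'A'.
 * Returns 0 on success, -1 if dst is too small. */
int build_long_hpj(char *dst, size_t dstsz, size_t n)
{
    static const char head[] = "[OPTIONS]\nHLP=";
    size_t hl = sizeof head - 1;
    if (hl + n + 2 > dstsz) return -1;
    memcpy(dst, head, hl);
    memset(dst + hl, 'A', n);
    dst[hl + n] = '\n';
    dst[hl + n + 1] = '\0';
    return 0;
}

int main(void)
{
    char out[HLP_MAX], big[512];
    int rc = hlp_copy_checked(SAMPLE_HPJ, out);
    printf("benign file:   rc=%d HLP=%s\n", rc, out);
    build_long_hpj(big, sizeof big, 200);
    rc = hlp_copy_checked(big, out);
    printf("overlong HLP:  rc=%d (rejected before copying)\n", rc);
    /* hlp_copy_unchecked(big, out) would write 200 bytes into a 64-byte
     * stack buffer; deliberately not executed here. */
    return 0;
}
```

The point of the pair is that the parser itself is fine: the length it reports is correct either way. The difference is only whether that length is compared against the destination before the copy, which is the check a file-format fuzzer finds missing when a long string in an untrusted file crashes the consumer.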
We have done further study on the MMS exploit discovered by Collin Mulliner.
The exploit affects most Pocket PC Phone Edition and Windows Mobile devices that use versions of the ArcSoft MMS Composer predating August 2006.
Fortunately, most vendors are providing updates that patch the vulnerability, but unfortunately they don't necessarily mention this in their updates. If you are unsure whether your phone vendor is providing the update, we recommend checking the vendor's support page and contacting them if they don't have information available.
We have tried the exploit with several devices, and unless the shellcode is crafted for that particular device and the MMS application happens to be in the correct memory slot, the only result is a crash of the MMS application.
As mentioned previously, we added detection for Exploit/MMS.A in the December 30th update for F-Secure Mobile Anti-Virus for Windows Mobile devices. So we decided to shoot a short video clip of the Anti-Virus in action, stopping the corrupted MMS message before the user is able to open it.
The video was shot with a QTEK 9100 that has a vulnerable version of the MMS software installed.
On 10/01/07 At 12:04 PM
Link to Further Information on the Pocket PC MMS Exploit
As mentioned below, consider blocking the domain medbod.com to prevent Medbot from downloading new code.
Oh man, there's a lot of spam out there nowadays.
No wonder, too.
The Warezov gang is using variants of Warezov and Medbot/Horst to send out medication and replica spam. The Rustock gang is using Mailbot.AZ and variants to send out stock spam. The Warezov gang is apparently operating from China and the Rustock boys from Russia.
For more background info, read the "Connecting the Warezov domain dots" entry posted two months ago.
Machines infected with Medbot use a client-server architecture. They connect to a central server to get further instructions as well as spam content and address lists. Then they get to the work of actually sending the spam.
The server addresses keep changing. Last week seek21.zootseek.com was used to serve e-mail addresses to the bots. While investigating the case last week, we downloaded some 68 Gigabytes of e-mail addresses from this server.

Another good example of the client-server architecture is the service running at http://seeky.zootseek.com/d/body.html. This URL serves randomized HTML templates for different spam mails.
The URL is live at the moment of this posting. If you access it and reload the page, you'll get a different spam template every time.

And by the way, you might want to block access to all hosts under the domain medbod.com (as it is used by Medbot to download updated bot code).
On 18/01/07 At 01:53 PM
Link to Commercial-grade redundant client-server backend systems - for SPAM
As reported on Donna's SecurityFlash weblog, Agnitum (maker of Outpost Firewall) is rather critical of the firewall included with Windows Vista.
Donna already makes mention in her post of the still-unpatched vulnerabilities in Agnitum's own firewall offerings, but then today I read this on the Virus Bulletin RSS feed:
'Security researchers at Matousec, known to VB readers from their firewall leak tests, have released details of an exploit taking advantage of a weakness in Agnitum's Outpost firewall product.
The attack exploits a weakness in the self-protection system used by Outpost to prevent tampering with its own files. Full details of the exploit are available online for malicious use, and no patch has yet been made available, as the vendor was informed of the problem at the same time as the public disclosure.
It is believed the flaw affects various versions between 3.0.5 and 4.0.1, and can only be exploited from the local system. The release from Matousec is here, with an alert from heise security here'
Vulnerability Summary CVE-2007-0264
Original release date: 1/16/2007
Last revised: 1/17/2007
Source: US-CERT/NIST
Overview: Buffer overflow in Winzip32.exe in WinZip 9.0 SR-1 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long command line argument. NOTE: this issue may cross privilege boundaries if an application automatically invokes Winzip32.exe for untrusted input filenames, as in the case of a file upload application. NOTE: The provenance...
Link to National Vulnerability Database (CVE-2007-0264) - Buffer overflow in Winzip32.exe in WinZip 9.0 SR-1
Fellow blogger Harry Waldron posted this info to an e-mail list, so I hope he won't mind me using it.
Sun Java GIF Image Processing Buffer Overflow Vulnerability
http://secunia.com/advisories/23757/
http://www.frsirt.com/english/advisories/2007/0211
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102760-1
http://www.zerodayinitiative.com/advisories/ZDI-07-005.html
Rating: Highly critical
QUOTE: A vulnerability has been reported in Sun Java Runtime Environment (JRE), which can be exploited...
Link to Sun Java GIF Image Processing Buffer Overflow Vulnerability
Vulnerable: Real Networks RealPlayer 10.5
RealNetworks RealPlayer is prone to a remote denial-of-service vulnerability because the application fails to handle specially crafted files. Exploiting this issue allows remote attackers to crash the application...
Link to RealPlayer MID File Handling Remote Denial of Service Vulnerability
It's only been a few days since Microsoft released its first update for 2007, and already exploit code for MS07-004 has been introduced to the malicious community and is now being used in the wild.
MS07-004 is the security update for a vulnerability in Vector Markup Language (VML), which replaced the earlier MS06-055 update. For more information about the vulnerability, click here.
As of now our engineers are creating patterns to detect exploits of the vulnerability, and we'll update you with them soon.
The release of exploits in the wild by malware authors a few days after Microsoft's update has already become a trend, and you can be sure that we are always on the watch for these cases. But right now the best defense is always to patch your systems with the latest update from Microsoft. I hope you system admins already did, and if not, you need to seriously rethink whether you're in the right field. =p
Link to MS07-004 code in the WILD
FTA: In an analysis of threats tracked or identified by FaceTime Security Labs, 1,224 unique threats on greynet applications were reported in the past year, with attacks over peer-to-peer networks increasing by 140 percent over 2005 and multi-channel attacks increasing from 18 percent in 2005 to 29 percent of all attacks in 2006.
A full page of stats and quotes and stuff here. The two things that leap off the page for me are these two findings, from the 2006 "Greynets Survey":
- Four in ten end users (39%) believe they should be allowed to "install the applications they need on their work computers," independent of IT oversight or policy.
- Fifty-three percent of end users report they "tend to disregard" company policies that govern greynet usage, specifically IM and peer-to-peer file sharing.
.....whoops.
Link to 2006 Review of IM / P2P Threats
Microsoft is pleased to announce the Fundamental Computer Investigation Guide for Windows, which is now available for download.
Best Practices and Tools for Computer Investigations
If you're like many of our customers, you're facing a growing problem...
Link to Fundamental Computer Investigation Guide for Windows Now Available!
As posted on the F-Secure weblog... you may want to block the below URL as well as the linked list of URL's.
After a relatively short period of inactivity, Warezov has returned with about a dozen new variants in the last 24 hours. Variant KA received its moniker at the end of yesterday with update 2007-01-15_13. There is also a new domain to block: ertikadeswiokinganfujas.com. You'll find a more comprehensive list here.

F-Secure Internet Security 2007's System Control feature still automatically denies these latest variants.
On 16/01/07 At 08:55 AM
Link to Warezov.KA

There's an update for the Acer ActiveX component vulnerability we posted on last week. Details can be found via US-CERT. The patch is named "Acer Preload Security Patch for Windows XP" and can be found here.
On 16/01/07 At 09:02 AM
Link to Acer's Vulnerability Hotfix
I've just recently wrapped up evaluation and testing of several enterprise antispyware applications. Our main products of interest were McAfee's AntiSpyware Enterprise module for VirusScan Enterprise, Webroot's Spy Sweeper Enterprise, and Sunbelt's CounterSpy Enterprise.
In my testing, I found that the McAfee product's detection and removal capabilities left much to be desired... but Spy Sweeper Enterprise and CounterSpy Enterprise seemed rather close in detection and removal accuracy, with Spy Sweeper slightly edging out CounterSpy.
Despite this, we've made the decision to recommend CounterSpy. I found the product to be extremely simple to administer, and as I'm a rather frequent reader of SunbeltBlog, I'm aware that there's a 2.0 release just around the corner which is only going to improve an already impressive product.
I'm interested to hear -- what product (or products) are you using in your environment to manage malicious software? What would you recommend if you had to purchase an application now?