February 2006 - Posts

Winamp buffer overflow

Published: 2006-02-25,
Last Updated: 2006-02-25 15:33:14 UTC by Brian Granier (Version: 1)

We have been monitoring a reported flaw with Winamp 5.12 and 5.13. A buffer overflow condition with a playlist containing a long file name can cause the application to crash at best and execute arbitrary code at worst. To date, we are not aware of any POC that uses this vulnerability successfully for malicious purposes. This problem is fixed in Winamp 5.2 so users are advised to update. More details about this issue can be found at http://secunia.com/advisories/18848.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Thanks again to Ron for getting the blogs up and running again.

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: February 22, 2006

********************************************************************

Security Advisories Updated or Released Today
=============================================

* Security Advisory (914457)

- Title: Possible Vulnerability in Windows Service ACLs

- Reason For Update: Added Microsoft Knowledge Base Article 914392

- Web site: http://go.microsoft.com/fwlink/?LinkId=61165

Support:
========

Technical support resources can be found at:

http://go.microsoft.com/fwlink/?LinkId=21131

W32/Feebs again (NEW)

Published: 2006-02-22,
Last Updated: 2006-02-22 10:26:13 UTC by Daniel Wesemann (Version: 1)

Looks like a new variant of W32/Feebs is making the rounds. Fellow handler Bojan has spent quite some time with de-obfuscating the JavaScript and VB code, and we're still looking at what it does besides downloading base64 encoded versions of W32/Feebs. You might want to zap access to *.coconia.net / *.by.ru / *.kazan.bz / *.t35.com / *.freecoolsite.com / *.nm.ru until the AV vendors have the patterns lined up.

If some of these domains sound vaguely familiar... http://isc.sans.org/diary.php?storyid=1035

Update 1023 UTC: Looks like it spreads as an email with subject "Secure Message from GMail.com user", and contains a ZIP attachment (data.zip in the sample at hand), which in turn contains a file "Encrypted Html File.hta", which contains the heavily obfuscated JavaScript exploit code that triggers the W32/Feebs download from the above sites.
 
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
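A mail-gateway check for the Feebs vector the diary describes (subject line, ZIP attachment carrying an .hta, and the domain block list). This is an added example, not code from the ISC handlers; the sample message it builds is constructed here and the .hta inside it is an inert stub.

```python
# Added example (not from the ISC diary): flags mail matching the W32/Feebs
# vector. Subject, attachment and .hta names come from the diary; the sample is constructed.
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

FEEBS_SUBJECT = "Secure Message from GMail.com user"
BLOCKED_DOMAINS = ("coconia.net", "by.ru", "kazan.bz", "t35.com",
                   "freecoolsite.com", "nm.ru")

def host_is_blocked(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed domain (the *.domain rule)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def zip_members_with_ext(data: bytes, ext: str) -> list[str]:
    # Names inside an in-memory ZIP that end with ext; [] if data is not a valid ZIP.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(ext)]
    except zipfile.BadZipFile:
        return []

def feebs_indicators(raw_mail: bytes) -> list[str]:
    """Return the Feebs indicators found in a raw RFC 822 message."""
    msg = message_from_bytes(raw_mail)
    hits = []
    if (msg.get("Subject") or "").strip() == FEEBS_SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue  # only ZIP attachments are opened
        payload = part.get_payload(decode=True) or b""
        for member in zip_members_with_ext(payload, ".hta"):
            hits.append(f"zip:{fname}!{member}")  # HTA nested in the ZIP
    return hits

def build_sample_mail() -> bytes:
    """Constructed sample shaped like the diary's description (inert .hta, no payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Encrypted Html File.hta", "<html><!-- inert stub --></html>")
    msg = EmailMessage()
    msg["Subject"] = FEEBS_SUBJECT
    msg.set_content("Please see the attached secure message.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="data.zip")
    return msg.as_bytes()
```

Feed `feebs_indicators` the raw bytes of each inbound message; a non-empty result is worth quarantining, and `host_is_blocked` can gate the proxy or resolver for the download sites.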

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 21, 2006
********************************************************************

Security Advisories Updated or Released Today
==========================================

* Security Advisory (906267)

  - Title: A COM Object (Msdds.dll) Could Cause Internet Explorer to Unexpectedly Exit    

  - Web site: http://go.microsoft.com/fwlink/?LinkId=51466
  
  - Reason For Update: Advisory updated to direct customers to Security Bulletin MS05-052, "Cumulative Security
    Update for Internet Explorer".


WHERE'S MY RIFLE???

Multiple Exploits Available for MS06-005 and MS06-006 (NEW)

Published: 2006-02-17,
Last Updated: 2006-02-17 13:28:51 UTC by Chris Carboni (Version: 1)

The 'sploit writers have been busy.

In the last 24 hours a total of four exploits have been released - two each for MS06-005 and MS06-006.

MS06-005 - Vulnerability in Windows Media Player Could Allow Remote Code Execution

MS06-006 - Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Australia: First WMF mass mailer ItW (phishing Trojan)

Gadi - February 16, 2006 on 1:59 pm | In Web, Commentary, Virus, Phishing |

The first worm (mass mailer) to (ab)use the WMF 0day is now spreading in Australia.

Our initial reports indicate the worm is not massive, however it steals financial information from users (Phishing Trojan from a known group) it infects and is causing quite a buzz in Australian media. We expect it to break as a full-blown media hype this morning, tops tomorrow morning.

The worm *does* do the said damage, but as we said does not seem to be widely spread. No reports outside of Australia have been received as of yet.

The emails themselves do not contain the payload, but rather a URL to sites that will infect users. Both the sites that did this are now down; I expect the next one to be up soon (or the bad guys will just get a new variant out in a few days). Abusing websites is mostly how WMF is exploited, but not much in the way of emails before today.

(almost) All anti-virus vendors do not detect this worm (it’s new), a couple detect it heuristically. (almost) All anti-virus vendors detect the attachment regardless because of the WMF exploit detection routines.

Hopefully, all AV companies will detect this soon. I know most will.

“Regular Phishing” as we all know it, asking us for information by means of simple email, is alive, kickin' and will still be with us 10 years from now. However, it is slowly decreasing in volume while Phishing Trojan attacks are getting more and more common.

If you are in Australia, you already heard about this for sure... but not clearly. Otherwise, this is it before the media gets their hands on it.

We will update as necessary when we know more. The Australians have done a good job on this.

Gadi Evron,
ge@linuxbox.org.


SecuriTeam Blogs » Australia: First WMF mass mailer ItW (phishing Trojan).

Patch'em if you got'em!!

MS06-005 proof of concept exploit released (NEW)

Published: 2006-02-16,
Last Updated: 2006-02-16 04:03:36 UTC by Jason Lam (Version: 1)

The proof of concept exploit for MS06-005 has been released. The exploit crafts a malicious BMP file to perform a buffer overflow in Media Player. Keeping in mind, as Microsoft has pointed out, that the exploiting factor can include other graphics files as well (such as .wmp), it's a good idea to get it patched ASAP.

------------
Jason Lam

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Looks like Microsoft fixed that issue with MS06-007 deployment early this morning...

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: February 14, 2006

********************************************************************

Summary
=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS06-007

Bulletin Information:
=====================

* MS06-007

- http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx

- Reason for revision: Security Update FAQ Section updated to reflect an issue, now resolved, that affected the deployment of this update through Automatic Update, Windows Update, Microsoft Update, Windows Server Update Services and Systems Management Server 2003 when using the Inventory Tool for Microsoft Updates.

- Originally posted: February 14, 2006

- Updated: February 14, 2006

- Bulletin Severity Rating: Important

- Version: 1.1

********************************************************************

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: February 14, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Security Advisory (914457)

  - Title:    Possible Vulnerability in Windows Service ACLs

  - Web site: http://go.microsoft.com/fwlink/?LinkId=61165
  
  - Reason For Update: Additional services identified, Windows XP Service Pack 2 and Windows 2000 clarification


* Security Advisory (913333)

  - Title:    Vulnerability in Internet Explorer Could Allow
    Remote Code Execution

  - Web site: http://go.microsoft.com/fwlink/?LinkId=57064
  
  - Reason For Update: Advisory updated to direct customers to Security Bulletin MS06-004, "Cumulative Security Update for
    Internet Explorer" and to remove all references to Internet Explorer 5.5 Service Pack 2 on Windows Millennium.

Problems with MS patch KB913446 (for the IGMP issue, MS06-007) (NEW)

Published: 2006-02-14,
Last Updated: 2006-02-14 19:58:30 UTC by Jim Clausing (Version: 1)

A number of our readers have written in (and some of the handlers have duplicated the issue) to report that when using Microsoft Update or autoupdate the patch (KB913446) downloads, but fails to install with Error Code: 0x80242006.  The version located here, however, does not appear to have this issue.  Until Microsoft fixes the former, you may want to install that one patch manually.  Our summary of all of the bulletins will be posted shortly.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Information on IE Drag and Drop Issue

Hey – Brian here. As we’re gearing up for release tomorrow I wanted to take a second to discuss a recent posting of a security issue to some mailing lists. Matt Murphy, a well known security researcher, posted an alert today regarding a “drag and drop” issue affecting Windows. I actually handled this case and worked with Matt. We’ve been working with Matt for quite some time on this issue, and I want to thank him for working with us. We’ve had some long Instant Messenger sessions and E-mail threads while we worked together to understand the issue.


To provide some insight on this issue, it is different from past drag-and-drop issues like MS05-014. For example, the issue fixed by MS05-014 could be exploited by taking a “drag-and-drop” action within IE, like using the scrollbar.  This issue is different. In working with Matt and our internal teams we found this issue has very exact and specific requirements. It is only problematic in specific circumstances that require the user to take a specific action timed very precisely.


The specific configuration consists of having two windows open: one an IE window, and the other a folder to a resource. The specific user action is the user clicking and dragging an object from the IE window over to the folder window. The timing is very exact: when this is happening the windows would flip back and forth visibly at a set interval. The user would have to time it such that they catch the windows as they’re flipping back and forth.


We will update the behavior, but in looking at the severity of the issue and balancing the risk inherent in any fix, we believe a future service pack is the best way to address this issue. Some thoughts on fixing issues in service packs – service packs allow for additional testing, including beta testing, to reduce the risk of quality issues impacting 3rd party applications. This extra testing is especially important for complicated fixes that require extensive behavior changes. That said, we work hard to make sure that when we resolve issues found in service packs (as opposed to security updates) these are only for issues that are of a reduced severity, and we continually monitor those issues for a change in status.


I hope this provides some additional insight to this issue, and answers some questions. We’ll continue to work with Matt and others that have questions on this as we continue the investigation.

Published Monday, February 13, 2006 10:48 PM by stepto

Welcome to the Microsoft Security Response Center Blog! : Information on IE Drag and Drop Issue.

New IE 0-Day Drag-N-Drop-N-PopUnder-N-GrabFocus-N-DoTheHokeyPokey Vuln. (NEW)

Published: 2006-02-13,
Last Updated: 2006-02-13 21:58:52 UTC by Tom Liston (Version: 1)

Info on a new "0-day" IE Drag-n-Drop vulnerability can be found here. All things considered, it looks to be a mite bit "complex" to come off well, but it may very well be usable. However, I would say that it'll probably be sitting near the bottom of the list of most popular attacks as long as we still have machines out there vulnerable to WMF and other, easier to do, nasties.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Bagle and Olympics Posted by Katrin @ 17:07 GMT

A new Bagle is spreading in messages related to the Olympic games in Torino. It arrives in messages offering a free ticket for the games or to participate in a lottery to win a free ticket.

We added detection of it as Bagle.FY in update version number 2006-02-13_06.


F-Secure : News from the Lab - February of 2006.

This don't look good...

Websense Security Labs(TM) has received reports of a new Internet Explorer "zero-day" vulnerability which could allow the launching of code without consent from the end-user. The vulnerability, which was discovered by Matthew Murphy, is similar to the "drag-and-drop" vulnerability that has been exploited in the past.

As the vulnerability outlines, a specially crafted website would have to dupe a user into dragging and dropping an item from one window to the other. Upon releasing the mouse in the newly focused window the code will run without consent.

Although we believe this vulnerability is not as easy to exploit as some in the past, (see WMF vulnerability) a risk still remains. We have experimented with deception scenarios and believe that users could be duped into following the necessary actions to be exploited.

Our honey clients are currently scanning for malicious websites that are using this vulnerability and have not detected any as of yet. Upon discovery additional information will be provided.

Vulnerability details:

  http://www.securiteam.com/windowsntfocus/5MP0B0UHPA.html

Websense® - Security Labs Alert: New I.E. Zero Day.

Here are some notes from the SecuriTeam bulletin listed above:

Vendor response:
Microsoft was informed of this vulnerability on August 3, 2005. Currently, the company has no plans to issue a security update to correct this vulnerability. Fixes for this issue are scheduled to be included in Service Pack 2 of Windows Server 2003 and Service Pack 3 of Windows XP. Of particular note is that Windows 2000 users will *NOT* receive an update to correct this vulnerability.

Microsoft's internal risk-assessment concluded that this issue was not sufficiently serious to be fixed in a security bulletin. This conclusion appears fundamentally inconsistent with the way related issues were handled by Microsoft. In particular, the drag-and-drop vulnerability patched by MS05-013 received an "Important" rating.

I disagree with the technical conclusion behind Microsoft's decision and I further find the timeframe of delivery and deployment for maintenance releases to be largely unsuitable for security fixes of any significant magnitude. I find the harm this decision could potentially inflict upon down-level users (most importantly, users of Windows 2000) to be unjustified by the technical concern Microsoft has raised to me. Microsoft also rejected a request that it consider the issue for inclusion in a later security update as a "Moderate" risk issue.

Due to Microsoft's noncommittal and generally unimpressive response to the issue, this advisory is being issued to inform users of this vulnerability such that defensive action may be taken as desired.

We have seen this happen here; glad to know it is being taken care of. Thanks to Roger for alerting me to the blog post.

Microsoft Anti-Spyware Deleting Norton Anti-Virus

Microsoft's Anti-Spyware program is causing troubles for people who also use Symantec's Norton Anti-Virus software; apparently, a recent update to Microsoft's anti-spyware application flags Norton as a password-stealing program and prompts users to remove it.

According to several different support threads over at Microsoft's user groups forum, the latest definitions file from Microsoft "(version 5805, 5807) detects Symantec Antivirus files as PWS.Bancos.A (Password Stealer)."

When Microsoft Anti-Spyware users remove the flagged Norton file as prompted, Symantec's product gets corrupted and no longer protects the user's machine. The Norton user then has to go through the Windows registry and delete multiple entries (registry editing is always a dicey affair that can quickly hose a system if the user doesn't know what he or she is doing) so that the program can be completely removed and re-installed.

I put in calls to Microsoft and to Symantec on this issue, but am still waiting to hear back from both companies.

Microsoft said it is shipping updates that fix this problem, but judging from the growing number of other threads on this in that forum, this is shaping up to be a pretty big issue for companies that have deployed Microsoft's free anti-spyware product inside their networks. It's a good idea to keep in mind that Microsoft's Anti-Spyware product is in beta mode: The company's product page explicitly says that Microsoft Anti-Spyware should not be deployed in production systems. I'm not apologizing for Redmond in any way; it just seems like too many people ignore warnings about beta products.

Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com).
