June 2006 - Posts

Two new Internet Explorer vulnerabilities disclosed including PoC (NEW)

Published: 2006-06-30,
Last Updated: 2006-06-30 07:28:33 UTC by Bojan Zdrnja (Version: 3)

Two vulnerabilities in Internet Explorer were published yesterday to the Full-Disclosure mailing list along with their associated PoC code.

The first is a critically rated IE vulnerability in the handling of HTA applications (CLSID 3050f4d8-98B5-11CF-BB82-00AA00BDCE0B): the user is tricked into opening a file by double-clicking it. The file has to be reachable over SMB or, according to the advisory, WebDAV, so it can be hosted on a remote site.  The currently published PoC is limited in that it requires the user to double-click an icon before the potentially malicious payload runs, but we can expect to see creative use of this exploit in the wild very soon.  The workaround appears to be disabling active scripting.

The second vulnerability concerns the handling of the object.documentElement.outerHTML property. Abusing this property lets an attacker retrieve remote content in the context of the web page the user is currently viewing. This can be potentially nasty, as an attacker can use it to retrieve data from other web sites the user is logged into (for example, webmail) and harvest user credentials.  Several handlers have spent more time validating this particular issue; while it is a subtle exploit and rated a lower risk, it has raised some of our neck hairs.

Microsoft is investigating both issues and Secunia posted a PoC web page for the second vulnerability that you can find at http://secunia.com/internet_explorer_information_disclosure_vulnerability_test.

Regarding the second vulnerability, what's interesting is that we were able to reproduce this even when using Mozilla Firefox.

We have not received any reports of these vulnerabilities being actively exploited in the wild. Please let us know if you have more information and we'll update the diary accordingly.

** Another tool worth a 'Handler tools' mention, applicable as a general protection tool and increasingly used for testing malicious code and reviewing potentially malicious websites, is Sandboxie.  Browse safely over to http://www.sandboxie.com.

UPDATE 06/28/06
We have been getting comments about the statement that Firefox is vulnerable. After repeated testing, one of the handlers has confirmed that it is definitely vulnerable. The code found at Secunia will not catch vulnerable versions of Firefox, but the original PoC found on Full-Disclosure will work on Firefox.

UPDATE 06/30/06
After doing more research on this vulnerability and with great help from our readers (thanks to Dan and another reader) it seems that Mozilla Firefox is not affected by this vulnerability.

The (obvious) reason for this is that Firefox doesn't support the outerHTML property at all (innerHTML is supported). As the property is not supported, the original context can't get any data from the HTML that was loaded into the <object> tag.

If you test this with the original PoC posted on Full-Disclosure, you will notice that Firefox loads the target web page into the object tag, but the alert call (which runs in the original context) cannot get any data from it. In Internet Explorer 6 this is not the case: script in the original context can access the data that was loaded into the object tag.

The fact that Firefox displays the target web page has nothing to do with this vulnerability (apart from the fact that it can confuse the user, but that's another story); so in this context it's no different than using an iframe.

Internet Explorer 7 is also not affected by this vulnerability.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

iTunes < 6.0.5 vulnerability & patch released (NEW)

Published: 2006-06-29,
Last Updated: 2006-06-29 21:49:43 UTC by Toby Kohlenberg (Version: 1)

Apple has released an update for iTunes that fixes an integer overflow in the AAC file parsing that can lead to code execution. Y'all want to get this one patched and updated.

http://docs.info.apple.com/article.html?artnum=61798
APPLE-SA-2006-06-29 iTunes 6.0.5

iTunes 6.0.5 is now available and, in addition to its other content,
fixes the following security issue:

CVE-ID:  CVE-2006-1467
Available for:  Mac OS X v10.2.8 or later, Windows XP / 2000
Impact:  An integer overflow in iTunes could cause a denial of
service or lead to the execution of arbitrary code
Description:  The AAC file parsing code in iTunes versions prior
to 6.0.5 contains an integer overflow vulnerability. Parsing a
maliciously-crafted AAC file could cause iTunes to terminate or
potentially execute arbitrary code. iTunes 6.0.5 addresses this
issue by improving the validation checks used when loading AAC
files. Credit to ATmaCA working with TippingPoint and the Zero Day
Initiative for reporting this issue.
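The advisory says only that the AAC parser's validation checks were improved. As an added illustration (not Apple's code and not the actual iTunes bug), here is a toy length-prefixed atom parser of the kind MP4/AAC containers use, showing the integer-overflow pattern the advisory describes beside the check that closes it. The atom layout assumed here (4-byte big-endian payload size, 4-byte type tag, payload) and the sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define ATOM_HEADER 8u   /* 4-byte size field + 4-byte type tag (assumed layout) */

/* Big-endian 32-bit read, as used by MP4/AAC-style containers. */
static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (constructed, not iTunes code).  The attacker-controlled
 * payload size has the header length added to it in 32-bit arithmetic, so a
 * size of 0xFFFFFFF8 wraps to 0: the bounds check passes, and a caller would
 * then malloc(0) and copy 0xFFFFFFF8 bytes into it.  Returns the allocation
 * size the flawed logic would request, or -1 if the atom is rejected. */
int64_t vulnerable_atom_alloc_size(const uint8_t *buf, size_t buf_len) {
    if (buf_len < ATOM_HEADER) return -1;
    uint32_t payload = read_be32(buf);           /* attacker-controlled */
    uint32_t total = payload + ATOM_HEADER;      /* can wrap */
    if (total > buf_len) return -1;              /* defeated by the wrap */
    return (int64_t)total;                       /* would be passed to malloc() */
}

/* Hardened: refuse sizes that would wrap, and refuse payloads longer than the
 * bytes actually present in the file, before any arithmetic is trusted. */
int64_t hardened_atom_alloc_size(const uint8_t *buf, size_t buf_len) {
    if (buf_len < ATOM_HEADER) return -1;
    uint32_t payload = read_be32(buf);
    if (payload > UINT32_MAX - ATOM_HEADER) return -1;       /* would wrap */
    if ((size_t)payload > buf_len - ATOM_HEADER) return -1;  /* truncated file */
    return (int64_t)payload + (int64_t)ATOM_HEADER;
}

/* Constructed sample atoms, each in a 16-byte "file": one claiming 0xFFFFFFF8
 * payload bytes, one benign with a 4-byte payload, one claiming more bytes than
 * the file holds. */
const uint8_t crafted_atom[16]   = { 0xFF, 0xFF, 0xFF, 0xF8, 'm', 'd', 'a', 't',
                                     0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t benign_atom[16]    = { 0x00, 0x00, 0x00, 0x04, 'm', 'd', 'a', 't',
                                     1, 2, 3, 4, 0, 0, 0, 0 };
const uint8_t truncated_atom[16] = { 0x00, 0x00, 0x00, 0x64, 'm', 'd', 'a', 't',
                                     0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    const uint8_t *samples[3] = { crafted_atom, benign_atom, truncated_atom };
    const char *names[3] = { "crafted", "benign", "truncated" };
    for (int i = 0; i < 3; i++) {
        printf("%-10s vulnerable=%lld hardened=%lld\n", names[i],
               (long long)vulnerable_atom_alloc_size(samples[i], 16),
               (long long)hardened_atom_alloc_size(samples[i], 16));
    }
    return 0;
}
```

The crafted atom passes the vulnerable check with a requested allocation of 0 bytes, which is exactly the undersized-buffer condition that turns a later copy into a heap overflow; the hardened version rejects it before the addition is ever performed.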


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Cisco Wireless Access Point Vulnerability Announced (NEW)

Published: 2006-06-29,
Last Updated: 2006-06-29 17:35:11 UTC by Toby Kohlenberg (Version: 1)

Cisco has released a vulnerability disclosure for their Wireless Access Points:

http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml

The vulnerability is in the APs' web-browser interface: changing an admin-access setting can wipe the security configuration, leaving the administrative interface reachable without authentication.

To quote Cisco:

A vulnerability exists in the access point web-browser interface when Security > Admin Access is changed from Default Authentication (Global Password) to Local User List Only (Individual Passwords). This results in the access point being re-configured with no security, either Global Password or Individual Passwords, enabled. This allows for open access to the access point via the web-browser interface or via the console port with no validation of user credentials.

The following access points are affected if running Cisco IOS® Software Release 12.3(8)JA or 12.3(8)JA1 and are configured for web-interface management:

  • 350 Wireless Access Point and Wireless Bridge
  • 1100 Wireless Access Point
  • 1130 Wireless Access Point
  • 1200 Wireless Access Point
  • 1240 Wireless Access Point
  • 1310 Wireless Bridge
  • 1410 Wireless Access Point
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

OK Symantec this is getting pretty ridiculous.  You have put out an update for these two products every month since 10.1 came out in March of 2006.  Don’t even get me started on your product before that. 

Now this latest “update” is over 400 MB and appears to be a whole new CD. We have been trying to get this deployed at our company for over a year, and now it looks like we start testing all over again.

The SAVCE version has gone from 10.1.0.401 to 10.1.4.4000, so it looks like someone has been busy this last month.  My question is, was this product even FINISHED when you first released it??  Looks like Symantec has a long way to go before they have software testing down. 

Come on guys, I used to trust your software and recommend it to others.  Now I am not so sure I would.

For the full release notes on this “update”, go here: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid_p/2006050314483048


Email Blast, From the Past

A Microsoft Word document was mass-spammed today, which exploits MS01-034.  While this vulnerability was patched nearly 5 years ago, the DOC file can still deliver its payload if users allow Word to run the malicious macro within.  Spammed messages use attachment names such as apple_prices.zip, prices.zip, and sony_prices.zip.  The archive contains a file named my_notebook.doc, which contains a list of notebooks for sale:

  • Apple MacBook Pro MA463LL/A 15.4″ Notebook PC
  • HP Pavilion DV8230US 17″ Notebook PC
  • Sony VAIO VGN-FS830/W 15.4″ Notebook PC

The DOC file also contains a macro that drops a downloader trojan, which in turn downloads a parasitic virus that is itself a downloader.

The infection trail can be represented like this:

Spammed email message -> ZIP attachment (prices.zip) ->
Malicious DOC file / Macro (my_notebook.doc) -> Dropped EXE file (666inse_1.exe) ->
Downloaded File (zmacro.txt) -> Downloader Files (…)

This is all attributed to the Sality virus author.  Sality is a parasitic infector that uses DLL injection and encryption.  It also contains a downloader payload to install adware, remote access trojans, keyloggers, proxy servers, etc.; yet another recent case of a parasitic virus delivering spyware.

Detection for the DOC file and the dropped downloader trojan (666inse_1.exe) will be included in the next DAT release as W97M/Dropexe and Generic Downloader.ab respectively.  Existing W32/Sality.t detection (released May 31, 2006) covers the downloaded Sality virus.

Speaking of old vulnerabilities being targeted by malware, MS03-011 (patched for more than 3 years) is still on the list of top threats being reported by VirusScan Online customers (see Exploit-ByteVerify).  Again, this is exploited by the distributors of spyware in the shape of drive-by downloads.

McAfee Avert Labs Blog » Blog Archive » Email Blast, From the Past.

********************************************************************

Title: Microsoft Security Bulletin Re-Release

Issued: June 27, 2006

********************************************************************

Summary

=======

The following bulletin has undergone a major revision increment.

Please see the appropriate bulletin for more details.

* MS06-025

Bulletin Information:

=====================

* MS06-025

- http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx

- Reason for Revision: Microsoft updated this bulletin and the associated security updates to address the issues affecting customers identified in Microsoft Knowledge Base Article 911280.

- Originally posted: June 13, 2006

- Updated: June 27, 2006

- Bulletin Severity Rating: Critical

- Version: 2.0

********************************************************************


Word macro trojan dropper and (another) downloader (NEW)

Published: 2006-06-27,
Last Updated: 2006-06-27 22:41:08 UTC by Bojan Zdrnja (Version: 1)

We've seen a lot of new malware being spammed in the last couple of hours.

The first exploits an old vulnerability in Microsoft Word, MS01-034 (http://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx). This vulnerability allows an attacker to execute embedded macros regardless of the macro security level the user has configured in Word. Of course, as this is a pretty old vulnerability, only terribly outdated installations will be affected. In any newer version of Microsoft Word the macro security setting is High by default, so only macros signed by trusted sources are executed and all other macros are disabled; a user would have to lower this setting to Medium (prompt before running) or Low in order for this macro to run.

The Word document comes in a ZIP file and, once opened, installs a Trojan. Detection of the Word document is pretty good at the moment.
The document pretends to list computer prices:



The other malware is a plain old (and boring?) downloader, but we've seen a large number of e-mails being spammed with it. The downloader uses typical social engineering to trick the user into opening the archive: the e-mail tells the user there's a nice photo in the attachment, and the executable name is something like DC0019.JPG__[lots of _]__JPG.exe, with padding that pushes the real .exe extension out of sight in most file-name displays.
The executable always seems to be in a ZIP archive; sometimes the archive is encrypted (in which case the password is in the e-mail body) and sometimes it isn't.

Once executed, the downloader installs itself on the system and tries to download two files:

http:// 206.204.52.54  /img/util/logo_nav.jpg

which is a Symantec logo (more social engineering) and

http:// 218.239.223.224 /flash/menu.swf

this is a site in Korea and the last time we checked the file was not there.

AV detection is pretty low at the moment and only a couple of AV products detect this: Symantec, NOD32, Norman, Trend Micro and Sophos. They detect it either as a downloader or generically (Bloodhound.W32.EP in Symantec's case).
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Excel Issue Scorecard

Published: 2006-06-25,
Last Updated: 2006-06-25 01:00:02 UTC by Kevin Liston (Version: 2)

To help clearly identify the issues, exploit code and remedies related to the recently announced Excel vulnerabilities, I offer this humble correlation.  This information comes from Microsoft, Mitre, and vigilant readers sending in tips.  My thanks go to all.

CVE-2006-3059 aka "Excel Repair Mode" http://www.microsoft.com/technet/security/advisory/921365.mspx
Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B

CVE-2006-3086 aka "Long Hyperlink"   http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Exploited by: Urxcel.A, and three known public exploit code examples

CVE-2006-3014 aka "Shockwave vulnerability"
Exploited by proof of concept code Flemex.A
The workaround is setting the kill bit for the affected control

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Reminder about MS06-025 (NEW)

Published: 2006-06-25,
Last Updated: 2006-06-25 12:35:54 UTC by Kevin Liston (Version: 2)

The original patch from Microsoft caused problems with dialup, and Microsoft has discussed development of a revised patch.  Exploit code that leverages this issue is available.  It allows an authenticated attacker to execute arbitrary code on Windows 2000 SP4, Windows 2003 and XP SP2 systems (we can't comment on anything earlier because they're no longer supported :-P).  Previous versions allow unauthenticated attackers to execute arbitrary code, your garden-variety "bad-thing(tm)."

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 23, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (921923)
  - Title: Proof of Concept Code Published Affecting the Remote
    Access Connection Manager
  - http://www.microsoft.com/technet/security/advisory/921923.mspx

********************************************************************

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: June 21, 2006

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS06-024

* MS06-025

* MS06-027

* MS06-028

* MS06-032

Bulletin Information:

=====================

* MS06-024

- http://www.microsoft.com/technet/security/bulletin/ms06-024.mspx

- Reason for Revision: Bulletin revised "Registry Key Verification" for Windows Media Player 9 on Windows 2000.

- Originally posted: June 13, 2006

- Updated: June 21, 2006

- Bulletin Severity Rating: Critical

- Version: 1.1

* MS06-025

- http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx

- Reason for Revision: Bulletin updated throughout to provide additional differentiation between RRAS, RAS and RASMAN components.

- Originally posted: June 13, 2006

- Updated: June 21, 2006

- Bulletin Severity Rating: Critical

- Version: 1.2

* MS06-027

- http://www.microsoft.com/technet/security/bulletin/ms06-027.mspx

- Reason for Revision: Updated the "What updates does this release replace?" for Word 2003.

- Originally posted: June 13, 2006

- Updated: June 21, 2006

- Bulletin Severity Rating: Critical

- Version: 1.2

* MS06-028

- http://www.microsoft.com/technet/security/bulletin/ms06-028.mspx

- Reason for Revision: Bulletin revised the "What updates does this release replace?" under the "Frequently Asked Questions (FAQ) Related to this Security Update" section.

- Originally posted: June 13, 2006

- Updated: June 21, 2006

- Bulletin Severity Rating: Critical

- Version: 1.2

* MS06-032

- http://www.microsoft.com/technet/security/bulletin/ms06-032.mspx

- Reason for Revision: "FAQ Related to This Security Update" section updated to clarify MS05-019 bulletin replacement. "Vulnerability Details" section of the bulletin was also updated to provide additional information on Disable IP Source Routing.

- Originally posted: June 13, 2006

- Updated: June 21, 2006

- Bulletin Severity Rating: Important

- Version: 1.1

********************************************************************

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: June 21, 2006

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (921365)

- Title: Vulnerability in Excel Could Allow Remote

Code Execution

- http://www.microsoft.com/technet/security/advisory/921365.mspx

- Revision Note: Advisory revised to provide additional clarity around the "Impact of Workaround" under "On Excel 2003, prevent Excel Repair mode by modifying the Access Control List (ACL) to the Excel Resiliency registry key" in the "Workarounds for Microsoft Excel Remote Code Vulnerability" section and to update the "Advisory Status".

********************************************************************

Yahoo! Login Server Problems (NEW)

Published: 2006-06-21,
Last Updated: 2006-06-21 15:06:36 UTC by Scott Fendley (Version: 2)

We have received a number of reports indicating problems with various parts of Yahoo! services (mail, IM, groups). These services all seem to work properly with cached credentials, so we suspect that there is a problem with part of the authentication system.  We have _no_ confirmed information of what is the source of these difficulties, but will continue to monitor and update this diary when more information is available.

Update: One of our readers, Nick, pointed to a possible explanation. XDisclose released an advisory about Yahoo! vulnerabilities, located at http://www.xdisclose.com/XD100001.txt . With so little concrete evidence, I do not know whether this is coincidental or not.

<Disclaimer>  We cannot confirm the true source of this morning's authentication failures.  So do not yell at us if the above is truly coincidental, or related to maintenance gone awry, or something else entirely.   </Disclaimer>

ISC Handlers

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

This explains some things. I have been having trouble with Yahoo for a couple of weeks now, maybe something finally broke.
