September 2006 - Posts

A Report from the Field (NEW)

Published: 2006-09-29,
Last Updated: 2006-09-29 14:34:55 UTC by Kevin Liston (Version: 1)

Kevin Shea wrote in to report:

Yesterday morning (9/27) when dropping off my son at school, I told his first grade teacher about the VML exploits and patch availability. She said she had computers at home and would call her husband to make sure they were patched.


When my significant other picked him up around 5:30, the teachers were all talking about how her husband checked and found out they were infected with one of the trojans. Their bank accounts had been drained by electronic withdrawals and money transfers. Since it had occurred the day before, the bank (unknown) was able to reverse the transfers and replace the money in their accounts. They won't even bounce a check.

After receiving the report, I had a few questions and I received a prompt follow-up.  What the thieves did with the money was interesting.  Most of the funds were transferred out using one of those services where you can wire cash to people.  I'm not sure if these were wired to other accounts using the intermediary, or if people actually walked up to a counter to retrieve the funds.  They also used funds in this account to purchase background checks at certain people-search/information-broker companies.  Most likely this is an attempt to gather further identities in a way that won't tip off the broker.

Thanks for the report, Kevin. Study hard and get good grades next week at SANS Network Security in Las Vegas!  Don't poke your eye out with the antenna in SEC617.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Microsoft Security Advisory (926043)

Vulnerability in Windows Shell Could Allow Remote Code Execution

Published: September 28, 2006

Microsoft is investigating new public reports of a vulnerability in supported versions of Microsoft Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports.

The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View.

We are working on a security update currently scheduled for an October 10 release.

Customers are encouraged to keep their anti-virus software up to date.

Microsoft encourages users to exercise caution when they open e-mail and links in e-mail from untrusted sources. For more information about Safe Browsing, visit the Trustworthy Computing Web site.

We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, applying software updates and installing antivirus software. Customers can learn more about these steps at the Protect Your PC Web site.

Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country. Services. You can contact Product Support Services in the United States and Canada at no charge using the PC Safety line (1 866-PCSAFETY). Customers outside of the United States and Canada can locate the number for no-charge virus support by visiting the Microsoft Help and Support Web site.

Mitigating Factors:

In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

By default, Outlook Express 6, Outlook 2002, and Outlook 2003 open HTML e-mail messages in the Restricted sites zone. Additionally, Outlook 2000 opens HTML e-mail messages in the Restricted sites zone if the Outlook E-mail Security Update has been installed. Outlook Express 5.5 Service Pack 2 opens HTML e-mail messages in the Restricted sites zone if Microsoft Security Bulletin MS04-018 has been installed.

By default, Internet Explorer on Windows Server 2003 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability because ActiveX and Active Scripting are disabled by default.

Microsoft Security Advisory (926043): Vulnerability in Windows Shell Could Allow Remote Code Execution.

Active Exploitation of a Vulnerability in Microsoft PowerPoint

added September 27, 2006

We are aware of active exploitation of a remote code execution vulnerability in Microsoft PowerPoint. Successful exploitation may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

More information about this vulnerability can be found in the following:

  • Vulnerability Note VU#231204 - Microsoft PowerPoint contains an unspecified remote code execution vulnerability
  • Microsoft Security Advisory 925984

We recommend the following actions to help mitigate the security risks:

  • Do not open attachments from unsolicited email messages.
  • Install anti-virus software, and keep its virus signature files up-to-date.
  • Save and scan any attachments before opening them.

We strongly encourage users not to open unfamiliar or unexpected email attachments, even if sent by a known and trusted source. Users may wish to read Cyber Security Tip ST04-010 for more information on working with email attachments.

We will continue to monitor this issue and provide additional information as it becomes available.

US-CERT Current Activity.


Critical IE Vulnerability [WebViewFolderIcon - CVE-2006-3730]


Once again, in the name of “software security”, exploit code has been posted publicly that targets an unpatched Microsoft Internet Explorer (IE) vulnerability. This has been labeled as a 0-day exploit, but the first public release of this vulnerability happened on July 18, during a well known vulnerability researcher’s “Month of Browser Bugs” bloganza. The original proof of concept code posted to the blog resulted in IE crashing. The code released yesterday and today allows for the execution of arbitrary code.

I contend that a public exploit released 2+ months after the initial 0-day attack can not be considered a 0-day.

Of course in the real world, it doesn’t make much difference. As I write this blog entry, Microsoft hasn’t yet acknowledged this threat, but I suspect that we will see some information soon, only 72+ days after the 0-day attack was made public. Call it a 0-day, or call it a 72nd-day, either way users are still vulnerable.

That said, the odds of being attacked by this threat were extremely low two days ago. Now that exploit code has been served up on a platter for the bad guys to use, we can expect many attacks for some time to come.

Why is it that some vulnerability researchers feel victorious upon the release of a vendor patch, when it comes at the expense of so many innocent victims? Or maybe this really isn’t about making software more secure.


Computer Security Research - McAfee Avert Labs Blog.

Reselling stolen information Posted by Mikko @ 11:42 GMT

Haxdoor rootkit-equipped backdoors are widely used - in the "Rechnungen" and "Räkningen" spam runs in Germany and Sweden for example.
A-311 Death
These changing Haxdoor variants are generated with a toolkit known as "A-311 Death".

The toolkit itself is sold on the Internet by its author, known as "Corpse" or "Korpsov".

Now, people who use such backdoors quickly collect a lot of information from infected computers. Information such as passwords, credit cards, and bank logons. Some of these attackers filter the logs they collect to find juicy information and then use it themselves. Others grep the data for e-mail addresses (to sell them to spammers) and for credit card numbers and bank logins (to sell them to fraudsters).

Then again, others take the easy way out and end up selling the logs as they are, by the megabyte. Here's a screenshot from one forum:

380mb of logs

F-Secure : News from the Lab - September of 2006.

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: September 27, 2006

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (925984)

- Title: Vulnerability in PowerPoint Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/925984.mspx

- Revision Note: Advisory Published: September 27, 2006

* Microsoft Security Advisory (925444)

- Title: Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/925444.mspx

- Revision Note: Advisory updated to advise of limited attacks that attempt to use this vulnerability.

********************************************************************

Setslice Killbit Apps (NEW)

Published: 2006-09-28,
Last Updated: 2006-09-28 16:18:45 UTC by Tom Liston (Version: 2)

Well... here we are again...  seems like only last week, I was putting up killbit apps for "daxctle.ocx"... 

(and really, it was 10 days ago... sheesh, how time flies!)

Anyway, I've got two more for you, this time, setting the killbits on a couple versions of webvw.dll, and (as far as we can tell) shutting off access to the stuff that makes IE vulnerable to the "setslice" issue.  Note: we've tested these settings against the Metasploit project's test page, and they work.  Because MS hasn't released any information as of yet, we're sort of flying blind here...  However, that being said, the killbit method is great, because it is completely reversible.

There are two versions of the app, one a standard Windows program, the other a command-line version. 

The standard Windows app will tell you the status of the two killbits (ANDed together, for you programmer-types out there...) and give you the option to change them. (From SET to UN-SET, and vice versa...)

Standard Windows app: WEBVW.DLL_KillBit.exe - 2,560 bytes
MD5: f89b8896ed90f5387a57ed818294fe22

The command-line app will SET the killbits when run with no parameters, and UNSET them when run with any parameter (say "/r").  It will return 0 on success and 1 on failure.

Command line app: WEBVW.DLL_KillBit_cmd.exe - 3,548 bytes
MD5: ebc215850cd06b2de2d8e49428134271

UPDATE: Should anyone need to know, the CLSIDs that these apps are setting the killbit on are:

{844F4806-E8A8-11d2-9652-00C04FC30871} and
{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}

(Thanks to Mark for pointing out that I forgot to put that in the diary entry...)

Tom Liston - ISC Handler
Senior Security Consultant - Intelguardians

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Powerpoint, yet another new vulnerability (NEW)

Published: 2006-09-28,
Last Updated: 2006-09-28 02:09:35 UTC by Swa Frantzen (Version: 1)

Microsoft confirms yet another powerpoint vulnerability that leads to code execution.

References

Detection

McAfee has a writeup of the exploit they detected against this vulnerability to connect back to http:// mylostlove1 .6600 .org/[CENSORED] but variants of this will most likely connect to other places.

Affected

It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable.

Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs, ...

Defenses

  • Do not open ... but we all know how easy it is to social engineer people into opening things anyway.
  • Use the PowerPoint Viewer 2003 (nah, not an option if you have a Mac).
  • Filter and/or quarantine powerpoint files in the perimeter (prevent powerpoint email attachments and getting powerpoint files on the web), but it's not easy as it has genuine uses and it has the potential of not needing the ".ppt" file extension.
  • Keep antivirus signatures up to date.
  • Keep an eye out for a patch from Microsoft.
  • ...
If you do run into a sample, we're interested in obtaining one (to add to our collection ;-) ).

--
Swa Frantzen -- Section 66

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

MSIE: One patched, one pops up again (setslice) (NEW)

Published: 2006-09-28,
Last Updated: 2006-09-28 02:08:55 UTC by Swa Frantzen (Version: 1)

If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE.

So: No, surfing with MSIE is still not safe.

References

Defenses

  • Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
  • Disable ActiveX (take care: windowsupdate needs it, so you need to trust those sites)
  • Set the killbit:
    {844F4806-E8A8-11d2-9652-00C04FC30871}
    [unconfirmed at this point it's the right killbit, so proceed with caution]
  • Keep antivirus signatures up to date.
  • Keep an eye out for a patch from Microsoft.
  • ...
--
Swa Frantzen -- Section 66

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
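The two ISC diaries above ("Setslice Killbit Apps" and the defenses list in "MSIE: One patched, one pops up again") both recommend setting the IE killbit on the WebViewFolderIcon CLSIDs. The following PowerShell script is an added example and is not the handlers' WEBVW.DLL_KillBit tools; it assumes the documented IE kill-bit mechanism (bit 0x400 of the DWORD "Compatibility Flags" under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, with a Wow6432Node copy read by 32-bit IE on 64-bit Windows), uses the two CLSIDs from the diary, and mirrors the diary's command-line convention (no argument sets, any argument such as /r clears, exit 0 on success and 1 on failure). The file name Set-WebvwKillBit.ps1 is just a suggested name.

```powershell
# Added example (not the ISC handlers' WEBVW.DLL_KillBit tools): toggle the IE kill bit
# for the two WebViewFolderIcon CLSIDs named in the ISC diary.
# Relies on the documented kill-bit mechanism: bit 0x400 of the DWORD "Compatibility Flags"
# under ...\Internet Explorer\ActiveX Compatibility\{CLSID}.
# Usage (elevated prompt):  .\Set-WebvwKillBit.ps1        # set both kill bits
#                           .\Set-WebvwKillBit.ps1 /r     # clear them again

$KillBit = 0x400
$Clsids  = @(
    '{844F4806-E8A8-11d2-9652-00C04FC30871}',   # CLSIDs as listed in the diary
    '{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}'
)
# 32-bit IE on 64-bit Windows reads the Wow6432Node copy, so cover both when present.
$Bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Get-CompatFlags {
    # Current "Compatibility Flags" DWORD for a CLSID key, or 0 if the key/value is absent.
    param([string]$Key)
    if (-not (Test-Path $Key)) { return 0 }
    $v = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Test-KillBit {
    # True only if the kill bit is present for this CLSID in every base key.
    param([string]$Clsid)
    foreach ($b in $Bases) {
        if (((Get-CompatFlags (Join-Path $b $Clsid)) -band $KillBit) -eq 0) { return $false }
    }
    return $true
}

function Set-KillBit {
    param([string]$Clsid, [switch]$Remove)
    foreach ($b in $Bases) {
        $key = Join-Path $b $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = Get-CompatFlags $key
        # Touch only bit 0x400 so any other compatibility flags survive; this is what
        # keeps the change reversible.
        if ($Remove) { $flags = $flags -band (-bnot $KillBit) } else { $flags = $flags -bor $KillBit }
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $flags -Force | Out-Null
    }
}

# Same convention as the diary's command-line app: no argument sets, any argument clears.
$remove = ($args.Count -gt 0)
foreach ($c in $Clsids) { Set-KillBit -Clsid $c -Remove:$remove }

# Report the combined state (ANDed across both CLSIDs, like the diary's Windows app)
# and exit 0 on success, 1 on failure.
$allSet = $true
foreach ($c in $Clsids) { if (-not (Test-KillBit $c)) { $allSet = $false } }
Write-Output ("Kill bit set on both WebViewFolderIcon CLSIDs: {0}" -f $allSet)
$expected = -not $remove
if ($allSet -eq $expected) { exit 0 } else { exit 1 }
```

The change only affects browser instances started after it is applied, so restart IE after running it. Because the script masks a single bit rather than overwriting the value, running it again with /r restores exactly the prior state, which is the property the diary singles out as the main advantage of the killbit approach over removing or renaming webvw.dll.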

Microsoft PowerPoint Code Execution Vulnerability  

Secunia Advisory: SA22127  
Release Date: 2006-09-28
 
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched
 
Software: Microsoft Office 2000
Microsoft Office 2003 Professional Edition
Microsoft Office 2003 Small Business Edition
Microsoft Office 2003 Standard Edition
Microsoft Office 2003 Student and Teacher Edition
Microsoft Office 2004 for Mac
Microsoft Office X for Mac
Microsoft Office XP
Microsoft PowerPoint 2000
Microsoft PowerPoint 2002
Microsoft Powerpoint 2003
 
CVE reference: CVE-2006-4694 (Secunia mirror)


Description:
A vulnerability has been reported in Microsoft PowerPoint, which can be exploited by malicious people to compromise a user's system.

The vulnerability is due to an unspecified error when processing PowerPoint documents containing a malformed string. This can be exploited to corrupt system memory and may allow execution of arbitrary code when a malicious PowerPoint document is opened.

NOTE: This vulnerability is reportedly being exploited in the wild.

Solution:
Do not open untrusted Office documents.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Microsoft:
http://www.microsoft.com/technet/security/advisory/925984.mspx

Other References:
US-CERT VU#231204:
http://www.kb.cert.org/vuls/id/231204

 
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
 




Microsoft PowerPoint Code Execution Vulnerability - Advisories - Secunia

Nothing yet on this from Microsoft
Secunia Advisory: SA22159
Release Date: 2006-09-28

Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched

Software: Microsoft Internet Explorer 6.x

CVE reference: CVE-2006-3730 (Secunia mirror)


Description:
H D Moore has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an integer overflow error in the "setSlice()" method in the "WebViewFolderIcon" ActiveX control. This can be exploited to corrupt memory when e.g. visiting a malicious web site.

Successful exploitation allows execution of arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.

Solution:
Only allow trusted websites to run ActiveX controls.

Provided and/or discovered by:
H D Moore

Original Advisory:
H D Moore:
http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html


Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

Microsoft Internet Explorer "WebViewFolderIcon" Integer Overflow - Advisories - Secunia

Microsoft Security Advisory (925984)

Vulnerability in PowerPoint Could Allow Remote Code Execution

Published: September 27, 2006

Microsoft is investigating new public reports of limited “zero-day” attacks using a vulnerability in Microsoft PowerPoint 2000, Microsoft PowerPoint 2002, Microsoft Office PowerPoint 2003, Microsoft PowerPoint 2004 for Mac, and Microsoft PowerPoint v. X for Mac.

In order for this attack to be carried out, a user must first open a malicious PowerPoint file attached to an e-mail or otherwise provided to them by an attacker.

As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources. Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability.

Microsoft is also actively sharing information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks.

Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Microsoft Security Advisory (925984): Vulnerability in PowerPoint Could Allow Remote Code Execution.

Public Exploit Code for Microsoft WebViewFolderIcon ActiveX Control Vulnerability

added September 27, 2006

We are aware of publicly available exploit code for a new, unpatched vulnerability in Microsoft Internet Explorer. The exploit code targets a vulnerability in the Microsoft WebViewFolderIcon ActiveX control.

More information about this vulnerability can be found in the following:

  • Vulnerability Note VU#753044 - Microsoft Windows WebViewFolderIcon ActiveX integer overflow

Until an update, patch, or more information becomes available, we strongly recommend the following:

We will continue to monitor this issue and provide additional information as it becomes available.

http://www.us-cert.gov/current/


Another Day, Another 0-day


As one zero day gets patched, (Microsoft released an out-of-cycle patch for the recent VML Fill vulnerability) another is found.

Today we discovered an exploit affecting Microsoft PowerPoint (preliminary testing shows Office 2000, Office XP, and Office 2003 are affected).  A single target of this exploit has been identified, so like other recent Microsoft Office 0-day discoveries, it appears that this one is also a targeted attack.

What makes this attack interesting is the fact that it appears that Microsoft’s antivirus product added detection three days ago.  The only public information on these threats is the boilerplate Malicious Software Encyclopedia entries (which show an incorrect discovery date of Sep 26, when virus definition files from Sep 23 detect):

There isn’t a public advisory from Microsoft, suggesting that Microsoft’s security team knew of this in-the-wild attack but did not make the information public.

For the record, I am not a fan of full disclosure (the concept, not explicitly the mailing list).  I believe that more money has been lost, more data stolen, and more illegal activity around exploits has happened because of full disclosure.  Historically, those with the skills to find vulnerabilities and create exploits are not the ones who write Blaster and Sasser, etc.  Generally, the people who heavily abuse exploit code have “copy & pasted” the work of others.  They customize the payload and release, and in these cases damages would have been significantly reduced if it were not for the availability of exploit details.

That said, if an attack is in the wild, acknowledgment of the attack is not something to conceal.  Non-disclose the nitty-gritty details, but do inform.

– Update Sep 26, 2006 17:00 –
McAfee antivirus coverage for these two exploits was released earlier today in DAT version 4860; detected as Exploit-PPT.d trojan.

Computer Security Research - McAfee Avert Labs Blog.

MS06-055 release.

Hey everyone, Craig Gehre here.  We’re in the process of releasing out of band update MS06-055 to address the VML issue.  At the moment, Windows Update, Microsoft Update, and Autoupdate are live.  We’re in the process of publishing the bulletin, associated packages, and updated content for WSUS, MBSA1.2.1, EST, and MBSA 2.0 to the Microsoft download center and normal locations and those should be up shortly.  Until that time the links might not work in the bulletin until the packages appear on the download center. The WSUSscan.cab for SMS and MBSA 2.0 users is also in process and will be published soon. We’ll provide a follow-on blog post shortly once we get everything up.

We're also re-releasing MS06-049 for Windows 2000 users and will have that information up shortly as well.

-Craig

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Published Tuesday, September 26, 2006 8:26 PM by MSRCTEAM

Welcome to the Microsoft Security Response Center Blog! : MS06-055 release.
