Internet Explorer 7 Window Injection Vulnerability

Secunia Advisory: SA22628
Release Date: 2006-10-30

Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched

Software: Microsoft Internet Explorer 7.x
CVE reference: CVE-2004-1155 (Secunia mirror)

Description:
A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites.

The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

This is related to:
SA13251

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2.

Solution:
Do not browse untrusted sites while browsing trusted sites.

Provided and/or discovered by:
Originally discovered by:
Secunia Research

Reported in Internet Explorer 7 by:
Per Gravgaard

Other References:
SA13251:
http://secunia.com/advisories/13251/

Internet Explorer 7 Window Injection Vulnerability - Advisories - Secunia.

• Firefox - fixed after 2 months
• Netscape - fixed after 6 months
• Opera - fixed after 2 months
• Konqueror - fixed within days
• Omniweb - fixed after 11 months
• Safari - fixed after 1 month

• Internet Explorer 7
• Internet Explorer 6 and earlier

Handler's Diary October 29th 2006

Bloodhound.Exploit.94

Discovered: October 26, 2006

Updated: October 26, 2006 05:33:24 PM GDT

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Bloodhound.Exploit.94 is a heuristic detection for detecting web pages attempting to exploit an undocumented Internet Explorer 7 Popup Address Bar Spoofing Weakness.

Protection

• Virus Definitions (LiveUpdate™ Daily) October 27, 2006
• Virus Definitions (LiveUpdate™ Weekly) November 1, 2006
• Virus Definitions (Intelligent Updater) October 27, 2006
• Virus Definitions (LiveUpdate™ Plus) October 27, 2006

Threat Assesment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: Low

 

Bloodhound.Exploit.94 - Symantec.com.

Winamp Lyrics3 and Ultravox Processing Buffer Overflows

Description:
Two vulnerabilities have been reported in Winamp, which can be exploited by malicious people to compromise a user's system.

1) An error in the Ultravox protocol handler during processing of the "ultravox-max-msg" header can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.

2) An error during the parsing of certain Lyrics3 tags can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.

The vulnerabilities are reported in versions 2.666 through 5.3.

Solution:
Update to version 5.31.
http://www.winamp.com/player/

Winamp Lyrics3 and Ultravox Processing Buffer Overflows - Advisories - Secunia.

W32/Stration - Not This Kid Again!?

Thursday October 26, 2006 at 3:24 am CST
Posted by Geok Meng Ong

Trackback

Following our blog on W32/Stration last week, this kid has been enjoying having its presence felt. To date, W32/Stration has been hovering at the top three places in prevalance behind W32/Netsky (another “old-school” mass mailer) on Postini’s top viruses tracking on their global email systems.

Today, McAfee Avert Labs discovered a new variant of this mass mailer that was gaining speed in spamming to the Internet from infected machines. When another “security expert” claims that “old school” threats are passé, think again. More details of this new variant at:

http://vil.nai.com/vil/content/v_140655.htm

Computer Security Research - McAfee Avert Labs Blog.

- http://www.microsoft.com/technet/security/bulletin/ms06-056.mspx

- http://www.microsoft.com/technet/security/bulletin/ms06-048.mspx

MSIE IE7 Popup Address Bar Spoofing Vulnerability (NEW)

Secunia (http://secunia.com/advisories/22542/ is reporting a new Microsoft Internet Explorer (MSIE) 7.0 vulnerability. This vulnerability allows a malicious site to spoof the content of the address bar. Instead of the actual URL, the user will see a "fake" URL. We tested the vulnerability and found it to work quite well. As a quick workaround you may want to configure MSIE 7.0 to open new windows in a new tab. In order to do this, Tools -> Internet Options -> Tabs Settings -> When a pop-up is encountered: Always open pop-ups in a new tab.

(click image for full size)

The PoC exploit by Secunia is pushing the real URL off the screen to the left by adding multiple '%A0' characters between the real URL and the string 'www.microsoft.com'. It appears that the new window will only show right-most part of the URL. For tabs, the left most part is shown.

This vulnerability has a lot of potential for phishers or others that attempt to trick the user into trusting the popup window as they trust the site displayed in the main window.

I see Rod has been blogging a lot about Firefox 2.0 lately, and I figured I would chime in with a list of my favorite add-ons for Firefox.

I’ll start of with a few “essential” add-ons, the ones that I always load first, as they add even more to Firefox’s security.

1. NoScript “Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site. This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality...
   Experts do agree: Firefox is really safer with NoScript ;-)”   Blogger’s Note: I love this add-on, with a lot of malware being loaded though the browser these days, you can’t be too careful. With the ability to whitelist scripts on the Web sites you trust, this sure beats the “all-or-nothing” approach that is still part of IE 7.
2.  AdBlock “Once installed, it's a snap to filter elements at their source-address. Just right-click: Adblock: done. Filters use either the wildcard character (*)
   or full Regular Expression syntax. Hit the status-element and see what has or hasn't been blocked.”  Blogger’s Note: I hate ads on Web pages, they drive me crazy.  Since sometimes those ads can carry infected code, its a good idea to block what you can. You will never see this ability in IE.
3. Adblock Filterset.G Updater “This is a companion extension to Adblock or Adblock Plus and should be used in conjunction with it. This extension automatically downloads the latest version of Filterset.G every 4-7 days. Filterset.G is an excellent set of filters maintained by G for Adblock that blocks most ads on the Internet. In addition, this extension allows you to define your own set of filters that you can add along with Filterset.G during an update. To report missed ads or problems with the extension visit the support forums http://forum.pierceive.com/.” Blogger’s Note: This makes AdBlock even better by pre-loading sites that are blocked from showing ads.
4. Flashblock  “Never be annoyed by a Flash animation again! Blocks Flash so it won't get in your way, but if you want to see it, just click on it.” Blogger’s Note: One of these days, someone will make a good Flash virus, with this you are already covered!

0-days That Weren’t (Quick or Accurate, Take Your Pick)

Friday October 20, 2006 at 2:33 am CST
Posted by Craig Schmugar

Trackback

As timescales compress in computer security, research organizations feel increasing pressure to be first to report on a threat. It’s hard to perform lengthy fact checking in hours time. In the last couple of months we heard about two different 0-day attacks from two different major security vendors, neither of which were 0-day attacks. This week analysis was posted on a “new” anti-virtual-keyboard technique used by a password stealing trojan; only problem is that technique is at least 3 years old. And this week an IE 7 0-day vulnerability turned out to be more than 5 months old.

Of course the irony is that other researchers have to chase the claims, which reduces the amount of time available for fact checking prior to release for the issues they’re trying to report on; so it’s a vicious cycle. Additionally, people who report on such issues are often excited and anxious to spread the news, not to mention the competitive aspect of all of this.

Generally speaking, the largest organizations tend to lean towards lengthy validation cycles, taking a long time to react, while smaller shops may only do a quick check to validate their claims.

Personally I think either extreme is not good and a balance needs to be found. Part of that balance should include going with what you know at the time, allowing for terms like ‘under investigation’ or ‘believed to be’, while reserving absolute statements until after due diligence has been given.

Maybe that’s just me?

Computer Security Research - McAfee Avert Labs Blog.

New Internet Explorer and an old vulnerability

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-101916-4325-99

- http://www.microsoft.com/technet/security/bulletin/ms06-061.mspx

http://www.symantec.com/security_response/writeup.jsp?docid=2006-092316-4153-99

Just in case you missed it, I have been out for a few days trying to recover from the ailment of the week…

- http://www.microsoft.com/technet/security/advisory/917021.mspx

Gromozon Evolution: From Spaghetti to Lasagna

Since we last talked about Trojan.Linkoptimizer (a.k.a. Gromozon) and the Italian Spaghetti saga, there have been some significant developments. What we had originally dubbed "spaghetti threats" now look much more like multi-layered "lasagna threats". Several new features and improvements were integrated into the latest incarnation of this Trojan by the authors, who are probably getting paid well for all of their efforts.

How do users get infected with Linkoptimizer/Gromozon variants? We noticed that the complicated distribution scheme of Trojan.Linkoptimizer (shown in Figure 1) introduced a few significant changes, compared to the original scheme of the previous blog article. Here are the new things that we noticed:

- New distribution domains were added to the list because gromozon.com gained too much bad publicity! (Check out our updated Trojan.Linkoptimizer writeup for a list of the dangerous domains.)
- New obfuscated JavaScript with recent exploits are now used to install the Trojan. (Linkoptimizer just couldn’t ignore the latest Internet Explorer exploits for VML and WebFolderIcon components.)
- The downloaded file is no longer named www.google.com and is created from a random list (e.g. www.free.com, www.super.com, www.auto.com).

Figure 1

Read the rest of the post at the link below.

Symantec Security Response Weblog: Gromozon Evolution: From Spaghetti to Lasagna.

W32/Stration - The new “old” kid in town

Thursday October 19, 2006 at 9:24 am CST
Posted by Vinoo Thomas

Trackback

Today’s mass mailers are often seeded from thousands of zombie drones connected to botnets. Time on a botnet can be bought, for the right price, to launch the next mass mailer variant. Then when these zombies are instructed to download and execute a worm, a mini outbreak can be created when thousands of machines over the internet simultaneously start mailing copies of the worm. However, these artificial outbreaks die by themselves when antivirus vendors come out with updated detection for the worm.

By using enticing subjects and message bodies and spoofing the ‘from’ address to appear from trusted sources, mass mailers have traditionally depended on social engineering techniques to get a victim into executing a malware attachment. Given that mass mailers seem out of vogue these days with malware authors focusing on more effective infection vectors like operating system or browser vulnerabilities, it’s nostalgic when we see a new “old” kid in town.

W32/Stration is a mass mailer that has been around since August this year and is one of the few active and evolving mass mailers in recent times. Very typical of the mass mailing variety, W32/Stration harvests email addresses from an infected machine and mails a copy of itself using some convincing message bodies.

A sample spoofed email message is as follows:

“Our firewall determined the e-mails containing worm copies are being sent from your computer. Nowadays it happens from many computers, because this is a new virus type (Network Worms). Using the new bug in the Windows, these viruses infect the computer unnoticeably. After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail addresses. Please install updates for worm elimination and your computer restoring.”

Leaving out the poor grammar, such a dire message appearing to come from the administrator of your company could be stunningly effective in getting uninformed users to take the bait.

W32/Stration uses a self updating mechanism to keep itself going. Infected machines connect to a hard coded url in the body of the worm to download possibly a newer version of the worm and execute it. This ensures that worm remains undetected for an extended period of time and ensures a longer shelf life in the wild.

The author seems to be investing considerable time and effort into unleashing newer variants of W32/Stration on to the internet. But it’s surprising that no lucrative payloads like adware or password stealing trojans have been seeded onto infected machines. One can only wonder about the objective behind developing and releasing newer variants of this worm. Is the current wave being used to build a massive pool of infected computers for a larger scale of attack on the internet? Sadly, the motive behind unleashing this worm is still unknown at the time of writing this blog. McAfee Avert Labs continues to keep a close eye on future developments of W32/Stration.

Computer Security Research - McAfee Avert Labs Blog.

War-E-Zov	Posted by Mikko @ 06:35 GMT

Another day, another Warezov. This time it's Warezov.DG being spammed out.

And they have a new domain too: this new variant is downloading additional components from hertionkadesinpoion.com.

So the full list of domains used by past Warezov variants is:

  sadujadesion.com
  yuhadefunjinsa.com
  jaxedunnjsatunheri.com
  gadesunheranwui.com
  vertionkdaseliplim.com
  ertinmdesachlion.com
  vedasetionkderun.com
  hertionkadesinpoion.com

We still don't know if these mean something in some language. Anybody?

F-Secure : News from the Lab - October of 2006.

http://www.symantec.com/security_response/writeup.jsp?docid=2006-101715-5901-99

Cisco Security Advisory: Default Password in Wireless Location Appliance

MS06-061

Java Trojan/Bot (NEW)

New UrSnif/Haxdoor Variant (NEW)

Thank you for ordering from our internet shop. If you paid with a 
credit card, the charge on your statement will be from name of our shop.

This email is to confirm the receipt of your order. Please do not reply 
as this email was sent from our automated confirmation system.

Date : 08 Oct 2006 - 12:40
Order ID : 37679041

Payment by Credit card

Product : Quantity : Price
WJM-PSP - Sony VAIO SZ370 C2D T7200 : 1 : 2,449.99

Subtotal : 2,449.99
Shipping : 32.88
TOTAL : 2,482.87

Your Order Summary located in the attachment file ( self-extracting 
archive with "37679041.pdf" file ).

PDF (Portable Document Format) files are created by Adobe Acrobat 
software and can be viewed with Adobe Acrobat Reader. If you do not 
already have this viewer configured on a local drive, you may download 
it for free from Adobe's Web site.

We will ship your order from the warehouse nearest to you that has your 
items in stock (NY, TN, UT & CA). We strive to ship all orders the same 
day, but please allow 24hrs for processing.

You will receive another email with tracking information soon.

We hope you enjoy your order!  Thank you for shopping with us!

PoC published for MS Office 2003 PowerPoint

Hey everyone this is Alexandra Huft,

I wanted to let you know that we’ve been made aware of proof of concept code published publicly affecting Microsoft Office 2003 PowerPoint. We are currently investigating this report. The reported proof of concept may allow an attacker to execute code on a user’s machine by convincing them to open a specially-crafted PowerPoint file. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time.

As part of our investigation, we are working with our MSRA partners to monitor and secure the ecosystem.

Thanks,

Alexandra

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Welcome to the Microsoft Security Response Center Blog! : PoC published for MS Office 2003 PowerPoint.

- http://www.microsoft.com/technet/security/bulletin/ms06-063.mspx

- http://www.microsoft.com/technet/security/bulletin/ms06-062.mspx

- http://www.microsoft.com/technet/security/bulletin/ms06-061.mspx

- http://www.microsoft.com/technet/security/bulletin/ms06-060.mspx

- http://www.microsoft.com/technet/security/bulletin/ms06-056.mspx

- http://www.microsoft.com/technet/security/bulletin/ms06-048.mspx

- http://www.microsoft.com/technet/security/bulletin/ms06-038.mspx

Delays on Windows Update & the Death of SUS (NEW)

Published: 2006-10-10,
Last Updated: 2006-10-10 19:59:48 UTC by John Bambenek (Version: 1)

Windows Update is currently experiencing delays and not serving up all those happy patches. The MSRC is reporting some delays with getting the patches up.  If you need them immediately you can download directly from the bulletins. ISC Reader Jim McCormick found that by clearing out C:\WINDOWS\SoftwareDistribution\DataStore and C:\WINDOWS\SoftwareDistribution\Download he was able to take care of business. Choice is yours.  You could also always wait. :)

Alan Mercer sent in a reminder that Microsoft is discontinuing support for SUS on Dec. 6th, 2006. Because this is before the December patch cycle, it seems that November will be the last patch cycle that SUS will be supported. With the holidays coming up, it's time to think about upgrading to WSUS.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

- http://www.microsoft.com/technet/security/advisory/926043.mspx

- http://www.microsoft.com/technet/security/advisory/925984.mspx

- http://www.microsoft.com/technet/security/advisory/925059.mspx

Microsoft patch tuesday - October 2006 STATUS (NEW)

Published: 2006-10-10,
Last Updated: 2006-10-10 19:23:42 UTC by John Bambenek (Version: 2(click to highlight changes))

Overview of the October 2006 Microsoft patches and their status.

IMPORTANT NOTE: There will be no more support for Windows XP Service Pack 1, after this month no patches will be released in support of that version.

Additional note: The reason for distinguishing between private and public disclosure is that potentially the "bad guys" have had more time to work on the vulnerabilities when the disclosure was public. In theory, and I realize that this is potential, private disclosure means the clock starts now for the "bad guys" to develop exploits. It has some impact on the severity of the problem in my opinion.

#	Affected	Known Problems	Known Exploits	Microsoft rating	ISC rating(*)
clients	servers
MS06-056	ASP.NET cross-site scripting CVE-2006-3436	Information Disclosure KB 922770	No known exploits, privately reported to MS	Moderate	Less Urgent	Important
MS06-057	WebFolderView ActiveX (setSlice) CVE-2006-4960	Remote code exe