October 2006 - Posts

Internet Explorer 7 Window Injection Vulnerability

Secunia Advisory: SA22628
Release Date: 2006-10-30

Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched

Software: Microsoft Internet Explorer 7.x
CVE reference: CVE-2004-1155 (Secunia mirror)

Description:
A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites.

The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

This is related to:
SA13251

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2.

Solution:
Do not browse untrusted sites while browsing trusted sites.

Provided and/or discovered by:
Originally discovered by:
Secunia Research

Reported in Internet Explorer 7 by:
Per Gravgaard

Other References:
SA13251:
http://secunia.com/advisories/13251/


Internet Explorer 7 Window Injection Vulnerability - Advisories - Secunia.

I am disappointed at seeing another vulnerability left over from IE 6 make it into IE 7, but I can't say that I am surprised. Like it says in this Secunia blog entry, Microsoft needs to take responsibility for their mistakes instead of trying to blame it on something else.

On Monday 30th October, Secunia published an advisory describing a vulnerability in IE7, which appears to be a legacy from IE6 - and which back in 2004 turned out to affect virtually every single browser on the market. The vulnerability allows a malicious site to change the content of arbitrary pop up windows, see illustration of attack:

(Illustration: Window Injection Vulnerability)

In 2004 the organisations behind Firefox, Netscape, Opera, Konqueror, OmniWeb, and Safari all confirmed the "Window Injection" issue to be a vulnerability and subsequently issued fixes for this issue. Get the facts in Secunia Advisories regarding the other browsers:

IE6 users had to change the "Navigate sub-frames across different domains" setting to protect themselves. Today, in IE7 this setting has been enabled by default - that is a good thing - but it doesn't work - that is a bad thing! That in itself qualifies for at least a "security bug".

Microsoft writes in their blog that they didn't consider this to be a vulnerability back in 2004 because it potentially could break functionality on websites! Today, in 2006 they still say this isn't a vulnerability - despite the fact that they intended to protect users against this in IE7 by disabling the "Navigate sub-frames across different domains" "functionality" by default.

To defend Microsoft in all this, we agree that the newly added and always visible address bar does mitigate this - however, imagine this scenario:

* You enter your webbank
* You verify the authenticity of the bank's SSL certificate
* Then you click on a link, which pops up a login dialogue

Would you suspect that after you clicked this link from your own trusted webbank that any malicious website which you have running in a different browser window could change the content of the pop-up? Most likely not. Even if the pop up now showed an IP address or my.webbank.com.cn instead of the usual my.webbank.com? Would you really read the full URL and spot the difference and think "ahh someone is "phishing" me now!"? Well you may if you are really paranoid - most people aren't and they would easily be fooled.

If this "functionality" is required, then the setting to allow this dangerous interaction between different windows and pop ups can easily be enabled on a per site basis or for sites which are trusted. We believe that Microsoft ought to take responsibility for the bugs, weaknesses, and vulnerabilities in their browser to ensure that it really protects against phishing and similar scam attacks - isn't this what Microsoft advertises that IE7 does better than its predecessors?

Get the facts in Secunia Advisories:

Kind regards,
Thomas Kristensen
CTO

Handler's Diary October 29th 2006



Remote DoS released targets Windows Firewall/Internet Connection Sharing (ICS) service component

Published: 2006-10-29,
Last Updated: 2006-10-30 11:31:29 UTC by Patrick Nolan (Version: 1)

We have received a report that a DoS exploit has been released that targets ipnathlp.dll, which is used by the Windows Firewall/Internet Connection Sharing (ICS) service. We also received a report that the exploit works against a fully patched XP SP2 system (Tyler Reguly of nCircle / blogs.nCircle.com submitted the report; some of his report information is below).

UPDATE: Yesterday Tyler completed additional work and posted information at nCircle's blog, see his Microsoft ICS DoS FAQ.

Thanks again Tyler.

Original Diary below:

The Windows Firewall/Internet Connection Sharing (ICS) service may be running even though Windows Firewall is disabled.

To determine if your system has the service running, type the following at a command prompt:

sc query sharedaccess

The short name of this service is SharedAccess, the full name is Windows Firewall/Internet Connection Sharing (ICS).

Tyler Reguly reported:

Microsoft Error Message:

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.
 
View What's in this report:

Error signature:
 
szAppName: svchost.exe szAppVer: 5.1.2600.2180
szModName: ipnathlp.dll szModVer 5.1.2600.2180 offset: 0001d45e

UPDATE - 1:16 PM EDST - Tyler reported that only ICS was enabled, "the Firewall was disabled at the time."

Thanks for the work and followup Tyler!

Other information:

UPDATE - 5:40 PM EDST - According to the MS Windows Compute Cluster Server 2003 Deployment website, "Windows Compute Cluster Server 2003 relies on Internet Connection Sharing (ICS) to provide network address translation between the public and private networks. ICS also provides DHCP service for the private network. ICS is enabled during Compute Cluster Pack setup".

SharedAccess — Windows Firewall/Internet Connection Sharing (ICS).

Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.


Start mode: Auto
Login account: LocalSystem
DLL file: ipnathlp.dll
Dependencies: Netman, winmgmt

(MSDN: Diagram of Internet Connection Sharing and Internet Connection Firewall)

Additional information will be added to this Diary as it is developed.

Bloodhound.Exploit.94

Discovered: October 26, 2006
Updated: October 26, 2006 05:33:24 PM GDT
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


Bloodhound.Exploit.94 is a heuristic detection for detecting web pages attempting to exploit an undocumented Internet Explorer 7 Popup Address Bar Spoofing Weakness.


Protection

  • Virus Definitions (LiveUpdate™ Daily) October 27, 2006
  • Virus Definitions (LiveUpdate™ Weekly) November 1, 2006
  • Virus Definitions (Intelligent Updater) October 27, 2006
  • Virus Definitions (LiveUpdate™ Plus) October 27, 2006

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low

Bloodhound.Exploit.94 - Symantec.com.

Winamp Lyrics3 and Ultravox Processing Buffer Overflows

Description:
Two vulnerabilities have been reported in Winamp, which can be exploited by malicious people to compromise a user's system.

1) An error in the Ultravox protocol handler during processing of the "ultravox-max-msg" header can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.

2) An error during the parsing of certain Lyrics3 tags can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.

The vulnerabilities are reported in versions 2.666 through 5.3.

Solution:
Update to version 5.31.
http://www.winamp.com/player/

Winamp Lyrics3 and Ultravox Processing Buffer Overflows - Advisories - Secunia.


W32/Stration - Not This Kid Again!?


Following our blog on W32/Stration last week, this kid has been enjoying having its presence felt. To date, W32/Stration has been hovering at the top three places in prevalence behind W32/Netsky (another “old-school” mass mailer) on Postini’s top viruses tracking on their global email systems.

Today, McAfee Avert Labs discovered a new variant of this mass mailer that was gaining speed in spamming to the Internet from infected machines. When another “security expert” claims that “old school” threats are passé, think again. More details of this new variant at:

http://vil.nai.com/vil/content/v_140655.htm


Computer Security Research - McAfee Avert Labs Blog.

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: October 25, 2006
********************************************************************

Summary
=======

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS06-056
* MS06-048

Bulletin Information:
=====================

* MS06-056
- http://www.microsoft.com/technet/security/bulletin/ms06-056.mspx
- Reason for Revision: Bulletin updated "Non-Affected Software" for Microsoft Windows Server 2003 for Itanium-based Systems. "Why is Microsoft Windows Server 2003 for Itanium-based Systems listed in the "Non-Affected Software" section?" and "Why does Microsoft .NET Framework 2.0 not install on Microsoft Windows Server 2003 for Itanium-based systems?" under the "Frequently Asked Questions (FAQ) Related to This Security Update" section
- Originally posted: October 10, 2006
- Updated: October 25, 2006
- Bulletin Severity Rating: Moderate
- Version: 1.2

* MS06-048
- http://www.microsoft.com/technet/security/bulletin/ms06-048.mspx
- Reason for Revision: Bulletin updated to provide additional clarity for "Verifying Update Installation" for Office 2004 for Mac and Office v. X for Mac under the "Security Update Information" section.
- Originally posted: August 8, 2006
- Updated: October 25, 2006
- Bulletin Severity Rating: Critical
- Version: 1.2

********************************************************************

There is a great workaround for this problem here; it is not perfect, but it will make it harder to get fooled.

MSIE IE7 Popup Address Bar Spoofing Vulnerability (NEW)

Published: 2006-10-26,
Last Updated: 2006-10-26 04:49:56 UTC by Johannes Ullrich (Version: 2)

 

Secunia (http://secunia.com/advisories/22542/) is reporting a new Microsoft Internet Explorer (MSIE) 7.0 vulnerability. This vulnerability allows a malicious site to spoof the content of the address bar. Instead of the actual URL, the user will see a "fake" URL. We tested the vulnerability and found it to work quite well. As a quick workaround you may want to configure MSIE 7.0 to open new windows in a new tab. In order to do this, Tools -> Internet Options -> Tabs Settings -> When a pop-up is encountered: Always open pop-ups in a new tab.

(Image: IE7 Popup Vuln. Demo)

The PoC exploit by Secunia is pushing the real URL off the screen to the left by adding multiple '%A0' characters between the real URL and the string 'www.microsoft.com'. It appears that the new window will only show the right-most part of the URL. For tabs, the left-most part is shown.

This vulnerability has a lot of potential for phishers or others that attempt to trick the user into trusting the popup window as they trust the site displayed in the main window.
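The padding trick the diary describes can be screened for at a proxy or mail gateway before a link ever reaches a user. The following is an added example, not code from the ISC diary or from Secunia's PoC; it takes a URL string as input and assumes a threshold of eight padding characters (a value chosen here, not one the diary gives):

```python
import re
from urllib.parse import unquote, urlsplit

# Added example (not code from the ISC diary or from Secunia's PoC): screen a
# URL for the padding trick described above, where a long run of %A0 (U+00A0,
# non-breaking space) pushes the real host out of IE7's pop-up address bar so
# that only a trailing look-alike string such as "www.microsoft.com" is seen.

PAD_UNIT = re.compile(r"%[aA]0|\u00a0")      # one padding character, raw or decoded
PAD_RUN = re.compile(r"(?:%[aA]0|\u00a0)+")   # a contiguous run of them
HOST_LIKE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)+")


def _after_authority(url: str, netloc: str) -> str:
    """Return the part of the URL that follows the scheme and host."""
    if not netloc:
        return url
    return url[url.find(netloc) + len(netloc):]


def analyze_url(url: str, min_pad: int = 8) -> dict:
    """Report what a pop-up that shows only the right end of a URL would display.

    min_pad (a threshold chosen for this example) is the smallest padding run
    treated as deliberate: a stray %A0 in a query string is normal, dozens in
    a row are not.
    """
    parts = urlsplit(url)
    real_host = (parts.hostname or "").lower()
    rest = _after_authority(url, parts.netloc)

    longest, tail_raw = 0, ""
    for run in PAD_RUN.finditer(rest):
        units = len(PAD_UNIT.findall(run.group(0)))
        if units > longest:
            longest, tail_raw = units, rest[run.end():]

    # Whatever follows the padding, decoded (latin-1 keeps %A0 as U+00A0) and
    # cut at the first path or query delimiter, is the text left visible.
    decoded = unquote(tail_raw, encoding="latin-1")
    displayed = decoded.split("/")[0].split("?")[0].strip().lower()
    looks_like_host = bool(HOST_LIKE.fullmatch(displayed))

    return {
        "real_host": real_host,
        "pad_run": longest,
        "displayed_tail": displayed,
        "suspicious": longest >= min_pad and looks_like_host and displayed != real_host,
    }


# Constructed sample URLs; the hosts are placeholders, not real sites.
SAMPLE_URLS = [
    "http://evil.invalid/login.html?" + "%A0" * 40 + "www.microsoft.com",
    "http://www.microsoft.com/technet/security/bulletin/ms06-056.mspx",
    "http://example.invalid/search?q=a%A0b",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(analyze_url(sample))
```

A literal U+00A0 in an already-decoded URL is treated the same as the `%A0` escape, so the check works on both raw and decoded links.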
What do you know, another vulnerability left over from IE 6...

Internet Explorer 7 Popup Address Bar Spoofing Weakness

I see Rod has been blogging a lot about Firefox 2.0 lately, and I figured I would chime in with a list of my favorite add-ons for Firefox.

I’ll start off with a few “essential” add-ons, the ones that I always load first, as they add even more to Firefox’s security.

  1. NoScript “Extra protection for your Firefox: NoScript allows JavaScript, Java and other executable content only for trusted domains of your choice, e.g. your home-banking web site. This whitelist based preemptive blocking approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality... Experts do agree: Firefox is really safer with NoScript ;-)” Blogger’s Note: I love this add-on; with a lot of malware being loaded through the browser these days, you can’t be too careful. With the ability to whitelist scripts on the Web sites you trust, this sure beats the “all-or-nothing” approach that is still part of IE 7.
  2. AdBlock “Once installed, it's a snap to filter elements at their source-address. Just right-click: Adblock: done. Filters use either the wildcard character (*) or full Regular Expression syntax. Hit the status-element and see what has or hasn't been blocked.” Blogger’s Note: I hate ads on Web pages; they drive me crazy. Since sometimes those ads can carry infected code, it’s a good idea to block what you can. You will never see this ability in IE.
  3. Adblock Filterset.G Updater “This is a companion extension to Adblock or Adblock Plus and should be used in conjunction with it. This extension automatically downloads the latest version of Filterset.G every 4-7 days. Filterset.G is an excellent set of filters maintained by G for Adblock that blocks most ads on the Internet. In addition, this extension allows you to define your own set of filters that you can add along with Filterset.G during an update. To report missed ads or problems with the extension visit the support forums http://forum.pierceive.com/.” Blogger’s Note: This makes AdBlock even better by pre-loading sites that are blocked from showing ads.
  4. Flashblock “Never be annoyed by a Flash animation again! Blocks Flash so it won't get in your way, but if you want to see it, just click on it.” Blogger’s Note: One of these days, someone will make a good Flash virus; with this you are already covered!

Well, that's it for now. More of my favorite Firefox add-ons later.

0-days That Weren’t (Quick or Accurate, Take Your Pick)


As timescales compress in computer security, research organizations feel increasing pressure to be first to report on a threat. It’s hard to perform lengthy fact checking in hours’ time. In the last couple of months we heard about two different 0-day attacks from two different major security vendors, neither of which were 0-day attacks. This week analysis was posted on a “new” anti-virtual-keyboard technique used by a password stealing trojan; only problem is that technique is at least 3 years old. And this week an IE 7 0-day vulnerability turned out to be more than 5 months old.

Of course the irony is that other researchers have to chase the claims, which reduces the amount of time available for fact checking prior to release for the issues they’re trying to report on; so it’s a vicious cycle. Additionally, people who report on such issues are often excited and anxious to spread the news, not to mention the competitive aspect of all of this.

Generally speaking, the largest organizations tend to lean towards lengthy validation cycles, taking a long time to react, while smaller shops may only do a quick check to validate their claims.

Personally I think either extreme is not good and a balance needs to be found. Part of that balance should include going with what you know at the time, allowing for terms like ‘under investigation’ or ‘believed to be’, while reserving absolute statements until after due diligence has been given.

Maybe that’s just me?


Computer Security Research - McAfee Avert Labs Blog.

I had a feeling this would happen. IE 7 looks different on the outside, but how much old code is there underneath?

New Internet Explorer and an old vulnerability

Published: 2006-10-20,
Last Updated: 2006-10-20 02:05:22 UTC by Bojan Zdrnja (Version: 1)

As you probably know by now, Microsoft yesterday released the final version of Internet Explorer 7; if you want to install it on your machine you can download it from http://www.microsoft.com/windows/ie/default.mspx. Microsoft also said that in a couple of weeks this will be automatically pushed to all client machines through Windows Update, so if you still haven't tested your mission critical internal web applications with IE7, you had better do it now.

Besides news about the final version of IE7, a lot of people are already talking about the first vulnerability for IE7, which was announced yesterday on various security mailing lists. The vulnerability is caused by an error in redirections handling with the "mhtml:" URI handler.

After analyzing this security vulnerability, we have to disappoint you – it's nothing new. Actually, this vulnerability was announced way back in April this year for Internet Explorer 6 (http://secunia.com/advisories/19738). It is still not patched, so besides IE7, this vulnerability can be exploited in a fully patched IE6 installation as well.

So what's going on here, did Microsoft just use old code? Not really. The vulnerability exists in the MSXML ActiveX component which is actually part of Outlook Express (so it is installed on every machine as well).
The exploit uses a "double" redirection trick – it will first create an Msxml2.XMLHTTP ActiveX object which is then used to retrieve a web page from the same server that the original web page is hosted on (one containing the exploit). This web page is actually just a redirection (302) which uses a mhtml: URI. This causes the ActiveX object to retrieve any other web page referenced by the mhtml: URI, which can be referenced from the original web page.

In other words, this exploit can be used by an attacker to possibly retrieve other data that your browser has access to. While stealing information like banking data is possible, our testing showed that only content of the web page can be retrieved by the attacker – they can not steal your credentials and they can not retrieve that data unless you are logged in to your bank account at the same time when you visit the web page hosting the exploit.

It looks like Microsoft once again got caught into "ancient" bugs which were already present on the machine (we do wonder why this hasn't been fixed before though).
One thing worth noting is that Internet Explorer 7 has a native XMLHTTPRequest object implementation so theoretically it should be possible to disable the ActiveX object, but pages using it would have to be rewritten (hence support for the ActiveX object). Further testing will show if the native support implementation is also vulnerable – we'll post new information as we get it.

http://www.isc.sans.org/diary.php?storyid=1797
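The redirect step of the "double redirection" described in the diary is visible on the wire, so a proxy or IDS can flag it. The following is an added example, not code from the diary or from Microsoft; it parses a raw HTTP response head, assumes the documented mhtml:<container-url>!<part-url> URI form, and all hosts in the samples are constructed placeholders:

```python
import re
from urllib.parse import urlsplit

# Added example (not code from the ISC diary): a response-side check for the
# "double redirection" described above. A script-created Msxml2.XMLHTTP
# request to the attacker's own server is answered with a 302 whose Location
# is an mhtml: URI, and the component then fetches the page that URI names.
# Flagging such redirects at a proxy or IDS catches the technique regardless
# of which page the mhtml: URI points at.

REDIRECT_STATUSES = {301, 302, 303, 307}


def parse_response_head(raw: str):
    """Return (status_code, headers) from the head of a raw HTTP response.

    Header names are lower-cased; anything after the first blank line (the
    body) is ignored.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    status = int(m.group(1)) if m else 0
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def split_mhtml_uri(uri: str):
    """Split the documented 'mhtml:<container-url>!<part-url>' form.

    The part after '!' is the resource actually retrieved; without a '!'
    the container URL itself is the target.
    """
    body = uri[len("mhtml:"):]
    container, _, part = body.partition("!")
    return container, part or container


def check_redirect(raw: str) -> dict:
    """Flag a redirect whose Location uses the mhtml: scheme."""
    status, headers = parse_response_head(raw)
    location = headers.get("location", "")
    finding = {"status": status, "location": location,
               "suspicious": False, "target_host": None}
    if status in REDIRECT_STATUSES and location.lower().startswith("mhtml:"):
        _, target = split_mhtml_uri(location)
        finding["suspicious"] = True
        finding["target_host"] = (urlsplit(target).hostname or "").lower()
    return finding


# Constructed sample responses; the hosts are placeholders, not real sites.
SAMPLE_BAD = ("HTTP/1.1 302 Found\r\nServer: Apache\r\n"
              "Location: mhtml:http://attacker.invalid/r.html!http://bank.invalid/account\r\n"
              "Content-Length: 0\r\n\r\n")
SAMPLE_OK = ("HTTP/1.1 302 Found\r\n"
             "Location: http://www.microsoft.com/windows/ie/default.mspx\r\n\r\n")
SAMPLE_PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_OK, SAMPLE_PAGE):
        print(check_redirect(sample))
```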

Security Response has published a removal tool to clean infections of W32.Rajump. Version 1.0.0 of the tool can be obtained by visiting:

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-101916-4325-99

********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: October 19, 2006
********************************************************************

Summary
=======

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS06-061

Bulletin Information:
=====================

* MS06-061
- http://www.microsoft.com/technet/security/bulletin/ms06-061.mspx
- Reason for Revision: Bulletin Updated: This bulletin has been re-released to re-offer the security update to customers with Windows 2000 Service Pack 4. The security update previously did not correctly set the kill bit for Microsoft XML Parser 2.6. Additional information has also been included for customers wishing to remove the security update for Microsoft XML Core Services 4.0 and Microsoft XML Core Services 6.0.
- Originally posted:
- Updated: October 19, 2006
- Bulletin Severity Rating: Critical
- Version: 2.0

********************************************************************

Security Response has published an updated removal tool to clean infections of Trojan.Linkoptimizer.

Version 1.08 of the tool can be obtained by visiting

http://www.symantec.com/security_response/writeup.jsp?docid=2006-092316-4153-99
