December 2006 - Posts

Looks like there are reports out there of yet another Word vulnerability that had its Proof of Concept (POC) code released last night.

From what I have read, this does require user interaction to exploit and will run under the rights of the user.

Looks like Santa skipped one of my presents, a stress-free Christmas.

Here are some links to information that I have been able to gather so far:

FrSIRT
http://www.frsirt.com/english/advisories/2006/4997

SecurityFocus:
http://www.securityfocus.com/bid/21589/info

Symantec (Bloodhound Detection)
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2006-121412-1329-99

Insecure.org
http://seclists.org/isn/2006/Dec/0052.html

Infoworld
http://www.infoworld.com/article/06/12/13/HNthirdword_1.html

Techworld
http://www.techworld.com/security/news/index.cfm?RSS&NewsID=7577

This may explain some of the things we saw here today. Makes a good case for sending samples of things like this to your AV vendor, instead of just deleting them. Thanks for the info, Roger.

Bloodhound.Exploit.106 False Positive

On the heels of resolving the Bloodhound.Exploit.104 virus alert last night, I was greeted with a Bloodhound.Exploit.106 alert this morning. When our file server was indexed by SharePoint, the antivirus on the file server quarantined a Word document. I believe this detection is a false positive.

Bloodhound.Exploit.106 is a heuristic detection for an Unspecified Vulnerability in Microsoft Word (as described in Microsoft Security Advisory 929433).

The URL I have used in the past to submit files no longer seems to be available. So I enabled the quarantine option to submit the file to Symantec. It was the first time I've used that method of submission. They say the reply time to reporting this false positive is two days. I hope it doesn't take that long.


Roger's Information Security Blog: Bloodhound.Exploit.106 False Positive.

Description:
A vulnerability has been reported in HP Integrated Lights Out (iLO), which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error when using SSH key based authentication and can be exploited to gain unauthorized access.

The vulnerability is reported in iLO firmware version 1.70 through 1.87 and iLO 2 firmware version 1.00 through 1.11 running on Proliant servers.

Solution:
iLO:
Update to firmware version 1.88 or later.

HP Integrated Lights Out Unspecified Security Bypass - Advisories - Secunia.

Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:
http://www.microsoft.com/technet/security/Bulletin/ms06-Dec.mspx


Critical Bulletins:
Cumulative Security Update for Internet Explorer (925454)

http://www.microsoft.com/technet/security/Bulletin/ms06-072.mspx

Vulnerability in Visual Studio 2005 Could Allow Remote Code Execution (925674)

http://www.microsoft.com/technet/security/Bulletin/ms06-073.mspx

Vulnerability in Windows Media Format Could Allow Remote Code Execution (923689)

http://www.microsoft.com/technet/security/Bulletin/ms06-078.mspx

Important Bulletins:
Vulnerability in SNMP Could Allow Remote Code Execution (926247)

http://www.microsoft.com/technet/security/Bulletin/ms06-074.mspx

Vulnerability in Windows Could Allow Elevation of Privilege (926255)

http://www.microsoft.com/technet/security/Bulletin/ms06-075.mspx

Cumulative Security Update for Outlook Express (923694)

http://www.microsoft.com/technet/security/Bulletin/ms06-076.mspx

Vulnerability in Remote Installation Service Could Allow Remote Code Execution (926121)

http://www.microsoft.com/technet/security/Bulletin/ms06-077.mspx


Re-Released Bulletins:

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)

http://www.microsoft.com/technet/security/Bulletin/ms06-059.mspx

MS Word, another 0-day for the month.
posted by: Roberto Tayag, 12/12/2006

Another 0-day exploit is currently being investigated by Microsoft; last week we reported on a previous MS Word 0-day. Yesterday, a couple of reports emerged about a new 0-day and, according to the MSRC blog, this new claim is being investigated by them. We are still acquiring a sample for the appropriate solution and for our analysis; we will update you as soon as we get one.

According to the MSRC blog, in their initial investigation, the 0-day affects the following versions:

  • Word 2000
  • Word 2002
  • Word 2003
  • Word Viewer 2003

However, Word 2007 is not affected.

Update (Roberto Tayag, Tue, 12 Dec 2006 01:55:22 PM)

Yes, we have acquired a sample and Trend Micro will be detecting this file as TROJ_MDROPPER.EB. The pattern for this malware has already been submitted and is now under the scrutiny of our QA team. Updates will come as soon as the pattern file has been released.

Trend Micro Malware Blog.

Bloodhound.Exploit.105
Risk Level 1: Very Low

Discovered: December 11, 2006
Updated: December 11, 2006 04:16:57 PM GMT


Bloodhound.Exploit.105 is a heuristic detection for the Windows Media Player ASX PlayList File Heap Overflow Vulnerability (as described in Security Focus BID 21247).

Bloodhound.Exploit.105 - Symantec.com.

Two Unpatched Apple QuickTime Vulnerabilities Still Imperil Users Posted by SGMasood @ 11:14 GMT

You all know the story by now – A week ago MySpace was attacked by the Quickspace worm that abused an alleged "feature" of Apple QuickTime movie files to inject and execute malicious JavaScript in user profile pages. The malicious code attempted to phish accounts and to offer spyware to an unspecified number of users with obvious hopes of financial gain by the perpetrators. The primary cause that made the attack possible is not a MySpace flaw, but rather an Apple QuickTime feature that is clearly a security vulnerability. QuickTime fails to enforce the same origin policy and to warn the user before loading and executing JavaScript from external resources – two things that all similar applications are expected to do. For example, Flash allows embedded scripts, but it warns the user when a Flash application tries to access an external resource.

We have yet to see Apple acknowledge this as a security issue. On the contrary, it has claimed that this is a legitimate feature. A temporary, trivially evadible, fix was provided by Apple to MySpace that was, controversially, distributed only to MySpace users and only to those MySpace users who use IE. All other users of Apple QuickTime, including MySpace users who use a browser other than IE, are still vulnerable. And, since this fix was given only to MySpace users, other websites are still vulnerable to an attack by a worm similar to Quickspace.

We did some investigation and found that —

1. Apart from the HREF track flaw exploited by the worm, Apple QuickTime is still vulnerable to another similar flaw that has been publicly known for quite some time. This flaw can be exploited in the same way to achieve the exact same results as the first flaw. The second flaw is obscure and it still remains unfixed. We haven't yet seen anyone bringing attention to it or talk about fixing it. Any patch that fixes the first flaw but not the second one is inadequate.

2. MySpace is still vulnerable to both the flaws and nothing prevents another web application worm from exploiting them.

3. We tested a few other social networking sites and all the sites we tested were also vulnerable to web application worms utilizing the two flaws as an attack vector. With no fix available, currently the only feasible workaround for these social networking sites, and also other websites on the Net, is to completely block users from uploading Apple QuickTime content. Though scrubbing JavaScript from the content before accepting it is a solution, it is complex enough to make it impractical in this case.

Recommendation: Websites should block Apple QuickTime content completely until a patch is available from Apple for both vulnerabilities.

Bottom line: These are security vulnerabilities, not "features".

F-Secure : News from the Lab - December of 2006.
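As an added example (not code from the F-Secure post or from any site named on this page), a content-based upload filter for the recommendation above: QuickTime files are recognised by their atom layout rather than by file extension, so a renamed .mov is still caught. The atom names and the 'qt  ' major brand are the QuickTime container's own; the sample files and the accept/reject policy are constructed assumptions.

```python
import struct

# Reference data: atom types found at the top level of a QuickTime container,
# and the 'ftyp' major brand Apple uses for .mov files.
QT_TOP_LEVEL_ATOMS = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"pnot"}
QT_BRAND = b"qt  "

def _iter_atoms(data, limit=8):
    """Yield (type, payload) for the first top-level atoms of an atom-based file."""
    offset, seen = 0, 0
    while offset + 8 <= len(data) and seen < limit:
        size, atype = struct.unpack(">I4s", data[offset:offset + 8])
        header = 8
        if size == 1:                      # 64-bit size follows the 8-byte header
            if offset + 16 > len(data):
                return
            size = struct.unpack(">Q", data[offset + 8:offset + 16])[0]
            header = 16
        elif size == 0:                    # atom runs to end of file
            size = len(data) - offset
        if size < header:                  # malformed header: stop, never loop forever
            return
        yield atype, data[offset + header:offset + size]
        offset += size
        seen += 1

def is_quicktime(data: bytes) -> bool:
    """Content-based check: does this byte string look like a QuickTime movie?"""
    types = []
    for atype, payload in _iter_atoms(data):
        if atype == b"ftyp":
            return payload[:4] == QT_BRAND   # major brand is the first 4 payload bytes
        if atype not in QT_TOP_LEVEL_ATOMS:
            return False                     # not an atom-structured file at all
        types.append(atype)
    # Brandless legacy QuickTime files start directly with moov/mdat; treating
    # them as QuickTime is the conservative choice for an upload filter.
    return b"moov" in types or b"mdat" in types

def accept_upload(filename: str, data: bytes) -> bool:
    """Assumed upload policy: reject QuickTime by content, and .mov/.qt by name."""
    if is_quicktime(data):
        return False
    return not filename.lower().endswith((".mov", ".qt"))

def _atom(atype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", 8 + len(payload)) + atype + payload

# Constructed samples: a branded .mov, a brandless legacy .mov, an ISO MP4, a PNG.
SAMPLE_QT = _atom(b"ftyp", b"qt  \x00\x00\x02\x00qt  ") + _atom(b"wide", b"") + _atom(b"mdat", b"\x00" * 16)
SAMPLE_LEGACY_QT = _atom(b"moov", b"") + _atom(b"mdat", b"abc")
SAMPLE_MP4 = _atom(b"ftyp", b"isom\x00\x00\x02\x00isommp42")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
```

The filter only identifies the container; it does not inspect tracks, so it blocks all QuickTime uploads as the post recommends rather than trying to scrub scripts.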

I don't know how long this has been around; I found Trend Micro's Malware Blog this morning. Looks like another good resource.

You can find it here: http://servicecenter.antivirus.com/malwareblog/diary/

New Microsoft Word Zero-Day Reported

Microsoft have announced they are investigating yet another zero-day vulnerability, apparently unrelated to the December 5 Microsoft Security Advisory 929433. According to their investigations, Word 2000, Word 2002, Word 2003 and the Word Viewer 2003 are affected, but Word 2007 is not affected by the vulnerability. They also report that the vulnerability is being exploited on a very limited and targeted basis. Symantec Security Response is monitoring the situation and will respond appropriately once further information is available. As always, standard best practices apply in this situation and caution should be exercised when dealing with unsolicited attachments from both unknown sources, as well as from trusted sources.

Posted by Security Response Alert on December 10, 2006 08:47 PM

Symantec Security Response Weblog: New Microsoft Word Zero-Day Reported.


Exploit-MSWord.b: Is that another Word for 0-day vulnerability?

Last Wednesday, Microsoft posted an advisory for a targeted “zero-day” attack using a Microsoft Word vulnerability, and until we get a CVE number, we refer to this as “Microsoft Word 0-Day Vulnerability I”.

In our tracking of this new 0-day vulnerability, I analyzed a Word Document sample for MessageLabs. Just when you would have thought this could be the same 0-day which was most recent, Microsoft confirmed upon our request that we are seeing double trouble — this was really “Microsoft Word 0-Day Vulnerability II”.

I previously wrote about non-executable file formats being a popular vector in recent years; this is a trend that will continue into 2007 and deserves to be given ample consideration in planning for security resources, policies and user education programs.

McAfee Avert Labs released DAT coverage for payload associated with “Microsoft Word 0-Day Vulnerability I” in DAT version 4714 for Downloader-AZQ and Downloader-AZR. The new threat that is exploiting “Microsoft Word 0-Day Vulnerability II” is now covered in DAT version 4715 as Exploit-MSWord.b.

Computer Security Research - McAfee Avert Labs Blog.

Yet another Word vulnerability Posted by Patrik @ 02:34 GMT

Last week we posted on a new vulnerability in Word. Today, the Microsoft Security Response Center reported on yet another Word vulnerability.

The new vulnerability affects Word 2000, 2002, 2003, and Word Viewer 2003 but not Word 2007. The vulnerability allows a malicious person to automatically execute code on the target machine when a DOC file is opened, so it's very similar to most of the other Word vulnerabilities we've seen during 2006. As it is actively being exploited, although the distribution so far is very limited, and there is no patch available we can only continue to use the same workaround as previously recommended – not to open or save any DOC files from untrusted sources or files that you have unexpectedly received from sources you trust.

F-Secure : News from the Lab - December of 2006.

Another new Word 0-day, information & dat released by McAfee (NEW)

Published: 2006-12-10,
Last Updated: 2006-12-10 22:03:23 UTC by Patrick Nolan (Version: 1)

We received notification from an ISC participant that McAfee has released a dat today for protection against a buffer overflow attack in MS Word. The announcement says "Note: This vulnerability was first found through one of the samples that McAfee analyzed, and this vulnerability differs from the "Microsoft Word 0-Day Vulnerability I" that was published on December 5, 2006."

Other vendors are expected to follow suit

Exploit-MSWord.b
McAfee "Microsoft Word 0-Day Vulnerability II "

"Vendor Status - Unacknowledged
Vulnerable systems - Windows XP SP0 - SP2, Windows 2003 SP0 - SP1, Microsoft Word XP, Microsoft Word 2003"

McAfee has identified PWS-Agent.g as "a password stealing trojan that was most recently installed by Exploit MSWord.b via a 0-day Microsoft Word vulnerability."

Thanks for the heads up!

eEye Research has a site that's quite useful for tracking 0-days, Zero-Day Tracker

There's a report over at the Microsoft Security Response Center Blog; see the New Report of A Word Zero Day.
According to the post, "the vulnerability is being exploited on a very, very limited and targeted basis". That is a description that adds further granulization to MS's explanation of "What “very limited, targeted attacks” Means". And as long as there's no patch forthcoming for this vuln (or the December 5th one), it's starting to sound like using the exploit is going to be "Rewarding, very, very, very rewarding" (see the Citi commercials/video).

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

What “very limited, targeted attacks” Means
Hi, this is Christopher Budd.

We've gotten some questions from customers about what we mean when we say we're aware of "very limited, targeted attacks" in a security advisory. I wanted to take a moment and help give some clarity.

When we talk about “very limited, targeted attacks” we specifically mean this in contrast to attacks that affect a broad number of customers randomly.  Unlike these broad, random attacks, these very limited, targeted attacks are carried out against a very small number of customers (sometimes only one or two even) and are carried out in a very deliberate fashion against a specific organization or organizations.

Where the goal of these broad, random attacks is large in scope, the goal of these very limited, targeted attacks is generally to introduce malicious software onto the systems of the specific organizations that have been targeted. For example, in investigating the issue that we just issued Microsoft Security Advisory 929433 on, part of our investigation showed that the attacks were specifically attempting to introduce malicious software rather than propagate themselves to additional customers. As part of our Software Security Incident Response Process (SSIRP), we have provided information about this malicious software to our AV partners through partner programs such as those in the Microsoft Security Response Alliance (MSRA) so that they can build signatures to detect the malicious software. The Windows Live OneCare Safety Scanner also contains signatures for this malicious software.

One of our goals when we issue a security advisory is to give you information to help you understand the risks posed by an issue. One thing we know that customers want to know about is what the scope of an attack is. Through our work with partners, with customers, and internal investigations, we're sometimes able to tell if an attack is a broad, random attack, or if it's a very limited, targeted attack. When we're able to do this, we include it in our security advisory as another piece of information to help you understand what's going on, so you can make better informed risk assessments.

I hope this helps to clarify the statement. Of course, if an attack is broad, or if an attack is limited, we still treat every issue as a priority and teams continue to actively investigate this issue.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Published Friday, December 08, 2006 12:41 AM by MSRCTEAM

Welcome to the Microsoft Security Response Center Blog! : What very limited, targeted attacks Means

Public Proof of Concept Code for ASX File Format Issue

Hey everyone this is Alexandra-

I wanted to let you know that we’re aware of proof-of-concept code published publicly affecting Windows Media ASX file format. We are currently investigating this report. We are not currently aware of attempts to exploit this vulnerability.

The ASX file format is an XML-based media file format which is processed by Windows Media Player. An attacker could construct a malformed ASX file and use it to cause Media Player to overrun a heap-allocated buffer, potentially leading to remote code execution.

We are also investigating other attack vectors to reach the same vulnerable code.

As part of our investigation, we are working with our MSRA partners to monitor and secure the ecosystem.

Thanks,

Alexandra

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Published Thursday, December 07, 2006 10:42 PM by MSRCTEAM

Welcome to the Microsoft Security Response Center Blog! : Public Proof of Concept Code for ASX File Format Issue.

Word hole will remain open Posted by Patrik @ 02:39 GMT

Microsoft just announced the patches that they will release on Tuesday the 12th. And as we feared, the Word vulnerability disclosed earlier this week will not be fixed. Looks like we'll have to not open or save Word files from untrusted sources, or unexpectedly received from trusted sources, for another month. No one sends DOC files in e-mails anyway, right?

The dropped files we have seen used together with the Word vulnerability are detected as Trojan-Downloader.Win32.Cryptic.ec, Trojan-Downloader.Win32.Cryptic.f and Trojan-Downloader.Win32.Tiny.y.

The patches that Microsoft will release are five security patches for Windows where the highest severity rating is Critical. A patch for Visual Studio with a severity rating of Critical will also be released. In addition, 14 non-security related patches will be released.

F-Secure : News from the Lab - December of 2006.