July 2009 - Posts

Published: 2009-07-13,
Last Updated: 2009-07-15 02:21:05 UTC
by Adrien de Beaupre (Version: 10)
Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution

Update1: The vulnerability is being actively exploited on web sites. More to follow.

Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability; it is available here. The vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability, although we at the SANS Internet Storm Center had not seen it used or mentioned in public as of yet (this has changed, we are seeing active exploit pages), which may indicate it has been used in targeted rather than broad-based attacks. At the moment there is no patch; there is a workaround, and it can be automated for enterprise deployment. The specific CLSIDs to set the killbit for are:

{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}

Start working on this ASAP. The impact is remote code execution with the privileges of the logged-in user running Internet Explorer, and it might not require user intervention: browse to a nasty web site and be pwn3d.

Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx

KB article: http://support.microsoft.com/kb/973472

SRD blog: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

MSRC blog: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

There is a long list of affected products:

  • Microsoft Office XP Service Pack 3;
  • Microsoft Office 2003 Service Pack 3;
  • Microsoft Office XP Web Components Service Pack 3;
  • Microsoft Office Web Components 2003 Service Pack 3;
  • Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1;
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3;
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3;
  • Microsoft Internet Security and Acceleration Server 2006;
  • Internet Security and Acceleration Server 2006 Supportability Update;
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1; and
  • Microsoft Office Small Business Accounting 2006.

For information on how to prevent ActiveX controls from running, check out this Microsoft KB article on modifying the registry. That article also describes how to deploy the setting using Active Directory. If you have administrative privileges on a single system and are running Internet Explorer, you can click on this 'fixit' link to set the killbit and mitigate the vulnerability, on a home computer for example.

Update2: One other obvious mitigation step is to use an alternate web browser (as in other than IE) that does not make use of ActiveX.

Update3: We have raised the Infocon to yellow for 24 hours due to the active exploitation of this vulnerability.

Update4: We will be updating our existing diary post of domains to block with the domains that are hosting this exploit as well. You can see that diary entry at the following URL: http://isc.sans.org/diary.html?storyid=6739 (newly added domains are in yellow) - AndreL

Update5: Attack vectors used to exploit this vulnerability.

  1. In the now-known public attempts to exploit the vulnerability, attackers simply modify the code with a fresh download and payload, delivering slightly modified malware.
  2. A .cn domain using a heavily obfuscated version of the exploit, which may become an attack kit (think MPACK) and is similar to recent DirectShow attacks.
  3. A highly targeted attack against an organization earlier today, which received a Microsoft Office document with embedded HTML. This one was particularly nasty: it was specifically crafted for the target, with the document tailored with appropriate contact information and subject matter specific to the targeted recipient. Analysis of the document and secondary payload found that the attacker used a firewall on the malicious server so that all IP traffic from outside the targeted victim's domain/IP range would not reach the server.

Update6: This blog has additional information, with examples of code that may have been used in this attack: hxxp://safelab.spaces.live.com/blog/cns!A6B213403DBD59AF!1463.entry (obscured on purpose; some AV products will trigger on accessing the page). Another example is here: hxxp://xeye.us/blog/2009/07/one-0day/

One part of a signature looking for the exploit would be ActiveXObject("OWC10.Spreadsheet"), which, however, could also be used by legitimate web applications trying to open a spreadsheet.

Update7: An attempt at Snort signatures (until something better comes along):

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX1 CVE-2009-1136 ref isc.sans.org/diary.html?storyid=6778"; flow:from_server,established; content:"0002E559-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E559-0000-0000-C000-000000000046/si"; classtype:attempted-user; sid:1000099; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX2 CVE-2009-1136 ref isc.sans.org/diary.html?storyid=6778"; flow:from_server,established; content:"0002E541-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E541-0000-0000-C000-000000000046/si"; classtype:attempted-user; sid:1000101; rev:1;)
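
As an added example (not part of the diary and not the Snort rules above), here is the same detection logic in Python, run over constructed sample pages: the <OBJECT> classid pattern from the Update7 rules is reported at high confidence, and the ActiveXObject("OWC10.Spreadsheet") string from Update6 at low confidence, since legitimate spreadsheet applications use it too. The OWC11.Spreadsheet ProgID and the sample pages are my own assumptions, not taken from the diary.

```python
import re

# The two Office Web Components CLSIDs named in Microsoft Security Advisory 973472.
OWC_CLSIDS = (
    "0002E541-0000-0000-C000-000000000046",
    "0002E559-0000-0000-C000-000000000046",
)

# Python equivalent of the pcre in the Update7 Snort rules: an <OBJECT> tag whose
# classid attribute names one of the two CLSIDs. Quote characters (" or ') and the
# leading brace are optional, whitespace is tolerated around '=' and ':', and
# matching is case-insensitive and may span lines (the rules' /si flags).
OBJECT_CLSID_RE = re.compile(
    r"<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*"
    r"(" + "|".join(re.escape(c) for c in OWC_CLSIDS) + r")",
    re.IGNORECASE | re.DOTALL,
)

# Script-side instantiation of the control via its ProgID. The diary notes that
# ActiveXObject("OWC10.Spreadsheet") also appears in legitimate spreadsheet web
# apps, so this is reported at low confidence. OWC11.Spreadsheet (assumed here to
# be the Office 2003 build of the same control) is treated the same way.
OWC_PROGID_RE = re.compile(
    r"ActiveXObject\s*\(\s*[\x22\x27](OWC1[01]\.Spreadsheet)[\x22\x27]\s*\)",
    re.IGNORECASE,
)


def scan_html(body: str) -> list:
    """Return a list of findings for one HTTP response body.

    Each finding is a dict with 'kind', 'value', 'offset' and 'confidence'.
    """
    findings = []
    for m in OBJECT_CLSID_RE.finditer(body):
        findings.append({
            "kind": "object_clsid",
            "value": m.group(1).upper(),   # normalise lowercase variants
            "offset": m.start(),
            "confidence": "high",
        })
    for m in OWC_PROGID_RE.finditer(body):
        findings.append({
            "kind": "activexobject_progid",
            "value": m.group(1),
            "offset": m.start(),
            "confidence": "low",
        })
    return findings


def verdict(findings: list) -> str:
    """Collapse findings to one action: 'block' on a CLSID hit, 'review' on ProgID only."""
    if any(f["confidence"] == "high" for f in findings):
        return "block"
    if findings:
        return "review"
    return "clean"


# Constructed sample pages for demonstration (not captured exploit pages).
SAMPLES = {
    # Braced, double-quoted CLSID, the form the diary's second Snort rule targets.
    "braced": '<html><body><OBJECT classid="clsid:{0002E559-0000-0000-C000-000000000046}" '
              'id="target"></OBJECT></body></html>',
    # Lowercase, unquoted, no brace, attribute order swapped, tag split across lines.
    "bare": '<object id=target\n   classid = clsid:0002e541-0000-0000-c000-000000000046>\n</object>',
    # Legitimate-looking spreadsheet app: ProgID only, no <OBJECT> with the CLSID.
    "progid_only": '<script>var s = new ActiveXObject("OWC10.Spreadsheet");</script>',
    # Unrelated control: the CLSID below is a constructed placeholder, not a real one.
    "other": '<object classid="clsid:{11111111-2222-3333-4444-555555555555}"></object>',
}


if __name__ == "__main__":
    for name, html in SAMPLES.items():
        found = scan_html(html)
        print(f"{name:12s} {verdict(found):7s} {[f['value'] for f in found]}")
```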

Update8: Metasploit has released a module exploiting the vulnerability.

Update9: Matt Hrynkow and John Silvestri have submitted .ADM files for use in Active Directory GPO templates for setting the ActiveX killbits for last week's and this week's vulnerabilities. Here is the one for the MS Office Web Components issue, advisory 973472 / CVE-2009-1136.

--Start here--

CLASS MACHINE
 
CATEGORY "Windows Components"
 
    CATEGORY "Internet Explorer"
        POLICY "Internet Explorer - ActiveX Compatibility Disable for Microsoft Office Web Components"
            #if version >= 3
            EXPLAIN !!EXPLAIN1
            #endif
            KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{011B3619-FE63-4814-8A84-15A194CE9CE3}"
            VALUENAME "Compatibility Flags"
            VALUEON NUMERIC 1024
            VALUEOFF NUMERIC 0
            ACTIONLISTON
                KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0002E541-0000-0000-C000-000000000046}"
                VALUENAME "Compatibility Flags" VALUE NUMERIC  1024
                KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0002E559-0000-0000-C000-000000000046}"
                VALUENAME "Compatibility Flags" VALUE NUMERIC  1024
            END ACTIONLISTON
            ACTIONLISTOFF
                KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0002E541-0000-0000-C000-000000000046}"
                VALUENAME "Compatibility Flags" VALUE NUMERIC  0
                KEYNAME "SOFTWAREMicrosoftInternet ExplorerActiveX Compatibility{0002E559-0000-0000-C000-000000000046}"
                VALUENAME "Compatibility Flags" VALUE NUMERIC  0
            END ACTIONLISTOFF
        END POLICY ;Internet Explorer - ActiveX Compatibility Disable for OWC10_and_OWC11

    END CATEGORY ;Internet Explorer
END CATEGORY ;Windows Components

CLASS USER
[Strings]
EXPLAIN1 =Enable this policy to implement workaround documented for Microsoft Security Advisory (973472)nnnhttp://www.microsoft.com/technet/security/advisory/973472.mspxnhttp://isc.sans.org/diary.html?storyid=6778n
--End here--

Update10: This MSDN blog has 32- and 64-bit versions of the Active Directory GPO ADM files and .reg files that should mitigate this vulnerability: http://blogs.msdn.com/askie/archive/2009/07/14/group-policy-adm-template-to-implement-the-workaround-from-security-advisory-973472.aspx The one posted above in Update9 apparently only works on 32-bit, and is missing the backslashes. Thanks Jim and Brian for letting us know.

If you see exploit code for this vulnerability, or have knowledge of it being used in an attack please let us know via our contact page.

Thanks to all who have contributed to this diary!

Cheers,
Adrien de Beaupré
EWA-Canada.com

Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.

Wednesday, July 22, 2009

Koobface - Come Out, Come Out, Wherever You Are

UPDATE2: New binaries are hosted at web.reg .md/1/pdrv.exe; web.reg .md/1/pp.10.exe and at web.reg .md/1/fb.49.exe.

UPDATE: The Koobface gang is upgrading the command and control infrastructure in response to the positive ROI out of the takedown activities. This of course doesn't mean that enough evidence on "who's who" behind Koobface and a huge percentage of the currently active malware campaigns targeting Web 2.0 properties hasn't been gathered already.

Especially now that it's apparent we know each other's names. A recent Koobface update includes the following message (thanks to TrendMicro for pinging me):

We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software.

The ROI of several abuse notices during the weekend, quick response from China's CERT which took care of 61.235.117.71 (thanks Patrick!), and Oc3 Networks & Web Solutions Llc abuse team which took care of the Koobface activity at 98.143.159.138 -- cgpay-re-230609 .com still responds to the IP -- looks pretty positive and managed to increase the opportunity cost for the Koobface gang since it caused them some troubles during the weekend.

With Koobface worm's Twitter campaign currently in a stand by mode due to the publicity it attracted, as well as the fact that the central redirection points used in the campaign are down, let's assess the current Koobface hosting infrastructure, with an emphasis on UKSERVERS-MNT (AS42831) which stopped responding to abuse notifications as of Sunday.

How did the Koobface gang/fan club respond to the downtime anyway? By introducing several new domains, and parking them at 78.110.175.15 - UKSERVERS-MNT (AS42831), whose abuse department remains unreachable ever since.

Following the first abuse notice sent to UKSERVERS-MNT the company temporarily closed the account (78.110.175.15) of the "customer", then brought it back online. Asked why, they responded that the "customer" claimed he had been compromised and that he needed to clean up the mess and secure the server. In reality that means "give us some time to smoothly update DNS records and migrate operations now that all of our command and control locations are offline".

Since they presumed I don't take lying personally, half an hour later I checked again and the Koobface command and control servers were operational again. The company forwarded the responsibility to the customer and said they closed down the account.

However, what the Koobface gang did was to register a new domain and use it as Koobface C&C, again parked at the same IP, which remains active - zaebalinax .com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax .com/the/?pid=14010, which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru - which remain in stand-by mode at least for the time being.

Upon execution the Koobface binary phones back to upr0306 .com/achcheck.php; upr0306 .com/ld/gen.php (78.110.175.15) and attempts to download upload.octopus-multimedia .be/1/pdrv.exe; upload.octopus-multimedia .be/1/pp.10.exe.

UKSERVERS-MNT (AS42831) is also known for its connections to gumblar.cn malware campaigns, as well as for having hosted a domain (supernerd.org) that was part of a Photobucket malvertising campaign.

Related posts:
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.

Next-Generation Flash Vulnerability


Recently we came into possession of an Adobe Acrobat PDF file that upon opening drops and executes a malicious binary. It was quite clear that this PDF was exploiting some vulnerability in order to drop its payload. And, during the analysis it soon became apparent that this vulnerability was not one we had seen in the wild before. What was even more surprising was that this vulnerability affects Adobe Flash—not Adobe Reader as we initially suspected.

An issue in Adobe Flash is more serious. Most vulnerabilities are confined to one technology; for example, a vulnerability may affect a particular browser or a particular operating system, but it is rare for a vulnerability to span multiple platforms and products. This is not the case with Flash. Flash exists in all popular browsers and is also available in PDF documents. It is also largely operating system independent; therefore, the threat posed by this issue is not to be taken lightly. Flash has become an integral part of the modern browsing experience—becoming so ubiquitous that most users don’t even notice it.

Thomas Ptacek of Matasano Security summed up just how serious Flash vulnerabilities are: “Why do you care about Flash exploits? Because in the field, any one of them wins a commanding majority of browser installs for an attacker.” (The full blog post is here: This New Vulnerability: Dowd’s Inhuman Flash Exploit.) The large user base of Flash presents attackers with a huge target audience and will certainly be too much for them to resist.

Ptacek made the comment above when describing an article that Mark Dowd, research engineer with IBM ISS, published in April 2008 (Application-Specific Attacks: Leveraging the ActionScript Virtual Machine). This article detailed how he created a reliable exploit that took advantage of a very subtle memory corruption issue in Adobe Flash Player version 9.0.115.0. He gives a detailed account of how he overcame the many obstacles put in place by the Flash developers. This was quite an achievement. Whether it was intentional or not, this paper gave the reader a certain sense of security since it proved just how difficult it was to reliably exploit this issue and once the patch was available we could all put that nasty incident behind us. As expected, there were many people who were very happy to pick up Dowd’s research and use it for their own purposes. Since the release of Dowd’s paper we have seen widespread attempts to exploit Flash in the wild, but invariably they would all eventually use the exploit Dowd discovered. That is, until now.

The authors of the exploit have managed to take a bug and turn it into a reliable exploit using a heap spray technique. Typically an attacker would entice a user to visit a malicious website or send a malicious PDF via email. Once the unsuspecting user visits the website or opens the PDF this exploit will allow further malware to be dropped onto the victim’s machine. The malicious PDF files are detected as Trojan.Pidief.G and the dropped files as Trojan Horse.

We are in contact with the Adobe PSIRT team in relation to this issue. We urge our customers to ensure their antivirus definitions are up to date. Like the vulnerability Dowd discovered, it's likely that we will see many attacks over the coming months that will attempt to exploit this vulnerability. As always, keep an eye out for the official patch from Adobe and ensure all products are up to date. As an extra safety measure, Vista users should make use of the UAC (User Account Control) feature, as this will help mitigate a successful compromise.

In this attack, the PDF exploiting the vulnerability includes multiple Flash streams (FWS). One of these is used to dynamically create the shellcode and uses a heap spray technique to increase the chances of success of the exploit; the heap is loaded with 64 MB of data. Here is a snapshot of what the heap looks like:

[Figure: snapshot of the sprayed heap]

After the first step the attacker needs to somehow redirect execution to the heap in order to arrive at the malicious shellcode. This is where the vulnerability mentioned earlier comes in: Flash fails to sanitize instructions in a specific scenario. The end function doesn't expect the incorrectly constructed object and inadvertently passes execution onto the heap.

Because of the actions taken by the attacker, execution will point to a region in the section prepared by the heap spray earlier. Execution will continue in the heap, which will ultimately result in the execution of the attacker-supplied shellcode.

Testing shows that the vulnerability is exploitable on Windows XP and Vista, but the dropped executables do not run on Vista if UAC is enabled. Also, because this vulnerability affects Flash, any software that uses Flash is potentially vulnerable to this issue.

(Words: Patrick Fitzgerald      Analysis: Ka Chun Leung, Takashi Katsuki, Kevin Savage, Piotr Krysiuk)

Jul 22, 7:51 am (UTC-7) | by Jonell Baltazar (Advanced Threats Researcher)

Early this week, the KOOBFACE Command and Control (C&C) servers issued a new command to its downloader component. This new command identifies a list of IP addresses to be used by the downloader component as Web or relay proxies to retrieve subsequent commands and components.

In the old KOOBFACE architecture (see Figure 1), the downloader directly connects to an available C&C to receive commands. However, the new command seen early this week actually changes the KOOBFACE botnet architecture to something more like the diagram in Figure 2.


[Figure 1: old KOOBFACE architecture. Figure 2: upgraded KOOBFACE architecture.]

This new command acts as a redundancy layer over the old architecture, probably in response to KOOBFACE domain takedowns. The upgraded KOOBFACE architecture makes it possible for the KOOBFACE botnet to survive even if all of its C&C domains are shut down, given that the listed IP addresses (KOOBFACE zombies) can also host updated KOOBFACE commands and components.

KOOBFACE made waves in social networking sites by using infected users’ profiles to infect other users and therefore propagate. We have chronicled its activities in the following blog posts:

Malware Is Their Business…and Business Is Good!


I cribbed the title from Megadeth–I admit it. However, when looking at this year’s growth in malware it seems disturbingly appropriate. Global economic downturn or not, malware production continues at a record-setting pace because this is how many cybercriminals make their money. (Malware long ago stopped being about fun and bragging.)

We at Avert Labs have seen almost as much unique malware in the first half of 2009 as we did in ALL of 2008. This is quite something when you consider that in 2008 we saw the greatest ever growth in malware:

Unique Malware Growth

For you math and data junkies, that comes out to an average of 200,000 unique pieces monthly or more than 6,000 daily. Yep–that was over 6,000 on a daily basis. Bear in mind these are the malware we consider unique (something we had to write a driver for), and this does not count all the other malware we detect generically or heuristically, but we will save that discussion for another post. When you add in the generic and heuristic detections the number becomes truly mind-boggling.

Even when compared to the first half of 2008, the growth is almost three times what it was. The sheer growth is even challenging Moore’s Law a bit.

Half Year Malware Comparison

Our latest whitepaper, Financial Fraud and Internet Banking: Threats and Countermeasures, explains how much of this malware can be used to scam and steal from users. The new whitepaper was written by one of our French researchers, François Paget. It can be found here.

There are many reasons why malware continues to grow, but it is mainly a criminal’s game at this point. Malware steals data. The people who write and distribute malware are criminals. Pretty plain and simple to me. The tools and code are readily available and that will certainly not change, but (and this is important) it is also definitely NOT doomsday. Staying educated and updated goes a long way toward safe computing.

Could Sexy Space be the Birth of the SMS Botnet?


Experts predicted that there would be a rise in the number of mobile threats in 2009, and it seems the creators of SymbOS.Exy.A and SymbOS.Exy.B are out to prove the prediction right. They have resurfaced with yet another signed Symbian malware, SymbOS.Exy.C.

New certificate used with SymbOS.Exy.C

Previous certificates used with SymbOS.Exy.A/B

Circulating with the name of “Sexy Space”, SymbOS.Exy.C is very similar to the original SymbOS.Exy.A threat. Not only does it reuse some of the same code that was used in the original threat, it’s even using the same method of propagation.

It appears that the creators of the SymbOS.Exy.A/B threats have found the perfect loop-hole for distribution and have decided to stick to it for SymbOS.Exy.C: good old-fashioned social engineering mixed with SMS spam. Going by names such as “Sexy View” or “Sexy Girl” and now “Sexy Space” the threat propagates through suggestive SMS messages which direct message recipients to download the threat from an external URL.


Taking advantage of its signed status, the malware attempts to hide its traces by running under the process name "AcsServer.exe", a slight variation on the name of a legitimate application. It also installs itself in the hidden c:\sysbin folder, in addition to dropping another file, "kel.sisx" (also Symbian signed), in the path C:\data\. The threat has the ability to access content to which unsigned or self-signed legitimate applications do not have access. The following hex dumps show the logging capabilities of the malware (note the "mr.log" name used in both threats).

SymbOS.Exy.A (hex dump)

SymbOS.Exy.C (hex dump)

When active, SymbOS.Exy.C also has a defense mechanism; it looks for any of the following programs:

  • App.Manager
  • Task Spy
  • Y-Tasks
  • ActiveFile

It ends them if they are found, making it difficult for the user to attempt to manually end the threat. Just as the previous versions, it also attempts to make a silent HTTP connection to a malicious server, sending back information on phone type (if it’s unable to establish the model information, it responds back with Nokia 3250), IMEI, and IMSI. We are currently investigating the possible use of this information, such as whether it downloads additional files.

Even though for the most part SymbOS.Exy.A/B was targeting mobile phone users in China, SymbOS.Exy.C is now being circulated in English, and was reported to have been discovered in the Middle East. Thank you, globalization.


The threat does provide a language selection prompt on installation that offers the option to use UK English as the default language for the application.


What this threat currently does – gather information from the phone and send it to predetermined addresses in addition to spamming other phones (SMS) and propagating – is not solely what interests us. A more interesting question to ask is: what could future versions of this threat potentially do using these trusted privileges? Could this be the birth of the SMS Botnet?

<<< Wednesday, July 22, 2009 >>>
 
New set of Bait files Posted by Mikko @ 12:32 GMT

Three weeks ago we posted a series of screenshots of bait document files used in targeted attacks. These are files that have been used to infect specific individuals in different organizations in order to gain access to their computer.

All the documents shown below contained exploits that installed backdoors. Targets of these attacks are not known.

[Nine screenshots of bait documents used in targeted attacks]

Again, this was just a quick sampling; we get a lot of these.

We'll be blogging more tomorrow about a change in the hostnames used in these attacks.

PS. Feel free to leave suggestions for translations of the non-English documents in the comments section.

Koobface on the tweet


Marco, July 14, 2009 | 16:32 GMT

We are currently witnessing a new wave of Koobface messages flooding twitter. The message that is mostly used right now is: "My home video :) <URL>"


The link in infected tweets points to a site with a small piece of JavaScript.

The script calls a PHP script on a server, which uses an ID to return an IP address leading to the video site. This means the IP address is different for every request.

Interestingly, the guys behind this attack are clearly out to maximize their ROI: if you're using Mac or Linux, you end up getting redirected to an adult site.

Twitter is saying it may block infected accounts. We're doing our part as well - our users are already protected from the malicious file.

And we've also added protection against the malicious tweet itself, which will be detected as Net-Worm.Win32.Koobface.aqy as updates are rolled out to our users.

<<< Tuesday, July 14, 2009 >>>
 
Remotely Exploitable Hole in HTC's Bluetooth Posted by Response @ 15:11 GMT

An interesting vulnerability in the Windows Mobile 6 OBEX FTP service was disclosed back in January.

The author of that research, Alberto Moreno Tablado, recently contacted us to let us know there's an update.

From Tablado:

The vulnerability was first disclosed in January 2009 as a whole Microsoft Bluetooth Stack issue in Windows Mobile 6. However, further investigations proved that the issue is in a 3rd party driver installed by HTC. Microsoft states that the OBEX FTP server driver affected is a 3rd party driver installed by HTC on its devices running Windows Mobile, so the vulnerability only affects this vendor specifically and other vendors' Windows Mobile devices are not affected.

Furthermore, in January it appeared that vulnerable devices needed to be paired with their attackers. Tablado now states that more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and MAC address spoofing, can be used in order to avoid this [requirement].

OBEX directory traversal display, screenshot from seguridadmobile.com

The following devices are reported as vulnerable:

  • HTC devices running Windows Mobile 6 Professional
  • HTC devices running Windows Mobile 6 Standard
  • HTC devices running Windows Mobile 6.1 Professional
  • HTC devices running Windows Mobile 6.1 Standard

Full details can be found on Seguridad Mobile's website.

Our thanks goes to Mr. Tablado for the update on his very interesting research.

Rumors of Emma Watson's Death Leading to Rogue AV Sites

Date:07.27.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ ThreatSeeker™ Network has discovered that a rumor claiming that the actress Emma Watson, made famous by the Harry Potter series of movies, died at the scene of a fatal car collision is being used to spread rogue AV sites on the Internet. The rumor itself is spreading rapidly through social networks such as Twitter.

The attackers have targeted the Google search engine via the Search Engine Optimization (SEO) poisoning technique: when a user searches for terms related to Emma Watson's death, the fake AV sites are returned as high as the fifth result on Google.

With the recent release of the latest movie in the series, Harry Potter and the Half-Blood Prince, malware authors are attempting to capitalize on people's curiosity.

Search results from Google:

Screenshot of the rogue AV site:

Websense® Messaging and Websense Web Security customers are protected against this attack.

MS released two OOB bulletins and an advisory

Published: 2009-07-28,
Last Updated: 2009-07-28 22:58:20 UTC
by Adrien de Beaupre (Version: 2)


Microsoft has released two Out of Band (OOB) bulletins and one advisory. The security advisory (973882) relates to issues discovered in Microsoft's Active Template Library (ATL), which is included in Visual Studio. The first bulletin (MS09-035) describes how ATL is used and which code within it can lead to memory corruption, information disclosure, and the creation of object instances in disregard of the configured security policy. A number of third-party software packages will also have to be updated to reflect this change. The second bulletin (MS09-034) is a defense-in-depth mitigation for a potential bypass of ActiveX killbits, which are commonly used to mitigate other vulnerabilities. Apply this patch ASAP. The impact of a user viewing an evil web page is arbitrary code execution. Related CVE entries are:

ATL Uninitialized Object Vulnerability - CVE-2009-0901
ATL COM Initialization Vulnerability - CVE-2009-2493
ATL Null String Vulnerability - CVE-2009-2495

Memory Corruption Vulnerability - CVE-2009-1917
HTML Objects Memory Corruption Vulnerability - CVE-2009-1918
Uninitialized Memory Corruption Vulnerability - CVE-2009-1919

Microsoft's investigation into MSVidCtl (MS09-032) apparently found the underlying issue in the ATL library, which is addressed in the bulletin and patches. More information will be available tomorrow at Black Hat. Here is a teaser advance preview of the IE ActiveX killbit bypass being presented tomorrow: http://www.hustlelabs.com/bh2009preview/

Microsoft had provided advance notification of these releases on 24 July 2009. We covered it here.

References:
http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx
http://www.microsoft.com/technet/security/advisory/973882.mspx
http://www.microsoft.com/technet/security/bulletin/MS09-034.mspx
http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx
http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx

Cheers,
Adrien de Beaupré
EWA-Canada.com

Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.

Published: 2009-07-28,
Last Updated: 2009-07-28 13:12:47 UTC
by Adrien de Beaupre (Version: 1)
YYAMCCBA

Yes, Yet Another Massive Credit Card Breach. Alas, this time it is Network Solutions. They appear to still be in the process of investigating and notifying customers. More information is available from them here. The breach happened some time before 12 March 2009 and was discovered some time after 08 June 2009. Thousands of merchants and almost 600,000 credit cards may be affected.

If you have additional comments or information please contact us!

Cheers,
Adrien de Beaupré
EWA-Canada.com

Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.

Advance Notification for July 2009 Out-of-Band Releases

We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009. 

While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

1. One Security Bulletin for Visual Studio

2. One Security Bulletin for Internet Explorer

While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported.

Customers who are up to date on their security updates are protected from known attacks related to this Out of Band release.

We’ll be holding two webcasts to give you details and take your questions:

• Webcast: July 28, 2009 1:00 p.m. Pacific Time

• Encore Webcast: July 28, 2009 4:00 p.m. Pacific Time

A reminder that this information is subject to change and that when we do release the security bulletins, we’ll let you know through the MSRC weblog.

Thanks,

Mike Reavey

*This posting is provided "AS IS" with no warranties, and confers no rights.*

An out-of-band release; this can’t be good, and it should be jumped on ASAP when it comes out.

Microsoft Security Bulletin Advance Notification for July 2009

Published: July 24, 2009

Microsoft Security Bulletin Advance Notification issued: July 24, 2009
Microsoft Security Bulletins to be issued: July 28, 2009

This is an advance notification of two out-of-band security bulletins that Microsoft is intending to release on July 28, 2009. One bulletin will be for the Microsoft Visual Studio product line; application developers should be aware of updates available affecting certain types of applications. The second bulletin contains defense-in-depth changes to Internet Explorer to address attack vectors related to the Visual Studio bulletin, as well as fixes for unrelated vulnerabilities that are rated Critical. Customers who are up to date on their security updates are protected from known attacks related to this out-of-band release.

This bulletin advance notification will be replaced with an update to the Microsoft Security Bulletin Summary for July 2009 on July 28, 2009. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.

Microsoft is hosting two webcasts to address customer questions on these bulletins on July 28, 2009, at 1:00 PM Pacific Time (US & Canada) and at 4:00 PM Pacific Time (US & Canada). Register now for the July 28, 1:00 PM Webcast and the July 28, 4:00 PM Webcast. Afterwards, these webcasts are available on-demand. For more information, see Microsoft Security Bulletin Summaries and Webcasts.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security, high-priority updates that are being released on the same day as the monthly security updates. Please see the section, Other Information.

Bulletin Information


Executive Summaries

This advance notification provides the software subject as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier.

The following table summarizes the security bulletins for this month in order of severity.

For details on affected software, see the next section, Affected Software.

Bulletin ID         Maximum Severity Rating and Vulnerability Impact   Restart Requirement   Affected Software
Internet Explorer   Critical, Remote Code Execution                    Requires restart      Microsoft Windows, Internet Explorer
Visual Studio       Moderate, Remote Code Execution                    Requires restart      Visual Studio



Affected Software

This advance notification provides the software subject as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier.

How do I use these tables?

Use these tables to learn about the security updates that you may need to install. You should review each software program or component listed to see whether any security updates are required. If a software program or component is listed, then the severity rating of the security update is also listed.

Note You may have to install several security updates for a single vulnerability. Review the whole column for each bulletin identifier that is listed to verify the updates that you have to install, based on the programs or components that you have installed on your system.


Windows Operating System and Components

Microsoft Windows 2000 (Bulletin Identifier: Internet Explorer; Aggregate Severity Rating: Critical)
  Microsoft Windows 2000 Service Pack 4: Internet Explorer 5.01 Service Pack 4 (Critical); Internet Explorer 6 Service Pack 1 (Critical)

Windows XP (Bulletin Identifier: Internet Explorer; Aggregate Severity Rating: Critical)
  Windows XP Service Pack 2 and Windows XP Service Pack 3: Internet Explorer 6 (Critical); Internet Explorer 7 (Critical); Internet Explorer 8 (Critical)
  Windows XP Professional x64 Edition Service Pack 2: Internet Explorer 6 (Critical); Internet Explorer 7 (Critical); Internet Explorer 8 (Critical)

Windows Server 2003 (Bulletin Identifier: Internet Explorer; Aggregate Severity Rating: Moderate)
  Windows Server 2003 Service Pack 2: Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate)
  Windows Server 2003 x64 Edition Service Pack 2: Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate)
  Windows Server 2003 with SP2 for Itanium-based Systems: Internet Explorer 6 (Moderate); Internet Explorer 7 (Moderate)

Windows Vista (Bulletin Identifier: Internet Explorer; Aggregate Severity Rating: Critical)
  Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2: Internet Explorer 7 (Critical); Internet Explorer 8 (Critical)
  Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2: Internet Explorer 7 (Critical); Internet Explorer 8 (Critical)

Windows Server 2008 (Bulletin Identifier: Internet Explorer; Aggregate Severity Rating: Moderate)
  Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2: Internet Explorer 7* (Moderate); Internet Explorer 8* (Moderate)
  Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2: Internet Explorer 7* (Moderate); Internet Explorer 8* (Moderate)
  Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2: Internet Explorer 7 (Moderate); Internet Explorer 8 (Moderate)

*Windows Server 2008 server core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 if Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.


Microsoft Developer Tools and Software

Microsoft Visual Studio (Bulletin Identifier: Visual Studio; Aggregate Severity Rating: Moderate)
  Microsoft Visual Studio .NET 2003: Microsoft Visual Studio .NET 2003 Service Pack 1 (Moderate)
  Microsoft Visual Studio 2005: Microsoft Visual Studio 2005 Service Pack 1 (Moderate); Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools (Moderate)
  Microsoft Visual Studio 2008: Microsoft Visual Studio 2008 (Moderate); Microsoft Visual Studio 2008 Service Pack 1 (Moderate)

Microsoft Visual C++ (Bulletin Identifier: Visual Studio; Aggregate Severity Rating: Moderate)
  Microsoft Visual C++ 2005: Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package (Moderate)
  Microsoft Visual C++ 2008: Microsoft Visual C++ 2008 Redistributable Package (Moderate); Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package (Moderate)


Detection and Deployment Tools and Guidance

Security Central

Manage the software and security updates you need to deploy to the servers, desktop, and mobile computers in your organization. For more information see the TechNet Update Management Center. The TechNet Security Center provides additional information about security in Microsoft products. Consumers can visit Security At Home, where this information is also available by clicking “Latest Security Updates”.

Security updates are available from Microsoft Update, and Windows Update. Security updates are also available at the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update".

Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as “MS07-036”), you can add all of the applicable updates to your basket (including different languages for an update) and download them to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.

Note Starting August 1, 2009, Microsoft will discontinue support for Office Update and the Office Update Inventory Tool. To continue getting the latest updates for Microsoft Office products, use Microsoft Update. For more information, see About Microsoft Office Update: Frequently Asked Questions.

Detection and Deployment Guidance

Microsoft has provided detection and deployment guidance for this month’s security updates. This guidance will also help IT professionals understand how they can use various tools to help deploy the security update, such as Windows Update, Microsoft Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), and the Extended Security Update Inventory Tool (ESUIT). For more information, see Microsoft Knowledge Base Article 910723.

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.

Windows Server Update Services

By using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 to Windows 2000 and later operating systems.

For more information about how to deploy this security update using Windows Server Update Services, visit Windows Server Update Services.

Systems Management Server

Microsoft Systems Management Server (SMS) delivers a highly configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. The next release of SMS, System Center Configuration Manager 2007, is now available; see also System Center Configuration Manager 2007. For more information about how administrators can use SMS 2003 to deploy security updates, see SMS 2003 Security Patch Management. SMS 2.0 users can also use the Software Updates Services Feature Pack to help deploy security updates. For information about SMS, visit Microsoft Systems Management Server.

Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, see Deploying Software Updates Using the SMS Software Distribution Feature. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Update Compatibility Evaluator and Application Compatibility Toolkit

Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit 5.0.

The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.


New Wave Of Web Attacks Exploits Office


Today, Microsoft released a security advisory on active attacks in the wild using a vulnerability in Microsoft Office Web Components. Computers with Microsoft Office features installed that use vulnerable versions of the Microsoft Office Web Components could be infected with malware when browsing malicious websites in Internet Explorer.

From our investigation, Exploit-CVE2009-1136, a new 0-day exploit, was added to the web exploit toolkits that had widely released Exploit-MSDirectShow.b on hijacked websites in China just the previous week. Since the start of this new wave of attacks, new trojans installed by Exploit-CVE2009-1136 have been detected by Artemis technology, which also allows us to get a global view of the spread of this new threat.

In one of the new trojan samples used by Exploit-CVE2009-1136, we first saw Artemis queries coming from China at 11:53 GMT on July 13th, 2009. We didn’t have automatic protection for this at that point, but various systems analyzing the threat details soon marked it as malicious.

By now, this sample has spread to many other Internet users in China, and has been queried and blocked by Artemis more than 328 times from more than 145 unique IP addresses (ISP, not endpoint).


Besides China, we only saw Artemis queries coming from Virus Total (Spain) and fellow malware researchers in the UK and Germany in small numbers.

We will post more information as we receive it.
