January 2011 - Posts

Microsoft Security Advisory for MHTML via Internet Explorer (MS2501696/CVE-2011-0096)

Published: 2011-01-27,
Last Updated: 2011-01-28 18:47:54 UTC
by Robert Danford (Version: 1)
0 comment(s)

www.microsoft.com/technet/security/advisory/2501696.mspx

Information on this vulnerability first started surfacing on Full-Disclosure on 1/15/2011. The vulnerability exists in all supported versions of MS Windows except for Server 2008 installed with Server Core. Other installed applications (Adobe Reader, etc.) may be leveraged locally via Internet Explorer (and applications that use it, such as Outlook).

There appears to be a myriad of ways it can be leveraged, and a lot of thought and creativity is being poured into that. So now would be a good time to test and consider the registry workaround (see advisory), to review group policies for Internet Explorer zone settings, and to review detection options for email gateways, proxies, NIDS, etc.
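One gateway-side detection heuristic for this issue, added here as an example (it is not from the diary or the advisory): pull href/src links out of an HTML or email body and flag mhtml: references whose container document is fetched from a remote http(s) server, since the advisory concerns MHTML interpretation of a web response. The sample body, host names and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample body, as a mail gateway or proxy might see it;
# hosts and addresses are made up for this example.
SAMPLE_HTML = r"""<html><body>
<a href="http://intranet.example.test/reports/q4.html">Q4 report</a>
<img src="https://www.example.test/logo.png">
<iframe src="mhtml:http://bad.example.test/page.mht!x-script"></iframe>
<a href="MHTML:file://C:\archive\saved.mht!body">local archive</a>
<script src='mhtml:https://203.0.113.7/a.mht!part1'></script>
</body></html>"""

# href="..." / src='...' attribute values; enough for a triage filter.
ATTR_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# MHTML URL syntax: mhtml:<container URL>!<Content-Location of the part>
MHTML_RE = re.compile(r"^mhtml:(?P<outer>[^!]+)(?:!(?P<part>.*))?$", re.IGNORECASE)

def extract_urls(html):
    """Return all href/src attribute values found in an HTML body."""
    return ATTR_RE.findall(html)

def classify_mhtml(url):
    """None for non-mhtml URLs; otherwise the container URL, the selected part
    and whether the container is served over http(s) (a remote web response)."""
    m = MHTML_RE.match(url.strip())
    if not m:
        return None
    outer = m.group("outer")
    parts = urlsplit(outer)
    return {
        "outer": outer,
        "part": m.group("part"),
        "host": parts.hostname,
        "remote": parts.scheme.lower() in ("http", "https"),
    }

def flag_mhtml_refs(html):
    """Return (url, info) pairs for mhtml references to remote containers;
    a gateway would log or quarantine these for analyst review."""
    flagged = []
    for url in extract_urls(html):
        info = classify_mhtml(url)
        if info and info["remote"]:
            flagged.append((url, info))
    return flagged

if __name__ == "__main__":
    for url, info in flag_mhtml_refs(SAMPLE_HTML):
        print(f"FLAG mhtml container on {info['host']}: {url}")
```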

From the advisory:

"The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user."

A release date for a fix has not been posted yet.

Relevant/Interesting Links:

Enhanced Security Configuration
http://technet.microsoft.com/en-us/library/dd883248(WS.10).aspx

MHTML Info
http://msdn.microsoft.com/en-us/library/aa767916(v=vs.85).aspx

Server Core
http://technet.microsoft.com/en-us/library/ee441255(WS.10).aspx

CVE-2011-0096
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0096

Advisory
http://www.microsoft.com/technet/security/advisory/2501696.mspx

If you come across any attacks targeting this vulnerability, please upload any details you have (pcap, samples, urls, etc) via our contact form and we'll review them, share with the community (if you permit us), and post updates to the diary.

The Facebook Scam Invasion Can Now Phone Home | Symantec Connect

by Candid Wueest
We have frequently reported on rogue Facebook applications - these appear with such regularity that it hardly makes sense anymore to alert you individually about every enticing message used. New ones are popping up like mushrooms every day...actually even faster than mushrooms.

Here is a selection of some of the scam messages active right now:

* My total facebook views are: 4367 Find out your total profile views @ http://goo.gl/*****
* My 1st Status was: 'hmmm... let's see what i can do here'. This was posted on 10/04/2009 Find your 1st Status @ http://bit.ly/*****
* AMAZING ! I've just seen who STALKS me on Facebook! You can TOO! http://apps.facebook.com/*********
* Check if a friend has deleted you http://apps.facebook.com/lamaratr/
* OMG some guy just attacked Jeremy Kyle - http://bit.ly/********
* OMG Teenage mom jailed after uploading this disgusting photo of her baby: http://bit.ly/*****
* I can't believe this! I received 50 free Farm Cash, thank you Jules ! guys install the application FAST -> http://bit.ly/****** <3 <3 <3
* Cheerleaders Banned Straight After This Routine - Too Hot! http://apps.facebook.com/**********

These rogue Facebook apps are expanding fast and we have seen them with many different topics and also in different languages. Below you can see an example of the German version of the “girl killed herself, after her dad posted this to her wall” scam.

The method is nearly always the same. As soon as you grant the application the requested permissions it will start posting the same enticing message to your profile wall, making it appear in all your friends' update feeds. This explains why it spreads so fast. Meanwhile you are asked to complete an online survey before you can see the promised image or video.

Some of them are quite successful. The statistics from the link shortener show click-through rates of a few thousand up to a few hundred thousand users per campaign, with each of them potentially earning the creator a small commission for each completed survey.

Newer versions now even contain a link to a privacy policy and terms of service, in which the developer clearly states what they will do and what the application is all about:

IT WON’T TELL YOU WHO STALKS YOU THE MOST, IT IS AGAINST FACEBOOK’S TOS AND NOT ALLOWED TECHNICALLY, INSTEAD IT WILL PRINT YOUR RANDOM FRIEND.

By pressing Allow you are agreeing to:

1. Post to my wall. The application will make one wall post with attachments informing your friends about itself and its whereabouts.
2. Data access. The application might do wall posts on your account’s wall any time.
3. Advertisements. By entering the application you might receive advertisement messages which are not obligatory for you to click on.

Fair enough, this is exactly the behaviour that we noticed. Although I have to confess that I was a bit puzzled when I read the following extract from their privacy policy:

The Way We Use Information: We do not use your private information in any way or form.

This does sound nice but is hard to believe, given the fact that they said before that they might send you advertisements.

Let’s hope that it does not get worse in the future, and is not impacted by the opening up of access to Facebook for third party application developers. They can now ask for permissions to access a user’s phone number or postal address. This means that applications can now access all your private data including email, postal address, and phone number if you allow the app to do so. You still have to manually grant the permissions, so it is that little click that matters.

Therefore you should be even more vigilant when installing applications on Facebook and also about the information that you make available in the first place. Read carefully what data it will access and consider whether a given application really needs to access the requested information, like your phone number, in order to display a fortune cookie message. If you are in doubt, then do not install the application as it’s most likely just another scam.

Update:
After a weekend of testing the Facebook team announced that they will put this new feature on hold and are making changes to help ensure that users only share this information when they intend to do so.

Yet another rogue anti-virus

Published: 2011-01-18,
Last Updated: 2011-01-18 00:32:51 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)

Remember four years ago when the "Fake Codec" scam managed to infect even large corporations? The bad guys still try this approach every now and then, but their most successful "invention" to date is clearly the fake anti-virus. We've been covering it repeatedly for the past two, three years now, and it is still going strong. If an attack vector stays the same for years, it can only mean one thing: it is netting the bad guys enough money that they don't feel the urge to innovate.

The following popped up earlier today when some readers surfed to a perfectly OK web site that had apparently been hacked and "amended". The site that seems to start the dive down the FakeAV rabbit hole at the moment is (dontclick!) baullka-dot-com/red.php . The goodies then come from 91.216.122.x which is known to provide unsolicited anti-virus "help". Another netblock involved - 188.229.88.x and 188.229.92.x - seems to be a recent addition to the FakeAV universe.

I'm including a couple of screenshots below; it never hurts to know what the current incarnation of FakeAV looks like ... *especially* since their current EXE registers with a mere 6/43 on the VirusTotal scale.

Stay safe!

January 2011 Microsoft Black Tuesday Summary

Published: 2011-01-11,
Last Updated: 2011-01-11 18:26:51 UTC
by Kevin Shortt (Version: 1)
0 comment(s)

Happy New Year Everyone!   Here is the 2011 Black Tuesday kick off with only two patches.  Enjoy!

Overview of the January 2011 Microsoft Patches and their status.

MS11-001: Vulnerability in Windows Backup Manager Could Allow Remote Code Execution (Replaces None)
  Affected: Windows Backup Manager, Windows Vista SP1/SP2, Windows Vista x64 Edition SP1/SP2
  CVE: CVE-2010-3145
  Contra Indications: KB 2478935
  Known Exploits: Exploit available.
  Microsoft rating: Severity: Important, Exploitability: 1
  ISC rating(*): clients Important, servers Important

MS11-002: Vulnerabilities in Microsoft Data Access Components Could Allow Remote Code Execution (Replaces None)
  Affected: Microsoft Data Access Components 2.8 SP1/SP2, Microsoft Data Access Components 6.0
  CVE: CVE-2011-0026, CVE-2011-0027
  Contra Indications: KB 2451910
  Known Exploits: Exploit available.
  Microsoft rating: Severity: Critical, Exploitability: 1,1
  ISC rating(*): clients Critical, servers Critical


We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.


Kevin Shortt
--
ISC Handler on Duty

Published: 2011-01-05,
Last Updated: 2011-01-05 20:49:56 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Thanks to our reader Dan for getting this started. Here is a preliminary table of various Internet Explorer and Windows vulnerabilities that are as of yet unpatched. Let me know if I forgot one. I originally planned to include some of the older issues, but none of them appears to be as relevant/serious as the issues in this list.

no CVE: Use after free error within "mshtml.dll"
  Release Date: Jan 5th 2011
  Affected: IE 7,8
  Exploit and comments: http://www.vupen.com/english/advisories/2011/0026
  Mitigation: none listed

CVE-2010-3970: Graphics Rendering Engine
  Release Date: Jan 4th 2011
  Affected: Windows XP/Vista (not: 7, 2008 R2)
  Exploit and comments: Available
  Mitigation: Disable shimgvw.dll; MSFT Advisory #2490606

no CVE: WMI ActiveX Control
  Release Date: Dec 23rd 2010
  Affected: IE with WMI ActiveX Control installed
  Exploit and comments: See this Websense blog for details
  Mitigation: set killbit on affected ActiveX control

CVE-2010-3971: CSS Import Rule Processing Use-After-Free Vulnerability
  Release Date: Dec 14th 2010
  Affected: IE 6,7,8
  Exploit and comments: PoC available. Critical
  Mitigation: Enhanced Mitigation Experience Toolkit; MSFT Advisory #2488013

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
