Sharing Security Developments, and Best Practices for corporate and home users
June 2006 - Posts
-
Users should always be careful to avoid processing files or URLs in the Instant Messaging environment. This new IM threat disguises itself as the new WGA process Microsoft is using to ensure the Windows OS has the proper license keys.
Cuebot-K IM Worm - Hides as a Windows Genuine Advantage (WGA) Service http://secunia.com/virus_information/30450/cuebot-k/ http://www.sophos.com/security/analyses/w32cuebotk.html
W32/Cuebot-K is an instant messaging worm and backdoor for the Windows platform. W32/Cuebot-K spreads via AOL Instant Messenger. The file wgavn.exe is registered as a new system driver service named "wgavn", with a display name of "Windows Genuine Advantage Validation Notification" and a startup type of automatic, so that it is started automatically during system startup.
-
It's important to stay up-to-date on all software products. New vulnerabilities were recently discovered for Open Office 2.0 and all users should move to the latest release.
New Open Office Vulnerabilities - Security release v2.0.3 available http://www.incidents.org/diary.php?storyid=1454 http://www.openoffice.org/security/bulletin-20060629.html
Security Bulletin 2006-06-29 -- OpenOffice.org 2.0.3 fixes three security vulnerabilities that have been found through internal security audits. Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor's patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.
-
According to media reports, the laptop was stolen from the home, sold for $100, and had not been booted up beyond the password prompt (as it was password protected under XP or 2000). Thankfully, this appears to be more of a random burglary than someone looking to conduct identity theft on a massive scale.
Still, when we put on our security hats, we know that much more could be possible. Let's hope for a good outcome on this.
Stolen Laptop with info on 26 million Veterans recovered http://www.gcn.com/online/vol1_no1/41204-1.html
QUOTE: The Veterans Affairs Department said today that law enforcement officials had recovered the stolen laptop containing the personal data of more than 26 million veterans, and that initially it looks as though the data has not been accessed.
The FBI said in a statement that a preliminary review of the equipment by the computer forensics team has determined that the database remains intact and has not been accessed since the laptop was stolen.
-
These are rated as a "moderate risk" and proof-of-concept exploits have been developed.
New IE unpatched OuterHTML and HTA vulnerabilities http://secunia.com/advisories/20825/ http://www.incidents.org/diary.php?storyid=1448 http://www.frsirt.com/english/advisories/2006/2553
1) An error in the handling of redirections can be exploited to access documents served from another web site via the "object.documentElement.outerHTML" property.
2) An error in the handling of file shares can be exploited to trick a user into executing a malicious HTA application via directory traversal attacks in the filename. Successful exploitation requires some user interaction.
The vulnerabilities have been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
Solution: 1) Disable Active Scripting support. 2) Filter Windows file sharing traffic.
ISC Testing Note: Regarding the second vulnerability, what's interesting is that we were able to reproduce this even when using Mozilla FireFox.
-
Below is an updated list of recommendations, shared in the Sarbanes-Oxley forums ... To me, the cornerstones for success include: Planning, Training, and Commitment ... Wishing all those companies who must adopt these standards the utmost success.
SOME GENERAL RECOMMENDATIONS FOR SOX IMPLEMENTATION
1. Set up a Project Plan for meeting SOX compliancy requirements (Research and explore what is needed prior to doing anything). Good planning will pay dividends for establishing this process.
2. Get training right away. The core team and especially the leader of the process should invest a week or so in training. Consider attending a formal seminar away from work where you can focus and interact with other participants. This will create a good foundation for what's required.
3. Perform an inventory of all your IT applications. Identify all of your financial systems and look for any indirect relationships.
4. In conjunction with the inventory, examine the workflow and human factors surrounding financial processing.
5. After the inventory, perform a Risk Management study on all your financial applications (looking at possibilities that someone could either accidentally or intentionally alter financial records).
6. Look at ways of strengthening the Financial process and implement new controls (e.g., versioning, change management, and security)
7. Evaluate random sampling controls and requirements for your financial applications to setup a testing/sampling program on controls each quarter or month, depending on the needs.
8. Evaluate the SOX 404 standards for best practices associated with IT control improvements. Set up a plan to implement and improve standards. Evaluate the COBIT 4.0 standards for IT controls over financial applications (note that COBIT 3.0 is the minimal acceptance level)
9. Work closely with both internal and external auditors and gain their approvals for the work that will be done.
10. Set up an e-Library (electronic documentation library) to include all your SOX documents, test plans, communications, etc.
11. Make sure you obtain senior management support for the process. It is an important aspect for implementing change. They must also support the additional work, human resources, and costs that will be needed to gain compliancy.
12. After the initial process is implemented, continue to improve the SOX controls and keep up-to-date with changes in business and legal requirements.
-
The ISC has a good summary today of in-the-wild and POC exploits associated with the 3 areas of risk. These are not prevalent in the wild and staying up-to-date on AV protection will help. Most importantly, avoid all untrusted documents or URLs in email.
http://www.incidents.org/diary.php?storyid=1444
QUOTE: To help clearly identify the issues, exploit code and remedy related to the recently announced Excel vulnerabilities, I offer this humble correlation. This information comes from Microsoft, Mitre, and vigilant readers sending in tips. My thanks go to all.
CVE-2006-3059 aka "Excel Repair Mode" http://www.microsoft.com/technet/security/advisory/921365.mspx
Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B
CVE-2006-3086 aka "Long Hyperlink" http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Exploited by: Urxcel.A, and three known public exploit code examples
CVE-2006-3014 aka "Shockwave vulnerability" Exploited by proof of concept code Flemex.A ... The workaround is a killbit
-
FrSIRT noted developments for MS06-025 and revised their status from "Green" to "Yellow" overnight. The MS06-025 exploit impacts W/2000 users but not XP SP2 users. Hopefully, there won't be the in-the-wild attacks they are anticipating now that the exploit code has been publicly released.
Everyone should be on the latest security patches and continue to avoid untrusted Excel documents until Microsoft patches these vulnerabilities.
Microsoft Windows Exploits Out - FrSIRT CTL™ Raised to Level 2 http://www.frsirt.com/english/threats/
Microsoft Windows Routing and Remote Access Code Execution Issues (MS06-025) http://www.frsirt.com/english/advisories/2006/2323
Quote: Two remote code execution exploits that take advantage of vulnerabilities affecting Windows have been publicly released.
The first code targets a critical Windows Remote Access Connection Manager vulnerability (MS06-025) addressed last week. Microsoft Windows 2000 systems are primarily at risk from this exploit.
The second code exploits the recently disclosed Windows / Excel memory corruption (0day) and opens a command shell on port 4444 when a specially crafted link is clicked.
FrSIRT Current Threat Level has been raised to ELEVATED (Level 2/4) ... We should expect to see active exploitation of these vulnerabilities in the wild within a few hours. Published : 2006.06.22 - 11:12:55 UTC
-
This new threat uses advanced techniques to hide its presence on an infected system.
Mailbot.AZ - manipulates NTFS ADS and includes kernel mode root kit http://www.f-secure.com/weblog/archives/archive-062006.html#00000907
QUOTE:
Let's take Mailbot.AZ (aka Rustock.A) as an example. There's only a single component lying on the disk, and that is a kernel-mode driver. It's stored as hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving your data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that's not readily visible, it's very likely that many security products will have a tough time dealing with this one.
We've just released a new version of our BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.
Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named "services.exe". The payload is a Spamtool with backdoor capabilities.
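As an added defender-side check (not code from any of the posts or vendors quoted above), the following PowerShell 3.0+ script audits a Windows host for the two indicators described on this page: the "wgavn" service from the Cuebot-K entry and a data stream attached to the system32 directory from the Mailbot.AZ entry. The service and display names are taken from the Sophos description quoted earlier; the registry path and the cmdlets used are standard Windows, and the script is otherwise an assumption of how one would check.

```powershell
# Added example: audit for the Cuebot-K service and a Mailbot.AZ-style ADS on system32.
# Run from an elevated PowerShell 3.0+ session. A kernel-mode rootkit can filter what a
# live system reports, so a clean result means "nothing visible"; repeat the check from
# boot media when the host is suspect.

$findings = @()

# 1. Service check: match on the service name and on the display name, since a variant
#    could rename the binary but keep the convincing display string.
$suspectName    = 'wgavn'
$suspectDisplay = 'Windows Genuine Advantage Validation Notification'
Get-CimInstance Win32_Service | ForEach-Object {
    if ($_.Name -eq $suspectName -or $_.DisplayName -eq $suspectDisplay) {
        $findings += "Service $($_.Name) ('$($_.DisplayName)') start=$($_.StartMode) path=$($_.PathName)"
    }
}

# The Services registry key outlives a service that has been stopped or whose binary
# was deleted, so check it as well.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wgavn'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey).ImagePath
    $findings += "Registry key $svcKey present, ImagePath=$img"
}

# 2. ADS check on the system32 directory itself. A directory normally carries no named
#    streams, so anything other than the unnamed ':$DATA' stream deserves a look.
$dir = Join-Path $env:SystemRoot 'system32'
$streams = Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue
foreach ($s in $streams) {
    if ($s.Stream -ne ':$DATA') {
        $findings += "ADS on directory ${dir}: '$($s.Stream)' ($($s.Length) bytes)"
    }
}

if ($findings.Count -eq 0) {
    'No visible indicators (services, registry, system32 ADS).'
} else {
    $findings
}
```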
-
Only trained IT professionals testing their own networks should use these tools. nmap was purposely excluded from the list but would otherwise belong on it as well. Each tool should be carefully assessed before using it in network penetration tests. Still, it's beneficial to test with some of the same tools that are used by the hacker community to ensure technical defenses are in place at all points.
http://SecTools.Org/
http://www.incidents.org/diary.php?storyid=1438
-
I've been using Opera as one of my complementary browsers for a number of years. While they enjoy a good security track record, a day after the release, a new proof-of-concept vulnerability has surfaced which can trigger a denial of service attack (i.e., this is a minor security risk where the browser might hang for an extraordinary length of time).
Opera 9 - New Denial of Service POC vulnerability http://www.incidents.org/diary.php?storyid=1436
QUOTE: Well, it didn't take long. Yesterday, Opera 9 came out, today there is a proof of concept for a long href denial of service exploit. No word on when a patch will be available.
-
http://www.opera.com/index.dml http://www.opera.com/pressreleases/en/2006/06/20/ http://www.opera.com/download/
QUOTE: Opera Software today released Opera 9, its newest Web browser for PCs. You can download it free in more than 25 languages for Windows, Mac, Linux and other platforms from www.opera.com. Opera 9 enhances the way you access, share and use online content by including innovative widgets - fun, small and useful Web programs - and support for BitTorrent™, the popular file distribution technology. Even while adding these improvements, Opera 9 maintains the security and speed millions of Opera fans have come to expect.
Secure browsing is still the single most important attribute of any Web browser. Opera has a long track record of keeping you safe while online. By introducing the security bar to prevent scams like phishing and strengthening Opera 9's pop-up blocker to weed out annoying or potentially malicious pop-ups, Opera gives you new options for safe browsing.
-
A new vulnerability has surfaced with a proof-of-concept exploit. So far, there are no documented reports of this being exploited in the wild. Users should remain cautious with untrusted email attachments, just in case this is spammed by email later. Microsoft is working on patches for Excel as noted in their blog entries.
Microsoft Information http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Microsoft Office Long Link Buffer Overflow Vulnerability http://secunia.com/advisories/20748/ http://www.frsirt.com/english/advisories/2006/2431
QUOTE: The vulnerability is caused due to a boundary error in hlink.dll within the handling of Hyperlinks in e.g. Excel documents. This can be exploited to cause a stack-based buffer overflow by tricking a user into clicking a specially crafted Hyperlink in a malicious Excel document. The vulnerability has been confirmed in Microsoft Excel 2003 SP2 (fully updated). Other versions and Office products may also be affected.
-
This new virus is not widespread in the wild and all .NET users should stay up-to-date on virus protection.
http://secunia.com/virus_information/30015/msil.kolilo/
MSIL.Kolilo is a polymorphic virus that infects .exe files under the Microsoft .NET Framework. This virus only executes on systems where Microsoft .NET framework is installed. The said installation is a component of the Windows operating system used to manage and provide pre-coded requirements to programs made specifically for the Windows platform.
-
It's important to avoid all suspicious email messages, as a new virus has appeared that uses the World Cup Soccer tournament as a social engineering approach.
Sixem email virus - World Cup Soccer theme http://secunia.com/virus_information/30033/sixem.a
W32.Sixem.A@mm is a mass-mailing worm that sends email messages regarding the World Cup.
-
So far, results have been good for the large number of security updates. MS06-025 may impact some users who are using older connectivity software as noted in the links below.
MS06-025 Security Patch - May impact dial up scripting http://www.incidents.org/diary.php?storyid=1423 http://blogs.technet.com/msrc/archive/2006/06/17/436882.aspx http://support.microsoft.com/kb/911280
QUOTE: So far there've been no issues with a vast majority of the updates, but one issue we are tracking has to do with MS06-025, very specifically related to dial up users that use dial up scripting, a very old piece of functionality not widely in use anymore. (Users using dial up for Internet or Remote Access Services who do not use dial-up scripting or terminal windows are unaffected.)
-
Windows XP SP1 will no longer be supported by Microsoft after October 10, 2006. It is important to move to Service Pack 2 which can be downloaded from Microsoft's web site. Dial up users can obtain the CD by ordering it from Microsoft. While the CD is free, there is a shipping & handling charge.
IT Professionals should help get their friends and family who may not be aware of this issue to this more secure version of Windows.
Order Windows XP Service Pack 2 on CD
QUOTE: Thank you for your interest in the Windows XP Service Pack 2 CD. This CD includes the same Service Pack 2 software that is available for download from Microsoft Update.
Note: A shipping and handling charge will be assessed on your order.
Share This CD with a Friend -- After you have installed Service Pack 2, Microsoft encourages you to give this CD to a friend or family member using Windows XP.
-
This FAQ provides a good summary related to the new 0 Day vulnerability which is being exploited in spam email. Avoid all untrusted Excel spreadsheets found in email messages and keep your anti-virus software up-to-date until Microsoft has a security patch to address this new issue. So far, this new threat is not prevalent in the wild.
Securiteam Blogs -- FAQ on Excel 0 Day Vulnerability http://blogs.securiteam.com/index.php/archives/451
Good Security Resource to Bookmark http://www.securiteam.com/
-
Dr. Jesper Johansson's article in the July 2006 edition of TechNet Magazine is EXCELLENT in highlighting the importance of security education for users as part of the "process".
Article: Help Wanted—Need "People" People
QUOTE: Empower People -- I firmly believe that writing off people is wrong. People are incredibly smart when you get right down to it. They have learned some extremely complicated things, like walking, talking, reading, even driving cars without crashing into things all that often. There is no reason to believe they could not be taught to make more intelligent security decisions. I am not saying they should become security experts; only that they need to learn that sending a blank, signed check to an unknown recipient is probably not a good idea.
-
Over a year ago, Microsoft introduced a valuable service to home users and others who may be less protected than corporate users. During each "Patch Tuesday" release this tool is updated to clean some of the most prominent threats impacting Windows.
Windows Malicious Software Removal Tool -- Removing a lot of malware
QUOTE: The MSRT has removed 16 million instances of malicious software from 5.7 million unique Windows computers over the past 15 months. On average, the tool removes at least one instance of malware from every 311 computers it runs on.
-
Users should be cautious with all unusual attachments from unexpected or suspicious email, including Excel documents where a new attack has recently surfaced. Microsoft is working on this issue as noted in the MSRC blog.
Mdropper.J - Zero Day Excel based Exploit http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx http://secunia.com/advisories/20686/ http://www.frsirt.com/english/advisories/2006/2361
Mdropper.J - Links related to New Trojan Horse http://www.frsirt.com/english/virus/2006/04533 http://www.symantec.com/avcenter/venc/data/trojan.mdropper.j.html
QUOTE: Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (note that opening it out of email will prompt you to be careful about opening the attachment) So remember to be very careful opening unsolicited attachments from both known and unknown sources.
Technical Description: A vulnerability has been identified in Microsoft Excel, which could be exploited by attackers to take complete control of an affected system. This flaw is due to an unspecified error when processing a specially crafted document, which could be exploited by attackers to execute arbitrary commands by convincing a user to open a malicious file.
Affected Products: Microsoft Excel 2000-2003, Office 2000-2003
Zero Day Excel based Exploit: This 0day vulnerability is currently being exploited in the wild by Trojan.Mdropper.J
-
All users should patch their systems expediently, as some of these exploits could be crafted into viruses.
Microsoft June Security Updates - New Exploits Surfacing http://www.incidents.org/diary.php?storyid=1415
After yesterday's patchday, we start to receive a number of reports about newly released exploits for vulnerabilities announced on Tuesday. Here is a quick list of what we have seen so far:
MS06-024: Windows Media Player -- Exploit released by penetration testing vendor to customers.
MS06-025: RRAS -- Exploit released by penetration testing vendor to customers.
MS06-027: Word remote code execution -- Exploit available before release of patch.
MS06-030: SMB Privilege Escalation -- Two exploits released to the public.
MS06-032: IP Source Routing Exploit -- DoS exploits released privately (trivial exploit)
-
As shared by the Internet Storm Center, always avoid clicking on URLs in suspicious email messages.
E-mails with malicious links targeting Australia http://www.incidents.org/diary.php?storyid=1417
We've received a couple of reports about e-mails being spammed which contain browser exploits. What's interesting about this is that they are targeting Australia.
The URL contains an obfuscated JavaScript. The JavaScript code will check which browser the user is running and will redirect him to the appropriate exploit, served by a CGI script. The JavaScript will also detect if a user is running Service Pack 2, and append that information as a CGI parameter as well.
The following Internet Explorer vulnerabilities are exploited: MS03-011, MS06-006, MS06-014. And one Mozilla FireFox vulnerability is exploited as well: MFSA2005-50
For FireFox users, there is a good add-on tool for preventing malicious JavaScripts. The add-on tool is called "NoScript". You can find more information at the following site: https://addons.mozilla.org/firefox/722/
QUOTE: TEXT OF MALICIOUS EMAIL MESSAGE
"People starting panic withdrawals, some of the accounts were reported closed due to technical reasons, many ATMs are not operating. Does it seem that one of the Australia's greatest goes bankrupt? The full story could be found here: <URL> Well, hope that isn't true... Anyway You'd rather check your balance..."
-
The June updates required over 20MB of downloading to accomplish all the Windows, IE, and Office patches. There are several critical updates including a patch to Word where a zero day exploit had surfaced in the past couple of weeks.
Microsoft Security Bulletin Summary for June, 2006 http://www.microsoft.com/technet/security/bulletin/ms06-jun.mspx