Tag Archive | "Microsoft"

PSN update now live across the U.S., go change your password now

In case you missed it — and you very well might have considering what time this ball got rolling — Sony has officially flipped the switch on the PlayStation Network, restoring service in a limited capacity, as a gradually filling map of the United States charted the progress of the rollout through the night. The map is now fully green, which means firmware update version 3.61 is now available for download to all U.S. users. In addition to online gameplay, the update brings back video rental playback, Music Unlimited on Qriocity, Netflix/Hulu access, Friends Lists, chat, Trophy comparison and PlayStation Home.

The update is a zippy download and installation as of 9:30 a.m. eastern time today, taking no more than 10 minutes to load into your console and do its thing. We’ll see if that changes as more of the country wakes up and tries to bring PS3s back online. In order to complete the update installation, you’ll need to change your password. Not that you wouldn’t want to, since… you know… your private information was compromised and stuff. That said, the real safeguards built into 3.61 are presumably under the hood, since even the most complex password won’t do you a lick of good if all of your info is stolen from the network servers again.

Sony no doubt wants to put this whole unfortunate affair behind it, but there will very likely need to be an extended healing period before consumer confidence can be restored. “Welcome Back” promotions and the like are all well and good, but only time is going to make this mess go away. Look at Microsoft and the whole “Red Ring of Death” circus; slightly different situation but with a similar reach. Both companies made mistakes before stepping up and doing what needed to be done; like Microsoft, Sony’s got a large enough user base that a return to business as usual is a certainty, even if it does take some time.

After all, that new Call of Duty: Black Ops map pack is going to come to PSN at SOME point.

Posted in Security

Silverlight Update Available (Thu, Apr 21st)

Microsoft has issued a security patch for Silverlight, KB2526954. It fixes several security issues. However, the Microsoft link to KB2526954 is still not live. If you have Microsoft Update running, the patch is ready to install. It is rated as important and will auto-install.

Direct download http://go.microsoft.com/fwlink/?LinkID=149156

– Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Posted in Security

Infiltrate 2011 and Offensive Security

Security researchers from around the world are digesting the weekend’s fare at Infiltrate2011, organized by security outfit Immunity. “No policy or high-level presentations, just hardcore thought-provoking technical meat” was promised, and presenters served it up sizzling.

The sessions folded in a variety of topics, slicing up current offensive security issues with some defensive interest mixed in. Discussions ranged from technical wizardry attacking hardened Linux kernels to general network exploration and reconnaissance. Infiltrate2011 itself follows somewhat on the Blackhat/Defcon conference model, but without the corporate marketing of those conferences. The peer-reviewed set of presentations and research, sponsored by one of the best-known offensive security/penetration testing groups in the business, sets a high and undistracted bar for the level of technical content. The final agenda is listed here.

There are too many interesting sessions from the two days to mention in this space; some are mentioned here. Nico Waisman began the conference with a discussion of strategic surprise, understanding the exploitation domain, and a review of the past couple of decades of offensive security research. He discussed the lack of novelty and the sloppiness in many attacks today, driven by money and politically motivated interests, and compared them against the elegant, artistic pursuits of researchers like Solar Designer and others from the 90s. And when the going gets tough, the tough got EIP: Chris Valasek and Ryan Smith carved up exploit development details for the recent overflow bug in Microsoft’s FTP server, reported as “unexploitable”, showing it to be a limited but usable 0day enabling remote code execution. Tarjei Mandt dished out Windows kernel attack technique details that most likely will be with us for years, and Cesar Cerrudo fired up Windows service protection flaws and attacks that have been present for years and should be present for some time to come. On the mobile side, Bas Alberts and Massimiliano Oldani pored over the Android attack surface, while Sean Heelan and Agustin Gianni stirred up some tricks for attacking the WebKit browser heap. Instead of the usual big corporation names, breaks were sponsored by SADMIND, MS09-050 and LSASS.

Some of the talks were preceded with “we assume that you read and understand our last 80 page paper published on heap exploitation” or similar, leading to the in-depth technical meat you would expect from a quality group.

Posted in Kaspersky

KB2506014 kills TDL4 on x64

Not so long ago, Microsoft released a security patch addressing the way Windows x64 operating systems check the integrity of loaded modules. In our recent report (The Evolution of TDL4: Conquering x64) we described a method used by the TDL4 bootkit to load its malicious unsigned driver on 64-bit systems, even though those systems enforce a kernel-mode code signing policy. The new security update is intended to fix the “feature” (vulnerability) in x64 OSes (Windows Vista and later) exploited by TDL4.

On unpatched systems there are three BCD (Boot Configuration Data) options that determine the way the OS checks integrity of the kernel-mode modules:

  • BcdLibraryBoolean_DisableIntegrityCheck – instructs the system to disable kernel-mode code integrity checks (used for debugging purposes, for instance)
  • BcdOSLoaderBoolean_WinPEMode – instructs the system to disable kernel-mode code integrity checks (switched on when the OS is loaded in preinstallation mode); exploited by TDL4
  • BcdLibraryBoolean_AllowPrereleaseSignatures – instructs the system to use special prerelease digital certificates to verify the digital signatures of kernel-mode modules

On a patched system only two of these are left: BcdLibraryBoolean_DisableIntegrityCheck and BcdLibraryBoolean_AllowPrereleaseSignatures. The BcdOSLoaderBoolean_WinPEMode option is no longer used in the initialization of the code integrity policy. The routine BlImgQueryCodeIntegrityBootOptions in winload.exe returns the value that determines the code integrity policy. The figure below shows the patched BlImgQueryCodeIntegrityBootOptions routine.

Here we notice that BcdOSLoaderBoolean_WinPEMode is no longer used (as it was in the unpatched routine), and therefore TDL4’s trick of substituting kdcom.dll won’t work.

Only one kernel-mode module is patched in the security update: kdcom.dll. This reinforces the conjecture that the security update specifically addresses TDL4 infection. As we already know, TDL4 replaces the kdcom.dll library with its own malicious component at boot time. The bootkit identifies kdcom.dll by the size of its export directory (it is compared with 0xFA):

In the patched version of kdcom.dll, the size of the export directory has changed. If we look into its export directory (figure below) we notice that an exported symbol, KdReserved0, has been added which is not present in the unpatched library.

This function is added with only one obvious purpose: to increase the size of the export directory and as a result prevent the TDL4 bootkit from replacing it.
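The two fields the post hinges on, the export data directory size in the PE optional header and the list of exported names, can be read with a short parser. The script below is an added example, not code from the ESET post or from Microsoft. It builds its own minimal PE32+ test images rather than reading a real kdcom.dll; the eight export names are assumed from public documentation of the unpatched library, and KdReserved0 is the name the post gives for the added export. With those eight names the computed export directory size comes to exactly 0xFA (a 40-byte directory, 10 bytes of table entries per export, plus the NUL-terminated DLL and function names), and adding the ninth export moves it to 0x110.

```python
"""Constructed example: read a PE's export directory size and exported names.

The size lives in the optional header's export data directory; the bootkit
described above compares that value with 0xFA to recognise kdcom.dll.
Standard library only.
"""
import struct

DOS_E_LFANEW = 0x3C
OPT_MAGIC_PE32PLUS = 0x20B
TDL4_KDCOM_EXPORT_SIZE = 0xFA   # value the post says TDL4 compares against

# Exports of the unpatched kdcom.dll (assumed from public documentation).
KDCOM_EXPORTS = ["KdD0Transition", "KdD3Transition", "KdDebuggerInitialize0",
                 "KdDebuggerInitialize1", "KdReceivePacket", "KdRestore",
                 "KdSave", "KdSendPacket"]


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x maps to no section" % rva)


def parse_export_directory(pe):
    """Return (export directory size, list of exported names) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off, = struct.unpack_from("<I", pe, DOS_E_LFANEW)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    opt = pe_off + 24                       # optional header follows the COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == OPT_MAGIC_PE32PLUS else 96)
    export_rva, export_size = struct.unpack_from("<II", pe, dirs)  # directory 0 = export
    sec = opt + opt_size
    sections = []
    for i in range(nsections):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", pe, sec + i * 40 + 8)
        sections.append((va, vsize, raw, rawsize))
    if export_rva == 0:
        return 0, []
    d = _rva_to_offset(export_rva, sections)
    n_names, = struct.unpack_from("<I", pe, d + 24)
    names_rva, = struct.unpack_from("<I", pe, d + 32)
    names_off = _rva_to_offset(names_rva, sections)
    names = []
    for i in range(n_names):
        s_rva, = struct.unpack_from("<I", pe, names_off + i * 4)
        s = _rva_to_offset(s_rva, sections)
        names.append(pe[s:pe.index(b"\0", s)].decode("ascii"))
    return export_size, names


def matches_tdl4_size_check(pe):
    """True when the export directory size equals the value TDL4 looks for."""
    return parse_export_directory(pe)[0] == TDL4_KDCOM_EXPORT_SIZE


def build_dll(dll_name, exports, base_rva=0x1000):
    """Construct a minimal PE32+ DLL whose only section is an export directory
    (test data for the parser, not a real Windows binary)."""
    n = len(exports)
    strings = b"".join(s.encode("ascii") + b"\0" for s in [dll_name] + exports)
    funcs_rva = base_rva + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    export_size = str_rva + len(strings) - base_rva
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n,
                        funcs_rva, names_rva, ords_rva)
    edata += b"\0" * (4 * n)                                # function RVAs (unused here)
    name_rva = str_rva + len(dll_name) + 1
    for s in exports:
        edata += struct.pack("<I", name_rva)
        name_rva += len(s) + 1
    edata += b"".join(struct.pack("<H", i) for i in range(n)) + strings
    raw = edata + b"\0" * (-len(edata) % 0x200)
    dos = b"MZ" + b"\0" * (DOS_E_LFANEW - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", OPT_MAGIC_PE32PLUS, 14, 0,
                      0, len(raw), 0, 0, base_rva, 0x180000000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, base_rva + len(raw), 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", base_rva, export_size) + b"\0" * (8 * 15)
    sect = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(edata), base_rva,
                                       len(raw), 0x200, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + sect
    return headers + b"\0" * (0x200 - len(headers)) + raw


if __name__ == "__main__":
    for label, exports in (("unpatched", KDCOM_EXPORTS),
                           ("patched", KDCOM_EXPORTS + ["KdReserved0"])):
        size, names = parse_export_directory(build_dll("kdcom.dll", exports))
        print("%s: export directory size 0x%X, %d names, TDL4 match: %s"
              % (label, size, len(names), size == TDL4_KDCOM_EXPORT_SIZE))
```

Against a real file, `parse_export_directory(open(path, "rb").read())` does the same work; a kdcom.dll that returns a size other than 0xFA and lists KdReserved0 carries the patched export table described above.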

The security update won’t necessarily help users who have already been infected with the bootkit as TDL4 blocks the Windows Update service on x86 machines. As a result, infected x86 machines won’t be able to download and install the patch automatically. On an x64 OS things are rather different and the Windows Update Service is not blocked by the bootkit, so the security update can be downloaded and installed.

Although the patch helps with this particular case it doesn’t solve the problem in general. There are other ways of penetrating into kernel-mode address space on x64 operating systems, for instance, as in the case of the Chinese bootkit which is detected as NSIS/TrojanClicker.Agent.BJ (VirusTotal). This uses quite a different approach to load its unsigned driver.

Eugene Rodionov, Malware Researcher
Aleksandr Matrosov, Senior Malware Researcher

Posted in ESET

Adobe to Patch Flash Zero Day on Windows, Mac on Friday

Adobe is planning to patch the recently disclosed Flash Player vulnerability on Friday for users on Windows, Mac OS X and Linux. The vulnerability is currently being used in targeted attacks that rely on malicious Word documents.

Adobe said on Wednesday night that it plans to push out the Flash Player patch for Google Chrome today, as part of the Chrome release channel. A separate patch for Adobe Acrobat X for Windows and Mac, Reader X for Mac and Reader 9.x for Windows and Mac is scheduled for April 25.

The company is planning to wait until June to release a patch for the Flash Player bug in Reader X for Windows because the sandbox in that application prevents exploitation of the vulnerability. The patch for Chrome will be available earlier than the others thanks to Adobe’s relationship with Google.

“During our response to any zero-day vulnerability, Adobe seeks to protect as many users as quickly as possible. As part of our collaboration with Google, Google receives updated builds of Flash Player for integration and testing. Once testing is completed for Google Chrome, the release is pushed via the Chrome auto-update mechanism. Adobe is testing the fix across all supported configurations of Windows, Macintosh, Linux, Solaris and Android (more than 60 platforms/configurations altogether) to ensure the fix works across all supported configurations. Typically, this process takes slightly longer and, in this case, is expected to complete on April 15 for Flash Player for Windows, Macintosh, Linux and Solaris,” the company said in a statement.

When they disclosed the vulnerability earlier this week, Adobe officials warned customers that the vulnerability was already being used in targeted attacks that were leveraging malicious Flash files embedded in Microsoft Word documents. Microsoft security engineers analyzed the attacks and found that the attackers are using a complex exploit routine to build shellcode and then inject the exploit code into the Flash Player.

Posted in Kaspersky

Analysis of the New Adobe Flash Attacks

When Adobe warned customers earlier this week about a newly discovered vulnerability in the Flash Player software, company officials said that there were already attacks underway against the bug. Those attacks use malicious Flash files buried in Word documents, and Microsoft’s security engineers have analyzed the exploits and found some interesting details.

This is the second serious Flash vulnerability in recent weeks that attackers have targeted through the use of malicious Office files. In a previous round of attacks, hackers were going after an earlier Flash zero day with rigged Excel files. This time, Microsoft officials said, not only is the bug different, but so is the attack. Though both attacks use malicious Office files to trick users, the details are dissimilar.

The attack reaches the user as a spam message, often with a subject line referencing the Fukushima nuclear disaster, carrying a malicious Word document as an attachment.

“Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously,” Marian Radu, Daniel Radu and Jaime Wong of the Microsoft Malware Protection Center wrote in an analysis of the Flash exploit attempts.

“In order to exploit this vulnerability the attackers packaged the AVM1 code inside an AVM2 based Flash file. The latter is embedded inside the Word document and assigned with setting up the exploitation environment. Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled.”

The next step is the construction of the shellcode, which in turn then loads the Flash exploit code inside the Flash Player.

“The AVM1 code that triggers this vulnerability is loaded as a separate SWF file, converted from a hex-encoded embedded string and executed,” the researchers said.

The shellcode performs some other tasks, as well, including installing a benign Word document on the compromised machine as a way of hiding the original malicious file.

This attack method is essentially the one that the attackers used to compromise RSA last month and steal some data related to the company’s SecurID product line.
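The hex-encoded embedded SWF string mentioned in the analysis above is something a file scanner can look for directly, since the SWF signature bytes ("FWS" or "CWS") become a fixed ASCII run once hex-encoded. The script below is an added example, not code from the Microsoft or Kaspersky analyses: it finds hex-encoded SWF headers in a byte blob, decodes each candidate, checks the declared length and, for zlib-compressed CWS files, that the compressed stream is complete. The carrier document it scans is constructed inline, and the function names are my own.

```python
"""Constructed example: locate hex-encoded SWF files inside a document blob.

A SWF starts with "FWS" (uncompressed) or "CWS" (zlib-compressed body), one
version byte and a little-endian uncompressed length that counts the 8-byte
header. Hex-encoded, the signatures become the ASCII runs 465753 / 435753.
"""
import re
import struct
import zlib

# A signature followed by at least one more hex pair; case-insensitive.
HEX_SWF = re.compile(rb"(?i)(?:465753|435753)(?:[0-9a-f]{2})+")


def find_hex_encoded_swfs(data):
    """Return one record per plausible hex-encoded SWF found in data."""
    found = []
    for m in HEX_SWF.finditer(data):
        raw = bytes.fromhex(m.group().decode("ascii"))
        if len(raw) < 8:
            continue
        compressed = raw[:3] == b"CWS"
        declared_len, = struct.unpack_from("<I", raw, 4)
        if compressed:
            try:
                d = zlib.decompressobj()
                body = d.decompress(raw[8:])
                complete = d.eof            # the zlib stream ended inside the run
            except zlib.error:
                continue                    # hex run that merely resembles a header
        else:
            body = raw[8:declared_len]
            complete = len(raw) >= declared_len
        found.append({
            "offset": m.start(),
            "compressed": compressed,
            "version": raw[3],
            "declared_len": declared_len,
            "body_len": len(body),
            "complete": complete and len(body) + 8 == declared_len,
        })
    return found


def make_swf(body, compress=False, version=8):
    """Build a structurally valid SWF header around an arbitrary body (constructed)."""
    sig = b"CWS" if compress else b"FWS"
    payload = zlib.compress(body) if compress else body
    return sig + bytes([version]) + struct.pack("<I", 8 + len(body)) + payload


def make_sample_document():
    """Constructed carrier: two hex-encoded SWFs between filler bytes."""
    swf1 = make_swf(b"\x44\x11\x08\x00" * 5)                    # 20-byte fake tag stream
    swf2 = make_swf(bytes(range(32)), compress=True, version=10)
    return (b"Fukushima update\n<script>var s = \"" + swf1.hex().encode("ascii")
            + b"\";</script>\xde\xad" + swf2.hex().encode("ascii").upper()
            + b" tail")


if __name__ == "__main__":
    for rec in find_hex_encoded_swfs(make_sample_document()):
        print(rec)
```

The length check matters: a document that happens to contain the six hex digits of a signature will not produce a complete record unless a correctly sized SWF body follows, which keeps the false-positive rate of a signature this short manageable.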

Posted in Kaspersky

New Zero-Day Attack in Adobe Products (CVE-2011-0611)

Last month, Adobe released a security advisory (APSA11-01) and a product update for a critical flaw affecting Flash Player and the vulnerable authplay.dll component of Adobe Reader and Acrobat. That vulnerability (CVE-2011-0609) was exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.

Yesterday, Adobe released another security advisory, APSA11-02, alerting users about the same critical flaw affecting Flash Player and the vulnerable authplay.dll component of Adobe Reader and Acrobat. This vulnerability is currently being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment.

The vulnerability (CVE-2011-0611) could cause the affected applications to crash and could be used to run arbitrary code. This means that the malicious files could be downloaded or dropped on the affected system.

Adobe currently is finalizing a schedule for releasing updates for the products affected.

Affected software versions

  • Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 10.2.154.25 and earlier for Chrome users
  • Adobe Flash Player 10.2.156.12 and earlier for Android
  • The Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by this issue.

ActnS/CVE-2011-0611!exploit is a detection for SWF files capable of exploiting a vulnerability in Adobe Flash Player 10.2.153.1 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.2.154.25 and earlier for Chrome users, Adobe Flash Player 10.2.156.12 and earlier for Android.

This 0-day vulnerability was spotted in the wild, and an earlier report indicates that a maliciously crafted Microsoft Word document (176,144 bytes) arrives via email sent only to its targeted victims.

The embedded malicious SWF contains ActionScript code that is used to fill the heap with a NOP sled.

The screenshot in Figure 1 shows the decoded ActionScript; the highlighted portion is the shellcode:

[Figure 1 - Malicious ActionScript]

[Figure 2 - Sample injected Shell Code]

The payload is embedded in the Microsoft Word file.

Inspecting the file, you may notice that even though it seems to contain another executable, you cannot spot the MZ header or PE header. That’s because the embedded file is encrypted using a simple XOR. The purpose of this routine is to bypass anti-virus engines that scan for embedded executables.
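The XOR obfuscation described above is simple enough that an analyst can undo it by trying every single-byte key and looking for the executable headers that are hidden. The script below is an added example, not code from the CA post: it XOR-decodes a blob under each of the 256 keys and reports the offsets where a DOS header with a sane e_lfanew and a PE signature appears. The carrier document is constructed inline, and the function names and decoy text are my own.

```python
"""Constructed example: find a single-byte-XOR-obfuscated PE executable inside
a document, the kind of hidden payload described above (no MZ/PE visible).

Every key 0..255 is tried; a hit requires both the "MZ" stub and, at the
e_lfanew offset the decoded DOS header points to, the "PE\\0\\0" signature.
"""
import struct


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (translation table: fast for large files)."""
    return data.translate(bytes(b ^ key for b in range(256)))


def find_xor_pe(data):
    """Return (key, offset, e_lfanew) for every embedded PE found under any key.
    Key 0 covers an executable stored in the clear."""
    hits = []
    for key in range(256):
        plain = xor_bytes(data, key)
        start = 0
        while True:
            off = plain.find(b"MZ", start)
            if off < 0 or off + 0x40 > len(plain):
                break
            start = off + 1
            e_lfanew, = struct.unpack_from("<I", plain, off + 0x3C)
            pe = off + e_lfanew
            # a sane e_lfanew plus the PE signature rules out chance "MZ" pairs
            if 0x40 <= e_lfanew < 0x1000 and plain[pe:pe + 4] == b"PE\0\0":
                hits.append((key, off, e_lfanew))
    return hits


DECOY_PREFIX = b"Disentangling Industrial Policy and Competition Policy.doc -- decoy text; "
DECOY_SUFFIX = b" -- trailing document content"
SAMPLE_KEY = 0x5A    # constructed key for the sample document


def make_pe_stub():
    """Smallest byte string that passes the MZ/e_lfanew/PE checks (constructed)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew -> 0x40
    return dos + b"PE\0\0" + b"\x64\x86" + b"\0" * 18             # x64 machine, padding


def make_sample_document():
    """Decoy text around the stub XORed with SAMPLE_KEY, as a dropper might store it."""
    return DECOY_PREFIX + xor_bytes(make_pe_stub(), SAMPLE_KEY) + DECOY_SUFFIX


if __name__ == "__main__":
    doc = make_sample_document()
    print("MZ visible in the clear:", b"MZ" in doc)
    for key, off, e_lfanew in find_xor_pe(doc):
        print("PE found: key=0x%02X offset=%d e_lfanew=0x%X" % (key, off, e_lfanew))
```

Once the key and offset are known, `xor_bytes(doc[off:], key)` yields the embedded executable for hashing and signature matching; a real dropper may also use multi-byte keys or a rolling XOR, which this single-byte search will not find.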

[Figure 3 - Malicious Executable Embedded]

It will then execute the non-malicious file “Disentangling Industrial Policy and Competition Policy.doc” so that users are unaware that their machine has been compromised.

[Figure 4 - Non Malicious Microsoft Word Document]

Reference:

http://www.adobe.com/support/security/advisories/apsa11-02.html

CA detections related to this attack are W97M/CVE-2011-0611!dropper, ActnS/CVE-2011-0611!exploit, Win32/Smalldoor variant and Win32/Poison variant.

To help protect your machines from being infected, never open any files from untrusted sources. This especially applies while the vulnerability remains unpatched. And of course, always update your CA Security Product signature files!

Posted in CA Technologies

Building Reputation with Microsoft Security Essentials

Internet Explorer 9 includes a great new application reputation feature driven by SmartScreen. As described in this Building Reputation blog post by Ryan Colvin, SmartScreen uses file hashes and Authenticode signatures to identify publishers and applications. 

Microsoft Security Essentials has included reputation features since its initial release as well, although the reputation features aren’t visible to the user. Like SmartScreen, Microsoft Security Essentials (and its siblings Forefront Endpoint Protection and Windows Intune) uses Authenticode signatures and file hashes for reputation, but instead of identifying programs to the user, it identifies programs to the Microsoft Antimalware Engine. And our engine does some very interesting things.  

Microsoft Security Essentials needs to be fast, and the fastest way to scan a file is to actually not scan the file at all – reputation helps it do just that. When Microsoft Security Essentials first encounters a file, it performs a malware scan using all the technologies it needs to determine if the file is malicious. If the file is not malicious (which is hopefully the case), there’s a background check that happens later, using idle cycles to see if the file’s Authenticode signature or hash matches an internal list of trusted publishers and known clean files. If the file is on the list, it will be skipped in future scans, either on access or on demand. 

Next, Microsoft Security Essentials uses its internal reputation lists to control what information on unknown files it sends back to Microsoft, or what files it may ask users to submit to Microsoft for further analysis. Under the hood is a sophisticated runtime behavior-monitoring system, which looks for software acting suspiciously, like modifying an autorun.inf file to AutoPlay. The system is hooked up to our Dynamic Signature Service on the Internet, which can deliver detections as needed for fast-moving threats. Because of the need for speed and the fact that legitimate software will sometimes share behaviors with malware, that system will use the reputation lists to bypass files based on reputation. 

Finally, the Microsoft Malware Protection Center monitors our Authenticode certificate and file hash lists for malware detections. In the exceedingly rare event of a detection of a file on our lists, we investigate and may adjust our lists or work with vendors and Certificate Authorities as needed. 

How can developers get their applications added to the Microsoft Security Essentials reputation lists? The best way is using Authenticode signing on all binary files and download packages. For more information on signing, please see Eric Lawrence’s excellent post Everything you need to know about Authenticode Code Signing.  

Authenticode signing is key because it aggregates reputation for all your files, and applies your reputation to brand new files as well. Further, the Microsoft Malware Protection Center uses our telemetry to determine what to add to our reputation lists only.  

Authenticode signing doesn’t explicitly say anything about the safety of the signed code, as we in the MMPC know well, but it’s invaluable for determining reputation and separating legitimate code from known publishers from potentially dangerous code. As more code is signed, reputation-based systems like SmartScreen and that in Microsoft Security Essentials get better and better, and hiding malicious software gets harder and harder. So please, help your customers by signing your code and building reputation. 

Joe Faulhaber

Posted in Microsoft

Patchday: Fresh releases from Microsoft and Google

As announced last Friday, Microsoft released 3 Security Bulletins which deal with patches for 4 security vulnerabilities. One of them is rated critical and resides within the DirectShow framework for the Windows Media Player and Windows Media Center. Other security vulnerabilities which allow for remote code execution affect the Remote Desktop Client and Microsoft Groove. Users and administrators should make sure to install the updates soon.

Also, Google released yet another stable version of its Chrome web browser, version 10.0.648.127. In this release the developers closed 23 security holes; last week they had already fixed 18 vulnerabilities. This time, 15 of them are rated “high”, 3 medium and 5 low. Some additional features make the new version even more interesting: a new version of the JavaScript interpreter which is said to be faster, a sandboxed Adobe Flash Player in the Windows version of Chrome, and GPU-accelerated video playback, to name a few.

The new release is available via automatic update and thus should already be installed. To make sure you are using the latest version, click on the tool symbol in Chrome and then on “About Chrome”.

As the Mozilla developers also rushed out a new browser version a short time ago, one could assume that this has to do with the upcoming Pwn2Own contest at the CanSecWest security conference, where hackers can win cash prizes by breaking into a PC, for example via the web browser. In any case, since the new versions close security vulnerabilities that cyber crooks can abuse to hijack the computer, it is a good idea to install them ASAP!

Dirk Knop
Technical Editor

Posted in Avira

Microsoft announces 3 Security Bulletins

The Redmond company announced 3 security bulletins for the upcoming Patch Tuesday next week. These are meant to fix at least 4 security vulnerabilities. One flaw, which affects Windows from XP to Windows 7 as well as Windows Server 2008 R2, is rated “critical”, which means that attackers can smuggle in malware quite easily; a second bulletin deals with at least “important” vulnerabilities in the Windows operating systems. The third bulletin is about Microsoft Office: in Groove 2007 there is an “important” rated flaw to be fixed.

Users and administrators should prepare to install those updates as soon as possible upon release next Tuesday.

Dirk Knop
Technical Editor

Posted in Avira

Microsoft update for restricting the USB Autorun

Microsoft has released an “important, non-security update” (KB971029) that restricts Autorun entries in the AutoPlay dialog to CD and DVD drives only.

This update applies to Windows XP and Vista, i.e. versions prior to Windows 7.

Applying this update will help curb the malware that uses the Autorun feature, as mentioned in this blog.

We highly recommend the users to visit the below site and apply the patch urgently.
http://support.microsoft.com/?kbid=971029

Microsoft’s Patch Tuesday release also contains fixes for vulnerabilities in the Windows Graphics Rendering Engine, as well as a CSS vulnerability in Internet Explorer that could allow an attacker to gain remote code execution.

We request all users to keep their systems fully updated.

Posted in Quick Heal

Microsoft Windows SMB “mrxsmb.sys” Remote Heap Overflow Vulnerability

Technical Description

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers or malicious users to cause a denial of service or take complete control of a vulnerable system. This issue is caused by a heap overflow error in the “BowserWriteErrorLogEntry()” function within the Windows NT SMB Minirdr “mrxsmb.sys” driver when processing malformed Browser Election requests, which could be exploited by remote unauthenticated attackers or local unprivileged users to crash an affected system or potentially execute arbitrary code with elevated privileges.

Affected Products

  • Microsoft Windows XP Service Pack 3
  • Microsoft Windows XP Professional x64 Edition Service Pack 2
  • Microsoft Windows Server 2003 Service Pack 2
  • Microsoft Windows Server 2003 x64 Edition Service Pack 2
  • Microsoft Windows Server 2003 SP2 (Itanium)
  • Microsoft Windows Vista Service Pack 1
  • Microsoft Windows Vista Service Pack 2
  • Microsoft Windows Vista x64 Edition Service Pack 1
  • Microsoft Windows Vista x64 Edition Service Pack 2
  • Microsoft Windows Server 2008 (32-bit)
  • Microsoft Windows Server 2008 (32-bit) Service Pack 2
  • Microsoft Windows Server 2008 (x64)
  • Microsoft Windows Server 2008 (x64) Service Pack 2
  • Microsoft Windows Server 2008 (Itanium)
  • Microsoft Windows Server 2008 (Itanium) Service Pack 2
  • Microsoft Windows 7 (32-bit)
  • Microsoft Windows 7 (x64)
  • Microsoft Windows Server 2008 R2 (x64)
  • Microsoft Windows Server 2008 R2 (Itanium)

Workaround Solution

Block or filter UDP and TCP ports 137, 138, 139 and 445.

References

http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx

http://seclists.org/fulldisclosure/2011/Feb/285

Posted in Quick Heal

Windows Phone 7 update bricks some handsets – Microsoft in security middle ground

Microsoft tried to push an update to its newly released Windows Phone 7 this week and accidentally bricked some Samsung-branded handsets.

Microsoft has since pulled the update, but only for the Samsung Omnia handsets affected by the flaw. Even more embarrassing, the update was intended to improve the updating process and provided no enhancements for users of the phones.

If you have one of the affected devices, there are experimental instructions on how to recover your phone.

Microsoft has elected to centrally control the distribution of updates for the Windows Phone 7 platform, which ultimately puts them in a sort of middle ground. After an accident like this one, carriers may begin applying pressure on Microsoft to let them decide if and when handsets receive updates.

Why does this matter? Well, the smartphone landscape is quite diverse when it comes to how much control phone and operating system manufacturers have compared to the carriers.

At one end of the spectrum we have Apple and Research In Motion, the manufacturer of the BlackBerry devices. Both companies centrally control all software and updates they provide for their phones, and no one else produces the handsets. This enables a very rigorous QA process to find defects and allows Apple and RIM to ship fixes and updates to improve security on a more regular basis.

At the other end of the spectrum is the Android platform from Google. While Google produces what you might call a “reference design” OS, it is up to the manufacturers to customize and test it on their devices. There are many different companies producing Android phones for many different carriers.

Not only is the OS somewhat unique per device, but carriers are also producing their own customizations, further diversifying the variants of Android in the field.

This can be a real problem. When you need security updates, you must rely on Google to fix the bug, your device manufacturer to patch their custom OS, and your carrier to decide that they are willing to provide you with the fix. This is a huge security mess.

Microsoft has chosen a path right down the middle. Like Google, they are not producing handsets, but they are trying to create a centrally distributed operating system platform that they control.

From a security perspective this appears to be a solid approach, allowing Microsoft to ensure devices in the field are all able to consume patches when they make them available, but it does come with risk.

Because Microsoft is placing the burden of their software SNAFU on the carriers and manufacturers, I expect we’ll see a backlash against their preferred updating method. This incident could not have come at a worse time for them, as they are trying to enter a very competitive smartphone market in which any bad press could push consumers to better established brands.

For the latest information on the threats facing mobile users, check out our latest threat report.

Creative Commons image of phone brick courtesy of Riekus’s Flickr photostream.

Posted in Sophos

Hide Your Real Email Address With Hotmail

Lots of people have multiple email addresses: one for work, one for personal use, and then one or two that might be called "spam-catcher" addresses — used for low-priority e-commerce transactions, sharing on public Web sites (like comment boards), or communications with people or organizations whom you don’t trust to keep your real email address private.

The problem with these spam-catcher accounts is that they require more maintenance than they’re worth. You have to remember to check them periodically, and when they get overwhelmed with spam, you have to kill them and then sign up for a new one.

On Friday, Microsoft’s Hotmail made it much easier to create and maintain spam-catcher accounts with a new feature called aliases. You simply enter a new email address in a special window, and Hotmail will let you send and receive messages from that alias as if it were your main Hotmail account. When you no longer want the alias, you can shut it off and all emails sent to that alias will stop showing up.

Hotmail will let you create up to five aliases per year, and up to fifteen total.

Hotmail already offered another way to create aliases by adding a "+" to the end of your email address — for instance, "mattrosoff@hotmail+spamcatcher.com". But you have to create special rules to sort the "+" addresses, which is a hassle, and it’s too easy for spammers to guess your real email address simply by stripping off the "+" portion at the end.

Microsoft has been steadily adding features to Hotmail over the last two years in hopes of staving off Google’s Gmail. Hotmail is still the most popular service in the world, with more than 300 million users, and Yahoo’s a close second, but Gmail is coming on strong with close to 200 million users.

(BusinessInsider)

Posted in Security

Microsoft says ‘Good riddance’ to USB Autorun

Here’s some good news for anyone who has been struck by auto-running malware from a USB stick in the past.

Microsoft has rolled-out an “important, non-security update” through Windows Update, changing the behaviour of Autorun when you plug a USB stick into your computer.

Not sure what Autorun is? It’s the technology which causes a program to start automatically when you insert a CD or USB stick into your Windows PC. You may have spotted the Autorun.inf files in the root directory of your USB sticks and on CDs in the past.

It may sound like a neat idea, but a lot of malware (The Conficker worm would be perhaps the most infamous example) has exploited the technology to infect computers via USB sticks in the past.

The more recent versions of Windows, like Windows Vista and Windows 7, have made changes to the way that Autorun operates and this has helped fight the spread of Autorun malware. But older versions of Windows, such as Windows XP, were still often at risk.

In fact, in a blog post published yesterday, Microsoft’s Holly Stewart presented statistics which suggested that “Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7.”


Yesterday, Microsoft rolled out an update via its Windows Update infrastructure, to users running versions prior to Windows 7, which effectively prevents Autorun malware from automatically infecting computers without the user’s permission.

Note, however, that this isn’t the death of Autorun entirely. As Microsoft’s Adam Shostack explains on the MSRC blog, Autorun is still available for “shiny media” such as CDs and DVDs.

Hmm. I guess that will be welcome news for any misguided company which tries to emulate Sony’s disastrous scheme from 2005 where music CDs automatically installed a rootkit as part of their DRM copy protection.

All in all, though, Microsoft has done a good thing here. Autorun was never a necessary technology in my point of view, and its exploitation by malware made it a dangerous liability. Locking it in a windowless room, handing it a service revolver and appealing to its sense of decency is probably the best move that we can make.

Posted in Sophos


Patch Tuesday for February 2011 – Adobe and Microsoft

As expected, today Microsoft and Adobe published updates for Windows, Internet Explorer, Windows FTP service, Visio, Flash Player, Shockwave Player, Reader, Acrobat and ColdFusion.

Microsoft published 3 critical and 9 important fixes today. The first noteworthy fix is MS11-003 (CVE-2010-3971), a vulnerability in Internet Explorer’s handling of recursively imported CSS style sheets, disclosed last December, that could allow remote code execution (RCE). Considering the vulnerability has been included in the Metasploit Framework for well over a month and we haven’t seen it active in the wild, SophosLabs has rated it medium.

The second critical fix was for MS11-006 (CVE-2010-3970), a flaw in the graphics rendering engine that could allow RCE when thumbnails of files are viewed in Windows Explorer. While we haven’t seen this successfully exploited in the wild yet, there have been reports that some malware authors have made unsuccessful stabs at it. SophosLabs has provided protection against exploitation as MAL/CVE3970-A and rates this flaw as medium.

The last critical patch is MS11-007 (CVE-2011-0033), which closes a hole that could allow an attacker to create a malicious font and lure a user to view a website using that font to compromise their machine. This bug was privately disclosed, but may be interesting to enterprising criminals. SophosLabs has not seen anyone using this as a method of exploitation, so they have decided to rate it medium as well.

Adobe bulletin APSB11-01 resolves 21 vulnerabilities in Shockwave Player. Adobe has rated this patch as critical and more worryingly all 21 vulnerabilities can lead to code execution. I’ve mentioned this before, but I feel the need to again… Do you really need Shockwave Player on your PC? If not, it’s best to reduce the attack surface of your machines by removing it. If you do require it, you can download the latest version at http://get.adobe.com/shockwave.

Adobe bulletin APSB11-02 fixes 13 vulnerabilities in Flash Player, all of which can lead to code execution. Adobe has rated this patch as critical. Because Flash Player is so widely used and distributed, we recommend updating your Flash Player installations as soon as possible. The latest Flash Player can be downloaded from http://get.adobe.com/flashplayer. Users of Google Chrome should have already received an update patching these vulnerabilities.

Adobe bulletin APSB11-03 addresses 29 vulnerabilities in Adobe’s Reader and Acrobat products. This includes fixes for 23 code execution, 1 elevation of privilege, 3 denial of service and 2 cross-site scripting flaws. Adobe has rated this patch as critical. Similar to Flash, the ubiquity of Adobe’s Reader software requires that you update as soon as possible. Fortunately Adobe Reader includes an auto-update function now. Those of you who need to download it for distribution can get it from http://get.adobe.com/reader.

The last bulletin, APSB11-04, affects Adobe ColdFusion and Adobe has rated it as important. It covers five flaws, two of which are related to cross-site scripting. ColdFusion users can find instructions for applying this hotfix in this technical note.

As always, for SophosLabs analysis of all important vulnerabilities visit our latest vulnerabilities page. Microsoft’s advice on the February 2011 patches can be found on their blog. The Adobe security bulletins can be found on their security page.

Creative Commons image of a Band-Aid courtesy of kevindean’s Flickr photostream. Creative Commons image of Bad Fonts courtesy of twcollins Flickr photostream. Creative Commons image of Adobe product montage courtesy of pcsiteuk’s Flickr photostream.

Posted in Sophos

February 2011 Microsoft Black Tuesday Summary, (Tue, Feb 8th)

Here are the February 2011 Black Tuesday patches. Enjoy!

Overview of the February 2011 Microsoft Patches and their status.

Each entry lists: bulletin and title (with the bulletins it replaces); affected component; CVE(s); KB article (contra indications); known exploits; Microsoft rating with the Exploitability Index per CVE; ISC rating(*) for clients / servers.

MS11-003  Cumulative Security Update for Internet Explorer (replaces MS10-090)
  Affected: Internet Explorer
  CVE: CVE-2010-3971, CVE-2011-0035, CVE-2011-0036, CVE-2011-0038
  KB article: KB 2482017
  Known exploits: ACTIVELY EXPLOITED
  Microsoft rating: Critical (Exploitability: 1,1,1)
  ISC rating: clients PATCH NOW! / servers Critical

MS11-004  Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution
  Affected: IIS
  CVE: CVE-2010-3972
  KB article: KB 2489256
  Known exploits: PoC available
  Microsoft rating: Important (Exploitability: 1)
  ISC rating: clients PATCH NOW! / servers Critical

MS11-005  DoS Vulnerability in Active Directory (replaces MS10-068, MS10-101)
  Affected: Active Directory
  CVE: CVE-2011-0040
  KB article: KB 2478953
  Known exploits: None known
  Microsoft rating: Important (Exploitability: 3)
  ISC rating: clients Important / servers Important

MS11-006  Remote Code Execution Vulnerability in Windows Shell Graphics Processing (replaces MS10-046)
  Affected: Windows Shell
  CVE: CVE-2010-3970
  KB article: KB 2483185
  Known exploits: Exploit available!
  Microsoft rating: Critical (Exploitability: 1)
  ISC rating: clients PATCH NOW! / servers Critical

MS11-007  Remote Code Execution Vulnerability in the OpenType Compact Font Format (CFF) Driver (replaces MS10-091)
  Affected: OpenType Compact Font Format driver
  CVE: CVE-2011-0033
  KB article: KB 2485376
  Known exploits: None known
  Microsoft rating: Critical (Exploitability: 1)
  ISC rating: clients Critical / servers Critical

MS11-008  Remote Code Execution Vulnerabilities in Microsoft Visio (replaces MS10-028, MS10-036)
  Affected: Visio
  CVE: CVE-2011-0092, CVE-2011-0093
  KB article: KB 2451879
  Known exploits: None known
  Microsoft rating: Important (Exploitability: 1,1)
  ISC rating: clients Critical / servers Important

MS11-009  Information Disclosure Vulnerability in JScript and VBScript Scripting Engines (replaces MS10-022)
  Affected: VBScript/JScript
  CVE: CVE-2011-0031
  KB article: KB 2475792
  Known exploits: None known
  Microsoft rating: Important (Exploitability: 3)
  ISC rating: clients Important / servers Important

MS11-010  Privilege Elevation Vulnerability in Windows Client/Server Run-time Subsystem (replaces MS10-011)
  Affected: Client/Server Runtime
  CVE: CVE-2011-0030
  KB article: KB 2476687
  Known exploits: None known
  Microsoft rating: Important (Exploitability: 1)
  ISC rating: clients Important / servers Important

MS11-011  Privilege Elevation Vulnerabilities in Windows Kernel (replaces MS10-021, MS10-047)
  Affected: Windows Kernel
  CVE: CVE-2010-4398, CVE-2011-0045
  KB article: KB 2393802
  Known exploits: None known
  Microsoft rating: Important (Exploitability: 1)
  ISC rating: clients Important / servers Important

MS11-012  Privilege Elevation Vulnerabilities in Windows Kernel-Mode Drivers (replaces MS10-098)
  Affected: Windows Kernel-Mode Drivers
  CVE: CVE-2011-0086, CVE-2011-0087, CVE-2011-0088, CVE-2011-0089, CVE-2011-0090
  KB article: KB 2479628
  Known exploits: None known
  Microsoft rating: Important (Exploitability: 1,1,1,1,1)
  ISC rating: clients Important / servers Important

MS11-013  Privilege Elevation Vulnerabilities in Kerberos (replaces MS10-014)
  Affected: Kerberos
  CVE: CVE-2011-0043, CVE-2011-0091
  KB article: KB 2496930
  Known exploits: Publicly disclosed
  Microsoft rating: Important (Exploitability: 1,1)
  ISC rating: clients Important / servers Important

MS11-014  Privilege Elevation Vulnerability in Local Security Authority Subsystem Service (replaces MS08-002)
  Affected: LSASS
  CVE: CVE-2011-0039
  KB article: KB 2478960
  Known exploits: None known
  Microsoft rating: Important (Exploitability: 1)
  ISC rating: clients Important / servers Important

We will update issues on this page for about a week or so as they evolve.

We appreciate updates

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating

We use 4 levels:

PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
Critical: Anything that needs little to become interesting for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
Important: Things where more testing and other measures can help.
Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.

The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
All patches released by a vendor are important enough to have a close look at if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

– Joel Esler | http://blog.snort.org | http://blog.joelesler.net

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Posted in Security

Anatomy of a Biting Bunny – The Infected Microsoft Catalog Update

Aryeh Goretsky posted a blog about a trojan program in a Microsoft catalog update. I thought it might be a little interesting to know how this can happen and why it doesn’t happen more often.
As it turns out, it was once my job to make sure that Microsoft did not release infected software. Initially my … Read More.

Full story: ESET ThreatBlog

Posted in Antivirus

Microsoft fixes cookie security bug in Windows Azure

Microsoft fixes a security bug in Windows Azure, and offers a new “extra small” cloud computing instance.

Full story: Network World on Security

Posted in Security

Patch Tuesday (Microsoft and Adobe) coming next week


Microsoft

Microsoft has posted advance notification of what we can expect on February Patch Tuesday next week:

There will be 12 security bulletins. Three are considered critical and nine important. They will cover updates and fixes in Windows, Internet Explorer and Microsoft Office.

Adobe

Adobe has posted a security advisory saying it will fix critical vulnerabilities on Tuesday with updates for:
– Adobe Reader X (10.0) (Windows and Macintosh),
– Adobe Reader 9.4.1 and earlier (Windows, Macintosh and UNIX),
– Adobe Acrobat X (10.0) (Windows and Macintosh), and
– Adobe Acrobat 9.4.1 and earlier (Windows and Macintosh).

An update for UNIX versions will be available by the week of February 28, Adobe said.

Tom Kelchner

Full story: GFI Labs blog

Posted in Antivirus

Advice for SMBs – Whitelisting for Microsoft users

IT management used to be simple: you bought a server, installed the application and used it happily, and issues were simple too, like hardware failures or some bug in the application. Now, to keep things running you need to do various activities that require knowledge, special skills and effort, and a typical SMB will find these [...]

Full story: KaffeNews

Posted in Security

Microsoft Patchday ahead, Google secures Chrome

The Redmond company today announced that it plans to release 12 security bulletins on the upcoming Patch Tuesday. The corresponding updates close 22 security holes in the Windows operating systems, Internet Explorer and Microsoft Office. Of those, 3 bulletins cover vulnerabilities rated critical and the rest are rated important. Be prepared to test and roll out the updates as soon as possible! 5 of the bulletins deal with vulnerabilities which allow attackers to remotely execute code on affected computers.

According to a blog post in Microsoft’s Security Response Center, the February Patchday updates will fix the MHTML processing vulnerability as well as the thumbnail rendering security hole.

Version 9.0.597.84 of the Google Chrome browser is also available; it fixes 9 security vulnerabilities, one rated critical, 2 rated high and the remaining 6 rated ‘low’ by the Google developers. As usual, the update is installed automatically in the background. To be sure the latest version is already installed and active, open the Chrome menu and check the ‘About Chrome’ entry; if the update hasn’t been installed yet, doing so will trigger it.

Dirk Knop
Technical Editor

Full story: Avira – TechBlog

Posted in Antivirus


Microsoft to Issue a Dozen Updates Next Week to Windows, Visio

Next Tuesday, February 8, 2011, Microsoft will release 12 security bulletins and software updates to fix the 22 vulnerabilities described in the bulletins. 3 of the updates have a maximum rating of critical. 11 of the updates, including all 3 critical updates, are for Microsoft Windows, and the 12th is for Visio.

Two of the updates will be for publicly-disclosed bugs: a remote code execution bug in the Windows Graphics engine and a bug in Internet Explorer for which exploit code was released. A vulnerability in the FTP service in IIS 7.0 and 7.5 will also be addressed.

A large number of updates labeled “non-security” will also be released on Patch Tuesday. They are listed as reliability updates and to “resolve issues”, whatever that means. Also included are the usual new version of the Malicious Software Removal Tool and the Windows Mail Junk Filter.



Full story: Security Watch

Posted in Security

Microsoft Security Advisory (2501696)

There is a new vulnerability that affects all supported versions of Windows and some unsupported versions. For you techies the “Vulnerability in MHTML Could Allow Information Disclosure” advisory is at https://www.microsoft.com/technet/security/advisory/2501696.mspx. If you are not a techie you might want to take a look and see how much you can understand. By reading the security … Read More.

Full story: ESET ThreatBlog

Posted in Antivirus
