Computer Security Articles

Yesterday, five weeks after shipping Firefox 4, the Mozilla project published the new browser’s first-ever security update. The Firefox version number bumps up to 4.0.1.

The update fixes 50-odd bugs in total, amusingly including three fixes listed as specific to OS/2. Ironically, the latest official release of the OS/2 port of Firefox, dubbed Warpzilla, hasn’t yet reached version 4 – it’s still back at version 3.6.8.

The release notes for Firefox 4.0.1 are hard to find from the main Mozilla.com page. (Browsing to Firefox.com doesn’t help, as this just redirects to the Mozilla page.) But if you know where to look, you’ll find that two critical security advisories are fixed in the 4.0.1 release.

MFSA2011-12 deals with memory corruption bugs in the browser engine itself; Mozilla experts officially opined that “with enough effort at least some of these could be exploited to run arbitrary code”. MFSA2011-17 deals with “two crashes that could potentially be exploited to run malicious code” in a graphics library called WebGLES, used by Firefox.

Because the 4.0.1 update addresses vulnerabilities that are considered remotely exploitable, we advise you to apply this update without delay.

The previous version, Firefox 3.6, also gets an update, moving to 3.6.17. This update also squashes some critical bugs, including the MFSA2011-12 memory corruption vulnerability affecting Firefox 4.

Two other critical vulnerabilities which don’t affect version 4 are fixed.

MFSA2011-13 deals with various “dangling pointer” bugs (a dangling pointer is a programming mistake in which a memory reference remains in use after the memory it points to has been returned to the operating system for re-use). MFSA2011-15 deals with a privilege escalation bug in the Java Embedding Plugin.

The MFSA2011-15 vulnerability is specific to the Mac OS X version of Firefox. Apple users who imagine themselves invulnerable simply by virtue of their choice of operating system, please take note!

There’s an update to Mozilla’s Thunderbird email client as well. Thunderbird moves to version 3.1.10.

Somewhat confusingly, the Thunderbird release notes don’t list any critical vulnerabilities fixed in this version, but the MFSA2011-12 advisory specifically states that the bugs it covers are “fixed in Thunderbird 3.0.10″.

If you’re a Thunderbird user, we advise you, too, to update as soon as you can.

The WordPress team just released a new version of WordPress (3.1.2) to fix a security issue where contributor-level users were allowed to publish posts. It is a small release, and everyone using WordPress should upgrade to it!

From the WordPress site:

WordPress 3.1.2 is now available and is a security release for all previous WordPress versions.
 
This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts.
 
The issue was discovered by a member of our security team, WordPress developer Andrew Nacin, with Benjamin Balter.
 
We suggest you update to 3.1.2 promptly, especially if you allow users to register as contributors or if you have untrusted users. This release also fixes a few bugs that missed the boat for version 3.1.1.
 
Download 3.1.2 or update automatically from the Dashboard ? Updates menu in your site’s admin area.

So do what they say and upgrade it asap! Download link: http://wordpress.org/download/.

Users of Sony’s PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

* Name
* Address (city, state, zip code)
* Country
* Email address
* Date of birth
* PlayStation Network/Qriocity password and login
* Handle/PSN online ID

In addition, Sony warns that profile information – such as your history of past purchases and billing address, as well as the “secret answers” you may have given Sony for password security may also have been obtained.

As if that wasn’t bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.

So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts – and potentially cause a bigger problem for you.

So you should always use unique passwords.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Oh, and you better be sure that you have changed your “secret answers” too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn’t be difficult for the cybercriminals to create an email which pretended to be a legitimate organisation (perhaps Sony themselves?) to steal more information or carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account – if you notice that money is missing, you’ll have to go through the rigmarole of claiming the money back from your credit card company.

This security breach is not just a public relations disaster for Sony, it’s a very real danger for its many users.

If you’re a user of Sony’s PlayStation Network now isn’t the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account becomes a casualty following this hack.

That means, changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply telling your bank that as far as you’re concerned the card is now compromised.

More information can be found in Sony’s blog post.

The Sony PlayStation Network, used by millions of online videogame players around the world, has been offline since Wednesday 20th April.

You can still play games offline, but if you want to connect your PlayStation to play online games, stream movies, or go shopping you’re out of luck.

According to Sony, who have been updating their blog with developments regarding the outage, the company decided to bring the network down after an “external intrusion”.

The company clearly isn’t planning to bring the network back until it is confident that its infrastructure is secure – and although inconvenienced, game players should be grateful that Sony appears to want to make sure it’s done the job properly and that any vulnerabilities are fixed.

Precisely how much longer those game players will have to wait, and whether their trigger-happy fingers and patience will be able to bear it, remains to be seen.

Patrick Seybold, Sony’s Senior Director of Corporate Communications, says:

"Our efforts to resolve this matter involve re-building our system to further strengthen our network infrastructure. Though this task is time-consuming, we decided it was worth the time necessary to provide the system with additional security.."

“Unfortunately, I don’t have an update or timeframe to share at this point in time. As we previously noted, this is a time intensive process and we’re working to get them back online quickly.”

Although Sony is doing a good job on its blog of reassuring players that they are working on securing and bringing back the network, they do not seem to have addressed the issue of whether any personal information (such as credit card details) might have been compromised by whoever attacked the PlayStation network.

The spectre of data loss is a worrying one - let's hope that nothing so sensitive has been lost, and that Sony will be able to share good news that may reassure its customers soon.

A little earlier as announced, Adobe released updated versions of Adobe Acrobat and Reader. These programs were vulnerable to the Flash Player zero-day-vulnerability as well, which was fixed last week already. As the vulnerability is rated critical, users of Acrobat and Reader should download and install the updates as soon as possible.

The updated version for Adobe Reader is available in the Download Center. For Acrobat, the new releases are linked in the refreshed security advisory.

Dirk Knop
Technical Editor
techblog.avira.com

Just a short notice on the now available Adobe Flash Player Update: Version 10.2.159.1 has been released which fixes the critical security vulnerability which allow attackers to infect computers with malware – just with luring victims onto hacked websites, for example. The update is available for Windows, Mac, Linux and Solaris in Adobe’s Download Center. Users and administrators should install the new version immediatly!

Dirk Knop
Technical Editor
techblog.avira.com

About a month ago, we blogged about an Adobe Flash Player vulnerability (CVE-2011-0609) that was actively exploited in the wild. That exploit was hidden inside a Microsoft Excel document. Over the weekend, a new Adobe Flash Player 0-day (CVE-2011-0611) was reported by Adobe in a recent advisory (APSA11-02).

It all started with spam emails enticing users to open its attachment, typically a Microsoft Word document (or a zip file of a Microsoft Word document), which contained the malicious Flash exploit inside.  Most of the files we have captured with our signature are named:

• Fukushima .doc
• evaluation about Fukushima Nuclear Accident.zip
• 首場政見會後最新民調略升-蔡英文粉絲團~聲援 .doc
• 日志分析.doc

Inside the .doc file a malformed Adobe Flash file is embedded. Once a user opens the document, Flash Player will load the malicious file and exploitation will occur. Unlike the previous vulnerability, a bug in the ActionScript Virtual Machine version 1 is now used in the exploitation process. Another difference is that this is not a result of fuzzing clean files. We won’t disclose any detail on what triggers the vulnerability, for security reasons, obviously.

In order to exploit this vulnerability the attackers packaged the AVM1 code inside an AVM2 based Flash file. The latter is embedded inside the Word document and assigned with setting up the exploitation environment.

Initially the AVM2 code constructs a heap-spray buffer made of a NOP-sled (image below):

Image 1 – NOP-sled

The AVM2 code constructs a Win32 shellcode(constructed in highlighted  ByteArray  “s”):

 
Image 2 – shellcode

It then loads the attack code inside the Flash Player. The AVM1 code that triggers this vulnerability is loaded as a separate SWF file, converted from a hex-encoded embedded string and executed as in the screen dump below:

Image 3 – CVE-2011-0611 attack code

Shellcode details

The shellcode is injected starting at address 0×11111111 and is a fairly standard one.

Its task is to launch the payload while trying to hide the signs of an infection. It does that by dropping a clean Word document which will replace the original, malicious one.

Let’s see, in detail, what the shellcode does once it gets executed:

• Resolves needed APIS’s :
  • LoadLibraryA
  • GetFileSize
  • GetTempPathA
  • TerminateProcess
  • CreateFileA
  • WideCharToMultiByte
  • SetFilePointer
  • ReadFile
  • WriteFile
  • WinExec
  • CloseHandle
  • GetCommandlineA
  • GetModuleFileNameA
  • CreateFileMappingA
  • MapViewOfFile
  • GetLogicalDriveStringsA
  • QueryDosDeviceA
  • ZwQueryVirtualMemory
• Brute-forces its way to the Word document’s file handle by knowing that
  • File size must be > 0×7000
  • It must contain the marker 0×7010 at offset 0×7000
• Retrieves the file path of the Word document file using ZwQueryVirtualMemory and GetLogicalDriveStringsA
• Decrypts a binary from the document, dumps it as %temp%\scvhost.exe (SHA1 adbf24228f0544a90979a9816569e8c7415efbac – detected as Backdoor:Win32/Poison.M) and finally executes it.

Image 4 – Win32 Shellcode fragment

• Decrypts an embedded doc file and saves it as ‘%temp%\AAAA’. This file is the clean Word document we mentioned earlier.
• The freshly dumped doc file is then used to overwrite the initial Word document.
• The new document is launched to hide symptoms of infection.
• Using the utility “taskkill.exe”, it terminates all processes with the name ‘hwp.exe’.

The current WinWord (Microsoft Word) instance is terminated.

We currently detect the malicious Word document and the embedded attack Adobe Flash file as Exploit:SWF/CVE-2011-0611.A. We urge you to read the advisory from Adobe for mitigation details about this vulnerability.As always, we advise you not to open emails from untrusted sources or emails that seem suspicious to you, even if they apparently come from people you know.

Marian Radu, Daniel Radu & Jaime Wong
MMPC

PS: We’d like to thank our colleague Bruce Dang for his contribution to this blog post.

Today Adobe announced a new 0-day vulnerability (CVE-2011-0611) in Adobe Flash Player and Adobe Acrobat that, similar to the previous 0-day from less than a month ago, was found embedded in a Microsoft Office file. The vulnerability allows an attacker to execute malicious code on a computer and has been spotted in limited targeted attacks. Websense customers are protected against the known samples that use this vulnerability.

Adobe says in their security advisory that Adobe Acrobat Reader X and its new Sandbox feature prevent the attack from exploiting the system when using PDF files. However, since the vulnerability exists in Flash, a machine can be exploited in other formats and applications that support flash, such as Web pages and Office documents.

The vulnerability has only been seen used in very limited targeted attacks. Here is a VirusTotal report (1/43) of one reported attack file.

Adobe hasn't announced when they will release a patched version of Adobe Flash and Adobe Reader/Acrobat but they did say that they won't fix this until June 14 in Adobe Reader X, as the Sandbox feature prevents the attack.

Adobe released a security advisory in which it warns from a zero-day vulnerability within current version of Adobe Flash Player, Reader and Acrobat. Affected are Flash Player 10.2.153.1 and earlier versions for Windows, Mac, Linux and Solaris, the current version integrated in the Chrome web browser, and 10.2.156.12 and earlier versions for Android. The authplay.dll component of current and older version of Adobe Acrobat and Reader are also affected; according to Adobe, the sandbox of Acrobat Reader X prevents from execution of malicious payloads though.

The vulnerability allows attackers to inject malicious code with manipulated documents. Currently targeted attacks are reported by Adobe which use a Word document with a specially prepared Flash Player file (.swf) embedded to infect victims.

The company currently is finalizing a schedule for updated software versions. Until those updates are available, users should take care of which documents they open. Suspicious are documents which are sent without expecting them.

Dirk Knop
Technical Editor

We recently encountered a malware posing as a legitimate font file. Detected as WORM_OTORUN.ASH, the worm is a .DLL file that uses .FON as extension name. To propagate, it drops copies of itself into shared folders in the infected system. While these routines are not entirely new, the occurrence of both instances in a single malware fits the exploit scenario described in the Microsoft OpenType Font Driver Vulnerability (MS10-091).

However, after further analysis, we found that the malware does not contain any exploit code for MS10-091. Instead, it exploits the Windows LNK vulnerability (MS10-046) using shortcut files as its autostart component. Let’s not forget that that particular vulnerability works on any .DLL file. In this case, even though WORM_OTORUN.ASH is disguised as a font file, it still functions as a .DLL file.

WORM_OTORUN.ASH creates two types of .LNK files—shortcut files that point to files saved in local folders (LNK_OTORUN.SM) and shortcut files that point to files saved in shared folders (EXPL_CPLNK.SM). The dropped .LNK files bear enticing file names such as myporno.avi.lnk and pornmovs.lnk to trick users into clicking them.

Successful exploits for MS10-091 and MS10-046 both result in remote code execution so users are strongly advised to patch their systems if they haven’t yet.

Trend Micro product users are protected from this threat through security solutions powered by the Trend Micro™ Smart Protection Network™, which detects and blocks all related malware and malicious URLs. Enterprise users are also protected from possible exploits via Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in.

Additional analysis provided by Alden Baleva and Kathleen Notario

Post from: TrendLabs | Malware Blog – by Trend Micro

Worm Poses as a Font File, Uses LNK Vulnerability to Propagate

On March 14, Adobe released a security advisory (APSA11-01) warning of 0-day attacks affecting Adobe Flash Player (versions earlier than and including 10.2.152.33). These attacks were hidden inside Microsoft Excel documents that were used as a vehicle to deliver the exploit.

The Adobe Flash file embedded inside the Excel file is another carrier for the exploit. It loads shellcode inside memory, performs heap-spraying, and loads a Flash byte stream from memory to exploit the 0-day vulnerability, which is tracked as CVE-2011-0609.

We spent some time analyzing this new 0-day vulnerability. As with previous Flash Player vulnerabilities, this one abuses the bytecode verifier inside Adobe Flash Player. Adobe Flash files can contain ActionScript bytecode for AVM (ActionScript Virtual Machine). For this vulnerability, we’re talking specifically about ActionScript3 and AVM version 2. Ideally, the bytecode should be verified on a per-method basis, before and during the method’s execution inside the just-in-time virtual machine. But in some cases, the verification logic fails. 

In the case of this vulnerability, the verifier failed to recognize a stack inconsistency after a series of operations and control flows. AVM security seems to be mainly dependent on the bytecode verifier and if it fails, the bytecode execution can be abused by the attackers.

We suspect this vulnerability was found using fuzzing technology from clean Flash files, because we found a file on the Internet that looks like it might have been used for the fuzzing. Through differential analysis between the original clean file and the exploit file, we could confirm the vulnerability. 

We found that some of the old Flash Player versions were immune to these specific attack files, but, as the Adobe security advisory implies, it doesn’t necessarily mean that old players don’t have the vulnerability.

Details of the exploitation process.

To reliably exploit the vulnerability, heap-spraying is performed through AVM2. NOP-sleds are sprayed onto memory (image below) along with a Win32 shellcode. 

Figure 1: Heap-spraying technique is used.

After the heap-spraying process, the actual attack code is loaded inside the Flash Player. The SWF file that triggers the vulnerability is converted from a hex-encoded embedded string object and executed as shown in the screen dump below:

Figure 2: A second flash file is loaded into memory.

The loaded SWF file contains a specially-crafted method that will cause the access of theoretically uninitialized memory. We say theoretically because in practice the said memory was initialized by the heap spray code, which enables the attacker to gain control of the execution.

We advise you that, for the time being, you don’t click any suspicious Excel files or hyperlinks. We’ve only seen this attack delivered through Excel files, but there is no reason why this attack cannot also be achieved through bare Flash files. The good news is that our protection products, like Microsoft Security Essentials, detect these files already with multiple signatures:

• 3a3b6d656e3c36e868097dabb4beedafba554eab, the “carrier” Excel file, is detected as Trojan:Win32/Malfws.A 
• 28311cdf8a6ef46b799152d529e3a8d3cf4d1560, another “carrier” Excel file, is detected as Trojan:Win32/Malfws.B 
• fc83b9d55e3e8bdaeb93ac1b75d2617df668c947, the Flash file embedded in the Excel file, is detected as Exploit:Win32/ShellCode.H and/or Exploit:Win32/ShellCode.G 
• 7ec815f076bd6820e2d47a865a3372a74aee5cf0, the Flash file that exploits the vulnerability, is detected as Exploit:SWF/CVE-2011-0609 
• aafe62d6996551891c3ff8e84443d53d605a251c, the main payload, is detected as Backdoor:Win32/Poison.M

Another way to protect Adobe Flash Player from this issue is to use the Enhanced Mitigation Experience Toolkit (EMET). The Microsoft Security Research and Defense blog released a good post today that talks about EMET and other defenses. 

Jeong Wook Oh & Marian Radu

If you perform internal vulnerability scans, be sure that the scanning tool is configured to authenticate to the systems it is examining. Without this crucial step, your visibility into the systems’ security posture is drastically diminished. Here are a few considerations for defining the scanner’s login credentials.

Unauthenticated Vulnerability Scans

An internal vulnerability scanner can usually gather only basic details about the system without authenticating to it. They include:

• The operating system and, in some cases, its version
• Network ports open on the system
• Services listening on the ports, if these details are available without authentication using techniques such as banner-grabbing
• Data “leaked” by the services, such as the listing of open shares and users of Windows hosts that support null-user connections

This information is useful for maintaining an inventory of hosts and services, and can help spot anomalies, such as new systems or services that might introduce risks into the environment. The scanning tool may be able to use these details to identify some vulnerabilities, such as missing security patches and configuration weaknesses; however, the accuracy and thoroughness of this data will be much lower than if the scanner authenticated to the system.

Authenticated Vulnerability Scans

If you provide the scanning tool with valid login credentials, it should be able to authenticate to the scanned systems and obtain detailed information about installed applications, including configuration issues and missing security patches. As the result, authenticated scans findings are more comprehensive and have fewer false positives than anonymous scans.

The manner in which an authenticated scanner collects data differs across operating systems and scanning tools:

• The scanner might use SSH to interactively login to a Linux host to run shell-level commands that would enumerate installed packages and gather other relevant data.
• The scanner examining a Windows host will usually authenticate remotely using Windows domain or local credentials to obtain patch and configuration data from the registry and the file system.
• SNMP can be used to authenticate to network devices, if necessary.
• Scanning tools are also usually able to authenticate to databases, which might use a protocol such as SQL*Net.

For instructions necessary to configure authenticated scans consult your tool’s documentation. Representative details are available from:

• QualysGuard: Getting Started with Trusted Scanning
• Nessus Credential Checks for Unix and Windows (PDF)

Caution With Authenticated Vulnerability Scans

Most scanning tools ask you to supply root/administrator credentials for authenticated scans. This presents an element of risk. A few words of caution when configuring your scanner with login credentials for authenticated scans:

• Create an account dedicated to authenticated scanning, rather than using user accounts used for other purposes.
• Consult the tool’s documentation to see if it’s possible to define more granular account privileges, rather than granting it full administrator rights.
• Avoid authenticating using clear-text protocols, such as telnet.
• Consider man-on-the middle attacks that might expose the scanner’s login credentials. For instance, an attacker might set up an internal SSH server to which the scanner will authenticate and give up the username and password. Using key-based authentication for SSH usually mitigates this risk.
• Keep an eye on the account’s activities to make sure it’s not misused.
• Confirm that scans authenticate to all the hosts you expect the scanner to be able to login to. Don’t assume this works without validating this.

Steve Shead’s article Protecting Scanning Credentials from Malicious Insiders offers additional tips for dealing with the risks of authenticated scans.

— Lenny Zeltser

This time a new security vulnerability has been found and already fixed with an updated version within the alternative PDF reader from Foxit.With providing manipulated PDF files for example via email or web sites, users of outdated versions Foxit PDF Reader can get their PC infected with a Trojan, for example.

The updated version is available via the company’s web site or via the integrated update mechanism – go to the “help” menu and click on “Check for updates”, there choose the new version, click “Add” and then “Install”.

Dirk Knop
Technical Editor

Technical Description

A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers or malicious users to cause a denial of service or take complete control of a vulnerable system. This issue is caused by a heap overflow error in the “BowserWriteErrorLogEntry()” function within the Windows NT SMB Minirdr “mrxsmb.sys” driver when processing malformed Browser Election requests, which could be exploited by remote unauthenticated attackers or local unprivileged users to crash an affected system or potentially execute arbitrary code with elevated privileges.

Affected Products

Microsoft Windows XP Service Pack 3

Microsoft Windows XP Professional x64 Edition Service Pack 2

Microsoft Windows Server 2003 Service Pack 2

Microsoft Windows Server 2003 x64 Edition Service Pack 2

Microsoft Windows Server 2003 SP2 (Itanium)

Microsoft Windows Vista Service Pack 1

Microsoft Windows Vista Service Pack 2

Microsoft Windows Vista x64 Edition Service Pack 1

Microsoft Windows Vista x64 Edition Service Pack 2

Microsoft Windows Server 2008 (32-bit)

Microsoft Windows Server 2008 (32-bit) Service Pack 2

Microsoft Windows Server 2008 (64x)

Microsoft Windows Server 2008 (64x) Service Pack 2

Microsoft Windows Server 2008 (Itanium)

Microsoft Windows Server 2008 (Itanium) Service Pack 2

Microsoft Windows 7 (32-bit)

Microsoft Windows 7 (64x)

Microsoft Windows Server 2008 R2 (64x)

Microsoft Windows Server 2008 R2 (Itanium)

Workaround Solution

Block or filter UDP and TCP ports 137, 138, 139 and 445.

References

http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx

http://seclists.org/fulldisclosure/2011/Feb/285

Common web applications include webmail, online retail sales, online auctions, social networks, wikis as well as many other functions.

I recently…

Internet Software Consortium published today an advisory for the BIND software. For versions 9.7.1-9.7.2-P3, when a server that is authoritative for a domain (i.e. owns the SOA record) process a successful domain transfer operation (IXFR) or a dynamic update, there is a small window of time where this processing combined with a high amount of queries can cause a deadlock, which makes the DNS server stop processing further requests.

Bind is one of the preferred targets for attackers on the Internet. If you have bind installed in your company, please remember the following basic security measures:

Only allow IXFR transfers from known secondary servers of your domain. You don’t want to let people know all the list of public ip address associated with your domain
Keep separated your internal DNS information from your external DNS information. Some DNS provides information about private addresses used inside the corporate network.
Allow recursive requests only from your internal DNS. If you allow recursive requests from the Internet, you are exposed to a distributed denial of service.

To solve the problem, upgrade to BIND 9.7.3. More information athttp://www.isc.org/software/bind/advisories/cve-2011-0414

– Manuel Humberto Santander Pelez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Multiple security vulnerabilities have been found within the current Java runtime environments, both for client computers and for servers. These allow attackers to infect computers for example with a Trojan just by luring victims into visiting manipulated websites. Oracle now released updated software which users and administrators should install as soon as possible! Security holes in outdated Java versions get exploited very often on the Internet, thus updating minimizes the attack surface for cyber criminals.

In Windows operating systems – currently verified are Windows XP SP3 and Windows Server 2003 SP2 – a new security vulnerability has been found. It allows to take over a Windows PC which has network shares enabled. A patch has not been released yet. Especially in public places the firewall should be configured to block the TCP and UDP ports 138, 139 and 445, respectively, or Windows file sharing should be disabled until a patch is available.

Dirk Knop
Technical Editor

A new vulnerability has been discovered exploiting SMBcomponent of Windows. The attack involves sending of malformed Browser Election requests leading the heap overflow within the mrxsmb.dll driver.The vulnerability is known to be able to cause DoSand fully control of vulnerable machines. Proof of concept code for DoShad been released. There are reports that this exploit only work on local network segment (this hasn’t been verified).
The general practice of block port 138, 139 and 445 should be observed especially with this 0-day.
More information on this exploit
http://www.vupen.com/english/advisories/2011/0394

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

If generating a legacy certificate using the -t option, a vulnerability could be exploited by attackers to gain knowledge of sensitive information. If legacy certificates have been issued using OpenSSH version 5.6/5.7, consider rotating any CA key used. OpenSSH recommend upgrading to version 5.8 available here or apply this patch.

[1] http://www.openssh.com/txt/legacy-cert.adv
———–
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft recently released a security advisory for a certain vulnerability that affects all supported Microsoft Windows systems. The vulnerability specifically involves Internet Explorer and its impact is described to be similar to those of server-side cross-site scripting (XSS) vulnerabilities.

According to the security advisory, the bug is related to how MIME Encapsulation of Aggregate HTML (MHTML) interprets MIME-formatted requests. MHTML is basically the file format used to save entire Web pages, which includes actual page content, format, and others such as images and animations. Although no active attacks leveraging the said vulnerability has been found, the availability of the proof of concept (POC) to the public increases the chances that it will be maliciously used.

In a typical attack scenario, an attacker may convince a user through social engineering techniques to click a specially crafted link that injects a malicious script into the user’s instance of Internet Explorer. This then enables the attacker to execute certain routines such as altering content on the currently displayed site, to collect user information, or to even take action in the displayed site without the consent of the affected user.

The continued exploitation of vulnerabilities in OSs is just one of the Trend Micro threat predictions this year. 2011 is set to bring about growth in exploits for alternative OSs, programs, and Web browsers, combined with tremendous growth in the exploitation of application vulnerabilities.

Microsoft provided workarounds that users may implement while waiting for the patch to be released. Trend Micro, on the other hand, protects users from exploits that may arise through Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in.

Post from: TrendLabs | Malware Blog – by Trend Micro

Vulnerability in MHTML Found

In all currently supported Windows operating systems a security vulnerability in the so-called MHTML handler can lead to information disclosure; speculations in the media indicate possibly even worse things. The cyber criminals just need a manipulated link to trigger the flaw, for example within an email or with a web page. Microsoft released a security advisory about the issue and announces an update to fix the vulnerability.

To secure the own computer, the company also provides a Fix-it tool as workaround which disables the MHTML handler. This will render attacks useless. Thus it is advised to apply the workaround by downloading and executing the Fix-it tool as soon as possible.

Dirk Knop
Technical Editor

Full story: Avira – TechBlog

The VLC developers are really fast! Only two days after a new security vulnerability in the .mkv processing routines became public, a fixed version of the player is available for download. VLC 1.1.7 has the .mkv issue fixed. VLC users should download and install the update immediately!

Dirk Knop
Technical Editor

Full story: Avira – TechBlog

Just a few days after the VLC developers fixed a vulnerability in the popular VLC video player, a new critical security vulnerability in the processing of .mkv files became public. By opening specially crafted .mkv files, the computer can be infected with a Trojan, for example. The files don’t need the .mkv extension necessarily as VLC tries to find the appropriate demultiplexing routines automatically.

A fix is already available in the source code repositories – but a new installation version which isn’t affected by the flaw is not yet ready. Until then, don’t open files from untrusted sources with VLC!

Dirk Knop
Technical Editor

Full story: Avira – TechBlog