Newsletter Archives
-
A new Fixit for another Internet Explorer 0day
If you’re still using Internet Explorer 6 or 7, and haven’t upgraded to IE 8 or started using a better browser, you need to run over to Microsoft’s Security Advisory 981374 and apply the “Fixit” patch.
According to SANS Internet Storm Center, Microsoft posted the Fixit a few hours ago.
The Fixit disables something called the “peer factory” class, which lives in iepeers.dll, in IE6 and IE7. Apparently there’s working zero-day code running around that takes advantage of the security hole to install “backdoors” – programs that take over your computer, without your knowledge or consent. Bear in mind that the Fixit is a workaround, not a patch: it shuts the door the exploit uses, so keep watching for the real fix and plan your move to IE 8 (or another browser) regardless.
-
New hole in Windows discovered 17 years after it appeared
Man, this has been one helluva week for 0day exploits.
Tavis Ormandy at Google reports that there’s a hole in the way Windows NT and later handle 16-bit applications: the kernel support for the Virtual DOS Machine (NTVDM) can be abused by a user who is already logged on to run code at kernel privilege. It’s an elevation-of-privilege hole, not a remote one, so an attacker needs an account on the machine first; on shared or domain-joined machines that’s often not much of a hurdle.
All 32-bit x86 versions of Windows NT released since 27-Jul-1993 are believed to be affected, including but not limited to… Windows 2000, XP, Server 2003, Vista, Server 2008 and Windows 7.
Tavis goes on to say:
Microsoft was informed about this vulnerability on 12-Jun-2009, and they confirmed receipt of my report on 22-Jun-2009. Regrettably, no official patch is currently available. As an effective and easy to deploy workaround is available, I have concluded that it is in the best interest of users to go ahead with the publication of this document without an official patch. It should be noted that very few users rely on NT security, the primary audience of this advisory is expected to be domain administrators and security professionals.
Seven months without a resolution, and he’s gone public. Hard to blame him.
Yesterday, Microsoft released Security Advisory 979682, acknowledging the hole.
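The workaround Tavis refers to is switching off the 16-bit subsystem. Here is an added PowerShell example (mine, not from the original post or from Microsoft’s advisory) that reports whether a machine is exposed and, if you want, applies the “Prevent access to 16-bit applications” policy. It assumes that policy writes the VDMDisallowed value under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat; check that against Security Advisory 979682 for your Windows version before deploying it, and run it from an elevated prompt.

```powershell
# Added example, not from the original post or Microsoft's advisory: audit and
# optionally apply the "Prevent access to 16-bit applications" policy, which
# disables the NTVDM subsystem the 979682 hole lives in. Policy key and value
# name are the ones that Group Policy setting writes (assumption: verify them
# against the advisory for your Windows version). Run from an elevated prompt.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$PolicyValue = 'VDMDisallowed'

function Get-VdmPolicyState {
    # Only 32-bit x86 Windows ships the 16-bit subsystem; x64 editions are not
    # affected, so they are reported as not exposed whatever the policy says.
    $is64Bit = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -ne $null)

    $current = $null
    if (Test-Path $PolicyKey) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    }

    New-Object PSObject -Property @{
        Is64BitOS     = $is64Bit
        VdmDisallowed = ($current -eq 1)
        Exposed       = (-not $is64Bit) -and ($current -ne 1)
    }
}

function Set-VdmDisallowed {
    # Writes the policy value (1 = block 16-bit apps); -Revert sets it back to 0.
    param([switch]$Revert)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $flag = if ($Revert) { 0 } else { 1 }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value $flag -Type DWord
    Get-VdmPolicyState   # read back so the caller sees the state that is actually in the registry
}

$state = Get-VdmPolicyState
$state | Format-List Is64BitOS, VdmDisallowed, Exposed
if ($state.Exposed) {
    Write-Warning '32-bit Windows with NTVDM enabled. Run Set-VdmDisallowed to apply the workaround, then test your 16-bit apps.'
}
```

Two caveats before you push this out by Group Policy: it breaks every 16-bit and MS-DOS program on the box, and it only affects processes started after the change, so anything already running inside ntvdm.exe keeps running. Test your legacy applications first and keep Set-VdmDisallowed -Revert handy.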
-
0day reported in Internet Explorer 6 and 7
Of course you use Firefox (or Chrome or Opera), so this shouldn’t concern you too much. But if you use the older versions of Internet Explorer, you should get with the system and start using a different browser.
Symantec reports that they’ve confirmed a 0day attack vector for IE 6 and IE 7, which was posted earlier on BugTraq.
The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future… The exploit targets a vulnerability in the way Internet Explorer uses cascading style sheet (CSS) information… the attack requires JavaScript to exploit Internet Explorer.
The moral of the story? Get Firefox.
UPDATE: Microsoft has acknowledged the security hole in Security Advisory 977981. The bottom line: get Firefox.
-
Your biggest vulnerabilities aren’t what you think
SANS Institute just released a security vulnerability analysis covering real infections and vulnerabilities on 9,000,000 real computers at big companies. Interesting reading, with some surprising conclusions.
According to SANS:
Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access… Because the visitors feel safe downloading documents from the trusted sites, they are easily fooled into opening documents and music and video that exploit client-side vulnerabilities… In many cases, the ultimate goal of the attacker is to steal data from the target organizations and also to install back doors through which the attackers can return for further exploitation.
Other than Conficker/Downadup, no new major worms for OSs were seen in the wild during the reporting period. Even so, the number of attacks against buffer overflow vulnerabilities in Windows tripled from May-June to July-August and constituted over 90% of attacks seen against the Windows operating system.
World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities, as measured by multiple independent teams discovering the same vulnerabilities at different times. Some vulnerabilities have remained unpatched for as long as two years. There is a corresponding shortage of highly skilled vulnerability researchers working for government and software vendors. So long as that shortage exists, the defenders will be at a significant disadvantage in protecting their systems against zero-day attacks.
Bottom line: stay cautious. Realize that even big-name Web sites can have infected files (as Graham Cluley explains, even the New York Times site was hit recently). For heaven’s sake, don’t install or run programs that you don’t know. Keep your whole system patched, using a tool like Secunia Personal Software Inspector. And stay away from ActiveX controls, the biggest source of buffer overflow vulnerabilities – which, in my opinion, means, you should be running Firefox (or Chrome or Opera or anything but Internet Explorer).
-
Two more IE patches released: stick with Firefox, please
As I anticipated a few days ago, Microsoft has just released two out-of-band patches and one security advisory for Internet Explorer.
If you are running the Windows 7 Release Candidate, you’re vulnerable, but the Windows 7 RTM version is clean.
SANS Storm Center has full details.
This is another screwed up patch-of-a-patch that didn’t work, only this time there are hundreds – probably thousands – of third-party programs that are affected. Brian Krebs in the Washington Post steps you through the Keystone Kops aspects.
In spite of what Brian says – and, yes, you should apply the security patches one of these days – you’re safe if you stick with Firefox. Just don’t do anything weird online, like allowing a web page to install a program, OK?
We remain at MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
The guys at the Black Hat Conference in Vegas this week are going to have a field day.
-
New 0day in DirectShow
Microsoft has just released information about a newly discovered 0day vulnerability in DirectShow. The bad guys can use it to create a drive-by web page that can take over your system, simply by surfing to the page.
Security Advisory 971778 says:
Microsoft is investigating new public reports of a new vulnerability in Microsoft DirectX. The vulnerability could allow remote code execution if a user opened a specially crafted QuickTime media file.
The MS Security Research & Defense site goes on to say:
The vulnerability is in the DirectShow platform (quartz.dll). While the vulnerability is NOT in IE or other browsers, a browse-and-get-owned attack vector does exist here via the media playback plug-ins of browsers. The attacker could construct a malicious webpage which uses the media playback plug-ins to play back a malicious QuickTime file to reach the vulnerability in Quartz.dll. Please note this type of attack could happen for any browser, not just IE.
There is also a file-based attack vector by opening a malicious QuickTime file via Windows Media Player to trigger the vulnerability.
Microsoft offers a simple solution – a “Fix It For Me” option in the related Knowledge Base article. It wouldn’t hurt a bit if you went to KB 971778 and clicked the “Fix It” button to, uh, Fix It. The worst that’ll happen? DreamScape won’t run QuickTime files.
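If you want to confirm the Fix It actually took, rather than trust the dialog box, here is an added PowerShell example (mine, not from the post or from Microsoft). It lists any DirectShow filter registered under HKCR\CLSID that is served by quartz.dll and carries “QuickTime” in its friendly name, which is the parser the 971778 workaround unregisters. The name match is an assumption on my part; compare the CLSID it reports with the one in the advisory before deleting anything by hand.

```powershell
# Added example, not from the original post or from Microsoft's Fix it: find
# any DirectShow filter registered under HKCR\CLSID that is served by
# quartz.dll and has "QuickTime" in its friendly name. That is the parser the
# 971778 workaround unregisters, so an empty result after applying the Fix it
# is what you want. The name match is an assumption; check the CLSID it
# reports against the advisory before touching anything by hand.

function Get-QuartzQuickTimeFilters {
    if (-not (Test-Path 'HKCR:\')) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $key  = $_                       # Microsoft.Win32.RegistryKey for one CLSID
        $name = $key.GetValue('')        # (default) value = COM friendly name
        $sub  = $key.OpenSubKey('InprocServer32')
        if ($sub -ne $null) {
            $server = $sub.GetValue('')  # DLL path; REG_EXPAND_SZ is expanded for us
            $sub.Close()
            if ($server -match 'quartz\.dll$' -and $name -match 'QuickTime') {
                New-Object PSObject -Property @{
                    CLSID  = $key.PSChildName
                    Name   = $name
                    Server = $server
                }
            }
        }
    }
}

$filters = @(Get-QuartzQuickTimeFilters)
if ($filters.Count -eq 0) {
    'No quartz.dll QuickTime parser is registered: the Fix it is in place (or the filter was never present).'
} else {
    Write-Warning 'quartz.dll can still be reached through a QuickTime file:'
    $filters | Format-Table CLSID, Name, Server -AutoSize
}
```

The script only reports; removing the registration is what the Fix It does, and Microsoft ships a matching “undo” Fix It for when the real patch arrives. Note that unregistering the parser closes both vectors the SRD post describes, the browser plug-in one and the open-it-in-Windows-Media-Player one, because both end up in the same quartz.dll code.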
-
New Excel 0day
This hasn’t yet hit the main news feeds, but Microsoft just released Security Advisory 968272, which discusses another 0day that takes advantage of a security hole in all modern versions of Excel, and the Excel Viewer.
Yes, you read that right. The Excel Viewer is vulnerable too.
Microsoft’s suggested fix for the moment? “Do not open or save Office files that you receive from un-trusted sources or that are received unexpectedly from trusted sources. This vulnerability could be exploited when a user opens a file.”
The advisory goes on to give a lengthy set of manual instructions, which includes editing the Registry, that may or may not fend off the exploit. Or you can use Office’s File Block policy to stop Excel from opening files in the Office 2003 and earlier binary formats at all.
Oh boy. In other words, bend over and kiss your keester goodbye.
Symantec has encountered an infected file, Trojan.Mdropper.AC, that’s easy to block. It remains to be seen if the exploit folks are smart and fast enough to morph the Trojan so it isn’t so easy to thwart.
Today would be a very good day to avoid opening any Excel file that you don’t know well.
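For those who would rather block the old binary formats than rely on users’ judgment, here is an added PowerShell example (mine, not from the post or from the advisory) that turns on Excel’s File Block policy for the legacy .xls formats in Excel 2003 and Excel 2007. It assumes the per-user FileOpenBlock key and BinaryFiles value that Microsoft’s File Block policy uses; check the advisory for your exact Excel version (Excel 2003 needs SP3) before rolling it out.

```powershell
# Added example, not from the original post or the advisory: turn on the Excel
# File Block policy so Excel 2003 and 2007 refuse to open the legacy binary
# .xls formats, which is the "block files from Office 2003 or earlier"
# workaround. Key paths and the BinaryFiles value are the ones Microsoft's
# File Block policy uses (assumption: check the advisory for your Excel
# version; Excel 2003 needs SP3). It is per-user: run it as the user whose
# Excel you want to restrict.

$ExcelVersions = @{ '11.0' = 'Excel 2003'; '12.0' = 'Excel 2007' }

function Set-ExcelBinaryFileBlock {
    param([ValidateSet('Block', 'Allow')][string]$Mode = 'Block')
    $flag = if ($Mode -eq 'Block') { 1 } else { 0 }

    foreach ($ver in $ExcelVersions.Keys) {
        # Skip versions this user has never run; Excel creates its key on first start.
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$ver\Excel")) { continue }

        $key = "HKCU:\Software\Microsoft\Office\$ver\Excel\Security\FileOpenBlock"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'BinaryFiles' -Value $flag -Type DWord

        # Read back rather than trust the write, so the report shows what is in the registry.
        $readBack = (Get-ItemProperty -Path $key -Name 'BinaryFiles').BinaryFiles
        New-Object PSObject -Property @{
            Version     = $ExcelVersions[$ver]
            BinaryFiles = $readBack
            Key         = $key
        }
    }
}

Set-ExcelBinaryFileBlock -Mode Block | Format-Table Version, BinaryFiles, Key -AutoSize
```

Once BinaryFiles is 1, Excel refuses every .xls, not just the malicious ones, so expect complaints from anyone who still trades spreadsheets in the old format. When the patch ships, Set-ExcelBinaryFileBlock -Mode Allow puts things back.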