Are you a security pirate?
While not of any particular security significance, I do enjoy my lowbrow humour maybe a little more than the next person.
It has been reported that September 19th is International (talk like a) Pirate Day! Arrr!
If you have any need to don your Security BoFH hat for the remainder of your day to speak with anyone regarding actual significant security matters, I am informing you that you do have the option to do so with a new hook in your voice. Just think of the fun you can have while you speak with the next individual reported to have unleashed a botnet on your internal networks:
"Arrr! Did ya click on that URL sent in IM, Matey!!! Grrr... Now why'd ya go and do that! Now yee'll be walkin' the plank!"
I consider myself to be of the disco bandit pirate variety, and just what kind might you be matey!
W
PDF vulnerabilities
Several new Adobe PDF vulnerabilities were recently announced.
The author claims these are basic vulnerabilities in the PDF API or architecture. He tested his PoCs against Acrobat Reader and Acrobat Professional.
The details are available here.
http://michaeldaw.org/
http://www.eweek.com/article2/0,1895,2016606,00.asp
Here is a quick risk assessment.
How widely deployed is the application?
Adobe reader is widely used and deployed. (9)
Are vendor patches available?
No patches currently available (10)
Is mitigation available and if so how complete is the mitigation?
No mitigation is currently available. (10)
Is user participation required?
Yes. The user first has to download or click a link to a PDF, so some user interaction takes place. (5)
I have not tested the PoCs, but several people have and their results do not match. Depending on who tested it, you may have to click Allow.
See this discussion on who tested the pocs and their results.
http://www.networksecurityarchive.org/html/FullDisclosure/2006-09/msg00252.html
Is the vulnerability cross platform?
Yes. Any exploit will still have to run system-dependent malware on the end host, but there are plenty of malware binaries that could be used. (8)
Is proof-of-concept or exploit code available?
PoCs for two of the vulnerabilities are publicly available. (10)
Overall risk score: 8.7 on a scale of 0 to 10, with 10 being the highest.
This is based on the numbers I assigned.
Your risk might be slightly higher or lower depending on the numbers you would assign and any mitigating factors. In most risk assessments I do I include the value of the system that is vulnerable. In this case that is difficult to do, so I have left it out.
Yet another MSIE 0-day: VML
Multiple readers told us they noticed reports about a new MSIE 0-day, an "actively exploited unpatched vulnerability", in VML. VML stands for Vector Markup Language and is basically an XML file delivered to your browser containing a vector drawing. It was submitted to the W3C in 1998.
This 0-day appears to be different from last week's 0-day abusing daxctle.ocx (BTW: it's still unpatched).
The CVE candidate number CVE-2006-3866 initially promoted has been rejected, CVE-2006-4868 is the right one.
Detection:
Antivirus | Version | Update | Result |
---|---|---|---|
AntiVir | 7.2.0.16 | 09.19.2006 | no virus found |
Authentium | 4.93.8 | 09.19.2006 | no virus found |
Avast | 4.7.844.0 | 09.19.2006 | no virus found |
AVG | 386 | 09.19.2006 | no virus found |
BitDefender | 7.2 | 09.19.2006 | no virus found |
CAT-QuickHeal | 8.00 | 09.18.2006 | no virus found |
ClamAV | devel-20060426 | 09.19.2006 | no virus found |
DrWeb | 4.33 | 09.19.2006 | no virus found |
eTrust-InoculateIT | 23.72.128 | 09.19.2006 | no virus found |
eTrust-Vet | 30.3.3086 | 09.19.2006 | no virus found |
Ewido | 4.0 | 09.19.2006 | no virus found |
Fortinet | 2.82.0.0 | 09.19.2006 | no virus found |
F-Prot | 3.16f | 09.19.2006 | no virus found |
F-Prot | 44.2.1.29 | 09.19.2006 | no virus found |
Ikarus | 0.2.65.0 | 09.19.2006 | no virus found |
Kaspersky | 4.0.2.24 | 09.19.2006 | no virus found |
McAfee | 4855 | 09.19.2006 | no virus found |
Microsoft | 1.1560 | 09.19.2006 | Exploit:HTML/Levem.C |
NOD32 | v21.1763 | 09.19.2006 | no virus found |
Norman | 5.90.23 | 09.19.2006 | no virus found |
Panda | 9.0.0.4 | 09.19.2006 | no virus found |
Sophos | 4.09.0 | 09.19.2006 | no virus found |
Symantec | 8.0 | 09.19.2006 | no virus found |
TheHacker | 6.0.1.073 | 09.19.2006 | no virus found |
UNA | 1.83 | 09.19.2006 | no virus found |
VBA | 323.11.1 | 09.19.2006 | no virus found |
VirusBuster | 4.3.7:9 | 09.19.2006 | no virus found |
This was for a sample from the 19th; detection will obviously improve as VirusTotal shares samples with the antivirus vendors involved.
Solutions:
- Looking into alternate browsers isn't the worst way to spend the next half hour. One of the easiest ways to make it work might be to use Firefox with a plugin that allows certain sites (such as windowsupdate.com) to transparently use MSIE, getting back the ActiveX functionality without bothering the user with the choice and differences. If you do go that road, also add NoScript and a toolbar to block funny sites. See also the diary on diversity.
- There is some possibility to lessen the impact by reducing the rights the user has, but it'll only mitigate drive-by shootings at best. The targeted attacker is probably more than happy to get the rights (and access to information) the user has as part of his/her daily tasks. Fewer rights are good, even critical to have. But they are not enough to take away all danger.
- Unregister vgx.dll:
  regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
  To reverse this, run the command without the -u. Ever since the WMF issue around New Year we know unregistering DLLs isn't for the faint of heart, even if Microsoft recommends it.
- Also: a restrictive ACL on VGX.DLL, disabling scripting in MSIE (hard to determine how effective that is against content that is basically XML), and reading email in text only are alternate mitigations from Microsoft.
Exploits
There are a number of exploits circulating; they come from multiple domains and currently use JavaScript to obfuscate the code itself. However, the exploit itself does not seem to need JavaScript. The exploits load a truckload of other malware (for profit, of course). One of the main domains involved is "insorg.org", but other, more adult-entertainment-related sites are involved in exploiting victims as well.
Since this exploit seems to be rather easy to recreate once there is a sample, there is no end to how and where it can and will be used. We'd not be surprised to see it appear soon in more mainstream public sources of exploits.
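Since VML is just XML carried inside the HTML, a captured page can be triaged statically before anyone opens it in MSIE. The scanner below is an added example (it is not code from this diary, from Microsoft or from any of the vendors linked above): it reports the markers a VML-bearing page carries, namely the `urn:schemas-microsoft-com:vml` namespace declaration, the `behavior:url(#default#VML)` CSS rule IE needs to render VML, and every `v:` element; and, because the diary notes that the circulating exploits arrive wrapped in obfuscating JavaScript, it also records the unpacking calls typical of such pages. Any VML attribute longer than an assumed 256 bytes is flagged as a generic overflow indicator. The threshold, the hint list and both sample pages are assumptions constructed for the example, not details of the vulnerability, and VML that a script writes into the page at runtime is invisible to a static scan like this one.

```python
"""Heuristic scan of captured HTML for VML usage and script obfuscation.
Added example, not code from the ISC diary or from Microsoft. Assumed
values: the 256-byte attribute threshold and the obfuscation hint list."""
from html.parser import HTMLParser

VML_NAMESPACE = "urn:schemas-microsoft-com:vml"   # namespace IE binds the v: prefix to
VML_BEHAVIOR = "#default#vml"                      # behavior:url(#default#VML), lowercased
MAX_ATTR_LEN = 256                                 # assumed threshold; tune per environment
OBFUSCATION_HINTS = ("unescape(", "document.write(", "eval(", "fromcharcode(")


class VmlScanner(HTMLParser):
    """Collect facts about VML and script obfuscation in one HTML document."""

    def __init__(self):
        super().__init__()
        self.namespace_declared = False   # xmlns:v="urn:schemas-microsoft-com:vml" seen
        self.behavior_declared = False    # behavior:url(#default#VML) seen in CSS
        self.vml_elements = []            # every v: element, in document order
        self.long_attributes = []         # (tag, attribute, length) above MAX_ATTR_LEN
        self.obfuscation_hints = []       # unpacking calls found inside <script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            value = value or ""
            if name.startswith("xmlns:") and value.lower() == VML_NAMESPACE:
                self.namespace_declared = True
            if name == "style" and VML_BEHAVIOR in value.lower():
                self.behavior_declared = True
        if tag.startswith("v:"):
            self.vml_elements.append(tag)
            for name, value in attrs:
                if value is not None and len(value) > MAX_ATTR_LEN:
                    self.long_attributes.append((tag, name, len(value)))

    def handle_startendtag(self, tag, attrs):
        # self-closing tags such as <v:rect .../> arrive here, not in handle_starttag
        self.handle_starttag(tag, attrs)
        self._in_script = False

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        lowered = data.lower()
        if VML_BEHAVIOR in lowered:   # <style>v\:* { behavior: url(#default#VML); }</style>
            self.behavior_declared = True
        if self._in_script:
            for hint in OBFUSCATION_HINTS:
                if hint in lowered and hint not in self.obfuscation_hints:
                    self.obfuscation_hints.append(hint)


def assess(html_text):
    """Scan one document; return (scanner, sorted list of finding labels)."""
    scanner = VmlScanner()
    scanner.feed(html_text)
    scanner.close()
    findings = set()
    if scanner.namespace_declared or scanner.behavior_declared or scanner.vml_elements:
        findings.add("vml-present")
    if scanner.long_attributes:
        findings.add("oversized-vml-attribute")
    if scanner.obfuscation_hints:
        findings.add("script-obfuscation")
    return scanner, sorted(findings)


# Constructed sample: an ordinary page that draws one rectangle with VML.
BENIGN_PAGE = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml">\n'
    '<head><style>v\\:* { behavior: url(#default#VML); }</style></head>\n'
    '<body><v:rect style="width:100px;height:50px" fillcolor="blue"/></body></html>'
)

# Constructed sample with the *shape* of a packed drive-by page: a script that
# unpacks itself, then a v: element carrying a 2000-byte attribute. It is not
# a real exploit and triggers nothing.
SUSPECT_PAGE = (
    '<html xmlns:v="urn:schemas-microsoft-com:vml"><body>\n'
    '<script>document.write(unescape("%3Cv%3Arect%3E"));</script>\n'
    '<v:rect id="r" style="width:10px" title="' + "A" * 2000 + '"/>\n'
    '</body></html>'
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        scanner, findings = assess(page)
        print(label, findings, scanner.long_attributes)
```

Run it over HTML pulled from a proxy cache or a mail quarantine; `vml-present` on its own is normal for pages that draw with VML, while `oversized-vml-attribute` together with `script-obfuscation` is what merits a closer look in a sandbox.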
URLs
- US-CERT Vulnerability Note
- Microsoft Security Advisory 925568
- Blocking VML using a GPO (use the magic incantations at own risk)
- McAfee
- Symantec
- Trendmicro
Please note that Microsoft says it will release a fix on October 10th (in cycle) or earlier, depending on customer need. Perhaps it's time to let them hear your need.
Thanks to all who sent in a note about this.
--
Swa Frantzen -- Section 66
0day this, 0day that, I've got the 0day blahs, and Microsoft Office 2000 PPT *DOES NOT*
In today's storm of email announcing vulnerabilities (*yes, pun intended*), we have received multiple forwards of a new PowerPoint vulnerability currently focused on the Chinese localization of the Microsoft Office 2000 product. It is unconfirmed at this time whether later versions of PowerPoint are vulnerable. There has been no notice disclosed regarding active exploitation of other localized versions of PowerPoint, but safe money says that they are. One AV vendor is classifying a discovered variant as "Trojan.PPDropper.E".

Update: While earlier reports alluded to the possibility that this was a new null-day exploit against PowerPoint, an AV vendor contact has written in to notify us that this vulnerability, as disclosed elsewhere, was likely not a zer* day vulnerability, and that further investigation was under way to confirm that it was addressed by the updates in MS06-012.
Let me ask. Do I even have to state the following among this readership? Though it may be up to you to educate others.
* Don't open untrusted, unvetted or otherwise unexpected attachments.
* Especially not if they were found on a USB stick that was lying on the ground outside your office!
Personally, I have instructed my parents to stop using the internet altogether, since they seem unable to stop browsing strange websites and opening attachments from strange sources. </sarcasm>
Have I mentioned that I'm tired of using terms that have lost their meaning?
</REALLY /sarcasm>
0day it to the front, uh-uh-uh
0day it to the back, uh-uh-uh
0day to the right, 0day to the left
0day it up, up all night, uh-uh-uh
Handler on Duty (who solemnly swears NEVER to use the term '0day' ever again)
W
Rant-of-the-day: on the dangers of orphaned software (the dark side of open source)
Earlier today, one of our readers (who asked not to be identified) alerted us that a number of Linux and BSD distros were releasing new versions of gzip which address several new vulnerabilities (CVE-2006-4334 through CVE-2006-4338). A quick look at the MITRE site shows those vulnerabilities as still 'under review', so there are no details as to what underlying problems are being fixed.

I decided to take a look at the "official" site for gzip to see if there was any info there. I first went to www.gnu.org and found info on gzip. They said the "official" site was www.gzip.org, so I went over there for a look. That is when I became very discouraged. The last official version of gzip listed on that site is 1.2.4 (dated Aug 1993; well, 1.2.4a is on the FTP server, dated Feb 1999) and the latest "beta" listed is 1.3.3, but all of the Linux distros, FreeBSD, even Sunfreeware are on 1.3.5 (I finally found the 1.3.5 source on the alpha.gnu.org FTP server, dated Sep 2002). Looking at the bottom of the page, I see that the page itself hasn't been updated in over 3 years. Is there someplace one can find the current definitive source for gzip? I don't know. I found a Windows version on SourceForge.

I know there have been vulnerabilities in both gzip and zlib over the last 3 or 4 years, and I know that most vendors have patched them, but if there is no authoritative owner for the software, are the vendors patching the same way? Do all the patches actually work? How have the various vendor versions diverged over the last 3+ years? This is the downside of open source software. What happens to it when the original maintainers tire of it, move on to other things, get hit by the proverbial bus,...? I admit that I have not yet tried contacting support@gzip.org or the original authors of this excellent tool to find out if they have passed maintenance on to anyone else.
I am reasonably certain that the various vendor versions could be reconciled and an official version could be produced again, but who should/would take ownership of it?
Anyway, from what I can tell from the FreeBSD and Ubuntu bulletins, these issues can result in gzip (or, I believe more accurately, gunzip/gzip -d) crashing, causing high CPU utilization, or possibly executing code from a properly crafted .gz file, so you'll probably want to update your gzip as soon as your favorite distro provides the update.
Update: (2006-09-19 20:52 UTC) These vulnerabilities collectively now have Bugtraq ID 20101, and the Red Hat notice gives a little more of a hint as to what the various CVEs are about.
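With the CVE details still under review, the defensive posture toward untrusted .gz input is the same whichever bug each vendor is fixing. The added example below (not gzip's code and not from this diary) shows that posture in Python: parse the RFC 1952 member header field by field and reject anything malformed before any inflate code runs, cap both the decompressed size and the expansion ratio so a crafted archive cannot pin the CPU or exhaust memory, and verify the CRC32/ISIZE trailer afterwards. The 16 MiB and 1000:1 limits, the 64 KiB feed size and the sample archives are constructed assumptions for the example.

```python
"""Header-validated, resource-bounded decompression of an untrusted .gz file.
Added example; not gzip's code and not from the diary. Limits are assumptions."""
import gzip
import io
import struct
import zlib

FHCRC, FEXTRA, FNAME, FCOMMENT = 2, 4, 8, 16   # RFC 1952 FLG bits (FTEXT=1 is informational)
MAX_OUTPUT = 16 * 1024 * 1024                   # assumed cap on decompressed bytes
MAX_RATIO = 1000                                # assumed cap on decompressed:compressed ratio
CHUNK = 64 * 1024                               # compressed bytes fed per inflate step


class GzipError(ValueError):
    """Any structural problem found before or during inflation."""


def parse_header(data: bytes) -> dict:
    """Validate an RFC 1952 member header; return its fields and total length."""
    if len(data) < 10:
        raise GzipError("truncated fixed header")
    id1, id2, cm, flg, mtime, xfl, os_id = struct.unpack("<BBBBIBB", data[:10])
    if (id1, id2) != (0x1F, 0x8B):
        raise GzipError("bad magic bytes")
    if cm != 8:
        raise GzipError("unsupported compression method %d" % cm)
    if flg & 0xE0:
        raise GzipError("reserved FLG bits set")
    fields = {"mtime": mtime, "xfl": xfl, "os": os_id, "extra": b"", "name": None, "comment": None}
    pos = 10
    if flg & FEXTRA:                            # 2-byte XLEN, then XLEN bytes
        if len(data) < pos + 2:
            raise GzipError("truncated XLEN")
        xlen = struct.unpack("<H", data[pos:pos + 2])[0]
        pos += 2
        if len(data) < pos + xlen:
            raise GzipError("FEXTRA runs past end of input")
        fields["extra"] = data[pos:pos + xlen]
        pos += xlen
    for flag, key in ((FNAME, "name"), (FCOMMENT, "comment")):
        if flg & flag:                          # zero-terminated string
            end = data.find(b"\x00", pos)
            if end < 0:
                raise GzipError("unterminated %s field" % key.upper())
            fields[key] = data[pos:end]
            pos = end + 1
    if flg & FHCRC:                             # low 16 bits of CRC32 over the header so far
        if len(data) < pos + 2:
            raise GzipError("truncated FHCRC")
        if struct.unpack("<H", data[pos:pos + 2])[0] != (zlib.crc32(data[:pos]) & 0xFFFF):
            raise GzipError("header CRC mismatch")
        pos += 2
    fields["header_len"] = pos
    return fields


def safe_gunzip(data: bytes, max_output: int = MAX_OUTPUT, max_ratio: int = MAX_RATIO) -> bytes:
    """Inflate one member under size and ratio limits, then verify the CRC32/ISIZE trailer."""
    body = data[parse_header(data)["header_len"]:]
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)      # raw DEFLATE; header already consumed
    out, fed, pending = bytearray(), 0, b""
    while not inflater.eof:
        if not pending:
            if fed >= len(body):
                raise GzipError("DEFLATE stream has no end-of-stream marker")
            pending = body[fed:fed + CHUNK]
            fed += len(pending)
        try:   # max_length bounds each step's output so a bomb cannot balloon memory
            piece = inflater.decompress(pending, max_output - len(out) + 1)
        except zlib.error as exc:
            raise GzipError("corrupt DEFLATE data: %s" % exc) from exc
        pending = inflater.unconsumed_tail
        out += piece
        if len(out) > max_output:
            raise GzipError("output exceeds %d bytes" % max_output)
        if len(out) > max_ratio * fed:
            raise GzipError("expansion ratio exceeds %d:1" % max_ratio)
    trailer = inflater.unused_data + body[fed:]         # CRC32 and ISIZE follow the stream
    if len(trailer) < 8:
        raise GzipError("truncated trailer")
    crc, isize = struct.unpack("<II", trailer[:8])
    if crc != zlib.crc32(out) or isize != (len(out) & 0xFFFFFFFF):
        raise GzipError("trailer CRC32/ISIZE mismatch")
    return bytes(out)


def rejected(func, *args, **kwargs) -> bool:
    """True when func raises GzipError for these arguments."""
    try:
        func(*args, **kwargs)
    except GzipError:
        return True
    return False


def constructed_samples() -> dict:
    """Constructed inputs: normal archives, a header with FHCRC, a zero-filled bomb, junk."""
    named = io.BytesIO()
    with gzip.GzipFile(filename="notes.txt", mode="wb", fileobj=named, mtime=0) as fh:
        fh.write(b"orphaned software is still software\n")
    hcrc = b"\x1f\x8b\x08\x02" + b"\x00" * 6          # FLG=FHCRC, no other optional fields
    hcrc += struct.pack("<H", zlib.crc32(hcrc) & 0xFFFF)
    return {
        "plain": gzip.compress(b"hello gzip " * 1000, mtime=0),
        "named": named.getvalue(),
        "hcrc_header": hcrc,
        "bomb": gzip.compress(b"\x00" * (4 * 1024 * 1024), mtime=0),
        "bad_magic": b"PK\x03\x04" + b"\x00" * 20,
        "reserved_flag": b"\x1f\x8b\x08\x80" + b"\x00" * 6,
    }
```

Call `safe_gunzip(open(path, "rb").read())` on a file from an untrusted source; a `GzipError` names the first structural problem found, and the zero-filled "bomb" sample is refused by the size cap or the ratio cap before its 4 MiB ever fully materialise. Only the first member of a multi-member archive is handled; a loop over `inflater.unused_data` would extend it.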
----------------------------
Jim Clausing, jclausing /at\ isc dot sans dot org
Malware analysts rejoice! A public submission interface for the CWSandbox
The public availability of a submission interface into the CWSandbox is finally at hand.
The CWSandbox has been a somewhat closely held tool in the professional security and AV researcher community for many months now. Its results offer near-immediate insight into the actions of malicious code executing on Win32-based systems, which in turn offers you, the affected party, some quick intel on what might be happening on your network!
Please be kind and submit samples that you have vetted in some way as malicious. I'm sure this project would not be interested in receiving copies of your %SYSTEM% directory.
You can submit your malicious code samples via the sample web submission form at:
https://luigi.informatik.uni-mannheim.de/submit.php
CWSandbox results containing the sandbox/AV results are emailed to the submitter address.
This sandbox environment currently checks submitted samples against only three free/unnamed AV products at the moment. I'm confident the project would be interested in hearing from commercial AV vendors willing to offer Unix-based solutions to further its detection effort.
Handler on duty
W