IE vuln posts copy text to web (!)
FYI...
- http://www.theinquirer.net/?article=29856
23 February 2006
"A WARNING RECEIVED highlights what appears to be a real Explorer danger that text copied onto the clipboard can be seen on the web. Some people who should, appear to know all about this, while it was news to others we contacted.
So try this:
1) Copy any text by ctrl+c
2) Click the Link:
http://www.sourcecodesworld.com/special/clipboard.asp
("...The best way to solve this problem is to use Firefox...")
3) You will see the text you copied on the Screen which was accessed by this web page.
The advice is do not keep sensitive data (like passwords, credit card numbers, PIN etc.) in the clipboard while surfing the web. It is extremely easy to extract the text stored in the clipboard.
To fix this it is simple, do the following in your browser:
Tools->Internet Options->Security->Custom Level scroll down to "Scripting"
Disable "Allow paste operation via script"
Hit OK and you should be good to go.
To verify, repeat steps 1 & 2 and you will see the link cannot see your clipboard.
Good luck."
:eek:
Winamp buffer overflow vuln - update available
FYI...
- http://isc.sans.org/diary.php?storyid=1149
Last Updated: 2006-02-25 15:33:14 UTC
"We have been monitoring a reported flaw with Winamp 5.12 and 5.13. A buffer overflow condition with a playlist containing a long file name can cause the application to crash at best and execute arbitrary code at worst. To date, we are not aware of any POC that uses this vulnerability successfully for malicious purposes. This problem is fixed in Winamp 5.2 so users are advised to update..."
- http://secunia.com/advisories/18848
Release Date: 2006-02-16
Last Update: 2006-02-23
Critical: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: Winamp 5.x...
...The vulnerability has been reported in versions 5.12 and 5.13. Prior versions may also be affected.
Solution:
Update to version 5.2 ..."
Winamp 5.2 Player Download
>>> http://www.winamp.com/player/
Version History
- http://www.winamp.com/player/version_history.php
:eek:
New IM Worms Delete Files, Hijack PCs
FYI...
- http://www.techweb.com/article/print...section=700028
March 07, 2006
"An anti-virus vendor warned Tuesday that two new worms spreading on Microsoft's and America Online's instant messaging networks delete files and leave systems open to hijacking. Symantec posted alerts for the "Hotmatom" and "Maniccum" worms, and ranked both as a level "2" threat. The Cupertino, Calif.-based security company uses a 1 through 5 scale to label worms, viruses, and Trojans. Hotmatom, said Symantec, is a Spanish-language worm transmitted over Microsoft's MSN instant messaging network. A message arrives, seemingly from a trusted IM contact, that claims a "very dangerous virus" (virus muy peligroso) has been detected, and offers a link to a free patch. Clicking on the link, however, actually installs the worm. Once on a PC, Hotmatom* deletes files at the root level of the A:/ and C:/ drives, then assigns those deleted filenames to copies of itself. It also appends text to any future Microsoft Hotmail e-mail messages sent by that computer; the text, which can be in either Spanish or English, includes links to the same malicious code. Maniccum**, meanwhile, propagates via both America Online's AIM and MSN's networks, and if installed, opens a backdoor on that PC and tries to disable security programs, including anti-virus and firewall software. The backdoor, which accepts commands from the attacker via IRC, can be used to access files, update the worm, upload more malicious code, send additional AIM and/or MSN messages, and launch denial-of-service (DoS) attacks, said Symantec."
* http://www.symantec.com/avcenter/ven....hotmatom.html
** http://www.symantec.com/avcenter/ven....maniccum.html
:confused: :eek:
New IM Worms Delete Files, Hijack PCs
Even with all that stuff from Symantec:
- http://www.sarc.com/
...currently, the "ThreatCon Level is 1 - The ThreatCon is being maintained at Level 1. DeepSight TMS is not currently reporting any anomalous or notable activity" (... in spite of the "level '2' threat" on both items named).
...so, it makes you wonder whether the right hand knows what the left is doing at times.
Suffice it to say, use caution with IM while these uglies are out and about at AOL and MSN.
;) :confused:
Fraudulent Nokia site hosting Crimeware Keylogger
FYI...
- http://www.websensesecuritylabs.com/...hp?AlertID=441
March 09, 2006
"Websense® Security Labs™ has received reports of a malicious website, which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code's filename is main_n80.scr and was discovered on a site, which appears to be a fraudulent version of the Nokia Taiwan website.
The site uses a cousin domain name and simply has an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.
Other Details:
The main_80.scr file is an SFX self-extracting executable file that contains four files:
* download.exe
* winlogin.exe
* server.exe
* error.jpg
When the main_80.scr file is executed, it will use download.exe to copy the extracted files to the system32 dir and execute its version of run32dll.exe. The rundll32.exe file will show error.jpg. Once the user closes the .jpg file, rundll32.exe will execute the rest of the extracted .exe files. These extracted .exe files modify the registry, as detailed below, to ensure that it starts on restart, and checks for the existence of the application Lineage.
* Modifies or creates files and stores in system32 directory
* Kerne0110.exe is a copy of winlogin.exe
* Rundll32.exe is a copy of download.exe
* gg.bat is created
* _2dll.dll is created
* microsoftie0110.dll is created
* msabc.dll is created
* pKerme123.dll is created
* RegistryInfo.dll is created
* Verifies installation of lineage..."
(Screenshot available at the URL above.)
:eek:
McAfee/NAI rolls bad pattern
FYI...
- http://isc.sans.org/diary.php?storyid=1179
Last Updated: 2006-03-11 01:29:45 UTC
"NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright, this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.
If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:
* How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
* Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?"
-------------------------------------------------
EDIT/ADD:
RE: False positives from 4715 DAT file of 3.10.2006:
- http://vil.nai.com/vil/content/v_138884.htm
"...Users who have moved detected files to quarantine should restore them to their original location. Windows users who have had files deleted should restore files from backup or use System Restore.
Virusscan Online users can restore the falsely detected file from the Manage Quarantined Files by clicking on the Restore button as shown..."
>>> (See URL above for complete info and screenshots.)
Also see:
- http://isc.sans.org/diary.php?storyid=1184
Last Updated: 2006-03-12 18:58:01 UTC
--------------------------------------------------
More...
- http://vil.nai.com/vil/content/v_138884.htm
W95/CTX ...
"... Update March 12, 2006 - 15:28 PDT --
A complete list of files, which are known to trigger this incorrect identification, can be downloaded here*."
* http://vil.nai.com/images/CTX_file_list.pdf
EDIT/ADD:
- http://isc.sans.org/diary.php?compare=1&storyid=1184
"...Update: 02:43 UTC 2006-03-13 - McAfee has released a list of (supposedly) all the files affected by DAT 4715. It includes some other interesting ones in addition to excel.exe, like setup.exe, uninstall.exe, shutdown.exe, and reg.exe to name just a few, but is clearly incomplete since it doesn't include any of the Oracle binaries that have been reported to be affected by some of our readers..."
---------------------------------------------
FYI... re: http://isc.sans.org/diary.php?compare=1&storyid=1184
"...McAfee has developed a tool that will restore files that were quarantined by DAT 4715..."
- http://vil.nai.com/vil/content/v_138884.htm
"...Update March 13, 2006 - 17:45 PDT --
Tools for recovering quarantine files due to this incorrect identification can be found here*..."
McAfee W95/CTX Quarantine File Restore Utility
* http://vil.nai.com/vil/stinger/ctxundo.asp
:(
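The two questions the ISC diary poses above (how would you spot a bad pattern, and how would you tell it from an outbreak) as a worked triage over AV detection logs. This is an added example, not code from ISC or McAfee; the log line format, host names, file paths and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample detection log (not real VirusScan output): one detection per line.
# The W95/CTX hits start the moment DAT 4715 lands and fall on long-installed product binaries.
SAMPLE_LOG = r"""
2006-03-10T17:55:02Z host=ws-011 dat=4714 threat=W32/Mytob.gen@MM file=C:\Documents and Settings\bob\Local Settings\Temp\photo.zip
2006-03-10T18:02:11Z host=ws-014 dat=4715 threat=W95/CTX file=C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
2006-03-10T18:02:40Z host=ws-017 dat=4715 threat=W95/CTX file=C:\WINDOWS\system32\reg.exe
2006-03-10T18:03:05Z host=ws-021 dat=4715 threat=W95/CTX file=C:\Program Files\Oracle\bin\sqlplus.exe
2006-03-10T18:03:50Z host=ws-014 dat=4715 threat=W95/CTX file=C:\WINDOWS\system32\shutdown.exe
2006-03-10T18:04:12Z host=ws-030 dat=4715 threat=W95/CTX file=C:\Program Files\Acme\setup.exe
2006-03-10T18:05:00Z host=ws-033 dat=4715 threat=W32/Mytob.gen@MM file=C:\Documents and Settings\ann\Local Settings\Temp\photo.zip
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dat=(?P<dat>\d+) threat=(?P<threat>\S+) file=(?P<path>.+)$")
# Directories where a sudden wave of hits on installed binaries implicates the signature, not the file.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\")

def parse(log_text):
    """Turn the log into dicts; lines that do not match the assumed format are ignored."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["dat"] = int(row["dat"])
            rows.append(row)
    return rows

def triage(log_text, min_hosts=3, min_files=3, trusted_share=0.8):
    """Per threat name, decide 'suspected-false-positive' vs 'possible-outbreak'. A bad pattern shows
    hits under exactly one (new) DAT, on many hosts, on many distinct binaries in trusted directories."""
    by_threat = defaultdict(list)
    for row in parse(log_text):
        by_threat[row["threat"]].append(row)
    verdicts = {}
    for threat, hits in by_threat.items():
        dats = sorted({h["dat"] for h in hits})
        hosts = {h["host"] for h in hits}
        files = sorted({h["path"].rsplit("\\", 1)[-1].lower() for h in hits})
        trusted = sum(h["path"].lower().startswith(TRUSTED_DIRS) for h in hits)
        looks_bad_pattern = (len(dats) == 1 and len(hosts) >= min_hosts
                             and len(files) >= min_files
                             and trusted >= trusted_share * len(hits))
        verdicts[threat] = {"verdict": "suspected-false-positive" if looks_bad_pattern else "possible-outbreak",
                            "dat": dats[-1], "hosts": len(hosts), "files": files,
                            "rollback_to": dats[-1] - 1 if looks_bad_pattern else None}  # last known-good DAT
    return verdicts
```

The rollback recommendation only helps if the previous DAT is still retained locally or on the vendor's site, which is the diary's second question.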
"Acts of terrorism..." trojan
FYI...
- http://isc.sans.org/diary.php?storyid=1181
Last Updated: 2006-03-11 19:54:39 UTC
"Don't open zips you get in the mail. Today's gem claims to be video about new acts of terrorism. Attached to the email was a 47KB zip file news.zip. Inside news.zip is news.exe. But it's a trojan, of course. Only about half of the av scanners recognized it. Those that did identified it as a trojan downloader of some sort.
TEXT of the virus message:
From: BBC World News [mailto:news@info.bbc.com]
Sent: Fri 3/10/2006 7:24 PM
To: Smith, Donald
Subject: New acts of terrorism in New York and London
Today FBI and SCOTLAND YARD has informed on set of new acts of terrorism in New York and London. On a communique was lost more than two thousand person and about ten thousand have received the wounds which were much of them are in a grave condition.Police and MI5 identified an Al-Qaeda cell that had carried out extensive research and video-recorded reconnaissance missions in preparation for the attack. You can learn the detailed information in the attached file."
:mad:
Apple Mac OS X security patch bundle 2006-002
Once again...
Apple Mac OS X security patch bundle 2006-002
- http://isc.sans.org/diary.php?storyid=1188
Last Updated: 2006-03-13 23:44:56 UTC
"Apple released some more security patches today for Mac OS X in a bundle called 2006-002*.
* CoreTypes: CVE-2006-0400
Fix for an XSS scripting vulnerability in archives by flagging the documents as unsafe.
* Mail: CVE-2006-0396
Fix for a vulnerability allowing arbitrary code execution by clicking on crafted email messages
* Safari, LaunchServices, CoreTypes: CVE-2006-0397, CVE-2006-0398, CVE-2006-0399
Additional checks on top of those in the previous update.
* Various non security rated regression fixes in a.o. apache_mod_php (still based on PHP 4.4.1, not on the latest 4.4.2) and rsync..."
* http://docs.info.apple.com/article.html?artnum=303453
------------------------------------------------
- http://secunia.com/advisories/19129/
Release Date: 2006-03-14
Critical: Extremely critical
Impact: Security Bypass, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X...
Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
1) Under certain circumstances, it is possible for JavaScript to bypass the same-origin policy via specially crafted archives.
2) A boundary error in Mail can be exploited to cause a buffer overflow via a specially crafted email. This allows execution of arbitrary code on a user's system if a specially crafted attachment is double-clicked.
3) An error in Safari / LaunchServices can cause a malicious application to appear as a safe file type. This may cause a malicious file to be executed automatically when visiting a malicious web site...
Solution:
Apply Security Update 2006-002 ( http://docs.info.apple.com/article.html?artnum=303453 ).