
Thread: 2006 MS Alerts - Q3

  1. #21
    AplusWebMaster (Adviser Team) | Join Date: Oct 2005 | Location: USA | Posts: 6,881

    MSIE Zero-Day exploit in use on the Web

    FYI...

    - http://www.eweek.com/article2/0,1759...129TX1K0000614
    September 18, 2006
    "Security researchers at Sunbelt Software have discovered an active malware attack against fully patched versions of Microsoft's Internet Explorer browser. The exploit has been seeded at several porn sites hosted in Russia and is being used to launch drive-by malware downloads that appear to be hijacking Windows machines for use in botnets. eWEEK has confirmed the flaw—and zero-day attacks—on a fully patched version of Windows XP SP2 running IE 6.0. There are at least three different sites hosting the malicious executables, which are being served up on a rotational basis. According to Eric Sites, vice president of research and development at Florida-based Sunbelt Software, the vulnerability is a buffer overflow in the way the world's most widely used browser handles VML (Vector Markup Language) code. The attack is linked to the WebAttacker, a do-it-yourself malware installation toolkit that is sold at multiple underground Web sites. "Once you click on the site, the exploit opens a denial-of-service box and starts installing spyware," Sites said. He said the exploit can be mitigated by turning off JavaScript in the browser..."
    - http://sunbeltblog.blogspot.com/2006...oit-being.html
    =============================================

    - http://secunia.com/advisories/21989/
    Release Date: 2006-09-19
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Microsoft Internet Explorer 6.x
    ...Successful exploitation allows execution of arbitrary code.
    NOTE: Reportedly, this is currently being exploited in the wild.
    The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
    Solution:
    Do not visit untrusted web sites.
    Deactivating Active Scripting will prevent exploitation using the currently known exploit..."
    ===========================================

    - http://blog.washingtonpost.com/secur...loit_spel.html
    September 18, 2006; 10:25 PM ET
    "...If past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage... Among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user. The exploit is also being used to install the incredibly invasive Spybot worm and VXGame Trojan, as well as adware titles that scam artists profit from on a per installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue, and the bogus anti-spyware program SpySheriff..."
    ===============================

    - http://www.symantec.com/enterprise/s...ay_exploi.html
    September 19, 2006
    "...We have confirmed that this exploit takes advantage of a bug in VML (Vector Markup Language, which is an XML language used to produce vector graphics) to overflow a buffer and inject shell code. The exploit then downloads and installs multiple Security Risks, such as spyware, on the compromised machine... Although Microsoft has already been informed, at the time of writing there is no patch available for this particular exploit. Mitigating strategies include disabling JavaScript in Internet Explorer and using non-vulnerable browsers..."
    > http://www.symantec.com/enterprise/s...091914-1801-99
    ===============================

    Microsoft Internet Explorer VML stack buffer overflow
    - http://www.kb.cert.org/vuls/id/416092
    Last Updated - 09/19/2006

    ============================================

    - http://blogs.technet.com/msrc/archiv...19/457560.aspx

    Microsoft Security Advisory (925568)
    Vulnerability in Vector Markup Language Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/925568.mspx
    Published: September 19, 2006
    "Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware that this vulnerability is being actively exploited. A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs...
    Workarounds -
    Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified..."

    (More detail at the MS Advisory URL.)
    ============================================

    - http://www.websense.com/securitylabs....php?BlogID=81
    Sep 20 2006
    "The recently reported VML Internet Explorer "zero-day" exploit now has attack code publicly posted on the web. Although the first version results in a denial of service and not escalated privileges, we expect to see public posts of exploit code that does allow a user to run code without user-interaction. This may result in increased attacks based on the fact that there are no patches available, and "copy-cat" attacks that simply cut and paste P.O.C. code often occur after public release."

    Last edited by AplusWebMaster; 2006-09-20 at 18:22. Reason: Added Websense blog info...
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #22
    AplusWebMaster (Adviser Team)

    MS Desktop Search add-on vulns

    FYI...

    - http://isc.sans.org/diary.php?storyid=1720
    Last Updated: 2006-09-21 16:26:38 UTC
    "...Once again the folks at NISCC have posted info on a beauty. Their NISCC Vulnerability Advisory 693564/NISCC/FOLDERSHARE - Security Implications of the FolderShare Program* details huge vulnerabilities (https tunnel, EFS bypassing, and more) in FolderShare, an "add-in tool for Microsoft Desktop Search" which enables "remote access to files stored on Windows and Mac OS X based computers.".
    MS's KB "Best practices and security issues to consider when you use FolderShare**" is weak; its only useful recommendation is:
    "you can effectively block outgoing traffic to FolderShare. To permanently block the FolderShare satellite from running in a particular environment, block access to the following host name on port TCP/443: redir1.foldershare.com "..."

    * http://www.uniras.gov.uk/niscc/docs/...5.html?lang=en

    ** http://support.microsoft.com/kb/925077
    Last Review: September 19, 2006
    Revision: 1.1
    "...FolderShare is a Windows Live service and an add-in for Microsoft Desktop Search. If you use FolderShare incorrectly, you might unintentionally disclose information on a network..."


  3. #23
    AplusWebMaster (Adviser Team)

    More MSIE VML exploits released!

    FYI...

    More VML exploits released
    - http://www.websense.com/securitylabs...hp?AlertID=632
    September 21, 2006
    "...We are seeing the addition of payload code that includes Trojan Horse Backdoors and code which is designed to steal information from the end-user or their machines (i.e. Crimeware)... In addition, reports out of Australia CERT (see: http://www.auscert.org.au/render.html?it=6771 ) are that attacks are surfacing through emails with URL lures. We have confirmed this to be true and that this is using a modified version of the Web Attacker Toolkit... we have some examples of sites that are distributing the code or are pointing to sites that are distributing the code..."
    ===========================

    Updated:
    Microsoft Security Advisory (925568)
    Vulnerability in Vector Markup Language Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/925568.mspx
    "• September 21, 2006: Advisory updated with new CVE reference, un-register vgx.dll workaround updated, and Outlook Express mitigation added."
    (Use the URL above to review updated detail.)

    Also see: http://www.us-cert.gov/cas/techalerts/TA06-262A.html
    Revised - September 21, 2006
    ===========================

    (InfoCon level to yellow) - MSIE VML exploit spreading
    - http://isc.sans.org/diary.php?storyid=1727
    Last Updated: 2006-09-22 15:09:18 UTC
    "The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes. If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly. Outlook (including outlook 2003) is - as expected - also vulnerable and the email vector is being reported as exploited in the wild as well. Weekends are moreover popular moments in time for the bad guys to build their botnets..."

    (Recommended action and other references available at the ISC URL above.)
    ===========================

    - http://www.techweb.com/article/print...section=700028
    September 22, 2006
    "...Pressure on Microsoft to fix the flaw may be mounting, said other security professionals, who have noticed increased attack activity. "VML attacks have ramped up significantly in the past 24 hours," said Ken Dunham, director of iDefense's rapid response team, in an e-mail to TechWeb. "At least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains to redirect users to a hostile VML exploiting site," Dunham continued. Eric Sites, vice president of research and development at Sunbelt Software, which first reported the vulnerability and exploit earlier this week, also said that attacks were "definitely escalating." In a conversation with a tier 1 support representative at Cox Cable on Friday, Sites said, he was told that the cable operator had several thousand support calls and e-mails backed up, with users reporting a wide variety of complaints, including IE crashes. "That may be a targeted attack," said Sites. Both Dunham and Sites warned of even larger attacks over the weekend. "[Users should] implement a workaround ASAP due to imminent global attacks," said Dunham. "There are a lot more sites using [a VML exploit]," added Sites. Part of their concern is that the exploit may quickly move to e-mail, with spam-style attacks compromising PCs as soon as the recipient views an infected message in an HTML preview pane. Symantec, for example, confirmed Friday that a working exploit against Microsoft Outlook has been written and posted by Immunity Inc. for its CANVAS exploit framework.
    An e-mailed attack is dangerous because it requires no out-of-the-ordinary user action, said Sites. "If you see a message in the Preview Pane or double click it, a well-crafted exploit will crash Outlook. You won't see any error message." As soon as that happens, the attacker can begin loading a user's PC with adware, spyware, and other malicious code, he added..."
    ===========================

    VML exploits with OS version detection
    - http://isc.sans.org/diary.php?storyid=1733
    Last Updated: 2006-09-24 20:46:46 UTC
    "We are seeing samples of the VML exploit that are coded to include browser / OS detection, and are able to trigger working exploits for Win 2000, 2003 and XP. Some reports indicate that client-side anti-virus is not sufficient to protect; some AV apparently only catches the VML exploit code once Internet Explorer writes the temp file to disk, which can be too late. The exploit versions seen so far usually pull and run an EXE file, but adding patterns for new EXE payloads is an arms race the AV vendors can't win. If you have the option, we suggest you use the workaround of unregistering the DLL as indicated in our earlier diary entry*."
    * http://isc.sans.org/diary.php?storyid=1727

    Last edited by AplusWebMaster; 2006-09-25 at 03:53. Reason: Added new ISC diary entry 9.24.2006...

  4. #24
    AplusWebMaster (Adviser Team)

    MS VML patch is out

    FYI...

    - http://www.f-secure.com/weblog/archi....html#00000980
    "Microsoft has released a patch against the VML vulnerability outside of their normal update cycle. Which is great. The patch is available right now via http://update.microsoft.com . Get it."

    ~or~

    - http://isc.sans.org/diary.php?storyid=1738
    Last Updated: 2006-09-26 19:22:11 UTC ...(Version: 3)...
    "Microsoft has just released an update to address the VML (VGX) issue. The update can currently be found on Microsoft Update and is titled:

    Microsoft Security Bulletin MS06-055
    Vulnerability in Vector Markup Language Could Allow Remote Code Execution (925486)
    > http://www.microsoft.com/technet/sec.../MS06-055.mspx
    Published: September 26, 2006
    Version: 1.0
    "A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer..."

    It is recommended that the patch be applied immediately (after testing) unless a suitable mitigation strategy is in place.
    Update: Also, note that if you applied the ACL mitigation (removing Everyone Read access from the DLL), you will need to undo that before this update will apply successfully..."

    > http://blogs.technet.com/msrc/archiv...26/459194.aspx
    =========================================================

    - http://blogs.technet.com/msrc/archiv...26/459237.aspx
    September 26, 2006
    "...One thing to note, we recommend that you undo any of the previously recommended workarounds involving VGX.DLL before applying this update. Information on how to undo those workarounds is detailed in the bulletin. This is very important because if you do not revoke the VGX.DLL changes, the update could fail to install or deploy..."

    - http://www.f-secure.com/weblog/archi....html#00000980
    ...Updated to add: For those of you that applied the work-around that we suggested, the vgx.dll file will need to be re-registered before applying the Microsoft Update. Otherwise, the update might not find anything to fix.

    Use the command below from Start, Run:

    regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Last edited by AplusWebMaster; 2006-09-27 at 13:56. Reason: Added additional MSRC blog note and F-secure blog update...

  5. #25
    AplusWebMaster (Adviser Team)

    Another Day, Another 0-day - PPT vuln

    FYI...

    - http://isc.sans.org/diary.php?storyid=1740
    Last Updated: 2006-09-28 02:09:35 UTC
    "Microsoft confirms yet another PowerPoint vulnerability that leads to code execution... McAfee has a writeup* of the exploit they detected against this vulnerability to connect back to... mylostlove1 .6600 .org/[CENSORED] but variants of this will most likely connect to other places... It seems all supported versions of Office are affected. It's interesting to note that Microsoft also lists the Apple versions of Office as vulnerable. Delivery vectors are basically all means to get the file to you, including web, email, thumb drives, CDs..."
    > http://www.microsoft.com/technet/sec...ry/925984.mspx

    * http://www.avertlabs.com/research/blog/?p=95
    =============================================

    - http://secunia.com/advisories/22127/
    Release Date: 2006-09-28
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Microsoft Office..., Microsoft Powerpoint...
    Original Advisory: Microsoft:
    http://www.microsoft.com/technet/sec...ry/925984.mspx
    Other References: US-CERT VU#231204:
    http://www.kb.cert.org/vuls/id/231204 ..."

    Last edited by AplusWebMaster; 2006-09-28 at 16:52. Reason: Added Secunia Advisory...

  6. #26
    AplusWebMaster (Adviser Team)

    MSIE: WebViewFolderIcon ActiveX exploit

    FYI...

    - http://isc.sans.org/diary.php?storyid=1741
    Last Updated: 2006-09-28 02:08:55 UTC
    "If you remember the month of browser bugs series of exploits back in July, there was a denial of service there that appears to have code execution after all. Coincidence or not, it got publicly released after the out of cycle Microsoft patch for MSIE. So: No, surfing with MSIE is still not safe...
    Defenses:
    > Use an alternate browser (yeah, we sound like a broken record). But diversity really helps make the bad guys' job harder.
    > Disable ActiveX (take care: windowsupdate needs it, so you need to trust those sites)...
    > Keep antivirus signatures up to date.
    > Keep an eye out for a patch from Microsoft..."

    Microsoft Windows WebViewFolderIcon ActiveX integer overflow
    - http://www.kb.cert.org/vuls/id/753044
    Last Updated - 09/27/2006
    =======================================================

    - http://secunia.com/advisories/22159/
    Release Date: 2006-09-28
    Critical: Extremely critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Microsoft Internet Explorer 6.x ...
    ...The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
    Solution: Only allow trusted websites to run ActiveX controls..."
    ================================================

    Microsoft Security Advisory (926043)
    Vulnerability in Windows Shell Could Allow Remote Code Execution
    - http://www.microsoft.com/technet/sec...ry/926043.mspx
    Published: September 28, 2006
    "Microsoft is investigating new public reports of a vulnerability in supported versions of Microsoft Windows. Customers who are running Windows Server 2003 and Windows Server 2003 Service Pack 1 in their default configurations, with the Enhanced Security Configuration turned on, are not affected. We are also aware of proof of concept code published publicly. We are not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. We will continue to investigate these public reports. The ActiveX control called out in the public reports and in the Proof of Concept code is the Microsoft WebViewFolderIcon ActiveX control (Web View). The vulnerability exists in Windows Shell and is exposed by Web View. We are working on a security update currently scheduled for an October 10 release..."

    (See/use the advisory's URL above for "Mitigating Factors" and "Workarounds".)
    =================================

    WebViewFolderIcon setslice exploit spreading - InfoCon level to yellow
    - http://isc.sans.org/diary.php?storyid=1749
    Last Updated: 2006-09-30 19:35:30 UTC
    "...The WebViewFolderIcon setslice exploit is becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes. If you have not taken measures yet, please consider some emergency fixes to cover the weekend. The exploit is widely known, easy to recreate, and used on more and more websites. The risk of getting hit is increasing significantly and the type of users of the exploit are also not the least dangerous ones. Some of the exploits are believed to be linked to CWS (CoolWebSearch), which is notoriously hard to remove..."
    ("Suggested actions" itemized at the ISC url above.)

    Malicious Code: WebView FolderIcon setSlice Vulnerability
    - http://www.websense.com/securitylabs...hp?AlertID=644
    September 30, 2006
    "Websense Security Labs (TM) has received several reports of the recently released " WebView FolderIcon setSlice" Internet Explorer zero-day code being utilized on the Internet. Like the recently reported VML zero-day, there are professionals at work using the exploit code.
    To date all the sites we have discovered appear to be from the IFRAME Cash folks. This is the same group that we discovered using the WMF exploit back in late December 2005. The fact that they are using the exploit code poses a significant risk because of their ability to attract users to sites via search engines and email spam campaigns. Also they have iframes embedded on. As of the time of this alert we have more than 600 active sites that have IFRAME Cash placed code on them. This does not mean that all sites have the recent zero-day code but it does mean that they have the potential to because they mostly point back to main "hub servers".
    Although in some cases the IFRAME Cash sites are used to download and install Potentially Unwanted Software (PUS), they also have installed Trojan Horses which open backdoors, code which is designed to steal end-user information, and sophisticated rootkits..."

    Last edited by AplusWebMaster; 2006-10-01 at 01:46. Reason: Added ISC and Websense alert info...
