Smokey's Security Weblog

veritas odium parit

Microsoft Security Advisory (954462): Rise in SQL Injection Attacks Exploiting Unverified User Data Input

Published: June 24, 2008 | Updated: June 25, 2008

Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.

Mitigating Factors:

This vulnerability is not exploitable in Web applications that follow generally accepted best practices for secure Web application development by verifying user data input.

Purpose of Advisory: To assist administrators with identifying and correcting vulnerable ASP and ASP.NET Web application code which does not follow best practices for secure Web application development.

Advisory Status: Microsoft Security Advisory and associated tools were released.

Recommendation: Review the suggested actions and configure as appropriate. It is also suggested that server administrators evaluate the effectiveness of the discussed tools and utilize them as needed.

This advisory discusses the following software: Microsoft ASP and ASP.NET technologies.

Suggested Actions

Microsoft has identified several tools to assist administrators. These tools cover detection, defense, and identifying possible coding which may be exploited by an attacker.

• Detection – HP Scrawlr

Hewlett Packard has developed a free scanner which can identify whether sites are susceptible to SQL injection. This tool and support for its use can be found at Finding SQL Injection with Scrawlr at the HP Security Center.

Detailed description:
The tool will be a black-box analysis tool (i.e. no source code required). The user will input a starting URL, and the tool will:

• Recursively crawl that URL for hyperlinks in order to build up a site tree.

• Test all discovered links for verbose SQL injection by sending HTTP requests containing SQL injection attack strings in querystring parameters.

• Examine the HTTP responses from the server for SQL error messages that would indicate a SQL injection vulnerability.

• Report any pages found to be vulnerable to the user, along with the associated input field(s). For example, the tool might report that the fields “username” and “password” on page “foo.asp” are vulnerable.

• Defense – UrlScan version 3.0 Beta

UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from reaching the Web application on the server. UrlScan 3.0 will install on IIS 5.1 and later, including IIS 7.0. UrlScan 3.0 can be found at URLScan Tool 3.0 Beta.

Detailed Description:
UrlScan version 3.0 is a tool that will allow you to implement many different rules to better protect Web applications on servers from SQL injection attacks. These features include:

• The ability to implement deny rules applied independently to a URL, query string, all headers, a particular header, or any combination of these.

• A global DenyQueryString section that lets you add deny rules for query strings, with the option of checking un-escaped version of the query string as well.

• The ability to use escape sequences in the deny rules to deny CRLF and other non-printable character sequences in configuration.

• Multiple UrlScan instances can be installed as site filters, each with its own configuration and logging options (urlscan.ini).

• Configuration (urlscan.ini) change notifications will be propagated to worker processes without having to recycle them. Log settings are an exception to this.

• Enhanced logging to give descriptive configuration errors.

• Identifying – Microsoft Source Code Analyzer for SQL Injection

A SQL Source Code Analysis Tool has been developed. This tool can be used to detect ASP code susceptible to SQL injection attacks. This tool can be found in Microsoft Knowledge Base Article 954476.

Detailed Description:

The Microsoft Source Code Analyzer for SQL Injection is a standalone tool customers can run on their own ASP source code. In addition to the tool itself, there is documentation included on ways to fix the problems it finds in the code it analyzes. Some key features of this tool are:

• Scans ASP source code for code that can lead to SQL Injection vulnerabilities.

• Generates an output that displays the coding issue.

• This tool only identifies vulnerabilities in classic ASP code. It does not work on ASP.NET code.

Full Advisory/source: Microsoft TechNet

Note: these SQL Injection Attacks have to be considered as extremely dangerous.
Smokey

Advertisements

June 29, 2008 Posted by | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , | Leave a comment

Microsoft Vice President confirms Windows 7 ship date: January 2010

Microsoft will ship Windows 7 sometime in or near Jan. 2010, according to a letter company senior vice president Bill Veghte sent to Microsoft customers Tuesday.

The letter, sent to enterprise and business customers, will eventually be publicly posted on Microsoft’s Web site.
In the letter sent to “Windows Customers” and titled “An Update on the Windows Roadmap,” Veghte said “our plan is to deliver Windows 7 approximately three years after the January 2007 general availability launch date of Windows Vista.”

Veghte wrote, “You have told us you want a more regular, predictable Windows release schedule” and he said that was the impetus for setting the 2010 the ship date.

Source: NetworkWorld

June 28, 2008 Posted by | Friends, News | , , , | Leave a comment

Protect yourself against the Criminal Rackets of Wimbledon crooks!

Computer users should be aware of the importance of scanning all web traffic for malware following the discovery that webpages on the Association of Tennis Professionals (ATP) website have been infected with malicious code.

Pages on the ATP website are just some of the thousands on the internet to have been injected with a malicious script called Mal/Badsrc, according to Sophos experts. The script downloads another malicious script triggering an infection process which ultimately infects the victim with spyware.

Web security experts at Sophos note that by infecting pages on the website the hackers may capitalise on excitement surrounding Wimbledon 2008, one of the four grand slams in the tennis calendar making up part of the ATP tour, as tennis fans will be likely to visit the website keen to find out the latest news.

“The hackers responsible for this attack don’t care what sites they infect, so long as there is a stream of potential victims likely to surf across the net, straight into their trap. The ATP website is just one of many sites to have been exploited by hackers trying to steal information from innocent internet users,” said Fraser Howard, principal virus researcher at Sophos. “With the Wimbledon tournament taking place at the moment, the ATP website will be receiving a spike in visitors – but any tennis fan visiting the infected pages on the site risks being served straight into a crook’s criminal racket.”

Source: SecurityPark

June 28, 2008 Posted by | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , | Leave a comment

Hackers hijack critical Internet organization sites of IANA and ICANN

June 27, 2008 (Computerworld) Turkish hackers yesterday defaced the official sites of the international organizations that oversee the Internet’s critical routing infrastructure and regulate domain names, researchers said today.

A group calling itself “NetDevilz” claimed responsibility for the hack, which Thursday morning temporarily redirected visitors to the sites for IANA (Internet Assigned Numbers Authority) and ICANN (Internet Corporation for Assigned Names and Numbers).

Users who tried to reach iana.com, iana-servers.com, icann.com and icann.net were shunted to an illegitimate site, said researchers at zone-h.org, a group that collects evidence of site attacks, including page defacements and redirects. According to a screen capture of the defacement snapped by zone-h.org, the bogus site simply displayed a taunting message: “You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us?”

The hackers redirected IANA and ICANN traffic to the same IP address that they used last week when they broke into Photobucket Inc.’s image-sharing site and pushed its users to a server operated by Atspace.com, a German hosting service, said Bulgarian security researcher Dancho Danchev in a blog post today.

A spokesman for ICANN contacted Friday morning wasn’t aware of the hack, and declined comment until he found find out more.

Source / full article: ComputerWorld Security

June 28, 2008 Posted by | Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , | Leave a comment

IE6 zero-day cross-site scripting bug reported

Security researchers are warning users about an unpatched cross-site scripting bug in Internet Explorer 6 (IE6) that could be used by hackers to capture keystrokes and steal other information.

At BlueHat, researcher Manuel Caballero, who has worked for Microsoft as an independent penetration tester, said he had found a way to capture every browser action, including keystrokes used to type passwords. In a videotaped interview that Microsoft conducted during BlueHat, Caballero said that the combination of Flash and any browser, not just IE, could be hacked with a malicious script to give attackers full access to the browser.

The vulnerability is caused due to an input validation error when handling the ‘location’ or ‘location.href’ property of a window object. This can be exploited by a malicious website to open a trusted site and execute arbitrary script code in a user’s browser session in context of the trusted site.

IE7, the current version of Microsoft’s browser, does not contain the vulnerability, both Secunia and McAfee said. Until Microsoft produces a patch for the older browser, users should update to IE7, they added.

Sources: ComputerWorld, Secunia, McAfee

June 27, 2008 Posted by | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , | Leave a comment

F-Secure Rescue CD 3.00 released

F-Secure announcement: Rescue CD 3.00 released

About:

Rescue CD scans the computer and renames all files containing malware to .virus file extension.

Rescue CD will by default scan:

– all hard drives in the computer
– all USB drives attached to the computer
– Windows FAT and NTFS drives

Notes:

Virus definition databases are updated automatically if the computer has an internet connection.
Virus definition databases can be updated manually by using a USB drive.
The Rescue CD Guide (pdf) has step by step instructions how to use the CD.
Rescue CD is localized to English only..

The release package including an ISO image, the manual and release notes.

Source/more info/download: F-Secure

June 22, 2008 Posted by | Uncategorized | , , , , , | 1 Comment

Security researcher keeps “Carpet Bomb” attack alive, despite patch

Author: Nathan McFeters / ZDNet

Security researcher Billy Rios posted an article today about the Apple Safari “Carpet Bomb” attack, discussing a new issue that, despite the patch which prevented a “blended” remote command execution attack when Safari was used in conjunction with IE on a Windows system, keeps the “Carpet Bomb” attack alive and well.

Rios mentioned on his blog that when Safari is used on a system that also has Firefox 2/3 installed, could lead to providing an attacker the opportunity to steal arbitrary files from the filesystem. Rios stated that he would not go into further details at this time, as the issue is not fixed by the current Safari patch; however, he did mention that Firefox 3 is vulnerable, but has some protections that help mitigate the issue.

Source/more: ZDNet

June 22, 2008 Posted by | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , , , , | Leave a comment

HijackThis & OTL (formerly OTListIt2) Log Analysis and Malware Removal & Cleaning

What are HijackThis and OTL (formerly OTListIt2)

HijackThis is a free utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.

OTL is a very sophisticated Log/Report Tool, doing the same as HijackThis and a lot more. You can see it as the successor of HJT.

IMPORTANT: HijackThis/OTL does not determine what is good or bad.
Do not make any changes to your computer settings using HijackThis and/or OTL unless instructed by a member of the HJT/OTL Analyzers/Malware Hunters group of Smokey’s Security Forums.

Procedures before submitting a HJT or OTL log to Smokey’s Security Forums

– Please register on the forum… Here, it is for free.

– Before submitting a HJT/OTL log to Smokey’s Security Forums, we ask that you follow this procedure first as described… Here.

– At the moment you have followed all instructions post your HJT or OTL log on the forum… Here. German – Deutsch customers can post here.
Then please wait for your log to be answered. Answers, help and support will be given by full qualified HJT/OTL Log Analyzers/Malware Hunters. The offered HJT/OTL services are for free also.

See ya, 😉

Starbuck
Team Leader HJT/OTL Analyzers/Malware Hunters

Update 2009-12-11: from now on, Smokey’s Security Forums will only accept OTL logs, HJT logs will not be accepted anymore.

Update 2010-14-03: Guests allowed to post on Smokey’s for Log Analysis and Malware Removal help

June 22, 2008 Posted by | Advisories, Bundleware, Friends, Malware, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , , , | Leave a comment

Apple Safari for Windows Multiple Highly Critical Vulnerabilities reported

Some highly critical vulnerabilities and a security issue have been reported in Apple Safari for Windows prior to v3.1.2, which can be exploited by malicious people to disclose sensitive information or to compromise a user’s system.  It concern a boundary error within the handling of BMP and GIF images and a security issue due to Safari automatically launching downloaded executable files from sites in a Internet Explorer 7 zone with the “Launching applications and unsafe files” option set to “Enable”, or sites in the Internet Explorer 6 “Local intranet” or “Trusted sites” zone.

Please update asap to Apple Safari Windows v3.1.2 for patching mentioned issues.

Sources: Secunia, Apple, US-CERT

June 21, 2008 Posted by | Advisories, Alerts, Friends, Malware, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , , | Leave a comment

Highly critical vulnerability reported in Mozilla Firefox versions 2.0.x and 3.x

Only five hours after the official release of Firefox 3.0 on June 17th, already the first highly critical vulnerability in Firefox 3 (as well as prior versions of Firefox 2.0.x) was reported by Zero Day Initiative.

It concern a code execution vulnerability, caused due to an unspecified error and can be exploited to execute arbitrary code e.g. when a user visits a specially crafted web page. Because this vulnerability is not patched till yet we advise not following untrusted links nor browse untrusted web sites. Take care of yourself!

Sources: Zero Day Initiative, DVLabs and Secunia

June 21, 2008 Posted by | Advisories, Alerts, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | , , , , | Leave a comment

Release Candidate versions of Vista SP1 will expire on June 30 – Uninstall Now!

By Anthony Mann [MSFT]:

“I want to remind everyone who installed the Release Candidate Vista SP1 that you must uninstall any RC builds (any build less than 6.0.6001.18000) before they expire on June 30. After this date, the kernel will stop with an END_OF_NT_EVALUATION_PERIOD error message an hour after the machine has booted. If you do wait until after June 30, just reboot your PC and start the uninstall process right away.”

Source / full advisory: Microsoft TechNet

June 14, 2008 Posted by | Advisories, Alerts, Friends, News, Uncategorized | , , , , , , | 1 Comment

Microsoft Security Bulletin Advance Notification for June 2008

Microsoft Security Bulletin Advance Notification issued: June 5, 2008
Microsoft Security Bulletins to be issued: June 10, 2008

This is an advance notification of security bulletins that Microsoft is intending to release on June 10, 2008.

This bulletin advance notification will be replaced with the June bulletin summary on June 10, 2008. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

Executive Summaries

This advance notification provides the software subject as the bulletin identifier, because the official Microsoft Security Bulletin numbers are not issued until release. The bulletin summary that replaces this advance notification will have the proper Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the bulletin identifier. The security bulletins for this month are as follows, in order of severity:

Critical (3)

Bulletin Identifier Bluetooth Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows

Bulletin Identifier Internet Explorer Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows, Internet Explorer

Bulletin Identifier DirectX Bulletin
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows

Important (3)

Bulletin Identifier WINS Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Elevation of Privilege
Affected Software: Microsoft Windows

Bulletin Identifier Active Directory Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service
Affected Software: Microsoft Windows

Bulletin Identifier PGM Bulletin
Maximum Severity Rating: Important
Impact of Vulnerability: Denial of Service
Affected Software: Microsoft Windows

Moderate (1)

Bulletin Identifier Kill Bit Bulletin
Maximum Severity Rating: Moderate
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows

Microsoft Windows Malicious Software Removal Tool

Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft update, please see:

Microsoft Knowledge Base Article 894199: Description of Software Update Services and Windows Server Update Services changes in content for 2008. Includes all Windows content.

New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Full Bulletin: Microsoft TechNet

June 7, 2008 Posted by | Advisories, Alerts, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , | Leave a comment

Free installation and troubleshooting support for XP SP3 from Microsoft

There is now free installation and troubleshooting support for XP SP3. This may be a real help to those who need interactive help solving the problem.

Microsoft Help and Support:

Free unlimited installation and compatibility support is available for Windows XP, but only for Service Pack 3 (SP3). This support for SP3 is valid until April 14, 2009. For more information about this policy, visit the Windows XP Support Lifecycle page located at http://support.microsoft.com/lifecycle/?p1=3223. Chat and e-mail support is available only in the United States and Canada. For all other Windows XP issues, visit the Help and Support site at http://support.microsoft.com/oas/default.aspx?gprid=1173, and then choose your product.

Link Microsoft Windows XP Service Pack 3 (All Languages) Help and Support Site: http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid=522131

June 1, 2008 Posted by | Advisories, Friends, News, Recommended External Security Related Links | , , , , , , | Leave a comment