Smokey's Security Weblog

veritas odium parit

[UPDATED / SOLVED] Be aware: malware removal program ComboFix probably infected with Sality virus

According to Marcos, employee of security solutions vendor ESET, the well-known malware cleaning/removal program ComboFix created by sUBs is infected with the Sality virus. It seems that the current installer ComboFix contains an infected file, namely iexplore.exe

I haven’t checked the issue, however have to assume that ComboFix is indeed infected with the Sality virus, especially because other security vendors have confirmed the infection.

Please don’t download and use ComboFix until the author, sUBs, remedies the issue.

UPDATE 1: Infection is confirmed by a reliable source.

UPDATE 2: To be 100% sure I checked the issue by myself, ComboFix is indeed infected by Sality.

UPDATE 3: Added a temporary Google Drive downloadlink to obtain most recent CLEAN ComboFix.exe

Data of this clean version:

Combofix.exe
Version 13.1.28.1
Copyright sUBs
5.028.179 bytes

MD5 CHECKSUM: 0F6D28A70471051C4C7785335ACBA626

SHA256 CHECKSUM:

hex: 361548f74415a41f00d5345b3e3c489b3282b302c0c51266880eda586db01a12
HEX: 361548F74415A41F00D5345B3E3C489B3282B302C0C51266880EDA586DB01A12
h:e:x: 36:15:48:f7:44:15:a4:1f:00:d5:34:5b:3e:3c:48:9b:32:82:b3:02:c0:c5:12:66:88:0e:da:58:6d:b0:1a:12
base64: NhVI90QVpB8A1TRbPjxImzKCswLAxRJmiA7aWG2wGhI=

Download: removed

UPDATE  4 / FINAL UPDATE / 2013-01-30 22:00: problem infected ComboFix solved, clean ComboFix.exe is now live again, and available to download from its normal Bleeping Computer downloadlink here.

Because the problem is now solved I have removed the temporary downloadlink clean ComboFix.exe

January 29, 2013 Posted by | Advisories, Alerts, Anti-Virus, Malware, Vulnerabilities | , , , , , , | 4 Comments

Windows 8 Acronis True Image 2013 customers misguided by Acronis GmbH: software is unusable

It’s just ‘great’, you are relying on a well-known company selling Backup & Recovery software, Acronis GmbH. On their website they are promising potential customers that their Acronis True Image 2013 software is fully compatible with Windows 8, so you are buying or upgrading a previous version of the software in full faith and trust, assuming that Acronis will save you in case an disaster will happen with your PC and you will be able to boot from a recovery image in case of an disaster.

Well better forget efforts to restore the Acronis image, Acronis will let you down without mercy, your Windows 8 system will tell you: “Selected boot image did not authenticate. Press ‘Enter’ to continue”. So now you have a serious problem…

Cause of the failure message is Secure Boot, a Windows 8 Anti-Rootkit feature that will prevent the PC from booting an unrecognised operating system. Unpleasant side effect: it will also blocking Linux-based recovery environments, such as Acronis Start Up manager.

Despite the fact that Acronis is informed about the issue, they still sell Acronis True Image 2013 as being Windows 8 Compatible. I call this product sale scam. My advise to Windows 8 users: don’t buy the Acronis crap, on your Windows 8 PC it’s a useless piece of emergency software.

January 17, 2013 Posted by | Advisories, Alerts | , , , , , , , , , | 1 Comment

Microsoft Security Bulletin MS13-008 – Out-Of-Band Critical Security Update for Internet Explorer (2799329)

Published: Monday, January 14, 2013 by Microsoft

Version: 1.0
General Information
Executive Summary

This security update resolves one publicly disclosed vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8 on Windows servers. Internet Explorer 9 and Internet Explorer 10 are not affected. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 2794220.

Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Known Issues. None

Affected and Non-Affected Software: see the Security Bulletin.

Some Frequently Asked Questions (FAQ) Related to This Security Update, for all FAQ’s see the Security Bulletin.

Is this update, MS13-008, a cumulative security update for Internet Explorer?
No. This security update, MS13-008, only addresses the vulnerability described in this bulletin.

Do I need to install the last cumulative security update for Internet Explorer, MS12-077?
Yes. In all cases MS13-008 protects customers from the vulnerability discussed in this bulletin. However, customers who have not installed the latest cumulative security update for Internet Explorer may experience compatibility issues after installing the MS13-008 update.

Customers need to ensure that the latest cumulative security update for Internet Explorer, MS12-077, is installed to avoid compatibility issues.

If I applied the automated Microsoft Fix it solution for Internet Explorer in Microsoft Security Advisory 2794220, do I need to undo the workaround before applying this update?
Customers who implemented the Microsoft Fix it solution, “MSHTML Shim Workaround,” in Microsoft Security Advisory 2794220, do not need to undo the Microsoft Fix it solution before applying this update.

However, since the workaround is no longer needed, customers may wish to undo the workaround after installing this update. See the vulnerability workarounds in this bulletin for more information on how to undo this workaround.

Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.

Where are the hashes of the security updates?
The SHA1 and SHA2 hashes of the security updates can be used to verify the authenticity of downloaded security update packages. For the hash information pertaining to this update, see Microsoft Knowledge Base Article 2799329.

How are Server Core installations affected by the vulnerability addressed in this bulletin?
The vulnerability addressed by this update does not affect supported editions of Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 as indicated in the Non-Affected Software table, when installed using the Server Core installation option.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

January 14, 2013 Posted by | Advisories, Alerts, Downloads, Vulnerabilities | , , , , , , , , , | Leave a comment

Microsoft Advance Notification for Out-Of-Band Security Update to Address Security Advisory 2794220

Microsoft Security Response Center – MSRCTeam | 13 Jan 2013 3:00 PM

Today, we are providing Advance Notification to customers that at approximately 10 a.m. PST on Monday, January 14, 2013, we will release an out-of-band security update to fully address the issue described in Security Advisory 2794220. While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future. The bulletin has a severity rating of Critical, and it addresses CVE-2012-4792. Internet Explorer 9-10 are not affected by this issue and as always, we encourage customers to upgrade to the latest browser version.

We recommend that you install this update as soon as it is available. This update for Internet Explorer 6-8 will be made available through Windows Update and our other standard distribution channels. If you have automatic updates enabled on your PC, you won’t need to take any action. If you applied the Fix it released in Security Advisory 2794220, you won’t need to uninstall it before applying the security update.

January 14, 2013 Posted by | Advisories, Alerts, Vulnerabilities | , , , , , , , | Leave a comment