Smokey's Security Weblog

veritas odium parit

Microsoft released emergency out-of-band update fixing IE zero day vulnerability

Today Microsoft released an emergency out-of-band update (2965111) to fix a publicly disclosed zero-day vulnerability in Internet Explorer (Microsoft Security Advisory 2963983). The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.

This security update is rated Critical for Internet Explorer 6 through Internet Explorer 11 (IE 6, 7, 8, 9, 10 and 11) on affected Windows clients, and Moderate for the same versions (IE 6 through IE 11) on affected Windows servers.

More info about the fix here: MS14-021: Security update for Internet Explorer: May 1, 2014. The advance notification of the update lists Windows XP among the affected platforms, indicating that it will be among the platforms patched, even though its support period ended weeks ago.

Users with Automatic Updates enabled do not have to do anything, although running Windows Update will apply the fix immediately.


May 1, 2014 | Alerts, News, Vulnerabilities

Microsoft pulls faulty patch MS10-025, plans re-release

Read for you on CNet – InSecurity Complex:

April 23, 2010 12:35 PM PDT

A critical vulnerability affecting Microsoft Windows 2000 Server will remain unfixed until Microsoft re-releases a patch for it, the company said on Friday.

A patch for the hole, which could allow an attacker to take control of a system running Windows Media Services, was released during Patch Tuesday last week. However, Microsoft pulled the patch this week because it failed to work.

“We pulled the update because it was determined that it did not address the underlying vulnerability,” Microsoft said in a statement. “We cannot give a specific day yet, but we are planning to re-release the update next week. That is our first priority right now. After that, we will be able to investigate the issue further.”

Jerry Bryant, group manager of response communications for the Microsoft Security Response Center, notified customers in a blog post on Wednesday that the security update for MS10-025 was being withdrawn.

April 23, 2010 | Uncategorized

0-Day Extremely Critical Vulnerability in Internet Explorer Could Allow Remote Code Execution

Microsoft Security Advisory (979352)
Vulnerability in Internet Explorer Could Allow Remote Code Execution

Published: January 14, 2010 | Updated: January 15, 2010
Version: 1.1

Executive Summary

Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.

Microsoft continues to encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

Mitigating Factors:

• Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Affected Software

Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Internet Explorer 8 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 8 for Windows Server 2003 Service Pack 2, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Internet Explorer 8 in Windows 7 for 32-bit Systems
Internet Explorer 8 in Windows 7 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems

Non-Affected Software

Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4

Revisions

• V1.0 (January 14, 2010): Advisory published
• V1.1 (January 15, 2010): Revised Executive Summary to reflect investigation of limited targeted attacks. Added Data Execution Prevention (DEP) information to Mitigating Factors section. Updated “How does configuring the Internet zone security setting to High protect me from this vulnerability?” in the Frequently Asked Questions section.

Related:

The Microsoft Security Response Center (MSRC) – Security Advisory 979352 Released
The Microsoft Security Response Center (MSRC) – Advisory 979352 Updated

This is a serious vulnerability, and should be rated as ‘extremely critical’.

January 15, 2010 | Advisories, Alerts, News, Recommended External Security Related Links, Vulnerabilities

Outbreak of the polymorphic worm Downadup aka Conficker aka Kido

Posted Jan 15, 2009

– Revision v1.00, Jan 16, 2009: The number of Downadup infections is skyrocketing according to F-Secure’s calculations: from an estimated 2.4 million infected machines to over 9 (nine) million during the last four days…
– Revision v1.01, Jan 16, 2009: Blog post updated to reflect actual occurrences.
– Revision v1.02, Jan 17, 2009: Added worm symptoms and a link to the infection calculations performed by F-Secure.
– Revision v1.03, Jan 17, 2009: Added effective protection measures against the worm.
– Revision v1.04, Jan 23, 2009: Worm/malware removal/disinfection tools updated.
– Revision v1.05, Feb 08, 2009: OpenDNS/Kaspersky Lab tracking and blocking services added.

The Downadup worm, which exploits a months-old Windows vulnerability, has infected more than a million PCs in the past 24 hours, a security company said today. Aliases of the worm are: Worm.Conficker [PCTools], W32.Downadup [Symantec], Net-Worm.Win32.Kido.ih [Kaspersky Lab], W32/Conficker.worm [McAfee], W32/Confick-A [Sophos], Worm:Win32/Conficker.A [Microsoft], Worm.Win32.Conficker [Ikarus].

Early Wednesday, the Finland-based security firm F-Secure Corp. estimated that 3.5 million PCs had been compromised by the “Downadup” worm, an increase of more than 1.1 million since Tuesday.

“[And] we still consider this to be a conservative estimate,” said Sean Sullivan, a researcher at F-Secure, in an entry to the company’s Security Lab blog. Yesterday, F-Secure said the worm had infected an estimated 2.4 million machines.

The worm, which several security companies have described as surging dramatically during the past few days, exploits a bug in the Windows Server service used by all supported versions of Microsoft Corp.’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.

The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.

The neat thing about Downadup is the way it “phones home”. As Mikko Hyppönen, chief research officer at anti-virus company F-Secure explains:

It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day. Hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org. This makes it impossible and/or impractical to shut them all down — most of them are never registered in the first place. The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines.

Anybody can register one of the unused domains and gain access to all of the infected machines. Pretty dumb. However, everyone will sit by and watch the infections happen, because nobody can interfere: unauthorised use of a PC may even be illegal. It’s like watching a small child wandering onto a motorway….
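The mechanism described above (a date-seeded generator that both the worm and anyone who reverse-engineers it can run ahead of time) is worth seeing in code. The following is an added, illustrative example and is not Conficker's actual algorithm nor code from F-Secure: it seeds from the local calendar date rather than from public-website timestamps, and the hash, name lengths, TLD list and the 250-names-per-day count are assumptions chosen for illustration. It shows the attacker side (generate tomorrow's list, pick one to register) and the defender side (precompute the same list as a DNS blocklist, match queries against it).

```python
"""Illustrative date-seeded domain generation algorithm (DGA).

Added example, not the real Conficker/Downadup DGA. Seed source, hash
function, label lengths, TLDs and daily count are all assumptions.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("ws", "net", "cc", "org")   # assumed TLD set (illustrative only)
DOMAINS_PER_DAY = 250               # assumed daily count


def _seed(day: date) -> bytes:
    # Both sides derive the identical seed from nothing but the date.
    # (The real worm, per the quote, pulls the date from public websites so
    # that a wrong local clock cannot desynchronise the bots.)
    return day.isoformat().encode()


def domains_for(iso_day: str, count: int = DOMAINS_PER_DAY) -> list:
    """Return the deterministic domain list for the given ISO date string.

    This is what the worm runs on every infected host each day; the same
    function, run by an analyst, yields the list for any day in advance.
    """
    day = date.fromisoformat(iso_day)
    names = []
    for i in range(count):
        digest = hashlib.sha256(_seed(day) + i.to_bytes(2, "big")).digest()
        length = 6 + digest[0] % 5                       # labels of 6..10 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[11] % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def attacker_pick(iso_tomorrow: str) -> str:
    """Attacker view: one name from tomorrow's list is enough to register."""
    return domains_for(iso_tomorrow)[0]


def blocklist_for_window(iso_start: str, days: int) -> set:
    """Defender view: precompute every name the worm can contact in a window,
    e.g. to feed a DNS sinkhole or resolver blocklist before the day arrives."""
    start = date.fromisoformat(iso_start)
    out = set()
    for d in range(days):
        out.update(domains_for((start + timedelta(days=d)).isoformat()))
    return out


def is_dga_candidate(hostname: str, iso_day: str) -> bool:
    """Match a single DNS query name against that day's generated set."""
    return hostname.lower().rstrip(".") in set(domains_for(iso_day))


if __name__ == "__main__":
    today = "2009-01-16"
    print("attacker registers:", attacker_pick("2009-01-17"))
    print("defender blocks", len(blocklist_for_window(today, 7)), "names this week")
```

Because the generator is a pure function of the date, the "pretty dumb" observation above holds for everyone: the same precomputation that lets the operator register tomorrow's rendezvous point lets a registrar, a resolver operator or a sinkhole pre-register or block it first.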

Downadup can also spread by using an autorun file on a USB memory stick, so if you autorun thumb drives on an unpatched machine, you could be vulnerable.

Almost all the infections are of Windows XP machines and, as Microsoft notes, plenty of corporate customers (who are usually not using AutoUpdate) have been caught. F-Secure says:

“A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.”

Either way, security experts are anxiously awaiting the attackers’ next move. They suspect a massive botnet is in the works, but so far the attackers haven’t completely tipped their hand. The mere infection of so many machines that could then be controlled by a third party indicates it is indeed a botnet-in-progress, according to Damballa, a computer security company devoted to disrupting botnets. “It’s a close call. If it has the potential for a remote, malicious third party to do whatever they want, that makes it a botnet,” says Paul Royal, chief scientist for the antibotnet company.

“Whoever is behind this is not ready to deploy his or her code just yet. Maybe they first need to figure out how to get their botnet controller to scale to handle [millions of] nodes,” Stewart, director of malware research for SecureWorks, notes.

One thing that is certain: The worm is spreading like wildfire, and its creators appear to be trying to beat the clock and infect as many machines as they can that haven’t yet patched for the Windows bug/vulnerability. The perpetrators have been cranking out new variants of the worm to evade detection, and, so far, its main mission has been pushing rogue antivirus software.

According to Damballa, Confickr/Downadup spreads fast like a Slammer, but this one has a command and control channel: “It propagates like a worm and can act like a bot. Perhaps it’s representative of a hybrid that may represent a new class of malware” rather than the social networking or email lures of old.

Urgent advice: users are strongly recommended to ensure their antivirus databases are up to date. A patch for the Windows vulnerability is available from Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx (Microsoft Security Bulletin MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)). Complete and effective protection measures against the worm are listed at the end of this post.

Sources/references of this outbreak alert and background information:

Kaspersky Lab
Guardian.co.uk
Microsoft
ThreatExpert
F-Secure
Symantec
NetworkWorld
DarkReading

Symptoms of the worm:

http://www.bitdefender.fr/VIRUS-1000462-fr–Win32.Worm.Downadup.Gen.html
http://www.ca.com/gb/securityadvisor/virusinfo/virus.aspx?id=76852

Removal and disinfection tools:

Kaspersky Lab – http://support.kaspersky.com/faq/?qid=208279973
Symantec – http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

List of domains that are currently distributing the Downadup worm and its variants: http://www.f-secure.com/weblog/archives/downadup_domain_blocklist.txt

Complete and effective protection measures against the worm (apply all three):

1. Apply Microsoft patch MS08-067: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2. Give the administrator account of the computer a strong password (the worm runs a brute-force dictionary attack against the administrator password): http://www.safepasswd.com/
3. Completely disable the AutoRun function, this is a brutal but highly effective hack: http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
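Measure 3 exists because, as noted earlier in this post, the worm also spreads through an autorun.inf on removable media. The following added example (not code from the original post, from Nick Brown, or from any vendor) shows what such a file looks like and what a scanner should look for: the file is INI-style, Windows ignores lines it cannot parse (which is why worms pad it with junk to break naive signatures), and only a handful of keys under [autorun] actually launch a program. The sample files are constructed for illustration; the payload path and entry point in them are invented placeholders, not a real worm's values.

```python
"""Flag autorun.inf files that would execute code on media insertion.

Added example, not from the original post. SAMPLE_AUTORUN and
BENIGN_AUTORUN are constructed inputs; 'payload.dll' and 'Entry' are
placeholders, not a real worm's names.
"""
from __future__ import annotations
import re

# Keys under [autorun] whose value is executed when AutoRun/AutoPlay honours the file.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(?P<key>[^=;\s][^=]*?)\s*=\s*(?P<val>.*?)\s*$")


def parse_autorun(text: str) -> dict[str, dict[str, str]]:
    """Tolerant INI parse: {section: {key: value}} with lowercase names.

    Lines that are neither a section header nor key=value are skipped,
    which is how the padding/garbage lines in worm-written files behave.
    """
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or line.startswith(";"):
            continue                      # text before any section, or a comment
        m = KEY_RE.match(line)
        if m:
            sections[current][m.group("key").lower()] = m.group("val")
        # anything else is junk padding and is ignored
    return sections


def execution_directives(text: str) -> list[tuple[str, str]]:
    """(key, value) pairs under [autorun] that would run a program."""
    auto = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def spoofed_action(text: str) -> bool:
    """Action= text that imitates Windows' own 'Open folder to view files'
    AutoPlay entry, a social-engineering trick to make the malicious choice
    look like the harmless default."""
    action = parse_autorun(text).get("autorun", {}).get("action", "")
    return "open folder" in action.lower()


def is_suspicious(text: str) -> bool:
    return bool(execution_directives(text)) or spoofed_action(text)


# Constructed sample in the style of a worm-written file: junk padding,
# a spoofed Action text and a shellexecute directive. Not a real specimen.
SAMPLE_AUTORUN = (
    "[AutoRun]\r\n"
    "\x00\x01\x7f junk padding to defeat naive signatures \x00\r\n"
    "; comment-looking padding line\r\n"
    "Action=Open folder to view files\r\n"
    "Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "shellexecute=RUNDLL32.EXE .\\RECYCLER\\payload.dll,Entry\r\n"
    "UseAutoPlay=1\r\n"
)

# Constructed benign file: only cosmetic keys, nothing that executes.
BENIGN_AUTORUN = "[autorun]\r\nicon=setup.ico\r\nlabel=Photos\r\n"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, "suspicious" if is_suspicious(blob) else "clean",
              execution_directives(blob))
```

The point of the tolerant parser is the same as the point of measure 3: a signature on the exact bytes of one specimen is easy to evade with padding, whereas refusing to honour autorun.inf at all (or flagging any file that carries an execute directive) does not depend on recognising a specific variant.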

Free Support, Help and Assistance if your PC is infected by this worm and/or any other piece of malware: http://www.smokey-services.eu/forums/index.php/board,5.0.html

Update Feb 08, 2009: OpenDNS/Kaspersky Lab offer free tracking and blocking services.

January 15, 2009 | Advisories, Alerts, Anti-Virus, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities

Microsoft Security Advisory (953818): Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform

Published by Microsoft: May 30, 2008

Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customers needs.

Mitigating Factors:

• Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

More: Microsoft TechNet

Apple, please fix your homework in a proper and decent way asap!

Added: May 31, 2008

Given the information in the original advisory published by Nitesh Dhanjani on May 15, 2008, this blended threat has to be considered Highly Critical.

Excerpt original advisory:

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) to clicking on a HTML file they have downloaded (risk perceived to be lower).

3. [Undisclosed]. The third issue I reported to Apple is a high risk vulnerability in Safari that can be used to remotely steal local files from the user’s file system.

Remarkable and hard to understand: Apple let Nitesh Dhanjani know that they will fix only one of the three issues he reported.

My advice: as long as Apple hasn’t fixed all three issues mentioned in the original advisory, don’t use Apple’s Safari (anymore), for security reasons.

May 31, 2008 | Advisories, Alerts, Downloads, Malware, News, Recommended External Security Related Links, Vulnerabilities

Critical Vulnerabilities in GDI Could Allow Remote Code Execution (KB948590)

Microsoft Security Bulletin MS08-021 – Critical
Published: April 8, 2008 | Updated: April 11, 2008

Bulletin revisions

V1.0 (April 8, 2008): Bulletin published.
V1.1 (April 9, 2008): Bulletin updated to add a Known Issues link to Microsoft Knowledge Base Article 948590, to add a Known Issues section to the FAQ, to update the uninstall registry path, and to update the Acknowledgments.
V1.2 (April 11, 2008): Bulletin updated to remove a reference to unsupported software in the Vulnerability FAQs.

Executive Summary

This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

This is a critical security update for Microsoft Windows 2000 Service Pack 4, and all supported releases of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
This security update addresses the vulnerability by modifying the way that GDI handles integer calculations and string parameters. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation

Microsoft recommends that customers apply the update immediately.

Affected software

– Microsoft Windows 2000 Service Pack 4
– Windows XP Service Pack 2
– Windows XP Professional x64 Edition and Windows XP Professional x64 Edition SP2
– Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
– Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
– Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems
– Windows Vista and Windows Vista Service Pack 1
– Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
– Windows Server 2008 for 32-bit Systems
– Windows Server 2008 for x64-based Systems
– Windows Server 2008 for Itanium-based Systems

Source: Microsoft

April 12, 2008 | Advisories, Alerts, Downloads, Friends, Malware, Recommended External Security Related Links