Posts Tagged ‘vulnerability’

Microsoft Patches PatchGuard Hack

Microsoft is definitely not happy that a security software vendor has bypassed PatchGuard, the kernel protection software in Windows Vista. It said that it would not be wise to continue, because Microsoft will close any flaws discovered, making any software that depends on them obsolete, and this, says Microsoft, could leave users of such software unprotected and dealing with more problems because of such attempted access. Sounds like they are trying to draw a line in the sand.

“Microsoft is aware of public reports of ways to subvert the kernel in Windows Vista and has addressed them in current builds; however, we have not received any other reports of ways to subvert the kernel in existing builds of Vista,” said Adrien Robinson, director of Microsoft’s Security Technology Unit.

“If a vulnerability is discovered in Kernel Patch Protection, Microsoft will issue a security update as part of the standard Microsoft Security Response Center process.” Source: eWeek

Security vendors have been beating up this topic for a long time now, and Microsoft recently agreed to provide APIs that they could use to access the kernel, but the security vendors are worried about the timeliness of receiving the APIs. Authentium’s workaround was to take advantage of a part of the kernel that allowed the OS to support older hardware. This is NOT the last we’ll hear about this subject.

Posted by Jimmy Daniels - October 28, 2006 at 5:01 am

Categories: Ramblings, Windows Vista

Microsoft Addresses IE7 Address Vulnerability

Microsoft has addressed reports of a vulnerability in Internet Explorer 7 that could lead people to believe a website is safe when it could actually be a malicious website looking to exploit browsers. The security site Secunia posted a vulnerability in the IE7 address bar yesterday.

A weakness has been discovered in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.

The problem is that it’s possible to display a popup with a somewhat spoofed address bar where a number of special characters have been appended to the URL. This makes it possible to only display a part of the address bar, which may trick users into performing certain unintended actions. Source: Secunia

They have posted a test page to let you know if you are vulnerable or not, here. Microsoft’s response is posted here, and they pretty much say all they can: you can actually see the whole address if you click on the popup and scroll left or right, and they recommend turning on the Microsoft Phishing Filter to help block phishing sites that might try to exploit this vulnerability.

Now, our general guidance as far as things you can do to help protect yourself against phishing attacks can help protect here. Specifically that you should never enter personal information into a website unless you’ve verified the server’s name by using SSL. We talk about this on our website here.

The other thing I wanted to mention is that in IE 7, the Microsoft Phishing Filter can help protect should any phishing sites attempt to exploit this issue in a couple of ways.

First, the Phishing Filter’s browser-based heuristics can help to protect you. These heuristics analyze Web pages in real time and then can warn you about suspicious characteristics if it finds any on the page. If someone attempts to use this issue in a phishing site, the Phishing Filter’s heuristics may detect that site as such and warn you.

Another way the Phishing Filter can help protect you is through our online service. If a site that attempts to exploit this issue is reported to us and confirmed to be a phishing site, we will add it to the Microsoft Phishing Filter’s online service and it will be flagged as a phishing site when viewed in IE7. Source: Microsoft Security Response Center Blog

The phishing filter should definitely help, although it did appear to slow my machine down when I first looked at it, so I may turn it back on and let it run some more to see if it actually gets any faster.

Posted by Jimmy Daniels - October 26, 2006 at 1:31 pm

Categories: IE7, Security

VML Exploit Patched by Microsoft

Microsoft noted on their blog that they might release the patch to fix the VML exploit early if it met all the tests and requirements, and apparently it already has. Thanks Sunbeltblog.

A security issue has been identified in the way Vector Markup Language (VML) is handled that could allow an attacker to compromise a computer running Microsoft Windows and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Check Windows Update to get it.

Added: Just saw this post from a technet blog, “OUT OF BAND” Security Bulletin has been released – Microsoft Security Bulletin MS06-055,

On Tuesday September 26th 2006, the Microsoft Security Response Center (MSRC) released one (1) new Security Bulletin. This Security Bulletin Release is in addition to our regularly scheduled monthly security bulletin release for September 2006. A release of this type is often referred to as “Out of Band”.

A remote code execution vulnerability exists in the Vector Markup Language (VML) implementation in Microsoft Windows. An attacker could exploit the vulnerability by constructing a specially crafted Web page or HTML e-mail that could potentially allow remote code execution if a user visited the Web page or viewed the message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

And this post from the Microsoft Security Response Center Blog,

Hey everyone, Craig Gehre here. We’re in the process of releasing out of band update MS06-055 to address the VML issue. At the moment, Windows Update, Microsoft Update, and Autoupdate are live. We’re in the process of publishing the bulletin, associated packages, and updated content for WSUS, MBSA1.2.1, EST, and MBSA 2.0 to the Microsoft download center and normal locations and those should be up shortly. Until that time the links might not work in the bulletin until the packages appear on the download center. The for SMS and MBSA 2.0 users is also in process and will be published soon. We’ll provide a follow-on blog post shortly once we get everything up.

We’re also re-releasing MS06-049 for Windows 2000 users and will have that information up shortly as well.

Anyway, finally, I know they want to test this stuff thoroughly, but sometimes you just gotta rush stuff, especially when you have unsuspecting users on the line.

Posted by Jimmy Daniels - September 26, 2006 at 5:29 pm

Categories: Internet Explorer, Microsoft News, Security, Windows XP

IE7 Immune to VML Exploit

In testing on a couple of different blogs, IE7 has proven to be immune to the VML exploit currently making the rounds. Ed Bott says Vista passes one security test,

Now, it’s important to note that the developers of IE7 clearly had no idea that this vulnerability existed in IE6. But their development process managed to block this particular exploit right out of the box, and the additional layers of security provided important clues that this page was potentially dangerous.

Sandi Hardmeier at Spyware Sucks says Important – IE VML Vulnerability – IE7 is immune, and as a matter of fact says it has been immune to almost all the other vulnerabilities that have come out since its release.

And the IE team says, “…With the exception of a very short list of issues we’re aware of and working on, we think the product is done…. Depending on your feedback, we may post another release candidate. We’re still on track to ship the final IE7 release in the 4th calendar quarter.”

Sounds like this may be as good of a time as any to read the release notes and upgrade to IE7, but be warned, there are still some software issues with other programs.

Posted by Jimmy Daniels - at 2:08 am

Categories: IE7, Internet Explorer, Security, Virus Info

MSIE VML Exploit Spreading

The Internet Storm Center has raised the Infocon level to yellow for the exploit I posted about here, Vulnerability in Vector Markup Language Could Allow Remote Code Execution. I recommend you update your anti virus software and possibly even unregister the offending DLL, Vgx.dll, instructions are in this post.

The VML exploit is now becoming more widespread, so we changed the InfoCon level to yellow to emphasize the need to consider fixes.

If you have not taken measures yet, please consider some emergency fixes to cover the weekend (especially for those laptops surfing the web from home; they might be at high risk). The exploit is widely known, easy to recreate, and used in more and more mainstream websites. The risk of getting hit is increasing significantly.

Outlook (including outlook 2003) is – as expected – also vulnerable and the email vector is being reported as exploited in the wild as well.

Weekends are moreover popular moments in time for the bad guys to build their botnets.

Ken Dunham from iDefense says,

We have seen a significant increase in attacks over the last 24 hours and “[at] least one domain hosts provider has suffered a large-scale attack leading to index file modifications on over 500 domains”. Those domains pointed visitors to a VML exploit. We’re happy to note they join us in recommending “implementing a workaround ASAP” and see the upcoming weekend as a factor in it.

The group, known as ZERT (Zero Day Emergency Response Team), has released a patch, saying that Microsoft has to fix its patching cycle, and I agree on that part. Having to wait two weeks for a patch to fix an exploit that is just now taking off is ridiculous. I understand they have to test it and such, but surely they can speed the process up so we can all be safer online.

A high-profile group of computer security professionals scattered around the globe has created a third-party patch for the critical VML vulnerability as part of a broader effort to provide an emergency response system for zero-day malware attacks.

The patch, which was created and tested by a roster of reverse engineering gurus and virus research experts, is available from the ZERT Web site for Windows 2000 SP4, Windows XP (SP1 and SP2), Windows Server 2003 (SP1 and R2 inclusive).

“Something has to be done about Microsoft’s patching cycle. In some ways, it works. But, in other ways, it fails us,” says Joe Stewart, a senior security researcher with SecureWorks, in Atlanta. Source:

Not sure about using a third party patch, and I know I won’t be installing it on any computers for other people, I will stick to keeping the anti virus updated everyday and teaching good internet practices.

Posted by Jimmy Daniels - September 22, 2006 at 6:17 pm

Categories: Internet Explorer, Microsoft News, Security

Vulnerability in Vector Markup Language Could Allow Remote Code Execution

Microsoft released a security advisory yesterday, Microsoft Security Advisory (925568) Vulnerability in Vector Markup Language Could Allow Remote Code Execution. This involves the file Vgx.dll, which implements Vector Markup Language within Microsoft Windows. This vulnerability affects the following software:

Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 with SP1 for Itanium-based Systems Edition

Microsoft Windows Server 2003 x64 Edition

Someone who exploited this vulnerability could take complete control of the system just by getting the user to visit a website or open an attachment in email. It is even possible to use the VML exploit with a banner on a website, which opens up many avenues for attack.

Microsoft has confirmed new public reports of a vulnerability in the Microsoft Windows implementation of Vector Markup Language (VML). Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user’s system. Microsoft is aware that this vulnerability is being actively exploited.

A security update to address this vulnerability is now being finalized through testing to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, October 10, 2006, or sooner depending on customer needs.

Customers are encouraged to keep their anti-virus software up to date. Customers can also visit Windows Live OneCare Safety Center and are encouraged to use the Complete Scan option to check for and remove malicious software that take advantage of this vulnerability. We will continue to investigate these public reports.

Until the patch is released, Microsoft says you can protect your system using the following four methods:

Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP Service Pack 2; Windows Server 2003 and Windows Server 2003 Service Pack 1

Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered.

Modify the Access Control List on Vgx.dll to be more restrictive

Impact of Workaround: Applications and Web sites that render VML may no longer display or function correctly.

Configure Internet Explorer 6 for Microsoft Windows XP Service Pack 2 to disable Binary and Script Behaviors in the Internet and Local Intranet security zone.

Impact of Workaround: Disabling binary and script behaviors in the Internet and Local intranet security zones may cause some Web sites that rely on VML to not function correctly.

Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector.

I recommend you update your anti-virus software, or, better yet, tell it to update automatically when you log in to the system, so it checks every day for updates. Microsoft said that if you are a Windows Live OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems. You can visit Windows Live OneCare Safety Center to check for and remove malicious software looking to exploit this vulnerability.

Sunbelt discovered the zero day exploit in the wild.

Posted by Jimmy Daniels - September 20, 2006 at 3:52 pm

Categories: Internet Explorer, Malware, Microsoft News, Security

Microsoft Patches Vulnerability in Microsoft Publisher

Microsoft has released the monthly set of security updates, including one fixing a critical Office flaw, Vulnerability in Microsoft Publisher Could Allow Remote Code Execution (910729). Users could be exploited when opening a malicious Publisher document, which would give the attackers free rein on their computer. This bug has been rated critical for Publisher 2000 users, and important for Publisher 2002 and 2003 versions.

This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

Posted by Jimmy Daniels - September 13, 2006 at 2:37 am

Categories: Microsoft News, Office News, Security

Security Update for the Windows Meta File Vulnerability Available

Apparently, or accidentally as zdnet reported, Microsoft has released a patch to fix the WMF vulnerability in Windows, here is the bulletin Microsoft Security Bulletin MS06-001 Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919). The date on this page is from yesterday, so, even if it got released by accident, it looks like they were going to release it early anyway.

This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

We do too. Good move releasing this earlier than you first stated Microsoft, but still probably too late for some users.

From the Common Vulnerabilities and Exposures website, “The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on”

Note: This release says it is not critical for Windows 98 or Windows ME users, noting that although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. They will be releasing a patch for these operating systems later.

On the website, they quoted Microsoft saying;

The software maker said Thursday it will deliver two updates on Tuesday, Jan. 10, as part of its scheduled monthly bulletin of security patches.

In response to customer pressure, the software maker on Thursday delivered a fix for a Windows flaw that lies in the way Windows renders Windows Meta File images. The flaw has become a conduit for several attacks.

Next week, Microsoft plans to provide two additional security updates: one for Windows, and one for Microsoft Office and e-mail server software Exchange, the company said in a notice on its Web site.

Both updates will fix at least one flaw that the software maker deems critical, according to the notice. Microsoft rates as critical any security threat that could allow a malicious Internet worm to spread without any action required on the part of the user.

Posted by Jimmy Daniels - January 6, 2006 at 12:00 pm

Categories: Microsoft News, Tech News, Windows XP

Temporary Fix for the WMF Exploit

Since Microsoft has decided to wait until Tuesday to release its patch for the latest Windows exploit, the WMF security flaw, F-Secure has posted on their site about a fix released by Ilfak Guilfanov, the author of Interactive Disassembler and probably one of the best low-level Windows experts in the world. The fix is here.

Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system (all pictures and thumbnails continue to work normally).

The fix works by injecting itself to all processes loading USER32.DLL. It patches the Escape() function in GDI32.DLL, revoking WMF’s SETABORT escape sequence that is the root of the problem.

This flaw has already spawned dozens of attacks from a MSN Messenger worm to spam that tries to get users to click on malicious web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

“We have seen dozens of different attacks using this vulnerability since Dec. 27,” Hypponen said. “One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks.”

He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user’s system and allow sensitive files to be viewed.

A chief researcher at F-Secure said,

“We are still far away from a massive virus,” he said. “Most people get attacked by this if they (search for something on the Internet) and get a million results. They may click on a link that goes to a malicious Web site or one that has been hacked, and then get infected.”

In an article from posted today, an antivirus specialist stated that over a million PCs have been compromised,

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

“I’m sure it’s just a matter of days until the first (self-propagating) WMF worm will appear,” he said. “A patch is urgently needed.”

So, with Microsoft waiting until Tuesday, attackers are going to have about a week with no worries to try to take advantage of this. So far, most of the attacks have involved installing spyware and adware to display pop-up advertising on the infected PCs.

Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. “Microsoft’s goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins,” the company said.

To protect Windows users, Microsoft shouldn’t wait, but release the patch now, several critics said.

“The flaw is actively exploited on multiple sites, and antivirus provides only limited protection,” said Johannes Ullrich, the chief research officer at the SANS Institute. “Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch.”

Once again, we see a large company not really caring about the users and all they are doing is creating even more ill will.

Added: One of the F-Secure researchers stated that one of their test machines became infected after downloading an infected file using the Wget command line tool, without even executing it.

It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine. This all happens in realtime as Google Desktop contains a file system filter and will index new files in realtime.

Posted by Jimmy Daniels - January 4, 2006 at 11:39 am

Categories: Microsoft News, Spyware Info, Tech News, Virus Info

New IE Flaw Affects Windows XP Sp2

eEye Digital Security has warned that a flaw in Internet Explorer could enable a remote attack on computers running Windows XP SP2. This is the initial reporting stage, so they have released no info to the public; they do not release info until the vendor issues an advisory or releases a patch.

The flaw, which also affects systems running Windows XP, is found in the default installations of Microsoft’s IE, according to an advisory released by the security company on Thursday.

“The flaw is not wormable but allows for the remote execution (of code) with some level of end-user intervention,” said Mike Puterbaugh, eEye’s senior director of product marketing.

No one should be at risk, YET, unless someone has also discovered the vulnerability and released a virus or some other kind of exploit. Read more here.

Posted by Jimmy Daniels - September 16, 2005 at 12:03 pm

Categories: Windows XP