Tag Archives: exploit

Microsoft: Emergency IE Patch Coming

0
Posted by Tech Paranoia on January 19, 2010 – 9:02 am
Filed under Patches, exploit
Tagged as , , , , ,

Microsoft has started dropping broad hints that an emergency patch for Internet Explorer will be released very soon to counter targeted attacks and the publication of exploit code for a “browse and you’re owned” vulnerability in its flagship Web browser.

The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend.

The decision to ship the IE patch outside of Microsoft’s scheduled Patch Tuesday releases follows the release of exploit code into the Metasploit attack tool.

The Metasploit code only works against Internet Explorer 6 but there are claims in the security research community that the vulnerability has been successfully exploited on IE7 (Windows Vista) as well as IE6 and on Windows XP.

The vulnerability was discovered during zero-day attacks against several big-name U.S. companies, including Google, Adobe and Juniper Networks. During those attacks, data-stealing malware exploited the flaw against systems running IE6 on Windows XP.

Microsoft says the ongoing attacks remain “targeted to a very limited number of corporations” and are only effective against Internet Explorer 6. However, with the exploit code now in Metasploit, malware purveyors could begin tinkering with exploits geared to newer versions of the browser.

Now, Microsoft is imploring its customers to upgrade immediately to IE 8. A special guidance page has been published to offer information on how to mitigate this vulnerability and avoid attacks.

Microsoft’s Security Research & Defense team has created and released a one-click “Fix It” tool to allow users to enable DEP (Data Execution Prevention) on older versions of the browser. DEP, a crucial anti-exploit mitigation, is enabled by default on IE8 only.

Source: ThreatPost

Hack of Adobe Conducted Via Zero-Day IE Flaw

0
Posted by Tech Paranoia on January 14, 2010 – 2:22 pm
Filed under Hacks, Zero Day, exploit
Tagged as , , , , ,

The recent hack attack on Adobe occurred through exploitation of a zero-day vulnerability that affects all versions of Internet Explorer, according to a security researcher with a leading anti-virus firm.

Microsoft learned about the vulnerability only Wednesday evening and is planning to release an announcement about the vulnerability later today, said the researcher, who asked not to be identified because he’s not authorized to speak with the press.

The vulnerability, for which there is currently no patch, is a memory corruption flaw that causes the browser to internally misfire in a way that allows the hacker to inject malware on the user’s computer.

“It’s pretty targeted so the reality is that it’s only currently being used against these targeted companies,” the researcher said. He couldn’t say how many of the other 33 companies hit in the hack attack were breached in this way.

Zero day vulnerabilities are security flaws in software for which there is currently no patch. Researchers discovered a memory corruption flaw in IE in December, which Microsoft patched on Dec. 9. The researcher, however, said the one that affected Adobe is believed to be a new and different one.

Google announced on Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network, and that the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists.

Minutes later, Adobe acknowledged in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

Neither Google nor Adobe provided details about how the hacks occurred.

Full article at: Threat Level

Adobe releases patch for critical Acrobat and Reader flaw

0
Posted by Tech Paranoia on January 13, 2010 – 12:00 pm
Filed under Patches, Software
Tagged as , ,

Adobe has released a patch for multiple vulnerabilities in its Acrobat and Reader products. This patch addresses the widely used exploit that was released into the wild last month. Exploiting these vulnerabilities may allow an attacker to execute code or perform a denial of service attack.

Adobe Security Bulletin

Mac OS X vulnerability left unpatched for months

1
Posted by Tech Paranoia on January 12, 2010 – 3:00 pm
Filed under exploit
Tagged as ,

New information about a security hole in Mac OS X ,which has been known for about seven months, could finally force Apple to fix the problem. The hole is a new instance of the flawed implementation of the dtoa (double to ascii) C function for converting floating point numbers into strings. During conversion, a flaw in the array index can allow some memory areas to be overwritten. Since the flaw originated in a C library file it found its way into a number of operating systems and applications.

By adding certain formatting characters to print functions, attackers can exploit the vulnerability to provoke a heap overflow, inject arbitrary code in a system, and execute it there. Publicly known since last June, the hole was rated (extremely) critical and has been fixed by several browser vendors, such as Opera, Google and the Mozilla Foundation. OpenBSD, FreeBSD and NetBSD also contained the hole, but have now been updated to close it.

According to Maksymilian Arciemowicz, who discovered the vulnerability, the dtoa flaw does exist in Mac OS X 10.5.x and 10.6.x, but it can’t be exploited via normal print functions such as printf. However, the strtod (string to double) libc function also uses the vulnerable dtoa code and can, in turn, be exploited via printf. Arciemowicz has released a short demo program which provokes the flaw – although it only causes the application to crash. However, according to Arciemowicz, it is not difficult to manipulate the ESI and EDI registers in such a way that injected code can be executed. Users apparently only need to visit a specially crafted web page to fall victim to the attack.

Why Apple hasn’t closed the known hole in dtoa is an open question. Arciemowicz speculates that the previous absence of a proof-of-concept exploit led Apple to believe the hole can’t be exploited. He said that other affected vendors usually respond promptly after being informed about vulnerabilities.

A similar misinterpretation of a hole in Java already caused considerable trouble for Apple last year. It was probably only an exploit published by security specialist Landon Fuller that eventually made Apple release an updated version of Java to close the hole.

Source: H Online

Frustrated bug hunters to expose a flaw a day for a month

0
Posted by Tech Paranoia on January 12, 2010 – 2:00 pm
Filed under Software, exploit
Tagged as , ,

A Russian security firm has pledged to release details of previously undisclosed flaws in enterprise applications it has discovered every day for the remainder of January.

Intevydis intends to publish advisories on zero-day vulnerabilities in products such as Zeus Web Server, MySQL, Lotus Domino and Informix and Novell eDirectory between 11 January and 1 February, security blogger Brian Krebs reports.

As an opener, Intevydis published a crash bug in Sun Directory Server 7.0, along with exploit code. The final line-up of zero-days is still being finalised, but the MySQL buffer overflows and IBM DB2 root vulnerability flaws on the provisional menu sound much tastier than Intevydis’s somewhat bland opener. Advisories are due to be published on the Intevydis blog here.

Intevydis said it launched its campaign after becoming more and more disillusioned with foot-dragging by vendors when confronted by security flaws in their products. “After working with the vendors long enough, we’ve come to conclusion that, to put it simply, it is a waste of time,” Evgeny Legerov, a founder of Intevydis told Krebs. “Now, we do not contact with vendors and do not support so-called ‘responsible disclosure’ policy.”

Only one software vendor, Zeus, reportedly worked with Intevydis in developing a patch to be released at the same time as an upcoming advisory from the Russian security firm. Intevydis’s stance is likely to reboot the long running debate about the responsible disclosure of security vulnerabilities.

Full article at: The Register

Researcher Rates Mac OS X Vulnerability ‘High’

2
Posted by Tech Paranoia on January 11, 2010 – 1:00 pm
Filed under Software
Tagged as , ,

Proof of concept exploit code was posted last week by a security researcher at SecurityReason to demonstrate a vulnerability in versions 10.5 and 10.6 of Apple’s Mac OS X operating system.

The vulnerability is a potential buffer overflow error arising from the use of the strtod function Mac OS X’s underlying Unix code. It was first reported by researcher Maksymilian Arciemowicz last June.

SecurityReason’s advisory describes a flaw in the libc/gdtoa code in OpenBSD, NetBSD, FreeBSD, and MacOS X, as well as Google Chrome, Mozilla Firefox and other Mozilla software, Opera, KDE, and K-Meleon.

SecurityReason’s advisory rates the vulnerability’s risk as “high” and claims that the flaw can be exploited by a remote attacker.

A spokesperson for SecurityReason wasn’t immediately available to characterize the likelihood that this vulnerability could be exploited.

The vulnerability was addressed in FreeBSD and NetBSD last last summer.

And shortly thereafter Google and Mozilla, among other vendors, did the same.

But Apple apparently has not yet updated its software to incorporate the fix.

Apple did not immediately respond to a request for comment.

Source: DarkReading

Adobe Reader vuln hit with unusually advanced attack

0
Posted by Tech Paranoia on January 5, 2010 – 12:00 pm
Filed under exploit
Tagged as , ,

With more than a week until Adobe is scheduled to patch a critical vulnerability in its Reader and Acrobat applications, online thugs are targeting it with an unusually sophisticated attack.

The PDF file uses what’s known as egg-hunting shellcode to compress the first phase of the malicious payload into 38 bytes, a tiny size that’s designed to thwart anti-virus detection. As a result, just four of the 41 major AV programs detect the attack more than six days after the exploit surfaced, according to this analysis from Virus Total.

The shellcode then loads an obfuscated binary file contained in the PDF file that installs PoisonIvy, a backdoor client used to maintain control over infected PCs.

“Not only was this a very interesting example of a malicious PDF document carrying a sophisticated ‘war head,’ but it also showed the length attackers are willing to go to in order to make their malware as hard to detect as possible, not only for the AV vendors, but also for victims,” wrote Bojan Zdrnja, a Sans handler who analyzed the exploit.

The PDF was distributed through email that was specifically targeted at an unnamed organization, Zdrnja, who is a senior information security consultant with Infigo, said in an interview with The Register. Based on the metadata found in the PDF, it originated in China and was produced on December 29.

Just to make the attack even harder for end users to detect, the obfuscated binary runs a third executable program that does nothing more than open a benign file called baby.pdf on the infected machine. Zdrnja believes this is done to deflect attention and prevent users from figuring out their PC has just been compromised.

Source: The Register

MS now dismisses IIS zero-day bug reports

0
Posted by Tech Paranoia on December 30, 2009 – 10:00 am
Filed under exploit
Tagged as , ,

Microsoft has dismissed reports that there’s an unpatched critical flaw in the latest version of its webserver software.

The software giant accepts there is an “inconsistency” in how IIS 6 handles semicolons in URLs . But it denies that this lends itself to hacking attacks, contrary to claims by security researchers shortly before Xmas. Redmond said fears that the bug allows hackers to circumvent content filtering software in order to upload and execute code on an IIS server are misplaced.

This scenario would only work if IIS web servers were set up to allow both “write” and “execute” privileges from the same directory, something that would make a system vulnerable in the first place and isn’t established even in default configurations, Microsoft states. The software giant has promised to make changes to purge the inconsistent behaviour from IIS 6.

Microsoft’s nothing-to-worry-about-please-move-along advisory, which helpfully provides links to best practice web server security guidelines, can be found here.

Source: The Register

Microsoft confirms IIS hole

0
Posted by Tech Paranoia on December 29, 2009 – 10:00 am
Filed under Software
Tagged as , ,

Microsoft has confirmed the security hole in its IIS web server, but hasn’t disclosed which versions of the product are affected. According to the finder of the “semi-colon bug”, versions up to and including version 6 are vulnerable. The hole allows attackers, for instance, to camouflage executable ASP files as harmless JPEG files and upload malicious code to a server.

Microsoft’s Security Response Center (MSRC) says it is investigating the vulnerability and has so far not found evidence of any attackers actively exploiting the hole to compromise a server. According to the vendor, the required conditions present an obstacle for successful attacks: Attackers must have authenticated themselves on a server and possess read as well as upload privileges to a directory which, in turn, must allow the execution of code.

Although these conditions are not present in any standard installation, opinions about the risk levels vary considerably. Security firm Secunia considers the vulnerability a moderate threat. The Internet Storm Center has rated the problem critical and recommends that affected users take additional security precautions until a patch becomes available. An 8 basic rules plan compiled by the ISC is to assist with this task. In its first response to the vulnerability, Microsoft also suggested several links to instructions on how to ensure server security.

Source: The H Online

Microsoft IIS vuln leaves users open to remote attack

0
Posted by Tech Paranoia on December 24, 2009 – 8:02 pm
Filed under Zero Day
Tagged as , ,

A researcher has identified a vulnerability in the most recent version of Microsoft’s Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver.

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension “.asp.” By appending “;.jpg” or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it “highly critical,” vulnerability tracker Secunia classified it as “less critical,” which is only the second notch on its five-tier severity rating scale.

“Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as ‘.asp,’ ‘.cer,’ ‘.asa’ and so on,” Dalili wrote. “Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.”

Secunia didn’t explain how it arrived at its assessment, but it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6.

A Microsoft spokeswoman said company researchers are investigating the report. They are not aware of attacks targeting the reported vulnerability, she said.

In the absence of any official guidance, webmasters who want to workaround the potential problem should make sure that upload directories don’t have execute permissions. And web developers should ensure their applications never accept the user’s input as a file name.

Source: The Register