Tag Archives: microsoft

Severe IE vulnerability threatens Windows XP users

Filed under Security, Software

News of a newly discovered bug in VBScript and Windows Help files in Internet Explorer that could allow a remote attacker to run an arbitrary command reached Microsoft on Friday, and the company immediately began investigating the matter.

After two days, they confirmed that this vulnerability “could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box”, but that there has been no news about attacks exploiting it so far.

Maurycy Prodeus, the security analyst who discovered the vulnerability, says that Windows XP SP3 systems running IE 8, 7 or 6 are vulnerable, and Microsoft says that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista are not affected by this issue.

Microsoft is yet to confirm when the fix will be released, but Computerworld reports that Prodeus himself offered a temporary solution: blocking TCP port 445. “However, it is worth to note that blocking this port doesn’t solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim’s machine at known path location using some third-party browser plug-ins,” he said.

Source: Help Net Security

http://www.net-security.org/secworld.php?id=8935

Microsoft to drop support for Vista SP0 and XP SP2

Filed under Software

Microsoft has stated that it will drop support for Windows Vista (Service Pack 0) on April 13th, 2010 and Windows XP (Service Pack 2) on July 13th. If you are still running these versions, it is time to update.

Microsoft takes down 277 Waledac infected websites

Filed under Security

Microsoft has taken down 277 internet domains that it believed were being used to run the Waledac botnet.

In what it called ‘Operation b49’, which was the ‘result of months of investigation and the innovative application of a tried and true legal strategy’ according to Microsoft’s associate general counsel Tim Cranton, a federal judge granted a temporary restraining order that quickly and effectively cut off traffic to Waledac at the ‘.com’ or domain registry level.

Cranton said: “Microsoft has since been taking additional technical countermeasures to downgrade much of the remaining peer-to-peer command and control communication within the botnet, and we will continue to work with the security community to mitigate and respond to this botnet.

“Three days into the effort, Operation b49 has effectively shut down connections to the vast majority of Waledac-infected computers, and our goal is to make that disruption permanent. But the operation hasn’t cleaned the infected computers and is not a silver bullet for undoing all the damage we believe Waledac has caused. Although the zombies are now largely out of the bot-herders’ control, they are still infected with the original malware.”

Source: SC Magazine UK

Microsoft: Emergency IE Patch Coming

Filed under Patches, exploit

Microsoft has started dropping broad hints that an emergency patch for Internet Explorer will be released very soon to counter targeted attacks and the publication of exploit code for a “browse and you’re owned” vulnerability in its flagship Web browser.

The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend.

The decision to ship the IE patch outside of Microsoft’s scheduled Patch Tuesday releases follows the release of exploit code into the Metasploit attack tool.

The Metasploit code only works against Internet Explorer 6 but there are claims in the security research community that the vulnerability has been successfully exploited on IE7 (Windows Vista) as well as IE6 and on Windows XP.

The vulnerability was discovered during zero-day attacks against several big-name U.S. companies, including Google, Adobe and Juniper Networks. During those attacks, data-stealing malware exploited the flaw against systems running IE6 on Windows XP.

Microsoft says the ongoing attacks remain “targeted to a very limited number of corporations” and are only effective against Internet Explorer 6. However, with the exploit code now in Metasploit, malware purveyors could begin tinkering with exploits geared to newer versions of the browser.

Now, Microsoft is imploring its customers to upgrade immediately to IE 8. A special guidance page has been published to offer information on how to mitigate this vulnerability and avoid attacks.

Microsoft’s Security Research & Defense team has created and released a one-click “Fix It” tool to allow users to enable DEP (Data Execution Prevention) on older versions of the browser. DEP, a crucial anti-exploit mitigation, is enabled by default on IE8 only.

Source: ThreatPost

Hack of Adobe Conducted Via Zero-Day IE Flaw

Filed under Hacks, Zero Day, exploit

The recent hack attack on Adobe occurred through exploitation of a zero-day vulnerability that affects all versions of Internet Explorer, according to a security researcher with a leading anti-virus firm.

Microsoft learned about the vulnerability only Wednesday evening and is planning to release an announcement about the vulnerability later today, said the researcher, who asked not to be identified because he’s not authorized to speak with the press.

The vulnerability, for which there is currently no patch, is a memory corruption flaw that causes the browser to internally misfire in a way that allows the hacker to inject malware on the user’s computer.

“It’s pretty targeted so the reality is that it’s only currently being used against these targeted companies,” the researcher said. He couldn’t say how many of the other 33 companies hit in the hack attack were breached in this way.

Zero day vulnerabilities are security flaws in software for which there is currently no patch. Researchers discovered a memory corruption flaw in IE in December, which Microsoft patched on Dec. 9. The researcher, however, said the one that affected Adobe is believed to be a new and different one.

Google announced on Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network, and that the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists.

Minutes later, Adobe acknowledged in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

Neither Google nor Adobe provided details about how the hacks occurred.

Full article at: Threat Level

Microsoft warning to XP users: Update Flash Player Now

Filed under Software, exploit

Microsoft has shipped a security advisory with an urgent message for Windows XP users: Update your Flash Player immediately.

The Adobe Flash Player 6 that ships by default in Windows XP is vulnerable to multiple code execution vulnerabilities that could lead to PC takeover attacks, according to the advisory.

Here’s the warning:

Microsoft is aware of reports of vulnerabilities in Adobe Flash Player 6 provided in Windows XP. We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time but recommend that users install the latest version of Flash Player provided by Adobe.

The Adobe Flash Player 6 was provided with Windows XP and contains multiple vulnerabilities that could allow remote code execution if a user views a specially crafted Web page. Adobe has addressed these vulnerabilities in newer versions of Adobe Flash Player. Microsoft recommends that users of Windows XP with Adobe Flash Player 6 installed update to the most current version of Flash Player available from Adobe.

This issue affects Windows XP Service Pack 2 and Windows XP Service Pack 3. The warning is also applicable to users running Windows XP Professional x64 Edition Service Pack 2.

Adobe discontinued support for Adobe Flash Player 6 in 2006. The latest version of Adobe Flash Player is 10.0.42.34.

Adobe Flash Player is among the most commonly exploited desktop applications so it’s important for all Windows XP users to heed this warning from Microsoft.

Source: ThreatPost

Only one patch expected from Microsoft next Patch Tuesday

Filed under Patches

Microsoft is only planning to release one bulletin on its first Patch Tuesday of 2010 and will not address an existing vulnerability in SMB that could allow a denial-of-service attack.

In an advance notification, Microsoft Security Response Center security program manager Jerry Bryant said that one bulletin addressing a single vulnerability in Windows will be released. This will address a remote code execution vulnerability that is only in Windows 2000, and may require a restart.

He said that the vulnerability is critical on Windows 2000 and low for all other platforms, although the Exploitability Index rating for this issue will not be high, which lowers the overall risk.

Bryant said: “I also want to proactively point out that we will not be addressing security advisory 977544 (vulnerability in SMB that could allow denial-of-service attack). We are still working on an update for the issue at this time.”

Source: SC Magazine UK

MS now dismisses IIS zero-day bug reports

Filed under exploit

Microsoft has dismissed reports that there’s an unpatched critical flaw in the latest version of its webserver software.

The software giant accepts there is an “inconsistency” in how IIS 6 handles semicolons in URLs. But it denies that this lends itself to hacking attacks, contrary to claims by security researchers shortly before Xmas. Redmond said fears that the bug allows hackers to circumvent content filtering software in order to upload and execute code on an IIS server are misplaced.

This scenario would only work if IIS web servers were set up to allow both “write” and “execute” privileges from the same directory, something that would make a system vulnerable in the first place and isn’t established even in default configurations, Microsoft states. The software giant has promised to make changes to purge the inconsistent behaviour from IIS 6.

Microsoft’s nothing-to-worry-about-please-move-along advisory, which helpfully provides links to best practice web server security guidelines, can be found here.

Source: The Register

Microsoft confirms IIS hole

Filed under Software

Microsoft has confirmed the security hole in its IIS web server, but hasn’t disclosed which versions of the product are affected. According to the finder of the “semi-colon bug”, versions up to and including version 6 are vulnerable. The hole allows attackers, for instance, to camouflage executable ASP files as harmless JPEG files and upload malicious code to a server.

Microsoft’s Security Response Center (MSRC) says it is investigating the vulnerability and has so far not found evidence of any attackers actively exploiting the hole to compromise a server. According to the vendor, the required conditions present an obstacle for successful attacks: Attackers must have authenticated themselves on a server and possess read as well as upload privileges to a directory which, in turn, must allow the execution of code.

Although these conditions are not present in any standard installation, opinions about the risk levels vary considerably. Security firm Secunia considers the vulnerability a moderate threat. The Internet Storm Center has rated the problem critical and recommends that affected users take additional security precautions until a patch becomes available. A plan of 8 basic rules compiled by the ISC is intended to assist with this task. In its first response to the vulnerability, Microsoft also suggested several links to instructions on how to ensure server security.

Source: The H Online

Microsoft IIS vuln leaves users open to remote attack

Filed under Zero Day

A researcher has identified a vulnerability in the most recent version of Microsoft’s Internet Information Services that allows attackers to execute malicious code on machines running the popular webserver.

The bug stems from the way IIS parses file names with colons or semicolons in them, according to researcher Soroush Dalili. Many web applications are configured to reject uploads that contain executable files, such as active server pages, which often carry the extension “.asp.” By appending “;.jpg” or other benign file extensions to a malicious file, attackers can bypass such filters and potentially trick a server into running the malware.

There appears to be some disagreement over the severity of the bug, which Dalili said affects all versions of IIS. While he rated it “highly critical,” vulnerability tracker Secunia classified it as “less critical,” which is only the second notch on its five-tier severity rating scale.

“Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as ‘.asp,’ ‘.cer,’ ‘.asa’ and so on,” Dalili wrote. “Many web applications are vulnerable against file uploading attacks because of this weakness of IIS.”

Secunia didn’t explain how it arrived at its assessment, but it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6.

A Microsoft spokeswoman said company researchers are investigating the report. They are not aware of attacks targeting the reported vulnerability, she said.

In the absence of any official guidance, webmasters who want to work around the potential problem should make sure that upload directories don’t have execute permissions. And web developers should ensure their applications never accept the user’s input as a file name.

Source: The Register
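
The advice above on never accepting the user's input as a file name, sketched as an added example in Python (not code from the article, Microsoft or the researcher). The function names, the image allowlist and the sample names are assumptions made for illustration; removing execute permission from the upload directory still applies alongside it.

```python
import os
import secrets

# Assumed upload policy for this example: images only.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def naive_filter_accepts(client_name: str) -> bool:
    """The kind of check the article says is bypassed: it looks only at
    the final extension of the name supplied by the client."""
    return os.path.splitext(client_name)[1].lower() in ALLOWED_EXTENSIONS


def safe_storage_name(client_name: str) -> str:
    """Return a server-generated name. The client's name is used only to
    pick an allowlisted extension and is never written to disk."""
    # Drop any path the client sent along with the name.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Semicolons and colons are the characters the article says IIS parses
    # inconsistently, so names containing them are refused outright.
    if ";" in base or ":" in base:
        raise ValueError("separator character in file name")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not on the allowlist")
    # Random stem: nothing typed by the user survives into the stored name.
    return secrets.token_hex(16) + ext


# Constructed sample names, including the ";.jpg" pattern from the article.
SAMPLE_NAMES = ["holiday.JPG", "photo.asp;.jpg", "page.asp", "x.asa;.png"]


def review(names):
    """Map each name to (naive filter verdict, hardened handler verdict)."""
    results = {}
    for name in names:
        try:
            safe_storage_name(name)
            verdict = "stored"
        except ValueError as exc:
            verdict = f"rejected: {exc}"
        results[name] = (naive_filter_accepts(name), verdict)
    return results


if __name__ == "__main__":
    for name, outcome in review(SAMPLE_NAMES).items():
        print(name, outcome)
```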