There is currently in the wild an HTML script that exploits an unpatched vulnerability in Microsoft Internet Explorer. The vulnerability is in the way IE handles thousands of script handlers such as onClick on a single Web page. This causes the browser to crash. Other browsers like FireFox are reportedly not affected by this.

Trend Micro’s HTML_SCRIPTACT.A is the detection for pages that exploit this vulnerability, while McAfee’s detection is Exploit-ScriptAction.

Security Focus cites a demonstration page. Try clicking this if you dare.

First, it was a rumor. It even caused a minor controversy. And finally it was confirmed. Ladies and gentlemen, a virus (specifically a worm) that can jump from a PC to a Windows handheld is now a reality.

On February 28, 2006, a relatively new organization named Mobile Antivirus Research Association (MARA) announced that it has in its possession a virus that can cross over from a PC to a Windows handheld (News.com). Contrary to the usual practice, wherein an antivirus company who has a copy of a new malware shares it with those who don’t, MARA refused to share the code unless interested AV companies join their organization (Security Focus).

And now, at least 3 major AV companies have published their descriptions for the crossover worm: Trend Micro’s WORM_CXOVER.A, Symantec’s MSIL.Cxover.A, and F-Secure’s Cxover.A.

First, it checks the OS version. If it finds itself in a desktop computer, it searches for an open ActiveSync connection to a mobile device. Once found, it copies itself in the mobile device. If it finds itself in the mobile device, it deletes all files and folders found in the My Documents folder.

A more detailed analysis can be found here.

Included in its code is a direct challenge to security experts and AV companies:

The great walls of China that separated the domains between wired and wireless, desktop and handhelds have been reduce to ruble. Vxers are entering a new era of greater vx possibilities with the chance of reaching more systems around the world than ever before. The viruses of the past are nothing compared to what the future holds. 2006 marks the establishment of a New Cyberworld Order with vxers around the world united at the forefront. The time is now to prepare and defend, are you ready?

Are we ready?

Microsoft released today two security bulletins, addressing vulnerabilities in Microsoft Windows and Microsoft Office.

Microsoft Security Bulletin MS06-011, Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798), is rated Important. Affected OS are Windows XP Service Pack 1, Windows Server 2003, and Windows Server 2003 for Itanium-based systems. This vulnerability can allow an escalation of user privilege.

Microsoft Security Bulletin MS06-012, Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413), affects users of Office 2000 Service Pack 3, Office XP Service Pack 3, Office 2003 Service Pack 1 or 2, Works Suites, Office X and Office 2004 for Mac. This vulnerability allows remote code execution, and is rated critical.

Users of the said software are advised to update their computers.

PCIJ is once again on the gunsight of Mike Defensor’s stoogie Jonathan Tiongco, who is hell bent on shutting down PCIJ. PCIJ was slapped a TRO before, courtesy of Tiongco’s wife, and now, Tiongco may be at it again. (Side note: The linked blog entry was numbered 464.) The page that was TROd discussed the life of Tiongco and his rise to infamy.

PCIJ has learned that there was an attempt by Tiongco to file a search warrant against – you guessed it right – PCIJ.

Now, there is jurisprudence about this; what this means is that if it was done before, it can be done again. And with the incessant efforts by Gloria Arroyo and her generals to stifle dissent, bloggers will be next in line after the mainstream news organizations. Bloggers are not yet targets because they do not command yet the attention that news organization gets; the Internet penetration, much less availability of computers at home, is still low. If a computer and an Internet connection is as available as a TV set, Arroyo would have to address the “problem”. I believe Web sites that fits her “destabilizer” label will be targeted, but not yet soon. I hope I am wrong; the Internet is such a free place, and I hope it will remain so.

Anyway, it is better to be prepared. How can we survive? Too pessimistic. How can we mitigate such actions? Here are some suggestions:

• Get another blog provider. Repost your entries there. But do not link to it. The key is to have it unknown to the casual reader. I know this will mean redundancy and extra effort. WordPress users can use the LiveJournal Cross Poster plugin, if you have a LiveJournal account.
• Hire a lawyer, or at least know the laws that has bearing on blogging. Make sure your blog entries are not contrary to the law, if you feel like being lawful. After all, you exercise your freedom, you are responsible for that.
• Try not to disclose your true identity. After all, you cannot be sued if they don’t know who you are. (John Doe? Jane Doe? Duh!)
• Ask someone/others to repost your problematic/questioned blog entry. (Make sure you give them a copy.)

That’s all I can think of at the moment.

UPDATE: YugaTech had a blog post that addressed this issue: Is your blog safe from the DOJ?

Last Friday, McAfee released DAT pattern 4715. Later, users of McAfee antivirus products reported that some of their files were deleted/quarantined by the McAfee product. Some of the files deleted/quarantined include EXCEL.EXE (which is the main executable file of Microsoft Excel).

If you are a McAfee user and your current DAT is 4715, update immediately to the latest DAT file. McAfee has a tool that will recover quarantined files; you may want to use it. McAfee has also provided a list of files (in PDF) that is wrongly tagged by DAT 4715. Here is McAfee’s press release on DAT 4715.

Sources:

• McAfee/NAI rolls bad pattern
• McAfee 4715 DAT False Positive Deletion Reports Follow-up

How easy is it for a newbie to set up his own botnet?

A botnet is a jargon term for a collection of software robots, or bots, which run autonomously. It is used by malicious users to gain control over remote computers, and use these computers for various purposes, like delivering adware for commission, or performing denial of service (DoS) attacks. A user controls these bots using a command and control infrastructure, most notably via Internet Relay Chat (IRC); IRC bots are most common.

To answer the question: very easy. All a knowledgeable user has to do is to download source code from somewhere, make few modifications, and he is set to go! Script kiddies do this all the time, especially if there are new software vulnerabilities to exploit. (More on vulnerability exploits and zero-day exploits in a separate blog post.)

In an interview with a certain hacker, Brian Krebs concluded that script kiddies no longer hack for fun (like defacing Web sites, though some still do); they do so for profit:

the chief distinguishing feature of this generation being that instead of using Web site flaws to deface as many Web sites as possible, these guys are breaking into thousands of home and work PCs and taking them for a virtual joyride, often times all the way to the bank.

The most daring makes sure his actions are known; but those who wanted to earn a profit are more dangerous, since they will try their best to remain hidden. That’s why some bots use rootkits to avoid detection. And why derail the money train?