24 Mar

Exploit Code for New IE Vulnerability Released

Yesterday, I posted an advisory about another vulnerability in Internet Explorer. Now, an exploit code that takes advantage of this vulnerability has been released, as reported in Security Focus and in SANS Internet Storm Center. This is a zero-day exploit.

Microsoft has already posted a Security Advisory on this, and has made several suggestions on how to mitigate this problem while a patch is being prepared.

The best workaround in the meanwhile is to disable Active Scripting; if you don’t want to disable it, you can instead set the browser to prompt the user before running Active Scripting:

1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
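The seven clicks above change one URL-action value per security zone. On a fleet you would rather audit that value than click through every machine, so here is an added example (mine, not the blog’s or Microsoft’s) that reads a `reg export` of the zone keys and reports the Active Scripting setting for the Internet and Local intranet zones. It assumes the documented per-user location `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>`, zone numbers 1 (Local intranet) and 3 (Internet), and action id 1400 (Active scripting) with 0 = Enable, 1 = Prompt, 3 = Disable; the sample export is constructed for the example.

```python
import re

# Constructed sample of what "reg export" of the two zone keys might look like
# after the Internet zone was set to Prompt and Local intranet was left alone.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"DisplayName"="Local intranet"
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1400"=dword:00000001
"""

ACTIVE_SCRIPTING = "1400"                      # URL action id for Active Scripting
SETTING_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int_or_str}} from a .reg export (dword and string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                name, dword, s = m.groups()
                keys[current][name] = int(dword, 16) if dword is not None else s
    return keys


def active_scripting_status(reg_text):
    """Map zone number -> 'Enable' / 'Prompt' / 'Disable' for the Active Scripting action."""
    status = {}
    for path, values in parse_reg_export(reg_text).items():
        m = re.search(r"\\Zones\\(\d+)$", path)
        if not m or ACTIVE_SCRIPTING not in values:
            continue
        raw = values[ACTIVE_SCRIPTING]
        status[int(m.group(1))] = SETTING_NAMES.get(raw, f"unknown({raw})")
    return status


def zones_still_enabled(reg_text, zones=(1, 3)):
    """Zones (default: Local intranet and Internet) that still run scripts without prompting."""
    status = active_scripting_status(reg_text)
    return [z for z in zones if status.get(z) == "Enable"]


if __name__ == "__main__":
    for zone, setting in sorted(active_scripting_status(SAMPLE_REG).items()):
        print(f"zone {zone} ({ZONE_NAMES.get(zone, '?')}): Active Scripting = {setting}")
    print("still enabled:", zones_still_enabled(SAMPLE_REG))
```

Run it against the sample and it reports the Local intranet zone as still enabled, which is exactly the case the advisory’s steps 5 and 6 exist to cover. A machine-wide policy can also live under `HKEY_LOCAL_MACHINE` with the same sub-path; the parser does not care which hive the export came from.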

Since this vulnerability allows remote code execution, IE users are advised to be careful about browsing, and to apply the suggested mitigation until a patch is released.

23 Mar

Another IE Vulnerability and Another Vista Delay

A new vulnerability in the ubiquitous Web browser Internet Explorer has been discovered. Secunia rates the vulnerability as highly critical, since successful exploitation of this may cause remote code execution. As of now, no patch is available from Microsoft.

Another zero-day exploit in the making? Who knows?

Maybe that’s why they are delaying the release of Vista. They wanted to make sure that the OS will not have any security holes that anyone can exploit. Remember Sasser? Blaster? Slammer?

18 Mar

New IE Zero-Day Exploit

There is currently in the wild an HTML script that exploits an unpatched vulnerability in Microsoft Internet Explorer. The vulnerability is in the way IE handles thousands of script handlers such as onClick on a single Web page. This causes the browser to crash. Other browsers like Firefox are reportedly not affected by this.

Trend Micro’s HTML_SCRIPTACT.A is the detection for pages that exploit this vulnerability, while McAfee’s detection is Exploit-ScriptAction.

Security Focus cites a demonstration page. Try clicking this if you dare.

17 Mar

The First Crossover Virus

First, it was a rumor. It even caused a minor controversy. And finally it was confirmed. Ladies and gentlemen, a virus (specifically a worm) that can jump from a PC to a Windows handheld is now a reality.

On February 28, 2006, a relatively new organization named Mobile Antivirus Research Association (MARA) announced that it has in its possession a virus that can cross over from a PC to a Windows handheld (News.com). Contrary to the usual practice, wherein an antivirus company that has a copy of a new malware shares it with those who don’t, MARA refused to share the code unless interested AV companies join their organization (Security Focus).

And now, at least 3 major AV companies have published their descriptions for the crossover worm: Trend Micro’s WORM_CXOVER.A, Symantec’s MSIL.Cxover.A, and F-Secure’s Cxover.A.

First, it checks the OS version. If it finds itself on a desktop computer, it searches for an open ActiveSync connection to a mobile device. Once found, it copies itself to the mobile device. If it finds itself on the mobile device, it deletes all files and folders found in the My Documents folder.

A more detailed analysis can be found here.

Included in its code is a direct challenge to security experts and AV companies:

The great walls of China that separated the domains between wired and wireless, desktop and handhelds have been reduced to rubble. Vxers are entering a new era of greater vx possibilities with the chance of reaching more systems around the world than ever before. The viruses of the past are nothing compared to what the future holds. 2006 marks the establishment of a New Cyberworld Order with vxers around the world united at the forefront. The time is now to prepare and defend, are you ready?

Are we ready?

15 Mar

Two Microsoft Security Bulletins for March 2006

Microsoft released today two security bulletins, addressing vulnerabilities in Microsoft Windows and Microsoft Office.

Microsoft Security Bulletin MS06-011, Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798), is rated Important. Affected operating systems are Windows XP Service Pack 1, Windows Server 2003, and Windows Server 2003 for Itanium-based systems. This vulnerability can allow an escalation of user privilege.

Microsoft Security Bulletin MS06-012, Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413), affects users of Office 2000 Service Pack 3, Office XP Service Pack 3, Office 2003 Service Pack 1 or 2, Works Suites, Office X and Office 2004 for Mac. This vulnerability allows remote code execution, and is rated critical.

Users of the said software are advised to update their computers.

14 Mar

A Blogger’s Survival Manual (Updated)

PCIJ is once again in the gunsight of Mike Defensor’s stooge Jonathan Tiongco, who is hell-bent on shutting down PCIJ. PCIJ was slapped with a TRO before, courtesy of Tiongco’s wife, and now Tiongco may be at it again. (Side note: The linked blog entry was numbered 464.) The page that was TRO’d discussed the life of Tiongco and his rise to infamy.

PCIJ has learned that there was an attempt by Tiongco to file a search warrant against – you guessed it right – PCIJ.

Now, there is jurisprudence about this; what this means is that if it was done before, it can be done again. And with the incessant efforts by Gloria Arroyo and her generals to stifle dissent, bloggers will be next in line after the mainstream news organizations. Bloggers are not yet targets because they do not yet command the attention that news organizations get; Internet penetration, much less the availability of computers at home, is still low. If a computer and an Internet connection were as available as a TV set, Arroyo would have to address the “problem”. I believe Web sites that fit her “destabilizer” label will be targeted, but not soon. I hope I am wrong; the Internet is such a free place, and I hope it will remain so.

Anyway, it is better to be prepared. How can we survive? Too pessimistic. How can we mitigate such actions? Here are some suggestions:

  • Get another blog provider. Repost your entries there. But do not link to it. The key is to have it unknown to the casual reader. I know this will mean redundancy and extra effort. WordPress users can use the LiveJournal Cross Poster plugin, if you have a LiveJournal account.
  • Hire a lawyer, or at least know the laws that have a bearing on blogging. Make sure your blog entries are not contrary to the law, if you feel like being lawful. After all, when you exercise your freedom, you are responsible for that.
  • Try not to disclose your true identity. After all, you cannot be sued if they don’t know who you are. (John Doe? Jane Doe? Duh!)
  • Ask someone/others to repost your problematic/questioned blog entry. (Make sure you give them a copy.)

That’s all I can think of at the moment.

UPDATE: YugaTech had a blog post that addressed this issue: Is your blog safe from the DOJ?

14 Mar

Bad McAfee Pattern Tags Legit Files as Malware

Last Friday, McAfee released DAT pattern 4715. Later, users of McAfee antivirus products reported that some of their files were deleted/quarantined by the McAfee product. Some of the files deleted/quarantined include EXCEL.EXE (which is the main executable file of Microsoft Excel).

If you are a McAfee user and your current DAT is 4715, update immediately to the latest DAT file. McAfee has a tool that will recover quarantined files; you may want to use it. McAfee has also provided a list of files (in PDF) that are wrongly tagged by DAT 4715. Here is McAfee’s press release on DAT 4715.


11 Mar

The Money Train that is a Botnet

How easy is it for a newbie to set up his own botnet?

A botnet is a jargon term for a collection of software robots, or bots, which run autonomously. It is used by malicious users to gain control over remote computers, and use these computers for various purposes, like delivering adware for commission, or performing denial of service (DoS) attacks. A user controls these bots using a command and control infrastructure, most notably via Internet Relay Chat (IRC); IRC bots are most common.
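Because the command and control described above runs over IRC, a defender’s first handle on it is the traffic itself: many internal hosts connecting to the same IRC server and joining the same channel, often with machine-generated nicknames. The following is an added example (mine, not from the post or any product) that runs that heuristic over a few constructed, simplified connection-log lines; the log format, the channel name, the nick pattern and the threshold are all assumptions of the example, not something the post specifies.

```python
import re
from collections import defaultdict

# Constructed log lines in a simplified "timestamp src -> server:port COMMAND arg" format.
# Three internal hosts join one channel with generated-looking nicks; one user joins a
# normal channel on a different server.
LOG_LINES = [
    "2006-03-11T10:02:15 10.0.0.5 -> 198.51.100.7:6667 NICK [USA|XP]38214",
    "2006-03-11T10:02:16 10.0.0.5 -> 198.51.100.7:6667 JOIN #c0ntrol",
    "2006-03-11T10:02:40 10.0.0.9 -> 198.51.100.7:6667 NICK [DEU|2K]90117",
    "2006-03-11T10:02:41 10.0.0.9 -> 198.51.100.7:6667 JOIN #c0ntrol",
    "2006-03-11T10:03:05 10.0.0.12 -> 198.51.100.7:6667 NICK [USA|XP]55521",
    "2006-03-11T10:03:06 10.0.0.12 -> 198.51.100.7:6667 JOIN #c0ntrol",
    "2006-03-11T10:05:00 10.0.0.20 -> 192.0.2.44:6667 NICK alice",
    "2006-03-11T10:05:01 10.0.0.20 -> 192.0.2.44:6667 JOIN #linux",
]

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (NICK|JOIN) (\S+)$")
# Assumed pattern for a machine-generated nick: [COUNTRY|OS]digits
GENERATED_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[A-Z0-9]+\]\d+$")


def parse_irc_log(lines):
    """Turn matching log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts, src, server, cmd, arg = m.groups()
            events.append({"ts": ts, "src": src, "server": server, "cmd": cmd, "arg": arg})
    return events


def find_suspicious_channels(lines, min_hosts=3):
    """Flag (server, channel) pairs that several internal hosts join, weighted by
    how many of those hosts used a generated-looking nick."""
    events = parse_irc_log(lines)

    nick_by_host = {}                      # (src, server) -> last NICK seen
    channel_members = defaultdict(set)     # (server, channel) -> set of src hosts
    for e in events:
        if e["cmd"] == "NICK":
            nick_by_host[(e["src"], e["server"])] = e["arg"]
        elif e["cmd"] == "JOIN":
            channel_members[(e["server"], e["arg"])].add(e["src"])

    findings = []
    for (server, channel), hosts in channel_members.items():
        generated = sum(
            1 for h in hosts
            if GENERATED_NICK_RE.match(nick_by_host.get((h, server), ""))
        )
        # Require a crowd of hosts, and at least half of them with generated nicks.
        if len(hosts) >= min_hosts and generated * 2 >= len(hosts):
            findings.append({
                "server": server,
                "channel": channel,
                "hosts": len(hosts),
                "generated_nicks": generated,
                "members": sorted(hosts),
            })
    return sorted(findings, key=lambda f: -f["hosts"])


if __name__ == "__main__":
    for f in find_suspicious_channels(LOG_LINES):
        print(f"{f['server']} {f['channel']}: {f['hosts']} hosts, "
              f"{f['generated_nicks']} generated nicks -> {', '.join(f['members'])}")
```

On the sample this reports only the `#c0ntrol` channel and lists the three internal hosts to look at; the single user on `#linux` never reaches the threshold. In practice the same grouping works on proxy or flow records once the NICK and JOIN commands have been extracted, and the nick pattern should be tuned to what actually shows up in the environment rather than the guess used here.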

To answer the question: very easy. All a knowledgeable user has to do is download source code from somewhere, make a few modifications, and he is set to go! Script kiddies do this all the time, especially if there are new software vulnerabilities to exploit. (More on vulnerability exploits and zero-day exploits in a separate blog post.)

In an interview with a certain hacker, Brian Krebs concluded that script kiddies no longer hack for fun (like defacing Web sites, though some still do); they do so for profit:

the chief distinguishing feature of this generation being that instead of using Web site flaws to deface as many Web sites as possible, these guys are breaking into thousands of home and work PCs and taking them for a virtual joyride, often times all the way to the bank.

The most daring make sure their actions are known, but those who want to earn a profit are more dangerous, since they will try their best to remain hidden. That’s why some bots use rootkits to avoid detection. And why derail the money train?

7 Mar

PC World’s Antivirus Review 2006

PC World has the goods on the best antivirus apps out there.

To quote PC World on their picks:

After the dust finally settled, BitDefender 9 Standard emerged as our Best Buy. It ranked in the top four on every performance measure, and it costs only $30. The $40 McAfee VirusScan 2006, with its relatively good heuristics performance and intuitive interface, came in second.

Trend Micro’s PC-cillin Internet Security Suite 2006, a descendant of our Best Buy in June 2004, finished ninth among the ten products. It performed poorly in the zoo and heuristics tests and is relatively expensive because it’s available only as a full security suite. On the bright side, it had snappy outbreak-response times and offers a stellar user interface.

The three free programs came up short, too: AntiVir placed seventh, Avast ranked eighth, and AVG brought up the rear in tenth. Of course, for people who have no budget for antivirus software, any one of these products provides far more protection than simply forgoing an antivirus utility.

Too bad Trend Micro fared poorly this time; it had stellar reviews before, but it seems it has lagged behind. It really needs better heuristics, contrary to the reason it gave. McAfee is the industry leader in heuristics. PC-cillin has the best UI, and I agree with that; it also has good pattern update schedules, and its response time is solid.

Take note that only home products are reviewed. I bet that when enterprise products are reviewed, Trend Micro will emerge as the best. It has the best support for enterprise customers, and it has products for all business concerns.

3 Mar

WordPress Database Error 28

Twice today I caught this error message in two blogs:

WordPress database error: [Got error 28 from table handler]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND post_date_gmt <= '2006-03-03 00:31:59' AND (post_status = "publish") AND post_status != "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT 0, 5

I saw this in MLQ3’s blog and in a co-worker’s blog. What’s going on?
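The number in “Got error 28 from table handler” is not a MySQL error code but the operating-system errno the storage engine hit, and errno 28 is ENOSPC, “No space left on device”; MySQL’s own `perror 28` prints the same text. The query itself is innocent, which is why the same message appears on otherwise unrelated blogs. As an added example (mine, not WordPress’s or MySQL’s), the snippet below extracts that number from the message, translates it the way `perror` would, and checks whether the filesystems under the assumed data and temporary directories are in fact nearly full; the paths and the free-space threshold are assumptions to adjust for the host.

```python
import errno
import os
import re
import shutil

# Constructed copy of the message from the post; the SQL after it plays no part in the diagnosis.
WP_ERROR = "WordPress database error: [Got error 28 from table handler]"

# MySQL relays OS errors as "Got error N from table handler" (older) or "... from storage engine" (newer).
HANDLER_ERR_RE = re.compile(r"Got error (\d+) from (?:table handler|storage engine)")


def parse_handler_errno(message):
    """Return the OS error number embedded in a storage-engine error message, or None."""
    m = HANDLER_ERR_RE.search(message)
    return int(m.group(1)) if m else None


def describe_errno(code):
    """Symbolic errno name and text for the number, as 'perror N' would show."""
    return errno.errorcode.get(code, "UNKNOWN"), os.strerror(code)


def nearly_full(paths, min_free_mb=50):
    """Paths (assumed MySQL datadir and tmpdir) whose filesystem has under min_free_mb free."""
    result = []
    for p in paths:
        if not os.path.isdir(p):        # path not present on this host; skip rather than guess
            continue
        if shutil.disk_usage(p).free < min_free_mb * 1024 * 1024:
            result.append(p)
    return result


def diagnose(message, paths=("/var/lib/mysql", "/tmp")):
    """One-line verdict for a WordPress/MySQL error message."""
    code = parse_handler_errno(message)
    if code is None:
        return "not a storage-engine OS error; look at the SQL or schema instead"
    name, text = describe_errno(code)
    verdict = f"errno {code} ({name}): {text}"
    if code == errno.ENOSPC:
        full = nearly_full(paths)
        verdict += "; nearly full here: " + (", ".join(full) if full else
                                             "none of the checked paths (run this on the DB host)")
    return verdict


if __name__ == "__main__":
    print(diagnose(WP_ERROR))
```

Running it on the database host points at the partition to clean up (binary logs and the temporary directory used for sorting are the usual culprits); on a web host that talks to a separate database server the free-space check is meaningless, which is why the verdict says so instead of reporting all clear.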