Tag: Security

Security

Vista Speech Command exploitable

Talk about fast! George Ou at zdnet posted an article about this particular gem.

Essentially, a user with the Speech Command feature enabled can browse to a web page which starts a sound file (like just about every mySpace page) containing clearly recorded commands, and the Speech Command feature will execute those commands without any other user interaction. While not every command is enabled through Speech Command, George explains why you should disable Speech Command until there is a fix:

The fact that a website can play a moderate level sound file to
interact in a way with the desktop by activating an idle speech
command system and be able to delete user documents with zero user
interaction is serious by any stretch of the imagination.

Update: Microsoft has confirmed this exploit.

Technorati Tags: , ,

Read More

  • January 31, 2007
  • February 1, 2007
  • sjan
Best Practices

Disclosure of Website Vulnerabilities Illegal?

A discussion on earlier today brought up the question. It seems that Eric McCarty, a student at Purdue University in Dr. Pascal Meunier’s CS390 – Secure Computing, discovered, and reported, a flaw he found on the Physics department website. When that site was hacked two months later (most likely through a different flaw, since the one reported by McCarty was patched) law enforcement came looking for Mr. McCarty. In this particular case McCarty came forward, and was eventually cleared. However, it did change how Dr. Meunier teaches his class. He no longer recommends disclosure, but recommends that one eliminates all evidence of the discovery from their computer and say nothing.

I see this as a particularly disturbing direction in which to move.

Read More

  • January 16, 2007
  • January 25, 2007
  • sjan
Security

MS Word 0-day: Round 3

Yesterday eWeek reported another 0-day exploit for Microsoft Word. While Microsoft has not publicly acknowledged the threat, has issued a bulletin warning of it and a has been released publicly.

From the CERT bulletin:

Data used by Microsoft Word to construct a destination address for a memory copy routine is embedded within a Word document itself. If an attacker constructs a Word document with a specially crafted value used to build this destination address, then that attacker may be able to overwrite arbitrary memory.

According to the eWeek article, currently only BitDefender recognizes the threat. Testing on a fully patched and up-to-date WinXP SP2 I can at least vouch that AVG doesn’t recognize it as a threat yet. Opening the POC in Microsoft Word results in successful execution of the exploit (which in the POC merely crashes Word.) Attempting to open the POC in OpenOffice results in OO reporting an error.

My recommendation: use .

Read More

  • December 15, 2006
  • January 23, 2007
  • sjan
OS X

Apple releases patch for some, not all flaws

On Tuesday Apple released Security Update 2006-007 for OS X which addresses some 31 flaws, including the well-known AirPort issue. The fixes cover both Mac specific and third-party components, including Perl, PHP and OpenSSL among others.

However, ZDNet UK reports that the patches fix none of the vulnerabilities found in the “Month of Kernel Bugs .” (The AirPort vulnerability was actually part of the MoKB, so it would be correct to say that at least one of them were covered by this patch.)

Read More

  • November 30, 2006
  • January 23, 2007
  • sjan
Security

Zero-Day Exploit Alert: WebViewFolderIcon setSlice Vulnerability

This is a Critical exploit, capable of executing code as the user running Internet Explorer. Reports of this in the wild as well as a temporary patch can be found at the Internet Storm Center.
From the eEye Digital Security Alert:

The PoC is an integer overflow-based heap overflow, in the DSA_SetItem function in COMCTL32.DLL. An arithmetic overflow can occur during multiplication to calculate the desired size for a call to ReAlloc, that isn’t reproduced during a subsequent call to memmove, so the allocated size can be smaller than the copy size and result in a heap buffer overflow. …

This vulnerability can result in remote code execution in the context of the logged in user. In order to exploit this an attacker must create a malicious website or leverage a site that allows for custom user content.

While the vulnerability was posted on the Browser Fun Blog on July 18th, the exploit first appeared over the weekend. The Microsoft Security Advisory has details on how to patch manually and how to apply the manual change to group policy.

Affects:

  • Windows 2000 Service Pack 4
  • Windows XP Service Pack 1
  • Windows XP Service Pack 2
  • Windows Server 2003
  • Windows Server 2003 Service Pack 1
  • Windows XP Professional x64 Edition
  • Windows Server 2003 for Itanium-based Systems
  • Windows Server 2003 with SP1 for Itanium-based Systems
  • Windows Server 2003 x64 Edition
Best Practices

Surf carefully

Although it has been said many, many times, be careful how you surf. Make sure your machine is patched, you have anti-virus and spy ware blockers, blah blah blah.

Well, if a picture is worth a thousand words, then maybe this video will shed some light on the subject (sorry – it is an ad for McAfee, which I neither use nor recommend – just my personal preference) .

Browsers

Code for IE exploit posted

Hackers Post Code for New IE Attack

Although the hackers are calling it a 0day exploit, it seems that it isn’t really. It is one of many that can be easily found using the AxMan ActiveX fuzzing engine. It seems that the guys over at xsec.org are trying to take more than reasonable credit for writing code to exploit a known vulnerability.

HD Moore, head of the Metasploit project was quoted in the article as saying:

“This is one of the many exploitable bugs that can be discovered using AxMan and one of the few that I didn’t include in Month of Browser bugs due to the ease of exploitation. I still have three or four left in IE that have similar impact.”

There is also a Secunia Advisory related to this exploit.

Read More

  • September 17, 2006
  • January 23, 2007
  • sjan
Browsers

Security fixes for Firefox

Firefox 1.5.0.7 was released this morning which fixes the following security issues:

MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
MFSA 2006-61 Frame spoofing using document.open()
MFSA 2006-60 RSA Signature Forgery
MFSA 2006-59 Concurrency-related vulnerability
MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
MFSA 2006-57 JavaScript Regular Expression Heap Corruption

Read More

  • September 14, 2006
  • January 23, 2007
  • sjan
Security

Here they come . . .

In the eEye security bulletin for today the news of not just one, but two worms in the wild based on the Server Service vulnerability. If you still haven’t patched do it now, unless you’ve been infected, in which case eEye recommends “to wipe the system clean and rebuild it from the last uninfected backup.”

Security

Patch! Patch! Patch!

As much as this should be ingrained in our computing habits, this still needs to be said: Apply patches when they come out!

The Microsoft Security Bulletin MS06-040 came out on the 8th, and a module to exploit the flaw came shortly after. Tech e-zine eWeek reported that Immunity and Core Security Technologies had both released what they deemed “reliable exploits” for the flaw and declared it wormable on all Windows versions.

Dave Aitel, CEO of Immunity said in an interview with eWeek “A worm is coming. This bug is just too easy to exploit.”

This is a vulnerability that would allow for remote takeover of an unpatched Windows machine. It will be interesting to see how widespread the damage is when (not if) a worm is released.

Patches are available from the bulletin (follow the links) or from Windows Update.