Sunday, February 13, 2011
What have we learned from Conficker?
Conficker is the name given to a family of worms. It initially spread by exploiting a flaw in the Windows Server service (patched by MS08-067), but it has evolved considerably since then (variants A through E so far), adding propagation through removable media and weakly protected network shares.
Almost from its first appearance, Conficker showed how effectively a random-scanning worm can exploit the huge worldwide pool of poorly managed, unpatched, Internet-accessible computers. Even when patches are produced promptly, widely publicised and pushed automatically by operating-system and application vendors, Conficker demonstrates that millions of Internet-accessible machines can remain vulnerable indefinitely.
Some security-conscious environments even choose to forgo automated patching, trading vulnerability exposure for a perceived gain in platform stability.
Another lesson of Conficker is how readily malware can abuse the mechanisms through which the Internet name space is governed. Domain generation algorithms (DGAs), together with fast flux (rapidly changing DNS records, so that a single name resolves to hundreds or thousands of IP addresses over time), are increasingly adopted by malware operators in response to the growing efficiency with which whitehats were beheading whole botnets by quickly identifying and taking down their command-and-control sites and redirecting every bot's connections to a sinkhole.
While not an original concept, Conficker's DGA produced a new and distinctive struggle between Conficker's authors and the whitehat community, who fought for control of the daily sets of domains that served as Conficker's Internet rendezvous points. Because a DGA is deterministic, anyone who knows the algorithm and its seed can compute the domains in advance, so defenders could register or sinkhole them ahead of the operators; the authors answered by raising the number of candidate domains per day (Conficker.C generated 50,000) until pre-registration became impractical.
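To make the race described above concrete, here is an illustrative date-seeded DGA. It is an added example, not Conficker's actual algorithm and not code from the original post; the seed, the TLD pool, the label length and the daily count are all hypothetical. What it shows is that the bot and the defender compute the same daily list from the same seed, so the defender can pre-register a week's worth of names, and that the operators' counter-move is simply to make the daily list too large to register.

```python
"""Illustrative domain generation algorithm (DGA).

Added example, not Conficker's real algorithm: bot and defender derive the same
daily domain set from a shared seed, so whoever registers (or sinkholes)
tomorrow's names first controls the rendezvous point.
"""
import datetime
import hashlib

TLDS = ("com", "net", "org", "info", "biz")   # hypothetical TLD pool
SEED = b"example-botnet-v1"                    # hypothetical, hard-coded in the bot


def daily_domains(day_iso, count=50, seed=SEED):
    """Return `count` domains for the date `day_iso` ("YYYY-MM-DD"); every party
    that knows `seed` gets the same list, in the same order."""
    domains = []
    for i in range(count):
        material = seed + day_iso.encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                                  # 8..12 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def bot_rendezvous(day_iso, registered, count=50):
    """Bot side: try the day's candidates in order and use the first one that
    resolves. `registered` stands in for DNS: the names somebody has registered."""
    for name in daily_domains(day_iso, count):
        if name in registered:
            return name
    return None


def defender_preregister(start_iso, days, count=50):
    """Defender side: precompute every name the bots will try over `days` days so
    they can be registered or sinkholed before the operators get to them."""
    start = datetime.date.fromisoformat(start_iso)
    names = set()
    for offset in range(days):
        day = (start + datetime.timedelta(days=offset)).isoformat()
        names.update(daily_domains(day, count))
    return names


if __name__ == "__main__":
    today = "2009-02-01"                      # constructed date
    sinkhole = defender_preregister(today, 7)
    print(len(sinkhole), "names to register for the week")
    print("bot lands on", bot_rendezvous(today, sinkhole))
    # The operators' counter-move: at 50,000 names a day the defender would need
    # 350,000 registrations to cover the same week.
    print(len(defender_preregister(today, 1, 50_000)), "names for one day at 50,000/day")
```

The sinkhole set wins only while it is complete: if the defender misses a single day's list (or the operators change the seed), the first unregistered name the bot reaches is once again the operators' to claim.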
Yet another lesson from the study of Conficker is the ominous sophistication with which modern malware terminates, disables, reconfigures or blackholes native OS and third-party security services. Conficker, for example, stopped the Windows Update, Security Center and Defender services and blocked name resolution for security vendors' domains, cutting the host off from both patches and signature updates.
Today's malware poses a comprehensive challenge to legacy host-based security products, including Microsoft's own anti-malware and host-recovery technologies. Conficker illustrates the degree to which security vendors must not only hunt for malicious logic but also defend their own availability, integrity and network connectivity, on which they depend for a continual flow of the latest threat intelligence.
To address this concern, we may eventually need new OS services specifically designed to help third-party security applications maintain their foothold within the host.
Thursday, January 13, 2011
Windows UAC Malware Threat
A new zero-day attack against Windows has been discovered in the wild. It bypasses the User Account Control (UAC) protection introduced in Windows Vista, which is designed to stop malware from gaining administrative rights without the user's authorisation.
The proof-of-concept implementation of the infection technique, known as Troj/EUDPoC-A, was posted to a Chinese educational forum before being discovered by anti-virus researchers from various security firms.
Chester Wisniewski of anti-virus vendor Sophos warns that the technique used by the Trojan enables an attacker to impersonate the SYSTEM account, which has nearly unlimited access to all components of Windows, and does so without triggering the User Account Control protections Microsoft introduced to prevent exactly that. The flaw currently exists in all versions of Windows.
Please ensure your system is up to date with the latest patches and your anti-virus has the latest definitions. Keep in mind that Microsoft itself does not treat UAC as a security boundary: the Trojan gains SYSTEM by exploiting a flaw in Windows, so only a fix for that flaw closes the hole, and a UAC prompt was never going to stop it.
Sunday, August 8, 2010
Unpatched kernel-level vuln affects all Windows versions
Researchers have identified a kernel-level vulnerability in Windows that lets a local attacker gain elevated privileges and that may also be usable to execute malicious code. All versions of Windows are affected, including Windows 7.
The buffer overflow can be exploited to escalate privileges or crash vulnerable machines, according to the vulnerability research company Vupen, and may also allow arbitrary code execution with kernel privileges. Note that exploiting it requires getting code to run on the target first (for instance through a browser or document exploit), so in practice it is an escalation from an ordinary user account to the kernel rather than a remote break-in on its own.
The bug is in the CreateDIBPalette() function of the kernel-mode driver Win32k.sys. It is triggered by a bitmap that declares far more colour entries than the buffer allocated for them can hold; the surplus entries overwrite adjacent memory, potentially letting an attacker smuggle in a payload, the vulnerability tracking service Secunia warned.
Thursday, July 22, 2010
Vulnerability Discovered in Patched Windows 2000, XP
Secunia, an Internet security company, reports that another critical flaw has been found in Microsoft Windows, this time in fully patched Windows XP and Windows 2000, which attackers could exploit to run code of their choosing.
Secunia rates the flaw "moderately critical" and attributes it to a boundary error in the CFrameWnd class's UpdateFrameTitleForDocument() method in mfc42.dll: passing an overly long title string to the method causes a heap overflow.
If exploited, the flaw lets an attacker execute arbitrary code, compromise the user's PC and steal sensitive data. Reaching the vulnerable code takes some social engineering, because the flaw sits in a library rather than a network service and is only reachable through an application that passes attacker-controlled data into a frame-window title. Secunia confirmed that the flaw exists in fully patched Windows XP SP2/SP3 and Windows 2000 Professional SP4.
Since no patch is available yet, Secunia advises against using software that passes user-controlled input to the vulnerable method.
Notably, Microsoft states that it knows about the security flaw and is working to fix it.
Monday, July 19, 2010
Microsoft Security Bulletin MS10-042 - Critical
This bulletin fixes the Help and Support Center (hcp://) vulnerability covered by Security Advisory 2219475 (see the June 21 post below), which was being exploited in the wild before the patch. Writing on the MMPC blog, Holly Stewart wrote: “Early on, we saw attackers incorporate code to single out Windows XP targets, but more recently the attackers have been less discriminant, attempting this attack on a variety of operating systems.”
She said that the attackers had primarily targeted computers in Portugal and Russia, but that the UK had seen the largest increase in attacks on systems running Windows XP.
"The UK, in particular, was one of the regions in which we witnessed a surge in attack attempts over this past weekend."
Monday, June 21, 2010
Windows HCP Flaw - No Patch available yet
Anyone running Windows XP or Windows Server 2003 needs to apply Microsoft's registry workaround ASAP.
A critical bug in the Help and Support Center was made public recently, and Microsoft has neither a fix nor an estimate of when one will be available. Worse still, working exploit code is publicly available along with a detailed explanation of the flaw, which makes it especially easy for attackers to use.
The problem has to do with the way hcp:// links are processed. Ordinary web links use http://; hcp:// links are handled by the Help and Support Center (helpctr.exe), and a flaw in how helpctr.exe validates those URLs lets a crafted link on a web page make it run commands.
Microsoft's Security Advisory (2219475) warns "This vulnerability could allow remote code execution if a user views a specially crafted Web page using a Web browser ... "
If the bug is exploited, an attacker can run software or commands on your computer with your privileges. That last phrase is important but hasn't been stressed in the articles I've seen on the subject: if you browse as a standard user rather than an administrator, what the exploit can do is limited to what you can do.
Until Microsoft ships a patch, the workaround in the advisory is to unregister the HCP protocol handler by deleting the registry key HKEY_CLASSES_ROOT\HCP (export the key first so you can restore it; Microsoft also published a Fix it that does the same). This breaks hcp:// links in Help and Support until you restore the key after patching. The fix itself arrived in MS10-042 on July 13, 2010.
Thursday, January 21, 2010
Risk of IE 0-day vulnerability - Don't Panic
Roger Halbheer of Microsoft wants to make sure everyone has noticed that Microsoft has just released Security Advisory 979352 and is going out of band with a fix. Quoting his post:
Based on our comprehensive monitoring of the threat landscape we continue to see very limited, and in some cases, targeted attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6.
[…]
Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.
Symantec explains, "there's a hole in Internet Explorer which a cybercriminal can take advantage of by creating a malicious threat that targets anyone who is using the vulnerable browser and is not protected".
Linked to the attacks on Google (although those were far more targeted than anything consumers will experience), criminals have created a new Trojan that exploits the vulnerability, which has led the French and German governments, and especially the Australian government, to advise against using Internet Explorer.
Please follow these recommendations:
1) Deploy the security update as soon as it is out (it shipped out of band as MS10-002 on January 21, 2010).
2) Upgrade to Internet Explorer 8 as soon as possible. IE8 is affected too, but on Vista and Windows 7 it runs with DEP and Protected Mode enabled by default, which makes the known exploit far harder to pull off.
Wednesday, September 23, 2009
New Web-based attacks target Windows Media holes
Browsing without new patch could be hazardous
Three separate vulnerabilities in Windows media components make you susceptible to drive-by exploits from otherwise trustworthy web sites. They affect you even if you never deliberately use Windows Media Player or Internet Explorer, because the vulnerable code lives in Windows components that other software can invoke, so you should definitely apply this week's Windows patches. This month's security patches for Windows are a reminder that even the sites we trust can be sources of malware infections.
Microsoft security bulletin MS09-047 (KB 973812) patches holes that allow a malicious media file, once downloaded or streamed, to take complete control of your system. More and more sites, even popular ones such as Facebook, have unknowingly hosted malicious banner ads, which is one way such media files reach you.
Microsoft's Security Research & Defense blog predicts that this vulnerability will likely be targeted by such exploits within the next 30 days. Vista and Windows 7 have some protection against these attacks (DEP and ASLR make the overflow harder to exploit reliably), but you should download and install MS09-047 immediately to stop them completely, especially if you use XP. If, for some reason, you can't install this patch, remember that even sites you think of as trustworthy might serve a malicious banner ad from a third-party ad host.
The safest course is to apply this patch and to use a browser other than IE, such as Firefox, Chrome or Opera. Switching browsers reduces exposure to IE-specific attack paths, but it does not remove the vulnerable media components, so the patch is what actually closes the hole.
Monday, September 21, 2009
Hackers exploit FTP flaw in Microsoft's IIS
Microsoft says FTP Service versions 5 and 6 are affected, but that FTP Service 7.5 on Vista and Windows Server 2008 is not.
Webmasters take note: if you use Microsoft's FTP service, attackers could plant code on your servers or launch a denial-of-service (DoS) attack against your site. According to Microsoft, a newly discovered set of FTP flaws lets an attacker install unauthorised software on an Internet Information Services (IIS) server or crash the box. The vulnerable versions of the FTP service shipped with several flavours of Windows and Windows Server over the years.
Microsoft says the latest version of the FTP service, 7.5, is safe on Vista and Windows Server 2008. The remote code execution vulnerability, first described on the Milw0rm security site on Aug. 31, could allow an attacker to run malicious code. Newer versions of Windows build the service with the /GS buffer security check, which turns the overflow into a crash rather than code execution; earlier versions have no such protection. The newly announced vulnerabilities also include a buffer overflow that could be used for a DoS attack against any affected version of Windows.
The attacks require an FTP account with write access (the ability to create directories). An anonymous account that has both read and write permissions is the worst case, but the threat isn't limited to anonymous users: any writable account will do.
Microsoft has updated security advisory 975191 to discuss all the known unpatched FTP exploits in IIS.
Thursday, May 28, 2009
An easier way to fully patch a rebuilt system
Many people asked for a way to slipstream XP Service Pack 3 into their installation media or for an easier way to fully patch a rebuilt system. The most obvious method is to build your own SP3 slipstream media. The Lifehacker site offers a good how-to page that describes the process step by step. An alternative is to create a patch CD. There are several options for doing this, one of which is presented on the PatchMate site.
The Windows Updates Downloader site and AutoPatcher provide alternative approaches to the same end. Any of these will help you do what Microsoft is failing to do: give us a way to update our Windows installation media so we can legally and easily reinstall the operating system on the same hardware when a machine becomes sluggish or needs a refresh. Whichever route you take, source the update packages from Microsoft and check their digital signatures before slipstreaming them; a patch CD assembled from files of unknown origin is a supply-chain risk of its own.
Saturday, April 11, 2009
Five 'Critical' Patches Planned for Tuesday
After some comparatively light patch rollouts in past months, Microsoft's April Patch Tuesday promises a fuller slate with eight security bulletins. Five are rated "critical" and two "important," with one rare "moderate" patch.
This month's round of security updates may be the largest since October. It is expected to include fixes for Windows programs and services, DirectX, and ubiquitous Microsoft applications such as Internet Explorer (IE), Excel and Word. All of the critical items involve remote code execution. The important items address two elevation-of-privilege bugs, and the moderate patch protects against a denial-of-service attack.
The first critical bulletin is described as a Windows fix and affects Windows 2000, XP and Windows Server 2003. Meanwhile, the second critical Windows patch touches on all supported Windows client and server OSes.
All of the eight patches may require restarts.
Monday, April 6, 2009
Don't open or save PowerPoint files from untrusted sources
Microsoft issued a security advisory Thursday warning users about a zero-day attack exploiting a critical vulnerability in Microsoft Office PowerPoint that could allow remote attackers to run arbitrary code on their PCs. Microsoft confirmed in its advisory that exploit code was being used in the wild, but added that so far the flaw appears to be used only in "limited and targeted attacks."
The flaw affects numerous versions of Microsoft Office PowerPoint, including PowerPoint 2000, PowerPoint XP, PowerPoint 2003 and Microsoft Office PowerPoint 2004 for Mac. Later versions, including Microsoft Office PowerPoint 2007 and Microsoft Office PowerPoint for Mac 2008, are not affected.
Specifically, the vulnerability is a memory corruption bug triggered when parsing a specially crafted PowerPoint file, which opens the door for remote attackers to run malicious code. Users can be infected by opening a malicious PowerPoint attachment in e-mail, which then downloads a Trojan onto the system. Attackers could also launch an attack by enticing victims to visit a web site laden with malicious code, typically via a link embedded in e-mail or IM.
Once the vulnerability is exploited, the attacker can run code with the privileges of the logged-on user; if that user is an administrator, the attacker can take complete control of the machine to steal, alter or delete sensitive information.
Microsoft said it was initiating its security incident response procedure and enlisting the help of other security partners to remedy the flaw with a fix that could be included in a regular monthly update bundle or released as an out-of-band patch.
While no security update has been released, there are some mitigating measures users can take. Microsoft warns that users should not open or save Office files received from unfamiliar sources. Suggested workarounds also include using the Microsoft Office Isolated Conversion Environment (MOICE) when opening files from unknown or untrusted sources, and using the File Block policy to block Office 2003 and earlier document formats.
Wednesday, March 18, 2009
MS09-008. Does the patch work?
This vulnerability could be used to launch man-in-the-middle attacks through Windows DNS servers. Browsers on the PCs in the network pick up their proxy configuration from the WPAD entry, so a user whose browser obtains proxy settings automatically can be redirected to a malicious proxy, giving the attacker access to all of that user's traffic. To perform the attack, the attacker inserts a WPAD record into the DNS server via dynamic update, which any client permitted to perform dynamic updates can do as long as no WPAD record exists yet.
As part of the fix, Microsoft creates two new values under the registry key HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters: EnableGlobalQueryBlockList (a DWORD set to 1) and GlobalQueryBlockList (a REG_MULTI_SZ list of host names).
Once these values exist, a man-in-the-middle attempt of this kind fails, because the server refuses to answer queries for any name on the block list, in every zone it hosts; the installer adds wpad to the list unless a WPAD record already existed before the patch was applied.
However, MS09-008 does not behave the same way if you were already attacked before patching: the patch does not remove the existing record, and the man-in-the-middle attack continues. Why? Because in that case the GlobalQueryBlockList value created by the patch contains only isatap instead of wpad and isatap (the installer assumes an existing WPAD record is a legitimate one), so queries for WPAD are not blocked.
So if a successful attack took place before you applied the patch, your traffic can still be redirected to a malicious proxy. The patch alone does not resolve the problem, and the malicious proxy stays in place, sniffing all your traffic.
To fix this, add wpad to the GlobalQueryBlockList value, delete the rogue WPAD record from the zone, and restart the DNS service. Microsoft's DNS team has blogged about this and how to resolve it.
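As an added example (not code from the original post or from Microsoft), the following models the block-list decision just described and checks and repairs the value. `resolve` mimics the server's rule: with the list enabled, a query whose leftmost label matches an entry is refused in every zone, whatever records the zone holds, which is why a rogue wpad record survives the patch untouched when wpad is missing from the list. The zone data is constructed; the registry read at the end only works on a Windows DNS server and the `dnscmd` usage is noted after the block.

```python
"""Added example (not from the original post or Microsoft): model the DNS
server's GlobalQueryBlockList decision and check/repair the registry value."""
import sys

REG_PATH = r"SYSTEM\CurrentControlSet\Services\DNS\Parameters"
REQUIRED = ("wpad", "isatap")      # what a complete block list must contain


def is_blocked(fqdn, block_list, enabled=True):
    """True if the server would refuse to answer `fqdn` because of the block list.
    Only the leftmost label is compared, case-insensitively, in every zone."""
    if not enabled:
        return False
    host = fqdn.rstrip(".").split(".")[0].lower()
    return host in {entry.lower() for entry in block_list}


def resolve(fqdn, block_list, zone_records, enabled=True):
    """Return the A record the server would hand out, or None if blocked or absent."""
    if is_blocked(fqdn, block_list, enabled):
        return None
    return zone_records.get(fqdn.rstrip(".").lower())


def missing_entries(block_list):
    """Required names absent from the list (the MS09-008 failure mode is ['wpad'])."""
    present = {entry.lower() for entry in block_list}
    return [name for name in REQUIRED if name not in present]


def repair_block_list(block_list):
    """Return the list with wpad and isatap present; existing entries are kept."""
    return list(block_list) + missing_entries(block_list)


def read_registry_block_list():
    """Windows only: read EnableGlobalQueryBlockList and GlobalQueryBlockList from
    the local DNS server. Returns (enabled, entries)."""
    if sys.platform != "win32":
        raise RuntimeError("registry access requires Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
        enabled, _ = winreg.QueryValueEx(key, "EnableGlobalQueryBlockList")
        entries, kind = winreg.QueryValueEx(key, "GlobalQueryBlockList")
    if kind != winreg.REG_MULTI_SZ:
        raise RuntimeError("GlobalQueryBlockList is not REG_MULTI_SZ")
    return bool(enabled), list(entries)


if __name__ == "__main__":
    # Constructed zone: the attacker registered wpad via dynamic update before patching.
    zone = {
        "wpad.corp.example": "10.0.0.66",        # rogue record pointing at the attacker's proxy
        "isatap.corp.example": "10.0.0.5",
        "fileserver.corp.example": "10.0.0.10",
    }
    after_patch = ["isatap"]                       # what the installer writes when wpad pre-exists
    print("patched, wpad pre-existing:", resolve("wpad.corp.example", after_patch, zone))
    fixed = repair_block_list(after_patch)
    print("after adding wpad:", fixed, "->", resolve("wpad.corp.example", fixed, zone))
    if sys.platform == "win32":
        enabled, entries = read_registry_block_list()
        print("this server:", enabled, entries, "missing:", missing_entries(entries))
```

On the server itself the list can be set with `dnscmd /config /globalqueryblocklist wpad isatap` followed by a restart of the DNS service. Two caveats: the block list hides the rogue record but does not delete it, so remove it from the zone as well; and if your organisation legitimately publishes WPAD through DNS, adding wpad to the list breaks that, so confirm the existing record is yours before deciding which way to go.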
Friday, March 13, 2009
XP SP3 and Server 2003 SP2 may need repatching
People who installed the GDI+ security update when it first came out last year, and then installed either the XP SP3 or the Server 2003 SP2 service pack, may not know that the service pack reverted gdiplus.dll to a vulnerable version. (The original post names the update as MS08-067; MS08-067 is the Server service fix that Conficker exploits and does not ship gdiplus.dll, whereas the GDI+ bulletin that does is MS08-052.) Service packs aren't supposed to do that. They're supposed to be smart enough to retain the patched versions of all system files. To check, compare the version of gdiplus.dll in the side-by-side store with the version listed in the bulletin, and reinstall the update if it is older:
C:\Windows\WinSxS\x86_Microsoft.Windows.GdiPlus_hashnumber
Friday, March 6, 2009
Conficker Worm - Microsoft's fault or not?
Nearly 18 months after it was discovered, Microsoft has finally fixed a hole in the AutoRun function of older Windows versions that allowed viruses to spread via external storage devices.
While it's good to know Microsoft is finally listening to the complaints of the Windows community, the company's delay in applying important patches put our systems at risk unnecessarily.
The more noise customers make, the more likely the problems will be rectified. Most recently, the Conficker worm has been spreading across networks, often entering systems via USB flash drives and other removable media. Shamefully, Microsoft could have — and should have — prevented this massive infection from happening in the first place.
In October 2007, Nick Brown documented in his blog how viruses and worms were entering his network via USB memory sticks. Fast-forward to one year ago. Will Dormann and US-CERT (the United States Computer Emergency Readiness Team) published information on Mar. 20, 2008, confirming that Microsoft's AutoRun advice didn't block threats.
In July 2008, Microsoft released security bulletin MS08-038. The patch in this bulletin made it possible for users to control AutoRun properly, but only on Windows Vista and Server 2008.
So what happened to the equivalent patch for Windows 2000, XP, and Server 2003? In May 2008, Microsoft had in fact released a patch for these systems, which is described in Knowledge Base article 953252. However, as described in a Jan. 22, 2009, Computerworld article, US-CERT found that the fix for XP/2000/2003 had to be applied manually. Furthermore, Microsoft was not making the patch available automatically via any Windows Update service.
It wasn't until Feb. 24 of this year that Microsoft distributed this patch via Windows Update to XP, 2000, and 2003. This is described in the company's security advisory 967940.
Many home and business PC users rarely deploy patches that aren't available through Windows Update, Microsoft Update or WSUS (Windows Server Update Services). Add to this the confusing and conflicting information about the AutoRun patch, and it's no wonder the Conficker worm, which abuses AutoRun functionality to spread from removable media, made the inroads that it did.
You may be wondering why it took Microsoft so long to distribute for XP/2000/2003 users the fix that permits AutoRun to be properly disabled. One clue may be found in the file versions listed in KB article 967715. The Windows Server 2003 files are dated Feb. 10, 2009. Typically, Microsoft doesn't release a fix for one platform if it's still developing a fix for another platform. This is done to avoid putting one set of customers at risk while protecting others.
That's usually a valid reason to wait before distributing patches. But when you open up the files described in the earlier KB article 953252, you find that all the files in that hotfix date back to mid-2008.
Why did it take an admonition from CERT to convince Microsoft to add this vital fix to Automatic Updates for those versions of Windows? To make things even more confusing, the way Microsoft released the XP/2000/2003 fix at the end of February caused many people to think it was an out-of-cycle security patch.
For home users, I'm not yet ready to pull the fire alarm and tell everyone to disable AutoRun. But I do urge you to be very leery of plugging USB flash drives into your system if you're unsure whether they've been used on other computers. Large organizations, however, should consider disabling AutoRun on their networked PCs, considering how hard it's been to stomp out the Conficker worm and others.
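For an organisation deciding whether its AutoRun policy actually holds, the following added example (not code from the original post or from Microsoft) decodes the NoDriveTypeAutoRun bitmask and applies the rule the post describes: on XP, 2000 and Server 2003 the bitmask is only honoured reliably once the KB 967715 update is installed and HonorAutorunSetting is 1, while on Vista and Server 2008 with MS08-038 the bitmask alone is respected. The bit meanings are the documented drive-type bits; the registry read at the end only works on Windows and is an assumption about where the policy is stored (HKLM or HKCU under Policies\Explorer).

```python
"""Added example (not from the original post or Microsoft): decode the
NoDriveTypeAutoRun policy and judge whether AutoRun is really off for removable
media on the platform in question."""
import sys

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Each set bit in NoDriveTypeAutoRun disables AutoRun for one drive type.
DRIVE_TYPE_BITS = (
    (0x01, "DRIVE_UNKNOWN"),
    (0x02, "DRIVE_NO_ROOT_DIR"),
    (0x04, "DRIVE_REMOVABLE"),   # USB sticks, floppies
    (0x08, "DRIVE_FIXED"),       # hard disks, including USB hard disks
    (0x10, "DRIVE_REMOTE"),      # network shares
    (0x20, "DRIVE_CDROM"),
    (0x40, "DRIVE_RAMDISK"),
    (0x80, "reserved"),
)
XP_DEFAULT = 0x91       # XP with no policy set: unknown, remote and reserved only
DISABLE_ALL = 0xFF


def disabled_types(mask):
    """Drive types for which the mask turns AutoRun off."""
    return [name for bit, name in DRIVE_TYPE_BITS if mask & bit]


def exposed_types(mask):
    """Drive types on which AutoRun can still fire under this mask."""
    return [name for bit, name in DRIVE_TYPE_BITS if not mask & bit]


def assess(mask, honor_setting, legacy_platform):
    """Verdict for one machine. `legacy_platform` is True for XP/2000/2003, where
    the KB 967715 HonorAutorunSetting value decides whether the mask is honoured.
    A missing mask (None) means the XP default applies."""
    mask = XP_DEFAULT if mask is None else mask
    reliable = (not legacy_platform) or honor_setting == 1
    exposed = exposed_types(mask)
    return {
        "exposed": exposed,
        "reliable": reliable,
        "removable_media_safe": reliable
        and "DRIVE_REMOVABLE" not in exposed
        and "DRIVE_CDROM" not in exposed,
    }


def read_policy(hive_name="HKLM"):
    """Windows only: read NoDriveTypeAutoRun and HonorAutorunSetting (None if absent)."""
    if sys.platform != "win32":
        raise RuntimeError("registry access requires Windows")
    import winreg
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {}
    with winreg.OpenKey(hive, POLICY_KEY) as key:
        for name in ("NoDriveTypeAutoRun", "HonorAutorunSetting"):
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                values[name] = None
    return values


if __name__ == "__main__":
    print("XP default:", assess(XP_DEFAULT, None, legacy_platform=True))
    print("hardened XP:", assess(DISABLE_ALL, 1, legacy_platform=True))
    if sys.platform == "win32":
        v = read_policy()
        legacy = sys.getwindowsversion().major < 6
        print("this machine:", assess(v["NoDriveTypeAutoRun"], v["HonorAutorunSetting"], legacy))
```

The XP default of 0x91 leaves both removable drives and CD-ROMs exposed, which is exactly the path Conficker's autorun.inf used. To enforce the policy machine-wide, set `NoDriveTypeAutoRun` to 0xFF under the HKLM policy key (for example `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0xFF /f`), install KB 967715 on XP/2000/2003 and confirm `HonorAutorunSetting` is 1 afterwards. Nick Brown's belt-and-braces trick, setting the default value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf to `@SYS:DoesNotExist`, makes Windows read every autorun.inf from a registry location that does not exist and works regardless of the bitmask.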
So do you think if this patch had been pushed to all Windows users sooner, much of Conficker's pain might have been avoided?
Friday, February 20, 2009
Malware crooks were quick to develop MS09-002 exploit
An exploit targeting a recently patched vulnerability in Internet Explorer 7 has been discovered in the wild. Malware crooks were quick to develop a working exploit for the vulnerability (MS09-002, CVE-2009-0075), which was part of the February Microsoft patch release. Microsoft rated the vulnerability critical, with an Exploitability Index of "consistent exploit code likely".
The attack is delivered as a maliciously crafted Word document sent to unsuspecting users. The document contains an embedded ActiveX control which, when the document is opened, connects to a web site hosting the MS09-002 exploit and launches it in the browser engine.
Malware authors are always working on new and improved ways to evade detection and control compromised machines. This time they added obfuscation (base64-encoded script), presumably to hinder easy analysis and detection.
For those who have not patched their machines, I suggest you install the MS09-002 patch immediately. It will just be a matter of time before different variants of this exploit start circulating in the wild and become incorporated into various Do-It-Yourself web attack toolkits.
McAfee Anti-Virus detects the malicious Word document with current DATs as Exploit-MSWord.k and the Internet Explorer 7 exploit as Exploit-XMLhttp.d / Exploit-CVE2009-0075.
Tuesday, February 17, 2009
ActiveX kill-bit patch zaps Visual Basic apps
One of the updates released by Microsoft this week causes some applications using Visual Basic controls to fail. The short-term solution is to remove the update, but be sure to reinstall it once your VB apps have been corrected.
If your organisation's line-of-business programs use Visual Basic 6 runtime controls (the controls patched in MS08-070, such as the FlexGrid control msflxgrd.ocx), one of this month's Windows patches may cause your programs to misfire. The patch that is the focus of this Microsoft Security Advisory sets ActiveX kill bits that also affect custom controls built on those components. The update is described in KB 960715.
Terry Seiberlich reports that two of his company's applications — the Office Tools Professional business-management program and Sage Software's ACT contact manager/CRM app — were affected by this ActiveX kill bit. I've been unable to determine whether the problem is present in ACT itself or only in applications that use these VBA controls and also plug into ACT.
Any application relying on msflxgrd.ocx may also be affected. For example, if one of your line-of-business apps is built on the Microsoft Access database program, you may wish to contact the vendor before installing this patch. Bear in mind that a kill bit is a per-CLSID setting: removing the update restores the vulnerable controls for every application that loads them, not only the one that broke, so treat the removal as temporary.
You may need to wait for your vendors to give you the thumbs-up before you install this kill bit. If the update has already been installed on your PC and you need to remove it, click Start (Start, Run in XP), type appwiz.cpl, and press Enter. In Windows XP, make sure Show updates is checked at the top of the Add or Remove Programs window. In Vista, click View installed updates in the top-left pane. Look for Security Update for Windows (KB960715) and uninstall it.
