Tuesday, October 9, 2007

October Patch Tuesday

Microsoft announced there would be 7 advisories on this Patch Tuesday, but we only got 6. It makes you wonder what they held back and why.

That aside, there are a couple of things to know about today's advisories and patches. Here's the breakdown:

  • MS07-055 -- Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution

    The first thing I thought when seeing this is, "how many people have the Kodak Image Viewer installed?" It turns out, a lot. It was installed on all Windows 2000 machines and is still installed on Windows XP machines that were upgraded from Windows 2000.

    This vulnerability is very similar to other extremely critical image handling vulnerabilities that have wreaked havoc on Windows operating systems lately. If you even browse to a folder with a malicious image on a vulnerable machine, the malicious image will be able to execute code on your system. So this impacts anything that displays images, from Windows Explorer thumbnails and previews to Internet Explorer and Outlook.

    Microsoft does mention that if you have installed Office 2003, the Kodak Image Viewer may have been replaced by a different image viewer.

    This is a potentially extremely serious vulnerability, but at this time the details for how to exploit it are almost non-existent and there are no exploits in the wild.

  • MS07-056 -- Security Update for Outlook Express and Windows Mail

    This relates to how a URL that starts with nntp:// can be used to point a user to a malicious news server (potentially without user interaction if the URL is used as an image source) that overflows memory and potentially executes arbitrary code.

    The malicious news server must be custom and has to know how to overflow the handler. There are no examples and no exploits in the wild, but there's enough information for someone to create an exploit without undue difficulty. This is definitely a critical issue.

  • MS07-057 -- Cumulative Security Update for Internet Explorer

    This is actually three separate vulnerabilities in JavaScript on Internet Explorer from version 5 through 7. All Windows operating systems including Vista are affected. Two of the vulnerabilities use JavaScript tricks to make a person think they've navigated to a particular website when in fact they haven't. This could be exploited by phishers to trick people into thinking they're legitimately at their bank's website (or PayPal, eBay, etc.). There are several publicly available demonstrations showing how to exploit this. Patch immediately.

    The other issue in this update is a heap overflow caused when a script starts several download attempts of the same file and then frees the memory for those download attempts.

    To alleviate both of these issues, consider using Firefox instead of Internet Explorer and consider trying the NoScript plugin for Firefox.

  • MS07-058 -- Vulnerability in RPC Could Allow Denial of Service

    This vulnerability reminds me a bit of the old ping of death. A specially crafted Windows file-sharing authentication message will cause a computer to spontaneously reboot. Microsoft recommends that people firewall UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593. If you have a gateway firewall, it should block these ports by default. If not, you should strongly consider installing a personal firewall such as ZoneAlarm.

  • MS07-059 -- Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site

    If you use SharePoint, you should be aware that an authenticated user could increase their privileges through a cross-site scripting (XSS) vulnerability. We don't view this as a critical vulnerability.

  • MS07-060 -- Vulnerability in Microsoft Word Could Allow Remote Code Execution

    This incorporates 4 separate vulnerabilities in Word for Windows and for Mac that could be exploited by a malicious Word document. The most serious of these issues is a recurrence of an older vulnerability that most security products have some degree of protection for already.



For the moment, the risks are not terribly high, except for potentially harder-to-detect phishing attacks. However, exploits for the other vulnerabilities could appear at any time, so users are encouraged to update their systems as soon as possible.

Tuesday, September 11, 2007

September Patch Tuesday relatively minor

Today's Microsoft Patch Tuesday is one of the mildest in memory (excluding the month that Microsoft skipped Patch Tuesday altogether, despite a number of exploits and known vulnerabilities). Of the four vulnerabilities, the MSN Messenger vulnerability is, in our view, the most serious. Microsoft has only rated it as important because not all versions of MSN Messenger are vulnerable and because users are prompted to upgrade their client when they log on to the MSN Messenger network. Here's the breakdown of each vulnerability:

  • MS07-051 -- Vulnerability in Microsoft Agent Could Allow Remote Code Execution

    This was the only patch today that Microsoft rated as Critical. Microsoft Agent is the same technology as the Microsoft Office paper clip that used to annoy you. Microsoft touts it as a way to spice up web pages with interactive personalities. However, this is not the first vulnerability in Microsoft Agent, and those who visit web pages that use the agent may be at risk. Microsoft recommends disabling the agent by setting the kill bit on the following CLSIDs:
    • D45FD31B-5C6E-11D1-9EC1-00C04FD7081F

    • F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5

    • 4BAC124B-78C8-11D1-B9A8-00C04FD97575

    • D45FD31D-5C6E-11D1-9EC1-00C04FD7081F

    • D45FD31E-5C6E-11D1-9EC1-00C04FD7081F

  • MS07-052 -- Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution

    This vulnerability is rated Important by Microsoft. Only those with Visual Studio are at risk of exploitation of this flaw. If you aren't using Crystal Reports, Microsoft recommends you uninstall it to minimize your exposure to this flaw.

  • MS07-053 -- Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege

    This is rated Important by Microsoft. Any computer from Windows 2000 through Windows Server 2003 that runs Windows Services for UNIX is susceptible to a local privilege escalation. As this is not remotely exploitable, the eSoft Threat Prevention Team has not analyzed it in depth.

  • MS07-054 -- Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution

    This vulnerability is a bit more severe than Microsoft would like you to believe. They have rated this vulnerability as Important, but the eSoft Threat Prevention Team believes it ranks as Critical.

    MSN Messenger 6.2, 7.0, 7.5 and Windows Live Messenger 8.0 are all vulnerable. Detailed instructions on exploiting this vulnerability have been released. In order for an attacker to exploit the vulnerability, they must convince their target to accept either a webcam or video chat invitation. If you disable webcam and video chats in MSN Messenger, you are not vulnerable.

    The good news with this one is that Windows Live Messenger 8.1, released in January of this year, and users of MSN Messenger 7.0.0820, released "recently", are already protected from this vulnerability. Also, users of Microsoft's messenger products should be prompted to upgrade when they log in to their accounts.

    Microsoft recommends blocking Microsoft Messenger traffic until all machines on your network are updated with the latest version of Messenger.



As usual, patch your systems as soon as you can.

Note from the sponsor: eSoft's Intrusion Prevention Softpak can be configured to block all MSN traffic at the gateway. It also blocks websites that use Microsoft Agent as a precaution against the many vulnerabilities in that software.

Tuesday, July 17, 2007

Threat Level Raised

We're raising the threat level in response to the Adobe vulnerability. At this point, the Threat Level is in a cautionary area. We'll raise it again if we start seeing widespread exploitation.

Adobe Flash Browser Plugin High Risk Vulnerability

Yesterday, Adobe announced a vulnerability in its Flash Player that could be exploited to run arbitrary code. This vulnerability is cross-browser and cross-platform, and the vulnerable software is installed by default on all recent copies of Windows and OS X.

All users who allow flash content in their browsers are at risk.

This morning we saw the first proof-of-concept exploit, which we fully expect to be the tip of the iceberg. It's likely that we'll see mass exploitation in the next few days.

To protect yourself, the best thing to do is to upgrade your Flash plugin to 9.0.47.0 or later. If you use Firefox, the NoScript plugin will prevent Flash content from running unless you specifically trust the source or grant it temporary permission. NoScript can be annoying, but it's an extremely valuable tool in combating malicious websites.

And, of course, make sure you're running gateway and desktop antivirus and intrusion prevention products that are up-to-date.

We'll keep you posted as we see more.

Note from the sponsor: eSoft's Gateway AntiVirus and Intrusion Prevention Softpaks provide full protection for this vulnerability and provided that protection starting shortly after the announcement of the vulnerability and well before any exploits became public.

Thursday, July 12, 2007

Patch Tuesday and Browser 0-days

After a small pause, Threat Center Live is back. We've been very busy at Threat Center building up our honeypots, honeymonkeys, and other systems for finding live malware and exploits in the wild. We've also been busy tracking down and writing signatures for a variety of vulnerabilities. Here's a rundown of the latest news:

The first (as far as I am aware) cross *browser* exploit has been discovered. It affects Windows machines with both Internet Explorer and Firefox installed and uses a trick to cause Internet Explorer (and presumably Outlook, Outlook Express, and other programs that use the same engine as IE) to launch Firefox and pass arbitrary JavaScript code to it in a trusted context -- meaning that applications can be launched without any user interaction. There are some good demonstrations of the exploit here and here, and with these examples I think we can expect malicious exploits as early as today. Note that this is a vulnerability in Firefox, but it can only be exploited if someone is using IE despite having Firefox installed.

Next in the security roundup from the last couple of days is Microsoft's July Patch Tuesday. This is the first Patch Tuesday in quite a while in which there were no fixes for Internet Explorer, Outlook, or Outlook Express. However, our series of patches for Microsoft Office products remains uninterrupted. Here's the breakdown of what you need to know:

  • MS07-036 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

    Three vulnerabilities in Excel can allow a malicious Excel file to execute arbitrary code. Although no proof-of-concept exploits have been released to the public, the eSoft Threat Prevention Team was able to reconstruct an exploit from the information in Microsoft's advisory. We believe this is a serious threat. As always, do not open unsolicited file attachments and keep your antivirus signatures up-to-date. eSoft products have zero-day protection for this vulnerability when and if exploits start to circulate.

  • MS07-037 -- Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution

    Malformed Microsoft Publisher files opened with Publisher 2007 can cause arbitrary code to be executed on a host computer. We recommend blocking .pub files at the gateway to protect against this threat.

  • MS07-038 -- Vulnerability in Windows Vista Firewall Could Allow Information Disclosure

    It appears that this vulnerability could allow an attacker to see what services are running on a machine even if those services are firewalled. The vulnerability involves the encapsulation of IPv6 packets inside IPv4 packets. This kind of traffic cannot be blocked at the firewall as it is legitimate traffic. If you don't use IPv6, then you should follow the directions in Microsoft's advisory to disable Teredo. They offer three different ways to block this traffic, the easiest of which is to use the Vista Firewall to block Teredo packets in and out of a machine.

  • MS07-039 -- Vulnerability in Windows Active Directory Could Allow Remote Code Execution

    Few organizations will allow LDAP access to their Active Directory service through the firewall, so this threat shouldn't be too large for most installations. However, there are always those organizations with non-standard setups, and the insider threat. At this point we don't have enough information to give this a full analysis. No public exploits exist.

  • MS07-040 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution

    This is in fact three vulnerabilities. Most intrusion prevention systems should have protected against the null-byte vulnerability already in a more generic form. The other two vulnerabilities are a bit more ambiguous as to what programs are vulnerable and how they could be exploited. We're keeping a close eye on this one as a variety of applications use the .NET framework and this could impact many of them.

  • MS07-041 -- Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

    This is in fact a rehash of an older known vulnerability in IIS 5.1 on WinXP SP2. It was previously thought to be only a denial of service issue. Many intrusion prevention systems likely already catch attempts to exploit this vulnerability. The exploit is a specially crafted URL, but as the affected software is very outdated there are probably very few vulnerable installations and therefore a low likelihood of someone developing a working exploit that does more than denial of service.

As usual, follow best security practices and patch your systems as soon as possible.

Note from the sponsor: eSoft's Intrusion Prevention and Gateway AntiVirus Softpaks provide protection against all known exploits of the above vulnerabilities and, for some of the vulnerabilities, all theoretical exploit vectors.

Tuesday, May 8, 2007

Microsoft's May Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Of the announced issues, here are the ones you should be most concerned about:

  • MS07-024 and MS07-025 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

    Four vulnerabilities, affecting mostly Microsoft Word but also all other applications in the Office suite, could be used to compromise your computer if you were to open a malicious Office document. Important to note is that Microsoft Word Viewer and Microsoft Office on the Mac are also vulnerable. It almost goes without saying that you should never open Office documents from untrusted sources. And remember, those e-mail forwards from your good friend didn't start with your friend and should be looked at with just as much suspicion as if they came from a total stranger.

  • MS07-026 -- Vulnerabilities in Exchange Server Could Allow Remote Code Execution

    If you run Exchange Server to handle your mail, you need to update it now. There are four separate issues including two Denial of Service (specially crafted e-mail will cause the mail server service to hang or quit), one "information leakage" and one remote code execution.

    The first concern is the remote code execution. This vulnerability relates to malformed MIME-encoded attachments.

    We aren't aware of any exploits at this time and details are still scarce, but that could change very quickly.

    The second concern is the "information leakage." E-mails sent with attached HTML files can cause problems for people using Outlook Web Access -- Microsoft's web-based e-mail reader. Essentially, a malicious script could be run in a trusted context and used to steal login credentials, e-mails, and more. This is a cross-site scripting vulnerability and has been shown in similar cases to be a pretty serious breach of security even though it doesn't allow remote code execution.

  • MS07-027 and MS07-028 -- Internet Explorer Multiple (Six) Remote Code Execution Vulnerabilities

    This is the bread and butter of these Patch Tuesdays: Internet Explorer issues. And despite IE7's enhanced security, it is vulnerable to most of these issues as well. As usual, ActiveX objects are the culprit. Microsoft wanted to allow website designers to be able to write full Windows applications and have them run inside Internet Explorer to create a "rich" web experience. Unfortunately, in doing this, Microsoft made two mistakes: every software component on Microsoft systems can be accessed by a web site. This means that software that wasn't intended to be run in Internet Explorer can be, and in many of these cases there are exploitable bugs in the software.

    The usual way to deal with this is to explicitly disable specific ActiveX objects by using their "kill bits." Microsoft has a Knowledge Base article with instructions. Also, you can use the Group Policy Editor to set the kill bits on your entire domain. Here are the recommended "kills" from this batch of updates:

    CLSID                                  DLL            Comments
    D4FE6227-1288-11D0-9097-00AA004254A0   msdauth.dll    Windows Media component
    BE4191FB-59EF-4825-AEFC-109727951E42   chtskdic.dll
    17E3A1C3-EA8A-4970-AF29-7F54610B1D4C   CAPICOM        Provides encryption capabilities to programmers.
    FBAB033B-CDD0-4C5E-81AB-AEA575CD1338   CAPICOM


    Note that there are vulnerabilities being patched here that cannot be addressed by setting these kill bits, so your best bet is to upgrade as soon as possible. But still create policies in the Group Policy Editor in case an unpatched machine finds its way onto your network.

  • MS07-029 -- Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

    We first mentioned this flaw -- and the exploits circulating in the wild -- on April 13th. The flaw has received a lot of press, but isn't a concern for most people. Only Microsoft-based DNS servers running on the Internet without any kind of firewall on them or between them and the Internet are susceptible to an external attack. And if a worm taking advantage of this exploit got into a local network, it would likely not be able to compromise more than one machine. Despite that disclaimer, it's a serious bug that could allow someone to take full control of one of your servers, so this patch is here none too soon. For mitigation details, see the post referenced above.
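As an added example (not from the eSoft posts or from Microsoft's Knowledge Base article), here is a PowerShell script that sets and then verifies the kill bit for the CLSIDs listed in this batch and for the Microsoft Agent CLSIDs in the September MS07-051 post. It assumes an elevated prompt; the registry path, value name "Compatibility Flags" and the 0x400 flag are the documented kill-bit mechanism, and the Wow6432Node path only applies on 64-bit Windows.

```powershell
# Added example: set the ActiveX kill bit for the CLSIDs from the May (MS07-027/028)
# and September (MS07-051) posts. Run from an elevated PowerShell prompt.
# Kill bits live under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# as a DWORD value named "Compatibility Flags" with bit 0x400 set.
$KillBitFlag = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both when present.
$BaseKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $BaseKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

# CLSIDs taken from the two posts; the registry key name requires the braces.
$Clsids = @(
    # May 2007, MS07-027/028
    '{D4FE6227-1288-11D0-9097-00AA004254A0}',  # msdauth.dll, Windows Media component
    '{BE4191FB-59EF-4825-AEFC-109727951E42}',  # chtskdic.dll
    '{17E3A1C3-EA8A-4970-AF29-7F54610B1D4C}',  # CAPICOM
    '{FBAB033B-CDD0-4C5E-81AB-AEA575CD1338}',  # CAPICOM
    # September 2007, MS07-051 (Microsoft Agent)
    '{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}',
    '{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}',
    '{4BAC124B-78C8-11D1-B9A8-00C04FD97575}',
    '{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}',
    '{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}'
)

function Get-CompatFlags {
    param([string]$Key)
    $v = (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Set-KillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into whatever flags are already there so other flags survive,
    # and so re-running the script is harmless.
    $new = (Get-CompatFlags $key) -bor $KillBitFlag
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null
}

function Test-KillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    return (Test-Path $key) -and (((Get-CompatFlags $key) -band $KillBitFlag) -ne 0)
}

foreach ($base in $BaseKeys) {
    foreach ($c in $Clsids) {
        Set-KillBit -BaseKey $base -Clsid $c
        $state = if (Test-KillBit -BaseKey $base -Clsid $c) { 'kill bit set' } else { 'NOT SET' }
        Write-Host ("{0}  {1}  {2}" -f $base, $c, $state)
    }
}
```

The same values can be pushed domain-wide through Group Policy, as the post suggests, which also catches an unpatched machine that later joins the network.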


Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And as always, make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from all known exploits of today's announced vulnerabilities.

Wednesday, April 25, 2007

How To Spot A Scam

Spotting a scam isn't always easy. More than anything, it helps to view e-mails, phone calls, and people at your front door with a critical, skeptical eye. If you're skeptical, you'll look for holes, and in 19/20 scams you'll find them without too much searching.

In this blog post I'll walk you through two recent examples of scams that have targeted me. The first one I'll talk about made it through my spam filter this morning.

Scam One

Here's the e-mail:


Let's start with the red flags:

I will need a few moments of your time to cover all related lottery-type information from procuring your prize to any related taxes.


Any time someone wants information for tax purposes, they want your social security number. This should cause alarm bells to ring. Loudly.

Then there's this line in the e-mail:

44.71.188.154 9/3/2006 0:19


This appears to be an IP address and a date and time. I believe this line is there to lend some kind of credibility to the e-mail, but the year says 2006 and the time is 19 minutes after midnight. Clearly something odd is going on.

Seeing that date led me to look at the date of the e-mail, which is "April 25, 2007 4:14:23 AM MDT" -- and this is another red flag. A quick Google search tells us that North Aurora, Illinois (where this company is supposedly located) is in the Central time zone, so this e-mail went out at 5:14am Illinois time, which is a bit earlier than their own stated office hours:

P.S. For your convenience, we are available 8:30 AM to 4:00 PM Central Standard Time, Monday to Friday


As long as we're looking at the e-mail headers, let's take a look at the From address: cedwardsb -at- prize-claim-center.com. But the e-mail says it's from "Michelle Ruland." Shouldn't that From address look more like mruland -at- prize-claim-center.com? Or micheller -at- prize-claim-center.com? It's another red flag.

By now it's obvious that this is a scam, but as a final check, let's take a look at their website. We never click links in e-mails (and neither should you), but with proper protections in place, it can be okay to type a URL into your address bar. Instead of going to the referenced page used supposedly for unsubscribing from their list, let's check the site's home page:



...it's blank. No website there.

As a final note, there are a lot of these "claim your prize" type of e-mails out there. If you entered a drawing for a prize somewhere, you almost certainly gave your phone and mailing address. If you put your e-mail address on there as well, it will likely be used for spam and it will not be used to contact you about the prize. Finally, if you really did win, there would be specifics about when you filled out the form, where, what it was for, and what you won.

Scam Two

I received a phone call at home. The caller said he was with Discover card and wanted to confirm some charges on my account. I haven't used my Discover card in a long time -- in fact, I shredded it -- but even so, this sounded important and the caller rattled off a Discover card number that was supposed to be mine. Then the caller asked me to confirm my identity by giving him my social security number. Whoa there! I've never had a fraud department ask for that information before. So although I was convinced that it was Discover calling, my skepticism kicked in and I asked if I could call him back. He gave me the real 800 number for Discover Card, which I confirmed after I got off the phone by going to their website. When I called Discover, they had no record of any charges on my account for several years and they confirmed what I already knew: it wasn't Discover who had contacted me. For good measure, I officially canceled the card on that call.

The big lesson here is again skepticism. Even very convincing, helpful, and friendly callers to your house who seem to know who you are and maybe other details about you should not be trusted. If anyone, ever, calls you and then asks, for any reason, for details about you -- your address, mother's maiden name, social security number, etc. -- ask if you can call them back. Get their number, but then don't use the number they give you; instead, look up the number on the Internet or in the phone book. Prudence will save you a world of headaches. Also, never trust Caller ID. Just because your phone says Discover Card Fraud Department is calling doesn't make it so. That information is easy to fake.

Phishing

Phishing scams are getting better. Phishers are able to reproduce their target websites much better now, so the broken links that used to be a dead giveaway are happening less frequently. If you get an e-mail ostensibly from your bank, PayPal, eBay, or any official institution, don't follow the links in the e-mail. Use your own bookmarks or enter the official site into your URL bar directly. Do this every time. What you lose in convenience, you more than make up for in security and identity protection.

Combating Fraud

From the FTC website:

If a scam artist has contacted you or if you've been defrauded, contact the FTC at www.ftc.gov or 1-877-FTC-HELP. We gather evidence, identify fraud trends and alert law enforcement throughout the U.S., Canada, and abroad. By reporting your experience, you can prevent others from becoming victims and help put an end to fraud.


Here are e-mail addresses for forwarding scams, spam, phishing, and more (this has been compiled from different sources, but most notably from the Internet Storm Center):

Spam
uce -at- ftc.gov

spamarchive.org is interested in any spam, but send it as an RFC822 attachment to submitautomated -at- spamarchive.org.

Child pornography
children -at- interpol.int
gmail -at- cybertip.ca
Do not send child porn e-mails to spamarchive.org or redistribute anywhere besides the above two addresses.

Nigerian/419 scams
419.fcd -at- usss.treas.gov.

OEM software
netpiracy -at- siia.net
piracy -at- microsoft.com

Phishing
reportphishing -at- antiphishing.org
phish -at- ists.dartmouth.edu
spam -at- mailpolice.com
phishing-report -at- us-cert.gov
phish -at- phishtank.com (but you have to register at phishtank.com first)
Also: postmaster -at- corp.mailsecurity.net.au, spoof -at- millersmiles.co.uk, and report -at- reportphish.org, but send the mail as an RFC822 attachment.

Pills
webcomplaints -at- ora.fda.gov
drugs -at- interpol.int

Pyramid scams
fraud -at- uspis.gov

Rolex/replicas
steve.govin -at- rolex.com
expert -at- lpconline.com

Stock/pump and dump
enforcement -at- sec.gov

Tobacco
alctob -at- ttb.treas.gov

Viruses
Submit to Threat Center, Jotti, and VirusTotal. Also, you can forward to av -at- annex.esoft.com.


Note: If you have updates or additions to the above list of e-mail addresses and websites, please post them in the comments.