Tuesday, October 9, 2007

October Patch Tuesday

Microsoft announced there would be 7 advisories on this Patch Tuesday, but we only got 6. It makes you wonder what they held back and why.

That aside, there are a couple of things to know about today's advisories and patches. Here's the breakdown:

  • MS07-055 -- Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution

    The first thing I thought when seeing this is, "how many people have the Kodak Image Viewer installed?" It turns out, a lot. It was installed on all Windows 2000 machines and is still installed on Windows XP machines that were upgraded from Windows 2000.

    This vulnerability is very similar to other extremely critical image handling vulnerabilities that have wreaked havoc on Windows operating systems lately. If you even browse to a folder with a malicious image on a vulnerable machine, the malicious image will be able to execute code on your system. So this impacts anything that displays images from Windows Explorer thumbnails and previews to Internet Explorer and Outlook.

    Microsoft does mention that if you have installed Office 2003, the Kodak Image Viewer may have been replaced by a different image viewer.

    This is a potentially extremely serious vulnerability, but at this time the details for how to exploit it are almost non-existent and there are no exploits in the wild.

  • MS07-056 -- Security Update for Outlook Express and Windows Mail

    This relates to how a URL that starts with nntp:// can be used to point a user to a malicious news server (potentially without user interaction if the URL is used as an image source) that overflows memory and potentially executes arbitrary code.

    The malicious news server must be custom and has to know how to overflow the handler. There are no examples and no exploits in the wild, but there's enough information for someone to create an exploit without undue difficulty. This is definitely a critical issue.

  • MS07-057 -- Cumulative Security Update for Internet Explorer

    This is actually three separate vulnerabilities in JavaScript on Internet Explorer from version 5 through 7. All Windows operating systems including Vista are affected. Two of the vulnerabilities use JavaScript tricks to make a person think they've navigated to a particular website when in fact they haven't. This could be exploited by phishers to trick people into thinking they're legitimately at their bank's website (or paypal, or ebay, etc.). There are several publicly available demonstrations showing how to exploit this. Patch immediately.

    The other issue in this update is a heap overflow caused when a script starts several download attempts of the same file and then frees the memory for those download attempts.

    To alleviate both of these issues, consider using Firefox instead of Internet Explorer and consider trying the NoScript plugin for Firefox.

  • MS07-058 -- Vulnerability in RPC Could Allow Denial of Service

    This vulnerability reminds me a bit of the old ping of death. A specially crafted windows file-sharing authentication message will cause a computer to spontaneously reboot. Microsoft recommends that people firewall UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593. If you have a gateway firewall, it should block these ports by default. If not, you should strongly consider installing a personal firewall such as ZoneAlarm.

  • MS07-059 -- Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site

    If you use SharePoint, you should be aware that an authenticated user could increase their privileges through a cross-site scripting (XSS) vulnerability. We don't view this as a critical vulnerability.

  • MS07-060 -- Vulnerability in Microsoft Word Could Allow Remote Code Execution

    This incorporates 4 separate vulnerabilities in Word for Windows and for Mac that could be exploited by a malicious Word document. The most serious of these issues is a recurrence of an older vulnerability that most security products have some degree of protection for already.

For the moment, the risks are not terribly high, except for potentially harder to detect phishing attacks. However, exploits for the other vulnerabilities could appear at any time, so users are encouraged to update their systems as soon as possible.

Tuesday, September 11, 2007

September Patch Tuesday relatively minor

Today's Microsoft Patch Tuesday is one of the mildest in memory (excluding the month that Microsoft skipped Patch Tuesday altogether, despite a number of exploits and known vulnerabilities). Of the four vulnerabilities, the MSN Messenger vulnerability is, in our view, the most serious. Microsoft has only rated it as important because not all versions of MSN Messenger are vulnerable and because users are prompted to upgrade their client when they log on to the MSN Messenger network. Here's the breakdown of each vulnerability:

  • MS07-051 -- Vulnerability in Microsoft Agent Could Allow Remote Code Execution

    This was the only patch today that Microsoft rated as Critical. Microsoft Agent is the same technology as the Microsoft Office paper clip that used to annoy you. Microsoft touts it as a way to spice up web pages with interactive personalities. However, this is not the first vulnerability in Microsoft Agent, and those who visit web pages that use the agent may be at risk. Microsoft recommends disabling the agent by setting the kill bit on the following CLSIDs:
    • D45FD31B-5C6E-11D1-9EC1-00C04FD7081F
    • F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5
    • 4BAC124B-78C8-11D1-B9A8-00C04FD97575
    • D45FD31D-5C6E-11D1-9EC1-00C04FD7081F
    • D45FD31E-5C6E-11D1-9EC1-00C04FD7081F

  • MS07-052 -- Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution

    This vulnerability is rated Important by Microsoft. Only those with Visual Studio are at risk of exploitation of this flaw. If you aren't using Crystal Reports, Microsoft recommends you uninstall it to minimize your exposure to this flaw.

  • MS07-053 -- Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege

    This is rated Important by Microsoft. Any computer from Windows 2000 through Windows Server 2003 that runs Windows Services for UNIX is susceptible to a local privilege escalation. As this is not remotely exploitable, the eSoft Threat Prevention Team has not analyzed it in depth.

  • MS07-054 -- Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution

    This vulnerability is a bit more severe than Microsoft would like you to believe. They have rated this vulnerability as Important, but the eSoft Threat Prevention Team believes it ranks as Critical.

    MSN Messenger 6.2, 7.0, 7.5 and Windows Live Messenger 8.0 are all vulnerable. Detailed instructions on exploiting this vulnerability have been released. In order for an attacker to exploit the vulnerability, they must convince their target to accept either a webcam or video chat invitation. If you disable webcam and video chats in MSN Messenger, you are not vulnerable.

    The good news with this one is that Windows Live Messenger 8.1, released in January of this year, and users of MSN Messenger 7.0.0820, released "recently" are already protected from this vulnerability. Also, users of Microsoft's messenger products should be prompted to upgrade when they log in to their accounts.

    Microsoft recommends blocking Microsoft Messenger traffic until all machines on your network are updated with the latest version of Messenger.

As usual, patch your systems as soon as you can.

Note from the sponsor: eSoft's Intrusion Prevention Softpak can be configured to block all MSN traffic at the gateway. It also blocks websites that use Microsoft Agent as a precaution against the many vulnerabilities in that software.

Tuesday, July 17, 2007

Threat Level Raised

We're raising the threat level in response to the Adobe vulnerability. At this point, the Threat Level is in a cautionary area. We'll raise it again if we start seeing wide-spread exploitation.

Adobe Flash Browser Plugin High Risk Vulnerability

Yesterday, Adobe announced a vulnerability in its flash player that could be exploited to run arbitrary code. This vulnerability is cross browser and cross platform and the vulnerable software is installed by default on all recent copies of Windows and OS X.

All users who allow flash content in their browsers are at risk.

This morning we saw the first proof-of-concept exploit, which we fully expect to be the tip of the iceberg. It's likely that we'll see mass exploitation in the next few days.

To protect yourself, the best thing to do is to upgrade your Flash plugin to or later. If you use Firefox, the NoScript plugin will prevent Flash content from running unless you specifically trust the source or grant it temporary permission. NoScript can be annoying, but it's an extremely valuable tool in combating malicious websites.

And, of course, make sure you're running gateway and desktop antivirus and intrusion prevention products that are up-to-date.

We'll keep you posted as we see more.

Note from the sponsor: eSoft's Gateway AntiVirus and Intrusion Prevention Softpaks provide full protection for this vulnerability and provided that protection starting shortly after the announcement of the vulnerability and well before any exploits became public.

Thursday, July 12, 2007

Patch Tuesday and Browser 0-days

After a small pause, Threat Center Live is back. We've been very busy at Threat Center building up our honeypots, honeymonkeys, and other systems for finding live malware and exploits in the wild. We've also been busy tracking down and writing signatures for a variety of vulnerabilities. Here's a rundown of the latest news:

The first (as far as I am aware) cross *browser* exploit has been discovered. It affects Windows machines with both Internet Explorer and Firefox installed and uses a trick to cause Internet Explorer (and presumably Outlook, Outlook Express, and other programs that use the same engine as IE) to launch Firefox and pass arbitrary JavaScript code to it in a trusted context -- meaning that applications can be launched without any user interaction. There are some good demonstrations of the exploit here and here, and with these examples I think we can expect malicious exploits as early as today. Note that this is a vulnerability in Firefox, but it can only be exploited if someone is using IE despite having Firefox installed.

Next in the security roundup from the last couple of days is Microsoft's July Patch Tuesday. This is the first Patch Tuesday in quite a while in which there were no fixes for Internet Explorer, Outlook, or Outlook Express. However, our series of patches for Microsoft Office products remains uninterrupted. Here's the breakdown of what you need to know:

  • MS07-036 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

    3 vulnerabilities in Excel can allow a malicious Excel file to execute arbitrary code. Although no proof-of-concept exploits have been released to the public, the eSoft Threat Prevention Team was able to reconstruct an exploit from the information in Microsoft's advisory. We believe this is a serious threat. As always, do not open unsolicited file attachments and keep your antivirus signatures up-to-date. eSoft products have zero day protection for this vulnerability when and if exploits start to circulate.

  • MS07-037 -- Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution

    Malformed Microsoft Publisher files opened with Publisher 2007 can cause arbitrary code to be executed on a host computer. We recommend blocking .pub files at the gateway to protect against this threat.

  • MS07-038 -- Vulnerability in Windows Vista Firewall Could Allow Information Disclosure

    It appears that this vulnerability could allow an attacker to see what services are running on a machine even if those services are firewalled. The vulnerability involves the encapsulation of IPv6 packets inside IPv4 packets. This kind of traffic cannot be blocked at the firewall as it is legitimate traffic. If you don't use IPv6, then you should follow the directions in Microsoft's advisory to disable Teredo. They offer three different ways to block this traffic, the easiest of which is to use the Vista Firewall to block Teredo packets in and out of a machine.

  • MS07-039 -- Vulnerability in Windows Active Directory Could Allow Remote Code Execution

    Few organizations will allow LDAP access to their Active Directory service through the firewall, so this threat shouldn't be too large for most installations. However, there's always those organizations with non-standard setups and the insider threat. At this point we don't have enough information to give this a full analysis. No public exploits exist.

  • MS07-040 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution

    This is in fact three vulnerabilities. Most intrusion prevention systems should have protected against the null-byte vulnerability already in a more generic form. The other two vulnerabilities are a bit more ambiguous as to what programs are vulnerable and how they could be exploited. We're keeping a close eye on this one as a variety of applications use the .NET framework and this could impact many of them.

  • MS07-041 -- Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

    This is in fact a rehash of an older known vulnerability in IIS 5.1 on WinXP SP2. It was previously thought to be only a denial of service issue. Many intrusion prevention systems likely already catch attempts to exploit this vulnerability. The exploit is a specially crafted URL, but as the affected software is very outdated there are probably very few vulnerable installations and therefore a low likelihood of someone developing a working exploit that does more than denial of service.

As usual, follow best security practices and patch your systems as soon as possible.

Note from the sponsor: eSoft's Intrusion Prevention and Gateway AntiVirus Softpaks provide protection against all known exploits of the above vulnerabilities and, for some of the vulnerabilities, all theoretical exploit vectors.

Tuesday, May 8, 2007

Microsoft's May Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Of the announced issues, here are the ones you should be most concerned about:

  • MS07-024 and MS07-025 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

    4 vulnerabilities affecting mostly Microsoft Word, but also all other applications in the Office suite could be used to compromise your computer if you were to open a malicious Office document. Important to note is that Microsoft Word Viewer and Microsoft Office on the Mac are also vulnerable. It almost goes without saying that you should never open office documents from untrusted sources. And remember, those e-mail forwards from your good friend didn't start with your friend and should be looked at with just as much suspicion as if they came from a total stranger.

  • MS07-026 -- Vulnerabilities in Exchange Server Could Allow Remote Code Execution

    If you run Exchange Server to handle your mail, you need to update it now. There are four separate issues including two Denial of Service (specially crafted e-mail will cause the mail server service to hang or quit), one "information leakage" and one remote code execution.

    The first concern is the remote code execution. This vulnerability relates to malformed MIME-encoded attachments.

    We aren't aware of any exploits at this time and details are still scarce, but that could change very quickly.

    The second concern is the "information leakage." E-mails sent with attached HTML files can cause problems for people using Outlook Web Access -- Microsoft's web-based e-mail reader. Essentially, a malicious script could be run in a trusted context and used to steal login credentials, e-mails, and more. This is a cross-site scripting vulnerability and has been shown in similar cases to be a pretty serious breach of security even though it doesn't allow remote code execution.

  • MS07-027 and MS07-028 -- Internet Explorer Multiple (Six) Remote Code Execution Vulnerabilities

    This is the bread and butter of these Patch Tuesdays: Internet Explorer issues. And despite IE7's enhanced security, it is vulnerable to most of these issues as well. As usual, ActiveX objects are the culprit. Microsoft wanted to allow website designers to be able to write full Windows applications and have them run inside Internet Explorer to create a "rich" web experience. Unfortunately, in doing this, Microsoft made two mistakes: every software component on Microsoft systems can be accessed by a web site. This means that software that wasn't intended to be run in Internet Explorer can be and in many of these cases there are exploitable bugs in the software.

    The usual way to deal with this is to explicitly disable specific ActiveX objects by using their "kill bits." Microsoft has a Knowledge Base article with instructions. Also, you can use the Group Policy Editor to set the kill bits on your entire domain. Here are the recommended "kills" from this batch of updates:

    CLSID                                   Component     Description
    D4FE6227-1288-11D0-9097-00AA004254A0    msdauth.dll   Windows Media component
    17E3A1C3-EA8A-4970-AF29-7F54610B1D4C    CAPICOM       Provides encryption capabilities to programmers.

    Note that there are vulnerabilities being patched here that cannot be addressed by setting these kill bits, so your best bet is to upgrade as soon as possible. But still create policies in the Group Policy Editor in case an unpatched machine finds its way onto your network.

  • MS07-029 -- Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

    We first mentioned this flaw -- and the exploits circulating in the wild -- on April 13th. The flaw has received a lot of press, but isn't a concern for most people. Only Microsoft-based DNS servers running on the Internet without any kind of firewall on them or between them and the Internet are susceptible to an external attack. And if a worm taking advantage of this exploit got into a local network, it would likely not be able to compromise more than one machine. Despite that disclaimer, it's a serious bug that could allow someone to take full control of one of your servers, so this patch is here none too soon. For mitigation details, see the post referenced above.
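The kill-bit mitigation recommended above for the MS07-027/MS07-028 CLSIDs (and for the Microsoft Agent CLSIDs in the September MS07-051 post) can be applied and audited with a script like the following. This is an added example, not Microsoft's or eSoft's code; it assumes the standard kill-bit location, HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} with bit 0x400 of the "Compatibility Flags" DWORD, and an elevated PowerShell session.

```powershell
# Added example (not from the original post): set and audit ActiveX kill bits
# for the CLSIDs named in this blog. Writing under HKLM requires an elevated shell.
# Assumption: the kill bit is bit 0x400 of the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.

$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

# CLSIDs from the MS07-027/MS07-028 post (May) and the MS07-051 post (September).
$Clsids = @(
    '{D4FE6227-1288-11D0-9097-00AA004254A0}',  # msdauth.dll, Windows Media component
    '{17E3A1C3-EA8A-4970-AF29-7F54610B1D4C}',  # CAPICOM
    '{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}',  # Microsoft Agent (MS07-051)
    '{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}',  # Microsoft Agent (MS07-051)
    '{4BAC124B-78C8-11D1-B9A8-00C04FD97575}',  # Microsoft Agent (MS07-051)
    '{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}',  # Microsoft Agent (MS07-051)
    '{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}'   # Microsoft Agent (MS07-051)
)

function Get-CompatFlags {
    # Returns the current "Compatibility Flags" value for a CLSID, or $null if unset.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.'Compatibility Flags'
}

function Test-KillBit {
    # True only if the key exists and the kill bit is set in its flags.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $flags = Get-CompatFlags -Clsid $Clsid
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    # OR the kill bit into the existing flags so other compatibility flags are preserved.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = Get-CompatFlags -Clsid $Clsid
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

# Apply where missing, then report the resulting state for every CLSID.
foreach ($c in $Clsids) {
    if (-not (Test-KillBit -Clsid $c)) { Set-KillBit -Clsid $c }
    '{0}  killbit={1}' -f $c, (Test-KillBit -Clsid $c)
}
```

Run the audit loop without the Set-KillBit call to check unpatched machines that have joined the network, as the post suggests doing via Group Policy.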

Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And as always, make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from all known exploits of today's announced vulnerabilities.

Wednesday, April 25, 2007

How To Spot A Scam

Spotting a scam isn't always easy. More than anything, it helps to view e-mails, phone calls, and people at your front door with a critical, skeptical eye. If you're skeptical, you'll look for holes, and in 19/20 scams you'll find them without too much searching.

In this blog post I'll walk you through two recent examples of scams that have targeted me. The first one I'll talk about made it through my spam filter this morning.
Scam One

Here's the e-mail:

Let's start with the red flags:

I will need a few moments of your time to cover all related lottery-type information from procuring your prize to any related taxes.

Any time someone wants information for tax purposes, they want your social security number. This should cause alarm bells to ring. Loudly.

Then there's this line in the e-mail: 9/3/2006 0:19

This appears to be an IP address and a date and time. I believe this line is there to lend some kind of credibility to the e-mail, but the year says 2006 and the time is 19 minutes after midnight. Clearly something odd is going on.

Seeing that date led me to look at the date of the e-mail, which is "April 25, 2007 4:14:23 AM MDT" -- and this is another red flag. A quick Google search tells us that North Aurora, Illinois (where this company is supposedly located) is in the Central time zone, so this e-mail went out at 5:14am Illinois time, which is a bit earlier than their own stated office hours:

P.S. For your convenience, we are available 8:30 AM to 4:00 PM Central Standard Time, Monday to Friday

As long as we're looking at the e-mail headers, let's take a look at the From address: cedwardsb -at- prize-claim-center.com. But the e-mail says it's from "Michelle Ruland." Shouldn't that from address look more like mruland -at- prize-claim-center.com? Or micheller -at- prize-claim-center.com? It's another red flag.

By now it's obvious that this is a scam, but as a final check, let's take a look at their website. We never click links in e-mails (and nor should you), but with proper protections in place, it can be okay to type a URL into your address bar. Instead of going to the referenced page used supposedly for unsubscribing from their list, let's check the site's home page:

...it's blank. No website there.

As a final note, there are a lot of these "claim your prize" type of e-mails out there. If you entered a drawing for a prize somewhere, you almost certainly gave your phone and mailing address. If you put your e-mail address on there as well, it will likely be used for spam and it will not be used to contact you about the prize. Finally, if you really did win, there would be specifics about when you filled out the form, where, what it was for, and what you won.

Scam Two

I received a phone call at home. The caller said he was with Discover card and wanted to confirm some charges on my account. I haven't used my Discover card in a long time -- in fact, I shredded it -- but even so, this sounded important and the caller rattled off a discover card number that was supposed to be mine. Then the caller asked me to confirm my identity by giving him my social security number. Whoa there! I've never had a fraud department ask for that information before. So although I was convinced that it was Discover calling, my skepticism kicked in and I asked if I could call him back. He gave me the real 800 number for Discover Card, which I confirmed after I got off the phone by going to their website. When I called Discover, they had no record of any charges on my account for several years and they confirmed what I already knew: it wasn't Discover who had contacted me. For good measure, I officially canceled the card on that call.

The big lesson here is again skepticism. Even very convincing, helpful, and friendly callers to your house who seem to know who you are and maybe other details about you, should not be trusted. If anyone, ever, calls you and then asks, for any reason, for details about you -- your address, mother's maiden name, social security number, etc. -- ask if you can call them back. Get their number, but then don't use the number they give you, instead look up the number on the Internet or in the phone book. Prudence will save you a world of headaches. Also, never trust Caller ID. Just because your phone says Discover Card Fraud Department is calling, doesn't make it so. That information is easy to fake.


Phishing scams are getting better. Phishers are able to reproduce their target websites much better now so all the broken links that used to be a dead giveaway are happening less frequently. If you get an e-mail ostensibly from your bank, paypal, ebay, or any official institution, don't follow the links in the e-mail. Use your own bookmarks or enter the official site into your URL bar directly. Do this every time. What you lose in convenience, you more than make up for in security and identity protection.

Combatting Fraud

From the FTC website:

If a scam artist has contacted you or if you've been defrauded, contact the FTC at www.ftc.gov or 1-877-FTC-HELP. We gather evidence, identify fraud trends and alert law enforcement throughout the U.S., Canada, and abroad. By reporting your experience, you can prevent others from becoming victims and help put an end to fraud.

Here are e-mail addresses for forwarding scams, spam, phishing, and more (this has been compiled from different sources but most notably from the Internet Storm Center):

uce -at- ftc.gov

spamarchive.org is interested in any spam, but send it as an RFC822 attachment to submitautomated -at- spamarchive.org.

Child pornography
children -at- interpol.int
gmail -at- cybertip.ca
Do not send child porn e-mails to spamarchive.org or redistribute anywhere besides the above two addresses.

Nigerian/419 scams
419.fcd -at- usss.treas.gov.

OEM software
netpiracy -at- siia.net
piracy -at- microsoft.com

reportphishing -at- antiphishing.org
phish -at- ists.dartmouth.edu
spam -at- mailpolice.com
phishing-report -at- us-cert.gov
phish -at- phishtank.com (but you have to register at phishtank.com first)
Also: postmaster -at- corp.mailsecurity.net.au, spoof -at- millersmiles.co.uk, and report -at- reportphish.org, but send the mail as an RFC822 attachment.

webcomplaints -at- ora.fda.gov
drugs -at- interpol.int

Pyramid scams
fraud -at- uspis.gov

steve.govin -at- rolex.com
expert -at- lpconline.com

Stock/pump and dump
enforcement -at- sec.gov

alctob -at- ttb.treas.gov

Submit to Threat Center, Jotti, and Virus Total. Also, you can forward to av -at- annex.esoft.com.

Note: If you have updates or additions to the above list of e-mail addresses and websites, please post them in the comments.

Monday, April 23, 2007

Patched Apple Flaws and New Quicktime Flaw Impacts Windows and Mac

Apple's been in the crosshairs recently. Last week they released their fourth security update of the year fixing 25 separate security issues. Several of the fixes are related to file format flaws announced in the Month of Apple Bugs in January. Others allow local privilege escalation.

Possibly the most serious issue is with the RPC runtime (libinfo) library used by services such as NFS. Mu Security has provided some very specific details on the flaw and for machines that are running NFS, the information may be enough for an attacker to create an exploit.

Although we haven't seen any exploits for any of these vulnerabilities, all Mac users should update before exploits start hitting the 'net.

On a related note, security researcher Dino Dai Zovi won a $10,000 bounty when he found a flaw and wrote an exploit to hack into a fully patched Mac laptop. We now know that the flaw he found was actually in the Quicktime application and can be exploited in various browsers and on various operating systems including both OS X and Windows. Exploitation of this flaw requires the user to browse to a malicious website. There is no fix for the flaw at this time, but disabling Java in your browser should protect you. If you don't regularly use Java Applets when browsing websites (I can't remember the last time I came across a website that required it) you should go to your preferences or options and disable it right now.

Wednesday, April 18, 2007

PHP Applications and Vulnerabilities

Every day we sift through an avalanche of newly found vulnerabilities in PHP applications and they all come down to improper sanitization of user-supplied input. Until our Universities are teaching secure coding techniques in Computer Science 101, we'll be in this situation for a long time. But that's a rant for another day.

Here's an example list of vulnerability announcements of PHP application over the last 24 hours:

• EclipseBB Phpbb_Root_Path Remote File Include Vulnerability
• Extreme PHPBB2 Remote File Inclusion
• Zomplog File.PHP Directory Traversal Vulnerability
• Joomla Template Module Index.PHP Remote File Include Vulnerability
• Gizzar Index.php Remote File Include Vulnerability
• Joomla/Mambo JoomlaPack Module MosConfig_Absolute_Path Remote File Include Vulnerability
• Cabron Connector InclusionService.PHP Remote File Include Vulnerability
• Wabbit PHP Gallery v0.9 Cross Site Scripting
• ActionPoll Script (actionpoll.php) Remote File Include
• LS simple guestbook - arbitrary code execution
• MyBlog <= 0.9.8 Remote Command Execution Exploit
• my little forum 1.7 Remote File Include Vulnerability
• PHP Nuke <= SQL Injections and Bypass SQL Injection Protection vulnerabilities
• Directory traversal vulnerability in Kai Content Management System (K-CMS)
• Directory traversal vulnerability in Monkey CMS 0.0.3
• Cross-site scripting (XSS) vulnerability in OpenConcept Back-End CMS 0.4.7
• PHP remote file inclusion vulnerability in chat.php in MySpeach 1.9
• Multiple PHP remote file inclusion vulnerabilities in CNStats 2.9
• ... and more!

Remote file inclusion, remote code execution, SQL injection, directory traversal, and cross site scripting vulnerabilities are running amok in PHP programs.

Ed Finkler at CERIAS took the time to sort through the NIST vulnerability data and come up with the top 20 offending PHP programs by score and by volume of advisories. This is skewed, of course, because programs not being prodded could be just as vulnerable, but less visible. Just the same, it's pretty interesting. Here are the top 5 by number of entries:
  1. MyBulletinBoard
  2. phpBB
  3. phpMyAdmin
  4. WordPress
  5. PHPNuke

The top 20 is even more enlightening if you happen to use some of those products (like VBulletin, Jupiter CMS, Joomla, and TikiWiki).

Anyone running this kind of software should be doing frequent scans of their files to make sure they haven't changed without their knowledge, frequent downloads of their website to make sure people haven't added code, and should make sure that their web server is isolated from sensitive parts of their network.

Note from the sponsor: eSoft's Intrusion Prevention Softpak has generic and specific detections for a number of common PHP vulnerabilities.

Triage For Oracle Critical Patch Updates

tri•age (from dictionary.com)

  1. the process of sorting victims, as of a battle or disaster, to determine medical priority in order to increase the number of survivors.

  2. the determination of priorities for action in an emergency.

As always, our focus at Threat Center is on remotely exploitable vulnerabilities. Our interest in privilege escalations and local attacks takes a back seat to vulnerabilities where an anonymous attacker could compromise your business.

Yesterday was Oracle's quarterly "Critical Patch Update" or CPU. This round they released 36 new security issues across the following products:
  • Oracle Database

  • Oracle Secure Enterprise Search

  • Oracle Application Server

  • Oracle Collaboration Suite

  • Oracle E-Business Suite

  • Oracle Enterprise Manager

  • Oracle PeopleSoft Enterprise

In other words, just about every Oracle product is affected. The Suites listed above include numerous programs such as the Oracle Portal, Oracle Streams, Oracle iSupport, Oracle iStore, Oracle Applications Manager, Oracle Agent, and more. For details on all of the patches, view Oracle's security advisory. For a quick triage of the updates, read on below.

Oracle Database

DB01 Core RDBMS Authentication Bypass on Windows
This flaw was reported to Oracle in 2002. Exploiting this flaw is trivial and can be done remotely by an unauthenticated attacker... but you probably aren't affected.

This flaw is specific to Oracle databases running on Windows machines that have "Simple File Sharing" enabled. Simple File Sharing allows a user to share files with anyone without the hassle of managing usernames and passwords. All users are authenticated as Guest regardless of the username or password they provide. If Oracle is configured to use OS-based authentication on a machine with Simple File Sharing enabled, then every attempt to authenticate against the database as any user will be successful. Hopefully if you're running Oracle Database on a Windows machine you aren't also doing any kind of file sharing, and especially not the free-for-all file sharing that is "Simple File Sharing."

David Litchfield has a paper with the full details.

DB05 Authentication Component Logon Trigger Bypass
This is a flaw that requires login credentials and usually wouldn't merit a mention, but it could allow users to bypass logon triggers. These are frequently used to control access by time of day, IP, and other factors or to add extra audit trails, etc. Many of the fixed flaws in this batch that do require a user to first log in may be more dangerous if the user first takes advantage of this logon trigger bypass flaw.

Oracle Enterprise Manager

EM01 Oracle Agent Authentication Bypass

A person can connect to the Oracle Agent and shut it down without authentication.

Oracle Application Server

AS04 and AS05 Oracle Portal Component Flaws
Two flaws in Oracle Portal can be remotely exploited over HTTP to gain access to the system. Authentication is not required and one of them is rated as easy to exploit. This involves some kind of parameter tampering, but we don't have more details at this time.

Oracle E-Business Suite

APPS02 Oracle iProcurement and APPS03 Oracle Report Manager
The vulnerable pages for both of these components are blocked by default by the URL firewall and are therefore not of high concern.

APPS05 and APPS06 Oracle iStore Parameter Tampering Issues
While these two bugs both require authenticated users, an anonymous user can self-register and get an account that way. Once they have an account, the attacker can get unauthorized access to information such as order information for other users. It isn't clear, but this may include access to credit card data. Because of this possibility, and the fact that Oracle says the exploit is of low complexity, we're rating this as a serious vulnerability. If you use the Oracle iStore, upgrade your software right away.

And that's it for the vulnerabilities that look serious to us. For the less serious vulnerabilities where authenticated users are able to gain elevated privileges, there are some exploits in the wild, so if you have strict trust settings, you will want to get going on installing these patches.

Of course we recommend installing all of the patches as soon as possible. If you need time to test the patches before installing, then start with the ones listed above.

Note from the sponsor: Many of the flaws that are fixed in this month's Oracle CPU center around SQL Injection and Cross Site Scripting. eSoft's Intrusion Prevention Softpak provides generic protection for many of these types of attacks. To prevent these types of attacks in the future, refer to eSoft's newest whitepaper, 10 Tips to Better Security.

Monday, April 16, 2007

Microsoft DNS Server Exploits Abound

Over the weekend a number of exploits turned up that make it easy to exploit the recently announced flaw in RPC found on Microsoft DNS Servers.

Those using best practices to firewall inbound connections to ports not explicitly needed should be protected. People who have Windows servers at colocation facilities or who use ISPs to host services where the ISPs don't have gateway firewalls set up are at risk.

Among the circulating exploits is an exploit module for Metasploit.

We're also beginning to see variants on established worms, in particular the Rinbot/Nirbot worm, taking advantage of this exploit. This behavior means that unprotected machines will likely be found soon, so please make sure you are following all of the suggestions in the Microsoft Advisory as well as following firewall best practices.

Note from the sponsor: the new worms are detected and stopped by the Gateway AntiVirus Softpak, while attempts to exploit the DNS RPC flaw are detected and stopped by the Intrusion Prevention Softpak. The InstaGate firewall is also instrumental in defending against this vulnerability.

Friday, April 13, 2007

New Microsoft DNS Server Exploit

There is an exploit in the wild, although not yet public, that takes advantage of a flaw in RPC on Windows DNS Server. Microsoft has issued a security advisory with some recommendations on how to protect your computers while waiting for a patch from Microsoft.

Here is a list of affected operating systems:

  • Windows 2000 Server Service Pack 4

  • Windows Server 2003 Service Pack 1

  • Windows Server 2003 Service Pack 2

The best advice from Microsoft on this issue at the moment is to disable RPC capability for DNS servers by changing a registry value. From Microsoft's advisory:

  1. On the start menu click 'Run' and then type 'Regedit' and then press enter.
  2. Navigate to the following registry location:

  3. On the 'Edit' menu select 'New' and then click 'DWORD Value'

  4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.

  5. Double click on the newly created value and change the value's data to '4' (without the quotes).

  6. Restart the DNS service for the change to take effect.

And you should make sure you are blocking all unsolicited traffic on ports over 1024. In fact, you should block all unsolicited incoming traffic period. Use personal firewalls on individual machines and gateway firewalls between your machines and the Internet.

TCL Episode 7 - April 13th, 2007

The seventh episode of Threat Center Live is now online. You can subscribe to the feed via iTunes, via your favorite pod catching software, or you can listen to this episode directly using the link at the bottom of this post.

This episode covers the following threats and security news:

Microsoft Patch Tuesday: Client/Server Runtime Subsystem, UPnP, MS Agent, and Content Management Server. Also: new Word exploits and Windows help files. Apple's Airport Base Station, Oracle, Winamp, eIQ Networks Enterprise Security Analyzer, Kaspersky Anti-Virus, Symantec's Enterprise Security Manager, MIT's Kerberos package, including the telnet daemon, various Cisco wireless products, and a new version of the "storm worm."


Thursday, April 12, 2007

New Worm, More Social Engineering

The Internet Storm Center is reporting a new worm making the rounds. It may be a variant of the "Storm Worm" (we use the word worm loosely here) and it is being detected as Nuwar/Zhelatin.

It's worthy of note chiefly because of the social engineering tricks it is using. The subjects of the e-mails include:

"Worm Alert!"
"Worm Detected"
"Virus Alert"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Dream of You"
"Virus Activity Detected!"

And the e-mail tries to trick users into opening the encrypted zip attachment (the password is displayed inside an image) by convincing them that the attachment will protect them from the worm. It's a true trojan horse pretending to be a gift. Be suspicious of e-mail gifts.

This worm is also of note because of the encrypted zip. This is not new ground and is in fact an old trick. A number of virus scanners have the option of blocking encrypted zip files, but most gateway devices will not block encrypted zip files due to the high number of false positives and legitimate encrypted zip files. Your desktop antivirus solution is the best thing to protect you here. That and common sense.

Note from the sponsor: eSoft's Desktop AV and Intrusion Prevention Softpaks protect customers from this threat.

Tuesday, April 10, 2007

Apple Airport Base Station Vulnerability

Versions of Apple's Airport Base Station -- Apple's wireless access point product -- with 802.11n capabilities are vulnerable to a flaw that could allow unauthenticated wireless users to inject traffic into the network. Apple has released a firmware update to fix the problem.

802.11n is an emerging standard for wireless communications that is much faster than other commercially available wireless protocols. Apple is pushing 802.11n in order to wirelessly push movies to TVs through their Apple TV product.

Note that if you haven't updated the firmware on your base station in a while (six months or more) you probably aren't vulnerable.

Microsoft's April Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Today Microsoft released 5 advisories that impact all of their operating systems. Of highest concern are those that can be exploited remotely, and of these, there were three. Here's the summary:

  • MS07-018 -- Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

    Microsoft's Content Management Server, which allows users to "quickly deploy scalable, reliable and dynamic personalized e-business web sites," can be compromised via a "crafted HTTP request." Users of MCMS are advised to make their sites Read Only until they apply the related patch.

  • MS07-019 -- Vulnerability in Universal Plug and Play Could Allow Remote Code Execution

    Universal Plug and Play is a technology intended to make it easy for computers and devices to interact with limited manual configuration. It's frequently used to configure port forwarding on routers, and peer-to-peer networking of PCs.

    This bug affects all versions of Microsoft Windows XP through Service Pack 2. The built-in firewall on XP SP2 will restrict attacks to the local network segment. A properly configured firewall between the vulnerable computer and the Internet will stop attacks exploiting this vulnerability. To make sure your firewall prevents these attacks, check your settings and see if UDP port 1900 and TCP port 2869 are blocked.

    Update: although Microsoft's advisory says only XP is affected, reports are coming in saying that Windows 2000 is affected as well.

  • MS07-020 -- Vulnerability in Microsoft Agent Could Allow Remote Code Execution

    Remember that annoying animated paper clip that used to show up when you opened a Microsoft Office document? That's the Microsoft Agent and it's still around. It can be used by any application or web site to provide an interactive question and answer dialog. Unfortunately, it can also be used by a malicious website to run arbitrary code on a user's system.

    Internet Explorer 7 is not affected. All operating systems with Internet Explorer 6 or below are vulnerable. To work around the vulnerability, disable Microsoft Agent by following the instructions in the advisory, or install the patch or update to IE 7.

  • MS07-021 -- Vulnerabilities in CSRSS Could Allow Remote Code Execution

    CSRSS is the Windows Client/Server Run-time Subsystem (winsrv.dll). It's a core part of the operating system on all versions of Windows from 2000 through Vista. This vulnerability has had exploits in the wild since December 2006. Luckily, most of the exploits for this are local privilege escalation exploits, meaning that malicious software already running on a system can use this vulnerability to gain full control of it. However, Microsoft says that there are remote exploitation vectors that are exploitable by malicious websites. Although more details on this attack vector are not yet public, it is likely that it won't be long before we see code that remotely exploits this vulnerability. We'll keep an eye out for this.

    Also in this advisory are another local privilege escalation and a denial of service involving the Client/Server Run-time subsystem.

  • It should be mentioned that the recent MS07-017 advisory (the ANI file format vulnerability) was supposed to be announced today, but was announced and released a week early due to widespread exploitation.

Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from remote exploitation of the vulnerabilities announced today.

Monday, April 9, 2007

ThreatLevel Returned to Normal

Microsoft's release of an out-of-schedule patch for the .ANI bug has helped the threat abate. While malicious .ANI files are still being seen actively in the wild, the available patch and widespread antivirus signature coverage has caused us to lower the Threat Level to more normal levels of awareness.

Microsoft Patch Tuesday is tomorrow. Let's hope there are no big surprises.

Tuesday, April 3, 2007

TCL Episode 6 - April 3rd, 2007

The sixth episode of Threat Center Live is now online. You can subscribe to the feed via iTunes, via your favorite pod catching software, or you can listen to this episode directly using the link at the bottom of this post.

This episode covers the following threats and security news:

Animated Cursor files, Cisco VOIP, Brightstor ARCserve, and OpenOffice.

Apologies for lower sound quality and the scratchy voice on this one.


Sunday, April 1, 2007

Raised ThreatLevel Due To Widespread 0-day ANI Exploit

The ANI vulnerability is going from serious to very serious. The Threat Center Threat Level has been raised and will remain raised until the threat subsides or official patches are available.

Variants on the ANI exploit are circulating very fast and already one worm has been detected that takes advantage of this exploit to infect web pages (.htm, .html, .aspx, .php, .jsp, etc.) and executable files.

There is no workaround for this vulnerability, but both the Zero-day Emergency Response Team (ZERT) and eEye Security have released unofficial patches that can be used to reduce the risk for machines while we wait for an official patch from Microsoft. Note that we have not tested these patches thoroughly and are not endorsing them.

Update: Microsoft's blog says that they plan to release an emergency patch to fix this vulnerability on Tuesday, April 3rd. Stay tuned.

Note from the sponsor: eSoft's Gateway Anti-Virus and Intrusion Prevention products protect customers from this vulnerability. However, laptops infected with a worm while not being protected by an eSoft Gateway could potentially infect the network. Please be sure to virus scan any laptop computers before allowing them to connect to your local network.

Thursday, March 29, 2007

Microsoft ANI Exploit Circulating

Microsoft's animated cursor files, which normally end with the extension ANI, are being used to take over Microsoft Windows systems. The vulnerability was not known until it was found being actively exploited in the wild. It is being delivered via e-mail and websites, and simply previewing a message with an attached file or visiting a malicious or compromised website will cause arbitrary code to be run on the system.

This is extremely serious.

Other points to note:

The file does not have to have a .ANI extension. If the file has a .JPEG extension, the exploit still works. Several exploit implementations already are using this technique to bypass filters.

All versions of Windows from 95 through Vista and all versions of Internet Explorer and Outlook and Outlook Express are vulnerable.

Windows Explorer, when not in "classic" mode, will cause the code embedded in the ANI file to be run when you browse to the containing directory.

Putting a malicious ANI file on the desktop in Windows Vista reportedly causes the machine to enter into an infinite crash and reboot cycle.

Note from the sponsor: Customers of eSoft's Gateway Antivirus are protected from this exploit.

Monday, March 26, 2007

Windows Meeting Space in Vista

From the National Vulnerability Database:

DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port.

In other words, if you're running Vista and using Meeting Space, use extreme caution. At this time, there are no known workarounds, but I expect firewalling port 5722 when you aren't using it would go a long way toward mitigating the problem.

Tuesday, March 20, 2007

TCL Episode 5 - March 20th, 2007

The fifth episode of Threat Center Live is now online. You can subscribe to the feed via iTunes, via your favorite pod catching software, or you can listen to this episode directly using the link at the bottom of this post.

This episode covers the following threats and security news:

Windows 2003 SP2, IE7 URL Spoofing, Apple update, WarFTP, Trend Micro, Cisco XSS, OpenBSD IPv6, Allaple worm, Month of Myspace Bugs.


Sunday, March 18, 2007

Google Search Reveals Thousands of Hacked Websites

This week HD Moore released a more generic version of an exploit for the PHP programming language. Hundreds if not thousands of PHP-driven web applications are affected. If you run a PHP v4-driven web application, check to be sure that there is no code that unserializes POST or COOKIE data.

In the exploit announcement, HD Moore pointed out a Google search looking for hacked installations of the PHP forums system, phpBB. This is one of the applications vulnerable to the released exploit. A search for web pages with "Powered by phpBB" and "hacked by" returns a list of about 515,000 hacked websites. All of these websites, many of which belong to non-profit organizations, are likely trusted by visiting users. This trust could easily be abused by the hackers to deliver malware, steal passwords, identities, and more.

Friday, March 16, 2007

Cisco XSS

From Cisco's Security Responses blog:

A cross-site scripting (XSS) vulnerability in the online help system distributed with several Cisco products has been independently reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt. The vulnerability would allow an attacker to execute arbitrary scripting code in a user's web browser if the attacker is successful in enticing the user to follow a specially crafted, malicious URL.

We recommend that you avoid clicking links in e-mails and instead navigate manually to the referred website. I know this is a hardship and an annoyance, but threat trends lately lean heavily towards a combination of social engineering and malicious URLs. It's very possible for a malicious person to send you an e-mail purporting to be from Cisco or Amazon or Paypal with the sole purpose of getting you to click a link that will allow the attacker to steal your personal data or install malicious software on your computer.

Thursday, March 15, 2007

Core Security Team finds bug in OpenBSD

OpenBSD is considered one of the most secure operating systems because of the approach taken to writing it: every bit of code is audited before it is released. This is only the second severe bug in the history of OpenBSD, but it is a big deal. The Core Security team educated the OpenBSD team on how crashes in the kernel can be exploited.

Basically, the OpenBSD team insisted that the worst that could happen was that the system would crash. The Core team insisted that they shouldn't make that assumption, then took up the challenge and worked up a proof-of-concept exploit.

Here's the summary: a malformed IPv6 packet can be sent to an OpenBSD system causing arbitrary code to run on that system.

The fix: disallow IPv6 traffic using a firewall in front of the OpenBSD system or the firewall rules on the system itself. And better than either of those solutions is to update your kernel, which requires applying a patch.

In my opinion, IPv6 implementations on all operating systems have not undergone the kind of testing that IPv4 implementations have and are therefore a security risk. If you don't specifically use IPv6, you should seriously consider blocking it at your firewall.

Sunday, March 11, 2007

TCL Episode 4 - March 11th, 2007

The fourth episode of Threat Center Live is now online. You can subscribe to the feed via iTunes, via your favorite pod catching software, or you can listen to this episode directly using the link at the bottom of this post.

This episode covers the following threats and security news:

Daylight Savings Time problems, Wordpress, Apple Quicktime, Microsoft Patch Tuesday, Microsoft OneCare, GnuPG, Kaspersky, and PHP.


Thursday, March 8, 2007

March Patch Tuesday Magic

*Poof*! MS Patch Tuesday has disappeared. Microsoft's security response center blog has this to say:


This is Christopher Budd and it’s the Thursday before the Second Tuesday for March 2007.

As we do each month at this time, we’ve posted our Advance Notification for the upcoming security bulletin release.

For the month of March 2007, we will not be releasing any new security updates on March 13, 2007.

I'm flabbergasted. Perhaps they should look again at the SANS list of unpatched vulnerabilities or the eEye zero-day tracker. There are bugs that need fixing, folks, and hackers aren't taking the month off.

[Note: the original title of this post was mistakenly "April Patch Tuesday Magic."]

Wednesday, March 7, 2007

Dangers of Microsoft OneCare

It's been a bad week for Microsoft (if only I had a nickel for every time I've said that) OneCare. OneCare is Microsoft's antivirus product and it's been hit with two high-profile pieces of bad news. First, in a recent roundup of antivirus software, Microsoft scored the lowest overall with a detection rate of only 82% of the tested malware. For comparison, here's a sampling of some of the other big names and their detection percentages:
  • AVK: 99%
  • Avira: 98%
  • Kaspersky: 97%
  • F-Secure: 97%
  • AVG: 96%
  • Symantec: 96%
  • Norman: 93%
  • McAfee: 91%

A short time ago OneCare was embarrassed when the VirusBulletin group refused to certify it.

And now PC Magazine is reporting this:

If you get a virus in an email message received by Outlook, OneCare's next virus sweep may quarantine or delete your entire email store. If you receive a virus via Outlook Express OneCare may quarantine or delete the entire folder containing the virus.


Make sure you have a good gateway antivirus solution and are only using OneCare as part of a suite of antivirus tools.

[Note from the sponsor: eSoft's Gateway Antivirus Softpak and Desktop Antivirus together provide businesses full antivirus protection.]

Tuesday, March 6, 2007

Podcast Beginnings - TCL 3/2/07

Threat Center Live was launched as a video podcast. We haven't released any videos yet (we're getting there), but today we're going to start with the audio podcasts. The March 2nd podcast is attached to this post. It's a 5 minute update on the latest threats that should concern network administrators and power users. Actually, they should concern everybody, but I think we can realistically assume that your average computer user's eyes will glaze over when you tell them there's a new Oracle exploit making the rounds.

Here's the summary of this episode: Solaris worm, MS Office vulnerabilities, Security Software Gone Wild (Trend Micro, Microsoft, Cisco, Sourcefire, Secunia, Symantec, and Kaspersky), Oracle, Firefox, Internet Explorer, and a new storm worm variant.

You can subscribe to the podcasts via iTunes or using a feedburner link on the right side of the blog.


QuickTime Security Fixes

Apple has released updates to its QuickTime software that include security fixes for both the Windows and Mac versions. We consider this critical as the number of people running QuickTime software is large. Here's a summary of the issues (full details can be found on Apple's site):

  • Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution (OS: Windows Vista/XP/2000)

  • Viewing a maliciously-crafted MIDI file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

  • Viewing a maliciously-crafted QuickTime movie file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

  • Viewing a maliciously-crafted PICT file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

  • Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

Monday, March 5, 2007


Yet Another Paypal Phishing Attempt.

PayPal continues to be the darling of phishers, with another phishing attempt released today worth reporting on. PhishTank's February stats show 2,511 phishing attempts against PayPal in the month of February, making it the most targeted website of February. Other top targets include eBay, Bank of America, Fifth Third Bank, and Barclays Bank.

This attempt appears to pass login credentials through the phishing site to PayPal and to accurately report successful and failed logins. The site also does a good job of looking like PayPal.

The e-mail subject is "PayPal Account Possible Fraud - Notification." It goes on to say, "You have received this email because your account has been used from different locations by you or someone else." It also says, "we require you to confirm your banking details." (Emphasis added; this is where you should be suspecting funny business.) Finally it warns that the user has 48 hours to follow up or their account will be suspended. Here's an image of the original mail:

As always, use extreme skepticism whenever being asked for account information of any kind.

Sunday, March 4, 2007

New Warezov Virus

F-Secure is reporting a new Warezov variant that spreads with a clever bit of social engineering. Here's an excerpt from the e-mail being sent:

Our robot has fixed an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have patches at the moment. We recommend you to install a firewall module and it will stop e-mail sending. Otherwise your account will be blocked until you do not eliminate malfunction.

If you receive an e-mail like this, do not open the attachment. Get the full details from the F-Secure blog.

Wordpress Backdoored

Version 2.1.1 of Wordpress has been backdoored. That is to say, a hacker got into a wordpress.org server and modified some files to give them full access to any web server running that version of Wordpress. Check to see if you're running 2.1.1 and if you are, upgrade to 2.1.2 right away. For more information, see the full disclosure at wordpress.org.

[Note from the sponsor: eSoft's Intrusion Prevention Softpak protects users from the hacked version of Wordpress.]

Thursday, March 1, 2007

Solaris Telnet Worm

A couple of weeks ago in our first blog post we mentioned a vulnerability in Sun's telnet service that would easily allow a hacker to gain full control of a system running an unpatched version of telnet. A couple of days ago we were made aware of a worm exploiting this vulnerability. We're not worried for the following reasons:

1) We expect the number of people still running publicly available telnet servers to be quite low. And the number of people running publicly available telnet servers on the Solaris platform even lower.

2) Solaris administrators tend to be more aware of security patches than your typical Windows user, so with two weeks between Sun's patch release and the worm, we expect most vulnerable systems are updated.

3) Most IPS systems should have signatures for the exploit by now.

The media has got wind of the story and is starting to make some noise about the big bad worm. So far it seems to be pretty harmless:

DShield.org collects firewall logs from about 20,000 firewalls around the world. They crunch this data and plot charts that are pretty interesting. Port 23 is the telnet service and this is the chart as of this morning:

As you can see, the number of target machines (machines that have been scanned for an open telnet service) has increased quite a lot, but the number of source machines (machines attempting the scans and possibly infected with a worm) has held steady at about 500 per day, with the exception of a quick spike right after the vulnerability was announced and before the worm (or worms) hit the scene.

But just in case we're wrong and one of these worms takes off, we'll repeat ourselves: firewall port 23, disable the telnet service (use ssh instead), and patch your machines.

[Note from the sponsor: eSoft's Intrusion Prevention Softpak has protected customers from the Solaris telnet exploit since the announcement of the exploit.]

Tuesday, February 27, 2007

Bad Week For Symantec

Symantec's having a tough week. First an ActiveX component developed by SupportSoft that Symantec uses in its products was found to have multiple vulnerabilities that could allow an attacker to compromise a user's computer by way of a malicious website. Affected Symantec products: Norton AntiVirus, Norton Internet Security, System Works, and Automated Support Assistant. To their credit, they are protecting their antivirus customers by releasing virus signatures that attempt to catch exploits of the flaws.

As if that weren't bad enough, the SEC has announced that Symantec's servers were hacked by a small trading company called Blue Bottle, who used their access to the servers to get advance notice of press releases and then trade Symantec stock with that insider knowledge. It's just never good when a security company's own servers are hacked. In addition to Symantec, 11 other US firms, including Real Networks were compromised giving Blue Bottle over $2.7m in profits.

Yahoo Ditches SPF?

This blows my mind. Yahoo has no Sender Policy Framework DNS record. I believe that they did have it for awhile (someone correct me if I'm wrong). This means that people can once again spoof Yahoo e-mail addresses when sending spam and fraudulent e-mails.

Here's how SPF is defined on Wikipedia:

In computing, Sender Policy Framework (SPF) is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.

SPF is an admittedly imperfect technology, but it's simple to implement and can drastically cut down on spam and fraudulent e-mails. Of the major e-mail providers (Microsoft, Google, AOL, and Yahoo), only Yahoo doesn't have an SPF record.

So why would Yahoo ignore this? Yahoo is pushing for a different solution to the problem of forged e-mails called DomainKeys. Here's the definition on Wikipedia:

DomainKeys is an e-mail authentication system (developed at Yahoo!) designed to verify the DNS domain of an E-mail sender and the message integrity. The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail (DKIM).

Yahoo's scheme also has flaws, but could also work well if widely deployed, although few sites currently use it. Now here's the rub: the two schemes are not mutually exclusive. That is, you could implement both SPF and DomainKeys with no problem. So why hasn't Yahoo implemented SPF?

Well, their own mail servers will reject mail pretending to be from yahoo.com but originating from another location, so their users are protected from the spoofing of yahoo.com e-mail addresses. Yahoo presumably hopes that other people, bothered by spoofed yahoo.com e-mails, will be pushed to adopt Yahoo's DomainKeys technology.

This is a dirty trick. DomainKeys is a good idea, but it is more difficult to implement and adds a large burden to mail servers for both incoming and outgoing mail. SPF is lightweight and easy to implement. And more importantly, they can coexist.

So what's the deal, Yahoo? Why not enable DomainKeys and SPF on your domain?

For more information on Sender Policy Framework, visit the OpenSPF site. And if you manage a domain, be sure to use the wizard to help you determine what your SPF record should be and how to add it to your domain.
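To make concrete what a receiving mail server actually does with an SPF record, and what the "no record" situation described above means for it, here is a small SPF evaluator added for this post (not code from the blog, OpenSPF or Yahoo). It works over constructed zone data instead of live DNS and supports only the ip4, ip6, a, include and all mechanisms.

```python
import ipaddress

# Constructed zone data for the example (not real DNS records). A receiving
# mail server would normally fetch these with TXT and A lookups.
FAKE_DNS = {
    "example-bank.test": {
        "txt": "v=spf1 ip4:192.0.2.0/24 a include:_spf.mailhost.test -all",
        "a": ["198.51.100.7"],
    },
    "_spf.mailhost.test": {"txt": "v=spf1 ip4:203.0.113.0/25 ~all"},
    # A domain that publishes no SPF record at all: the situation the post
    # describes for yahoo.com.
    "no-spf.test": {},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    txt = FAKE_DNS.get(domain, {}).get("txt")
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF policy of `domain` (the MAIL FROM domain) against the
    IP address that connected to us.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:  # cap on include recursion, so a looping policy cannot hang us
        return "permerror"
    record = spf_record(domain)
    if record is None:
        # No policy published: the receiver has nothing to reject forged
        # MAIL FROM addresses against.
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # 'in' is False when the address families differ, so an IPv6
            # sender never matches an ip4 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            host = arg or domain
            matched = str(ip) in FAKE_DNS.get(host, {}).get("a", [])
        elif mech == "include":
            # Only a 'pass' from the referenced policy counts as a match;
            # its softfail/fail/none results fall through to the next term.
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            continue  # mx, ptr, exists: not implemented in this example
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no term matched and the record had no 'all'


if __name__ == "__main__":
    for dom, ip in [("example-bank.test", "192.0.2.10"),
                    ("example-bank.test", "203.0.113.200"),
                    ("no-spf.test", "192.0.2.10")]:
        print(f"{dom:22} {ip:16} -> {check_spf(dom, ip)}")
```

A domain with no record yields "none" for every sender, which is exactly why a missing record lets anyone spoof it without the receiver being able to tell.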

Friday, February 23, 2007

Critical Firefox Update

The Mozilla folks have released a new version of Firefox that fixes several security flaws. Among the flaws is a widely publicized and easily exploited flaw that allows the theft of cookies from other websites. The theft of these cookies could allow a malicious person to log in to websites that you visit, such as online banking websites. We recommend you upgrade as soon as possible. To see your version of Firefox, enter "about:" into the URL bar (without the quotes).

To update Firefox, go to the "Help->Check for updates..." menu or follow this link.

[Note from the sponsor: eSoft's Intrusion Prevention Softpak protects users from exploits of the mentioned flaw.]

Thursday, February 22, 2007

Wells Fargo Phishing Alert

A new phishing scam targeting Wells Fargo customers is just hitting inboxes. The e-mail is titled "Update your Wells Fargo Account" and contains a link to http://www.wellsfargo.com.update.fr.nf. If you follow that link, you will be redirected to www.accent.dp.ua.

The site looks like this in Firefox:

If you receive e-mail from your bank, never click on links within the e-mail or call phone numbers given in it. Instead, use an independent means to look up the phone number or navigate to the website. Never enter your social security number. And if anything looks at all suspicious, don't fill out any forms.
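The URL in this scam is built to pass the check people do in their heads ("it says wellsfargo.com, so it must be the bank"). The small Python script below, an added example and not part of the original alert, puts that naive test next to the check a mail filter or a careful user should actually make: anchor the comparison at the right-hand end of the parsed hostname. The first URL is the one quoted in the alert; the other sample links are constructed variants of the same trick.

```python
"""Does a link really point at the bank's domain?

Added example, not part of the original alert. Only the standard library is
used. The first sample URL is the one quoted in the alert; the others are
constructed variants of the same trick so the two checks can be compared.
"""
from urllib.parse import urlsplit


def naive_check(url, expected_domain):
    """The test the phisher is counting on: 'does the bank's name appear?'"""
    return expected_domain.lower() in url.lower()


def hostname_belongs_to(url, expected_domain):
    """True only if the URL's host is expected_domain or a subdomain of it.

    Ownership in DNS is decided from the right-hand end of the name. In
    www.wellsfargo.com.update.fr.nf the registrant controls fr.nf; the
    familiar labels on the left are decoration. So the comparison is
    anchored at the end of the parsed hostname, on a label boundary, and is
    made on the host rather than on the raw URL string, which also defeats
    user@host and look-alike-prefix variants.
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


# Constructed test set; only the first URL comes from the alert itself.
SAMPLE_LINKS = [
    "http://www.wellsfargo.com.update.fr.nf",       # quoted in the alert
    "http://www.wellsfargo.com@203.0.113.7/login",  # userinfo trick (constructed)
    "http://notwellsfargo.com/",                    # look-alike prefix (constructed)
    "https://online.wellsfargo.com/login",          # real subdomain shape (constructed)
]


def triage(links, expected_domain="wellsfargo.com"):
    """Return {url: (naive_verdict, hostname_verdict)} for a batch of links."""
    return {u: (naive_check(u, expected_domain),
                hostname_belongs_to(u, expected_domain))
            for u in links}


if __name__ == "__main__":
    for url, (naive, proper) in triage(SAMPLE_LINKS).items():
        print(f"{'OK ' if proper else 'BAD'}  naive={naive!s:5}  {url}")
```

Note the dot in `"." + expected`: without it, notwellsfargo.com would pass, because it does end with wellsfargo.com.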

Google Desktop Compromise Demonstration

Watchfire has put together a really nice demonstration on the dangers of cross site scripting and in particular on some Google Desktop vulnerabilities:


Lowered ThreatLevel, New Word 0-day, and More Security Program Flaws

Just a quick note that eSoft has lowered the Threat Level back to normal after the exploits expected for the flaws disclosed on last week's Patch Tuesday failed to materialize. If exploits appear, the Threat Level will be re-raised.

In other news, Microsoft is warning of a new flaw in Microsoft Word that is being exploited in the wild on a limited, targeted basis. Few details are available at this time, but it leaves us wondering how long until this flaw will be fixed. Microsoft's recent track record at fixing flaws in Word that have exploits in the wild is very, very bad with the average response time being around 2 months.

Finally, we continue to be amused by the discovery of flaws in programs that are intended to enhance security. Trend Micro's ServerProtect web interface has a very easily exploited authentication bypass: an attacker only needs to supply a cookie with a particular name to be let into the web interface without logging in. We recommend you block external access to TCP port 14942, the default port for ServerProtect's web console.

Of less consequence is a local privilege escalation in Cisco Secure Services Client 4.x, Cisco Security Agent (CSA) 5.x, and Cisco Trust Agent 1.x/2.x. Secure services? Apparently not. Better go update.

[Note from the sponsor: eSoft's Intrusion Prevention Softpak protects users from the flaw in Trend Micro's ServerProtect product.]

Tuesday, February 13, 2007

Network Security Nightmare Week

What a week for computer security! The eSoft Threat Level has been raised from low yellow to solid orange due to a number of threats of concern to network administrators that are considered extremely critical. Here's an overview of the major threats Threat Center is tracking:

First there's the telnet vulnerability in Solaris 10 and 11. This is at the moment an unpatched vulnerability that will allow anyone to telnet into a Solaris system as root without any kind of authentication. Even scarier, the exploit doesn't require any special tools but can be accomplished with a standard telnet client. If you're running Solaris and have telnet enabled, turn on SSH, turn off telnet, and make sure it never starts up again. And while you're at it, block incoming TCP port 23 at your firewall to avoid all telnet traffic.

It always gets our attention when security products meant to protect you put you at risk. This week we've had a trifecta of these issues. Early in the week we became aware of a vulnerability in Trend Micro's antivirus engine where scanning a malicious UPX-encoded executable file could compromise a system. Now we learn that Microsoft's antivirus engine has its own vulnerability where a malicious PDF file being scanned could compromise a system. Exploits of the vulnerabilities will give the exploiter Administrator privileges. Finally, Cisco IOS IPS has a series of issues that could allow a hacker to take down your IPS box. This is the most recent in a series of Cisco issues that, luckily, we still haven't seen public exploits for. Don't hold your breath though.

Today is Patch Tuesday and in addition to announcing the antivirus scanner bug above, Microsoft has fixed a number of known vulnerabilities, and several unknown ones. The best news is that the growing handful of Microsoft Office vulnerabilities with exploits in the wild have finally been fixed. We've been waiting months for these fixes. Unfortunately, we have new things to worry about.

First, let's talk about Internet Explorer. The HTML Help ActiveX control has a fresh vulnerability. This isn't the first time Microsoft has recommended disabling the HTML Help ActiveX control in Internet Explorer due to security problems and if you didn't do it last time, you might want to do it this time. If you have a group policy editor, you can disable it on a bunch of machines. If you have an Intrusion Prevention System, check to see if there are rules to detect and stop this ActiveX component.

Microsoft Data Access Components in Internet Explorer also have a fresh vulnerability. Like the HTML Help ActiveX control, I'm having deja vu on this one. You'll have to think a little bit longer before deciding to block due to its widespread use in rich content internet applications, but if you can't enforce an immediate update of all of your site's computers, then block it and worry about consequences later. Better to have some annoyed users because of your policy than because their computer is mysteriously slow due to its raging malware infection.

Finally, we have one of the scariest batches of ActiveX Internet Explorer bugs I've ever seen. There are two "COM Object Instantiation" vulnerabilities that will allow an attacker to exploit any ActiveX object (DLL, OCX, etc.) that wasn't specifically intended to be used in Internet Explorer. And because these vulnerabilities were reported to Microsoft by H.D. Moore, founder of the Metasploit project, we expect proof-of-concept exploits to be published any time now. For some reason that I don't quite understand, Microsoft is recommending the blocking of a handful of ActiveX objects in particular; apparently these are especially susceptible to the exploit. To find the CLSIDs to block, dig into the FAQ section of the MS07-016 security bulletin.

Microsoft released three separate patches for issues involving MFC (a framework for developers used in many Windows applications), OLE (object linking and embedding -- have you ever put an Excel document in the middle of a Word document? that's OLE), and RichEdit. Although it sounds like it may have wider implications, Microsoft is currently telling us that the attack vectors for these problems all center around RTF files with embedded content. Go pester your antivirus vendor and see if they'll add support for blocking RTF files with embedded content. And while you're at it, you may want to start blocking RTF files at your mail gateway.

Of the Patch Tuesday vulnerabilities, I've saved the scariest for last. MS07-016 also fixes a problem where a malicious FTP server could compromise a computer. Now, on the face of it, this doesn't sound too bad, but consider that almost every Windows application that accesses files via FTP uses the wininet library to do it, and this is the library with the vulnerability. Now consider the fact that Outlook and Outlook Express will automatically fetch files off of an FTP server if an e-mail references them. If an HTML e-mail is spammed out and it has html like <img src="ftp://badserver/somefile.gif" /> in it, then badserver can take control of the computer. Microsoft recommends that you only view e-mails as text until you've patched your system. The good news is that there isn't a public exploit available at this time. The bad news is that this affects all versions of Internet Explorer from 5 through 7, Outlook, Outlook Express, and all versions of Windows. And exploits will be here soon. The guys at iDefense who discovered this in May of 2006 have given enough details for people to figure it out.
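Both of the mail-borne vectors above, RTF files with embedded content and HTML mail that makes the client fetch something over ftp://, can be spotted at the gateway before a client ever renders the message. The Python script below is an added example (not eSoft's product code and not Microsoft's guidance) of such a pre-filter: it walks a MIME message with the standard library and reports HTML parts whose auto-fetched attributes use an ftp: URL, and RTF attachments that contain an embedded-object group. The three sample messages are constructed inline and the hostnames in them are made up.

```python
"""Gateway pre-filter for the two mail-borne vectors in this post.

Added example; it is not eSoft's product code or Microsoft's guidance. Using
only the standard library it walks a MIME message and reports
  * HTML parts that make the client fetch a resource over ftp:// (the
    wininet vector), and
  * RTF attachments that carry an embedded object (the MFC/OLE/RichEdit
    vector).
The sample messages are constructed inline; the hostnames are made up.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Attributes a mail client fetches automatically while rendering HTML.
AUTO_FETCH_ATTRS = {"src", "background", "data"}
# RTF control words that introduce embedded (OLE) objects.
RTF_EMBED_WORDS = (b"\\object", b"\\objemb", b"\\objclass", b"\\objdata")


class FtpRefFinder(HTMLParser):
    """Collect (tag, url) pairs whose auto-fetched attribute uses ftp:."""

    def __init__(self):
        super().__init__()
        self.ftp_refs = []

    def handle_starttag(self, tag, attrs):          # also reached for <img ... />
        for name, value in attrs:
            if name in AUTO_FETCH_ATTRS and value and value.strip().lower().startswith("ftp:"):
                self.ftp_refs.append((tag, value.strip()))


def ftp_references(html_text):
    """Return every (tag, url) in html_text that a client would fetch over ftp."""
    parser = FtpRefFinder()
    parser.feed(html_text)
    parser.close()
    return parser.ftp_refs


def rtf_has_embedded_object(data):
    """True for an RTF document that contains an embedded-object group."""
    return data.lstrip().startswith(b"{\\rtf") and any(w in data for w in RTF_EMBED_WORDS)


def scan_message(raw):
    """Return the list of findings for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        if ctype == "text/html":
            for tag, url in ftp_references(part.get_content()):
                findings.append(f"html <{tag}> fetches {url}")
        elif ctype in ("application/rtf", "text/rtf") or name.lower().endswith(".rtf"):
            if rtf_has_embedded_object(part.get_payload(decode=True) or b""):
                findings.append(f"rtf attachment {name!r} contains an embedded object")
    return findings


def build_samples():
    """Three constructed messages: benign, ftp:// image, RTF with an object."""
    benign = EmailMessage()
    benign["Subject"] = "Meeting notes"
    benign.set_content("plain text only")

    ftp_mail = EmailMessage()
    ftp_mail["Subject"] = "Special offer"
    ftp_mail.set_content("see the HTML part")
    ftp_mail.add_alternative(
        '<html><body><img src="ftp://badserver.test/somefile.gif" /></body></html>',
        subtype="html")

    rtf_mail = EmailMessage()
    rtf_mail["Subject"] = "Invoice"
    rtf_mail.set_content("invoice attached")
    rtf_doc = (b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objclass Package}"
               b"{\\*\\objdata 01050000}}\\par }")
    rtf_mail.add_attachment(rtf_doc, maintype="application", subtype="rtf",
                            filename="invoice.rtf")
    return [m.as_bytes() for m in (benign, ftp_mail, rtf_mail)]


if __name__ == "__main__":
    for raw in build_samples():
        subject = email.message_from_bytes(raw, policy=policy.default)["Subject"]
        print(subject, "->", scan_message(raw) or ["clean"])
```

The RTF check is deliberately a substring match on the control words rather than a real RTF parse; that is the right trade-off for a gateway that only needs to decide whether to quarantine, and it is what "blocking RTF files with embedded content" amounts to in practice.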

This is my first post to the ThreatCenter Live blog and it's far longer than I expect the average post to be, but we've got quite a lot of news to share. The eSoft Threat Level will remain at its elevated position for a few days to raise awareness of these issues. Assuming no exploits start hitting and being widely used in the next few days (which very well may happen with the FTP vulnerability in particular), we will lower the threat level back down.

[Note from the sponsor: eSoft's Intrusion Prevention, Gateway AntiVirus, and Gateway AntiSpyware Softpaks together protect users from all of the above mentioned vulnerabilities except for the Cisco IOS IPS issue.]