Thursday, March 29, 2007

Microsoft ANI Exploit Circulating

Microsoft's animated cursor files, which normally end with the extension .ANI, are being used to take over Microsoft Windows systems. The vulnerability was not known until it was found being actively exploited in the wild. It is being delivered via e-mail and websites, and simply previewing a message with an attached file or visiting a malicious or compromised website will cause arbitrary code to be run on the system.

This is extremely serious.

Other points to note:

The file does not have to have a .ANI extension. If the file has a .JPEG extension, the exploit still works. Several exploit implementations are already using this technique to bypass filters.

All versions of Windows from 95 through Vista and all versions of Internet Explorer and Outlook and Outlook Express are vulnerable.

Windows Explorer, when not in "classic" mode, will cause the code embedded in the ANI file to be run when you browse to the containing directory.

Putting a malicious ANI file on the desktop in Windows Vista reportedly causes the machine to enter into an infinite crash and reboot cycle.
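Because the extension can be anything, a gateway or mail filter has to recognise an animated cursor by its bytes, not its name. The following is an added example written for this post, not code from the original page or from any vendor: it identifies an ANI file by its RIFF container header with the "ACON" form type and flags attachments whose declared extension does not match their content. The sample files are constructed inline; the decision labels ("block", "suspicious", "allow") are an assumption about how a filter would act on the result.

```python
import struct

# Every animated cursor is a RIFF container whose form type is "ACON":
#   bytes 0-3  "RIFF"
#   bytes 4-7  little-endian payload length
#   bytes 8-11 "ACON"
RIFF_MAGIC = b"RIFF"
ANI_FORM = b"ACON"
JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG starts with an SOI marker


def is_ani(data: bytes) -> bool:
    """True if the bytes are an animated cursor, whatever the filename claims."""
    if len(data) < 12 or data[:4] != RIFF_MAGIC:
        return False
    return data[8:12] == ANI_FORM


def declared_extension(filename: str) -> str:
    """Lower-cased extension from the filename, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def classify(filename: str, data: bytes) -> str:
    """Filter decision for one attachment (labels are an assumed policy).

    'block'      : the content is an ANI file, regardless of extension
    'suspicious' : the extension claims an image type the bytes do not match
    'allow'      : nothing in the content or name triggers the rule
    """
    if is_ani(data):
        return "block"
    ext = declared_extension(filename)
    if ext in ("jpg", "jpeg") and not data.startswith(JPEG_MAGIC):
        return "suspicious"
    if ext == "ani":
        # Named .ani but not a RIFF/ACON file: not a cursor, but worth a look.
        return "suspicious"
    return "allow"


def build_sample_ani() -> bytes:
    """Constructed minimal ANI: a RIFF/ACON container holding an empty 36-byte 'anih' header."""
    anih = b"anih" + struct.pack("<I", 36) + b"\x00" * 36
    body = ANI_FORM + anih
    return RIFF_MAGIC + struct.pack("<I", len(body)) + body


# Constructed sample inputs for the demonstration.
SAMPLE_ANI = build_sample_ani()
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"   # truncated but correctly tagged JPEG
SAMPLE_WAVE = RIFF_MAGIC + struct.pack("<I", 4) + b"WAVE"  # a RIFF file that is not a cursor


if __name__ == "__main__":
    for name, blob in [("cursor.ani", SAMPLE_ANI), ("photo.jpeg", SAMPLE_ANI),
                       ("photo.jpeg", SAMPLE_JPEG), ("photo.jpeg", SAMPLE_WAVE)]:
        print(f"{name:12s} -> {classify(name, blob)}")
```

The renamed cursor (`photo.jpeg` carrying ANI bytes) is blocked on content alone, which is the check that extension-based filters miss.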

Note from the sponsor: Customers of eSoft's Gateway Antivirus are protected from this exploit.

Monday, March 26, 2007

Windows Meeting Space in Vista

From the National Vulnerability Database:

DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port.

In other words, if you're running Vista and using Meeting Space, use extreme caution. At this time, there are no known workarounds, but I expect firewalling port 5722 when you aren't using it would go a long way toward mitigating the problem.

Tuesday, March 20, 2007

TCL Episode 5 - March 20th, 2007

The fifth episode of Threat Center Live is now online. You can subscribe to the feed via iTunes or via your favorite podcatching software, or you can listen to this episode directly using the link at the bottom of this post.

This episode covers the following threats and security news:

Windows 2003 SP2, IE7 URL Spoofing, Apple update, WarFTP, Trend Micro, Cisco XSS, OpenBSD IPv6, Allaple worm, Month of Myspace Bugs.


Sunday, March 18, 2007

Google Search Reveals Thousands of Hacked Websites

This week HD Moore released a more generic version of an exploit for the PHP programming language. Hundreds if not thousands of PHP-driven web applications are affected. If you run a PHP v4 driven web application, check to be sure that there is no code that unserializes POST or COOKIE data.

In the exploit announcement, HD Moore pointed out a Google search looking for hacked installations of the PHP forums system, phpBB. This is one of the applications vulnerable to the released exploit. A search for web pages with "Powered by phpBB" and "hacked by" returns a list of about 515,000 hacked websites. All of these websites, many of which belong to non-profit organizations, are likely trusted by visiting users. This trust could easily be abused by the hackers to deliver malware, steal passwords, identities, and more.
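One practical way to do the check the post recommends is to audit the PHP source for calls to unserialize() whose argument comes from request data. The following is an added example written for this post, not HD Moore's code or anything from the phpBB project: a small Python audit script that flags unserialize() calls fed directly from $_POST, $_COOKIE, $_GET or $_REQUEST, and also follows one hop through a variable that was assigned from one of those superglobals. The PHP sample it scans is constructed inline; the regex-based matching is a deliberate over-approximation for a review, not a parser.

```python
import re

# Request-controlled PHP superglobals whose contents must never reach unserialize().
SUPERGLOBAL_RE = r"\$_(?:POST|COOKIE|GET|REQUEST)\b"

# "$var = <anything containing a superglobal>" marks $var as tainted for later lines.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=).*" + SUPERGLOBAL_RE)

# Captures the argument text of an unserialize( ... ) call up to the first ')'.
UNSER_RE = re.compile(r"\bunserialize\s*\(\s*([^)]*)\)")


def find_tainted_unserialize(php_source: str):
    """Return [(line_number, reason, source_line), ...] for risky unserialize() calls."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        # Record variables assigned from request data before inspecting this line's calls,
        # so a same-line "$x = unserialize($_COOKIE[...])" is still caught by the direct rule.
        for m in ASSIGN_RE.finditer(line):
            tainted.add(m.group(1))
        call = UNSER_RE.search(line)
        if not call:
            continue
        arg = call.group(1)
        if re.search(SUPERGLOBAL_RE, arg):
            findings.append((lineno, "request data passed straight to unserialize()", line.strip()))
            continue
        for var in tainted:
            if re.search(re.escape(var) + r"\b", arg):
                findings.append((lineno, f"{var} was assigned from request data", line.strip()))
                break
    return findings


# Constructed PHP sample: two risky calls (lines 2 and 4), one call on a local file (line 5).
SAMPLE_PHP = """<?php
$cart = unserialize($_COOKIE['cart']);
$raw = $_POST['profile'];
$profile = unserialize(base64_decode($raw));
$state = unserialize(file_get_contents('/var/app/state.ser'));
$n = strlen($_GET['q']);
"""


if __name__ == "__main__":
    for lineno, reason, text in find_tainted_unserialize(SAMPLE_PHP):
        print(f"line {lineno}: {reason}\n    {text}")
```

Run it over a real tree with something like `find . -name '*.php' -exec python audit.py {} +` after adding file reading; the point is that the one-hop taint rule catches the `base64_decode($raw)` pattern that a plain grep for `unserialize($_` misses.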

Friday, March 16, 2007

Cisco XSS

From Cisco's Security Responses blog:

A cross-site scripting (XSS) vulnerability in the online help system distributed with several Cisco products has been independently reported to Cisco by Erwin Paternotte from Fox-IT and by Cassio Goldschmidt. The vulnerability would allow an attacker to execute arbitrary scripting code in a user's web browser if the attacker is successful in enticing the user to follow a specially crafted, malicious URL.

We recommend that you avoid clicking links in e-mails and instead navigate manually to the referred website. I know this is a hardship and an annoyance, but threat trends lately lean heavily towards a combination of social engineering and malicious URLs. It's very possible for a malicious person to send you an e-mail purporting to be from Cisco or Amazon or Paypal with the sole purpose of getting you to click a link that will allow the attacker to steal your personal data or install malicious software on your computer.

Thursday, March 15, 2007

Core Security Team finds bug in OpenBSD

OpenBSD is considered one of the most secure operating systems because of the approach taken to writing it: every bit of code is audited before it is released. This is only the second severe bug in the history of OpenBSD, but it is a big deal. The Core Security team educated the OpenBSD team on how crashes in the kernel can be exploited.

Basically, the OpenBSD team insisted that the worst that could happen was that the system would crash. The Core team insisted that they shouldn't make that assumption, then took up the challenge and worked up a proof-of-concept exploit.

Here's the summary: a malformed IPv6 packet can be sent to an OpenBSD system causing arbitrary code to run on that system.

The fix: disallow IPv6 traffic using a firewall in front of the OpenBSD system or the firewall rules on the system itself. And better than either of those solutions is to update your kernel, which requires applying a patch.

In my opinion, IPv6 implementations on all operating systems have not undergone the kind of testing that IPv4 implementations have and are therefore a security risk. If you don't specifically use IPv6, you should seriously consider blocking it at your firewall.

Sunday, March 11, 2007

TCL Episode 4 - March 11th, 2007

The fourth episode of Threat Center Live is now online. You can subscribe to the feed via iTunes or via your favorite podcatching software, or you can listen to this episode directly using the link at the bottom of this post.

This episode covers the following threats and security news:

Daylight Savings Time problems, Wordpress, Apple Quicktime, Microsoft Patch Tuesday, Microsoft OneCare, GnuPG, Kaspersky, and PHP.


Thursday, March 8, 2007

March Patch Tuesday Magic

*Poof*! MS Patch Tuesday has disappeared. Microsoft's security response center blog has this to say:


This is Christopher Budd and it’s the Thursday before the Second Tuesday for March 2007.

As we do each month at this time, we’ve posted our Advance Notification for the upcoming security bulletin release.

For the month of March 2007, we will not be releasing any new security updates on March 13, 2007.

I'm flabbergasted. Perhaps they should look again at the SANS list of unpatched vulnerabilities or the eEye zero-day tracker. There are bugs that need fixing, folks, and hackers aren't taking the month off.

[Note: the original title of this post was mistakenly "April Patch Tuesday Magic."]

Wednesday, March 7, 2007

Dangers of Microsoft OneCare

It's been a bad week for Microsoft (if only I had a nickel for every time I've said that) OneCare. OneCare is Microsoft's antivirus product, and it's been hit with two high-profile pieces of bad news. First, in a recent roundup of antivirus software, Microsoft scored the lowest overall with a detection rate of only 82% of the tested malware. For comparison, here's a sampling of some of the other big names and their detection percentages:
  • AVK: 99%
  • Avira: 98%
  • Kaspersky: 97%
  • F-Secure: 97%
  • AVG: 96%
  • Symantec: 96%
  • Norman: 93%
  • McAfee: 91%

A short time ago OneCare was embarrassed when the VirusBulletin group refused to certify it.

And now PC Magazine is reporting this:

If you get a virus in an email message received by Outlook, OneCare's next virus sweep may quarantine or delete your entire email store. If you receive a virus via Outlook Express OneCare may quarantine or delete the entire folder containing the virus.


Make sure you have a good gateway antivirus solution and are only using OneCare as part of a suite of antivirus tools.

[Note from the sponsor: eSoft's Gateway Antivirus Softpak and Desktop Antivirus together provide businesses full antivirus protection.]

Tuesday, March 6, 2007

Podcast Beginnings - TCL 3/2/07

Threat Center Live was launched as a video podcast. We haven't released any videos yet (we're getting there), but today we're going to start with the audio podcasts. The March 2nd podcast is attached to this post. It's a 5 minute update on the latest threats that should concern network administrators and power users. Actually, they should concern everybody, but I think we can realistically assume that your average computer user's eyes will glaze over when you tell them there's a new Oracle exploit making the rounds.

Here's the summary of this episode: Solaris worm, MS Office vulnerabilities, Security Software Gone Wild (Trend Micro, Microsoft, Cisco, Sourcefire, Secunia, Symantec, and Kaspersky), Oracle, Firefox, Internet Explorer, and a new storm worm variant.

You can subscribe to the podcasts via iTunes or using a feedburner link on the right side of the blog.


QuickTime Security Fixes

Apple has released updates to its QuickTime software that include security fixes for both the Windows and Mac versions. We consider this critical as the number of people running QuickTime software is large. Here's a summary of the issues (full details can be found on Apple's site):

  • Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution (OS: Windows Vista/XP/2000)

  • Viewing a maliciously-crafted MIDI file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

  • Viewing a maliciously-crafted Quicktime movie file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

  • Viewing a maliciously-crafted PICT file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

  • Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

Monday, March 5, 2007


Yet Another Paypal Phishing Attempt.

Paypal continues to be the darling of phishers with another phishing attempt released today worth reporting on. Phishtank's February stats show 2,511 phishing attempts against paypal in the month of February... making it the most targeted website of February. Other top targets include eBay, Bank of America, Fifth Third Bank, and Barclays Bank.

This attempt appears to pass login credentials through the phishing site to paypal and to accurately report successful and failed logins. The site also does a good job of looking like Paypal.

The e-mail subject is "PayPal Account Possible Fraud - Notification." It goes on to say, "You have received this email because your account has been used from different locations by you or someone else." It also says, "we require you to confirm your banking details." (Emphasis added; this is where you should be suspecting funny business.) Finally it warns that the user has 48 hours to follow up or their account will be suspended. Here's an image of the original mail:

As always, use extreme skepticism whenever being asked for account information of any kind.

Sunday, March 4, 2007

New Warezov Virus

F-Secure is reporting a new Warezov variant that spreads with a clever bit of social engineering. Here's an excerpt from the e-mail being sent:

Our robot has fixed an abnormal activity from your IP address on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have patches at the moment. We recommend you to install a firewall module and it will stop e-mail sending. Otherwise your account will be blocked until you do not eliminate malfunction.

If you receive an e-mail like this, do not open the attachment. Get the full details from the F-Secure blog.

Wordpress Backdoored

Version 2.1.1 of Wordpress has been backdoored. That is to say, a hacker got into a server and modified some files to give themselves full access to any web server running that version of Wordpress. Check to see if you're running 2.1.1 and, if you are, upgrade to 2.1.2 right away. For more information, see the full disclosure at

[Note from the sponsor: eSoft's Intrusion Prevention Softpak protects users from the hacked version of Wordpress.]

Thursday, March 1, 2007

Solaris Telnet Worm

A couple of weeks ago in our first blog post we mentioned a vulnerability in Sun's telnet service that would easily allow a hacker to gain full control of a system running an unpatched version of telnet. A couple of days ago we were made aware of a worm exploiting this vulnerability. We're not worried for the following reasons:

1) We expect the number of people still running publicly available telnet servers to be quite low. And the number of people running publicly available telnet servers on the Solaris platform even lower.

2) Solaris administrators tend to be more aware of security patches than your typical Windows user, so with two weeks between Sun's patch release and the worm, we expect most vulnerable systems are updated.

3) Most IPS systems should have signatures for the exploit by now.

The media has gotten wind of the story and is starting to make some noise about the big bad worm. So far it seems to be pretty harmless. The chart comes from a service that collects firewall logs from about 20,000 firewalls around the world, crunches the data, and plots charts that are pretty interesting. Port 23 is the telnet service, and this is the chart for it as of this morning:

As you can see, the number of target machines (machines that have been scanned for an open telnet service) has increased quite a lot, but the number of source machines (machines attempting the scans and possibly infected with a worm) has held steady at about 500 per day, with the exception of a quick spike right after the vulnerability was announced and before the worm (or worms) hit the scene.
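The two numbers the chart tracks, distinct scanning sources and distinct scanned targets per day on port 23, are easy to reproduce from your own firewall logs, which is how you tell a worm outbreak (sources climbing) from a handful of scanners sweeping more address space (targets climbing, sources flat). The following is an added example written for this post, not code from the page or from the log-collection service it refers to: it parses a constructed set of syslog-style firewall drop lines (the record layout is an assumption) and returns per-day counts of unique sources and targets for a given destination port.

```python
import re
from collections import defaultdict

# Assumed record layout, e.g.
# "Mar  1 00:14:09 fw1 kernel: DROP src=203.0.113.5 dst=198.51.100.7 proto=TCP dport=23"
LINE_RE = re.compile(
    r"^(?P<day>[A-Z][a-z]{2}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: DROP "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=TCP dport=(?P<dport>\d+)"
)


def scan_summary(lines, port=23):
    """Map each day (first-seen order) to (distinct sources, distinct targets) for `port`.

    Only DROP records count: a scanner that was accepted is a different problem,
    and lines that do not parse are skipped rather than guessed at.
    """
    sources = defaultdict(set)
    targets = defaultdict(set)
    order = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        day = m["day"]
        if day not in sources:
            order.append(day)
        sources[day].add(m["src"])
        targets[day].add(m["dst"])
    return {day: (len(sources[day]), len(targets[day])) for day in order}


def sources_steady(summary, tolerance=1):
    """True if the daily distinct-source count never moves by more than `tolerance`.

    A flat source count alongside rising target counts matches the post's reading
    of the chart: existing scanners widening their sweep, not new infections.
    """
    counts = [src for src, _ in summary.values()]
    return all(abs(a - b) <= tolerance for a, b in zip(counts, counts[1:]))


# Constructed sample: the same two scanners on both days, sweeping more targets on Mar 1.
# One port-22 record, one ACCEPT record and one junk line are present to be ignored.
SAMPLE_LOG = [
    "Feb 27 08:12:01 fw1 kernel: DROP src=203.0.113.5 dst=198.51.100.7 proto=TCP dport=23",
    "Feb 27 09:30:44 fw1 kernel: DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=23",
    "Feb 27 11:02:13 fw1 kernel: DROP src=203.0.113.77 dst=198.51.100.7 proto=TCP dport=23",
    "Feb 27 11:05:00 fw1 kernel: DROP src=203.0.113.77 dst=198.51.100.7 proto=TCP dport=22",
    "Mar  1 00:14:09 fw1 kernel: DROP src=203.0.113.5 dst=198.51.100.7 proto=TCP dport=23",
    "Mar  1 00:14:10 fw1 kernel: DROP src=203.0.113.5 dst=198.51.100.8 proto=TCP dport=23",
    "Mar  1 00:14:11 fw1 kernel: DROP src=203.0.113.5 dst=198.51.100.9 proto=TCP dport=23",
    "Mar  1 03:40:52 fw1 kernel: DROP src=203.0.113.77 dst=198.51.100.10 proto=TCP dport=23",
    "Mar  1 03:41:00 fw1 kernel: ACCEPT src=203.0.113.77 dst=198.51.100.10 proto=TCP dport=23",
    "this line is not a firewall record",
]


if __name__ == "__main__":
    summary = scan_summary(SAMPLE_LOG)
    for day, (src, dst) in summary.items():
        print(f"{day}: {src} sources, {dst} targets on tcp/23")
    print("source count steady:", sources_steady(summary))
```

On the constructed data the source count stays at 2 while targets go from 2 to 4, the same shape the post describes; a real worm would show the source count jumping day over day.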

But just in case we're wrong and one of these worms takes off, we'll repeat ourselves: firewall port 23, disable the telnet service (use ssh instead), and patch your machines.

[Note from the sponsor: eSoft's Intrusion Prevention Softpak has protected customers from the Solaris telnet exploit since the announcement of the exploit.]