
Tuesday, October 9, 2007

October Patch Tuesday

Microsoft announced there would be 7 advisories on this Patch Tuesday, but we only got 6. It makes you wonder what they held back and why.

That aside, there are a couple of things to know about today's advisories and patches. Here's the breakdown:

  • MS07-055 -- Vulnerability in Kodak Image Viewer Could Allow Remote Code Execution

    The first thing I thought when seeing this is, "how many people have the Kodak Image Viewer installed?" It turns out, a lot. It was installed on all Windows 2000 machines and is still installed on Windows XP machines that were upgraded from Windows 2000.

    This vulnerability is very similar to other extremely critical image handling vulnerabilities that have wreaked havoc on Windows systems lately. Simply browsing to a folder containing a malicious image on a vulnerable machine is enough for the image to execute code on your system, so this impacts anything that displays images, from Windows Explorer thumbnails and previews to Internet Explorer and Outlook.

    Microsoft does mention that if you have installed Office 2003, the Kodak Image Viewer may have been replaced by a different image viewer.

    This is a potentially extremely serious vulnerability, but at this time the details for how to exploit it are almost non-existent and there are no exploits in the wild.

  • MS07-056 -- Security Update for Outlook Express and Windows Mail

    This relates to how a URL that starts with nntp:// can be used to point a user to a malicious news server (potentially without user interaction if the URL is used as an image source) that overflows memory and potentially executes arbitrary code.

    The malicious news server must be custom and has to know how to overflow the handler. There are no examples and no exploits in the wild, but there's enough information for someone to create an exploit without undue difficulty. This is definitely a critical issue.

  • MS07-057 -- Cumulative Security Update for Internet Explorer

    This is actually three separate vulnerabilities in JavaScript on Internet Explorer from version 5 through 7. All Windows operating systems including Vista are affected. Two of the vulnerabilities use JavaScript tricks to make a person think they've navigated to a particular website when in fact they haven't. This could be exploited by phishers to trick people into thinking they're legitimately at their bank's website (or paypal, or ebay, etc.). There are several publicly available demonstrations showing how to exploit this. Patch immediately.

    The other issue in this update is a heap overflow caused when a script starts several download attempts of the same file and then frees the memory for those download attempts.

    To alleviate both of these issues, consider using Firefox instead of Internet Explorer, and consider trying the NoScript extension for Firefox.

  • MS07-058 -- Vulnerability in RPC Could Allow Denial of Service

    This vulnerability reminds me a bit of the old ping of death. A specially crafted Windows file-sharing authentication message will cause a computer to spontaneously reboot. Microsoft recommends that people firewall UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593. If you have a gateway firewall, it should block these ports by default. If not, you should strongly consider installing a personal firewall such as ZoneAlarm.

  • MS07-059 -- Vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007 Could Result in Elevation of Privilege Within the SharePoint Site

    If you use SharePoint, you should be aware that an authenticated user could increase their privileges through a cross-site scripting (XSS) vulnerability. We don't view this as a critical vulnerability.

  • MS07-060 -- Vulnerability in Microsoft Word Could Allow Remote Code Execution

    This incorporates 4 separate vulnerabilities in Word for Windows and for Mac that could be exploited by a malicious Word document. The most serious of these issues is a recurrence of an older vulnerability that most security products have some degree of protection for already.



For the moment, the risks are not terribly high, except for potentially harder to detect phishing attacks. However, exploits for the other vulnerabilities could appear at any time, so users are encouraged to update their systems as soon as possible.

Tuesday, September 11, 2007

September Patch Tuesday relatively minor

Today's Microsoft Patch Tuesday is one of the mildest in memory (excluding the month that Microsoft skipped Patch Tuesday altogether, despite a number of exploits and known vulnerabilities). Of the four vulnerabilities, the MSN Messenger vulnerability is, in our view, the most serious. Microsoft has only rated it as Important because not all versions of MSN Messenger are vulnerable and because users are prompted to upgrade their client when they log on to the MSN Messenger network. Here's the breakdown of each vulnerability:

  • MS07-051 -- Vulnerability in Microsoft Agent Could Allow Remote Code Execution

    This was the only patch today that Microsoft rated as Critical. Microsoft Agent is the same technology as the Microsoft Office paper clip that used to annoy you. Microsoft touts it as a way to spice up web pages with interactive personalities. However, this is not the first vulnerability in Microsoft Agent, and those who visit web pages that use the agent may be at risk. Microsoft recommends disabling the agent by setting the kill bit on the following CLSIDs:
    • D45FD31B-5C6E-11D1-9EC1-00C04FD7081F
    • F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5
    • 4BAC124B-78C8-11D1-B9A8-00C04FD97575
    • D45FD31D-5C6E-11D1-9EC1-00C04FD7081F
    • D45FD31E-5C6E-11D1-9EC1-00C04FD7081F

  • MS07-052 -- Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution

    This vulnerability is rated Important by Microsoft. Only those with Visual Studio are at risk of exploitation of this flaw. If you aren't using Crystal Reports, Microsoft recommends you uninstall it to minimize your exposure to this flaw.

  • MS07-053 -- Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege

    This is rated Important by Microsoft. Any computer from Windows 2000 through Windows Server 2003 that runs Windows Services for UNIX is susceptible to a local privilege escalation. As this is not remotely exploitable, the eSoft Threat Prevention Team has not analyzed it in depth.

  • MS07-054 -- Vulnerability in MSN Messenger and Windows Live Messenger Could Allow Remote Code Execution

    This vulnerability is a bit more severe than Microsoft would like you to believe. They have rated this vulnerability as Important, but the eSoft Threat Prevention Team believes it ranks as Critical.

    MSN Messenger 6.2, 7.0, 7.5 and Windows Live Messenger 8.0 are all vulnerable. Detailed instructions on exploiting this vulnerability have been released. In order for an attacker to exploit the vulnerability, they must convince their target to accept either a webcam or video chat invitation. If you disable webcam and video chats in MSN Messenger, you are not vulnerable.

    The good news with this one is that Windows Live Messenger 8.1, released in January of this year, and users of MSN Messenger 7.0.0820, released "recently" are already protected from this vulnerability. Also, users of Microsoft's messenger products should be prompted to upgrade when they log in to their accounts.

    Microsoft recommends blocking Microsoft Messenger traffic until all machines on your network are updated with the latest version of Messenger.



As usual, patch your systems as soon as you can.

Note from the sponsor: eSoft's Intrusion Prevention Softpak can be configured to block all MSN traffic at the gateway. It also blocks websites that use Microsoft Agent as a precaution against the many vulnerabilities in that software.

Thursday, July 12, 2007

Patch Tuesday and Browser 0-days

After a small pause, Threat Center Live is back. We've been very busy at Threat Center building up our honeypots, honeymonkeys, and other systems for finding live malware and exploits in the wild. We've also been busy tracking down and writing signatures for a variety of vulnerabilities. Here's a rundown of the latest news:

The first (as far as I am aware) cross-*browser* exploit has been discovered. It affects Windows machines with both Internet Explorer and Firefox installed and uses a trick to cause Internet Explorer (and presumably Outlook, Outlook Express, and other programs that use the same engine as IE) to launch Firefox and pass arbitrary JavaScript code to it in a trusted context -- meaning that applications can be launched without any user interaction. There are some good demonstrations of the exploit here and here, and with these examples I think we can expect malicious exploits as early as today. Note that this is a vulnerability in Firefox, but it can only be exploited if someone is using IE despite having Firefox installed.

Next in the security roundup from the last couple of days is Microsoft's July Patch Tuesday. This is the first Patch Tuesday in quite a while with no fixes for Internet Explorer, Outlook, or Outlook Express. However, the series of patches for Microsoft Office products remains uninterrupted. Here's the breakdown of what you need to know:

  • MS07-036 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

    3 vulnerabilities in Excel can allow a malicious Excel file to execute arbitrary code. Although no proof-of-concept exploits have been released to the public, the eSoft Threat Prevention Team was able to reconstruct an exploit from the information in Microsoft's advisory. We believe this is a serious threat. As always, do not open unsolicited file attachments and keep your antivirus signatures up-to-date. eSoft products have zero day protection for this vulnerability when and if exploits start to circulate.

  • MS07-037 -- Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution

    Malformed Microsoft Publisher files opened with Publisher 2007 can cause arbitrary code to be executed on a host computer. We recommend blocking .pub files at the gateway to protect against this threat.

  • MS07-038 -- Vulnerability in Windows Vista Firewall Could Allow Information Disclosure

    It appears that this vulnerability could allow an attacker to see what services are running on a machine even if those services are firewalled. The vulnerability involves the encapsulation of IPv6 packets inside IPv4 packets (Teredo). A gateway firewall that does not understand the tunnel sees only legitimate-looking IPv4 traffic, so it cannot easily block the IPv6 traffic carried inside it. If you don't use IPv6, follow the directions in Microsoft's advisory to disable Teredo. They offer three different ways to block this traffic, the easiest of which is to use the Vista Firewall to block Teredo packets in and out of a machine.

  • MS07-039 -- Vulnerability in Windows Active Directory Could Allow Remote Code Execution

    Few organizations will allow LDAP access to their Active Directory service through the firewall, so this threat shouldn't be too large for most installations. However, there's always those organizations with non-standard setups and the insider threat. At this point we don't have enough information to give this a full analysis. No public exploits exist.

  • MS07-040 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution

    This is in fact three vulnerabilities. Most intrusion prevention systems should have protected against the null-byte vulnerability already in a more generic form. The other two vulnerabilities are a bit more ambiguous as to what programs are vulnerable and how they could be exploited. We're keeping a close eye on this one as a variety of applications use the .NET framework and this could impact many of them.

  • MS07-041 -- Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

    This is in fact a rehash of an older known vulnerability in IIS 5.1 on WinXP SP2. It was previously thought to be only a denial of service issue. Many intrusion prevention systems likely already catch attempts to exploit this vulnerability. The exploit is a specially crafted URL, but as the affected software is very outdated there are probably very few vulnerable installations and therefore a low likelihood of someone developing a working exploit that does more than denial of service.

As usual, follow best security practices and patch your systems as soon as possible.

Note from the sponsor: eSoft's Intrusion Prevention and Gateway AntiVirus Softpaks provide protection against all known exploits of the above vulnerabilities and, for some of the vulnerabilities, all theoretical exploit vectors.

Tuesday, May 8, 2007

Microsoft's May Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Of the announced issues, here are the ones you should be most concerned about:
  • MS07-024 and MS07-025 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

    Four vulnerabilities, affecting mostly Microsoft Word but also the other applications in the Office suite, could be used to compromise your computer if you open a malicious Office document. Important to note is that Microsoft Word Viewer and Microsoft Office on the Mac are also vulnerable. It almost goes without saying that you should never open Office documents from untrusted sources. And remember, those e-mail forwards from your good friend didn't start with your friend and should be looked at with just as much suspicion as if they came from a total stranger.

  • MS07-026 -- Vulnerabilities in Exchange Server Could Allow Remote Code Execution

    If you run Exchange Server to handle your mail, you need to update it now. There are four separate issues including two Denial of Service (specially crafted e-mail will cause the mail server service to hang or quit), one "information leakage" and one remote code execution.

    The first concern is the remote code execution. This vulnerability relates to malformed MIME-encoded attachments.

    We aren't aware of any exploits at this time and details are still scarce, but that could change very quickly.

    The second concern is the "information leakage." E-mails sent with attached HTML files can cause problems for people using Outlook Web Access -- Microsoft's web-based e-mail reader. Essentially, a malicious script could be run in a trusted context and used to steal login credentials, e-mails, and more. This is a cross-site scripting vulnerability and has been shown in similar cases to be a pretty serious breach of security even though it doesn't allow remote code execution.

  • MS07-027 and MS07-028 -- Internet Explorer Multiple (Six) Remote Code Execution Vulnerabilities

    This is the bread and butter of these Patch Tuesdays: Internet Explorer issues. And despite IE7's enhanced security, it is vulnerable to most of these issues as well. As usual, ActiveX objects are the culprit. Microsoft wanted to allow website designers to write full Windows applications and have them run inside Internet Explorer to create a "rich" web experience. Unfortunately, in doing this, Microsoft made a fundamental mistake: nearly every software component on a Windows system can be instantiated by a web site. This means that software that was never intended to run inside Internet Explorer can be, and in many of these cases there are exploitable bugs in that software.

    The usual way to deal with this is to explicitly disable specific ActiveX objects by using their "kill bits." Microsoft has a Knowledge Base article with instructions. Also, you can use the Group Policy Editor to set the kill bits on your entire domain. Here are the recommended "kills" from this batch of updates:

    CLSID                                 DLL           Comments
    D4FE6227-1288-11D0-9097-00AA004254A0  msdauth.dll   Windows Media component
    BE4191FB-59EF-4825-AEFC-109727951E42  chtskdic.dll
    17E3A1C3-EA8A-4970-AF29-7F54610B1D4C  CAPICOM       Provides encryption capabilities to programmers.
    FBAB033B-CDD0-4C5E-81AB-AEA575CD1338  CAPICOM


    Note that there are vulnerabilities being patched here that cannot be addressed by setting these kill bits, so your best bet is to upgrade as soon as possible. But still create policies in the Group Policy Editor in case an unpatched machine finds its way onto your network.

  • MS07-029 -- Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

    We first mentioned this flaw -- and the exploits circulating in the wild -- on April 13th. The flaw has received a lot of press, but isn't a concern for most people. Only Microsoft DNS servers exposed to the Internet without any kind of firewall on them or between them and the Internet are susceptible to an external attack. And if a worm taking advantage of this exploit got into a local network, it would likely not be able to compromise more than one machine. Despite that disclaimer, it's a serious bug that could allow someone to take full control of one of your servers, so this patch is here none too soon. For mitigation details, see the post referenced above.
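Both kill-bit lists on this page (the Microsoft Agent CLSIDs from MS07-051 in the September post, and the MS07-027/MS07-028 controls in the table above) can be applied and verified with the script below. This is an added example, not code from the original posts or from Microsoft's Knowledge Base article. It assumes an elevated PowerShell prompt on the machine being hardened and sets the standard Compatibility Flags value of 0x400 (the kill bit) under the ActiveX Compatibility key for each CLSID; the CLSIDs themselves are exactly the ones the two posts list.

```powershell
# Added example (not from the original posts): set and verify Internet Explorer
# kill bits for the CLSIDs named in the MS07-051 and MS07-027/MS07-028 write-ups.
# Run from an elevated PowerShell prompt. A kill bit is the 0x400 flag in
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}\Compatibility Flags

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit     = 0x400

# CLSIDs copied from the two posts; the comments say which advisory each came from.
$Clsids = @(
    # MS07-051, Microsoft Agent
    '{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}',
    '{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}',
    '{4BAC124B-78C8-11D1-B9A8-00C04FD97575}',
    '{D45FD31D-5C6E-11D1-9EC1-00C04FD7081F}',
    '{D45FD31E-5C6E-11D1-9EC1-00C04FD7081F}',
    # MS07-027 / MS07-028
    '{D4FE6227-1288-11D0-9097-00AA004254A0}',   # msdauth.dll, Windows Media component
    '{BE4191FB-59EF-4825-AEFC-109727951E42}',   # chtskdic.dll
    '{17E3A1C3-EA8A-4970-AF29-7F54610B1D4C}',   # CAPICOM
    '{FBAB033B-CDD0-4C5E-81AB-AEA575CD1338}'    # CAPICOM
)

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into any existing flags rather than overwriting them,
    # so other compatibility settings for the control survive.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

function Test-KillBit {
    # Returns $true only when the key exists and the 0x400 bit is present.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

foreach ($c in $Clsids) {
    Set-KillBit -Clsid $c
    $state = if (Test-KillBit -Clsid $c) { 'killed' } else { 'NOT SET' }
    Write-Output ('{0}  {1}' -f $c, $state)
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under SOFTWARE\Wow6432Node, so the root path has to be applied there as well. Test-KillBit is the piece worth keeping in a login script: it tells you whether a machine that wandered onto the network already has the bits set. As the post notes, kill bits only remove the attack surface of these particular controls; they do nothing for the other vulnerabilities in the cumulative update, so the patch is still required.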


Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And as always, make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from all known exploits of today's announced vulnerabilities.

Monday, April 23, 2007

Patched Apple Flaws and New QuickTime Flaw Impacts Windows and Mac

Apple's been in the crosshairs recently. Last week they released their fourth security update of the year fixing 25 separate security issues. Several of the fixes are related to file format flaws announced in the Month of Apple Bugs in January. Others allow local privilege escalation.

Possibly the most serious issue is with the RPC runtime (libinfo) library used by services such as NFS. Mu Security has provided some very specific details on the flaw and for machines that are running NFS, the information may be enough for an attacker to create an exploit.

Although we haven't seen any exploits for any of these vulnerabilities, all Mac users should update before exploits start hitting the 'net.

On a related note, security researcher Dino Dai Zovi won a $10,000 bounty when he found a flaw and wrote an exploit to hack into a fully patched Mac laptop. We now know that the flaw he found was actually in the QuickTime application and can be exploited in various browsers and on various operating systems, including both OS X and Windows. Exploitation of this flaw requires the user to browse to a malicious website. There is no fix for the flaw at this time, but disabling Java in your browser should protect you. If you don't regularly use Java applets when browsing websites (I can't remember the last time I came across a website that required one), you should go to your preferences or options and disable it right now.

Monday, April 16, 2007

Microsoft DNS Server Exploits Abound

Over the weekend a number of exploits turned up that make it easy to exploit the recently announced flaw in RPC found on Microsoft DNS Servers.

Those using best practices to firewall inbound connections to ports not explicitly needed should be protected. People who have Windows servers at colocation facilities or who use ISPs to host services where the ISPs don't have gateway firewalls setup are at risk.

Among the circulating exploits are an exploit module for Metasploit.

We're also beginning to see variants on established worms, in particular the Rinbot/Nirbot worm, taking advantage of this exploit. This behavior means that unprotected machines will likely be found soon, so please make sure you are following all of the suggestions in the Microsoft Advisory as well as following firewall best practices.


Note from the sponsor: the new worms are detected and stopped by the Gateway AntiVirus Softpak, while attempts to exploit the DNS RPC flaw are detected and stopped by the Intrusion Prevention Softpak. The InstaGate firewall is also instrumental in defending against this vulnerability.

Friday, April 13, 2007

New Microsoft DNS Server Exploit

There is an exploit in the wild, although not yet public, that takes advantage of a flaw in RPC on Windows DNS Server. Microsoft has issued a security advisory with some recommendations on how to protect your computers while waiting for a patch from Microsoft.

Here is a list of affected operating systems:

  • Windows 2000 Server Service Pack 4

  • Windows Server 2003 Service Pack 1

  • Windows Server 2003 Service Pack 2



The best advice from Microsoft on this issue at the moment is to disable the remote RPC management interface of the DNS server by changing a registry value. From Microsoft's advisory:

  1. On the start menu click 'Run' and then type 'Regedit' and then press enter.
  2. Navigate to the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

  3. On the 'Edit' menu select 'New' and then click 'DWORD Value'

  4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.

  5. Double click on the newly created value and change the value's data to '4' (without the quotes).

  6. Restart the DNS service for the change to take effect.
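The six steps above, scripted so they can be applied to several DNS servers and reverted once the patch is installed. This is an added example, not from Microsoft's advisory. It assumes an elevated PowerShell prompt on a Windows DNS server (service name DNS) and records the previous RpcProtocol value so it can be restored.

```powershell
# Added example (not from Microsoft's advisory): apply and later revert the
# RpcProtocol = 4 workaround for the Windows DNS Server RPC flaw.
# Run from an elevated PowerShell prompt on the DNS server itself.

$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Disable-DnsRpc {
    # RpcProtocol is a bit mask of allowed RPC transports for the DNS server
    # (1 = TCP/IP, 2 = named pipes, 4 = LPC). Setting it to 4 leaves only local
    # procedure calls, which removes the remote attack vector while waiting
    # for the patch. Returns the previous value ($null if it did not exist)
    # so the caller can undo the change.
    if (-not (Test-Path $DnsParams)) {
        throw "DNS Parameters key not found; is the DNS Server service installed?"
    }
    $previous = (Get-ItemProperty -Path $DnsParams -Name RpcProtocol -ErrorAction SilentlyContinue).RpcProtocol
    Set-ItemProperty -Path $DnsParams -Name RpcProtocol -Value 4 -Type DWord
    Restart-Service -Name DNS -Force      # the advisory's step 6
    return $previous
}

function Restore-DnsRpc {
    # $Previous is whatever Disable-DnsRpc returned; $null means the value
    # did not exist before, so remove it rather than writing 0.
    param($Previous)
    if ($null -eq $Previous) {
        Remove-ItemProperty -Path $DnsParams -Name RpcProtocol -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $DnsParams -Name RpcProtocol -Value $Previous -Type DWord
    }
    Restart-Service -Name DNS -Force
}

function Get-DnsRpcProtocol {
    # Quick check for an audit: 4 means the workaround is in place.
    (Get-ItemProperty -Path $DnsParams -Name RpcProtocol -ErrorAction SilentlyContinue).RpcProtocol
}

# Usage:
#   $saved = Disable-DnsRpc
#   Get-DnsRpcProtocol        # 4 while the workaround is active
#   Restore-DnsRpc $saved     # after MS07-029 is installed
```

The trade-off to know before rolling this out: with only LPC allowed, the DNS console and dnscmd no longer work against the server from another machine until the value is restored. Administration on the server itself is unaffected, and the DNS service keeps answering queries, since those use UDP/TCP 53 and not RPC.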



And you should make sure you are blocking all unsolicited traffic on ports over 1024. In fact, you should block all unsolicited incoming traffic period. Use personal firewalls on individual machines and gateway firewalls between your machines and the Internet.

Tuesday, April 10, 2007

Microsoft's April Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Today Microsoft released 5 advisories that impact all of their operating systems. Of highest concern are those that can be exploited remotely, and of these, there were three. Here's the summary:


  • MS07-018 -- Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution

    Microsoft's Content Management Server, which allows users to "quickly deploy scalable, reliable and dynamic personalized e-business web sites," can be compromised via a "crafted HTTP request." Users of MCMS are advised to make their sites Read Only until they apply the related patch.

  • MS07-019 -- Vulnerability in Universal Plug and Play Could Allow Remote Code Execution

    Universal Plug and Play is a technology intended to make it easy for computers and devices to interact with limited manual configuration. It's frequently used to configure port forwarding on routers, and peer-to-peer networking of PCs.

    This bug affects all versions of Microsoft Windows XP through Service Pack 2. The built-in firewall on XP SP2 will restrict attacks to the local network segment. A properly configured firewall between the vulnerable computer and the Internet will stop attacks exploiting this vulnerability. To make sure your firewall prevents these attacks, check your settings and see if UDP port 1900 and TCP port 2869 are blocked.

    Update: although Microsoft's advisory says only XP is affected, reports are coming in saying that Windows 2000 is affected as well.

  • MS07-020 -- Vulnerability in Microsoft Agent Could Allow Remote Code Execution

    Remember that annoying animated paper clip that used to show up when you opened a Microsoft Office document? That's Microsoft Agent, and it's still around. It can be used by any application or web site to provide an interactive question and answer dialog. Unfortunately, it can also be used by a malicious website to run arbitrary code on a user's system.

    Internet Explorer 7 is not affected. All operating systems with Internet Explorer 6 or below are vulnerable. To work around the vulnerability, disable Microsoft Agent by following the instructions in the advisory, or install the patch, or update to IE 7.

  • MS07-021 -- Vulnerabilities in CSRSS Could Allow Remote Code Execution

    CSRSS is the Windows Client/Server Run-time Subsystem (winsrv.dll). It's a core part of the operating system on all versions of Windows from 2000 through Vista. This vulnerability has had exploits in the wild since December 2006. Luckily, most of the exploits for this are local privilege escalation exploits, meaning that malicious software already running on a system can use this vulnerability to gain full control of it, but cannot use it to get onto the system in the first place. However, Microsoft says that there are remote exploitation vectors that are exploitable by malicious websites. Although more details on this attack vector are not yet public, it is likely that it won't be long before we see code that remotely exploits this vulnerability. We'll keep an eye out for this.

    Also in this advisory are another local privilege escalation and a denial of service involving the Client/Server Run-time subsystem.

  • It should be mentioned that the recent MS07-017 advisory (the ANI file format vulnerability) was supposed to be announced today, but was announced and released a week early due to widespread exploitation.


Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from remote exploitation of the vulnerabilities announced today.

Sunday, April 1, 2007

Raised ThreatLevel Due To Widespread 0-day ANI Exploit

The ANI vulnerability is going from serious to very serious. The Threat Center Threat Level has been raised and will remain raised until the threat subsides or official patches are available.

Variants on the ANI exploit are circulating very fast and already one worm has been detected that takes advantage of this exploit to infect web pages (.htm, .html, .aspx, .php, .jsp, etc.) and executable files.

There is no workaround for this vulnerability, but both the Zero-day Emergency Response Team (ZERT) and eEye Security have released unofficial patches that can be used to reduce the risk for machines while we wait for an official patch from Microsoft. Note that we have not tested these patches thoroughly and are not endorsing them.



Update: Microsoft's blog says that they plan to release an emergency patch to fix this vulnerability on Tuesday, April 3rd. Stay tuned.



Note from the sponsor: eSoft's Gateway Anti-Virus and Intrusion Prevention products protect customers from this vulnerability. However, laptops infected with a worm while not being protected by an eSoft Gateway could potentially infect the network. Please be sure to virus scan any laptop computers before allowing them to connect to your local network.

Thursday, March 29, 2007

Microsoft ANI Exploit Circulating

Microsoft's animated cursor files, which normally end with the extension .ANI, are being used to take over Microsoft Windows systems. The vulnerability was not known until it was found being actively exploited in the wild. It is being delivered via e-mail and websites, and simply previewing a message with an attached file or visiting a malicious or compromised website will cause arbitrary code to be run on the system.

This is extremely serious.

Other points to note:

  • The file does not have to have a .ANI extension. If the file has a .JPEG extension, the exploit still works, and several exploit implementations are already using this technique to bypass filters.

  • All versions of Windows from 95 through Vista and all versions of Internet Explorer, Outlook and Outlook Express are vulnerable.

  • Windows Explorer, when not in "classic" mode, will cause the code embedded in the ANI file to be run when you browse to the containing directory.

  • Putting a malicious ANI file on the desktop in Windows Vista reportedly causes the machine to enter an infinite crash and reboot cycle.
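Because the exploit works no matter what the file is called, a filter that keys on the .ANI extension will miss it. The function below is an added example, not from the original post and not eSoft's product code, that identifies animated-cursor files by content instead: an ANI file is a RIFF container whose form type is "ACON", and its fixed-size header chunk "anih" is 36 bytes. The flaw is a stack overflow triggered by an anih chunk that declares a larger size, so the function flags any anih chunk whose declared size is not 36, more than one anih chunk, or a chunk that runs past the end of the file. The RIFF/ACON layout and the 36-byte anih size are standard format facts; the paths in the usage comment are placeholders.

```powershell
# Added example (not from the original post): detect animated-cursor files by
# content regardless of extension, and flag the malformed anih header that the
# ANI exploit relies on. Works on any Windows PowerShell 3.0 or later.

function Test-AniFile {
    param([Parameter(Mandatory)][string]$Path)

    $b     = [System.IO.File]::ReadAllBytes($Path)
    $ascii = [System.Text.Encoding]::ASCII

    # Not a RIFF/ACON container at all: not an animated cursor, return nothing.
    if ($b.Length -lt 12)                          { return $null }
    if ($ascii.GetString($b, 0, 4) -ne 'RIFF')     { return $null }
    if ($ascii.GetString($b, 8, 4) -ne 'ACON')     { return $null }

    $result = [ordered]@{ Path = $Path; IsAni = $true; Suspicious = $false; Reasons = @() }
    $anihCount = 0
    $pos = 12                                      # first chunk follows the 12-byte RIFF header

    while ($pos + 8 -le $b.Length) {
        $id   = $ascii.GetString($b, $pos, 4)      # 4-byte chunk id
        $size = [System.BitConverter]::ToUInt32($b, $pos + 4)   # little-endian chunk size

        if ($id -eq 'anih') {
            $anihCount++
            if ($size -ne 36) {
                $result.Suspicious = $true
                $result.Reasons += "anih chunk #$anihCount declares $size bytes (expected 36)"
            }
        }

        # A declared size that runs past the end of the file is malformed on its own.
        if ($pos + 8 + $size -gt $b.Length) {
            $result.Suspicious = $true
            $result.Reasons += "chunk '$id' at offset $pos overruns the file"
            break
        }

        if ($id -eq 'LIST') {
            # LIST holds sub-chunks after a 4-byte list type; step inside it so an
            # anih placed within a list is inspected too (conservative choice).
            $pos = [int]($pos + 12)
        } else {
            # RIFF chunk data is padded to an even length.
            $pos = [int]($pos + 8 + $size + ($size % 2))
        }
    }

    if ($anihCount -gt 1) {
        $result.Suspicious = $true
        $result.Reasons += "$anihCount anih chunks present (a well-formed file has one)"
    }
    [pscustomobject]$result
}

# Usage (placeholder paths): scan a mail quarantine or browser cache by content.
#   Get-ChildItem C:\Quarantine -Recurse -File |
#       ForEach-Object { Test-AniFile $_.FullName } |
#       Where-Object Suspicious
```

Files that are not RIFF/ACON produce no output, so the pipeline above lists only animated cursors that look tampered with, whatever their extension. A single anih of 36 bytes followed by ordinary fram/icon chunks is normal and is reported with Suspicious set to $false.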


Note from the sponsor: Customers of eSoft's Gateway Antivirus are protected from this exploit.

Monday, March 26, 2007

Windows Meeting Space in Vista

From the National Vulnerability Database:

DFSR.exe in Windows Meeting Space in Microsoft Windows Vista remains available for remote connections on TCP port 5722 after Windows Meeting Space is closed, which allows remote attackers to have an unknown impact by connecting to this port.


In other words, if you're running Vista and using Meeting Space, use extreme caution. At this time, there are no known workarounds, but I expect firewalling TCP port 5722 when you aren't using Meeting Space would go a long way toward mitigating the problem.

Thursday, March 8, 2007

March Patch Tuesday Magic

*Poof*! MS Patch Tuesday has disappeared. Microsoft's security response center blog has this to say:

Hello,

This is Christopher Budd and it’s the Thursday before the Second Tuesday for March 2007.

As we do each month at this time, we’ve posted our Advance Notification for the upcoming security bulletin release.

For the month of March 2007, we will not be releasing any new security updates on March 13, 2007.

I'm flabbergasted. Perhaps they should look again at the SANS list of unpatched vulnerabilities or the eEye zero-day tracker. There are bugs that need fixing, folks, and hackers aren't taking the month off.

[Note: the original title of this post was mistakenly "April Patch Tuesday Magic."]

Wednesday, March 7, 2007

Dangers of Microsoft OneCare

It's been a bad week for Microsoft (if only I had a nickel for every time I've said that), or more precisely for Microsoft OneCare. OneCare is Microsoft's antivirus product and it's been hit with two high-profile pieces of bad news. First, in a recent roundup of antivirus software, Microsoft scored the lowest overall with a detection rate of only 82% of the tested malware. For comparison, here's a sampling of some of the other big names and their detection percentages:
  • AVK.......99%
  • Avira.......98%
  • Kaspersky.......97%
  • F-Secure.......97%
  • AVG.......96%
  • Symantec.......96%
  • Norman.......93%
  • Mcafee.......91%

A short time ago OneCare was embarrassed when the VirusBulletin group refused to certify it.

And now PC Magazine is reporting this:

If you get a virus in an email message received by Outlook, OneCare's next virus sweep may quarantine or delete your entire email store. If you receive a virus via Outlook Express OneCare may quarantine or delete the entire folder containing the virus.

Oops.

Make sure you have a good gateway antivirus solution and are only using OneCare as part of a suite of antivirus tools.

[Note from the sponsor: eSoft's Gateway Antivirus Softpak and Desktop Antivirus together provide businesses full antivirus protection.]

Tuesday, March 6, 2007

QuickTime Security Fixes

Apple has released updates to its QuickTime software that include security fixes for both the Windows and Mac versions. We consider this critical as the number of people running QuickTime software is large. Here's a summary of the issues (full details can be found on Apple's site):


  • Viewing a maliciously-crafted 3GP file may lead to an application crash or arbitrary code execution (OS: Windows Vista/XP/2000)

  • Viewing a maliciously-crafted MIDI file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

  • Viewing a maliciously-crafted QuickTime movie file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

  • Viewing a maliciously-crafted PICT file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

  • Opening a maliciously-crafted QTIF file may lead to an application crash or arbitrary code execution (OS: Mac OS X and Windows Vista/XP/2000)

Thursday, February 22, 2007

Lowered ThreatLevel, New Word 0-day, and More Security Program Flaws

Just a quick note that eSoft has lowered the Threat Level back to normal after the expected exploits for flaws disclosed on last week's Patch Tuesday failed to materialize. If exploits appear, the Threat Level will be re-raised.

In other news, Microsoft is warning of a new flaw in Microsoft Word that is being exploited in the wild on a limited, targeted basis. Few details are available at this time, but it leaves us wondering how long until this flaw will be fixed. Microsoft's recent track record at fixing flaws in Word that have exploits in the wild is very, very bad with the average response time being around 2 months.

Finally, we continue to be amused by the discovery of flaws in programs that are intended to enhance security. Trend Micro's ServerProtect web interface has a very easily exploited authorization bypass vulnerability. An attacker would only need to supply a cookie with a special name to get access to the web interface. We recommend you block external access to TCP port 14942, the default port for ServerProtect.

Of less consequence is a local privilege escalation in Cisco's Secure Services 4.x, Security Agent (CSA) 5.x, and Trust Agent 1.x/2.x. Secure services? Apparently not. Better go update.

[Note from the sponsor: eSoft's Intrusion Prevention Softpak protects users from the flaw in Trend Micro's ServerProtect product.]

Tuesday, February 13, 2007

Network Security Nightmare Week

What a week for computer security! The eSoft Threat Level has been raised from low yellow to solid orange due to a number of threats of concern to network administrators that are considered extremely critical. Here's an overview of the major threats Threat Center is tracking:

First there's the telnet vulnerability in Solaris 10 and 11. At the moment this is an unpatched vulnerability that will allow anyone to telnet into a Solaris system as root without any kind of authentication. Even scarier, the exploit doesn't require any special tools; it can be accomplished with a standard telnet client. If you're running Solaris and have telnet enabled, turn on SSH, turn off telnet, and make sure it never starts up again. And while you're at it, block incoming TCP port 23 at your firewall to stop all telnet traffic.

It always gets our attention when security products meant to protect you put you at risk. This week we've had a trifecta of these issues. Early in the week we became aware of a vulnerability in Trend Micro's antivirus engine where scanning a malicious UPX-encoded executable file could compromise a system. Now we learn that Microsoft's antivirus engine has its own vulnerability where a malicious PDF file being scanned could compromise a system. Successful exploits of either vulnerability would give the attacker Administrator privileges. Finally, Cisco IOS IPS has a series of issues that could allow a hacker to take down your IPS box. This is the most recent in a series of Cisco issues that, luckily, we still haven't seen public exploits for. Don't hold your breath though.

Today is Patch Tuesday and in addition to announcing the antivirus scanner bug above, Microsoft has fixed a number of known vulnerabilities, and several unknown ones. The best news is that the growing handful of Microsoft Office vulnerabilities with exploits in the wild have finally been fixed. We've been waiting months for these fixes. Unfortunately, we have new things to worry about.

First, let's talk about Internet Explorer. The HTML Help ActiveX control has a fresh vulnerability. This isn't the first time Microsoft has recommended disabling the HTML Help ActiveX control in Internet Explorer due to security problems and if you didn't do it last time, you might want to do it this time. If you have a group policy editor, you can disable it on a bunch of machines. If you have an Intrusion Prevention System, check to see if there are rules to detect and stop this ActiveX component.

Microsoft Data Access Components in Internet Explorer also have a fresh vulnerability. Like the HTML Help ActiveX control, I'm having deja vu on this one. You'll have to think a little bit longer before deciding to block due to its widespread use in rich content internet applications, but if you can't enforce an immediate update of all of your site's computers, then block it and worry about consequences later. Better to have some annoyed users because of your policy than because their computer is mysteriously slow due to its raging malware infection.

Finally, we have one of the scariest batches of ActiveX Internet Explorer bugs I've ever seen. There are two "COM Object Instantiation" vulnerabilities that will allow an attacker to exploit any ActiveX object (DLL, OCX, etc.) that wasn't specifically intended to be used in Internet Explorer. And because these vulnerabilities were reported to Microsoft by H.D. Moore, founder of the Metasploit project, we expect proof-of-concept exploits to be published any time now. For some reason that I don't quite understand, Microsoft is recommending the blocking of a handful of ActiveX objects in particular. Apparently these are especially susceptible to the exploit. To find the CLSIDs to block, dig into the FAQ section of the MS07-016 security bulletin.

Microsoft released three separate patches for issues involving MFC (a framework for developers used in many Windows applications), OLE (object linking and embedding -- have you ever put an Excel document in the middle of a Word document? that's OLE), and RichEdit. Although it sounds like it may have wider implications, Microsoft is currently telling us that the attack vectors for these problems all center around RTF files with embedded content. Go pester your antivirus vendor and see if they'll add support for blocking RTF files with embedded content. And while you're at it, you may want to start blocking RTF files at your mail gateway.

Of the Patch Tuesday vulnerabilities, I've saved the scariest for last. MS07-016 also fixes a problem where a malicious FTP server could compromise a computer. Now, on the face of it, this doesn't sound too bad, but consider that almost every Windows application that accesses files via FTP uses the wininet library to do it, and this is the library with the vulnerability. Now consider the fact that Outlook and Outlook Express will automatically fetch files off of an FTP server if an e-mail references them. If an HTML e-mail is spammed out and it has HTML like `<img src="ftp://badserver/somefile.gif" />` in it, then badserver can take control of the computer. Microsoft recommends that you only view e-mails as text until you've patched your system. The good news is that there isn't a public exploit available at this time. The bad news is that this affects all versions of Internet Explorer from 5 through 7, Outlook, Outlook Express, and all versions of Windows. And exploits will be here soon. The guys at iDefense who discovered this in May of 2006 have given enough details for people to figure it out.
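To make the two mail-gateway recommendations above concrete (flagging RTF attachments that carry embedded objects, and flagging HTML bodies that reference ftp:// resources a client would auto-fetch through wininet), here is an added example filter. It is not eSoft's or Microsoft's code; the sample HTML and RTF inputs are constructed for the demonstration, and the idea of checking every auto-fetched attribute rather than just img src is my generalization.

```python
"""Gateway checks for the two Patch Tuesday mail vectors: ftp:// references
in HTML bodies and embedded objects in RTF attachments (added example)."""
import re
from html.parser import HTMLParser

# Attributes a mail client may fetch without the user clicking anything.
# Any ftp:// value here would be retrieved through the vulnerable wininet path.
AUTO_FETCH_ATTRS = {"src", "background", "href", "data"}


class FtpRefFinder(HTMLParser):
    """Collect (tag, url) pairs whose auto-fetched attribute points at ftp://."""

    def __init__(self):
        super().__init__()
        self.ftp_refs = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <img ... /> also arrive here.
        for name, value in attrs:
            if value is None or name.lower() not in AUTO_FETCH_ATTRS:
                continue
            url = value.strip()
            if url.lower().startswith("ftp://"):
                self.ftp_refs.append((tag.lower(), url))


def find_ftp_references(html):
    """Return every ftp:// auto-fetch reference found in an HTML mail body."""
    parser = FtpRefFinder()
    parser.feed(html)
    parser.close()
    return parser.ftp_refs


# RTF control words that introduce an embedded (OLE) object.
RTF_OBJECT_WORDS = re.compile(rb"\\(object|objemb|objdata|objclass)\b")


def rtf_has_embedded_object(data):
    """True when an RTF attachment carries embedded-object control words."""
    return data.startswith(b"{\\rtf") and RTF_OBJECT_WORDS.search(data) is not None


# Constructed sample inputs (not real mail traffic).
HTML_BAD = '<html><body>Invoice<img src="ftp://badserver/somefile.gif" /></body></html>'
HTML_OK = '<html><body>Invoice<img src="http://example.invalid/logo.gif" /></body></html>'
RTF_BAD = b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata 01050000}}\\par}"
RTF_OK = b"{\\rtf1\\ansi Quarterly numbers attached.\\par}"

if __name__ == "__main__":
    print(find_ftp_references(HTML_BAD), find_ftp_references(HTML_OK))
    print(rtf_has_embedded_object(RTF_BAD), rtf_has_embedded_object(RTF_OK))
```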

This is my first post to the ThreatCenter Live blog and it's far longer than I expect the average post to be, but we've got quite a lot of news to share. The eSoft Threat Level will remain at its elevated position for a few days to raise awareness of these issues. Assuming no exploits start hitting and being widely used in the next few days (which very well may happen with the FTP vulnerability in particular), we will lower the threat level back down.

[Note from the sponsor: eSoft's Intrusion Prevention, Gateway AntiVirus, and Gateway AntiSpyware Softpaks together protect users from all of the above mentioned vulnerabilities except for the Cisco IOS IPS issue.]