Tuesday, July 17, 2007

Threat Level Raised

We're raising the threat level in response to the Adobe vulnerability. At this point, the Threat Level is in a cautionary area. We'll raise it again if we start seeing widespread exploitation.

Adobe Flash Browser Plugin High Risk Vulnerability

Yesterday, Adobe announced a vulnerability in its Flash Player that could be exploited to run arbitrary code. This vulnerability is cross-browser and cross-platform, and the vulnerable software is installed by default on all recent copies of Windows and OS X.

All users who allow flash content in their browsers are at risk.

This morning we saw the first proof-of-concept exploit, which we fully expect to be the tip of the iceberg. It's likely that we'll see mass exploitation in the next few days.

To protect yourself, the best thing to do is to upgrade your Flash plugin to 9.0.47.0 or later. If you use Firefox, the NoScript plugin will prevent Flash content from running unless you specifically trust the source or grant it temporary permission. NoScript can be annoying, but it's an extremely valuable tool in combating malicious websites.

And, of course, make sure you're running gateway and desktop antivirus and intrusion prevention products that are up-to-date.

We'll keep you posted as we see more.

Note from the sponsor: eSoft's Gateway AntiVirus and Intrusion Prevention Softpaks provide full protection for this vulnerability and provided that protection starting shortly after the announcement of the vulnerability and well before any exploits became public.

Thursday, July 12, 2007

Patch Tuesday and Browser 0-days

After a small pause, Threat Center Live is back. We've been very busy at Threat Center building up our honeypots, honeymonkeys, and other systems for finding live malware and exploits in the wild. We've also been busy tracking down and writing signatures for a variety of vulnerabilities. Here's a rundown of the latest news:

The first (as far as I am aware) cross *browser* exploit has been discovered. It affects Windows machines with both Internet Explorer and Firefox installed and uses a trick to cause Internet Explorer (and presumably Outlook, Outlook Express, and other programs that use the same engine as IE) to launch Firefox and pass arbitrary JavaScript code to it in a trusted context -- meaning that applications can be launched without any user interaction. There are some good demonstrations of the exploit here and here, and with these examples I think we can expect malicious exploits as early as today. Note that this is a vulnerability with Firefox, but it can only be exploited if someone is using IE despite having Firefox installed.

Next in the security roundup from the last couple of days is Microsoft's July Patch Tuesday. This is the first Patch Tuesday in quite a while in which there were no fixes for Internet Explorer, Outlook, or Outlook Express. However, our series of patches for Microsoft Office products remains uninterrupted. Here's the breakdown of what you need to know:

  • MS07-036 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

    3 vulnerabilities in Excel can allow a malicious Excel file to execute arbitrary code. Although no proof-of-concept exploits have been released to the public, the eSoft Threat Prevention Team was able to reconstruct an exploit from the information in Microsoft's advisory. We believe this is a serious threat. As always, do not open unsolicited file attachments and keep your antivirus signatures up-to-date. eSoft products have zero day protection for this vulnerability when and if exploits start to circulate.

  • MS07-037 -- Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution

    Malformed Microsoft Publisher files opened with Publisher 2007 can cause arbitrary code to be executed on a host computer. We recommend blocking .pub files at the gateway to protect against this threat.

  • MS07-038 -- Vulnerability in Windows Vista Firewall Could Allow Information Disclosure

    It appears that this vulnerability could allow an attacker to see what services are running on a machine even if those services are firewalled. The vulnerability involves the encapsulation of IPv6 packets inside IPv4 packets. This kind of traffic cannot be blocked at the firewall as it is legitimate traffic. If you don't use IPv6, then you should follow the directions in Microsoft's advisory to disable Teredo. They offer three different ways to block this traffic, the easiest of which is to use the Vista Firewall to block Teredo packets in and out of a machine.

  • MS07-039 -- Vulnerability in Windows Active Directory Could Allow Remote Code Execution

    Few organizations will allow LDAP access to their Active Directory service through the firewall, so this threat shouldn't be too large for most installations. However, there are always those organizations with non-standard setups, and the insider threat. At this point we don't have enough information to give this a full analysis. No public exploits exist.

  • MS07-040 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution

    This is in fact three vulnerabilities. Most intrusion prevention systems should have protected against the null-byte vulnerability already in a more generic form. The other two vulnerabilities are a bit more ambiguous as to what programs are vulnerable and how they could be exploited. We're keeping a close eye on this one as a variety of applications use the .NET framework and this could impact many of them.

  • MS07-041 -- Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

    This is in fact a rehash of an older known vulnerability in IIS 5.1 on WinXP SP2. It was previously thought to be only a denial of service issue. Many intrusion prevention systems likely already catch attempts to exploit this vulnerability. The exploit is a specially crafted URL, but as the affected software is very outdated there are probably very few vulnerable installations and therefore a low likelihood of someone developing a working exploit that does more than denial of service.

As usual, follow best security practices and patch your systems as soon as possible.

Note from the sponsor: eSoft's Intrusion Prevention and Gateway AntiVirus Softpaks provide protection against all known exploits of the above vulnerabilities and, for some of the vulnerabilities, all theoretical exploit vectors.

Tuesday, May 8, 2007

Microsoft's May Patch Tuesday

Today is again Microsoft Patch Tuesday, the day on which Microsoft announces patches to a series of vulnerabilities and security researchers scramble to learn as much as possible about the vulnerabilities.

Of the announced issues, here are the ones you should be most concerned about:

  • MS07-024 and MS07-025 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

    4 vulnerabilities affecting mostly Microsoft Word, but also all other applications in the Office suite could be used to compromise your computer if you were to open a malicious Office document. Important to note is that Microsoft Word Viewer and Microsoft Office on the Mac are also vulnerable. It almost goes without saying that you should never open office documents from untrusted sources. And remember, those e-mail forwards from your good friend didn't start with your friend and should be looked at with just as much suspicion as if they came from a total stranger.

  • MS07-026 -- Vulnerabilities in Exchange Server Could Allow Remote Code Execution

    If you run Exchange Server to handle your mail, you need to update it now. There are four separate issues including two Denial of Service (specially crafted e-mail will cause the mail server service to hang or quit), one "information leakage" and one remote code execution.

    The first concern is the remote code execution. This vulnerability relates to malformed MIME-encoded attachments.

    We aren't aware of any exploits at this time and details are still scarce, but that could change very quickly.

    The second concern is the "information leakage." E-mails sent with attached HTML files can cause problems for people using Outlook Web Access -- Microsoft's web-based e-mail reader. Essentially, a malicious script could be run in a trusted context and used to steal login credentials, e-mails, and more. This is a cross-site scripting vulnerability and has been shown in similar cases to be a pretty serious breach of security even though it doesn't allow remote code execution.

  • MS07-027 and MS07-028 -- Internet Explorer Multiple (Six) Remote Code Execution Vulnerabilities

    This is the bread and butter of these Patch Tuesdays: Internet Explorer issues. And despite IE7's enhanced security, it is vulnerable to most of these issues as well. As usual, ActiveX objects are the culprit. Microsoft wanted to allow website designers to be able to write full Windows applications and have them run inside Internet Explorer to create a "rich" web experience. Unfortunately, in doing this, Microsoft made two mistakes: every software component on Microsoft systems can be accessed by a web site. This means that software that wasn't intended to be run in Internet Explorer can be and in many of these cases there are exploitable bugs in the software.

    The usual way to deal with this is to explicitly disable specific ActiveX objects by using their "kill bits." Microsoft has a Knowledge Base article with instructions. Also, you can use the Group Policy Editor to set the kill bits on your entire domain. Here are the recommended "kills" from this batch of updates:

    CLSID                                  DLL            Comments
    D4FE6227-1288-11D0-9097-00AA004254A0   msdauth.dll    Windows Media component
    BE4191FB-59EF-4825-AEFC-109727951E42   chtskdic.dll
    17E3A1C3-EA8A-4970-AF29-7F54610B1D4C   CAPICOM        Provides encryption capabilities to programmers.
    FBAB033B-CDD0-4C5E-81AB-AEA575CD1338   CAPICOM


    Note that there are vulnerabilities being patched here that cannot be addressed by setting these kill bits, so your best bet is to upgrade as soon as possible. But still create policies in the Group Policy Editor in case an unpatched machine finds its way onto your network.

  • MS07-029 -- Vulnerability in Windows DNS RPC Interface Could Allow Remote Code Execution

    We first mentioned this flaw -- and the exploits circulating in the wild -- on April 13th. The flaw has received a lot of press, but isn't a concern for most people. Only Microsoft-based DNS servers running on the Internet without any kind of firewall on them or between them and the Internet are susceptible to an external attack. And if a worm taking advantage of this exploit got into a local network, it would likely not be able to compromise more than one machine. Despite that disclaimer, it's a serious bug that could allow someone to take full control of one of your servers, so this patch is here none too soon. For mitigation details, see our above-referenced post.

Bottom line: it's time to update your Windows machines using Windows Update or Microsoft Update. And as always, make sure your intrusion prevention, firewall, and anti-virus products are up-to-date.

Note from the sponsor: a combination of eSoft's Firewall, Intrusion Prevention, and Gateway Anti-Virus products will protect customers from all known exploits of today's announced vulnerabilities.

Wednesday, April 25, 2007

How To Spot A Scam

Spotting a scam isn't always easy. More than anything, it helps to view e-mails, phone calls, and people at your front door with a critical, skeptical eye. If you're skeptical, you'll look for holes, and in 19/20 scams you'll find them without too much searching.

In this blog post I'll walk you through two recent examples of scams that have targeted me. The first one I'll talk about made it through my spam filter this morning.

Scam One

Here's the e-mail:


Let's start with the red flags:

I will need a few moments of your time to cover all related lottery-type information from procuring your prize to any related taxes.


Any time someone wants information for tax purposes, they want your social security number. This should cause alarm bells to ring. Loudly.

Then there's this line in the e-mail:

44.71.188.154 9/3/2006 0:19


This appears to be an IP address and a date and time. I believe this line is there to lend some kind of credibility to the e-mail, but the year says 2006 and the time is 19 minutes after midnight. Clearly something odd is going on.

Seeing that date led me to look at the date of the e-mail, which is "April 25, 2007 4:14:23 AM MDT" -- and this is another red flag. A quick Google search tells us that North Aurora, Illinois (where this company is supposedly located) is in the Central time zone, so this e-mail went out at 5:14am Illinois time, which is a bit earlier than their own stated office hours:

P.S. For your convenience, we are available 8:30 AM to 4:00 PM Central Standard Time, Monday to Friday


As long as we're looking at the e-mail headers, let's take a look at the From address: cedwardsb -at- prize-claim-center.com. But the e-mail says it's from "Michelle Ruland." Shouldn't that From address look more like mruland -at- prize-claim-center.com? Or micheller -at- prize-claim-center.com? It's another red flag.

By now it's obvious that this is a scam, but as a final check, let's take a look at their website. We never click links in e-mails (and neither should you), but with proper protections in place, it can be okay to type a URL into your address bar. Instead of going to the referenced page supposedly used for unsubscribing from their list, let's check the site's home page:



...it's blank. No website there.

As a final note, there are a lot of these "claim your prize" type of e-mails out there. If you entered a drawing for a prize somewhere, you almost certainly gave your phone and mailing address. If you put your e-mail address on there as well, it will likely be used for spam and it will not be used to contact you about the prize. Finally, if you really did win, there would be specifics about when you filled out the form, where, what it was for, and what you won.
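The two header checks walked through above (sent outside the stated Central office hours, and a From display name that does not match the mailbox) can be automated. This is an added example, not code from the original post; the headers are constructed to mirror the post, the Date header is an assumed RFC 2822 rendering of "April 25, 2007 4:14:23 AM MDT", and the Central offset is hard-coded for April 2007 (daylight time) so it runs without a time zone database.

```python
"""Header red-flag checks for the 'prize claim' e-mail discussed above.

Added example, not part of the original post. SAMPLE_MESSAGE is constructed
from the details in the post; the Date header is an assumed RFC 2822
rendering of "April 25, 2007 4:14:23 AM MDT".
"""
import re
from datetime import time, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers; the original e-mail is only shown as an image in the post.
SAMPLE_MESSAGE = """\
From: "Michelle Ruland" <cedwardsb@prize-claim-center.com>
To: victim@example.com
Subject: Your prize claim
Date: Wed, 25 Apr 2007 04:14:23 -0600

P.S. For your convenience, we are available 8:30 AM to 4:00 PM Central Standard Time, Monday to Friday
"""

# Assumption: Illinois is on daylight time (UTC-5) in late April 2007. A fixed
# offset is used so the example runs without a tz database.
CENTRAL = timezone(timedelta(hours=-5), "CDT")
OFFICE_OPEN, OFFICE_CLOSE = time(8, 30), time(16, 0)


def sent_outside_office_hours(msg):
    """True when the Date header, converted to Central time, is outside the stated office hours."""
    sent = parsedate_to_datetime(msg["Date"]).astimezone(CENTRAL)
    if sent.weekday() >= 5:  # Saturday or Sunday
        return True
    return not (OFFICE_OPEN <= sent.time() <= OFFICE_CLOSE)


def name_candidates(display_name):
    """Mailbox local parts a real account for this person would plausibly use."""
    parts = re.findall(r"[a-z]+", display_name.lower())
    if len(parts) < 2:
        return set(parts)
    first, last = parts[0], parts[-1]
    return {
        first + last, first + "." + last, first + "_" + last,
        first[0] + last, first + last[0], last + first[0], last, first,
    }


def from_name_mismatch(msg):
    """True when the From display name does not plausibly match the mailbox local part."""
    display_name, address = parseaddr(msg["From"])
    local_part = address.split("@", 1)[0].lower()
    if not display_name:
        return False  # nothing to compare against
    return local_part not in name_candidates(display_name)


def red_flags(raw_message):
    """Return the red-flag labels raised for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []
    if sent_outside_office_hours(msg):
        flags.append("sent outside stated office hours")
    if from_name_mismatch(msg):
        flags.append("From name does not match mailbox")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_MESSAGE):
        print("RED FLAG:", flag)
```

Either flag alone is a prompt for closer inspection, not proof of a scam; a mail sent from a personal assistant's mailbox or from a different office would trip these checks too.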

Scam Two

I received a phone call at home. The caller said he was with Discover card and wanted to confirm some charges on my account. I haven't used my Discover card in a long time -- in fact, I shredded it -- but even so, this sounded important and the caller rattled off a Discover card number that was supposed to be mine. Then the caller asked me to confirm my identity by giving him my social security number. Whoa there! I've never had a fraud department ask for that information before. So although I was convinced that it was Discover calling, my skepticism kicked in and I asked if I could call him back. He gave me the real 800 number for Discover Card, which I confirmed after I got off the phone by going to their website. When I called Discover, they had no record of any charges on my account for several years and they confirmed what I already knew: it wasn't Discover who had contacted me. For good measure, I officially canceled the card on that call.

The big lesson here is again skepticism. Even very convincing, helpful, and friendly callers to your house who seem to know who you are and maybe other details about you should not be trusted. If anyone, ever, calls you and then asks, for any reason, for details about you -- your address, mother's maiden name, social security number, etc. -- ask if you can call them back. Get their number, but then don't use the number they give you; instead, look up the number on the Internet or in the phone book. Prudence will save you a world of headaches. Also, never trust Caller ID. Just because your phone says Discover Card Fraud Department is calling doesn't make it so. That information is easy to fake.

Phishing

Phishing scams are getting better. Phishers are able to reproduce their target websites much better now, so the broken links that used to be a dead giveaway are seen less frequently. If you get an e-mail ostensibly from your bank, PayPal, eBay, or any official institution, don't follow the links in the e-mail. Use your own bookmarks or enter the official site into your URL bar directly. Do this every time. What you lose in convenience, you more than make up for in security and identity protection.

Combatting Fraud

From the FTC website:

If a scam artist has contacted you or if you've been defrauded, contact the FTC at www.ftc.gov or 1-877-FTC-HELP. We gather evidence, identify fraud trends and alert law enforcement throughout the U.S., Canada, and abroad. By reporting your experience, you can prevent others from becoming victims and help put an end to fraud.


Here are e-mail addresses for forwarding scams, spam, phishing, and more (this has been compiled from different sources, but most notably from the Internet Storm Center):

Spam
uce -at- ftc.gov

spamarchive.org is interested in any spam, but send it as an RFC822 attachment to submitautomated -at- spamarchive.org.

Child pornography
children -at- interpol.int
gmail -at- cybertip.ca
Do not send child porn e-mails to spamarchive.org or redistribute anywhere besides the above two addresses.

Nigerian/419 scams
419.fcd -at- usss.treas.gov.

OEM software
netpiracy -at- siia.net
piracy -at- microsoft.com

Phishing
reportphishing -at- antiphishing.org
phish -at- ists.dartmouth.edu
spam -at- mailpolice.com
phishing-report -at- us-cert.gov
phish -at- phishtank.com (but you have to register at phishtank.com first)
Also: postmaster -at- corp.mailsecurity.net.au, spoof -at- millersmiles.co.uk, and report -at- reportphish.org, but send the mail as an RFC822 attachment.

Pills
webcomplaints -at- ora.fda.gov
drugs -at- interpol.int

Pyramid scams
fraud -at- uspis.gov

Rolex/replicas
steve.govin -at- rolex.com
expert -at- lpconline.com

Stock/pump and dump
enforcement -at- sec.gov

Tobacco
alctob -at- ttb.treas.gov

Viruses
Submit to Threat Center, Jotti, and Virus Total. Also, you can forward to av -at- annex.esoft.com.


Note: If you have updates or additions to the above list of e-mail addresses and websites, please post them in the comments.

Monday, April 23, 2007

Patched Apple Flaws and New QuickTime Flaw Impacts Windows and Mac

Apple's been in the crosshairs recently. Last week they released their fourth security update of the year fixing 25 separate security issues. Several of the fixes are related to file format flaws announced in the Month of Apple Bugs in January. Others allow local privilege escalation.

Possibly the most serious issue is with the RPC runtime (libinfo) library used by services such as NFS. Mu Security has provided some very specific details on the flaw and for machines that are running NFS, the information may be enough for an attacker to create an exploit.

Although we haven't seen any exploits for any of these vulnerabilities, all Mac users should update before exploits start hitting the 'net.

On a related note, security researcher Dino Dai Zovi won a $10,000 bounty when he found a flaw and wrote an exploit to hack into a fully patched Mac laptop. We now know that the flaw he found was actually in the QuickTime application and can be exploited in various browsers and on various operating systems including both OS X and Windows. Exploitation of this flaw requires the user to browse to a malicious website. There is no fix for the flaw at this time, but disabling Java in your browser should protect you. If you don't regularly use Java applets when browsing websites (I can't remember the last time I came across a website that required it) you should go to your preferences or options and disable it right now.

Wednesday, April 18, 2007

PHP Applications and Vulnerabilities

Every day we sift through an avalanche of newly found vulnerabilities in PHP applications and they all come down to improper sanitization of user-supplied input. Until our Universities are teaching secure coding techniques in Computer Science 101, we'll be in this situation for a long time. But that's a rant for another day.

Here's an example list of vulnerability announcements of PHP application over the last 24 hours:

• EclipseBB Phpbb_Root_Path Remote File Include Vulnerability
• Extreme PHPBB2 Remote File Inclusion
• Zomplog File.PHP Directory Traversal Vulnerability
• Joomla Template Module Index.PHP Remote File Include Vulnerability
• Gizzar Index.php Remote File Include Vulnerability
• Joomla/Mambo JoomlaPack Module MosConfig_Absolute_Path Remote File Include Vulnerability
• Cabron Connector InclusionService.PHP Remote File Include Vulnerability
• Wabbit PHP Gallery v0.9 Cross Site Scripting
• ActionPoll Script (actionpoll.php) Remote File Include
• LS simple guestbook - arbitrary code execution
• MyBlog <= 0.9.8 Remote Command Execution Exploit
• my little forum 1.7 Remote File Include Vulnerability
• PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
• Directory traversal vulnerability in Kai Content Management System (K-CMS)
• Directory traversal vulnerability in Monkey CMS 0.0.3
• Cross-site scripting (XSS) vulnerability in OpenConcept Back-End CMS 0.4.7
• PHP remote file inclusion vulnerability in chat.php in MySpeach 1.9
• Multiple PHP remote file inclusion vulnerabilities in CNStats 2.9
• ... and more!


Remote file inclusion, remote code execution, SQL injection, directory traversal, and cross site scripting vulnerabilities are running amok in PHP programs.

Ed Finkler at CERIAS took the time to sort through the NIST vulnerability data and come up with the top 20 offending PHP programs by score and by volume of advisories. This is skewed, of course, because programs not being prodded could be just as vulnerable, but less visible. Just the same, it's pretty interesting. Here are the top 5 by number of entries:
  1. MyBulletinBoard
  2. phpBB
  3. phpMyAdmin
  4. WordPress
  5. PHPNuke


The top 20 is even more enlightening if you happen to use some of those products (like VBulletin, Jupiter CMS, Joomla, and TikiWiki).

Anyone running this kind of software should be doing frequent scans of their files to make sure they haven't changed without their knowledge, frequent downloads of their website to make sure nobody has added code, and should make sure that their web server is isolated from sensitive parts of their network.
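The "frequent scans of their files" recommended above amount to a hash baseline of the web root plus a later comparison. The script below is an added example, not code from the original post or any product it mentions: it records SHA-256 digests for every file under a web root, then reports files that were added, removed or modified; the web root it operates on is constructed in a temporary directory so it runs offline.

```python
"""Baseline-and-compare file integrity check for a web application directory.

Added example, not from the original post. The sample web root is
constructed in a temporary directory so the example runs offline.
"""
import hashlib
import json
import os
import tempfile


def hash_tree(root):
    """Map each file path (relative to root, POSIX separators) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash regular files only; skip symlinks
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def write_baseline(root, baseline_path):
    """Store the current digests as the trusted baseline (keep this file off the web server)."""
    with open(baseline_path, "w") as fh:
        json.dump(hash_tree(root), fh, indent=1, sort_keys=True)


def compare_to_baseline(root, baseline_path):
    """Return {'added': [...], 'removed': [...], 'modified': [...]} relative to the stored baseline."""
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p]),
    }


def demo():
    """Build a constructed web root, baseline it, change it, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(root, "includes"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php include 'includes/config.php'; ?>\n")
        with open(os.path.join(root, "includes", "config.php"), "w") as fh:
            fh.write("<?php $db = 'localhost'; ?>\n")
        baseline = os.path.join(tmp, "baseline.json")
        write_baseline(root, baseline)

        # The three kinds of change a scan is meant to surface: an unexpected
        # new file, an edited include, and a missing file (all constructed).
        with open(os.path.join(root, "uploads.php"), "w") as fh:
            fh.write("<?php /* constructed unexpected file */ ?>\n")
        with open(os.path.join(root, "includes", "config.php"), "a") as fh:
            fh.write("// constructed modification\n")
        os.remove(os.path.join(root, "index.php"))
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Regenerate the baseline only after a deliberate upgrade, and store it somewhere the web server account cannot write, otherwise whoever modifies the site can also modify the record you compare against.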

Note from the sponsor: eSoft's Intrusion Prevention Softpak has generic and specific detections for a number of common PHP vulnerabilities.

Triage For Oracle Critical Patch Updates

tri•age (from dictionary.com)

–noun

1. the process of sorting victims, as of a battle or disaster, to determine medical priority in order to increase the number of survivors.

2. the determination of priorities for action in an emergency.


As always, our focus at Threat Center is on remotely exploitable vulnerabilities. Our interest in privilege escalations and local attacks takes a back seat to vulnerabilities where an anonymous attacker could compromise your business.

Yesterday was Oracle's quarterly "Critical Patch Update" or CPU. This round they released 36 new security issues across the following products:
  • Oracle Database

  • Oracle Secure Enterprise Search

  • Oracle Application Server

  • Oracle Collaboration Suite

  • Oracle E-Business Suite

  • Oracle Enterprise Manager

  • Oracle PeopleSoft Enterprise

In other words, just about every Oracle product is affected. The Suites listed above include numerous programs such as the Oracle Portal, Oracle Streams, Oracle iSupport, Oracle iStore, Oracle Applications Manager, Oracle Agent, and more. For details on all of the patches, view Oracle's security advisory. For a quick triage of the updates, read on below.

Oracle Database


DB01 Core RDBMS Authentication Bypass on Windows
This flaw was reported to Oracle in 2002. Exploiting this flaw is trivial and can be done remotely by an unauthenticated attacker... but you probably aren't affected.

This flaw is specific to Oracle databases running on Windows machines that have "Simple File Sharing" enabled. Simple File Sharing allows a user to share files with anyone without the hassle of managing usernames and passwords. All users are authenticated as Guest regardless of the username or password they provide. If Oracle is configured to use OS-based authentication on a machine with Simple File Sharing enabled, then every attempt to authenticate against the database as any user will be successful. Hopefully if you're running Oracle Database on a Windows machine you aren't also doing any kind of file sharing, and especially not the free-for-all file sharing that is "Simple File Sharing."

David Litchfield has a paper with the full details.


DB05 Authentication Component Logon Trigger Bypass
This is a flaw that requires login credentials and usually wouldn't merit a mention, but it could allow users to bypass logon triggers. These are frequently used to control access by time of day, IP, and other factors or to add extra audit trails, etc. Many of the fixed flaws in this batch that do require a user to first log in may be more dangerous if the user first takes advantage of this logon trigger bypass flaw.


Oracle Enterprise Manager


EM01 Oracle Agent Authentication Bypass

A person can connect to the Oracle Agent and shut it down without authentication.


Oracle Application Server


AS04 and AS05 Oracle Portal Component Flaws
Two flaws in Oracle Portal can be remotely exploited over HTTP to gain access to the system. Authentication is not required and one of them is rated as easy to exploit. This involves some kind of parameter tampering, but we don't have more details at this time.


Oracle E-Business Suite


APPS02 Oracle iProcurement and APPS03 Oracle Report Manager
The vulnerable pages for both of these components are blocked by default by the URL firewall and are therefore not of high concern.


APPS05 and APPS06 Oracle iStore Parameter Tampering Issues
While these two bugs both require authenticated users, an anonymous user can self-register and get an account that way. Once they have an account, the attacker can get unauthorized access to information such as order information for other users. It isn't clear, but this may include access to credit card data. Because of this possibility, and the fact that Oracle says the exploit is of low complexity, we're rating this as a serious vulnerability. If you use the Oracle iStore, upgrade your software right away.


And that's it for the vulnerabilities that look serious to us. For the less serious vulnerabilities where authenticated users are able to gain elevated privileges, there are some exploits in the wild, so if you have strict trust settings, you will want to get going on installing these patches.

Of course we recommend installing all of the patches as soon as possible. If you need time to test the patches before installing, then start with the ones listed above.

Note from the sponsor: Many of the flaws that are fixed in this month's Oracle CPU center around SQL Injection and Cross Site Scripting. eSoft's Intrusion Prevention Softpak provides generic protection for many of these types of attacks. To prevent these types of attacks in the future, refer to eSoft's newest whitepaper, 10 Tips to Better Security.

Monday, April 16, 2007

Microsoft DNS Server Exploits Abound

Over the weekend a number of exploits turned up that make it easy to exploit the recently announced flaw in RPC found on Microsoft DNS Servers.

Those using best practices to firewall inbound connections to ports not explicitly needed should be protected. People who have Windows servers at colocation facilities, or who use ISPs to host services where the ISPs don't have gateway firewalls set up, are at risk.

Among the circulating exploits is an exploit module for Metasploit.

We're also beginning to see variants on established worms, in particular the Rinbot/Nirbot worm, taking advantage of this exploit. This behavior means that unprotected machines will likely be found soon, so please make sure you are following all of the suggestions in the Microsoft Advisory as well as following firewall best practices.


Note from the sponsor: the new worms are detected and stopped by the Gateway AntiVirus Softpak, while attempts to exploit the DNS RPC flaw are detected and stopped by the Intrusion Prevention Softpak. The InstaGate firewall is also instrumental in defending against this vulnerability.

Friday, April 13, 2007

New Microsoft DNS Server Exploit

There is an exploit in the wild, although not yet public, that takes advantage of a flaw in RPC on Windows DNS Server. Microsoft has issued a security advisory with some recommendations on how to protect your computers while waiting for a patch from Microsoft.

Here is a list of affected operating systems:

  • Windows 2000 Server Service Pack 4

  • Windows Server 2003 Service Pack 1

  • Windows Server 2003 Service Pack 2



The best advice from Microsoft on this issue at the moment is to disable RPC capability for DNS servers by changing a registry value. From Microsoft's advisory:

  1. On the start menu click 'Run' and then type 'Regedit' and then press enter.
  2. Navigate to the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

  3. On the 'Edit' menu select 'New' and then click 'DWORD Value'

  4. Where 'New Value #1' is highlighted type 'RpcProtocol' for the name of the value and then press enter.

  5. Double click on the newly created value and change the value's data to '4' (without the quotes).

  6. Restart the DNS service for the change to take effect.



And you should make sure you are blocking all unsolicited traffic on ports over 1024. In fact, you should block all unsolicited incoming traffic period. Use personal firewalls on individual machines and gateway firewalls between your machines and the Internet.