Tuesday, July 17, 2007

Threat Level Raised

We're raising the threat level in response to the Adobe vulnerability. At this point, the Threat Level is in a cautionary area. We'll raise it again if we start seeing widespread exploitation.

Adobe Flash Browser Plugin High Risk Vulnerability

Yesterday, Adobe announced a vulnerability in its Flash Player that could be exploited to run arbitrary code. This vulnerability is cross-browser and cross-platform, and the vulnerable software is installed by default on all recent copies of Windows and OS X.

All users who allow Flash content in their browsers are at risk.

This morning we saw the first proof-of-concept exploit, which we fully expect to be the tip of the iceberg. It's likely that we'll see mass exploitation in the next few days.

To protect yourself, the best thing to do is to upgrade your Flash plugin to 9.0.47.0 or later. If you use Firefox, the NoScript plugin will prevent Flash content from running unless you specifically trust the source or grant it temporary permission. NoScript can be annoying, but it's an extremely valuable tool in combating malicious websites.

And, of course, make sure you're running gateway and desktop antivirus and intrusion prevention products that are up-to-date.

We'll keep you posted as we see more.

Note from the sponsor: eSoft's Gateway AntiVirus and Intrusion Prevention Softpaks provide full protection for this vulnerability and provided that protection starting shortly after the announcement of the vulnerability and well before any exploits became public.

Thursday, July 12, 2007

Patch Tuesday and Browser 0-days

After a small pause, Threat Center Live is back. We've been very busy at Threat Center building up our honeypots, honeymonkeys, and other systems for finding live malware and exploits in the wild. We've also been busy tracking down and writing signatures for a variety of vulnerabilities. Here's a rundown of the latest news:

The first (as far as I am aware) cross *browser* exploit has been discovered. It affects Windows machines with both Internet Explorer and Firefox installed and uses a trick to cause Internet Explorer (and presumably Outlook, Outlook Express, and other programs that use the same engine as IE) to launch Firefox and pass arbitrary JavaScript code to it in a trusted context -- meaning that applications can be launched without any user interaction. There are some good demonstrations of the exploit here and here, and with these examples I think we can expect malicious exploits as early as today. Note that this is a vulnerability in Firefox, but it can only be exploited if someone is using IE despite having Firefox installed.

Next in the security roundup from the last couple of days is Microsoft's July Patch Tuesday. This is the first Patch Tuesday in quite a while in which there were no fixes for Internet Explorer, Outlook, or Outlook Express. However, our series of patches for Microsoft Office products remains uninterrupted. Here's the breakdown of what you need to know:

  • MS07-036 -- Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution

    Three vulnerabilities in Excel can allow a malicious Excel file to execute arbitrary code. Although no proof-of-concept exploits have been released to the public, the eSoft Threat Prevention Team was able to reconstruct an exploit from the information in Microsoft's advisory. We believe this is a serious threat. As always, do not open unsolicited file attachments and keep your antivirus signatures up-to-date. eSoft products have zero-day protection for this vulnerability when and if exploits start to circulate.

  • MS07-037 -- Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution

    Malformed Microsoft Publisher files opened with Publisher 2007 can cause arbitrary code to be executed on a host computer. We recommend blocking .pub files at the gateway to protect against this threat.

  • MS07-038 -- Vulnerability in Windows Vista Firewall Could Allow Information Disclosure

    It appears that this vulnerability could allow an attacker to see what services are running on a machine even if those services are firewalled. The vulnerability involves the encapsulation of IPv6 packets inside IPv4 packets. This kind of traffic cannot be blocked at the firewall as it is legitimate traffic. If you don't use IPv6, then you should follow the directions in Microsoft's advisory to disable Teredo. They offer three different ways to block this traffic, the easiest of which is to use the Vista Firewall to block Teredo packets in and out of a machine.

  • MS07-039 -- Vulnerability in Windows Active Directory Could Allow Remote Code Execution

    Few organizations will allow LDAP access to their Active Directory service through the firewall, so this threat shouldn't be too large for most installations. However, there are always those organizations with non-standard setups, and the insider threat. At this point we don't have enough information to give this a full analysis. No public exploits exist.

  • MS07-040 -- Vulnerabilities in .NET Framework Could Allow Remote Code Execution

    This is in fact three vulnerabilities. Most intrusion prevention systems should have protected against the null-byte vulnerability already in a more generic form. The other two vulnerabilities are a bit more ambiguous as to what programs are vulnerable and how they could be exploited. We're keeping a close eye on this one as a variety of applications use the .NET framework and this could impact many of them.

  • MS07-041 -- Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution

    This is in fact a rehash of an older known vulnerability in IIS 5.1 on WinXP SP2. It was previously thought to be only a denial of service issue. Many intrusion prevention systems likely already catch attempts to exploit this vulnerability. The exploit is a specially crafted URL, but as the affected software is very outdated there are probably very few vulnerable installations and therefore a low likelihood of someone developing a working exploit that does more than denial of service.
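The MS07-038 item above turns on IPv6 traffic tunnelled inside IPv4 (Teredo). As an added illustration, not code from the original post or from eSoft, here is a small Python classifier that walks an IPv4/UDP packet and reports whether it carries an IPv6 datagram to a Teredo address, the kind of check a gateway sensor would use to see how much of this traffic is leaving a network before deciding to block it. The sample packet is constructed inline; the UDP port 3544 and the 2001:0000::/32 prefix are the standard Teredo values and are not taken from the post.

```python
import struct

TEREDO_PORT = 3544  # standard Teredo server UDP port (not from the post)
TEREDO_PREFIX = b"\x20\x01\x00\x00"  # 2001:0000::/32, the Teredo address prefix

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) for a raw IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]

def classify_teredo(pkt):
    """Describe an IPv4/UDP packet whose payload is an IPv6 datagram
    (a Teredo tunnel); return None for anything else."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return None
    proto, src, dst, l4 = parsed
    if proto != 17 or len(l4) < 8:          # 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    inner = l4[8:]
    # A Teredo payload is a plain IPv6 packet: version nibble 6, 40-byte header
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return {
        "outer": f"{src}:{sport} -> {dst}:{dport}",
        "server_port": TEREDO_PORT in (sport, dport),
        "inner_next_header": inner[6],      # e.g. 6 = TCP, 17 = UDP
        "inner_dst_is_teredo": inner[24:28] == TEREDO_PREFIX,
    }

def build_sample():
    """Constructed sample: 192.0.2.10 -> Teredo server 198.51.100.1:3544,
    carrying an IPv6 header (next header TCP) to a 2001:0000::/32 address."""
    inner = (bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", 20, 6, 64)
             + TEREDO_PREFIX + b"\x00" * 12    # inner source address
             + TEREDO_PREFIX + b"\x00" * 12    # inner destination address
             + b"\x00" * 20)                   # placeholder TCP header
    udp = struct.pack("!HHHH", 54321, TEREDO_PORT, 8 + len(inner), 0) + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return ip + udp

if __name__ == "__main__":
    print(classify_teredo(build_sample()))
```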

As usual, follow best security practices and patch your systems as soon as possible.

Note from the sponsor: eSoft's Intrusion Prevention and Gateway AntiVirus Softpaks provide protection against all known exploits of the above vulnerabilities and, for some of the vulnerabilities, all theoretical exploit vectors.