Maximum PC exploit RSS Feed

Some Linksys and Netgear Routers Vulnerable to New Exploit

Paul Lilly — Mon, 03 Aug 2009 09:43:49 -0500

Two security researchers on Saturday have warned that if you use cPanel to administer your website or certain Linksys or Netgear routers, you're leaving yourself open to web-based attacks that could potentially take control of your systems.

The attacks are based on CSRF, or cross-site request forgery, which can be exploited simply by surfing to the 'wrong' website, say Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org.

"CSRF is bad stuff," Bailey said at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means we have these kinds of holes all over."

When visiting a malicous website while logged in to the program, the attack is able to trick cPanel into carrying out sensitive commands by duping the device into thinking they came from the victim. And it doesn't look like this will be fixed anytime soon.

"The response I got from cPanel was we can't fix this because it's a feature," Bailey said. "Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."

Much more info here.

Image Credit: Linksys

World's First Cell Phone Botnet Could be Coming Soon

Paul Lilly — Mon, 20 Jul 2009 12:55:51 -0500

You knew it would happen sooner or later, we're just a little surprised it took this long for hackers to release a botnet running on mobile phones. According to Symantec, a piece of malicious software called Sexy Space may be the first documented case.

Like most botnets, Sexy Space relies on quite a bit of user interaction to be effective. Those who ultimately become a zombie in the botnet first receive a text message saying "A very sexy girl, Try it now!" Inside the message is a link that must be clicked, which then asks the potential victim to download software. The software then scours through the user's contact list and sends an SMS with the same message to each person.

Symantec says that this particular botnet is being controlled by a central server, but it remains unclear whether or not the phones respond to remote commands.

We're undoubtedly preaching to the choir on this one, but be wary of any rogue text messages, especially when they ask you to click a link and download software.

Image Credit: chosun.com

Mozilla Patches TraceMonkey Exploit with Firefox 3.5.1

Paul Lilly — Mon, 20 Jul 2009 06:39:03 -0500

If you're a Firefox user, be sure to grab the latest update bringing Firefox 3.5 to 3.5.1. A number of security and stability issues have been addressed in the newest release, but its main purpose was to patch a critical security vulnerability in the browser's TraceMonkey JavaScript engine. Prior to the patch, the bug could cause Firefox to crash when typing text into an input box on certain websites.

"This is a JS engine bug dealing with deep bailing not properly restoring the return value from the result of the (fast native) escape function. We then try to do something with the uninitialized memory and crash in the interpreter," wrote Mozilla's Blake Kaplan in a comment on the bug report.

It didn't take long for researchers to discover that the bug was exploitable and could be used to execute arbitrary code. It's also been squashed in the 3.5.1 update, however researchers have discovered a similar bug that remains. According to Mozilla, it is looking into the issue, but so far doesn't believe the newly discovered bug is exploitable.

Microsoft Releases Workaround for Video ActiveX Vulnerability That Can Pwn Your PC

Mark Edward Soper — Tue, 07 Jul 2009 19:40:58 -0500

This week, Microsoft announced that DirectShow ActiveX code in Internet Explorer 6 and 7 that was reserved for future use has finally been used - by malware providers. The DirectShow Video ActiveX control in the msvidctr.dll file can be used to take over your system if you visit an infected website. According to Symantec, thousands of websites (primarily in China and other parts of Asia) have been affected.

Who's vulnerable? According to Microsoft Knowledge Base article 972890, Windows Server 2003, Windows XP SP2, Windows XP SP3, and Windows XP 64-bit edition are at risk if they haven't upgraded to IE8. IE8 is not vulnerable because the DirectShow ActiveX control being exploited was disabled in IE8. But, if you're still running IE7 (or - horrors! - IE6), what now?

Although Microsoft doesn't have a software patch, it's offering the next best thing: visit KB article 972890 to download and run Microsoft Fix it control 50287 to work around the problem (the same site also offers Microsoft Fix it control 50288 to disable the workaround). The woraround and disable workaround controls are distributed in .msi installer files. Microsoft also recommends the workaround for Windows Vista and Windows Server 2008 users who are still running IE7.

If you want to learn more about what the workaround changes, you can visit the Microsoft Security Advisory (972890) page. This page lists the CLSID values that must be changed. This information can be incorporated into a .reg file, or can be distributed to multiple PCs in a domain using Group Policy. For additional information, see Security Focus article 35558.

Fearing Exploit, Microsoft Patches PowerPoint

Paul Lilly — Fri, 15 May 2009 15:56:40 -0500

Hackers have targeted everyone from QuickTime users to epilepsy patients, so is anyone really suprised to see them now going after PowerPoint users?

That's the latest word from Microsoft, who noted that Mac users running PowerPoint are also vulnerable (no matter what Justin Long says), although there has been no evidence that hackers have tried to attack the platform. The "critical" vulnerability relies on the intended victim opening an infected PowerPoint file either downloaded from the web or received as an email attachment.

"At that point, the attacker would then have complete control over everything the user's account has permission to do on the system," said Alfred Huger, a senior researcher with Symantec.

Patches have been released for Windows users, but not for Mac computers. However, Microsoft did say it was working on one.

Image Credit: poweredtemplates.com

Redmond Reins in AutoRun, AutoPlay to Help Make Windows More Secure

Mark Edward Soper — Fri, 01 May 2009 19:04:35 -0500

AutoRun and AutoPlay, Microsoft's "dangerous duo" for launching programs from CD/DVD and other removable media types, have become among malware authors' favorite infection vectors - and Microsoft has finally said, "enough already!"

A research study by Forefront Client Security cited by the Engineering Windows 7 blog determined that infections that can be started with AutoRun amounted to 17.7% of detected infections in the second half of 2008.

Although AutoRun was originally designed strictly for optical media, it can be used for other types of media. For example, you can create an autorun.inf file that adds the program on the media to the AutoPlay menu Windows displays, and change the default icon to make the malware program mimic a legitimate program. Conficker used this method to spread, as illustrated here.

Starting in Windows 7 RC, Microsoft has changed how both AutoRun and AutoPlay work:

AutoPlay no longer supports AutoRun on non-optical removable media. An autorun.inf file on a USB or other type of non-optical removable media will be disregarded. Only AutoPlay options that pertain to the types of files on the media will be listed.
When AutoPlay displays programs present on the media, the dialog now states that those programs will be run from the media.

Microsoft's Security Research and Defense blog provides sample dialogs and more details of how these changes work. The best news? Microsoft is planning to extend these security improvements to Windows Vista and XP users as well.

Are there any downsides? For a vigorous discussion of programs and devices that might not work after this change, see the comment thread at the Engineering Windows 7 blog. To start a MaximumPC-style discussion, you know what to do: click Comment and sound off!

[Not So] Crazy - Redmond to Protect Pirated and Legit Window 7 Copies

Mark Edward Soper — Thu, 30 Apr 2009 14:54:01 -0500

Softpedia reports that pirated copies of Windows 7 will be provided with security updates, update rollups, and even service packs. What is Microsoft thinking? Is Redmond promoting piracy?

The idea of providing security and other updates to pirated copies as well as legit copies of Windows might seem crazy, but here's the reasoning, straight from Paul Cooke, director of Windows Client Enterprise Security:

Keeping a machine up to date is one of the first steps in helping ensure that they remain reliable, compatible, and safe from threats when they are online. Some of the most famous incidents of malicious software infection have come after security updates were publicly available from Microsoft - Blaster, Zotob, Conficker and Sasser, just to name a few. Rest assured that we at Microsoft are committed to making sure that security updates are available to all of our users to help ensure a safe online experience for everyone.

Note that Cooke is laying the blame for many recent security problems where it belongs: on users and companies who will not upgrade their software to block such threats. By continuing the recent policy of allowing users of non-genuine Windows to receive security updates, Microsoft is saying, in effect, 'don't blame us if unpatched systems are compromised.'

However, don't think that Redmond's turning a patched eye to either casual piracy or software counterfeiting. Pirated copies of Windows 7 won't be eligible for some of Microsoft's goodies, and Softpedia points out that counterfeit copies of Windows often come with a "free" bonus: malware.

For your chance to sound off on security for software pirates, hit Comment.

Twitter Users Hope Cure for Mikeyy Worm Lasts

Mark Edward Soper — Tue, 14 Apr 2009 18:47:08 -0500

Over Easter weekend, many Twitter fans were getting worms instead of finding Easter Eggs, as the developer of a rival microblogging site (StalkDaily), one 17-year-old Michael "Mikeyy" Mooney, was busy drawing Twitter users to his site by using the so-called "Mikeyy" or "StalkDaily" worm to infect links and Twitter profiles. According to PCWorld and the Twitter status page, the infection has now been brought under control. But inquiring minds want to know, "what happened?" and "how can we stop a future attack?"

Doing a Google search for "Mikeyy" or "TwitterWorm" isn't the best way to find out, though, as the F-Secure security blog points out that fake news sites are being used to infect curious searchers with (unrelated) malware. So what really happened?

Mikeyy/StalkDaily used XSS (Cross-Site Scripting) and CSRF (Cross Site Request Forgery) attacks (we've discussed XSS a number of times here at MaximumPC.com). Website developer and Twitter expert Lynne Pope offers an excellent analysis of how the Mikeyy/StalkDaily attacks worked, and how you can protect yourself from similar exploits in the future:

The very first thing you must do to protect yourself is this - do not browse to any sites while logged on to another site. Leaving authentication cookies exposed is dangerous. Log off, then navigate away.

Ms. Pope also recommends:

Firefox fans should use NoScript to prevent scripts from running without explicit permission.
Use the Hosts file to block domains pointed to by malware.
Use tools available at LongURL.org to determine where short URLs are actually pointing to (Mikeyy/StalkDaily used bit.ly and tinyurl.com to conceal the actual websites used for spreading the worm).

Were you affected by the Mikeyy/StalkDaily worm? Hit Comment and tell us your war stories.