Maximum PC vulnerability RSS Feed

Microsoft Blocks AutoRun/AutoPlay Vulnerability in XP, Vista, and Windows Server [Updated!]

Mark Edward Soper — Mon, 31 Aug 2009 11:41:03 -0500

AutoRun was originally intended to help automatically start programs stored on optical media. However, once USB drives became popular, AutoRun also became a popular way to launch programs from hard disks and thumb drives by working with Windows' built-in AutoPlay functionality.

AutoRun Versus AutoPlay

AutoRun uses an AutoRun.inf file in the root folder of CD or DVD media and other removable drives to specify what happens when the media is inserted or the drive is plugged into a USB or other hot-swap port. Allowable actions include launching a program, displaying an icon, and so on.

AutoPlay is a hot-swap-drive-specific technology in Windows that displays a list of actions that are specific to the media and its content. For example, if you insert a music CD, the AutoPlay menu would provide options for music playback with Windows Media Player or other installed media playback programs. If you connect a USB thumb drive or hard disk that contains different types of media, the AutoPlay list displays programs that can be used to view or play back each of the supported media types (such as photos, music, videos, and so on) stored on the drive. In Windows XP, AutoPlay is configured on a drive-by-drive basis, using programs such as TweakUI. Windows Vista and Windows 7 control AutoPlay on a media-type basis through the Control Panel's AutoPlay applet.

On removable drives, any executable files included in the AutoRun.inf file are automatically added to the AutoPlay menu [thanks to reader MRrelabled for suggesting this new section - updated 8-31-2009].

AutoRun is Not Your Friend (Unless You're a Malware Developer)

Unfortunately, AutoRun's ability to provide instant launching for programs has also been widely exploited by malware such as the notorious Conficker/Downadup worm and others.

First Windows 7, Now the Rest

Back in May, we reported how Microsoft changed how AutoPlay and AutoRun work in Windows 7, preventing USB drives from automatically starting programs using AutoRun. Now, as promised, Redmond's reining in AutoRun's interaction with AutoPlay on Windows XP, Windows Vista, and Windows Server 2003 with its KB971029 security update. It's not available on Windows Update yet, so if you want the update, download and install it manually.

Once you install KB971029, only CD and DVD drives (and programs that emulate CD/DVD drives, such as U3, which is used by SanDisk and other USB flash drive makers) can use AutoRun.

Better Security, But at a Price

Are there downsides to disabling AutoRun? Microsoft points out that you'll need to launch programs from USB drives manually - unless the USB drive emulates a CD drive when you plug it in (such as SanDisk Cruzers and others that use U3 software).

Like the improved security? Find it annoying? Want to report problems with some of your favorite utilities? Hit Comment and sound off.

Some Linksys and Netgear Routers Vulnerable to New Exploit

Paul Lilly — Mon, 03 Aug 2009 09:43:49 -0500

Two security researchers on Saturday have warned that if you use cPanel to administer your website or certain Linksys or Netgear routers, you're leaving yourself open to web-based attacks that could potentially take control of your systems.

The attacks are based on CSRF, or cross-site request forgery, which can be exploited simply by surfing to the 'wrong' website, say Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org.

"CSRF is bad stuff," Bailey said at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means we have these kinds of holes all over."

When visiting a malicous website while logged in to the program, the attack is able to trick cPanel into carrying out sensitive commands by duping the device into thinking they came from the victim. And it doesn't look like this will be fixed anytime soon.

"The response I got from cPanel was we can't fix this because it's a feature," Bailey said. "Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."

Much more info here.

Image Credit: Linksys

Recent Twitter Hacks Highlight Social Networking Vulnerabilities

Paul Lilly — Fri, 17 Jul 2009 08:54:45 -0500

Last month, a hacker calling himself Hacker Croll infiltrated an administrator's email account who works for Twitter, gaining access to the employee's Google Apps account, where Twitter shares spreadsheets and documents outlining business ideas and various financial details, said Biz Stone, a Twitter co-founder.

After doing so, the hacker sent all sorts of confidential documents to a pair of news blogs: TechCrunch and Korben. While the breach and subsequent sharing of information might have been embarrassing for Twitter, analysts say the attack highlights the bigger problem of people using the same password for ever site they visit.

According to security firm Sophos, 40 percent of Internet users use the same password for every website. And with so many personal details floating around social networking sites, it makes it that much easier for hackers to breach someone's account.

"A lot of the Twitter users are much living their lives in public," said Chris King, director of product marketing at Palo Alto Networks, which creates firewalls. "If you broadcast all your details about what your dog's name is and what hour hometown is, it's not that hard to figure out a password."

This won't come as a surprise to power users, but to avoid being hacked, use strong passwords that combine letters and numbers, change your passwords often, and don't use the same password for every site you visit.

Image Credit: ecu.edu

How To Protect Yourself from Newly Discovered "Critical" JavaScript Vulnerability in Firefox 3.5

Paul Lilly — Wed, 15 Jul 2009 13:30:11 -0500

According to Mozilla, a bug was discovered last week in Firefox 3.5's Just-in-Time JavaScript compiler and was disclosed publicly on Monday. Mozilla classifies the vulnerability as "critical," saying it can be used to execute malicious code. More specifically, by exploiting the bug, a hacker could trick a victim into viewing a malicious website containing the exploit code.

"This vulnerability is due to an error in the way JavaScript code is processed," the US-CERT acknowledged. "Exploitation of this vulnerability may allow an attacker to execute arbitrary code. Additionally, exploit code is publicly available for this vulnerability."

While Mozilla said it is currently working on a fix, Firefox 3.5 users don't have to be sitting ducks. Mozilla says the vulnerability can be mitigated by disabling the JIT in the JavaScript engine, which you can accomplish by doing the following:

Enter about:config in the browser's location bar
Type jit in the Filter box
Double-click the line containing javascript.options.jit.content and set the value to false

Mozilla warns that this is a temporary fix and will reduce JavaScript performance. Once an official fix has been put in place, you'll want to go back in and change the value back to true.

If you'd rather not mess around with about:config settings, you can still disable JIT by running Firefox in Safe Mode, which is accessible from the Mozilla Firefox folder.

Microsoft Releases Workaround for Video ActiveX Vulnerability That Can Pwn Your PC

Mark Edward Soper — Tue, 07 Jul 2009 19:40:58 -0500

This week, Microsoft announced that DirectShow ActiveX code in Internet Explorer 6 and 7 that was reserved for future use has finally been used - by malware providers. The DirectShow Video ActiveX control in the msvidctr.dll file can be used to take over your system if you visit an infected website. According to Symantec, thousands of websites (primarily in China and other parts of Asia) have been affected.

Who's vulnerable? According to Microsoft Knowledge Base article 972890, Windows Server 2003, Windows XP SP2, Windows XP SP3, and Windows XP 64-bit edition are at risk if they haven't upgraded to IE8. IE8 is not vulnerable because the DirectShow ActiveX control being exploited was disabled in IE8. But, if you're still running IE7 (or - horrors! - IE6), what now?

Although Microsoft doesn't have a software patch, it's offering the next best thing: visit KB article 972890 to download and run Microsoft Fix it control 50287 to work around the problem (the same site also offers Microsoft Fix it control 50288 to disable the workaround). The woraround and disable workaround controls are distributed in .msi installer files. Microsoft also recommends the workaround for Windows Vista and Windows Server 2008 users who are still running IE7.

If you want to learn more about what the workaround changes, you can visit the Microsoft Security Advisory (972890) page. This page lists the CLSID values that must be changed. This information can be incorporated into a .reg file, or can be distributed to multiple PCs in a domain using Group Policy. For additional information, see Security Focus article 35558.

Twitter Users Hope Cure for Mikeyy Worm Lasts

Mark Edward Soper — Tue, 14 Apr 2009 18:47:08 -0500

Over Easter weekend, many Twitter fans were getting worms instead of finding Easter Eggs, as the developer of a rival microblogging site (StalkDaily), one 17-year-old Michael "Mikeyy" Mooney, was busy drawing Twitter users to his site by using the so-called "Mikeyy" or "StalkDaily" worm to infect links and Twitter profiles. According to PCWorld and the Twitter status page, the infection has now been brought under control. But inquiring minds want to know, "what happened?" and "how can we stop a future attack?"

Doing a Google search for "Mikeyy" or "TwitterWorm" isn't the best way to find out, though, as the F-Secure security blog points out that fake news sites are being used to infect curious searchers with (unrelated) malware. So what really happened?

Mikeyy/StalkDaily used XSS (Cross-Site Scripting) and CSRF (Cross Site Request Forgery) attacks (we've discussed XSS a number of times here at MaximumPC.com). Website developer and Twitter expert Lynne Pope offers an excellent analysis of how the Mikeyy/StalkDaily attacks worked, and how you can protect yourself from similar exploits in the future:

The very first thing you must do to protect yourself is this - do not browse to any sites while logged on to another site. Leaving authentication cookies exposed is dangerous. Log off, then navigate away.

Ms. Pope also recommends:

Firefox fans should use NoScript to prevent scripts from running without explicit permission.
Use the Hosts file to block domains pointed to by malware.
Use tools available at LongURL.org to determine where short URLs are actually pointing to (Mikeyy/StalkDaily used bit.ly and tinyurl.com to conceal the actual websites used for spreading the worm).

Were you affected by the Mikeyy/StalkDaily worm? Hit Comment and tell us your war stories.

Twitter logo courtesy of a MESS of commentary.

Microsoft Mulls Out-of-Cycle Security Update for Newly Discovered PowerPoint Vulnerability

Paul Lilly — Fri, 03 Apr 2009 14:15:14 -0500

No rest for the weary, especially Windows users. Following the Conficker.c scare that, up to this point, hasn't lived up to the hype, a Microsoft Security Advisory (969136) warns of a newly discovered vulnerability in PowerPoint.

"Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if user opens a specially crafted PowerPoint file," said the advisory. "At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability."

Microsoft said the vulnerability is caused when PowerPoint accesses an invalid object in memory when parsing a specially crafted PowerPoint file. The security hole makes it possible for attackers to gain the same user rights as the local user.

No fix is currently in place, however Microsoft indicated it may release a patch before the next monthly security update. In the meantime, PowerPoint users are advised not to open or save Office files from un-trusted sources (thanks for that gem, MS!).

This is No Joke: Conficker.C to Strike on April Fools' Day

Mark Edward Soper — Mon, 16 Mar 2009 17:06:59 -0500

Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:

Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
Creating access control entries and locking the file(s)
Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method

To find out what happens when Conficker.C strikes, join us after the jump.

Conficker.C's payload makes it harder than ever to recover from being infected:

Deactivates Windows Security Center notifications
Prevents restart in Safe Mode
Prevents Windows Defender from running at system startup
Deletes all system restore points
Disables various error-reporting and security services
Terminates over twenty security-related processes
Blocks DNS queries
Blocks access to security and antivirus websites
And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

See the Win32/Conficker.C writeup at CA's website for complete technical details.

Microsoft, Panda Software, Symantec, and McAfee are just a few of the vendors that have now updated their threat encyclopedias to include Conficker.C (it's sometimes listed as Conficker.B++). Since Conficker.B and the new Conficker.C are designed to block access to antivirus websites, you might want to download removal tools now - just in case. You can get one developed by BitDefender from the Downadup.org website (Downadup is the alternative name for Conficker); however, keep in mind that ArsTechnica isn't certain if it will remove Conficker.C (it will remove older versions).

Naturally, prevention's way better than curing a nasty worm outbreak. To learn more about preventing infections, and for links to additional removal tools, see our previous Conficker articles.

Have you been hit by any Conficker version? Any tips for the rest of us? Hit Comment and pass them along.