Everyone has different reasons for exposing Windows security flaws. Some do it to avenge a fellow security researcher's insult, others to bring home the bacon. Unlike the Microsoft-Spurned Researcher Collective, which falls in the former category, Danish security firm Secunia's motivation is purely pecuniary.
“The vulnerability is caused due to a boundary error in the "UpdateFrameTitleForDocument()" function of the CFrameWnd class in mfc42.dll. This can be exploited to cause a stack-based buffer overflow by passing an overly long title string argument to the affected function,” Secunia said on its site.
According to group manager Jerry Bryant, “Microsoft is investigating new public claims of a possible vulnerability in Windows 2000 and Windows XP.” However, he is unaware of any attacks based on the vulnerability.
July 4 turned out to be a field day for hackers and chance cyber-saboteurs as they converged on the world's most popular video streaming site to wreak havoc using a cross-site scripting (XSS) vulnerability. They inserted malicious code in the comments section of many YouTube videos to trigger a series of anomalous events, including redirects to porn sites and nasty pop-ups, whenever a user visited a targeted video. Justin Bieber fans were probably the worst hit, with hackers and pranksters concertedly targeting the Canadian singer's videos.
But Google wasted little time in plugging the hole. "We took swift action to fix a cross-site scripting (XSS) vulnerability on youtube.com," a spokesperson for YouTube's parent company said. "Comments were temporarily hidden by default within an hour [of discovering the problem], and we released a complete fix for the issue in about two hours. We’re continuing to study the vulnerability to help prevent similar issues in the future."
Microsoft has acknowledged that it is aware of a zero-day vulnerability in the HCP protocol. It learned about the threat on June 5, 2010 from Google security engineer Tavis Ormandy, who barely waited four more days before making the details of the threat public, complete with his proof-of-concept exploit code.
Microsoft took a dim view of Ormandy’s eagerness to make a public disclosure. “Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk,” wrote Mike Reavey, director of the Microsoft Security Response Center, in a blog post.
Reavey also criticized Ormandy for not being thorough in his analysis: “It turns out that the analysis is incomplete and the actual workaround Google suggested is easily circumvented.”
The vulnerability is known to affect Windows XP and Windows Server 2003 only. Microsoft is currently working on a fix. In the interim, users can protect themselves by unregistering the HCP protocol as described in Microsoft Security Advisory 2219475.
Soccer fans around the world are eagerly waiting for the 2010 FIFA World Cup to kick off. Soccer's marquee event will virtually transform host nation South Africa into the mecca for the sport's impassioned followers around the world. As with any other major world event or cataclysm, the internet's dark alleys are filled with people ready to prey on the outpouring of human emotion during the World Cup. It is likely that some of their nefarious plans are already afoot, even though there is a fair bit to go before the start of the event.
Symantec recently discovered a “targeted attack” that quite clearly tries to exploit the mounting soccer fever. Thankfully, the attack was thwarted before it could cause any damage. The attackers tried to drop their malicious payload using an email message ostensibly sent by a legitimate African safari organiser, Greenlife. To the untrained eye, the sender had simply attached a “highly informative World Cup Travel Guide” to the message. In reality, the attachment was a modified variant of Greenlife's genuine PDF guide: the original document had been laced with code exploiting a recently patched vulnerability in Adobe Reader before being forwarded as an attachment.
“The patch for this critical rated vulnerability was released by Adobe on February 16, 2010. Since then we have observed a large number of targeted attacks attempting to exploit this vulnerability. Proof-of-Concept exploit code is available on the Internet which is contributing to the large number of observed attacks,” Daren Lewis, a Symantec employee, wrote on the MessageLabs Intelligence blog.
Targeted attacks are known to be precise and less spammy. For instance, Symantec sees fewer than 100 such attacks a day, even though it blocks around 500,000 malicious emails per day. Such attacks usually target organizations, with people at the top of the pecking order more likely to be attacked first. This way the attackers can gain access to a pretty large chunk of that organization's sensitive information. In this case, the malicious email was sent to a person only identified as “a user in a major international organisation that brings together governments from all over the world.”
Adobe last week released a security update for a critical vulnerability in Adobe Flash, but according to security researcher Aviv Raff, installing the update could be cause for concern.
"If you did upgrade to the latest version of Flash from the Adobe website, you very likely have Adobe Download Manager installed," Raff points out.
So what's the big deal? Raff says there's an undisclosed flaw in the way Adobe's Download Manager works, which makes it possible for an "attacker [to] force an automatic download and installation of any executable he desires." In other words, those who download the update end up exposing themselves to a zero-day attack, Raff claims.
Adobe is apparently aware of the issue and is reportedly working with Raff to patch it up. The software maker also downplayed the security risk, saying "the user has to accept a number of prompts before being taken through the installation process," which it said makes it hard for a user to install unwanted and malicious software without their knowledge.
I've been a relatively fortunate mobile phone owner. I've dropped various phones countless times throughout my geek life, including the extended cleaning of my first-ever iPhone by accidentally introducing it to my apartment complex's pool. I've broken countless critical features on my phones as a result of this clumsiness, the smashing of a phone against the car keys in my pocket, and the general wear-and-tear of a semi-busy lifestyle. In college, I had a flip-phone that was anything but, the exterior having been beaten up and bruised enough to transform the phone's external screen into a strobe light of sorts whenever anyone called. Awesome for parties; useless for caller ID.
I've never lost my phone, though. And every day I board a train to head to work, sit in a taxicab, or go about my business without really paying much attention to where I last put my dialing device, I wonder: Is this it? Will today be the day that some unscrupulous person gets a hold of my iPhone and, by proxy, my entire online life?
In some ways, someone already has.
This isn't some kind of "won't somebody think of the children" scare tactic. It's a simple reality: You're hearing a lot about the wonders of cloud computing at this year's CES. And while that has different applications for the enterprise level than consumer, the practical reality of it for most PC users (and laptop users especially cough-cough-Chrome OS-cough) is that you're taking the data that would otherwise reside on a system within your control and placing it in the hands of another entity.
Cloud applications can be super-useful when you let others run the services that improve your geeky life. Your data, however, is your own--the more consumers coalesce their computing lives into access points, the more this data becomes ripe for abuse... or worse.
There's been a bit of a disagreement in the security community over how serious a recently discovered vulnerability in Microsoft's Internet Information Services (IIS) really is. On one hand, the researcher who discovered the bug labeled it as "highly critical," while at least one other security firm showed far less concern. So what does Microsoft have to say about all this?
"We've completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found there is no vulnerability in IIS," Microsoft wrote in a blog post.
Confused? Microsoft did admit "that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs," but said in order for an attacker to bypass content filtering software to upload and execute malicious code on an IIS server, it would have to already be configured to allow both "write" and "execute" privileges on the directory.
"This is not the default configuration for IIS and is contrary to all of our published best practices," Microsoft added. "Quite simply, an IIS server configured in this manner is inherently vulnerable to attack."
Attackers have a new vulnerability to exploit in Microsoft's Internet Information Services (IIS), which would allow them to execute malicious code on machines configured with the webserver software. According to researcher Soroush Dalili, the bug stems from how IIS parses file names with colons or semicolons. By appending benign file extensions to a malicious file, attackers can effectively bypass filters designed to stop dirty code from getting through, The Register reports.
Dalili said the bug affects all versions of IIS, and while he rated it "highly critical," not everyone agrees with his assessment. Secunia classified the bug as "less critical," which is the security firm's second least "critical" ranking on a five-tiered scale.
"Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as '.asp,' '.cer,' '.asa,' and so on," Dalili wrote. "Many web applications are vulnerable against file uploading attacks because of this weakness of IIS."
So why did Secunia only rate it as "less critical?" The company didn't say, noting only that it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6.
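A defender's view of the filter weakness Dalili describes, as an added example that is not from the article or from IIS itself: the naive trailing-extension check beside a hardened one, plus a scan over constructed W3C-format IIS log lines for requests whose path carries a semicolon. The executable-extension list beyond .asp/.cer/.asa and the default log field order are assumptions.

```python
import os
import re

# Script-mapped extensions IIS 6 executes; the page names .asp, .cer and .asa (others assumed)
EXECUTABLE_EXTS = {".asp", ".asa", ".cer", ".cdx", ".aspx"}
ALLOWED_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}

def naive_is_allowed(filename: str) -> bool:
    """The weak filter: trusts whatever follows the last dot, so 'shell.asp;.jpg' passes."""
    return filename.lower().endswith(tuple(ALLOWED_EXTS))

def hardened_is_allowed(filename: str) -> bool:
    """Refuse any name IIS 6 might parse differently than this filter did."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    if not name or ";" in name or ":" in name:
        return False  # IIS 6 stops reading the name at ';' or ':' (the inconsistency above)
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+", name):
        return False  # plain characters only, at least one extension, no leading dot
    exts = ["." + part for part in name.lower().split(".")[1:]]
    if any(ext in EXECUTABLE_EXTS for ext in exts):
        return False  # every dotted segment is checked, so 'shell.asp.jpg' is refused too
    return exts[-1] in ALLOWED_EXTS

def suspicious_uris(log_lines):
    """Detection side: W3C-format IIS log lines whose cs-uri-stem carries ';' (or %3b)."""
    hits = []
    for line in log_lines:
        if line.startswith("#"):
            continue  # header/directive lines
        fields = line.split()
        if len(fields) < 5:
            continue
        uri = fields[4]  # assumed default W3C order: date time s-ip cs-method cs-uri-stem ...
        if ";" in uri or "%3b" in uri.lower():
            hits.append(uri)
    return hits

# Constructed sample log lines (not real traffic), in the assumed default IIS 6 W3C field order
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    "2009-12-28 10:01:02 10.0.0.5 GET /uploads/photo.jpg - 80 - 192.0.2.10 Mozilla/4.0 200 0 0",
    "2009-12-28 10:01:09 10.0.0.5 GET /uploads/shell.asp;.jpg - 80 - 192.0.2.10 Mozilla/4.0 200 0 0",
]

if __name__ == "__main__":
    for n in ("photo.jpg", "shell.asp;.jpg", "shell.asp.jpg", "..\\web.config"):
        print(f"{n:20} naive={naive_is_allowed(n)!s:5} hardened={hardened_is_allowed(n)}")
    print("suspicious:", suspicious_uris(SAMPLE_LOG))
```

The filter change is only a layer; as Microsoft notes above, the upload directory must also not carry both write and execute rights.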
The other day, Adobe announced it had discovered a vulnerability in its Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild, and assured users the company was investigating the issue. The good news is that Adobe's security team has finished the investigation. And the bad news? You'll have to wait until at least January 12, 2010 -- the targeted ship date -- to receive a patch.
According to Adobe, it considered stopping everything else and working immediately on an out-of-cycle security update with a one-off fix, but because that would still take between two and three weeks, doing so would disrupt the schedule of its next planned quarterly security update. So instead the fix will be rolled into the code branch for the next quarterly update.
AutoRun was originally intended to help automatically start programs stored on optical media. However, once USB drives became popular, AutoRun also became a popular way to launch programs from hard disks and thumb drives by working with Windows' built-in AutoPlay functionality. Unfortunately, AutoRun's ability to provide instant launching for programs has also been widely exploited by malware such as the notorious Conficker/Downadup worm and others. Microsoft changed how AutoRun works in Windows 7 RC, but until now, Windows XP, Windows Vista, and Windows Server 2003 have been wide open to USB-based AutoRun attacks. To find out how Redmond's reining in AutoRun, join us after the jump.