10.12.08

Unpatched Internet Explorer 7 Vulnerability Exploited As Microsoft Patch Fixes 28 Security Vulnerabilities


Microsoft today released patches for at least 28 vulnerabilities affecting Windows, Office, Internet Explorer, Visual Basic ActiveX controls and Windows Media Player. According to a warning from security researchers, malicious hackers are exploiting an unpatched zero-day flaw in Microsoft’s Internet Explorer 7 browser to launch a new wave of malware attacks.
Of the 28 flaws, 23 could be used to launch remote code execution attacks with minimal user action. Most of the bulletins address client-side flaws that could be exploited via the browser or when a user opens a booby-trapped file, for example a rigged RTF (Rich Text Format) Word file.
Here are the details and overview of the December 2008 Microsoft patches:
MS08-070 (Critical) Multiple vulnerabilities in the ActiveX controls shipped with the Visual Basic 6.0 runtime allow arbitrary code execution. Also affects Visual Studio, FoxPro, FrontPage and MS Project. The vulnerable files are distributed with third-party applications as well. Affected: Visual Basic ActiveX (CVE-2008-3704, CVE-2008-4252, CVE-2008-4256, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255). Exploit code for CVE-2008-3704 has been publicly available since August 2008.
MS08-071 (Critical) Multiple overflow vulnerabilities allow code execution with the rights of the logged-on user via crafted WMF files. Replaces MS08-021. Affected: GDI (CVE-2008-3465, CVE-2008-2249). No publicly known exploits.
MS08-072 (Critical) A multitude of vulnerabilities allow arbitrary code execution in Office (and, by extension, Outlook). Also affects the Mac versions of Office (Office 2004 and Office 2008). Replaces MS08-026, MS08-042, MS08-052 and MS08-057. Affected: MS Word (CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4028, CVE-2008-4030, CVE-2008-4837, CVE-2008-4031). No publicly known exploits.
MS08-073 (Critical) Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user. Replaces MS08-058. Affected: MS Internet Explorer (CVE-2008-4258, CVE-2008-4259, CVE-2008-4261, CVE-2008-4260). No publicly known exploits.
MS08-074 (Critical) Multiple vulnerabilities allow arbitrary code execution in MS Office. Also affects the Mac versions of Office (Office 2004 and Office 2008). Replaces MS08-058. Affected: Excel (CVE-2008-4265, CVE-2008-4264, CVE-2008-4266). No publicly known exploits.
MS08-075 (Critical) Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user. Replaces MS08-038. Affected: Windows Explorer (CVE-2008-4269, CVE-2008-4268). No publicly known exploits.
MS08-076 (Important) Multiple vulnerabilities allow arbitrary code execution with the rights of the logged-on user. Affected: WMC media player (CVE-2008-3010, CVE-2008-3009). No publicly known exploits.
MS08-077 (Important) Authentication bypass is possible on SharePoint servers. Replaces MS07-059. Affected: SharePoint (CVE-2008-4032). Microsoft’s workaround publishes more details here.
Users running IE 7 on Windows XP SP2 can still be infected by a Trojan downloader that exploits an unpatched IE7 vulnerability. The exploit was published the same day Microsoft patched the wide range of vulnerabilities listed above. It abuses the way IE handles XML (Extensible Markup Language). For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code taking advantage of the flaw.
In the attacks seen so far, the code drops a malicious program on the victim’s PC, which then downloads further malicious software from various locations. Public proof-of-concept code exists, so the attacks may become more widespread (some hacked Chinese-language websites already infect visitors).

7.12.08

Login And Password Stealing Trojan Masquerades As Firefox Plug-in


A password-stealing Trojan that poses as a Firefox plug-in is doing the rounds, according to Romanian security firm BitDefender. ChromeInject-A is typically downloaded onto Windows PCs already compromised by other malware.
It drops an executable file (a Firefox 3 add-on) and a JavaScript file (detected by BitDefender as Trojan.PWS.ChromeInject.A) into the Firefox plugins and chrome folders respectively. It filters the URLs opened in the Mozilla Firefox browser and, whenever it encounters one of the specific addresses it is looking for, captures the login credentials. It is the first malware that targets Firefox. The filtering is done by a JavaScript file running in Firefox’s chrome environment.
The backdoor code looks for data exchanged between a compromised machine and a list of pre-programmed banking sites in Europe, Australia and the US. Harvested login credentials are captured and subsequently posted to a server located in Russia.
BitDefender reports that incidents of the malware are “very low”, so the attack is more notable for its novelty than its potency. Malware that capitalises on the popularity of Firefox is rare, but not unprecedented.
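The write-up above points at two places a defender can check after an infection like this: a script dropped into the profile’s chrome folder and a binary dropped into the plugins folder. The following audit is an added example written for this page, not BitDefender’s or Mozilla’s code; the allow-lists are assumptions for the demo, and the planted file names (prefixed PLACEHOLDER_) are constructed stand-ins, since the original article names no artefacts.

```python
"""Audit Firefox profile folders for unexpected add-on artefacts.

Added illustration for the ChromeInject-A write-up. It flags any script or
binary sitting in <profile>/chrome (where only user stylesheets belong) and
any file in the plugins folder that is not on an approved list. Allow-lists
and sample file names are constructed for the demo.
"""
import tempfile
from pathlib import Path

# Files Firefox legitimately lets a user keep in <profile>/chrome (assumption).
CHROME_ALLOWLIST = {"userChrome.css", "userContent.css"}

# Script or binary types that have no business in the chrome folder; a .js here
# runs with chrome (browser-internal) privileges if anything loads it.
SUSPICIOUS_CHROME_SUFFIXES = {".js", ".jsm", ".xul", ".exe", ".dll"}


def audit_firefox_folders(chrome_dir, plugins_dir, plugin_allowlist=frozenset()):
    """Return a sorted list of (folder, filename, reason) findings."""
    findings = []
    chrome_dir = Path(chrome_dir)
    plugins_dir = Path(plugins_dir)
    approved_plugins = {name.lower() for name in plugin_allowlist}

    if chrome_dir.is_dir():
        for entry in chrome_dir.iterdir():
            if not entry.is_file():
                continue
            if entry.suffix.lower() in SUSPICIOUS_CHROME_SUFFIXES:
                findings.append(("chrome", entry.name, "script or binary in chrome folder"))
            elif entry.name not in CHROME_ALLOWLIST:
                findings.append(("chrome", entry.name, "not in chrome allow-list"))

    if plugins_dir.is_dir():
        for entry in plugins_dir.iterdir():
            if entry.is_file() and entry.name.lower() not in approved_plugins:
                findings.append(("plugins", entry.name, "plugin not in allow-list"))

    return sorted(findings)


def build_demo_profile(root):
    """Populate a constructed profile tree: legitimate files plus two planted ones."""
    chrome = Path(root) / "chrome"
    plugins = Path(root) / "plugins"
    chrome.mkdir(parents=True)
    plugins.mkdir(parents=True)
    (chrome / "userChrome.css").write_text("/* legitimate user styling */\n")
    (chrome / "userContent.css").write_text("/* legitimate user styling */\n")
    # Constructed stand-in for a dropped credential-filtering script.
    (chrome / "PLACEHOLDER_injected.js").write_text("// constructed stand-in\n")
    # Constructed stand-ins for an approved plugin and an unknown dropped binary.
    (plugins / "PLACEHOLDER_approved_plugin.dll").write_bytes(b"MZ")
    (plugins / "PLACEHOLDER_dropped.dll").write_bytes(b"MZ")
    return chrome, plugins


def run_demo():
    """Build the constructed profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        chrome, plugins = build_demo_profile(root)
        return audit_firefox_folders(
            chrome, plugins, plugin_allowlist={"PLACEHOLDER_approved_plugin.dll"}
        )


if __name__ == "__main__":
    for folder, name, reason in run_demo():
        print(f"{folder}/{name}: {reason}")
```

On a real machine you would point `audit_firefox_folders` at the profile’s chrome folder and the Firefox installation’s plugins folder and seed the plugin allow-list from a known-good baseline; a hit is a lead for investigation, not a verdict, since legitimate add-ons can also drop files there.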

4.12.08

Military US Base Systems In Afghanistan And Iraq Hit By A Virus, At Least One Classified Network Penetrated


The ‘malware’ strike, thought to originate from inside Russia, hit combat-zone computers and the U.S. Central Command overseeing Iraq and Afghanistan. According to a report from Washington, the incursion caused unusual concern among commanders and raised potential implications for national security.
Defense officials would not describe the extent of damage inflicted on military networks. But they said that the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.
Military computers are regularly beset by outside hackers, computer viruses and worms. But defense officials said the most recent attack involved an intrusive piece of malicious software, or “malware,” apparently designed specifically to target military networks. The invasive software, known as agent.btz, has circulated among non-governmental U.S. computers for months, but only recently has it affected the Pentagon’s networks. It is not clear whether the version responsible for the intrusion into classified networks is the same as the one affecting other computer systems.
The malware is able to spread to any flash drive plugged into an infected computer. The risk of carrying the malware to other networks on such drives prompted the military to ban them.
Although officials are withholding many details, the attack underscores the increasing danger and potential significance of computer warfare, which defense experts say could one day be used by combatants to undermine even a militarily superior adversary.
Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement. Defense experts may never be able to answer such questions, officials said.
Suspicions of Russian involvement come at an especially delicate time because of sagging relations between Washington and Moscow and growing tension over U.S. plans to develop a missile defense system in Eastern Europe. The two governments also have traded charges of regional meddling after U.S. support for democratic elections in former Soviet states and recent Russian overtures in Latin America.
The offending program has been cleansed from a number of military networks. But officials said they did not believe they had removed every bit of infection from all Defense Department computers.