[Sunnet Alert] Advisory #240 - Internet Explorer (Multiple), Firefox, Yahoo! Messenger, Ghost, Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Sun Jun 10 20:49:52 EST 2007


Sûnnet Beskerming Alert List Advisory #240

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	Internet Explorer (Multiple)
	- Remote Hacker Automatic Data Theft
	- Time Since Discovery - 5 Days
1.2	Firefox
	- Remote Hacker Automatic Control
	- Time Since Discovery - 5 Days
1.3	Yahoo! Messenger
	- Remote Hacker Automatic Control
	- Time Since Discovery - 3 Days
1.4	Ghost
	- Remote Hacker Automatic Denial of Service
	- Time Since Discovery - 3 Days
=======================================
/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data.
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1	Web Servers as Viewed by Google
2.2	Tech Community Pressure Helps get Case Turned Over
2.3	Risks of Persistent Storage
2.4	June 2007 Microsoft Security Patch Advance Notification
2.5	This is not a Real Security Update
2.6	Recent Yahoo! Messenger Vulnerabilities Attract Attacks
2.7	I Know What You Did Last Visit
=====================================

1.	SECURITY

1.1	Internet Explorer (Multiple) - Remote Hacker Automatic Data Theft

	-- Products Affected --
	Internet Explorer 7.x and prior.

	-- Technical Description --
	Race condition in at least IE 6.x and 7.x, which can be exploited by  
an attacker using JavaScript to arbitrarily change content on sites  
opened from a malicious web page. This includes cookie modification  
and may lead to browser crashes (memory corruption) if DOM content  
that has not been initialised is accessed.  It is also possible to  
spoof the address in the IE 6 address bar, including the spoofing of  
https addresses. This is achieved through malicious scripting. Full  
exploit data is readily available.

	-- Description --
	A serious vulnerability in the Internet Explorer Internet browser  
has been discovered and disclosed to a number of security sources.  
This vulnerability will allow a remote attacker to modify content  
displayed by the browser for sites opened from a malicious site. This  
can also be used to modify cookie content and may also lead to a  
browser crash.  It has also been discovered that it is possible to  
spoof the address bar data in Internet Explorer 6 (for all versions  
of IE 6). This could allow a remote attacker to overwrite the actual  
site address with any information that they choose, effectively  
misleading the user into believing that they are on the legitimate  
site, when they are on the attacker's choice of site. Full exploit  
details are readily available.

	-- Recommended Action --
	Disabling Active Scripting support in the browser should prevent the  
exploit from working, given that it requires the use of JavaScript to  
function. Alternatively, consider running IE from a less-privileged  
account (though there are still risks), or consider the use of an  
alternate Internet browser.

	-- Source --
	(Paid subscription required to access)

	-- Updates Available --
	(Paid subscription required to access)

	-- External Tracking Data --
	(Paid subscription required to access)

	-- Threat Matrix --
			U	O
	Home User	9	9  (Critical)
	Corporate	9	9  (Critical)


1.2	Firefox - Remote Hacker Automatic Control

	-- Products Affected --
	Firefox 2.0.0.4 and prior.

	-- Technical Description --
	Multiple vulnerabilities affecting Firefox have been disclosed.  
Through the use of various JavaScript actions, it is possible to  
inject arbitrary content on sites that rely on IFRAMEs to display  
content to the user. It is also possible to read keystrokes using the  
same vulnerability - risking potential disclosure of passwords or  
other sensitive information. Another vulnerability can be used to  
download arbitrary content to the user's download folder - bypassing  
the delay timers used by some configuration messages. Under specific  
conditions, this could be used to execute arbitrary content on a  
victim's system.

	-- Description --
	Multiple vulnerabilities affecting the popular Internet browser  
Firefox have been discovered. These vulnerabilities could allow a  
remote attacker to read keystrokes, inject arbitrary web content and  
even download and potentially run software of the attacker's choice.  
Exploit code is readily available for all vulnerabilities.

	-- Recommended Action --
	Apply caution when visiting untrusted sites and consider disabling  
support for JavaScript until Mozilla are able to release a patch for  
the issue. Alternatively, consider the use of an alternate Internet  
browser, such as Opera. Users should also consider operating Firefox  
from a less-privileged user account.

	-- Source --
	(Paid subscription required to access)

	-- Updates Available --
	(Paid subscription required to access)

	-- External Tracking Data --
	(Paid subscription required to access)

	-- Threat Matrix --
			U	O
	Home User	10	10 (Highly Critical)
	Corporate	10	10 (Highly Critical)


1.3	Yahoo! Messenger - Remote Hacker Automatic Control

	-- Products Affected --
	Yahoo! Messenger, at least version 8.1.

	-- Technical Description --
	Arbitrary remote code execution vulnerabilities affecting the  
ActiveX control associated with Yahoo! Messenger's support for  
webcams (ywcvwr.dll). Multiple derivatives of the vulnerabilities  
have been disclosed, complete with exploit code. Specifically, the  
vulnerabilities appear to be buffer overflows and can be triggered by  
the victim visiting a malicious web page. The ywcupl.dll is also  
vulnerable to remote code execution attacks.

	-- Description --
	Multiple vulnerabilities have been discovered and disclosed  
affecting the Yahoo! IM software for Windows. Specifically, the  
vulnerabilities affect the support for webcams from within Yahoo!  
Messenger. Using the exploits that have already been circulated, it  
is possible for an attacker to run software of their choice on a  
victim's system.

	-- Recommended Action --
	Update to the latest Yahoo! Messenger version. Advanced users and  
administrators may consider setting the killbit for the vulnerable  
ActiveX controls (clsid:DCE2F8B1-A520-11D4-8FD0-00D0B7730277), and  
(clsid:9D39223E-AE8E-11D4-8FD3-00D0B7730277)

	-- Source --
	(Paid subscription required to access)

	-- Updates Available --
	(Paid subscription required to access)

	-- External Tracking Data --
	(Paid subscription required to access)

	-- Threat Matrix --
			U	O
	Home User	9	9  (Critical)
	Corporate	9	9  (Critical)


1.4	Ghost Solution Suite - Remote Hacker Automatic Denial of Service

	-- Products Affected --
	Ghost Solution Suite 2.0.0 and prior.

	-- Technical Description --
	Multiple denial of service vulnerabilities affecting the Symantec  
Ghost Solution Suite. A remote attacker is able to trigger the denial  
of service attacks by sending malicious UDP traffic to systems  
running either the client or server components of the Ghost Solution  
Suite.

	-- Description --
	Symantec Ghost Solution Suite, the business version of the popular  
archiving and recovery software Ghost, has been found to contain  
multiple vulnerabilities that could allow a remote attacker to  
prevent the use of either the server or client software components of  
the Ghost Solution Suite. All that the attacker needs to do in order  
to prevent use of the software is to send malicious network traffic  
to a vulnerable system.

	-- Recommended Action --
	Apply the latest patches for the vulnerable versions, from the  
update link provided below.

	-- Source --
	(Paid subscription required to access)

	-- Updates Available --
	(Paid subscription required to access)

	-- External Tracking Data --
	(Paid subscription required to access)

	-- Threat Matrix --
			U	O
	Home User	7	7  (High)
	Corporate	7	7  (High)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	Web Servers as Viewed by Google

For a long time, one of the most reputable sources for the breakdown  
of the numbers of installed web servers across the Internet has been  
the Netcraft survey of web servers. Now, Google has released  
information about how the Googlebot webcrawler has been viewing the  
Internet.

Based on almost 80 million individual servers, discounting any  
virtual host servers (so that each physical server is counted only  
once), and deriving results from the HTTP 'Server:' header, Google  
have identified that 66% of the sample set are using Apache to provide  
web server capabilities, with only 23% using Microsoft's IIS to serve  
web data.

From a vulnerability perspective, and considering only the number of  
IIS 5.x servers (approximately 20% of the total IIS numbers), it  
indicates that the recently highlighted authentication bypass methods  
could be used against 3.5 million individual web hosts. If there are  
virtual hosts in use, where a number of different websites are hosted  
on the same physical server, then the 3.5 million servers could  
feasibly translate into 10 million or more actual website domains.

This may be reflected in the data presented by Google which indicates  
that almost half of the 70,000 domains recently identified by Google  
as hosting or distributing malware and Internet-based exploits are  
hosted on IIS. The underlying truth is that the percentage balance of  
IIS 5.x to IIS 6.x from this restricted dataset is almost the same as  
for the overall web hosting numbers.


2.2	Tech Community Pressure Helps get Case Turned Over

A common problem that can plague Windows-based systems is  
uncontrolled popups whenever the system is connected to the Internet.  
Although all browsers can be at risk of advertising popups (or  
interstitials, as some companies like to call them), Windows systems  
are also prone to advertising popups via the Windows Messenger  
service (not to be confused with MSN), especially on systems  
compromised by spyware or other malware.

When Julie Amero, substitute teacher at a Norwich middle school,  
encountered pornographic popups on a classroom computer while  
teaching a class of seventh grade students in late 2004, she was  
arrested and hauled off to court where she was found guilty of 'risk  
of injury to a minor' and potentially faced 40 years imprisonment.

An almost unanimous outcry by technical experts in the online  
community followed the January 2007 conviction (sentencing was to  
follow at a later date), over the extremely poor standard of  
technical 'forensic' investigation that was used to confuse the jury  
(more relevant and accurate defence forensics were excluded from the  
case). That outcry itself drew criticism from the judge, who  
nevertheless overruled the original verdict and sent the case back  
for a retrial (which is unlikely to happen). In the ruling, the judge  
claimed that the public criticism of the case was "improperly  
influenc[ing]" the court.

Following the overturning of the earlier conviction, many technical  
experts breathed a collective sigh of relief that accurate technical  
knowledge helped keep an innocent person from facing significant jail  
time.


2.3	Risks of Persistent Storage

How to interact with online content when a user is offline is a  
problem that many minds have struggled with over the years. In recent  
months one of the most popular approaches has really taken off: that  
of caching significant amounts of data while online, then accessing  
and interacting with that data while offline, all through the same  
interface.

While it may not be the first to implement such an idea, the  
introduction of Google Gears has attracted attention that previous  
attempts have not been able to. With this attention has come the  
attention of web application security experts, who have begun to  
consider the risks and potential security weaknesses that these  
systems can introduce.

Of greatest interest to the researchers is the concept of 'persistent  
storage', which means that projects such as Gears use a client-side  
(i.e. on the user's computer) database or other data storage method  
to store a chunk of online data that the user is expected to interact  
with while offline. Essentially, the data 'persists' on the user's  
system even after the connection to the Internet is gone. The  
technology behind the persistent storage for Gears is SQLite, a  
lightweight database engine that supports SQL data management and  
storage and which can be easily embedded within an application,  
rather than requiring a separate database engine as many CMS do.

The safe passing of data to SQL databases is fairly well known, with  
techniques such as bound parameters, stored queries, and careful  
input filtering amongst the methods used to achieve safe data storage  
and interaction.

It is reported that Google Gears is making use of bound parameters to  
help protect against potential abuse of data input and mitigate  
against the risk of SQL injection.

With persistent storage offline interaction systems soon to increase  
in both number and use (Firefox 3 is soon to include a SQLite-based  
system), all it is going to take is a single mistake by a development  
team for a serious vulnerability to be included. From there, it will  
only be a matter of time before dedicated and creative researchers  
find it and work out how to exploit it.


2.4	June 2007 Microsoft Security Patch Advance Notification

Microsoft have provided basic details of the patches that they expect  
to release with the June 2007 security patch release, due for release  
next Tuesday.

At this stage Microsoft are expecting to release six patches for a  
variety of their products, including Windows, Office, Internet  
Explorer, and various email products.

Of the six patches, four are rated as Critical, which is Microsoft's  
highest vulnerability rating, with one rated as Important, and the  
last rated as Moderate.

Unfortunately for end users and administrators, all but one of the  
patch releases could lead to arbitrary remote code execution against  
the vulnerable software.

While Microsoft's latest operating system, Windows Vista, avoids any  
Critical vulnerabilities affecting the core operating system, it is  
affected by two Critical vulnerabilities, affecting Windows Mail and  
Internet Explorer.


2.5	This is not a Real Security Update

Following extremely closely after the notification of the expected  
patches for June 2007 comes news that malware is already spreading  
via spam that claims to be a valid Microsoft security update.

Even though this is not the first time that spam has been used to  
push malware on unsuspecting victims by claiming to be a valid update  
from Microsoft, the close timing to the advance notification for this  
month's patches has caught the attention of a number of Information  
Security groups.

From the various reports available about the spam, it appears that  
the body of the emails claim to supply patches for a range of  
vulnerabilities, using varied security update numbers and patch  
descriptions.

While the spam is relatively well constructed, the most obvious flaw  
is the release of an MS06 security update in the middle of 2007. For  
readers who are not aware of how Microsoft label patches and updates,  
the first four characters of a security bulletin identifier are  
always MSXX, where XX is the two-digit year of release.

Beyond that obvious flaw, Microsoft will not mass email users to tell  
them of an update - the built-in update services will already know  
about them.


2.6	Recent Yahoo! Messenger Vulnerabilities Attract Attacks

The recently disclosed vulnerabilities with Yahoo! Messenger's  
support for webcams, allowing attackers to run software of their  
choice on a victim's system, have already attracted the attention of  
malware developers.

The Chinese Incident Security Response Team (CISRT) is reporting that  
a Chinese malware author has released a new piece of malware that  
targets the specific vulnerabilities discovered in Yahoo! Messenger.

Yahoo! have already issued patches for this issue, so it is  
imperative that users and administrators update to the latest version  
as soon as possible in order to be protected from this new malware.  
It appears that the malware is making use of publicly available  
exploit samples that are available from a number of readily available  
sources.


2.7	I Know What You Did Last Visit

In the ruling of a court case fought by the Motion Picture  
Association of America (MPAA) against a number of filesharing sites  
and products, the popular BitTorrent hosting site TorrentSpy was  
ordered to start keeping logs of site visitors and then turn those  
records over to the MPAA.

The practice of not keeping logs on users, as actually described in  
the TorrentSpy Privacy Policy, is not a new technique in use by sites  
where a user's activity could be illegal or there are strong privacy  
concerns. In responding to the ruling, TorrentSpy's legal counsel  
explained that the site would sooner prevent access to content by US  
visitors, than it would commence logging for the sole purpose of  
turning over those records.

Community reaction, especially from frequent users of similar sites,  
has been of disbelief. Even if they don't support the potentially  
illegal activity taking place on the site, commentators have found it  
difficult to reconcile the court's ruling - many finding that it is a  
precedent that could be extremely risky for many other websites.  
Supporters have even pointed out that it is possible to find the same  
illegal data through sites such as Google, so why not go after them,  
instead?

Further complicating matters are accusations that the MPAA used an  
illegal network breach to gain access to correspondence and trade  
secrets belonging to TorrentSpy (though what comprises a trade secret  
for such a site is unknown). The accusations form the basis of a  
concurrently-running suit in a Californian court.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd..  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.

