[Sunnet Alert] Advisory #216 - Windows, Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Sat Mar 31 04:27:07 EST 2007


Sûnnet Beskerming Alert List Advisory #216

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	Windows
	- Remote Hacker Automatic Control
	- Time Since Discovery - 1 Day
=======================================

/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data?
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1	The Sûnnet Beskerming Difference (Microsoft ANI Problems)
2.2	A Real Problem For Online Banking
=====================================

1.	SECURITY

1.1	Windows - Remote Hacker Automatic Control

	-- Products Affected --
	Windows 2000, XP, 2003, Vista

	-- Technical Description --
	All current versions of Windows contain a remotely exploitable  
arbitrary code execution vulnerability in the handling of animated  
cursor (ANI) files.  The issue was discovered being exploited in the  
wild, and is related to, but distinct from, the ANI issue fixed by  
MS05-002.

	-- Description --
	A vulnerability in the way Windows handles animated cursor (ANI)  
files, the same code path that loads cursors and icons, is being  
exploited in the wild, with successful exploitation allowing the  
attacker to take control of vulnerable systems.  It can be exploited  
through Internet Explorer 6 and 7, as well as through Outlook.  The  
cursor loader does not rely on the file extension, so blocking .ani  
attachments at the gateway is not a complete mitigation.  Although  
related to a historical vulnerability (MS05-002), this is a distinct  
issue.
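	As an added example (not part of the original advisory, and not  
Microsoft's or eEye's code), the following Python script walks the  
RIFF chunk structure of an animated cursor and flags the pattern that  
later public analysis of this bug (tracked as CVE-2007-0038, fixed by  
MS07-017) identified as the trigger: an "anih" header chunk whose  
declared length is not the fixed 36-byte ANIHEADER size.  The length  
check added by MS05-002 covered only the first anih chunk, and the  
in-the-wild files carried a well-formed first chunk followed by an  
oversized second one.  The sample files are constructed inline; the  
scanner is a triage aid for mail and web proxies, not a substitute for  
the vendor patch.

```python
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine little-endian DWORDs


def iter_chunks(buf, start, end):
    """Yield (fourcc, offset, declared_size) for each RIFF chunk in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        fourcc = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        yield fourcc, pos, size
        pos += 8 + size + (size & 1)  # chunk bodies are padded to an even length


def find_anih(buf):
    """Return (offset, declared_size) for every anih chunk, descending into LIST chunks."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        raise ValueError("not a RIFF/ACON animated cursor")
    found = []
    todo = [(12, len(buf))]
    while todo:
        start, end = todo.pop()
        for fourcc, off, size in iter_chunks(buf, start, end):
            if fourcc == b"anih":
                found.append((off, size))
            elif fourcc == b"LIST":
                # LIST body = 4-byte list type followed by nested chunks; clamp to the parent
                todo.append((off + 12, min(off + 8 + size, end)))
    return sorted(found)


def suspicious_anih(buf):
    """Offsets of anih chunks whose declared size is not the fixed 36-byte header.

    A well-formed cursor has exactly one anih chunk of 36 bytes; a chunk with any
    other length (typically a second one after a valid first) is what the
    in-the-wild exploit files relied on.
    """
    return [off for off, size in find_anih(buf) if size != ANIH_SIZE]


# --- constructed sample files for the demonstration (not real malware) ------

def _chunk(fourcc, body):
    return fourcc + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def _acon(payload):
    # RIFF size counts everything after the size field, including the "ACON" form type
    return b"RIFF" + struct.pack("<I", 4 + len(payload)) + b"ACON" + payload


# cbSizeof, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)

BENIGN = _acon(_chunk(b"anih", GOOD_HEADER) + _chunk(b"LIST", b"fram"))
# first anih passes the post-MS05-002 length check, the second one is oversized
SUSPECT = _acon(_chunk(b"anih", GOOD_HEADER) + _chunk(b"anih", b"A" * 200))


if __name__ == "__main__":
    for name, data in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, "anih chunks:", find_anih(data), "suspicious at:", suspicious_anih(data))
```

	The walker deliberately ignores the file extension and inspects  
the RIFF structure itself, since the loader does the same; run  
suspicious_anih() over any attachment or downloaded object that starts  
with "RIFF....ACON", whatever it is called.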

	-- Recommended Action --
	Until Microsoft issues an official patch, consider using a browser  
other than Internet Explorer and an email client other than Outlook  
(reading email in plain text mode does not fully remove the exposure).  
Some third parties, such as eEye, have released interim patches that  
address the vulnerability; exercise caution before applying any  
unofficial patch.  IE 7 users on Vista are reported to be protected  
against the current malware by Protected Mode.  Ensure that the latest  
definition files for antivirus and antimalware applications have been  
applied.

	-- Source --
	http://www.microsoft.com/technet/security/advisory/935423.mspx

	-- Threat Matrix --
			U	O
	Home User	10	10 (Highly Critical)
	Corporate	10	10 (Highly Critical)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	The Sûnnet Beskerming Difference (Microsoft ANI Problems)

The Sûnnet Beskerming difference has again become evident with the  
recent discovery and disclosure of the Windows ANI 0-day  
vulnerability.  After the original discoverer, Sûnnet Beskerming was  
the first company to identify and report the issue, globally (to our  
fee-based lists, so if you want the benefits of advanced detection  
and notification, upgrade!).  This success builds on a number of  
previous firsts, where Sûnnet Beskerming has led the market to the  
disclosure and notification of serious Information Security threats  
and trends (keep an eye on the threat to ASLR).

It is interesting to note that this issue has received widespread  
attention almost 8 years to the day after the Melissa Internet worm  
appeared.  Meanwhile, an interesting malware infection attempt  
(spam that appears to come from admin at microsoft.com, convincing  
users to download "IE 7 beta 2") is not getting the attention it  
deserves: the malware file even carries the correct name and is  
approximately the right size.

McAfee, the original discoverers of the problem, suggest that the  
current exploitation attempts might be related to the attack on the  
Dolphin Stadium website (where the NFL Super Bowl was played this  
year), where site visitors were infected with malware after an  
attacker used SQL injection to insert malicious code into the site.


2.2	A Real Problem For Online Banking

Continuing their strong run, the McAfee Avert Labs blog discusses the  
emergence of a fairly capable banking trojan, and the efforts of the  
creator to sell / lease their creation.  Joining the ranks of the  
more-advanced malware, this particular trojan targets a range of  
banks that use Transaction Authentication Numbers (TANs) as part of  
their efforts to protect customers against phishing / financial fraud.

Intercepting the victim's browser session, the trojan tells the user  
that the first TAN entered is invalid, while silently passing the full  
account details and the still-live TAN to the trojan controller.  The  
trojan deletes the banking site's cookies so that the user must log in  
afresh every time, and even parses and sanity-checks the data the user  
enters before treating it as a potentially live TAN.
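The attack described above, as an added example in Python that is not  
part of the original post or of the McAfee analysis.  The bank, TAN  
list, account numbers and the six-digit TAN format are all constructed  
for the demonstration.  The first half models a list-TAN bank and the  
man-in-the-browser trojan: the first TAN is swallowed with a fake  
"invalid" message and exfiltrated, the victim's second TAN completes  
the legitimate transfer, and the attacker then spends the harvested TAN  
on a transfer of their own.  The second half goes beyond the page to  
show why the attack works: a list TAN proves only possession of the  
list, so a code bound to the transaction details (the approach of  
chipTAN-style signing devices) cannot be replayed against a different  
transfer.

```python
import hashlib
import hmac

# Constructed TAN list for the demonstration; a real list is printed and mailed to the customer.
TAN_LIST = ["481516", "234266", "110347"]
LANDLORD = "DE00 LANDLORD 0001"   # hypothetical legitimate payee
MULE_ACCOUNT = "DE00 MULE 0001"   # hypothetical attacker-controlled account


class Bank:
    """Toy list-TAN back end: any unused TAN authorises any transfer."""

    def __init__(self, tans):
        self.unused = set(tans)
        self.ledger = []

    def transfer(self, to_account, amount, tan):
        # The TAN says nothing about *which* transfer it authorises: that is the weakness.
        if tan not in self.unused:
            return False
        self.unused.discard(tan)
        self.ledger.append((to_account, amount))
        return True


def looks_like_tan(value):
    """The sanity check the page mentions: only exfiltrate plausibly live TANs (six digits here)."""
    return value.isdigit() and len(value) == 6


class ManInTheBrowser:
    """Models the trojan sitting between the user's form and the bank."""

    def __init__(self, bank, controller):
        self.bank = bank
        self.controller = controller   # attacker's drop: list of (account, tan)
        self.stolen = None

    def submit(self, account, to_account, amount, tan):
        if self.stolen is None and looks_like_tan(tan):
            self.stolen = tan
            self.controller.append((account, tan))
            return "TAN invalid, please enter the next one"   # the lie; the TAN is actually live
        return "ok" if self.bank.transfer(to_account, amount, tan) else "TAN rejected"


def run_list_tan_attack():
    bank = Bank(TAN_LIST)
    drop = []
    mitb = ManInTheBrowser(bank, drop)
    # Victim pays a bill: the first TAN is swallowed, the second goes through as normal.
    first = mitb.submit("victim", LANDLORD, 850, TAN_LIST[0])
    second = mitb.submit("victim", LANDLORD, 850, TAN_LIST[1])
    # Attacker spends the harvested, still-unused TAN directly against the bank.
    _, tan = drop[0]
    cashed = bank.transfer(MULE_ACCOUNT, 4900, tan)
    return first, second, cashed, bank.ledger


def bound_tan(secret, to_account, amount, counter):
    """Generalisation not on the page: derive the code from what is being authorised."""
    msg = f"{counter}|{to_account}|{amount}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{int(digest, 16) % 1_000_000:06d}"   # six digits so the trojan still accepts it


class BoundBank(Bank):
    """Bank that expects a code computed over (counter, payee, amount) by the customer's token."""

    def __init__(self, secret):
        super().__init__([])
        self.secret = secret
        self.counter = 0

    def transfer(self, to_account, amount, code):
        expected = bound_tan(self.secret, to_account, amount, self.counter)
        if not hmac.compare_digest(code, expected):
            return False
        self.counter += 1
        self.ledger.append((to_account, amount))
        return True


def run_bound_tan_attack():
    secret = b"constructed per-customer token secret"
    bank = BoundBank(secret)
    drop = []
    mitb = ManInTheBrowser(bank, drop)
    # The customer's token computes the code over the transfer it displays to them.
    code = bound_tan(secret, LANDLORD, 850, 0)
    mitb.submit("victim", LANDLORD, 850, code)        # swallowed and exfiltrated, as before
    _, stolen = drop[0]
    cashed = bank.transfer(MULE_ACCOUNT, 4900, stolen)  # wrong payee/amount: rejected
    retry = mitb.submit("victim", LANDLORD, 850, code)   # victim re-enters it: accepted
    return cashed, retry, bank.ledger


if __name__ == "__main__":
    print("list TAN:", run_list_tan_attack())
    print("bound TAN:", run_bound_tan_attack())
```

The cookie deletion the page describes is not modelled; its only role  
is to force a fresh login so the trojan sees credentials and a TAN on  
every session.  The point the two runs make is that an anti-phishing  
measure only helps against a man-in-the-browser if the secret the user  
types is tied to the transaction the user actually saw.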

Sûnnet Beskerming's banking and identity validation solutions are  
immune to this style of attack, and continue to provide protection  
that has not been reliably defeated.  Sûnnet Beskerming - returning  
the confidence to online banking.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.
