SANS ISC InfoSec Handlers Diary Blog


Microsoft Black Tuesday Overview

Published: 2006-11-16
Last Updated: 2006-11-16 14:53:36 UTC
by Swa Frantzen (Version: 8)

Overview of the November 2006 Microsoft patches and their status.

| # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*): clients | ISC rating(*): servers |
|---|---|---|---|---|---|---|
| MS06-066 | NetWare client services - remote code execution & DoS; CVE-2006-4688, CVE-2006-4689 | No known problems; KB 923980 | PoC exploits available in for-pay program | Important | Less Urgent | Less Urgent |
| MS06-067 | Internet Explorer - remote code execution; CVE-2006-4446, CVE-2006-4777, CVE-2006-4687 | No known problems; KB 922760 | Actively exploited on websites in the wild (websense) | Critical | PATCH NOW | Important |
| MS06-068 | Microsoft Agent - remote code execution; CVE-2006-3445 | No known problems; KB 920213 | No known exploits | Critical | Critical | Less Urgent |
| MS06-069 | Adobe Flash Player - remote code execution; CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640 | No known problems; KB 923789 | No known exploits | Critical | Critical | Less Urgent |
| MS06-070 | Workstation service - remote code execution; CVE-2006-4691 | No known problems; KB 924270 | Vulnerability details are public; exploit publicly available | Critical | Critical (**) | Critical (**) |
| MS06-071 | XML Core services; CVE-2006-5745 | No known problems; KB 928088, also: KB 927977, KB 927978 | Exploits publicly available | Critical | PATCH NOW | Important |

We will update issues on this page as they evolve.
We appreciate updates.
US-based customers can call Microsoft for free patch-related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. The measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. for traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
(**): Of the supported versions of Windows, this mainly affects Windows 2000. The vulnerability exists on Windows XP to a lesser degree and seems to be absent from Windows 2003.

--
Swa Frantzen -- Section 66


Critical security vulnerability in WinZip 10

Published: 2006-11-15
Last Updated: 2006-11-15 19:48:38 UTC
by Bojan Zdrnja (Version: 3)
WinZip Computing released a new build of WinZip 10 that fixes a critical security vulnerability in this popular ZIP program.

The vulnerability exists in an ActiveX component that is shipped with WinZip 10 only (so if you are running previous versions of WinZip you are not affected by this vulnerability). This ActiveX component is marked safe for scripting, which means that a remote attacker can exploit it if you visit a web page hosting the exploit.

Build 7245 of WinZip 10 is available at http://www.winzip.com/wz7245.htm. If you, for some reason, cannot upgrade, you should disable the affected ActiveX control (WZFILEVIEW.FileViewCtrl.61); its CLSID is A09AE68F-B14D-43ED-B713-BA413F034904.

UPDATE:

MS06-067 (http://isc.sans.org/diary.php?storyid=1854) actually disables this vulnerability. Besides the other things that this update does, it also sets the kill bits for vulnerable ActiveX components.
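
One way to verify that the kill bit is in place for the CLSID given above, and to set it where it is missing, is sketched below. This is an added example, not code from WinZip, Microsoft or the diary author; it assumes the standard Internet Explorer "ActiveX Compatibility" registry location and the 0x400 "Compatibility Flags" kill-bit value, and the function names are hypothetical.

```powershell
# Added example: audit and, if needed, set the IE kill bit for the WinZip 10
# FileView control. The CLSID is the one quoted in the diary entry.
$Clsid   = '{A09AE68F-B14D-43ED-B713-BA413F034904}'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from instantiating the control
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit Internet Explorer on 64-bit Windows reads this view instead
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Hypothetical helper: report the current flags and whether the kill bit is set.
function Get-KillBitState {
    param([string]$Root)
    $key   = Join-Path $Root $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Key    = $key
        Flags  = $flags
        Killed = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    }
}

# Hypothetical helper: set the kill bit while preserving any other flag bits.
function Set-KillBit {
    param([string]$Root)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-KillBitState $Root).Flags
    if ($null -eq $current) { $current = 0 }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

# Check every registry view present on this machine; fix those not yet protected.
foreach ($root in $Roots | Where-Object { Test-Path $_ }) {
    $state = Get-KillBitState $root
    if (-not $state.Killed) {
        Set-KillBit $root                 # needs an elevated session
        $state = Get-KillBitState $root   # re-read to confirm the change
    }
    $state
}
```

Running only the Get-KillBitState part is enough to confirm that an installed MS06-067 has already set the kill bit.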

Thanks to Carl for spotting this.

UPDATE 2:

A couple of exploits for this vulnerability have already been released, so be sure to either patch WinZip or install MS06-067.

Thanks to Juha-Matti for sending information about this.


SANS Top 20 Update

Published: 2006-11-15
Last Updated: 2006-11-15 12:43:39 UTC
by Johannes Ullrich (Version: 1)
Today, the SANS Institute released an updated Top 20 Internet Security Attack Targets list.
This update reorganizes the list, recognizing the new reality of operating-system-independent issues. Sections for cross-platform applications, network devices, policy and the overall issue of 0-day attacks were added.

The list has been released for the last 7 years. From the start, organizations like the FBI assisted in putting the list together. It is particularly useful if you have to set and defend priorities.

Comparing the different versions, it is interesting that one issue from the first list (back then it was "vulnerable CGI programs") has come back as the category of "Vulnerable Web Applications". Take a look for yourself and see how your personal infosec career is reflected in the evolution of this list.

Malware with new features

Published: 2006-11-15
Last Updated: 2006-11-15 10:16:22 UTC
by Bojan Zdrnja (Version: 1)
One of our readers, Jerry Askew, sent us an interesting downloader today. The malware was spammed in e-mail (of course) and it was an executable file disguised as a JPEG, inside a ZIP archive.
Various AV tools at that point in time did not detect this particular sample, so we decided to spend some time analyzing what it does.

Downloader after downloader

The sample is a downloader, which is typical for a vast majority of malware that is spammed today. The downloader connects to a web site and downloads the second stage payload, which is another downloader.

This second stage downloader downloads and installs a small zoo of malware. Besides the usual culprits, such as keyloggers and BHOs (Browser Helper Objects), what's interesting is that it downloads multiple versions of the same Trojan. Brief analysis of these files showed that they all behave absolutely the same, but look different and have different checksums. When we tested them against AV programs, they had different detection depending on the file scanned (although some AV programs detected all of them as being the same family, but different minor versions). Why the authors decided to do this is not clear, but I suspect that they were just trying to increase their chance of getting the malware onto a machine: even if your AV program detected and blocked a couple of samples, there might be one which is not detected.

After this third stage executable has been downloaded, it will turn off the host based firewall that comes with Windows XP SP2. It actually completely disables the Windows Security Center Service (wscsvc).

The malware then connects to its command and control center, which is a plain web server this time (no IRC). The web server produces a nice HTML page which has three different forms: ftpstaticdata, softstaticdata and softvardata. These will instruct the malware to download additional modules. Of special interest was the ftpstaticdata section. This section contained an FTP server IP address and a username/password pair that the malware used to upload keylogger logs.

Google Maps at your service

Now comes the interesting part. The authors actually went a step further. Before uploading the data to the FTP server, the malware connects to detectlocation.ru, which seems to be another compromised site set up just for this, and executes a Perl script on that site. The Perl script takes the IP address of the infected machine as input (this is passed as a parameter in the URL) and detects the geographical location of the IP address. What's interesting is that it even passes back valid coordinates that can be used in Google Maps!
Now, when uploading data captured by the keylogger, the malware also automatically sorts it into directories, depending on the location of the IP address.

While at this moment the malware only seems to be capturing information on infected machines, it will be interesting to monitor it to see whether it is related to the latest spam increase.

Lessons learned

In any case, it looks like the malware authors got a little bit creative when they decided to use Google Maps. Also, the huge number of installed Trojans and other malicious programs once again shows that when you encounter an infection like this one, reinstallation is the only option.
