
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2010-03-16



Internet Explorer 9 "Platform Preview" Now Available From Microsoft

Published: 2010-03-16
Last Updated: 2010-03-16 21:09:49 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)

Microsoft released a "Platform Preview" version of the next version of Internet Explorer. You can download it from http://ie.microsoft.com/testdrive/Default.html. There are several security implications of this release:

  1. Security professionals may be interested in exploring what security features and enhancements (if any) are built into Internet Explorer 9
  2. Attackers may be interested in exploring what vulnerabilities (if any) exist in the code added to Internet Explorer 9
  3. Attackers may start using the lure of installing Internet Explorer 9 as part of phishing and drive-by campaigns

Regarding point #3... At the moment, searching for "Internet Explorer 9" doesn't provide many links that look malicious. I suspect this will change as malicious sites using Search Engine Optimization (SEO) techniques will spring into action to take advantage of people's interest in the new browser.

Have you had a chance to look at Internet Explorer 9? Let us know your security-related observations.

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.


Trouble Ticket Express Exploit in the Wild a Day After the Vulnerability Announcement

Published: 2010-03-16
Last Updated: 2010-03-16 14:11:19 UTC
by Lenny Zeltser (Version: 1)
1 comment(s)

The time between the announcement of a vulnerability and seeing the exploit in the wild is short, especially if the announcement includes proof-of-concept code. A day ago, a proof-of-concept exploit for the Trouble Ticket Express help desk software was made public. Just a day later, ISC reader Ben saw the exploit in the wild:

64.15.159.171 - - [15/Mar/2010:18:42:23 -0700] "GET /ttx.cgi?cmd=file&fn=%7C%65%63%68%6F%20%2D%6E%20%62%75%66%75%77%75%7A%68%65%72%3B%65%63%68%6F%20%65%7C HTTP/1.1" 403 960 "-" "Plesk"

The decoded version of this particular URI is:

/ttx.cgi?cmd=file&fn=|echo%20-n%20bufuwuzher;echo%20e|

The targeted vulnerability in the application could allow the attacker to execute arbitrary code on the system.

If you are running Trouble Ticket Express version 3.01 or lower, update the program's File Module or disable access to the TTXFile.pm module on your server.
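The log line above is the kind of thing a web server log review should catch. The following is an added example, not part of the diary or of Trouble Ticket Express: a small Python scanner that parses Apache-style access log lines, percent-decodes the query string (bounded, so double encoding does not hide the payload), and flags requests to ttx.cgi whose cmd=file and whose fn parameter is wrapped in pipe characters, as in the request Ben reported. The assumption that a pipe-wrapped fn value is the marker of this exploit comes only from the diary's log line; the second and third sample lines are constructed benign traffic.

```python
import re
from urllib.parse import parse_qs, unquote

# Sample log: line 1 is the request quoted in the diary; lines 2-3 are constructed benign traffic.
SAMPLE_LOG = """\
64.15.159.171 - - [15/Mar/2010:18:42:23 -0700] "GET /ttx.cgi?cmd=file&fn=%7C%65%63%68%6F%20%2D%6E%20%62%75%66%75%77%75%7A%68%65%72%3B%65%63%68%6F%20%65%7C HTTP/1.1" 403 960 "-" "Plesk"
10.0.0.5 - - [15/Mar/2010:18:43:01 -0700] "GET /ttx.cgi?cmd=file&fn=attachment.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [15/Mar/2010:18:44:10 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so %257C etc. still ends as '|'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(uri: str):
    """Return the decoded fn value if this looks like the ttx.cgi pipe injection, else None."""
    path, _, query = uri.partition("?")
    if not path.lower().endswith("/ttx.cgi"):
        return None
    params = parse_qs(query, keep_blank_values=True)  # parse_qs already decodes one layer
    if params.get("cmd", [""])[0].lower() != "file":
        return None
    for fn in params.get("fn", []):
        decoded = fully_decode(fn)
        # Assumption from the diary's log line: the payload is wrapped in pipe characters.
        if decoded.startswith("|") or decoded.endswith("|"):
            return decoded
    return None


def scan_log(text: str):
    """Scan log text and return one finding per suspicious request (ip, status, decoded fn)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = inspect_request(m.group("uri"))
        if payload is not None:
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")), "fn": payload})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 403 in the finding, as in the diary's line, means the server refused the request; a 200 on the same pattern is the case that deserves an incident response follow-up.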

-- Lenny

Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You can find him on Twitter.
