
SANS ISC: Firefox 1.0.1 fixes vulns; RootkitRevealer output; more on port 41523 - SANS Internet Storm Center SANS ISC InfoSec Forums

Firefox 1.0.1 fixes vulns; RootkitRevealer output; more on port 41523

Redhots heah!....come getcha redhots!

Mozilla Foundation released an update to Firefox that fixes the following issues
since 1.0:

MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing

MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files

MFSA 2005-27 Plugins can be used to load privileged content

MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab

MFSA 2005-25 Image drag and drop executable spoofing

MFSA 2005-24 HTTP auth prompt tab spoofing

MFSA 2005-23 Download dialog source spoofing

MFSA 2005-22 Download dialog spoofing using Content-Disposition header

MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice

MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts

MFSA 2005-19 Autocomplete data leak

MFSA 2005-18 Memory overwrite in string library

MFSA 2005-17 Install source spoofing with user:pass@host

MFSA 2005-16 Spoofing download and security dialogs with overlapping windows

MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion

MFSA 2005-14 SSL "secure site" indicator spoofing

MFSA 2005-13 Window Injection Spoofing

Download at

This being said, it is always advisable to turn off any functionality you don't
need AND recognize that just because a web developer types "trust me!" you
shouldn't blindly click without being prepared for surprises. I like using the
prefbar extension to rapidly turn on and off images, flash, java, javascript,
cookies, etc. without navigating through menus.

There has been plenty of discussion about "luring" users into taking actions on
behalf of an attacker by creating objects for you to drag 'n' drop, then hiding
them behind, or hidden in, things like flash or images. Peruse the Bugtraq
archives and look for things like "firescrolling". While the browser developers
continue to play cat <-> mouse with the vuln devels, you should recognize that
with more "features" come more possible badguy avenues. I personally use a
text-only browser (links is my choice, but there are others such as lynx, elinks
& w3m) for most casual browsing, and fire up the ol' gooey when necessary, but
everyone's needs are different, I understand.

void rant(){

This tug-o-war between features and vulnerabilities reminds me of a conversation
I had with a colleague about anonymity. We agreed that to be a consumer of all
the technological wonders available (ATMs, voice mail, online pharmaceuticals,
etc.) you need to give something in return - the right to use any and all information that you provide for those services. Remember, friends, whenver information is out of your direct control, it is percisely that. Don't expect the technologists and developers to provide hack-proof solutions. Remember Microsoft's 10th
: Technology is not a panacea. *These laws are MS's crowning security achievement, IMHO* If, instead, you prefer all of your personal details be safe and unreachable from the digital inquisitorial squads, you are quite welcome to change your identity, sell all of your technologically-acquired assets, and plant yourself somewhere in Garfield County, Montana (or the NE Kingdom of Vermont, for that matter). No offense, Rick!


RootkitRevealer output

Someone wrote in:

Yesterday's post suggested that a new release tool at assists with
identifying hidden software or code on a computer.

Upon reading through the available SysInternals tool related help and directions
for using this tool, running it on a test system, I do not find any
specific code installations that I would be able to classify as a rootkit. On the
contrary I see the following as an example,
C:\$AttrDef 11/28/2004 10:09 2.50 KB Hidden from Windows API.
C:\$BadClus 11/28/2004 10:09 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 11/28/2004 10:09 5.87 GB Hidden from Windows API.
C:\$Bitmap 11/28/2004 10:09 187.77 KB Hidden from Windows API.
C:\$Boot 11/28/2004 10:09 8.00 KB Hidden from Windows API.
C:\$Extend 11/28/2004 10:09 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 11/28/2004 16:58 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 11/28/2004 16:58 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 11/28/2004 16:58 0 bytes Hidden from Windows API.
C:\$LogFile 11/28/2004 10:09 32.05 MB Hidden from Windows API.
C:\$MFT 11/28/2004 10:09 14.52 MB Hidden from Windows API.
C:\$MFTMirr 11/28/2004 10:09 4.00 KB Hidden from Windows API.
C:\$Secure 11/28/2004 10:09 0 bytes Hidden from Windows API.
C:\$UpCase 11/28/2004 10:09 128.00 KB Hidden from Windows API.
C:\$Volume 11/28/2004 10:09 0 bytes Hidden from Windows API.
Any suggestions where I can read more about these files and any references will
be appreciated.

What you are seeing is RootkitRevealer noting NTFS metafiles.
Metafiles are listed in the MFT (Master File Table) but are not
intended for userspace access, thus are "hidden" from the Windows API.
RootkitRevealer identifies discrepancies between low-level access
results and API access results, thus can't make any determinations on
the integrity of metadata files.

See the
for a good overview of NTFS particulars.
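
One way to triage a report like the reader's, as an added example (not SysInternals' code and not part of the original diary): it parses the discrepancy lines, sets aside NTFS metafiles that sit at the volume root, and returns what is left for a closer look. The line layout is inferred from the reader's paste, and the `example.sys` entry is a constructed sample.

```python
import re
from typing import List, NamedTuple

# NTFS metafiles at the volume root, taken from the reader's report above.
ROOT_METAFILES = {"$attrdef", "$badclus", "$bitmap", "$boot", "$extend", "$logfile",
                  "$mft", "$mftmirr", "$secure", "$upcase", "$volume"}
EXTEND_METAFILES = {"$objid", "$quota", "$reparse"}  # children of \$Extend

# Assumed line layout, inferred from the report: path, date, time, size, description.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+(?P<desc>.+)$")

class Finding(NamedTuple):
    path: str
    size: str
    description: str
    is_metafile: bool

def is_ntfs_metafile(path: str) -> bool:
    """True only for a metafile at the volume root, e.g. C:\\$MFT."""
    m = re.match(r"^[A-Za-z]:\\(.+)$", path)
    if not m:
        return False
    parts = m.group(1).lower().split("\\")
    parts[-1] = parts[-1].split(":", 1)[0]  # drop a stream suffix ($BadClus:$Bad)
    if len(parts) == 1:
        return parts[0] in ROOT_METAFILES
    # The same name deeper in the tree is an ordinary file and stays in the review list.
    return len(parts) == 2 and parts[0] == "$extend" and parts[1] in EXTEND_METAFILES

def triage(report: str) -> List[Finding]:
    findings = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            path = m.group("path")
            findings.append(Finding(path, m.group("size"), m.group("desc"), is_ntfs_metafile(path)))
    return findings

def needs_review(report: str) -> List[str]:
    """Paths that are hidden from the API and are not NTFS metafiles."""
    return [f.path for f in triage(report) if not f.is_metafile]

# Constructed sample: four lines from the report plus one made-up driver path.
SAMPLE_REPORT = r"""
C:\$AttrDef 11/28/2004 10:09 2.50 KB Hidden from Windows API.
C:\$BadClus:$Bad 11/28/2004 10:09 5.87 GB Hidden from Windows API.
C:\$Extend\$ObjId 11/28/2004 16:58 0 bytes Hidden from Windows API.
C:\$MFT 11/28/2004 10:09 14.52 MB Hidden from Windows API.
C:\WINDOWS\system32\drivers\example.sys 2/20/2005 13:02 12.00 KB Hidden from Windows API.
"""
```

Calling `needs_review(SAMPLE_REPORT)` leaves only the constructed driver path; the metafile entries are parsed but set aside.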

Port 41523 info

James Williams from CA wrote:

I have some additional information related to Handlers Diary February 24th 2005.

1) In the php-worm section, please note that eTrust-Iris does detect the malware. Detection name is Perl/ShellBot!Worm, and latest signature version is 11.7.8963. Earlier sig versions also detected it.

2) eTrust-Vet signature version 23.68.46 detects new versions of the malware. Earlier sig versions also detected it.

3) In the "two ports moving as one" section, 41523/tcp is indeed used by ARCserve, but it is not used by eTrust AV 7.x.

Thanks for the update

Feb 26th 2005
