Microsoft Security Advisory (935423) Vulnerability in Window


AB
Premium
join:2006-04-04
Leesburg, VA

reply to javaMan
Re: Microsoft Security Advisory (935423) Vulnerability in Window

said by javaMan See Profile :

The distinction he was making, I believe, is that vulnerabilities exist that JavaScript is used to exploit. In other words, it is not a vulnerability in JavaScript that is exploitable. From a practical standpoint the end result is the same, I suppose, but it seems unreasonable to blame the automobile when the bank robbers get away.
I'm not blaming the automobile. I'm saying javascript seems to be integral to the execution of this malware, as it often is.
I don't care about semantics, the bottom line is my concern.
The bottom line is that I prefer not to be infected.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to NICK ADSL UK
"Because simply previewing an HTML e-mail message can result in an infection, Microsoft also provided additional details late yesterday on which of its e-mail clients are safest to use. According to Adrian Stone, an MSRC program manager, Outlook 2007 is invulnerable, as is Vista's Windows Mail -- as long as users don't reply or forward the attacker's messages. The SANS Institute's testing, however, contradicted Microsoft; by SANS' account, Outlook Express in Windows XP, Windows Mail in Vista, and Outlook 2003 in any version of Windows put users at risk when they simply preview a malicious message. They don't have to actually open the message to be in danger of an infection.

In-the-wild attacks, said Dunham, have been limited so far to those against Windows XP SP2 through Microsoft's Internet Explorer 6 and 7 (IE6 and IE7) browsers. But that won't likely remain the case for long. "Our tests prove that trivial modification is all that's required to update the payload and functionality on multiple operating system builds," he said.

And while Microsoft yesterday said Vista's version of IE7 protects users, eEye's Brown added that browser-based attacks aren't the only game in town. "I get the PR [public relations] angle they're going down, but there are all sorts of ways this can come in, including HTML e-mail. Vista's not immune."

»www.computerworld.com/action/art···=9015138
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

Kiwi
Premium
join:2003-05-26
USA

2 edits
reply to NICK ADSL UK
I have not read all responses, but this appears like a Java based exploit. Interesting.

[Edit]
This seems more Trojan based, than either a virus or worm. The Java aspect seems related to an indirect ASPI hook.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to NICK ADSL UK
I love it when every AV house expert claims they have the skills to squeeze one off with a little extra effort that Microsoft will never hear but everyone will smell...but I am really waiting for the surgeons to come in and go to work.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/


javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA

reply to AB
said by AB See Profile :

said by javaMan See Profile :

The distinction he was making, I believe, is that vulnerabilities exist that JavaScript is used to exploit. In other words, it is not a vulnerability in JavaScript that is exploitable. From a practical standpoint the end result is the same, I suppose, but it seems unreasonable to blame the automobile when the bank robbers get away.
I'm not blaming the automobile. I'm saying javascript seems to be integral to the execution of this malware, as it often is.
I don't care about semantics, the bottom line is my concern.
The bottom line is that I prefer not to be infected.
In the sense that blame should be placed for the current problem, it isn't semantics at all. JavaScript is just a tool like the automobile and it works as it's supposed to. That it can be used to do bad things is not the fault of the tool any more than the automobile. It is not a surprise that JavaScript--or a similar tool-- would be used in a web based attack. In fact, I would be surprised if it weren't; what else would a web based attack use but a web based tool? I also expect a bank robber to use a car but the same car can be used to pick my kids up after school. The problem here is apparently within the Windows API, not JavaScript.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20


AB
Premium
join:2006-04-04
Leesburg, VA

said by javaMan See Profile :

said by AB See Profile :

said by javaMan See Profile :

The distinction he was making, I believe, is that vulnerabilities exist that JavaScript is used to exploit. In other words, it is not a vulnerability in JavaScript that is exploitable. From a practical standpoint the end result is the same, I suppose, but it seems unreasonable to blame the automobile when the bank robbers get away.
I'm not blaming the automobile. I'm saying javascript seems to be integral to the execution of this malware, as it often is.
I don't care about semantics, the bottom line is my concern.
The bottom line is that I prefer not to be infected.
In the sense that blame should be placed for the current problem, it isn't semantics at all. JavaScript is just a tool like the automobile and it works as it's supposed to. That it can be used to do bad things is not the fault of the tool any more than the automobile. It is not a surprise that JavaScript--or a similar tool-- would be used in a web based attack. In fact, I would be surprised if it weren't; what else would a web based attack use but a web based tool? I also expect a bank robber to use a car but the same car can be used to pick my kids up after school. The problem here is apparently within the Windows API, not JavaScript.
What on Earth is your point here, javaMan?
Hopefully something beyond simply being a defender of, and apologist for, javascript.
I've noted that javascripting seems to be crucial to the employment of this vulnerability, nothing more. So . . .??

And you might want to change those tags and dump the shotguns before picking up the kids, btw.

Kiwi
Premium
join:2003-05-26
USA
·Comcast
·Aristotle Internet

said by AB See Profile :

What on Earth is your point here, javaMan?
Hopefully something beyond simply being a defender of, and apologist for, javascript.
I've noted that javascripting seems to be crucial to the employment of this vulnerability, nothing more. So . . .??

And you might want to change those tags and dump the shotguns before picking up the kids, btw.
There are many script types out there, Java seems to be targeted more frequently than even ActiveX. Java was a worthy scripting alternative, a bit LARGE, but workable. That's how the bad guys got in on the game, frivolous [huge] sized scripts. Meaning they could hide small C++ in the corners of Java.


javaMan
Premium,MVM
join:2002-07-15
San Luis Obispo, CA


2 edits
reply to AB
said by AB See Profile :

What on Earth is your point here, javaMan?
Hopefully something beyond simply being a defender of, and apologist for, javascript.
I've noted that javascripting seems to be crucial to the employment of this vulnerability, nothing more. So . . .??

And you might want to change those tags and dump the shotguns before picking up the kids, btw.
Sorry, I thought I was being clear. First, JavaScript doesn't seem to be crucial in this case but can be utilized to deliver the exploit, yes. But my point is that a tool is benign (assuming there is no flaw in the tool), it is how the tool is used that matters. It may certainly be beneficial to secure a browser by not allowing just any script to run willy-nilly since one will not always know which script is bad and which is not. But I hope you would agree that most scripts are not bad. Therefore, it is a mistake to condemn the technology because it can be used to do bad things.

Edit: To further clarify, this vulnerability lies outside the scope of JavaScript. In other words, the script will do what is legitimate and legal, it is a weakness in Windows that causes the problem. If that problem didn't exist, the script would be harmless.
--
Woe unto them that call evil good, and good evil; that put darkness for light, and light for darkness. . . Isa. 5:20

aka Iceman

join:2007-02-11

reply to NICK ADSL UK
Re: Microsoft Security Advisory (935423) Vulnerability in Window

Some comments and prevention tips from CERT:

copy & paste

* Configure Outlook to display messages in plain text

An attacker may be able to exploit this vulnerability by convincing a user to display a specially crafted HTML email. This can happen automatically if the preview pane is enabled in your mail client. Configuring Outlook to display email in plain text can help prevent exploitation of this vulnerability through email. Consider the security of fellow Internet users and send email in plain text format when possible.
Note: The Outlook Express option for displaying messages in plain text will not prevent exploitation of this vulnerability. This workaround is only viable for systems with Microsoft Outlook
------------------

* Disable email preview pane

By disabling the preview pane in your mail client, incoming email messages will not be automatically rendered. This can help prevent exploitation of this vulnerability.

-------------------

* Configure Windows Explorer to use Windows Classic Folders

When Windows Explorer is configured to use the "Show common tasks in folders" option, HTML within a file may be processed when that file is selected. If the "Show common tasks in folders" is enabled, selecting a specially crafted HTML document in Windows Explorer may trigger this vulnerability. Note that the "Show common tasks in folders" is enabled by default. To mitigate this attack vector, enable the "Use Windows classic folders" option. To enable this option in Windows Explorer:

Open Windows Explorer
Select Folder Options from the Tools menu
Select the "Use Windows classic folders" option in the Tasks section

--------------------------

see: »www.kb.cert.org/vuls/id/191609


Mele20
Premium
join:2001-06-05
Hilo, HI

reply to NICK ADSL UK
The Internet Storm Center (SANS Institute) has just raised the Internet threat level to YELLOW because of this exploit:

"*ANI exploit code drives INFOCon to Yellow
Published: 2007-03-31,
Last Updated: 2007-03-31 14:31:15 UTC
by Kevin Liston (Version: 1)
The ANI vulnerability has been of recent concern. I've been waiting for a few key events to be confirmed before adjusting the INFOCon. We don't take these decisions lightly.

Rating systems such as Symantec's ThreatCon (currently at 2 of 4,) FS/ISAC's Cyber Threat Advisory (currently at Guarded,) and our INFOCon (now at Yellow) all have their particular niche. Symantec focuses on their AV and managed-security-service customers. FS/ISAC focuses on financial institutions. The Internet Storm Center's INFOCon intent is "to reflect changes in malicious traffic and the possibility of disrupted connectivity."

In the initial stages of this event, we did not satisfy the criteria to raise the INFOCon level. Now, we have a different landscape.

* Exploit code has been publicly released which allows trivial modification to add any arbitrary payload.
* The number of malicious sites reported is rising rapidly, limiting the efficacy of blacklisting.
* The number of compromised sites pointing to malicious sites is also on the rise.

Recommendations:

* Keep anti-virus up-to-date. So far this is the most effective layer, particularly generic signatures that detect non-compliant ANI files. Also, the secondary payloads downloaded by these exploits are often detectable (not always though.)
* Content-filtering. If your environment supports it, dropping ANI files (not based on file extension, but actual file-inspection) may be prudent until patches are deployed. This will impact your myspace.com browsing experience though.

We intend to maintain INFOCon Yellow status and reassess every 24 hours. (~1400 UTC)"

»isc.sans.org/diary.html?storyid=2542

My AV does not protect against this.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/
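The SANS recommendation quoted above, generic signatures for "non-compliant ANI files" and content-based (not extension-based) filtering, can be made concrete. The following is an added example written for this page; it is not code from the thread, from SANS, or from any AV vendor. An animated cursor is a RIFF container with form type ACON, and its anih header is nine 32-bit fields, 36 bytes. The inspector below parses the container, descends into LIST chunks, and flags any anih chunk whose declared size is not 36, any anih chunk that is truncated, any chunk that claims more bytes than the file holds, and a second anih chunk. The decision keys on the RIFF/ACON signature, so a renamed file is still inspected. The sample files are constructed inline (the 16 zero bytes stand in for an icon frame and are not a real icon); the 120-byte anih is a constructed oversize header, not a copy of any public exploit.

```python
"""Content-based inspector for Windows animated-cursor (RIFF/ACON) files.

Added example, not code from the thread, SANS or any AV vendor. Implements the
generic "non-compliant ANI" check the SANS diary mentions: the anih header is
nine 32-bit fields (36 bytes), so an anih chunk declaring any other size, or a
second anih chunk, is malformed and worth dropping before it reaches the loader.
The decision is made on the bytes, never on the file extension.
"""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): cbSize, nFrames, nSteps, iWidth, iHeight,
                # iBitCount, nPlanes, iDispRate, bfAttributes (all uint32 LE)


def _walk_chunks(data, start, end):
    """Yield (chunk_id, declared_size, available_size) for every RIFF chunk in
    data[start:end], descending into LIST chunks. 'declared' is what the file
    claims; 'available' is what is really there, so they differ on truncated
    or lying files."""
    off = start
    while off + 8 <= end:
        cid = data[off:off + 4]
        declared = struct.unpack_from("<I", data, off + 4)[0]
        body = off + 8
        available = min(declared, end - body)
        yield cid, declared, available
        if cid == b"LIST" and available >= 4:
            # A LIST body opens with a 4-byte list type (e.g. b"fram"), then subchunks.
            yield from _walk_chunks(data, body + 4, body + available)
        off = body + declared + (declared & 1)  # chunk bodies are padded to even length


def inspect_ani(data):
    """Return a list of findings; an empty list means the file is well-formed.
    Non-RIFF/ACON input yields ['not-riff-acon'] so a filter can key on content."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not-riff-acon"]
    findings = []
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 > len(data):
        findings.append(f"riff-size {riff_len + 8} exceeds file length {len(data)}")
    anih_seen = 0
    for cid, declared, available in _walk_chunks(data, 12, len(data)):
        if cid == b"anih":
            anih_seen += 1
            if declared != ANIH_SIZE:
                findings.append(f"anih #{anih_seen} declares {declared} bytes, expected {ANIH_SIZE}")
            elif available < ANIH_SIZE:
                findings.append(f"anih #{anih_seen} truncated: {available} of {ANIH_SIZE} bytes present")
        elif declared > available:
            findings.append(f"chunk {cid!r} declares {declared} bytes, only {available} present")
    if anih_seen == 0:
        findings.append("no anih chunk")
    elif anih_seen > 1:
        findings.append(f"{anih_seen} anih chunks (the format defines one)")
    return findings


# --- constructed samples (not captured from the wild) ---------------------

def _chunk(cid, body):
    return cid + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def _riff(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


_GOOD_HDR = struct.pack("<9I", ANIH_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
_FRAME = _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 16))  # placeholder, not a real icon


def make_benign_ani():
    """One correct 36-byte anih followed by a frame list."""
    return _riff(_chunk(b"anih", _GOOD_HDR), _FRAME)


def make_oversized_ani():
    """A correct anih, then a second anih claiming 120 bytes: a loader that copies
    'declared' bytes into a 36-byte stack structure overruns it by 84."""
    return _riff(_chunk(b"anih", _GOOD_HDR), _FRAME, _chunk(b"anih", b"A" * 120))


if __name__ == "__main__":
    for name, blob in [("benign", make_benign_ani()),
                       ("oversized", make_oversized_ani()),
                       ("truncated", make_benign_ani()[:30]),
                       ("jpeg-ish", b"\xff\xd8\xff\xe0" + b"\0" * 20)]:
        print(name, inspect_ani(blob) or "ok")
```

Run stand-alone it prints one line per sample; the benign cursor passes, the oversized one reports the 120-byte anih and the duplicate header, the truncated one reports both the short RIFF length and the short anih, and the non-RIFF blob is reported as not an ANI at all. A gateway filter would drop anything with a non-empty finding list regardless of the filename it arrived under.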


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to NICK ADSL UK
More vulnerabilities, ANI-one?
»www.f-secure.com/weblog/archives···00001154

Update on ANI Exploit
»www.f-secure.com/weblog/archives···00001156
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/

Kiwi
Premium
join:2003-05-26
USA
reply to Mele20
May not as it seems Trojan based.

Mele20
Premium
join:2001-06-05
Hilo, HI

I use Avira free version and I am not a happy camper at the moment. I posted about this at the Avira forums yesterday as Avira is one of the FEW AV not currently protecting. A mod asked me what the big deal was and my post was moved to the most obscure forum there. I then posted a lot of research on this exploit and asked if my post was moved because Avira was ashamed of dropping the ball on this one. That got my posts moved to a more relevant forum but the mod commented that since Avira personnel mostly don't work on weekends probably there will be no update for this until Monday.

I am also re-evaluating my use of Avira free because it doesn't have an email scanner. I have always avoided using an email scanner on Outlook Express because of Microsoft's admonishment to not do so due to the fragility of the OE database store. However, if my AV had an email scanner, I would certainly turn it on in a situation such as this one. I always read email in Plain Text but that, in this case, is LESS protective than using HTML.

I guess I should install the eEye patch which I have, but have been reluctant to install it as the last time I installed a third party patch it worked fine but then when MS issued a patch, the one I had would not uninstall properly.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/


bettywont
Premium
join:2004-09-11
Montreal, QC
reply to Mele20
Could you please list the 7 companies or provide a link so we can have some peace of mind or mental illness.
Thanks

Mele20
Premium
join:2001-06-05
Hilo, HI


1 edit
reply to NICK ADSL UK
Exploit code here:

»seclists.org/fulldisclosure/2007···563.html

Doesn't work if DEP is on for Explorer.

POC is here:

»seclists.org/fulldisclosure/2007···569.html

When I go to that POC on IE6 on XP Pro SP2, IE immediately crashes.

When go on Fx 1.5.0.11, I get this WHEN USING THE PROXOMITRON WITH SIDKI'S FILTERS:

Microsoft Windows .ANI 0DAY Exploit
Copyright (c) 2007 devcode
• JS Alert: Boo

If I go to the POC on Fx, WITH PROXO DISABLED, Fx appears to be vulnerable! Or am I misinterpreting this? I do not use an extension to turn off scripting in Fx because I feel the Proxomitron will protect in that area as it has done in this instance.

EDIT: I tried the POC again on Fx with Proxo enabled and now I am getting the same thing I have shown in the screenshot. Originally, with Proxo running, I only got a plain text alert in the upper left corner of the screen about the javascript. Now I am seeing the popup with Boo in it. I'm not sure what this signifies in regards to Fx vulnerability. Maybe nothing because Fx doesn't crash at POC like IE does? Maybe I need to close and reopen Fx to get an accurate test? I have too many tabs open to do that!
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/


NICK ADSL UK
Premium,MVM
join:2004-02-22
reply to NICK ADSL UK
Determina Security Research
»www.determina.com/security.resea···der.html

Kiwi
Premium
join:2003-05-26
USA
·Comcast
·Aristotle Internet


1 edit
reply to bettywont
To retain some sanity Avoid MySpace, use an email client other than outlook (Nobody learns). Disable Java & ActiveX, as most pre VISTA folks do. Check your Reg files on occasion for unsupported changes. Next relax, this too will pass. To date I have not seen any migration into secure sites and that's my only real concern.

[Edit] Stack overflow is how 98% of these work.

Still don't get hard hat foils out until some damage is done from respected folks who know how to secure a rig. Granted, most visiting here have a clue and the general public won't. Net Habits, folks, habits.....


NICK ADSL UK
Premium,MVM
join:2004-02-22
reply to NICK ADSL UK
And from Microsoft's Christopher Budd
»blogs.technet.com/msrc/archive/2···423.aspx


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC

reply to bettywont
said by bettywont See Profile :

Could you please list the 7 companies or provide a link so we can have some piece of mind or mental illness.
Thanks
yes

first two links will give you the names and write up of the two badboys detected..

»www.f-secure.com/v-descs/exploit···_c.shtml

»www.f-secure.com/v-descs/trojan-···kv.shtml

AND SANS is the place to monitor that will keep you abreast of those products which seems to detect what is out there.

Windows Animated Cursor Handling vulnerability - CVE-2007-0038
Published: 2007-03-29,
Last Updated: 2007-03-31 11:36:34 UTC
by Maarten Van Horenbeeck (Version: 14)

Anti-virus detection is improving now, with F-Secure, CA, Kaspersky, Trend, Sophos, McAfee and Microsoft detecting malicious ANI files. One specific file was also discovered by a product triggering on a signature written for MS05-002, a similar vulnerability from 2005. This will not apply to most exploits in the wild.
»isc.sans.org/diary.html?storyid=···84c25591
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/
Thursday, 10-Dec 17:08:31 · © 1999-2009 dslreports.com