 daveinpoway
join:2006-07-03 Poway, CA | Microsoft warns of new attack on Word
Read about it here: »www.pcworld.com/article/id,14374···l_dnxnws |
|
 SUMware Premium join:2002-05-21
edit: March 22nd, @03:52PM
| Thanks for the heads-up.
From »www.pcworld.com/article/id,14374···l_d:xnws
"At this time, we are aware only of targeted attacks that attempt to use this vulnerability," the company [Microsoft] said. "Current attacks require customers to take multiple steps in order to be successful; we believe the risk to be limited."
Following its usual policy, Microsoft didn't say when -- or if -- it planned to patch the bug. But in a statement sent to the press, the company did not rule out the possibility of an emergency patch, released ahead of its next set of security updates, which are expected on April 8.
Users of many versions of Word, including Word 2007, 2003, 2002 and 2000 are at risk, unless they are running Windows Vista or Windows Server 2003, Service Pack 2. Those two operating systems include a newer version of the Jet Database Engine that does not have the bug, Microsoft said.
For the technically savvy: this means that PCs with a version of the Msjet40.dll that is lower than 4.0.9505.0 are vulnerable.
[Above pic from »support.microsoft.com/kb/239114 ] |
|
  jeno
@bellsouth.net
| Microsoft Jet DataBase Engine MDB File Parsing Remote Buffer Overflow Vulnerability
To exploit this issue, an attacker must entice a user into opening a malicious file.
Workarounds
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
Restrict the Microsoft Jet Database Engine from running.
To implement the workaround, enter the following command at a command prompt:
echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /P everyone:N
To undo the workaround, enter the following command at a command prompt:
echo y| cacls "%SystemRoot%\system32\msjet40.dll" /E /R everyone
Impact of Workaround: Any application requiring the use of the Microsoft Jet Database Engine to make data access calls will not function.
Microsoft Security Advisory (950627) Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution Published: March 21, 2008: »www.microsoft.com/technet/securi···627.mspx
The following exploit caused my SAVCE(updated today) to quarantine "Trogen.Horse"...
UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product.
The following exploit is available. Symantec has not verified this exploit.
* /data/vulnerabilities/exploits/26468.mdb »www.securityfocus.com/bid/26468/exploit |
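A read-only check that follows from the two posts above (the 4.0.9505.0 threshold and the cacls workaround), written here as an added example rather than code from the advisory or any poster; it assumes Windows PowerShell and the %SystemRoot%\system32 path the advisory uses:

```powershell
# Added example, not from the advisory or any poster in this thread.
# Reports whether this machine's Msjet40.dll is older than 4.0.9505.0 (the
# build the thread names as not vulnerable) and whether the cacls workaround
# (deny Everyone on the file) is currently in place. It changes nothing.
# Assumes Windows PowerShell 2.0+ and the %SystemRoot%\system32 path the advisory uses.

$dll   = Join-Path $env:SystemRoot 'system32\msjet40.dll'
$fixed = [Version]'4.0.9505.0'

if (-not (Test-Path $dll)) {
    Write-Output 'msjet40.dll is not present; nothing to check.'
    return
}

# Build the version from the numeric parts rather than parsing the FileVersion
# string, which on some binaries carries trailing text.
$vi   = (Get-Item $dll).VersionInfo
$have = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

if ($have -lt $fixed) {
    Write-Output "VULNERABLE: $dll is $have (fixed build is $fixed)."
} else {
    Write-Output "OK: $dll is $have, at or above $fixed."
}

# Look for an explicit Deny ACE for Everyone (well-known SID S-1-1-0), which is
# what 'cacls ... /E /P everyone:N' adds. Comparing the SID avoids depending on
# the localized display name of the Everyone group.
$everyone = 'S-1-1-0'
$denied = (Get-Acl $dll).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value -eq $everyone
}

if ($denied) {
    Write-Output 'Workaround applied: Everyone is denied access to msjet40.dll.'
} else {
    Write-Output 'Workaround not applied: no Deny ACE for Everyone on msjet40.dll.'
}
```

The cacls line itself relies on cmd.exe's built-in echo, so it has to be typed into a cmd.exe prompt, and changing the ACL on a system32 file needs an administrator account.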
|
  NICK ADSL UK Premium,MVM join:2004-02-22 | reply to daveinpoway As posted here »Microsoft Security Advisory (950627) |
|
  jeno
@bellsouth.net | reply to jeno Correction: The following exploit caused my SAVCE(updated today) to quarantine"Trojan Horse" |
|
 mysec Premium join:2005-11-29
edit: March 23rd, @05:29AM
| reply to daveinpoway This isn't the first time we've seen msjet40.dll exploited:
»ww3.ps-sp.gc.ca/opsprods/advisor···20_e.asp Advisory Number: AV05-020 Microsoft Jet DB engine vulnerabilities 15 April 2005
said by article :
The purpose of this advisory is to bring attention a report of a vulnerability in Microsoft Jet Database Engine.
Microsoft Jet database is a lightweight database widely used by MS Office applications. The main component of the Microsoft Jet database engine is msjet40.dll,... Sufficient data validation is not performed when msjet40.dll parses the database file. Also, from 2007:
»Zero-Day Microsoft Access Exploit
Quick: What does this exploit do?
From the code of the PoC:
For calc.exe, substitute the latest and greatest trojan.
Evidently a patch has not been forthcoming. Microsoft's solution:
»www.microsoft.com/technet/securi···627.mspx
said by article :
Suggested Actions
Protect Your PC
We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing antivirus software. (Question: Why isn't White Listing ever suggested?
Possible answer: because MS pushes AV solutions?)
For some insights in these types of exploits:
»isc.sans.org/diary.html?storyid=4177
said by diary :
The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community.
The messages contain an attachment which exploits a client side vulnerability. Generally these are:
CHM Help files with embedded objects; Acrobat Reader PDF exploits; Microsoft Office exploits; The handler who wrote this diary presented a paper (.pdf file linked in the diary) in which he analyzes the actions of the exploit:
said by paper :
Application document Exploitation Shellcode Shellcode Embedded executable Installs trojan code or executes malicious action. See page 10 of his .pdf paper for a nice diagram.
Often I can substitute a trojan file (not-white listed on my machine) to really test the exploit. This PoC, however, does not work on my Win2K machine. Here is an old one, a document with embedded trojan attempting to drop a .dll file:
Essentially, this is nothing more than a remote code execution exploit packaged in a different wrapper, easily blocked by White Listing.
The MS Security Bulletin offers a workaround to disable the offending jet.dll file. But what about the next exploit using another vulnerable file? And the next?
As suggested some years ago, White Listing removes the need for such workaround patching:
An Ounce of Prevention »www.infosec.co.uk/ExhibitorLibra···tion.pdf
said by article :
This approach can effectively eliminate the need to patch in emergency mode. Malicious code by default is not on the white list which means that enterprises can rest assured that their exposed software vulnerabilities are safe from potential exploitation, enabling their IT staff to work proactively to develop scheduled patch deployments rather than being in a constant state of emergency. I've seen this approach used effectively in education institutions. Today, there are many home solutions available in the various security products providing execution protection, thus completely neutralizing this particular common exploit.
---------------------------------------------
Other references:
Microsoft Office Security, part one Overview of recent MS Office vulnerabilities »www.securityfocus.com/infocus/1874
»www.f-secure.com/weblog/archives···406.html PDF file exploit:
said by article :
The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org. »www.avertlabs.com/research/blog/···victims/ CHM (MS Help File) exploit
said by article :
As the two cases looked similar (both drop a file named music.exe... drops and loads zipfldr.dl Cyber Attacks Target Pro-Tibet Groups »www.washingtonpost.com/wp-dyn/co···605.html
said by article :
attached Microsoft Word document... included a Trojan horse program that opened a "backdoor" on any computer used to open the file, giving the senders remote access over the system.
Van Horenbeeck [of sans.org] said the danger with the e-mail viruses involved in the attacks is that they are so hand-crafted and new that they usually go undetected by dozens of commercial anti-virus scanners on the market today.
"Last week, I had two of these samples that were detected by two out of 32 different anti-virus scanners, and another that was completely undetected," he said.
---- rich |
|
  jeno
@bellsouth.net | Thanks for the additional info. |
|
 mysec Premium join:2005-11-29
| reply to mysec Update
Maarten Van Horenbeeck of sans.org has updated the diary I referred to:
Overview of cyber attacks against Tibetan communities »isc.sans.org/diary.html?storyid=4177
You don't often find thorough analyses of attacks, so it's worth a careful reading.
This particular attack is described as "targeted."
The term Targeted has been used in a couple of ways in the security community:
1) attacks aimed at a particular group of people, such as the organization described in the diary; or, a company or corporation
2) those aimed at specific people in an organization. This requires compromising an email list.
This example uses both types of targeting.
While targeting has been used in the past, this example shows a sophistication in technique often missing:
==> A good command of the English language;
==> thoroughly researched details of the subject of world condition (Tibet in this case) which make the "social engineering" part of the exploit more convincing - here, including published articles in different formats (.doc, .pdf, .ppt) which embed the packed trojan.
Note that some victims have been home users.
Note again that use of a msjet40.dll exploit first surfaced in 2005.
---- rich |
|
 daveinpoway
join:2006-07-03 Poway, CA | Some new info regarding the problem: »www.computerworld.com/action/art···&nlid=37 |
|
 SUMware Premium join:2002-05-21
| Microsoft admits it knew about, didn't patch, bugs
From your link: said by CW : Microsoft Corp.'s security team today acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005 but did not patch the problems because it thought it had blocked the obvious attack vectors.
A researcher at Symantec Corp. said Microsoft should have fixed the flaws years ago.
In a post to the Microsoft Security Research Center (MSRC) blog late Monday afternoon, Mike Reavey, the MSRC's operations manager, admitted that outside researchers had notified Microsoft in 2005 and 2007 of separate bugs in Jet, a Windows component that provides data access to applications such as Microsoft Access and Visual Basic.
In both cases, Microsoft told the researchers that it would not fix the flaw because it considered users safe.
Wrong. |
|
  jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
·Speakeasy
edit: March 26th, @01:50PM
| reply to daveinpoway Re: Microsoft warns of new attack on Word
"Do not open or save Word files that you receive from untrusted sources or that you receive unexpectedly from trusted sources," Microsoft said in a security advisory posted to its Web site late in the day."
"It thought users were safe, but is now scrambling for a solution"
This, of course, is so obvious but still so open to any hole in any program from MS or anyone else. Social engineering has programmed humans to be all too much like Lemmings and we still, even knowing not to, open that which we shouldn't. Not that that gives MS any excuse for not patching this hole which should have been done years ago, but since they've put what not to do in writing, they've played at CYA and exonerated themselves. I wish my mistakes were that easy to solve!  -- JKK
Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!
»www.pbase.com/jaykaykay
|
|
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
| reply to daveinpoway Interesting.
I had Office on this computer when first I got it, but later removed it since I never used it. However, I still have all the Jet files leftover. Argh.
Oh, and the workaround just throws an error saying it can't find echo.
Do I even need this stuff, and how can it be removed if I don't? I don't need all this detritus lying around waiting to be exploited.
-CaFF --
My 9/11 Tribute..online since 9/14/01 Need an Avatar? Check out Wafen's Avatar Pages |
|
 daveinpoway
join:2006-07-03 Poway, CA
| Somewhat scary:
No matter what kind of patch it produces or when it pushes a fix to users, Microsoft can't change the .mdb file format to make it less dangerous, according to Reavey. "Jet database files (file type .mdb) will remain on the unsafe file type list because they can run code by design," he noted. "Even if we tried to, we could not secure this file format, it will always present attackers an opportunity to run code." |
|
  lotusracer Premium join:1999-11-26 Moline, IL
| reply to caffeinator said by caffeinator :Interesting. Oh, and the workaround just throws an error saying it can't find echo. Do I even need this stuff, and how can it be removed if I don't? I don't need all this detritus lying around waiting to be exploited. -CaFF
I've got a similar question.... my Sister, although being warned did open a Word file she received in an e-mail. She "thought" she knew the person that sent it. I may be able to upload the file from her computer if necessary.
How can I determine if the file was 'infected', and how best should I deal with this?
Seems to be a lot of discussion on the possible danger, but none on how to deal with it. Thanks for sharing any thoughts. |
|
 mysec Premium join:2005-11-29
| said by lotusracer :How can I determine if the file was 'infected',
Since most of these exploits drop an executable, run the file in a test environment to see what happens.
I've not been able to get the PoC examples to work, so I would like to see the file you have.
said by lotusracer :Seems to be a lot of discussion on the possible danger, but none on how to deal with it. Thanks for sharing any thoughts.
1) Be wary of Word files received unsolicited.
2) If sender is unknown, delete. If received from a known sender (as in your sister's case) open the file in a text editor, such as WordPad, which will not run code
3) Have White List protection which will prevent the installing of any unauthorized executable (see my first post above).
I estimate that in the past few years I've opened hundreds of Word files submitted by students, and from sites on the internet, with no worries.
---- rich |
|
  lotusracer Premium join:1999-11-26 Moline, IL
| said by mysec :said by lotusracer :How can I determine if the file was 'infected', Since most of these exploits drop an executable, run the file in a test environment to see what happens. I've not been able to get the PoC examples to work, so I would like to see the file you have. ---- rich
Thank you for your assist... checked with her and she must have completely deleted the file. Looked around for it myself and found nothing.
Like caffeinator said in his case, I tried the workaround and got the same error message saying it can't find echo.
What would be your suggestions on dealing with this potentially compromised machine? Should I suggest she no longer do on-line banking, or suggest a complete re-format of this XP system?
Or is there some program in particular that can tell me if she has indeed 'oops'ed' her machine. |
|
 mysec Premium join:2005-11-29
edit: March 31st, @06:12PM
| Someone else will have to help you deal with cleaning up an infected machine.
(For myself, if I ever suspected an infection, I would reformat and start over)
Once you are sure it's clean, there is no reason why she can't resume on-line banking. You might review security measures with her.
---- rich |
|
  jouno53 Kirby user in SSBB
join:2006-03-04 United State | reply to daveinpoway Thanks for the info.
But that's why I use OpenOffice |
|
 SilverSurfer
join:2007-08-19 | reply to SUMware That's why I use OO "Writer." None of this kind of BS. |
|
  caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
·WebBand
edit: March 31st, @09:00PM
| I agree with you and jouno53 , but when I bought this used machine I did remove Office from this computer.
Yet those MSJet files are still there. Why? I have no idea.
Is something still needing them? If so, then why like most any Installer since 1998, did it not ask if I wanted them still as they may be in use?
Apparently, since it was used at 2am yesterday.

I was asleep so what app used it? WinDefender? MSupdate?
I have yet to find any way of removing Jet on its own except just deleting the files, which obviously is a bad plan. Manual removal you say? Nope..check this: »support.microsoft.com/kb/q124902/
The computer came with no disks, no restore partition, nada. So, how?
More to my point, since I'd removed Office, naturally MS won't see fit to offer an update for the leftovers.
I don't see a real risk to me, as I don't even use a mail client on the PC, nor am I click-happy. Fact is, exe/doc/xls/etc. are blocked by my mailserver unless you Zip them.
BUT, I resent having this trail of acknowledged insecure crap left on this otherwise perfectly functional computer. You'd think the almighty Microsoft could create a un-installer that worked.
Since the workaround does nothing here, according to MS, I should just let it be...or upgrade to Vista. Ha!
With a P3-1Ghz/512Mb RAM Optiplex GX-150, that'd work really swell.
I swear, if I didn't need a windows PC for some things, I'd DBAN the ****** and install anything else.
Bleh. 
-CaFF --
My 9/11 Tribute..online since 9/14/01 Need an Avatar? Check out Wafen's Avatar Pages |
|