 mysec Premium join:2005-11-29
edit: March 23rd, @05:29AM
| reply to daveinpoway Re: Microsoft warns of new attack on Word
This isn't the first time we've seen msjet40.dll exploited:
»ww3.ps-sp.gc.ca/opsprods/advisor···20_e.asp Advisory Number: AV05-020 Microsoft Jet DB engine vulnerabilities 15 April 2005
said by article :
The purpose of this advisory is to bring attention to a report of a vulnerability in the Microsoft Jet Database Engine.
Microsoft Jet database is a lightweight database widely used by MS Office applications. The main component of the Microsoft Jet database engine is msjet40.dll,... Sufficient data validation is not performed when msjet40.dll parses the database file.
Also, from 2007:
»Zero-Day Microsoft Access Exploit
Quick: What does this exploit do?
From the code of the PoC:
For calc.exe, substitute the latest and greatest trojan.
Evidently a patch has not been forthcoming. Microsoft's solution:
»www.microsoft.com/technet/securi···627.mspx
said by article :
Suggested Actions
Protect Your PC
We continue to encourage customers to follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing antivirus software. (Question: Why isn't White Listing ever suggested?
Possible answer: because MS pushes AV solutions?)
For some insights in these types of exploits:
»isc.sans.org/diary.html?storyid=4177
said by diary :
The attacks generally start with a very trustworthy looking e-mail, being spoofed as originating from a known contact, to someone within a community.
The messages contain an attachment which exploits a client side vulnerability. Generally these are:
CHM Help files with embedded objects; Acrobat Reader PDF exploits; Microsoft Office exploits;
The handler who wrote this diary presented a paper (.pdf file linked in the diary) in which he analyzes the actions of the exploit:
said by paper :
Application document -> Exploitation -> Shellcode -> Embedded executable -> Installs trojan code or executes malicious action
See page 10 of his .pdf paper for a nice diagram.
Often I can substitute a trojan file (not-white listed on my machine) to really test the exploit. This PoC, however, does not work on my Win2K machine. Here is an old one, a document with embedded trojan attempting to drop a .dll file:
 ___________________________________________________________________________
Essentially, this is nothing more than a remote code execution exploit packaged in a different wrapper, easily blocked by White Listing.
The MS Security Bulletin offers a workaround to disable the offending jet.dll file. But what about the next exploit using another vulnerable file? And the next?
As suggested some years ago, White Listing removes the need for such workaround patching:
An Ounce of Prevention »www.infosec.co.uk/ExhibitorLibra···tion.pdf
said by article :
This approach can effectively eliminate the need to patch in emergency mode. Malicious code by default is not on the white list which means that enterprises can rest assured that their exposed software vulnerabilities are safe from potential exploitation, enabling their IT staff to work proactively to develop scheduled patch deployments rather than being in a constant state of emergency.
I've seen this approach used effectively in education institutions. Today, there are many home solutions available in the various security products providing execution protection, thus completely neutralizing this particular common exploit.
---------------------------------------------
Other references:
Microsoft Office Security, part one Overview of recent MS Office vulnerabilities »www.securityfocus.com/infocus/1874
»www.f-secure.com/weblog/archives···406.html PDF file exploit:
said by article :
The exploit silently drops and runs a file called C:\Program Files\Update\winkey.exe. This is a keylogger that collects and sends everything typed on the affected machine to a server running at xsz.8800.org.
»www.avertlabs.com/research/blog/···victims/ CHM (MS Help File) exploit
said by article :
As the two cases looked similar (both drop a file named music.exe... drops and loads zipfldr.dl
Cyber Attacks Target Pro-Tibet Groups »www.washingtonpost.com/wp-dyn/co···605.html
said by article :
attached Microsoft Word document... included a Trojan horse program that opened a "backdoor" on any computer used to open the file, giving the senders remote access over the system.
Van Horenbeeck [of sans.org] said the danger with the e-mail viruses involved in the attacks is that they are so hand-crafted and new that they usually go undetected by dozens of commercial anti-virus scanners on the market today.
"Last week, I had two of these samples that were detected by two out of 32 different anti-virus scanners, and another that was completely undetected," he said.
---- rich |
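The chain the diary's paper draws (document -> exploit -> shellcode -> embedded executable -> dropped trojan) leaves one thing a defender can look for without caring which DLL was abused: the executable carried inside the document. The scanner below is an added example written for this thread, not code from the diary, the paper or the original post; it walks a file's bytes looking for a PE image stored in the clear or under a single-byte XOR key, the kind of cheap packing used to hide a dropped binary from signature scanners. The sample "document", its offsets and the key are constructed for the demo.

```python
import struct

def _pe_at(buf: bytes, off: int = 0) -> bool:
    """True if buf[off:] starts with a plausible DOS header + PE signature."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    # e_lfanew must be sane and point at "PE\0\0" inside the same blob
    pe = off + e_lfanew
    return 0x40 <= e_lfanew <= 0x400 and buf[pe:pe + 4] == b"PE\0\0"

def find_embedded_pe(data: bytes, keys=range(256)):
    """Return (offset, xor_key) for each embedded PE image found in data.

    key 0 means the image is stored in the clear; any other key means the
    dropped executable was obfuscated with a single repeating XOR byte.
    """
    hits = []
    for key in keys:
        probe = bytes(b ^ key for b in b"MZ")  # what "MZ" looks like under this key
        start = data.find(probe)
        while start != -1:
            # de-obfuscate only the window a header check needs (<= 0x404 bytes)
            window = bytes(b ^ key for b in data[start:start + 0x404])
            if _pe_at(window):
                hits.append((start, key))
            start = data.find(probe, start + 1)
    return hits

def build_fake_pe(size: int = 0x200) -> bytes:
    """Constructed minimal PE-shaped blob for the demo, not a real program."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew -> PE header at 0x80
    img[0x80:0x84] = b"PE\0\0"
    return bytes(img)

# Constructed sample "document": OLE2 magic, padding, an executable XORed
# with 0x5A, trailing padding. Offsets and key are made up for the demo.
XOR_KEY = 0x5A
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"\x00" * 300
              + bytes(b ^ XOR_KEY for b in build_fake_pe())
              + b"\x00" * 64)

if __name__ == "__main__":
    for off, key in find_embedded_pe(SAMPLE_DOC):
        print(f"embedded PE at offset {off}, XOR key 0x{key:02x}")
```

A hit is a reason to detonate or quarantine the document, not proof by itself; legitimate OLE files can embed executables too.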
 mysec Premium join:2005-11-29
| reply to mysec Update
Maarten Van Horenbeeck of sans.org has updated the diary I referred to:
Overview of cyber attacks against Tibetan communities »isc.sans.org/diary.html?storyid=4177
You don't often find thorough analyses of attacks, so it's worth a careful reading.
This particular attack is described as "targeted."
The term Targeted has been used in a couple of ways in the security community:
1) attacks aimed at a particular group of people, such as the organization described in the diary; or, a company or corporation
2) those aimed at specific people in an organization. This requires compromising an email list.
This example uses both types of targeting.
While targeting has been used in the past, this example shows a sophistication in technique often missing:
==> A good command of the English language;
==> thoroughly researched details of the subject of world condition (Tibet in this case) which make the "social engineering" part of the exploit more convincing - here, including published articles in different formats (.doc, .pdf, .ppt) which embed the packed trojan.
Note that some victims have been home users.
Note again that use of a msjet40.dll exploit first surfaced in 2005.
---- rich |
 SUMware Premium join:2002-05-21
| Microsoft admits it knew about, didn't patch, bugs
From your link:
said by CW :
Microsoft Corp.'s security team today acknowledged that it knew of bugs in its Jet Database Engine as far back as 2005 but did not patch the problems because it thought it had blocked the obvious attack vectors.
A researcher at Symantec Corp. said Microsoft should have fixed the flaws years ago.
In a post to the Microsoft Security Research Center (MSRC) blog late Monday afternoon, Mike Reavey, the MSRC's operations manager, admitted that outside researchers had notified Microsoft in 2005 and 2007 of separate bugs in Jet, a Windows component that provides data access to applications such as Microsoft Access and Visual Basic.
In both cases, Microsoft told the researchers that it would not fix the flaw because it considered users safe.
Wrong. |