MS Security Advisories
317 replies to this topic

#181 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 July 2010 - 05:52 AM

FYI...

CVE-2010-1885 attack status...
- http://blogs.technet...-2010-1885.aspx
30 Jun 2010 - "... attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution. If you have not yet considered the countermeasures listed in the Microsoft Security Advisory (2219475*), you should consider them. As of today, over 10,000 distinct computers have reported seeing this attack at least one time. The following list shows some of the payloads we've detected:
• Trojan:Win32/Swrort.A
• TrojanDownloader:Win32/Obitel.gen!A
• Spammer:Win32/Tedroo.AB
• Trojan:Win32/Oficla.M
• TrojanSpy:Win32/Neetro.A
• Virus:JS/Decdec.A ..."

* http://support.micro....com/kb/2219475
Last Review: July 13, 2010 - Revision: 3.0 - "... We have released security bulletin MS10-042* to address this issue..."
* http://www.microsoft...n/MS10-042.mspx

- http://web.nvd.nist....d=CVE-2010-1885
Last revised: 07/20/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://krebsonsecuri...d-windows-flaw/
July 5, 2010

- http://community.web...ompromised.aspx
5 Jul 2010 - "... Articlealley .com has been compromised and injected with obfuscated code. Article Alley is a free article directory that aims to help authors promote and syndicate their content. It allows authors and promoters to get their articles out on the Web with the potential of being read by millions of readers. This site was compromised from the root domain, and as a result all subsequent sub-pages were infected by the attack.... attack is targeting the Microsoft Help and Support Center 0-day vulnerability CVE-2010-1885..."
(Screenshots available at the Websense URL above.)

:ph34r: :ph34r:

Edited by AplusWebMaster, 23 July 2010 - 09:09 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#182 AplusWebMaster

Posted 13 July 2010 - 01:33 PM

FYI...

Microsoft Security Advisory (2219475)
Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution
- http://www.microsoft...ry/2219475.mspx
Published: June 10, 2010 | Updated: July 13, 2010 - "... We have issued MS10-042* to address this issue..."
* http://www.microsoft...n/MS10-042.mspx

Microsoft Security Advisory (2028859)
Vulnerability in Canonical Display Driver Could Allow Remote Code Execution
- http://www.microsoft...ry/2028859.mspx
Published: May 18, 2010 | Updated: July 13, 2010 - "... We have issued MS10-043** to address this issue..."
** http://www.microsoft...n/MS10-043.mspx

- http://forums.whatth...=...st&p=666835

:ph34r:

Edited by AplusWebMaster, 13 July 2010 - 01:35 PM.



#183 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 17 July 2010 - 05:47 AM

FYI...

Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft...ry/2286198.mspx
July 16, 2010 - "Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue. The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers..."
• V1.1 (July 19, 2010)... "Microsoft is currently working to develop a security update for Windows to address this vulnerability..."

- http://blogs.technet...xnet-sting.aspx
16 Jul 2010

- http://www.kb.cert.org/vuls/id/940193
Last Updated: 2010-07-19

- http://www.us-cert.g...k_vulnerability
updated July 19, 2010

0-Day exploit is public
- http://www.f-secure....s/00001991.html
July 19, 2010

- http://securitytrack...ul/1024216.html
Updated: July 20 2010

:ph34r:

Edited by AplusWebMaster, 20 July 2010 - 05:57 AM.



#184 AplusWebMaster

Posted 20 July 2010 - 12:23 PM

FYI...

More 0-day malware drivers...
- http://www.f-secure....s/00001993.html
July 20, 2010 - "... another digitally signed Stuxnet* driver. This one uses a certificate from JMicron Technology Corporation. Our detection for this new binary is Rootkit:W32/Stuxnet.D... Realtek is the source of the previously used certificate which has now been revoked by VeriSign..."
* http://blogs.technet...xnet-sting.aspx

:ph34r: <_<



#185 AplusWebMaster

Posted 20 July 2010 - 08:30 PM

FYI...

"Fixit" released for MS shortcut vuln...
Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft...ry/2286198.mspx
• V1.2 (July 20, 2010): Clarified the vulnerability exploit description and updated the workarounds...
Disable the displaying of icons for shortcuts ...
Note: See Microsoft Knowledge Base Article 2286198* to use the automated Microsoft Fix it solution to enable or disable this workaround. This Fix it solution will require a restart upon completion in order to be effective. This Fix it solution deploys the workaround, and thus has the same user impact. We recommend that administrators review the KB article closely prior to deploying this Fix it solution.
NOTE: Applying the fixit will remove the graphical representation of icons on the Task bar and Start menu bar and replace them with white icons without the graphical representation of the icon...
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk...
* http://support.micro....com/kb/2286198
Last Review: July 21, 2010 - Revision: 1.0
---
Disable the WebClient service ...
---
Block the download of .LNK and .PIF files from the internet ...
___

Embedded Shortcuts in Documents...
- http://www.f-secure....s/00001994.html
July 21, 2010

- http://web.nvd.nist....d=CVE-2010-2568
Last revised: 07/22/2010
CVSS v2 Base Score: 9.3 (HIGH)

:ph34r:

Edited by AplusWebMaster, 22 July 2010 - 08:20 PM.



#186 AplusWebMaster

Posted 23 July 2010 - 05:20 AM

FYI...

Exploits in the wild for Windows shortcut vuln
- http://blog.trendmic...ty-in-the-wild/
July 22, 2010 - "Exploits for the recently discovered Windows shortcut vulnerability are now fully out in the wild and affecting users. While earlier samples were seen in more narrowly targeted attacks, the new samples Trend Micro analysts found are now aimed at broader audiences and pose a threat to users at large. Indonesia and India have been particularly hard-hit by this attack, accounting for more than 75 percent of the total number of infections. In addition, a recent update to Microsoft’s advisory has added a new vector for this vulnerability. File formats that support embedded shortcuts (e.g., Microsoft Office documents) can now be used to spread exploits as well. This means that users who download and open such files could find themselves the latest victim of this vulnerability. It has also been reported that this attack could be used in drive-by attack scenarios, further increasing risks... Below is a summary of these possibilities:
1. USB drive infection...
2. Network shares...
3. Malicious website...
4. Documents..."
(More detail at the URL above.)

- http://atlas.arbor.n...ndex#1754998770
Microsoft .lnk 0day Attack Vector
"Severity: Extreme Severity
Analysis: This is a serious risk, and a critical one for Siemens WinCC sites. We encourage all Windows sites to review the bulletin for mitigation options in the absence of a patch..."

- http://threatinfo.tr..... Exploit.html

- http://www.symantec....tags/w32stuxnet
July 22, 2010 - "... Within the past 72 hours we've seen close to 14,000 unique IP addresses infected with W32.Stuxnet attempt to contact the C&C server..."

- http://web.nvd.nist....d=CVE-2010-2568
Last revised: 07/23/2010
CVSS v2 Base Score: 9.3 (HIGH)

- http://www.f-secure....2_stuxnet.shtml
- http://www.symantec..../...-99&tabid=2
- http://www.sophos.co...32stuxnetb.html

:ph34r: :ph34r:

Edited by AplusWebMaster, 23 July 2010 - 03:16 PM.



#187 AplusWebMaster

Posted 25 July 2010 - 08:52 PM

FYI...

MS .lnk 0-day attack vector
- http://atlas.arbor.n...ndex#1754998770
"Severity: Extreme Severity
Analysis: This is a serious risk, and a critical one for Siemens WinCC sites. We encourage all Windows sites to review the bulletin* for mitigation options in the absence of a patch..."
* http://www.microsoft...ry/2286198.mspx

NEW malware families using .LNK vulnerability
- http://blogs.technet...nerability.aspx
23 Jul 2010

- http://web.nvd.nist....d=CVE-2010-2772
Last revised: 07/26/2010

- http://www.networkwo...picking-up.html
July 22, 2010 - "... Siemens issued a Security Update** for its customers on Thursday, but Microsoft has yet to patch the Windows bug that permits the worm to spread..."
** http://support.autom...amp;caller=view

- http://www.symantec....tags/w32stuxnet
July 25, 2010

:ph34r:

Edited by AplusWebMaster, 28 July 2010 - 05:16 PM.



#188 AplusWebMaster

Posted 26 July 2010 - 02:14 PM

FYI...

Windows Shortcut Exploit protection tool
- http://www.sophos.co...ction-tool.html
"... The Windows Shortcut Exploit is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link to run a malicious DLL file. Our free, easy-to-use tool blocks this exploit from running on your computer..."

- http://isc.sans.edu/...ml?storyid=9268
Last Updated: 2010-07-26 17:03:58 UTC

- http://www.sophos.co...cle/111570.html
Last updated: 26 Jul 2010

- http://www.sophos.co...loit-free-tool/
Video: 1:57

- http://www.f-secure....s/00001996.html
July 26, 2010 - "... several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198). But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors*. Basically we're seeing new payloads using the same basic exploit method, which is being detected generically, and not new versions of the exploit..."
* http://www.virustota...9965-1280146392
File dsafnegweje.lnk received on 2010.07.26 12:13:12 (UTC)
Result: 18/42 (42.86%)

- http://blog.trendmic...loit-bandwagon/
July 27, 2010 - "... exploits targeting the Windows shortcut zero-day vulnerability have risen in number. It is also now being used to spread ZBOT variants via malicious attachments to spammed messages... with the subject Microsoft Windows Security Advisory..."

:ph34r:

Edited by AplusWebMaster, 30 July 2010 - 02:21 PM.



#189 AplusWebMaster

Posted 30 July 2010 - 03:22 PM

FYI...

MS shortcut/vuln fix to be released 8.2.2010
- http://blogs.technet...ry-2286198.aspx
29 Jul 2010 - "... we're announcing plans to release a security update to address the vulnerability discussed in Security Advisory 2286198* on Monday, August 2, 2010 at or around 10 AM PDT..."
* http://www.microsoft...ry/2286198.mspx

- http://www.microsoft...n/ms10-aug.mspx
July 30, 2010

- http://blogs.technet...was-sality.aspx
30 Jul 2010 - "... Microsoft announced plans to release an out-of-band update... numbers show infection attempts upon systems -we- protect... threats are becoming more widespread...
Malicious links exploiting CVE-2010-2568
Exploit:Win32/CplLnk.A
Exploit:Win32/CplLnk.B
Stuxnet
TrojanDropper:Win32/Stuxnet.A
Trojan:WinNT/Stuxnet.A
Trojan:WinNT/Stuxnet.B (initially called VirTool:WinNT/Rootkitdrv.HK)
Trojan:Win32/Stuxnet.A
Worm:Win32/Stuxnet.A
Worm:Win32/Stuxnet.B
Sality
Virus:Win32/Sality.AU (initial detection provided by generic signature Virus:Win32/Sality.AT)
Vobfus
Worm:Win32/Vobfus.H
Worm:Win32/Vobfus.P
Chymine
Trojan:Win32/Chymine.A
TrojanSpy:Win32/Chymine.A
TrojanDownloader:Win32/Chymine.A ..."

:ph34r:

Edited by AplusWebMaster, 30 July 2010 - 05:48 PM.



#190 AplusWebMaster

Posted 02 August 2010 - 01:06 PM

FYI...

MS10-046 released Out-of-Band...
- http://blogs.technet...band-today.aspx
2 Aug 2010 - "... today we released Security Bulletin MS10-046* out-of-band to address a vulnerability in Windows. This security update addresses a vulnerability in the handling of shortcuts that affects all currently supported versions of Windows XP, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2... For customers using automatic updates, this update will automatically be applied once it is released. Customers not using automatic updates should download, test and deploy this update as quickly as possible..."
* http://www.microsoft...n/MS10-046.mspx
"... This vulnerability is currently being exploited..."

- http://www.microsoft...ry/2286198.mspx
Updated: August 02, 2010 - "... We have issued MS10-046* to address this issue..."

- http://web.nvd.nist....d=CVE-2010-2568

- http://www.sophos.co...c/shortcut.html
August 2, 2010 - "... If you have the Sophos Windows Shortcut Exploit Protection Tool on your machine, uninstall it before deploying Microsoft's patch."

FIX:
- http://forums.whatth...=...st&p=672473

Stuxnet - Rootkit for SCADA Devices...
- http://www.symantec....t-scada-devices
August 6, 2010

:ph34r:

Edited by AplusWebMaster, 08 August 2010 - 05:23 AM.




#191 AplusWebMaster

Posted 09 August 2010 - 12:08 PM

FYI...

LNK vuln (MS10-046) now leveraged by botnet...
- http://www.symantec....sality-goes-lnk
August 9, 2010 - "... The discovery of the LNK vulnerability (BID 41732*), initially used by Stuxnet, gave malware authors a cheap, easy, and effective way to propagate their creations. The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this weekend that they decided to leverage their botnet to potentially infect even more computers. The latest package downloaded by Sality (sequence ID 122) refers to a few URLs, including Sality-standard hack tools (mail relay, HTTP proxy), but also to a dropper for Sality itself... make sure your operating system is properly patched..."
* http://www.securityf...1732/references

- http://forums.whatth...=...st&p=672473
"Critical ... This vulnerability is currently being exploited..."

:ph34r: :ph34r:



#192 AplusWebMaster

Posted 10 August 2010 - 12:21 PM

FYI...

Microsoft Security Advisory (2264072)
Elevation of Privilege Using Windows Service Isolation Bypass
- http://www.microsoft...ry/2264072.mspx
August 10, 2010 - "Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege... Although, in most situations, untrusted code is not running under the NetworkService identity, the following scenarios have been identified as possible exceptions:
• Systems running Internet Information Services (IIS) in a non-default configuration are at an increased risk, particularly if IIS is running on Windows Server 2003 and Windows Server 2008, because the default worker process identity on these systems is NetworkService.
• Systems running SQL Server where users are granted SQL Server administrative privileges are at an increased risk.
• Systems running Windows Telephony Application Programming Interfaces (TAPI) are at an increased risk...
For the TAPI scenario, Microsoft is providing a non-security update*...
(FAQ) The Windows Service Isolation feature is an optional configuration that some customers may choose to deploy. This feature is not appropriate for all customers..."
- http://support.micro....com/kb/2264072

* TAPI non-security update: http://support.microsoft.com/kb/982316

- http://web.nvd.nist....d=CVE-2010-1886
Last revised: 08/17/2010
CVSS v2 Base Score: 6.8 (MEDIUM)
___

Microsoft Security Advisory (977377)
Vulnerability in TLS/SSL Could Allow Spoofing
- http://www.microsoft...ory/977377.mspx
Published: February 09, 2010 | Updated: August 10, 2010 - "... We have issued MS10-049* to address this issue..."
* http://www.microsoft...n/MS10-049.mspx
___

Update on the publicly disclosed Win32k.sys EoP Vulnerability
- http://blogs.technet...nerability.aspx
10 Aug 2010 - "... investigating a publicly disclosed vulnerability in the Windows Kernel-mode drivers (win32k.sys) affecting all supported operating systems. We are not aware of attacks that try to use the reported vulnerability or of any customer impact at this time... we are now able to report that this is a local elevation of privilege vulnerability only. This type of issue allows attackers to gain system-level privileges after they have already obtained an account on the target system. For this issue to be exploited, an attacker must have valid log-on credentials on the target system and be able to log on locally, or must already have code running on the target system. The vulnerability cannot be exploited remotely, or by anonymous users. We will not be releasing a security advisory for this issue, but it will be included in a future security update...."

.

Edited by AplusWebMaster, 26 August 2010 - 01:02 PM.



#193 AplusWebMaster

Posted 23 August 2010 - 06:59 PM

FYI...

Microsoft Security Advisory (2269637)
Insecure Library Loading Could Allow Remote Code Execution
- http://www.microsoft...ry/2269637.mspx
August 23, 2010 - "Microsoft is aware that research has been published detailing a remote attack vector for a class of vulnerabilities that affects how applications load external libraries. This issue is caused by specific insecure programming practices that allow so-called "binary planting" or "DLL preloading attacks". These practices could allow an attacker to remotely execute arbitrary code in the context of the user running the vulnerable application when the user opens a file from an untrusted location. This issue is caused by applications passing an insufficiently qualified path when loading an external library. Microsoft has issued guidance to developers in the MSDN article, Dynamic-Link Library Security*, on how to correctly use the available application programming interfaces to prevent this class of vulnerability. Microsoft is also actively reaching out to third-party vendors through the Microsoft Vulnerability Research Program to inform them of the mitigations available in the operating system. Microsoft is also actively investigating which of its own applications may be affected. In addition to this guidance, Microsoft is releasing a tool** that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications. This advisory describes the functionality of this tool and other actions that customers can take to help protect their systems.
Mitigating Factors:
• This issue only affects applications that do not load external libraries securely. Microsoft has previously published guidelines for developers in the MSDN article, Dynamic-Link Library Security*, that recommend alternate methods to load libraries that are safe against these attacks.
• For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
• The file sharing protocol SMB is often disabled on the perimeter firewall. This limits the possible attack vectors for this vulnerability..."

* http://msdn.microsof...712(VS.85).aspx
8/19/2010

** http://support.micro....com/kb/2264107
Last Review: August 25, 2010 - Revision: 3.0

More... DLL Preloading remote attack vector
- http://blogs.technet...ack-vector.aspx
23 Aug 2010

- http://isc.sans.edu/...ml?storyid=9445
Last Updated: 2010-08-24 17:01:04 UTC ...(Version: 3) - "... UPDATE 2: We received some e-mails about active exploitation of this vulnerability in the wild... it appears that the attackers so far are exploiting uTorrent, Microsoft Office and Windows Mail... applications for which Proof of Concept exploits have been published... be very careful about files you open from network shares..."

- http://www.us-cert.g...urity_advisory5
August 24, 2010 - "... publicly available exploit code for this vulnerability... workarounds may reduce the functionality of the affected systems. Workarounds include:
• disabling the loading of libraries from WebDAV and remote network shares
• disabling the WebClient service
• blocking TCP ports 139 and 445 at the firewall ..."

- http://securitytrack...ug/1024355.html
Aug 24 2010
___

- http://blog.eset.com...les/DLLvuln.png
August 26, 2010
___

Insecure Library Loading Vulnerability:
Release Date: 2010-08-25

Microsoft Windows Address Book...
- http://secunia.com/advisories/41050/
uTorrent...
- http://secunia.com/advisories/41051/
Adobe Photoshop...
- http://secunia.com/advisories/41060/
Microsoft Office PowerPoint...
- http://secunia.com/advisories/41063/
Wireshark...
- http://secunia.com/advisories/41064/
Opera...
- http://secunia.com/advisories/41083/
Mozilla Firefox...
- http://secunia.com/advisories/41095/
Windows Live Mail...
- http://secunia.com/advisories/41098/
Microsoft Office Groove...
- http://secunia.com/advisories/41104/
VLC Media Player...
- http://secunia.com/advisories/41107/
avast! Antivirus...
- http://secunia.com/advisories/41109/
Adobe Dreamweaver...
- http://secunia.com/advisories/41110/
TeamViewer...
- http://secunia.com/advisories/41112/

... Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched ...
"... vulnerability is confirmed...
Solution: Do not open untrusted files..."
___

- http://secunia.com/blog/120
24 August 2010 - "... the discovery of the remote vector just made this serious... The vulnerability is not in the Windows OS itself, but is caused by bad (insecure) programming practises in applications when loading libraries combined with how the library search order works in Windows. Ideally, when loading a library (or running an executable), a fully qualified path should be passed to the APIs used (e.g. LoadLibrary()). In case a programmer refrains from doing so and only supplies the library name, Windows searches for the file in a number of directories in a particular order. These directories may include the current working directory, which leads to the core of the problem related to the new, remote attack vector as Windows eventually searches for the file on e.g. a remote SMB or WebDAV share if that happens to be the current directory. This is the case if a user e.g. is tricked into opening a file located on a remote share. By placing a malicious library, which a vulnerable application searches for, on the share it is loaded into the application and code is executed with the privileges of the user running it. As the core problem is not in Windows, but rather caused by applications loading libraries insecurely (i.e. not supplying a fully qualified path or not initially calling SetDllDirectory() with a blank path), Secunia will not be issuing a general advisory for Windows. Instead, (likely, quite a lot of) advisories will be issued as affected applications are identified. Currently, we are seeing reports from various researchers having identified everywhere between 40 to 200 vulnerable applications, but the actual number may be a lot higher..."

- http://www.kb.cert.org/vuls/id/707943
Date Last Updated: 2010-08-25

:ph34r: :ph34r:

Edited by AplusWebMaster, 28 August 2010 - 03:49 AM.



#194 AplusWebMaster

Posted 26 August 2010 - 01:44 PM

FYI...

ESET graphic: DLL loading vulnerability
- http://blog.eset.com...les/DLLvuln.png
August 26, 2010

(One picture worth a thousand words.)

:ph34r:

Edited by AplusWebMaster, 26 August 2010 - 01:51 PM.



#195 AplusWebMaster

Posted 27 August 2010 - 04:22 PM

FYI...

- http://www.computerw...or_40_plus_apps
August 25, 2010 - "... The flaws stem from the way many Windows applications call code libraries - dubbed "dynamic-link library," or "DLL" - that give hackers wiggle room they can exploit by tricking an application into loading a malicious file with the same name as a required DLL. If attackers can dupe users into visiting malicious Web sites or remote shares, or get them to plug in a USB drive - and in some cases con them into opening a file - they can hijack a PC and plant malware on it... As of 3 p.m. ET, more than 30 exploits had been posted on Wednesday alone..."

- http://www.kb.cert.org/vuls/id/707943
Last Updated: 2010-09-08

- http://secunia.com/a...g Vulnerability
Last Updated: Oct. 18, 2010 - (Count is now -133-)

Microsoft apps... DLL hijacking attack vuln
- http://web.nvd.nist....d=CVE-2010-3138
- http://web.nvd.nist....d=CVE-2010-3139
- http://web.nvd.nist....d=CVE-2010-3140
- http://web.nvd.nist....d=CVE-2010-3141
- http://web.nvd.nist....d=CVE-2010-3142
- http://web.nvd.nist....d=CVE-2010-3143
- http://web.nvd.nist....d=CVE-2010-3144
- http://web.nvd.nist....d=CVE-2010-3145
- http://web.nvd.nist....d=CVE-2010-3146
- http://web.nvd.nist....d=CVE-2010-3147
- http://web.nvd.nist....d=CVE-2010-3148
Last revised: 08/30-31/2010
CVSS v2 Base Score: 9.3 (HIGH)

:ph34r:

Edited by AplusWebMaster, 18 October 2010 - 09:56 AM.

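The Secunia explanation in post #193 and the Computerworld summary in post #195 both come down to one mechanism: an application asks for a library by bare name, Windows walks a fixed list of directories, and when the library is not found in the application or system directories the walk reaches the current directory, which is the remote share the user just opened a document from. The model below is added here as an illustration and is not code from this thread, from Secunia, from Microsoft or from any vendor named above. It simulates the default search order with SafeDllSearchMode on (the 16-bit system directory is omitted), the two developer-side fixes the Secunia post names (a fully qualified path, and SetDllDirectory("") at startup), and the system-wide CWDIllegalInDllSearch registry setting that the KB 2264107 tool writes; that key name and its values 1, 2 and 0xFFFFFFFF come from Microsoft's KB article, not from this thread. Every directory, file name and the \\fileserver\docs share are constructed sample data; nothing here calls into Windows.

```python
# Simulation of the Windows DLL search order and of the mitigations for
# "binary planting" / DLL preloading. Constructed model, no Windows API calls.
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Host:
    app_dir: str
    system_dir: str
    windows_dir: str
    cwd: str
    cwd_kind: str                 # "local", "removable", "smb" or "webdav" (constructed label)
    path_dirs: List[str]
    files: Set[str]               # fully qualified paths that "exist" on this host
    dll_directory: Optional[str] = None    # last value passed to SetDllDirectory(), None = never called
    cwd_illegal_in_dll_search: int = 0     # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager value


def cwd_is_searched(host: Host) -> bool:
    """Apply the CWDIllegalInDllSearch policy from KB 2264107 to the current directory."""
    setting = host.cwd_illegal_in_dll_search
    if setting == 0xFFFFFFFF:                         # remove the CWD from the search order entirely
        return False
    if setting == 2 and host.cwd_kind == "webdav":    # block only when the CWD is a WebDAV folder
        return False
    if setting == 1 and host.cwd_kind in ("smb", "webdav"):   # block any remote (UNC) CWD
        return False
    return True


def search_order(host: Host) -> List[str]:
    """Directories the loader probes, in order, for an unqualified library name."""
    if host.dll_directory is None:
        # Default with SafeDllSearchMode on: app dir, system dir, Windows dir, CWD, then PATH.
        dirs = [host.app_dir, host.system_dir, host.windows_dir]
        if cwd_is_searched(host):
            dirs.append(host.cwd)
        return dirs + host.path_dirs
    if host.dll_directory == "":
        # SetDllDirectory("") removes the CWD from the search order.
        return [host.app_dir, host.system_dir, host.windows_dir] + host.path_dirs
    # SetDllDirectory(dir) inserts dir after the app dir and drops the CWD.
    return [host.app_dir, host.dll_directory, host.system_dir, host.windows_dir] + host.path_dirs


def is_fully_qualified(name: str) -> bool:
    return name[1:3] == ":\\" or name.startswith("\\\\")


def load_library(host: Host, name: str) -> Optional[str]:
    """Return the path the loader would map for LoadLibrary(name), or None if not found."""
    if is_fully_qualified(name):
        return name if name in host.files else None    # no search at all
    for directory in search_order(host):
        candidate = directory.rstrip("\\") + "\\" + name
        if candidate in host.files:
            return candidate
    return None


SHARE = r"\\fileserver\docs"     # constructed remote location the user opened a document from


def make_host(**overrides) -> Host:
    base = dict(
        app_dir=r"C:\Program Files\Viewer",
        system_dir=r"C:\Windows\System32",
        windows_dir=r"C:\Windows",
        cwd=SHARE, cwd_kind="smb",
        path_dirs=[r"C:\Windows\System32", r"C:\Windows"],
        files={
            r"C:\Program Files\Viewer\viewer.exe",
            r"C:\Windows\System32\comctl32.dll",   # genuine system library
            SHARE + r"\report.doc",                # the document the user opened
            SHARE + r"\comctl32.dll",              # planted copy of a real library
            SHARE + r"\plugin.dll",                # planted copy of an optional library the app probes for
        },
    )
    base.update(overrides)
    return Host(**base)


def demo() -> dict:
    results = {}
    default = make_host()
    # A library that ships with Windows is found in System32 before the CWD is reached.
    results["system_dll_default"] = load_library(default, "comctl32.dll")
    # An optional library that does not exist locally makes the search fall through to the share.
    results["optional_dll_default"] = load_library(default, "plugin.dll")
    # Developer fix 1: SetDllDirectory("") at startup; the library is simply not found.
    results["optional_dll_setdlldir"] = load_library(make_host(dll_directory=""), "plugin.dll")
    # Developer fix 2: fully qualified path; the share is never consulted.
    results["optional_dll_qualified"] = load_library(default, r"C:\Program Files\Viewer\plugin.dll")
    # Administrator mitigation: CWDIllegalInDllSearch = 1 blocks remote CWDs, 2 blocks only WebDAV.
    results["optional_dll_policy1"] = load_library(make_host(cwd_illegal_in_dll_search=1), "plugin.dll")
    results["optional_dll_policy2_smb"] = load_library(make_host(cwd_illegal_in_dll_search=2), "plugin.dll")
    results["optional_dll_policy2_webdav"] = load_library(
        make_host(cwd_illegal_in_dll_search=2, cwd_kind="webdav"), "plugin.dll")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28s} -> {value}")
```

The two cases worth comparing are `system_dll_default` and `optional_dll_default`: SafeDllSearchMode already protects libraries that exist in System32, so the exposed applications are those that probe for libraries which are absent on the system, exactly the pattern the Secunia post describes. Value 2 of the policy leaves an SMB share searchable, which is why the US-CERT workarounds in post #193 pair the setting with disabling WebClient and blocking 139/445 at the perimeter.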
