Remote Code Execution

Mozilla Disables Insecure Microsoft Firefox Add-on

When I fired up my laptop the other day, I was greeted with this pop-up box:

If you’re running Firefox, you may have already seen it yourself. Recall that these add-ons were installed into Firefox without the user’s permission, causing quite an uproar in the Mozilla user community. Brian Krebs of The Washington Post wrote:

In May, I wrote about a Windows patch for the Microsoft .NET package that silently installed the Microsoft .NET Framework Assistant add-on into Firefox. The package also included an associated plug-in for Firefox called the Windows Presentation Foundation plug-in. The Mozilla user community was up arms over not just the fact that Microsoft was introducing unwanted components that could potentially weaken the security of Firefox, but that Redmond had made the thing almost impossible to remove.

Mike Shaver, Mozilla’s vice president of engineering, wrote Friday on the Mozilla Security Blog:

Because of the difficulties some users have had entirely removing the add-on, and because of the severity of the risk it represents if not disabled, we contacted Microsoft today to indicate that we were looking to disable the extension and plugin for all users via our blocklisting mechanism. Microsoft agreed with the plan, and we put the blocklist entry live immediately.

At least Microsoft agreed with Mozilla’s action to block the insecure add-on, but shame on them for blatantly compromising the security of a browser they don’t even own.

Conspiracy theorists: Do you have an opinion on this?

Patch Tuesday – Microsoft Fixes Eight Security Flaws

All of them are critical, but not a single one of them affects Windows 7, scheduled for release on October 22.

The most dangerous flaw covered by this month’s batch of patches is a remote code execution vulnerability in the way that the JScript scripting engine decodes script in Web pages (MS09-045). A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page and this could result in execution of arbitrary code on the affected system. All versions of Windows—except Windows 7—are vulnerable. Here is the list of bulletins taken from the Microsoft Security Bulletin Summary for September 2009:

MS09-045 Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
MS09-049 Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
MS09-047 Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-046 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)

It remains to be seen how Windows 7 will fare once it’s released to retail, but so far, it appears to be more secure the previous versions of Windows. According to Wolfgang Kandek, chief technology officer at software security provider Qualys, "There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor."

We can only hope.

I’ll Say it Again—Turn Off the Remote Web Management Interface!

I don’t know how many times I’ve told people that the embedded management interface on most devices is a security breach waiting to happen. I just got wind of some news, but can’t seem to find anything more than this mention. As soon as I dig up some details, I’ll let you know. This exchange is from Security Now! Episode 206 for July 23, 2009:

Steve…Stanford security lab….will also be showing some very distressing news this weekend at the Black Hat conference. They tested 21 different devices from 16 different manufacturers. These are web-enabled gizmos - webcams, printers, network switches, photo frames, VoIP phones, remote management tools, all of these things - and, like, consumer routers, all of these things that are web-enabled, meaning that like so many peripherals now, they’ve got an Internet connection and a web interface. They tested the vulnerability of 21 devices made by 16 different manufacturers. There was not one that was not vulnerable to serious web-oriented problems. For example, they were able to enter JavaScript commands into the logon prompts.

Leo: Oh, boy.

Steve: And the device logged the log-on attempts. So when the administrator brought up the log, the act of displaying the log replayed the JavaScript commands…And that allowed the commands to connect to a remote server and download malware. They said that among the worst devices were network attached storage devices. They enumerated five different classes of attacks, and they said that the NAS…were vulnerable to all five classes of attack. For example, you could rename files to JavaScript strings. There was no control over file naming in these. And of course we all have long filenames now in our state-of-the-art file systems. Well, long meaning JavaScript. And so anytime this device attempted to display the filenames on a web page, again, you were running JavaScript. So now there’s scripting running in your directory listing, which is displayed on a web page, causing your browser to do whatever the JavaScript has said. And it’s running in the local context. So even systems that have security saying don’t allow remote sites to execute script, but of course we trust our self, well, now we can’t trust our self.

Don’t tell me I didn’t say so. Turn that interface OFF!

Microsoft Releases Security Advisory (961040)

Microsoft’s latest Security Advisory (961040) covers a vulnerability in SQL Server that could allow remote code execution:

Microsoft is investigating new public reports of a vulnerability that could allow remote code execution on systems with supported editions of Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). Systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008 are not affected by this issue.

Exploit code has been published on the Internet, but Microsoft states that it’s not aware of any active exploits or customer impact at this time. One mitigating factor is that this vulnerability is not exposed anonymously–an attacker would need to authenticate in order to take advantage of the flaw, thus leaving evidence for investigators.

Microsoft has issued tested workarounds for the affected versions. While they don’t repair the underlying vulnerablity, they effectively block the known attack vectors

Internet Explorer Targeted by Zero-day Attack

Even though Microsoft released the biggest batch of patches ever on Tuesday–28 flaws affecting Windows, Office, Internet Explorer, Visual Basic Active Controls and Windows Media Player, 23 of them rated “critical”–there’s no fix for a zero-day XML parser vulnerability that surfaced the same day. This was first reported by Robert McMillan of IDG News and was picked up quickly by other media. According to McMillan:

The code exploits a bug in the way IE handles XML (Extensible Markup Language) and works on the browser about “one in three times,” Huang said in an instant message interview. For the attack to work, a victim must first visit a Web site that serves the malicious JavaScript code that takes advantage of the flaw. …

In attacks, the code drops a malicious program on the victim’s PC which then goes to download malicious software from various locations.

According to a blog post by Symantec:

The vulnerability is caused by a function that incorrectly frees a certain region of heap memory so that an attacker is able to control the EAX register with a specially crafted Unicode URL, which includes the magic “0×0A0A” value in it,” Elia Florio, a security researcher at Symantec, wrote….

Symantec released the antivirus signature Bloodhound.Exploit.219 and IPS signature 23241 - HTTP MSIE Malformed XML BO to protect users against this exploit.

I recommend that anyone using Symantec’s antivirus or IPS products, immediately perform an update. Furthermore, Symantec recommends blocking the following hosts which are apparently being used by the exploit to download and install other malware:

• wwwwyyyyy.cn
• sllwrnm5.cn
• baikec.cn
•  oiuytr.net
• laoyang4.cn
• cc4y7.cn

In its security advisory 961051, Microsoft presents the following mitigating factors:

• Protected Mode in Internet Explorer 7 and Internet Explorer 8 in Windows Vista limits the impact of the vulnerability.

•By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.

•An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

•Currently known attacks cannot exploit this issue automatically through e-mail.

Nevertheless, users should avoid using Internet Explorer and should instead use Firefox with the NoScript extension installed until Microsoft issues a patch. We may see an out-of-cycle patch on this one according to the security advisory:

We are actively investigating the vulnerability these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Well, since I’m forced to use IE for certain applications in my job, this customer needs a patch as quickly as possible.

Opera Zero-day Vulnerability

Just as Opera completed patches for critical vulnerabilities in its browser, researchers discovered another remote code execution bug. In its recent article, “Opera scrambles to quash zero-day bug in freshly-patched browser,”
The Register reports:

Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims’ browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that’s based on the same weakness.

Until Opera releases version 9.62, which should be “very, very soon” according to Opera spokesman Thomas Ford, your best bet is to disable iFrames and turn off scripting. Open opera:config and select Extensions|iFrames. Change the setting from “1″ to “0.” Similarly, change Extensions|Scripting from “1″ to “0.”

Bear in mind that the above temporary workaround is going to break a lot of sites that use scripting. It would be simpler if Opera had some way to designate “trusted sites” (or a plug-in like NoScript), but I’m not aware of any way to do this. Hit the comments and let me know if there’s a better workaround (I haven’t used Opera since my conversion to Firefox four years ago).

Microsoft Releases Out-of-Band Security Bulletin MS08-067

Microsoft just released a critical update for a “privately reported” vulnerability in the server service:

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

Exploits are already being detected, according to the Microsoft Malware Protection Center:

Currently, attacks try to download a trojan named n2.exe to the victim’s computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes so you may not find it even on systems that were previously infected. Our products provide real-time protection that will block that malware from being copied to the hard drive. You can read more details about this malware in our encyclopedia write ups.

I’m going to update the servers right now. Everyone should do the same.

Safari for Windows Flaw Quick Fix

Microsoft has issued Security Advisory 953818 advising Safari users to “restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple.” According to Microsoft:

“A combination of the default download location in Safari and how the Windows desktop handles executables creates a blended threat in which files may be downloaded to a user’s machine without prompting, allowing them to be executed. An attacker could trick users into visiting a specially crafted Web site that could download content to a user’s machine and execute the content locally using the same permissions as the logged-on user. “

Oddly enough, there’s a quick fix for the problem. In the advisory, Microsoft clearly states: “Mitigating Factors: Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.” Just go to Edit > Preferences > General > Save downloaded files to [your chosen new location].

That was easy.

Phlashing Attack Can Damage Systems Beyond Repair

It has long been an “everybody knows” that viruses and other malware cannot physically damage hardware. We’ve all seen those alarming emails that say, “…the virus destroys Sector Zero, thus permanently destroying the hard disk,” a statement we know is rubbish; at worst, the disk is rendered incapable of booting an OS, but the drive is still operable and the data recoverable. Seems that now, however, an HP researcher has found a way to exploit security vulnerabilities to create a permanent DOS (PDOS) attack by thrashing embedded hardware. From The Register:

The cyber-assault thrashes systems by abusing firmware update mechanisms. If successful, the so-called phlashing attack would force victims to replace systems.

The attack was demonstrated by Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, at the EUSecWest security conference in London on Wednesday [21 May 2008]. Smith told Dark Reading that such a “permanent denial of service” attack could be carried out remotely over the internet.

The attack would be carried out by exploiting flaws in remote management interfaces to gain access to the system and then flashing or fuzzing the firmware binaries to render the hardware useless. One such remote management interface is HP’s Integrated Lights Out (ILO) which is embedded in their ProLiant servers; however, Doug Hascall, an HP manager in charge of ILO firmware, believes the security architecture of the interface makes it invulnerable to the attack.

Security watchers, myself included, don’t see crackers destroying systems since there would be no money in it; rather, this attack could make it possible for them to plant malware inside of the firmware: a far more insidious threat. Moreover, a country’s enemies could use the technique as an effective cyberwarfare weapon either to take out critical infrastructure or to implant spyware to gather military intelligence.

Foxit Reader Security Vulnerability

Since I discovered Foxit Reader in early 2006, I’ve been recommending it to everyone. There’s no question it’s a best-of-breed tool for speed and simplicity. But recently, Secunia issued a bulletin advising of a security vulnerability in the program. According to that bulletin, Foxit Reader version 2.3 build 2825 is vulnerable to a remote code execution buffer overflow. attack on your system. The problem will be fixed in the upcoming build 2912.

I’m still using version 1.3.x which, apparently, is not vulnerable. So, if you’re using an older version of Foxit, you should be OK; however, just as soon as build 2912 is available, I’m going to upgrade just to be on the safe side. You should, too.