Archive for Current Threats and Vulnerabilities

ActiveX Killbits

Beginning in May 2008, Microsoft has released cumulative patches to install ActiveX Killbits.  Below is an analysis of the killbits released via these patches to date.  The analysis was performed against patches for Windows XP, however, it is assumed that these killbits are applicable to all Operating Systems.

As of July 27, 2009:

Total Killbits applied by latest cumulative patch (MS09-032): 175

Monthly Count
May 2008: 4
June 2008: 3
August 2008: 96
October 2008: 12
February 2009: 10
June 2009: 5
July 2009: 45 

Vendor Count
Akamai: 1
Aurigma: 74
BackWeb: 1
Ebay: 2
HP: 23
HusDawg: 1
Microgaming: 2
Microsoft 67
PhotoStockPlus: 1
RIM: 1
Yahoo: 2

Details for each Killbit (including links to advisories)

(download PDF here)

May-08 {22FD7C0A-850C-4A53-9821-0B0915C96139} Yahoo Yahoo! MediaGrid
May-08 {314111B8-A502-11D2-BBCA-00C04F8EC294} Microsoft Microsoft Help 2.0 Contents
May-08 {314111C6-A502-11D2-BBCA-00C04F8EC294} Microsoft Microsoft Help 2.0 Index
May-08 {5F810AFC-BB5F-4416-BE63-E01DD117BD6C} Yahoo Yahoo! DataGrid
Jun-08 {3BEE4890-4FE9-4A37-8C1E-5E7E12791C1F} Microsoft SpSharedRecognizer
Jun-08 {40F23EB7-B397-4285-8F3C-AACE4FA40309} BackWeb BackWeb Lite Install Runner
Jun-08 {47206204-5ECA-11D2-960F-00C04F8EE628} Microsoft SpSharedRecoContext
Aug-08 {00D46195-B634-4C41-B53B-5093527FB791} Aurigma Aurigma Image Uploader
Aug-08 {0270E604-387F-48ED-BB6D-AA51F51D6FC3} Aurigma Aurigma Image Uploader
Aug-08 {038F6F55-C9F0-4601-8740-98EF1CA9DF9A} Aurigma Aurigma Image Uploader
Aug-08 {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} Aurigma Aurigma Image Uploader
Aug-08 {0B9C0C26-728C-4FDA-B8DD-59806E20E4D9} Aurigma Aurigma Image Uploader
Aug-08 {0C378864-D5C4-4D9C-854C-432E3BEC9CCB} HP HP eDiag
Aug-08 {101D2283-EED9-4BA2-8F3F-23DB860946EB} Aurigma Aurigma Image Uploader
Aug-08 {108092BF-B7DB-40D1-B7FB-F55922FCC9BE} Aurigma Aurigma Image Uploader
Aug-08 {14C1B87C-3342-445F-9B5E-365FF330A3AC} HP HP Instant Support
Aug-08 {17E67D4A-23A1-40D8-A049-EE34C0AF756A} HP HP eDiag
Aug-08 {1E0D3332-7441-44FF-A225-AF48E977D8B6} Aurigma Aurigma Image Uploader
Aug-08 {285CAE3C-F16A-4A84-9A80-FF23D6E56D68} Aurigma Aurigma Image Uploader
Aug-08 {2875E7A5-EE3C-4FE7-A23E-DE0529D12028} Aurigma Aurigma Image Uploader
Aug-08 {2C2DE2E6-2AD1-4301-A6A7-DF364858EF01} Aurigma Aurigma Image Uploader
Aug-08 {3604EC19-E009-4DCB-ABC5-BB95BF92FD8B} Aurigma Aurigma Image Uploader
Aug-08 {3D6A1A85-DE54-4768-9951-053B3B02B9B0} Aurigma Aurigma Image Uploader
Aug-08 {41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA} Aurigma Aurigma Image Uploader
Aug-08 {42C68651-1700-4750-A81F-A1F5110E0F66} HP HP eDiag
Aug-08 {44A6A9CA-AC5B-4C39-8FE6-17E7D06903A9} Aurigma Aurigma Image Uploader
Aug-08 {4614C49A-0B7D-4E0D-A877-38CCCFE7D589} Aurigma Aurigma Image Uploader
Aug-08 {4774922A-8983-4ECC-94FD-7235F06F53A1} HP HP eDiag
Aug-08 {47AF06DD-8E1B-4CA4-8F55-6B1E9FF36ACB} Aurigma Aurigma Image Uploader
Aug-08 {497EE41C-CE06-4DD4-8308-6C730713C646} Aurigma Aurigma Image Uploader
Aug-08 {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} Aurigma Aurigma Image Uploader
Aug-08 {60178279-6D62-43AF-A336-77925651A4C6} HP HP eDiag
Aug-08 {6470DE80-1635-4B5D-93A3-3701CE148A79} HP HP eDiag
Aug-08 {652623DC-2BB4-4C1C-ADFB-57A218F1A5EE} Aurigma Aurigma Image Uploader
Aug-08 {65FB3073-CA8E-42A1-9A9A-2F826D05A843} Aurigma Aurigma Image Uploader
Aug-08 {66E07EF9-4E89-4284-9632-6D6904B77732} Aurigma Aurigma Image Uploader
Aug-08 {68BBCA71-E1F6-47B2-87D3-369E1349D990} Aurigma Aurigma Image Uploader
Aug-08 {692898BE-C7CC-4CB3-A45C-66508B7E2C33} Aurigma Aurigma Image Uploader
Aug-08 {6981B978-70D9-40B9-B00E-903B6FC8CA8A} Aurigma Aurigma Image Uploader
Aug-08 {69C462E1-CD41-49E3-9EC2-D305155718C1} Aurigma Aurigma Image Uploader
Aug-08 {6C095616-6064-43CA-9180-CF1B6B6A0BE4} Aurigma Aurigma Image Uploader
Aug-08 {6CA73E8B-B584-4533-A405-3D6F9C012B56} Aurigma Aurigma Image Uploader
Aug-08 {6E5E167B-1566-4316-B27F-0DDAB3484CF7} Aurigma Aurigma Image Uploader
Aug-08 {73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A} Aurigma Aurigma Image Uploader
Aug-08 {76EE578D-314B-4755-8365-6E1722C001A2} Aurigma Aurigma Image Uploader
Aug-08 {784F2933-6BDD-4E5F-B1BA-A8D99B603649} HP HP eDiag
Aug-08 {7A12547F-B772-4F2D-BE36-CE5D0FA886A1} Aurigma Aurigma Image Uploader
Aug-08 {7EB2A2EC-1C3A-4946-9614-86D3A10EDBF3} Aurigma Aurigma Image Uploader
Aug-08 {833E62AD-1655-499F-908E-62DCA1EB2EC6} Aurigma Aurigma Image Uploader
Aug-08 {86C2B477-5382-4A09-8CA3-E63B1158A377} Aurigma Aurigma Image Uploader
Aug-08 {8C7A23D9-2A9B-4AEA-BA91-3003A316B44D} Aurigma Aurigma Image Uploader
Aug-08 {8CC18E3F-4E2B-4D27-840E-CB2F99A3A003} Aurigma Aurigma Image Uploader
Aug-08 {8DBC7A04-B478-41D5-BE05-5545D565B59C} Aurigma Aurigma Image Uploader
Aug-08 {905BF7D7-6BC1-445A-BE53-9478AC096BEB} Aurigma Aurigma Image Uploader
Aug-08 {910E7ADE-7F75-402D-A4A6-BB1A82362FCA} HP HP eDiag
Aug-08 {916063A5-0098-4FB7-8717-1B2C62DD4E45} Aurigma Aurigma Image Uploader
Aug-08 {926618A9-4035-4CD6-8240-64C58EB37B07} Aurigma Aurigma Image Uploader
Aug-08 {9275A865-754B-4EDF-B828-FED0F8D344FC} Aurigma Aurigma Image Uploader
Aug-08 {93441C07-E57E-4086-B912-F323D741A9D8} HP HP eDiag
Aug-08 {93C5524B-97AE-491E-8EB7-2A3AD964F926} Aurigma Aurigma Image Uploader
Aug-08 {947F2947-2296-42FE-92E6-E2E03519B895} Aurigma Aurigma Image Uploader
Aug-08 {974E1D88-BADF-4C80-8594-A59039C992EA} Aurigma Aurigma Image Uploader
Aug-08 {977315A5-C0DB-4EFD-89C2-10AA86CA39A5} Aurigma Aurigma Image Uploader
Aug-08 {9BAFC7B3-F318-4BD4-BABB-6E403272615A} Aurigma Aurigma Image Uploader
Aug-08 {A233E654-53FF-43AA-B1E2-60DA2E89A1EC} Aurigma Aurigma Image Uploader
Aug-08 {A3796166-A03C-418A-AF3A-060115D4E478} Aurigma Aurigma Image Uploader
Aug-08 {A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98} Aurigma Aurigma Image Uploader
Aug-08 {A7866636-ED52-4722-82A9-6BAABEFDBF96} Aurigma Aurigma Image Uploader
Aug-08 {A95845D8-8463-4605-B5FB-4F8CFBAC5C47} HP HP eDiag
Aug-08 {AA13BD85-7EC0-4CC8-9958-1BB2AA32FD0B} Aurigma Aurigma Image Uploader
Aug-08 {AB049B11-607B-46C8-BBF7-F4D6AF301046} HP HP eDiag
Aug-08 {AB237044-8A3B-42BB-9EE1-9BFA6721D9ED} HP HP eDiag
Aug-08 {AE2B937E-EA7D-4A8D-888C-B68D7F72A3C4} Aurigma Aurigma Image Uploader
Aug-08 {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} Aurigma Aurigma Image Uploader
Aug-08 {B0A08D67-9464-4E73-A549-2CC208AC60D3} Aurigma Aurigma Image Uploader
Aug-08 {B26E6120-DD35-4BEA-B1E3-E75F546EBF2A} Aurigma Aurigma Image Uploader
Aug-08 {B60770C2-0390-41A8-A8DE-61889888D840} Aurigma Aurigma Image Uploader
Aug-08 {B85537E9-2D9C-400A-BC92-B04F4D9FF17D} Aurigma Aurigma Image Uploader
Aug-08 {B95B52E9-B839-4412-96EB-4DABAB2E4E24} Aurigma Aurigma Image Uploader
Aug-08 {B9C13CD0-5A97-4C6B-8A50-7638020E2462} HP HP eDiag
Aug-08 {BA162249-F2C5-4851-8ADC-FC58CB424243} Aurigma Aurigma Image Uploader
Aug-08 {BF931895-AF82-467A-8819-917C6EE2D1F3} HP HP eDiag
Aug-08 {C70D0641-DDE1-4FD7-A4D4-DA187B80741D} HP HP eDiag
Aug-08 {C86EE68A-9C77-4441-BD35-14CC6CC4A189} Aurigma Aurigma Image Uploader
Aug-08 {C94188F6-0F9F-46B3-8B78-D71907BD8B77} HP HP eDiag
Aug-08 {CB05A177-1069-4A7A-AB0A-5E6E00DCDB76} Aurigma Aurigma Image Uploader
Aug-08 {CC7DA087-B7F4-4829-B038-DA01DFB5D879} Aurigma Aurigma Image Uploader
Aug-08 {CDAF9CEC-F3EC-4B22-ABA3-9726713560F8} HP HP eDiag
Aug-08 {CF08D263-B832-42DB-8950-F40C9E672E27} Aurigma Aurigma Image Uploader
Aug-08 {CF6866F9-B67C-4B24-9957-F91E91E788DC} HP HP eDiag
Aug-08 {D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6} Aurigma Aurigma Image Uploader
Aug-08 {DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772} HP HP eDiag
Aug-08 {DE233AFF-8BD5-457E-B7F0-702DBEA5A828} HP HP eDiag
Aug-08 {E12DA4F2-BDFB-4EAD-B12F-2725251FA6B0} HP HP eDiag
Aug-08 {E1A26BBF-26C0-401D-B82B-5C4CC67457E0} Aurigma Aurigma Image Uploader
Aug-08 {E4C97925-C194-4551-8831-EABBD0280885} Aurigma Aurigma Image Uploader
Aug-08 {E6127E3B-8D17-4BEA-A039-8BB9D0D105A2} Aurigma Aurigma Image Uploader
Aug-08 {F1F51698-7B63-4394-8743-1F4CF1853DE1} Aurigma Aurigma Image Uploader
Aug-08 {F399F5B6-3C63-4674-B0FF-E94328B1947D} Aurigma Aurigma Image Uploader
Aug-08 {F6A7FF1B-9951-4CBE-B197-EA554D6DF40D} Aurigma Aurigma Image Uploader
Aug-08 {F89EF74A-956B-4BD3-A066-4F23DF891982} Aurigma Aurigma Image Uploader
Aug-08 {FA8932FF-E064-4378-901C-69CB94E3A20A} Aurigma Aurigma Image Uploader
Aug-08 {FC28B75F-F9F6-4C92-AF91-14A3A51C49FB} Aurigma Aurigma Image Uploader
Oct-08 {0002E500-0000-0000-C000-000000000046} Microsoft OWC.Chart.9 
Oct-08 {0002E510-0000-0000-C000-000000000046} Microsoft OWC.Spreadsheet.9
Oct-08 {0002E511-0000-0000-C000-000000000046} Microsoft OWC9 Control
Oct-08 {0002E520-0000-0000-C000-000000000046} Microsoft OWC.PivotTable.9
Oct-08 {0002E530-0000-0000-C000-000000000046} Microsoft OWC.DataSourceControl.9
Oct-08 {AED98630-0251-4E83-917D-43A23D66D507} Microgaming Microgaming Download Helper
Oct-08 {F0E42D50-368C-11D0-AD81-00A0C90DC8D9} Microsoft Snapshot Viewer for Microsoft Access
Oct-08 {F0E42D60-368C-11D0-AD81-00A0C90DC8D9} Microsoft Snapshot Viewer for Microsoft Access
Oct-08 {F2175210-368C-11D0-AD81-00A0C90DC8D9} Microsoft Snapshot Viewer for Microsoft Access
Oct-08 {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} HusDawg Husdawg System Requirements Lab
Oct-08 {E48BB416-C578-4A62-84C9-5E3389ABE5FC} PhotoStockPlus PhotoStockPlus Uploader Tool
Oct-08 {FA91DF8D-53AB-455D-AB20-F2F023E498D3} Microsoft SQL Report Services Client Printing
Feb-09 {0ECD9B64-23AA-11D0-B351-00A0C9055D8E} Microsoft Hierarchical FlexGrid Control for VB6
Feb-09 {1E216240-1B7D-11CF-9D53-00AA003C9CB6} Microsoft Capicom
Feb-09 {248DD896-BB45-11CF-9ABC-0080C7E7B78D} Microsoft Capicom
Feb-09 {3A2B370C-BA0A-11D1-B137-0000F8753F5D} Microsoft Charts Control for VB6
Feb-09 {4788DE08-3552-49EA-AC8C-233DA52523B9} RIM Blackberry Application Web Loader
Feb-09 {6262D3A0-531B-11CF-91F6-C2863C385E30} Microsoft FlexGrid Control for VB6
Feb-09 {B09DE715-87C1-11D1-8BE3-0000F8754DA1} Microsoft Windows Common Control for VB6
Feb-09 {C932BA85-4374-101B-A56C-00AA003668DC} Microsoft Masked Edit Control for VB6
Feb-09 {CDE57A43-8B86-11D0-B3C6-00A0C90AEA82} Microsoft DataGrid  Control for VB6
Feb-09 {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} Akamai Akamai Download Manager
Jun-09 {00000032-9593-4264-8B29-930B3E4EDCCD} HP Virtual Rooms
Jun-09 {4C39376E-FA9D-4349-BACC-D305C1750EF3} Ebay Enhanced Picture Services
Jun-09 {648A5600-2C6E-101B-82B6-000000000014} Microsoft MSCOMM32.OCX ATL Loader in VB6
Jun-09 {C3EB1670-84E0-4EDA-B570-0B51AAE81679} Ebay Enhanced Picture Services
Jun-09 {D8089245-3211-40F6-819B-9E5E92CD61A2} Microgaming FlashXControl
Jul-09 {011B3619-FE63-4814-8A84-15A194CE9CE3} Microsoft msvidctl.dll
Jul-09 {0149EEDF-D08F-4142-8D73-D23903D21E90} Microsoft msvidctl.dll
Jul-09 {0369B4E5-45B6-11D3-B650-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {0369B4E6-45B6-11D3-B650-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {055CB2D7-2969-45CD-914B-76890722F112} Microsoft msvidctl.dll
Jul-09 {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF} Microsoft msvidctl.dll
Jul-09 {15D6504A-5494-499C-886C-973C9E53B9F1} Microsoft msvidctl.dll
Jul-09 {1BE49F30-0E1B-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {1C15D484-911D-11D2-B632-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {1DF7D126-4050-47F0-A7CF-4C4CA9241333} Microsoft msvidctl.dll
Jul-09 {2C63E4EB-4CEA-41B8-919C-E947EA19A77C} Microsoft msvidctl.dll
Jul-09 {334125C0-77E5-11D3-B653-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {37B0353C-A4C8-11D2-B634-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {37B03543-A4C8-11D2-B634-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {37B03544-A4C8-11D2-B634-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {418008F3-CF67-4668-9628-10DC52BE1D08} Microsoft msvidctl.dll
Jul-09 {4A5869CF-929D-4040-AE03-FCAFC5B9CD42} Microsoft msvidctl.dll
Jul-09 {577FAA18-4518-445E-8F70-1473F8CF4BA4} Microsoft msvidctl.dll
Jul-09 {59DC47A8-116C-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {7F9CB14D-48E4-43B6-9346-1AEBC39C64D3} Microsoft msvidctl.dll
Jul-09 {823535A0-0318-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {8872FF1B-98FA-4D7A-8D93-C9F1055F85BB} Microsoft msvidctl.dll
Jul-09 {8A674B4C-1F63-11D3-B64C-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {8A674B4D-1F63-11D3-B64C-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {9CD64701-BDF3-4D14-8E03-F12983D86664} Microsoft msvidctl.dll
Jul-09 {9E77AAC4-35E5-42A1-BDC2-8F3FF399847C} Microsoft msvidctl.dll
Jul-09 {A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {A2E3074E-6C3D-11D3-B653-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {A2E30750-6C3D-11D3-B653-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE} Microsoft msvidctl.dll
Jul-09 {AD8E510D-217F-409B-8076-29C5E73B98E8} Microsoft msvidctl.dll
Jul-09 {B0EDF163-910A-11D2-B632-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {B64016F3-C9A2-4066-96F0-BD9563314726} Microsoft msvidctl.dll
Jul-09 {BB530C63-D9DF-4B49-9439-63453962E598} Microsoft msvidctl.dll
Jul-09 {C531D9FD-9685-4028-8B68-6E1232079F1E} Microsoft msvidctl.dll
Jul-09 {C5702CCC-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CCD-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CCE-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CCF-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C5702CD0-9B79-11D3-B654-00C04F79498E} Microsoft msvidctl.dll
Jul-09 {C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7} Microsoft msvidctl.dll
Jul-09 {CAAFDD83-CEFC-4E3D-BA03-175F17A24F91} Microsoft msvidctl.dll
Jul-09 {D02AAC50-027E-11D3-9D8E-00C04F72D980} Microsoft msvidctl.dll
Jul-09 {F9769A06-7ACA-4E39-9CFB-97BB35F0E77E} Microsoft msvidctl.dll
Jul-09 {FA7C375B-66A7-4280-879D-FD459C84BB02} Microsoft msvidctl.dll

Leave a comment »

New Microsoft IIS Zero-Day Vulnerability

Today (May 19, 2009) Microsoft released a security advisory for Microsoft IIS Servers. This flaw can enable attackers to read sensitive files on the webserver by submitting a specially crafted URL to the IIS server.

This is only the third vulnerability we’ve seen in IIS since October of 2004 (last issues were Feb 2008 and July 2006) – IIS has been pretty secure over the last few years (unlike the years 2000-2004 where we saw numerous bulletins, patches, and exploitations such as code red and nimda).

This flaw appears to me much more serious for customers running IIS 5 (Windows 2000) because the vulnerable WebDAV services are running by default. IIS6 (Windows Server 2003) doesn’t enable WebDAV by default.

It is unclear what level of access may be granted to an attacker via this exploit as it all depends on how the webserver has been configured and how the file system security has been applied to the data on the webserver. In a default configuration (and I would gather most installations), this flaw might allow the attacker to read certain files on the webserver, but would not allow them to write any files. If the attacker us unable to write any files to the webserver, it’s far less likely that the attacker can upload or execute any malicious code on the server or gain additional levels of access to the server. One note of caution – this flaw could enable attackers to read code pages on the webserver, where these pages might include usernames or passwords for applications or databases controlled by the webserver.

Shavlik recommends people running IIS5 or IIS6 run the IIS Lockdown and URLScan tools from Microsoft. Both of these tools disable WebDAV and will protect your system from this latest zero day.

Leave a comment »

Microsoft releases patch for Powerpoint 0-day flaw

Microsoft patched all Windows versions of Powerpoint today – addressing both a 0-day flaw and 13 other privately reported security vulnerabilities. The 0-day vulnerability enabled attackers to take over client machines if a user opened a malformed powerpoint document or visited an evil website. The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on as a user-level account, then the evil code could only execute with user permissions and not admin permissions).

Microsoft has NOT released a patch at this time for Powerpoint on Mac. They said they weren’t seeing this flaw being executed against Macs and therefore didn’t want to hold up release of this patch for Windows machines while they finished the Mac patch. The patch for Powerpoint on Mac will be released at a later date.

The patches released today include versions of Powerpoint that weren’t flagged as vulnerable to the zero-day as Microsoft also included fixes for 13 additional vulnerabilities that were privately reported. Some of these vulnerabilities impact the newer versions of Powerpoint that were not vulnerable to the 0-day. Included in today’s release are patches for the Powerpoint viewer as well as the full version of Powerpoint.

Security patches for items like Powerpoint are considered ‘client-side’ patches because they can only attack a machine once a user has taken an action on their computer. Typical client-side actions might include opening malicious documents, reading an evil email, or viewing an evil web page. These types of attacks are usually constrained to systems where a user is interactively working on the desktop. Systems which don’t have a lot of user interaction at the desktop, like servers, are usually less susceptible to client-side attacks, though they are just as vulnerable if a user performs one of these actions at the desktop. In most cases, client side exploits only obtain the same level of access on the system as that of the currently logged on user.

Server-side attacks, on the other hand, don’t require user interaction to exploit vulnerabilities. Both workstations and servers are susceptible to server-side attacks. Server-side vulnerabilities leverage flaws in ‘services’ that are running on machines such as web services, file and print services, and networking services (such as TCP/IP or NetBIOS). Because these services are constantly running and are exposed externally on the system, no user interaction is required to interact with these services. This means the exploit can propagate from machine to machine very quickly. SQL Slammer, Nimda, Code Red, and Conficker are all examples of server-side exploitation. In many instances, server-side exploitation leads to administrative or ‘system’ level access on the target computer.

Viruses are a great example of a client-side vulnerability. Because it’s client-side, viruses usually require user interaction in order to spread and are therefoew slower to spread than a Worm. Worms, on the other hand, are representative of server-side exploitation. Since a worm doesn’t require user intervention to spread, it can propagate to other systems very rapidly.

Based on these definitions, today’s Powerpoint release addresses a client-side vulnerability. Its attack vector is dependant upon a user performing an action. As a result, we won’t see rapid propagation of infected systems through this vector (though once a machine is infected, it could launch other attacks using worm-like server side attack mechanisms such as Conficker). Best to patch your client-side systems (where users interact with the desktop) for this issue first, then patch any servers where Powerpoint products may be installed.

Leave a comment »

Excel zero day flaw announced

Microsoft released a security advisory today about a new Excel vulnerability.

This vulnerability impacts all versions of Microsoft Excel from 2000 to 2007.

In order to exploit a system, the attacker needs to entice the user to open a malformed Excel document. If this happens, the attacker can then take any action on the target system under the context of the logged on user. If the logged on user is an administrator, then the attacker can do anything they wish on the system (delete files, reformat the hard drive, steal information from the system, etc.). If the logged on user is a ‘user’ on the system (and not admin), then the attacker has fewer options on the box (read data accessible to the end user, delete data written by the end user, etc.).

Microsoft is researching the issue and will probably create a patch to fix the issue.

This is not unlike any other Microsoft Office vulnerability, except in this instance, knowledge of the vulnerability has been made public before a patch is available. Shavlik encourages users not to open Excel documents from unknown senders or locations.

Leave a comment »

Zero Day vulnerability in Adobe Reader and Adobe Acrobat

A security vulnerability was recently identified in two Adobe products that could allow attackers to take complete control of your system. Opening a malformed PDF document could allow unintended code to execute without the knowledge of the local user. The evil code could do anything on the system, up to the level of access given to the currently logged on user. Security researchers are seeing limited, targeted attacks in the wild. In most instances, the evil PDF file will crash the Adobe application, and in some instances may try and entice users to install a malicious anti-spyware application.

Adobe intends to patch their PDF products starting on March 11, 2009. Until the patch is released, users may protect themselves by disabling JavaScript in their Adobe applications. However, recent research indicates that even this workaround (disabling JavaScript) does not prevent exploitation of this vulnerability.

More info here:
http://blogs.zdnet.com/security/?p=2631

The official Adobe response here:
http://www.adobe.com/support/security/advisories/apsa09-01.html

Leave a comment »

MS08-067 OOB Patch – Conficker – Downadup worm

AV vendor F-Secure estimates that over 8 million systems have been infected with a variant of the Conficker worm known as ‘Downadup’. This worm leverages the security vulnerability addressed by the Microsoft out-of-band patch MS08-067 released in October 2008.

The worm spreads by accessing computers over the NetBIOS\SMB ports 139 and 445. It can also infect computers via malicious code on USB devices. Once a computer is infected it scans the local network looking for other machines to infect. If it can’t propagate to other systems via the vulnerability, it attempts to logon to the admin$ share by brute-forcing username\password combinations until it mounts the hard drive.

Once infected, the worm turns off the Windows Update service – thereby preventing the machine from obtaining the very patch that would have prevented the initial exploitation. The worm also denies Internet access to the websites of many different security vendors. Attempting to go to your AV or security vendor of choice to download detection or removal tools will be blocked by this worm. (The Shavlik domain is not blocked by the worm.) The worm is also known to modify the Windows firewall settings to allow access to the computer via specified ports.

Finally, the worm ‘phones home’ to see if the malware authors have published any instructions to their army of infected ‘zombies’. To date, no instructions have been released, however, there is a concern in the security community that infected machines may be instructed to ‘wake up’ and perform malicious acts at some point in the future.

Users are encouraged to install the MS08-067 patch as soon as possible – recognizing that the built-in windowsupdate agent functionality may not function if the machine has already been infected. Microsoft has also released an updated malicious software removal tool that removes some variants of the Conficker worm.

Additional information about the details of the worm can be found on the F-Secure blog here: http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

Leave a comment »

MS08-078 Emergency IE patch

Microsoft’s latest IE out of band patch release needs to be installed right away. The number of infected websites is growing at an alarming rate – even people visiting legitimate websites are getting hacked with this exploit. Patch it now – just do it.

Why did this come out as an out of band release? It looks like Microsoft was informed of the IE zero day at the same time as everyone else – namely, last Tuesday (patch Tuesday). Based on Microsoft MSRC blog posts, starting on Tuesday, Microsoft studied the exploit and reviewed source code and determined that it impacted all versions of IE. From that point on, it can be assumed that Microsoft has been working quickly on a patch for all versions of IE.

Microsoft had to determine how serious the issue was – as that gave them guidance as to whether or not to release an out of band patch or wait until the next monthly cycle. By late last week, Microsoft was aware that this issue was starting to infect user’s systems at a faster rate than they’ve seen with past zero day exploits. Specifically, attackers were loading the exploit on legitimate websites so that even users who visit only non-nefarious websites might also get infected. Based on this level of data, it’s my belief that Microsoft decided the issue warranted an out of band patch release.

Researching, fixing, testing, and releasing a security patch within an eight day window is an incredible feat – especially given the need to support all versions of IE across all platforms and languages. This is an ‘all hands on deck’ response from Microsoft – I don’t think we’ll see this as the norm for less critical patches in the future as it is quite disruptive to their own processes.

Now, it’s equally as important for customers to roll out this patch to all of their systems as soon as possible. I’d bet you a cookie that many companies can’t get it rolled out as quickly as Microsoft got it built.

Leave a comment »