Tuesday, August 31, 2010

Update on Security Advisory 2269637, Including Microsoft Fix it

Last week, Microsoft released Security Advisory 2269637, which relates to a remote attack vector for a class of vulnerabilities affecting applications that load DLLs in an insecure manner.  As described in the Security Research & Defense blog, the following would need to occur in order for the vulnerability to be exploited:
"this class of vulnerabilities could allow malicious code to run if an attacker can convince a victim to do the following:
  • Browse to a malicious, untrusted WebDAV server in the Internet Zone; and
  • Double-click a file that appears by its extension and icon to be safe"
    Jerry Bryant explained at the MSRC Blog in Update on Security Advisory 2269637 that Microsoft plans to address the affected Microsoft products, primarily in the form of security updates or defense-in-depth updates.

    It is important to keep in mind that while Microsoft continues to investigate which of its own products are impacted by the vulnerability, many third-party applications are also affected (see DLL Hijacking (KB 2269637) – the unofficial list by Peter Van Eeckhoutte).  It is up to those vendors to provide patches for their affected software, which may take some time or, as Jerry Bryant indicated, may not be possible.  As a result, the Microsoft Fix it Team has developed a Fix it solution that enables the Microsoft-recommended setting, which blocks most network-based vectors.


    Steps:
    1. Download and then install update 2264107, available from the bottom of the page at KB 2264107.
    2. From the same page, click the Fix it button or link under the Enable this fix it heading. Click Run in the File Download dialog box, and then follow the steps in the Fix it wizard.

    The Fix it solution deploys the registry entry that is needed to block nonsecure DLL loads from WebDAV and SMB locations.
    Note:  The tool protects against DLL preloading only; it does not protect against applications that launch .exe files without a fully qualified path.  As stated previously, the software vendors will be required to update those applications accordingly.


    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Advisory, Vulnerabilities, Information, Fix it, How to,


    Remember - "A day without laughter is a day wasted."
    May the wind sing to you and the sun rise in your heart...

    Thursday, August 26, 2010

    Protection From DLL Vulnerability with WinPatrol PLUS

    The day after Microsoft released Security Advisory 2269637 (relating to a remote attack vector for a class of vulnerabilities affecting applications that load DLLs in an insecure manner), the first exploits were released. These exploits were identified as targeting programs including Firefox, the uTorrent BitTorrent client, and Microsoft PowerPoint. As reported by Peter Van Eeckhoutte in DLL Hijacking (KB 2269637) – the unofficial list, the list is much longer now and includes many well-known applications.

    The MSRC Blog reported that Microsoft is conducting investigations into how this vector may affect Microsoft products. In addition, Microsoft released KB Article 2264107, which includes a new CWDIllegalInDllSearch registry entry to control the DLL search path algorithm:
    "The update allows the administrator to define the following on a system-wide or a per-application basis:
    • Remove the current working directory from the library search path.
    • Prevent an application from loading a library from a WebDAV location.
    • Prevent an application from loading a library from both a WebDAV, as well as a remote UNC location."
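    The same registry entry can be inspected and set directly from an elevated PowerShell prompt. The script below is an added example, not code from KB 2264107, the Fix it or this post: it reads the system-wide CWDIllegalInDllSearch value, labels it using the three settings quoted above, lists any per-application overrides, and can set the value either system-wide or for one program through its Image File Execution Options key (the per-application location the KB documents). The mapping of the values 1, 2 and 0xFFFFFFFF to those settings is taken from the KB; the specific value the Fix it deploys is not reproduced here, and nothing takes effect until update 2264107 itself is installed.

```powershell
# Added example: audit and set the CWDIllegalInDllSearch mitigation from KB 2264107.
# The value only has an effect once update 2264107 is installed; writing HKLM needs an elevated prompt.

$SystemKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey   = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

# Meanings as documented in KB 2264107. 0xFFFFFFFF is a DWORD, which PowerShell reads back as -1.
$Meaning = @{
    0  = 'default: the current working directory is searched for DLLs'
    1  = 'block DLL loads from the current working directory when it is a WebDAV folder'
    2  = 'block DLL loads from the current working directory when it is a WebDAV or remote UNC folder'
    -1 = 'remove the current working directory from the DLL search order entirely'
}

function Get-CwdIllegalInDllSearch {
    # Returns the value at $KeyPath, or $null when it is not set (default search order applies).
    param([string]$KeyPath = $SystemKey)
    $v = [Microsoft.Win32.Registry]::GetValue($KeyPath, $ValueName, $null)
    if ($null -eq $v) { return $null }
    return [int]$v
}

function Set-CwdIllegalInDllSearch {
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2, -1)][int]$Value,
        [string]$Executable      # e.g. 'utorrent.exe' for a per-application override; omit for system-wide
    )
    $keyPath = if ($Executable) { "$IfeoKey\$Executable" } else { $SystemKey }
    # RegistryValueKind.DWord with an Int32 of -1 is stored as 0xFFFFFFFF, exactly as the KB specifies.
    [Microsoft.Win32.Registry]::SetValue($keyPath, $ValueName, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
}

function Show-DllSearchMitigation {
    $sys   = Get-CwdIllegalInDllSearch
    $label = if ($null -eq $sys) { 'not set' } else { "$sys ($($Meaning[$sys]))" }
    "System-wide ${ValueName}: $label"
    # Per-application values live under IFEO\<exe name> and override the system-wide setting for that program.
    Get-ChildItem "Registry::$IfeoKey" -ErrorAction SilentlyContinue | ForEach-Object {
        $app = Get-CwdIllegalInDllSearch -KeyPath "$IfeoKey\$($_.PSChildName)"
        if ($null -ne $app) { "  $($_.PSChildName): $app ($($Meaning[$app]))" }
    }
}

Show-DllSearchMitigation
# Set-CwdIllegalInDllSearch -Value 2                            # system-wide: block WebDAV and remote UNC
# Set-CwdIllegalInDllSearch -Value 2 -Executable 'utorrent.exe' # one application only
```

    A per-application value is the way to cover a program from the unofficial list that has no vendor fix yet. Note the limit of the mitigation: setting 2 blocks the WebDAV and remote UNC vectors, but a DLL planted in a local folder next to a document (a USB stick, a download directory) is still loaded; only the vendor fixing the application to load its libraries by fully qualified path removes that case.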
    That may be fine for IT Professionals, but what about home computer users? If, like me, you use WinPatrol PLUS, you have at your fingertips a simple method of adding protection from the DLL (CWDIllegalInDllSearch) vulnerability. Bill Pytlovany added the entries to include in WinPatrol Registry Monitoring Scripts. With this simple entry, WinPatrol will notify you if anything tries to create this value or change it from the value you set.

    Edit Note: The instructions have been updated following the question by ky331 and the response by Bill Pytlovany after his discussions with some folks at Microsoft. (See the Comments below.)

    The steps are simple. Start by launching WinPatrol, select the "Registry Monitoring" tab and click Add. A new window will open to add the item to be monitored:

  • Registry Key: In the Registry Key selection drop-down, make sure HKEY_LOCAL_MACHINE is selected.
  • Type or copy/paste the following in the space provided under Registry Key:
    SYSTEM\CurrentControlSet\Control\Session Manager
  • Name: In the Name space, type or copy/paste CWDIllegalInDllSearch
  • Value: In the space for Value, type 1 (the number one).
  • Value Type: In the drop-down box, select REG_DWORD
  • Click the Add button.


    It is that simple with WinPatrol PLUS! Unemployed and unable to afford a license? Be sure to check out WinPatrol Supports Unemployed Job Seekers.





    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, WinPatrol, Information, Advisory, Vulnerabilities, How-to, WinPatrol,





    Tuesday, August 24, 2010

    Microsoft Security Advisory 2269637 Released


    Microsoft released Security Advisory 2269637, which relates to a remote attack vector for a class of vulnerabilities affecting applications that load DLLs in an insecure manner.

    Microsoft is conducting investigations into how this vector may affect Microsoft products. In the meantime, both the Security Advisory and the SR&D blog have information for IT Pros, as well as an update that adds a registry setting which can be configured to disable the loading of libraries from network shares. See Knowledge Base article 2264107.

    Although the above addresses networks, what danger is there to home computer users? The people most likely to be impacted are those who use P2P file-sharing programs such as uTorrent. The Mitigating Factors in the Security Advisory are pertinent in this regard.
    This issue only affects applications that do not load external libraries securely.

    For an attack to be successful, a user must visit an untrusted remote file system location or WebDAV share and open a document from this location that is then loaded by a vulnerable application.
    P2P programs form a direct conduit on to your computer. They have always been a target of malware writers. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

    With P2P file sharing, what means do you have of identifying or authenticating the source of the download? In addition, a file can be distributed among many hosts, and peers will provide for download the sections that they have already downloaded. This results in the distinct possibility of a distribution method in which malicious bits are mixed with good files.

    Computers are expensive. Protect your investment. Only download programs from reputable websites and do not use P2P file-sharing software programs.



    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Advisory, Vulnerabilities, Information,





    Monday, August 23, 2010

    Firefox Extension: Team Cymru's MHR 1.1

    A number of people I know have no use for Twitter, some going out of their way to point out the security risks. However, I have found that with care in who you follow and the information shared, Twitter can be a valuable resource.

    It was through Twitter that I found the new Team Cymru MHR 1.1 Firefox extension. The purpose of the extension is to check the hash of a downloaded file against Team Cymru's Malware Hash Registry, which reports whether multiple anti-virus and anti-malware products detect it, directly from the Firefox download window. All you need do is click "Check MHR" shown under the time in the download window:


    Note: This extension does not replace your antivirus software. Rather, it is a supplement. In the event the download is identified as malware, it can be deleted rather than installed.

    With further investigation, I discovered an article by Brian Krebs about a similar tool. See WinMHR: (Re)Introducing the Malware Hash Registry. Correction: Brian's article is not about the Firefox extension but rather about a similar tool expected to be released later this month. Edited appropriately.

    For those interested in more information about Team Cymru (pronounced "kum-ree") see About Us - Team Cymru.
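    As an added example (not the extension's code, which the post does not show), the PowerShell below performs the same lookup by hand against Team Cymru's public Malware Hash Registry. The public service answers DNS TXT queries for <md5-or-sha1>.malware.hash.cymru.com with the last-seen Unix time and the percentage of anti-virus engines that detect the sample, and returns NXDOMAIN for a hash it has never seen; that interface is assumed knowledge of the service rather than something stated in the post. The answer string used for the offline parse is constructed, and the live lookup needs network access plus Resolve-DnsName (Windows 8 / Server 2012 or later; on older systems substitute nslookup -type=TXT).

```powershell
# Added example: look up a downloaded file in Team Cymru's Malware Hash Registry (MHR) over DNS.
# Query: <md5-or-sha1 hex>.malware.hash.cymru.com, type TXT.
# Answer: "<last-seen unix time> <percent of AV engines detecting>"; NXDOMAIN means never seen.

$MhrZone = 'malware.hash.cymru.com'

function Get-FileHashHex {
    param([Parameter(Mandatory)][string]$Path,
          [ValidateSet('MD5', 'SHA1')][string]$Algorithm = 'SHA1')
    # Uses .NET directly so it also works on PowerShell 2/3, which lack Get-FileHash.
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $algo.ComputeHash($stream) } finally { $stream.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

function ConvertFrom-MhrAnswer {
    # Parses one TXT string, e.g. "1283212800 79", into an object. The sample answer below is constructed.
    param([Parameter(Mandatory)][string]$Txt)
    $parts = $Txt.Trim() -split '\s+'
    if ($parts.Count -lt 2) { throw "Unexpected MHR answer: '$Txt'" }
    $epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    [pscustomobject]@{
        Known     = $true
        LastSeen  = $epoch.AddSeconds([long]$parts[0])
        Detection = [int]$parts[1]      # percent of engines that flagged the sample
    }
}

function Get-MhrVerdict {
    param([Parameter(Mandatory)][string]$Path, [string]$Algorithm = 'SHA1')
    $hash = Get-FileHashHex -Path $Path -Algorithm $Algorithm
    $name = "$hash.$MhrZone"
    try {
        $txt = (Resolve-DnsName -Name $name -Type TXT -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' } | Select-Object -First 1).Strings -join ' '
        $verdict = ConvertFrom-MhrAnswer -Txt $txt
    } catch {
        # With -ErrorAction Stop, NXDOMAIN is a terminating error: the hash is not in the registry.
        $verdict = [pscustomobject]@{ Known = $false; LastSeen = $null; Detection = 0 }
    }
    $verdict | Add-Member -NotePropertyName Hash -NotePropertyValue $hash -PassThru
}

# Offline check of the parser on a constructed answer:
ConvertFrom-MhrAnswer -Txt '1283212800 79'
# Live lookup of a download (needs network and Resolve-DnsName):
# Get-MhrVerdict -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

    A high detection percentage means many engines already flag the file. A hash that is absent from the registry is not a clean bill of health; it only means nobody has submitted that exact file, which is why the extension supplements rather than replaces antivirus software.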


    Clubhouse Tags: Clubhouse, Security, How-to, Firefox, Mozilla, Information



    How to Disable DOM Storage "Cookies"

    Many people are fanatical about managing the cookies stored on their computer, to the extent of clearing the browsing history following each session. DOM Storage does not store "cookies" per se, but rather per-session or domain-specific data; the term cookie, however, is what consumers generally associate with any data stored by the websites they visit.

    As described in the MSDN Library article, Introduction to DOM Storage:
    "DOM Storage is often compared to HTTP cookies. Like cookies, Web developers can store per-session or domain-specific data as name/value pairs on the client using DOM Storage. However, unlike cookies, DOM Storage makes it easier to control how information stored by one window is visible to another."
    DOM Storage is comprised of two primary parts:

    In Session Storage, data is stored for the duration of the session in that window or tab. If a new tab is opened from the page, the original tab's session data is copied to the new tab, but the two copies are independent from then on.

    Local Storage spans multiple windows and persists beyond the current session. Local Storage allows Web applications to store up to 10 MB of user data, which could include data stored offline for later reading.

    The referenced MSDN Library article provides examples and more detailed information on both Session Storage and Local Storage.

    Disable DOM Storage

    It is easy to disable DOM storage "cookies" by following the simple instructions I obtained from Fred de Vries.

    Internet Explorer
    • Launch Internet Explorer 8 and open the Tools Menu
    • Select 'Internet Options'
    • Click the 'Advanced' tab
    • Scroll down until you reach ‘Security’
    • Uncheck ‘Enable DOM Storage’
    • Click 'Ok'

    Mozilla Firefox
    • Launch Firefox and type about:config in the address bar
    • Click "I'll be careful, I promise!" to the warning
    • Scroll down until you reach ‘dom.storage.enabled’ or copy/paste dom.storage.enabled in the filter
    • Double-click the line item and it will change from its default value ‘True’ to ‘False’
    • Close the about:config tab
    To undo the change, simply reverse the above steps.
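    For anyone who would rather script the Firefox change, here is an added PowerShell example (not from the original post or from Fred de Vries) that writes the same dom.storage.enabled preference into each profile's user.js, which Firefox reads at start-up and applies over the value shown in about:config. It assumes the default profile location under %APPDATA%\Mozilla\Firefox\Profiles and refuses to run while Firefox is open, because Firefox rewrites its preference files on exit; the Internet Explorer setting is left to the Internet Options steps above.

```powershell
# Added example: disable (or re-enable) DOM Storage in every Firefox profile via user.js.
# user.js is applied each time Firefox starts, so it overrides whatever about:config currently shows.

$ProfilesRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'   # assumed default location
$PrefName     = 'dom.storage.enabled'

function Set-FirefoxUserPref {
    param(
        [Parameter(Mandatory)][string]$ProfileDir,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Value
    )
    $userJs  = Join-Path $ProfileDir 'user.js'
    $line    = 'user_pref("{0}", {1});' -f $Name, $Value.ToString().ToLower()
    $pattern = '^\s*user_pref\("{0}"' -f [regex]::Escape($Name)
    $lines   = @()
    if (Test-Path $userJs) {
        # Drop any existing line for this pref so the file never carries two conflicting entries.
        $lines = @(Get-Content $userJs | Where-Object { $_ -notmatch $pattern })
    }
    Set-Content -Path $userJs -Value ($lines + $line)
    return $line
}

function Set-FirefoxDomStorage {
    param([bool]$Enabled = $false)
    if (-not (Test-Path $ProfilesRoot)) { Write-Warning "No Firefox profiles under $ProfilesRoot"; return }
    if (Get-Process firefox -ErrorAction SilentlyContinue) { throw 'Close Firefox first; it rewrites prefs on exit.' }
    Get-ChildItem $ProfilesRoot -Directory | ForEach-Object {
        $written = Set-FirefoxUserPref -ProfileDir $_.FullName -Name $PrefName -Value $Enabled
        "$($_.Name): $written"
    }
}

Set-FirefoxDomStorage -Enabled $false      # disable DOM Storage; run with -Enabled $true to undo
```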



    , Privacy, Information




    Sunday, August 22, 2010

    WinPatrol Supports Unemployed Job Seekers


    Once again, Bill Pytlovany, Microsoft MVP and the developer of my favorite Windows security software program, illustrates his caring for the Windows community. Through the end of August, 2010, Bill is generously providing a free WinPatrol PLUS license to people who are unemployed. As Bill explains,

    "For someone looking for a new job, a computer is a must have tool. Unfortunately, they’re also the targets of scam artists who take advantage of folks who need help the most."

    Unlike other promotions or discounts offered by vendors, this offer is not limited to the U.S. but is open worldwide. To be eligible for a free WinPatrol PLUS license, you need only provide proof of unemployment benefits or similar reasonable proof of unemployment. For complete information, see Bill's post at Bits from Bill: Free Security for People Looking for Work.

    I hope other software vendors take up Bill's challenge to do the same!

    If you are fortunate to be included among the people who are gainfully employed, consider supporting Bill's generous gesture with a one-time purchase of a WinPatrol PLUS license.


    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, WinPatrol, Information,





    Beware: Fake Microsoft Security Essentials Rogue

    Further evidence of the increasing popularity of Microsoft Security Essentials (MSE) is the new five-in-one rogue reported by Microsoft MVP Lawrence Abrams of Bleeping Computer. As illustrated by the screen capture from Bleeping Computer, this rogue disguises itself as an alert from MSE.

    Description by Bleeping Computer:

    "The fake Microsoft Security Essentials Alert is a Trojan that attempts to trick you into thinking you are infected so that you will then install and purchase one of 5 rogue anti-virus programs that it is distributing. When the Trojan is run it will masquerade as an alert from the legitimate Windows Microsoft Security Essentials Program anti-virus program. This alert will be titled Microsoft Security Essentials Alert and states that a Trojan was detected on your computer. It will list this Trojan as Unknown Win32/Trojan and state that it is a severe infection. It will then prompt you to clean your computer using the program in order to remove it. When you click on the Clean Computer or Apply actions button, it will state that it was unable to remove it and then prompt you to scan online. If you click on the Scan Online button it will list 35 different anti-virus programs, 30 of which are legitimate anti-virus programs and 5 that are rogues that the Trojan is distributing. These five rogue programs are:

    • Red Cross Antivirus
    • Peak Protection 2010
    • Pest Detector 4.1
    • Major Defense Kit
    • AntiSpySafeguard or AntiSpy Safeguard

    During this fake online scan only the 5 fake anti-virus programs listed above will state that this supposed Trojan is an infection. It does this to scare you into clicking the Free Install button next to them that will install the rogue program onto your computer and then reboot your computer. It should be noted that Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard, and AntiSpy Safeguard that this Trojan is distributing are exactly the same."

    In the event you or someone you know is fooled by this rogue, detailed removal instructions are available at Remove the Fake Microsoft Security Essentials Alert Trojan.

    Follow-up Actions:
    • If additional assistance is needed to clean the computer, follow the posting instructions at one of these sites that provide Malware Removal Help.
    • Review the 4 Steps to Protect Your Computer and check that third-party programs such as Adobe Flash, Adobe Reader and Java are up-to-date.

    , Rogue, Fraud




    Saturday, August 21, 2010

    Devastating Results from E-mail Scam

    Graham Cluley reported a devastating story about 67-year-old Al Circelli, who committed suicide after losing $50,000 to West African romance scammers.

    "Circelli's son Peter says he stumbled across evidence that his late father had wired considerable amounts of money to Ghana, and discovered email messages and photos on his father's laptop supposedly from a woman called Aisha, who wanted to come to the USA to begin a new life and promised to bring a small fortune with her

    According to media reports, "Aisha" needed money to be sent to her in Ghana via Western Union to pay for expenses - and when Circelli ran out of his own money, he took out credit cards in his son's name and stopped making mortgage payments.

    Peter Circelli says that his father committed suicide on the day that "Aisha" was due to arrive in the USA but, of course, she never showed up. Bizarrely, an email message has been found on the dead man's laptop from a Ghanaian intermediary in the money transactions claiming that "Aisha" had also killed herself."

    Let this be a wake-up call to anyone who has gullible family members. Make certain that they understand phishing and similar e-mail scams. Natural disasters, elections, tax time and holidays all result in a spew of new scams. Be sure to educate your family.

    In addition to the references below, additional tips and information on phishing are available in these Security Garden posts.



    , Phishing, Fraud




    Adobe Reader and Acrobat Critical Security Updates


    Adobe released an out-of-cycle security update to address the critical security issues in CVE-2010-2862 (discussed at the recent Black Hat USA 2010 security conference) and vulnerabilities addressed in the August 10 Adobe Flash Player update as noted in Security Bulletin APSB10-16.


    Release date: August 19, 2010
    Vulnerability identifier: APSB10-17
    CVE numbers: CVE-2010-2862, CVE-2010-1240
    Platform: All Platforms

    Acrobat and Reader users can update to the latest version, 9.3.4, using the built-in updater, by clicking "Help" and then "Check for Updates." The Adobe Reader update for Windows is also available from the Adobe download page. As usual, UNCHECK the optional "McAfee Security Scan Plus" box offered on that page. It is not needed for the update!

    The next quarterly security updates for Adobe Reader and Acrobat is scheduled for October 12, 2010.



    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,




    Have You Updated Java?

    Even if your computer has all Microsoft security updates installed, have you checked for updates to third-party software recently? An important update you may have missed was Oracle's Update 20 for Java SE JDK 6 and Java SE JRE 6.

    According to the MMPC Blog report:
    "Infection can occur when a user visits a webpage that hosts a malicious Java applet. If the user’s browser runs a vulnerable version of the Java Runtime Environment (up to version 6 update 18), exploitation may be successful and malware may be installed."
    Microsoft is detecting malicious applets that exploit this vulnerability. The current version of Java is SE JRE 6 Update 21.

    The first step is to check the Java Version installed: http://www.java.com/en/download/help/testvm.xml. (Edit Note: Link corrected. Thanks, Gof.)

    Next, download the update: Java SE Runtime Environment 6u21
    Note: UNcheck any pre-checked toolbar and/or software options presented with the update. They are not part of the software update and are completely optional.
    Please check Add/Remove Programs to ensure that you have uninstalled all prior (and vulnerable) versions of Sun Java.



    Clubhouse Tags: Clubhouse, Security, Vulnerabilities, Updates, Java



    Tuesday, August 10, 2010

    Adobe Flash Player Security Update


    An Adobe Security Bulletin has been posted to address critical security issues in Adobe Flash Player and Adobe Air.

    Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, the direct download links are as follows:

    If you use the Adobe Flash Player Download Center, be careful to UNCHECK the optional "McAfee Security Scan Plus" box. It is not needed for the Flash Player update!

    Verify Installation:

    To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. Do this for each browser installed on your computer.

    Verify the version of Adobe AIR installed on your system in the Adobe AIR TechNote.
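    The three update posts above (Adobe Reader and Acrobat, Java, and Flash Player) each end with "check which version you have". As an added example, not from Adobe, Oracle or the original posts, the PowerShell audit below reports every installed Java runtime, both Flash Player binaries and the Adobe Reader version, and flags anything older than the fixed releases named in those posts (Java 6 Update 21, Flash Player 10.1.82.76, Reader 9.3.4). It reads the JavaSoft registry keys, the Flash binaries under System32\Macromed\Flash (and SysWOW64 on 64-bit Windows) and the Uninstall registry keys; the minimum versions are assumptions taken from the posts and should be raised as later updates ship.

```powershell
# Added example: audit Java, Flash Player and Adobe Reader against the fixed releases named in these posts.
# The minimums are assumptions taken from the posts; raise them as new updates ship.

$Minimum = @{
    Java   = [version]'1.6.0.21'    # Java SE 6 Update 21 (JavaSoft key "1.6.0_21")
    Flash  = [version]'10.1.82.76'  # APSB10-16
    Reader = [version]'9.3.4'       # APSB10-17
}

function Get-InstalledJava {
    # Each runtime registers a subkey named like "1.6.0_21"; 32-bit runtimes on 64-bit Windows sit under
    # Wow6432Node. More than one subkey means older, still-vulnerable runtimes were never uninstalled.
    $roots = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
             'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
    foreach ($root in $roots) {
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.PSChildName -match '^(\d+)\.(\d+)\.(\d+)_(\d+)$') {
                $v = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
                [pscustomobject]@{ Product = 'Java'; Version = $v; Detail = "$root\$($_.PSChildName)" }
            }
        }
    }
}

function Get-InstalledFlash {
    # The ActiveX control (*.ocx, Internet Explorer) and the NPAPI plugin (NPSWF*.dll, Firefox and others)
    # are separate binaries and are patched separately, hence the post's "do this for each browser".
    $dirs = "$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash"
    foreach ($dir in $dirs) {
        Get-ChildItem $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '*.ocx' -or $_.Name -like 'NPSWF*.dll' } |
            ForEach-Object {
                $fi = $_.VersionInfo   # FileVersion text uses commas ("10,1,82,76"), so use the numeric parts
                $v  = New-Object version $fi.FileMajorPart, $fi.FileMinorPart, $fi.FileBuildPart, $fi.FilePrivatePart
                [pscustomobject]@{ Product = 'Flash'; Version = $v; Detail = $_.FullName }
            }
    }
}

function Get-InstalledReader {
    # Installed programs record DisplayName/DisplayVersion under the Uninstall keys (both registry views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Reader*' } |
        ForEach-Object {
            [pscustomobject]@{ Product = 'Reader'; Version = ($_.DisplayVersion -as [version]); Detail = $_.DisplayName }
        }
}

function Test-ThirdPartyUpdates {
    $found = @(Get-InstalledJava) + @(Get-InstalledFlash) + @(Get-InstalledReader)
    foreach ($f in $found) {
        $min    = $Minimum[$f.Product]
        $status = if ($null -eq $f.Version) { 'UNKNOWN' } elseif ($f.Version -lt $min) { 'OUTDATED' } else { 'ok' }
        $f | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}

Test-ThirdPartyUpdates | Format-Table Product, Version, Status, Detail -AutoSize
```

    More than one JavaSoft subkey is exactly the condition the Java post warns about: the older runtimes are still on disk and still exploitable until removed through Add/Remove Programs. The Flash rows list the ActiveX control and the NPAPI plugin separately, so an Internet Explorer that is current does not hide a Firefox plugin that is not.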

    Details from Security Bulletin APSB10-16:

    Release date: August 10, 2010

    Vulnerability identifier: APSB10-16

    CVE number: CVE-2010-0209, CVE-2010-2188, CVE-2010-2213, CVE-2010-2214, CVE-2010-2215, CVE-2010-2216

    Platform: All Platforms

    Summary

    Critical vulnerabilities have been identified in Adobe Flash Player version 10.1.53.64 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

    Adobe recommends users of Adobe Flash Player 10.1.53.64 and earlier versions update to Adobe Flash Player 10.1.82.76. Adobe recommends users of Adobe AIR 2.0.2.12610 and earlier versions update to Adobe AIR 2.0.3.

    Affected software versions

    • Adobe Flash Player 10.1.53.64 and earlier versions for Windows, Macintosh, Linux, and Solaris
    • Adobe AIR 2.0.2.12610 and earlier versions for Windows, Macintosh and Linux


    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,




    August 2010 Security Bulletin Release


    Microsoft released fourteen security bulletins today. Eight have a maximum severity rating of Critical with the other six having a maximum severity rating of Important.

    Note, however, as illustrated in the excellent table provided by the Security Research & Defense Blog, that the bulletins do not affect all operating systems/products.

    The Malicious Software Removal Tool (MSRT) has been updated to include the following list of new malware:
    Although none of the vulnerabilities addressed below has been observed under exploit in the wild, they are identified in the MSRC Blog as high-priority deployments:
    • MS10-052 This bulletin resolves a privately reported vulnerability in Microsoft's MPEG Layer-3 audio codecs. The vulnerability could allow remote code execution if a user opens a specially crafted media file or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
    • MS10-055 This bulletin resolves a privately reported vulnerability in Cinepak Codec, which is used by Windows Media Player to support the .avi audiovisual format. The vulnerability could allow remote code execution if a user opens a specially crafted media file, or receives specially crafted streaming content from a Web site. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.
    • MS10-056 This bulletin resolves four privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens or previews a specially crafted RTF e-mail message. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Windows Vista and Windows 7 are less exploitable due to additional heap mitigation mechanisms in those operating systems.
    • MS10-060 This bulletin resolves two privately reported vulnerabilities, both of which could allow remote code execution, in Microsoft .NET Framework and Microsoft Silverlight.
    Microsoft is also releasing Microsoft Security Advisory (2264072) and closing Security Advisory 977377.

    For complete details, see the references listed below.



    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,




    Thursday, August 05, 2010

    August 2010 Bulletin Release Advance Notification

    On August 10, 2010 Microsoft is planning to release fourteen (14) new security bulletins. Eight of the bulletins are currently rated as critical and six are rated as important.

    In addition, Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool. It will be available on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

    Bulletin ID   Maximum Severity Rating and Vulnerability Impact   Restart Requirement   Affected Software
    Bulletin 1    Critical, Remote Code Execution                    Requires restart      Microsoft Windows
    Bulletin 2    Critical, Remote Code Execution                    Requires restart      Microsoft Windows
    Bulletin 3    Critical, Remote Code Execution                    May require restart   Microsoft Windows
    Bulletin 4    Critical, Remote Code Execution                    Requires restart      Microsoft Windows, Internet Explorer
    Bulletin 5    Critical, Remote Code Execution                    Requires restart      Microsoft Windows
    Bulletin 6    Critical, Remote Code Execution                    May require restart   Microsoft Windows
    Bulletin 7    Critical, Remote Code Execution                    May require restart   Microsoft Office
    Bulletin 8    Critical, Remote Code Execution                    May require restart   Microsoft Windows, Microsoft Silverlight
    Bulletin 9    Important, Elevation of Privilege                  Requires restart      Microsoft Windows
    Bulletin 10   Important, Elevation of Privilege                  Requires restart      Microsoft Windows
    Bulletin 11   Important, Remote Code Execution                   May require restart   Microsoft Windows
    Bulletin 12   Important, Remote Code Execution                   May require restart   Microsoft Office
    Bulletin 13   Important, Elevation of Privilege                  Requires restart      Microsoft Windows
    Bulletin 14   Important, Elevation of Privilege                  May require restart   Microsoft Windows







    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Updates, Vulnerabilities, Information,






    Monday, August 02, 2010

    Critical Out-of-Band Update Released for MS10-046

    Microsoft released Security Bulletin MS10-046 out-of-band to address a vulnerability in Windows. The security update is identified as critical and addresses a vulnerability in the handling of shortcuts. The vulnerability affects all currently supported versions of Windows XP, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.

    A restart is required to complete the installation of the update.


    Notes:
    1. If you installed the workaround provided by Microsoft Fix it 50486, you can undo the changes made by the Fix it solution by using Microsoft Fix it 50487, available in Microsoft KB 2286198.

    2. If you deployed the workaround via Group Policy, as illustrated by Microsoft MVP Alan Burchill in How to workaround KB2286198 Shortcut Icon security issues with Group Policy, you will want to reverse the changes after installing the update.

    3. It may be necessary to check with other vendors who released a workaround if you have issues after the update.

    Please install this critical update as soon as possible.
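    As an added check, not from the bulletin or this post, the PowerShell below confirms that the MS10-046 update (KB2286198) is recorded as installed and that the shortcut icon handler which the Security Advisory 2286198 workaround blanked out has been restored. The workaround documented in that advisory removed the (Default) value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler (and the piffile equivalent); the CLSID the script expects there is the Windows Shell Link handler, which is assumed knowledge rather than something stated on this page. Fix it 50487 remains the supported way to undo Fix it 50486; the Restore function is for systems where the workaround was applied by hand or by policy.

```powershell
# Added example: verify MS10-046 is installed and the shortcut icon handler workaround has been reverted.

$Kb             = 'KB2286198'
$ShellLinkClsid = '{00021401-0000-0000-C000-000000000046}'   # Windows Shell Link handler (assumed known)
$HandlerKeys    = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
                  'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'

function Test-Ms10046Installed {
    # Get-HotFix lists updates recorded by Windows Update / WUSA; no result means the update is absent.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-IconHandlerState {
    foreach ($key in $HandlerKeys) {
        $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $state = if ($null -eq $default -or $default -eq '') { 'WORKAROUND STILL APPLIED (shortcut icons disabled)' }
                 elseif ($default -ieq $ShellLinkClsid)      { 'restored' }
                 else                                        { "unexpected handler $default" }
        [pscustomobject]@{ Key = $key; Handler = $default; State = $state }
    }
}

function Restore-IconHandler {
    # Only run this after Test-Ms10046Installed returns True: re-enabling shortcut icons on an
    # unpatched system reopens the vulnerability. Needs an elevated prompt.
    if (-not (Test-Ms10046Installed)) { throw "$Kb is not installed; leave the workaround in place." }
    foreach ($key in $HandlerKeys) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $ShellLinkClsid
    }
}

"MS10-046 ($Kb) installed: $(Test-Ms10046Installed)"
Get-IconHandlerState | Format-Table -AutoSize
# Restore-IconHandler   # after the update is confirmed installed
```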

    From the Bulletin:

    MS10-046 -- Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

    This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Clubhouse Tags: Clubhouse, Microsoft, Windows, Security, Vulnerabilities, Information,


