Microsoft Black Tuesday Overview
Overview of the November 2006 Microsoft patches and their status.
| # | Affected | Contra Indications | Known Exploits | Microsoft rating | ISC rating(*) | |
|---|---|---|---|---|---|---|
| clients | servers | |||||
| MS06-066 | Netware client services - remote code execution & DoS CVE-2006-4688 CVE-2006-4689 |
No known problems KB 923980 |
PoC exploits available in for pay program |
Important | Less Urgent | Less Urgent |
| MS06-067 | Internet Explorer - remote code execution CVE-2006-4446 CVE-2006-4777 CVE-2006-4687 |
No known problems KB 922760 |
Actively exploited on websites in the wild websense |
Critical | PATCH NOW | Important |
| MS06-068 | Microsoft Agent - remote code execution CVE-2006-3445 |
No known problems KB 920213 |
No known exploits |
Critical | Critical | Less Urgent |
| MS06-069 | Adobe flash player - remote code execution CVE-2006-3014 CVE-2006-3311 CVE-2006-3587 CVE-2006-3588 CVE-2006-4640 |
No known problems KB 923789 |
No known exploits |
Critical | Critical | Less Urgent |
| MS06-070 | Workstation service - remote code execution CVE-2006-4691 |
No known problems KB 924270 |
Vulnerability details are public ; Exploit publicly available |
Critical |
Critical (**) |
Critical (**) |
| MS06-071 | XML Core services CVE-2006-5745 |
No known problems KB 928088 also: KB 927977 KB 927978 |
Exploits publicly available |
Critical | PATCH NOW | Important |
We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
- We use 4 levels:
- PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
- Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
- Important: Things where more testing and other measures can help.
- Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
- The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
- The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
- Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
- All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
--
Swa Frantzen -- Section 66
Keywords: mspatchday
0 comment(s)
Critical security vulnerability in WinZip 10
WinZip Computing released a new build of WinZip 10 that fixes a critical security vulnerability in this popular ZIP program.
The vulnerability exists in an ActiveX component that is shipped with WinZip 10 only (so if you are running previous versions of WinZip you are not affected by this vulnerability). This ActiveX component is marked safe for scripting which means that a remote attacker can exploit it if you visit a web page hosting the exploit.
Build 7245 of WinZip 10 is available at http://www.winzip.com/wz7245.htm. If you, for some reason, can not upgrade, you should disable the affected ActiveX control (WZFILEVIEW.FileViewCtrl.61) ? its CLSID is A09AE68F-B14D-43ED-B713-BA413F034904.
UPDATE:
MS06-067 (http://isc.sans.org/diary.php?storyid=1854) actually disables this vulnerability. Beside the other things that this update does, it also sets the kill bits for vulnerable ActiveX components.
Thanks to Carl for spotting this.
UPDATE 2:
Couple of exploits for this vulnerability have been already released, so be sure to either patch WinZip or install MS06-067.
Thanks to Juha-Matti for sending information about this.
The vulnerability exists in an ActiveX component that is shipped with WinZip 10 only (so if you are running previous versions of WinZip you are not affected by this vulnerability). This ActiveX component is marked safe for scripting which means that a remote attacker can exploit it if you visit a web page hosting the exploit.
Build 7245 of WinZip 10 is available at http://www.winzip.com/wz7245.htm. If you, for some reason, can not upgrade, you should disable the affected ActiveX control (WZFILEVIEW.FileViewCtrl.61) ? its CLSID is A09AE68F-B14D-43ED-B713-BA413F034904.
UPDATE:
MS06-067 (http://isc.sans.org/diary.php?storyid=1854) actually disables this vulnerability. Beside the other things that this update does, it also sets the kill bits for vulnerable ActiveX components.
Thanks to Carl for spotting this.
UPDATE 2:
Couple of exploits for this vulnerability have been already released, so be sure to either patch WinZip or install MS06-067.
Thanks to Juha-Matti for sending information about this.
Keywords:
0 comment(s)
SANS Top 20 Update
Today, the SANS Institute released an updated Top 20 Internet Security Attack Targets list.
This update reorganizes the list recognizing the new reality of operating system independent issues. Sections for cross-platform applications, network devices, policy and the overall issue of 0-day attacks where added.
The list has been released for the last 7 years. From the start, organizations like the FBI assisted in putting the list together. It is in particular useful if you have to set and defend priorities.
Comparing the different versions it is interesting that one issue from the first list (back then it was "vulnerable CGI programs") has come back as the category of "Vulnerable Web Applications". Take a look for yourself and see how your personal infosec career is reflected in the evolution of this list.
This update reorganizes the list recognizing the new reality of operating system independent issues. Sections for cross-platform applications, network devices, policy and the overall issue of 0-day attacks where added.
The list has been released for the last 7 years. From the start, organizations like the FBI assisted in putting the list together. It is in particular useful if you have to set and defend priorities.
Comparing the different versions it is interesting that one issue from the first list (back then it was "vulnerable CGI programs") has come back as the category of "Vulnerable Web Applications". Take a look for yourself and see how your personal infosec career is reflected in the evolution of this list.
Keywords:
0 comment(s)
Malware with new features
One of our readers, Jerry Askew, sent us an interesting downloader today. The malware was spammed in e-mail (of course) and it was an executable file disguised as a jpeg, inside a ZIP archive.
Various AV tools at that point in time did not detect this particular sample, so we decided to spend some time analyzing what it does.
Downloader after downloader
The sample is a downloader, which is typical for a vast majority of malware that is spammed today. The downloader connects to a web site and downloads the second stage payload, which is another downloader.
This second stage downloader downloads and installs a small zoo of malware. Besides the usual culprits, such as keyloggers and BHOs (Browser Helper Objects), what's interesting is that it downloads multiple versions of the same Trojan. Brief analysis of these files showed that they all behave absolutely the same, but look different and have different checksums. When we tested them against AV programs, they had different detection depending on the file scanned (although some AV programs detected all of them as being the same family, but different minor versions). Why the authors decided to do this is not clear, but I suspect that they were just trying to increase their chance of getting the malware onto a machine ? even if your AV program detected and blocked couple of samples, there might be one which is not detected.
After this third stage executable has been downloaded, it will turn off the host based firewall that comes with Windows XP SP2. It actually completely disables the Windows Security Center Service (wscsvc).
Malware then connects to its control and command center, which is a plain web server this time (no IRC). The web server produces a nice HTML page which has three different forms: ftpstaticdata, softstaticdata and softvardata. These will instruct malware to download additional modules. Of special interest was the ftpstaticdata section. This section contained an FTP server IP address and a username/password pair that malware used to upload keylogger logs.
Google Maps at your service
Now comes the interesting part. The authors actually went a step further. Before uploading the data to the FTP server, the malware connects to detectlocation.ru, which seems to be another compromised site setup just for this, and executes a perl script on that site. The perl script takes the IP address of the infected machine as input (this is passed as a parameter in the URL) and detects the geographical location of the IP address. What's interesting is that it even passes back valid coordinates that can be used in Google Maps!
Now when uploading data captured by the keylogger malware also automatically sorts it into directories, depending on the location of the IP address.
While at this moment malware only seems to be capturing information on infected machines, it will be interesting to monitor it to see whether it is related to the latest spam increase.
Lessons learned
In any case, it looks like malware authors got a little bit creative when they decided to use Google Maps. Also, the huge number of installed Trojans and other malicious programs once again show that when you encounter an infection like this one, reinstallation is the only option.
Various AV tools at that point in time did not detect this particular sample, so we decided to spend some time analyzing what it does.
Downloader after downloader
The sample is a downloader, which is typical for a vast majority of malware that is spammed today. The downloader connects to a web site and downloads the second stage payload, which is another downloader.
This second stage downloader downloads and installs a small zoo of malware. Besides the usual culprits, such as keyloggers and BHOs (Browser Helper Objects), what's interesting is that it downloads multiple versions of the same Trojan. Brief analysis of these files showed that they all behave absolutely the same, but look different and have different checksums. When we tested them against AV programs, they had different detection depending on the file scanned (although some AV programs detected all of them as being the same family, but different minor versions). Why the authors decided to do this is not clear, but I suspect that they were just trying to increase their chance of getting the malware onto a machine ? even if your AV program detected and blocked couple of samples, there might be one which is not detected.
After this third stage executable has been downloaded, it will turn off the host based firewall that comes with Windows XP SP2. It actually completely disables the Windows Security Center Service (wscsvc).
Malware then connects to its control and command center, which is a plain web server this time (no IRC). The web server produces a nice HTML page which has three different forms: ftpstaticdata, softstaticdata and softvardata. These will instruct malware to download additional modules. Of special interest was the ftpstaticdata section. This section contained an FTP server IP address and a username/password pair that malware used to upload keylogger logs.
Google Maps at your service
Now comes the interesting part. The authors actually went a step further. Before uploading the data to the FTP server, the malware connects to detectlocation.ru, which seems to be another compromised site setup just for this, and executes a perl script on that site. The perl script takes the IP address of the infected machine as input (this is passed as a parameter in the URL) and detects the geographical location of the IP address. What's interesting is that it even passes back valid coordinates that can be used in Google Maps!
Now when uploading data captured by the keylogger malware also automatically sorts it into directories, depending on the location of the IP address.
While at this moment malware only seems to be capturing information on infected machines, it will be interesting to monitor it to see whether it is related to the latest spam increase.
Lessons learned
In any case, it looks like malware authors got a little bit creative when they decided to use Google Maps. Also, the huge number of installed Trojans and other malicious programs once again show that when you encounter an infection like this one, reinstallation is the only option.
Keywords:
0 comment(s)
×
![modal content]()
Diary Archives
© 2024 SANS™ Internet Storm Center
Developers: We have an API for you! 
Comments