XRamp Security Advisories

Symantec Warns Users of New Drive-By Pharming Attack

XRamp Security Services, Inc

XRAMP/US-Cert SECURITY NOTICE: Symantec Warns Users of New Drive-By Pharming Attack

In an announcement made yesterday, security researchers at Symantec and Indiana University School of Informatics revealed that they had uncovered a serious new security threat targeting home broadband routers. The attack, dubbed Drive-By Pharming, allows an attacker to change the configuration of a home router when a user unknowingly visits a malicious website. The website employs malicious JavaScript code that allows an attacker to log into many types of home routers if the default password has not been changed. Once logged in, the attacker is able to change the configuration of the home router, including the Domain Name Server (DNS) server settings.

This type of attack is particularly concerning for a few reasons:

Simply viewing the malicious webpage is all that is required for a user to fall victim to this attack.
Many home users fail to change the default password on their broadband routers. The Symantec report indicates that 50% of all users could fall into this category.
Changing the Domain Name Server (DNS) server settings allow an attacker to redirect the home user to a DNS server of their choice. This includes a malicious server set up by the attacker to direct users to other malicious websites, where information such as financial account numbers, passwords, and other sensitive data can be stolen.

Symantec notes that the best defense against this type of attack is for home users to change their default password. The following links provide support resources for three of the more common home router vendors:

US-CERT cautions users to avoid clicking on links sent in unsolicited emails. Users should also remain cautious when browsing the web and avoid visiting untrusted sites. More information can be found in Securing Your Web Browser document.

To learn more, or to view a flash-animation of the attack, visit Security Response Weblog.

Adobe Acrobat Reader Unspecified Heap Corruption Vulnerability

XRamp Security Services, Inc

XRAMP/SecurityFocus SECURITY NOTICE: Adobe Acrobat Reader Unspecified Heap Corruption Vulnerability

I. Description

Adobe Acrobat Reader is prone to a heap-based buffer-overflow vulnerability because the application fails to properly bounds-check malicious PDF files, resulting in a heap-based buffer overflow.

Successfully exploiting this issue may allow a remote attacker to execute arbitrary code in the context of the victim user running the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

An attacker could exploit this issue by enticing a victim to open a malicious PDF file.

II. Exploit

Currently we are not aware of any exploits for this issue..

III. Solution

The vendor has released an advisory along with fixes to address this issue. Please see the referenced advisory for information on obtaining and applying fixes.

Adobe Acrobat Reader 7.0

Turbolinux AdobeReader_enu-7.0.9-1TL1.i686.rpm
ftp://ftp.turbolinux.co.jp/pub/TurboLinux/

References

Adobe Home Page (Adobe)
Adobe Reader Download Page (Adobe)
Adobe Security Advisory APSB07-01 (Adobe)
Adobe Reader Remote Heap Memory Corruption - Subroutine Pointer Overwrite (Piotr Bania)
Adobe Reader Remote Heap Memory Corruption-Subroutine Pointer Overwrite (Piotr Bania)

Anomalous DNS Activity

XRamp Security Services, Inc

XRAMP/US-Cert SECURITY NOTICE: Anomalous DNS Activity

US-CERT was made aware of anomalous Domain Name Server (DNS) traffic that began on 6 Feb 2007. It is not confirmed whether this is a DDOS attempt or an incidental effect of something else, however it is likely that the traffic is Distributed Denial of Service (DDOS) related.

At approximately 0001 GMT on 6 Feb 2007, several root-level DNS servers began receiving a large volume of malformed DNS queries. This initial attack appears to have been a warm-up for a much larger attack that began at 1000 GMT.

DNS servers G (U.S. DOD Network Information Center), L (Internet Corporation for Assigned Names and Numbers), and M (WIDE project) appear to have been the most severely impacted although none were ever unreachable. The servers were operational and reachable even with the high volume attack.

US-CERT has been in contact with various groups affected to ensure that appropriate actions are being taken.

US-CERT will continue to investigate and provide additional information as needed.

Mozilla Firefox Popup Blocker Cross Zone Security Bypass Weakness

XRamp Security Services, Inc

XRAMP/SecurityFocus SECURITY NOTICE: Mozilla Firefox Popup Blocker Cross Zone Security Bypass Weakness

I. Description: Mozilla Firefox is prone to a cross-zone security-bypass weakness. This issue allows attackers to open 'file://' URIs from remote websites.; By exploiting this issue in conjunction with other weaknesses or vulnerabilities, attackers may be able to execute arbitrary script code with the elevated privileges that are granted to scripts when they are executed from local sources.; Mozilla Firefox 1.5.0.9 is affected by this issue; other versions may be affected as well.
II. Exploit: Attackers use standard web development and server applications to exploit this issue.
III. Solution: Currently we are not aware of any vendor-supplied patches for this issue.

References

Mozilla Firefox Home Page (Mozilla)
Firefox + popup blocker + XMLHttpRequest + srand() = oops (Michal Zalewski)
Re: Firefox + popup blocker + XMLHttpRequest + srand () = oops (Michal Zalewski)

Microsoft Releases Security Advisory for Unpatched Vulnerability in Office involving Excel

XRamp Security Services, Inc

XRAMP/US-Cert SECURITY NOTICE: Microsoft Releases Security Advisory for Unpatched Vulnerability in Office involving Excel

Microsoft has released Security Advisory 932553 to address a new vulnerability that affects multiple versions of Microsoft Office. When Office applications improperly process a malformed string, a corruption in system memory occurs. By persuading a user to open a specially crafted Office document from an email attachment or web site, a remote attacker may be able to execute arbirtary code with privileges of the user.

The Securiry Advisory states that the following Office versions are vulnerable: Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac.

According to the Microsoft Security Response Center Blog, there are very limited, targeted attacks attempting to use Excel documents as an attack vector to exploit this vulnerability in Microsoft Office. However, the issue can also affect all Office documents.

Until Microsoft provides a security update, or more important becomes available, US-CERT recommends the following actions to help mitigate the security risk:

Do not open untrusted Word documents or attachments from unsolicited email messages.
Disable automatic opening of Microsoft Office documents, as specified in the Office Document Open Confirmation Tool document for Office 2000.
Do not rely on file name extensions as a way to securely filter against malicious files.
Limit user privileges to no administrator rights.
Review Microsoft Security Advisory 932553 for additional workarounds.

US-CERT will continue to investigate and provide additional information as it becomes available.

Cisco Releases Security Advisories for Multiple Vulnerabilities in IOS

XRamp Security Services, Inc

XRAMP/US-Cert SECURITY NOTICE: Cisco Releases Security Advisories for Multiple Vulnerabilities in IOS

Cisco has released three Security Advisories to address severly rated vulnerabilities in their Internetwork Operating System Software

Cisco Security Advisory: Crafted IP Option Vulnerability addresses a remotely exploitable denial-of-service vulnerability that may potentially allow for arbitrary code execution. This vulnerability may be exploited when an affected device processes a crafted packet that meets all of the following conditions:

The packet contains a specific crafted IP option.
The packet is one of the following protocols:
- ICMP - Echo Request (Type 8)
- ICMP - Timestamp (Type 13)
- ICMP - Information Request (Type 15)
- ICMP - Address Mask Request (Type 17)
- PIMv2 - IP protocol 103
- PGM - IP protocol 113
- URD - TCP Port 465
The packet is sent to a physical or virtual IPv4 address configured on the affected device.

Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service addresses a denial-of-service vulnerability in the Transmission Control Protocol listener. Crafted packets may cause the device to leak a small amount of memory. Over time, such a memory leak may lead to memory exhaustion and a denial-of-service condition.

Cisco Security Advisory: IPv6 Routing Header Vulnerability addresses a remotely exploitable denial-of-service vulnerability in the IPv6 Type 0 Routing header handling. This vulnerability can be triggered by a packet containing crafted IPv6 Type 0 Routing headers.

More information about these vulnerabilities can be found in the Vulnerability Notes Database.

US-CERT encourages users to apply the fixes and workarounds described in the Cisco Security Advisories and Vulnerability Notes, and will continue to investigate and provide additional information as it becomes available.

Microsoft Internet Explorer Multiple ActiveX Controls Denial of Service Vulnerabilities

XRamp Security Services, Inc

XRAMP/SecurityFocus SECURITY NOTICE: Microsoft Internet Explorer Multiple ActiveX Controls Denial of Service Vulnerabilities

I. Description

Microsoft Internet Explorer is prone to multiple denial-of-service vulnerabilities because the application fails to handle exceptional conditions.

These issues are triggered when an attacker entices a victim user to visit a malicious website.

Remote attackers may exploit these issues to crash Internet Explorer, effictively denying service to legitimate users.

II. Exploit

An attacker may exploit this issue by enticing victims into viewing malicious HTML content.

An proof of concept has been provided:

/data/vulnerabilities/exploits/ie_ax_dos

III. Solution

Currently we are not aware of any vendor-supplied patches for this issue.

References

Internet Explorer ActiveX bgColor Property Denial of Service (Determina Security Research)
Internet Explorer Home Page (Microsoft)

New Unpatched Vulnerability in Microsoft Word

XRamp Security Services, Inc

XRAMP/US-Cert SECURITY NOTICE: New Unpatched Vulnerability in Microsoft Word

US-CERT is investigating reports of new Microsoft Word vulnerability affecting Word 2000 and Word 2003/XP. Earlier today, Symantec published an alert indicating that the vulnerability could be exploited to allow an attacker to execute arbitrary code in the context of the user who is logged in. Details of the vulnerability are not yet clear; however, the alert indicated that exploitatin is occuring in the wild.

Until more information becomes available, US-CERT recommends the following actions to help mitigate the security risk:

Do not open untrusted Word documents or attachments from unsolicited email messages.
Disable automatic opening of Microsoft Office documents.
Do not rely on file name extensions as a way to securely filter against malicious files.
Install anti-virus software and keep its virus signature files up-to-date.
Save and scan any attachments before opening them.
Limit user privileges to no administrator rights.

US-CERT will continue to investigate and provide additional information as it becomes available.

Microsoft Outlook Malformed Email Header Remote Denial of Service Vulnerability

XRamp Security Services, Inc

XRAMP/SecurityFocus SECURITY NOTICE: Microsoft Outlook Malformed Email Header Remote Denial of Service Vulnerability

I. Description

Microsoft Outlook is prone to a remote denial-of-service vulnerability because the application fails to properly handle malformed email messages.

A remote attacker can exploit this issue to crash affected email clients. This issue will persist as long as the email message resides on the mail server, creating a prolonged denial-of-service condition.

II. Exploit

Attackers exploit this issue by using standard email clients or readily available network utilities.

III. Solution

Microsoft has released an advisory and fixes to address this issue. Please see the references for more information.

Microsoft Outlook 2000 0

Microsoft Security Update for Outlook 2000 (KB921593)
http://www.microsoft.com/downloads/details.aspx?familyid=97CE0B32-C6AF-4C6C-ABF1-838ED89062EB

Microsoft Outlook 2002 0

Microsoft Security Update for Outlook 2002 (KB921594)
http://www.microsoft.com/downloads/details.aspx?familyid=1D1991C5-3DE3-4258-9120-058FFD62B4F5

Microsoft Outlook 2002 SP1

Microsoft Security Update for Outlook 2002 (KB921594)
http://www.microsoft.com/downloads/details.aspx?familyid=1D1991C5-3DE3-4258-9120-058FFD62B4F5

Microsoft Outlook 2000 SR1

Microsoft Security Update for Outlook 2000 (KB921593)
http://www.microsoft.com/downloads/details.aspx?familyid=1D1991C5-3DE3-4258-9120-058FFD62B4F5

Microsoft Outlook 2003 0

Microsoft Security Update for Outlook 2003 (KB924085)
http://www.microsoft.com/downloads/details.aspx?familyid=1D1991C5-3DE3-4258-9120-058FFD62B4F5

Microsoft Outlook 2000 SP3

Microsoft Security Update for Outlook 2000 (KB921593)
http://www.microsoft.com/downloads/details.aspx?familyid=97CE0B32-C6AF-4C6C-ABF1-838ED89062EB

Microsoft Outlook 2000 SP2

Microsoft Security Update for Outlook 2000 (KB921593)
http://www.microsoft.com/downloads/details.aspx?familyid=97CE0B32-C6AF-4C6C-ABF1-838ED89062EB

Microsoft Outlook 2002 SP2

Microsoft Security Update for Outlook 2002 (KB921594)
http://www.microsoft.com/downloads/details.aspx?familyid=1D1991C5-3DE3-4258-9120-058FFD62B4F5

Microsoft Outlook 2002 SP3

Microsoft Security Update for Outlook 2002 (KB921594)
http://www.microsoft.com/downloads/details.aspx?familyid=1D1991C5-3DE3-4258-9120-058FFD62B4F5

References

Microsoft Outlook Home Page (Microsoft)
Microsoft Security Bulletin MS07-003 (Microsoft)

Apple Releases Security Update for Vulnerability in QuickTime

XRamp Security Services, Inc

XRAMP/US-Cert SECURITY NOTICE: Apple Releases Security Update for Vulnerability in QuickTime

Apple has released Security Update 2007-001 to correct a buffer overflow vulnerability in Apple QuickTime. The flaw is in the way that QuickTime handles Real Time Streaming Protocol (RTSP) URL strings. By persuading a user to access a specially crafted QuickTime file, a remote attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system. US-CERT is also aware of publicly available proof-of-concept code that exploits this vulnerability.

Additionally, the Month of Apple Bugs MOAB-01-01-2007 website states that an attacker may also submit a specially crafted HTML document (e.g., a webpage or an HTML email message) or Javascript code to cause a buffer overflow and compromise a vulnerable system.

More information about this vulnerability is located in the following:

Vulnerability Note VU#442497 - Apple QuickTime RTSP buffer overflow
Technical Cyber Security Alert TA07-005A - Apple QuickTime RTSP buffer overflow
Apple Security Update 2007-001
Month of Apple BugsMOAB-01-01-2007 - Apple QuickTime rtsp URL Handler Stack-based Buffer Overflow

US-CERT encourages users to apply the appropriate updates as specified in Apple Security Update 2007-001 as soon as possible.

Disable the QuickTime ActiveX controls in Internet Explorer as specified in Microsoft Support Document 240797.
Disable the QuickTime plug-in for Mozilla-based browsers as specified in the PluginDoc article Uninstalling Plugins.
Disable file association for QuickTime files.
Disable JavaScrpit as specified in the Securing Your Web Browser document.
Do not access QuickTime files from untrusted sources.