vulnerability – Paul's Tech Talk

Microsoft Issues a Security Advisory KB971778

PaulMay 29, 2009

Microsoft Security Advisory: Vulnerability in Microsoft DirectShow could allow remote code execution

http://support.microsoft.com/kb/971778

The systems that are vulnerable are Windows 2000, Windows XP or Windows Server 2003. I like this new way Microsoft is helping the less educated. They now havea Fix it button on the site. This fix it button is a registry change to there system. It does all the work for the End user. Although the corporate field will have to modify the registry there own way.

[ad]It looks like Microsoft is thinking of making this more user friendly. Here is how to do a manual registry fix for your computer:

Click Start, click Run, type regedit in the Open box, and then click OK.

Locate and then click the following subkeys in the registry:
- For 32-bit Windows systems:
  HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
- For 64 bit Windows Systems:
  HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}
  HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

On the File menu, click Export.

In the Export Registry File dialog box, type Quicktime_Parser_Backup.reg, and then click Save.
Note By default, this will create a backup of this registry key in the My Documents folder.

Press DELETE on the keyboard to delete the registry key. When prompted to delete the registry key in the Confirm Key Delete dialog box, click Yes.

Exit Registry Editor.

This will fix the problem until Microsoft has come out with a patch. If you are not comfortable doing it this way, you can always go hit the fix it button to have it do it automatically. This will help prevent someone from using this exploit!!

JSRedir-R/Gumblar The underlying problem!!

PaulMay 18, 2009

Some people have made comments about there website being hosted to Malware injection into there site. I’ve been seing a Lot of talk about JSRedir-R/Gumblar found to be the biggest malware threat on the Web. They estimate that it is 42% of infected websites to be carrying this malware threat, last week. I have heard some think it is weak login creditals.

[ad]See the Graph from Sophos about the percentage. I also wanted to tell people how to identify if you have the infection or not. This is very important to check because people are letting this Malware spread and all.

I on the other hand think the way this is spreading is a Cross Site Scripting vulnerability for these websites but there are a few websites that do keep your login cache on your system. I would recommend if your a web site owner to have your cache deleted everytime you exit your web browser. This should in theory help prevent Cross Site scripting and Website owners should also either buy [intlink id=”2205″ type=”page”]Anti-virus and Firewall software or install the Free version[/intlink] to better protect your website.

Just like the[intlink id=”3308″ type=”post”]Twitter Cross Site Scripting tom foolery [/intlink]this is my theory on how websites are being injected with this malware. It is however just a theory. I was never logged into my account on twitter through my web browser when this happened and that is what kept me from spreading it to my Twitter users. You should also consider always logging off your web site when your done doing what you do! Just my thoughts on the matter, Remember only you can prevent from getting a Virus.

The Seriousness of the Twitter Vulnerability?

PaulMarch 25, 2009

The main question is how much do you want to know about this? Yes I am talking about a Vulnerability that could risk your twitter account or even yet inject malious software into the computer.

[ad#cricket-right-ez]We’ve seen that there have been [intlink id=”2650″ type=”post”]twitter phishing[/intlink] in the past, and [intlink id=”3008″ type=”post”]Facebook phishing[/intlink] have made people wonder out much do we depend on Twitter.

Lance James and Eric Wastl have provide Proof of Concept for this vulnerability, according to Information Weekly:

James cautions that XSS vulnerabilities should be taken seriously because they can reach beyond Web pages. “A lot of people think XSS is limited to the Web,” he said. If there’s another vulnerability in the victim’s browser, the Twitter flaw could be used to launch additional malicious code, he explained.

As you can see there is more to this problem then meets the eye. For one using the [intlink id=”2980″ type=”post”]URL redirects[/intlink] could be one way this could be used. No telling what other vulnerabilities lay for the client side twitter programs. Twitter has a long way to go to be security minded, and yet Twitter hasn’t said what they will do to fix this problem.

I for one would like to see this problem fixed just as quickly as possible due to the security risk involved to me, the consumer. Twitter needs to jump on this and fix it to prevent any more attacks against there twitter audience. Although it doesn’t hurt to have [intlink id=”2205″ type=”page”]Anti-virus And a good firewall[/intlink], it all depends on End user to prevent this for the time being.

Come on Twitter, Fix this problem.

Gmail Vulnerable to a Change PW Attack!

PaulMarch 3, 2009

Securiteam has made an announcement that Gmail has an issue. I will quote:

GMail is vulnerable to CSRF attacks in the “Change Password” functionality. The only token for authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request.

[ad#ad2-right]An attacker can create a page that includes requests to the “Change password” functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker.

The attack is facilitated since the “Change Password” request can be realized across the HTTP GET method instead of the POST method that is realized habitually across the “Change Password” form.

[Via Securiteam]

One way to prevent this to a point is right now having GMAIL automatically connect securely. You would go into your settings in gmail and make sure it uses https connection:
This is one way to prevent the cookie attack but is still needing to be fixed. Since it is using the HTTP GET method it should use the HTTPS method as soon as you try accessing the site. Google needs to change to the HTTPS Get method instead to prevent this type of attack. If you have any other ideas for Google just leave a comment.

Zero Day For IE7 Being used in the wild.

PaulFebruary 17, 2009

It looks like IE7 patches are being used right now in the wild. According to TrendMicro:

HTML_DLOADER.AS exploits the CVE-2009-0075 vulnerability, which is already addressed by the MS09-002 security patch released last week. On an unpatched system though, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS.

[Image from TrendMicro Blog]

[ad#ad2-right]As you can see this this can be very bad for the companies who wait a while. Internet Explorer is still being used 1 out of 4 users and I see it it all the time on my stats. The Good news is this isn’t as hard to get rid as the Conflicker but should be taken serious because the writers might start to want to get even more malicious and make it even harder.

This is the next step to prevent yourself from getting caught with your pants down so to speak, you need to patch all systems that have internet access. I still like the Autopatcher because it will do the job with very little input from the user. It also makes it easier for people to patch big systems. You should also consider installing some Free Anti-virus software to help protect the systems you do have.

From the looks of this virus, someone could easily make this into a botnet and you know how that can could affect your systems and your ISP. So it is best to get this months patches on the floor of your company as soon as possible.

You should also consider telling your users to start using Firefox to prevent infection from even happening. Until you patch, you are vulnerable.