Proactive IT Security
 

The 2006 Security Event Overview (IV)

Week 2, 2007

October 2006

October 1: Second third-party fix for Windows bug

A group of security experts calling themselves the Zeroday Emergency Response Team (ZERT) released a patch to cover a hole in Windows while Microsoft’s own patch is still pending. Two weeks ago, ZERT did something similar for the VML bug in Windows. This time it is the Internet Explorer exploit that misuses the WebViewFolderIcon component. Time will tell whether ZERT releasing patches faster than Microsoft becomes a trend.

October 2: Mac OS X flaw

Again a new flaw has been found in Mac OS X through which an attacker could gain full access to the system. Although Apple already released a patch for this flaw last week, there are still systems out there that are not patched, or were patched too late. The exploit that has been released for this flaw is relatively harmless: it only executes the “/usr/bin/id” utility, which then shows the user that the exploit is running with full privileges.

October 6: Google Code Search misused

Google has released a new search engine that searches source code. This is of course a very convenient tool for locating specific code you have been looking for, but it can also easily be misused by attackers. If the source code of security tools is published somewhere on the net, it becomes easy to find hardcoded passwords, examine the tools for flaws, etc. Of course the implications are not as bad as initially thought: if security software’s source code is online somewhere and it contains hardcoded passwords or obvious flaws, it would only have been a matter of time before they were found through conventional means anyway.

October 9: US Department of Commerce under attack by the Chinese

The web systems of the US Department of Commerce have been under attack, mainly from systems in China. As a result, the systems of the bureau that grants export licenses had to be cut off from the Internet for more than a month, as the attacks appeared to be aimed at obtaining sensitive information from those systems.

October 17: Windows worms on Apple iPods

Apple has warned the public that some iPods from the latest batch were shipped with a worm for the Windows platform on them (a W32/Delf variant). The worm itself poses no danger to the iPod or to any system running Mac OS that the iPod is connected to, but when the iPod is connected to a Windows-based computer, the worm may be executed from the iPod or copied onto the computer. The number of iPods carrying this worm is low, and Apple has tightened its security procedures to prevent this from happening again. The culprit was a single infected Windows machine on one of the manufacturing lines.

October 18: First vulnerability in Internet Explorer 7 just hours after its release

Hours after the official release of the long-awaited Internet Explorer version 7, the first vulnerability was discovered, one that can disclose potentially sensitive information. The vulnerability is caused by the way URLs are handled by the “mhtml” URL Redirection Information handler. As is quite often the case, disabling active scripting renders the vulnerability harmless.

November 2006

November 1: Windows CE 6 will come with the kernel sources

Today, Microsoft released version 6 of “Windows Embedded CE”. The new version has, of course, been hardened and gained more features, but above all the source code of the kernel will be made available. A decade ago, Windows CE was created as an embedded real-time operating system. Now, Windows CE is also the core of Windows Mobile, which is used more and more in smart phones, multimedia devices, PDAs, etc. As the machines on which Windows CE runs get more powerful, Windows CE’s multitasking has been enhanced to run 32,000 processes and support 2GB of virtual memory.

November 3: Teacher says computer virus planted child porn

By blaming a computer virus for altering a website and placing child porn images on it, a former math teacher from Georgia tried to evade conviction. Earlier this year, on March 10, we saw proof that adware and spyware authors go to great lengths to get their malicious programs installed on your machine, to the extent of even using a child porn movie as a distraction while downloading and installing their programs. But so far, this would only happen if you executed the program to view the movie. After examination of the teacher’s system by the High Technology Investigative Unit of the Justice Department, two viruses were found, but both were incapable of downloading child pornography images. The suspect was sentenced to 17.5 years imprisonment.

November 13: GMail is a virus, according to Microsoft

Google’s e-mail service GMail is rather popular, so if it turned out to be a virus, it would be devastating. Today, when a user who also had Windows OneCare installed opened the GMail website, OneCare blocked access to the website because it found it to be infected with the “BAT/BWG.A” virus. Of course this was a false positive, and of course Microsoft is new to the game. Microsoft responded by releasing new definition files with an altered signature that still detects the virus but no longer alerts on the website.

November 16: Two Chilean hackers released

Two Chilean citizens who are accused of hacking thousands of government websites have been released from prison pending further investigation. The court has ordered that during the investigation they must stay away from computers. The two accused are allegedly members of the “Byond Team”, responsible for hacking into 8,000 websites worldwide. The police have 90 days to complete their investigation. Until that time the two accused cannot leave the country.

November 23: Microsoft hits on phishers

Microsoft has started 129 lawsuits against phishers in EMEA (Europe, Middle East and Asia). Microsoft has started lawsuits before and was successful there, e.g. with a 2.5-year sentence for a Turkish phisher. Identity fraud is sadly becoming more common, and Microsoft has initiated an effort to fight it under Redmond’s Global Phishing Enforcement Initiative.

November 27: Firefox Flaw

A bug in the password manager of the Firefox browser makes it easy for attackers to steal login credentials. The password manager can be tricked into filling saved credentials into a form whose action points to the attacker’s website, so the credentials are sent there on submission. To make this work, the attacker needs to be able to place an HTML form on the website the credentials were saved for, but this is common practice and allowed on, for example, blogging and dating sites.
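The decision at the heart of this flaw, as an added illustration that is not Firefox’s own code: a naive autofill rule only checks that the page matches the site the credentials were saved for, while the hardened rule additionally requires that the form submits to the same origin. The URLs and the "hostile form on a blog page" scenario are constructed for the example.

```python
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Scheme, host and explicit port of a URL: the unit of same-origin comparison."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.hostname, p.port)


def naive_should_fill(page_url, saved_for_url):
    """Behaviour described above: credentials saved for a site are filled into
    any login form on that site, regardless of where the form submits to."""
    return origin(page_url) == origin(saved_for_url)


def hardened_should_fill(page_url, saved_for_url, form_action):
    """Also require that the form's resolved action URL stays on the page's
    origin, so a user-supplied form cannot ship the filled-in credentials to
    a third party. An empty action means 'submit to the current page'."""
    if origin(page_url) != origin(saved_for_url):
        return False
    target = urljoin(page_url, form_action or "")
    return origin(target) == origin(page_url)


# Constructed scenario: credentials were saved for the blog's real login page,
# and a user posted a look-alike login form that submits to another host.
PAGE = "https://blog.example/users/someone/post-with-hostile-form"
SAVED_FOR = "https://blog.example/login"
HOSTILE_ACTION = "https://collector.example/harvest"
LEGIT_ACTION = "/login"


def demo():
    return {
        "naive_hostile": naive_should_fill(PAGE, SAVED_FOR),
        "hardened_hostile": hardened_should_fill(PAGE, SAVED_FOR, HOSTILE_ACTION),
        "hardened_legit": hardened_should_fill(PAGE, SAVED_FOR, LEGIT_ACTION),
        "hardened_protocol_relative": hardened_should_fill(
            PAGE, SAVED_FOR, "//collector.example/harvest"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: fill={decision}")
```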

November 28: Symantec Antivirus as spread vector

A new bot is spreading using a vulnerability in Symantec’s antivirus software and exploiting five Microsoft vulnerabilities. All of these vulnerabilities had been patched long ago, but nevertheless some systems were still ‘caught’. The bot, a variant of W32/Spybot, probes port 2967 to see whether a given system has a vulnerable (unpatched or out-of-date) Symantec antivirus installed and, if so, copies itself over.
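Because the bot has to probe port 2967 on many hosts to find vulnerable Symantec installations, its spread is visible in perimeter or host firewall logs as one source touching that port on many destinations. The detector below is an added example, not code from the page; the log line format and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (assumed format:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>").
SAMPLE_LOG = """\
10:01:02 TCP 192.0.2.10:40123 -> 198.51.100.5:2967 SYN
10:01:02 TCP 192.0.2.10:40124 -> 198.51.100.6:2967 SYN
10:01:03 TCP 192.0.2.10:40125 -> 198.51.100.7:2967 SYN
10:01:03 TCP 192.0.2.10:40126 -> 198.51.100.8:2967 SYN
10:01:04 TCP 192.0.2.10:40127 -> 198.51.100.9:2967 SYN
10:01:05 TCP 192.0.2.10:40128 -> 198.51.100.10:2967 SYN
10:02:10 TCP 192.0.2.44:51000 -> 198.51.100.20:2967 SYN
10:02:11 TCP 192.0.2.44:51001 -> 198.51.100.20:2967 SYN
10:03:00 TCP 192.0.2.77:52000 -> 198.51.100.30:443 SYN
"""

LINE_RE = re.compile(r"^\S+ TCP (\S+):\d+ -> (\S+):(\d+) ")
SYMANTEC_PORT = 2967  # port the Spybot variant probes, per the text above


def find_scanners(log_text, min_targets=5):
    """Return {src_ip: sorted distinct destination hosts} for every source that
    probed port 2967 on at least `min_targets` distinct hosts. A legitimate
    management console talks to many hosts too, so tune the threshold and
    allow-list known consoles before alerting."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == SYMANTEC_PORT:
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed port {SYMANTEC_PORT} on {len(hosts)} hosts: {hosts}")
```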

December 2006

December 5: Zero-Day attack using Microsoft Word vulnerability

Microsoft has sent out an alert that an unpatched vulnerability in Word is being used in a zero-day attack. Opening a crafted Word document allows remote code execution, giving the attacker full system access.

Amusingly, to avoid being hit by this exploit, Microsoft suggests that users "not open or save Word files," even from trusted sources. "As a best practice, users should always exercise extreme caution when opening unsolicited attachments from both known and unknown sources," Microsoft said. So how should you handle company documents written by a colleague you don’t know?

December 11: Zero-Day attack using Microsoft Word vulnerability again

A week after the exploit was found, it is still not patched. Another Trojan has appeared that exploits this vulnerability. Microsoft has announced that the patches of Patch Tuesday (12 December) will not include a fix for this flaw. This means that the flaw remains exploitable at least until January and that malware writers can easily craft more Trojans exploiting it for another month.

December 20: Planted logic bomb

Facing the possibility of losing his job, a computer administrator planted a logic bomb in his employer’s computer systems at Medco Health Solutions Inc. The logic bomb, when ‘detonated’, would have erased critical patient information. According to the local authorities, the computer administrator wrote the logic bomb himself and planted it on the Medco servers to delete virtually all data from the servers, by modifying existing computer code and adding new code. It was allegedly set to detonate automatically on his birthday, 23 April.

December 27: HD DVD’s AACS protection broken

It only took 8 days for the hacker known as Muslix64 to break the ‘unbreakable’ AACS protection. The reason: he could not watch an HD movie on his Windows computer because his video card is not HDCP compliant.

The Advanced Access Content System (AACS) is a standard for content distribution and digital rights management intended to restrict access to and copying of the next generation of optical discs and DVDs. AACS uses cryptography to control the use of digital media. AACS-protected content is encrypted under one or more title keys using the Advanced Encryption Standard (AES). Title keys are derived from a combination of a media key and several other elements, including the volume ID of the medium (e.g., a physical serial number embedded in a DVD) and a cryptographic hash of the title usage rules.

The principal difference between AACS and earlier content protection systems such as CSS lies in the means by which title-specific decryption keys are distributed. Under CSS, all players of a given model are provisioned with the same shared decryption key. Content is encrypted under the title-specific key, which is itself encrypted under each model’s key, so a single leaked model key exposes every title.
