PandaLabs : Vulnerabilities & Exploits

Zero day in MSVIDCTL.DLL

Luis Corrons — Wed, 08 Jul 2009 07:21:00 GMT

A couple of days ago we started spotting a new vulnerability affecting Microsoft Video ActiveX Control. Even though it's been said there are thousands of web sites affected, they are only a few dozens and most of them are in China: Anyway, it is a matter of time to see this attack expanding worldwide. We've seen this zero day installing a Lineage Trojan, but this could change and cybercriminals could install any kind of malware.

Microsoft has published an advisory with a workaround while they prepare a final solution. An important message to everyone: please apply this workaround ASAP.

If you are a Panda user with TruPrevent Technologies, then you are not in a hurry, as it is proactively stopping it. The best thing is that you don't need to install some kind of beta or technology preview, it just works in all of our consumer and corporate products as long as they have enabled TruPrevent. No matter which version you have installed, it covers not only the brand new 2010 products but any old version with TruPrevent.

Sean-Paul shows you here why and how you are protected:

MS09-008. Does the patch work?

Luis Corrons — Sat, 14 Mar 2009 12:47:00 GMT

The vulnerability MS09-008 affects the DNS server, more specifically WPAD (Web Proxy Autodiscovery Protocol) registration. This is a service that allows automatic configuration of proxy settings of the computers wihin a network without user intervention.

This vulnerability could be used to launch "man-in-the-middle" attacks on Windows DNS servers. The web browsers of the PCs in the network are configured through these WPAD entries, so a user that is getting the proxy configuration automatically could be redirected to a malicious proxy and the attacker will have access to all the traffic of the user. To perform this attack, the attacker could insert a WPAD entry in the DNS server when dynamic updates are enabled.

As a part of the solution to this vulnerability, Microsoft creates two new values in the registry under the key HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, as you can see in the following screenshot:

Once created these values in the registry, if anyone tries to launch a “man-in-the-middle” attack it won’t success, as the system will block petitions to the WPAD entry, unless this entry had not been created before applying the patch.

Usually, if you are vulnerable to an attack and you patch the system you feel safe. For instance, all of you know about Conficker, which infects the system using the vulnerability MS08-067. Even if you have been previously infected, you can apply the patch and you won’t be infected anymore through this vulnerability.

However, in the case of MS09-008 patch it doesn’t work in the same way; even if we have applied the patch, if we were already attacked through this vulnerability, it doesn’t solve the problem and the “man-in-the-middle” attacks will continue. Why? Because in that case the data in the value GlobalQueryBlockList created when the patch is applied is “isatap” instead of “wpad isatap”, so the queries to WPAD are not being blocked.

To sum up: in case a successful attack has already taken place before applying the patch, your traffic can be being redirected to a malicious proxy. Then, even if you apply the patch, the issue is not completely solved, and the malicious proxy will stay there “sniffing” all your traffic.

To solve this, it is only needed to add in the registry to the value GlobalQueryBlockList the data wpad and restart the DNS service.

Microsoft guys have blogged about this, you can find more information here.

Kudos to David Sanchez for the research.

Microsoft Updates for January

Xabier Francisco — Wed, 14 Jan 2009 15:25:00 GMT

In the first security bulletin of the year 2009, MS09-001, Microsoft has published several critical updates which resolve 2 privately reported vulnerabilities and a publicly disclosed vulnerability in Microsoft Server Message Block (SMB) protocol.

If exploited successfully, an attacking user could execute remote code on the system, and could view, change or delete data, or create new accounts with full user rights.

This security update has been rated as critical for all the versions of Microsoft Windows 2000, Windows XP and Windows 2003 and as moderate for all the versions of Windows Vista and Windows Server 2008.

We remind you that in order to improve the security level of your computer against known and unknown network vulnerabilities, you can stop or block the access to any network service you don’t use by using a properly configured firewall or by disabling the network services that are not used in the system.

Although in PandaSecurity we work daily on how to improve our products in order to protect our clients from these new vulnerabilities, we always recommend to install as soon as possible the security patches published in the Microsoft’s security bulletins, as well as other security updates that may affect other products installed on the same system.

MS09-001 - Vulnerabilities in SMB Could Allow Remote Code Execution

Sony's Home hacked

Luis Corrons — Fri, 19 Dec 2008 12:37:00 GMT

It is not that someone has hacked Sony CEO's house, we are talking about the Sony Playstation Home:

Home is a virtual world for PlayStation 3 users, where they can interact with other gamers, create their own avatars, etc.

We've seen it here and this opens a totally new world for cybercrooks, as it could lead to identity theft and malware spreading. A user could even upload, download or delete any file within the Home server (!)

So what's all this talk of Clickjacking?

Ryan Sherstobitoff — Tue, 30 Sep 2008 17:30:00 GMT

So there has been a lot of talk recently about this new cross-browser vulnerability known as “Clickjacking”, but what is the potential impact of such a vulnerability to users abroad?

Well essentially the exploit allows a hacker to take control of the links that your browser visits and thus if you come in contact with a malicious site or site that is tainted with malicious code (either through spam, some site tainted by a SQL injection, etc), it then gives the hackers the ability to ‘capture’ your clicks and thus trick you into clicking on links you may have not intended on clicking. At this time technical details are a little sketchy in terms of information regarding specific exploit code, but some information is available here and here.

One could only guess what could happen next once you are forced to click on a link such as installation of a Banker Trojan or other malware is certaintly a possibility

VML, Viking and Lineage... Any further bids?

egonzalez — Fri, 20 Oct 2006 15:12:00 GMT

We have been aware of a site hosting a page that exploits the VML vulnerability. Through this exploit, it downloads a W32/Viking variant. This Viking downloads several Trj/Lineage variants. And finally, these Lineage variants are responsible for gathering victim's data, such as passwords. Have a careful surfing...