Microsoft to release emergency Internet Explorer patch on Tuesday

Microsoft has announced that it will be issuing an emergency out-of-band patch for a critical security hole in some versions of Internet Explorer on Tuesday 30 March.

 

According to a Microsoft advisory, the emergency fix is designed to protect users of Internet Explorer 6 and Internet Explorer 7.

 

Microsoft normally bundles its security updates into a monthly package, known in the industry as “Patch Tuesday” (the second Tuesday of each month), and it is relatively unusual for the company to issue a fix for a security vulnerability outside of this cycle. Clearly Microsoft considers the bug particularly important to patch as soon as possible.

 

And in my opinion they’re right not to leave this vulnerability unpatched until April 13th. Earlier this month I described how hackers are actively exploiting the vulnerability, in their attempt to infect computers.

 

The researchers in SophosLabs reported some of the malicious spam messages we have seen being distributed which attempt to trick users into visiting websites that will exploit the zero day vulnerability and infect Windows PCs.

 

More information about the security flaw can be found in Sophos’s analysis of the problem.

 

So, if you are still using Internet Explorer versions 6 or 7, please be sure to update your systems as soon as Microsoft releases the fix. But, in all honesty, what are you doing running such old versions of IE anyway? Shouldn’t you have upgraded to Internet Explorer 8 by now?

 

By Graham Cluley, Sophos

 

 

Related Blogs

Critical Firefox security hole fixed – have you updated?

Mozilla has responded to concern about a critical security vulnerability in Firefox 3.6, by releasing version 3.6.2 of its popular browser ahead of schedule.

 

Firefox 3.6.2 fixes a vulnerability first discovered by security researcher Evgeny Legerov last month, which could allow hackers to launch malicious code on users’ computers.

 

As I blogged yesterday, concern about the bug was so high that the likes of the German government had advised internet users to switch to an alternative browser until a fix from Mozilla was available (at the time that fix was not scheduled until March 30th).

 

However, concern about the severity of the security flaw encouraged Mozilla to accelerate its timetable for release and speed up the schedule.

 

If you are a Firefox 3.6 user, go to the Help menu and choose “Check for Updates” to update your installation of Firefox to the latest version. You can also visit www.getfirefox.com if you wish to download the full version.

 

I would also strongly recommend that all Firefox users consider using NoScript, the Firefox addon that provides a higher level of protection by allowing you to choose which websites are allowed to run active content (such as JavaScript).

 

By Graham Cluley, Sophos

 

 

Protecting against the Internet Explorer zero day vulnerability

A few days ago Microsoft warned its users of an unpatched security hole in its products that could leave Windows users exposed to attacks by cybercriminals.

 

The Internet Explorer vulnerability, which has the CVE reference CVE-2010-0806 and fortunately does not affect Internet Explorer 8, is being actively exploited by malicious hackers. As reported on the SophosLabs blog, we have seen malicious spam messages being distributed which try and trick users into visiting websites that will exploit the zero day vulnerability to infect PCs.

 

Sophos detects the exploit scripts seen so far generically as Troj/ExpJS-R.

 

A proper patch from Microsoft for the problem is not yet available, but the company has issued a couple of workarounds that can be used by vulnerable Windows users.

 

One of Microsoft’s workarounds makes it easy for users to automate the changes that need to be made to the Windows registry (something that normally can give regular users the heebie-jeebies) to disable the “peer factory” class on Windows XP and Windows Server 2003.

 

They have also provided a workaround that enables Data Execution Prevention (DEP) on Internet Explorer 6 Service Pack 2 and Internet Explorer 7.

 

If you are responsible for the security of a number of Windows PC, rather than just your personal computer, you may wish to read the more detailed advice Microsoft provides on workarounds.

 

More information about the security flaw can be found in Sophos’s analysis of the problem.

 

There’s no word yet on when Microsoft will make available a proper fix for this problem, or indeed whether it will be included in their next scheduled “Patch Tuesday” bundle of patches scheduled for April 13th or released as an out-of-bound fix.

 

But I think it’s good that they gave the less geeky users of computers a fairly easy way to implement the workaround, rather than leaving them befuddled by complicated instructions.

 

This latest attack is a timely reminder for all Internet Explorer users that maybe it’s high time they updated their systems to version 8.0 of the popular web browser.

 

By Graham Cluley, Sophos

 

 

Windows and Mac users urged to update Safari

Apple has released version 4.0.5 of its Safari browser, fixing a number of issues with its browser for Windows and Mac OS X including – most importantly – a grand total of 16 security vulnerabilities.

 

If you dilly-dally over updating your computer, it’s possible that hackers could exploit the security bugs – including some that could mean that simply visiting a webpage with a maliciously crafted image could lead to malicious code being automatically run on your computer.

 

Interestingly, one of the bugs (CVE-2009-2285) fixed in Safari 4.0.5 was announced and patched in Mac OS X 10.6.2 back in December 2009, and in Mac OS X 10.5 since January, meaning that Windows users of Safari have been vulnerable for over two months to the way their browser handles booby-trapped TIFF images.

 

But it doesn’t matter whether you own a Mac or PC, if you run Safari the message is clear: It’s time to update your browser and ensure that you are protected against hackers exploiting the security holes detailed in the security advisory on Apple’s website.

 

Safari users should practise safe computing, and update their systems as soon as possible.

 

By Graham Cluley, Sophos

 

 

Energizer DUO USB battery charger software allows unauthorized remote system access

 

Overview

The software available for the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access.

 

 

I. Description

Energizer DUO is a USB battery charger. An optional Windows application that allows the user to view the battery charging status has been available on the Energizer website. The installer for the Energizer DUO software places the file UsbCharger.dll in the application’s directory and Arucer.dll in the Windows system32 directory. When the Energizer UsbCharger software executes, it utilizes the UsbCharger.dll component for providing USB communication capabilities. UsbCharger.dll executes Arucer.dll via the Windows rundll32.exe mechanism, and it also configures Arucer.dll to execute automatically when Windows starts by creating an entry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.

 

Arucer.dll is a backdoor that allows unauthorized remote system access via accepting connections on 7777/tcp. Note that Windows XP SP2 and later systems include a firewall by default. Upon running the Energizer UsbCharger software for the first time, a dialog similar to the following is displayed:

If the user selects “Unblock,” then the system will be at risk. Also note that if the application is unblocked, this will cause Windows to add rundll32.exe to the Windows Firewall exceptions list. This means that any DLL that is executed through the rundll32.exe mechanism will be excluded from the Windows Firewall, regardless of the DLL or port used.

 

The backdoor capabilities include the ability to list directories, send and receive files, and execute programs. The hash information for the file is:
MD5: 1070be3e60a1868d2cd62fc90d76c861
SHA1: d102b1d2538d8771be85403272e5a22a4b3f81ad

The file details for Arucer.dll are:

--a-- W32i   DLL CHS         1.0.0.1 shp     28,672 05-10-2007 arucer.dll
Language        0x0804 (Chinese (PRC))
CharSet         0x04b0 Unicode
OleSelfRegister Disabled
CompanyName
FileDescription Arucer DLL
InternalName    Arucer
OriginalFilenam Arucer.DLL
ProductName     Arucer Dynamic Link Library
ProductVersion  1, 0, 0, 1
FileVersion     1, 0, 0, 1
LegalCopyright  ???? (C) 2006
LegalTrademarks

VS_FIXEDFILEINFO:
Signature:      feef04bd
Struc Ver:      00010000
FileVer:        00010000:00000001 (1.0:0.1)
ProdVer:        00010000:00000001 (1.0:0.1)
FlagMask:       0000003f
Flags:          00000000
OS:             00000004 Win32
FileType:       00000002 Dll
SubType:        00000000
FileDate:       00000000:00000000

 

II. Impact

An attacker is able to remotely control a system, including the ability to list directories, send and receive files, and execute programs. The backdoor operates with the privileges of the logged-on user.

 

 

III. Solution

Remove the Energizer UsbCharger software

Removing the Energizer UsbCharger software will also remove the registry value that causes the backdoor to execute automatically when Windows starts. The Arucer.dll file will remain in the system32 directory, but the mechanisms for executing the code in the DLL will not be present.

 

Remove the Arucer.dll file

The backdoor component of the Energizer UsbCharger software can be removed by deleting the Arucer.dll file from the Windows system32 directory. Because the backdoor hosted by rundll32.exe continues to run after the software has been uninstalled, the Windows may need to be restarted before this file can be removed.

 

Remove “Run DLL as an App” exclusion from the Windows Firewall

If the user unblocks Run DLL as an App (rundll32.exe) from the Windows Firewall, the exclusion will remain after the Energizer UsbCharger software has been uninstalled. To restore the firewall to the previous state, the “Run a DLL as an App” entry should be removed from the exclusions list.

 

Block or restrict network access

Blocking access to 7777/tcp can mitigate this vulnerability by preventing network connectivity to the backdoor. This may be achieved with network perimeter devices or host-based software firewalls. The Energizer UsbCharger software does not automatically add an exception to the Windows Firewall for 7777/tcp or the backdoor application. Therefore, the first time that Energizer UsbCharger is executed, the user will be prompted that “Run a DLL as an APP” has been blocked by the Windows Firewall.

 

The following Snort rules can be used to detect network traffic related to this backdoor:

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; sid:1000004; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; sid:1000005; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; sid:1000006; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; classtype:trojan-activity; sid:1000007; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; sid:1000008; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; classtype:trojan-activity; sid:1000009; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; classtype:trojan-activity; sid:1000010; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; classtype:trojan-activity; sid:1000011; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; classtype:trojan-activity; sid:1000012; rev:2;

 

Systems Affected

 

Source : www.kb.cert.org

 

 

Operation Aurora: Microsoft knew about Internet Explorer flaw for four months

On Thursday there were sighs of relief from all corners as Microsoft released a security patch for a vulnerability that had been exploited by hackers.

 

The patch fixed a critical zero-day vulnerability in versions of Internet Explorer that would have meant visiting a boobytrapped webpage could have infected your computer, opening a backdoor for remote hackers.

 

Nasty stuff, especially as it was being alleged that the security hole had been exploited by Chinese hackers who broke into the likes of Google and Adobe in an attack dubbed “Operation Aurora”.

 

Interestingly, details are now emerging that Microsoft was first told about the security hole early last September – a full four months before it hit the world’s headlines.

 

According to reports, Microsoft was informed about the security problem with its software (and the potential for hackers to take advantage of it) by security researcher Meron Sellen, and the company planned to roll-out a fix in a cumulative update for Internet Explorer scheduled for next month.

 

Now, if you were one of the high-tech, financial or miltary targets that are said to have been struck by the Chinese hackers you might be feeling a little bit miffed that Microsoft didn’t roll out its patch for this critical vulnerability sooner.

 

For their part, Microsoft may well feel that as the flaw primarily affected Internet Explorer 6 that such organisations should already have updated to a more secure version of their browser (such as version 8.0).

 

Is four months too long a time to fix a security hole of this severity? I’m not sure. One thing we have to bear in mind is that it can be very complicated developing and then testing a security patch to ensure that it works in all environments with multiple different versions of the software being patched.

 

I would rather a patch worked than was rushed out and caused more problems than the bug it was trying to solve.

 

The thing we should all be grateful for is that there is now a patch for Internet Explorer, meaning there really is no excuse for any company to be breached via this particular security hole again.

 

But if Microsoft knew about this critical security vulnerability four months ago, I wonder how many other security holes there are that they secretly know about, but we don’t have a clue about yet.

 

Oh, and don’t forget, there’s nothing to suggest that the hackers only exploited this Internet Explorer flaw. Chances are that they took advantage of a whole bunch of different weaknesses in different products, as well as some social engineering tricks, to break into computers inside the affected companies.

 

By Graham Cluley, Sophos

 

Critical flaws fixed in Firefox 3.5.4

If your a user of the Firefox web browser then it’s time to update your software again, as Mozilla has issued an important update that fixes a number of critical flaws.

 

In total, 16 vulnerabilities are patched in Firefox 3.5.4 – with 11 given the highest rating of “critical”. What does that mean? Well, according to Mozilla’s own website a “critical” vulnerability is one which “can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”

 

In other words, critical vulnerabilities can be used to invisibly install and run malicious code on your computer – such as a Trojan horse or worm.

 

As we revealed in the Sophos Threat Report [PDF] published earlier this year, SophosLabs sees in excess of 23,000 new malicious webpages every day – infected with the intention of compromising your computer. So it’s really important that alongside running up-to-date with anti-virus software, you ensure your web browser – whether it be Firefox, Internet Explorer, Safari, Opera, or something else – is protected with the latest patches.

 

The update is now available from the Mozilla website, but hopefully most existing users will be pestered into updating by Firefox’s auto-update facility.

 

Firefox’s security is becoming ever more important as it creeps up on Microsoft Internet Explorer’s pole position as number one browser for the web. It is estimated that there are now over 330 million users of Firefox - more than the population of the United States!

 

by Graham Cluley, Sophos

 

Microsoft user? Adobe user? Update your systems now

As part of its regular “Patch Tuesday” cycle, Microsoft has released a number of fixes for a number of its widely deployed products to patch critical security vulnerabilities.

 

Eight of the critical patches, addressing vulnerabilities in Windows, Microsoft Office, Internet Explorer, Silverlight, SQL Server, Forefront, Visual Studio, and other products, aim to stop hackers dead in their tracks from launching malicious attacks remotely.

 

A further five of the patches are classified as “important.”

 

In total, 34 security holes are fixed in what is Microsoft’s largest ever bundle of Patch Tuesday security updates.

 

Microsoft’s security response center has also released a chart, showing the severity of each vulnerability. “Red” means “critical” – in other words, that’s as bad as thing gets.

 

So the amount of “red” you see below should be a good indication of how serious these vulnerabilities are. If any more underlining of the importance were necessary, bear in mind that functioning code which exploits some of the vulnerabilities addressed by Microsoft’s patches has already been published.

 

You can learn much more about the patches in an advisory posted on Microsoft’s website.

 

Meanwhile, Adobe has also issued advice regarding critical vulnerabilities in Adobe Reader and Adobe Acrobat. Unlike the patches released by Microsoft, Adobe’s fixes cover Windows, Apple Mac OS X, and Unix/Linux.

 

In total, the Adobe fixes patch a stonking 29 vulnerabilities. Sophos has already seen malware which exploits some of the vulnerabilities affecting the Adobe PDF file format.

 

Over on his blog, Chet has some interesting things to say about these latest patches – looking in greater detail at some of the vulnerabilities, and questioning whether Adobe could learn a thing or two from Microsoft when it comes to responding to flaws in their code.

 

Whether you agree with Chet or not, one thing is clear – if you’re an affected Microsoft or Adobe user, you need to roll these patches out as a matter of priority.

 

by Graham Cluley, Sophos

Cracked Windows – Microsoft warns of critical flaw

Microsoft has published a security advisory warning of a critical vulnerability in Microsoft DirectX on older versions of Windows.

The problem is in the way that Microsoft DirectShow handles QuickTime format files – meaning that if a user opened a maliciously crafted QuickTime media file, the hackers could run dangerous code on your computer.

Read more

« Previous Page