Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Wednesday, July 15, 2009

It's raining 0day's...

Whew! The last 10 days have been quite busy for security folks like me. There have been three incidents of 0days being discovered recently. It all started with the DirectX ActiveX vulnerability which I blogged about previously. Then a Microsoft Office Web Components ActiveX vulnerability was observed being exploited in the wild. The list of domains hosting the Microsoft exploit is published and maintained at SANS, so in case you are not too sure about a URL or domain, you can look it up there.

And today it's the 0day in the latest Mozilla Firefox browser (3.5)! Wow, that's just too many goodies for the bad guys to pwn you with :) Though there are no known cases of this vulnerability being exploited in the wild yet, it's just a matter of time. It's a standard heap-spraying kind of exploit, but a little hard to make reliable. I doubt it will be that popular with the bad guys, mainly for two reasons: firstly, the code execution works only on WinXP SP2 (it just crashes the browser on SP3), and secondly, Firefox 3.5 has only recently been released, so I'm not sure how much of an audience there will be for the bad guys. A patch for this is in progress but has not been released yet, so the only workaround right now is to disable the JIT in the JavaScript engine. Refer to the advisory here for more details on how to do that.

As if this wasn't enough, the anti-sec fellows are all over the Full-Disclosure mailing list and apparently claim they have 0days for SSH and the Apache web server. Now, a lot of people think these are all rumors, since very little evidence has been posted regarding the SSH exploit. But they have already hacked into some websites like ImageShack and Astalavista to prove their point, so you never know! These so-called anti-sec fellows are now targeting Milw0rm and are openly threatening to shut it down. While I am not completely against their philosophy of vulnerability disclosure, hacking into somebody's box and executing "rm -rf /" is absolutely not the way of tackling this issue!

So, my dear friends, it's never too late to patch and upgrade your systems. Firefox is an amazing browser, but that doesn't mean it won't be targeted.

Update 1: The Mozilla vulnerability is fixed in 3.5.1, so it's time to upgrade your browser!

Update 2: There is an Adobe Flash 0day on the loose again! At the rate these 0days are coming these days, it looks like we will have to coin a new term for it :P Anyway, the exploit is delivered via a PDF file with a malicious Flash file embedded in it; talk about new attack vectors! Very little information is available regarding the exact vulnerability, and SEO poisoning has already started doing its damage, so please be careful about which PDFs you are viewing. Will keep you posted as the mystery unfolds..

Tuesday, July 7, 2009

Microsoft IE 0day ...Not again !?

Sad, but true. Once again MS Internet Explorer users have to run around hiding from the MPEG2 ActiveX exploit that is lurking around, exploiting this new vulnerability in "msvidctl.dll". And there is still no patch available for this critical vulnerability. I think, looking at the licensing costs, Micro$oft products should come with some sort of SLA when we buy them, like maybe fixing critical vulnerabilities within a day or something like that. I mean, it's ridiculous that it's been more than 48 hours that the exploit for this vulnerability has been actively hosted on literally thousands of websites and we still don't have a patch for it!

Anyway, the vulnerability is pretty interesting in itself. I mean, it's not the standard ActiveX kind of vulnerability where you just overflow some parameter inside a function to pwn the SEH. The exploit requires some kind of GIF file to successfully execute shellcode. Well, not a GIF file as such, but a specially crafted image file; the extension could be anything. This, together with the ActiveX control, causes the overflow and SEH overwrite. In fact, the SEH is overwritten with the contents of the image file.

Currently, there are websites hosting this malicious HTML page. Innocent users are lured into browsing these websites by some sort of link sent in a mail, via XSS, or on social networking sites. Once the user lands on such a website, a downloader is executed on the user's machine as part of the shellcode within the exploit. This further opens up the machine to a host of different malware infections. The exploit for this has been partially published on the internet. Now, it won't be long before we start seeing another flurry of malware distribution done using this technique.

So, as we wait for our dear Mr. Gates to release a fix for this, I suggest you keep away from those silly mails that ask you to click on some weird link, or links that you receive on social networking sites like Facebook/Orkut/Twitter. Nowadays these so-called social networking sites are gaining so much popularity that attackers have also started targeting these websites first. Also, as a workaround I would suggest setting the kill bit for this ActiveX control (which is a way of preventing vulnerable ActiveX controls from executing inside the browser). You can find more information on that in the Microsoft knowledge base.
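As an added illustration (not code from the original post), here is a PowerShell script that audits whether the IE kill bit is set for a list of ActiveX CLSIDs and can set it. The kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under the ActiveX Compatibility key; the CLSID in the list is a placeholder, since the post does not give the real one for the vulnerable control.

```powershell
# Added example, not from the original post. Audits (and optionally sets) the
# Internet Explorer kill bit for ActiveX controls by CLSID. The CLSID below is
# a PLACEHOLDER; use the real one from the Microsoft advisory for the control.
# On 64-bit Windows the same key also exists under SOFTWARE\Wow6432Node.
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real CLSID
)

$KillBit  = 0x400   # bit that tells IE never to instantiate the control
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-KillBitStatus {
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    # Requires an elevated prompt: HKLM is writable only by administrators.
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the kill bit in so any other compatibility flags already set are kept
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
}

foreach ($clsid in $ClsidsToCheck) {
    if (Get-KillBitStatus $clsid) {
        Write-Host "$clsid : kill bit already set"
    } else {
        Write-Host "$clsid : kill bit NOT set (call Set-KillBit '$clsid' from an elevated prompt)"
    }
}
```

Setting the kill bit only blocks the control inside Internet Explorer and other hosts that honour the ActiveX Compatibility key; it does not remove the vulnerable DLL, so the vendor patch is still needed.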

As for the Microsoft advisory (what's the point of having one if there is no solution!), you can read it here.

Be careful and browse safely!

Wednesday, July 1, 2009

Bad news for some.. good for others..

It's said that bad news travels fast! And no doubt it does, but generally it's the bad guys who catch it first. Whether it is Michael Jackson's death, the swine flu pandemic, or the Air France crash, malware authors don't spare anything they can use as bait. The moment such news is out, the bad guys immediately register fake domain names and, using SEO (Search Engine Optimization) attacks, make sure their malicious links are out there.

This time it was the rumors surrounding MJ's death that, apart from DoS'ing the Facebook and Twitter websites, had malware authors going into a frenzy to capitalize on the sheer volume of searches. One such fake site was soon distributing malware called "" to visitors who browsed it. Others claimed they had a video showing Michael's last moments in life and redirected users to a link that looked like It then used the old trick of prompting users to install a fake codec (malware) in order to view the video.

[ Fig 1 - Fake youtube website showing MJ's last moments ]

It's a known fact that malware authors have these so-called scripts that keep track of websites such as Google Trends, and as soon as they see a surge in hits on a particular topic, they register a new domain and start distributing malware using SEO. Now that's some clever scripting!

So folks, be careful and extra cautious when you start searching for any of the latest ground-breaking news on the internet. Do not install any kind of executable, ActiveX, or Flash component for your browser if you are not sure about the source. It's better to visit some other link than to take the risk of installing anything on your machine. Some tools (obviously free!) that I would like to recommend are a couple of browser plug-ins for Mozilla. This is what I use, and it really helps sometimes:
  • WOT or Web of Trust plug-in: This Mozilla plug-in preemptively warns you by displaying a small circle next to each link, in various colors for bad or good links, on any website.
  • FlagFox: This neat utility plug-in shows a small flag of the country to which the website you are browsing belongs. So next time you get redirected to a Russian or Korean domain, you know what to do :)
Apart from that, sometimes Mozilla or Google search itself will show a banner informing you that the site has been blocked or is not safe for viewing. Now, I am not advocating any of these plug-ins to you, and neither will I say that they guarantee 100% protection against malware, but hey, something is better than nothing ;)

So here's wishing you safe and happy browsing :)