Archive | July, 2010

Firefox 3.6.7 Fixes a Bunch of Drive-by Download Vulnerabilities

Summary:

  • These vulnerabilities affect: Firefox 3.6.x and 3.5.x for Windows, Linux, and Macintosh
  • How an attacker exploits it: Typically by enticing one of your users to visit a malicious web page
  • Impact: Various results; in the worst case, an attacker executes code on your user’s computer, gaining complete control of it
  • What to do: Upgrade to Firefox 3.6.7 (or 3.5.11), or let Firefox’s automatic update do it for you

Exposure:

Today, Mozilla released an advisory describing 16 vulnerabilities (counted by CVE number) in Firefox 3.6.4 (and earlier versions) running on all platforms. Mozilla rates more than half of these vulnerabilities as critical, meaning an attacker can leverage them to execute code and install software without user interaction beyond normal browsing. We summarize three of the most critical Firefox 3.6.4 vulnerabilities below:

  • PNG Image Buffer Overflow Vulnerability (2010-41). The graphics code that helps Firefox handle PNG images suffers from a buffer overflow vulnerability. By enticing one of your users to a web page containing a maliciously crafted image, an attacker can leverage this buffer overflow to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • Typical Memory Corruption Vulnerabilities (2010-34). Mozilla’s update fixes two unspecified memory “safety” or corruption vulnerabilities, which can at least crash Firefox. Mozilla’s alert doesn’t say much about these vulnerabilities, other than they lie within Firefox’s browser engine. Mozilla presumes that, with enough effort, attackers could exploit some of these memory corruption flaws to run arbitrary code on a victim’s computer. To do so, an attacker would first have to trick one of your users into visiting a maliciously crafted web page. If your user took the bait, the attacker could execute malicious code on that user’s machine, with that user’s privileges. If the user happened to be a local administrator or had root privileges, the attacker would gain total control of the victim’s computer.
    Mozilla Impact rating: Critical
  • DOM Attribute Cloning Code Execution Vulnerability (2010-35). The Document Object Model (DOM) is a W3C specification for representing structured documents as objects, in a platform and language neutral manner. Firefox’s DOM attribute cloning routine suffers from a code execution vulnerability. By enticing one of your users to a maliciously crafted web page, an attacker can leverage this flaw to either crash Firefox, or to execute malicious code on that user’s machine, with that user’s privileges. As usual, an attacker may gain full control of your users’ computers if they have administrative privileges.

Mozilla’s alert describes many more vulnerabilities, including other code execution flaws, Cross-Site Scripting (XSS) or cross-origin vulnerabilities, and spoofing vulnerabilities. Visit Mozilla’s Known Vulnerabilities page for a complete list of the vulnerabilities that Firefox 3.6.7 fixes.

On a related note, some of these vulnerabilities also affect Firefox 3.5.x. If you use 3.5.x, we recommend you move to 3.6.7. However, if you must stay with 3.5.x, Mozilla has also released an update for that legacy version.

Solution Path:

Mozilla has released Firefox 3.6.7 and 3.5.11, to correct these security vulnerabilities. If you use Firefox in your network, we recommend that you download and deploy version 3.6.7 as soon as possible. If, for some reason, you must remain with Firefox 3.5.x, make sure to upgrade to 3.5.11.
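To find clients that still need the update, you can check the Firefox versions seen in web proxy logs against the fixed releases named above. The following is an added example, not part of the original advisory; the tab-separated log layout and the sample lines are constructed for illustration.

```python
import re

# Fixed releases named in the advisory above, keyed by release branch.
FIXED = {(3, 6): (3, 6, 7), (3, 5): (3, 5, 11)}
UA_RE = re.compile(r"Firefox/(\d+(?:\.\d+){1,3})")

# Constructed sample: tab-separated client IP, URL, User-Agent (assumed layout).
SAMPLE_LOG = [
    "10.0.0.11\thttp://example.com/\tMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4",
    "10.0.0.12\thttp://example.com/\tMozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7",
    "10.0.0.13\thttp://example.com/\tMozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.10) Gecko/20100504 Firefox/3.5.10",
    "10.0.0.14\thttp://example.com/\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
    "truncated line without tabs",
]

def parse_version(text):
    """Turn '3.6.4' into (3, 6, 4); pad two-part versions such as '3.6' with 0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def classify(user_agent):
    """Return 'vulnerable', 'patched', 'other-branch', or None if not Firefox."""
    m = UA_RE.search(user_agent)
    if not m:
        return None
    version = parse_version(m.group(1))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "other-branch"  # branch not covered by this advisory
    return "vulnerable" if version < fixed else "patched"

def unpatched_clients(log_lines):
    """Map client IP -> set of vulnerable Firefox versions seen from it."""
    hits = {}
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 3:
            continue  # skip malformed lines
        client, _url, ua = fields
        if classify(ua) == "vulnerable":
            hits.setdefault(client, set()).add(UA_RE.search(ua).group(1))
    return hits

if __name__ == "__main__":
    for client, versions in sorted(unpatched_clients(SAMPLE_LOG).items()):
        print(client, "needs update, saw Firefox", ", ".join(sorted(versions)))
```

User-Agent strings can be changed by the client, so treat the result as an inventory aid and confirm the installed version on each flagged machine.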

Note: The latest version of Firefox 3.6.x automatically informs you when a Firefox update is available. We highly recommend you keep this feature enabled so that Firefox receives its updates as soon as Mozilla releases them. To verify that you have Firefox configured to automatically check for updates, click Tools => Options => Advanced tab => Update tab. Make sure that “Firefox” is checked under “Automatically check for updates.” In this menu, you can configure Firefox to always download and install any update, or if you prefer, only to inform the user that an update exists.

As an aside, attackers cannot leverage many of these vulnerabilities without JavaScript. Disabling JavaScript by default is a good way to prevent many web-based vulnerabilities. If you use Firefox, we recommend you also install the NoScript extension, which will disable JavaScript (and other active scripts) by default.

For All Users:

This attack arrives as normal-looking HTTP traffic, which you must allow through your firewall if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.

Status:

The Mozilla Foundation has released Firefox 3.6.7 to fix these vulnerabilities.

References:

Microsoft Patches Critical Windows Help Center Vulnerability: Two Windows Bulletins Correct Flaws in Helpctr.exe and Cdd.dll

Summary:

  • These vulnerabilities affect: All versions of Windows XP and Server 2003, as well as the 64-bit versions of Windows 7 and Server 2008 R2
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to visit a specially crafted website
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two Windows security bulletins describing two vulnerabilities that, combined, affect many of the currently used versions of Windows. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-042: Windows Help and Support Center Zero Day Vulnerability

About a month ago, Tavis Ormandy, an Information Security Engineer at Google, disclosed a complicated, yet serious security vulnerability in Windows’ Help and Support Center (Helpctr.exe) to the Full-Disclosure mailing list. Essentially, the issue has to do with a security bypass vulnerability in Helpctr.exe combined with a Cross-Site Scripting (XSS) flaw in one of Windows’ default help documents. You can learn more about this flaw in our original Wire post. In short, if an attacker can lure you to a specially crafted web page or link, he can leverage these flaws to execute code on your computer, possibly gaining full control of it. Ormandy included a Proof-of-Concept (PoC) exploit with his early disclosures, and a few days later, attackers reportedly began exploiting this flaw in the wild. For this reason, we recommend you download, test, and deploy this update as quickly as you can. This vulnerability only affects Windows XP and Server 2003.
Microsoft rating: Critical.

  • MS10-043: Canonical Display Driver Vulnerability Affects Windows x64

In May, Microsoft also released a Security Advisory about an unpatched image handling vulnerability involving the Canonical Display Driver (Cdd.dll) that ships with the 64-bit versions of Windows 7 and Server 2008 R2. We described this vulnerability in this Wire post. Basically, if an attacker can entice you to a malicious website containing a specially crafted image, or into opening such an image within an application that uses the flawed graphics APIs, he can exploit this flaw to either cause your machine to crash and reboot with a Blue Screen of Death (BSOD), or to execute code on your machine with your privileges. Since most Windows users have local administrative privileges, attackers could likely leverage this flaw to gain complete control of a victim’s PC. Today’s bulletin fixes this previously unpatched issue.
Microsoft rating: Critical.

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-042:

Note: This flaw does not affect any other versions of Windows.

MS10-043:

Note: This flaw does not affect any other versions of Windows.

Does My Firewall Help?

Attackers can exploit these flaws using diverse exploitation methods, including by simply tricking you into viewing a malicious image. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

Microsoft Office Updates Fix ActiveX Controls and Outlook

Summary:

  • These vulnerabilities affect: Microsoft Office 2002, 2003, and 2007 (Windows only) or the components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including enticing your users to a malicious website, or into opening a malicious attachment.
  • Impact: Various results; in the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released two security bulletins describing three vulnerabilities that affect the Windows versions of Microsoft Office 2002, 2003, and 2007 or components that ship with it. Each vulnerability affects Office components to varying degrees. However, a remote attacker could exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS10-044: Various Office ActiveX Control Code Execution Vulnerabilities

ActiveX controls are essentially small programs, often shared between applications, that work behind the scenes performing minor tasks on Windows-based computers. They are kind of like Microsoft-only Java applets. Many Microsoft applications, including Office, ship with many different ActiveX controls for performing various tasks. For instance, Microsoft Office installs an ActiveX control (common to both Outlook and IE) that allows elements of your Outlook environment, such as your calendar or email messages, to be viewed as a web page.

Unfortunately, some of the ActiveX controls that ship with Office 2003 and the 2007 Microsoft Office System suffer from two vulnerabilities involving the way these controls handle memory. While the flaws differ technically, they share the same end result. If an attacker can entice one of your users into visiting a maliciously crafted web page, he can exploit either of these vulnerabilities to execute code on that user’s computer, inheriting that user’s level of privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.
Microsoft rating: Critical.

  • MS10-045: Outlook Attachment Code Execution Vulnerability

Outlook suffers from a code execution vulnerability due to its inability to handle attachments that are attached to an email in a particular way. Microsoft’s bulletin doesn’t describe exactly what type of attachment causes the issue. The flaw lies more in how the attachment is attached (using the ATTACH_BY_REFERENCE value of the PR_ATTACH_METHOD property), rather than what type of attachment it is. In any case, by enticing one of your users into opening an attachment from a specially crafted email, an attacker can exploit this flaw to execute code on your user’s computer, with that user’s privileges. Since most Windows users have local administrative privileges, the attacker would likely gain full control of your user’s computer.
Microsoft rating: Important.
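For triage of saved or quarantined Outlook messages, you can read the PR_ATTACH_METHOD property of each attachment and flag those attached by reference. The following is an added example, not from Microsoft's bulletin or the original post; it assumes you have already extracted an attachment's property stream from a .msg file, that the stream has an 8-byte header followed by 16-byte entries (tag, flags, value), and the sample streams are constructed.

```python
import struct

PR_ATTACH_METHOD = 0x37050003     # property ID 0x3705, type PT_LONG
ATTACH_BY_REFERENCE = 0x00000002  # value named in the paragraph above
HEADER_LEN = 8                    # assumed attachment property-stream header
ENTRY_LEN = 16                    # assumed: 4-byte tag, 4-byte flags, 8-byte value

def attach_method(stream):
    """Return the PR_ATTACH_METHOD value from a property stream, or None."""
    if len(stream) < HEADER_LEN:
        raise ValueError("property stream shorter than its header")
    body = stream[HEADER_LEN:]
    usable = len(body) - len(body) % ENTRY_LEN  # ignore a truncated tail entry
    for off in range(0, usable, ENTRY_LEN):
        tag, _flags, value = struct.unpack_from("<IIQ", body, off)
        if tag == PR_ATTACH_METHOD:
            return value & 0xFFFFFFFF  # PT_LONG uses the low 4 bytes
    return None

def is_by_reference(stream):
    """True when the attachment is linked by reference rather than embedded."""
    return attach_method(stream) == ATTACH_BY_REFERENCE

def _entry(tag, value):
    """Build one constructed 16-byte entry for the samples below."""
    return struct.pack("<IIQ", tag, 0x6, value)

# Constructed samples: header, an attachment-number entry, then the attach method.
SAMPLE_BY_VALUE = bytes(HEADER_LEN) + _entry(0x0E210003, 0) + _entry(PR_ATTACH_METHOD, 1)
SAMPLE_BY_REFERENCE = bytes(HEADER_LEN) + _entry(0x0E210003, 0) + _entry(PR_ATTACH_METHOD, 2)

if __name__ == "__main__":
    for name, data in (("by value", SAMPLE_BY_VALUE), ("by reference", SAMPLE_BY_REFERENCE)):
        print(name, "-> flag for review" if is_by_reference(data) else "-> ok")
```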

Solution Path:

Microsoft has released patches that correct all of these Office related vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS10-044:

Other versions of Office not affected.

MS10-045:

Outlook update for:

Does My Firewall Help?

Attackers can exploit these flaws using diverse exploitation methods, such as luring you to a seemingly normal website or opening an unspecified attachment. Therefore, installing Microsoft’s updates is your most secure course of action. That said, in general, we recommend you train your users to avoid opening any unsolicited attachment.

Status:

Microsoft has released patches correcting these issues.

References:

