Network and Computer Security

The Network and Computer Security Blog

November 6, 2006

Microsoft XMLHTTP ActiveX Control Code Execution Vulnerability

Filed under: News, Vulnerabilities, Windows, Articles — SecuNews @ 2:58 pm

A vulnerability has been reported in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user’s system.

The vulnerability is caused by an unspecified error in the XMLHTTP 4.0 ActiveX Control.

Successful exploitation allows execution of arbitrary code when, for example, a user visits a malicious website using Internet Explorer.

Microsoft Advisory & Suggested Workarounds: http://www.microsoft.com/technet/security/advisory/927892.mspx

October 11, 2006

Microsoft Plugs A Record 26 Security Holes

Filed under: News, Vulnerabilities, Windows — SecuNews @ 9:49 am

Microsoft today released ten patches to fix at least 26 separate security holes, including a whopping 16 flaws in Microsoft Office and its constituent apps.

According to Washingtonpost.com’s Security Fix blog, this is the largest number of patches ever released by Redmond outside of a Windows service pack.
Also of note, six of today’s updates apply to fully patched Windows XP systems, and two of the flaws are actually present in Windows Vista.

September 14, 2006

Internet Explorer Compressed Content URL Heap Overflow Vulnerability #2

Filed under: News, Vulnerabilities, Windows — SecuNews @ 12:35 pm

Less than 1 month after the discovery of a very serious vulnerability in Internet Explorer, eEye has just published an advisory concerning a very similar (though different) vulnerability in the latest IE.

Here’s the overview:

“eEye Digital Security has discovered a second heap overflow vulnerability in the MS06-042 cumulative Internet Explorer update that would allow an attacker to execute arbitrary code on the system of a victim who attempts to access a malicious URL. Windows 2000, Windows XP SP1, and Windows 2003 SP0 systems running Internet Explorer 5 SP4 or Internet Explorer 6 SP1, with the MS06-042 patch applied, are vulnerable; unpatched and more recent versions of Internet Explorer are not affected.”

The actual problem lies in URLMON.DLL; here’s a link to the full advisory.

September 2, 2006

Latest polymorphism hides viruses better

Filed under: News, Virus, Windows — SecuNews @ 11:27 am

Just as if we needed that, a new polymorphism technique allows viruses on AMD-64 processors to be even harder to detect.

The virus, dubbed W64.Bounds, is not spreading in the wild, but was submitted as a proof of concept to antivirus researchers. The program is not easy to detect because it encrypts itself using a new algorithm and exploits a Windows feature available only on AMD64 systems to control execution, Peter Ferrie, senior antivirus researcher for Symantec, said.

See the full article on SecurityFocus.

August 26, 2006

Yet another vulnerability in Internet Explorer

Filed under: News, Vulnerabilities, Windows — SecuNews @ 11:22 am

Just as Microsoft released an IE 6 update on August 8th to fix multiple vulnerabilities (see Microsoft Security Bulletin MS06-042), the NSFocus security team has found that this update introduces a new vulnerability.

This vulnerability can be exploited remotely by sending an overly-long URL to the browser.

This issue has been assigned the name: CVE-2006-3869

See here for the full details: NSFOCUS Security Advisory (SA2006-08)

See here for the advisory from Microsoft and the updated patch: Microsoft Security Bulletin MS06-042.

July 29, 2006

More and more flaws found in Microsoft Office

Filed under: News, Vulnerabilities, Windows — SecuNews @ 9:21 pm

The latest Microsoft Office version appears to contain lots of vulnerabilities; so many, in fact, that many experts fear a new macro virus like Melissa is quite likely to appear very soon.

Since the end of 2005, about 20 vulnerabilities have been found in Office; that’s more than enough for the virus and worm writers out there to find an easy-to-exploit one and to take over all the machines with the latest Office (Word, Excel, PowerPoint, Outlook, and, for professional users, Access) installed.

The problem is made even more acute by the fact that it takes Microsoft an average of 4 months to issue patches fixing security problems, so as the number of known vulnerabilities increases, tons of systems remain vulnerable.

Read more here: Flaw finders lay siege to Microsoft Office

May 12, 2006

OSSEC HIDS version 0.8 available for Windows and Linux

Filed under: Tools, OS, Linux, Windows — SecuNews @ 5:02 pm

There isn’t enough good open source security-related software, so new tools are always welcome.

On the heels of Snort and Prelude, we now have OSSEC.

Here are the version 0.8 release notes:

OSSEC HIDS is an Open Source Host-based Intrusion
Detection System. It performs log analysis, integrity
checking, rootkit detection, time-based alerting and
active response.
It runs on most operating systems, including Linux,
OpenBSD, FreeBSD, Solaris and Windows.

This is the first version offering native support for
Windows (XP/2000/2003). It includes as well a new set
of log analysis rules for sendmail, web logs (Apache
and IIS), IDSs and Windows authentication events.

The correlation rules for squid, mail logs, firewall
events and authentication systems have been improved,
now detecting scans, worms and internal attacks.
The active-responses were also refined, with support
to IPFW (FreeBSD) added.

See here for the OSSEC homepage.