0-Day

Sigh… The latest “exploit” that affects hundreds of programs and will be the end of the world as we currently know it is actually a well documented feature of Windows. It has actually been around since the DOS days. In the old days we used to call these Companion viruses. It worked by using a different file extension that will be executed before the real executable. For example if you had a “gwbasic.exe” you would create a “gwbasic.com” anywhere in the path and if the user just typed “gwbasic” he would execute the “gwbasic.com” and not the “gwbasic.exe”. If the author of the “gwbasic.com” was ‘nice’ he could execute the “gwbasic.exe” so as to make the existence of the “gwbasic.com” file harder to detect. ...

On April 9th, Tavis Ormandy published a proof of concept about how to use the latest version of Java to compromise a pc. You can read about it here. He notified Sun, but they weren’t concerned enough to break their patch cycle, so he published the code. The problem is that when Sun released Java 6, update 10 in April 2008, they introduced a new feature (it’s not a bug, it’s a feature folks) called Java Web Start. In order to make it easier for developers to install software, they created a method to execute a program from a website. ...

For the current vulnerability in Internet Explorer 6 and 7 which already gets actively exploited on the net, Microsoft is already testing a patch. The company is still considering whether to release the patch on the regular Patchday or out-of-band. Meanwhile, a “Fix-it”-solution is available. With some registry changes the affected peers factory in iepeers.dll gets disabled by a mouse click. You can download it from Microsoft’s knowledgebase. ...

Hot on the heels of the Patch Tuesday announcements yesterday, came the announcement of a new zero-day in Internet Explorer (CVE-2010-0806). Whilst checking through some URLs supposedly serving up malicious code to exploit this vulnerability, I noticed a link to some spam runs from earlier in the week. On March 8th SophosLabs saw spam messages attempting to trick the recipient into visiting rogue web pages. Messages used at least two social engineering tricks to lure victims into clicking the malicious link. ...

Exploit code for the the zero-day vulnerability in Internet Explorer has been added to the Metasploit framework. According to an email HD Moore wrote to ZDNet’s Ryan Naraine, the exploit works quite reliable – successful 50% of the times on Windows XP with SP2 and SP3 with IE7 and deactivated Data Execution Prevention (DEP). The security hole got reported yesterday on Microsoft’s March 2010 Patch Tuesday. Drive-by-Download-Exploits are likely to appear now as the Metasploit framework is open source and the exploit can now be abused even by script kiddies. Time to change the default browser – Microsoft just released a new browser choice screen which allows for exactly that! ...

First, make a note: after Adobe updates, restart your machine immediately to remove the Adobe Download Manger – it can be a vector for malcode. Now, back to our story. Aviv Raff has discovered a vulnerability with Adobe’s web site in combination with its Download Manager, an ActiveX script that is used to download updates for Reader and Flash. After a Reader or Flash update the download manager remains running on a user’s machine until it is rebooted. Malicious operators could exploit it to download their code of choice. ...