New Microsoft exploits in the wild
The SANS Internet Storm Centre (ISC)
has reported that new exploits targeting
Microsoft vulnerabilities are now in the wild, one of which has
been posted for public consumption.
The exploits reportedly involve
three of the flaws Microsoft patched earlier
this month:
- MS06-034, an "important" issue with Internet Information
Services (IIS) involving a remote code execution flaw via a
specially crafted Active Server Pages (.asp) file.
- MS06-035, a mailslot heap overflow vulnerability in a server
driver that could allow an attacker to take complete control of the
affected system, and a server message block information disclosure
flaw in the server service that could allow an attacker to view
fragments of memory used to store server message block traffic
during transport.
- MS06-036, a buffer overrun flaw in Windows' Dynamic Host
Configuration Protocol (DHCP) client service that attackers could
exploit to take complete control of an affected system.
Johannes Ullrich, chief research officer of the Bethesda,
Md.-based SANS ISC, said via email that the issue involving the
flaw patched in MS06-036 is likely the most dangerous of the
set.
"It would attack a client as it boots and attempts to connect to
a DHCP server to obtain an IP address. The 'PoC' exploit released
would add a new user to the system," Ullrich said. "There is no
good defense against this issue -- other than patching -- in
particular if you have to work in public networks."
However, he added, the exploit process is cumbersome, rebooting
a PC a few times until it manages to work.
Ullrich said the issue involving MS06-035 has some worm
potential, but a basic firewall should keep end-users protected. It
could be used once inside a network to spread a bot internally.
He said the exploit involving the flaw in MS06-034 is likely the
least severe. "It would require a user to upload a corrupt ASP page
to a server. So an attacker would first need a valid user account
on the system. This problem could be dangerous for users of shared
web hosting environments," Ullrich said.
Sources have reported that exploit code for two of the flaws,
MS06-034 and MS06-036, has been posted to the Milw0rm.com Web
site.
"If you haven't already patched for these vulnerabilities," said
SANS handler Donald Smith, "you should take immediate action."
Oracle for OpenView flaws discovered
The French Security Incident Response Team (FrSIRT) has
reported multiple high-risk flaws in Oracle for
OpenView, a data repository for Hewlett-Packard Co.'s OpenView
systems management platform, created using a number of Oracle
Enterprise Server and Oracle tools.
"These issues could be exploited by remote or local attackers to
cause a denial of service, execute arbitrary commands, read and
overwrite arbitrary files, disclose sensitive information, conduct
SQL injection attacks or bypass certain security restrictions,"
FrSIRT said.
Affected Oracle for OpenView versions include 8.1.7, 9.1.01 and
9.2. The issues can be rectified by applying the
fixes that Oracle released earlier this
month in its most recent quarterly Critical Patch Update
(CPU).
Firefox keystroke logger is on the loose
Mozilla Firefox users are warned to be on the lookout for instances
of the FormSpy Trojan, instances of which are reported to be
circulating in the wild.
Avert Labs Blog, said the low-risk issue was discovered on 24
July. It installs itself as a Firefox component extension and will
forward data that a user submits via the browser to a malicious Web
site.
"Upon successful execution, FormSpy hooks mouse and keyboard
events," said McAfee's Geok Meng Ong. "It can then forward
information such as credit card numbers, passwords and URLs typed
in the browser to a malicious Web site hosted at IP address
81.95.xx.xx."
McAfee said the installer was heuristically detected as
New.Malware.ag, but has also been discovered as Downloader-AXM. It
may be installed by visiting a malicious Web page with no user
interaction.
"Mozilla Firefox users should exercise caution in downloading
and installing unsigned extension components from unreliable
sources," McAfee said.