Security Bytes: New Microsoft exploits in the wild
The exploits target issues Microsoft patched earlier this month. Meanwhile, flaws are reported in Oracle for OpenView and a Mozilla Firefox keystroke logger is on the loose.
The SANS Internet Storm Centre (ISC) has reported that new exploits targeting Microsoft vulnerabilities are now in the wild, one of which has been posted for public consumption.
The exploits reportedly involve three of the flaws Microsoft patched earlier this month:
Johannes Ullrich, chief research officer of the Bethesda, Md.-based SANS ISC, said via email that the issue involving the flaw patched in MS06-036 is likely the most dangerous of the set.
"It would attack a client as it boots and attempts to connect to a DHCP server to obtain an IP address. The 'PoC' exploit released would add a new user to the system," Ullrich said. "There is no good defense against this issue -- other than patching -- in particular if you have to work in public networks."
However, he added, the exploit process is cumbersome, rebooting a PC a few times until it manages to work.
Ullrich said the issue involving MS06-035 has some worm potential, but a basic firewall should keep end-users protected. It could be used once inside a network to spread a bot internally.
He said the exploit involving the flaw in MS06-034 is likely the least severe. "It would require a user to upload a corrupt ASP page to a server. So an attacker would first need a valid user account on the system. This problem could be dangerous for users of shared web hosting environments," Ullrich said.
Sources have reported that exploit code for two of the flaws, MS06-034 and MS06-036, has been posted to the Milw0rm.com Web site.
"If you haven't already patched for these vulnerabilities," said SANS handler Donald Smith, "you should take immediate action."
Oracle for OpenView flaws discovered
The French Security Incident Response Team (FrSIRT) has reported multiple high-risk flaws in Oracle for OpenView, a data repository for Hewlett-Packard Co.'s OpenView systems management platform, created using a number of Oracle Enterprise Server and Oracle tools.
"These issues could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary files, disclose sensitive information, conduct SQL injection attacks or bypass certain security restrictions," FrSIRT said.
Affected Oracle for OpenView versions include 8.1.7, 9.1.01 and 9.2. The issues can be rectified by applying the fixes that Oracle released earlier this month in its most recent quarterly Critical Patch Update (CPU).
Firefox keystroke logger is on the loose
Mozilla Firefox users are warned to be on the lookout for instances of the FormSpy Trojan, instances of which are reported to be circulating in the wild.
Avert Labs Blog, said the low-risk issue was discovered on 24 July. It installs itself as a Firefox component extension and will forward data that a user submits via the browser to a malicious Web site.
"Upon successful execution, FormSpy hooks mouse and keyboard events," said McAfee's Geok Meng Ong. "It can then forward information such as credit card numbers, passwords and URLs typed in the browser to a malicious Web site hosted at IP address 81.95.xx.xx."
McAfee said the installer was heuristically detected as New.Malware.ag, but has also been discovered as Downloader-AXM. It may be installed by visiting a malicious Web page with no user interaction.
"Mozilla Firefox users should exercise caution in downloading and installing unsigned extension components from unreliable sources," McAfee said.
