Wednesday, July 30, 2008

Severe Vulnerability In Oracle WebLogic Server

A critical vulnerability has been found in Oracle WebLogic Server (previously known as BEA WebLogic Server).

With a specially crafted HTTP POST request, an attacker can cause a buffer overflow in the WebLogic component made for Apache (mod_weblogic). This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password.

The vulnerability affects all platforms. Servers that use the Apache mod_security module are not vulnerable. Vulnerable WebLogic Server and WebLogic Express versions are:
- WebLogic Server 10.0 Maintenance Pack 1 and earlier versions
- WebLogic Server 9.2 Maintenance Pack 3 and earlier versions
- WebLogic Server 9.1 and earlier versions
- WebLogic Server 9.0 and earlier versions
- WebLogic Server 8.1 Service Pack 6 and earlier versions
- WebLogic Server 7.0 Service Pack 7 and earlier versions
- WebLogic Server 6.1 Service Pack 7 and earlier versions


Oracle has promised to provide a fix before its next quarterly CPU (critical patch update) release in October. Until the fix is released, Oracle recommends limiting the maximum URL length to 4000 bytes. Another option is to enable the Apache mod_security module. More information can be read here.

Monday, July 28, 2008

Updates For RealPlayer

RealNetworks has released an updated version of its RealPlayer software that fixes a few security vulnerabilities.

The following RealPlayer versions are vulnerable:
- RealPlayer 10
- RealPlayer 10.5 (builds 6.0.12.1040 - 6.0.12.1663, 6.0.12.1698, 6.0.12.1741)
- RealPlayer Enterprise
- Mac RealPlayer 10 (10.0.0.305 - 352)
- Mac RealPlayer 10.1 (10.0.0.396 - 10.0.0.503)
- Linux RealPlayer 10


More information and instructions for updating can be read on the RealNetworks site.

Thursday, July 24, 2008

DoubleClick's Open Redirects Abused By Malware

Trend Micro writes in its blog about malware abusing DoubleClick's open redirects. Trend Micro Advanced Threat Research has discovered a number of malicious URLs under the domain of DoubleClick, a global Internet advertising company.

All of the links found lead to the file msvideoc.exe, which causes the affected system to connect to a remote site. Upon connection it downloads a file that Trend Micro detects as TROJ_DLOAD.DI. This file in turn downloads a file detected as TROJ_MUTANT.GC. The following DoubleClick links are already blocked.

- hxtp://ad.doubleclick.net/click;h=ADWAJJzSVGmEDCBbJkMiTUfmdIhuADWAJJzS;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aHPDZwqljHnlNScXoBJgzRzaFppDaHPDZwql;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=ahRQJQoWHYpFFYzgAFizZJdQnlgvahRQJQoW;~ss cs=%3fhttp://www.{BLOCKED}otel.eu/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aKXFNafnFbXukmAZjmqAhawpjVYYaKXFNafn;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aMwjNqwdSMZFJUDKSnOUSUwsRiQLaMwjNqwd;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=AMZEPQvqcklBUaAiRxzguoHmlydDAMZEPQvq;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe


Methods like this make it harder for antispam filters to identify the links as malicious, since the redirector is under a legitimate domain. Also, the familiar-looking domain at the beginning of the URL makes the link look legitimate at a quick glance. However, the end of the URL shows that it's far from legitimate.
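The point about reading the end of the URL rather than its beginning can be turned into a filter check. The following is an added example, not code from Trend Micro or from this blog; the function names, the extension list and the sample links (reserved .example hosts) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# File extensions treated as executable downloads (assumed list for this example).
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat")
EMBEDDED_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)  # absolute URL inside the link


def refang(url):
    """Turn defanged 'hxtp://' or 'hxxp://' back into 'http://' for parsing."""
    return re.sub(r"^hx[tx]p", "http", url.strip(), flags=re.IGNORECASE)


def embedded_target(url):
    """Return the URL carried inside a redirector link, or None."""
    tail = refang(url).partition("://")[2]  # everything after the outer scheme
    for _ in range(3):  # bounded loop copes with repeated percent-encoding
        decoded = unquote(tail)
        if decoded == tail:
            break
        tail = decoded
    match = EMBEDDED_URL.search(tail)
    return match.group(0) if match else None


def assess(url):
    """Judge a link by where it finally points, not by its leading domain."""
    outer_host = (urlsplit(refang(url)).hostname or "").lower()
    target = embedded_target(url)
    if target is None:
        return {"outer_host": outer_host, "target_host": None, "verdict": "no-embedded-url"}
    parsed = urlsplit(target)
    target_host = (parsed.hostname or "").lower()
    off_site = target_host != outer_host and not target_host.endswith("." + outer_host)
    executable = parsed.path.lower().endswith(EXECUTABLE_EXTS)
    verdict = "block" if off_site and executable else "review" if off_site else "same-site"
    return {"outer_host": outer_host, "target_host": target_host, "verdict": verdict}


# Constructed sample links (reserved .example names, not taken from the post).
SAMPLES = [
    "hxtp://ad.redirector.example/click;h=CONSTRUCTED;~sscs=%3fhttp://www.downloads.example/video.exe",
    "http://ad.redirector.example/r?u=http%3A%2F%2Fshop.example%2Foffer.html",
    "http://ad.redirector.example/banner.gif",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(assess(link)["verdict"], link)
```

A filter that scores only the leading host would pass the first sample; scoring the embedded target host and file type is what catches it.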

Thursday, July 17, 2008

Vulnerabilities In Mozilla Firefox, SeaMonkey and Thunderbird

A vulnerability related to CSS object handling has been found in the Firefox and SeaMonkey web browsers. By exploiting the vulnerability an attacker could cause a crash and then take advantage of it by running arbitrary code on the victim's computer. The vulnerability affects the Thunderbird email software only if its JavaScript support is enabled. By default the support is disabled.

Alongside the vulnerability mentioned above, another vulnerability was found in Firefox browsers. That vulnerability is related to the way Firefox handles URIs (Uniform Resource Identifiers) entered from the command line. By exploiting the vulnerability an attacker could open multiple into browser while Firefox is not running, access system information and run arbitrary code on the victim's computer.

Vulnerable versions are:
- Mozilla Firefox versions prior to 3.0.1
- Mozilla Firefox versions prior to 2.0.0.16
- Mozilla Thunderbird versions prior to 2.0.0.16
- Mozilla SeaMonkey versions prior to 1.1.11

As a resolution it's advisable to update vulnerable versions to these versions:
- Mozilla Firefox 3.0.1 and 2.0.0.16
- Mozilla Thunderbird 2.0.0.16
- Mozilla SeaMonkey 1.1.11

The update can be made using the automatic update functionality or by installing the latest versions from http://www.mozilla.com and http://www.seamonkey-project.org.

Wednesday, July 16, 2008

Vulnerability In Microsoft Word Application

A vulnerability has been found in the Microsoft Word text editor application. The vulnerability could allow remote code execution and it's reported to be used in targeted attacks. To exploit the vulnerability an attacker has to lure the user into opening a specially crafted Word file.

According to Microsoft, Office Word 2002 Service Pack 3 is the only version affected by the vulnerability. As a workaround, until a proper fix is released, Microsoft advises using the Microsoft Office Word 2003 Viewer or Microsoft Office Word 2003 Viewer SP3 application for opening Word files.

More information on the vulnerability:
Microsoft Security Advisory
SANS Internet Storm Center

Updates For Oracle Products

Oracle has released updates that contain fixes for 45 different vulnerabilities. The fixes are part of the company's quarterly CPU (critical patch update).

The exact list of the vulnerabilities and instructions on how to apply the fixes can be read in Oracle's Critical Patch Update Advisory.

Oracle plans to release the next critical patch update in October.

Tuesday, July 15, 2008

Updates For Apple iPhone And iPod touch Software

Apple has released updates for Apple iPhone and iPod touch devices. The updates fix 13 vulnerabilities in both the operating system of the devices and the applications. Eight vulnerabilities are directly related to the mobile version of the Safari web browser.

Vulnerable versions are Apple iPhone 1.0 - 1.1.4 and Apple iPod touch 1.1 - 1.1.4. It's advisable to update the software to version 2 with the iTunes program.

More information about the updates here.

Saturday, July 12, 2008

Malware Targets Simpsons Cartoon Series Fans On AIM

FaceTime Security Labs writes in its blog about malware that is being spread in the AIM (AOL Instant Messenger) network. To be more exact, the spreader is the username 'Chunkylover53', which has its status set to away, and the away message contains a link to a malicious file. So, what's so special about the name Chunkylover53? Well, in one old episode of the Simpsons cartoon series it was revealed that the email address of Homer Simpson (one of the main characters of the series) was Chunkylover53@aol.com. The username spreading this malware link may not necessarily be related to this email address in any way, but the 'Chunkylover53' name itself is enough to attract Simpsons fans and possibly make them add it to their AIM contact list.

In its away message 'Chunkylover53' advertises a link, saying that by downloading its contents the user gets "a new internet-only exclusive Simpson's episode that is only being released to the internet fans". According to FaceTime Security Labs, the user ends up with the file 'Kimya.exe', which is in fact a trojan that, among other bad things, adds the infected PC to a botnet of Turkish origin.

Thus far Chunkylover53's away message has been changed a couple of times. It's also possible that the party behind Chunkylover53 may use the botnet to spread malicious messages or URLs in the IM network. Keeping that possibility in mind, infected users are advised to keep an eye on all instant messaging activity until they can clean the infection from their computer.

FaceTime Security Labs identifies the trojan as Kimya.

Thursday, July 10, 2008

Update For Sun Java Runtime Environment Released

Sun has released an update for Java SE Runtime Environment (JRE) 6. JRE allows end users to run Java applications. The latest update can be downloaded from Sun's Java SE Downloads site.

More information about the contents of the update can be read in the Release Notes of Java SE 6 Update 7.

Wednesday, July 9, 2008

Updates For Microsoft Windows, Exchange And SQL Server

Yesterday (7/8/2008) Microsoft released four update packages that fix nine vulnerabilities. Along with the vulnerability fixes, a new version of the Microsoft Windows Malicious Software Removal Tool was released too.

MS08-037 update fixes two vulnerabilities in Windows Domain Name System (DNS). Affected systems are all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2008.

MS08-038 update fixes a vulnerability in Windows Explorer that could allow remote code execution when a specially crafted saved-search file is opened and saved. Affected are all supported editions of Windows Vista and Windows Server 2008.

MS08-039 update fixes two vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server. This update is rated important for all supported editions of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007.

MS08-040 update fixes four vulnerabilities in SQL Server memory handling. The update is rated important for supported releases of SQL Server 7.0, SQL Server 2000, SQL Server 2005, Microsoft Data Engine (MSDE) 1.0, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

More information about the updates can be read from Microsoft Security Bulletins (links above).

The easiest way to update is to use the Microsoft automatic update service.

Tuesday, July 8, 2008

Vulnerability In Microsoft Office Snapshot Viewer ActiveX control

A vulnerability has been found in the Microsoft Office Snapshot Viewer ActiveX control (snapview.ocx). The vulnerability can allow a remote, unauthenticated attacker to download arbitrary files to arbitrary locations. The vulnerability can be used, for example, to place files in the Windows startup folder so that they are executed when the system starts up on the next reboot. US-CERT says that it has received reports of active exploitation of the vulnerability.

Office versions 2000, XP and 2003 are vulnerable, as they all contain the mentioned ActiveX control. The ActiveX control is also shipped with the standalone Snapshot Viewer.

At the moment there isn't a fix available for the vulnerability. As a workaround, it's recommended to disable the vulnerable ActiveX control by following the instructions in the Microsoft Security Advisory.

More information on the vulnerability:
US-CERT vulnerability note
Microsoft Security Response Center (MSRC) blog

Sunday, July 6, 2008

Opera 9.51 Released

Version 9.51 of the Opera web browser has been released. The new version contains a fix for a vulnerability in the Windows version that could be used to execute arbitrary code. Opera Software will publish more information on the vulnerability at a later date. The issue where canvas functions could reveal data from random places in memory is also fixed. Other details about the update can be read here.

Opera users can download the updated version here.

Friday, July 4, 2008

Mozilla Fixes Vulnerabilities In Firefox Web Browsers

Mozilla has released an update that fixes 13 vulnerabilities in the Firefox web browser.

Vulnerable versions are:
- Mozilla Firefox versions before 2.0.0.15
- Mozilla SeaMonkey versions before 1.1.10
- Mozilla Thunderbird 2.0.0.14 and versions before it

Mozilla Firefox 2.0.0.x users are advised to update to version 2.0.0.15 (or version 3), and Mozilla SeaMonkey users should get version 1.1.10. There isn't an update for Mozilla Thunderbird yet, which is why its users are advised to turn JavaScript support off until the fix is released.

Firefox 3 is not vulnerable to these reported vulnerabilities. However, a vulnerability that was reported shortly after the Firefox 3 release is still waiting to be fixed.

Thursday, July 3, 2008

Vulnerability in VLC Media Player

A vulnerability has been found in VLC Media Player. The vulnerability is related to an integer overflow that may occur when a specially crafted WAV file is opened. Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 0.8.6h, but previous versions may also be affected.

The vulnerability is fixed in the upcoming version 0.8.6i. Meanwhile, it's recommended not to open unknown WAV files.

Wednesday, July 2, 2008

Microsoft MVP Award

I received the Microsoft MVP (Most Valuable Professional) Award yesterday, on the 1st of July.

This all still feels like a dream. :)

Here is some information on the MVP Award and here is a link to my profile.

Tuesday, July 1, 2008

F-Secure Rescue CD 3.00 Released

Over a week ago F-Secure released Rescue CD version 3.00, which can be used to scan the system for malware. The program renames all files containing malware to the .virus file extension. The following list is quoted from the Release Notes of Rescue CD:

Rescue CD will by default scan:
* all hard drives in the computer
* all USB drives attached to the computer
* Windows FAT and NTFS filesystems
* Virus definition databases are updated automatically if the computer has an internet connection
* Virus definition databases can be updated manually by using a USB drive
* The Rescue CD Guide (pdf) has step by step instructions how to use the CD


To use F-Secure Rescue CD on a computer the computer must:

* Be x86 compatible
* Have at least 256MB of RAM
* Be able to boot from a CD
* Be able to connect to the Internet or be able to use a USB drive



According to F-Secure, the big changes compared to 2.00 include a proper manual for the product, the ability to update databases manually with a USB stick, better hardware support (Knoppix version 5.3.1), an upgraded NTFS driver (NTFS-3G 1.2506) and the ability to detect MBR viruses.

Rescue CD can't be used to scan encrypted files or folders.