There’s been considerable stink lately about the Race to Zero contest that is to be held at Defcon. I, for one, am a bit perplexed by this. This article from ZDNet Australia is what finally made my eyes cross in confusion/aggravation.

I don’t know at what point the collective “wisdom” became that signature-based AV was ever intended to be about defending against every threat ever devised, before it was ever devised. Signature-based scanners are intended to detect and clean known threats. If you modify a known threat, it’s not really “known” anymore, is it? Now it’s a variant of a known threat.

It’s certainly desirable to have protection against all threats, known and not-yet-known. This is what things like firewalls, Intrusion Prevention Systems, Data Leakage Prevention and all those other wonderful security products are intended to do, in concert with AV. Most AV software now also includes proactive static detection like Generic and Heuristic detection, along with more dynamic detection like emulation or behavioral detection. Many AV programs now also include broader security functionality like a firewall or IPS.

Generic and Heuristic detection is certainly better at picking up unknown threats than simple signature-based scanning, but there are three things that limit it. For one, it’s still reactive, basing detection on known bad techniques. Secondly, it’s static - obfuscation can still muck up the detection, if it causes the file to deviate from the known bad technique. Finally, there’s still a need for these detections not to be false-prone. Heuristics and generics essentially cover known “really, really bad” techniques. The threshold of badness must be quite high to make it into AV products. Consider how many commercial products and widely used administration tools blur those lines, and you may come to appreciate what a very fine line it is.

It’s not clear from what I’ve seen whether the contest’s judges intend to use the most paranoid settings available within the various products, but their description does seem to indicate they’ll only use the static detection, rather than running it real-time through the products. This does not accomplish a full testing of the products capability, it only tests one component. The results they get will not be what an average user will get.

The contest organizers and participants are playing with fire in order to prove what we already know: Signature-based scanners are meant to protect against known threats. That doesn’t mean that AV is dead, or that it’s useless. The industry is evolving, and its products with it. AV is intended to be one tool in a complete security arsenal. Defense in depth is where it’s at, if you’re really looking to protect your network.

A Microsoft Works ActiveX potential zero-day threat has been disclosed on a handful of Chinese blog sites. This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted. (Show of hands: Who’s surprised?)

Here’s the meat of this: The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll). Yes, it appears successful exploitation would allow for code execution via a controlled pointer. For this to occur, the victim would need to visit a malicious Web site.

On the plus side, this control is not marked safe, and attempts to use it should be accompanied with a warning from Internet Explorer. Even though this is the case, you will want to set the kill bit for clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 to help mitigate. Initial testing on Windows XP SP2 and Internet Explorer 7 shows this to be easily exploitable once past the “warning” hurdle.

In the mean time, McAfee Avert Labs will continue researching this issue.

No, it’s not a Massive Ordnance Air Blast Bomb, thankfully. But could users of Apple software feel that it’s really that bad? January 2007 is the Month of Apple Bugs (MoAB), in which a new Apple-related vulnerability is announced for every day of the month.

The first two MoAB bugs affect Apple Quicktime and VLC Media Player respectively. If exploited, both bugs would allow remote code execution — however user interaction is needed.

MoAB is a project similar to November 2006’s Month of Kernel Bugs (MoKB). The bugs released during the MoKB affected software from a gamut of vendors, including Apple, Linux, Microsoft, NetGear, and others. In both projects, security researchers announce previously-unknown bugs in selected software in order to raise awareness about the state of security in these software products.

While many MoKB bugs remain un-patched and the software they affect remain vulnerable, Apple users affected by MoAB can thank Landon Fuller for some temporary relief. Landon, a system architect, has promised to develop unofficial patches for software affected by MoAB bugs.

The researchers at McAfee Avert Labs will continue to follow MoAB closely, so keep reading!

Well, we’ve seen the first of the promised bugs for Apple and Apple products as a part of the “Month of Apple Bugs“. And perhaps unsurprisingly, the first bug is also applicable to Windows as well, being a buffer overflow vulnerability for QuickTime. There’s also some saying that this may be rather difficult to implement.

So in short, this month of bugs that’s supposed to take Mac fans down a peg…also exposes holes in Windows. And maybe it works, maybe it doesn’t. Way to start it off with a bang, there!

As a Mac fan who realizes Apple software is written by humans just like any other software, which will inevitably have the occasional bug, perhaps I’m not the demographic they’re looking to deflate. But really, I think you’d be hard pressed to find even the most rabid Mac fan who believes Apple software is 100% bulletproof. That’s just plain deluded. I think most Mac users at this point are of the opinion that it’s more akin to the risk of mosquito bites in August at Crater Lake, versus in January at the South Pole. There’s just a lot more nasty critters flying around the Windows environs than the OS X environs for the time being.

But even from a strictly researcher perspective, I am curious to see what this month brings up, both in terms of exploits and the discussion around them. Expect to see lots more here on that subject as things progress!

Apparently not! On December 20, a new zero-day exploit for Microsoft Windows operating systems was released. This exploit targets a weakness in the Client Server Run-Time Subsystem, and allows local privilege escalation or denial of service.

Microsoft has acknowledged this vulnerability and admitted that its newest operating system, Windows Vista, is vulnerable.

Keep reading for more on exploits released this holiday season. Happy holidays!

In the week leading up to 12 December 2006, two new Microsoft Word zero-day vulnerabilities became public (Word I, Word II). Microsoft’s December Patch Tuesday fell on December 12, but this cocktail of Microsoft’s patches did not include fixes for the two new Word flaws. To make matters worse, on December 12, a third zero-day Word flaw was released (Word III).

Although one could argue that the December 12 release of a new Microsoft flaw was only a coincidence, it fits the trend of the disclosure of Microsoft vulnerabilities on or just after a Patch Tuesday. November’s trend-fitter, a vulnerability in Microsoft Active Directory, did not include a public proof-of-concept; this month’s trend-fitter, however, does have a public proof-of-concept.

So the Word zero-day trio has a window of exposure of at least a month. Please stay secure as we continue to protect our customers against such attacks.

Last Wednesday, Microsoft posted an advisory for a targeted “zero-day” attack using a Microsoft Word vulnerability CVE-2006-5994, we refer to this as “Microsoft Word 0-Day Vulnerability I”.

In our tracking of this new 0-day vulnerability, I analyzed a Word Document sample for MessageLabs. Just when you would have thought this could be the same 0-day which was most recent, Microsoft confirmed upon our request that we are seeing double trouble — this was really “Microsoft Word 0-Day Vulnerability II”.

I previously wrote about non-executable file formats being a popular vector in recent years; this is a trend that will continue into 2007 and deserves to be given ample consideration in planning for security resources, policies and user education programs.

McAfee Avert Labs released DAT coverage for payload associated with “Microsoft Word 0-Day Vulnerability I” in DAT version 4914 for Downloader-AZQ and Downloader-AZR. The new threat that is exploiting “Microsoft Word 0-Day Vulnerability II” is now covered in DAT version 4915 as Exploit-MSWord.b.

Today, Avert Labs announced the availability of its podcast on the “Top Ten Security Trends in 2007”.

As part of this podcast, McAfee will identify those threats it believes businesses and consumers will face in 2007 as computer criminals become more organized and professional in their approach.

Download the podcast

On Sunday November 5th, we blogged about a 0-day exploit discovered in the wild that was targeting a Microsoft XML Core Services vulnerability. McAfee Avert Labs had been tracking and monitoring the payload deployed by this exploit.

W32/Kibik.a was the detection name assigned on Sunday, which was soon included in the McAfee VirusScan DAT release the following week. With rootkit heuristics, behavioral detection and IP blacklists being the talk of the (security) town in recent years, W32/Kibik.a makes an interesting attempt to survive in this competitive matrix of today.

W32/Kibik.a is a parasite that attaches to Windows Explorer (explorer.exe), even covering backup copies of explorer.exe in system restore, service pack installation and windows installer folders, making it a hard time for the victims to restore the original system file. On the process list, explorer.exe has its perfectly legitimate presence; on disk, the infected explorer.exe file has no distinction in filesize because W32/Kibik.a attaches to unused segments in the original file. Behavioral detection products looking for rootkit characteristics or autorun register keys will find nothing, because there isn’t any rootkit or autorun key.

To make it even difficult to track for network administrators, W32/Kibik.a sends innocent looking search requests to Google Blogsearch - only the search keywords are unique hexadecimal strings. Google Blogsearch, unlike Google Web Search that we are most familiar with, indexes blog entries with RSS and Atom feeds from blog authors. This makes blog content more readily searchable than Web search. When indexed, search results can return dynamic data, such as URLs to download, or commands to execute in a synchronized manner. At the time of writing, W32/Kibik.a’s searches have not yielded any results thus far.

From silent installation via a 0-day exploit, to silent residence and operations and virtually silent and innocent looking Google search; W32/Kibik.a could well be the start of a new trend in scalable remote controlled malware (a.k.a. botnet) in 2007. It is no wonder with its stealthy elements, few security vendors had detected or repaired W32/Kibik.a to date.

McAfee Avert Labs continues to monitor W32/Kibik.a and other malware using these techniques.

Š

Microsoft recently posted Security Advisory (927892) for a critical vulnerability in Microsoft XML Core Services. This vulnerability was discovered in the field and allows for remote code execution. This equates to another means for drive-by attacks via Internet Explorer. Exploitation is not believed to be wide spread at this time, but we can expect exploit code to become public early in the week at which point exploitation will pick up exponentially.

Workarounds include setting the kill bit for the XMLHTTP 4.0 ActiveX Control and modifying Internet Explorer’s security settings. For more information, see:
http://www.microsoft.com/technet/security/advisory/927892.mspx

McAfee Avert Labs is currently analyzing this threat.

In my last blog entry I talked about the consequences of Microsoft’s policy of releasing security updates only once a month. Is this encouraging exploit writers to release zero-day Microsoft exploits soon after a month’s Patch Tuesday to maximize the vulnerability’s window of exposure? Yesterday, on 24 Oct 2006, exploit code was released for a Microsoft Internet Explorer (IE) vulnerability. This proof-of-code code could cause denial-of-service (DoS) in IE. Avert Labs is investigating this exploit further.

Patch Tuesday next month falls on November 14. So this IE bug’s potential window of exposure is at least three weeks…

As timescales compress in computer security, research organizations feel increasing pressure to be first to report on a threat. It’s hard to perform lengthy fact checking in hours time. In the last couple of months we heard about two different 0-day attacks from two different major security vendors, neither of which were 0-day attacks. This week analysis was posted on a “new” anti-virtual-keyboard technique used by a password stealing trojan; only problem is that technique is at least 3 years old. And this week an IE 7 0-day vulnerability turned out to be more than 5 months old.

Of course the irony is that other researchers have to chase the claims, which reduces the amount of time available for fact checking prior to release for the issues they’re trying to report on; so it’s a vicious cycle. Additionally, people who report on such issues are often excited and anxious to spread the news, not to mention the competitive aspect of all of this.

Generally speaking, the largest organizations tend to lean towards lengthy validation cycles, taking a long time to react, while smaller shops may only do a quick check to validate their claims.

Personally I think either extreme is not good and a balance needs to be found. Part of that balance should include going with what you know at the time, allowing for terms like ‘under investigation’ or ‘believed to be’, while reserving absolute statements until after due diligence has been given.

Maybe that’s just me?

Patch Tuesday refers to the second Tuesday of each month when Microsoft releases security updates for its products. As a matter of policy, Microsoft releases patches only on Patch Tuesday. (One recent exception to this was an out-of-cycle patch for the Internet Explorer VML vulnerability.)

The researchers at McAfee Avert Labs follow Patch Tuesday with interest: Microsoft’s products are used by the lion’s share of industry and home users, and un-patched vulnerabilities in Microsoft’s products can often have an impact on global security.

Back in July 2006, Patch Tuesday fell on July 11. On July 12, a Trojan, Exploit-PPT.b, was released. This Trojan exploited a previously-unknown Microsoft PowerPoint vulnerability.

An exploit for a new vulnerability follows a Patch Tuesday. A one-time event?

This month, on 12 October 2006-two days after the October Patch Tuesday-we discovered a zero-day exploit in the wild for a new Microsoft PowerPoint 2003 vulnerability, CVE-2006-5296. Microsoft has said on its TechNet blog that this exploit could carry out code execution on the victim’s machine.

Security expert Bruce Schneier has commented that exploits might be released to follow a Patch Tuesday to maximize the “window of exposure”-the time until next month’s Patch Tuesday arrives with security patches for the new vulnerability.

Is Zero-Day Wednesday (or Thursday) going to become a trend? We’ll be watching.

Today Microsoft patched 26 vulnerabilities, a record high since their monthly patch cycle started. Among the patched vulnerabilities are the 0-Day vulnerabilities in Word and PowerPoint that have been used in targeted attacks against large enterprises. The vulnerability in the WebViewFolderIcon ActiveX object that allows for Internet Explorer drive-by-install and drive-by-download attacks, has been patched as well. None of today's patched vulnerabilities has been tagged as a worm candidate.

The anticipated remediation of the vulnerability in the DirectAnimation.PathControl ActiveX object in Internet Explorer did not see the light yet.

The update of our graphs of last month is found below. The graphs show that Microsoft has continued the trend of patching a large number of critical vulnerabilities each month.

To follow up on my Another Day, Another 0-day post; today (Sep 27, 2006), Microsoft has released a security advisory for this vulnerability:

Microsoft Security Advisory (925984)
Vulnerability in PowerPoint Could Allow Remote Code Execution

The following versions of PowerPoint are affected:

• PowerPoint 2000
• PowerPoint 2002
• PowerPoint 2003
• PowerPoint 2004 for Mac
• PowerPoint v. X for Mac

CVE-2006-4694 was assigned for this vulnerability on Sep 11, 2006.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4694

As one zero day gets patched, (Microsoft released an out-of-cycle patch for the recent VML Fill vulnerability) another is found.

Today we discovered an exploit affecting Microsoft PowerPoint (preliminary testing shows Office 2000, Office XP, and Office 2003 are affected). A single target of this exploit has been identified, so like other recent Microsoft Office 0-day discoveries, it appears that this one is also a targeted attack.

What makes this attack interesting, is the fact that it appears that Microsoft’s antivirus product added detection three days ago. The only public information on these threats is the boiler plate Malicious Software Encyclopedia entries (which show an incorrect discovery date of Sep 26, when virus definition files from Sep 23 detect):

• Exploit:Win32/Controlppt.W
• Exploit:Win32/Controlppt.X

There isn’t a public advisory from Microsoft; suggesting the Microsoft’s security team knew of this in-the-wild attack but did not make the information public.

For the record, I am not a fan of full disclosure (the concept, not explicitly the mailing list). I believe that more money has been lost, more data stolen, and more illegal activity around exploits has happened because of full disclosure. Historically, those with the skills to find vulnerabilities and create exploits are not the ones who write Blaster and Sasser, etc. Generally, the people who heavily abuse exploit code have “copy & pasted” the work of others. They customize the payload and release, and in these cases damages would have been significantly reduced if it were not for the availability of exploit details.

That said, if an attack is in the wild, acknowledgment of the attack is not something to conceal. Non-disclose the nitty-gritty details, but do inform.

- Update Sep 27, 2006 9:30 -
Correction, coverage went into the 4861 DAT release.

- Update Sep 26, 2006 17:00 -
McAfee antivirus coverage for these two exploits was released earlier today in DAT version 4860; detected as Exploit-PPT.d trojan.

Today was launched the ZERT - ZeroDay Emergency Response Team . The goal of this group of security professionals is to study 0day exploits and develop unofficial patches when those exploits pose a security risk to the internet or users in general and a vendor-supplied patch has not been released yet.

This is an interesting approach, since we have recently seen so many critical security vulnerabilities and exploits without patches. Remeber the Windows WMF vulnerability?

On the other hand, despite of the fact that the ZERT group may perform extensive testing, it is ALWAYS advisable to perform your own tests in your own environment, if you plan to apply them, since it may break applications or conflict with a software/hardware vendor guarantee.

Anyway, it is nice to see efforts like this.

Thousands of websites are compromised everyday. Many end up defaced or vandalized with greetz to the hacker and flames to the system administrator for failing to maintain server security. Defacing is the lowest form of internet graffiti and is usually done for fun or attention.

More sinister is when organized crime groups use compromised web servers to host malware. The compromised web pages are modified to host zero-day exploits which compromise users via drive by downloads or can be used as staging servers for trojan downloaders to pull and push further malware. Attack script toolkits like WebAttacker are being sold on the internet and are then custom configured to infect visiting computers without any user interaction. An attacker only needs to send spam via email addresses or instant messenger messages inviting recipients to visit a compromised website hosting the vulnerability and its malware exploit.

So how does one know where the attacks will come from? What can be done to track down the bad guys and combat them? One, of many ways, is to scan the internet for vulnerable systems and then monitor the sites that are found to be vulnerable, waiting for them to be hacked. Once the site is compromised, don’t attempt to get the compromised server shutdown as that would only make the bad guys move elsewhere. Rather keep an eye on the server and monitor it for any malicious uploads and downloads.

To quote a recent example, when code for the Exploit-WMF was released, a security company was able to come up with a listing of over a hundred sites that were compromised and hosting this exploit, much faster than big search engines indexed the Internet. Critics may argue that this is akin to watching the enemy plant landmines and waiting for hapless victims to step on it because one happens to be in the business of manufacturing prosthetic limbs. The more intel that can be gathered, the better chance the security community has of shutting down the bad guys. Let us all work with the law enforcement and intel communities.

The internet is a scary place as crime increasingly becomes an omnipresent menace. The window between vulnerability discovery to its incorporation into exploit code has shrunk from months or weeks to true zero-day as attackers and security experts are perpetually in a race against time. Browser vulnerabilities and exploits such as the Exploit-VMLFill are just a prelude to a series of pending exploits that pose the fastest growing threats to internet surfing. At the time of writing, a security update to address this vulnerability is being worked upon by Microsoft and their goal is to release the update on Tuesday, October 10, 2006, or sooner.

With ever increasing browser-based attacks, it is more important than ever that users not trust seemingly familiar or safe links particularly when received via Instant Messengers, Internet Relay Chat or Email. McAfee Avert Labs is committed to continued research against all known exploits of the Vector Markup Language vulnerability and will continue to update our coverage as new attack vectors and threats emerge. The problem will not go away…. but we can sure make life difficult for the bad guys.

Overview

Encrypting File System (EFS) [1], is integrated in Microsoft’s Windows platform since Windows 2000. Additionally, Windows XP Professional, Windows 2003 Server and Windows 2005 Media Center operating systems also support it. EFS uses public key cryptography that makes use of a user’s account login and password pair to encrypt a private key. The private key is used to encrypt the original data (files or folders). Encrypting any files or folders, in the supported operating systems, is a trivial task and can be done in many ways. For example as shown in the image below calc.exe can be encrypted just by clicking on “advanced” and then checking “Encrypt contents to secure data”.

Programmatically this can be achieved using calling various APIs that support file encryption like CreateFile with FILE_ATTRIBUTE_ENCRYPTED flag or EncryptFile function. Microsoft’s commandline utility Cipher.exe can also be used for encrypting directories and their contents. The result of such encryption is that only authorized user can view these files. Many businesses or home users frequently use it to encrypt the confidential data that needs to be protected from hackers, uploader trojans or somebody gaining physical access to machine.

Concerns

Recently a trojan was seen to take advantage of EFS to protect itself and execute with administrative privileges. This malware is composed of obfuscated DLL and PE files that are thoughtfully crafted. It has two main components, a dialer component that is detected as Qdial-45 the other is a downloader/dropper component detected as Spy-Agent.bf that drops this dialer along with an EFS encrypted downloader file. McAfee has been detecting variants of this trojan since August 02, 2006, however we have observed an upsurge in infection rates in last few weeks.

The trojan creates an administrator login account with a random name and random password. Using this login key pair it then encrypts the downloader component that it drops. It then creates a random service that points to the encrypted file with logon properties of the newly created login and password. This service can be arbitrarily started. The encrypted file is executed with the logon credentials that the trojan created, to download the updated variants of spy-agent.bf. Some variants of this trojan also drops a Browser Helper Object, a DLL file in alternate data streams. The DLL file is obfuscated as well and tries to download updated copies of Spy-Agent.bf trojan.

It has been observed to contact the following IPs and domains for updates and DNS queries.

• shiptrop.com
• 195.225.176.85
• 195.225.177.22
• esthost.com
• wscooler.com

The downloader component of the trojan uses steganographic techniques to hide the downloaded packets from network sniffers. From its download servers it downloads a packed file with a “gif” header. It decrypts this fake gif file in memory and creates a random named executable in “C:Documets and Settings\%LocalUser%My Documents” folder and launches it. The origins of these trojans appear to be the domain names “Gromozon.com”, “xearl.com”, and “micotad.com”. Most of them resolves to IP addresses in range 195.225.176.* - 195.225.177.*. It is advisable not to visit these web sites as they may still contain various browser exploits. We have always seen a tendency toward copycat malware. More malware may adopt similar techniques of self preservation using EFS. It is useful to understand what proactive steps can be taken to prevent such an attack.

Prevention

1. As a best practice disable download of unsigned ActiveX controls in the browser and always update Windows and McAfee products for latest signatures and updates.

2. VirusScan Access Protection rules.

• Block Access to Cipher.exe so that it cannot be used to encrypt arbitrary files and folders.
• Prevent Creation of NTFS stream in windows and its subdirectories by adding following rule to prevent file creation.
  • “%windir%**:*”

3. If EFS is not needed it can be disabled by following registry modifications.

• Navigate to the key HKEY_LOCAL_MACHINESOFTWAREMicrosoft Windows NTCurrentVersionEFS
• On the right pane, right click to select New, and then click DWORD Value.
• Enter EfsConfiguration for the value name and 1 for the value data to disable EFS.
• Restart the system.
• Any attempt to encrypt the file at this stage will result in the following message. “An error occurred applying attributes to the file: filename. The directory has been disabled for encryption.”

4. EFS can also be disabled by adding a desktop.ini file, with the following lines, in the folder that needs to be protected from adding encrypted files.

[Encryption]
Disable=1;

5. Programmatically EFS can also be disabled using API EncryptionDisable(DirPath, BOOL) [2].

References

[1] Encrypting File Systems in Windows XP and Windows Server 2003

[2] Disabling EFS for a Specific Folder

Yesterday McAfee Avert Labs updated the W32/Mofei.worm entry. This threat has recently been seen in the wild being dropped by Microsoft Office documents that used a 0-day exploit to compromise the victim’s computer.

To respond to some questions I received in Paris, I took a look at this sample.

The dropper is a malformed Microsoft Word document exploiting an undocumented and previously unknown vulnerability in Microsoft Word. The file I used for my tests is a Japanese 3 page Word document. It is approximately 79,265 bytes in size. Via the properties windows, we can see 2 five-uppercase-letters names as author and company names. Names started with the letter K. According to the statistics folder it was created on September 1st.

After I opened this document (Office 2000 on a Windows 2000 machine), 2 files were silently installed in my %windir%system32 directory:

• clipbook.dll (30,720 bytes)
• clipbook.exe (33,713 bytes)

A word document was also created in the %windir% directory (28,160 bytes). It is a “clean” copy of the malformed one.

The files in the system32 directory are related to an old network share propagation worm previously named W32/Mofei.worm. It attempts to spread by copying itself to the ADMIN$ share of remote machines. It scans IP addresses, tries to gain access to the share by trying weak administrator username and passwords. It creates temp and/or log files in the system32 directory. On my system I noticed a file named clipbook.dat.

The Microsoft Word dropper is now detected as W32/Mofei.worm.dr.
Exe and dll files are now detected as W32/Mofei.worm with DAT-4844. With older signature files, clipbook.exe is detected as “Trojan or variant New Malware.n” (since DAT version 4677).

Last night Sunbelt blogged about a zero day IE exploit being discovered in the wild. This attack has taken shape much the way Exploit-WMF did back in December 2005. A trojan toolkit known as WebAttacker was updated to include exploiting a new Vector Markup Language Buffer Overflow vulnerability. This toolkit is known to be sold on the underground for as little as $17 US, but just like the Exploit-WMF case, we can expect exploit source to be readily available shortly.

General advice around this kind of attack is to stay on the straight and narrow path while touring the Internet. However, WebAttacker has historically been installed on compromised web servers, and we’ve seen message board posts and blog entries that include iframes to refer to other sites that are running WebAttacker. Disabling JavaSript effectively neuters known attacks. Using an alternate web browser also thwarts this attack.

Microsoft has posted an advisory including workarounds:
http://www.microsoft.com/technet/security/advisory/925568.mspx

McAfee product coverage (including proactive 0-day protection) can be found here:
Exploit information: http://vil.nai.com/vil/Content/v_140629.htm
Vulnerability information: http://vil.nai.com/vil/Content/v_vul26881.htm

P.S. As I write this entry, Exploit-WMF remains as the top most reported malware blocked by our VirusScan Online products.

An epic transformation in the world of security is upon us. Today, we released the first issue of our semi-annual security magazine Sage. We will leverage this communication vehicle to deliver meaningful and sometime raw content to the masses. We take our responsibility to protect the public from malicious malcontents very seriously and will not shy away from difficult content or taboo topics. Instead, we will share with the world our day-to-day fight and let you decide how important the concepts being broached are to you.

The premiere issue examines the use of open source by the malware writing community. We show the pivotal role that code sharing and full disclosure have played in the evolution of the threat environment, and we anticipate a surge in malware quality and reliability as the malware writers become more professional. Though open source cannot be blamed for how some unsavory individuals may choose to use its tools, techniques, and methodologies, the movement should acknowledge that there are dangers associated with some of its fundamental beliefs.

Sage is meant to be a forum for thought leadership and serious discourse on topical security issues. By drawing on the Labs wealth of data and expertise, and writing challenging security articles, we hope to provoke important discussion about the digital battlefield we have found ourselves in.

Get Sage now from the McAfee Threat Center site:

http://www.mcafee.com/us/threat_center/white_paper.html

Last week, Microsoft announced that it had received a single report for a new 0-day vulnerability involving Excel. A malicious spreadsheet was attached to an e-mail and sent to a targeted victim. Various information is available from Microsoft and an interesting FAQ is also available on the Securiteam blog:
http://blogs.technet.com/msrc/archive/2006/06/16/436174.aspx
http://www.microsoft.com/technet/security/advisory/921365.mspx
http://blogs.securiteam.com/?p=451

Today, this threat has been deemed Low-Profiled due to media attention. FrSIRT has also posted an announcement at http://www.frsirt.com/english/advisories/2006/2361.

According to various reports, the original file is named okN.xls. Supposedly when a user opens the file the software unexpectly closes and some binary files are dropped in the Windows System directory as well as the system root directory.

I have studied a sample. It had a 127,488 byte size. On my French system, the file had a long name with semi-graphical ASCII characters possibly of Asian origin. After I renamed the file and opened it on an English Microsoft Excel 2000 version running on a Windows 2000 environment, the expected exploit did not occur. The filename visible on the left and high corner of the window indicated to me that the file was partially loaded, but no spreadsheet was visible. When I attempted to close Excel, I received an application error message saying some memory address could not be read. I made another test on a Windows XP-PRO (French) environment and with Excel 2002. This time an error message appeared and the file could not be loaded.

My colleagues also tested the file in a Japanese environment with the same disappointing results. We suspect that the exploit is more specifically crafted for Excel 2003 running on a specific OS version. It perhaps uses hardcoded return EIP offsets.

Despite these problems, the XLS file and its embedded downloader are detected as downloader-AWV.dr and downloader-AWV.

A zero day Yahoo! Mail vulnerability was exploited today that results in the execution of arbitrary code.  The vulnerability lies within Yahoo's onload event handling, allowing an attacker to craft an email message that results in script execution when users read their Yahoo! Mail.  In today's attack, a virus author utilized this exploit to run JavaScript that spams @yahoo.com and @yahoogroups.com recipients with a new virus (JS/Yamanner@MM - http://vil.mcafeesecurity.com/vil/content/v_139913.htm).  Yahoo is reportedly working on a fix and blocking these messages.

A new 0-day working exploit code for an unpatched vulnerability in Oracle Export Extensions was posted to Bugtraq last week. US-CERT announces that successful exploitation may allow a remote attacker with some authentication credentials to execute arbitrary SQL statements with elevated privileges. This may allow an attacker to access and modify sensitive information within an Oracle database.

Rare in 2003/2004, 0-day attacks seem to be more and more common. This term applies to distribution of an exploit linked to a vulnerability which has not yet been corrected. In this case, the period between the appearance of the exploit and that of the corrective patch is null or negative : null if the exploit and the patch arrive on the same day, negative if the patch arrives several days after the exploit.

More information about this new vulnerability can be found here:
CERT-US : Public Exploit Code for Unpatched Vulnerability in Oracle
Secunia Advisory: SA19860

On May 2nd, we are not aware of any vendor-supplied patches for this issue.