Exposure:

Today, Microsoft released two security bulletins describing seven vulnerabilities found in components that ship with Microsoft Office XP and 2003 for Windows, and Office 2004 for Mac. These bulletins do not affect the more current versions of Office, such as 2007 Microsoft Office System or Microsoft Office 2008 for Mac.

The vulnerabilities affect different versions of Office to varying degrees. Though the seven vulnerabilities differ technically, and affect two different Office components, they share the same scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents. In one bulletin, Microsoft specifically states PowerPoint documents are vulnerable. However, they also mention any "Office file" in their other alert. Therefore, we recommend you beware of all unexpected Office documents.

If you’d like to learn more about each individual flaw, drill into the "Vulnerability Details" section of the security bulletins listed below:

•  MS10-003: Multiple PowerPoint Code Execution Vulnerabilities, rated Important
•  MS10-004: Microsoft Office MSO.DLL Code Execution Vulnerability, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.

MS10-003:

•  Office XP w/SP3
•  Office 2004 for Mac

MS10-004:

PowerPoint update for:

•  Office XP w/SP3
•  Office 2003 w/SP3
•  Office 2004 for Mac

“payment request from "Qualcomm" or “payment request from "Google"” or “Your Credit Balance is over its limit”

These all contain a backdoor Trojan in the attachment so again and again I remind everyone to not click those attachments you get in email. I like that “transaction inspector module”, they are always looking for something that will just make people click away, well DON’T!

Severity: High

5 November, 2009

Summary:

§ This vulnerability affects: Adobe Shockwave Player 11.5.1.601 and earlier, running on Windows and Macintosh computers

§ How an attacker exploits it: By enticing your users to visit a website containing a malicious Flash file

§ Impact: An attacker can execute code on your computer, potentially gaining control of it

§ What to do: Download and install the latest version of Adobe Shockwave Player

Exposure:

Adobe Shockwave Player displays interactive, animated web content called Shockwave (.SWF) files. According to Adobe, Shockwave Player is installed on some 450 million PCs.

In a security bulletin released late Tuesday, Adobe warned of critical vulnerabilities that affect Adobe Shockwave Player 11.5.1.601 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin refers to five CVE numbers, which suggests that their update fixes five security vulnerabilities. The bulletin doesn’t describe the flaws in much technical detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Shockwave (SWF) content, he could exploit this unspecified vulnerability to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you deploy Adobe Shockwave throughout your network, we recommend you download and install the latest version as soon as you can.

Solution Path

Adobe has released a new version of Shockwave Player, version 11.5.2.602. If you use Adobe Flash in your network, we recommend you download and deploy this updated player as soon as possible.

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

§ Adobe Security Bulletin

This alert was researched and written by Corey Nachreiner, CISSP.

In this case I pulled up a site I think most would consider “safe”, The Christian Science Monitor. However within that page was a redirect to another server located in Germany owned by a guy in Norway. Of course the infected server I was being redirected to could easily be a legit site which has been hacked or a site setup to specifically try to distribute malware and in this case I suspect the latter as no website actually exist on that server. As to the source of the infection my bet is one of the Flash banners on the primary site was the source of the redirect and just one more reason to disable plug ins whenever possible. Instead of a hacker needing to attack Christian Science Monitor all they have to do is go after the company offering up the advertising banners or even sign up as an advertiser.

Severity: Medium

9 September, 2009

Summary:

§ These vulnerabilities affect: QuickTime for OS X or Windows

§ How an attacker exploits them: By enticing your user to click a malicious link or view a maliciously-crafted movie or image

§ Impact: An attacker could execute code on your user’s computer, potentially gaining control of it

§ What to do: Download and install QuickTime 7.6.4 for Windows or OS X (or use Apple’s Software Update tool)

Exposure:

Today, Apple released a security update to fix four vulnerabilities in QuickTime, their popular media player for both Windows and Macintosh OS X. The vulnerabilities differ technically, but all involve various buffer overflow or memory corruption vulnerabilities. They also share the same scope and impact. By luring one of your users into viewing a maliciously crafted movie or image file, an attacker can exploit one of the four QuickTime flaws to execute code on that user’s computer (or, less worrisome, crash QuickTime). Some of the files susceptible to this attack include MPEG-4, H.264, and FlashPix. These vulnerabilities can be exploited on Windows and OS X computers, with differing results. Attackers exploiting these flaws only gain the privilege of the logged in user. OS X separates normal users privileges from root or administrative privileges. So an attacker will not gain complete control of OS X machines with these flaws. However, most Windows users have local administrative privileges. So an attacker could potentially leverage these flaws to gain complete control of Windows machines.

Solution Path:

Apple has released QuickTime 7.6.4 to fix these security issues. Windows and OS X administrators should download, test, and deploy the appropriate update as soon as possible. By default, Apple’s download bundles iTunes with QuickTime, but because iTunes often has security issues of its own, we recommend that you select the option of downloading QuickTime alone.

For All Users:

Because QuickTime handles so many different media types (many of which are essential for doing business today), trying to block exploitable file types using your firewall may not be the best way to support your organization’s mission. Instead, your best solution is to download and install Apple’s fixes.

Status:

Apple has released updates to fix these issues.

References:

§ Apple’s September QuickTime advisory

This alert was researched and written by Corey Nachreiner, CISSP.

Severity: High

28 May, 2009

Summary:

§ This vulnerability affects: Microsoft DirectX 9.0 and earlier versions (does not affect DirectX 10)  

§ How an attacker exploits it: By enticing your users into downloading and playing a malicious Quicktime movie, or into visiting a malicious web page

§ Impact: An attacker can execute code on your computer, potentially gaining control of it

§ What to do: Implement the workarounds described in the Solution Path section of this alert

Exposure:

Today, Microsoft released a security advisory warning of a serious unpatched DirectX vulnerability, which attackers have already begun exploiting on the Internet. The vulnerability affects DirectX 9.0 (and earlier versions) running on Windows 2000, XP and Server 2003 computers. It does not seem to affect DirectX 10 running on Windows Vista or Server 2008 computers.

Since Microsoft just learned about this flaw, they don’t describe it in much technical detail. They only say the flaw involves the way DirectShow (a component of DirectX) handles specially crafted Quicktime files. However, the advisory does tell how attackers can leverage the flaw. By enticing one of your users into downloading and opening a malicious Quicktime movie, or into visiting a malicious web page, an attacker can exploit this vulnerability to execute code on a victim’s computer, inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

With attackers actively exploiting this vulnerability in the wild, it poses a significant threat to Windows 2000, XP, and Server 2003 users. We recommend you implement the workarounds described below to mitigate the risk of this dangerous zero day attack.

Solution Path:

Microsoft has not had time to release a full patch for this zero day vulnerability. However, they have released a "Fix it" workaround that will disable DirectX’s ability to handle Quicktime files. If you don’t mind disabling Quicktime file handling in Windows, we recommend you apply this "Fix it" workaround until Microsoft releases their final patch. The workarounds described below can also help mitigate the risk of this zero day vulnerability:

1. Inform your users of this vulnerability. Advise them to remain wary of unsolicited Quicktime (.mov) movies. If they don’t absolutely need to view a Quicktime movie, and don’t fully trust the entity it came from, they should avoid watching it until Microsoft releases a patch.

2. Use up-to-date antivirus (AV) software. AV companies are sure to release signatures that detect these malicious Quicktime files. Make sure to update your AV regularly.

3. Use a gateway device, like your Firebox, to block Quicktime files. If your users can’t download Quicktime files, this exploit won’t affect them. Unfortunately, doing this blocks legitimate Quicktime files as well. Nonetheless, depending on your business needs, you may still consider blocking Quicktime files until Microsoft releases a patch.

We will update this alert when Microsoft releases a patch.

Courtesy of WatchGuard

Since Microsoft just learned about this flaw, they don’t describe it in much detail. They only describe how attackers exploit it. By enticing one of your users into downloading and opening a maliciously crafted Excel document (.xls), an attacker can exploit this vulnerability to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

With attackers actively exploiting this vulnerability in the wild, it poses a critical risk to Microsoft Office and Excel users. Microsoft hasn’t had time to patch the flaw yet, but they plan to do so in the future. Until then, we recommend you implement the workarounds described below to mitigate the risk of this dangerous zero day attack.

Solution Path

Microsoft has not had time to release a patch for this zero day vulnerability. However, the workarounds described below should mitigate the risk of attacks currently circulating in the wild.

§ Inform your users of this vulnerability. Advise them to remain wary of unsolicited Excel (.xls) documents arriving via email. If they don’t absolutely need the document, and don’t trust the entity it came from, they should avoid opening it until Microsoft releases a patch.

§ Use antivirus (AV) software and make sure it’s up to date. Some AV companies already have signatures that detect these malicious Excel files. Other AV companies will surely follow.

§ Use the Microsoft Office Isolated Conversion Environment (MOICE) to open untrusted Excel document.  MOICE is a Microsoft add on that provides a special environment which allows you to more securely open Word, Excel, and PowerPoint binary format files. For more details on using it, see the "Suggested Actions" section of  Microsoft’s security advisory.