Avast WEBforum

Other => General Topics => Topic started by: avatar2005 on April 02, 2007, 12:17:40 PM

Title: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 02, 2007, 12:17:40 PM
31.03.2007 New MS Windows exploit, see here: Microsoft Security Advisory (935423) (http://www.microsoft.com/technet/security/advisory/935423.mspx) and it is still not fixed :(
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: DavidR on April 02, 2007, 02:39:17 PM
There are new detections in the VPS for this vulnerability and it has been discussed in the forums previously. Check the VPS History and look for win32:ani - lots added in today's VPS update and many more a few days ago, 30/4, 31/4.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 02, 2007, 05:18:33 PM
No, you misunderstood me :-\. I mean to say that Microsoft hasn't released a fix for that "hole"  ::)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: DavidR on April 02, 2007, 05:30:50 PM
They are by all accounts going to release one tomorrow Wed 3rd April, avast general forum, >> Updates << topic.

Thankfully avast have been all over it like a rash with the VPS updates.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: polonus on April 02, 2007, 06:03:01 PM
Hi avatar2005 and DavidR,

Good that avast protects us from the first worm that uses the animated cursor leak in Windows. This worm spreads through e-mails and infected websites. So using Firefox browser until the hole is patched is recommended. Whenever you view the HTML the worm can be spread further, not only via the ANI-exploit, also through USB sticks and other media. The worm changes the settings of the Host file, and downloads a variant of the Trojan-PWS.Win32OnLineGames malware.
Microsoft was aware of this hole since December last. In severity the ANI-leak equals the WMF bug, so Internet Storm Center has yellow now.
ANI files date from the days of Windows 3.1. It is a bug in user32.dll, present in all 32bit Windows versions.
Actually it is a ridiculously simple bug, a stack-overflow in the second non-checked part of the ANI-header, more so while a similar stack overflow had been found in the first part of the ANI-header in 2005.
I think we are unaware of what holes lay dormant waiting for us to be discovered in the near future.

polonus
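A defender-side check for the malformed header described in the post above, added here as an example (not code from the thread, from avast or from Microsoft): it walks the RIFF chunks of an .ANI file and flags any `anih` header chunk whose declared length is not the fixed 36 bytes, or any file carrying more than one. The sample files are constructed and zero-filled, and the function names are this example's own.

```python
import struct

ANIH_SIZE = 36   # the ANI header structure is nine 32-bit fields
MAX_DEPTH = 4    # cap LIST nesting so hostile input cannot recurse deeply


def walk_chunks(data, start, end, findings, depth=0):
    """Return [(tag, offset, declared_size)] for RIFF chunks in data[start:end]."""
    chunks = []
    pos = start
    while pos + 8 <= end:
        tag = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body = pos + 8
        chunks.append((tag, pos, size))
        if body + size > end:
            # The length field points past the container: stop trusting it.
            findings.append(
                f"{tag.decode('latin-1')} chunk at offset {pos} declares "
                f"{size} bytes but only {end - body} remain")
            break
        if tag == b"LIST" and size >= 4 and depth < MAX_DEPTH:
            chunks += walk_chunks(data, body + 4, body + size, findings, depth + 1)
        pos = body + size + (size & 1)   # chunks are padded to an even length
    return chunks


def check_ani(data):
    """Return a list of findings; an empty list means the structure looks sane."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]
    findings = []
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        findings.append(
            f"RIFF size field says {riff_size + 8} bytes, file has {len(data)}")
    chunks = walk_chunks(data, 12, len(data), findings)
    anih = [(off, size) for tag, off, size in chunks if tag == b"anih"]
    if not anih:
        findings.append("no anih header chunk")
    if len(anih) > 1:
        # Checking only the first header is not enough: every one must be validated.
        findings.append(f"{len(anih)} anih chunks, expected 1")
    for off, size in anih:
        if size != ANIH_SIZE:
            findings.append(
                f"anih chunk at offset {off} declares {size} bytes, "
                f"expected {ANIH_SIZE}")
    return findings


# --- constructed sample inputs (zero-filled, not real cursor data) ---
def chunk(tag, body):
    pad = b"\x00" if len(body) & 1 else b""
    return tag + struct.pack("<I", len(body)) + body + pad


def riff_acon(*chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


HEADER = struct.pack("<9I", 36, 1, 1, 0, 0, 0, 0, 10, 1)   # 36-byte header
FRAME = chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 16))
GOOD = riff_acon(chunk(b"anih", HEADER), FRAME)
# A valid first header followed by a second one with a wrong length.
BAD = riff_acon(chunk(b"anih", HEADER), chunk(b"anih", b"\x00" * 80), FRAME)

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, check_ani(sample) or "ok")
```
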
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 02, 2007, 07:13:31 PM
Microsoft knew of Windows .ANI flaw since December 2006
http://blogs.zdnet.com/security/?p=143&tag=nl.e589
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: cogadh on April 02, 2007, 07:30:10 PM
Microsoft knew of Windows .ANI flaw since December 2006
http://blogs.zdnet.com/security/?p=143&tag=nl.e589

Which is why I will never use Internet Explorer again. Microsoft is notified of flaws and rather than address it immediately with at least some advice/warnings to their customers, they stay silent for four months before even mentioning it. I understand it can take time for them to come up with a permanent solution, but in the meantime users who don't know any better are infecting their machines daily. All Microsoft's silence does is perpetuate the proliferation of viruses around the world.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: drhayden1 on April 02, 2007, 07:42:10 PM
is this the one you are talking about ???
ANI Exploits - Microsoft releasing emergency patch on April 3rd

I'd suggest the following:

* Make sure anti-virus is on the latest definitions on servers and clients
* Avoid the eEye and ZERT patches in favor of the official patch
* Look at mitigating factors documented in the MS advisory
* Pilot test and roll the official patch out promptly
* All HTML code is now a little more dangerous and folks should be extra careful with email and website visitations.

ANI Exploits - Microsoft releasing emergency patch on April 3rd
http://www.microsoft.com/technet/security/...in/advance.mspx
http://isc.sans.org/diary.html?storyid=2555

Most of you probably won’t have to worry though, because most use either Opera or Firefox as their browser. This vulnerability only applies to Internet Explorer 6 or 7 on Windows 2000, XP, 2003, and Vista. However, if you’re using IE 7 on Vista and you have the User Account Control (UAC) enabled then you are also fine. When you have UAC enabled it will force IE 7 to run in “protected mode” which is helpful at preventing unwanted attacks such as this one.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: polonus on April 02, 2007, 08:23:12 PM
Hi drhayden1,

What I cannot understand is that this hole has been there since the days of Windows 3.1 (in computer terms that is Dino time), they had it in 2005 (other (first) part of the ANI-header), then warned for this one since 2006, and only when the cat is out of the basket they hurry for an emergency patch to be brought out.
The stack overflow was that simple you can take it from any hacker example textbook.

It is the same like you would steer a hum V built on a Volkswagen beetle frame and parts. Would not it rattle while the repair man running next to it to keep it patched? Who is living in cuckoo-land now?

polonus
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 02, 2007, 08:59:50 PM
is this the one you are talking about ???
ANI Exploits - Microsoft releasing emergency patch on April 3rd

***Skip***

Most of you probably won’t have to worry though, because most use either Opera or Firefox as their browser. This vulnerability only applies to Internet Explorer 6 or 7 on Windows 2000, XP, 2003, and Vista. However, if you’re using IE 7 on Vista and you have the User Account Control (UAC) enabled then you are also fine. When you have UAC enabled it will force IE 7 to run in “protected mode” which is helpful at preventing unwanted attacks such as this one.

Well I don't have Vista to use UAC, but I do use Opera 9.1, so I think I'm protected better than those who use IE. ::)  ???
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: drhayden1 on April 02, 2007, 09:15:39 PM
same here use opera and also avant(ie clone)but won't use for the time being :o
and polonus why didn't they take care of this problem long ago but finally since the cat is out of the hat they are running around like crazy mice fixing the problem 8)
click on pic to enlarge ::)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 02, 2007, 09:27:03 PM
If you want to hear more about this, Steve Gibson has made a special edition of Security Now that talks about this.

http://www.twit.tv/SN
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: drhayden1 on April 02, 2007, 09:32:16 PM
thanks marc57
Depending upon your level of concern and/or exposure you could install the eEye patch now, or wait (one day) for Microsoft's official update. But be sure to look for this update on or after Tuesday, April 3rd.-sure will-but will get the official update to be on the safe side ::)
click to make kiss a-little bigger ;D
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: polonus on April 02, 2007, 09:39:33 PM
Hi drhayden1,

What shall we say to the "mice". We read in the textbook that counter-measures can be taken against stack overflow vulnerabilities, that is using secure programming code. Well no code is free of errors, but all too often code is produced that is brought in to solve some urgent problem (as is demonstrated here again), security in that case is often not taken as a first priority. Vendors of code (Microsoft at all included) are sloppy with code, too many are aware their code is full of holes, but do not want to pay attention or try to solve problems later in the form of a patch. Secure compilers should be used; arguments should be validated whether they are user- or program-directed. This may slow programs down slightly, but security of the application is enhanced. Use secure routines and check the return codes. Minimalize the number of processes that run. And install all vendor patches.
We advise not to install third party patches. The eEye patch already being circumvented by the malcreants. But our mice can read text books as well I think,

polonus
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: drhayden1 on April 02, 2007, 09:43:52 PM
thanks for the advice and or warning my friend on the patch issue..will wait till microsoft and their mouse running around with their heads cut off release the patch for us we thought protected computers users can get ::) ??? 8)
end of story :o
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 02, 2007, 09:46:22 PM
thanks marc57
Depending upon your level of concern and/or exposure you could install the eEye patch now, or wait (one day) for Microsoft's official update. But be sure to look for this update on or after Tuesday, April 3rd.-sure will-but will get the official update to be on the safe side ::)
click to make kiss a-little bigger ;D


Thanks for the pic. I think I'll wait until tomorrow, I'm running I.E. in protected mode and have Windows Mail set for text only so I think I'll be OK. (hope)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: drhayden1 on April 02, 2007, 09:49:03 PM
explain your protected mode or stealth mode you are running to say that you are protected...just curious ??? ::)
click on pic to enlarge ::) :P
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 02, 2007, 09:58:10 PM
explain your protected mode or stealth mode you are running to say that you are protected...just curious ??? ::)
click on pic to enlarge ::) :P


It was stated by Microsoft that if you have I.E. set to protected mode (Vista only) that it would stop the exploit if you browsed to a bad site.

"The exposure to attacks that exploit the flaw is mitigated on Vista machines with Internet Explorer 7, Microsoft noted. IE 7 protected mode shields the computer against drive-by installations because the browser is restricted to where it can write files."

(You have to have UAC turned on for this to work)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: drhayden1 on April 02, 2007, 10:00:43 PM
ok-you are right on that-later my friend-stay protected in all things you do ;)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 02, 2007, 10:11:42 PM
ok-you are right on that-later my friend-stay protected in all things you do ;)


Thanks my friend, I'll try.  One more thing, you're protected on the e-mail front if Windows Mail is set to text only, BUT if you reply or forward the bad e-mail you can get infected because (for some reason) Windows Mail turns it back to HTML.  ???
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 03, 2007, 06:13:45 PM
For Firefox users

You might want to read this.

Firefox ANI exploit on the way - no protected mode

http://blogs.zdnet.com/Ou/?p=461
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 03, 2007, 07:02:01 PM
Spooky :o :o
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 03, 2007, 07:06:19 PM
Only George Ou could use a MS bug to bash Firefox.  ::)

Isn't the fix for this out today anyway?
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 03, 2007, 07:11:15 PM
Only George Ou could use a MS bug to bash Firefox.  ::)

Isn't the fix for this out today anyway?
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 03, 2007, 07:12:48 PM
I Just spoke with Opera support team & they said that Opera is safe to protect against ANI Exploit... for now... :-\ ::) ::)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 03, 2007, 07:15:27 PM
Thanks Bob!

I checked a few moments ago and it wasn't available in the UK, but I'll try again later.

Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 03, 2007, 07:25:12 PM
Thanks Bob!

I checked a few moments ago and it wasn't available in the UK, but I'll try again later.


I checked earlier this morning and it wasn't available here. Re-checked after I saw your post
and it was there. Thanks  :)
A reboot is required after this update.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: drhayden1 on April 03, 2007, 07:30:26 PM
Security Update for Windows XP (KB925902)
just got it......
Microsoft released the below security bulletin to address a CRITICAL vulnerability issue in Windows:

MS07-017 - Vulnerabilities in GDI Could Allow Remote Code Execution (925902)

The security update applies to:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 Service Pack 2
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems and Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows Server 2003 x64 Edition Service Pack 2
Microsoft Windows Vista

References:
MS Advisory 935423: http://www.microsoft.com/technet/security/...ory/935423.mspx
MS Security Bulletins for end-users: http://www.microsoft.com/athome/security/u...ins/200704.mspx
MS Security Bulletins for IT Pro: http://www.microsoft.com/technet/security/...n/ms07-apr.mspx
MS Response Center Blog: http://blogs.technet.com/msrc/default.aspx
MS KB925902: http://support.microsoft.com/?kbid=925902
MS Security Bulletin: http://www.microsoft.com/technet/security/...n/ms07-017.mspx

Note:
Microsoft NEVER send security updates via e-mail. Download only the updates using Windows Updates, Microsoft Download Center websites or Automatic Updates functionality in Windows.

Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 03, 2007, 07:34:14 PM
Oops! What does this mean?  ???

(http://donaldbroatch.users.btopenworld.com/dllerror.png)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Lisandro on April 03, 2007, 07:40:15 PM
Google rthdcpl.exe and you'll find it is an infection  ::)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 03, 2007, 07:40:37 PM
This is all I could find.

Description:
rthdcpl.exe is a process belonging to the Realtek HD Audio Control Panel and is bundled alongside Realtek sound cards and audio hardware. This program is a non-essential process, but should not be terminated unless suspected to be causing problems


Can you get an update?
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 03, 2007, 07:46:39 PM
This is why Microsoft takes so long to issue fixes- if it rushes them out like today, it'll bugger up something else at the same time it fixes the problem.

 >:(
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: igor on April 03, 2007, 07:53:28 PM
Hm, interesting. Yes, (the updated) user32.dll now has the same base address as hhctrl.ocx. I wouldn't think it should be a problem, however... that's why they are DLLs - they are relocatable.

Maybe the system doesn't like to relocate its system libraries... but I'd expect user32.dll to be loaded before hhctrl.ocx anyway...
Strange.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 03, 2007, 08:02:48 PM
I've got the same process, and so far no problems (Vista HP).
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: johnny223 on April 03, 2007, 08:48:48 PM
Oops! What does this mean?  ???

(http://donaldbroatch.users.btopenworld.com/dllerror.png)

I have exactly the same problem too!  and i do have the realtek audio as audio driver, for now i just restored the computer back to before the update, but i dont know how to fix this :'(
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 03, 2007, 09:00:06 PM
Just found this:

http://support.microsoft.com/?kbid=925902 (http://support.microsoft.com/?kbid=925902)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 03, 2007, 09:07:03 PM
Have you tried the hotfix Frank? does it work?
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: drhayden1 on April 03, 2007, 09:08:28 PM
thanks for the info freewheelinfrank...didn't get the error as some of you got since i don't have the realtek audio as audio driver on both of my computers..they must have rushed this patch out and now they have another problem-way to go again microsoft
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 03, 2007, 09:11:17 PM
Quote
CAUSE
This problem may occur after you install security update 925902 (MS07-017) and security update 928843 (MS07-008). The Hhctrl.ocx file that is included in security update 928843 and the User32.dll file that is included in security update 925902 have conflicting base addresses. This problem occurs if the program loads the Hhctrl.ocx file before it loads the User32.dll file.

Quote
RESOLUTION
Hotfix information
A supported hotfix is now available from Microsoft. However, it is intended to correct only the problem that is described in this article. Apply it only to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows XP service pack that contains this hotfix.

To resolve this problem immediately, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.

Translation:

CAUSE
We goofed up.

RESOLUTION
We have a patch to fix the goof up, but it may goof up your computer even more, so we recommend you wait for the next blue moon XP service pack, or contact customer support where we will tell you how much we're going to charge for fixing our goof up.
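The base-address conflict quoted from the KB article above, as an added example (not from the thread or from Microsoft): it reads the preferred load range from two PE headers and reports which module loses its preferred base for a given load order. The header bytes and their values are constructed, not taken from the real Hhctrl.ocx or User32.dll, and the function names are this example's own.

```python
import struct

RELOCS_STRIPPED = 0x0001   # COFF Characteristics flag: image cannot be rebased


def preferred_range(pe):
    """Return (ImageBase, ImageBase + SizeOfImage, relocatable) from a PE header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    characteristics = struct.unpack_from("<H", pe, e_lfanew + 22)[0]
    opt = e_lfanew + 24                      # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32: 32-bit ImageBase
        base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 64-bit ImageBase
        base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    size = struct.unpack_from("<I", pe, opt + 56)[0]
    return base, base + size, not (characteristics & RELOCS_STRIPPED)


def displaced_modules(load_order):
    """load_order: [(name, header_bytes)] in the order the process loads them.

    Returns [(name, relocatable)] for every module whose preferred range is
    already occupied when its turn comes. Where the loader would put it
    instead, and whether the module copes with that, is not modelled.
    """
    taken, displaced = [], []
    for name, pe in load_order:
        lo, hi, relocatable = preferred_range(pe)
        if any(lo < t_hi and t_lo < hi for t_lo, t_hi in taken):
            displaced.append((name, relocatable))
        else:
            taken.append((lo, hi))
    return displaced


def make_header(image_base, size_of_image):
    """Build a minimal constructed PE32 DLL header carrying only the fields read above."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x2000)  # i386, DLL
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return dos + b"PE\x00\x00" + coff + bytes(opt)


# Constructed values: both modules ask for the same preferred base.
HHCTRL = make_header(0x10000000, 0x90000)
USER32 = make_header(0x10000000, 0x80000)

if __name__ == "__main__":
    print(displaced_modules([("hhctrl.ocx", HHCTRL), ("user32.dll", USER32)]))
    print(displaced_modules([("user32.dll", USER32), ("hhctrl.ocx", HHCTRL)]))
```
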
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 03, 2007, 09:27:23 PM
They're actually going to CHARGE to fix a problem THEY caused??   ???  ???
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 03, 2007, 09:30:07 PM
Quote
Have you tried the hotfix Frank? does it work?

Quote
To resolve this problem immediately, contact Microsoft Customer Support Services to obtain the hotfix. For a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem.

Translation:

You want us to fix our goof up? Let's talk money! Hey, maybe the call centre worker Microsoft Support Professional will let you have it for free if he's had a good day and is feeling generous.  :-X
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 03, 2007, 09:38:12 PM
Frank your translations appear to be your attitude toward MS not their official policy.
I've yet to pay a dime for any problems with a Microsoft problem that directly traces back to their
product or a fix of a product.....
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 03, 2007, 09:45:17 PM
I think my translations are a fairly accurate paraphrase of what I read.

My attitude to MS is purely ad hoc: to ask customers to phone a national rate phone line (and wait half an hour for an answer, no doubt) and then maybe pay for the privilege of receiving a hotfix really sucks.

I don't know what sort of attitude you were expecting in this situation, but scoffing at Microsoft seems reasonably justified.  >:(
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 03, 2007, 09:50:14 PM
Quote
I don't know what sort of attitude you were expecting in this situation, but scoffing at Microsoft seems reasonably justified.
Have you called MS?    If so, were you charged?
False positives aren't anything new and this isn't any different. I'm sure if this related to Firefox, your words would be a little kinder.  :)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: johnny223 on April 03, 2007, 10:01:08 PM
i cant find the link to the hotfix file ???
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 03, 2007, 10:04:34 PM
@Bob

Quote
Have you called MS ?

Calls are charged at national rate. I might try tomorrow but if they keep me hanging on the line, I'm not going to run up a huge phone bill.

Quote
False positives aren't anything new and this isn't any different.

It's not a false positive: two of their patches collided in a traffic accident for some customers and they want those customers to pay to have the situation fixed- or wait for the next XP service pack, which is so far off on the horizon it's invisible.

Quote
I'm sure if this related to Firefox, your words would be a little kinder.

I don't know what this has to do with Firefox, but if Mozilla asked me to phone up customer support to get a hotfix and possibly pay for it I'd be just as pissed off.

@johnny223

There is no link. There's a link to customer support. In the UK it's a national rate telephone number. The page also is not clear whether a charge will be made for taking the call.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: DavidR on April 03, 2007, 11:24:46 PM
Calls are charged at national rate. I might try tomorrow but if they keep me hanging on the line, I'm not going to run up a huge phone bill.

If it is an 0870 number try a search on that number in http://www.saynoto0870.com/ and see if there is an alternative geographic number.

I signed up and use http://www.call18866.co.uk/ to make calls to geographic numbers, there is a connection charge of 5p, but the rest of the call is no charge, free.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 03, 2007, 11:29:25 PM
Frank
I know it's not a false positive but the effect is similar.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 04, 2007, 09:14:34 AM
Microsoft have obviously been reading my merciless ribbing and have put the hotfix on the web page:

http://support.microsoft.com/kb/935448/ (http://support.microsoft.com/kb/935448/)  8)

(Requires WGAPluginInstall.exe and GenuineCheck.exe.)

Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 04, 2007, 09:45:25 AM
Hotfix applied and no more problems.  8)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 04, 2007, 03:47:00 PM
the update for ex-SU users is finally available today. Yey! It takes Long time
 :-\ ???
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: drhayden1 on April 04, 2007, 05:02:29 PM
what more next week ??? ::)
Next week is Patch Tuesday again:
Microsoft Security Bulletin Advance Notification
http://www.microsoft.com/technet/security/bulletin/advance.mspx
Updated: April 3, 2007

The next security bulletin advance notification is scheduled for April 5, 2007, and will outline information for the April 10, 2007 security bulletin release.

or am i reading it wrong ??? ???
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 05, 2007, 08:13:26 PM
Yes I Think You are right, as far as I understood the next update will be on 10th of April 2007. ::)
but I have a hypothetical question: are there some time to come, when Microsoft will fix all the holes in their Windows family product line? ::) ::) ??? ??? :-\
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 05, 2007, 09:22:22 PM
Yes I Think You are right, as far as I understood the next update will be on 10th of April 2007. ::)
but I have a hypothetical question: are there some time to come, when Microsoft will fix all the holes in their Windows family product line? ::) ::) ??? ??? :-\
Yes, right after people stop exploiting holes...... ;D :) ;D
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: OrangeCrate on April 06, 2007, 12:34:29 AM
Yes, right after people stop exploiting holes...... ;D :) ;D

Agreed, and I might add to that, when people stop running through the Internet barefooted and blind...

One of my favorite quotes:

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -Rich Cook
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 06, 2007, 12:40:07 AM
Quote
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning. -Rich Cook"
Confucius says  "People who skate the net without a condom are sure to wind up with a pregnant roller skate."  ;D
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 06, 2007, 01:19:12 PM
 ;D Funny, but true ;D
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: polonus on April 09, 2007, 12:31:54 AM
Hi malware fighters,

The Microsoft patch has again caused trouble in Germany where an online taxpayers' program became corrupted through downloading the patch. The hotfix for this was not available on the German site at the time, but on an English site. The deadline for the German tax-collect is April 10th.
Haven't we developed all sorts of methods and techniques in software engineering to keep errors limited to specific components, where changes in the implications of components or components do not have to lead to errors and failure. If the result of some buffer-overflow in the animated-mouse-cursor-component makes an application fail to respond, we have a case of "leaky abstractions", ill-chosen interfaces or a row of simple errors. When it was the first time this occurred we could forgive M$, but this is not the first time....

polonus
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 09, 2007, 03:00:58 AM
Quote
When it was the first time this occurred we could forgive M$, but this is not the first time....
Why isn't the blame put on the folks that caused the need for a patch in the first place.  ???
Why is it Microsoft's fault that hackers are breaking their code ???
This is like blaming the homeowner for allowing a thief to break into his home.  ??? ??? ???
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: DavidR on April 09, 2007, 03:50:02 AM
They aren't breaking MS's code, rather finding vulnerabilities and exploiting them. The code was/is already broken.

The home owner who leaves the doors or windows open can hardly be surprised when they are burgled. Lock the doors and windows and you can rightly feel aggrieved at getting burgled.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 09, 2007, 03:53:38 AM
David
I can leave my doors and windows wide open and it's still a crime
to break into my house.... :)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: DavidR on April 09, 2007, 04:07:13 AM
It might be a crime that doesn't mean your insurance company will pay out if you leave it unlocked or your premiums won't go up.

Yes it may be a computer crime (local laws accepted) for someone to break into your computer, first they have to be caught, but they are only able to do it because of vulnerabilities that haven't been closed. Where is the same punishment/consequences for their lax security, as for you the home owner whose premiums go up because you were burgled.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 09, 2007, 04:11:57 AM
I guess the world has turned upside down.
It's the homeowners fault when he gets robbed and the poor crook
should get a medal for showing every one how dishonest he is.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 09, 2007, 08:21:35 AM
The problem now affects several applications: the original Realtek control panel, the tax program Polonus mentioned:

http://sunbeltblog.blogspot.com/2007/04/ani-exploit-fixed-germany-gets-tax-free.html (http://sunbeltblog.blogspot.com/2007/04/ani-exploit-fixed-germany-gets-tax-free.html)

and others:

Quote
This problem occurs when the following third-party applications are installed:
•   Realtek HD Audio Control Panel
•   ElsterFormular 2006/2007
•   TUGZip
•   CD-Tag

Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: DavidR on April 09, 2007, 02:23:08 PM
I guess the world has turned upside down.
It's the homeowners fault when he gets robbed and the poor crook
should get a medal for showing every one how dishonest he is.

That is not what I mean, it is not what I said and you know it Bob, let's not forget you paid handsomely for windows and there is an expectation that it is fit for purpose. There are security holes galore in the windows OSes that are being exploited and at times they are very slow to respond with some vulnerabilities months or more old and unpatched.

In a consumer environment you have a right to expect a product works or you try to get your money back under the sale of goods protection, try doing that with MS if you have broken the shrink wrap. If you have a car and it has faults that cause it to crash you would claim against the company, try doing that with MS.

Consumers have a right to expect a product that they purchased is fit for purpose or have it fixed promptly.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: OrangeCrate on April 09, 2007, 05:06:34 PM
I guess the world has turned upside down.
It's the homeowners fault when he gets robbed and the poor crook
should get a medal for showing every one how dishonest he is.

That is not what I mean, it is not what I said and you know it Bob, let's not forget you paid handsomely for windows and there is an expectation that it is fit for purpose. There are security holes galore in the windows OSes that are being exploited and at times they are very slow to respond with some vulnerabilities months or more old and unpatched.

In a consumer environment you have a right to expect a product works or you try to get your money back under the sale of goods protection, try doing that with MS if you have broken the shrink wrap. If you have a car and it has faults that cause it to crash you would claim against the company, try doing that with MS.

Consumers have a right to expect a product that they purchased is fit for purpose or have it fixed promptly.

This is one of the best testimonials for switching to Linux as a primary operating system, and a commitment to open source, community developed software that I've ever seen.

Tech, Justin, or myself would be delighted to answer any questions you might have in making the switch...

 ;D
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: Marc57 on April 09, 2007, 09:35:28 PM
Microsoft to push fix for patch trouble

Microsoft on Tuesday plans to push out a fix to repair problems caused by last week's emergency cursor flaw patch.


http://news.com.com/Microsoft+to+push+fix+for+patch+trouble/2100-1002_3-6174540.html?tag=html.alert
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 10, 2007, 09:04:05 AM
Latest news on .ani attacks:

http://www.websense.com/securitylabs/blog/blog.php?BlogID=122 (http://www.websense.com/securitylabs/blog/blog.php?BlogID=122)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 10, 2007, 03:15:47 PM
Instead of pushing out news about the Vulnerability,
the push should be on making people aware that a patch has
already been issued.
Just update your system and you can put this breach behind you.  :)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 10, 2007, 09:11:25 PM
Responsible disclosure, the Microsoft way (http://blogs.zdnet.com/security/?p=157&tag=nl.e622)
No credit for the researcher who discovered the ANI vulnerability.  >:( :( >:(
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: polonus on April 10, 2007, 10:24:04 PM
Hi bob3160,

But that is not the attitude of the researchers that make a full disclosure. They give the software developer 48 hours and then they open up with what they stumbled upon. In the case of the firebug gaping hole, pdp did not wait, and went public with it being aware the developer was away for Easter. You can read it here: http://www.gnucitizen.org/blog/firebug-goes-evil and my proposed simple protection near the bottom of the blog page. Anyways the firebug extension was immediately updated to a secure version, accolades to the developer there. Well that is why patches come that fast in public code. It works two ways. Those that find up holes and those that close them henceon work together to improve the code. They are waltzing towards security, not dancing constantly on the edge of a cliff..

How in contrast then with the security policy of the makers of the MS closed code. These herders of what is mainly "security through obscurity" have other interests seemingly, and try to keep the lid on vulnerabilities (hushing up on the one we discussed here for a couple of months, hoping it would not materialize??). That is why we haven't seen a complete overhaul of this "code built on code" with dinosaur insecure bits in it, dating back from the days of win 3.01. As long as no-one is rattling the skeleton-bones a bit, they are kept hanging there...until they come down eventually. You just cannot trust this code fully apparently. Well no-one can code absolute securely, but then again it is about the attitude...

polonus

Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: DavidR on April 10, 2007, 11:34:01 PM
Interesting piece relating to this zero day vulnerability, MS appear to have known about it since Dec 2006.

Quote from: Extract Windows Secrets newsletter.
Microsoft's patch didn't come in time

According to the Microsoft Security Response Center blog (http://windowssecrets.com/links/kppxknwaepp9d/b439e8h/?url=blogs.technet.com%2Fmsrc%2Farchive%2F2007%2F03%2F30%2Fupdate-on-microsoft-security-advisory-935423.aspx), Microsoft was first notified about this vulnerability on Dec. 20, 2006, by a Determina security researcher. Microsoft also says it was made aware that the attack was being used in the wild on Mar. 28 by McAfee. The blog entry goes on to say that Determina is not to blame for leaking the flaw and speculates that it must have been discovered independently.

Microsoft released an emergency patch on Apr. 3, meaning that this exploit was being actively circulated for almost a week, if not longer.

I'm not going to blame Microsoft today for not predicting the future. What do you do when you're aware that a zero-day attack is being used in the wild, but your vendor doesn't have a patch? Do you sit back and take it, or do you craft your own mitigation strategy?
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 11, 2007, 01:03:35 AM
Quote
but then again it is about the attitude...
Unfortunately polonus in this case it can only be described as "PISS POOR"  :(
and since no recognition was given to the researcher who found it, there may not be
any notification when the next exploit is discovered since Microsoft seems to only want to do patches
on their schedule or once they've been released.
This attitude may require "7 patch Tuesdays" each week or, "Linux here I come" in order to keep
the user safe.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: OrangeCrate on April 11, 2007, 02:21:10 AM
This attitude may require "7 patch Tuesdays" each week or, "Linux here I come" in order to keep
the user safe.

Since Windows is my guest operating system, and is used only occasionally, I've tried to remain neutral on this issue since it was first posted. Just quietly reading all the comments. Very interesting.

It's worth mentioning that one of my sons-in-law was a software engineer for Microsoft early in his career, before starting his own consulting practice. Amongst other things, his company maintains several large Microsoft enterprise systems, and they have a couple of Windows boxes that are used for testing and such, that I swear could accelerate from 0 to 60 in about three seconds!

But for personal use at home, he uses a Mac. (I think he knows something he's not telling us...)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: OrangeCrate on April 11, 2007, 12:54:45 PM
Detail on the patch is here:

"Five critical reasons to update Windows today..."

http://www.theregister.co.uk/2007/04/11/ms_april_patch_tuesday/
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: polonus on April 11, 2007, 07:05:45 PM
Hi bob3160,

But this is even worse, the patches that weren't there or the so-called outstanding vulnerabilities, and there is a critical amongst 'em:
http://isc.sans.org/diary.html?storyid=1940&dshield=f4ef5d5410c17a922b1089efa3a7914c

How do you view this?

polonus
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: FreewheelinFrank on April 12, 2007, 10:42:11 PM
Quote
IT organizations are being urged to deploy a patch for a bug affecting how Microsoft Windows handles animated cursors as spammers step up their efforts to exploit the flaw—this time with a promise of lewd pictures of celebrity hotel heiress Paris Hilton.

Quote
"Although organizations appear to be getting better, we still see exploits for vulnerabilities long after the patches have been released," Hubbard said. "As an example we see approximately 10-15 percent exploitation success on vulnerabilities that have been patched for 6 months-plus still."

 :o

http://www.eweek.com/article2/0,1895,2113470,00.asp (http://www.eweek.com/article2/0,1895,2113470,00.asp)
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 12, 2007, 10:55:45 PM
Oh! & what we should do now. MS is continuing the fight with their "holes", but the customers are still vulnerable to "ANI" ??? :o :-\ :'(
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 12, 2007, 11:15:08 PM
Oh! & what we should do now. MS is continuing the fight with their "holes", but the customers are still vulnerable to "ANI" ??? :o :-\ :'(
It's been patched.... Did you do the update???
All this article states is that even though the patch has been issued, it's still in use and still effective
because people don't update their systems.
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: polonus on April 12, 2007, 11:37:31 PM
Hi bob3160,

But you did not see my link further up the thread or did not read the info there. There are some long(er) outstanding holes in Microsoft code for which there are no patches in sight. That is even worse like a zero-day that will be patched, but a hole for which there is no cure in sight is a security risk.

polonus
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 13, 2007, 12:14:41 AM
Hi bob3160,

But you did not see my link further up the thread or did not read the info there. There are some long(er) outstanding holes in Microsoft code for which there are no patches in sight. That is even worse like a zero-day that will be patched, but a hole for which there is no cure in sight is a security risk.

polonus
I saw and read your post Damien.  :)
Didn't answer it because we already know that MS only seems to act when it becomes an actual threat.  >:(
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 13, 2007, 08:42:17 AM
Hi Bob!
Indeed, that's why IMHO, the behavior of Microsoft in this situation is a huge problem ;(
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: polonus on April 13, 2007, 09:10:27 AM
Hi avatar2005,

One of the problems here is backward compatibility and M$ rather putting their own solutions on top as a way to steer away from competition (making their own standards prevail, or own them) or running other standards into the ground. Some of the problems mentioned are unavoidable, and just come with software and coders, because humans are fallible beings...etc.
But for some of its problems M$ has to blame themselves in their continuing drive to uphold their monopolies (their flip flop on Sun java for instance, while developers begged to come around another way: http://news.com.com/2100-1001-203541.html ). As this is not likely to change in the foreseeable, we're in for more surprise..

polonus
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: avatar2005 on April 13, 2007, 07:13:01 PM
I meant that ??? ??? ???
Title: Re: Exploit for "Zero-Day" Vulnerability Detected by Microsoft
Post by: bob3160 on April 14, 2007, 01:34:49 AM
Quote
But for some of its problems M$ has to blame themselves in their continuing drive to uphold their monopolies
polonus,
If it were your product and your bread and butter wouldn't you ???