JusticeDept.com

October 5, 2009

Alert: Portable Document Format (PDF)


by Art Manion

Adobe Reader and Acrobat JavaScript vulnerabilities

Overview

Adobe Reader and Acrobat contain vulnerabilities in the customDictionaryOpen() and getAnnots() JavaScript methods.

I. Description
Adobe Reader and the Adobe Acrobat family of software is designed to create, view, and edit Portable Document Format (PDF) files. Adobe Reader is widely deployed, and the Acrobat Reader Plug-In displays PDF inside a web browser.
Adobe Reader and Acrobat support JavaScript. The JavaScript methods customDictionaryOpen() (CVE-2009-1493) and getAnnots() (CVE-2009-1492) do not safely handle specially crafted arguments and can be manipulated to execute arbitrary code. Publicly available exploit code claims to work on Adobe Reader 9.1 and 8.1.4 on GNU/Linux. Limited testing shows that Adobe Reader and Acrobat on and Microsoft Windows platforms crash when parsing a PDF file that contains a specially crafted getAnnots() call. As of 2009-04-29 we have not confirmed the reported customDictionaryOpen() vulnerability.

Adobe Security Advisory APSA09-02 states that the getAnnots() vulnerability affects Adobe Reader and Acrobat for Microsoft Windows, Apple Mac OS X, and UNIX, while the customDictionaryOpen() vulnerability appears to only affect Adobe Reader for UNIX.

II. Impact

By convincing a user to open a specially crafted PDF file, an attacker may be able to execute arbitrary code.

III. Solution

Update
From Adobe Security Bulletin APSB09-06, update to version 9.1.1, 8.1.5, or 7.1.2 of Adobe Reader and Adobe Acrobat Standard, Pro and Pro Extended.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript prevents these vulnerabilities from being exploited and reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To disable JavaScript in Adobe Reader:

Open Adobe Acrobat Reader.
Open the Edit menu.
Choose the Preferences… option.
Choose the JavaScript section.
Uncheck the Enable Acrobat JavaScript check box.

Disabling JavaScript does not resolve the vulnerabilities; it only disables the vulnerable JavaScript component. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript.

Some vendors ship JavaScript support in a separate package. Removing this package may remove JavaScript support.

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

Disable the displaying of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser with Adobe Reader:

Open Adobe Acrobat Reader.
Open the Edit menu.
Choose the Preferences… option.
Choose the Internet section.
Uncheck the Display PDF in browser check box.

Rename or remove Annots.api

To disable the vulnerable getAnnots() method, rename or remove the Annots.api file. This will disable some Annotation functionality, however annotations can still be viewed. This does not protect against the customDictionaryOpen() vulnerability.

On Windows, Annots.api is typically located here:

%ProgramFiles%\Adobe\Reader 9.0\Reader\plug_ins

Example location on GNU/Linux:

/opt/Adobe/Reader8/Reader/intellinux/plug_ins/Annots.api
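The two Windows workarounds above (the EditFlags .REG import and the Annots.api rename) can be audited and applied from one elevated PowerShell session. The script below is an added example, not code from the advisory or from Adobe. The AcroExch.Document.7 ProgID and the Reader 9.0 plug_ins path are taken from the advisory; the ${env:ProgramFiles(x86)} root for 64-bit Windows and the bEnableJS preference (the registry form of the "Enable Acrobat JavaScript" check box) are assumptions not stated on the page. Without -Apply the script only reports the current state.

```powershell
# Added example (not from the advisory): report and, with -Apply, enforce the
# Adobe Reader workarounds on Windows. Run in an elevated PowerShell session
# with Adobe Reader closed.
param([switch]$Apply)

# 1. Make Internet Explorer prompt before opening PDFs. The advisory's .REG file
#    sets EditFlags on the ProgID to the REG_BINARY value 00,00,00,00.
$progId = 'Registry::HKEY_CLASSES_ROOT\AcroExch.Document.7'   # ProgID from the advisory
if (Test-Path $progId) {
    $flags = (Get-ItemProperty -Path $progId -ErrorAction SilentlyContinue).EditFlags
    if ($null -eq $flags) { $shown = '<not set>' }
    elseif ($flags -is [byte[]]) { $shown = ($flags | ForEach-Object { $_.ToString('x2') }) -join ',' }
    else { $shown = '0x{0:x}' -f $flags }
    "EditFlags on AcroExch.Document.7: $shown"
    if ($Apply) {
        Set-ItemProperty -Path $progId -Name EditFlags -Value ([byte[]](0,0,0,0)) -Type Binary
        'EditFlags set to 00,00,00,00; Internet Explorer will now prompt before opening PDFs'
    }
} else {
    'AcroExch.Document.7 ProgID not present; Adobe Reader 9 may not be installed'
}

# 2. Rename Annots.api so the plug-in that implements getAnnots() never loads.
#    This does not cover customDictionaryOpen(). Renaming is reversible.
#    Assumption: ${env:ProgramFiles(x86)} is checked for 64-bit Windows hosts.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    $annots = Join-Path $root 'Adobe\Reader 9.0\Reader\plug_ins\Annots.api'   # path from the advisory
    if (-not (Test-Path $annots)) { continue }
    "Found $annots"
    if ($Apply) {
        Rename-Item -Path $annots -NewName 'Annots.api.disabled'
        'Renamed to Annots.api.disabled (rename back to restore annotation features)'
    }
}

# 3. Assumption (not in the advisory, which gives GUI steps): the "Enable Acrobat
#    JavaScript" check box is stored as the bEnableJS DWORD under JSPrefs for the
#    current user. 0 disables JavaScript.
$jsPrefs = 'HKCU:\Software\Adobe\Acrobat Reader\9.0\JSPrefs'
if ($Apply) {
    if (-not (Test-Path $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }
    Set-ItemProperty -Path $jsPrefs -Name bEnableJS -Value 0 -Type DWord
}
$js = $null
if (Test-Path $jsPrefs) { $js = (Get-ItemProperty -Path $jsPrefs -ErrorAction SilentlyContinue).bEnableJS }
if ($null -eq $js) { 'bEnableJS: <not set> (Reader default applies)' }
else { "bEnableJS: $js (0 = JavaScript disabled)" }
```

Run it once without -Apply to see what is currently configured, then with -Apply. Step 3 only affects the user running the script; repeat it per profile, or use the GUI steps in the advisory.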

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Systems Affected

Vendor   Status       Date Notified   Date Updated
Adobe    Vulnerable   2009-04-28      2009-05-13

References

http://www.adobe.com/support/security/bulletins/apsb09-06.html
http://www.adobe.com/support/security/advisories/apsa09-02.html
http://blogs.adobe.com/psirt/2009/04/potential_adobe_reader_issue.html
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://blogs.adobe.com/psirt/2009/05/adobe_reader_issue_update.html
http://www.adobe.com/devnet/acrobat/pdfs/js_api_reference.pdf
http://www.securityfocus.com/bid/34736/
http://www.securityfocus.com/bid/34740/

Credit
These vulnerabilities were publicly reported by Arr1val.

August 2, 2009

Vulnerability: Microsoft ActiveX


US-CERT: ActiveX controls built with Microsoft ATL fail to properly handle initialization data

Overview

ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description
Microsoft Active Template Library (ATL) is a set of C++ classes that are designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be designated as “safe for scripting,” which means that it can be used by an untrusted caller such as JavaScript in a web page, and/or it may be designated as “safe for initialization,” which means that it can accept untrusted initialization data. ActiveX controls that are developed using the Microsoft ATL technology may fail to properly handle initialization data. The specific vulnerabilities include the use of uninitialized objects, unsafe usage of OleLoadFromStream, and the failure to check for a terminating NULL character. This may result in memory corruption that can be leveraged to execute code, or it may bypass Internet Explorer kill bit restrictions on unsafe controls.
II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

III. Solution

Apply an update

This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This also includes techniques that can be used to bypass the kill bit in Internet Explorer.

Update and recompile ActiveX controls

Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the “Securing Your Web Browser” document.

June 23, 2009

Update for Microsoft Outlook Phishing Scams


A massive phishing scam similar to the recent bank fraud scams is being sent in emails that look like the following:

From: “Microsoft Customer Support”
Subject: Update for Microsoft Outlook

Critical Update

Update for Microsoft Outlook / Outlook Express (KB910721)

Brief Description

Microsoft has released an update for Microsoft Outlook / Outlook Express. This update is critical and provides you with the latest version of the Microsoft Outlook / Outlook Express and offers the highest levels of stability and security.

Instructions

* To install Update for Microsoft Outlook / Outlook Express (KB910721) please visit Microsoft Update Center:
http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=860973044736591820463007000000

Quick Details

* File Name: officexp-KB910721-FullFile-ENU.exe
* Version: 1.4
* Date Published: Tue, 23 Jun 2009 07:21:24 -0400
* Language: English
* File Size: 81 KB

System Requirements

* Supported Operating Systems: Windows 2000; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP; Windows Vista
* This update applies to the following product: Microsoft Outlook / Outlook Express
Contact Us
© 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement


The above URL is not the actual link. Hidden in the HTML code is the domain name that the link really takes you to. The message's HTML shows one URL as the link text while the href points at a different host:

Displayed link text: http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=86097304473659182046300700340000
Actual href target:  http://update.microsoft.com.ilfl1i1.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=860973044736591820463007003404087

If you get one of these emails, you should safely clear it from your computer and under no circumstances visit the website. In fact, if you are using a Microsoft-based computer and/or email program, you should not open the email.
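The trick in this message is that the visible link text is a microsoft.com URL while the real href lands on ilfl1i1.net, with "update.microsoft.com" used as a subdomain of that registered domain. The following is an added example, not part of the original post: a PowerShell check that extracts every anchor from an HTML body, and flags any whose displayed URL and actual href resolve to different registrable domains. The sample HTML is constructed here from the two URLs above plus one benign anchor for contrast; the function names are the author's.

```powershell
# Added example, not from the original post: flag anchors whose visible text is a
# URL on one domain while the real href points at another. Sample HTML constructed
# from the URLs quoted in the post, plus one benign anchor for comparison.
$sampleHtml = @'
<p>To install the update please visit
<a href="http://update.microsoft.com.ilfl1i1.net/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=860973044736591820463007003404087">http://update.microsoft.com/microsoftofficeupdate/isapdl/default.aspx?ln=en-us&id=86097304473659182046300700340000</a></p>
<p>Security guidance: <a href="http://www.microsoft.com/security">http://www.microsoft.com/security</a></p>
'@

function Get-RegistrableDomain([string]$HostName) {
    # Crude approximation: the last two DNS labels. Enough to expose
    # "microsoft.com" being used as a subdomain of somebody else's domain.
    $labels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-LinkMismatch([string]$Html) {
    # Capture href (group 1) and the anchor's inner content (group 2)
    $pattern = '<a\s[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $pattern, 'IgnoreCase,Singleline')) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()   # strip inner tags
        $hrefUri = $null; $textUri = $null
        if (-not [Uri]::TryCreate($href, [UriKind]::Absolute, [ref]$hrefUri)) { continue }
        # Only compare when the visible text itself looks like an absolute URL;
        # plain-word link text ("click here") cannot be checked this way.
        if (-not [Uri]::TryCreate($text, [UriKind]::Absolute, [ref]$textUri)) { continue }
        [pscustomobject]@{
            DisplayedHost = $textUri.Host
            ActualHost    = $hrefUri.Host
            Suspicious    = ((Get-RegistrableDomain $hrefUri.Host) -ne (Get-RegistrableDomain $textUri.Host))
        }
    }
}

# The first anchor reports Suspicious = True (microsoft.com vs ilfl1i1.net),
# the second reports False.
Test-LinkMismatch $sampleHtml | Format-Table -AutoSize
```

Feed the function the raw HTML of a saved message (for example the output of Get-Content -Raw on an .htm export) to apply the same check to real mail. The registrable-domain comparison is deliberately simple; country-code second-level domains such as co.uk would need a public-suffix list for accurate results.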

June 14, 2009

Microsoft Security Bulletin


Microsoft has released an update to address vulnerabilities in Microsoft Windows, Office, and Internet Explorer as part of the Microsoft Security Bulletin Summary for June 2009. These vulnerabilities may allow an attacker to execute arbitrary code, operate with elevated privileges, or obtain sensitive information.

Apple Safari Vulnerabilities


Apple has released Safari 4.0 for Windows and Mac OS X to address multiple vulnerabilities in CFNetwork, CoreGraphics, ImageIO, International Components for Unicode, libxml, Safari, Safari Windows Installer, and WebKit. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, bypass security restrictions, or conduct cross-site scripting attacks.

January 26, 2009

Apple QuickTime Updates for Multiple Vulnerabilities


National Cyber Alert System
Technical Cyber Security Alert TA09-022A
Apple QuickTime Updates for Multiple Vulnerabilities
Original release date: January 22, 2009
Source: US-CERT

Systems Affected
Apple QuickTime 7.5 for Windows and Mac OS X

Overview
Apple has released QuickTime 7.6 to correct multiple vulnerabilities affecting QuickTime for Mac OS X and Windows. Attackers may be able to exploit these vulnerabilities to execute arbitrary code or cause a denial of service.

I. Description
Apple QuickTime 7.6 addresses a number of vulnerabilities affecting QuickTime. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted media or movie file. This file could be hosted on a web page or sent via email.

II. Impact
The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution and denial of service.

III. Solution
Upgrade to QuickTime 7.6. This and other updates are available via Software Update or via Apple Downloads.

Microsoft Windows Does Not Disable AutoRun Properly


National Cyber Alert System
Technical Cyber Security Alert TA09-020A
Microsoft Windows Does Not Disable AutoRun Properly
Source: US-CERT

Systems Affected
Microsoft Windows

Overview
Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft’s guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.

I. Description
Microsoft Windows includes an AutoRun feature, which can automatically run code when removable devices are connected to the computer. AutoRun (and the closely related AutoPlay) can unexpectedly cause arbitrary code execution in the following situations:
A removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or FireWire device, or mapping a network drive. This connection can result in code execution without any additional user interaction.

A user clicks the drive icon for a removable device in Windows Explorer. Rather than exploring the drive’s contents, this action can cause code execution.

The user selects an option from the AutoPlay dialog that is displayed when a removable device is connected.

Malicious software, such as W32.Downadup, is using AutoRun to spread. Disabling AutoRun, as specified in the CERT/CC Vulnerability Analysis blog, is an effective way of helping to prevent the spread of malicious code.

The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.

II. Impact
By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.

III. Solution
Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the following registry value:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

To import this value, perform the following steps:

Copy the text
Paste the text into Windows Notepad
Save the file as autorun.reg
Navigate to the file location
Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround.

Update:

Microsoft has provided support document KB953252, which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun as well as the workaround described above.
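The alert's workaround (the IniFileMapping redirect), its MountPoints2 note and the post-KB953252 NoDriveTypeAutoRun setting can be applied and verified together from PowerShell rather than by importing a .reg file. The script below is an added example, not part of TA09-020A or of Microsoft's guidance. The IniFileMapping key, the @SYS:DoesNotExist value and the MountPoints2 key are taken from the alert; the Policies\Explorer location of NoDriveTypeAutoRun is its usual home but is an assumption since the alert does not name it. Without -Apply the script only reports.

```powershell
# Added example (not from TA09-020A): apply and verify the alert's AutoRun
# mitigations from an elevated PowerShell session. Reports only unless -Apply.
param(
    [switch]$Apply,
    [switch]$ClearMountPoints   # delete cached AutoRun data instead of rebooting
)

# 1. The workaround: map Autorun.inf contents to a registry location that does
#    not exist, so Windows never parses an Autorun.inf from any device.
$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$want   = '@SYS:DoesNotExist'   # value from the alert
if ($Apply) {
    if (-not (Test-Path $mapKey)) { New-Item -Path $mapKey -Force | Out-Null }
    # '(default)' is how PowerShell names the key's default value (the '@' in a .reg file)
    Set-ItemProperty -Path $mapKey -Name '(default)' -Value $want
}
$have = $null
if (Test-Path $mapKey) { $have = (Get-ItemProperty -Path $mapKey).'(default)' }
if ($have -eq $want) { "IniFileMapping\Autorun.inf default value: '$have' (mitigated)" }
else                 { "IniFileMapping\Autorun.inf default value: '$have' (NOT mitigated)" }

# 2. NoDriveTypeAutoRun = 0xFF. Per the alert this is honoured only after
#    KB953252 (MS08-038 on Vista/Server 2008) is installed, so treat it as a
#    complement to step 1, not a replacement.
#    Assumption: the Policies\Explorer key is the location used here.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if ($Apply) {
    if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
    Set-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}
$ndt = $null
if (Test-Path $polKey) { $ndt = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun }
if ($null -eq $ndt) { 'NoDriveTypeAutoRun: <not set>' }
else { 'NoDriveTypeAutoRun: 0x{0:X2}' -f $ndt }

# 3. AutoRun data for devices already seen is cached under MountPoints2 for the
#    current user. The alert recommends a reboot; deleting the key is the
#    alternative it offers.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    $cached = @(Get-ChildItem -Path $mp).Count
    "MountPoints2: $cached cached device entries"
    if ($Apply -and $ClearMountPoints) {
        Remove-Item -Path $mp -Recurse -Force
        'MountPoints2 deleted; Windows rebuilds it as devices are reconnected'
    } elseif ($Apply) {
        'Reboot so cached mount points are reinitialised without Autorun.inf'
    }
}
```

Step 1 is the one that blocks all three execution scenarios in the alert on its own; steps 2 and 3 are reported so an administrator can see whether the policy value is set and how much cached AutoRun state the current profile still carries. MountPoints2 is per-user, so step 3 covers only the profile running the script.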

Oracle National Cyber Alert System


Oracle Updates for Multiple Vulnerabilities
Original release date: January 15, 2009
Source: US-CERT

Overview
Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description
The Oracle Critical Patch Update – January 2009 addresses 41 vulnerabilities in different Oracle products and components. The document provides information about affected components, access and authorization required, and the impact from the vulnerabilities on data confidentiality, integrity, and availability.

Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact
The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update – January 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.
