Critical security flaw discovered in Windows and other Microsoft programs
August 19, 2010
Another critical security flaw has been discovered in Microsoft's Windows operating system and about forty other Microsoft programs. Security experts have found that malicious code can be injected easily and remotely, leaving the OS highly exposed to remote code execution attacks that are trivial to carry out.
H.D. Moore, security expert and chief architect of the Metasploit Project, says: "The security hole involves the method in which Windows loads so-called 'safe' file types from remote network locations, and is almost identical to one that Apple removed in its iTunes system last week."
Moore added that the hole is "trivial" to exploit remotely, but said he wasn't authorized to provide additional details about techniques or the other vulnerable Microsoft applications.
According to a more detailed advisory on the iTunes fix, the "binary planting" vulnerability allowed attackers to execute malicious code on Windows computers by getting the media player to open a file located on the same network share as a maliciously designed DLL file that would be residing directly on the affected machine.
The security bulletin, written by ACROS Security, states: "All a remote attacker has to do is plant a malicious DLL with a specific name on a network share and get the user to open a media file from this network location in iTunes, which should require minimal reconfiguration in most cases."
“Since Windows systems by default have the Web Client service running – which makes remote network shares accessible via Web-DAV – the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet,” the advisory suggests.
In a prepared statement, Microsoft said it is currently investigating the report.
Moore added that Internet users can protect themselves against such attacks by blocking outbound SMB connections (TCP ports 445 and 139) and outbound WebDAV traffic.
That will stop attacks that originate over the Internet right in their tracks, but users may still be susceptible to LAN-based attacks where an attacker has planted malicious DLLs on a network share.
That mitigation is similar to the workaround advice Microsoft gave for the Windows shortcut flaw it patched earlier, on Aug. 10.
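The advisory text above describes the pattern a defender wants to catch: an application resolving a DLL from a network share (SMB or, via the WebClient service, WebDAV) rather than from its own install directory or the system directory, which the firewall workaround only blocks for Internet-based shares and not for LAN-based ones. The following detection example is added here and is not from the article, ACROS, Moore or Microsoft; it assumes a simplified "Key: Value|Key: Value" log line format loosely modelled on image-load telemetry, a constructed set of system DLL names, and C:\Windows as the system root.

```python
"""Flag DLL loads that match the binary-planting pattern (added example)."""
from pathlib import PureWindowsPath

# Assumed system root; in production derive this from %SystemRoot% on the host.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample of DLL names an application expects to come from the
# system directory; a real deployment would inventory System32 instead.
SYSTEM_DLL_NAMES = {"kernel32.dll", "advapi32.dll", "ws2_32.dll", "user32.dll"}

# Constructed sample records (not real telemetry): process image and the
# image it loaded, in a simplified "Key: Value|Key: Value" form.
SAMPLE_EVENTS = [
    "Image: C:\\Program Files\\iTunes\\iTunes.exe|ImageLoaded: C:\\Windows\\System32\\kernel32.dll",
    "Image: C:\\Program Files\\iTunes\\iTunes.exe|ImageLoaded: \\\\fileserver\\media\\helper.dll",
    "Image: C:\\Program Files\\Windows Media Player\\wmplayer.exe|ImageLoaded: \\\\203.0.113.10@80\\DavWWWRoot\\movies\\helper.dll",
    "Image: C:\\Windows\\notepad.exe|ImageLoaded: C:\\Users\\alice\\Downloads\\ws2_32.dll",
    "Image: C:\\Windows\\explorer.exe|ImageLoaded: C:\\Windows\\SysWOW64\\advapi32.dll",
]


def parse_event(line):
    """Split 'Key: Value|Key: Value' into a dict; raise on a malformed field."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(": ")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    return fields


def load_origin(path_str):
    """Classify where a loaded image lives: 'webdav', 'smb' or 'local'."""
    p = PureWindowsPath(path_str)
    if not p.drive.startswith("\\\\"):
        return "local"
    # For UNC paths, drive is '\\server\share'; the WebClient redirector
    # names WebDAV hosts as 'host@port' (e.g. \\host@80\DavWWWRoot\...).
    host = p.drive.lstrip("\\").split("\\", 1)[0]
    return "webdav" if "@" in host else "smb"


def classify_load(event):
    """Return a finding dict for a suspicious DLL load, or None."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return None
    origin = load_origin(event["ImageLoaded"])
    finding = {"process": event["Image"], "dll": str(loaded), "origin": origin}
    if origin != "local":
        # Any DLL pulled from a remote share is the binary-planting shape itself.
        finding.update(severity="high", reason="DLL loaded from a remote share")
        return finding
    if (loaded.name.lower() in SYSTEM_DLL_NAMES
            and str(loaded.parent).lower() not in SYSTEM_DIRS):
        # A system DLL name resolved from a user-writable directory is the
        # local search-order variant of the same problem.
        finding.update(severity="medium",
                       reason="system DLL name resolved outside the system directory")
        return finding
    return None


def scan(lines):
    """Run classify_load over log lines and collect the findings in order."""
    findings = []
    for line in lines:
        finding = classify_load(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['process']} loaded {f['dll']} ({f['reason']})")
```

Applications that are legitimately installed on a network share will trip the "high" rule on every start, so in practice the share rule is paired with an allowlist of known install locations; the "medium" rule is the one to watch for the case the article describes, where a document or media file opened from a share causes a system DLL name to resolve from the share or from a download directory.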
Last month, Siemens said it was making available a program for detecting and removing malware and viruses attacking its complex power-grid management software.
Siemens' software also controls critical oil and gas refineries and manufacturing plants. The German engineering firm warns that customers running the infected software could suffer the devastating effect of disruption to whole power grids in the U.S., Canada, South America, Europe and Asia.
Siemens began distributing SysClean, a malware and virus scanner made by Trend Micro. It has been updated to remove StuxNet, a worm that spreads by exploiting two separate security flaws in Siemens's SCADA (supervisory control and data acquisition) software and every supported version of Microsoft Windows.
“As each plant is individually configured in a very unique method, we cannot rule out the possibility that removing the malware may affect your plant in any way,” the Siemens advisory said.
The company also advised customers to keep the scanner updated at all times because “there are already some new derivative versions of the original virus around, and we are trying our best to mitigate these and other security issues.”
Recently, Siemens has come under blistering criticism for not removing the security vulnerability two years ago, when, according to Wired.com, the default password threat first came to light.
So far, StuxNet has infected the engineering environment of at least one unidentified Siemens customer, and has since been eliminated, Siemens said.
The company added that there are no known infections of production plants to this day, but warns that there's always the possibility that some could be discovered in the near future.
The worm spreads whenever a system running Siemens's SCADA software is attached to an infected USB stick. The attacks use a recently documented vulnerability in the Windows shortcut feature to take control of customers' personal computers in the workplace. Once there, the worm takes advantage of default passwords in WinCC, the security-prone, problematic SCADA software provided by Siemens.
Late yesterday, Siemens said it has updated WinCC to fix the security vulnerability. For its part, Microsoft has issued a stop-gap fix but hasn't said yet if and when it plans to patch the Windows security flaw.
Chris Wysopal, CTO of application security tools firm Veracode, says: “Siemens has put their own customers at risk with this egregious vulnerability in their software. Worse are all the many customers from around the world who purchased the software not knowing of any of its many security risks.”
Source: Acros Security Inc.