Today's Diary
Published: 2009-07-13,
0 comment(s)
Last Updated: 2009-07-15 02:21:05 UTC by Adrien de Beaupre (Version: 10)

Update1: The vulnerability is being actively exploited on web sites. More to follow.

Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability; it is available here. This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability, although we at the SANS Internet Storm Center haven't seen it used or mentioned in public as of yet (this has changed, we are seeing active exploit pages). This may indicate it has been used in targeted rather than broad-based attacks. At the moment there is no patch; there is a workaround, and it can be automated for enterprise deployment. The specific CLSIDs to set the killbit for are: {0002E541-0000-0000-C000-000000000046}

Start working on this ASAP. The impact is remote code execution with the privileges of the logged-in user running Internet Explorer, and might not require user intervention. As in browse to a nasty web site and be pwn3d.

Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx
KB article: http://support.microsoft.com/kb/973472
MSRC blog: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

There is a long list of affected products:
For information on how to prevent ActiveX controls from running, check out this Microsoft KB article on modifying the registry. This article describes how to deploy using Active Directory. If you have administrative privileges on a single system and are running Internet Explorer, you can click on this 'fixit' link to set the killbit and mitigate the vulnerability, on a home computer for example.

Update1: The vulnerability is being actively exploited on web sites. More to follow.

Update2: One other obvious mitigation step is to use an alternate web browser (other than IE) that does not make use of ActiveX.

Update3: We have raised the Infocon to yellow for 24 hours due to the active exploitation of this vulnerability.

Update4: We will be updating our existing diary post of domains to block with domains that are hosting this exploit as well. You can see that diary entry at the following URL: http://isc.sans.org/diary.html?storyid=6739 (newly added domains are in yellow) - AndreL

Update5: Attack vectors used to exploit this vulnerability.
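A scripted form of the registry workaround described above, added here as an example; it is not the diary's ADM file, Microsoft's Fix it, or code from the KB article. It assumes the standard IE kill-bit location (a "Compatibility Flags" DWORD under the ActiveX Compatibility key, with bit 0x400 meaning "do not instantiate"), and it covers only the two CLSIDs that appear on this page, one in the workaround text and one in the snort signature; take the complete CLSID list from the advisory itself. Run it from an elevated 64-bit PowerShell host so both registry views are written.

```powershell
# Added example (not from the ISC diary or from Microsoft): set and verify the
# IE kill bit for the Office Web Components CLSIDs named on this page.
# Assumption: the CLSID list below is incomplete; the advisory is authoritative.

$ClassIds = @(
    '{0002E541-0000-0000-C000-000000000046}',   # named in the workaround text
    '{0002E559-0000-0000-C000-000000000046}'    # named in the snort signature
)

# The kill bit lives under "ActiveX Compatibility". On 64-bit Windows the
# 32-bit IE reads the Wow6432Node view, so both views are covered.
$KillBitRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $KillBitRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

# 0x400 is the kill bit: IE refuses to instantiate the control.
$KillBitFlag = 0x400

function Set-KillBit {
    param([string]$Root, [string]$ClassId)
    $key = Join-Path $Root $ClassId
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    # OR the bit in so that any other compatibility flags already set survive.
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBitFlag) -Force | Out-Null
}

function Test-KillBit {
    param([string]$Root, [string]$ClassId)
    $key = Join-Path $Root $ClassId
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

# Apply and then read back, so the output doubles as an audit record.
foreach ($root in $KillBitRoots) {
    foreach ($clsid in $ClassIds) {
        Set-KillBit -Root $root -ClassId $clsid
        $state = if (Test-KillBit -Root $root -ClassId $clsid) { 'kill bit set' } else { 'kill bit NOT set' }
        '{0}\{1} -> {2}' -f $root, $clsid, $state
    }
}
```

The read-back step matters in a GPO rollout too: a kill bit that is set in only one registry view leaves 32-bit IE on 64-bit Windows exposed, which is the same 32/64-bit distinction the ADM files in Update10 make. Test-KillBit alone can be run on a sample of workstations to confirm the policy actually landed.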
Update6: This blog has additional information, with examples of code that may have been used in this attack: hxxp://safelab.spaces.live.com/blog/cns!A6B213403DBD59AF!1463.entry (obscured on purpose; some AV products will trigger on accessing the page). Another example is here: hxxp://xeye.us/blog/2009/07/ One part of a signature looking for the exploit would be ActiveXObject("OWC10.Spreadsheet"), which could also be used by legitimate web applications trying to open a spreadsheet.

Update7: attempt at snort sigs (until something better comes along):

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MS 0day Excel ActiveX1 CVE-2009-1136 ref isc.sans.org/diary.html?storyid=6778"; flow:from_server,established; content:"0002E559-0000-0000-C000-000000000046"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E559-0000-0000-C000-000000000046/si"; classtype:attempted-user; sid:1000099; rev:1;)

Update8: Metasploit have released a module exploiting the vulnerability.

Update9: Matt Hrynkow and John Silvestri have submitted .ADM files for use in Active Directory GPO templates for setting the ActiveX killbits for last week's and this week's vulnerabilities. Here is the one for the MS Office Web Object 973472 CVE-2009-1136.
--Start here--
CLASS MACHINE

Update10: This MSDN blog has 32 and 64 bit versions of the Active Directory GPO ADM files and .reg files that should mitigate this vulnerability: http://blogs.msdn.com/askie/archive/2009/07/14/group-policy-adm-template-to-implement-the-workaround-from-security-advisory-973472.aspx The one posted above in Update9 apparently only works on 32 bit, and is missing the backslashes. Thanks Jim and Brian for letting us know.

Thanks to all who have contributed to this diary!

Cheers,
Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.
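The two markers discussed in Update6 and Update7 (the OBJECT classid pattern from the snort rule, and the scripted ActiveXObject("OWC10.Spreadsheet") instantiation) applied to HTML bodies for triage, added here as an example that is not part of the diary or of the snort rule itself. It assumes you have page bodies to hand (from a proxy log, a web cache or a captured response) and that the snort pcre originally carried the backslashes the page lost; the sample documents are constructed, not real pages.

```powershell
# Added example (not from the ISC diary): run the page's two markers over HTML
# bodies to triage whether a page tries to instantiate the OWC spreadsheet control.

# Same expression as the snort pcre in Update7, with the backslashes restored.
# (?si): case-insensitive, and "." also matches newlines, like the rule's /si.
$ClassIdPattern = '(?si)<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0002E559-0000-0000-C000-000000000046'

# The scripted path named in Update6. Legitimate intranet applications use it
# too, so on its own it is a triage signal, not proof of an exploit page.
$ProgIdPattern = '(?i)ActiveXObject\s*\(\s*[\x22\x27]OWC10\.Spreadsheet[\x22\x27]\s*\)'

function Test-OwcMarkers {
    param([string]$Html)
    [pscustomobject]@{
        ClassIdMatch = [bool]($Html -match $ClassIdPattern)
        ProgIdMatch  = [bool]($Html -match $ProgIdPattern)
    }
}

# Constructed samples (assumed inputs, not captured exploit pages). The second
# one spreads the OBJECT tag over lines and mixes case to show why the
# signature tolerates whitespace, quoting and the optional "{".
$Samples = [ordered]@{
    'object-tag'    = '<html><body><OBJECT classid="clsid:0002E559-0000-0000-C000-000000000046" id="s"></OBJECT></body></html>'
    'object-split'  = "<object`n  CLASSID = 'CLSID:{0002E559-0000-0000-C000-000000000046}'></object>"
    'script-progid' = '<script>var o = new ActiveXObject("OWC10.Spreadsheet");</script>'
    'benign'        = '<html><body><p>Quarterly report</p><img src="chart.png"></body></html>'
}

foreach ($name in $Samples.Keys) {
    $r = Test-OwcMarkers -Html $Samples[$name]
    '{0,-14} classid={1,-5} progid={2}' -f $name, $r.ClassIdMatch, $r.ProgIdMatch
}
# Expected: object-tag and object-split flag classid, script-progid flags
# progid, benign flags neither.
```

Because the classid marker keys on one CLSID while the workaround text names another, a review of the matches should be read together with the kill-bit state on the endpoint: a page that instantiates the control on a host where the bit is set is a blocked attempt, not a compromise.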
Published: 2009-07-14,
0 comment(s)
Last Updated: 2009-07-14 22:18:01 UTC by Swa Frantzen (Version: 1) Oracle's quarterly patch release day was today as well. Oracle keeps details restricted to customers with an account so we only have access to the overview they publish themselves: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html Best approach in my experience is to walk through the list with those managing the products such as DBAs and get an action plan in place. --
Published: 2009-07-14,
0 comment(s)
Last Updated: 2009-07-14 21:04:24 UTC by Swa Frantzen (Version: 1) The Internet Systems Consortium released patches to their dhcp implementation. The patches fix a stack overflow in dhclient (the dhcp client) CVE-2009-0692. Expect a large number of unix and linux distributions as well as third party solutions using dhcp to need an update in the coming days. US-CERT tracks vendors in their VU #410676. --
Published: 2009-07-14,
5 comment(s)
Last Updated: 2009-07-14 20:14:14 UTC by Swa Frantzen (Version: 3)

Updated story, thanks to for helping figure it out!

The mozilla security blog confirms an exploit against an unpatched vulnerability in Firefox 3.5 exists and has been made public. Do note that Heise tried to confirm the vulnerability and only managed a crash on Vista, and can't seem to make it work on Windows 7 RC1.

The mozilla blog above has a workaround by temporarily disabling the
Alternatively one could install and use NoScript to disable all javascript by default.
--
Keywords: Firefox
Published: 2009-07-14,
3 comment(s)
Last Updated: 2009-07-14 17:34:08 UTC by Swa Frantzen (Version: 1) Overview of the July 2009 Microsoft patches and their status.
We will update issues on this page for about a week or so as they evolve.
We appreciate updates. US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
(**): Assuming a worst case scenario
(***): If you use virtual server to create a shared environment and have users accessing virtual machines while not allowing them to manage the system, make that critical.
--
Published: 2009-07-14,
1 comment(s)
Last Updated: 2009-07-14 16:54:17 UTC by Adrien de Beaupre (Version: 1) After the rush of the new vulnerability being published, exploits in the wild, and malware being distributed, it is time to return the Infocon to normal status. Hopefully it has served its purpose of raising awareness of "Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution", CVE-2009-1136 and Microsoft advisory 973472. Cheers,
Published: 2009-07-13,
0 comment(s)
Last Updated: 2009-07-14 16:50:13 UTC by Adrien de Beaupre (Version: 1) The SANS Internet Storm Center has raised the Infocon to yellow for 24 hours to raise awareness of active exploitation of the Office Web Components ActiveX vulnerability in this diary: http://isc.sans.org/diary.html?storyid=6778 As more information is made available the diary will be updated. After 24 hours the Infocon will return to green. Update1: The Infocon is returning to green. Cheers, Teaching SANS Cutting-Edge Hacking Techniques in Ottawa this September.
Published: 2009-07-14,
7 comment(s)
Last Updated: 2009-07-14 14:30:49 UTC by Swa Frantzen (Version: 1) With the most recent ActiveX vulnerability (CVE-2009-1136) still very fresh and the attacks still evolving out there, reactive protection mechanisms need to update for such exploits rapidly, and as the exploit is quite easy to modify and obfuscate they have their work cut out for them. Still, some out there might get lulled into feeling safe and above all of this, e.g.:
So what would I do in a corporate setting?
--