Archive for February 2006
Private exploit available for Symantec RAR vulnerability
Dave Aitel over at ImmunitySec has released exploit code for the Symantec RAR vulnerability that was announced in December. The code has been released only to ImmunitySec customers. This is a sign that it is possible to develop a working exploit for this vulnerability. Not only that, if history is any indication, the super-duper bad guys probably already have one and have been using it quietly in targeted attacks.
[update] – I see this is old news; this actually occurred on 2/6/2006, but the Symantec DeepSight Alert Service only told me about it now.
Some interesting trackback spam
I was reviewing my trackback spam. Yes, I review what the system calls spam just to make sure no legitimate content gets sidetracked. Some of the spam had links to a Radford professor’s website. If you follow the link to the university site and have JavaScript enabled, you’ll find yourself immediately redirected to a porn site (not hosted on the Radford server).
If the spammer had half a brain, he would have social engineered people much better than that. First, make it look like a real post: a comment or trackback with tons of links is not going to get through. Second, instead of obvious spam content, the trackback could be a bit more relevant to what is posted. Since the spammer is 0wning a legit domain like Radford.edu, use that value. People will trust it more than a link to sexsexsex.more
Windows Defender Beta 2
Paul Thurrott reviews Windows Defender (formerly Microsoft AntiSpyware, formerly Giant AntiSpyware), and it’s well worth the read.
Thurrott reports that the reason for the long delay is that Microsoft needed to rebuild it from the ground up to prepare for a 64-bit future and to allow for regional language versions, among other reasons.
I haven’t tried it out for myself yet; my computers are busy troubleshooting a work problem. But there is some cool stuff here, such as the fact that it updates through the Automatic Updates service.
One thing I am wondering is whether it will download automatically through the update mechanism of beta 1. All I have heard is that I can install beta 2 over beta 1.
Microsoft Antispyware false positive pooches SAV
Looks like I should blog this since Chris Mosby is linking over here (thanks for the linkage, Chris). I posted about it on the myitforum.com antivirus discussion list rather than posting here so I could see what others were seeing.
A blog entry by tech reporter Brian Krebs notes that Microsoft AntiSpyware (MSAS) has tagged Symantec AntiVirus as a keystroke logger. If you then follow the MSAS removal prompt, you’ll remove enough of your SAV client that it won’t work anymore.
The source of these reports is the Microsoft AntiSpyware newsgroups; I haven’t seen anything on the Symantec or Microsoft websites about this. Apparently the problem was with the 2/10 definitions. Newer definitions are available.
One interesting thing from the comments in the MS newsgroup: they have had problems in the beta with deploying Microsoft AntiSpyware updates. Caching servers are really causing a problem.
If this has happened to you, your best bet is probably an uninstall and reinstall. I don’t know if restoring from Quarantine will work in this case. Time to go check on the status of systems in my enterprise to see if any have had this problem.
[UPDATE]:
Techworld reports that this affects pretty much all SCS and SAV Corporate Edition installs. That makes sense, since it is detecting something in the LANDesk registry key that SAV stores all its stuff in.
NTBugtraq
I thought I just got unsubscribed from NTBugtraq for using the Out of Office Assistant in Outlook. Instead it looks like they haven’t sent anything out since September. I just got an email from NTBugtraq using listserv’s list renewal feature, probing whether I wish to remain subscribed. Not sure if I really care to continue the subscription. It was once at the forefront of NT security. But now, with Microsoft announcing their own patches in a timely manner, and with things like SANS, Secunia and FSIRT, it just doesn’t seem needed. Besides, with the blog echo chamber, I’m sure if it’s important someone will copy and paste it into their own blog and I’ll see it there.
Now if NTBugtraq had an RSS feed I might consider subscribing to that.
Last Minute Work
I’ve got a project due today in my computer forensics course. Right now, I’m frantically trying to learn everything I can about FAT and how to recover files when the file allocation table has been erased. It looks like it’s been done in such a way that I need to recreate the FAT table by hand. I haven’t found any utilities that can recover these files for me.
12 hours to go. Full panic mode now.
Gmail a replacement for exchange? I think not
A blog called Googling Google over at ZDnet writes about a possible new Gmail feature where you could point your domain to Google and use them as your mail server. He goes on to say
Companies can use it as a replacement to Microsoft Exchange as it has the potential to have shared contact lists, shared calendars, instant communication (the new talk feature), etc. Imagine also the possibility of Google allowing companies to skin their own GMail service: colors, layout, and even the logo could be customizable. Of course, even if Google allow this, ads will likely be delivered regardless.
Let’s not get carried away! Companies aren’t really going to be doing away with Exchange and migrating to Google Mail. This is not the Exchange killer the anti-Microsoft forces have sought. This might be a fit for very small companies who currently use the mail services provided by their ISP or webhost. Even then, you’d have to wonder about the wisdom of using a BETA service as your corporate email solution. I would also worry about Google’s propensity for serving ads based on the text in the message.
Boardfish
Shameless self-promotion really irks me. For months now Duncan McAlynn has been getting the tech press to promote his forum at Boardfish.com. This trend continues in the Feb 2006 Information Security Magazine. Symantec pulled the plug on their bulletin board in December, and Boardfish apparently put out press releases about how it was the community replacement for Symantec’s board. The two boards have something in common: no useful content. Symantec’s board was an OK resource for people without support. It was an exercise in waiting weeks hoping the single Symantec employee on the board would respond. Rarely would anyone else bother to help out. On Boardfish, on the other hand, people are more likely to be willing to help, but there just isn’t that much traffic.
Boardfish promoted itself as the place for online Symantec antivirus discussion when it had only created a Symantec forum moments earlier. It just irks me.
Adobe Reader 7.0.7
You may have noticed if you have autoupdates turned on…Adobe Reader/Acrobat 7.0.7 is out.
Adobe lists some unnamed security fixes, and some new features. The patching merry-go-round never ends.
SUN JAVA Patches
Just about the time we finish the last round of Java patches, a new version is available from Sun. It seems that Security Vulnerabilities in the Java Runtime Environment may Allow an Untrusted Applet to Elevate its Privileges.
Sun recommends removing vulnerable versions. What this means is that you should look at your Java versions in Add/Remove Programs. Then take a look in Control Panel at the Java applet there (on the Java tab, select View). You can also run java -fullversion at the command prompt, although for me that only reported the latest version.
There are three flavors:
JDK and JRE 5.0
SDK and JRE 1.4.2
SDK and JRE 1.3.1
What I would do is update each version to its latest release and make sure that no earlier build of that version still exists on your computer.
If you have Java Runtime Environment 5.0 Update 4, update that to Update 6 or whatever the latest version is, from here: http://java.sun.com/j2se/1.5.0/download.jsp
Same with 1.4.2, get that here: http://java.sun.com/j2se/1.4.2/download.html
The latest 1.3.x is here: http://java.sun.com/j2se/1.3/download.html
Make sure you uninstall the earlier versions; installing a new version will leave you with both installed. Also, you want the Java Runtime Environment, not the SDK (Software Development Kit). The website is sort of confusing.
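To make the "no earlier build of that version still exists" check repeatable across a fleet, here is an added example (my own script, not from Sun or from this post) that takes the version strings you would collect from the JavaSoft registry subkeys, Add/Remove Programs or java -fullversion output, groups them into the 1.3.1 / 1.4.2 / 1.5.0 families Sun ships separately, and reports which older updates are left to uninstall. The installed list below is constructed sample data.

```python
import re

# Matches Sun-era Java version strings such as "1.5.0_06" or "1.4.2_10",
# with the optional "-bNN" build suffix that `java -fullversion` prints.
_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-b\d+)?')


def parse_java_version(text):
    """Return (family, update) for a version string or a `java -fullversion` line.

    family is the branch Sun ships as a separate download (e.g. "1.5.0");
    update is the numeric update level, 0 when absent. Returns None when
    no version string is present in the text.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return ("%s.%s.%s" % (major, minor, micro), int(update or 0))


def stale_java_installs(installed):
    """Group installed JRE builds by family and report the older ones.

    Returns {family: (newest_entry, [stale entries...])}; the stale entries
    are the earlier builds that should be uninstalled after patching.
    """
    by_family = {}
    for entry in installed:
        parsed = parse_java_version(entry)
        if parsed is None:
            continue
        family, update = parsed
        # First-seen name wins, so the same build reported twice (registry
        # key plus `java -fullversion`) is not listed as stale against itself.
        by_family.setdefault(family, {}).setdefault(update, entry)
    report = {}
    for family, builds in by_family.items():
        newest = max(builds)
        stale = [builds[u] for u in sorted(builds) if u != newest]
        report[family] = (builds[newest], stale)
    return report


# Constructed sample: a machine that was patched but never cleaned up.
SAMPLE_INSTALLED = [
    "1.5.0_04", "1.5.0_06",
    "1.4.2_08", "1.4.2_10",
    "1.3.1_16",
    'java full version "1.5.0_06-b05"',  # `java -fullversion` output
]

if __name__ == "__main__":
    for family, (keep, stale) in sorted(stale_java_installs(SAMPLE_INSTALLED).items()):
        print(family, "keep", keep, "uninstall", stale)
```

On Windows, the same function can be fed the subkey names under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment, which is where the Sun installer records each installed JRE.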

