Archive for December 2006
Bloodhound.Exploit.106 False Positive
On the heels of resolving the Bloodhound.Exploit.104 virus alert last night, I was greeted with a Bloodhound.Exploit.106 alert this morning. When our file server was indexed by SharePoint, the antivirus on the file server quarantined a Word document. I believe this detection is a false positive.
Bloodhound.Exploit.106 is a heuristic detection for an unspecified vulnerability in Microsoft Word (as described in Microsoft Security Advisory 929433).
The URL I have used in the past to submit files no longer seems to be available, so I enabled the quarantine option to submit the file to Symantec. It was the first time I’ve used that method of submission. They say the reply time for reporting this false positive is two days. I hope it doesn’t take that long.
Bloodhound.Exploit.104
This evening I received several virus alerts from a computer indicating a Bloodhound.Exploit.104 infection in a file in the temporary internet files folder. The filename ended in “videojs.js”.
Bloodhound is Symantec Antivirus’s attempt at a heuristic detection. The writeup at the Symantec website indicates that Bloodhound.Exploit.104 is a heuristic detection for Microsoft Internet Explorer DHTML Node Normalize Vulnerability (as described in Microsoft Security Bulletin MS06-072).
A quick Google search revealed that videojs.js is a JavaScript file used on the website video.google.com. After a visit to that website, I too had Symantec detecting Bloodhound.Exploit.104 (and the video would not load). I am using the 12/12 rev 19 virus definitions.
I looked at www.symantec.com/avcenter and found that a newer virus definition was available. I used LiveUpdate to update to 12/12 rev 51. This seems to have solved the problem.
Offline patching
You don’t always have the ability to download patches; perhaps the system only has dialup access to the internet.
There are a couple of ways to deal with this.
http://www.heise-security.co.uk/articles/80682
http://www.autopatcher.com/
I’d be a bit concerned about whether this method is all right with Microsoft and whether anyone is sneaking something into the offline patch collection. AutoPatcher has been around for a while, so I’d trust it more. The Heise Security Offline Update is new to me.
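The worry about something being slipped into an offline patch collection is checkable before anything is installed: every genuine Microsoft patch binary carries an Authenticode signature. The script below is an added example, not code from this post, from Heise or from AutoPatcher; it walks a patch folder and reports any installer whose signature is missing, broken, or signed by someone other than the expected publisher. The folder path `D:\OfflinePatches` and the default publisher string are assumptions, to be replaced with the real collection location and the signer you expect.

```powershell
# Added example (not from the original post): flag files in an offline patch
# collection whose Authenticode signature is absent, invalid, or from an
# unexpected publisher. Run this on the collection before pointing a
# patching tool at it.

function Get-UnsignedPatchFiles {
    param(
        [Parameter(Mandatory = $true)][string]$Folder,
        # Assumed default: matched as a substring of the signing cert's Subject.
        [string[]]$TrustedPublishers = @('CN=Microsoft Corporation')
    )
    Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.msi, *.cab, *.dll |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = ''
            if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

            $trusted = $false
            foreach ($p in $TrustedPublishers) {
                if ($subject -like "*$p*") { $trusted = $true }
            }

            # Status is Valid for a good signature; NotSigned, HashMismatch or
            # UnknownError mean the file was altered or never signed at all.
            New-Object PSObject -Property @{
                File       = $_.FullName
                Status     = $sig.Status
                Signer     = $subject
                Suspicious = (($sig.Status -ne 'Valid') -or (-not $trusted))
            }
        } |
        Where-Object { $_.Suspicious }
}

# Assumed location of the downloaded offline patch collection.
Get-UnsignedPatchFiles -Folder 'D:\OfflinePatches' |
    Format-Table -AutoSize File, Status, Signer
```

An empty result means every file in the folder has a valid signature from a trusted publisher; anything listed should be deleted and re-downloaded from the vendor rather than applied.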
F-Secure on Quicktime vulns
F-Secure’s weblog has a couple of entries on the recent QuickTime troubles, highlighted by the MySpace worm. They report two similar vulnerabilities, and their tests have found that one of the JavaScript tricks works for QuickTime users on a Mac with Safari.
Is this vulnerability listed on the eEye Zero Day Tracker? Not so far. Hmmm.
The Battle Shifts to Office
It doesn’t take a lot of prognosticating power to see that the bad guys are focusing on Office attacks.
George Ou writes “Is Microsoft Office Becoming a Zero Day Liability All Year Long?”
That ought to get the Firefox sheep to try OpenOffice. Unlike IE, that would really hit MS in the ole pocketbook. Of course, integrating OpenOffice into an enterprise patching strategy could be a problem. But then that didn’t slow down some companies at all with Firefox.
Removing Old Flash
When I ran the Secunia Software Inspector yesterday, it found I had old versions of Firefox, Winamp, Flash, and Java. The Flash and Java detections were complaining about older versions that were still installed, although I do have the current version installed. Secunia recommended that I remove the earlier versions.
It’s not really clear whether having older versions of the Flash.ocx file on a computer is actually a vulnerability or not. I figured I’d try what they suggested anyway. I downloaded a Flash remover tool from Adobe. After closing any program that could be using Flash, I ran uninstall_flash_player.exe. I was still left with C:\windows\system32\Macromed\flash\Flash.ocx, which has a file version of 7.0.19.0. There was also a getflash.exe in that directory with a version number matching the latest version of Flash I had installed.
I’m not really sure if I should remove that file or not. I went ahead and installed the latest version of Flash since I need to have Flash on my computer.
Secunia Software Inspector
I saw this over on Donna’s Security Flash.
Secunia has created a Software Inspector application. It’s a Java-based single-system auditor that checks your local system for vulnerabilities (see list for checked versions).
Pretty slick. Obviously it’s not a full-scale vulnerability checker, but it does check for some common software vulnerabilities.
“Security Conscious NASA”
MSNBC has an article on the Word doc banning at NASA that I alluded to earlier this week.
Adobe Download Manager Vulnerability
On December 5th eEye released an advisory about Adobe Download Manager. If you have downloaded software such as Adobe Reader from Adobe using one of those stupid download clients, you have Adobe Download Manager installed.
A malicious .aom file could be hosted on a web page. If you visit that page with IE, the exploit code in the file will run automatically.
Adobe suggests that you:
Browse to the following location:
Locate the file named AdobeDownloadManager.exe. If the directory or file does not exist, no further action is required.
Right-click on the AdobeDownloadManager.exe file and select Properties.
Click on the Version tab of the Properties dialog box.
If the version is 2.1.x or lower, uninstall using the uninstaller provided here.
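The manual Properties > Version check above, and the leftover Flash.ocx version found in the “Removing Old Flash” post, are the same check: read a binary’s file version and compare it against the level the vendor calls vulnerable. The script below is an added example, not code from this post, from Adobe or from Secunia, that does both in one pass. The Adobe Download Manager folder is not stated on the page, so its path here is an assumed placeholder; the “2.1.x or lower” threshold is the one Adobe gives above, while the 7.0 threshold for Flash.ocx is an assumption for illustration since the page does not give Secunia’s exact cut-off.

```powershell
# Added example (not from the original posts): read a binary's file version and
# report whether its major.minor is at or below a vendor-stated vulnerable level.

function Get-BinaryVersion {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build from the numeric parts; the FileVersion string can carry extra text.
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-VulnerableVersion {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Highest major.minor still considered vulnerable, e.g. 2.1 for "2.1.x or lower".
        [Parameter(Mandatory = $true)][version]$VulnerableThrough
    )
    $ver = Get-BinaryVersion -Path $Path
    if ($ver -eq $null) {
        # Adobe's guidance: if the directory or file does not exist, no further action is required.
        $state = 'absent'
    } else {
        $majorMinor = New-Object System.Version($ver.Major, $ver.Minor)
        if ($majorMinor -le $VulnerableThrough) { $state = 'vulnerable' } else { $state = 'ok' }
    }
    New-Object PSObject -Property @{ Path = $Path; Version = $ver; State = $state }
}

# Adobe Download Manager: threshold from Adobe's steps; the folder is not given
# on the page, so this path is an assumed placeholder to be replaced.
$admPath = 'C:\ASSUMED\PATH\AdobeDownloadManager.exe'
Test-VulnerableVersion -Path $admPath -VulnerableThrough ([version]'2.1')

# Leftover Flash.ocx from the "Removing Old Flash" post (7.0.19.0 there).
# The 7.0 threshold is an assumption for illustration.
$flashOcx = Join-Path $env:windir 'system32\Macromed\Flash\Flash.ocx'
Test-VulnerableVersion -Path $flashOcx -VulnerableThrough ([version]'7.0')
```

A result of `absent` corresponds to Adobe’s “no further action is required”; `vulnerable` means the file is present at or below the threshold and should be uninstalled or replaced, and `ok` means it is already newer.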
Should adobe release a 7.x patch for Reader/Professional?
It seems that Adobe is leveraging a vulnerability in their 7.x series of Adobe Professional and Adobe Reader to cause people to upgrade to 8, which was just released this week.
They’ve released a DLL file that you can copy into place, overwriting the vulnerable version in 7.x, but that solution is neither easy for most home users nor appropriate for enterprise deployment.
I’m well down the path of testing a 7.0.8 deployment and don’t particularly feel like starting over.
http://www.adobe.com/support/security/bulletins/apsb06-20.html