Posts tagged ‘F-Secure’

F-Secure on Quicktime vulns

F-Secure’s Weblog has a couple of entries on the recent Quicktime troubles, highlighted by the Myspace worm. They report two similar vulnerabilities, and their tests have found that one of the javascript tricks works for Quicktime users on a Mac with Safari.
Is this vulnerability listed on the eEye Zero Day Tracker? Not so far. Hmmm.

Myspace-Quicktime-Zango phishing worm

Several sites are reporting a worm infecting Myspace profiles and attempting to phish passwords through the use of javascript in Quicktime files. The vulnerability sounds similar to the Word URL autolaunch vulnerability, or the same problem in Adobe.
An exploited user profile in Youtube will contain a Quicktime file. The Quicktime file will likely play without user interaction when the visitor goes to the webpage. It will use javascript to open a popunder and also infect your Youtube profile if you have one.
More info is available:
F-Secure Weblog
Websense
SpywareGuide

Apple Rant

Apple somehow manages to blame Microsoft when Apple ships a virus preloaded on some iPods. Gee, I thought Apple was super secure and didn’t need any of that fancy stuff like antivirus. Most companies have learned that scanning for viruses before shipping is part of quality control.
I expect that soon User Friendly will have a comic strip showing how the Microsoft blackops team planted this virus on the iPods.
Here’s F-Secure’s take.

Windows Shell Vulnerability aka setslice exploit

So there is a new vulnerability (announced last week) accessed through Internet Explorer. Microsoft describes it as a Windows Shell vulnerability. You may see it listed through other sources as a setslice exploit.
The SANS ISC set their Infocon alert status to Yellow. Of course, they do this to increase “awareness”, not because of any specific widespread threat. F-Secure reports that while it’s out there, they aren’t seeing it in huge numbers.
Of the mitigations listed, my favorite is to set the ActiveX kill bits.

Windows Registry Editor Version 5.00

; Kill bit (0x400) for the two WebViewFolderIcon CLSIDs named in the Microsoft advisory.
; Use straight double quotes; regedit will not import a file with curly quotes.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

The problem with this mitigation (as with most mitigations) is understanding the potential impact. Microsoft reports that performing this step could cause “Web sites that use the WebViewFolderIcon ActiveX Control to no longer display or function correctly.” But there is no statement regarding how common this will actually be.
Additionally, I wonder if this will affect viewing folders locally. I don’t know. The phrase WebViewFolderIcon makes me wonder.
Lastly, while creating an ActiveX kill bit is easy, I feel like it is more difficult to put the computer back to its original state after the patch.
The bottom line is that I don’t feel like I have enough information to make a decision.
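As an added example (not from the original post, and not Microsoft’s own tooling), a PowerShell script that records the current state of the two CLSIDs above before OR-ing in the kill bit, so the change can be undone exactly once the patch is in; the rollback file location is an assumption.

```powershell
# Added example: set the WebViewFolderIcon kill bit reversibly.
# Requires PowerShell 3.0+ (Export-Csv -Append) and an elevated prompt.
$Clsids = @(
    '{e5df9d10-3b52-11d1-83e8-00a0c90dc849}',
    '{844F4806-E8A8-11d2-9652-00C04FC30871}'
)
$Base     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBit  = 0x400
$Rollback = "$env:TEMP\killbit-rollback.csv"   # assumed location for the backup

function Get-KillBitState([string]$Clsid) {
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { return @{ Exists = $false; Flags = $null } }
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    return @{ Exists = $true; Flags = $val }
}

function Set-KillBit([string]$Clsid) {
    $state = Get-KillBitState $Clsid
    # Record the prior state so Undo-KillBit can restore it exactly.
    [pscustomobject]@{ Clsid = $Clsid; Existed = $state.Exists; Flags = $state.Flags } |
        Export-Csv -Path $Rollback -Append -NoTypeInformation
    $key = Join-Path $Base $Clsid
    if (-not $state.Exists) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in rather than overwrite, preserving any other flags already set.
    $new = [int]($state.Flags) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Undo-KillBit {
    Import-Csv $Rollback | ForEach-Object {
        $key = Join-Path $Base $_.Clsid
        if ($_.Existed -eq 'True') {
            if ($_.Flags -eq '') { Remove-ItemProperty -Path $key -Name 'Compatibility Flags' }
            else { Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$_.Flags) -Type DWord }
        } else {
            Remove-Item -Path $key -Recurse   # key did not exist before; remove it entirely
        }
    }
    Remove-Item $Rollback
}

# Report whether each CLSID is currently blocked. Call Set-KillBit $c to apply,
# and Undo-KillBit after patching to return to the recorded state.
foreach ($c in $Clsids) {
    $s = Get-KillBitState $c
    $blocked = $s.Exists -and ($null -ne $s.Flags) -and (($s.Flags -band $KillBit) -ne 0)
    "{0}: kill bit {1}" -f $c, $(if ($blocked) { 'set' } else { 'not set' })
}
```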

Phishing from Free Sites

F-Secure on their blog today asks whether free webhosts such as Geocities, Tripod, etc. should proactively monitor for abuse such as phishing websites hosted on their servers.
It’s an interesting question. I’m not a lawyer or a privacy rights person. Currently providers are not expected to monitor content. They are expected to take action when notified. I’m pretty sure that performing some review, such as having moderators on a bulletin board, does not open a provider to the expectation of removing all bad content proactively.
If I were doing it, I’d contract with a filtering firm like Websense, Blue Coat, or MessageLabs to notify me when a URL from my domain shows up on one of their block lists. Preventing certain hostnames from being used, like paypall-redirect.tripod.com, seems like a good step. I’d be surprised if the vendors aren’t doing this already. I suspect the examples found in their post are just names that slipped through the ban list.
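As an added example of the hostname ban-list idea (mine, not F-Secure’s or any host’s actual filter), a PowerShell check that a webhost could run at sign-up: it normalizes common digit-for-letter substitutions, then flags a requested subdomain that contains a protected brand name or a token one edit away from it. The brand list and sample hostnames are constructed for the demo.

```powershell
# Added example: reject sign-up hostnames that impersonate protected brands.
$ProtectedBrands = @('paypal', 'ebay', 'citibank')         # constructed list
$Homoglyphs = @{ '0' = 'o'; '1' = 'l'; '3' = 'e'; '5' = 's'; 'vv' = 'w' }

# Levenshtein distance, so "paypai" is caught as one edit from "paypal".
function Get-EditDistance([string]$a, [string]$b) {
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

# Returns a reason string if the hostname looks like brand impersonation, else $null.
function Test-SuspiciousHostname([string]$Hostname) {
    $label = ($Hostname.ToLower() -split '\.')[0]        # the customer-chosen subdomain
    $norm = $label
    foreach ($k in $Homoglyphs.Keys) { $norm = $norm.Replace($k, $Homoglyphs[$k]) }
    $tokens = $norm -split '[^a-z]+' | Where-Object { $_ }
    foreach ($brand in $ProtectedBrands) {
        if ($norm.Contains($brand)) { return "contains '$brand'" }
        foreach ($t in $tokens) {
            # Only compare reasonably long tokens; short ones produce false positives.
            if ($t.Length -ge 5 -and (Get-EditDistance $t $brand) -le 1) {
                return "'$t' is one edit from '$brand'"
            }
        }
    }
    return $null
}

# Constructed sample requests: the post's example, a digit-substitution variant,
# a near-miss, and a benign name.
foreach ($h in 'paypall-redirect.tripod.com', 'secure-paypa1-login.geocities.com',
               'paypai-verify.tripod.com', 'photos-of-my-dog.tripod.com') {
    $why = Test-SuspiciousHostname $h
    "{0}: {1}" -f $h, $(if ($why) { "REJECT ($why)" } else { 'ok' })
}
```

A real deployment would pair this with the block-list notifications mentioned above, since a ban list only catches names that resemble brands it already knows about.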

CA accuses F-Secure of Mobile Malware FUD

http://news.zdnet.co.uk/communications/3ggprs/0,39020339,39279551,00.htm

“A spat has erupted between the two security services companies
following CA’s accusation that antivirus vendor F-Secure was
overplaying the threat of mobile malware.”

Amazing, I actually agree with CA about something.

Phone Phishing

I just saw this linked from the F-Secure blog. In an April 2006 article, the Computer Crime Research Organization reports sightings of phish that prompt you to call an 800 number. Users may be appropriately suspicious of financial emails yet be less suspicious of a phone number. The 800 number prompted the user for their credit card number and security code.
When contacting your financial institution, it is best to rely on the URLs and phone numbers printed on your financial statement.

w97m/kukudro.a

Catching up on some things from while I was out this week. We got a spike in detections of a new virus w97m/kukudro.a. F-Secure reports that the file is sent in a zipped archive. When opened, it uses an ancient exploit to run automatically. This occurs in Office XP and 2000 even if macros are disabled. In Office 2003 the vulnerability does not exist so the exploit will obey the macro setting. In many environments, the default macro security setting is to ask the user what to do.

Did you know…

Did you know that Microsoft Update and Windows Update are not the same thing?
I knew that Microsoft was providing Office updates outside of going to officeupdate.microsoft.com, but I didn’t know why I wasn’t seeing those updates at windowsupdate.microsoft.com. I typically select Tools > Windows Update from within Internet Explorer. Turns out there is an update.microsoft.com, which must be where I had gotten updates for Microsoft products, not just Windows. A tip of the keyboard to F-Secure and Sunbelt for writing about that this week, and thus reminding me.

Nice Trick

F-Secure’s blog reports on a use of rapid polymorphism in the latest Bagle.