Microsoft Security Advisory (2286198): Vulnerability in Windows Shell Could Allow Remote Code Execution

Vulnerability in Windows Shell Could Allow Remote Code Execution
Published: July 16, 2010
Version: 1.0
General Information

Executive Summary
Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers.

Source: http://www.microsoft.com/technet/security/advisory/2286198.mspx
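The advisory above describes the risk in terms of how Windows parses a shortcut and renders its icon, and recommends keeping AutoPlay disabled for removable drives. For an incident responder who finds .LNK files on a suspect USB stick, the practical first step is to parse the shortcut files offline and see where each one's displayed icon is loaded from. The following script is an added example written for this newsletter, not code from Microsoft or from the advisory. It implements the public Shell Link (.LNK) header and StringData layout, builds two constructed sample shortcuts in memory (no real files are read), and applies a simple heuristic: an icon loaded from a DLL or EXE outside the Windows or Program Files directories, or from a UNC or relative path, is reported. The trusted-prefix list and the heuristic itself are assumptions of this script, not something the advisory states.

```python
import struct
from pathlib import PureWindowsPath

# LinkFlags bits of the Shell Link (.LNK) binary format (MS-SHLLINK).
# Only the bits this triage script needs are listed.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} serialized little-endian
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumption of this script: icon paths under these prefixes are expected;
# a DLL/EXE icon anywhere else is worth a second look.
TRUSTED_ICON_PREFIXES = ("%systemroot%\\", "c:\\windows\\", "c:\\program files")


def _read_string(buf, pos, unicode):
    """StringData item: 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, pos)
    pos += 2
    width = 2 if unicode else 1
    raw = buf[pos:pos + count * width]
    pos += count * width
    text = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", errors="replace")
    return text, pos


def parse_lnk(buf):
    """Validate the header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("missing shell link header")
    (icon_index,) = struct.unpack_from("<i", buf, 0x38)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        (id_list_size,) = struct.unpack_from("<H", buf, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", buf, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "icon_index": icon_index}
    # StringData items appear in this fixed order, each only if its flag is set.
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            info[name], pos = _read_string(buf, pos, unicode)
    return info


def triage(info):
    """Heuristic findings for one parsed shortcut (not a signature for any specific attack)."""
    findings = []
    icon = info.get("icon_location", "")
    if icon and not icon.lower().startswith(TRUSTED_ICON_PREFIXES):
        path = PureWindowsPath(icon)
        if path.suffix.lower() in (".dll", ".exe"):
            findings.append(f"icon loaded from a module outside trusted locations: {icon}")
        if icon.startswith("\\\\") or not path.drive:
            findings.append(f"icon path is UNC or relative: {icon}")
    if info.get("arguments"):
        findings.append(f"shortcut passes arguments: {info['arguments']}")
    return findings


def scan(buf):
    """Parse one shortcut and return its findings; a parse failure is itself a finding."""
    try:
        return triage(parse_lnk(buf))
    except (ValueError, struct.error) as exc:
        return [f"unparseable shortcut: {exc}"]


def build_lnk(icon_location, arguments=None):
    """Constructed sample (not a real file): a minimal Unicode shell link with one IDList item."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_ICON_LOCATION | IS_UNICODE
    if arguments is not None:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    item = b"\x1f" + b"\x00" * 3                      # placeholder ItemID body
    id_list = struct.pack("<H", 2 + len(item)) + item + b"\x00\x00"  # + TerminalID
    body = struct.pack("<H", len(id_list)) + id_list
    for text in ([arguments] if arguments is not None else []) + [icon_location]:
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    samples = {"benign.lnk": build_lnk("%SystemRoot%\\system32\\shell32.dll"),
               "suspicious.lnk": build_lnk("E:\\icon.dll", arguments="/quiet")}
    for name, data in samples.items():
        print(name, scan(data) or ["no findings"])
```

To use it on a real drive image, read each .LNK file in binary mode and pass the bytes to scan(); the parser deliberately never resolves or loads the icon path, so it can be run on untrusted input from a workstation with no exposure to the shortcut's target.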

Spyware: The New Annoying Threat

A friend called me one day, frustrated out of his mind that his computer was acting very strange.  When he opened his Internet Explorer, it sent him to a strange site and pop-up windows kept covering his screen.  He even complained about the performance of his Intel Pentium 4 computer system, stating it was running a lot slower than two weeks prior.  I told him that it sounded like a bad case of a spyware infection.

So what is this spyware?  Spyware is software that collects personal information from your computer without your knowledge of the occurring event.  Information gathered from spyware ranges from the collection of all web-browsing activities to collecting sensitive information like usernames, passwords, address and even your social security number.  Spyware has the ability, when installed, to modify system settings, which perform undesirable tasks on your computer system.  Furthermore, spyware has been known to redirect user’s web browsers, cause computers to dial services for which they are billed and install DLLs and other executables files to send your personal data to another computer.  This is done by using the computer’s memory resources and also by utilizing bandwidth, as it sends information back to the spyware’s home server via the user’s Internet connection.  Because the spyware program is using memory and system resources, the applications running in the background can lead to system crashes or general system instability.

Some of the more notable spyware programs are listed below

  • Bonzi Buddy
  • Gator, made by the Claria Corporation (Advertising, pop ups, privacy violation, significant security risk, partially disables firewalls, some stability issues)
  • Internet Optimizer (Advertising, fake alert messages, possible privacy violation, security risk)
  • lop (advertising, pop ups, security risk, tries to dial out at random)
  • MarketScore (Claims to speed up Internet connections: serious privacy violation, loss of Internet connection on some systems)
  • New.net (security risk, stability issues, common cause of inability to connect)

So, how does a person acquire one of these spyware programs anyway?  Well, spyware can be installed onto your computer system through many different methods. You might be the target of spyware if you download software, music or free games off the Internet from unknown websites.  Spyware is hidden in freely available software, and when you download and install the software, the spyware programs are injected into your system.  Since the software is free, an abundance of users usually download them without reservations.

The other method of obtaining spyware on your computer system is through the security flaws in Internet Explorer (IE).  IE makes it very easy for spyware to be installed on your computer without your knowledge.  This happens through ActiveX and Active Scripting. These two technologies are designed specifically for the purpose of giving websites more control over your computer. Unfortunately, as we have seen or experienced firsthand, that’s not always a good thing.  IE has proven to be a useful entry point for hackers, providing an easy way for them to plant malicious programs onto your computer system.

Spyware categories[1]

Adware networks
The backbone of big-time spyware is the ad-serving networks that pay publishers of games, utilities and music/video players per download to include their ad-serving programs. Ad-serving networks include DoubleClick, Web3000, Radiate, SaveNow and GAIN.

Stalking horses
A number of programs that enable the adware networks to function on desktops are bundled in many popular programs and often (not always!) presented in installation disclosure screens as desirable add-ons to their Trojan horse hosts. All collect information. Included in TopText, Cydoor, OnFlow, Medialoads, Delfin, WebHancer, New.net.

Trojan horses
These popular Internet downloads usually come with the ad serving network basic software and at least one stalking horse. Included in KaZaa, Grokster, Morpheus, Limewire, AudioGalaxy, iMesh, DivX.

Backdoor Santas
Stand-alone programs that incorporate similar approaches have no links to ad serving networks and collect information from users. Included in Alexa, Hotbar, Comet Cursor, eWallet, CuteFTP, BonziBuddy.

Cookies
Netscape Navigator and Internet Explorer will still send out existing cookies even after disabling cookies in the browser settings. You must manually delete any/all cookie files on your system to eliminate being tracked by third-party ad networks, spyware and adware providers.

Protecting your computer from spyware

Here are a few tips on detecting, removing and protecting your computer system from spyware.

Watch what you download

Before you download anything from a Web site do some research, such as asking friends or checking other resources you trust.  Spyware can be intrusive and often difficult to delete. Sometimes, people actually wipe their hard drives clean and start over again just to get rid of them.

Beware of freeware programs

Freeware is the most common carrier for the bundled adware networks and stalking horses described above.  When you install any program, make sure you read the message on each window before you click “Agree” or “OK.”

Know good cookies from bad cookies.

These little text files have a bad reputation. But much of that is based on ignorance. Cookies actually perform valuable services. For instance, they can shoot you right into a site so you don’t have to enter your password.

Install a personal firewall

A personal firewall can help prevent unauthorized connections from your computer to remote computers, which is how spyware sends collected data home.

Install a Spyware detection and removal program

Spybot, a freely available program, is a good spyware and adware detection and removal tool.

Install a Virus Program

Popular anti-virus products such as the latest versions of McAfee VirusScan and Norton Anti-Virus 2004 now include adware and spyware scanning.

Update Software

Make sure your Windows software is always current. You can do this by visiting Windows Update and by enabling Automatic Updates. For detailed instructions, see our story about updating your Microsoft software.

Adjust your Internet Explorer (Web browser) security settings

If you change the security level to “low,” Web sites will be able to download software to your computer without telling you, so be careful when using this setting. If you need to change the security level to low for some reason, change it back to medium or higher as soon as possible.

Conclusion

Aside from the ethics and privacy concerns, spyware is very annoying.  The bright side is that more entities are joining the battle to help the end user.  Anti-virus companies are bundling spyware detection and removal software in their new releases, and some Internet service providers (ISPs) are introducing protection from adware and spyware. For example, America Online (AOL) announced spyware protection in January as an enhancement for AOL 9.0 Optimized.

I’ve even heard of users, so annoyed with spyware, who stated they stopped using IE and switched over to another browser as their web browser of choice to access the Internet, while another user threatened to switch their computer system altogether to a Macintosh.

This problem will not go away quickly, but it should become more manageable in the near future as more users become aware of and educated about spyware, the new annoying threat.


[1] http://www.downloadatoz.com/guardie/faqs.html


Automated Log Management and Analysis using Splunk for Computer Incident Investigations

I define “Log Analysis” as a process of collecting system logs (syslog) and event data from computer systems, network devices and applications to look for anomalous events that are malicious or are in violation of organizational policies.

Many organizations spend thousands of dollars on equipment deployment, but ignore the system and event logs from those exact systems. Log analysis is one of the most overlooked aspects of operational computer and network security today.

Traditionally, security teams have relied on outdated methods and inefficient analysis techniques, such as command-line tools and ad hoc scripts, to review log files. Furthermore, the security team has limited access to data, and when that data has to be collected from multiple locations and devices before it can be analyzed, the time needed to reach a conclusion about an incident grows accordingly.

By introducing Splunk, a search engine for log data that supports many log sources such as Apache access logs, MySQL database logs, and any log in standard syslog format, we were able to be more productive in our log analysis.

Splunk comes in two versions, basic and professional. The basic version is free as long as you keep the indexed data under 500MB a day, while the cost of the professional version depends on the amount of data collected and on some other useful features.

Splunk provides both real-time and historical visibility into all network, application, server and user activity to support investigations, alerting and reporting. It provides that bridge security and computer investigators need to do their jobs right.

For more information on Splunk and log management you can visit:
www.splunk.com
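The article defines log analysis as collecting syslog and event data and looking for events that are malicious or violate policy, and it contrasts that with scripts run by hand. The following is an added example for this newsletter, not code from Splunk or from the article's author, of what such a detection pass looks like when written down explicitly: it parses RFC 3164-style syslog lines, picks out SSH authentication results, and applies two rules, one for malicious activity (a burst of failed logins from one source followed by a success) and one for a policy violation (a password login outside business hours). The log lines, host names and addresses are constructed for the example (addresses come from the documentation ranges), and the thresholds, the window and the business-hours range are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines (RFC 3164 style); hosts and addresses are made up.
SAMPLE_LOG = """\
Jul 16 02:14:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 16 02:14:03 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jul 16 02:14:05 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51238 ssh2
Jul 16 02:14:08 web01 sshd[2101]: Failed password for admin from 203.0.113.7 port 51240 ssh2
Jul 16 02:14:11 web01 sshd[2101]: Failed password for oracle from 203.0.113.7 port 51242 ssh2
Jul 16 02:14:20 web01 sshd[2101]: Accepted password for oracle from 203.0.113.7 port 51250 ssh2
Jul 16 09:05:42 web01 sshd[2333]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2
Jul 16 12:30:00 db01 sshd[918]: Failed password for backup from 198.51.100.44 port 33000 ssh2
Jul 16 23:40:12 db01 sshd[990]: Accepted password for backup from 198.51.100.44 port 33100 ssh2
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (RFC 3164 has no year, so one is supplied)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# OpenSSH authentication result lines
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")


def parse_line(line, year=2010):
    """Return a dict for one syslog line, with auth fields added when it is an sshd result."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}
    a = AUTH_RE.match(m["msg"])
    if a:
        event.update(result=a["result"], method=a["method"], user=a["user"], src=a["src"])
    return event


def detect(lines, threshold=4, window_seconds=60, business_hours=(8, 18)):
    """Apply two rules and return alert strings.

    Rule 1 (malicious): at least `threshold` failed logins from one source to one
    host within `window_seconds` before a successful login from that source.
    Rule 2 (policy): an interactive password login outside `business_hours`
    (start inclusive, end exclusive). Thresholds and hours are assumptions.
    """
    events = [e for e in (parse_line(l) for l in lines) if e and "result" in e]
    alerts = []
    failures = defaultdict(list)          # (host, src) -> timestamps of failures
    for e in events:
        key = (e["host"], e["src"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if (e["ts"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append(f"{e['host']}: {len(recent)} failures then success for "
                          f"{e['user']} from {e['src']} within {window_seconds}s")
        start, end = business_hours
        if e["method"] == "password" and not start <= e["ts"].hour < end:
            alerts.append(f"{e['host']}: password login for {e['user']} from {e['src']} "
                          f"at {e['ts']:%H:%M} outside business hours")
    return alerts


def failures_by_source(lines):
    """Summary view: count of failed logins per source address, highest first."""
    counts = defaultdict(int)
    for e in (parse_line(l) for l in lines):
        if e and e.get("result") == "Failed":
            counts[e["src"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for alert in detect(lines):
        print("ALERT", alert)
    for src, n in failures_by_source(lines):
        print(f"{src}: {n} failed logins")
```

The same two rules are the kind of thing a log platform expresses as saved searches; writing them out once makes the thresholds, the correlation key (host plus source address) and the time window explicit, which is also what an investigator needs to document when an alert becomes an incident.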

Personal Security on Social Networking Sites

Visits to social networking sites account for more than 10% of the total time people spend on the Internet, according to Nielsen Online. A social networking site focuses on building online communities of people who share common interests and activities; examples are Linkedin.com and Facebook.com. Facebook is now the most visited social networking site on the Internet, with nearly 1.2 billion visits in January 2009 alone, while Twitter and Linkedin are steadily gaining ground.

Hackers have folded the popularity of social networking sites into their plans to compromise systems and steal personally identifiable information. Recent attacks such as the Koobface virus on Facebook and the clickjacking issues faced by Twitter are prime examples of the current challenges. These same hackers can also remain anonymous on social networking sites, which reinforces the point that you really do not know who is on the Internet with you.

Security on social networking sites is at a minimal standard right now: they rely on usernames and passwords for authentication, which means that anyone who finds out your username and password can gain access to your account. Until social networking site security evolves and improves, users need to be very careful and diligent.

Here are a few tips that should assist in making sure you are safe when using social networking sites:

1. Understand how the social networking site displays your information. Some sites will allow the user to control who can see your information, while others will allow anyone and everyone to view postings.

2. Don’t click on shortened (or “condensed”) URLs, like those created by TinyURL and Bit.ly. There’s no telling where these links lead, and that makes it easy to funnel you to malicious websites (drive-by downloads).

3. Be mindful of your personal information: don’t post your full name, address, age, hometown or information about your family. Even your screen name can reveal a lot of identifying information.

4. Post only information that you are comfortable with others seeing and knowing, including your employer, co-workers and acquaintances. Many people will see your page or postings, including the people who will be interviewing you for a current position or a future job.

5. Remember that once you post information online, it may be impossible to take it back. This includes photos that can be manipulated.

6. Be careful when it comes to online personal socializing such as flirting or disputes. Some people lie about who they are. Be wary if a new online friend wants to meet you in person.

7. Trust your instincts if you have suspicions. If you feel threatened by someone or uncomfortable because of something online, report it to the police and to the operators of the social networking site. You could end up preventing someone else from becoming a victim.

Social networking sites are working their way into our personal and business lives. People from various stages and walks of life are participating with very little knowledge of the dangers of these sites. The site owners provide only the minimal required security measures, while hackers are using tactics that have shown great success in circumventing them. It is up to us to do what is necessary to protect ourselves until better security measures are implemented or the hackers give up. Don’t hold your breath on the hackers giving up.

For more information on this article and other informative articles go to: www.securityorb.com

Microsoft Security Bulletin Summary for July 2010

MS10-042 – Vulnerability in Help and Support Center Could Allow Remote Code Execution (2229593)

“This security update resolves a publicly disclosed vulnerability in the
Windows Help and Support Center feature that is delivered with supported
editions of Windows XP and Windows Server 2003. This vulnerability could
allow remote code execution if a user views a specially crafted Web page
using a Web browser or clicks a specially crafted link in an e-mail
message. The vulnerability cannot be exploited automatically through
e-mail. For an attack to be successful, a user must click a link listed
within an e-mail message.”

MS10-043 Vulnerability in Canonical Display Driver Could Allow Remote Code
Execution (2032276)

MS10-044 Vulnerabilities in Microsoft Office Access ActiveX Controls Could
Allow Remote Code Execution (982335)

MS10-045 Vulnerability in Microsoft Office Outlook Could Allow Remote Code
Execution (978212)

Source: http://www.microsoft.com/technet/security/Bulletin/MS10-jul.mspx

Microsoft’s Next Move for Windows – Samara Lynn

Microsoft has bounced back into good graces after Windows Vista with the latest release of its operating system, Windows 7.  Many Windows users have adopted Windows 7, either upgrading from Windows XP or scrapping Vista.  In an interesting article titled “Will Windows 8 Be A Business-Only OS?” from PC Mag, Samara Lynn discusses Microsoft’s potential next move.

http://www.pcmag.com/article2/0,2817,2366282,00.asp