New way to push exploits to your PC
Full exploit code
This code exploits a “double free” error in the msado15.dll NextRecordset() function.
Because the same string is freed twice, the heap control block is overwritten
with attacker-supplied data.
The exploitation technique is based on “lookaside remapping”.
The exploit was published for the Microsoft Data Access Components vulnerability MS07-009. The original demonstration of this vulnerability occurred on July 29, 2006 in HD Moore’s Month of Browser Bugs.
On February 13, 2007, Microsoft released patch MS07-009 to address this vulnerability. You should apply this patch immediately if you have not yet done so.
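To make the mechanism concrete, here is an added Python model of a singly linked free list, the structure behind a heap lookaside list; it is not the linked exploit code and not the real Windows allocator, and the class and function names (ToyHeap, the constructed value 99) are my own. Each free chunk stores its “next” pointer in its own first word, so when a block is freed twice it sits on the list twice: the next two allocations alias the same memory, and user data written through one alias is read back by the allocator as list bookkeeping. The last function shows the cheap allocator-side check that catches the simplest case.

```python
"""Toy free-list allocator illustrating a double free (added example)."""


class ToyHeap:
    """Fixed-size chunks; a free chunk's first word is its 'next' pointer."""

    def __init__(self, n_chunks=4, check_double_free=False):
        self.mem = [0] * n_chunks          # first word of each chunk
        self.in_use = [False] * n_chunks
        self.check = check_double_free
        self.head = None                   # index of first free chunk
        # Thread every chunk onto the free list: 0 -> 1 -> 2 -> 3 -> None
        for i in reversed(range(n_chunks)):
            self.mem[i] = self.head
            self.head = i

    def alloc(self):
        if self.head is None:
            raise MemoryError("out of chunks")
        idx = self.head
        self.head = self.mem[idx]          # 'next' is read out of the chunk itself
        self.in_use[idx] = True
        return idx

    def free(self, idx):
        if self.check and self.head == idx:
            # Same idea as glibc's "double free or corruption (fasttop)" check:
            # the block being freed is already at the head of the list.
            raise RuntimeError(f"double free of chunk {idx}")
        self.in_use[idx] = False
        self.mem[idx] = self.head          # chunk's first word becomes 'next'
        self.head = idx

    def write(self, idx, value):
        """Ordinary user write into the chunk body (its first word here)."""
        self.mem[idx] = value


def double_free_aliases_allocations():
    """Free one block twice, allocate twice: both results are the same chunk."""
    h = ToyHeap()
    a = h.alloc()
    h.free(a)
    h.free(a)              # bug: second free of the same block
    b = h.alloc()
    c = h.alloc()
    return b == c          # True: two 'different' allocations alias


def corrupted_free_list_head():
    """User data written through one alias becomes the allocator's next pointer.

    Returns the free-list head after the sequence; it equals the constructed
    value 99 that the 'user' wrote, i.e. the allocator will next hand out an
    address chosen by whoever controlled that data."""
    h = ToyHeap()
    a = h.alloc()
    h.free(a)
    h.free(a)
    b = h.alloc()          # chunk a, which is still on the free list as well
    h.write(b, 99)         # lands in the free chunk's 'next' word
    h.alloc()              # pops chunk a again and loads head from that word
    return h.head


def double_free_detected():
    """With the head check enabled the second free raises instead of corrupting."""
    h = ToyHeap(check_double_free=True)
    a = h.alloc()
    h.free(a)
    try:
        h.free(a)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("aliased:", double_free_aliases_allocations())
    print("free-list head after corruption:", corrupted_free_list_head())
    print("detected:", double_free_detected())
```

The head-only check is deliberately weak (freeing a, then b, then a again slips past it), which is why modern allocators add further integrity checks and why the real fix is in the application: free each buffer exactly once and clear the pointer afterwards.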
Affected Software:
• Microsoft Data Access Components 2.5 Service Pack 3 on Microsoft Windows 2000 Service Pack 4
• Microsoft Data Access Components 2.8 Service Pack 1 on Microsoft Windows XP Service Pack 2
• Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003
• Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003 for Itanium-based Systems
Exploits for new Microsoft vulnerabilities available
The Internet Storm Center reported that exploit code is available for MS06-034, MS06-035, and MS06-036.
If you haven’t already patched these vulnerabilities, take immediate action.
MS06-034 – unchecked IIS buffer vulnerability in ASP file processing
This patch fixes what seems to be a buffer overflow in IIS. This buffer overflow can be exploited when IIS is processing ASP files.
In other words, in order to exploit this vulnerability, an attacker has to somehow be able to upload ASP files on the target server, which is running IIS (versions 5.0, 5.1 and 6.0 are affected). Normally, you would require a user to authenticate before they can upload files to the server, so the vulnerability is rated moderate/important.
If you do allow people to upload ASP files to your IIS server, apply the patch as soon as possible, although we don’t know of any public exploits yet.
MS06-035 (CVE-2006-1314)
The vulnerability can be exploited remotely against the “Server” service, so this would definitely be something that could be used for widespread compromise with no user interaction, or a worm. Looks like Windows 2000 SP4 is vulnerable by default. Windows XP SP2 and Server 2003 don’t appear to be vulnerable with a default installation unless services are listening on Mailslots. At this point, it is unclear exactly what software would enable Mailslots to create a vulnerable condition.
MS06-036 – unchecked buffer Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)
July 24, 2006 on 7:01 pm | In Critical patch, Exploits & Vulnerabilities | No Comments |
MS has said systems “primarily” at risk are Microsoft Windows 2000, Windows XP and Windows Server 2003.
“How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by answering a client’s DHCP request on the local subnet with malformed packets.”
“Could the vulnerability be exploited over the Internet?
An attacker could try to exploit this vulnerability over the Internet.”
“Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, however the vulnerability is not critical.”
Update your systems
Microsoft released twelve updates addressing various issues yesterday. There are several for different flavors of Windows and IE, and others for Word (MS06-027), PowerPoint (MS06-028), and Media Player 10 (MS06-024). The patch for Word fixes an issue that was found in May.
Update soon: the ISC has reported newly released exploits for these vulnerabilities.
Here is a quick list of what we have seen so far:
* MS06-024: Windows Media Player – exploit released by a penetration testing vendor to its customers.
* MS06-025: RRAS – exploit released by a penetration testing vendor to its customers.
* MS06-027: Word remote code execution – exploit available before release of the patch.
* MS06-030: SMB privilege escalation – two exploits released to the public.
* MS06-032: IP source routing – DoS exploits released privately (trivial exploit).
Download the updates for your home computer or laptop from the Microsoft Update Web site now.
June 14, 2006 on 6:37 pm | In Critical patch | No Comments |
Urgent patch – buffer overflow vulnerability in the F-Secure products
F-Secure issued a bulletin today highlighting a buffer overflow in the web console feature of F-Secure Anti-Virus for Microsoft Exchange and F-Secure Internet Gatekeeper. F-Secure rates this vulnerability as high where the web console is configured to only allow connections from localhost or specific trusted hosts, and critical where it is configured to allow connections from all hosts. They have released patches; the table below is taken directly from their advisory.
Patch availability:
| Product | Versions | Fix | Download |
| --- | --- | --- | --- |
| F-Secure Anti-Virus for Microsoft Exchange | 6.40 | Apply hotfix for F-Secure Anti-Virus for Microsoft Exchange 6.40 | ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse640-05.zip |
| F-Secure Internet Gatekeeper | 6.50 | Upgrade to F-Secure Internet Gatekeeper 6.60 or apply hotfix for F-Secure Internet Gatekeeper 6.50 | ftp://ftp.f-secure.com/support/hotfix/fsig/fsigk650-01.zip |
| F-Secure Internet Gatekeeper | 6.42, 6.41, 6.40 | Upgrade to F-Secure Internet Gatekeeper 6.60 | |
New Winamp Fixes Major Security flaw
AOL’s Nullsoft division released a new version of its popular Winamp music and video player on Thursday, in part to fix a “major” security flaw in the program, according to the accompanying advisory.
Winamp 5.22 includes a long list of stability updates and at least a couple of security fixes, though the advisory doesn’t go into specifics on the latter.
We have seen active exploitation of Winamp flaws in the past:
* Winamp Remote Code Execution
* Winamp exploit used to push spyware
* Multiple vulnerabilities in WinAmp – affects all versions (including 5.13)
so if you use Winamp, please do not put off downloading and installing this new version.
May 30, 2006 on 8:12 am | In Critical patch | No Comments |
The Patch day!
Microsoft released the following Security patches:
Critical:
Cumulative Security Update for Internet Explorer
This patch should be applied as fast as possible, but due to a change in ActiveX functionality it requires extra careful testing. Microsoft bundled all but one of this month’s Internet Explorer updates in this “cumulative update”. This particular update patches no fewer than 8 remote code execution issues. In addition, one information disclosure problem and an address bar spoofing vulnerability are fixed. Note that there are public exploits for at least one (CVE-2006-1245) and possibly two (CVE-2006-1388) of the advisories. While the exploits known to us only trigger a DoS condition, it is very much possible that more sinister exploits are already in use. Microsoft states that they are not aware of any exploits in the wild, which likely refers to remote code execution exploits, not DoS exploits.
Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerability in Windows Explorer Could Allow Remote Code Execution
A remote code execution vulnerability exists in Windows Explorer because of the way that it handles COM objects. An attacker would need to convince a user to visit a Web site that could force a connection to a remote file server. This remote file server could then cause Windows Explorer to fail in a way that could allow code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
If you can’t apply the patch right away, Microsoft recommends:
* Disable the Web Client service
* Use the Group Policy settings to disable the WebClient service on all affected systems that do not require this feature.
* Block TCP ports 139 and 445 at the firewall
Important:
Cumulative Security Update for Outlook Express
A remote code execution vulnerability exists within Outlook Express involving its handling of Windows Address Book (.wab) files. Attackers can craft a suitable version of the .wab file and then convince the end user to open the file through either direct email, or through opening a link on a web site. The attacker would gain the same administrative rights as the end user.
Moderate:
Vulnerability in Microsoft FrontPage Server Extensions Could Allow Cross-Site Scripting
A remote code execution vulnerability exists in FrontPage Server Extensions (FPSE) or SharePoint Team Services (STS) which could allow an attacker to run client-side scripts on behalf of an FPSE user. If the user has administrative rights, the attacker would gain complete access to the server. Otherwise, access will be limited to the rights granted to the end user. Because of a list of mitigating circumstances, and the default install of Windows Server, Microsoft is releasing this as a moderate issue. However, note that this is a remote code execution problem and could be more critical in your particular circumstances.
To download the updates, visit the Windows Update website. You may also get the updates through the Automatic Updates functionality in Windows.
April 12, 2006 on 5:12 am | In Critical patch | No Comments |
Temporary fix for IE vulnerability
eEye has released a patch for the active IE vulnerability.
Organizations that choose to employ this workaround should take the steps required to uninstall it once the official Microsoft patch is released. This workaround is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw. Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation [my emphasis].
Read more and download here
But a small comment: don’t bother using this patch; disabling Active Scripting support in IE is a valid mitigation.
March 29, 2006 on 9:33 am | In Critical patch, Exploits & Vulnerabilities | No Comments |
RealNetworks Products Multiple Buffer Overflow Vulnerabilities
Some vulnerabilities have been reported in various RealNetworks products, which can be exploited by malicious people to compromise a user’s system.
1) A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user’s system.
2) A boundary error within the handling of web pages can be exploited via a specially crafted web page on a malicious server to cause a heap-based buffer overflow. This may allow execution of arbitrary code on the user’s system.
3) A boundary error in the processing of MBC files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user’s system.
A weakness when executing other programs is caused by incorrect use of the “CreateProcess()” API. This may allow execution of an arbitrary program on the system if it can be placed in the program path.
The following products are affected by one or more of the vulnerabilities:
* RealPlayer 10.5 (6.0.12.1040-1348)
* RealPlayer 10
* RealOne Player v2
* RealOne Player v1
* RealPlayer 8
* RealPlayer Enterprise
* Rhapsody 3 (build 0.815 – 1.0.269)
* Mac RealPlayer 10 (10.0.0.305 – 331)
* Mac RealOne Player
* Linux RealPlayer 10 (10.0.6)
* Helix Player (10.0.6)
* Linux RealPlayer 10 (10.0.0 – 5)
* Helix Player (10.0.0 – 5)
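As an added illustration of the CreateProcess() weakness described above (my own example, not RealNetworks code, and the function names are assumptions), the Python helper below reproduces the search order documented for the Win32 CreateProcess() call when it is given no explicit application name and an unquoted command line containing spaces: Windows grows the module name one whitespace-delimited token at a time, appending .exe where no extension is present, and runs the first candidate that exists. The audit helper reports any earlier candidate that is present on disk, and the last function shows the corrected, quoted form.

```python
"""CreateProcess() unquoted-path analysis (added example, not vendor code)."""
import ntpath
import os


def createprocess_candidates(command_line):
    """Executable paths CreateProcess() tries, in order, for an unquoted
    command line with lpApplicationName == NULL (per the Win32 docs).
    A quoted command line yields a single, unambiguous candidate."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end]] if end != -1 else [cmd[1:]]
    tokens = cmd.split()
    candidates = []
    for i in range(1, len(tokens) + 1):
        name = " ".join(tokens[:i])
        if not ntpath.splitext(name)[1]:   # no extension: Windows appends .exe
            name += ".exe"
        candidates.append(name)
    return candidates


def shadowing_candidates(command_line, exists=os.path.exists):
    """Audit helper: candidates that would be chosen before the intended
    (last) one and that actually exist. Any hit means the launch is
    hijacked; 'exists' is injectable so the check can run offline."""
    cands = createprocess_candidates(command_line)
    return [c for c in cands[:-1] if exists(c)]


def quote_command_line(exe_path, args=()):
    """Corrected form: quote the program path (or pass it as
    lpApplicationName) so only one executable can ever be meant."""
    return " ".join(['"%s"' % exe_path, *args]).rstrip()


if __name__ == "__main__":
    # Constructed command line modelled on a typical per-user media-player launch.
    unsafe = r"C:\Program Files\Real\RealPlayer\realplay.exe"
    for c in createprocess_candidates(unsafe):
        print("would try:", c)
    print("safe:", quote_command_line(unsafe, ["/embed"]))
```

On a real system, run shadowing_candidates() with the default os.path.exists against the command lines your own software issues; the mitigation is to quote the path in the launching program and to keep the shorter candidate locations (such as the drive root) unwritable by unprivileged users.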
Vulnerability in Windows Media Player Could Allow Remote Code Execution
Windows Media Player has an unchecked buffer that allows remote code execution if a user views or opens a specially crafted .bmp file. Keep in mind there are many ways for this to be exploited, and .bmp files are not the only way. Microsoft states: “An attacker could also attempt to exploit this vulnerability by embedding a specially crafted Windows Media Player (.wmp) image within another file, such as a Word document and convince a user to open this document.”
Affected Software:
∙ Windows Media Player for XP on Microsoft Windows XP Service Pack 1
∙ Windows Media Player 9 on Microsoft Windows XP Service Pack 2
∙ Windows Media Player 9 on Microsoft Windows Server 2003
∙ Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Affected Components:
∙ Microsoft Windows Media Player 7.1 when installed on Windows 2000 Service Pack 4
∙ Microsoft Windows Media Player 9 when installed on Windows 2000 Service Pack 4 or Windows XP Service Pack 1
∙ Microsoft Windows Media Player 10 when installed on Windows XP Service Pack 1 or Windows XP Service Pack 2
Download patches now.
February 14, 2006 on 9:48 pm | In Critical patch, Exploits & Vulnerabilities | No Comments |
Sun Java JRE sandbox bypass vulnerability
Sun has released an alert on 7 vulnerabilities in the JRE. These vulnerabilities are related to the use of the “reflection” API in the JRE. As noted in the alert, there is no workaround; upgrading to the latest version is the only solution.
Read How to update Java.
February 8, 2006 on 9:44 pm | In Critical patch, Exploits & Vulnerabilities | No Comments |
My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.