Zinaps – fresh fake antispyware (Removal instructions)
Zinaps is a rogue antispyware program that reports false or exaggerated system security threats on the computer. The user is then prompted to pay for a full license of the application in order to remove the errors.

New way to push an exploit to your PC
Full exploit code was published for Microsoft Data Access Components vulnerability MS07-009. The original demonstration of this vulnerability occurred on July 29, 2006 in HD Moore’s Month of Browser Bugs.
This code exploits a “double free error” in the msado15.dll NextRecordset() function. As a result of the same string being freed twice, the Heap Control Block is overwritten with malicious data. The exploitation technique is based on “Lookaside remapping”.
On February 13, 2007, Microsoft® released patch MS07-009 to address this vulnerability. You should apply this patch immediately, if you have not yet done so.
Affected Software:
• Microsoft Data Access Components 2.5 Service Pack 3 on Microsoft Windows 2000 Service Pack 4
• Microsoft Data Access Components 2.8 Service Pack 1 on Microsoft Windows XP Service Pack 2
• Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003
• Microsoft Data Access Components 2.8 on Microsoft Windows Server 2003 for Itanium-based Systems
First security flaw found to hit Vista
The security firm eEye has discovered one of the first security flaws to directly affect Windows Vista, a bug that it claims allows local users to escalate their privileges.
The flaw involves Windows’ system for managing user security levels, User Account Control (UAC), which was introduced with Vista. UAC is designed to limit the damage that can be caused by mass attacks such as worms by giving standard users limited privileges, a practice common with other operating systems.
Combined with a remote vulnerability, the newly discovered bug could essentially render UAC useless, escalating standard user privileges to system-level access, according to eEye.
eEye said: “A flaw exists within Windows Vista that allows local privilege escalation to System”
Read more: User-privilege flaw hits Vista
March 1, 2007 on 10:34 am | In Exploits & Vulnerabilities, Tips
Vulnerability found in the Firefox built-in popup blocker
This vulnerability, coupled with an additional trick, allows the attacker to read arbitrary user-accessible files on the system, and thus steal some fairly sensitive information.
Vulnerable Systems: Firefox version 1.5.0.9
For security reasons, Firefox does not allow Internet-originating websites to access the file:// namespace. When the user chooses to manually allow a blocked popup however, normal URL permission checks are bypassed. The attacker may fool the browser to parse a chosen HTML document stored on the local filesystem, and because Firefox security manager treats all file:/// URLs as having “same origin”, such a document could read other local files at its discretion with the use of XMLHttpRequest, and relay that information to a remote server.
To protect your PC, upgrade Firefox to Firefox 2.0.
Read more: Firefox Popup Blocker Allows Reading Arbitrary Local Files
February 7, 2007 on 5:33 am | In Exploits & Vulnerabilities
New vulnerability found in Internet Explorer / how to protect
A new vulnerability has been found in Microsoft Windows, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an error in the Windows Shell and is exposed via the “setSlice()” method in the WebViewFolderIcon ActiveX control (webvw.dll). This can e.g. be exploited via Internet Explorer by a malicious website to corrupt memory by passing specially crafted arguments to the “setSlice()” method.
Successful exploitation allows execution of arbitrary code.
To protect your PC, you can do the following:
You can disable attempts to instantiate this ActiveX control in Internet Explorer by setting the kill bit for the control in the registry.
To set the kill bit for a CLSID with a value of {e5df9d10-3b52-11d1-83e8-00a0c90dc849}, paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{e5df9d10-3b52-11d1-83e8-00a0c90dc849}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871}]
"Compatibility Flags"=dword:00000400

You can apply this .reg file to individual systems by double-clicking it.
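A check for the kill-bit .reg file described above, as an added example that is not part of the original post: a value line in a .reg file needs straight double quotes and a line of its own, and text copied from a web page often has neither. The function names and both sample inputs are constructed for illustration; the key path and CLSIDs are the ones given in the post.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that blocks instantiation in IE
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# CLSIDs from the .reg text in the post
CLSIDS = ["{e5df9d10-3b52-11d1-83e8-00a0c90dc849}",
          "{844F4806-E8A8-11d2-9652-00C04FC30871}"]

def parse_reg(text):
    """Parse .reg text into ({key_lower: {name: dword}}, [problems])."""
    keys, problems, current = {}, [], None
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        problems.append("line 1: missing 'Windows Registry Editor Version 5.00' header")
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        if "\u201c" in line or "\u201d" in line:
            problems.append(f"line {n}: curly quotes, not valid .reg syntax")
            continue
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
            continue
        val = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if val and current is not None:
            current[val.group(1)] = int(val.group(2), 16)
        else:
            problems.append(f"line {n}: not a key or dword value line")
    return keys, problems

def missing_kill_bits(text, clsids=CLSIDS):
    """Return (CLSIDs whose kill bit the file would not set, parse problems)."""
    keys, problems = parse_reg(text)
    missing = [c for c in clsids
               if not keys.get(f"{BASE}\\{c}".lower(), {}).get("Compatibility Flags", 0) & KILL_BIT]
    return missing, problems

# Constructed sample: well-formed file
GOOD = "\n".join(["Windows Registry Editor Version 5.00", ""] +
                 [l for c in CLSIDS for l in (f"[{BASE}\\{c}]",
                                              '"Compatibility Flags"=dword:00000400', "")])
# Constructed sample: curly quotes and a key fused onto the previous value line
PASTED = "\n".join(["Windows Registry Editor Version 5.00",
                    f"[{BASE}\\{CLSIDS[0]}]",
                    f"\u201cCompatibility Flags\u201d=dword:00000400[{BASE}\\{CLSIDS[1]}]",
                    "\u201cCompatibility Flags\u201d=dword:00000400"])

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("PASTED", PASTED)):
        print(name, missing_kill_bits(sample))
```

Replacing only the curly quotes in the pasted sample is not enough: the fused line is still rejected, so the second CLSID never gets its own key and its kill bit stays unset.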
You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:
1. In Internet Explorer, click Internet Options on the Tools menu.
2. Click the Security tab.
3. Click Internet, and then click Custom Level.
4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
5. Click Local intranet, and then click Custom Level.
6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.
7. Click OK two times to return to Internet Explorer.
You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High. To raise the browsing security level in Microsoft Internet Explorer, follow these steps:
1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.
3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.
Read more: Vulnerability in Windows Shell Could Allow Remote Code Execution, WebViewFolderIcon setSlice, Microsoft Windows Shell Code Execution Vulnerability
October 2, 2006 on 8:40 am | In Exploits & Vulnerabilities
How to block VML exploit
A few days ago, a new zero-day exploit was found. The exploit uses a bug in VML in Internet Explorer to overflow a buffer and inject shellcode. It is currently on and off again at a number of sites.
The vulnerability is caused due to a boundary error in the Microsoft Vector Graphics Rendering (VML) library (vgx.dll) when processing certain content in Vector Markup Language (VML) documents. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a malicious VML document containing an overly long “fill” method inside a “rect” tag with the Internet Explorer browser.
Successful exploitation allows execution of arbitrary code with the privileges of the application using the vulnerable functionality in the library.
To block the VML exploit, try the following:
1. Click Start, click Run, type "regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"" (without the outer quotation marks), and then click OK.
2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Impact of Workaround: Applications that render VML will no longer do so once Vgx.dll has been unregistered. To undo this change, re-register Vgx.dll by following the above steps. Replace the text in Step 1 with "regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"" (without the outer quotation marks).
September 20, 2006 on 5:16 pm | In Exploits & Vulnerabilities, Tips, Tutorials - HowTo
New Internet Explorer vulnerability found
An Internet Explorer (daxctle.ocx) heap overflow vulnerability has been found.
When Internet Explorer handles the Spline method of the DirectAnimation.PathControl COM object (daxctle.ocx), setting the first parameter to 0xffffffff triggers an invalid memory write, which an attacker may use to cause a DoS and possibly execute arbitrary code.
Affected Windows versions:
Windows 2000
Windows XP
Windows 2003
Windows users.. check out Firefox, Opera, and whatever other nice browsers you can throw out there.
August 31, 2006 on 9:11 pm | In Exploits & Vulnerabilities
Exploits for new Microsoft vulnerabilities available
Internet Storm Center reported that exploit code is available for MS06-034, MS06-035, and MS06-036.
If you haven’t already patched for these vulnerabilities you should take immediate action.
MS06-034 – unchecked IIS buffer vulnerability in ASP files processing
This patch fixes what seems to be a buffer overflow in IIS. This buffer overflow can be exploited when IIS is processing ASP files.
In other words, in order to exploit this vulnerability, an attacker has to somehow be able to upload ASP files on the target server, which is running IIS (versions 5.0, 5.1 and 6.0 are affected). Normally, you would require a user to authenticate before they can upload files to the server, so the vulnerability is rated moderate/important.
If you do allow people to upload ASP files on your IIS server, it would be wise to apply the patch as soon as possible, although we don’t know about any public exploits yet.
MS06-035 (CVE-2006-1314)
The vulnerability can be exploited remotely against the “Server” service. So this would definitely be something that could be used for widespread compromise with no user interaction, or a worm.
Looks like Windows 2000 SP4 is vulnerable by default. Windows XP SP2 and Server 2003 don’t appear to be vulnerable with a default installation unless services are listening on Mailslots. At this point, it is unclear exactly what software would enable Mailslots to create a vulnerable condition.
MS06-036 – unchecked buffer Vulnerability in DHCP Client Service Could Allow Remote Code Execution (914388)
July 24, 2006 on 7:01 pm | In Critical patch, Exploits & Vulnerabilities
MS has said systems “Primarily” at risk are Microsoft Windows 2000, Windows XP and Windows Server 2003.
“How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by answering a client’s DHCP request on the local subnet with malformed packets.”
“Could the vulnerability be exploited over the Internet?
An attacker could try to exploit this vulnerability over the Internet.”
“Are Windows 98, Windows 98 Second Edition or Windows Millennium Edition critically affected by this vulnerability?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, however the vulnerability is not critical.”
New way – Exploiting over distance
An ISC reader pointed out this relatively new exploit vector. At the upcoming BlackHat conference, a duo is going to demonstrate hacking WiFi device drivers to assume control of a target machine.
The two researchers used an open-source 802.11 hacking tool called LORCON (Loss of Radio Connectivity) to throw an extremely large number of wireless packets at different wireless cards. Hackers use this technique, called fuzzing, to see if they can cause programs to fail, or perhaps even run unauthorized software when they are bombarded with unexpected data.
Using tools like LORCON, Maynor and Ellch were able to discover many examples of wireless device driver flaws, including one that allowed them to take over a laptop by exploiting a bug in an 802.11 wireless driver. They also examined other networking technologies including Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink Packet Access).
The combination of device drivers (which sit close to the kernel) and wireless technology makes this vector uniquely possible. Most device drivers you couldn’t safely attack because devices are attached to the actual hardware, but wireless is meant to work over distance. The vector is still limited by distance to those close enough to some transmission agent, but with the growing prevalence of free wireless hotspots it is easy to find places where enough laptops congregate to get good results (say a conference or in an airport terminal).
July 10, 2006 on 9:15 am | In Exploits & Vulnerabilities
OpenOffice.org fixes three security vulnerabilities
OpenOffice.org 2.0.3 fixes three security vulnerabilities that have been found through internal security audits. Although there are currently no known exploits, they urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor’s patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.
The three vulnerabilities involve:
- Java Applets, CVE-2006-2199
It is possible for some Java applets to break out of the secure “sandbox” in which they are normally constrained. The applet code could potentially have access to the entire system with whatever privileges the current user has.
A workaround is provided to temporarily disable support for Java applets. Instructions are provided for both 1.1.x and 2.0.x.
- Macro, CVE-2006-2198
A flaw with the macro mechanism could allow an attacker to include certain macros that would be executed even if the user has disabled document macros. Such macros could potentially have access to the entire system with whatever privileges the current user has. There is no workaround for this issue.
- File Format, CVE-2006-3117
A flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents. The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code-execution. There is no workaround for this issue.