SQL Injection Worms Infecting New Sites

Posted on May 7, 2008 by Adam Hostetler

Attacks continue in the wild against ASP pages with SQL injection flaws. It appears that the worm is injection scripts and iframes into the webpages which then forwards users to another page with an exploit embedded. The exploits are believed to be based on recent Real Player vulnerabilities. take over visitors to the websites. It looks like the infection of user machines is by Real Player vulnerabilities that seem more or less detected pretty well. It’d be a good idea to make sure everyone has Real Player updated if it is installed as a precaution for users that may visit any infected site.

Windows XP Service Pack 3

Posted on May 6, 2008 by Adam Hostetler

Windows XP Service Pack 3 has been released. This long awaited update to Windows XP offers some enhanced security features borrowed from Windows Vista and a few other things. Rolling out this service pack will also install all of the Windows updates released since service pack 2. Some of the enhancements in SP3 includes black hole router detection, network access protection, enhanced security for administrator and service policy entries, and a kernel mode cryptographic module.

Akamai Download Manager Vulnerability

Posted on May 5, 2008 by Adam Hostetler

Akamai Download Manager installs an ActiveX control if a user uses the ActiveX download manager. The ActiveX control will remain installed on the users computer until manually removed. A program execution vulnerabillity has been identified within this ActiveX control. This problem is due to two undocumented object parameters. By using these parameters in a malicous website, it is possible to cause the Download Manager to automatically download and execute arbitrary applications from malicious hosts.

Akamai has released a new version of the download manager to correct this issue. MicroSolved recommends updating to the newest version if you have ever used the Download Manager. It is also possible to manually remove the ActiveX control, or set the kill-bits for this control to disable it.

Lotus Expeditor Client Vulnerability

Posted on May 1, 2008 by Adam Hostetler

A vulnerability in IBM Lotus Expeditor has been identified, which could be exploited to compromise a user’s system. The issue is that the application registers the “cai” URI handler, which allows launching rcplauncher.exe with arbitrary command line arguments. This can be exploited to execute arbitrary by having a user click on a malicous url link. It’s reported that Lotus Expeditor Client for Desktop versions 6.1.0, 6.1.2, and 6.1.2 are vulnerable. Contact IBM Support to request a patch to mitigate this issue.

WordPress Code Execution Vulnerability

Posted on April 29, 2008 by Adam Hostetler

Two new vulnerabilities have been identified in WordPress 2.5. The vulnerabilities could allow an attacker to conduct xss attacks, bypass some security restrictions, compromise the vulnerable system. The first vuln could allow an attacker to bypass the authentication mechanism by creating a cookie with certain settings.

The second vulnerability is caused by passing input to an unspecified parameter which is not properly sanitised by the server. This vulnerability can be exploited to execute arbitrary script code in a user’s browser session.

All users should update to the latest version of WordPress, version 2.5.1.

Intel Centrino Wireless Exploit

Posted on April 18, 2008 by Adam Hostetler

A popular attack framework has released an exploit that takes advantage of a vulnerability within older Intel Centrino wireless drivers. Specifically the Intel 2200BG has this issue. The vulnerability exists with the w22n51.sys driver which has a buffer overflow. It would be a very good idea to make sure you are running the latest wireless drivers if you’re using an Intel Centrino based laptop, as the exploit will infect every machine vulnerable within the vicinity at the kernel level.

HP OpenView NNM Exploit

Posted on April 16, 2008 by Adam Hostetler

There was an exploit released for a recent HP OpenView vulnerability that was disclosed a few days ago. The exploit is able to return a shell on version 7.5.1, and would only take a little more work to affect other versions. HP has not released an update for this vulnerability yet, but is expected to soon. In the mean time, restrict access to the OpenView NNM, which defaults to port 2954/tcp.

New Tools Keep Coming

Posted on April 15, 2008 by Adam Hostetler

Several new and updated tools have been released recently. These are mostly aimed at application scanning, specifically getting into the backend database. While it’s no surprise that these tools keep coming, we just want to reinforce the need for better application security. We don’t anticipate an end to attacker tools anytime soon, so keep your guards up 😉

Adobe Flash Update

Posted on April 14, 2008 by Adam Hostetler

Adobe has released a new version of their flash plugin. The new version fixes a recent vulnerability that was exploited during a contest to compromise a fully patched Windows Vista machine. The update also fixes other disclosed vulnerabilities known to exist in older versions of the Flash plugin. MicroSolved recommends that all users update to the newest version immediately. This can be done by downloading at Abode’s website, or through the Flash auto updater.

Apache Tomcat Connector Exploit

Posted on April 7, 2008 by Adam Hostetler

An exploit has been released into the wild for Tomcat Connector version jk2-2.0.2. The vulnerability exploited exists in the Host Header field of the apache jk2 module. At this point it’s known to work on Fedora Core versions 6,7, and 8. Other distros will likely also be affected by the exploit. If you are using the legacy 2.0.x tree of the Apache Tomcat Connector, upgrade to version 2.0.4, or use the newest version of mod_jk.

MSI :: State of Security

Insight from the Information Security Experts

Author Archives: Adam Hostetler