A vulnerability in Microsoft Word could allow attackers to execute arbitrary code. Cascading Style Sheets (CSS) define various styles within a Word document. A flaw in the processing of CSS results in memory corruption, which could be exploited by malicious attackers. Users would have to open a malicious document on their local system to trigger the exploit.
Category Archives: Emerging Threats
Microsoft Patches Released for May
Microsoft posted their patches for May today. Looks like 3 critical patches, all of which allow remote code execution. A denial of service patch is also included as a moderate.
Given the recent interest in patch-based vulnerability discovery, if exploits don’t already exist in the wild, they are likely to appear very quickly.
Organizations should immediately begin testing the patches against their normal QA process and get them applied as quickly as possible.
Mass Injection Attacks
Reports of a mass file injection attack were seen over the weekend. Upwards of 400,000 sites seem to have been affected so far by URLs that download a file that seems to be related to the Zlob trojan. Most of these sites seem to be running phpBB forum software. If you have the capability you may want to examine egress logs and/or blacklist the two URLs that are currently known to be distributors. Those URLs are:
hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js
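One way to do the egress-log check suggested above, as an added example (not code from the original post): it matches the hostnames of the two known distributor URLs against proxy log lines and reports which internal clients fetched them. The Squid-style log format and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Hostnames of the two distributor URLs named in the report (defanged there as hxxp://).
KNOWN_DISTRIBUTOR_HOSTS = {"free.hostpinoy.info", "xprmn4u.info"}

# Assumed Squid-style access log: "timestamp elapsed client_ip status/size method url ..."
# These lines are constructed sample data, not real traffic.
SAMPLE_LOG = """\
1210000001.123    312 10.1.2.3 TCP_MISS/200 4521 GET http://www.example.com/forum/index.php - DIRECT/203.0.113.5 text/html
1210000002.456     98 10.1.2.3 TCP_MISS/200 1843 GET http://free.hostpinoy.info/f.js - DIRECT/203.0.113.9 application/x-javascript
1210000003.789    120 10.1.2.7 TCP_MISS/200 1843 GET http://xprmn4u.info/f.js - DIRECT/203.0.113.10 application/x-javascript
1210000004.012    200 10.1.2.9 TCP_MISS/404 512 GET http://www.example.org/other.js - DIRECT/203.0.113.11 text/html
1210000005.345     97 10.1.2.3 TCP_HIT/200 1843 GET http://free.hostpinoy.info/f.js - NONE/- application/x-javascript
"""

# Fields: timestamp, elapsed ms, client, status/code, bytes, method, url (rest ignored)
SQUID_LINE = re.compile(r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
HOST_IN_URL = re.compile(r"^[a-z]+://(?P<host>[^/:]+)", re.IGNORECASE)


def host_of(url):
    """Return the lowercased hostname of a URL, or None if it has no scheme://host part."""
    m = HOST_IN_URL.match(url)
    return m.group("host").lower() if m else None


def find_clients_fetching(log_text, bad_hosts=KNOWN_DISTRIBUTOR_HOSTS):
    """Return {client_ip: [urls...]} for every request whose host is a known distributor.
    Matching on the host rather than the full URL also catches changed paths or query strings."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = SQUID_LINE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        url = m.group("url")
        if host_of(url) in bad_hosts:
            hits[m.group("client")].append(url)
    return dict(hits)


if __name__ == "__main__":
    for client, urls in sorted(find_clients_fetching(SAMPLE_LOG).items()):
        print(f"{client}: {len(urls)} request(s) to a known distributor -> {sorted(set(urls))}")
```

Clients that appear in the output visited an injected page and should be checked for the Zlob-related download; the same host set can feed a proxy blacklist.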
New Thunderbird Version, Rdesktop Vuln
A new version of the Mozilla Thunderbird client was released today. The new version fixes a security issue that could allow JavaScript to escalate privileges and execute arbitrary code. It also fixes a crashing issue. If you use Thunderbird as your mail client, update it as soon as possible, since the new version closes a security flaw.
Beware of Myanmar Aid Scams & Trojans
Nothing like a disaster to bring out the crimeware.
Keep your eyes open for disaster- and aid-oriented phishing and trojan scams. We are likely to see the same types of attacks that followed other disasters. We can expect everything from Trojan horses designed to look like headline update tools, phishing schemes asking for donations, basic client-side exploits from web pages and HTML emails, and the usual myriad of outright fraud.
Basically, if you really want to help folks, drop by known and trusted organizations such as the Red Cross, etc.
Be on the lookout for strange network activity, as these campaigns are likely to be used to grow the botnets by yet another expansion.
SQL Injection Worms Infecting New Sites
Attacks continue in the wild against ASP pages with SQL injection flaws. It appears that the worm is injecting scripts and iframes into the web pages, which then forward visitors to another page with an embedded exploit that takes over their machines. The exploits are believed to be based on recent Real Player vulnerabilities, which seem to be detected fairly well by current antivirus. It’d be a good idea to make sure everyone has Real Player updated, if it is installed, as a precaution for users who may visit an infected site.
Windows XP Service Pack 3
Windows XP Service Pack 3 has been released. This long-awaited update to Windows XP offers some enhanced security features borrowed from Windows Vista and a few other things. Rolling out this service pack will also install all of the Windows updates released since Service Pack 2. Some of the enhancements in SP3 include black hole router detection, Network Access Protection, enhanced security for administrator and service policy entries, and a kernel mode cryptographic module.
Akamai Download Manager Vulnerability
Akamai Download Manager installs an ActiveX control if a user chooses the ActiveX download manager. The ActiveX control remains installed on the user’s computer until manually removed. A program execution vulnerability has been identified within this ActiveX control. The problem is due to two undocumented object parameters. By using these parameters in a malicious website, it is possible to cause the Download Manager to automatically download and execute arbitrary applications from malicious hosts.
Akamai has released a new version of the download manager to correct this issue. MicroSolved recommends updating to the newest version if you have ever used the Download Manager. It is also possible to manually remove the ActiveX control, or to set the kill bit for this control to disable it.
IBM WebSphere Application Server Java Security Bypass
An unspecified vulnerability in the Java plug-in can allow an untrusted applet to gain escalated privileges. The vulnerability is known to exist in version 5.0.2. For full details see IBM’s advisory at: http://www-1.ibm.com/support/docview.wss?uid=swg1PK65161
Lotus Expeditor Client Vulnerability
A vulnerability in IBM Lotus Expeditor has been identified which could be exploited to compromise a user’s system. The issue is that the application registers the “cai” URI handler, which allows launching rcplauncher.exe with arbitrary command line arguments. This can be exploited to execute arbitrary code by having a user click on a malicious URL. Lotus Expeditor Client for Desktop versions 6.1.0, 6.1.2, and 6.1.2 are reported to be vulnerable. Contact IBM Support to request a patch to mitigate this issue.