SQL Worms Continue to Raise Their Ugly Heads

Posted on by
Reply

For the last few weeks I have been watching old versions of SQL attacks, worms and probes continue to circulate around the Internet. For a year or so now, I have continued to be fascinated by the life span of old attacks and worms. I have written a couple of articles about how our HoneyPoints continue to capture both NIMDA and Code Red worm traffic.

The thing about these SQL worms is that their traffic is so large, even today. According to popular sources like ATLAS, they represent nearly 70% of all malicious traffic on the Internet today. 70% is a large number, especially for vulnerabilities that date back to 2002. Here we are more than 5 years later and these threats are still propagating!

Port UDP/1434 is still the most commonly threatened port according to ATLAS, which I find hard to believe. Our HoneyPoint experience shows that ports 25 and 80 are the most frequently attacked, unless you add in the myriad of Windows RPC noise you get on the Windows SMB and RPC ports. Maybe ATLAS does not include spam or PHP probes in their attack statistics?

While I am unsure of the frequency of global 1434 attacks, it is very true that the traffic is still around. Our HoneyPoints often detect Slammer worm activity and illicit SQL probes from the Internet. These probes originate from all around the world and no particular region seems to emerge as the most common, though we should study these frequency statistics more deeply when time allows.

But what of targets? How many SQL server instances are still exposed to the raw Internet? Our assessment technicians say they almost never run into one in corporate environments today. I suppose that they still exist in more than a few cable modem or other systems without proper firewalls, but certainly the availability of SQL services to the raw Internet has to have dwindled to almost none. If that is true, then why all the scanning activity?

I have made a few attempts to backtrack hosts that perform the scans and at first blush many show the signs of common bot-net infections. Most are not running exposed SQL themselves, so that means that the code has likely been implemented into many bot-net exploitation frameworks. Perhaps the bot masters have the idea that when they infiltrate a commercial network, the SQL exploits will be available and useful to them? My assessment team says this is pretty true. Even today, they find blank “sa” passwords and other age old SQL issues inside major corporate clients. So perhaps, that is why these old exploits continue to thrive.

In either case, significant efforts should be made to reduce or eliminate these older vulnerabilities and to remove them from our current threats that we face today. So long as we have this noisy attack traffic from the past circulating, it makes it even harder for us to focus on emerging threats and risks that affect our Internet facing systems today. It is simply one more set of alerts, log entries and intrusion deception emails to sort through…

WS_FTP Buffer Overflow Vulnerability

Posted on by
Reply

A vulnerability has been identified in IpSwitch’s WS_FTP Server with SSH software. The vulnerability is a buffer overflow. It is possible to exploit this issue to cause a denial of server condition, and it may be possible to execute code. The vulnerability is confirmed in IpSwitch WS_FTP Server with SSH version 6.1. Other versions may also be affected.

Excel Exploit In The Wild

Posted on by
Reply

Microsoft reported today that a previously unknown vulnerability in Excel is being actively exploited. According to the release the issue affects older versions of Excel, including Microsoft Office Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for OS X. The exploit requires the victim to open a malicious Excel file in order for the exploit to execute.

There is currently no fix for this issue, other than being very careful about which Excel files are opened. Microsoft said that they are working on a fix that may come out before the next patch cycle.

Microsoft’s advisory is at: http://www.microsoft.com/technet/security/advisory/947563.mspx

QuickTime 7.4 is available

Posted on by
Reply

The hits just keep coming! Apple has released another version of Quicktime this time around multiple vulnerabilities that may allow arbitrary code execution have been addressed. These include:

    An unspecified handling error in the processing of Sorenson 3 video files.

    An error in the processing of embedded Macintosh Resource records within QuickTime movies.

    Parsing errors of malformed Image Descriptor (IDSC) atoms.

    A boundary error in the processing of compressed PICT images.

We recommend that everyone upgrade to QuickTime 7.4
See Apple’s full advisory at:
http://docs.info.apple.com/article.html?artnum=307301

Oracle Critical Patches for January 2008

Posted on by
Reply

As apart of their ongoing security program, Oracle has released their latest round of critical patches. Most versions of Oracle from 9i through 12 are affected in some manner and the vulnerabilities are unspecified. For full details visit their original advisory at:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html

The Continuing Saga of Malware by Email

Posted on by
Reply

We’re seeing reports of a new round of storm virus emails. This time they’re using valentine’s day to lure users to a site to download and run the malware. Otherwise it is essentially the same attack as before. We advise that you ensure all your email and virus defenses are running with the latest updates and that your users are reminded to ignore emails from unknown entities. They should also never download attachments from emails or web sites that are not explicitly trusted. There are plenty of potentially intriguing subjects that could be used to dup unsuspecting users. Things like winning Super Bowl tickets, checking out the latest American Idol videos, or even the latest news on the presidential campaign.

Quicktime PoC

Posted on by
Reply

Apple released an update to Quicktime yesterday, and attackers wasted no time coming up with a new exploit for it. Already in the public is a proof of concept exploit for Quicktime 7.3.1.70. It seems that Apple still hasn’t fixed the root cause of the RTSP vulnerability.

In other news, a survey over the past year on Oracle admins found that only 1 in 3 Oracle database admins bother to patch their databases. 68% of the admins admitted to never applying any patches at all. If that is true, it’s rather frightening.

QuickTime 7.3.1 is available

Posted on by
Reply

Apple has released QuickTime 7.3.1 to address several vulnerabilities. These include the buffer overflow in RTSP, a heap buffer overflow found in QuickTime’s handling of QTL files and vulnerabilities which exist in QuickTime’s Flash media handler. Updates are available for: Mac OS X v10.3.9 or later, Windows Vista, and XP SP2. The relevant CVEs are CVE-2007-6166, CVE-2007-4706 and CVE-2007-4707 respectively.

Level One WBR-3460A Wireless Router Telnet Vulnerability

Posted on by
Reply

This device presents a telnet prompt on the standard port (23/tcp). This instance of telnet allows local users to login without authenticating. This gives the user access to the file system where they are able to manipulate files or grab the administrator password for the web interface. A fix is in development.

Sun Java Identity Manager Vulnerabilities

Posted on by
Reply

Sun released two advisories today. The first details Coss-Site Scripting vulnerabilites in Sun Java System Identity Manager. They consist of input validation errors in the parameters “cntry” and “lang” of /idm/login.jsp, the “resultsForm” parameter of /idm/account/findForSelect.jsp and the “helpUrl” parameter of /idm/help/index.jsp. The original advisory can be found at:http://sunsolve.sun.com/search/document.do?assetkey=1-26-103180-1

The second involves