" /> MowGreen: October 2005 Archives


October 15, 2005

Workaround/Fixes for Microsoft Security Bulletins MS05-051 (KB909444) and MS05-052 (KB896688)

Workarounds for issues associated with Microsoft Security Bulletin MS05-051 - Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400) and Microsoft Security Bulletin MS05-052 - Cumulative Security Update for Internet Explorer (896688) are available.


KB909444 - Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 update for COM+ and MS DTC.

SYMPTOMS
On a computer that is running Microsoft Windows XP, Microsoft Windows 2000 Server, or Windows Server 2003, one or more problems may occur after you install the critical update that is discussed in Microsoft Security Bulletin MS05-051. These problems include the following:

• The Windows Installer service may not start.

• The Windows Firewall Service may not start.

• The Network Connections folder is empty.

• The Windows Update Web site may incorrectly recommend that you change the Userdata persistence setting in Microsoft Internet Explorer.

• Active Server Pages (ASP) pages that are running on Microsoft Internet Information Services (IIS) return an “HTTP 500 – Internal Server Error” error message.

• The Microsoft COM+ EventSystem service will not start.

• COM+ applications will not start.

• The computers node in the Microsoft Component Services Microsoft Management Console (MMC) tree will not expand.

• Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.

Please read the instructions on the MS web page (KB909444) for the detailed steps to work around the above issues. These symptoms only occur on systems where the default ACLs on %windir%\registration were changed, so check those permissions before assuming the security update itself is defective.


Microsoft Security Bulletin MS05-052 Cumulative Security Update for Internet Explorer (896688)
When downloading the update, error code 0x80242008 appears during the "Preparing download..." phase, or the update will not install. Checking the update log in the %windir% directory (WindowsUpdate.log, or the KB896688.log that update.exe writes there) shows this entry:
1.032: c:\06dcef1fbf2f33a9684e702fa40c34\update\update.exe (version 6.1.22.4)
1.042: Hotfix started with following command line: /log:D:\xx.log
1.132: Unexpected Error While Executing Line 1 ( Test.IE7InstallBlock.Section ) of PreRequisite
1.152: KB896688 Setup canceled.
2.744: Message displayed to the user: KB896688 Setup canceled.
2.744: User Input: OK
2.744: Update.exe extended error code = 0xf00d
2.744: Update.exe return code was masked to 0x643 for MSI custom action compliance.

Two "unofficial" workarounds are:

1) The usual cause is that the Program Files folder does not reside on the same drive that Windows (%windir%) was installed to.
Example: Windows is installed on the C:\ drive, while Program Files resides on the D:\ drive.

Use TweakUI to move Program Files back to the C:\ drive, or whichever drive %windir% is on.

2) Edit the registry so that the ProgramFilesDir value under this key points to C:\Program Files (or the drive that %windir% was installed to). Export the key with regedit first so the original value can be restored:


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
ProgramFilesDir="C:\Program Files"


After the update has installed successfully, change the value back to whatever it was originally set to.
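To make the two checks above repeatable, here is an added Python script (not from the original post and not Microsoft's code) that parses the update.exe log lines quoted above and tests whether ProgramFilesDir and %SystemRoot% sit on the same drive. The sample log text is a constructed copy of the entries above; on Windows the script reads ProgramFilesDir from the registry key named in workaround 2, and on other platforms it falls back to hypothetical paths matching the example (Program Files on D:\, Windows on C:\).

```python
import os
import re
import sys

# Constructed sample: a copy of the update.exe log entries quoted in the post,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
1.032: c:\06dcef1fbf2f33a9684e702fa40c34\update\update.exe (version 6.1.22.4)
1.042: Hotfix started with following command line: /log:D:\xx.log
1.132: Unexpected Error While Executing Line 1 ( Test.IE7InstallBlock.Section ) of PreRequisite
1.152: KB896688 Setup canceled.
2.744: Message displayed to the user: KB896688 Setup canceled.
2.744: User Input: OK
2.744: Update.exe extended error code = 0xf00d
2.744: Update.exe return code was masked to 0x643 for MSI custom action compliance.
"""

PREREQ_RE = re.compile(r"Unexpected Error While Executing Line (\d+) \( ([\w.]+) \) of PreRequisite")
EXTERR_RE = re.compile(r"extended error code = (0x[0-9A-Fa-f]+)")
MASKED_RE = re.compile(r"return code was masked to (0x[0-9A-Fa-f]+)")
KB_RE = re.compile(r"\b(KB\d+) Setup canceled")


def parse_update_log(text):
    """Pull the KB number, the failing prerequisite test and the error codes
    out of an update.exe (hotfix installer) log."""
    info = {"kb": None, "prereq_line": None, "prereq_test": None,
            "extended_error": None, "masked_return": None}
    for line in text.splitlines():
        m = PREREQ_RE.search(line)
        if m:
            info["prereq_line"] = int(m.group(1))
            info["prereq_test"] = m.group(2)
        m = EXTERR_RE.search(line)
        if m:
            info["extended_error"] = int(m.group(1), 16)
        m = MASKED_RE.search(line)
        if m:
            info["masked_return"] = int(m.group(1), 16)
        m = KB_RE.search(line)
        if m and info["kb"] is None:
            info["kb"] = m.group(1)
    return info


def drive_of(path):
    """Upper-cased drive letter of a Windows path, or None for UNC or relative paths."""
    m = re.match(r"^\s*([A-Za-z]):", path)
    return m.group(1).upper() if m else None


def program_files_on_other_drive(program_files_dir, system_root):
    """True when Program Files does not sit on the drive Windows is installed on,
    which is the condition both workarounds above correct."""
    return drive_of(program_files_dir) != drive_of(system_root)


def diagnose(log_text, program_files_dir, system_root):
    info = parse_update_log(log_text)
    info["prereq_failed"] = info["prereq_test"] is not None
    info["program_files_on_other_drive"] = program_files_on_other_drive(program_files_dir, system_root)
    return info


def read_windows_paths():
    """On Windows, read ProgramFilesDir from the key named in workaround 2 and
    %SystemRoot% from the environment; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion") as key:
        program_files, _ = winreg.QueryValueEx(key, "ProgramFilesDir")
    return program_files, os.environ["SystemRoot"]


if __name__ == "__main__":
    # Hypothetical fallback paths for non-Windows runs, matching the post's example.
    paths = read_windows_paths() or (r"D:\Program Files", r"C:\WINDOWS")
    for key, value in diagnose(SAMPLE_LOG, *paths).items():
        print(f"{key}: {value}")
```

The script only reads the registry; the temporary ProgramFilesDir change is still done by hand as described in workaround 2, and reverted afterwards.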

October 11, 2005

October 2005 Security Release from MS

3 Critical Releases:

Microsoft Security Bulletin MS05-050
Vulnerability in DirectShow Could Allow Remote Code Execution (904706)

Affected Software:
• Microsoft DirectX 7.0 on Microsoft Windows 2000 with Service Pack 4 – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows XP Service Pack 1 and on Microsoft Windows XP with Service Pack 2 – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows XP Professional x64 Edition – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows Server 2003 and on Microsoft Windows Server 2003 with Service Pack 1 – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows Server 2003 for Itanium-based Systems and on Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update

• Microsoft DirectX 8.1 on Microsoft Windows Server 2003 x64 Edition – Download the update

• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Available on Windows Update and Microsoft Update ONLY


Microsoft Security Bulletin MS05-052
Cumulative Security Update for Internet Explorer (896688)

Affected Software:
• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
• Microsoft Windows Server 2003 x64 Edition
• Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)


Affected Components:
• Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 – Download the update

• Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4 or on Microsoft Windows XP Service Pack 1 – Download the update

• Internet Explorer 6 for Microsoft Windows XP Service Pack 2 – Download the update

• Internet Explorer 6 for Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 – Download the update

• Internet Explorer 6 for Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update

• Internet Explorer 6 for Microsoft Windows Server 2003 x64 Edition – Download the update

• Internet Explorer 6 for Microsoft Windows XP Professional x64 Edition – Download the update

• Internet Explorer 5.5 Service Pack 2 on Microsoft Windows Millennium Edition - Available on Windows Update and Microsoft Update ONLY

• Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, on Microsoft Windows 98 SE, or on Microsoft Windows Millennium Edition - Available on Windows Update and Microsoft Update ONLY

Microsoft Security Bulletin MS05-051
Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400)

Affected Software:
• Microsoft Windows 2000 Service Pack 4 – Download the update

• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download the update

• Microsoft Windows XP Professional x64 Edition – Download the update

• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 – Download the update

• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems – Download the update

• Microsoft Windows Server 2003 x64 Edition – Download the update

Non-Affected Software:
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

There are 3 Critical, 4 Important, and 2 Moderate rated updates for October, 2005:
Microsoft Security Bulletin Summary for October 2005
Please visit the page to learn more about them.

To learn how Microsoft determines the category for updates, please visit Microsoft Security Response Center Security Bulletin Severity Rating System.

October 7, 2005

Phishers Plant Fake Google Toolbar

From InformationWeek


Phishers are playing off Google's brand name, a security researcher said Wednesday, by flooding IM and IRC with messages that lead to a download of a bogus Google toolbar whose sole purpose is to steal credit card information.
Facetime's senior researcher Chris Boyd warned that two URL links are in circulation over instant messaging (IM) and Internet relay chat (IRC) channels; both links lead the naïve to a page which, among other actions, installs and launches a phony Google toolbar, hijacks the Windows HOSTS file, and adds the anti-spyware program known as "World Antispy." The toolbar, in connection with the rewritten HOSTS file, redirects most Google addresses and pops up a window asking for credit card information.

IMlogic, another IM security vendor, said in its alert that the IM side of the attack was limited to Yahoo Messenger users, and the hack was using some of the same vulnerabilities in Microsoft's Internet Explorer as the infamous CoolWebSearch, the broad name given to a line of sneaky software that has in the past been dubbed "the Ebola of adware." This is the first known instance of a CoolWebSearch-style attack being propagated over an IM network.

Boyd said that Facetime has spotted three variations of the attack, each one exploiting a different vulnerability and installing a slightly different payload.

"Hackers are clearly using new vectors such as IM to take advantage of reputable, trusted brands such as Google," said Boyd in a statement. "Our research finds that this phishing scam is financially motivated by a third party using incredibly elaborate bundles that deliver a rogue Google toolbar with many of the same elements as the real Google toolbar."

The phishing attack is just the latest threat coming in over IM networks. According to IMlogic, the number of IM assaults has jumped by 14 times since the first of the year. In the third quarter alone, IMlogic tracked 10 times the number of IM threats than in all of 2004.

Further reference can be found at : Google Toolbar Whacking - Developing Story

And, this is where the story first broke - Kephyr.com

Perfhost.com - 28 Sep 2005
The perfhost.com video shows how applications are installed without consent, by exploiting a security hole. The following programs appear in the Add/Remove programs dialog: "Google Toolbar for Internet Explorer" and "PremiumSearch StartPage". A short while after I ended the video capture a program called "WorldAntiSpy" also appeared. The following are some of the new entries that appear in the log:

C:\WINDOWS\System32\usbhdctl.exe
O1 - Hosts: 69.31.81.22 www.google.de
O1 - Hosts: 69.31.81.22 www.google.dj
O1 - Hosts: 69.31.81.22 www.google.dk
O1 - Hosts: 69.31.81.22 www.google.es
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program\WorldAntiSpy\WorldAntiSpy.exe

For more details please look in the HijackThis logs (1, 2, 3).

I notified Google Toolbar Support about this issue on the 28th of September 2005. I am convinced Google will track down and stop the individual or company behind the non-consensual toolbar install.

Noted Windows Security MVP Chris Boyd helped break this unfolding story.
They whacked Google!
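The HijackThis entries quoted from Kephyr above are the kind of thing an analyst triages by hand; here is an added Python example (not part of the original post, not Kephyr's or Facetime's code) that parses O1/O2/O4 lines and flags the hosts-file hijack pattern: many brand hostnames pointed at one routable IP. The sample log is a constructed copy of the quoted lines with two benign entries (a loopback hosts line and a ctfmon.exe Run entry) added for contrast; the allow-list of known-good autoruns is a placeholder an analyst would replace with a real baseline.

```python
import re
from collections import defaultdict

# Constructed sample: the HijackThis lines quoted above, plus two benign lines
# (a loopback hosts entry and a normal Run entry) added here for contrast.
SAMPLE_HJT = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.31.81.22 www.google.de
O1 - Hosts: 69.31.81.22 www.google.dj
O1 - Hosts: 69.31.81.22 www.google.dk
O1 - Hosts: 69.31.81.22 www.google.es
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar2.dll
O4 - HKLM\..\Run: [apisvc.exe] C:\WINDOWS\System32\apisvc.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WorldAntiSpy.lnk = C:\Program\WorldAntiSpy\WorldAntiSpy.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^O4 - (.*?): \[(.*?)\] (.*)$|^O4 - (Global Startup): (.*?) = (.*)$")

# Mapping a name to loopback/blackhole is an ad-blocker pattern, not a hijack.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hjt(text):
    """Split a HijackThis log into hosts entries, BHOs and autorun entries."""
    hosts, bhos, autoruns = [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2).lower()))
            continue
        m = BHO_RE.match(line)
        if m:
            bhos.append({"name": m.group(1), "clsid": m.group(2).upper(), "path": m.group(3)})
            continue
        m = RUN_RE.match(line)
        if m:
            if m.group(1):
                autoruns.append({"where": m.group(1), "name": m.group(2), "path": m.group(3)})
            else:
                autoruns.append({"where": m.group(4), "name": m.group(5), "path": m.group(6)})
    return hosts, bhos, autoruns


def hosts_hijacks(hosts, watched_labels=("google",)):
    """Group hosts entries by target IP and report every routable IP that has a
    watched brand's hostnames pointed at it."""
    by_ip = defaultdict(list)
    for ip, host in hosts:
        if ip in LOCAL_SINKS:
            continue
        if any(label in watched_labels for label in host.split(".")):
            by_ip[ip].append(host)
    return {ip: sorted(names) for ip, names in by_ip.items()}


def suspicious_autoruns(autoruns, known_good=frozenset({"ctfmon.exe"})):
    """Flag Run/Startup entries whose executable is not on the allow-list.
    The allow-list here is a constructed placeholder for a real baseline."""
    flagged = []
    for entry in autoruns:
        exe = entry["path"].split("\\")[-1].lower()
        if exe not in known_good:
            flagged.append(entry)
    return flagged


def triage(text):
    hosts, bhos, autoruns = parse_hjt(text)
    return {
        "hosts_hijacks": hosts_hijacks(hosts),
        "bhos": bhos,
        "suspicious_autoruns": suspicious_autoruns(autoruns),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT).items():
        print(f"{key}: {value}")
```

On the sample the four google.* hostnames collapse to a single routable IP, which is the signature of the toolbar's redirect, while the loopback entry is ignored; the BHO is reported with its CLSID so it can be compared against the CLSID registered by a legitimate install.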

Sun Java (J2SE/JRE) Automatic Update Vulnerability

The Sun Java (J2SE/JRE) Automatic Updater does not uninstall the previous versions it replaces, including versions with known vulnerabilities. A User who is not aware of this behavior may end up with several Java packages installed side by side. Leaving the previous, vulnerable versions installed runs the risk of infection, because malware writers can still call them. In plain English, a hostile web page can invoke an old JRE to infest a system with malware such as CoolWebSearch or Trojan.ByteVerify.

Plus, leaving the previous versions installed consumes hard drive space. Since each package is over 100 megabytes, this is not a trivial matter. This link is from a thread at the AumHa HijackThis Forum and shows a malware victim who had 3 versions of Sun Java installed and was not even aware of it.

I also received an email from a User worried about the multiple Java versions installed on her system:

There was mention of Sun releasing "Alert Notifications", which I would like to see. Is there an "email notification" that one can sign up for? I went to "http://sunsolve.sun.com", but all that I saw was a EULA; is there something more?
I have the following 6 on my computer; do you recommend removing any of them?
1) J2SE Runtime Environment 5.0 Update 1
2) J2SE Runtime Environment 5.0 Update 2
3) J2SE Runtime Environment 5.0 Update 4
4) Java 2 Runtime Environment, SE v1.4.2_06
5) Java 2 Runtime Environment, Standard Edition v1.3.1
6) Java 2 Runtime Environment, Standard Edition v1.3.1_02

At over 100 MB per Java package, that means well over 600 MB of the hard drive was being taken up by six Java versions, five of which should have been uninstalled by the Java Update mechanism.
In February of 2005 I contacted Sun concerning the Auto Updater's insecure and sloppy behavior. Here is their reply:
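Working out which of those packages are stale is a matter of normalising Sun's two naming schemes ("5.0 Update 4" is the marketing name for 1.5.0_04) into comparable version tuples. Here is an added Python example (not from the original post and not Sun's code) that does this over a constructed list of Add/Remove Programs display names: the six from the reader's email plus two unrelated entries the filter must ignore. Everything except the newest JRE is reported as a candidate for uninstallation.

```python
import re

# Constructed sample: the six Add/Remove Programs entries from the reader's
# e-mail above, plus two unrelated entries so the filter has something to ignore.
SAMPLE_ENTRIES = [
    "J2SE Runtime Environment 5.0 Update 1",
    "J2SE Runtime Environment 5.0 Update 2",
    "J2SE Runtime Environment 5.0 Update 4",
    "Java 2 Runtime Environment, SE v1.4.2_06",
    "Java 2 Runtime Environment, Standard Edition v1.3.1",
    "Java 2 Runtime Environment, Standard Edition v1.3.1_02",
    "Windows XP Hotfix - KB896688",
    "Google Toolbar for Internet Explorer",
]

# "J2SE Runtime Environment 5.0 Update N" is 1.5.0_N; the older "Java 2 Runtime
# Environment ... v1.x.y_NN" scheme already carries the 1. prefix. Both are
# normalised to (major, minor, micro, update) so they sort correctly.
J2SE5_RE = re.compile(r"^J2SE Runtime Environment (\d+)\.(\d+)(?: Update (\d+))?$")
OLD_RE = re.compile(r"^Java 2 Runtime Environment.*\bv\s?(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")


def jre_version(display_name):
    """Return a comparable version tuple for a JRE display name, or None if the
    entry is not a Sun JRE."""
    m = J2SE5_RE.match(display_name)
    if m:
        major, minor, update = m.groups()
        return (1, int(major), int(minor), int(update or 0))
    m = OLD_RE.match(display_name)
    if m:
        a, b, c, update = m.groups()
        return (int(a), int(b), int(c or 0), int(update or 0))
    return None


def installed_jres(entries):
    """All JRE entries as (version_tuple, display_name), oldest first."""
    versions = [(jre_version(name), name) for name in entries]
    return sorted((v, name) for v, name in versions if v is not None)


def newest_jre(entries):
    jres = installed_jres(entries)
    return jres[-1][1] if jres else None


def stale_jres(entries):
    """Every JRE except the newest: the packages the Auto Updater left behind."""
    return [name for _, name in installed_jres(entries)[:-1]]


if __name__ == "__main__":
    print("keep:  ", newest_jre(SAMPLE_ENTRIES))
    for name in stale_jres(SAMPLE_ENTRIES):
        print("remove:", name)
```

On a real machine the display names come from Add/Remove Programs (the Uninstall key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion); the script only decides, it does not uninstall anything.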


========================================================================

Hello Steve,

> Reading this Sun Alert ID: 57708
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-57708-1
>
> It states:
>
> Note: It is recommended that affected versions be removed from your system. For more information, please see the installation notes on the respective java.sun.com download pages.
>
> Neither page that I went to from the link on the java.sun.com download page states that previous vulnerable versions should be uninstalled:
> http://java.com/en/download/help/5000010200.xml
> http://java.com/en/download/help/5000010300.xml
>
> If a User utilizes the automatic update mechanism of the JRE the previous vulnerable version is left on the system. As I understand it, those previous vulnerable versions can still be called by malware. If this is not the case, please set me straight.

You are correct that the previous vulnerable versions can still be called by malware. We forwarded your e-mail along to the Java group and they let us know that they are currently investigating your suggestions of updating the java.com pages and the auto update uninstallation issue and appreciate the feedback. We will follow-up with any further updates.

Best regards,

Sun Security Coordination Team

security-alert@sun.com

========================================================================

After waiting 6 months I sent them another email inquiring whether this issue had been addressed. There was no reply.

Apparently, Sun appreciates the feedback but will not address the issue. Thus, the genesis of this article. Their behavior is not acceptable and shows a cavalier attitude towards the users of Sun Java. Why is Sun not being held accountable ? Well, they are now. Concerned Users of Sun Java may want to contact them at the above email address to express their displeasure.

Another article that deals with this situation, authored by MS-MVP Sandi Hardmeier, can be viewed here : Sun Java Vulnerabilities continue

How hard is it to code the installer to uninstall older, vulnerable Java versions ? In the world according to Sun, it's seemingly impossible.

October 6, 2005

Sober.R

Again, from Harry Waldron, MS-MVP and Moderator at McAfee Support Forums:

" Batten down the hatches ... Trafton provided an early warning for us in the McAfee forums for a well designed new variant of the Sober.R worm.

Cleaning this new variant is difficult as some new techniques used by the virus writer lock down security
of infected files, (blocks access to files using special registry settings), so that you have to clean in SAFE MODE until McAfee releases it's next DAT file (which will reset file access permissions to allow direct cleaning).

Sober.R -- McAfee declares MEDIUM RISK
http://forums.mcafeehelp.com/viewtopic.php?t=56045 "


McAfee's latest DAT detects Sober.R. Be sure to check for it!

McAfee's Stinger has been updated to include detection of Sober.R.

October 5, 2005

W32.Spybot.YCL

Alert received from MS-MVP Harry Waldron, who says:

" This new version of Spybot has to be one of the most comprehensive attacks I've seen today for this large family of viruses. It attacks weak passwords, uses existing back door infections, plus attacks through some of the most prominent security vulnerabilities if a system is unpatched.

Users should be completely up-to-date on all security patches, avoid weak passwords, and ensure their PC is free of infections that might create a backdoor. "
http://msmvps.com/harrywaldron/archive/2005/10/04/68991.aspx

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.ycl.html

W32.Spybot.YCL is a worm that has distributed denial of service and back door capabilities. The worm spreads by exploiting vulnerabilities and backdoors left by other malware.

Spreads to other computers by exploiting the following vulnerabilities:

* The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026): http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
* The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011): http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
* The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039): http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
* The Microsoft Windows ntdll.dll Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS03-007): http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
* The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011): http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
* The Microsoft Windows ASN.1 Vulnerability (described in Microsoft Security Bulletin MS04-007): http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx
* The DameWare Mini Remote Control Server Pre-Authentication Buffer Overflow vulnerability (described in Bugtraq ID 9213): http://www.securityfocus.com/bid/9213
* The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability: http://seer.support.veritas.com/docs/273420.htm

Spreads to compromised computers by using back doors left behind by other malware such as:

* W32.Mydoom@mm
* W32.Beagle@mm
* Backdoor.Netdevil
* Backdoor.Optix
* Backdoor.Subseven

October 4, 2005

Howly Mowly !!

Beware crudware vendors ... Just like in the Old West days, vigilantes are a huntin' for ya. This blog is going to go after them: software vendors whose updating mechanism leaves Users at risk, software vendors who do not live up to their agreements, and anyone else who tries to bully or rip off innocent Users.
If I run across any newly published vulnerabilities, or patches for them, which I believe will impact a large number of the Internet Community, I'll post 'em here.

Yee haaaa ... there's a new Sheriff in town.

Special thanks go to Robin and Paul. When do you guys sleep ?