MowGreen: December 2006 Archives


December 23, 2006

Santa's Site Hacked

The Heathens have hacked Santa ! No, I'm not kidding. The source code of the Genuine Santa Page shows an iFrame that loads http://81.xxx.3.1xx/sp2_update/index.php . Once the iFrame loads, the JavaScript in it attempts to download and install file.exe. Scanning the file at VirusTotal shows:

Complete scanning result of "file.exe", received in VirusTotal at 12.23.2006, 20:24:44 (CET).

Antivirus - Version - Update - Result
AntiVir - 7.3.0.21 - 12.22.2006 - HEUR/Malware
Authentium - 4.93.8 - 12.22.2006 - Possibly a new variant of W32/Dlr-Trojan-Malware-based!Maximus
Avast - 4.7.892.0 - 12.21.2006 - no virus found
AVG - 386 - 12.23.2006 - no virus found
BitDefender - 7.2 - 12.23.2006 - Generic.Malware.Bdld!!.39E6F2BB
CAT-QuickHeal - 8.00 - 12.23.2006 - (Suspicious) - DNAScan
ClamAV - devel-20060426 - 12.23.2006 - no virus found
DrWeb - 4.33 - 12.23.2006 - DLOADER.Trojan
eSafe - 7.0.14.0 - 12.23.2006 - suspicious Trojan/Worm
eTrust-InoculateIT - 23.73.97 - 12.23.2006 - no virus found
eTrust-Vet - 30.3.3271 - 12.23.2006 - no virus found
Ewido - 4.0 - 12.23.2006 - no virus found
Fortinet - 2.82.0.0 - 12.23.2006 - suspicious
F-Prot - 3.16f - 12.22.2006 - Possibly a new variant of W32/Dlr-Trojan-Malware-based!Maximus
F-Prot4 - 4.2.1.29 - 12.22.2006 - W32/Dlr-Trojan-Malware-based!Maximus
Ikarus - T3.1.0.27 - 12.23.2006 - no virus found
Kaspersky - 4.0.2.24 - 12.23.2006 - no virus found
McAfee - 4925 - 12.22.2006 - no virus found
Microsoft - 1.1904 - 12.23.2006 - no virus found
NOD32v2 - 1936 - 12.23.2006 - probably a variant of Win32/TrojanDownloader.Small.AIF
Norman - 5.80.02 - 12.22.2006 - W32/Suscpious_F.gen
Panda - 9.0.0.4 - 12.23.2006 - Suspicious file
Prevx1 - V2 - 12.23.2006 - no virus found
Sophos - 4.12.0 - 12.22.2006 - Mal/Packer
Sunbelt - 2.2.907.0 - 12.18.2006 - VIPRE.Suspicious
TheHacker - 6.0.3.135 - 12.20.2006 - no virus found
UNA - 1.83 - 12.22.2006 - no virus found
VBA32 - 3.11.1 - 12.23.2006 - suspected of Win32.Trojan.Downloader (http://...)
VirusBuster - 4.3.19:9 - 12.23.2006 - novirus:Packed/FSG

Apparently, this code attempts to exploit the vulnerability described in Microsoft Security Bulletin MS06-071:
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)
A vulnerability exists in the XMLHTTP ActiveX control within Microsoft XML Core Services that could allow for remote code execution. An attacker could exploit the vulnerability by constructing a specially crafted Web page that could potentially allow remote code execution if a user visited that page or clicked a link in an e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. However, user interaction is required to exploit this vulnerability.
As far as I see this, once the page is visited the malware file will be downloaded and run because of the vulnerability in the XMLHTTP ActiveX control.
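The pattern described above (a hidden iFrame pulling a page from a bare-IP host, whose script instantiates the XMLHTTP ActiveX control and calls setRequestHeader()) can be triaged mechanically. The scanner below is an added example, not code from this post or from the Santa site; the sample page, its 192.0.2.10 address and the X-Placeholder header are constructed, and the class and function names are my own. It only flags indicators for a defender to look at and does not model the MS06-071 bug itself.

```python
"""Flag drive-by indicators in an HTML page: hidden or IP-hosted iframes,
and inline script that instantiates the MSXML XMLHTTP ActiveX control
and calls setRequestHeader().  Added example; names are my own."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that are bare dotted-quad IPs rather than DNS names.
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# new ActiveXObject("Microsoft.XMLHTTP") / ("Msxml2.XMLHTTP.4.0") etc.
XMLHTTP_ACTIVEX = re.compile(
    r"ActiveXObject\s*\(\s*['\"](?:Microsoft|Msxml2)\.XMLHTTP[^'\"]*['\"]\s*\)", re.I)
SET_HEADER = re.compile(r"\.setRequestHeader\s*\(", re.I)


class DriveByScanner(HTMLParser):
    """Collects (kind, detail, reasons) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_parts = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            host = urlparse(src).hostname or ""
            reasons = []
            if IP_HOST.match(host):
                reasons.append("src host is a bare IP address")
            if a.get("width", "").strip() in ("0", "0px") or a.get("height", "").strip() in ("0", "0px"):
                reasons.append("zero-size iframe")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("iframe hidden via CSS")
            if reasons:
                self.findings.append(("iframe", src, reasons))
        elif tag == "script":
            self._in_script = True

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data, possibly in pieces.
        if self._in_script:
            self._script_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_parts)
            self._script_parts = []
            if XMLHTTP_ACTIVEX.search(body):
                reasons = ["instantiates the XMLHTTP ActiveX control"]
                if SET_HEADER.search(body):
                    reasons.append("calls setRequestHeader(), the method named in MS06-071")
                self.findings.append(("script", "inline", reasons))


def scan_html(html):
    """Return the list of (kind, detail, reasons) findings for one HTML document."""
    scanner = DriveByScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample resembling the description in the post; the address is
# from the documentation range (192.0.2.0/24), not the redacted one on the page.
SAMPLE_PAGE = """<html><body>
<h1>Genuine Santa Page</h1>
<iframe src="http://192.0.2.10/sp2_update/index.php" width="0" height="0"></iframe>
<script type="text/javascript">
  var x = new ActiveXObject("Msxml2.XMLHTTP.4.0");
  x.setRequestHeader("X-Placeholder", "placeholder");
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, reasons in scan_html(SAMPLE_PAGE):
        print(f"{kind} {detail}: {'; '.join(reasons)}")
```

A benign page with a normally sized iframe to a DNS-named host and script that never touches XMLHTTP produces no findings, so the output is a short list worth a human look rather than a verdict.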
Make sure that this update is installed already by going to Add/Remove Programs in the Control Panel. It will not be listed under Windows XP - Software Updates, but rather, will be listed as
MSXML 4 SP2 (KB927978)

If, for some reason, the update is not installed, please go to the Security Bulletin page and click the Download the update link under Affected components for the version of MSXML that is currently installed.
In order to determine which version is installed if there are no MSXML packages listed in Add/Remove Programs,
check the WINDOWS\system32 folder for :

Msxml4.dll
and
Msxml6.dll

If either is present, right click it, choose Properties, and then click the Version tab.
The files contained in the update are the following Versions:

Msxml4.dll Version number 4.20.9841.0
Msxml6.dll Version number 6.0.3890.0

Both are dated 11/4/2006
If you've had an issue installing KB929798, check whether KB925672 is installed in Add/Remove Programs.
If it is, uninstall it, reboot, install KB929798, and then reboot again, since KB929798 supersedes KB925672.
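The Properties > Version tab check above can be scripted. The following is an added example, not code from this post; the patched version numbers are the ones quoted above, while the Win32 version-resource lookup via ctypes and the function names are my own assumptions about how to automate the check (the lookup only runs on Windows; the comparison itself runs anywhere). Given the msxml4.dll build 4.20.9818.0 that the Secunia advisory quoted further down confirms as vulnerable, it reports "vulnerable".

```python
"""Compare installed MSXML DLL versions against the MS06-071 update's file
versions.  Added example; the reference versions are the ones in the post,
the Win32 lookup is my assumed way of reading the Version tab in code."""
import ctypes
import os
import sys

# File versions contained in the update, as listed in the post.
PATCHED_VERSIONS = {
    "msxml4.dll": (4, 20, 9841, 0),
    "msxml6.dll": (6, 0, 3890, 0),
}


def parse_version(text):
    """'4.20.9818.0' -> (4, 20, 9818, 0); numeric so 10000 > 3890 compares correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def msxml_status(dll_name, version_text):
    """Return 'patched', 'vulnerable' or 'unknown dll' for one DLL version."""
    patched = PATCHED_VERSIONS.get(dll_name.lower())
    if patched is None:
        return "unknown dll"
    return "patched" if parse_version(version_text) >= patched else "vulnerable"


def installed_file_version(path):
    """Read the file version from a PE's VS_VERSIONINFO resource (Windows only)."""
    if sys.platform != "win32" or not os.path.exists(path):
        return None
    version_dll = ctypes.WinDLL("version")

    class VS_FIXEDFILEINFO(ctypes.Structure):
        _fields_ = [(name, ctypes.c_uint32) for name in (
            "dwSignature", "dwStrucVersion", "dwFileVersionMS", "dwFileVersionLS",
            "dwProductVersionMS", "dwProductVersionLS", "dwFileFlagsMask",
            "dwFileFlags", "dwFileOS", "dwFileType", "dwFileSubtype",
            "dwFileDateMS", "dwFileDateLS")]

    size = version_dll.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    block = ctypes.create_string_buffer(size)
    if not version_dll.GetFileVersionInfoW(path, 0, size, block):
        return None
    info = ctypes.POINTER(VS_FIXEDFILEINFO)()
    length = ctypes.c_uint()
    if not version_dll.VerQueryValueW(block, "\\", ctypes.byref(info), ctypes.byref(length)):
        return None
    ffi = info.contents
    return (ffi.dwFileVersionMS >> 16, ffi.dwFileVersionMS & 0xFFFF,
            ffi.dwFileVersionLS >> 16, ffi.dwFileVersionLS & 0xFFFF)


def check_system32():
    """Report the status of each MSXML DLL present in %SystemRoot%\\System32."""
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    report = {}
    for dll in PATCHED_VERSIONS:
        ver = installed_file_version(os.path.join(system32, dll))
        if ver is None:
            report[dll] = "not present or not readable"
        else:
            report[dll] = msxml_status(dll, ".".join(map(str, ver)))
    return report


if __name__ == "__main__":
    for dll, status in check_system32().items():
        print(f"{dll}: {status}")
```

The comparison deliberately works on integer tuples rather than strings: a string compare would rank 6.0.10000.0 below 6.0.3890.0 and report a future build as vulnerable.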

From the Secunia Advisory :

Description:
A vulnerability has been discovered in Microsoft XML Core Services, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the XMLHTTP ActiveX Control (msxml4.dll) within the "setRequestHeader()" method.

Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website using Internet Explorer.

The vulnerability is confirmed on a fully patched Windows XP SP2 system with msxml4.dll version 4.20.9818.0 installed. Other versions may also be affected.

NOTE: The vulnerability is already being actively exploited.


Ho, Ho, Ho !

December 22, 2006

The 'Hits' From Sun Just Keep On Coming

From our 'buddies' at Sun : Vulnerabilities in the Java Runtime Environment may Allow Untrusted Applets to Elevate Privileges and Execute Arbitrary Code

Impact

Two buffer overflow vulnerabilities in the Java Runtime Environment may independently allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Sun acknowledges, with thanks, Chris Evans, for bringing these issues to our attention.
2. Contributing Factors

These issues can occur in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 7 and earlier
* SDK and JRE 1.4.2_12 and earlier
* SDK and JRE 1.3.1_18 and earlier

Vulnerabilities in the Java Runtime Environment may Allow an Untrusted Applet to Access Data in Other Applets
Impact
Two vulnerabilities in the Java Runtime Environment may independently allow an untrusted applet to access data in other applets.

Sun acknowledges, with thanks, Tom Hawtin, for bringing these issues to our attention.
2. Contributing Factors

The first issue can occur in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 5 and earlier
* SDK and JRE 1.4.2_10 and earlier
* SDK and JRE 1.3.1_18 and earlier

The second issue can occur in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 6 and earlier
* SDK and JRE 1.4.2_12 and earlier
* SDK and JRE 1.3.1_18 and earlier

Vulnerabilities Related to Serialization in the Java Runtime Environment may Allow Untrusted Applets to Elevate Privileges
Impact

Two vulnerabilities related to serialization in the Java Runtime Environment may independently allow an untrusted applet or application to elevate its privileges.

Sun acknowledges, with thanks, Tom Hawtin, for bringing these issues to our attention.
2. Contributing Factors

These issues can occur in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 7 and earlier
* SDK and JRE 1.4.2_12 and earlier

Note: SDK and JRE 1.3.x are not affected.

The only safe versions of the JRE/JDK/SDK/J2SE, as far as I know (or as far as I believe Sun), are:
Resolution

These issues are addressed in the following releases (for Windows, Solaris, and Linux):

* JDK and JRE 5.0 Update 8 or later
* SDK and JRE 1.4.2_13 or later

Note: JRE 5.0 Update 8 for Solaris was also delivered in the following patches:

* J2SE 5.0: update 8 (as delivered in patch 118666-07)
* J2SE 5.0: update 8 (as delivered in patch 118667-07 (64bit))
* J2SE 5.0_x86: update 8 (as delivered in patch 118668-07)
* J2SE 5.0_x86: update 8 (as delivered in patch 118669-07 (64bit))

The latest releases for J2SE are available for download at:

J2SE 5.0:

* http://java.sun.com/javase/downloads/index_jdk5.jsp
* http://java.com

J2SE 5.0 Update 9 for Solaris is also available in the following patches:

* J2SE 5.0: update 9 (as delivered in patch 118666-09)
* J2SE 5.0: update 9 (as delivered in patch 118667-09 (64bit))
* J2SE 5.0_x86: update 9 (as delivered in patch 118668-09)
* J2SE 5.0_x86: update 9 (as delivered in patch 118669-09 (64bit))

J2SE 1.4.2 is available for download at:

* http://java.sun.com/j2se/1.4.2/download.html

Of course, depending on Sun's 'information' is like depending on a crack addict to tell the truth.
It's the applets, stupid !
And, remember to uninstall the older, vulnerable versions from Add/Remove Programs in the Control Panel after installing the latest 'secure' Java Runtime.
The latest Update to Version 5.0 is Update 10.
For those who are already running Vista, it's highly recommended that Java Runtime Environment (JRE) 6 be installed.
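To check an installed JRE against the affected and fixed ranges Sun lists above, here is an added example (not Sun's code and not from this post). The thresholds come from the quoted Resolution section (5.0 Update 8, 1.4.2_13); treating 1.3.1 as affected with no fixed release listed, and 1.6 as outside this advisory, are readings of that same text, and the function names and the constructed java -version sample are mine. It answers "is this release fixed per the advisory", not "is this the latest update", which is the separate complaint above.

```python
"""Classify a Sun JRE version string against the advisory ranges quoted in
the post.  Added example; thresholds are from the Resolution section."""
import re

# Lowest fixed update per family, from the Resolution section quoted above.
FIXED_UPDATE = {
    (1, 5, 0): 8,    # JDK/JRE 5.0 Update 8 or later
    (1, 4, 2): 13,   # SDK/JRE 1.4.2_13 or later
}
# Family listed as affected (1.3.1_18 and earlier) without a fixed release.
NO_FIX_LISTED = {(1, 3, 1)}

# Sun's old convention: 1.<major>.<micro>_<update>, e.g. 1.5.0_09.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """'java version "1.5.0_09"' or '1.5.0_09' -> ((1, 5, 0), 9)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro)), int(update or 0)


def jre_status(text):
    """Return the advisory status of the release named in text."""
    family, update = parse_java_version(text)
    if family in FIXED_UPDATE:
        return "fixed" if update >= FIXED_UPDATE[family] else "vulnerable"
    if family in NO_FIX_LISTED:
        return "vulnerable, no fixed release listed"
    return "not covered by this advisory"


# Constructed sample of what `java -version` prints for the release the
# post's Verify Installation page reported.
SAMPLE_OUTPUT = ('java version "1.5.0_09"\n'
                 'Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_09-b03)')

if __name__ == "__main__":
    print(parse_java_version(SAMPLE_OUTPUT), jre_status(SAMPLE_OUTPUT))
```

Because the update number is compared as an integer after the underscore, 1.5.0_09 and 1.5.0_10 both rank above Update 8, while 1.5.0_07 and 1.4.2_12 fall inside the affected ranges.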

For further laughs, check this out: Java SE Naming and Versions

The current release is Java Platform, Standard Edition 6 (Java SE 6). The previous release was Java 2 Platform, Standard Edition 5.0 (J2SE 5.0).

Sun Microsystems simplified the platform name in 2006 to better reflect the level of maturity, stability, scalability, and security built into the Java platform. Sun dropped the "2" from the name and deleted the "dot number" (the number following the period). Any updates to Java platforms will simply be noted as updates rather than adding a "dot number" at the end of the platform name.

Due to significant popularity within the Java developer community, the development kit has reverted back to the name "JDK" from "Java 2 SDK" (or "J2SDK"). The runtime environment has reverted back to "JRE" from "J2RE." (Note that "JDK" stands for "J2SE Development Kit" in version 5.0.)

For more information on platform names and version numbers, see the following pages:

* Java SE 6 Platform Name and Version Numbers
* J2SE Version 1.5.0 or 5.0?
* J2SE SDK/JRE Version String Naming Convention

December 11, 2006

Further Follies of Sun Java (Security Mowrons of the Year)

Version 6 of the Sun JRE was released today. Don't hold your breath waiting for the so-called Java auto-updater to notify you of its availability, though. In fact, while checking out the latest version of Sun's JRE, I came across their Manual Download web page.
Trouble is, the version offered there is v.1.5.0_09. The latest v.5 Java is now at 1.5.0_10 !
So, WHY is it not being offered ?
Better yet, going to the Verify Installation page tells me that the latest version is installed.

Description -- Your Environment
Java Runtime Vendor: Sun Microsystems Inc.
Java Runtime Version 1.5.0_09

CONGRATULATIONS, you have the Latest version of Java!
WRONG !
Thanks, Sun for a job NOT well done. Pathetic boobs.
Your arrogance towards security leads me to nominate Sun as Security Mowron of the Year