Posted by: Barracuda Labs
July proved to be quite an eventful month for security researchers! First we had 0Day in Microsoft video ActiveX controller exploiting DirectShow discussed here (http://www.microsoft.com/technet/security/advisory/972890.mspx) , then another 0Day in Office Web Component (OWC) (http://www.microsoft.com/technet/security/advisory/973472.mspx) , followed by 0Day in Firefox (http://www.mozilla.org/security/announce/2009/mfsa2009-41.html) and ended with a 0Day in Adobe flash player (http://www.adobe.com/support/security/advisories/apsa09-03.html). Each of these vulnerabilities is being exploited in wild right now and switching from one browser to another is no longer a solution. Instead users should take all precautionary measures suggested by vendors to avoid these exploits and they should also update their systems as soon as the fix is out for vulnerable components.
Another interesting point to notice in all these exploits is their transport mechanism. In most cases attackers try to lure users to visit a site hosting the exploit. However due to diligent work by security researchers it is becoming harder to keep specific malware serving sites up for long time before they get blacklisted! So what does an attacker do? Find a reputable site that can host the malware! Why would a valid site host a malware ? They wont ‘knowingly’ but what if bad stuff gets in their via door site owners don’t know about! Attackers are trying to find holes like SQLInjection in legitimate sites not to steal data but to inject malicious scripts that make their way back to the webpage served to the user when users visit the site.One real world attempt to serve exploit for OWC is reported here (http://isc.sans.org/diary.html?storyid=6811). So this is not all theory but happening now. You can only imagine millions of other websites that are ready to be victims of these kind of exploits. If you have a site make sure you do everything to not become attacker’s accomplice.
For now users can set the killbit for ActiveX controls as suggested by Microsoft for OWC (http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx) and for Microsoft Video control ActiveX component (http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx). Users using Firefox 3.5 should update to 3.5.1 a new release issued by Mozilla fixing the issue. Adobe has released a fix for flash plugin (http://www.adobe.com/support/security/bulletins/apsb09-10.html).