A month of zero day(s)!

Print Friendly, PDF & Email

Posted by: Barracuda Labs

July proved to be quite an eventful month for security researchers! First we had 0Day in Microsoft video ActiveX controller exploiting DirectShow discussed here (http://www.microsoft.com/technet/security/advisory/972890.mspx) , then another 0Day in Office Web Component (OWC) (http://www.microsoft.com/technet/security/advisory/973472.mspx) , followed by 0Day in Firefox (http://www.mozilla.org/security/announce/2009/mfsa2009-41.html) and ended with a 0Day in Adobe flash player (http://www.adobe.com/support/security/advisories/apsa09-03.html). Each of these vulnerabilities is being exploited in wild right now and switching from one browser to another is no longer a solution. Instead users should take all precautionary measures suggested by vendors to avoid these exploits and they should also update their systems as soon as the fix is out for vulnerable components.

As for researchers it is interesting to see how quickly attackers are adapting various ways to make sure that exploits execute unnoticed and stay alive to take advantage of the period between advisory and fix or users who don’t update their systems immediately! When we first started following the msVidCtl (DirectShow) exploit, it looked pretty usual heap spray and shellcode injection attack served as javascript include. However, soon attackers started masking javascript as jpg and lying about the content-types so if your scanner only scanned files that are served as javascript extensions, you would be out of luck for any protection at that time. Next they started fragmenting the exploit javascript in multiple smaller javascript includes so looking at just one file you can not determine if it is serving an exploit. Use of various obfuscation techniques for hiding javascript has become very common and it probably needs its own post .. may be next time. We saw similar techniques being employed in OWC exploits and it would not be a surprise if we start seeing them with Firefox exploits or flash exploits.

Another interesting point to notice in all these exploits is their transport mechanism. In most cases attackers try to lure users to visit a site hosting the exploit. However due to diligent work by security researchers it is becoming harder to keep specific malware serving sites up for long time before they get blacklisted! So what does an attacker do? Find a reputable site that can host the malware! Why would a valid site host a malware ? They wont ‘knowingly’ but what if bad stuff gets in their via door site owners don’t know about! Attackers are trying to find holes like SQLInjection in legitimate sites not to steal data but to inject malicious scripts that make their way back to the webpage served to the user when users visit the site.One real world attempt to serve exploit for OWC is reported here (http://isc.sans.org/diary.html?storyid=6811). So this is not all theory but happening now. You can only imagine millions of other websites that are ready to be victims of these kind of exploits. If you have a site make sure you do everything to not become attacker’s accomplice.

For now users can set the killbit for ActiveX controls as suggested by Microsoft for OWC (http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx) and for Microsoft Video control ActiveX component (http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx). Users using Firefox 3.5 should update to 3.5.1 a new release issued by Mozilla fixing the issue. Adobe has released a fix for flash plugin (http://www.adobe.com/support/security/bulletins/apsb09-10.html).

Scroll to top
Tweet
Share
Share