2007 May | MalwareTeks Blog
Dedicated to keeping your PC clean of Scumware, Badware, Spyware, Malware, Viruses and Trojans.


Archive for May, 2007

Registration is Disabled

Tuesday, May 8th, 2007

Registration is Disabled. The MalwareTeks staff has decided that only Administrators will be allowed to create user accounts for new users. What does this mean to you? If you are visiting this blog you will not be able to create an account for yourself. This is to put an end to bogus registrations by individuals using “throw-away” email addresses as part of the registration process.

Avast! antivirus buffer overflow vulnerability

Tuesday, May 29th, 2007

Vulnerability Note VU#125868

Avast! antivirus buffer overflow vulnerability

Overview

Avast! antivirus contains a buffer overflow vulnerability. This vulnerability may allow an attacker to execute code on a vulnerable system.

I. Description

Avast! antivirus is an antivirus application that can scan different types of files. The Symbian Installer Format (SIS) file format is used by the Symbian OS to package files for distribution to mobile devices. Avast! antivirus contains a buffer overflow vulnerability. By convincing a user to scan a specially crafted SIS file with a vulnerable version of Avast! antivirus, an attacker may be able to trigger the overflow.

II. Impact

A remote unauthenticated attacker may be able to execute arbitrary code, or create a denial-of-service condition.

III. Solution

Update

Version 4.7.700 has been released to address this issue. Users are encouraged to update as soon as possible.

Systems Affected

Vendor: Avast! Antivirus Software
Status: Vulnerable
Date Updated: 29-May-2007

References

http://www.avast.com/eng/adnm-management-client-revision-history.html
http://www.avast.com/eng/search.php?searchFor=sergio+alvarez
http://www.nruns.com/security_advisory.php
http://www.symbian.com/Developer/techlib/v70sdocs/doc_source/ToolsAndUtilities/Installing-ref/PackageFileFormatReference.guide.html

Credit

Thanks to Sergio Alvarez of n.runs AG and Avast! for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public 05/25/2007
Date First Published 05/29/2007 08:28:54 AM
Date Last Updated 05/29/2007
CERT Advisory  
CVE Name  
Metric 1.15
Document Revision 5

Produced 2007 by US-CERT, a government organization

Infostealer Trojan Injects Code For Extra Info Fields

Monday, May 28th, 2007

Security folks always tell you that if you want to transact online safely, you should type the address of the financial institution in the browser instead of following a link, that you should only enter your personal information in trusted sites that use encryption, that you need to check the little padlock in the corner of your browser is locked.


Memorial Day Tribute to Our Fallen

Monday, May 28th, 2007

As a retired soldier and combat vet, I found this touching and fitting.

Memorial Day video

Looks Like Enigma Has Gotten Their Affiliates Under Control, and More …

Saturday, May 12th, 2007

Well, it’s been nearly 2 weeks since Enigma Software Group (ESG), the makers of SpyHunter, held open discussions at Spyware Warrior with members of the Security Community. Looks like they’ve taken to heart some of our suggestions.

Some of you will recall that I was publicly critical of the ‘Spamvertising’ tactics employed by some of Enigma’s affiliates, and of the manner in which the SpyHunter download was presented on affiliate sites. Well, it appears that Enigma Software Group has gotten their affiliates to stop using this highly questionable tactic, and the SpyHunter download has been renamed to reflect that SpyHunter is the tool that is being downloaded.

Kudos to the ESG team.

It’s a Cookie, Just Delete It!

Monday, May 7th, 2007

While catching up on my blog reading, I came across this particular article at Hosts News, Affiliates gone wild! Now, what caught my attention was the piece about the Mediaplex AdServer Cookie.

What exactly is a cookie? HTTP cookies, sometimes known as web cookies, tracking cookies, or just cookies, are small text files sent by a server to a web browser and back unchanged. Cookies are used for authenticating, tracking, and maintaining specific information about users, such as site preferences and shopping cart contents.

There are some privacy concerns around the use of cookies. They can be used for tracking browsing behavior. As a result, they have been subject to legislation in various countries such as the United States and in the European Union. Cookies have also been criticised because the identification of users they provide is not always accurate and they could potentially be used for network attacks.

Cookies are also subject to a number of misconceptions, mostly based on the erroneous notion that they are computer programs. In fact, cookies are simple pieces of data unable to perform any operation by themselves. They are neither spyware nor viruses, despite the detection of certain cookies by many anti-spyware products.

Most modern browsers allow users to accept or reject cookies, but rejecting cookies will make some websites unusable. Common misconceptions about cookies are:

  • Myth: Cookies are like worms and viruses in that they can erase data from the user’s hard disks;
  • Myth: Cookies are a form of spyware in that they can read personal information stored on the user’s computer;
  • Myth: Cookies generate popups;
  • Myth: Cookies are used for spamming;
  • Myth: Cookies are only used for advertising.

Cookies are simple pieces of data unable to perform any operation by themselves. They are neither spyware nor viruses. Cookies are not program code. They cannot erase or read information from the user’s computer. However, cookies allow for detecting the Web pages viewed by a user on a given site or set of sites. This information can be collected in a profile of the user. Such profiles are often anonymous, they do not contain personal information.
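The paragraphs above make two points that are easy to state but worth seeing in code: a cookie is an inert string the browser stores verbatim, and the browser only hands it back to the host (and path) that set it. The following Python cookie jar is an added example, my own code and not from the MalwareTeks post or any vendor it quotes. It parses two constructed Set-Cookie headers, one from a made-up ad-serving host (standing in for any third-party ad server) and one from a made-up bank, and then builds the Cookie header a browser would send for several requests. The hostnames, cookie names and values are all invented for the illustration.

```python
"""Added example: a minimal browser-side cookie jar.

Shows that a cookie is plain data, stored unchanged, and echoed back only to
the host and path that set it (and, for Secure cookies, only over HTTPS).
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample responses, as a browser would receive them.
# Both hosts and both cookie values are made up for this example.
SAMPLE_RESPONSES = [
    ("http://ads.example-adserver.test/banner.gif",
     "svid=1a2b3c4d; Path=/; Expires=Fri, 31-Dec-2010 23:59:59 GMT"),
    ("https://bank.example.test/login",
     "session=abc123; Path=/account; Secure; HttpOnly"),
]


class CookieJar:
    def __init__(self):
        # (host, path, name) -> (value, secure_flag)
        self._store = {}

    def store(self, response_url, set_cookie_header):
        """Parse one Set-Cookie header and file each cookie under the responding host."""
        host = urlsplit(response_url).hostname
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            path = morsel["path"] or "/"
            # The value is kept exactly as received: it is text, not code.
            self._store[(host, path, name)] = (morsel.value, bool(morsel["secure"]))

    def lookup(self, host, name):
        """Return the raw stored value for (host, name), or None if absent."""
        for (h, _path, n), (value, _secure) in self._store.items():
            if h == host and n == name:
                return value
        return None

    def cookie_header(self, request_url):
        """Build the Cookie header a browser would attach to request_url."""
        parts = urlsplit(request_url)
        req_path = parts.path or "/"
        sent = []
        for (host, path, name), (value, secure) in self._store.items():
            if host != parts.hostname:
                continue  # a cookie is never sent to a different host
            if not (req_path == path or req_path.startswith(path.rstrip("/") + "/")):
                continue  # path scoping
            if secure and parts.scheme != "https":
                continue  # Secure cookies travel only over HTTPS
            sent.append(f"{name}={value}")
        return "; ".join(sent)


def build_sample_jar():
    """Load the constructed responses into a fresh jar."""
    jar = CookieJar()
    for url, header in SAMPLE_RESPONSES:
        jar.store(url, header)
    return jar


if __name__ == "__main__":
    jar = build_sample_jar()
    for url in ("http://ads.example-adserver.test/other.gif",
                "https://bank.example.test/account/summary",
                "http://bank.example.test/account/summary",
                "https://bank.example.test/login",
                "https://unrelated.example.test/"):
        print(f"{url:45} -> Cookie: {jar.cookie_header(url)!r}")
```

Running it shows the ad cookie going back only to the ad host, the bank session cookie going only to the bank's `/account` path over HTTPS, and nothing at all going to an unrelated site. Whatever profile the ad server builds comes from the ad host seeing its own token on repeated requests, not from the cookie reading anything on the user's machine.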

In his paper, Cookies Detected by Anti-Spyware Programs: The Current Status, Benjamin Edelman states, “Advertising systems use cookies for a mix of purposes, but primarily to track which users have seen which ads. Such tracking helps show ads more effectively — e.g. by avoiding showing the same ad repeatedly to a single user. ”

“… cookies arrive on a users’ disks merely because users visit web sites that place such cookies. The cookies’ arrival actually reflects browsers and sites working as they were designed …”

What or Who is Mediaplex? “Mediaplex provides technology and services that help advertisers, agencies and publishers manage their interactive and traditional advertising activities. Mediaplex’s complete suite of technology solutions includes MOJO Adserver for third party advertising, MOJO Mail for email management and delivery, MOJO Publisher for ad management, the AdVault suite of products for agency production and financial management and media management and Content Depot for digital advertising management solutions.”

From the site of a security vendor, to remain nameless, “Mediaplex is a tracking cookie that tracks your Internet surfing habits such as Web sites visited, and sends the information to a third-party server where it can be analyzed for marketing purposes. When installed, Mediaplex cookie can potentially record any data including sensitive information from your computer.”

The above statement in and of itself is not untruthful, to an extent. However, it can be misleading to the uninformed web surfer. Recall what I stated earlier about cookies. Cookies are simple pieces of data unable to perform any operation by themselves. They are neither spyware nor viruses. Cookies are not program code. They cannot erase or read information from the user’s computer. However, cookies allow for detecting the Web pages viewed by a user on a given site or set of sites. This information can be collected in a profile of the user. Such profiles are often anonymous, they do not contain personal information.

Hold onto your socks, because here comes the completely exaggerated part.

Screengrab

To quote webhelp2002 from the Affiliates gone wild! article, “Now that must be one hell of a Cookie to do all that! … of course this is an extremely exaggerated claim. There is no evidence that a Mediaplex cookie is involved in any of this type of activity.”

That’s a fairly decent summation of my sentiments.

To carry the exaggeration a bit further, the same website goes on to state:

“WARNING: Mediaplex manual detection and removal process is difficult. You’re required to access sensitive files in your machine. NOT recommended unless you’re an expert in this field.”

Screengrab

Normally that would be a fair assessment when dealing with a Virus or Trojan. However, it’s a cookie, just delete it. Now bear in mind that any time you visit a website that uses Mediaplex to serve ads, the mediaplex cookie will be downloaded by your browser.

To delete cookies:

Internet Explorer Users
1. On the Tools menu, click Internet Options.
2. On the General tab, click Settings, and then click View files.
3. Select the cookie you want to delete, and then, on the File menu, click Delete.

To delete all of the cookies on your computer, click Delete Cookies on the General tab.

Firefox Users
On the Tools menu, click Options, click the Privacy button, and under Cookies click the Clear button.

Opera Users
Opera users can manage, disable, and enable cookies by clicking the File menu, then Preferences, and selecting Privacy.

Note
Some Web sites store your member name and password or other personally identifiable information about you in a cookie; therefore, if you delete a cookie, you may need to re-enter this information the next time you visit the site.

MS Needs Your Credit Card Details?

Saturday, May 5th, 2007

Recently we came across an interesting Trojan sample, detected by Symantec as Trojan.Kardphisher. The Trojan is not very technical - it’s really just another classic social-engineering attack. What makes it interesting is that the author…


Microsoft Security Bulletin Advance Notification - May 2007

Saturday, May 5th, 2007

On Tuesday 8 May 2007 Microsoft is planning to release:

Security Updates

  • Two Microsoft Security Bulletins affecting Microsoft Windows. The highest Maximum Severity rating for these is Critical. These updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

  • Three Microsoft Security Bulletins affecting Microsoft Office. The highest Maximum Severity rating for these is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

  • One Microsoft Security Bulletin affecting Microsoft Exchange. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer.

  • One Microsoft Security Bulletin affecting CAPICOM and BizTalk. The highest Maximum Severity rating for these is Critical. These updates will not require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.

Microsoft Windows Malicious Software Removal Tool

  • Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

  • Microsoft will release 1 NON-SECURITY High-Priority Update for Windows on Windows Update (WU) and Software Update Services (SUS).

  • Microsoft will release 6 NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

This includes a fix for the Windows DNS Server vulnerability.

Clearing swap and hibernation files properly

Saturday, May 5th, 2007

Here is a nice How To article I found at The Register.

http://www.theregister.com/2007/05/05/wipe_swap_file/

Written by Thomas C. Green, this article explains how to securely wipe the swap file and hibernation files on Windows, and how to securely wipe the swap partition on Linux systems.


Content © 2006-2008 MalwareTeks - Every post is the opinion of the author

Creative Commons License
All works are licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.
