2008 April | MalwareTeks Blog
MalwareTeks - Home Page
Are You Infected? Are you plagued by pop-ups? Problems with Spyware, Malware?
Are you an Anti-Malware Fighter and would like to contribute?
Dedicated to keeping your PC clean of Scumware, Badware, Spyware, Malware, Viruses and Trojans.

Archive for April, 2008

Security Myths

Tuesday, April 29th, 2008

think you can tell if you have a virus without av? think you’re smart enough to avoid viruses? you might need to think again

read more | digg story

Posted in Security | No Comments »

Windows XP Service Pack 3 Released to Manufacturing

Monday, April 21st, 2008

Posted today by Chris Keroack [MSFT] at 21 Apr 2008 5:04 PM UTC on TechNet Forums

Today we are happy to announce that Windows XP Service Pack 3 (SP3) has released to manufacturing (RTM). Windows XP SP3 bits are now working their way through our manufacturing channels to be available to OEM and Enterprise customers.

We are also in the final stages of preparing for release to the web (i.e. you!) on April 29th, via Windows Update and the Microsoft Download Center. Online documentation for Windows XP SP3, such as Microsoft Knowledge Base articles and the Microsoft TechNet Windows XP TechCenter, will be updated then. For customers who use Windows XP at home, Windows XP SP3 Automatic Update distribution for users at home will begin in early summer.

Thanks to everyone here who installed the public betas – you not only gave us detailed feedback but also helped each other out with timely troubleshooting. Through the beta program we found several important issues and were able to confirm some essential fixes. We couldn’t have done this without you.

We will still be monitoring this forum during the next few weeks in case you have more feedback about the release of Windows XP SP3.

On behalf of myself, Shashank Bansal and Windows Serviceability, many thanks.

Chris Keroack
Release Manager, Windows XP Service Pack 3
Windows Serviceability

Posted in Security | No Comments »

Microsoft Security Advisory (951306)

Friday, April 18th, 2008

Microsoft Security Advisory (951306)

Vulnerability in Windows Could Allow Elevation of Privilege

Published: April 17, 2008

Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

General Information

Overview

Purpose of Advisory: To provide customers with the initial notification and provide additional information regarding the impact to Windows service accounts. For more information, see the Workarounds and Suggested Actions sections of the security advisory.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References Identification

Microsoft Knowledge Base Article

951306

CVE Reference

CVE-2008-1436

This advisory discusses the following software.

Related Software

Windows XP Professional Service Pack 2

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems

Windows Vista and Windows Vista Service Pack 1

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Windows Server 2008 for 32-bit Systems

Windows Server 2008 for x64-based Systems

Windows Server 2008 for Itanium-based Systems

Frequently Asked Questions

What is the scope of the advisory?
This advisory clarifies public reports of a potential vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2, Windows Server 2003, Windows Vista, and Windows Server 2008. The issue affects the software listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process.

What causes this threat?
Specially crafted code running in the context of the NetworkService or LocalService accounts may gain access to resources in processes that are also running as NetworkService or LocalService. Some of these processes may have the ability to elevate their privileges to LocalSystem, allowing any NetworkService or LocalService processes to elevate their privileges to LocalSystem as well.

How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. IIS is not affected in the following scenarios:

Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0
ASP.NET configured to run with a trust level lower than Full Trust.
Classic ASP code

How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default.

Are there other vectors that an attacker could leverage?
Yes. On Windows Server 2003, an attacker can leverage the Microsoft Distributed Transaction Coordinator (MSDTC) service that runs as NetworkService to acquire a NetworkService token into a process that is running as an identity other than a service identity. An attacker can then use this NetworkService token to elevate to System if this process identity possesses the SeImpersonatePrivilege. This vector does not exist on Windows Server 2008 or Windows Vista.

What additional applications may be affected?
Any process with SeImpersonatePrivilege, as described in Microsoft Knowledge Base Article 821546, which loads and runs user-provided code may be susceptible to an elevation of privilege attack as described in this advisory.

What systems are primarily at risk from the vulnerability?
Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008 may be at risk if IIS is enabled or SQL Server is installed and configured or deployed in a vulnerable state as described by this advisory. IIS systems that allow users to upload code are at increased risk. SQL Server systems are at risk if untrusted users are granted privileged account access. This may include Web hosting providers or similar environments.

Suggested Actions

Workarounds

IIS 6.0 - Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC

Perform the following steps:

1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool and select Properties.
2. Click the Identity tab and click Configurable. In the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate.
3. Add the chosen user account to the IIS_WPG group.

Disabling the Distributed Transaction Coordinator will help protect the affected system from attempts to exploit this vulnerability. To disable the Distributed Transaction Coordinator, perform these steps:

1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools. Alternatively, click Switch to Classic View and then double-click Administrative Tools.
3. Double-click Services.
4. Double-click Distributed Transaction Coordinator.
5. In the Startup type list, click Disabled.
6. Click Stop (if started), and then click OK.

You can also stop and disable the MSDTC service by using the following command at the command prompt:

sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected. Disabling MSDTC will prevent applications from using distributed transactions. Disabling MSDTC will prevent IIS 5.1 from running in Windows XP Professional Service Pack 2 and IIS 6.0 running in IIS 5.0 compatibility mode. Disabling MSDTC will prevent configuration as well as running of COM+ applications.

IIS 7.0 - Specify a WPI for an application pool in IIS Manager

1. In IIS Manager, expand the server node, click Application Pools, right-click the application pool, and then click Advanced Settings…
2. .Find the Identity entry, and click the button to open the Application Pool Identity dialog box.
3. Select the Custom account option and click Set to open the Set Credentials dialog box. Type in the selected Account name and Password in the user name and password text boxes. Retype the Password in the Confirm password text box, then click OK.

Note Application pool identities are dynamically added to IIS_WPG group in IIS7 and don’t need to be manually added.

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected.

IIS 7.0 - Specify a WPI for an application pool using the Command Line utility APPCMD.exe

1. From a command prompt, change to the %systemroot%\system32\inetsrv directory.
2. Execute the APPCMD.exe command using the following syntax: string is the name of the application pool; Username string is the user name of the account assigned to the application pool; Password string is the password for the account.

appcmd set config /section:applicationPools /
[name='string'].processModel.identityType:SpecificUser  /
[name='string'].processModel.userName:string /
[name='string'].processModel.password:string

Note Application pool identities are dynamically added to IIS_WPG group in IIS 7.0 and don’t need to be manually added.

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected.

Resources:

You can provide feedback by completing the form by visiting Microsoft Help and Support: Contact Us.
Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see Microsoft Help and Support.
International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided “as is” without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

April 17, 2008: Advisory published

Posted in Security | No Comments »

SecurityFocus SQL Injection Bogus

Monday, April 14th, 2008

Originally posted at Photo Matt

Since people are asking, this so-called alert on Security Focus appears to be completely false and has no information that an attacker or the WordPress developers could use. It is completely content-free, except for making claims that every version of WP since 2.0 is vulnerable.

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team is sifting through things to see what’s valid or not.  [More ...]

Posted in Security | No Comments »

Zango Alleges Kaspersky Lab Spyware Is ‘Badware’ Itself

Monday, April 7th, 2008

by Wendy Davis, Tuesday, Apr 1, 2008 8:00 AM ET

ADWARE PURVEYOR ZANGO IS PRESSING forward with its case that spyware removal vendor Kaspersky Lab wrongly interfered with Zango’s relationships with Web users.

In papers filed with a federal appeals court, Bellevue, Wash.-based Zango argued that Kaspersky, which removes software that serves pop-up ads, should itself be considered “badware.” “Kaspersky disabled Zango without the customer’s consent and without the customer’s ability to override Kaspersky’s invasive actions,” Zango argued to the Ninth Circuit in a brief filed late last week. “Kaspersky inflicted this interference by behaving like the very ‘badware’ from which it purported to protect consumers.”

[Full Story]

Thanks to Suzi at Spyware Warrior.

Posted in Spyware | No Comments »


Content © 2006-2008 MalwareTeks - Every post is the opinion of the author

Creative Commons License
All works are licensed under a
Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License.

Bad Behavior has blocked 219 access attempts in the last 7 days.