Archive for the ‘Windows Vulnerabilities’ Category

Microsoft Plugs Three Windows Security Holes

January 12, 2011

Microsoft Plugs Three Windows Security Holes: “

Microsoft today released security updates to fix at least three vulnerabilities in its Windows operating systems, including one labeled ‘critical,’ the company’s most serious rating. However, none of the patches address five zero-day flaws that can be used to attack Windows users.

The critical update targets two weaknesses present in all versions of Windows that Microsoft said hackers could exploit to break into unpatched systems just by getting users to visit a compromised or malicious Web site. A second update fixes a security issue in the Windows backup tool that affects Windows Vista machines.

The vulnerability in the Windows backup tool stems from a weakness that extends to hundreds of third-party, non-Microsoft applications built to run on Windows. I discussed this issue at length in a blog post in September, but the upshot is that Microsoft has made available a FixIt tool to help fortify a number of these applications against a broad swath of security threats that stem from a mix of insecure default behaviors in Windows and poorly-written third party apps. If you haven’t already done so, take a moment to read at least the short version of that post, and apply the supplied FixIt tool from Microsoft.

Microsoft chose not to address a number of outstanding, known vulnerabilities for which exploit code is publicly available. Redmond’s Jonathan Ness explains the company’s thinking in holding off on fixing these flaws in a post to the Microsoft Security Research and Defense blog.

Microsoft has released two separate FixIt tools to help users mitigate the threat from a couple of the more pressing outstanding vulnerabilities. If you use Windows, and especially if you browse the Web with Internet Explorer, you should take a moment to take advantage of these stopgap fixes, available here and here.

The updates are available through Windows Update or via the Automatic Update capability built into all supported Windows versions. As always, if you experience any problems or glitches that appear to be related to applying these updates, please drop a note in the comments section.


(Via Krebs on Security.)

Windows 7 Less Vulnerable Without Admin Rights

April 1, 2010

Windows 7 Less Vulnerable Without Admin Rights: “Most Windows 7 vulnerabilities can be mitigated by administrative rights limitations, report from BeyondTrust finds”

(Via DarkReading – All Stories.)

BSOD after MS10-015? TDL3 authors “apologize”

February 16, 2010

BSOD after MS10-015? TDL3 authors “apologize”: “

Last November we blogged about a new rootkit spreading around the net. That rootkit, called TDL3 or TDSS or Tidserv (there are many different names for the same malware, as often happens between security companies), was pretty scary because of the new way it compromised the system, using both improved and new tricks.

After a couple of months, we are here to raise the alarm again about this threat, which has been improved by its creators.

The fact is that the team of coders behind this rootkit is working hard to improve its creation. During these months they never stopped updating it, releasing new, rebuilt droppers every day (sometimes several times a day) that are able to evade generic detection signatures.

All TDL3 droppers have been rebuilt server-side every day during November, December, January and February. This allowed the authors to break weak signatures and badly written generic detection routines. Actually, this was the only effective obstacle; otherwise only very few specific anti-rootkit tools are able to detect the infection when it is active.

The rootkit itself has also been updated and armored to defend itself against a number of specific anti-rootkit tools. It is fun to follow the full story of the rootkit, because it looks like a nice chess game between security vendors and malware authors. It is one of the few times you can see a team of rootkit writers reacting almost in real time to security vendors.

We already knew the rootkit is able to infect a system driver and filter every disk I/O request through a strong filtering mechanism. Now the rootkit has added a watchdog thread that prevents any change to the service registry key of the infected driver. By doing so, it is able to block some basic cleanup tools.

Another self-defense feature added to the rootkit is that nobody is able to get a handle to the infected driver file any more. By doing so, the rootkit prevents some cleanup tools from reading the content of the file. Prior versions of the rootkit allowed the infected file to be read, though they showed a clean copy of it. This trick was used by some security tools to recover the original clean copy of the file and restore it.

We have some doubts about the real usefulness of this self-defense feature. While it is true that it is no longer possible to get the original file content, it is also true that it is now easier to discover the infected driver, because every scanner will get no access at all to the file and this anomaly will be reported.

Last Tuesday Microsoft released a number of Windows updates, some of them critical because they fixed a 17-year-old bug. After some users updated their Windows operating systems, they got a scary and really annoying blue screen of death.

Most of those users were angry with Microsoft, but this time the problem is not Microsoft's fault. Indeed, a number of the users affected by this BSOD were infected by the TDL3/TDSS rootkit.

More exactly, the TDL3 rootkit looks incompatible with the MS10-015 update. This is the cause of the BSOD. The problem lies in the laziness of the rootkit writers when writing the driver infection routine.

When the rootkit dropper is run, the infection routine calculates the RVA offsets of some Windows kernel APIs and hard-codes them, so that at every restart the portion of the rootkit loader injected into the infected driver can use these offsets to immediately calculate the addresses of the wanted functions.

This worked well until the MS10-015 update, when Microsoft updated the Windows NT kernel. This update changed those offset values and consequently broke the rootkit code. When the update procedure finishes, the system is restarted. At system restart, the rootkit code tries to call an invalid address and this causes the BSOD.

The good news is that the TDL3 authors care about us: within a couple of hours they released a new updated version of the rootkit compatible with the Microsoft patch.

Sadly, the number of users affected by this BSOD is quite high, and this means the rootkit infection is spreading quickly.

Moreover, a parallel version of the TDL3 rootkit is spreading too. This one uses an old infection technique, already seen in one of the first versions of TDL3. The injected DLL is no longer called tdlcmd.dll but z00clicker.dll.

International law enforcement should really consider cooperating with security vendors and try to shut down this botnet by tracking down the gang behind it. They are active and able to release updates every day. They are already a serious threat that should be defeated as soon as possible.

If during a scan Prevx reports an infection caused by tdlcmd.dll or z00clicker.dll, please contact Prevx technical support. Our technicians will help our customers get rid of the TDL3 infection.

(Via Prevx Blog.)
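The hard-coded offset failure described in the Prevx post above, shown as an added example that is neither Prevx's code nor the rootkit's: a small C model of a mapped kernel image carrying a PE export directory. The IMAGE_EXPORT_DIRECTORY layout and the lookup by name are the real ones, but everything else is an assumption made for the example: the directory sits at a fixed RVA (0x100) instead of being located through the PE optional header's data directory, only three exports exist, the function RVAs of the "before" and "after" builds are made-up values (not real ntoskrnl offsets), and a function body is modelled as a single RET byte. Resolving by name works on both builds; the RVA cached from the pre-patch build points at nothing in the rebuilt image, which is the invalid call the post blames for the BSOD.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE      0x2000u
#define EXPORT_DIR_RVA  0x100u   /* assumption: a real loader reads OptionalHeader.DataDirectory[0] */

/* IMAGE_EXPORT_DIRECTORY, 40 bytes, laid out as in the PE/COFF specification. */
typedef struct {
    uint32_t Characteristics;
    uint32_t TimeDateStamp;
    uint16_t MajorVersion;
    uint16_t MinorVersion;
    uint32_t Name;
    uint32_t Base;
    uint32_t NumberOfFunctions;
    uint32_t NumberOfNames;
    uint32_t AddressOfFunctions;    /* RVA of uint32_t[NumberOfFunctions]: function RVAs       */
    uint32_t AddressOfNames;        /* RVA of uint32_t[NumberOfNames]: RVAs of ASCII names    */
    uint32_t AddressOfNameOrdinals; /* RVA of uint16_t[NumberOfNames]: index into the table   */
} export_dir_t;

/* Unaligned little-endian accessors over the mapped image (RVA == offset once mapped). */
static uint32_t rd32(const uint8_t *img, uint32_t rva) { uint32_t v; memcpy(&v, img + rva, 4); return v; }
static uint16_t rd16(const uint8_t *img, uint32_t rva) { uint16_t v; memcpy(&v, img + rva, 2); return v; }
static void     wr32(uint8_t *img, uint32_t rva, uint32_t v) { memcpy(img + rva, &v, 4); }
static void     wr16(uint8_t *img, uint32_t rva, uint16_t v) { memcpy(img + rva, &v, 2); }

/* Walk the export directory by name, as GetProcAddress or a loader does.
 * Returns the function's RVA, or 0 when the name is not exported. */
uint32_t resolve_export(const uint8_t *img, const char *name)
{
    export_dir_t ed;
    memcpy(&ed, img + EXPORT_DIR_RVA, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        uint32_t name_rva = rd32(img, ed.AddressOfNames + 4 * i);
        if (strcmp((const char *)img + name_rva, name) == 0) {
            uint16_t ord = rd16(img, ed.AddressOfNameOrdinals + 2 * i);
            return rd32(img, ed.AddressOfFunctions + 4 * ord);
        }
    }
    return 0;
}

/* Model of "is this RVA a legitimate call target": only if an export starts there. */
int is_export_entry(const uint8_t *img, uint32_t rva)
{
    export_dir_t ed;
    memcpy(&ed, img + EXPORT_DIR_RVA, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfFunctions; i++)
        if (rd32(img, ed.AddressOfFunctions + 4 * i) == rva) return 1;
    return 0;
}

/* Build a minimal mapped image: export directory at EXPORT_DIR_RVA, the three tables and
 * the name strings right after it, and each "function" as one RET (0xC3) byte at its RVA. */
static void build_image(uint8_t *img, const char *const *names, const uint32_t *func_rvas, uint32_t n)
{
    export_dir_t ed = {0};
    uint32_t cur = EXPORT_DIR_RVA + (uint32_t)sizeof ed;
    memset(img, 0, IMAGE_SIZE);             /* everything else is padding: not a valid target */
    ed.Base = 1;
    ed.NumberOfFunctions = n;
    ed.NumberOfNames = n;
    ed.AddressOfFunctions    = cur; cur += 4 * n;
    ed.AddressOfNames        = cur; cur += 4 * n;
    ed.AddressOfNameOrdinals = cur; cur += 2 * n;
    cur = (cur + 3) & ~3u;
    for (uint32_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]) + 1;
        wr32(img, ed.AddressOfFunctions + 4 * i, func_rvas[i]);
        wr32(img, ed.AddressOfNames + 4 * i, cur);
        wr16(img, ed.AddressOfNameOrdinals + 2 * i, (uint16_t)i);
        memcpy(img + cur, names[i], len);
        cur += (uint32_t)len;
        img[func_rvas[i]] = 0xC3;           /* ret: stand-in for the function body */
    }
    memcpy(img + EXPORT_DIR_RVA, &ed, sizeof ed);
}

static const char *const kernel_exports[] = { "ExAllocatePool", "IoCreateDevice", "ZwCreateFile" };
/* Hypothetical RVAs for this example only; not taken from any real ntoskrnl build. */
static const uint32_t rvas_before_patch[] = { 0x1000, 0x1200, 0x1400 };
static const uint32_t rvas_after_patch[]  = { 0x1040, 0x1260, 0x14A0 };  /* code moved by the rebuild */

void build_kernel_before_patch(uint8_t *img) { build_image(img, kernel_exports, rvas_before_patch, 3); }
void build_kernel_after_patch(uint8_t *img)  { build_image(img, kernel_exports, rvas_after_patch, 3); }

/* What the post describes: the dropper resolves once at infection time and stores the raw RVA. */
typedef struct { uint32_t cached_rva; } rootkit_config_t;

/* 1 if the stored RVA still hits a function entry in the running kernel, 0 if the call would
 * land on unrelated bytes (the post-MS10-015 crash). */
int hardcoded_rva_survives(const rootkit_config_t *cfg, const uint8_t *running_kernel)
{
    return is_export_entry(running_kernel, cfg->cached_rva);
}

int main(void)
{
    static uint8_t before[IMAGE_SIZE], after[IMAGE_SIZE];
    rootkit_config_t cfg;
    build_kernel_before_patch(before);
    build_kernel_after_patch(after);
    cfg.cached_rva = resolve_export(before, "ExAllocatePool");
    printf("cached RVA 0x%X: valid before patch=%d, after patch=%d\n", cfg.cached_rva,
           hardcoded_rva_survives(&cfg, before), hardcoded_rva_survives(&cfg, after));
    printf("resolving by name on the patched kernel gives 0x%X\n", resolve_export(after, "ExAllocatePool"));
    return 0;
}
```

The loader-side fix is the one line the rootkit authors skipped: call `resolve_export` against the kernel that is actually running at boot instead of trusting a value computed against a different build.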

Adobe predicted as top 2010 hacker target

December 30, 2009

Adobe predicted as top 2010 hacker target: “

McAfee’s crystal ball also reveals Google Chrome dangers

Adobe will overtake Microsoft as the primary target for hackers and virus writers in 2010, net-security firm McAfee predicts.…


(Via The Register.)

Microsoft Investigating New IIS Zero Day

December 29, 2009

Microsoft Investigating New IIS Zero Day: “

Microsoft is investigating reports of a new zero-day vulnerability in its IIS Web server software, and says that the flaw is a problem mainly on servers that are poorly configured.


(Via threatpost – The First Stop for Security News.)

Break Microsoft BitLocker encryption

December 2, 2009

Break Microsoft BitLocker encryption: “Passware created the first commercially available software to break Microsoft BitLocker hard drive encryption. BitLocker is an advanced, full-disk protection feature available in Windows Vista, Window…”

(Via Help Net Security – News.)

Security feature of Internet Explorer 8 unsafe

November 26, 2009

Security feature of Internet Explorer 8 unsafe: “The cross-site scripting filter of Microsoft’s browser reportedly contains vulnerabilities that allow the very cross-site scripting attacks it is meant to prevent”

(Via The H Security.)

Firefox most vulnerable browser, Safari close second

November 16, 2009

Firefox most vulnerable browser, Safari close second: “Cenzic released its report revealing the most prominent types of Web application vulnerabilities for the first half of 2009. The report details the steady rise of attacks targeting these exploits ulti…”

(Via Help Net Security – News.)

First Windows 7 zero-day bug confirmed by Microsoft

November 16, 2009

First Windows 7 zero-day bug confirmed by Microsoft: “The first Windows 7 vulnerability has been confirmed by Microsoft – a denial of service vulnerability in the Server Message Block (SMB) protocol that cannot be used to take control of or install malic…”

(Via Help Net Security – News.)

Microsoft security report shows worms are returning

November 2, 2009

Microsoft security report shows worms are returning: “


Microsoft’s latest security intelligence report shows a resurgence in worms, although rogue security software also remains a big issue.…

(Via The Register – Security.)