Update: Zero Day Photoshop Buffer Overflow Expands

April 30, 2007

Severity: Medium

30 April, 2007

Update:

On Thursday 26 April, we published an alert about a zero day vulnerability that affects Adobe Photoshop. By enticing one of your users into downloading a BMP, DIB, or RLE image file, and then opening it in Photoshop, an attacker can exploit this flaw to execute code on your user’s computer, with that user’s privileges. If your users have local administrator privileges, an attacker could use this flaw to gain complete control of their machines.

Over the weekend, the researcher who revealed the flaw above posted new exploit code for yet another unpatched Photoshop CS2 and CS3 vulnerability. This new flaw also stems from a buffer overflow vulnerability, except this time it involves PNG image files. If an attacker can trick your Photoshop users into downloading and opening a specially crafted PNG image, he can exploit this flaw to execute code and potentially gain complete control of your computer. Furthermore, this new Photoshop flaw also affects Photoshop Elements 5.0 and Corel Paint Shop Pro 11.20.

As he did with the earlier flaw, the researcher who discovered this vulnerability released exploit code for it without bothering to inform Adobe. Adobe hasn’t had time to release a patch for it yet. Until they do, we recommend you follow the tips found in the Solution section of our previous alert. Just add PNG files to your list of potentially malicious image types. As a convenient reference, we’ve duplicated the 26 April Photoshop alert, below. You can also find it in the LiveSecurity Latest Broadcasts archive.



Summary:

Yesterday, a gray hat researcher publicly released exploit code for a previously unknown buffer overflow vulnerability in Adobe Photoshop. By enticing one of your users into downloading an image file, and then opening it in Photoshop, an attacker can exploit this flaw to execute code on your user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker could gain total control of the victim’s PC. If any of your users run Photoshop, warn them of this flaw, and refer to the Solutions section of this alert for possible workarounds.

Exposure:

Adobe Photoshop is arguably the most popular image editing application used today. If you have a marketing department, or do any graphic design, chances are you have at least one computer running it.

In a post to a popular archive site, a gray hat researcher called Marsu released exploit code that attacks a zero day buffer overflow vulnerability in Adobe Photoshop CS2 and CS3. Specifically, the code creates a malicious BMP image file that, when opened in Photoshop, executes the Windows Calculator program. Opening your calculator may not sound dangerous. However, Marsu has written his exploit modularly, making it trivial for an attacker to replace his benign payload with a much worse one. In short, if an attacker can trick one of your users into downloading a malicious BMP, DIB, or RLE image file, and then opening that image in Photoshop, he could exploit this vulnerability to execute arbitrary code on your user’s computer, inheriting your user’s privileges. If your Photoshop users have administrative privileges, the attacker would gain complete control of their machines.

Since this vulnerability first came to our attention as a zero day exploit, without responsible disclosure, we don’t know everything about it yet. For example, Marsu wrote his exploit code specifically for Photoshop CS2 and CS3. However, we believe this flaw could potentially affect older versions of Photoshop, and other applications in the Photoshop family, such as the “lite” version of Photoshop bundled with scanners. Also, Marsu wrote his exploit to attack the French version of Windows XP SP2. We don’t know whether or not it affects the Mac versions. Despite these unknowns, one thing remains clear: Bad guys have access to an easily modifiable exploit that could give them full access to your Photoshop users’ computers. You should warn your Photoshop users of this flaw immediately.

Solution Path:

Since Marsu released his exploit without informing Adobe, they haven’t had time to patch. We will inform you when Adobe releases their patch. For now, follow the tips below to help protect yourself from this zero day attack:

  • Inform your Photoshop users immediately. Tell your users that attackers can trigger this flaw using malicious BMP, DIB, and RLE images. Then your Photoshop users can avoid opening these sorts of images in Photoshop, especially when the images come from an untrusted source.
  • Make sure Photoshop is not your default BMP image viewer. In Windows File Explorer, click Tools => Folder Options… => File Types tab. Scroll through this list of file types looking for BMP, DIB, and RLE, then make sure that Photoshop is NOT the default application associated with these files. This may lessen the chance that your users accidentally open a malicious file in Photoshop.
  • Use your Firebox to strip BMP, DIB, and RLE images. You can use your Firebox’s proxies to prevent your users from accessing these image files via the Web or email. However, this technique has drawbacks; see the next paragraph.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from accessing BMP, DIB, and RLE image files via the Web or email (note that this method blocks all such files, both malicious and legitimate). If you like, you can temporarily mitigate the risk of this vulnerability by blocking these files using your Firebox’s HTTP and SMTP proxy services. However, many Web sites use BMP images heavily. Blocking them could significantly degrade your users’ Web browsing experience. If you still want to block these files, follow the links below for instructions:

  • Vclass
    • SMTP Proxy. You’ll have to create or adjust a custom proxy action based on SMTP-Incoming in order to strip .BMP, .DIB, and .RLE image files. If you have created your own Proxy Action based on SMTP-Incoming, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Content Checking tab, change “Category” to Attachment Filename and click either the Add to Top or Insert After button (only one or the other will display). Next, type “BMP_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.BMP” and select Strip as the Action. Repeat these steps for the other file extensions as well. Now you can apply this new Proxy Action to your SMTP rule to ensure your Firebox blocks these files.
    • HTTP Proxy. You’ll have to create or adjust a custom proxy action based on HTTP-Outgoing in order to strip .BMP, .DIB, and .RLE image files. If you have created your own Proxy Action based on HTTP-Outgoing, you can edit it so that it blocks these files. In the Vcontroller software, click the Proxies button and double-click your custom proxy action. Under the Request General tab, change “Category” to URL Paths and click on Add. Next, type “BMP_files” as the new rule’s name, and choose Pattern Match. Next to Pattern Match, type “*.BMP” and select Strip as the Action. Repeat these steps for the other file extensions, too. Now you can apply this new Proxy Action to your HTTP rule to ensure your Firebox blocks these files.

Status:

Adobe hasn’t released a patch yet. We’ll inform you when they do.

References:


Zero Day Adobe Photoshop Buffer Overflow Revealed

April 28, 2007

Severity: Medium

26 April, 2007

Summary:

Yesterday, a gray hat researcher publicly released exploit code for a previously unknown buffer overflow vulnerability in Adobe Photoshop. By enticing one of your users into downloading an image file, and then opening it in Photoshop, an attacker can exploit this flaw to execute code on your user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker could gain total control of the victim’s PC. If any of your users run Photoshop, warn them of this flaw, and refer to the Solutions section of this alert for possible workarounds.

Exposure:

Adobe Photoshop is arguably the most popular image editing application used today. If you have a marketing department, or do any graphic design, chances are you have at least one computer running it.

In a post to a popular archive site, a gray hat researcher called Marsu released exploit code that attacks a zero day buffer overflow vulnerability in Adobe Photoshop CS2 and CS3. Specifically, the code creates a malicious BMP image file that, when opened in Photoshop, executes the Windows Calculator program. Opening your calculator may not sound dangerous. However, Marsu has written his exploit modularly, making it trivial for an attacker to replace his benign payload with a much worse one. In short, if an attacker can trick one of your users into downloading a malicious BMP, DIB, or RLE image file, and then opening that image in Photoshop, he could exploit this vulnerability to execute arbitrary code on your user’s computer, inheriting your user’s privileges. If your Photoshop users have administrative privileges, the attacker would gain complete control of their machines.

Since this vulnerability first came to our attention as a zero day exploit, without responsible disclosure, we don’t know everything about it yet. For example, Marsu wrote his exploit code specifically for Photoshop CS2 and CS3. However, we believe this flaw could potentially affect older versions of Photoshop, and other applications in the Photoshop family, such as the “lite” version of Photoshop bundled with scanners. Also, Marsu wrote his exploit to attack the French version of Windows XP SP2. We don’t know whether or not it affects the Mac versions. Despite these unknowns, one thing remains clear: Bad guys have access to an easily modifiable exploit that could give them full access to your Photoshop users’ computers. You should warn your Photoshop users of this flaw immediately.

Solution Path:

Since Marsu released his exploit without informing Adobe, they haven’t had time to patch. We will inform you when Adobe releases their patch. For now, follow the tips below to help protect yourself from this zero day attack:

  • Inform your Photoshop users immediately. Tell your users that attackers can trigger this flaw using malicious BMP, DIB, and RLE images. Then your Photoshop users can avoid opening these sorts of images in Photoshop, especially when the images come from an untrusted source.
  • Make sure Photoshop is not your default BMP image viewer. In Windows File Explorer, click Tools => Folder Options… => File Types tab. Scroll through this list of file types looking for BMP, DIB, and RLE, then make sure that Photoshop is NOT the default application associated with these files. This may lessen the chance that your users accidentally open a malicious file in Photoshop.
  • Use your Firebox to strip BMP, DIB, and RLE images. You can use your Firebox’s proxies to prevent your users from accessing these image files via the Web or email. However, this technique has drawbacks; see the next paragraph.

Status:

Adobe hasn’t released a patch yet. We’ll inform you when they do.

References:


Acer recalls 27,000 laptop batteries for overheating

April 26, 2007

BEIJING, April 26 (Xinhuanet) — One of the world’s largest computer makers, Acer Inc., announced a recall on Wednesday of 27,000 PC batteries that may overheat and cause a fire, even though six months ago it said its laptop PC users did not need to replace any batteries. The recall is being made in cooperation with the U.S. Consumer Product Safety Commission.

The announcement followed a number of high-profile laptop PC battery recalls related to Sony-made cells. The recalls started with Dell Inc. last August and continued on to nearly every major PC vendor in the world, including Lenovo Group Ltd. and Sony Corp. itself.

Acer is the latest company to warn of faulty Sony-made lithium-ion batteries. Up to now, over 9.6 million laptop PC batteries have been recalled.

No users have reported problems with overheating batteries in Acer laptops, the company said, but it is still working with the consumer agency to conduct the voluntary recall. The company has provided a list of TravelMate and Aspire brand notebook PCs sold in the U.S. between May 2004 and November 2006 that contain faulty batteries.

A Web site set up for the battery recall lists the affected laptop models, which include TravelMate series notebooks with 4-digit model numbers beginning with 242, 320, 321, 330, 422, 467, 561 and C20, and Aspire series notebooks with model numbers beginning with 556, 560, 567, 930, 941 and 980, and offers users instructions on how to replace the battery.

Customers should stop using the recalled batteries immediately, Acer said, and use their AC adapter and power cord until a free replacement battery arrives after they contact the company.


Microsoft: iPhone lacks business savvy

April 22, 2007

Apple’s soon-to-be-launched iPhone will be irrelevant to business users because it is a “closed device” and does not support Microsoft Office, a senior executive with the software giant said this week.

“It’s a great music phone, and I’m sure it will be fantastic and have an interesting user interface,” Chris Sorenson, Microsoft’s Asia-Pacific head of smart-phone strategy, told press during a recent visit to Australia.

“However, it’s a closed device that you cannot install applications on, and there’s no support for Office documents. If you’re an enterprise and want to roll out a line of business applications, it’s just not an option. Even using it as a heavy messaging device will be a challenge,” the executive added.

Microsoft’s Windows Mobile operating system is already running on 140 phone models, while Apple’s iPhone is not expected to hit the U.S. market until June, and Australia in 2008. The Windows mobile devices have picked up a significant portion of the converged device market, although they are up against the dominance of Nokia and its Symbian OS, Research In Motion and its BlackBerry software, and decreasingly, Palm.

While the entry of the iPhone (with its cut-down version of Mac OS X) into this market offers new options for consumers, Sorenson believes user familiarity with the Windows Mobile interface–and the ease with which companies can buy and develop applications for the platform–will sustain its increasing popularity and help keep the iPhone out of the lucrative corporate market.

Windows Mobile was released in May 2005, but it wasn’t until early 2006 that devices based on the operating system had become widely available to Australian buyers. By contrast, devices running the latest edition of Windows Mobile, version 6 (WM6) will be on the Australian market before the end of the month–beating Microsoft’s own projections that the platform would ship in the third calendar quarter.

While the iPhone will focus on integrating phone, Internet browsing and iPod features such as music, WM6 adds enterprise-targeted features such as better synchronization of data between mobile devices and office servers.

“With 3G we see Australians wanting more bandwidth on devices than ever before. There’s a growing trend toward smarter devices, and with WM6 we’ve tried to bring more of what you can do on a PC onto the devices. Manufacturers can innovate heavily in their designs, but keep that consistent (Windows) look and feel,” Sorenson said.

When contacted, an Apple Australia representative said: “I am not interested in commenting.”


Hacker breaks into Mac at security conference

April 22, 2007

April 20, 2007 (IDG News Service) — A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver.

In winning the contest, he exposed a hole in Safari, Apple Inc.’s browser. “Currently, every copy of OS X out there now is vulnerable to this,” said Sean Comeau, one of the organizers of CanSecWest.

The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. “You see a lot of people running OS X saying it’s so secure and frankly Microsoft is putting more work into security than Apple has,” said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dino Dai Zovi, who lives in New York, sent along a URL that exposed the hole. Since the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on.

The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Dai Zovi used it to open a back door that gave him access to anything on the computer, Comeau said.

The vulnerability won’t be published. 3Com Corp.’s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.

The prize for the contest was originally one of the Macs. But on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest.

One reason Macs haven’t been much of a target for hackers is that there are fewer to attack, said Terri Forslof, manager of security response for TippingPoint. “It’s an incentive issue. The Mac is not as widely deployed of a platform as say Windows,” she said. In this case, the cash may have provided motivation.

The contest was a chance for hackers to demonstrate techniques they may have boasted about. “I hear a lot of people bragging about how easy it is to break into Macs,” Ruiu said.

Some attendees didn’t think it was a coincidence that on late Thursday Apple released a patch for 25 vulnerabilities in OS X.

Macs haven’t been targets for hackers and malicious code writers nearly to the degree that Windows machines have historically. That’s in part because there are fewer Macs in use, thus making the potential impact of malicious code smaller than on the more widely used PCs.

Also, Apple is “extremely litigious when people do find stuff,” noted Theo de Raadt, OpenBSD project leader and an attendee at the conference. He suspects that will backfire on Apple, which could begin to “look evil” if hackers begin to publish potentially threatening letters from the company.


Dell Resurrects Windows XP

April 22, 2007

Due to customer demand, Dell will again offer Windows XP as an option on some of its consumer PCs. The announcement was made on Dell’s IdeaStorm website, where consumers are invited to post their opinions.

In February, Dell launched two new ways for customers to share ideas and experiences directly with their peers and the company. Dell IdeaStorm and StudioDell were announced during a presentation by Dell Chairman and CEO Michael Dell at a statewide education summit in Texas. Soon after the launch, the most popular idea on IdeaStorm came from consumers saying they wanted computers preloaded with Linux and other open source solutions. Now they want Windows XP resurrected.

The “Don’t eliminate XP just yet” post managed to obtain close to 12308 points, and Dell responded with a brief statement. “We heard you loud and clear on bringing the Windows XP option back to our Dell consumer PC offerings,” Dell said in a Web posting Thursday.

Starting immediately, Dell said, it is adding XP Home and Professional as options on four Inspiron laptop models and two Dimension desktops.

Like many other computer makers, Dell stopped offering Windows XP on its computers after Microsoft launched Windows Vista for consumers in January this year.

was also a key factor as consumer shipments declined rapidly while commercial volume was more stable.

According to AP, Microsoft countered that Dell’s move was in response to a “small minority of customers” with a “specific request.” Michael Burk, a product manager for Microsoft’s Windows Client group, said in an e-mailed statement, “The vast majority of consumers want the latest and greatest technology, and that includes Windows Vista.”

In January 2007, Microsoft announced the addition of an Extended Support phase for the Windows XP Home Edition and Windows XP Media Center Edition operating systems, providing consumers with an additional phase of support.

With the addition of Extended Support, the support life cycle for Windows XP Home Edition and Windows XP Media Center Edition will include a total of five years of Mainstream Support (until April 2009) and five years of Extended Support, matching the support policy provided for Windows XP Professional.

The Microsoft Support Lifecycle policy standardizes Microsoft product support policies for business and developer products as well as for consumer, hardware, multimedia and Microsoft Dynamics products.

Previously, all support for Windows XP Home was slated to end two years after the release of Vista, in other words, at the end of January 2009. Windows XP debuted in October 2001.

According to IDC’s latest report on the PC market, Dell continued to struggle with a slow U.S. market and internal restructuring. A focus on the slower-growing commercial market and a strategy of not chasing share at the expense of profitability, while facing aggressive competition from HP and other competitors, has reduced growth dramatically.

Similar to the fourth quarter, Dell shipments declined by more than 14% in the United States and grew by just over 1% internationally. As a result, overall shipments declined by 6.9% year on year and international shipments rose to 52% of volume. Although Dell’s Portable business saw healthy growth internationally, domestic sales were down.


Apple Patches 25 More OS X Vulnerabilities

April 19, 2007

Severity: High

19 April, 2007

Summary:

Today, Apple released a security update fixing 25 security issues in software packages that ship as part of OS X, including fetchmail, kerberos, and ftpd. An attacker exploiting the worst of these security issues could execute code on your Mac, possibly gaining full control of your computer. If you manage OS X 10.3.9 or 10.4.9 computers, you should download, test, and install the appropriate Apple security update as soon as possible.

Exposure:

Apple’s latest security update corrects 25 vulnerabilities affecting software packages that ship as part of OS X 10.3.9 and 10.4.9. Many of these vulnerabilities allow attackers to execute any code they choose on your OS X machines, so we rate this update Critical. You should apply it as soon as you can. Some of the fixed vulnerabilities include:

  • Remote code execution vulnerability caused by disk images. OS X ships with a package of file system tools called diskdev. One of the tools in this package, fsck, suffers from a memory corruption vulnerability. Attackers can create a specially crafted disk image that will automatically run fsck and trigger this vulnerability. By enticing one of your users into downloading and mounting a malicious disk image, an attacker can exploit this flaw to execute code on that user’s computer, inheriting that user’s privileges. The attacker could then exploit other local vulnerabilities described in Apple’s alert to gain complete control of that user’s Mac.
  • Format string vulnerability in Help Viewer. Help Viewer is the OS X component that allows you to view Help files. It suffers from a format string vulnerability caused by help files having specially-crafted names. By tricking one of your users into downloading and opening a malicious help file, an attacker could exploit this flaw to execute code on that user’s computer, with that user’s privileges. The attacker could then exploit other local vulnerabilities described in Apple’s alert to gain complete control of that user’s Mac.
  • Two code execution vulnerabilities in Libinfo. Libinfo, a component that ships with OS X, suffers from two vulnerabilities: an integer overflow flaw, and an unspecified flaw in its error reporting. By enticing one of your users to a malicious Web page, an attacker can exploit the most severe of these two vulnerabilities to execute attack code on your computer, potentially gaining control of it.

Apple’s alert includes 21 more flaws, including many more code execution flaws like those described above. The remaining vulnerabilities also include local elevation of privilege flaws, some password bypassing vulnerabilities, and more. Other components that this security update patches include:

  • AFP Client
  • Airport
  • ftpd
  • Login Window
  • GNU Tar
  • network_cmds
  • HID family
  • SMB
  • Installer
  • System Configuration
  • Kerberos
  • VideoConference
  • URLMount
  • WebDAV
  • CarbonCore
  • WebFoundation

Refer to Apple’s alert for more details.

Solution Path:

Apple has released updates to fix these vulnerabilities for both OS X 10.3.9 and 10.4.9. Apple OS X administrators should download, test, and deploy the appropriate updates as soon as possible.

  • Security Update 2007-004 (10.3.9 Client)
  • Security Update 2007-004 (10.3.9 Server)
  • Security Update 2007-004 (PPC)
  • Security Update 2007-004 (Universal)

Note: If you have trouble figuring out which of these patches corresponds to your version of OS X, we recommend you let OS X’s Software Update utility automatically pick the correct update for you.

For All Users:

These flaws support diverse exploitation methods. Some of the exploits are local, meaning that your perimeter firewall never encounters the attack (unless you use firewalls internally between departments). The most secure course of action is to install the updates.

Status:

Apple released updates to fix these issues.

References:

Apple’s April OS X Advisory


Microsoft offers nearly free software

April 19, 2007

BEIJING, China (UPI) — Microsoft Corp. said in Beijing Thursday it would offer stripped-down versions of Windows, Office and other software for $3 to people in developing nations.
Chairman Bill Gates said the program — a major expansion of the Microsoft Windows XP Starter Edition program begun in 2004 — ‘would help close the digital divide in all parts of the globe,’ a Microsoft statement said.
It will also expand Microsoft’s global reach at a time when some governments in developing countries have encouraged Windows alternatives such as the free Linux operating system.
The Microsoft Unlimited Potential program offers the deeply discounted software — including Windows XP Starter Edition and Office Home and Office 2007 — to governments purchasing bulk orders of computers that would then be distributed to students and other individuals.
Gates said Microsoft viewed Windows Starter as ‘a passport to a digital society.’
The stripped-down software is ‘tailored to the needs and wants of first-time PC users, optimized to run on low-cost hardware and localized for various geographies,’ Microsoft said in a statement.
Windows XP Starter Edition, first released in Thailand in 2004, was later made available in 139 countries and 24 languages. Windows Vista Starter will be available in 139 countries and 59 languages.
Copyright 2007 by United Press International


Two New “Storm Worm” Variants Making Headlines

April 17, 2007

Severity: Medium

13 April, 2007

About the Virus

Yesterday, Computerworld published an article warning of a “massive spam outbreak” that contained two dangerous new variants of a trojan the media has dubbed the “Storm Worm.” We first warned you of the Storm Worm in a Wire post last January. Today, others in the press have jumped on the bandwagon and published many shrill reports [ 1 / 2 / 3 ] that hype the severity of these latest Storm variants. While we don’t doubt that attackers have aggressively seeded these variants using spamming techniques, we haven’t yet seen them infect businesses in large numbers. In fact, antivirus (AV) companies still only rate them as low risks. While you should make yourself, and your users, aware of these new Storm Worm variants, neither offers reason for panic.

Unfortunately, the lack of coordination among AV vendors’ naming conventions makes it difficult to track these threats. While the media generally calls this family of trojans the Storm Worm, AV vendors have given this trojan a variety of names including:

Furthermore, attackers have released many different variants of the Storm Worm, all of which have different characteristics. For simplicity’s sake, we’ll distinguish these two new Storm variants by calling one the “Love Storm” and the other the “Security Storm.”

Distinguishing Characteristics

The two new Storm variants have different distinguishing characteristics but share a similar impact.

The Love Storm variant arrives as an email with a love-themed subject. Below you’ll find a partial list of subjects Love Storm might use:

  • A Rose for My Love
  • A Toast My Love
  • A Token of My Love
  • Come Dance with Me
  • Come Relax with Me
  • Destiny
  • Dream of You
  • Eternal Love
  • Eternity of Your Love
  • Falling In Love with You
  • For You….My Love

Love Storm also comes with a .EXE attachment. It randomly selects its attachment from the following list of possibilities:

  • postcard.exe
  • Greeting Card.exe
  • Greeting Postcard.exe
  • Flash Postcard.exe
  • With Love.exe
  • Love Postcard.exe
  • My Love.exe

Conversely, the Security Storm variant ironically pretends to be a security-related email. Its subject warns you of a new worm, virus, or trojan. It randomly selects its subject from the following list of possibilities:

  • Worm Detected!
  • Virus Detected!
  • Virus Activity Detected!
  • ATTN!
  • Spyware Alert!
  • Spyware Detected!
  • Warning!
  • Trojan Alert!
  • Trojan Detected!
  • Worm Activity Detected!
  • Virus Alert!

Also, Security Storm arrives with a password-protected .ZIP file as its attachment. Its email includes a GIF image that shows you the password necessary to open the malicious .ZIP file. Although Security Storm randomly generates the name of its .ZIP attachment, it always uses one of the following prefixes:

  • patch-
  • removal-
  • hotfix-
  • bugfix-

If you open the password-protected .ZIP file, you’ll find the real malicious payload stored as a .EXE file.

If you run either of these Storm variants’ malicious .EXE attachments, Storm:

  • Copies itself to various locations on your computer and adds registry entries to make sure it can restart after your next reboot.
  • Installs rootkit technology to help it hide on your computer.
  • Tries to lower your computer’s security by disabling many popular security applications.
  • Steals sensitive information.
  • Installs a trojan on your computer capable of downloading new malware.
  • Adds your computer to a malicious botnet.

These new Storm variants don’t use any tricks that you haven’t seen before. You should have no problems distinguishing them in your inbox, and avoiding them. However, attackers have spammed these two new variants very aggressively. If one of your users does accidentally run one of their malicious attachments, they could cause a lot of damage to your network. Make sure to inform your users of these new Storm variants so they know to avoid them. However, you don’t need to panic over these new threats, despite what the media may suggest.

What you can do

  • As always, remind your users never to open unexpected attachments from any source. Inform them that most modern viruses falsify the “From” field and can appear to come from friends, co-workers, or other trusted parties.
  • Most major antivirus vendors already have signatures that detect the payload included with both new Storm variants. Check with your vendor for the latest update. 
  • Educate your users by downloading and presenting the new SecurityWise module, “E-mail Safety in the Age of Cybercrime.” This resource is available free of charge, exclusively to LiveSecurity Service subscribers.
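To turn the indicators above into something a mail gateway or triage script can apply, here is an added example (not WatchGuard’s code) that classifies a message on its subject and attachment names using only the lists quoted in this alert. The sample lures it builds are constructed stubs, and the verdict labels are this example’s own.

```python
# Added example (not WatchGuard's code): triage mail against the two Storm
# variants using only the indicators the alert lists. Samples are constructed.
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Indicators quoted from the alert above (the alert notes the lists are partial).
LOVE_SUBJECTS = {
    "A Rose for My Love", "A Toast My Love", "A Token of My Love",
    "Come Dance with Me", "Come Relax with Me", "Destiny", "Dream of You",
    "Eternal Love", "Eternity of Your Love", "Falling In Love with You",
    "For You….My Love",
}
LOVE_ATTACHMENTS = {
    "postcard.exe", "Greeting Card.exe", "Greeting Postcard.exe",
    "Flash Postcard.exe", "With Love.exe", "Love Postcard.exe", "My Love.exe",
}
SECURITY_SUBJECTS = {
    "Worm Detected!", "Virus Detected!", "Virus Activity Detected!", "ATTN!",
    "Spyware Alert!", "Spyware Detected!", "Warning!", "Trojan Alert!",
    "Trojan Detected!", "Worm Activity Detected!", "Virus Alert!",
}
SECURITY_ZIP_PREFIXES = ("patch-", "removal-", "hotfix-", "bugfix-")


def _norm(text) -> str:
    """Case-fold and collapse whitespace so trivial spam mutations still match."""
    return " ".join(str(text).split()).casefold()


_LOVE_SUBJ = {_norm(s) for s in LOVE_SUBJECTS}
_LOVE_ATT = {_norm(s) for s in LOVE_ATTACHMENTS}
_SEC_SUBJ = {_norm(s) for s in SECURITY_SUBJECTS}


def attachment_names(msg) -> List[str]:
    """Declared filenames of every non-container MIME part."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def classify(subject: str, attachments: List[str]) -> Dict[str, object]:
    """Verdict is 'love-storm' / 'security-storm' when both the subject and the
    attachment indicator of one variant match, 'suspicious' when only one side
    does (worth a closer look, not a block), and 'clean' otherwise."""
    subj = _norm(subject or "")
    names = [_norm(a) for a in attachments]
    love_subj = subj in _LOVE_SUBJ
    love_att = [n for n in names if n in _LOVE_ATT]
    sec_subj = subj in _SEC_SUBJ
    # Security Storm ships a password-protected ZIP named with a known prefix.
    sec_att = [n for n in names
               if n.endswith(".zip") and n.startswith(SECURITY_ZIP_PREFIXES)]
    reasons: List[str] = []
    if love_subj:
        reasons.append("subject on the Love Storm list")
    if love_att:
        reasons.append("Love Storm attachment name: " + ", ".join(love_att))
    if sec_subj:
        reasons.append("fake AV-alert subject on the Security Storm list")
    if sec_att:
        reasons.append("ZIP with Security Storm prefix: " + ", ".join(sec_att))
    if love_subj and love_att:
        verdict = "love-storm"
    elif sec_subj and sec_att:
        verdict = "security-storm"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def classify_raw(raw: bytes) -> Dict[str, object]:
    """Parse a raw RFC 822 message and classify it on subject plus attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return classify(msg["Subject"] or "", attachment_names(msg))


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed lure carrying a stub attachment (not real malware), for testing."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("See the attachment.")
    msg.add_attachment(b"stub", maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_raw(build_sample("A Rose for My Love", "Love Postcard.exe")))
    print(classify_raw(build_sample("Virus Detected!", "patch-8841.zip")))
    print(classify("Warning!", ["minutes.pdf"]))
```

A generic subject such as “Warning!” without the prefixed ZIP only yields “suspicious”, which keeps the rule from blocking ordinary mail while still surfacing it for review.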

References:


Zero Day Microsoft DNS Vulnerability Discovered in the Wild

April 13, 2007

Severity: Medium

Summary:

Today, Microsoft released an early advisory warning of a serious, zero day vulnerability affecting Windows 2000 and 2003 servers that run the DNS service. By sending a specially crafted RPC packet, a remote attacker can exploit this flaw to gain complete control of your Microsoft DNS Server. If you manage a Microsoft DNS Server, you should implement the workarounds described in the Solution Path section of this alert until Microsoft releases a patch.

Exposure:

In their early security advisory, Microsoft describes a new, unpatched buffer overflow vulnerability in the DNS service that ships with Windows 2000 and Windows Server 2003. Other versions of Windows are not affected. The buffer overflow flaw specifically involves the RPC interface associated with Microsoft’s DNS service. By sending a maliciously crafted RPC packet, an anonymous, remote attacker can exploit this flaw to gain complete control of your DNS server. By controlling your DNS server, an attacker gains significant leverage toward owning the rest of your network.

Microsoft first discovered this new vulnerability in the wild, which means attackers have already started to exploit it (though on a limited scale). Furthermore, Microsoft has not had time to patch the flaw. Combine those factors with this vulnerability’s serious impact, and it seems to pose an extremely high risk. However, one mitigating factor significantly dampens its severity. Though the vulnerability involves the DNS service, attackers can’t exploit it over the typical DNS port (TCP port 53). The DNS service’s vulnerable RPC interface binds itself to a port within the range of 1024-5000. An attacker must have access to this range of ports on your DNS server to exploit this flaw. Firewalls like WatchGuard’s Firebox block these ports by default. Most administrators with firewalls are protected from an Internet-based attacker that exploits this vulnerability.

Solution Path:

Microsoft hasn’t had time to patch this zero day vulnerability. However, they have listed workarounds for it in the “Suggested Actions” section of their advisory. We recommend you implement these workarounds until Microsoft releases their patch. We’ll let you know when the patch comes out.

Status:

Microsoft has not released a patch for this issue. We will update you when they do.

References: