Within the last week, two large-scale releases of malicious code have included exploits for a vulnerability that Microsoft patched in April 2006. The weekend's defacement of more than 70,000 Web sites and the installation of an MBR rootkit both require exploitation of a number of older vulnerabilities, including MS06-014. Why bother?
The original security bulletin for MS06-014 was posted back in April 2006. It concerned a flaw within the Microsoft Data Access Components (MDAC), specifically within the RDS.Dataspace ActiveX control, that is part of the ActiveX Data Objects (ADO) distributed in MDAC. Shortly after the patch was available, an exploit was published to the Web.
Roger Thompson, chief research officer at Grisoft, said in an e-mail, "MS06-014 works really well, and it's really easy to use and modify. It's shocking that it's still producing enough to make it worth their while, but it must be so."
Shortly after MS06-014 was published, Microsoft released Windows XP SP2, which, among other things, includes all the previous Windows XP security patches.
Given the exploit's revival, there must be a large number of machines still running Windows with XP SP1 or before.
Thompson said the continued use of older exploits "underlines how hard it is to do a new exploit, as opposed to just using someone else's." Thompson, whose company makes the LinkScanner safe-browsing application, said blocking these exploits is the best protection. Of course, keeping your Windows system up to date can't hurt either.
On Wednesday, the SANS Internet Storm Center and others published details about the massive SQL-based Web attack that occurred over the weekend. The attack, says SANS, is similar to a smaller SQL-injection attack seen in November. At least 70,000 sites were compromised in a short period of time, leading some to speculate this was an automated attack.
From log files, the attack code appears to exploit a variety of SQL injection vulnerabilities existing on Web sites using Microsoft SQL or Microsoft IIS. On the vulnerable sites, malicious JavaScript is injected into all variable character fields and text fields in the SQL database, such that when visitors hit the site, their browsers, if vulnerable, are then redirected to another domain, in this case us8010.com.
Roger Thompson, chief research officer at Grisoft, identified one of the exploits served at the malicious server as taking advantage of MS06-014, a Microsoft Data Access Components vulnerability that Microsoft patched in September 2006. He also noted that "this domain uc8010(dot)com was registered just a few days ago (Dec 28), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains." Yet by January 5, most of these domains had already been cleaned.
What's interesting about this attack, aside from its automation, is that the SQL injection script is given in terms of a CAST statement, code that converts one data type to another. Ryan Barnett has provided a decoded version of this attack.
Barnett suggests that to protect against this attack a Web site should be front-ended by an Apache proxy and then back-ended by IIS or MS-SQL. SANS says other methods, such as blocking CAST statements, would also be effective.
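As an added example (not code from the article, SANS, or Barnett), the Python below scans W3C-format IIS log lines for the hex-encoded CAST/CONVERT literal this attack relies on, decodes the literal, and reports whether it carries a script tag; the log lines and hex payloads are constructed. Matching on the hex-literal shape rather than the bare word CAST is what keeps a search for "cast iron" from being blocked.

```python
import re
from urllib.parse import unquote_plus

# Hex literal handed to CAST(...) or CONVERT((n)varchar(n), ...). Matching this
# shape, not the bare word CAST, avoids flagging ordinary requests.
_CAST_HEX = re.compile(
    r"\b(?:CAST|CONVERT)\s*\(\s*(?:N?VARCHAR\s*\(\s*\d+\s*\)\s*,\s*)?0x([0-9A-Fa-f]+)",
    re.IGNORECASE,
)

def decode_hex_literal(hexdigits):
    """Decode a SQL hex literal; NVARCHAR targets carry UTF-16LE, others ASCII."""
    raw = bytes.fromhex(hexdigits if len(hexdigits) % 2 == 0 else "0" + hexdigits)
    # UTF-16LE text made of ASCII characters has a NUL in every second byte.
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def scan_request(uri_query):
    """One finding per hex CAST/CONVERT literal in a request's query string."""
    findings = []
    for m in _CAST_HEX.finditer(unquote_plus(uri_query)):
        payload = decode_hex_literal(m.group(1))
        findings.append({"match": m.group(0)[:40], "decoded": payload,
                         "injects_script": "<script" in payload.lower()})
    return findings

def scan_iis_log(lines):
    """W3C extended log: date time s-ip cs-method cs-uri-stem cs-uri-query ..."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        for f in scan_request(fields[5]):
            hits.append({"time": fields[0] + " " + fields[1], "uri": fields[4], **f})
    return hits

# Constructed sample log (hex literals encode "<script>" as UTF-16LE and "select 1" as ASCII).
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2008-01-05 10:12:33 10.0.0.5 GET /products.asp id=1;cast(0x3C007300630072006900700074003E00%20as%20nvarchar(4000)) 80 - 203.0.113.7 Mozilla/4.0 200",
    "2008-01-05 10:12:40 10.0.0.5 GET /search.asp q=cast+iron+pan 80 - 198.51.100.2 Mozilla/4.0 200",
    "2008-01-05 10:13:02 10.0.0.5 GET /products.asp id=2;convert(varchar(8),0x73656c6563742031) 80 - 203.0.113.7 Mozilla/4.0 200",
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```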
Grisoft, maker of AVG antivirus and Internet security software, on Wednesday announced the acquisition of Exploit Prevention Labs, maker of the LinkScanner family of safe Web-browsing applications.
Unlike other safe-surfing applications, which tend to rely on databases, LinkScanner uses technology that determines, as the page is downloaded onto your browser, whether it is tainted with malicious software.
In CNET Reviews testing, LinkScanner has detected recent changes on Web pages where other safe-surfing applications, such as McAfee SiteAdvisor, have not. One limitation of LinkScanner is its inability to determine whether a page is fraudulent; LinkScanner determines only whether the page has malicious content.
Grisoft plans to host Exploit Prevention Labs' products on its site. According to Grisoft, Exploit Prevention Labs' 18 employees will join Grisoft. Roger Thompson will become chief research officer, Greg Mosher will become vice president of engineering, and Chris Weltzien will become vice president of business development.