Security

Microsoft said on Tuesday that it is investigating reports of a zero-day vulnerability affecting Windows 7 and Vista.

The flaw in Windows 7 could allow an attack which would cause a critical system error, or "blue screen of death," according to researcher Laurent Gaffie.

Gaffie wrote in his blog that the flaw lies in a Server Message Block 2 (SMB2) driver.

"SRV2.SYS fails to handle malformed SMB headers for the NEGOTIATE PROTOCOL REQUEST functionality," wrote Gaffie in a blog post Monday.

Gaffie said he had contacted Microsoft. Comments on his blog by other users said that the flaw could lead not only to denial of service, but could also lead to remote code execution.

Microsoft said in a statement on Tuesday that it was investigating, but said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact."

Computer security publication "The H" wrote on Tuesday that its German sister publication had tested the proof-of-concept code, and that while the exploit had caused a reboot on Vista, the exploit had not worked on Windows 7.

Metasploit creator HD Moore said in a tweet on Tuesday that an SMB bug appeared to have been introduced into Vista SP1. Coder Josh Goebel said in a blog post that he had added the exploit code to Metasploit.

Tom Espiner of ZDNet UK reported from London. CNET News' Ina Fried contributed to this report.

Microsoft on Tuesday issued a security advisory for a Web server flaw that was made public on Monday.

The flaw affects certain versions of Microsoft Internet Information Services product, but to be exploited it requires a user to have the FTP function enabled. The flaw could allow an attacker to take over the server.

In its advisory, Microsoft said it has not seen any active attacks, although it acknowledges that detailed exploit code was published to the Web.

Microsoft said it is still working on patching the flaw but said the advisory has advice that customers can use to protect themselves.

"Microsoft is currently working to develop a security update for this issue to address this vulnerability and will release it once it has reached an appropriate level of quality for broad distribution," Microsoft said.

In a posting on Monday, the U.S. Computer Emergency Readiness Team (US-CERT) suggested IT administrators "disable anonymous write access to the FTP server to help mitigate the vulnerability" but added that "a proper impact analysis should be performed prior to taking defensive measures."

A security researcher has released zero-day code for a flaw in the Linux kernel, saying that it bypasses security protections in the operating system.

The source code for the exploit was made available last week by researcher Brad Spengler on the Dailydave mailing list. According to the researcher, the code exploits a vulnerability in Linux version 2.6.30, and 2.6.18, and affects both 32-bit and 64-bit versions. The 2.6.18 kernel is used in Red Hat Enterprise Linux 5.

The exploit bypasses null pointer de-reference protection in the mainline kernel, which could allow an attacker to gain root control of a system, Spengler wrote.

It also uses arbitrary code execution to disable security features such as auditing, Security-Enhanced Linux (SELinux), AppArmor and Linux Security Module, while making the applications running outside the kernel believe that SELinux is still operating.

In the notes for his source code, Spengler said the exploit is strengthened if SELinux is applied to the operating system. SELinux is a set of modifications that can be applied to the kernel to harden it, by providing a set of security policies.

"Having SELinux enabled actually weakens system security for these kinds of exploits," he wrote.

Security training organization the Sans Institute called the exploit "fascinating." In a blog post on Friday, Sans Institute incident handler Bojan Zdrnja said that the exploit uses the Linux compiler to overcome the security features.

"The compiler will introduce the vulnerability to the binary code, which didn't exist in the source code," wrote Zdrnja. "This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland--and this finally pwns the box."

In his notes on the source code, Spengler said that a workaround would be for administrators to compile the kernel with fno-delete-null-pointer-checks.

Tom Espiner of ZDNet UK reported from London.

There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned.

The zero-day flaw lies in Firefox 3.5's Just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog on Wednesday. Security company Secunia rated the vulnerability as "highly critical" on Wednesday.

The hole could allow a hacker to launch a "drive-by" attack, according to Mozilla. That means an attacker may be able to execute malicious code on a target machine, if the victim visits a Web site containing an exploit.

No patch is currently available, but Mozilla developers are working on a fix. A workaround suggested in the blog post is to disable the Firefox 3.5 JIT compiler. However, Mozilla warned this would result in decreased JavaScript performance in Firefox.

The JIT compiler is part of TraceMonkey, which was added to Firefox for its 3.5 update released at the end of June. TraceMonkey is meant to optimise the browser, which is faster than previous iterations of Firefox, according to Mozilla.

On Wednesday, the United States Computer Emergency Response Team said users and administrators should completely disable JavaScript functionality in Firefox 3.5.

The Sans Institute also said people could disable JavaScript, and suggested using NoScript, an open-source Firefox plug-in that only allows script to be executed by trusted Web sites.

Tom Espiner of ZDNet UK reported from London.

Microsoft has failed to remove a long-recognized Windows Explorer security risk from Windows 7, according to security company F-Secure.

The "hide extensions" feature, which was present in Windows NT, 2000, XP, and Vista, is also included in the Windows 7 release candidate, Mikko Hypponen, F-Secure's chief research officer, said Tuesday in a blog. The feature could allow virus writers to trick users into opening and running malicious files, he added.

Images: A peek at Windows 7 release candidate

View the full gallery

"In Windows NT, 2000, XP and Vista, Explorer used to hide extensions for known file types," Hypponen said. "And virus writers used this 'feature' to make people mistake executables for stuff such as document files."

For example, malicious code writers could name a "virus.exe" file as "virus.txt.exe" or "virus.jpg.exe," he said. Windows Explorer would then hide the .exe part of the filename, meaning that the user would only see "virus.txt" or "virus.jpg." Additionally, virus writers could change the icon displayed with the file in Windows Explorer so it looks like the icon of a text file or an image. Users might then click on the disguised file.

The blog post appeared on the same day that Microsoft had been scheduled to make the Windows 7 RC1 available for download to the public, although the OS release did in fact arrive early. Microsoft made its Windows 7 release candidate available to MSDN and TechNet subscribers Thursday. Microsoft hasn't yet given a release date for the final product.

Microsoft had not responded to a request for comment at the time of writing.

Tom Espiner of ZDNet UKreported from London.

Hackers have launched attacks targeting an unpatched flaw in Microsoft PowerPoint, the company warned Thursday.

The vulnerability, which affects Microsoft Office 2000 SP3, 2002 SP3, and 2003 SP3, can be exploited by getting a person to open a PowerPoint file rigged for the attack. When the file is opened, PowerPoint will access an invalid object in memory. That then allows an attacker to remotely execute code on the system.

In a security advisory, Microsoft said that at present, attacks are not widespread but are tailored to affect specific victims.

"Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially crafted PowerPoint file," said the advisory. "At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability."

While there is currently no fix for the PowerPoint flaw, Microsoft said that it may release one outside its monthly patching schedule. Workarounds suggested by the company include not opening files received from untrusted sources, using the Microsoft Office Isolated Conversion Environment (MOICE) to open untrusted files, and using Microsoft Office File Block policy to restrict the opening of Office 2003 and earlier documents.

Microsoft's last major PowerPoint patches were released in August.

Tom Espiner of ZDNet UK reported from London.

Even worm creators write buggy software.

Once it infects a computer, the Conficker worm closes the hole in Windows that it used to get onto the system so no other malware can get in. This also makes it difficult for organizations to detect which computers have the legitimate Microsoft patch and which have the fake Conficker patch.

However, Conficker's "patch" has a weakness that can be used to distinguish between patched computers and infected computers that look patched, according to the nonprofit Honeynet Project.

Some of the researchers have released a proof-of-concept scanner that can be used to detect Conficker. The tool is being integrated into the free nMap vulnerability scanner, as well as scanning tools from companies including Qualys, nCircle, and Tenable. The tools are designed for use by network administrators at companies and not consumer users.

"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive who worked with The Honeynet Project, wrote on his blog. "We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

Qualys' remote-detection Conficker scanner is automatically available to its subscribers and will be available to others soon, said Wolfgang Kandek, Qualys' chief technology officer.

The worm has been around since November, but the most recent variant is programmed to connect to other computers on April 1 and as a result has triggered mass confusion and a media frenzy.

The worm exploits a vulnerability in Windows that Microsoft patched in October, as well as through network shares and removable storage devices like USB drives.

The latest variant shuts down security services, blocks connections to security Web sites, downloads a Trojan, and connects to other infected computers via peer-to-peer technology. It also includes a list of 50,000 different domains to reach out to for updated copies or instructions, but only 500 of those will be contacted on April 1. Earlier versions of the worm attempted to contact 250 domains.

A quick way to tell if your computer is infected is to try to access the Web site of a major antivirus vendor, which the worm blocks.

The U.S. Department of Homeland Security has released a Conficker detection tool for government agencies and state and local governments to use that ws developed by US-CERT.

The OpenDNS security services provider blocks access to the domains listed in the Conficker code. Microsoft has more information on its site, as does Symantec. The Web site of the Conficker Working Group, which is composed of companies allied to combat Conficker, also has information and worm removal tools.

Asked what impact the Conficker worm will have on Wednesday, Kandek said:

"I don't think anything is going to happen. Conficker authors are smart and determined people. They have a huge botnet in their hands, which they will try to get money from. It's better for them to fly under the radar and maintain as many machines from that botnet as possible. The real issue is this is a really good worm and...people are learning to write these things better and better."

Does that mean the next version will fix the flaw in the code?

Update at 8:45 a.m. PST: Information from security firm Symantec added.

Attackers are making the rounds and exploiting a critical security flaw in Adobe Reader 9 and Acrobat 9.

Earlier versions of the PDF-related software are also affected by the critical security flaw, which could cause the applications to crash and potentially let an attacker gain control of a person's computer, Adobe Systems warned Thursday.

Reports also surfaced that attackers have developed an exploit and are taking advantage of the flaw, the company said.

Adobe has yet to develop an update to address the vulnerability but noted it expects to have one ready for Adobe Reader 9 and Acrobat 9 by March 11. After that, the company expects to launch updates for the earlier versions of the software going back to Adobe Reader 7 and Acrobat 7.

Until then, Adobe advises, people should update their virus definitions and exercise caution when opening documents from unknown sources.

Security company McAfee noted in a blog that the current attacks appear to be targeted ones but that it expects new variants of the exploit to make the rounds as more information becomes public.

In its posting, McAfee said that malicious PDF documents began to surface at the start of the year, exploiting a vulnerability in Adobe Reader versions 8 and 9. The attackers can then take advantage of a bug in Reader to overwrite memory at gain control of executing code. After that, attackers can install a Trojan horse and from there add a proverbial backdoor to a person's computer to remotely control and monitor the infected system.

Symantec, meanwhile, reports seeing the exploit used against only a few government agencies and large corporations, and within those organizations, only a few people are targeted, said Kevin Haley, a Symantec Security Response director.

"We've seen it used in only a few small places, so it tells us it's a targeted attack and someone is not trying to use it in a widespread way," Haley said, noting fewer than 100 people have been affected since it noticed the attacks on February 12.

But he added it seems likely other attackers may try to exploit the Adobe vulnerabilities and that the range of exploits may grow beyond the malware that Symantec calls Trojan.Pidief.E.

In its blog on Trojan.Pidief.E, Symantec advices users to consider disabling JavaScript in Adobe Reader and has provided instructions in a blog on a different issue.

Apple has issued a critical security update for QuickTime media player, aimed at resolving vulnerabilities that could potentially allow a malicious attacker to take control of a person's computer, according to an Apple advisory released this week.

People running QuickTime 7 for Windows and for Mac OS X, are affected, as well as those who are using Mac OS X 10.4 or Mac OS X 10.5, according to Apple.

Apple is advising people to update to QuickTime 7.6 for Windows, QuickTime 7.6 for Leopard, or QuickTime 7.6 for Tiger.

The update seeks to address QuickTime security flaws that could potentially allow a malicious attacker to launch a buffer overflow and execute arbitrary code on a user's system.

The attack could potentially occur via a maliciously crafted movie file, AVI movie file, QTVR movie file, or an RTSP URL, according to Apple.

Security researcher Secunia, in an advisory released Thursday, noted the vulnerabilities are considered "highly critical."