Just by opening a directory containing the infected shortcut will get user infected. Once the infected shortcut icon is displayed in Windows Explorer, malicious code is launched without any further user interaction. Hackers have already developed malware that spreads via USB sticks, using this vulnerabilities.  Independent security researcher Frank Boldewin had found the attack is currently targeted toward the WinCC SCADA system by Siemens. “Looks like this malware was made for espionage,” Boldewin writes.

On Sunday, a researcher known as “Ivanlef0u” published aproof-of-concept code to several locations on the Internet. There is already a Metasploit module that implements the exploit with the WebDAV method.

To protect yourself from the attack, Microsoft suggests disabling the displaying of icon for shortcut and turning off WebClient service as workarounds against possible attacks. Please reference Microsoft advisory for details of how to “Disable the displaying of icons for shortcuts“. Another way to protect yourself is to use Didier Stevens’ tool Ariad .

Additional information on the flaw can be found in a blog post by the SANS Institute’s Internet Storm Centre here.

source:

Experts Warn of New Windows Shortcut Flaw

MS confirms Windows shortcut zero-day flaw

Preempting a Major Issue Due to the LNK Vulnerability – Raising Infocon to Yellow

The classical approach to analyze malware is to set up a virtual machine on a computer specifically designed for that purpose and then release the malware and monitor how it affects the system. The drawback of this protocol is that much of the malware’s behavior can remain hidden, while deeper analysis is not a convenient option.

REMnux comes as a solution to these disadvantages and offers an alternative approach for taking apart a malicious code. Typically, infection of another laboratory system with the malware sample is followed by direction of the potentially-malicious connections to the REMnux “monitoring” ports.

This approach combines a generous number of popular malware-analysis, reverse-engineering, network monitoring, and memory forensic tools. Amongst them, REMnux contains three tools for analyzing Flash-specific malware, namely SWF tools, Flasm, and Flare. Furthermore, it contains several applications for analyzing malicious PDFs, such as the Didier Steven’s analysis tools. The OS also provides a lot of tools for de-obfucating JavaScript, including Rhino debugger, a NoScript-version of Firefox, JavaScript Deobfuscator and Firebug, and Windows Script Decoder. In addition to the above analysis tools, a small Web server, an IRC server, and a pseudo-DNS server are also included. Further, several tools for network monitoring and interactions, such as the virtual honeypot server, HoneyD, as well as Wireshark, INetSim, fakedns and fakesmtp scripts, and NetCat are also part of REMnux.

Behind the development of REMnux stands the idea of providing a useful set of tools for people interested in the field, rather than a be-all reverse-engineering environment. As Zeltser himself puts it: “This doesn’t have every tool in it, because I think people can get distracted with too many tools in there”. On the contrary, Zeltser states that this OS targets beginners or people that are not Linux experts. He also hopes that users’ input and comments will aid in further development of REMnux to reach an improved version of the OS.

Any interested and adventurous potential developers, who would like to contribute to the improvement of REMnux,  are welcomed to contact Lenny Zelter directly.

John Aycock who co-authored a paper with assistant professor Mea Wang and students Daniel Medeiros Nunes de Castro and Eric Lin have come up with solutions which support computers with security defences against threats of various Adwares like the Typhoid Adware.

Click here for more information.

http://news.cnet.com/8301-27080_3-20005420-245.html?tag=mncol;title

http://www.microsoft.com/technet/security/advisory/2028859.mspx

http://secunia.com/advisories/39577

The scripts on the page check for installed plugins and compare the version of the installed plugin with the latest version that is offered officially by the developer of the plugin. Some supported plug-ins (among others) are Apple Quicktime, Shockwave Flash, Adobe Acrobat, Java, RealPlayer and Windows Media Player plugins. Furthermore the Mozila Firefox development team now extends the page to support all the popular browsers.

The service checks the browser plug-ins on Internet Explorer, Chrome, Opera, Safari and Firefox. This special page promises to check these plug-ins for you, and advise you of when it is time to update. Johnathan Nightingale, director of Firefox development, claimed that in the months since the page was deployed, it had seen over 60 per cent of Adobe Flash users with the most recent version, with the number growing to more than 75 per cent if the second most recent update is included.He said: “We believe that plug-in safety is an issue for the web as a whole, so while our initial efforts focused on building a page that would work for Firefox users, the team has since expanded plug-in check coverage to work with Safari 4, Chrome 4 and Opera 10.5.“We have added support for Internet Explorer 7 and 8 for the most popular plug-ins, as well, but since IE requires specific code to be written for each plug-in it will take us a little longer to get to full coverage.“This has been a phenomenal amount of work to develop and test, and the matrix of browser, plug-in and OS grows very quickly.”

Plugins are either rated as safe or potentially vulnerable (there might be a third rating for vulnerable plugins). An update button is displayed next to potentially vulnerable plugins which should lead to a download page to update the latest version of the plugin. Some plugins do not reveal their full version which means that they will be shown as potentially vulnerable even if the latest version is installed.

Graham Cluley, senior technology consultant at Sophos, said: “It’s great that Mozilla has extended its service to offer an additional security check for users of other browsers. Hopefully it will encourage more computer users to keep their systems patched, and make life more difficult for hackers.”

You can check your plugins here and you can find more on this project here.

References : scmagazineuk

The IE8 filter works by scanning outbound requests for strings that may be malicious. When such a string is detected, IE8 will dynamically generate a regular expression matching the outbound string. The browser then looks for the same pattern in responses from the server. If a match is made anywhere in the server’s response, the browser assumes that a reflected XSS attack is being conducted and the browser will automatically alter the response so that the XSS attack will be unsuccessful.

For the most part, this neutering mechanism is effective at blocking certain types of XSS attacks from occurring. However, altering a server’s response before it gets rendered by the browser may have unintended consequences.
The researchers figured out a way to use IE8′s altered response to conduct simple abuses and universal cross-site scripting attacks, which worked against sites that would not otherwise have been vulnerable to XSS attacks. Moreover the filter can be used in order to disable client-side security functionality from working by faking a XSS attack in the incoming string. Additionally it can be used to inject HTML code because the browser will improperly interpret the “malicious” JavaScript.

The researchers who discover these vulnerabilities are suggesting techniques to close the hole in IE 8 filter.One way is to disable execution of a filtered string found to be an attack by the users browser. Another possible technique is to utilize site-wide anti-CSRF tokens that prevent any sort of XSS from being exploited in the first place.

Microsoft will update the IE cross-site scripting (XSS) filter in June to fix the hole that researchers discover.

For more information on the IE8 filter vulnerabilities you can read the researchers documentation here.

References: Slashdot , Cnet, ZDnet

The security issue affects current version of Safari (v. 4.0.5) for Microsoft Windows (confirmed) and probably for Mac. Earlier versions of Safari might also be vulnerable. Successful exploitation of the issue leads to remote code execution or exposure of victim’s private data. Secunia has released advisory SA39670, which explains that the flaw exists because of ‘a use-after-free error when handling pop-up boxes created from a child window’ which can result in a function call using an invalid pointer. It is also stated that it ‘can be exploited to execute arbitrary code when a user visits a specially crafted web page’. Another issue mentioned is that Safari includes HTTP basic authentication credentials in an HTTP request if a web page that requires HTTP basic authentication redirects to a different domain (e.g. via a “Location” header).

Secunia’s advisory includes the full exploit code available to public in Original Advisory section. The vulnerability is not patched yet, so Secunia advices Safari users to disable Javascript, do not follow unsolicited links and do not authenticate to sites which use redirections using HTTP basic authentication.

CVE Reference: CVE-2010-1939

An example of that kind of messages is shown below.

The link seems to lead to an image file, as you can see from the above image. If the link is clicked on, the browser will present a page that looks like the RapidShare Web hosting site, trying to make the victim download a compressed file that contains a malicious executable file whose extension is .com.

The next step is sending itself through messages, that include malicious links to a variety of files, to the contacts of the victim’s e-mail list. Since the worm has infected the victim, it is able to receive remote commands, spread through USB drives, avoid antivirus detection and conceal its existence.

References:
CNET NEWS

source:

http://www.theregister.co.uk/2010/05/12/may_patch_tuesday/

http://www.microsoft.com/technet/security/Bulletin/MS10-030.mspx

For this reason Microsoft update IE 8 and contains a new feature to detect reflected cross-site scripting (XSS) vulnerabilities. This feature is the XSS filter that discovers likely XSS in a cross-site request, it identifies and neuters the attack if it is replayed in the server’s response. After that, the web page has been modified and the XSS attack is blocked. The user of IE 8 can control the XSS filter using the Internet Control Panel.

Last but not least, recently disclosed reserch has identified a flaw with the XSS filter included with IE 8 that allows for XSS attacks against sites that would otherwise not be vulnerable to that particular attack. Microsoft has responded that they are continually updating the filter to address the changing nature of XSS attack vectors.