Microsoft has reported a critical new vulnerability in Microsoft DirectX affecting older versions of Windows. The vulnerability could allow remote code execution if a user opens a rogue QuickTime media file. Microsoft reports limited, active attacks that use this exploit code.
The vulnerability exists in the way a DirectX application programming interface known as DirectShow handles supported QuickTime files. By manipulating the format, attackers can gain the same system privileges assigned to the logged-in user. The Microsoft Security Advisory states: “If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
All versions of Windows Vista, Windows Server 2008, and the beta version of Windows 7 are NOT vulnerable. In addition, Apple’s Quick Time player is NOT affected.
Please consult the official Microsoft Security Advisory for details on workarounds, fixes and patch availability.
Microsoft has issued a workaround that disables the automatic QuickTime parsing on machines running Window 2000, Windows XP or Windows Server 2003.
While AV protection and firewalls can mitigate attacks to port 445, the best defense is to ensure all PCs are up-to-date for Microsoft security changes. For example, an unpatched PC might become infected if their firewall fails or isn't active when connected to the Internet. If this worm were present on a laptop, it could infect unpatched corporate web servers and PCs if Intranet firewall controls are missing.
This new worm represents the most advanced MS08-067 attacks to date. As noted in every link, it's important to PATCH NOW if you have any systems that don't have this update.
New malware using an ms08-067 exploit gained momentum
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/
http://isc.sans.org/diary.html?storyid=5401
QUOTE: First let me say, “PATCH your systems” if you have not done so already! Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!
According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000. Once loaded in the service space, the worm attempts to download files from the Internet.
The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.
W32/Conficker.worm Detailed Information
http://vil.nai.com/vil/content/v_153464.htm
http://www.f-secure.com/v-descs/worm_w32_downadup_a.shtml
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EA&VSect=P
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
Trend - Behavioral Diagram
http://www.trendmicro.com/vinfo/images/blog/DOWNAD123.jpg
PATCH NOW - if there are any servers or PCs that are not update for Microsoft security releases. Home users can employ the Windows Update process. More information can be found in the link below:
MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Security researchers at Microsoft Corp. Tuesday warned of a significant climb in exploits of a Windows bug it patched with an emergency fix last month, confirming earlier reports by Symantec Corp.
Microsoft again urged users to apply the MS08-067 patch if they have not already done so.
The new attacks, which Microsoft's Malware Protection Center said began over the weekend but spiked in the past two days, use the same worm Symantec first spotted last Friday.
Dubbed "Conficker.a" by Microsoft and "Downadup" by Symantec, the worm exploits the vulnerability in the Windows Server service, used by all versions of the operating system to connect to file and print servers on a network. Microsoft patched the bug in an out-of-cycle update five weeks ago after it discovered a small number of infected PCs, most of them in Southeast Asia.
Microsoft has released Service Pack 3 for Windows XP. Unsurprisingly, it's having some problems.
The biggest problem is that some systems reboot endlessly, ending in blue screens every time. Microsoft says in KB888372 that this happens when an AMD-based system has a disk image originally developed on an Intel-based system. Apparently, many HP systems did this, although HP wasn't commenting. This configuration dies in SP3 because that section of the registry isn't used anymore ("orphaned"), and the system ends up trying to load both the AMD and the Intel drivers. Bad things happen after that.
This shouldn't be a problem with Dell computers, they stick to Intel - but keep it in mind for any AMD-based XP systems you know about. The KnowledgeBase article, I'm told, has instructions for preventing this from happening, or for fixing it afterwards, provided you can find away to boot into Safe mode.
Good luck and get a Mac or Linux-Based system.
Posts
