Posts tagged as:

Advisory

Sunbelt warning of faked sites

by certifiedbug on May 23, 2008

in Security

Alex Eckelberry writes about a “Rash of fake sites copying PC World, CastleCops, others” at the Sunbelt blog.

As a follow-up to my post earlier today about a fake CastleCops page, there’s more to the story.

There are other domains sharing the same IP (207.226.177.250):

pepato org
slim-cash com
spyware-wiper com
Cpaypal com
Crazycounter net

All are copying legitimate sites.

These domains belong to the “Vladzone” malware gang.

Check out the screenshots if you don’t think you could be fooled. The fake sites look very similar to the real thing, so be careful.

Edit: Sunbelt: More Vladzone fake pages

Foxit Reader Critical Vulnerability

by certifiedbug on May 20, 2008

in Security

Secunia Research 20/05/2008

Foxit Reader “util.printf()” Buffer Overflow.

1) Affected Software
* Foxit Reader 2.3 build 2825
NOTE: Other versions may also be affected.

2) Severity
Rating: Highly critical
Impact: From remote
Where: System access

3) Vendor’s Description of Software
“Foxit Reader is a free PDF document viewer and printer, with incredible small size (only 2.55 M download size), breezing-fast launch speed and rich feature set. Foxit Reader supports Windows Me/2000/XP/2003/Vista. Its core function is compatible with PDF Standard 1.7.”
Product Link:
http://www.foxitsoftware.com/pdf/rd_intro.php

4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Foxit Reader, which
can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to a boundary error when parsing
format strings containing a floating point specifier in the
“util.printf()” JavaScript function. This can be exploited to cause a
stack-based buffer overflow via a specially crafted PDF file.
Successful exploitation allows execution of arbitrary code.

5) Solution
The vulnerability is fixed in upcoming version 2.3 build 2912.

6) Time Table
23/04/2008 - Vendor notified.
08/05/2008 - Vendor notified again.
08/05/2008 - Vendor response.
20/05/2008 - Public disclosure.

Apple Safari 3.1 for Windows, new vulnerabilities

by certifiedbug on March 25, 2008

in Browser

Apple: “Engineers designed Safari to be secure from day one.”

Secunia Advisory: SA29483
Release Date: 2008-03-24
Safari Address Bar Spoofing and Memory Corruption Vulnerabilities

Criticality: Highly critical
Impact: Spoofing, System access
Where: From remote
Solution Status: Unpatched

Description:
Juan Pablo Lopez Yacubian has discovered two vulnerabilities in Safari, which can be exploited by malicious people to conduct spoofing attacks or potentially compromise a user’s system.

1) An error when downloading e.g. a .ZIP file with an overly long filename can be exploited to cause a memory corruption.

Successful exploitation may allow execution of arbitrary code.

2) An error in the handling of windows can be exploited to display arbitrary content while showing the URL of a trusted web site in the address bar.

The vulnerabilities are confirmed in version 3.1 for Windows. Other versions may also be affected.

Dangerous 3D Screensaver spam

by certifiedbug on March 10, 2008

in Security

Be mindful of malicious spam pushing screensavers with backdoor trojan payloads.

According to Sunbelt’s blog, the trail of this new wave of spam leads back to the malware loading group “Loads.cc”, who are using a new domain for their botnets after being taken off-line in January 2008 by a DDoS attack from a rival malware gang.

October 2007 Article at PCWorld.

Storm Worm botnet

by certifiedbug on December 31, 2007

in Security

Storm is evolving into a very complex beast.

From rbnexploit.blogspot

Obviously the Russian Business Network (RBN) is working overtime during the Christmas and New Year holiday, no doubt planning for many in the ISP security and anti-spam arena to be on skeleton staff.

There are some interesting elements which make this attack innovative:

1. Although much of what is detected is conventional spam, there is also a large amount of spam which is getting through many anti-spam defenses due to the use of “fake” BlogSpot (Blogger) links.

2. Although most have identified it as the Zhelatin Storm email worm or a variant, it also appears as the more recent fake codec downloads, dependent upon where the unfortunate user has come from. This now shows a “polymorphic” format, i.e. the virus or exploit has the ability to alter its signature in an attempt to combat anti-virus tools.

RBN – New and Improved Storm Botnet for 2008

Source: Harry Waldron

Intertwined. Malware on Google Blogspot

Users are getting infected every day with no interaction required. Unlike some of these Zlob\Codec sites where users are duped into downloading something. Or the current run of Storm variants being pushed via Blogspot for that matter.

If you have the misfortune to be infected, I suggest you seek help at one of the sites listed in the right side column under “Security Forums”.

Warning about Symantec detections

by certifiedbug on November 18, 2007

in Programs, Security

If you have Norton installed on your computers you should pay attention to this.

Chris Quirke’s Blog: Norton Security Scan - False Positives

Unfortunately, it detects protective settings applied by Spyware Blaster and similar tools as being the malware these tools are protecting against.

Hosts News: Symantec detects suspicious entries in the MVPS HOSTS file

… seems Symantec added a new update SecurityRisk.URLRedir which they describe as “detection for suspicious entries added to the hosts file”
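As an added example (not from the linked posts or from Symantec), this small audit separates the blocking entries that MVPS HOSTS and SpywareBlaster write (names pointed at 0.0.0.0 or loopback, which is what the scanner flagged) from entries that redirect a hostname to a remote address, the case that actually deserves review. The HOSTS content below is constructed sample data.

```python
import ipaddress

# Constructed sample HOSTS file (not the real MVPS HOSTS file). The 0.0.0.0 and
# 127.0.0.1 entries are the blocking style MVPS HOSTS and SpywareBlaster write;
# the last two map real-looking hostnames to a remote address instead.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         ad.tracker.example          # MVPS-style block
127.0.0.1       malware-host.example  www.malware-host.example
198.51.100.23   www.bank.example            # suspicious redirect
198.51.100.23   update.antivirus.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-format text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; not a usable mapping
        for name in fields[1:]:
            yield ip, name.lower()


def classify_entry(ip, name):
    """Return 'local', 'block' or 'redirect' for one HOSTS mapping."""
    if name in LOCAL_NAMES:
        return "local"
    # A null route (0.0.0.0) or loopback target only stops the name from
    # reaching its real host: a protective setting, not a redirection.
    if ip.is_unspecified or ip.is_loopback:
        return "block"
    return "redirect"


def audit_hosts(text):
    """Group HOSTS mappings by class so only redirects need manual review."""
    report = {"local": [], "block": [], "redirect": []}
    for ip, name in parse_hosts(text):
        report[classify_entry(ip, name)].append((str(ip), name))
    return report
```

Running `audit_hosts` over a system's real HOSTS file and reviewing only the `redirect` group gives the check the scanner's false positives called for.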

Holiday Shopping On-Line

by certifiedbug on November 16, 2007

in This and That

It is that time of year again and several blogs are giving you great tips for shopping on-line wisely and safely.

The Security Garden: Holiday Online Shopping Safety Tips

Bits from Bill: Top Ten Online Shopping Mistakes

Nonetheless, no matter how security savvy one may be, there are still ways to be ripped off and this dear reader was my experience.

I placed an order 07-11-07 with cuisineclassique.com aka sharpknives.com, for three kitchen ceramic items.

My order arrived promptly in the most horrendous packing, two of the items smashed beyond repair.

I informed customercare at cuisineclassique.com who explained they had a new person needing more shipping and handling training. They asked me to make a claim with UPS which I did, and they would send me a replacement.

So far so good, they seemed like decent people, however the replacement never arrived. More emails and more excuses, such as:

The package is still on the shelf in the hallway waiting for UPS to pick up.

That’s enough already, please refund > more promises > no refund.

Now I am getting pretty cranky, remember I paid for this order on 07-11-07.

9/9/2007, from the company holding my refund hostage:

We have had some very severe monsoon storms here and lost our roof in one of them. Our phones have been out and our internet service has been spotty at best. Between the lightning strike and rain, we are just now recovering some of the lost information on our computers including our email server.
I apologize that we caused you so much aggravation.

They promised I would be reimbursed that week but holding true to the entire Cuisine Classique experience, I was never reimbursed.

Lesson number one.
I informed the company who handled the payment and was told they couldn’t do anything because I had filed a damages claim with UPS, instead of returning the package to Cuisine Classique.

Lesson number two.
UPS told me they couldn’t divulge whether they had paid Cuisine Classique on the damage claim.

One can pretty much count on it that they did. I followed their instructions to the letter in order for a valid claim to be processed.

Was Cuisine Classique paid twice for the items I ordered, once by me and also by UPS? Regardless, I still have not been refunded.

How great is that. By the way, I told Cuisine Classique several times I would be blogging this if I did not receive a refund.

Guess they didn’t care.

Mac OS X Leopard Application-Based Firewall Alert

by certifiedbug on November 5, 2007

in Security

Possible Faults:

US-CERT is aware of reports of possible flaws in the Application-Based Firewall in Mac OS X Leopard. According to these reports, users may be misinformed of the status of their firewall rule set, thus placing users with listening network services at an increased risk.

Users are urged to exercise caution when relying on the firewall rules for access control.

US-CERT will provide additional information as it becomes available.

Mac Trojan

by certifiedbug on October 31, 2007

in Security

Mac users who practice unsafe hex will find more than they bargained for.

From Intego:

Exploit: OSX.RSPlug.A Trojan Horse
Discovered: October 30, 2007
Risk: Critical

OSX.RSPlug.A Trojan Horse Changes Local DNS Settings to Redirect to Malicious DNS Servers

Description: A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following:

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.

After the page loads, a disk image (.dmg) file automatically downloads to the user’s Mac. If the user has checked Open “Safe” Files After Downloading in Safari’s General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg.

If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator’s password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.

Intego Press Release

Sunbelt Blog: Screenshot
Commentary: Mac trojan overhype? You tell me.

Well, we knew it was coming; Apple users may get hit hard now if the malware gangs are targeting them.

Vnunet.com UPDATE: McAfee has confirmed the OSX.RSPlug.A trojan and reported that it is spreading through fake codec sites in addition to the porn website.

Update To Security Advisory 943521

by certifiedbug on October 25, 2007

in Microsoft, Security

The Microsoft Security Response Center (MSRC)

This week we became aware of publicly disclosed exploit code being used in limited attacks on customers. This change in the threat landscape has prompted us to update last week’s Security Advisory 943521 and triggered our Software Security Incident Response Plan (SSIRP).

Third party applications are currently being used as the vector for attack and customers who have applied the security updates available from these vendors are currently protected. However, because the vulnerability mentioned in this advisory is in the Microsoft Windows ShellExecute function, these third party updates do not resolve the vulnerability – they just close an attack vector.

Article: October 25th Update.
