Microsoft has announced that they have discovered a vulnerability in DirectShow. Exploitation of the vulnerability could allow a criminal to run code of their choice in the victim’s security context simply by the victim browsing to a website while allowing scripts to run. The browser being used doesn’t matter providing it allows scripting. Microsoft is aware of limited attacks in-the-wild. Patches are being developed.

All versions of Windows are vulnerable, except Vista and Server 2008. It is worth noting that DirectShow was patched for similar vulnerabilities in April 2009, and previously in December of 2007. Neither of those vulnerabilities was ever significantly exploited.

(more…)

Verizon Business customers, and security professionals generally, should resist succumbing to a herd mentality and fear of the unknown surrounding the Conficker worm. In most respects, Conficker (a.k.a. Downadup or Kido) is just another piece of crimeware threatening Windows computers. The known risks it represents are minimal; so far, versions A and B simply spread and version C is presently dormant. They impact the integrity of infected systems but the costs are limited to disinfection. Our defenses are set and we are alert for significant changes in the risk environment if they come, but risk has changed little at this time regardless of the apparent desire of the technical press and the blogosphere to indicate otherwise.

Conficker is not generating spam revenue for the outlaws, nor is it exporting data from infected systems or any of the other myriad of hostile activities current crimeware usually exhibits. Infected systems are under the control of a criminal and could begin executing more criminal instructions. On April 1st, 2009, version C is expected to begin listening for instructions from its master(s) using a new Command and Control (C&C) method.

(more…)

So rumors abound that a paper and exploit code will be published today that use a vulnerability in a processor’s caching mechanism to install code that is being called “undetectable.”

If it appears that we’re obviously not stating names and vendors, you’re right, we aren’t. At the time of writing all we’ve seen is speculation.

But let’s just take one aspect of the current hoopla: “Can something be installed on your computer and become undetectable?”

(more…)

Today Microsoft released a patch for the “click-jacking” vulnerability announced by Robert Hanson in September. The issue, as you may remember, was that exploiting this vulnerability (in all versions of XMLHTTP but 3.0) allowed him to cause your click on a web page to be directed at anything he wanted. So you might have thought you were clicking a URL to http://securityblog.verizonbusiness.com, but you’d visit http://Ive_Got_You_Now_Sucker.com.

(more…)

From January to July 2008 Microsoft’s technologies disinfected just over 8 million more computers than it did in the previous six month period according to their just released 5th Security Intelligence Report.

Such a statement will make many jump to the conclusion that the state of crimeware is getting worse. But such a conclusion may not be accurate. For example, the increase in distinct computers cleansed in this latest period is just under 50%, whereas in the 2H07 report the increase was just over 79%. The increase in 1H07 was 95%. So the percentage increase this time around is smaller than it has been previously. The same can be said for the number of distinct infections cleansed. 1H08 was 47% higher than 2H07, but 2H07 was 219% higher than 1H07 and 1H07 was 80% higher than 2H06.

(more…)

By Peter Tippett and Russ Cooper

There is a huge amount of angst, discussion, testing and endless worry about the “new DNS vulnerability” whose existence was published a few weeks ago concurrent with a coordinated patch release. Its dastardly “vulnerability” or “threat scenario” will be disclosed in full in early August. The worry is that, once fully disclosed, the unprepared world will be at risk—or at least large portions will be—and whole new categories of exploit will suddenly be possible…or something like that.

Let’s get out a few facts, and then discuss some hypothetical attacks. We’ll assume the extremes and see just how a very old and well-understood vulnerability might behave differently if, for example, a simple cache poisoning attack tool or technique were released. [For a primer on DNS look here. For a primer on DNS Cache Poisoning look here.]

(more…)

by Dave Kennedy

Implementations of the Domain Name Servers (DNS) protocol may leave systems vulnerable to DNS cache poisoning attacks. Last week many incident response teams, along with software and hardware vendors, issued security bulletins and patches to reduce this risk. Cache poisoning attacks are almost as old as the DNS system itself. Enterprises already protect and monitor their DNS systems to prevent and detect cache-poisoning attacks. There has been no increase in reports of cache poisoning attacks and no reports of attacks on this specific vulnerability. DNS is infrastructure. Infrastructure must be trusted, and it must be perceived as trustworthy. (more…)

By Peter Tippett and Wade Baker

Studies are useful to help us to learn what works and what does not. Studies of other’s experiences, such as The Verizon Business 2008 Data Breach Investigations Report, are especially instructive. But most of us crave to actually understand why events play out as they do, and to be able to accurately predict what the results of those studies will be. Risk models can be very useful in driving our understanding.

(more…)