September 2, 2010

September Is The Buggiest Month

One could argue that August 2010 was The Month of 0-dayz with the release of the Windows Application DLL Loading Hijacking Thing.

I am sure you know about it by now. Originally discovered by Acros and published as Remote Binary Planting in Apple iTunes for Windows, and then soon after re-researched by HD Moore to uncover the full extent of the problem. The bug lies in the order in which Windows searches directories when an application loads any DLL not listed in the KnownDLLs registry key. Bojan Zdrnja wrote an in-depth and nuff technical ISC Diary post explaining the bug in detail.

Check also the Rapid7 blog post and the Metasploit blog post by HD Moore for details and updates. Reportedly hundreds of Windows applications are affected. The 0-day of all time, maybe? In any case it is as huge as the media coverage suggests.

The 0-day stream definitely continues in September, as the Abyssec Security Team is holding the Month Of Abyssec Undisclosed Bugs in collaboration with exploit-db.com.

The first four are out. They are very detailed advisories. Adobe Reader and Flash Player (advisory with unstable exploit), QuickTime (advisory with Proof-of-Concept), CPanel (advisory) and Rainbowportal (XSS and SQL Injection) are affected so far. If Abyssec continues at the pace set on the first two days, there will be about 56 more 0-dayz out before the month is over.

It's actually already the second 0-day for QuickTime this week. There was a very curious one published on Monday. See the Bugtraq post by Reversemode about it. Gotta love the naming of the properties here, btw.

It's full disclosure with Proof-of-Concept code, apparently quite trivial to exploit, works via Internet Explorer (if any QuickTime components are installed on the system) and allows code execution in the context of the web browser or QuickTime Player with the user's privileges.

Enough bugs around. Good time to chill out with QuickTime at least. On Windows workstations you may want to set the kill bit on the following CLSIDs in order to at least prevent drive-by exploitation via Internet Explorer.

{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
{4063BE15-3B08-470D-A0D5-B37161CFFD69}

Or, even better, temporarily block all the file types (attack vectors) associated with the vulnerable QuickTime Player by _deleting_ ALL registry keys matching

HKEY_CLASSES_ROOT\QuickTime.*

Back them up first so that QuickTime functionality can be restored after the vulnerability has been fixed. There are multiple such keys.
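As an added example (not part of the original post), here is a PowerShell script that applies both mitigations above: it sets the kill bit on the two CLSIDs quoted in the post, then exports every HKEY_CLASSES_ROOT\QuickTime.* key to a .reg file before deleting it. The backup directory path is an assumed placeholder; run the script from an elevated prompt.

```powershell
# Added example, not from the original post: QuickTime workaround on Windows.
# Assumptions: CLSIDs are the two quoted in the post; $backupDir is a placeholder.
$clsids = @(
    '{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}',
    '{4063BE15-3B08-470D-A0D5-B37161CFFD69}'
)
$backupDir = 'C:\QuickTimeRegBackup'   # placeholder, change as needed

# 1. Kill bit: IE refuses to instantiate an ActiveX control whose CLSID carries
#    "Compatibility Flags" = 0x400 under the ActiveX Compatibility key.
$axCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
foreach ($clsid in $clsids) {
    $key = "$axCompat\$clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value 0x400 -Force | Out-Null
    Write-Host "Kill bit set for $clsid"
}

# 2. Export, then remove, every HKEY_CLASSES_ROOT\QuickTime.* key so the
#    file-type associations (the drive-by vectors) are gone until patched.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$qtKeys = Get-ChildItem 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'QuickTime.*' }
foreach ($k in $qtKeys) {
    $name    = $k.PSChildName
    $regPath = "HKEY_CLASSES_ROOT\$name"
    $file    = Join-Path $backupDir "$name.reg"
    # reg.exe export writes a .reg file that "reg.exe import" can restore later
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Remove-Item -Path "Registry::$regPath" -Recurse -Force
        Write-Host "Backed up and removed $regPath -> $file"
    } else {
        Write-Warning "Export of $regPath failed; key left in place"
    }
}

# Restore after patching:
#   Get-ChildItem $backupDir -Filter *.reg | ForEach-Object { reg.exe import $_.FullName }
```

On 64-bit Windows, the 32-bit Internet Explorer reads kill bits from the Wow6432Node copy of the ActiveX Compatibility key as well, so repeat step 1 there if that is the browser in use.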