Advertisement
  • About the Author
  • About this Blog

    • Posts Tagged: FixIt

    Latest Warnings / Security Tools17 Comments
    4
    Nov 11

    Microsoft Issues Stopgap Fix for ‘Duqu’ Flaw

    Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the “Duqu” Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet.

    According to the advisory, the critical vulnerability resides in most supported versions of Windows, including Windows XP, Vista and Windows 7. The problem stems from the way Windows parses certain font types. Microsoft says it is aware of targeted attacks exploiting this flaw, but that it believes few users have been affected.

    Nevertheless, the flaw is a dangerous one. Microsoft said that an attacker who successfully exploited this vulnerability could run arbitrary code, install programs; view, change, or delete data; or create new accounts with full user rights. The most likely vehicle for the exploit is a poisoned email attachment.

    Microsoft is working on developing an official security update to fix the flaw. For now, it has released a point-and-click Fixit tool that allows Windows users to disable the vulnerable component. Enabling this tweak may cause fonts in some applications to display improperly. If you experience problems after applying the Fixit solution, you can always undo it by clicking “disable” image in the Microsoft advisory and following the prompts.

    Update, Nov. 10, 9:22 a.m. ET: As several readers have noted, installing this FixIt may cause Windows Update to repeatedly ask prompt you to install two particular updates: KB972270, and KB982132. Uninstalling the FixIt seems to stop these incessant prompts, although it leaves the vulnerable Windows component exposed.

    Latest Warnings / The Coming Storm24 Comments
    14
    Mar 11

    Adobe: Attacks on Flash Player Flaw

    Adobe warned today attackers are exploiting a previously unknown security flaw in all supported versions of its Flash Player software. The company said the same vulnerability exists in Adobe Reader and Acrobat, but that it hasn’t yet seen attacks targeting the flaw in those programs.

    In an advisory released today, Adobe said malicious hackers were exploiting a critical security hole in Flash (up to and including the latest version of Flash. The software maker warned the vulnerability also exists in Adobe Flash player 10.2.152.33 and earlier versions for Windows, Mac, Linux and Solaris operating systems (10.2.154.13 and earlier for Chrome users), Flash Player 101.106.16 and earlier for Android. In addition, Adobe believes the bug lives in the “authplay.dll” component that ships with Adobe Reader and Acrobat X (10.0.1) and earlier 10.x and 9.x versions for Windows and Mac systems.

    Adobe warns that the security hole is currently being exploited via Flash (.swf) files embedded in a Microsoft Excel document delivered as an email attachment. Why someone would need to embed a Flash file in an Excel document is anyone’s guess.

    Continue reading →

    Latest Warnings / Time to Patch14 Comments
    1
    Sep 10

    MS Fix Shores Up Security for Windows Users

    Microsoft has released a point-and-click tool to help protect Windows users from a broad category of security threats that stem from a mix of insecure default behaviors in Windows and poorly written third-party applications.

    My explanation of the reason that this is a big deal may seem a bit geeky and esoteric, but it’s a good idea for people to have a basic understanding of the threat because a number of examples of how to exploit the situation have already been posted online. Readers who’d prefer to skip the diagnosis and go straight to the treatment can click here.

    DLL Hijacking

    Windows relies heavily on powerful chunks of computer code called “dynamic link libraries” or DLLs. Each of these DLLs performs a specific set of commonly-used functions, and they are designed so that Windows can share these functions with other third-party programs that may want to invoke them for their own purposes. Many third-party apps will load these DLLs or bring their own when they first start up and often while they’re already running.

    Typically, DLLs are stored in key places, such as the Windows System (or System32) directory, or in the directory from which the application was loaded. Ideally, applications will let Windows know where to find the DLLs they need, but many do not.

    The potential for trouble starts when an application requests a specific DLL that doesn’t exist on the system. At that point, Windows sets off searching for it — looking in the above-mentioned key places first. But eventually, if Windows doesn’t find the DLL there or in a couple of other places, it will look in the user’s current directory, which could be the Windows Desktop, a removable device such as a USB key, or a folder shared on a local or remote network.

    And while an attacker may not have permission to write files to the Windows system or program directories, he may be able to supply his own malicious DLL from a local or remote file directory, according to the U.S. Computer Emergency Readiness Team.

    Several months ago, experts from a Slovenian security firm warned that hundreds of third-party applications were vulnerable to remote attacks that could trick those apps into loading and running malicious DLLs. According to the Exploit Database — which has been tracking confirmed reports of applications that are vulnerable to this attack — vulnerable apps include Windows Live Mail, Windows Movie Maker, Microsoft Office Powerpoint 2007, Skype, Opera, Medialplayer Classic and uTorrent, to name just a few.

    The FixIt Tool

    Roughly one week ago, Microsoft released a workaround tool to help users and system administrators blunt the threat from all of this by blocking insecure DLLs from loading from remote and local file sharing locations. But the tool wasn’t exactly made for home users: After you installed and rebooted, you still had to manually set a key in the Windows registry, an operation that can cause serious problems for Windows if done imprecisely.

    On Tuesday, Microsoft simplified things a tiny bit, by releasing one of its “FixIt” tools to make that registry fix so users don’t have to monkey around in there. Trouble is, you still need to have installed the initial workaround tool before you can install this point-and-click FixIt tool.

    It’s tough to gauge whether DLL hijacking poses the same threat to home users that it does to users on larger enterprise networks. Microsoft maintains that this class of vulnerability does not enable a “driveby” or “browse-and-get-owned” zero-click attack, but the attack scenarios Redmond describes where a Windows user could get owned by this attack probably would work against a majority of average Windows users.

    And while it may take some time for developers of vulnerable third-party apps to fix their code, Microsoft’s interim fix does add a measure of protection. If you’d like to take advantage of that protection, visit this link, scroll down to the Update Information tab, and click the package that matches your version of Windows. Install the fix and reboot Windows. Then visit this link, and click the FixIt icon in the center of the page and follow the installation prompts.

    Further reading:

    An excellent writeup on this from SANS Internet Storm Center incident handler Bojan Zdrnja.

    A discussion thread about this on DSL Reports’ security forum.

    Other33 Comments
    2
    Aug 10

    Patch for Critical Windows Flaw Available

    Microsoft today released an emergency security update to fix a critical flaw present in all supported versions of Windows. The patch comes as virus writers are starting to ramp up attacks that leverage the vulnerability.

    There are a couple of things you should know before installing this update. If you took advantage of the “FixIt” tool that Microsoft shipped last month to blunt the threat from this flaw, you should take a moment now to undo that fix. To do that, visit this link, then click the image below the “Disable Workaround” heading, and follow the prompts. You will need to reboot the system before installing the official fix released today, which is available from Windows Update.

    The patch issued today carries the Microsoft Knowledge Base (KB) number KB2286198, in case you’ve just run Windows Update and are checking to see whether this update is available to you yet.

    You will need to reboot after installing the patch. After I applied this patch and rebooted the system, Windows Explorer stalled, leaving Windows unresponsive. After a forced restart (powering the system off and then on again), my 64-bit Windows 7 system booted into Windows normally.

    When this vulnerability was initially disclosed, it was only being used in targeted attacks online. However, as Microsoft warned and others have confirmed, this vulnerability is now showing up in more mainstream attacks. Please take a moment to apply this update today if you can, particularly if your Windows system is not already protected with the FixIt tool mentioned above.

    More information on this update is available from the Microsoft bulletin. And as always, please leave a comment below if you experience any problems installing this update.

    Latest Warnings / Time to Patch32 Comments
    21
    Jul 10

    Tool Blunts Threat from Windows Shortcut Flaw

    Microsoft has released a stopgap fix to help Windows users protect themselves against threats that may try to target a newly discovered, critical security hole that is present in every supported version of Windows.

    Last week, KrebsOnSecurity.com reported that security researchers in Belarus had found a sophisticated strain of malware that was exploiting a previously unknown flaw in the way Windows handles shortcut files. Experts determined that the malware exploiting the vulnerability was being used to attack computers that interact with networks responsible for controlling the operations of large, distributed and very sensitive systems, such as manufacturing and power plants.

    When Microsoft initially released an advisory acknowledging the security hole last week, it said customers could disable the vulnerable component by editing the Windows registry. Trouble is, editing the registry can be a dicey affair for those less experienced working under the hood in Windows because one errant change can cause system-wide problems.

    But in an updated advisory posted Tuesday evening, Microsoft added instructions for using a much simpler, point-and-click “FixIt” tool to disable the flawed Windows features. That tool, available from this link, allows Windows users to nix the vulnerable component by clicking the “FixIt” icon, following the prompts, and then rebooting the system.

    Be advised, however, that making this change could make it significantly more difficult for regular users to navigate their computer and desktop, as it removes the graphical representation of icons on the Task bar and Start menu bar and replaces them with plain, white icons.

    For instance, most Windows users are familiar with these icons:

    According to Microsoft, after applying this fix, those icons will be replaced with nondescript (and frankly ugly) placeholders that look like this:

    Continue reading →

    Latest Warnings / Time to Patch11 Comments
    5
    Jul 10

    Microsoft Warns of Uptick in Attacks on Unpatched Windows Flaw

    Microsoft is warning that hackers have ramped up attacks against an unpatched, critical security hole in computers powered by Windows XP and Server 2003 operating systems. The software giant says it is working on an official patch to fix the flaw, but in the meantime it is urging users to apply an interim workaround to disable the vulnerable component.

    Redmond first warned of limited attacks against the vulnerability in mid-June, not long after a Google researcher disclosed the details of a flaw in the Microsoft Help & Support Center that can be used to remotely compromise affected systems. Last week, Microsoft said the pace of attacks against Windows users had picked up, and that more than 10,000 distinct computers have reported seeing this attack at least one time.

    If you run either Windows XP or Server 2003, I’d encourage you to consider running Microsoft’s stopgap “FixIt” tool to disable the vulnerable Help Center component. To do this, click this link, then click the “FixIt” button in the middle of the page under the “enable this fix” heading. Should you need to re-enable the component for any reason, click the other FixIt icon. Users who apply this fix don’t need to undo it before applying the official patch once it becomes available, which at this rate probably will be on Tuesday, July 13.