Last week, Google researcher Tavis Ormandy disclosed the details of a flaw in the Microsoft Help & Support Center on Windows XP and Server 2003 systems that he showed could be used to remotely compromise affected systems. Today, experts at security firm Sophos reported that they’re seeing the first malicious and/or hacked sites beginning to exploit the bug.

If you use Windows XP and have not yet taken Microsoft up on its suggestion to disable the vulnerable Help & Support Center component, please consider taking a moment to do that today. Until Microsoft issues an official fix for this flaw, the workaround they suggest is an easy and apparently painless one. The instructions are available at this link.

Update, June 17, 9:20 a.m. PST: Updated post to include link to Microsoft “FixIt” tool.

The vulnerability has to do with a weakness in how Windows Help and Support Center processes links. Both Windows XP and Server 2003 retrieve help and support information from a fixed set of Web pages that are included on a whitelist maintained by Windows. But Google security researcher Tavis Ormandy last week showed the world that it was possible to add URLs to that whitelist.

Microsoft said an attacker could exploit this flaw by tricking a user into clicking a specially crafted link. Any files fetched by that link would be granted the same privileges as the affected system’s current user, which could spell big problems for XP users browsing the Web in the operating system’s default configuration — using the all-powerful “administrator” account.

“Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely,” Microsoft said in a statement released last week.

I have frequently urged XP users to create and use a limited user account for everyday computing, and to use the administrator account only for occasional updates and other tinkering that can’t be done as a regular user. While more malware these days is being configured to run even in limited user accounts (the ZeuS and Clampi Trojans, to name a couple), a limited account will block a large number of attacks, and should prevent user-level infections from becoming system-wide infestations that are more challenging to clean up.

Google’s Ormandy, who has privately alerted Microsoft to a large number of security flaws he found in the company’s products over the years, indicated he was releasing the details of this bug publicly just five days after alerting Microsoft in an effort to force Microsoft to patch the flaw more quickly than it would have otherwise.

“I’ve concluded that there’s a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security,” Ormandy wrote. “Those of you with large support contracts are encouraged to tell your support representatives that you would like to see Microsoft invest in developing processes for faster responses to external security reports.”

Ormandy included a “hotfix” tool designed to help XP and Server 2003 users mitigate the threat from this vulnerability until Microsoft releases a patch for it. For its part, Microsoft claims Ormandy’s hotfix doesn’t protect users.

“Unfortunately it is ineffective at preventing the vulnerable code from being reached and can be easily bypassed,” Microsoft said in a post on its Security Research & Defense blog. “We recommend not counting on the Google hotfix tool for protection from the issue.”

Microsoft said it is working on a patch to plug this security hole, and that in the meantime affected users may wish to disable the vulnerable component. That process, detailed in the  “Workarounds” section of this advisory, involves “unregistering” or deleting an entry from the Windows Registry. Note that this can be a dicey affair for novice users, because one wrong move can cause serious stability and bootup problems. That said, as registry hacks go, this one is pretty simple.

In any case, Microsoft says its workaround may cause legitimate links that use the Windows Help and Support Center format (hcp:// as opposed to http://) to break, and that for example links in the Windows Control Panel might cease to function. I tested Microsoft’s workaround on my dummy XP system and didn’t run into any problems, and found no problems navigating any of the Control Panel links. Your mileage may vary.

Related Posts: Firm To Release Database and Web Server 0days

In a report being released today, Google said that between January 2009 and the end of January 2010, its malware detection infrastructure found some 11,000 malicious or hacked Web pages that attempted to foist fake anti-virus on visitors. The search giant discovered that as 2009 wore on, scareware peddlers dramatically increased both the number of unique strains of malware designed to install fake anti-virus as well as the frequency with which they deployed hacked or malicious sites set up to force the software on visitors.

Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What’s more, victims end up handing their credit or debit card information over to the people most likely to defraud them.

Google found that miscreants spreading fake anti-virus have over the last six months taken aggressive steps to evade the two most prevalent countermeasures against scareware: The daily updates shipped by the legitimate anti-virus makers designed to detect scareware installers; and programs like Google’s which scan millions of Web pages for malicious software and flag search results that lead to malware.

Google’s automated system scanned each potentially malicious page in real time using a number of licensed anti-virus engines, and all of the files were rescanned again at the end of the study. Beginning in June 2009, Google charted a massive increase in the number of unique fake anti-virus installer programs, a spike that Google security experts posit was a bid to overwhelm the ability of legitimate anti-virus programs to detect the programs. Indeed, the company discovered that during that time frame, the number of unique installer programs increased from an average of 300 to 1,462 per day, causing the detection rate to plummet to below 20 percent.

“We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates,” said Niels Provos, principal software engineer for Google’s infrastructure group. “It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads.”

In addition, Google determined that the average lifetime of sites that redirect users to Web pages that try to install scareware decreased over time, with the median lifetime dropping below 100 hours around April 2009, below 10 hours around September 2009, and below one hour since January 2010.

“These trends point to domain rotation, a technique that allows attackers to drive traffic to a fixed number of [Internet] addresses through multiple domains,” the company said in its report. “This is typically accomplished by setting up a number of landing domains, either as dedicated sites or by infecting legitimate sites, that redirect browsers to an intermediary under the attacker’s control. The intermediary is set up to redirect traffic to a set of active domains, which point to fake anti-virus distribution servers.”

Provos said the the domain rotation technique appears to be an extension of a “malware arms race” engineered to evade domain-based malware detection techniques.

“In fact, we noticed a distinct correlation between our improved ability to detect fake anti-virus, and the observed lifetime of each domain,” Provos said.

Last year, after a rogue ad on the New York Times Web site led to massive numbers of people being attacked by rogue anti-virus, I wrote a tutorial for The Washington Post called “What To Do When Scareware Strikes,” which details how to deal with these ambushes. The key is remain calm and avoid clicking on any prompts generated by the scareware. Check out that tutorial here.

In a separate report released Monday, Microsoft said its security products cleaned fake anti-virus related malware from 7.8 million computers in the second half of 2009, up from 5.3 million computers in the first six months of the year —an increase of 46.5 percent.

A copy of the Google report is available here (PDF).

Update, 4:47 p.m. ET: Security firm CA is reporting that the Storm Worm seems to have reawakened. According to CA, it was discovered bundled and distributed by Trojan downloader along with Win32/FakeAV or Rouge Antivirus malware.

Search giants Yahoo! and Google each have automated programs that crawl millions of Web sites each week in search of those hosting malicious code. When the search providers find these sites, they typically append a warning to the hacked Web site’s listing in search results, alerting the would-be visitor that the site could be dangerous. These warnings not only result in fewer people visiting infected sites, but they have a tendency to alert a listed site’s owners to a malware problem that needs attention.

This is all well and good for you and me, but not so wonderful for the bad guys. Unless, of course, said bad guys have planned ahead, by inserting code in their hacked sites that hands out malicious code to everyone except the automated anti-malware bots deployed by the top search providers.

Which is precisely what security expert David Dede found earlier this month while analyzing some Web-based malware.

“So basically the malware was checking if the user agent was from the Google or Yahoo bot and not returning the malware on that case,” wrote Dede, a security expert from Brazil who maintains the blog Sucuri Security. Meanwhile, regular visitors to the infected sites received malicious Javascript that tried to foist malware, Dede found.

Denis Sinegubko, a Russian researcher with the blog UnmaskParasites.com, recently has documented at least two examples of malware stitched into blogs that will modify the host site to hide malicious redirects from Google’s search bots.

“And the fact that I can see many such blogs in Google search results without any warnings shows that this simple trick does its job,” Sinegubko wrote.

Google’s search experts say they’re aware of and constantly counteracting these types of obfuscation techniques.

Niels Provos, principal software engineer at Google, said cyber crooks frequently try to play both sides, by attempting to block search bots from finding malware stitched into hacked sites, while simultaneously gaming the search engine bots.

“This has been going on for some time. What happens is if a Web crawler comes along, [the attackers will configure the hacked site so that it] ends up showing [trending content] they get from news sites,” Provos said. “This is to game the ranking of search content. But then if the visitor comes to one of these sites via a search engine, he ends up getting exploit code.”

Provos declined to discuss the specific steps Google takes to combat these tactics, noting that the fight with these Web site hackers is a constant arms race.

“Often these are just aimed at making it more difficult for someone from the outside investigating this kind of thing to find the bad code,” Provos said. “In any case, we have to make adjustments from time to time, but we work around them.”

On April 9, Google researcher Tavis Ormandy posted to the FullDisclosure mailing list that he’d discovered he could abuse a feature in Java to launch arbitrary applications on a Windows PC using a specially-crafted Web site.  Ormandy said the feature had been included in every version of Java since Java 6 Update 10, and was intended as a way to make it easier for developers to distribute their applications. Along with that disclosure, Ormandy published several examples of how attackers might use this functionality in Java to load malicious applications onto a user’s system.

As of this morning, songlyrics.com, a site that according to traffic analysis firm compete.com receives about 1.7 million visits each month, was loading code from assetmancomcareers.com, a Russian Web site with a history of pushing rogue anti-virus. The domain name servers for assetmancomcareers.com also serve:

spyeraser-security.com
spyeraser-trial.com
spyeraser-software.com

According to Roger Thompson, chief research officer at AVG, the site appears to use the very same code mentioned in Ormandy’s proof-of-concept to silently redirect songlyrics.com visitors to a site that loads the “Crimepack” exploit kit, a relatively new kit designed to throw a heap of software exploits at visiting browsers (see screenshot of a Crimepack administration page below).

It’s unclear whether Oracle plans to change the behavior of this feature in Java. For now, if you have Java installed on your system (don’t know? click here), you might consider implementing one or both of the workarounds mentioned here in a SANS Internet Storm Center writeup on this.

Update, 1:17 p.m. ET: The folks over at malwaredomainlist.com say that although the Wepawet scanning tool mentioned above detects this exploit kit as Crimepack, the pack in question may be one called SEO Sploit Pack. While this distinction may be lost on the hapless Windows user who stumbles upon such a site, I wanted to include this information nonetheless. Unfortunately, all I have is the stock logo for the SEO Sploit Pack (anyone want to share a screen shot of the admin page?).

This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.

Microsoft said it will continue monitoring this situation and take appropriate action to protect its customers, including releasing an out-of-band patch to address the threat. Typically, Microsoft issues patches on the second Tuesday of the month (a.k.a. “Patch Tuesday), but due to the seriousness of this threat and the sheer number of companies that have apparently already been hacked because of it, Microsoft is likely to push out an update before the end of the month. In fact, I would not be surprised to see a fix for this within the next 7 to 10 days.

In the meantime, Redmond is urging IE users to upgrade to the latest version, IE8, which the company touts as its most secure version of the browser. Still, even IE is still vulnerable, and this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple‘s Safari for Windows.

McAfee said its investigation revealed that one of the malicous software samples used in the attacks exploited a new, not publicly known vulnerability in IE that is present in all of Microsoft’s most recent operating system releases, including Windows 7.

George Kurtz, McAfee’s chief technology officer, said the IE vulnerability was just one of several previously unknown software flaws that were leveraged in the targeted attacks, which security experts at iDefense have said affected at least 33 different companies.

“While we have identified the Internet Explorer vulnerability as one of the vectors of attack in this incident, many of these targeted attacks often involve a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios,” Kurtz wrote in a posting to the company’s Security Insights Blog. “So there very well may be other attack vectors that are not known to us at this time. That said, contrary to some reports our findings to date have not shown a vulnerability in Adobe Reader being a factor in these attacks.”

Several sources, including McAfee, now say Microsoft plans to release more information later today about the vulnerability. A spokeswoman for Microsoft would not confirm that claim, saying only that “Microsoft is investigating these reports and will provide more information when it is available.”

UPDATE, 5:25 p.m: Microsoft has issued an advisory confirming the existence of a previously unknown vulnerability in all supported versions of IE on pretty much every supported version of Windows. The MS advisory is here.

Original post:

In related news, names of additional victims of this targeted attack, which appears to have targeted trade secrets and source code, are starting to trickle out. The Washington Post is reporting that list includes Yahoo, Symantec, Northrop Grumman and Dow Chemical. A source told me that router maker Juniper Systems Inc. also may have been victimized, although I am still trying to confirm that claim.

Update, 10:34 p.m: Juniper issued the following statement about claims that it, too, was one of the nearly three dozen companies hit by targeted attacks: ” Juniper Networks recently became aware, and is currently investigating, a cyber security incident involving a sophisticated and targeted attack against a number of companies. As with any investigation of this nature, Juniper does not disclose details.”

Also, Google switches to “always on” encryption for all Gmail users. And some pundits see ulterior motives in Google’s Chinese hacking disclosure. More after the jump.

In a report released shortly after Google’s disclosure Tuesday evening, Sterling, Va. based iDefense cited two independent, anonymous sources in the defense contracting and intelligence consulting community as saying that Google traced the attack back to a “drop server” used as a repository for stolen files, where Google discovered its own data as well as proprietary data suggesting that at least 33 additional companies had been hit.

iDefense said the attack bears “significant resemblance” to a July 2009 attack in which assailants launched targeted e-mail campaigns against approximately 100 IT-focused companies. That attack employed a PDF file that exploited a then-undocumented vulnerability in Adobe Reader, and that a similar leveraging booby-trapped PDFs-as-attachments was used in the attack against Google, the report notes.

Kim Zetter at Wired.com’s Threat Level blog has a great deal more information in her thorough story on this.

Cynics see all kinds of ulterior motives in Google’s announcement that it got hacked and the subsequent arm-twisting with the Chinese government. Foreign Policy‘s Evgeny Morozov has penned a pair of incisive and trenchant opinion pieces speculating that Google’s move was little more than a calculated PR and business bid to gain market share vis-a-vis China’s dominant Baidu search engine. Krebsonsecurity.com reader and fellow security blogger Gunnar Peterson pointed my attention to a piece by Motley Fool‘s Tim Hanson that echoes those sentiments.

In apparently related news, Google has switched to “always on” encryption for all Gmail users, not just for those who have gone out of their way to select the “always use https://” option. By default, Google has always forced users to transmit their credentials over an encrypted (https://) connection when logging in, but after that Gmail users were popped back into an unencrypted connection unless they had changed the default option in the Gmail user settings to encrypt all Gmail communications.

The danger is that there are now free tools that help attackers steal the session cookie that most Webmail providers use to indicate users have already authenticated.  Armed with these tools, anyone recording the traffic on the local network would be able to access your Gmail inbox by simply loading that cookie on their machine. While these tools assume the attacker is on the same network as the target, most users do not sign out of Web mail services, and any session cookies that keep users logged in to their Webmail will most likely be transmitted periodically when roving users connect to a wireless network, for example.

Alas, Google has many properties that still do not enjoy this always-encrypted setting. In mid-2009, a Who’s Who of more than three dozen high-tech and security experts from industry and academia urged Google to encrypt all Google services by default, noting that tens of millions of consumers now rely on Google for a wide array of services that include sensitive data, such as Google Adsense, Adwords, Google Health. Still, this is a welcome step that hopefully will be emulated by the likes of Microsoft and Yahoo!, the other two major Webmail providers.