Windows Media Player DRM exploits used by Trojan installers


This issue's topics:

Introduction:

* DRM Trojans; MS AS/AV utilities; Windows, iTunes, DB2 updates

Virus News:

* Windows Media Player DRM exploits used by Trojan installers

* Microsoft enters anti-spyware market; MS antivirus next?

Security News:

* Remote code execution via HTML Help ActiveX control fixed

* Update fixes cursor and icon handling flaws in all Windows versions

* Third remote code execution vulnerability fixed

* iTunes updates for Windows and Mac OS fix remote code execution bug

* Multiple DB2 flaws fixed in latest fixpaks

Introduction:

Apparently not content with the 'lowliest of the low' position they plumbed during 2004, several of the e-scum responsible for many phishing scams seem to have really felt a need to show they could go even lower, recently resorting to scams that involve ripping off money that would otherwise have gone to victims of the Asian Tsunami. Nice one guys - after you are caught, tried and sentenced, I just hope that your cell-mate's grandmother was one of your victims so you really get what you're due...

All that aside, what better way to kick off a new year of Virus & Security Watch newsletters than with an issue at the end of a 'Patch Tuesday' week? This month Microsoft dished up three patches, with two rated as critical and affecting all supported (and almost unsupported) OSes, including the creaky old Windows 98/ME.

Microsoft was also in the news with the public beta release of its anti-spyware product, based closely on GIANT AntiSpyware. A beta release of the Microsoft Windows AntiSpyware is now available for download and use.

Also on the security front, both Mac OS and Windows versions of iTunes have been updated to fix a remote code execution vulnerability and multiple DB2 database server security updates have been released.

Since I last wrote there have been several more Christmas-themed malware postings, and the source code of the Cabir Bluetooth cell-phone virus was published, leading to a flood of minor variants and perhaps the beginning of a series of copy-cat viruses. This was all pretty much 'same old, same old' stuff, so we have instead chosen to cover a new twist for distributing undesirable software via the Windows Media Player Digital Rights Management (DRM) mechanism, along with the latest on Microsoft's entry into the anti-spyware market and its possible entry into the antivirus market.

Virus News:

* Windows Media Player DRM exploits used by Trojan installers

Reports are surfacing of adware and spyware being installed via a twist on the Digital Rights Management (DRM) functions in Windows Media Player 10 and Windows XP SP2. Media files found on P2P networks carry DRM licensing requirements, and when such a file is played without a license the player follows the license-acquisition URL embedded in the file. In these files that URL does not point at a legitimate licensing server but at a series of websites where various dubious software (adware, keyloggers, etc) is offered and installed. Note that the media file itself carries no exploit code: the abuse lies entirely in where the license-acquisition step is sent, so a file that plays only after a 'license' page is visited should be treated with suspicion.
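The check a practitioner would want here is to look at where a downloaded file's license-acquisition step would send the player before opening it. The scanner below is an added example and is not code from this newsletter, from Microsoft or from any antivirus vendor. It walks the top-level objects of an ASF/WMV header, reads the license URL out of the Content Encryption Object and the LAINFO/LA_URL element of the Extended Content Encryption Object's WRMHEADER XML, and flags any URL whose host is not on a caller-supplied allow list. The sample file it scans is constructed inline; the hostnames in it are placeholders, not real servers.

```python
"""Scan an ASF/WMV header for DRM license-acquisition URLs (added example)."""
import re
import struct
import uuid
from urllib.parse import urlparse

# Object GUIDs from the ASF specification, in the little-endian byte order used on disk.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C").bytes_le


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _length_prefixed(buf, off):
    """Read a DWORD length and that many bytes; return (bytes, offset after them)."""
    n = _u32(buf, off)
    off += 4
    return buf[off:off + n], off + n


def header_objects(data):
    """Yield (guid, payload) for each object inside the top-level ASF Header Object."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        raise ValueError("not an ASF file")
    header_size = struct.unpack_from("<Q", data, 16)[0]
    count = _u32(data, 24)
    off = 30  # 16 GUID + 8 size + 4 object count + 2 reserved bytes
    end = min(header_size, len(data))
    for _ in range(count):
        if off + 24 > end:
            break
        guid = data[off:off + 16]
        size = struct.unpack_from("<Q", data, off + 16)[0]
        if size < 24 or off + size > end:
            break  # truncated or malformed object: stop rather than trust its size
        yield guid, data[off + 24:off + size]
        off += size


def license_urls(data):
    """Return every license-acquisition URL carried in the file's DRM header objects."""
    urls = []
    for guid, payload in header_objects(data):
        if guid == CONTENT_ENCRYPTION:
            _secret, off = _length_prefixed(payload, 0)   # Secret Data
            _ptype, off = _length_prefixed(payload, off)  # Protection Type, e.g. "DRM"
            _keyid, off = _length_prefixed(payload, off)  # Key ID
            url, _ = _length_prefixed(payload, off)       # License URL, NUL-terminated
            urls.append(url.split(b"\x00", 1)[0].decode("ascii", "replace"))
        elif guid == EXT_CONTENT_ENCRYPTION:
            xml, _ = _length_prefixed(payload, 0)         # WRMHEADER XML, UTF-16LE
            text = xml.decode("utf-16-le", "replace")
            urls += re.findall(r"<(?:LAINFO|LA_URL)>\s*(.*?)\s*</(?:LAINFO|LA_URL)>", text, re.S)
    return urls


def suspicious_license_urls(data, allowed_hosts):
    """License URLs whose host is not on the allow list (case-insensitive match)."""
    allowed = {h.lower() for h in allowed_hosts}
    return [u for u in license_urls(data)
            if (urlparse(u).hostname or "").lower() not in allowed]


# --- constructed sample: a minimal ASF header carrying both DRM objects ---------
def _obj(guid, payload):
    return guid + struct.pack("<Q", 24 + len(payload)) + payload


def _lp(b):
    return struct.pack("<I", len(b)) + b


def build_sample(license_url, la_url):
    ce = _obj(CONTENT_ENCRYPTION, _lp(b"\x00" * 8) + _lp(b"DRM\x00")
              + _lp(b"KID0\x00") + _lp(license_url.encode() + b"\x00"))
    xml = ('<WRMHEADER version="2.0.0.0"><DATA><KID>KID0</KID>'
           f'<LAINFO>{la_url}</LAINFO></DATA></WRMHEADER>').encode("utf-16-le")
    ece = _obj(EXT_CONTENT_ENCRYPTION, _lp(xml))
    body = ce + ece
    return (ASF_HEADER + struct.pack("<Q", 30 + len(body))
            + struct.pack("<I", 2) + b"\x01\x02" + body)


# Placeholder hostnames (.invalid TLD); the second one stands in for a redirect chain.
SAMPLE = build_sample("http://license.example-label.invalid/getlicense",
                      "http://drm-redirect.example.invalid/install.php")

if __name__ == "__main__":
    for u in suspicious_license_urls(SAMPLE, ["license.example-label.invalid"]):
        print("license acquisition would open:", u)
```

On a real download, run the scanner over the first few hundred kilobytes of the file (the header object precedes the data object), and treat any license URL outside the hosts you actually expect as a reason not to open the file in the player at all.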

Trojans exploit Windows DRM loophole - theregister.co.uk

Network Associates Virus Information Library

Network Associates Virus Information Library

F-Secure Security Information Center

* Microsoft enters anti-spyware market; MS antivirus next?

Following the publication of the final V&S Watch last year, Microsoft announced its purchase of GIANT Company Software Inc and its plans to provide its own anti-spyware product and service based on the successful GIANT AntiSpyware. The Redmond elves must have been busy over the Christmas period, as a beta of the Microsoft Windows AntiSpyware product is now available. Existing GIANT AntiSpyware customers are advised to read the advice directed to them on the page linked below, as certain features of the GIANT product, and the supported OSes, have been removed from the Microsoft version.

Note that pricing information is not yet available, but the beta itself is free. Obtaining the download requires one to go through the 'genuine Microsoft Windows' validation process.

Also just released is Microsoft's Malicious Software Removal Tool. Usage and download instructions are included in the KnowledgeBase article linked below.

Some have taken the appearance of this utility as a signal that the release of 'Microsoft AntiVirus 2.0', based on the technology purchased from Romanian antivirus developer GeCAD in mid-2003, is now imminent. However, the Malicious Software Removal Tool is a very simple thing, only capable of detecting and removing some of the variants of eight worms featured in the most recent massive outbreaks. Thus speculation that this tool's availability indicates progress toward the release of the much-talked-about 'Microsoft AntiVirus 2.0' seems spurious at best. (The '2.0' in the tongue-in-cheek suggested name for Microsoft's likely forthcoming antivirus offering is a reference to the much earlier, infamous and very short-lived MSAV bundled with MS-DOS 6.0.)

Monthly updates to the Malicious Software Removal Tool are scheduled for inclusion in Microsoft's monthly 'Patch Tuesday' releases and will be available through WindowsUpdate along with the monthly security update releases.

Microsoft Windows AntiSpyware home page - microsoft.com

Important information for GIANT AntiSpyware users - microsoft.com

Malicious Software Removal Tool KnowledgeBase article - microsoft.com

Security News:

* Remote code execution via HTML Help ActiveX control fixed

Microsoft has released a critical update that affects all currently supported OS and Internet Explorer combinations. This vulnerability was publicly disclosed late last year and various malware and dubious web sites have since been found exploiting it. Microsoft rightly rates this vulnerability as being of critical severity and users are strongly recommended to obtain and install the update as soon as possible. Windows 98 and ME are also affected, the vulnerability is rated critical on those platforms too, and so an update is available for them as well.

The vulnerability is a domain determination error in the handling of content in HTML Help files. In certain circumstances the HTML Help ActiveX control in Internet Explorer incorrectly extends the privileges of the local ('My Computer') zone to content sourced from another, less privileged domain (typically the Internet security zone).

Apart from addressing the specific cross-domain vulnerability, this update changes other functionality of the HTML Help ActiveX control. With the update installed under a default configuration, only HTML Help files served from the Local Machine (aka 'My Computer') security zone can be rendered by the HTML Help ActiveX control. This may break certain web applications, so Microsoft has provided several methods to work around the restriction. The FAQ section of the MS05-001 security bulletin should be consulted for details of resolving any such loss of functionality due to these changes in the HTML Help control.

Microsoft Security Bulletin MS05-001

* Update fixes cursor and icon handling flaws in all Windows versions

Another remote code execution vulnerability affecting all supported versions of Windows is addressed in MS05-002. This update addresses two vulnerabilities in the handling of icon, animated icon and cursor files: one presents a denial of service opportunity, wherein an attempt to display a suitably malformed icon or cursor results in the machine becoming unresponsive and requiring a restart; the other allows full arbitrary code execution, earning this update its critical severity rating. Again, as with MS05-001, Windows 98 and ME are also affected with a critical severity rating, so an update for those OSes is also available.

Although the Microsoft security bulletin says that no publicly disclosed exploits of this vulnerability were known when the bulletin was released, several 'proof of concept' exploits for this vulnerability have been released since the security bulletin was posted, so obtaining and installing this patch should now be treated with some urgency.
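Because these files are parsed by the OS the moment Explorer or a mail client renders them, a mail gateway or download proxy is the right place to reject malformed ones before any Windows parser sees them. The validator below is an added example, not code from the newsletter, from eEye or from Microsoft's fix, and it does not claim to reproduce the specific check the patch adds. It walks the RIFF/ACON container of an animated cursor, refuses any chunk whose declared size overruns its container, requires the 'anih' header chunk to be exactly the 36 bytes of the ANIHEADER structure, and cross-checks the declared frame count against the 'icon' chunks actually present. The sample files are constructed inline; their 'icon' payloads are dummy bytes, not real icons.

```python
"""Structural validator for Windows .ani (RIFF/ACON) files (added example)."""
import struct

ANIH_SIZE = 36  # sizeof(ANIHEADER): nine DWORD fields


def _chunks(buf, off, end):
    """Yield (fourcc, payload, offset) for RIFF chunks in buf[off:end].
    A chunk whose declared size overruns the container is reported with
    payload=None and iteration stops, so no read ever leaves the buffer."""
    while off + 8 <= end:
        fourcc = buf[off:off + 4]
        size = struct.unpack_from("<I", buf, off + 4)[0]
        start = off + 8
        if size > end - start:
            yield fourcc, None, off
            return
        yield fourcc, buf[start:start + size], off
        off = start + size + (size & 1)  # chunks are padded to even length


def validate_ani(data):
    """Return a list of problems; an empty list means the container is well formed."""
    problems = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 > len(data):
        problems.append(f"RIFF size {riff_size} exceeds file length {len(data)}")
    end = min(riff_size + 8, len(data))
    seen_anih = 0
    frames_declared = None
    icon_chunks = 0
    for fourcc, payload, off in _chunks(data, 12, end):
        if payload is None:
            problems.append(f"chunk {fourcc!r} at offset {off} declares a size beyond the container")
            break
        if fourcc == b"anih":
            seen_anih += 1
            if len(payload) != ANIH_SIZE:
                problems.append(f"anih chunk is {len(payload)} bytes, expected {ANIH_SIZE}")
                continue
            fields = struct.unpack("<9I", payload)
            if fields[0] != ANIH_SIZE:
                problems.append(f"anih cbSize field is {fields[0]}, expected {ANIH_SIZE}")
            frames_declared = fields[1]
        elif fourcc == b"LIST" and payload[:4] == b"fram":
            # Sub-chunks start after the 4-byte list type and end with the LIST payload.
            for sub, subpayload, suboff in _chunks(data, off + 12, off + 8 + len(payload)):
                if subpayload is None:
                    problems.append(f"frame chunk at offset {suboff} overruns the fram list")
                    break
                if sub == b"icon":
                    icon_chunks += 1
    if seen_anih != 1:
        problems.append(f"expected exactly one anih chunk, found {seen_anih}")
    elif frames_declared is not None and frames_declared != icon_chunks:
        problems.append(f"anih declares {frames_declared} frames but {icon_chunks} icon chunks present")
    return problems


# --- constructed samples -------------------------------------------------------
def _chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def build_ani(anih_payload, frames):
    fram = b"fram" + b"".join(_chunk(b"icon", f) for f in frames)
    body = b"ACON" + _chunk(b"anih", anih_payload) + _chunk(b"LIST", fram)
    return b"RIFF" + struct.pack("<I", len(body)) + body


DUMMY_ICON = b"\x00" * 16  # stands in for an icon image; not a real icon
GOOD_ANIH = struct.pack("<9I", ANIH_SIZE, 2, 2, 32, 32, 32, 1, 10, 1)
GOOD = build_ani(GOOD_ANIH, [DUMMY_ICON, DUMMY_ICON])
# anih chunk far larger than the fixed-size structure it is copied into
BAD_OVERSIZED_ANIH = build_ani(GOOD_ANIH + b"\x00" * 64, [DUMMY_ICON, DUMMY_ICON])
# chunk whose declared size points far past the end of the file
_body = b"ACON" + b"anih" + struct.pack("<I", 0xFFFFFFF0) + b"\x00" * ANIH_SIZE
BAD_OVERRUN = b"RIFF" + struct.pack("<I", len(_body)) + _body

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("oversized anih", BAD_OVERSIZED_ANIH),
                         ("overrun", BAD_OVERRUN)]:
        print(name, "->", validate_ani(sample) or "ok")
```

The same bounded-chunk walk applies to plain .cur and .ico files (a directory of fixed-size entries followed by image data), which this update also covers; the principle is that every length read from the file is checked against the enclosing container before it is used, which is exactly what a parser that trusts those lengths fails to do.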

Windows ANI File Parsing Buffer Overflow - eeye.com

Microsoft Security Bulletin MS05-002

* Third remote code execution vulnerability fixed

A third vulnerability that potentially allows remote execution of arbitrary code on Windows XP and Server 2003 has also been fixed. Remote exploitation of this vulnerability depends on a number of non-default configuration options having been enabled, so Microsoft rates the severity as 'important' rather than 'critical'. Further, although the vulnerability does not affect Windows 2000, Microsoft recommends that Windows 2000 users install the update, because as well as fixing this vulnerability the update adds security functionality to the affected indexing component from which Windows 2000 users can also benefit.

Microsoft Security Bulletin MS05-003

* iTunes updates for Windows and Mac OS fix remote code execution bug

A remotely exploitable buffer overflow in iTunes' handling of the popular .M3U and .PLS playlist file formats has been fixed by Apple. iTunes 4.7.1 includes a fix for this vulnerability which could allow an attacker to run any code of their choice. Although, as of this writing, the iTunes home page still refers to iTunes 4.6 as the current version, the iTunes download page offers version 4.7.1.

Apple iTunes Playlist Parsing Buffer Overflow - idefense.com

iTunes download page - apple.com

* Multiple DB2 flaws fixed in latest fixpaks

NGSSoftware researchers have published nine advisories describing various vulnerabilities in current versions of IBM's DB2 database server and related products. Some of these vulnerabilities open the possibility of remote arbitrary code execution. These are all fixed in the latest fixpaks, whose download locations are included in the advisories.

NGSSoftware advisories page - ngssoftware.com
