
Security Bytes: Symantec warns of more WMF glitches

By SearchSecurity.com Staff
10 Jan 2006 | SearchSecurity.com

Security Wire Daily News

Symantec warns of more WMF glitches
Days after Microsoft rushed out a patch for the extremely critical Windows Meta File (WMF) flaw, Cupertino, Calif.-based AV giant Symantec Corp. is warning of additional security holes in the program. In a message to customers of its DeepSight Threat Management System, Symantec cited two new vulnerabilities reported on its BugTraq forum.

"An attacker may leverage these issues to carry out a denial-of-service attack or execute arbitrary code on an affected computer with the privileges of the user viewing a malicious image," Symantec said. "An attacker may gain system privileges if an administrator views the malicious file. Local code execution may also facilitate a complete compromise."

Symantec said the first vulnerability is triggered "when the 'WMFRECORD.Function,PlayMetaFileRecord' value of the WMFRECORD structure is set to 0xff followed by supplying malicious values for 'Parameters.All_PointtStruct_Num' and 'PointtStruct.PointNum.' This causes the 'PointtStruct' structure to trigger an access violation error."

The firm said the second issue is triggered "when a large value such as 0xffff is supplied to the 'cbInput' parameter and a small value is supplied to 'szInData' parameter of the 'ExtEscape' function. This also causes an access violation error."

These problems appear when a user views a malicious WMF-formatted file containing specially crafted data, Symantec added. The vulnerabilities are triggered when a file is parsed, which typically happens when an image is displayed, printed or used as a thumbnail.
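Both issues come down to a length or count field inside a record that claims more data than the record holds. The sketch below is an added example, not code from Symantec or Microsoft: it walks the records of a WMF file and flags that mismatch before anything is rendered. It assumes the reported issues correspond to the META_ESCAPE and META_POLYPOLYGON record types of the published WMF format, a mapping the advisory text does not state; the sample bytes are constructed for the demonstration.

```python
import struct

# Record types from the WMF format; mapping them to the advisory is an assumption.
META_EOF, META_ESCAPE, META_POLYPOLYGON = 0x0000, 0x0626, 0x0538
HEADER_BYTES = 18  # standard metafile header, no placeable prefix

def check_wmf_records(data):
    """Return (offset, reason) for each record whose declared counts exceed its data."""
    findings, off = [], HEADER_BYTES
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2  # record size is stored in 16-bit words
        if size < 6 or off + size > len(data):
            findings.append((off, "record size outside file"))
            break
        if func == META_EOF:
            break
        params = data[off + 6: off + size]
        if func == META_ESCAPE:
            # params: EscapeFunction (2 bytes), ByteCount (2 bytes), then the data
            if len(params) < 4 or struct.unpack_from("<H", params, 2)[0] > len(params) - 4:
                findings.append((off, "escape ByteCount exceeds record data"))
        elif func == META_POLYPOLYGON:
            # params: NumberOfPolygons, one point count per polygon, then 4-byte points
            n = struct.unpack_from("<H", params, 0)[0] if len(params) >= 2 else 0
            need = 2 + 2 * n
            if len(params) < 2 or need > len(params):
                findings.append((off, "polygon count exceeds record data"))
            elif need + 4 * sum(struct.unpack_from("<%dH" % n, params, 2)) > len(params):
                findings.append((off, "point count exceeds record data"))
        off += size
    return findings

def record(func, params):
    """Build one record with a correct size field (helper for the constructed samples)."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

# Constructed sample data, not taken from any real file.
HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
GOOD_ESCAPE = record(META_ESCAPE, struct.pack("<HH", 15, 4) + b"ABCD")
BAD_ESCAPE = record(META_ESCAPE, struct.pack("<HH", 15, 0xFFFF) + b"AB")
BAD_POLY = record(META_POLYPOLYGON, struct.pack("<HH", 1, 0xFFFF))
EOF = record(META_EOF, b"")
SAMPLE = HEADER + GOOD_ESCAPE + BAD_ESCAPE + BAD_POLY + EOF
CLEAN = HEADER + GOOD_ESCAPE + EOF

if __name__ == "__main__":
    for offset, reason in check_wmf_records(SAMPLE):
        print(offset, reason)
```

A check like this fits at a mail or web gateway, where a file can be rejected before any thumbnailer or viewer parses it.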

Fortunately, Symantec is not aware of any exploits for these issues. The firm recommended the following steps to blunt the flaws' impact:

  • Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
  • Do not allow untrusted individuals to have local access to computers.
  • Deploy network intrusion detection systems to monitor network traffic for malicious activity.
  • Do not accept or execute files from untrusted or unknown sources.
  • Do not follow links provided by unknown or untrusted sources.
  • Disabling client support for HTML e-mail may limit exposure to this attack vector.

Two accused of bogus spyware claims settle with FTC
Two organizations -- Spyware Assassin and Trustsoft -- that promoted spyware detection products by making bogus claims have agreed to settle Federal Trade Commission (FTC) charges that their claims were deceptive and violated federal law, the FTC said in a statement. "Each operation claimed to detect spyware, even when there was not any, and then sold consumers antispyware software that either did not work or did not work as advertised," the FTC said.

The settlements require that the defendants give up nearly $2 million in "ill-gotten gains" and prohibit deceptive claims. One set of defendants will be barred from selling or marketing any antispyware product or service in the future, the FTC added.

In March 2005 the FTC charged that Spyware Assassin and its affiliates used Web sites, e-mail, banner ads and pop-ups to drive consumers to the Spyware Assassin Web site. Consumers were told the Web site "scanned" consumers' computers at no cost to determine whether they were infected with spyware. The results of the "scans" were positive, often falsely, and the site warned consumers that they had spyware installed on their systems, the commission said in its statement.

In June 2005, the FTC charged an unrelated operation, Trustsoft, with using similar tactics to sell its "SpyKiller" software. The FTC alleged the defendants sent pop-up and e-mail messages informing consumers that their computers had been remotely "scanned" and that spyware had been "detected," even though defendants had not performed any such scans. The defendants urged consumers to access the SpyKiller Web site to get "free scans" for spyware, the FTC statement said.

U.S. district courts ordered a halt to the deceptive practices of both operations, pending trials. The FTC said settlements announced this week end those lawsuits.

Sober explosion fails to materialize
Malicious code-watchers were on edge last week as they waited for an expected attack from the prolific Sober worm family. But so far, cyberspace appears to have dodged a bullet.

The Sober attack was predicted last month by iDefense Security Intelligence Services, a division of Mountain View, Calif.-based VeriSign Inc. At the time, iDefense said it had discovered hard-coded commands within the recent Sober-X variant that were programmed to launch a new wave of Sober assaults Thursday, Jan. 5, 2006. But as of Tuesday, no attack had materialized.

"We've been monitoring the locations of the files that infected machines are now trying to download. So far none of them have activated," Finnish firm F-Secure Corp. said in its daily lab blog.

Many AV firms had already updated their signatures to counter the threat. But iDefense spokesman Jason Greenwood warns that the danger isn't over. Last week, he said, "If nothing happens on Jan. 6, the worm is programmed to stay dormant for 14 days. After 14 days it is programmed to look for a different set of sites. The process will repeat every 14 days."
