New vulnerability in Internet Explorer
Vulnerability watchers warn that attackers could launch malicious code by exploiting a new, unpatched security hole in Internet Explorer. Independent researcher Tom Ferris discovered the flaw and reported the basic details on his Security Protocols Web site. "Well, looks like I've found a bit of an issue within IE 6.0 on Windows XP SP2 fully patched," he said. "I have reported this to Microsoft, and I think they are working on it… The way things are looking, I believe this one is exploitable."
Silver Spring, Md.-based Security Tracker said in an advisory, "A remote user can create specially crafted HTML that, when loaded by the target user, will cause the target user's browser to crash or potentially execute arbitrary code."
Workaround, fix for Adobe Version Cue flaw
Attackers could exploit two vulnerabilities in Adobe Version Cue software to launch malicious code with root privileges, Reston, Va.-based iDefense said in an advisory. Adobe Version Cue is a software-based tracking system for Adobe products distributed with Adobe Creative Suite and other products, according to iDefense, which is now part of VeriSign.
The first problem comes into play when predictable log file names are used. "Version Cue includes a 'setuid' root application named VCNative, which is vulnerable to a symlink attack," iDefense said. "VCNative uses a format such as 'VCNative-[pid].log' for the filename and stores the file in the current working directory. Attackers can easily predict the created filename and supply user-controlled data via the '-host' and '-port' options. A carefully supplied value can cause a crafted log file to be written. Crafted strings written to root-owned files can lead to arbitrary code execution with root privileges."
The second problem is an unchecked command line option parameter. "The '-lib' command line option allows users to specify library 'bundles,' which allows for the introduction of arbitrary code in the context of a root-owned process," iDefense said. "The 'init' function in a shared library is executed immediately upon loading. By utilizing the '-lib' argument to load a malicious library, local attackers can execute arbitrary code with root privileges."
As a workaround, iDefense suggests users remove the "setuid" bit from the VCNative binary and "execute the application as a root user when necessary." Adobe Version Cue Update 2 addresses the vulnerabilities and is available for download on Adobe's Web site.
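The developer-side counterpart to the workaround above, as an added C example that is neither Adobe's nor iDefense's code: a log file is created with O_EXCL and O_NOFOLLOW so that a symlink pre-planted under a predictable name like VCNative-[pid].log is refused rather than followed. The scratch directory, the "VCNative-1.log"/"VCNative-2.log" names and the self-check are constructed for illustration only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a log file only if nothing already sits at the path: O_EXCL
 * refuses any existing entry (symlinks included) and O_NOFOLLOW refuses
 * symlinks outright, so a pre-planted "VCNative-<pid>.log" link cannot
 * redirect the write to a root-owned file. Returns the fd, or -1. */
int open_log_nofollow(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Belt and braces: confirm we hold a plain file with a single link. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a constructed scratch directory (not a real Version Cue
 * install): a planted symlink under a predictable name must be refused,
 * a fresh name accepted, and a second open of that name refused.
 * Returns 1 if every check holds, 0 otherwise. */
int selftest(void) {
    char dir[] = "/tmp/vclogXXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char target[64], planted[64], fresh[64];
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/VCNative-1.log", dir);
    snprintf(fresh, sizeof fresh, "%s/VCNative-2.log", dir);
    int ok = symlink(target, planted) == 0;
    ok = ok && open_log_nofollow(planted) == -1;   /* symlink refused */
    int fd = open_log_nofollow(fresh);
    ok = ok && fd >= 0 && write(fd, "ok\n", 3) == 3;
    if (fd >= 0) close(fd);
    ok = ok && open_log_nofollow(fresh) == -1;     /* no clobbering */
    unlink(planted);
    unlink(fresh);
    rmdir(dir);
    return ok;
}
```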
List of Zotob suspects growing
Less than a week after two men were arrested in connection with the recent Zotob worm outbreak, the FBI says it has 16 more people in its crosshairs -- some of whom may be connected to a credit card fraud ring.
Louis Reigel, assistant director of the FBI's cyberdivision, offered the update in a speech to more than 650 cybersleuths gathered in Monterey, Calif., to share the latest high-tech crime-fighting techniques and tools, Information Week reported Tuesday.
Friday, the FBI and Microsoft announced the arrest of Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker Diabl0; and Atilla Ekici, also known as Coder, a 21-year-old resident of Turkey, in connection with the attacks -- in which multiple variants of Zotob and other worms targeted the Plug and Play flaw in Windows 2000. Microsoft released a patch for the vulnerability Aug. 9. Corporate networks around the world suffered most from the attacks, including news organizations like CNN, ABC and The New York Times.
The FBI is now investigating whether Ekici is connected with a credit card fraud ring in Turkey.
Zotob writer linked to 20 other viruses
As the FBI continues its investigation, Lynnfield, Mass.-based antivirus firm Sophos is linking one of the Zotob suspects to 20 other viruses. Diabl0, the screen moniker of 18-year-old Farid Essebar, a Russian-born Moroccan resident, was embedded inside Zotob-A, and Sophos researchers have determined that more than 20 other viruses include the Diablo handle, including Mydoom-BG and many versions of Mytob.
"To the untrained eye the Mytob and Zotob worms can appear quite different: One group of viruses travels via e-mail, the other primarily by exploiting a Microsoft security hole. However, when examined by an experienced virus analyst, the similarities become clear. It appears that whoever wrote Zotob had access to the Mytob source code, ripped out the e-mail-spreading section, and plugged in the Microsoft exploit," Graham Cluley, Sophos' senior technology consultant, said in a statement. "The Mytob worms have made a significant impact on the virus outbreak charts this year, so anything which may prevent future variants from being developed and released must be welcomed. However, it's possible that several people have access to the Mytob source code, so it may not be the last we see of this Internet scourge."