
[Computer Security Thread] EAC stands for "Easily Accessible Compromise"



  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited February 2010
    busfahrer wrote: »
    I've certainly added your testimonial to the OP! Thanks for the input.

    Nice, but I think there's a typo or something in the link :mrgreen:

    You saw nuthink!

    Just kidding. Link should be fixed. Sorry, just a brain-fart on my part.

  • krush Registered User regular
    edited February 2010
    Don't know if this has been mentioned, but if you're like me and have a few machines networked plus a good hardware firewall and a decent switch, then I would really recommend looking at running Splunk on one of your machines.

    Splunk pulls together all of your syslogs (and can do WMI events), stores them in a fairly fast database (proprietary) and allows you to search on nearly anything in those logs very quickly. I've got a Cisco Pix 501 and I've turned remote logging on so it's feeding the Splunk db as well as my Win32, Solaris 10, and RHEL machines. Any peculiar events I can look at and drill down on.

  • Tofystedeth Registered User regular
    edited February 2010
    maerdred wrote: »
    Fencingsax wrote: »
    So when I click on a link in google, I sometimes get an ad to some bullshit instead. Search and Destroy and Malwarebytes AntiMalware cannot detect anything wrong. Suggestions?

    There are a number of things you can try. The fact that S&D doesn't find anything isn't surprising, but MBAM not doing the trick might be worrisome. This may be a rootkit type infection. Have you used an A/V scanner yet, and if so, which one?

    I'd start by checking your HOSTS file with notepad (should be in \Windows\system32\drivers\etc\), and verifying that your DNS settings haven't been tampered with. Overall, though, these are just symptoms, and even if they're responsible for your redirects, correcting them won't solve the problem of how they were changed to begin with.

    I'd recommend scanning with MBAM in safe mode, and / or using a LiveCD to scan your computer from outside of the operating system. If you want several second opinions at once, go ahead and try out Hitman Pro 3.5. Hitman uses several A/V scanners at once, and also boasts the ability to catch a few nasty rootkits. You don't have to buy their stuff, though, if you find anything. There's a 30-day free license if you want to use it, but honestly if it finds something nasty I'd just reformat and reinstall instead of doing that.
    Check your proxy settings?

    I agree with all of this. It's probably a Proxy, Hosts File, or an address redirector. If S&D and MBAM didn't find it, try SuperAntiSpyware; I've had good luck with that specific product lately. If you know what to look for in their logs, HijackThis can also help clear this type of thing up.
    If the problem you're getting is that sometimes a google link will take you not to the page you expect, but will instead take you somewhere else, and pop up one of those fake security warnings, you may not be infected with anything. Especially if it happens only intermittently. If it's everywhere, yes; if it's just some things, sometimes, with no pattern you can tell, it's probably not you.

    A lot of times these days a site will get malicious code injected onto their server, or in a malicious banner ad, then the bot will use their tricks to get it to show up near the top of search engine rankings. I've seen this several times at work with people doing google searches for something innocuous, usually a recent news event, and one of the top links will be a site that brings these "security" scareware popups. After digging around on my PC I found that many times these sites are completely legit but have nothing to do with the search term, they just had their website compromised. Running with AdBlock in FireFox will stop many of them, NoScript should take care of the rest. If you can find contact info for the webmasters of those sites, they usually appreciate getting a heads up, since oftentimes it's not an actual page on their site that is infected, simply a fake page inserted on their server which is only reachable via those bogus search results.

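    The "check your HOSTS file" advice above is easy to automate. This is an added example, not code from anyone in the thread: it parses a hosts file and flags every name that is pointed at something other than loopback or a null route, which is what a redirect-style hijack looks like. The sample file contents and the 203.0.113.45 address are constructed; the Windows path is the one quoted above.

```python
import ipaddress
import sys

# Constructed sample (not a file from the thread). The first lines are what a
# stock Windows hosts file contains; the last two are the kind of entry that
# silently sends search or vendor traffic to someone else's server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-blocklist.test   # null-route: a normal blocklist entry
203.0.113.45    www.google.com               # search traffic sent elsewhere
203.0.113.45    www.malwarebytes.example     # a security vendor's site redirected
"""

WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Addresses a hosts file legitimately points names at: loopback or a null route.
LOCAL_ONLY = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in the file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # malformed line; Windows ignores it as well
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(text):
    """Return mappings that point a name at something other than loopback/null."""
    return [(lineno, str(addr), name)
            for lineno, addr, name in parse_hosts(text)
            if addr not in LOCAL_ONLY and not addr.is_loopback]


def audit_file(path=WINDOWS_HOSTS):
    """Audit a hosts file on disk (run as Administrator on Windows)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return suspicious_entries(f.read())


if __name__ == "__main__":
    # With no argument, audit the constructed sample instead of the live file.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    findings = audit_file(target) if target else suspicious_entries(SAMPLE_HOSTS)
    for lineno, addr, name in findings:
        print(f"line {lineno}: {name} -> {addr}")
```

    A hit here is a symptom, as the post says: the entry should be removed, but the question of how it got there still needs answering. An empty result does not clear the machine either, since a proxy setting or a tampered DNS server produces the same redirects without touching this file.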
  • Synthesis (Honda Today!) Registered User regular
    edited February 2010
    So...on a completely unrelated note, is stuff like CCleaner worth having, or actually dangerous? Is there a better alternative, or is it something you shouldn't worry about?

  • Tofystedeth Registered User regular
    edited February 2010
    CCleaner is ok sometimes. Most of the rest is bad, clumsy, or at best ineffective.

    I guess I should clarify. It depends on what you use it for. In general, "registry cleaners", "registry boosters" and the like are either malware, crap enough to make things worse, or just don't do anything useful. The best bet is to remove old programs via Add/Remove. Watch the stuff you install. Windows disk cleanup is usually fine for reclaiming space.

  • Synthesis (Honda Today!) Registered User regular
    edited February 2010
    Yeah, I expected as much. I've gotten to the point where I can slowly browse my registry and remove old leftover keys (keeping a backup handy, naturally). Just thought I'd ask.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited February 2010
    If the problem you're getting is that sometimes a google link will take you not to the page you expect, but will instead take you somewhere else, and pop up one of those fake security warnings, you may not be infected with anything. Especially if it happens only intermittently. If it's everywhere, yes; if it's just some things, sometimes, with no pattern you can tell, it's probably not you.

    A lot of times these days a site will get malicious code injected onto their server, or in a malicious banner ad, then the bot will use their tricks to get it to show up near the top of search engine rankings. I've seen this several times at work with people doing google searches for something innocuous, usually a recent news event, and one of the top links will be a site that brings these "security" scareware popups. After digging around on my PC I found that many times these sites are completely legit but have nothing to do with the search term, they just had their website compromised. Running with AdBlock in FireFox will stop many of them, NoScript should take care of the rest. If you can find contact info for the webmasters of those sites, they usually appreciate getting a heads up, since oftentimes it's not an actual page on their site that is infected, simply a fake page inserted on their server which is only reachable via those bogus search results.

    Absolutely correct. This is one that's quickly on the rise, and is probably the leading vector for malware today. Either iFrame injections into trusted sites, or more often exploits hidden in rotating banner ads, are being used more and more to deliver the payload these days. The days of getting malware through email are down. Now it's being served up on your trusted sites. Our servers where I work just got hit with tiny injection scripts to do this, and it was a horror to clean up.

    Usually, as Tofystedeth pointed out, these things are fake security popups. They run in javascript (not java) and mimic your OS (sometimes dynamically!) to convince you they're performing a scan. The trick is, sometimes that's enough to hit you hard. The latest wave of PDF exploits that Adobe took a month to patch were delivered in this way - If you were running the vulnerable software and one of these things hit, that was it, infected. Most of the time the javascript window is just a ruse to lure you into downloading the payload. The trick is, clicking anywhere delivers it, so the red 'X' in the upper left and the 'No' or 'Cancel' button will initiate download and try to find other holes for execution. If you ever see one of these fake windows, call up task manager and kill your browser immediately. Then do a MBAM scan to sweep out the cache, to be safe.

    Javascript whitelisting and ad blocking (whatever your method and browser of choice) are the best lines of defense against these attacks. Even if a trusted site gets hacked, or an injection attack works, usually all you'll find is a redirection link that points you toward a malicious domain. If that domain doesn't have javascript enabled, the attack has no teeth. At least, until the bastards find out some other way to make our lives miserable.

  • Tofystedeth Registered User regular
    edited February 2010
    An addendum to that. I read an interesting article, I think it was on Slashdot or Ars Technica, where they talked about a new type of attack that's shown up in the last couple months where the malicious code only shows up in images you reach through Google Image Search if the GIS frame is active. Weird.

    Edit: Ah here it is.
    The malicious code only executes if GIS is the referer.

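    Referer-gated malware like the GIS case above is awkward to confirm, because the page looks clean to anyone who loads it directly. One defender-side check, added here as an example and not code from the thread or the linked article: fetch the same URL with a few different Referer headers and compare the response bodies. The URL, the User-Agent string and the stand-in fetcher that imitates the cloaking behaviour are all constructed for the demo; against a real page you would pass the default urllib-based fetcher.

```python
import hashlib
import urllib.request


def fetch_with_referer(url, referer=None, timeout=10):
    """Fetch url, sending the given Referer header, or none when referer is None."""
    headers = {"User-Agent": "referer-cloak-check/0.1"}   # hypothetical UA string
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def detect_referer_cloaking(url, referers, fetch=fetch_with_referer):
    """Fetch once per Referer value; report whether any body differs and the digests."""
    digests = {ref: hashlib.sha256(fetch(url, ref)).hexdigest() for ref in referers}
    cloaked = len(set(digests.values())) > 1
    return cloaked, digests


# Referer values worth comparing: no referer, a normal search result, image search.
REFERERS = [None, "https://www.google.com/search?q=hedgehog", "https://images.google.com/"]


def _fake_fetch(url, referer):
    """Constructed stand-in for the network: a page that only adds the extra
    script when the visitor arrives from Google Image Search."""
    base = b"<html><body><img src='/hedgehog.jpg'></body></html>"
    if referer and referer.startswith("https://images.google."):
        return base + b"<script src='http://198.51.100.7/x.js'></script>"
    return base


def demo():
    """Run the check against the constructed cloaking page (offline)."""
    return detect_referer_cloaking("http://compromised.example.test/gallery",
                                   REFERERS, fetch=_fake_fetch)


if __name__ == "__main__":
    cloaked, digests = demo()
    print("cloaked:", cloaked)
    for ref, digest in digests.items():
        print(f"  {ref!s:45} {digest[:16]}")
```

    Comparing whole-body digests is deliberately crude: a page with rotating ads or a timestamp will differ on every fetch, so on a real site you would diff the bodies and look at what changed rather than trusting the boolean alone.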
  • Beltaine (BOO BOO DOO DE DOO) Registered User regular
    edited February 2010
    Is there any of this that can be set up to operate transparent to users where they can't muck with the settings after the fact?

    I keep all my shit locked down at home and at work, but since nothing I've used out there includes functionality for deciding who can and can't change the settings, I end up just letting other users' machines slide and give them a disclaimer about keeping anything vital on their system. When one gets screwed up, I just re-load the image and go on.

    This is a problem with our Win2k3 Terminal Server though. Even with locked down user accounts and policies I have things that manage to get installed or infected regardless, and am running scans and uninstalls weekly to keep it clean.

    Didn't know about DropMyRights, though. Hoping that will clear up some of it.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited February 2010
    An addendum to that. I read an interesting article, I think it was on Slashdot or Ars Technica, where they talked about a new type of attack that's shown up in the last couple months where the malicious code only shows up in images you reach through Google Image Search if the GIS frame is active. Weird.

    Edit: Ah here it is.
    The malicious code only executes if GIS is the referer.

    I swear, between adword poisoning, blackhat search engine optimization, and now this, Google is quickly becoming a primary vector for malware. Though in this case, it's certainly not Google's fault at all.
    Beltaine wrote: »
    Is there any of this that can be set up to operate transparent to users where they can't muck with the settings after the fact?

    I keep all my shit locked down at home and at work, but since nothing I've used out there includes functionality for deciding who can and can't change the settings, I end up just letting other users' machines slide and give them a disclaimer about keeping anything vital on their system. When one gets screwed up, I just re-load the image and go on.

    This is a problem with our Win2k3 Terminal Server though. Even with locked down user accounts and policies I have things that manage to get installed or infected regardless, and am running scans and uninstalls weekly to keep it clean.

    Didn't know about DropMyRights, though. Hoping that will clear up some of it.

    You said you're running with locked down user accounts and policies. If you have limited user accounts already in place, have you tried implementing SRP (Software Restriction Policy)? Combined with limited user accounts it's supposed to be pretty potent. There's a good article on it here, and Microsoft has an article about setting it up on Win2k3 here. People over at Wilders swear by this implementation, above and beyond any kind of protective anti-malware or anti-virus software.

    Next time I rebuild a machine, I think I'll try to implement SRP. But for personal/gaming use it feels like such a hassle, particularly with patches and updates.

  • FingerSlut __BANNED USERS regular
    edited February 2010
    An addendum to that. I read an interesting article, I think it was on Slashdot or Ars Technica, where they talked about a new type of attack that's shown up in the last couple months where the malicious code only shows up in images you reach through Google Image Search if the GIS frame is active. Weird.

    Edit: Ah here it is.
    The malicious code only executes if GIS is the referer.

    I swear, between adword poisoning, blackhat search engine optimization, and now this, Google is quickly becoming a primary vector for malware. Though in this case, it's certainly not Google's fault at all.
    Beltaine wrote: »
    Is there any of this that can be set up to operate transparent to users where they can't muck with the settings after the fact?

    I keep all my shit locked down at home and at work, but since nothing I've used out there includes functionality for deciding who can and can't change the settings, I end up just letting other users' machines slide and give them a disclaimer about keeping anything vital on their system. When one gets screwed up, I just re-load the image and go on.

    This is a problem with our Win2k3 Terminal Server though. Even with locked down user accounts and policies I have things that manage to get installed or infected regardless, and am running scans and uninstalls weekly to keep it clean.

    Didn't know about DropMyRights, though. Hoping that will clear up some of it.

    You said you're running with locked down user accounts and policies. If you have limited user accounts already in place, have you tried implementing SRP (Software Restriction Policy)? Combined with limited user accounts it's supposed to be pretty potent. There's a good article on it here, and Microsoft has an article about setting it up on Win2k3 here. People over at Wilders swear by this implementation, above and beyond any kind of protective anti-malware or anti-virus software.

    Next time I rebuild a machine, I think I'll try to implement SRP. But for personal/gaming use it feels like such a hassle, particularly with patches and updates.


    Why not make a good system image and lock the registry?

  • Beltaine (BOO BOO DOO DE DOO) Registered User regular
    edited February 2010
    SRP looks like the ticket. Will get a machine up on the test network with it tomorrow.

    Also testing MSE on our netbooks. We have Vexira antivirus because it is/was cheap but it really dogs the little netbooks we use for student labs.

    Have also been wanting to buy a corp license for MBAM, but the doofuses won't return my calls/emails.

  • Fencingsax (It is difficult to get a man to understand, when his salary depends upon his not understanding; GNU Terry Pratchett) Registered User regular
    edited February 2010
    Well, bad news. Whatever the fuck is happening to my computer, the "Host Process for Windows Services" now periodically stops working. Great.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited February 2010
    Fencingsax wrote: »
    Well, bad news. Whatever the fuck is happening to my computer, the "Host Process for Windows Services" now periodically stops working. Great.

    My condolences. Unfortunately, at this point, Ripley's advice might be the best course of action: Nuke it from orbit - Reformat, reinstall. It can be a pain, but on the bright side, you'll have that fresh computer feeling!

  • initiatefailure Registered User regular
    edited February 2010
    So I'm not sure if this would be the place to ask or not. It's related to my computer's security though.

    I'm going to a LAN party next month with some friends. Personally I've never been to one or had my personal computer hooked into a LAN network.

    Is there anything I should do security wise to protect myself while I'm connected to hundreds of other computers? Is there even a risk that comes with being connected like this?

    My computer is running AVG and (I think) has the default firewall disabled and no other firewall on the computer

  • Tofystedeth Registered User regular
    edited February 2010
    Make sure you're up-to-date on Windows updates and virus defs. If you know the specific games you'll be LANning with and are feeling paranoid, find out what ports they use and block everything but those at your firewall.

  • Tofystedeth Registered User regular
    edited February 2010
    Here's an interesting story linked on /. today.

    Dissects a little bit how SQL injection makes good sites go bad.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited February 2010
    Here's an interesting story linked on /. today.

    Dissects a little bit how SQL injection makes good sites go bad.

    Thanks for the link, certainly. A good, and terrifying, read. It really drives the point home that there's no such thing as a safe website anymore.

    Just because I'm dense: Does anyone know how these droppers work, at least to the point where you can prevent them? Let's say a trusted website you visit - one that needs javascript active to function correctly - has been compromised to serve up malware. Is it usually just a redirect script on the compromised website that points you toward another server, or is the payload actually distributed from the original landing point at the compromised website? Virtualized browsing sounds better and better these days.

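    Two posts above touch the same question: what the injected code on a compromised site actually looks like (tiny injection scripts and iFrame injections in the earlier post, and the redirect-versus-payload question just asked). Whichever way the payload is delivered, the thing sitting on the compromised server is usually a small, hidden iframe or an off-site script include, and that is something a site owner can scan their own pages for. This is an added example, not code from the thread: a scanner built on Python's html.parser that flags hidden or tiny iframes and any script or iframe source that is not the site's own host (or an allow-listed partner). The site host, partner host and sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical site being audited, a partner whose embeds are expected, and a
# constructed page: two legitimate includes, one partner embed, then the kind of
# injection described in the thread (1x1 hidden iframe plus an off-site script).
SITE_HOST = "example-trusted-site.test"
PARTNER_HOSTS = ("videos.example-partner.test",)

SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example-trusted-site.test/lib.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://videos.example-partner.test/embed/42" width="640" height="360"></iframe>
<iframe src="http://198.51.100.7/redir.html" width="1" height="1" style="visibility: hidden"></iframe>
<script src="http://198.51.100.7/x.js"></script>
</body></html>
"""


class InjectionAuditor(HTMLParser):
    """Collects (kind, line_number, src) for hidden iframes and off-site sources."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def _offsite(self, src):
        host = urlparse(src).hostname
        if host is None:
            return False            # relative URL: served from this site
        host = host.lower()
        if host == self.site_host or host.endswith("." + self.site_host):
            return False            # the site itself or one of its subdomains
        return host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        line = self.getpos()[0]
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", line, src))
            elif self._offsite(src):
                self.findings.append(("offsite-iframe", line, src))
        elif tag == "script" and src and self._offsite(src):
            self.findings.append(("offsite-script", line, src))


def audit_html(html, site_host=SITE_HOST, allowed_hosts=()):
    """Parse one page and return its findings in document order."""
    auditor = InjectionAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for kind, line, src in audit_html(SAMPLE_PAGE, SITE_HOST, PARTNER_HOSTS):
        print(f"{kind:15} line {line}: {src}")
```

    Run it over the files on disk as well as over what the web server actually returns; the injection described above often lives only in the served output, or on a page that is not linked from anywhere but the poisoned search results. An off-site script flagged here is not proof of compromise (CDNs and analytics look the same), which is what the allow-list is for; a 1x1 or hidden iframe pointing at a bare IP address almost always is.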
  • Fencingsax (It is difficult to get a man to understand, when his salary depends upon his not understanding; GNU Terry Pratchett) Registered User regular
    edited February 2010
    So good and bad news. MSE has found the problem. Unfortunately, it can't get rid of it, or at least can't get rid of the underlying problem. It is a Backdoor:WinNT/Rustock.gen!B The location is file:C:\Windows\Temp\mphf.tmp\svchost.exe->[aPLib_034]

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited February 2010
    Fencingsax wrote: »
    So good and bad news. MSE has found the problem. Unfortunately, it can't get rid of it, or at least can't get rid of the underlying problem. It is a Backdoor:WinNT/Rustock.gen!B The location is file:C:\Windows\Temp\mphf.tmp\svchost.exe->[aPLib_034]

    Ick. From what I can see on various sites that have any information about WinNT/Rustock.gen!B, it looks like this piece of garbage drops a kernel-level driver. Even if you remove the immediate threat, there's no way to clean this with any certainty without starting fresh.

    Reformatting and reinstalling your OS would be an excellent idea. Ninite will make your life easier in this. Make sure to scan your backups and disable autorun before you restore your data.

  • Fencingsax (It is difficult to get a man to understand, when his salary depends upon his not understanding; GNU Terry Pratchett) Registered User regular
    edited February 2010
    I had a feeling it might be. It keeps popping up. Argh, I will probably do it tomorrow. Definitely have to backup my music. Fortunately this computer's relatively new, and so not much is on it that I can't easily reinstall.

  • Dark Shroud Registered User regular
    edited February 2010
    If you know the file location you can try using unlocker to delete the rogue file.

  • undeinPirat Registered User regular
    edited February 2010
    Seems rude for me to just pop in and ask for help, but I am in the situation where there might be a keylogger on my computer. I am running Malwarebytes full scan and Microsoft Security Essentials full scan -- would these find it if it were on my computer? Are there other scans that would deal with this more effectively? I just want to figure out if there's something else I can do while the scans are running that would definitively give me a yes or no answer to whether I have a keylogger on this computer.

    edit: also I haven't typed in any passwords or anything since I've installed what I think would've given me the keylogger, so I'm not worried; I just want secure knowledge whether I have it or not and which applications to use for that sort of definitive answer.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited February 2010
    Fencingsax wrote: »
    I had a feeling it might be. It keeps popping up. Argh, I will probably do it tomorrow. Definitely have to backup my music. Fortunately this computer's relatively new, and so not much is on it that I can't easily reinstall.
    If you know the file location you can try using unlocker to delete the rogue file.

    True, but that specific file listed above (the rudely named svchost.exe in a Temp directory) is very likely not the heart of the matter. From what I found by Googling the threat name, it sounds like a kernel-level driver with rootkit-like behavior. The issue is likely to replicate itself over and over, because the true infection is hidden in a place most scanners won't be able to touch / see. I could be wrong about this, though! I'm no expert, it's just my opinion.
    Seems rude for me to just pop in and ask for help, but I am in the situation where there might be a keylogger on my computer. I am running Malwarebytes full scan and Microsoft Security Essentials full scan -- would these find it if it were on my computer? Are there other scans that would deal with this more effectively? I just want to figure out if there's something else I can do while the scans are running that would definitively give me a yes or no answer to whether I have a keylogger on this computer.

    edit: also I haven't typed in any passwords or anything since I've installed what I think would've given me the keylogger, so I'm not worried; I just want secure knowledge whether I have it or not and which applications to use for that sort of definitive answer.

    Don't feel it rude at all - It's what the thread is here for!

    A MBAM scan and a MSE scan (both full) are good places to start. In my experience there are certainly a number of things that you can do to get a second opinion on the matter (as far as other scanners), but it all depends on your level of paranoia. Unfortunately it's hard to prove a negative - The sad thing is that a clean result doesn't promise a clean system. Do you mind my asking what leads you to surmise you have a keylogger, though?

  • Dark Shroud Registered User regular
    edited February 2010
    Seems rude for me to just pop in and ask for help, but I am in the situation where there might be a keylogger on my computer. I am running Malwarebytes full scan and Microsoft Security Essentials full scan -- would these find it if it were on my computer? Are there other scans that would deal with this more effectively? I just want to figure out if there's something else I can do while the scans are running that would definitively give me a yes or no answer to whether I have a keylogger on this computer.

    edit: also I haven't typed in any passwords or anything since I've installed what I think would've given me the keylogger, so I'm not worried; I just want secure knowledge whether I have it or not and which applications to use for that sort of definitive answer.

    Give this free trial a try. http://www.pctools.com/spyware-doctor-antivirus/

  • FingerSlut __BANNED USERS regular
    edited February 2010
    SQL injection only works if the admin allows variables that have no place in the work that is being done. As long as you lock down your database injection can be thwarted. Not too big of a threat anymore.

  • undeinPirat Registered User regular
    edited February 2010
    Seems rude for me to just pop in and ask for help, but I am in the situation where there might be a keylogger on my computer. I am running Malwarebytes full scan and Microsoft Security Essentials full scan -- would these find it if it were on my computer? Are there other scans that would deal with this more effectively? I just want to figure out if there's something else I can do while the scans are running that would definitively give me a yes or no answer to whether I have a keylogger on this computer.

    edit: also I haven't typed in any passwords or anything since I've installed what I think would've given me the keylogger, so I'm not worried; I just want secure knowledge whether I have it or not and which applications to use for that sort of definitive answer.

    Don't feel it rude at all - It's what the thread is here for!

    A MBAM scan and a MSE scan (both full) are good places to start. In my experience there are certainly a number of things that you can do to get a second opinion on the matter (as far as other scanners), but it all depends on your level of paranoia. Unfortunately it's hard to prove a negative - The sad thing is that a clean result doesn't promise a clean system. Do you mind my asking what leads you to surmise you have a keylogger, though?

    Ah, well a file I hastily downloaded from a dev that I trusted and ran was in about 10 minutes reported for having a keylogger by someone else whose email started sending out spam emails -- however both scans came back clean. I think the other user had some sort of other problem and cried wolf, and at this point I'm not too paranoid as no one else using this build of the software has said they had a keylogger or virus of any kind for that matter, and others have been posting clean scans from various virus and malware suites and websites. Seems like I'm in the clear at this point, so no more panic.

    edit: Nail in the coffin: user who reported keylogger reported a different md5 hash than the one the dev distributed. Confusing as to how that happened for that user, but my md5 matches up with the dev, so I'm good.

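    The hash comparison that settled it above is worth doing properly every time you run something a developer hands you. This is an added example, not code posted in the thread: it hashes a file in chunks (so a large installer does not have to fit in memory), normalises the published digest, and compares in constant time. The thread used MD5, so the functions accept any hashlib algorithm name; MD5 still catches a corrupted or swapped download, but anyone publishing hashes today should use SHA-256, since MD5 collisions can be manufactured. The sample bytes in demo() are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def digest_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (handy for checking known vectors)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, read in 1 MiB chunks so size does not matter."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex, algorithm="sha256"):
    """True only if the file's digest matches the published one.

    The published value is stripped and lower-cased (copy/paste from a web page
    often adds whitespace or upper-case hex); the comparison is constant-time.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo():
    """Write constructed bytes to a temp file and check a right and a wrong hash."""
    data = b"constructed sample installer bytes, not a real program"
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        published = digest_bytes(data, "md5")          # what the dev would post
        return (verify_file(path, " " + published.upper() + "\n", "md5"),
                verify_file(path, "0" * 32, "md5"))
    finally:
        os.remove(path)


if __name__ == "__main__":
    good, bad = demo()
    print("matching hash accepted:", good)
    print("wrong hash accepted:   ", bad)
```

    A match only tells you that you have the same bytes the developer published, which is exactly the question undeinPirat needed answered; it says nothing about whether those bytes are safe.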
  • RhalloTonny (Of the Brownlands) Registered User regular
    edited February 2010
    FingerSlut wrote: »
    SQL injection only works if the admin allows variables that have no place in the work that is being done. As long as you lock down your database injection can be thwarted. Not too big of a threat anymore.

    This.

    SQL Injection is something that's pretty well documented and good developers are aware of it- the problem comes from rushed jobs or code that doesn't have any kind of cleaning or checks.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited February 2010
    Good to know that SQL injections are easily prevented, if the code is laid down correctly.

    Quick note: A recent trend in the social engineering vector has been to target forums of all kinds recently. Wilders has been cropping up with reports on this. Basically, someone will compromise an Admin account on the forums, and then use that account to start sending PMs to all users on the forum warning them that their computers are 'infected'. Of course, the helpful message also includes a link to a scanner - which is unsurprisingly the real infection. Nothing terribly new at the core, here, but it seems that the social engineering aspect of these attacks is trending more and more toward finding 'trusted' people to hijack/impersonate so as to lure in victims. I guess people are learning not to trust unsolicited messages these days.

    Also, malware authors have recently used the Virustotal name in their obfuscating approach to distributing scareware. Sophos wrote a decent article about it here.

  • Shorn Scrotum Man Registered User regular
    edited February 2010
    Little do they know none of us would read anything Tube sent us anyways :P

  • Tofystedeth Registered User regular
    edited March 2010
    Little do they know none of us would read anything Tube sent us anyways :P
    fwd:fwd:fwd:re:OMG!
    hey guyz check out this adorable picture of a hedgehog lol!

  • Tofystedeth Registered User regular
    edited March 2010
    FingerSlut wrote: »
    SQL injection only works if the admin allows variables that have no place in the work that is being done. As long as you lock down your database injection can be thwarted. Not too big of a threat anymore.

    This.

    SQL Injection is something that's pretty well documented and good developers are aware of it- the problem comes from rushed jobs or code that doesn't have any kind of cleaning or checks.

    A valuable lesson learned from the story of little Bobby Tables.

  • Shorn Scrotum Man Registered User regular
    edited March 2010
    FingerSlut wrote: »
    SQL injection only works if the admin allows variables that have no place in the work that is being done. As long as you lock down your database injection can be thwarted. Not too big of a threat anymore.

    This.

    SQL Injection is something that's pretty well documented and good developers are aware of it- the problem comes from rushed jobs or code that doesn't have any kind of cleaning or checks.

    A valuable lesson learned from the story of little Bobby Tables.

    I work as a DBA and that comic got printed out a couple of months ago and sits upon my monitor. Generally I consider xkcd to be very hit and miss, that one was a definite hit though.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited March 2010
    Oh goody, a new vulnerability.

    To be fair, this one is pretty lame. It only impacts 2000, XP, and 2k3 server, so Vista and 7 are safe. That being said, this line of attack requires the user to push F1 to access Windows Help in order to deliver the payload. Seems very specific, but Microsoft has said that they are "concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk." Which may indicate that this is in the wild.

    Edit: This threat also seems to be IE specific. ("The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer")

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited March 2010
    Next in line for 'Ridiculous Browser Vulnerabilities' is my personal browser of choice: Opera!

    With the release of 10.5 less than a week ago, Secunia have already found a highly critical vulnerability in the browser. There's no mitigation known, so if you're using Opera chances are you want to be highly careful. This may impact earlier versions as well.

    Also, if you've upgraded to 10.5, note that Opera's keeping ports open on your computer for the silliest, goose-iest of reasons. In 10.1 the Opera Unite webserver options still 'listened' and 'broadcasted' despite turning them off in the GUI. In order to terminate those features, you had to use the opera:config menu and drill down to find the webserver options. In 10.5, it's not possible to close the UDP ports that Opera opens for this purpose. You can find out more here.
    It really seems that final 10.50 keeps Unite enabled and sends IGMP messages. Most likely UPnP / Service Discovery. Whatever you do you can't close UDP port 1900 and another random UDP port.

    Late Edit: Holy shit, but the Opera forums are a seething cesspool of nasty fanboys. Not only has Opera at this point denied that the buffer overrun is a security problem, but members of their forums are outright belligerent toward anyone suggesting this security issue is critical.

    TetraNitroCubane on
  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited March 2010
    Not to be outdone by Opera, IE 6 and IE 7 are both still kickin' along with new vulnerabilities! Despite IE 6 having a funeral, at that.

    The new Microsoft security advisory explains it better than I can. Bottom line: Don't use IE 6 or IE 7. There's really no reason to anymore - and if there is, there's something wrong with the websites you're relying upon.
    Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

    Update: I don't know if anyone's been following the Opera vulnerability debacle, but it's taken an interesting turn. After 10.5 was released, someone disclosed the buffer overrun described above. Opera's official response to the community was "This isn't a security issue - it only causes a crash". Secunia posted the issue as a vulnerability anyway, which prompted Opera to request additional information. Afterward, Secunia elaborated with this statement, basically saying "No, really, you guys have a buffer overrun that can cause remote code execution". Opera devs respond accordingly by saying it will be handled in due time.

    TetraNitroCubane on
  • Synthesis Honda Today! Registered User regular
    edited March 2010
    Somewhat unrelated, apparently MSE released a major upgrade recently. Complete with a little corner-right popup asking you to update. Unfortunately, through no real fault of Microsoft, the pop-up message looks a lot like the various "phishing" antivirus programs that have been cropping up recently.

    Instinctively, I closed the original popup, but I did check MSE, which had the notification. I'd never seen this upgrade screen before, so it's surprising.

    Synthesis on
  • Barrakketh Registered User regular
    edited March 2010
    Update: I don't know if anyone's been following the Opera vulnerability debacle, but it's taken an interesting turn. After 10.5 was released, someone disclosed the buffer overrun described above. Opera's official response was "This isn't a security issue - it only causes a crash". Secunia posted the issue as a vulnerability anyway, to much grumbling from the Opera community. Secunia fired back with this statement, saying "No, really, you guys have a buffer overrun that can cause remote code execution". Opera devs have been silent ever since.
    Opera devs haven't been silent according to that link. They "[have] acknowledged to us that they are now handling it as a security issue and will be issuing an advisory and fix as soon as possible."

    They had previously contacted Secunia after the advisory was released with their position that it wasn't a security vulnerability, and as per the linked article asked Secunia to either a) revise it, or b) "provide them with additional information." Secunia chose the second option, and the Opera devs changed their position on the matter.

    Barrakketh on
    Rollers are red, chargers are blue....omae wa mou shindeiru
  • TetraNitroCubane The Djinnerator At the bottom of a bottle Registered User regular
    edited March 2010
    Barrakketh wrote: »
    Update: I don't know if anyone's been following the Opera vulnerability debacle, but it's taken an interesting turn. After 10.5 was released, someone disclosed the buffer overrun described above. Opera's official response was "This isn't a security issue - it only causes a crash". Secunia posted the issue as a vulnerability anyway, to much grumbling from the Opera community. Secunia fired back with this statement, saying "No, really, you guys have a buffer overrun that can cause remote code execution". Opera devs have been silent ever since.
    Opera devs haven't been silent according to that link. They "[have] acknowledged to us that they are now handling it as a security issue and will be issuing an advisory and fix as soon as possible."

    They had previously contacted Secunia after the advisory was released with their position that it wasn't a security vulnerability, and as per the linked article asked Secunia to either a) revise it, or b) "provide them with additional information." Secunia chose the second option, and the Opera devs changed their position on the matter.

    Ok. I revised my statement to reflect this.

    TetraNitroCubane on
  • yotes Registered User regular
    edited March 2010
    Potentially silly question, but..

    I haven't been able to access Windows Update for a few months without using Tor. Should I be worried that a malicious man in the middle might be poisoning my downloads? I know the possibility exists, but WU should have checksums and such to verify updates, right?

    yotes on