Zero-Day Exploit: WICD under Linux

This has been a bad week for computing systems.

• Oracle Java exploit under Apple MacOSX, open and shut case.


• Microsoft Zero-Day Exploit in nearly all applications, still somewhat open.


• Adobe Acrobat Reader (Windows, MacOSX and Linux), open and shut case.


• Now a Linux Security issue, open and shut case.

WICD Linux Exploit

As published in the patch description.

Backtrack 5 R2 (the latest version) allowed the student to overwrite settings to gain a root shell. The flaw was found in wicd (the Wireless
Interface Connection Daemon)

What is WICD?

A network connection manager that aims to simplify wired and wireless networking in Linux.

If you are a wireless Linux user of WICD, get your patch.

Windows: Security Issues Again

Zero-Day Flaw in Windows Apps Since Early 2000's

Zero-Day Exploit:

A Zero-Day Exploit means that you turn-on or install software - you are vulnerable. Most PC's shipped applications bundled like MS Office on PC's, right out of the factory. Microsoft posted a security bulletin in April regarding some vulnerabilities.

Exploit Description:

The Register writes:

One of the four critical patches in the batch – MS12-027 – addresses an Active X issue that impacts numerous application and creates a mechanism to drop malware onto vulnerable Windows systems.

Microsoft warned of attacks in the wild against the zero-day flaw, which affects an unusually wide range of Microsoft products and Microsoft users. Applications affected include Office 2003 through 2010 on Windows; SQL Server 2000 through 2008 R2; BizTalk Server 2002; Commerce Server 2002 through 2009 R2; Visual FoxPro 8; and Visual Basic 6 Runtime.

And quotes:

"Attackers have been embedding the exploit for the underlying vulnerability CVE-2012-0158 into an RTF document and enticing the target into opening the file, most commonly by attaching it to an email," Wolfgang Kandek CTO at security services firm Qualys explains. "Another possible vector is through web browsing..."

Scope:

Basically, if you have a MS Windows platform with any Microsoft Application (i.e. Works, Office, Internet Explorer, etc.) - you are vulnerable... and Microsoft is warning users that attacks will begin to surge in the next 30 days, while people have not yet patched their system.

This thing has been around a decade, a facility provided by the OS, and embedded into applications on nearly every Windows based server and/or desktop on the internet. A patch is available now, but another issue recently uncovered will not be fixed until next month.

By the way, If you are a Windows, Apple, or Linux user - Adobe Acrobat Reader needs some patching, too.

If you are a Solaris client user, your system should be fine.


Nightmare Scenario:

We just discussed several days back about an Apple vulnerability due to a third-party Java exploit. This one is due to a competing Microsoft Technology called "Active-X".

Welcome to the proverbial nightmare scenario for network managers - every system, everywhere, must be patched immediately, because of OS based issues with nearly every business and consumer application. Don't delay!

Inevitable: Apple MacOSX Infected Via Java on Web

Inevitable: Apple MacOSX Infected via Java on Web

Abstract:
Desktop and Server based systems based upon Microsoft Windows platform have long been the most vulnerable platforms on the internet, providing the most efficient platform for malware writers to steal computing and network cycles from owners around the world. Various other open platforms (i.e. UNIX based systems), which serves much of the internet traffic, have long tried to keep from being infected, by applying more rigorous security rules at the OS level. Apple, being one such vendor who migrated to a UNIX platform, had been successful in keeping their clients secure - but finally a single Java based vulnerability has been discovered (and leveraged) to exploit some systems.

Virus Buster:
A virus vendor located in Russia recently published a short research article on a particular threat, which has been closed by Apple.

Doctor Web—the Russian anti-virus vendor—conducted a research to determine the scale of spreading of Trojan BackDoor.Flashback that infects computers running Mac OS X. Now BackDoor.Flashback botnet encompasses more than 550 000 infected machines, most of which are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.

While very uncommon, MacOSX based Apple Macintosh computers occasionally have third-party based software (i.e. Flash, Java, etc.) which can offer some level of vulnerability to all platforms, including MacOS, Windows, UNIX, etc.

The Origin:

The virus research company explains how computers get infected.

According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting dlink.com.

The Morphing:
Companies started working on a solution, but before Apple released a patch, there was an attempt to diversify the virus, so they might be able to survive once it was closed.

Attackers began to exploit CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507).

Security, At Last:
While this vulnerability has been "in the wild" on the internet for awhile, this particular virus was exterminated.

The vulnerability has been closed by Apple only on April 3, 2012.

Protecting Yourself:
This particular threat is not unique to Apple, but also other systems like Windows. Apple released a security patch, to close this vulnerability - it would be well advised that you regularly download updates from Apple to apply these patches whenever possible.

A general rule of thumb: STAY AWAY FROM IMMORAL (i.e. pornography) AND ILLEGAL (i.e. copyrighted material like music, videos, software, etc.) DOWNLOADS - NEVER VIEW OR DOWNLOAD SOFTWARE OFF OF THE INTERNET, UNLESS IT IS A WELL KNOWN SITE - NO MATTER WHAT COMPUTER YOU ARE ON... these sites notoriously try to download viruses to your computer!