Showing posts with label antivirus.

Oct 2, 2007

[GeekyCast] Disinfecting a Friend's Computer

I don't fully understand the irony behind me consistently trying to upload a new GeekyCast whenever I'm sick. This seems especially true when my nose is involved and my being sick becomes more audible than normal, hence highly evident in today's episode.

Beyond me sneezing with the mouthpiece covered and some general updates, today I quickly go over my internal checklist whenever I start tinkering with my friends' computers in an effort to make them perform better. I've created small "Utilities" folders in many of my friends' computers and laptops, sort of a signature mark of me having done work on the unit.

The software I discuss is generally free and is available for download from the web using trusted sites like Download.com, currently part of the CNET group of websites.

If you have questions or further ideas, feel free to leave your comments here or get in touch with me directly - it's easy enough if you just look around.

Download this episode (14 min)

Apr 19, 2007

[Security] McAfee VirusScan On-Access Scanner Vulnerability

iDefense has released a report about a vulnerability in McAfee VirusScan. The vulnerability is triggered when the On-Access Scanner component scans a file whose long file name contains multibyte characters, and only on computers that have East Asian language files installed and the default Unicode code page set to a multibyte character set.

When the vulnerability is successfully exploited, the On-Access Scanner component is disabled (so the machine is left without real-time scanning) or arbitrary code is executed.

This vulnerability is hard to exploit, as several conditions must all be met:

1. The file must have a long file name
2. The file name must contain multibyte characters
3. East Asian language files must be installed on the target computer, and the default Unicode code page must be set to a multibyte character set
4. The attacker must be able to place the file on the target computer (probably as an attachment to an email message, but the user has to save the attachment first)
5. The file must be opened, or the user must hover the mouse over it, so that the on-access scanner examines it

There is no workaround for this vulnerability, so McAfee VirusScan users are advised to install Patch15. See the McAfee Security Bulletin for details.

(Cross posted from here.)

Apr 17, 2007

[Security] Clam AV CAB File Unstore Vulnerability

Clam AV, a free antivirus licensed under the GPL, is an alternative to the commercial antivirus apps out there. Like any other application, it has vulnerabilities too.

iDefense has recently reported a vulnerability in Clam AV that is triggered when it scans a malformed CAB file, whether corrupted by accident or crafted on purpose. Successfully exploiting this vulnerability results in remote code execution; when the exploit fails, the application crashes. Versions in the 0.9x series are affected.

Since there is no workaround for this vulnerability, Clam AV users are advised to upgrade to 0.90.2, available from the Clam AV Downloads page.

NOTE: Remote code execution is especially dangerous here because no user intervention is needed: the scanner processes the file on its own. Crashing the app counts as a denial of service.
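The post does not describe how the malformed CAB file triggers the bug, and the code below is an added example, not Clam AV's code. It shows the one operation the advisory is named after, "unstoring" a CFDATA block from an uncompressed CAB folder, written first the unsafe way (every length taken on faith from the file) and then the hardened way. The CFDATA field layout (u32 csum, u16 cbData, u16 cbUncomp, then cbData payload bytes) and the 32768-byte block limit follow the Microsoft cabinet specification; a block with no per-block reserve area is assumed, and the sample payload is constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CFDATA header per the cabinet spec; no abReserve area is assumed here. */
#define CFDATA_HDR     8u
#define CAB_BLOCK_MAX  32768u   /* spec limit on cbUncomp for one CFDATA block */

enum cab_status {
    CAB_OK = 0,
    CAB_TRUNCATED,      /* header promises more bytes than the input holds */
    CAB_BAD_SIZE,       /* size fields inconsistent for a stored (uncompressed) block */
    CAB_OUT_TOO_SMALL,  /* caller's output buffer cannot hold cbUncomp bytes */
    CAB_BAD_CSUM        /* block checksum mismatch */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* CAB checksum from the cabinet spec: XOR of little-endian 32-bit words,
 * with a 1-3 byte tail folded in as the spec's switch does. */
uint32_t cab_csum(const uint8_t *p, size_t n, uint32_t seed) {
    uint32_t c = seed, tail = 0;
    for (; n >= 4; p += 4, n -= 4) c ^= rd32(p);
    switch (n) {
        case 3: tail |= (uint32_t)*p++ << 16; /* fall through */
        case 2: tail |= (uint32_t)*p++ << 8;  /* fall through */
        case 1: tail |= (uint32_t)*p;         /* fall through */
        default: break;
    }
    return c ^ tail;
}

/* UNSAFE pattern (illustration only, never called here): the copy length
 * comes straight from the file, so a lying header reads past blk and writes past out. */
void cab_unstore_unchecked(const uint8_t *blk, uint8_t *out) {
    memcpy(out, blk + CFDATA_HDR, rd16(blk + 4));
}

/* Hardened version: every length taken from the file is checked against what
 * the caller actually owns before a single byte is copied. */
enum cab_status cab_unstore(const uint8_t *blk, size_t blk_len,
                            uint8_t *out, size_t out_cap, size_t *written) {
    *written = 0;
    if (blk_len < CFDATA_HDR) return CAB_TRUNCATED;
    uint32_t csum = rd32(blk);
    uint16_t cb_data = rd16(blk + 4), cb_uncomp = rd16(blk + 6);
    /* A stored folder applies no compression, so both counts must agree. */
    if (cb_data == 0 || cb_data != cb_uncomp || cb_uncomp > CAB_BLOCK_MAX) return CAB_BAD_SIZE;
    if (blk_len - CFDATA_HDR < cb_data) return CAB_TRUNCATED;   /* input bound */
    if (out_cap < cb_uncomp) return CAB_OUT_TOO_SMALL;          /* output bound */
    if (cab_csum(blk + CFDATA_HDR, cb_data, cab_csum(blk + 4, 4, 0)) != csum) return CAB_BAD_CSUM;
    memcpy(out, blk + CFDATA_HDR, cb_uncomp);
    *written = cb_uncomp;
    return CAB_OK;
}

/* Builds a well-formed stored CFDATA block around payload; returns its total length. */
size_t cab_build_stored(const uint8_t *payload, uint16_t n, uint8_t *dst, size_t dst_cap) {
    if (n == 0 || dst_cap < CFDATA_HDR + (size_t)n) return 0;
    wr16(dst + 4, n);
    wr16(dst + 6, n);
    memcpy(dst + CFDATA_HDR, payload, n);
    wr32(dst, cab_csum(dst + CFDATA_HDR, n, cab_csum(dst + 4, 4, 0)));
    return CFDATA_HDR + n;
}

int main(void) {
    /* Constructed sample payload, not taken from any real cabinet. */
    static const uint8_t payload[] = "stored-folder-sample";
    uint8_t blk[64], out[32];
    size_t got;
    size_t n = cab_build_stored(payload, (uint16_t)sizeof payload, blk, sizeof blk);

    printf("well-formed       -> %d\n", cab_unstore(blk, n, out, sizeof out, &got));
    printf("truncated input   -> %d\n", cab_unstore(blk, n - 5, out, sizeof out, &got));
    printf("small output buf  -> %d\n", cab_unstore(blk, n, out, 8, &got));
    wr16(blk + 4, 0xFFFF);   /* lie about the data length, as a malformed file would */
    printf("lying size field  -> %d\n", cab_unstore(blk, n, out, sizeof out, &got));
    return 0;
}
```

The point of the ordering inside cab_unstore is that the two bounds checks and the size-consistency check all run before the checksum is even computed, because the checksum routine itself reads cb_data bytes and would otherwise be the first place an oversized field is dereferenced.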

(Cross-posted from here.)

Apr 10, 2007

[Security] Two Kaspersky Vulnerabilities

Two vulnerabilities regarding Kaspersky security products have been disclosed by iDefense.

The first is a heap overflow in Kaspersky Internet Security Suite that allows remote code execution.

Kaspersky's response is here.

The second is an information disclosure vulnerability in Kaspersky Antivirus (version 6) that could allow malicious Web sites to obtain files from a user's computer. The danger is that no dialog or warning window is shown when a malicious script starts the file transfer.

Kaspersky's response for this vulnerability is here.

Kaspersky users are advised to install Maintenance Pack 2 to patch these vulnerabilities.

NOTE: Remote code execution means an outsider gets to run code of their choosing on a computer they have no legitimate access to, by abusing a vulnerability or a backdoor. Information disclosure means a vulnerable application lets an outsider read data they should not be able to reach.

Apr 3, 2007

[Security] Microsoft Windows ANI Handling Vulnerability

Who loves those animated cursors?

Before grabbing that stuff from just anywhere, be careful: Microsoft has recently issued an advisory on a Windows vulnerability in the handling of ANI files (animated cursors).

People being prone to social engineering, animated cursors make a very good social engineering attack vector, and malware exploiting the vulnerability has already appeared. There's the Trojan downloader TROJ_ANICMOO.AX, which downloads (what else) another Trojan. Then there's Agent.BKY, which infects PHP and HTML files with a script that points to a site where the malicious ANI file is hosted.

An ANI file specially crafted to exploit the vulnerability can be embedded in an email or on a Web page, so read the SANS Internet Storm Center for mitigation measures.

Good thing Microsoft will issue a patch on April 3 PDT (April 4 PH time), one week ahead of the usual Patch Tuesday. Don't forget to patch, and update your antivirus apps.

Jan 30, 2007

[Malware Warning] New MS Word Zero-day Exploit in the Wild

A new zero-day exploit for Microsoft Word 2000 has been found. Microsoft has released a security advisory about the vulnerability, and a patch may be issued this coming February Patch Tuesday.

The vulnerability is present in Word 2000. When opened, a malicious .DOC file can corrupt system memory, allowing a remote attacker to execute arbitrary code on the affected system. Other Word versions are not affected.

Trend Micro detects the exploit code as TROJ_MDROPPER.EQ, and Symantec detects it as Trojan.Mdropper.W.

The usual precautions apply. Do not open email attachments from unknown sources. Update your antivirus apps. Patch your system when patches are available.

Jan 24, 2007

[Malware Warning] CME-711 on the Loose

The Storm worm and its Trojan cohorts had a wonderful run over the weekend, and the fun continues.

The recent variant, known as Small.DAM (F-Secure, Radar Alert 2), TROJ_SMALL.EDW (Trend Micro, Medium overall risk rating), CME-711, Downloader-BAI!M711 (McAfee) or Trojan.Peacomm (Symantec, Category 3), is usually spammed or dropped by other malware. The subjects of the spam emails that carry this Trojan are usually related to recent or current events.

When executed, this Trojan drops several files, one of which is a rootkit that enables the Trojan to hide its files and processes.

It also connects to several IP addresses on port 4000 (F-Secure data; Trend Micro lists several UDP ports).

Removing this Trojan is difficult because of the rootkit. Delete the following files if you find them on your system:

* peers.ini
* wincom32.sys
* wincom32.ini

If you believe your system is infected but cannot find the files listed above, use a rootkit detector; here are two:

* Trend Micro RootkitBuster (free)
* Microsoft Rootkit Revealer

Note that these tools are technical in nature and thus not for average users. I suggest you use the documentation (if any) provided by the software maker.

For a detailed cleaning solution, read the one from Trend Micro.

Your antivirus can remove this malware automatically, as long as its detection signatures are up to date.