GeoApps Security Newsletter for the week of 2009-09-21

Last change: 04:01 ET Tue 22 Sep 09

895
hits since
21 Sep 09
 
  1. Remote exploit, temporary patch released for SMB2 worm hole
  2. Why kids should never have admin rights
  3. Rampant brute-force attack against Yahoo Mail
Links were current as of Monday, September 21, 2009
Remote exploit, temporary patch released for SMB2 worm hole
The SMB2 hole reported here last week now has both a remote exploit and a "one-click" temporary patch from Microsoft. The hole affects Windows Vista, Windows 7 RC (but not Windows 7 RTM), and Windows Server 2008. Windows XP and earlier versions, which do not support SMB2, are not affected. See "Remote exploit released for Windows Vista SMB2 worm hole" and "Microsoft ships one-click 'workaround' for critical SMB2 flaw", both at ZDNet's "Zero Day" blog. See also "Microsoft Releases A 'Fix it' Workaround For SMBv2 Vulnerability" at the ISC SANS daily diary.

The fix involves manually visiting each potentially-affected machine. I expect Microsoft will roll out a Windows Update patch soon.

Why kids should never have admin rights
Last week it wasn't just the New York Times site that was hacked to serve up malware. Another popular mainstream site, PBS.org, was also hacked. The Zero Day blog at ZDNet.com reports the following:
Some sections of the popular PBS.org Web site have been hijacked by hackers serving up a cocktail of dangerous exploits. According to researchers at Purewire, attempts to access certain PBS Web site pages yielded JavaScript that serves exploits from a malicious domain via an iframe. The malicious JavaScript was found on the “Curious George” page that provides content on the popular animation series. ...
The URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).
UPDATE: A representative for PBS.org tells me the malicious code has been removed from the site.

A quick review of the various CVE pages suggests that any malware downloaded would execute using the privileges of the logged-in user. If the person visiting PBS's Curious George page is a local administrator, then the system could be taken over. If the person visiting the Curious George page is just logged in to a "user-level" account, then the potential to damage the system is much lower.

Click the links at the ZDNet page for more details.



Rampant brute-force attack against Yahoo Mail
If you have an account at Yahoo or a Yahoo Mail account, and your password is 8 characters or less (both of mine were), you should change the password ASAP. I have tested this attack and it works -- the Bad Guys can attack Yahoo accounts by brute force, and 8 characters is just not enough to resist this attack. My Yahoo accounts now all have passwords using 12 or more random characters (including mixed case, numbers, and punctuation). The details of the attack are reported here:
"A widespread brute-force attack against Yahoo email users aims to obtain login credentials and then use the hijacked accounts for spamming, a researcher at Breach Security disclosed last week."
Based on the details provided in this article I was able to test multiple different Yahoo accounts for both valid login names and valid passwords, and if a simple user like me can do this, a real hacker can too... If someone has your Yahoo login name, determining the password using this technique is just a matter of testing by brute force until you get in. Not Good for those of us with short (8 characters or less) passwords.