Security Watch

DirectX Confusion Is Good News -- For Hackers

Thanks to Microsoft, outdated versions of DirectX can leave users vulnerable.

Hacking
MS05-050 v2 - Vulnerability in DirectShow Could Allow Remote Code Execution: Microsoft re-issued this bulletin yet again, this time providing an entirely new binary that is now alleged to account for all possible problem DirectX installations. Problem installations come about because some users may have installed the wrong DirectX version on their system. Of course one has to ask the question: How the heck could someone install the wrong version of DirectX on their system? The answer lies in the ongoing problem Microsoft has that some technologies have their own teams who seem to be unaware of the various Microsoft operating systems, or at the very least how to properly identify them.

I choose to install the wrong version of a package on my system…shame on me…MS allows me to install the wrong version of an integral component on my system…what are they thinking?

It was a rough year for Internet Explorer 6.0 in 2005. We received seven Cumulative Updates for Internet Explorer addressing 18 different vulnerabilities in 2005, versus only four in 2004, which addressed 16 vulnerabilities. Probably the most interesting fact was that all of the IE vulnerabilities addressed in 2005 affected IE 6.0 SP2 equally with IE 6.0 pre-SP2. Given all of the hoopla associated with the massive effort put into developing SP2, one could have hoped to see it fare better than its predecessors. One could easily conclude that the exhaustive search Microsoft suggested it did to root out bad code simply yielded more features and, seemingly, little bad code. On the upside I suppose we can say that at least we didn’t see vulnerabilities that were unique to IE 6.0 SP2.

Metasploit Framework v3 “Alpha” released: Metasploit Framework is an open-source platform for, amongst other things, exploit “research” and testing.

The primary change in this version seems to be the change from Perl to Ruby as the development language.

Denial of Service
Northgate Information Systems, 3Com and online fashion retailer ASOS were among companies affected by explosions at the oil depot near Hemel Hempstead, U.K. Northgate indicated that, as a result of the damage caused by the explosion, its backup facilities failed. As such, they had to institute their business continuity plan, which involved the use of off-site facilities in order to service their customers.

This just goes to emphasize that it's not just your building you have to worry about, but nearby buildings, too, when considering your disaster recovery and business continuity plan.

Malicious Code
The next big Sober worm attack was scheduled to take place Jan. 5 or 6. The date was embedded in previous Sober variants. AV vendors determined the URLs from which the worm would download its new instructions.

You've got to love the hype that was wrapped around that announcement. Far be it from me to suggest that this had anything to do with hoped-for Christmas sales of anti-virus and other security software.

Spyaxe purports to be an anti-spyware tool, but it’s in fact adware. It has been, at times, the No. 2 hit on Google for "spyware." CoolWebSearch was No. 1 on the you-don't-want-to-get list, but it has now been replaced by Spyaxe. This isn’t the first time that software purporting to be “security software” has, in fact, been malicious…nevertheless, it demonstrates the problem the public faces. What do they hear? “Got spyware? Get an anti-spyware tool!” How are they to know that one tool is legitimate and yet another isn’t?

Human Factors
Adobe has announced that it, too, like Microsoft, Cisco and others, is going to move to a regular monthly schedule for publishing fixes for most, if not all, of its products. This will also include updates for the Macromedia Flash Player, recently acquired by Adobe.

We’ve been in favor of monthly patch release schedules, particularly for security updates. However, we do hope that Adobe chooses a date of their own rather than piggybacking on a date in use by others, especially the second Tuesday of each month used by Microsoft. If all vendors decided to use the same day, that day would easily become too burdensome to allow for immediate action should it be needed by any vendor.

Physical Security
A victim of the recent Sam's Club security breach believes his information was stolen via a card-skimming device attached to the credit card reader on the Sam’s Club gas pump. "I remember the credit card reader looking different," he said. "Unfortunately, I realized what this meant after I discovered the fraudulent charges."

Problems determining whether cash is real or fake have led to numerous improvements, but counterfeiting remains a prevalent risk for any consumer and merchant. Today, consumers face the additional problem of determining whether the device a merchant offers them to pay electronically is legitimate. With so many steps in the process, there is a far greater opportunity for fraud in electronic payment processing than there is in cash payments, yet electronic transactions remain the safest method for consumers, primarily by virtue of the financial institutions’ willingness to reimburse customers for fraud.

Windows OneCare Live has been found to disable Absolute Software's Computrace LoJack software. Windows OneCare Live is a comprehensive security solution from Microsoft, which is still in beta; it provides firewall, anti-virus, anti-spyware and “tune-up” features. LoJack is intended to provide laptop tracing in the event a laptop is stolen.

News stories about problems with beta software…you gotta love it. Unfortunately, far too many people forget the purpose of beta testing, which is to determine whether any problems exist, and if they do, get them resolved prior to going public. In this case, one beta tester decided to inform Cnet, who in turn made a story out of it.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
