VB 6 Can Come Visually Flawed
VBP files might not be as they seem. Plus: MySpace ad fix; Max Vision gets locked up.
An overly long detail field in a VB6 VBP file could allow
code of the criminals choice to execute in the context of the victim
user, according to this
from SecurityFocus.com. Updates are not available.
Although VB6 is now nine years old, VB source files are all over the
Internet to aid people in learning how to program in VB. Current versions
of VB, via Visual Studio, support VB6 VBP files which are converted as
soon as they are opened. As such, there may be a legitimate reason for
users to obtain VBP files from unknown sources. VBP files are plain text
files -- as such, those files should always be opened in Notepad prior
to opening them in VB to ensure their contents are as expected. Examination
of any criminally crafted VBP file will quickly reveal shellcode used
to execute the criminals intent.
If you must allow VB6 VBP files in your environment, ensure users are
made aware that they should be cautious. Exploit code has been published.
Bad Exposure on MySpace
According to content filtering provider ScanSafe, ads being served up
on MySpace and other sites via banner ad provider RightMedia were laced
with criminal malware using an iframe that attempted to serve up numerous
exploits. ScanSafe said they believed the ads were being served for at
least several weeks, suggesting that millions were exposed to them. Photobucket
"attackers code inserted into the hostile ads was designed to recognize
the difference between one of their ads served to a regular Web site visitor
and RightMedia's scanning servers," said one Washington Post blogger
Allegedly the ads were being delivered to RightMedia via a third-party
server. RightMedia claims to have mechanisms in place to scan ads for
malware, but ScanSafe claim the ads contained code that recognized when
they were being inspected by RightMedias malware detectors, and
delivered just the benign ads to RightMedia.
Clearly theres a significant problem with the banner ad deliver
mechanisms. RightMedia should not be relying upon its own detection mechanisms
if those detection systems are not dynamic. It would be trivial to have
an ad that simply detects the IP addresses used by RightMedia, for example,
to avoid delivering criminal content to inspection systems. Criminals
have been hiding themselves from systems that inspect code for years,
so its not like this is a new idea.
RightMedia said it could not control what happens elsewhere on the Internet,
but if it's going to deliver content, even content that it received from
a third party, then RightMedia must be prepared to accept responsibility
for whatever it is sending. That means the company should have stricter
contracts with those third parties to ensure it has some means of redress
in the event a criminal submits a Trojan to RightMedia, directly or not.
Maxed Out on Credit Card Theft
Max Butler, also known as Max Vision and several other online
names, has been arrested and charged with three counts of wire fraud and
two counts of transferring stolen identity information, according to this
report from ComputerWorld. This is the same guy who, in 2000,
was convicted of hacking into government computers and installing back
As I always say: once a criminal, always a criminal. In 2000, Butler
continually said he was innocent, and nothing more than a security researcher
trying to secure sites by discovering vulnerabilities and patching
them. He served 18 months in prison and got three years probation, and
it would seem that shortly after his probation was up he went right back
to doing what he knew best -- namely, breaking into computers. He now
faces up to 40 years in prison and could be fined up to $1.5 million.
Meanwhile, the site he frequented to exchange information with other criminals
has publicly stated that it's erasing all of the information and recommending
those that participated in the site do the same. We can only hope that
group is arrested for destroying evidence.
This column was originally
published in our weekly Security Watch newsletter. To
subscribe, click here.
McKesson Loses Patient Info
McKesson, a health-care services company, had two computers stolen from
its offices. The company isn't sure how much patient information was on
either of the systems or whether the info was encrypted, says this
article in InformationWeek, and so are alerting everyone whose name
was on either. McKesson is providing free credit monitoring services for
one year for any patient who requests it.
Think about how insecurely this patient data was being stored. Not only
do they not know precisely what data was there: potentially, it included
diagnoses, prescriptions and dosages information, as well as personally
identifiable details like addresses, birth dates and Social Security numbers.
The company also dont know which computer the data was stored on,
and whether or not it was encrypted. One could argue that this is merely
a record-keeping issue, but more realistically it sounds like it simply
had no procedures in place to ensure the patient data was safe. Dont
let this happen to you!
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.