News Stay informed about the latest enterprise technology news and product updates.

Security Bytes: Firefox, Microsoft under attack

The exploits target issues Microsoft patched earlier this month. Meanwhile, flaws are reported in Oracle for OpenView and a Mozilla Firefox keystroke logger is on the loose.

New Microsoft exploits in the wild
The SANS Internet Storm Center (ISC) has reported that new exploits targeting Microsoft vulnerabilities are now in the wild, one of which has been posted for public consumption.

The exploits reportedly involve three of the flaws Microsoft patched earlier this month:

  • MS06-034, an "important" issue with Internet Information Services (IIS) involving a remote code execution flaw via a specially crafted Active Server Pages (.asp) file.

  • MS06-035, a mailslot heap overflow vulnerability in a server driver that could allow an attacker to take complete control of the affected system, and a server message block information disclosure flaw in the server service that could allow an attacker to view fragments of memory used to store server message block traffic during transport.

  • MS06-036, a buffer overrun flaw in Windows' Dynamic Host Configuration Protocol (DHCP) client service that attackers could exploit to take complete control of an affected system.

    Johannes Ullrich, chief research officer of the Bethesda, Md.-based SANS ISC, said via email that the issue involving the flaw patched in MS06-036 is likely the most dangerous of the set.

    "It would attack a client as it boots and attempts to connect to a DHCP server to obtain an IP address. The 'PoC' exploit released would add a new user to the system," Ullrich said. "There is no good defense against this issue -- other than patching -- in particular if you have to work in public networks."

    However, he added, the exploit process is cumbersome, rebooting a PC a few times until it manages to work.

    Ullrich said the issue involving MS06-035 has some worm potential, but a basic firewall should keep end-users protected. It could be used once inside a network to spread a bot internally.

    He said the exploit involving the flaw in MS06-034 is likely the least severe. "It would require a user to upload a corrupt ASP page to a server. So an attacker would first need a valid user account on the system. This problem could be dangerous for users of shared web hosting environments," Ullrich said.

    Sources have reported that exploit code for two of the flaws, MS06-034 and MS06-036, has been posted to the Web site.

    "If you haven't already patched for these vulnerabilities," said SANS handler Donald Smith, "you should take immediate action."

    Oracle for OpenView flaws discovered
    The French Security Incident Response Team (FrSIRT) has reported multiple high-risk flaws in Oracle for OpenView, a data repository for Hewlett-Packard Co.'s OpenView systems management platform, created using a number of Oracle Enterprise Server and Oracle tools.

    "These issues could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary files, disclose sensitive information, conduct SQL injection attacks or bypass certain security restrictions," FrSIRT said.

    Affected Oracle for OpenView versions include 8.1.7, 9.1.01 and 9.2. The issues can be rectified by applying the fixes that Oracle released earlier this month in its most recent quarterly Critical Patch Update (CPU).

    Firefox keystroke logger is on the loose
    Mozilla Firefox users are warned to be on the lookout for instances of the FormSpy Trojan, instances of which are reported to be circulating in the wild.

    Avert Labs Blog, said the low-risk issue was discovered Monday. It installs itself as a Firefox component extension and will forward data that a user submits via the browser to a malicious Web site.

    "Upon successful execution, FormSpy hooks mouse and keyboard events," said McAfee's Geok Meng Ong. "It can then forward information such as credit card numbers, passwords and URLs typed in the browser to a malicious Web site hosted at IP address 81.95.xx.xx."

    McAfee said the installer was heuristically detected as, but has also been discovered as Downloader-AXM. It may be installed by visiting a malicious Web page with no user interaction.

    "Mozilla Firefox users should exercise caution in downloading and installing unsigned extension components from unreliable sources," McAfee said.

    This article originally appeared on

  • Dig Deeper on Linux servers

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.