
Archive for October 4th, 2006


Oct4
by Sheryll Tiauzon (Advanced Threats Researcher)

Microsoft recently released a security advisory regarding a vulnerability found in the WebViewFolderIcon ActiveX control (Web View). They’ve also reported that they are already working on a security update scheduled for release on October 10.


As an overview: Web View is one of two formats Windows Explorer provides for viewing file and folder information. It lets users preview documents as thumbnails before opening them, and it also displays additional information such as the title and author.


In a Web-based attack scenario, the attacker would have to host a Web site containing a Web page that exploits this vulnerability. The attacker has no way to force users to visit a malicious Web site; instead, he would have to persuade them to visit it, commonly by getting them to click a link that takes them to the attacker’s page. An attacker who successfully exploits this vulnerability could gain the same user rights as the local user, so users whose accounts are configured with fewer rights on the system would be less impacted than those who operate with administrative rights.


We already posted an article regarding this vulnerability a couple of days ago.

 
Posted in Uncategorized |

Oct4
by Paul Oliveria (Technical Communications)

Some industry experts have coined a new term, “exploit week”, for the days following the release of a Microsoft Security Bulletin. Very fitting, considering that for the past couple of months, new zero-day exploits and previously unknown vulnerabilities have surfaced days after Microsoft posted its patches, which in turn fixed the zero-day exploits released days before that… well, you get the picture.


One day after Microsoft’s special Security Bulletin release concerning the VML vulnerability (which, by the way, caused so much hullabaloo that ZERT, a third-party organization, even released an unofficial patch for it), two new zero-day exploits were detected by Trend Micro. The first is TROJ_PPDROPPER.L, which takes advantage of a vulnerability in MS PowerPoint to drop and execute a backdoor. Hours later, a proof-of-concept HTML file detected as HTML_IESLICE.A was discovered, taking advantage of a new vulnerability in Internet Explorer (as if the security industry didn’t already have its hands full with the other IE exploit…) that could allow remote attackers to execute malicious code on an affected system.


Gone are the days when exploit code was released only after the patch for a vulnerability was made available. Remember the MSBLAST, SASSER, and ZOTOB worms? They wreaked such havoc in their time, yet they were not released in the wild until at most a week after Patch Tuesday. Now the trend is to chase after exploit code, and by “chase” it usually means users have to wait 30 more days for the patch (and even that is not always a sure thing). It seems that Microsoft is moving from being proactive to being reactive.


This raises a question: is Patch Tuesday still relevant? Granted, Microsoft has to follow a strict schedule for various reasons… but would it be better if they released fixes as soon as a bug is discovered? And with the emergence of ZERT, which aims to provide patches for vulnerabilities deemed threatening to information and system security, what then would Microsoft’s role be, other than that of an official patch distributor?

 
Posted in Uncategorized |

Oct4
by Jessie Paz (Advanced Threats Researcher)

Right after Microsoft released an out-of-cycle security update, a new 0-day exploit affecting MS PowerPoint was found in the wild. Apparently, Microsoft had been aware of this vulnerability prior to the discovery of the sample in the wild, because they already detect the sample as Exploit:Win32/Controlppt.X. The vulnerability must have been responsibly disclosed by its discoverer. In addition, Microsoft has published a security advisory to provide its customers with comprehensive information and workarounds.


TrendLabs has acquired a sample of the malicious PowerPoint file and has given the detection name TROJ_PPDROPPER.L.

 
Posted in Uncategorized |

Oct4
by Jasper Pimentel (Advanced Threats Researcher)

Last June, one of my blogs talked about how ASLR (Address Space Layout Randomization) would help prevent vulnerability attacks on Windows Vista by loading the code that runs the system into different memory locations. Recently, a paper has been released regarding a flaw present in the implementation of this security measure.


Here’s a summary of what the paper says: although ASLR does randomize where processes are loaded into memory, the way it randomizes them is fairly predictable. Based on how it is implemented, there are 256 ways of loading the code into memory, that is, 256 candidate locations the operating system can randomize among. However, it only uses 32 of those 256 locations. This means that whenever it randomizes an address, the same location can come up frequently, making it predictable for would-be attackers.


I share the same sentiments with the writer of the paper. Vista’s ASLR is far from utilizing its full potential. Improvements should definitely be made before this flaw can be used to facilitate another attack.
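To make the paper’s point measurable, here is an added example (not from the post or the paper) that models a loader choosing among 256 positions but only ever using 32, and computes how much randomness a defender actually observes. The 256 and 32 figures are the post’s; the 64KB slot size, the region base and the sampling are constructed assumptions.

```python
import math
import random
from collections import Counter

# Constructed model of the weakness described above. The post's numbers are
# used as-is: 256 possible positions, of which only 32 are ever chosen.
# The 64KB slot size and the region base are assumptions for illustration.
SLOT_SIZE = 0x10000
TOTAL_SLOTS = 256
REGION_BASE = 0x7F000000

def observed_entropy_bits(bases):
    """Shannon entropy, in bits, of a list of observed image base addresses."""
    counts = Counter(bases)
    n = len(bases)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def fixed_address_hit_rate(bases):
    """Fraction of loads that landed on the single most common base, i.e. the
    chance that anything assuming a hardcoded address finds the image there."""
    return max(Counter(bases).values()) / len(bases)

def constructed_loads(used_slots, n, seed=1):
    """Constructed sample of n image bases drawn from only `used_slots` of the
    TOTAL_SLOTS candidate positions (seeded, so the sample is reproducible)."""
    rng = random.Random(seed)
    return [REGION_BASE + rng.randrange(used_slots) * SLOT_SIZE for _ in range(n)]

def assess(bases):
    """Compare what was observed against the 8 bits that 256 positions allow."""
    return {
        "distinct_positions": len(set(bases)),
        "ideal_bits": math.log2(TOTAL_SLOTS),
        "observed_bits": observed_entropy_bits(bases),
        "fixed_address_hit_rate": fixed_address_hit_rate(bases),
    }

if __name__ == "__main__":
    for name, value in assess(constructed_loads(32, 10_000)).items():
        print(f"{name}: {value:.4f}" if isinstance(value, float) else f"{name}: {value}")
```

With only 32 of 256 positions in use, the observed entropy tops out at 5 bits instead of 8, and a single hardcoded address is right roughly one load in 32.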

 
Posted in Uncategorized |

Oct4
by Jasper Pimentel (Advanced Threats Researcher)

Tatana Kucharova, an 18-year-old blonde beauty from the Czech Republic, was crowned Miss World 2006 in the beauty pageant’s finals last September 30 in Warsaw, Poland. Some malware authors found it convenient to use this event as a way to spread their creations, as in the case of TROJ_AGENT.EVJ, which I mentioned in one of my blogs several weeks ago.


With news of Tatana’s coronation still hot off the presses, another similar incident has occurred. This new threat, which Trend now detects as WORM_SOHANAD.A (detection available since CPR 3.812.07), uses instant messenger applications as its propagation vector. Users who were frequently online over the past few days may have received this message from an unknown source:


The latest picture of our upcoming Miss World 2006: [link follows here]


At first glance, the link seems harmless; the casual user may think that it points to a forum where he can find a nice picture of the newly crowned Miss World. But once the link is clicked, no picture of Tatana appears. In fact, the website the URL refers to does not even contain a forum discussing Miss World, but rather a webpage describing a rare cancer. Huh?


Here’s what actually happened. Similar to what transpired with TROJ_AGENT.EVJ, when the user clicked the link to the forum, the browser was redirected to another site that downloaded WORM_SOHANAD.A onto the system. To cover up the deception, another redirection takes place, and this time the browser displays the webpage describing the rare cancer.


The worm is downloaded onto the affected system as the file svhost.exe or svchost32.exe in the Windows folder. To prevent advanced users from inspecting it, the worm disables the registry editor and the task manager. Should the worm be removed from the system, the malware ensures its future reinstallation by modifying IE’s start page to point to the website that downloads the worm onto the system.
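The registry changes described above are easy to check for after a cleanup. The following is an added example (not Trend Micro’s code) that parses a registry export and flags the three persistence and anti-analysis changes; the .reg snippet is constructed, the policy value names are the standard Windows ones, the URL is a placeholder, and the baseline of acceptable start pages is an assumption.

```python
import re

# Constructed .reg export (not taken from a real host) showing the changes the
# post attributes to the worm: registry editor and Task Manager disabled via
# the standard Windows policy values, and the IE start page pointed elsewhere.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/miss-world-picture"
"""

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
EXPECTED_START_PAGES = {"about:blank", "http://www.msn.com/"}  # assumed baseline

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Handles string ("...") and dword values, which is all this check needs."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                tree[current][name] = int(dword, 16) if dword is not None else string
    return tree

def triage(reg_text):
    """Return the findings that match the post's description of the worm."""
    tree = parse_reg(reg_text)
    findings = []
    policy = tree.get(POLICY_KEY, {})
    if policy.get("DisableRegistryTools") == 1:
        findings.append("registry editor disabled by policy")
    if policy.get("DisableTaskMgr") == 1:
        findings.append("Task Manager disabled by policy")
    start = tree.get(IE_MAIN_KEY, {}).get("Start Page")
    if start and start not in EXPECTED_START_PAGES:
        findings.append(f"IE start page changed to {start}")
    return findings
```

Run `triage` over an export taken with `reg export` of the two keys; a non-empty result after removal means the reinfection path the post describes is still in place.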


Malware propagation through instant messenger applications is not new. Interesting messages are often used as the social-engineering trigger to entice the user into clicking the malicious link. In fact, the messages used by WORM_SOHANAD.A are not limited to the Miss World message mentioned above; the worm also sends the following:


Just check out my new personal website


can u tell me what he will do next?


The end for girls who follow the famous footballer


A new dangerous computer virus that can destroys all your data has just been released. Click here to know how to avoid it.


As a security measure, do not click on any links sent through IM messages, especially if they come from an unknown source.

 
Posted in Uncategorized |


© Copyright 2008 Trend Micro Inc. All rights reserved.