shell extension
The vulnerability arises from the fact that there are other extensions, such
as .svg, .mht and .mhtml, that do not appear in Chrome's malicious-extension
blacklist, so the user never gets a warning message before they are
automatically downloaded to his or her computer. If these downloaded files are
clicked from Chrome's download bar or from Windows Explorer (which the user
is highly likely to do, trusting Chrome to warn about malicious extensions),
they will automatically be opened in other browsers and can be used to steal
any file on the user's computer.
The reason for the name "Blended Browser Threats" is because here, Google
1. Stop the Operations Manager for Windows console and its additional binaries, such as node editor.
2. From a command prompt, backup %OvInstallDir%\bin\srcvw4.dll
3. From a command prompt, copy OMW60_srcvw4.dll into %OvInstallDir%\bin\srcvw4.dll
4. Verify that %OvInstallDir%\bin\srcvw4.dll is now v4.0.1.2
Note: Steps 2 and 3 above must be performed from the Windows command line, not from Windows Explorer.
For Operations Manager for Windows v7.5
Verify the version of srcvw32.dll currently installed
Internet Video Recording (IVR) files contain media content that is played and recorded by RealPlayer. A remote attacker could craft a malicious IVR file that, when sent to an unsuspecting user, may allow the execution of arbitrary code when viewed, via one of two vulnerabilities in RealPlayer's IVR processing routine:
* A heap corruption vulnerability that occurs when altering a field that determines the length of a structure
* A vulnerability that allows an attacker to write one null byte to an arbitrary memory address by using an overly long file name length value
It should be noted that the victim does not necessarily have to open the malicious file for exploitation to occur: the vulnerabilities lie in a DLL that is also used as a plugin for the Windows Explorer shell. A successful attack could take place by merely previewing the IVR file through Windows Explorer.
Solutions:
==========
The FortiGuard Global Security Research Team released the signature "RealNetworks.RealPlayer.IVR.File.Processing.Code.Execution"
If the resulting file is placed on the desktop of, for example, an XP SP3
machine, the explorer.exe process will exit with code 1282 (0x502), which is
ERROR_STACK_BUFFER_OVERRUN, and keep crashing indefinitely; you cannot even
browse a folder if the file is present in it.
Solution: disable the shell extension; you may try ShellExView by NirSoft.
Note (added 30/05/2009, remote vector added): it also works with network
folders ...
against a win2k3 where explorer.exe is not patched with /GS flag:
Description:
Passing the file protocol handler to a certain HTML allows reading local
files.
On Windows it is possible to create an instance of Windows Explorer by
calling an executable file. Other operating systems were not tested.
In detail, the following flaw was determined:
> running in the same interactive logon space, and when it starts, it just
> calls another popup in the previous Outlook space and then terminates
> itself (that's close enough, anyway). The good news is that there is no
> "user hopping" or "boundary crossing" here.
Sounds comparable to what the Windows Explorer does when
it is not explicitly set to run as a separate process (or
started with the /separate switch).
Is there some design principle behind this kind of behaviour?
where X is an integer like 1,2,3, depending on the Internet Explorer
choice.
The cookies folder is hardcoded inside the Explorer engine as a
restricted site. You can check it by looking at the status bar when
browsing this folder with Windows Explorer.
When requesting a resource, for example in the 'src' attribute of an
HTML 'img' tag, Internet Explorer allows the use of 'smb' URIs. So,
when IE attempts to render the following line:
Or what Firefox, Mozilla and others do when you start them on the command
Problem confirmed on multiple Windows Explorer releases and also reproduced in antivirus software (same infinite loop consuming 100% CPU).
can reduce potential attack vectors and make exploitation more
difficult.
Prevent PDF documents from being opened automatically by the Web browser
Disable JavaScript
Disable PDFShell extension by removing or renaming the Acrord32info.exe file
VI. VENDOR RESPONSE
Adobe has released a patch which addresses this issue. Information about
downloadable vendor updates can be found by clicking on the URLs shown.
The vendor did not provide fixes or workaround information.
To prevent the accidental execution of malicious script files, you
can disable the default file association of the dangerous file
extensions in Windows Explorer. The following KB article from
Microsoft describes how to disassociate a file extension.
http://support.microsoft.com/kb/307859
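The disassociation step scripted in PowerShell, as an added example that is not part of the advisory or of the Microsoft KB article: it records the current machine-wide association for the common Windows Script Host extensions and then points the per-user association at the standard txtfile ProgID, so that a double-click in Explorer opens the file as text in Notepad instead of handing it to wscript.exe. The extension list is an assumption; adjust it to the extensions the advisory considers dangerous.

```powershell
# Added example, not code from the advisory or from Microsoft.
# Re-point script extensions at the txtfile ProgID for the current user.
# Assumed extension list; extend it as needed.
$ScriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'
$BackupFile = Join-Path $env:TEMP 'script-assoc-backup.txt'

function Backup-ScriptAssociation {
    # HKCR is the merged view Explorer consults; 'assoc' prints e.g. ".vbs=VBSFile".
    foreach ($ext in $ScriptExtensions) {
        $current = cmd /c "assoc $ext 2>nul"
        if ($current) { Add-Content -Path $BackupFile -Value $current }
    }
}

function Disable-ScriptAssociation {
    foreach ($ext in $ScriptExtensions) {
        # HKCU\Software\Classes overrides HKLM\Software\Classes for this user only,
        # so no elevation is required and other accounts are unaffected.
        $key = "HKCU:\Software\Classes\$ext"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
    }
}

function Show-ScriptAssociation {
    foreach ($ext in $ScriptExtensions) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        '{0,-6} -> {1}' -f $ext, $progId
    }
}

Backup-ScriptAssociation
Disable-ScriptAssociation
Show-ScriptAssociation   # each line should now read "<ext> -> txtfile"
```

Two caveats a practitioner should keep in mind. First, this changes only what Explorer does on a double-click; a file passed explicitly to wscript.exe or cscript.exe still runs. Second, on Windows 8 and later a per-extension "UserChoice" entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts takes precedence when a user has picked a default program for that extension, so verify the result with the Show-ScriptAssociation output (or `cmd /c assoc .vbs`) rather than assuming it. To restore the original behaviour, delete the HKCU\Software\Classes\<ext> keys the script created or replay the lines in the backup file with `assoc` from an elevated prompt.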
6. *Credits*
victim to open it. This can be accomplished by embedding the PDF file
in an IFRAME inside a Web page, which will result in automatic
exploitation once the page is viewed. The file could also be e-mailed
as an attachment or placed on a file share. In these cases, a user
would have to manually open the file to trigger exploitation. If
preview is enabled in Windows Explorer, this vulnerability can be
triggered simply by accessing a folder containing PDF files.
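Several advisories on this page end with the same advice, "disable the shell extension", because a parser bug in a preview or property handler DLL is reachable by merely browsing to a folder. The following PowerShell is an added example, not code from any of the advisories or vendors quoted here: it lists the preview handlers Explorer will load for the preview pane (Vista and later), resolves each CLSID to the DLL that implements it, finds the handler registered for a given extension, and adds a CLSID to the policy list that tells Explorer not to load that extension. The .pdf lookup at the end is illustrative; any extension from the advisories can be substituted.

```powershell
# Added example, not code from any advisory quoted on this page.
# Enumerate Explorer preview handlers, map them to DLLs, and block one by CLSID.
function Get-PreviewHandler {
    # Each value under this key is named by the handler CLSID; its data is a friendly name.
    # 32-bit handlers on 64-bit Windows register under ...\Wow6432Node\... (not listed here).
    $listKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers'
    $values  = Get-ItemProperty -Path $listKey
    $clsids  = $values.PSObject.Properties.Name | Where-Object { $_ -like '{*}' }
    foreach ($clsid in $clsids) {
        # InprocServer32's default value is the DLL Explorer loads in-process.
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Clsid = $clsid
            Name  = $values.$clsid
            Dll   = [Environment]::ExpandEnvironmentVariables([string]$server.'(default)')
        }
    }
}

function Get-PreviewHandlerForExtension {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.pdf'
    # Explorer looks up the preview handler for a file type under
    # HKCR\<ext>\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}; the default value is the CLSID.
    $key = "Registry::HKEY_CLASSES_ROOT\$Extension\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}"
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
}

function Block-ShellExtension {
    param([Parameter(Mandatory)][string]$Clsid)
    # Explorer refuses to load any CLSID listed as a value name under this key.
    # Requires elevation; affects explorer.exe instances started after the change.
    $blocked = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked'
    New-Item -Path $blocked -Force | Out-Null
    Set-ItemProperty -Path $blocked -Name $Clsid -Value ''
}

Get-PreviewHandler | Format-Table -AutoSize
$pdfHandler = Get-PreviewHandlerForExtension -Extension '.pdf'
if ($pdfHandler) { Block-ShellExtension -Clsid $pdfHandler }
```

If the extension lookup returns nothing, the handler may be registered on the file type's ProgID instead (HKCR\<ProgID>\shellex\{8895b1c6-...}), which Explorer also consults. The XP and 2003 era advisories above predate preview handlers; there, the "Web View" pane and infotips went through other shellex categories (column, infotip and property-sheet handlers), which is why ShellExView, listing every category, is the tool those advisories suggest. Blocking a handler removes the browse-to-trigger vector only; the vulnerable parser is still reached when the file is opened, so this is a stopgap until the vendor patch is applied.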
IV. DETECTION
Acrobat Reader and Acrobat Professional versions 7.1.0, 8.1.3, 9.0.0 and
It is important to note that a SAMI file does not necessarily have to
end with a .smi or .sami extension. DirectShow will identify the file
based on the file contents.
If "Web View Content" is enabled in Windows Explorer, which is the
default setting, a single click will open the malicious file in the
preview pane and trigger the vulnerability.
DirectX 9.0c is listed as an optional update for Windows 2000 operating
system in Windows Update site. It is not listed as a critical update.
located at: 'C:\Documents and settings\USERNAME\Local
settings\History\History.IE5\index.dat'. Although the format of this
file is not entirely text, IE will store every visited URL including any
parameters in the query string in plain text.
2. Although the aforementioned folder cannot be directly browsed
using Windows Explorer or Internet Explorer, it can be browsed and
viewed by referring to the same folder using the UNC notation:
'\\[COMPUTERNAME|127.0.0.1]\C$\Documents and settings\USERNAME\Local
settings\History\History.IE5'.
3. There are some HTML tags which allow to embed contents from
external files and treat them with a specific format disregarding the
Alternatively, use the file information below to determine if the
product installation is vulnerable.
CA ARCserve Backup r11.1 Windows:
1. Using Windows Explorer, locate the file "DBserver.dll". By
default, the file is located in the
"C:\Program Files\CA\BrightStor ARCserve Backup" directory.
2. Right click on the file and select Properties.
version number is 1.2.276 or higher. For support information,
visit http://shop.ca.com/support.
How to determine if you are affected:
1. Using Windows Explorer, locate the file "kmxfw.sys". By default,
the file is located in the "C:\Windows\system32\drivers\" directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file version is less than indicated in the below table,
the installation is vulnerable.
latest patches.
BrightStor ARCserve Backup v9.01 - QO91098
CA Protection Suites r2 - QO91094
How to determine if you are affected:
1. Using Windows Explorer, locate the file "mediasvr.exe". By
default, the file is located in the
"C:\Program Files\CA\BrightStor ARCserve Backup" directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file timestamp is earlier than indicated in the table
CA Desktop Management Suite 11.2 localized:
Apply QO91111.
How to determine if you are affected:
For Windows:
1. Using Windows Explorer, locate the file "rxRPC.dll". The file
can be found in the following default locations:
Products \ Directory Paths
--------------------------
CA ARCserve Backup for Laptops and Desktops 11.5
How to determine if the installation is affected
For Windows:
1. Using Windows Explorer, locate the file indicated in the below
table. By default, the file can be found in the following locations:
Product
File
Directory Path
&searchID=RO04648
How to determine if you are affected:
1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the
"C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is
vulnerable.
CA Host-Based Intrusion Prevention System 8.1 CF 1
How to determine if the installation is affected
1. Using Windows Explorer, locate the file "kmxIds.sys". By
default, the file is located in the
"C:\Windows\system32\drivers\" directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is less than indicated in the below table, the
CA ARCserve Backup r11.5 Windows,
CA ARCserve Backup r11.1 Windows,
CA ARCserve Backup r11.1 Netware,
CA Protection Suites r2*:
1. Using Windows Explorer, locate the file "asbrdcst.dll". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\ARCserve Backup\CADS"
directory on 32-bit systems and "C:\Program Files (x86)\CA\
SharedComponents\ARCserve Backup\CADS" on 64-bit systems.
2. Right click on the file and select Properties.
How to determine if you are affected:
For Windows:
1. Using Windows Explorer, locate the file "caloggerd.exe". By
default, the file is located in the
"C:\Program Files\CA\BrightStor ARCserve Backup" directory.
2. Right click on the file and select Properties.
How to determine if the installation is affected
For products on Windows:
1. Using Windows Explorer, locate the file "arclib.dll". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\ScanEngine" directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated below, the
How to determine if you are affected:
For Windows:
1. Using Windows Explorer, locate the file "rxRPC.dll". The file
can be found in the following default locations:
CA ARCserve Backup for Laptops and Desktops 11.5:
C:\Program Files\CA\BrightStor ARCserve Backup for Laptops and
Desktops\Server
Unicenter Remote Control r11.2 C1:
QO96090
How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file "ListCtrl.ocx". By
default, the file is in the "C:\Program Files\CA\DSM\bin\"
directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the below
latest patches.
How to determine if you are affected:
For products on Windows:
1. Using Windows Explorer, locate the file "alert.exe". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\Alert" directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the below
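The "locate the file, right-click, Properties, Version tab" procedure that the CA advisories repeat for each product, and the "verify that srcvw4.dll is now v4.0.1.2" step in the HP instructions near the top of the page, are the same check, and on more than one or two hosts it is worth scripting. The following PowerShell is an added example, not code from CA or HP: it reads the version resource the Properties dialog shows, compares it against a minimum taken from the advisory's table, and also reports the last-write timestamp that the mediasvr.exe check uses instead of a version. The paths are the defaults the advisories list. The only minimum filled in is the 4.0.1.2 the HP steps require for srcvw4.dll; the page does not carry the CA version tables, so those entries just report the installed version for comparison with the vendor's table.

```powershell
# Added example, not code from CA's or HP's advisories.
# Scripts the "Properties > Version tab" check the advisories describe per product.
function Test-FileVersion {
    param(
        [Parameter(Mandatory)][string]$Path,
        [version]$Minimum      # from the advisory's table; omit to only report
    )
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)   # handles %OvInstallDir%
    if (-not (Test-Path -LiteralPath $expanded)) {
        return [pscustomobject]@{ Path = $expanded; Installed = $null; LastWrite = $null; Minimum = $Minimum; Status = 'NotPresent' }
    }
    $item = Get-Item -LiteralPath $expanded
    $vi   = $item.VersionInfo
    # FileVersion is free text on some binaries, so build the version from the numeric parts.
    $installed = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $status = if (-not $Minimum) { 'CompareToAdvisory' }
              elseif ($installed -lt $Minimum) { 'Vulnerable' }
              else { 'OK' }
    [pscustomobject]@{
        Path      = $expanded
        Installed = $installed
        LastWrite = $item.LastWriteTime   # the mediasvr.exe check compares a timestamp, not a version
        Minimum   = $Minimum
        Status    = $status
    }
}

# Default locations as the advisories give them. asbrdcst.dll lives under
# "Program Files (x86)" on 64-bit systems, so pick the right root for it.
$pf86 = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$checks = @(
    @{ Path = '%OvInstallDir%\bin\srcvw4.dll'; Minimum = '4.0.1.2' }   # the version the HP steps expect
    @{ Path = 'C:\Program Files\CA\BrightStor ARCserve Backup\DBserver.dll' }
    @{ Path = 'C:\Program Files\CA\BrightStor ARCserve Backup\mediasvr.exe' }
    @{ Path = 'C:\Program Files\CA\BrightStor ARCserve Backup\caloggerd.exe' }
    @{ Path = "$pf86\CA\SharedComponents\ARCserve Backup\CADS\asbrdcst.dll" }
    @{ Path = 'C:\Program Files\CA\SharedComponents\ScanEngine\arclib.dll' }
    @{ Path = 'C:\Program Files\CA\SharedComponents\Alert\alert.exe' }
    @{ Path = 'C:\Program Files\CA\DSM\bin\ListCtrl.ocx' }
    @{ Path = 'C:\Windows\system32\drivers\kmxfw.sys' }
    @{ Path = 'C:\Windows\system32\drivers\kmxIds.sys' }
)

$results = foreach ($c in $checks) { Test-FileVersion @c }
$results | Format-Table Path, Installed, LastWrite, Minimum, Status -AutoSize
```

"NotPresent" simply means that product is not installed at its default path on this host; a non-default install directory has to be added to the list. A result of "OK" only says the file meets the minimum you supplied, so the minimum must come from the advisory for that exact product and release (the advisories above list different patch IDs for r11.1, r11.5, the Laptops and Desktops edition, and the Protection Suites), not from a neighbouring entry.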