Lost+Found: Look who's sniffing, chasing phantoms and link phishing
Too short for news, too good to lose; Lost+Found is a roundup of useful security news. This time: Microsoft's new tool for finding network cards that sniff traffic, bypassing ASLR with help from MS-Help, Kaspersky chases the Wiper phantom, and a format string vulnerability.
- Microsoft's new Promqry tool detects whether any network cards on a Windows system run in "promiscuous mode", for example in order to intercept network data traffic. The free tool for detecting network sniffers is available as a command line tool or as a version with a GUI.
- "With a little help by MS-Help", security researcher Parvez Anwar was able to bypass the Address Space Layout Randomisation (ASLR) feature under Windows 7. The basic problem is that ASLR still requires developers to opt in. When calling a URL via ms-help:, Internet Explorer loads hxds.dll, a library that is installed with Microsoft Office 2007/2010 and dispenses with this opt-in. This allows exploits to build a ROP (Return Oriented Programming) chain that activates their shellcode. To prevent it, ASLR can be made mandatory using Microsoft's EMET tool.
- Security experts from Kaspersky are hunting the Wiper phantom: a mysterious piece of malware that doesn't seem to be interested in anything other than destroying the data that is stored on its host. It appears to be very successful at doing so, as the researchers have so far only managed to examine the data fragments that the virus has left behind. And of course, Flame is also said to be involved somehow.
- Norwegian researcher Henning Klevjer has demonstrated that services such as TinyURL can potentially be used to host phishing pages on the web. The trick: the rather long data: URL includes the whole web page encoded in base64, which causes browsers such as Firefox to directly render the content.
- If you thought that format string vulnerabilities in network services were a thing of the past, you've been overly optimistic: EMC NetWorker Format String Vulnerability.
- It's quite astonishing to see who appears to be interested in the recent Java holes.
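
The ASLR item above hinges on whether a library has opted in; on disk, that opt-in is the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE bit (0x0040) in the PE optional header. The following is an added example, not code from the original article or from Microsoft, that reads this bit so libraries lacking the opt-in can be listed; `aslr_opted_in` and `build_sample` are hypothetical names and the sample headers are constructed.

```python
import struct
import sys

DYNAMIC_BASE = 0x0040  # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, set by link.exe /DYNAMICBASE


def aslr_opted_in(image: bytes) -> bool:
    """Return True if the PE optional header carries the DYNAMIC_BASE opt-in bit."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20  # skip signature and 20-byte COFF file header
    if len(image) < opt_off + 72:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (flags,) = struct.unpack_from("<H", image, opt_off + 70)
    return bool(flags & DYNAMIC_BASE)


def build_sample(dll_characteristics: int, pe32_plus: bool = False) -> bytes:
    """Constructed header-only image (not a loadable DLL) to exercise the check."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(112 if pe32_plus else 96)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    machine = 0x8664 if pe32_plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x2102)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: pass one or more DLL paths on the command line.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                state = "opted in" if aslr_opted_in(fh.read()) else "NO ASLR opt-in"
            except ValueError as exc:
                state = f"skipped ({exc})"
        print(f"{path}: {state}")
```

The bit only records the opt-in in the file header; whether a loaded module is actually relocated also depends on system policy such as the mandatory ASLR setting in EMET mentioned above.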