Gladiator Research and Security

GSA Reference Number: AD081216-01

Simply Put: Microsoft will be releasing an out-of-band patch today, December 17, to address the critical Internet Explorer vulnerability currently being exploited by malicious websites.  The patch affects Internet Explorer 6 and 7 and is rated critical by Microsoft.  Since this exploit allows remote code execution, Gladiator recommends applying the patch as soon as possible.

There has been more information released about the Internet Explorer (IE) 0-day vulnerability.  Microsoft has stated now that the vulnerability affects more versions of IE than previously thought.  Vulnerable versions include IE 7, IE 8 (beta), IE 6 (non-SP2) and IE 5.  Gladiator recommends that users switch to a different browser for the time being.  Using Internet Explorer for banking applications that are not compatible with other browsers is fine, but do not use IE to browse the Internet.

Internet Explorer 7 has a new 0-day exploit, meaning that it is currently being exploited through malicious websites and there is no patch available.  If a user visits a malicious site, there is a possibility that an attacker could run arbitrary code on the system.  The exploit appears to use a vulnerability in Internet Explorer’s handling of XML code.  This issue has been confirmed for users with IE 7 running Windows XP or Windows 2003.   Further details are not available at this time. Gladiator recommends that users run the Firefox browser, if possible, for general web browsing until a patch is released.

If you have been reading the news or surfing any IT based websites, you may have heard of “cloud computing,” a new buzz word going around.  Cloud computing is a new style of providing IT or business applications and services via the Web or Internet “cloud.”  One very popular form of cloud computing is Google Apps.  With Google Apps, Google is able to provide many publishing applications, similar to Microsoft’s Desktop Suite (Word, Excel, PowerPoint), over the Web.  Users can log in via an Internet browser and access the applications that are actually running on servers hosted by Google.

Microsoft has released 8 new patches resolving 6 critical and 2 important vulnerabilities found in its various products.  The vulnerability for the Visual Basic 6.0 ActiveX Control has publicly available exploit code, so it should be patched as soon as possible. The products with critical severity vulnerabilities include:

• GDI
• Windows Search
• Internet Explorer
• Visual Basic 6.0 Runtime Extended Files (ActiveX Controls)
• Microsoft Office Word
• Microsoft Office Excel

For years Cross-site request forgery (CSRF) attacks have occurred on many websites and network devices, often undetected.  CSRF attacks execute malicious content on a trusted site, or device, that appear to come from the victim.  These attacks are often difficult to both detect and protect against.  While CSRF attacks are nothing new, a security researcher named Nathan Hamiel, has recently discovered that most DSL modems (and Cable modems) are still just as vulnerable to CSRF attacks as other technologies.

GSA Reference Number: AD081204-01

Simply Put: BlackBerry Desktop Software 4.2.2 through 4.7 is vulnerable to a remote system compromise because it includes a vulnerable ActiveX control from FlexNET.  An ActiveX vulnerability can be exploited through Internet Explorer by a malicious website.