If at first you don't succeed; call it version 1.0
Monday, August 21, 2006

As I already reported, I've found a vulnerability in the AOL Security Toolbar which could allow a remote attacker to control the user's toolbar configuration options.

Within 1 (one) day, AOL replied by email, confirmed the vulnerability and delivered a fixed version. Wow, very fast response!

I've verified that this fix actually plugs the hole. Good job Spencer!

So, I recommend that anyone who uses the AOL Security Toolbar update to the latest version.

To find out which version you are using, go to Left Button Arrow --> Help --> "About AOL Security Toolbar". The vulnerable version is: Version 1.11 (08-03-06).

If you are using this version and have not received (or have ignored) the message asking you to update your toolbar, you can update manually by going to Left Button Arrow --> "Update Toolbar...". You will be notified if you are already using the latest version of the AOL Security Toolbar.

But just to be sure, the version that is not vulnerable is: Version 1.13 (08-18-06).

I will update this post on Friday with a proof-of-concept exploit for this vulnerability.

Posted Monday, August 21, 2006 8:39:05 PM UTC | Security
Friday, August 18, 2006

March 2004: Softomate Toolbar is classified as adware by CA.

~November 2004: Softomate Toolbar is classified as adware by Kaspersky.

March 2005: Softomate Toolbar is classified as adware by McAfee.

Early August 2006: AOL uses Softomate for the "AOL Security Toolbar", which is bundled (and installed by default) with their free Anti-Virus package.

Late August 2006: A security vulnerability is found in the "AOL Security Toolbar", reported to AOL and confirmed by them.

More info: AOL Security Tools Raise Adware Questions


Posted Friday, August 18, 2006 6:34:52 PM UTC | Security
Monday, August 14, 2006

I was more than happy to help HD Moore with MoBB, and provided some nice browser bugs for this project.

One of those bugs was "MoBB #30 - Orphan Object Properties". This bug occurs when referencing an object that was created inside an object data window inside a frame, and then relocating the frame to a different position, leaving the created object orphaned.

I found this bug while creating a subset of the Hamachi fuzzer, so I decided to create a specific fuzzer that would find all possible orphan object referencing bugs. It actually found over 15 crashes involving 8 different objects.

Last Tuesday Microsoft released a cumulative security update for Internet Explorer, MS06-042. I was surprised to find out that they were quick to fix the orphan objects issue, with no mention of this vulnerability in the security bulletin.

Since this vulnerability was silently patched and the orphan object bugs can no longer be exploited, I've decided to stop my research on this issue and release the fuzzer to the public.
The Orphan Objects Fuzzer can be downloaded from here. An online version of the fuzzer can be found here.


On the other hand, this cumulative security patch included another patch for the "COM Object Instantiation Memory Corruption Vulnerability". Those patches (the first was MS05-038) are actually a workaround for the real problem. Instead of fixing the browser's code, Microsoft decided to update IE's kill-bit repository with the CLSIDs of the problematic COM objects.

So far, all they have done is add the CLSIDs of the operating system's own COM objects. What they forgot is that their user base includes a lot of PCs with 3rd party COM objects installed. Some of these (e.g. Yahoo Messenger, the Security Toolbar in AOL's new Anti-Virus, and more) can be used to exploit the same vulnerability.
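Checking which CLSIDs actually carry a kill-bit is something a defender can do on their own machines. As an added example that is not from the original post, the Python below parses an exported copy of IE's "ActiveX Compatibility" registry key and reports which CLSIDs from a list of interest still lack the kill-bit (bit 0x400 of the "Compatibility Flags" value); the GUIDs in the sample export are constructed placeholders, not the CLSIDs of any real product.

```python
import re

# Added example, not the post's own tooling. Assumes an admin exported IE's
# ActiveX Compatibility key with:
#   reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" ax.reg
# and wants to know which CLSIDs still lack the kill-bit (bit 0x400 of
# "Compatibility Flags"), i.e. can still be instantiated by IE.
KILL_BIT = 0x400

# Constructed .reg export; the GUIDs are placeholders, not real product CLSIDs.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00000420
"""

_KEY_RE = re.compile(r"^\[.*\\ActiveX Compatibility\\(\{[0-9A-Fa-f-]{36}\})\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')

def parse_compat_flags(reg_text):
    """Map each CLSID under ActiveX Compatibility to its Compatibility Flags value."""
    flags, current = {}, None
    for line in reg_text.splitlines():  # real exports are UTF-16 with CRLF; strip() copes
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).upper()
            flags.setdefault(current, 0)  # key present but no flags value (yet)
            continue
        m = _FLAGS_RE.match(line)
        if m and current:
            flags[current] = int(m.group(1), 16)
    return flags

def is_killbitted(clsid, flags):
    """True if the CLSID's kill-bit is set; a CLSID with no key is not kill-bitted."""
    return bool(flags.get(clsid.upper(), 0) & KILL_BIT)

def still_instantiable(clsids_of_interest, reg_text):
    """Return the CLSIDs of interest that lack the kill-bit and so still load in IE."""
    flags = parse_compat_flags(reg_text)
    return [c for c in clsids_of_interest if not is_killbitted(c, flags)]
```

A CLSID that has no key under ActiveX Compatibility at all is treated as not kill-bitted, which is exactly the gap the post describes for 3rd party objects.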

I don't know if they did this on purpose, or because they were not aware of the 3rd party issue. I can only hope they are going to fix this vulnerability, which has been known for over 10 months now, and this time for real.

P.S. AOL's new security toolbar is not playing nice in another respect either. I will discuss this in one of my next posts.


Posted Monday, August 14, 2006 9:12:53 AM UTC | Security